Zejun Xiang,Wentao Zhang,Zhenzhen Bao,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-662-53887-6_24

2016-01-01

Abstract:Division property is a generalized integral property proposed by Todo at EUROCRYPT 2015, and very recently, Todo et al. proposed bit-based division property and applied to SIMON32 at FSE 2016. However, this technique can only be applied to block ciphers with block size no larger than 32 due to its high time and memory complexity. In this paper, we extend Mixed Integer Linear Programming (MILP) method, which is used to search differential characteristics and linear trails of block ciphers, to search integral distinguishers of block ciphers based on division property with block size larger than 32. Firstly, we study how to model division property propagations of three basic operations (copy, bitwise AND, XOR) and an Sbox operation by linear inequalities, based on which we are able to construct a linear inequality system which can accurately describe the division property propagations of a block cipher given an initial division property. Secondly, by choosing an appropriate objective function, we convert a search algorithm under Todo's framework into an MILP problem, and we use this MILP problem appropriately to search integral distinguishers. As an application of our technique, we have searched integral distinguishers for SIMON, SIMECK, PRESENT, RECTANGLE, LBlock and TWINE. Our results show that we can find 14-, 16-, 18-, 22- and 26-round integral distinguishers for SIMON32, 48, 64, 96 and 128 respectively. Moreover, for two SP-network lightweight block ciphers PRESENT and RECTANGLE, we found 9-round integral distinguishers for both ciphers which are two more rounds than the best integral distinguishers in the literature [ 22,29]. For LBlock and TWINE, our results are consistent with the best known ones with respect to the longest distinguishers.

Kai Zhang,Xuejia Lai,Lei Wang,Jie Guan,Bin Hu,Senpeng Wang,Tairong Shi

DOI: https://doi.org/10.1155/2022/3611840

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:LiCi-2 is an ultralightweight block cipher designed for constrained IoT devices. It is a successor of LiCi and has even better performance in both software and hardware implementation. In this paper, based on the idea of related-key multiple impossible differential cryptanalysis, a key recovery attack on full-round LiCi-2 is proposed. First, an interesting property is revealed that, with a single bit difference in the related key, a 10-round differential character with probability of 1 exists on LiCi-2. With an automatic approach, the boundaries of impossible differential distinguishers in terms of single-key setting and related-key setting are explored. Under our construction method, the longest length is 8 rounds for single-key setting and 18 rounds for related-key setting. Finally, based on these 18-round distinguishers, a 25-round key recovery attack is proposed with adding 3 rounds before and 4 rounds after the distinguisher. Our attack needs one related key. The time complexity for our attack is O(2123.44), the memory complexity is O(294), and the data complexity is O(260.68). As far as we know, no full-round attack has previously been reported on LiCi-2.

Fen Liu,Zhe Sun,Xi Luo,Chao Li,Junping Wan

DOI: https://doi.org/10.3390/math12111696

IF: 2.4

2024-05-31

Mathematics

Abstract:This paper delves into the realm of cryptographic analysis by employing mixed-integer linear programming (MILP), a powerful tool for automated cryptanalysis. Building on this foundation, we apply the division property method alongside MILP to conduct a comprehensive cryptanalysis of the IIoTBC (industrial Internet of Things block cipher) algorithm, a critical cipher in the security landscape of industrial IoT systems. Our investigation into IIoTBC System A has led to identifying a 14-round integral distinguisher, further extended to a 22-round key recovery. This significant finding underscores the cipher's susceptibility to sophisticated cryptanalytic attacks and demonstrates the profound impact of combining the division property method with MILP in revealing hidden cipher weaknesses. In the case of IIoTBC System B, our innovative approach has uncovered a full-round distinguisher. We provide theoretical validation for this distinguisher and uncover a pivotal structural issue in the System B algorithm, specifically the non-diffusion of its third branch. This discovery sheds light on inherent security challenges within System B and points to areas for potential enhancement in its design. Our research, through its methodical examination and analysis of the IIoTBC algorithm, contributes substantially to the field of cryptographic security, especially concerning industrial IoT applications. By uncovering and analyzing the vulnerabilities within IIoTBC, we enhance the understanding of cipher robustness and pave the way for advancements in securing industrial IoT communications.

mathematics

Kai Zhang,Xuejia Lai,Lei Wang,Jie Guan,Bin Hu

DOI: https://doi.org/10.1155/2022/4291000

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:To meet the security demand for IoT devices, many new lightweight block ciphers are proposed. ULC is a lightweight block cipher designed for the IoT. It has many advantages in terms of memory use, efficiency, and security. In this paper, a slide attack on full-round ULC is proposed in a related key setting. First, two properties on ULC are discovered. The first property is presented to illustrate the property of a slid pair for ULC. The second property is introduced to construct a link between some round key bits and some master key bits. Based on these properties, a key recovery attack on ULC is proposed. In this attack, with the condition of one related key, all the 80 master key bits can be recovered with the data complexity of O(232), the memory complexity of O(232), and the time complexity of O(263). The result of this paper indicates that ULC can’t resist slide attack in related key settings.

Qingwen Yan,Ying Guo,Wenfen Liu,Wen Chen,Yongcan Lu

DOI: https://doi.org/10.1088/1402-4896/ad9867

2024-11-29

Physica Scripta

Abstract:With the rapid growth of the Internet of Things (IoT), designing lightweight block ciphers has become essential for securing resource-constrained devices. This necessitates a balance among low-cost implementation, diffusion, and security. To address this challenge, we propose a novel lightweight block cipher named LIBC, which has a 64-bit block size supporting 128-bit keys. In the nonlinear layer, we develop a four-round structure to design optimal 4-bit S-boxes, generating 8,832 S-boxes that provide excellent security and compact hardware overhead. To balance diffusion with resource efficiency, we use a 4×4 almost MDS matrix and introduce a type of optimal involutive nibble-based permutations based on SAT. This ensures that LIBC achieves full diffusion within the minimal rounds while providing the required security. Combining the above design, LIBC's encryption and decryption circuits become nearly identical, requiring only 24 additional XOR gates for decryption. Experimental results show that LIBC exhibits strong diffusion and avalanche characteristics, providing sufficient security against various known attacks. Regarding hardware performance, the single-round iteration of the internal state in LIBC occupies only 10.05 GE per bit, which is superior compared to the round-based implementations of Midori, PRESENT, RECTANGLE, etc.

physics, multidisciplinary

Qingju Wang,Zhiqiang Liu,Kerem Varici,Yu Sasaki,Vincent Rijmen,Yosuke Todo

DOI: https://doi.org/10.1007/978-3-319-13039-2_9

2014-01-01

Abstract:SIMON family is one of the recent lightweight block cipher designs introduced by NSA. So far there have been several cryptanalytic results on this cipher by means of differential, linear and impossible differential cryptanalysis. In this paper, we study the security of SIMON32, SIMON48/72 and SIMON48/96 by using integral, zero-correlation linear and impossible differential cryptanalysis. Firstly, we present a novel experimental approach to construct the best known integral distinguishers of SIMON32. The small block size, 32 bits, of SIMON32 enables us to experimentally find a 15-round integral distinguisher, based on which we present a key recovery attack on 21-round SIMON32, while previous best results only achieved 19 rounds. Moreover, we attack 20-round SIMON32, 20-round SIMON48/72 and 21-round SIMON48/96 based on 11 and 12-round zero-correlation linear hulls of SIMON32 and SIMON48 respectively. Finally, we propose new impossible differential attacks which improve the previous impossible differential attacks. Our analysis shows that SIMON maintains enough security margin.

Yanyan Zhou,Senpeng Wang,Bin Hu

DOI: https://doi.org/10.1049/2024/8315115

2024-01-12

IET Information Security

Abstract:Differential-linear (DL) cryptanalysis is an important cryptanalytic method in cryptography and has received extensive attention from the cryptography community since its proposal by Langford and Hellman in 1994. At CT-RSA 2023, Bellini et al. introduced continuous difference propagations of XOR, rotation, and modulo-addition operations and proposed a fully automatic method using Mixed-Integer Linear Programing (MILP) and Mixed-Integer Quadratic Constraint Programing (MIQCP) techniques to search for DL distinguishers of Addition-Rotation-XOR (ARX) ciphers. In this paper, we propose continuous difference propagation of AND operation and construct an MILP/MIQCP-based fully automatic model of searching for DL distinguishers of SIMON-like ciphers. We apply the fully automatic model to all versions of SIMON and SIMECK. As a result, for SIMON, we find 13 and 14-round DL distinguishers of SIMON32, 15, 16, and 17-round DL distinguishers of SIMON48, 20-round DL distinguishers of SIMON64, 25 and 26-round DL distinguishers of SIMON96, 31 and 32-round DL distinguishers of SIMON128. For SIMECK, we find 14-round DL distinguishers of SIMECK32, 17 and 18-round DL distinguishers of SIMECK48, 22, 23, 24, and 25-round DL distinguishers of SIMECK64. As far as we know, our results are currently the best.

computer science, information systems, theory & methods

Nicky Mouha,Qingju Wang,Dawu Gu,Bart Preneel

DOI: https://doi.org/10.1007/978-3-642-34704-7_5

2011-01-01

Abstract:Differential and linear cryptanalysis are two of the most powerful techniques to analyze symmetric-key primitives. For modern ciphers, resistance against these attacks is therefore a mandatory design criterion. In this paper, we propose a novel technique to prove security bounds against both differential and linear cryptanalysis. We use mixed-integer linear programming (MILP), a method that is frequently used in business and economics to solve optimization problems. Our technique significantly reduces the workload of designers and cryptanalysts, because it only involves writing out simple equations that are input into an MILP solver. As very little programming is required, both the time spent on cryptanalysis and the possibility of human errors are greatly reduced. Our method is used to analyze Enocoro-128v2, a stream cipher that consists of 96 rounds. We prove that 38 rounds are sufficient for security against differential cryptanalysis, and 61 rounds for security against linear cryptanalysis. We also illustrate our technique by calculating the number of active S-boxes for AES.

Hong Xu,Ping Jia,Geshi Huang,Xuejia Lai

DOI: https://doi.org/10.1007/978-3-319-29814-6_9

2015-01-01

Abstract:LBlock-s is the kernel block cipher of the authentication encryption algorithm LAC submitted to CAESAR competition. The LBlock-s algorithm is almost the same as LBlock except that the former adopts an improved key schedule algorithm with better diffusion property. Using the shifting relation of certain subkeys derived by the new key schedule algorithm, we present a multidimensional zero-correlation linear cryptanalysis on 23-round LBlock-s. The time complexity of the attack is about (2^{75.4}) 23-round encryptions, where (2^{62.3}) known plaintexts are used and 60 subkey bits are guessed, which is three bits less than that of LBlock. Our research showed that the improved key schedule algorithm did not enhance their ability to protect against zero-correlation linear cryptanalysis, and it is better to use the irregular bit-shifting to disturb the shifting relation between subkeys.

Ting Cui,Yi Zhang,Jiyan Zhang,Chenhui Jin,Shiwei Chen

DOI: https://doi.org/10.1109/jiot.2024.3358346

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:This paper considers a new cryptanalysis called differential invariant subspace cryptanalysis, which can be used to evaluate the security of IoT-friendly word-based block ciphers. This cryptanalysis estimates the behavior of differential propagation for particularly chosen input differences, and applies to the ciphers contain only the word-based components, e.g., word-based S-boxes, word-based linear mappings, etc. Firstly, this paper proves that, for any word-based block cipher, if the S-box causes the differential invariant subspace property, it then indicates a full-round distinguisher with probability 1, even if the target cipher is believed to be resistant enough against traditional differential or linear cryptanalysis. Secondly, a class of linear-equivalent S-boxes meeting the differential invariant subspace property are constructed as L∘S∘L-1, where L is any invertible linear mapping and S is a group of S-boxes in parallel. Finally, as application, we provide a full-round differential invariant subspace distinguisher for the variant Midori128 (the only difference is that the variant version utilizes only one single type S-box instead of four types). This distinguishing is experimentally verified and could be executed within negligible time.

computer science, information systems,telecommunications,engineering, electrical & electronic

Fan Zhang,Yiran Zhang,Xinjie Zhao,Shize Guo,Ziyuan Liang,Samiya Qureshi

DOI: https://doi.org/10.1109/PADSW.2018.8645010

2018-01-01

Abstract:The block cipher LED is well suited for resource-constrained scenarios. However, it is vulnerable to the recent fault attacks and different results have been achieved even under the same fault model. In this paper, a comprehensive investigation is conducted on the fault analysis on LED. A novel differential fault analysis is proposed, which is based on the so-called constraint equations. The proposed attack can combine constraint equations at different levels, pushing the differential fault analysis on LED towards its limit in terms of the time complexity, the data complexity and the remained key search space. Under random nibble fault model, SINGLE fault injection can reduce the key search space of LED-64 to 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">7.90</sup> within 1.89s, compared to 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">17.65</sup> within 7 minutes in prior finest contributions. As to DFA on LED-128, TWO fault injections can reduce the key search space to 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">15.82</sup> within 247.88s, compared to 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">21.96</sup> within 16 minutes in previous work. To the best of our knowledge, the scheme that we proposed is the most efficient fault attack on LED cryptosystems.

Aayush Jain,Varun Kohli,Girish Mishra

DOI: https://doi.org/10.48550/arXiv.2112.05061

2021-12-09

Cryptography and Security

Abstract:Recent years have seen an increasing involvement of Deep Learning in the cryptanalysis of various ciphers. The present study is inspired by past works on differential distinguishers, to develop a Deep Neural Network-based differential distinguisher for round reduced lightweight block ciphers PRESENT and Simeck. We make improvements in the state-of-the-art approach and extend its use to the two structurally different block ciphers, PRESENT-80 and Simeck64/128. The obtained results suggest the universality of our cryptanalysis method. The proposed method can distinguish random data from the cipher data obtained until 6 rounds of PRESENT and 7 rounds of Simeck encryption with high accuracy. In addition to this, we explore a new approach to select good input differentials, which to the best of our knowledge has not been explored in the past. We also provide a minimum-security requirement for the discussed ciphers against our differential attack.

Kai Zhang,Jie Guan,Bin Hu,Dongdai Lin

DOI: https://doi.org/10.1049/iet-ifs.2016.0503

2017-01-01

IET Information Security

Abstract:Since proposed by the National Security Agency in June 2013, two lightweight block ciphers-SIMON and SPECK have attracted the attention of cryptographers from all over the world. At CHES 2015, Simeck, a new block cipher inspired from both SIMON and SPECK is proposed, which is more compact and efficient. However, the security evaluation on Simeck against zero-correlation linear cryptanalysis seems missing from the specification. The main focus of this study is to fill this gap and evaluate the security level of Simeck against zero-correlation linear cryptanalysis. According to the authors' study, 11-, 13- and 15-round zero-correlation linear distinguishers on Simeck32/48/64 are proposed, respectively, then zero-correlation linear cryptanalysis on 21-, 24-, 28-round Simeck32/48/64 are first proposed. As far as they know, for Simeck32, their result is the best result up to date.

ZHAO Xin-jie,GUO Shi-ze,WANG Tao,ZHANG Fan,LIU Huiying,JI Ke-ke

DOI: https://doi.org/10.3969/j.issn.1671-1742.2012.04.001

2012-01-01

Abstract:The security of a lightweight block cipher KLEIN against the algebraic side-channel attack is evaluated by combining algebraic attack with side-channel attack under the Hamming weight leakage model.Firstly,the algebraic representation of KLEIN is given.Then,the Hamming weights of the intermediate states are deduced from analyzing the power leakages and converted into algebraic equations.Finally,the CryptoMinisat solver is applied to solve for the key.Based on three different error tolerant strategies,many physical experiments are conducted on KLEIN under an 8-bit microcontroller and the complexity of the attack is also evaluated.Experiment results show that: the unprotected software implementation of KLEIN is vulnerable to algebraic side-channel attack.Full 64-bit master key of KLEIN can be recovered by analyzing the Hamming weight leakages of the first round under know plaintext/ciphertext scenario and 2 rounds under unknown plaintext/ciphertext scenario.

Yong Liu,Zejun Xiang,Siwei Chen,Shasha Zhang,Xiangyong Zeng

DOI: https://doi.org/10.1007/978-3-031-33488-7_5

2023-01-01

Abstract:The Mixed Integer Linear Programming (MILP) is a common method of searching for impossible differentials (IDs). However, the optimality of the distinguisher should be confirmed by an exhaustive search of all input and output differences, which is clearly computationally infeasible due to the huge search space. In this paper, we propose a new technique that uses two-dimensional binary variables to model the input and output differences and characterize contradictions with constraints. In our model, the existence of IDs can be directly obtained by checking whether the model has a solution. In addition, our tool can also detect any contradictions between input and output differences by changing the position of the contradictions. Our method is confirmed by applying it to several block ciphers, and our results show that we can find 6-, 13-, and 12-round IDs for Midori-64, CRAFT, and SKINNY-64 within a few seconds, respectively. Moreover, by carefully analyzing the key schedule of Midori-64, we propose an equivalent key transform technique and construct a complete MILP model for an 11-round impossible differential attack (IDA) on Midori-64 to search for the minimum number of keys to be guessed. Based on our automatic technique, we present a new 11-round IDA on Midori-64, where 23 nibbles of keys need to be guessed, which reduces the time complexity compared to previous work. The time and data complexity of our attack are 2 116.59 and 2 60 , respectively. To the best of our knowledge, this is the best IDA on Midori-64 at present.

Anubhab Baksi,Jakub Breier,Yi Chen,Xiaoyang Dong

DOI: https://doi.org/10.23919/date51398.2021.9474092

2022-01-01

Abstract:At CRYPTO 2019, Gohr first introduces the deep learning based cryptanalysis on round-reduced SPECK. Using a deep residual network, Gohr trains several neural network based distinguishers on 8-round SPECK-32/64. The analysis follows an 'all-in-one' differential cryptanalysis approach, which considers all the output differences effect under the same input difference. Usually, the all-in-one differential cryptanalysis is more effective compared to the one using only one single differential trail. However, when the cipher is non-Markov or its block size is large, it is usually very hard to fully compute. Inspired by Gohr's work, we try to simulate the all-in-one differentials for non-Markov ciphers through machine learning. Our idea here is to reduce a distinguishing problem to a classification problem, so that it can be efficiently managed by machine learning. As a proof of concept, we show several distinguishers for four high profile ciphers, each of which works with trivial complexity. In particular, we show differential distinguishers for 8-round Gimli-Hash, Gimli-Cipher and Gimli-Permutation; 3-round Ascon-Permutation; 10-round Knot-256 permutation and 12-round Knot-512 permutation; and 4-round Chaskey-Permutation. Finally, we explore more on choosing an efficient machine learning model and observe that only a three layer neural network can be used. Our analysis shows the attacker is able to reduce the complexity of finding distinguishers by using machine learning techniques.

Wei Sun,Lang Li,Xiantong Huang

DOI: https://doi.org/10.1007/s10586-024-04476-6

2024-04-30

Cluster Computing

Abstract:The low-latency property is becoming increasingly crucial in response to the demand for data processing in the Internet of Things (IoT) environment, especially in lightweight cryptography. A low-latency lightweight block cipher called LTLBC is proposed in this paper. In particular, we propose a hybrid approach of word-wise involutive mapping and a bit-wise permutation, with careful selection of the shift and permutation parameters. This scheme enables LTLBC to achieve better diffusion than Midori and MANTIS. Also, a S-box which is constructed through a gate-level bottom-up circuit search has good security and latency characteristics. LTLBC mainly focuses on the hardware environment of fully unrolled architecture. LTLBC achieves a minimum latency of around 4.73 ns, with a total area of only 10007.6 based on NanGate 45nm technology. The comprehensive safety analysis shows LTLBC has sufficient redundancy rounds to resist attacks, such as differential cryptanalysis, linear cryptanalysis, impossible differential cryptanalysis, etc.

computer science, information systems, theory & methods

Yun-fei MA,Tao WANG,Hao CHEN,Fan ZHANG,Xiao-xuan LOU,Lu-min XU,Wen-bing YANG

DOI: https://doi.org/10.3785/j.issn.1008-973X.2017.09.011

2017-01-01

Abstract:A fault-cube method was given aiming at the special property of And operation (&) in SIMON and the problem in previous cube attack and fault attack.The round-candidates for fault injection were identified according to the number of linear and quadratic equations.Positions for fault injection were determined by using a difference-characteristics table.Some round-keys were recovered by extracting low-degree equations during the off-line phase.Then,the entire round-keys were obtained with combination of guess-and-determine attack.The experimental results show that the attack on SIMON32/64 needs 69 fault injections on average and requires a compute complexity of 247.91,which is better than the previous cube attack.Compared to differential fault attack,the fault-cube method is more effective in determining fault positions.Moreover,using the fault model is easier to realize and the attack process is of high automation.The fault-cube method will provide some ideas on other lightweight block ciphers with low-degree core operations as well.

Yongchao Li,Jingya Feng,Qi Zhao,Yongzhuang Wei

DOI: https://doi.org/10.1016/j.vlsi.2023.102090

IF: 1.345

2024-01-01

Integration

Abstract:Both the diffusion property and the area consumption are two important evaluation criteria in the design and implementation of symmetric encryption algorithms. Many AND-Rotation-XOR (AND-RX) block ciphers are usually designed by reducing the diffusion property to minimize the area consumption. On the other hand, these AND-RX block ciphers use multiple round function operations to achieve the enough diffusion property, which always induce more area consumption in their hardware implementation. How to trade off the diffusion property and the area consumption appears to be an interesting task in the design of block cipher. In this paper, HDLBC as a new family of lightweight block cipher (with 64-bit plaintext and 64-bit/128-bit key) for the Internet of Things (IoT) is proposed. More specifically, the HDLBC is designed by using only two F-functions (RA 1 and RA 2 ), where the non-linear layer of the F-functions is constructed by the NAND operation that consumes the least area among the non-linear logic operations. To the best of our knowledge, HDLBC cipher requires the minimum number of F-functions to provide the diffusion property, where the F-functions require fewer implementation resources than the F-functions of existing similar encryption algorithms. It illustrates the hardware implementation of HDLBC cipher on SMIC 0 . 18 μ m requires only 1248 Gate Equivalents (GEs), its throughput rate is 256 Kbps at 100 KHz. Compared with other encryption algorithms, the implementation performance of HDLBC cipher achieves well-balanced in both the area consumption and diffusion property. Moreover, the security analysis shows that HDLBC cipher has enough security margin against various known attacks, such as differential cryptanalysis, linear cryptanalysis, impossible differential cryptanalysis, zero correlation cryptanalysis, etc.

engineering, electrical & electronic,computer science, hardware & architecture

Ning Wang,Xiaoyun Wang,Keting Jia

DOI: https://doi.org/10.1007/978-3-319-30840-1_9

2015-01-01

Abstract:LBlock is a 32-round lightweight block cipher with a 64-bit block size and an 80-bit key. This paper presents a new impossible differential attack on LBlock by improving the previous best result for 1 more round. Based on the nibble conditions, detailed differential properties of LBlock S-Boxes and thorough exploration of subkey relations, we set up well precomputation tables to collect the data needed and propose an optimal key-guessing arrangement to effectively reduce the time complexity of the attack. With these techniques, we launch an impossible differential attack on 24-round LBlock. To the best of our knowledge, this attack is currently the best in terms of the number of rounds attacked (except for biclique attacks).