Zhichao Xu,Hong Xu,Lin Tan,Wenfeng Qi

DOI: https://doi.org/10.1016/j.jisa.2024.103773

IF: 4.96

2024-04-19

Journal of Information Security and Applications

Abstract:SPECK and SPARX are two kinds of block ciphers with an ARX structure. In this paper, we use the SAT-based automatic search tool to search for linear approximations of these two ARX ciphers. As a result, we find a linear approximation for 17-round SPECK128, which covers one more round than previous work. Based on this linear approximation, we propose improved linear cryptanalysis for 19-round SPECK128/192 and 20-round SPECK128/256, which cover one more round than previous work. For ARX cipher SPARX, we find an optimal linear approximation for 13-round SPARX-64, which covers three more rounds than previous work. We also find an optimal linear approximation for 10-round SPARX-128, which covers two more rounds than previous work. Furthermore, we find a linear approximation for 14-round SPARX-128 by splicing two short linear approximations, which covers four more rounds than previous work. Based on these linear approximations, we propose linear cryptanalysis for 15-round SPARX-64/128, 15-round SPARX-128/128 and 16-round SPARX-128/256.

computer science, information systems

Yi Chen,Zhenzhen Bao,Hongbo Yu

DOI: https://doi.org/10.1007/978-981-99-8727-6_8

2023-01-01

Abstract:The differential-linear attack is one of the most effective attacks against ARX ciphers. However, two technical problems are preventing it from being more effective and having more applications: (1) there is no efficient method to search for good differential-linear approximations. Existing methods either have many constraints or are currently inefficient. (2) partitioning technique has great potential to reduce the time complexity of the key-recovery attack, but there is no general tool to construct partitions for ARX ciphers. In this work, we step forward in solving the two problems. First, we propose a novel idea for generating new good differential-linear approximations from known ones, based on which new searching algorithms are designed. Second, we propose a general tool named partition tree, for constructing partitions for ARX ciphers. Based on these new techniques, we present better attacks for two ISO/IEC standards, i.e., LEA and Speck. For LEA, we present the first 17-round distinguisher which is 1 round longer than the previous best distinguisher. Furthermore, we present the first key recovery attacks on 17-round LEA-128, 18-round LEA-192, and 18-round LEA-256, which attack 3, 4, and 3 rounds more than the previous best attacks. For Speck, we find better differential-linear distinguishers for Speck48 and Speck64. The first differential-linear distinguishers for Speck96 and Speck128 are also presented.

Cui Tingting,Chen Shiyao,Fu Kai,Wang Meiqin,Jia Keting

DOI: https://doi.org/10.1007/s11432-018-1506-4

2020-01-01

Science China Information Sciences

Abstract:Impossible differential and zero-correlation linear cryptanalysis are two of the most powerful cryptanalysis methods in the field of symmetric key cryptography. There are several automatic tools to search such trails for ciphers with S-boxes. These tools focus on the properties of linear layers, and idealize the underlying S-boxes, i.e., assume any input and output difference pairs are possible. In reality, such S-box never exists, and the possible output differences with any fixed input difference can be at most half of the entire space. Hence, some of the possible differential trails under the ideal world become impossible in reality, possibly resulting in impossible differential trails for more rounds. In this paper, we firstly take the differential and linear properties of non-linear components such as S-box into consideration and propose a new automatic tool to search impossible differential trails for ciphers with S-box. We then generalize the tool to modulo addition, and apply it to ARX ciphers. To demonstrate the usefulness of the tool, we apply it to HIGHT, SHACAL-2, LEA, LBlock. As a result, it improves the best existing results of each cipher. keywords Impossible differential cryptanalysis, zero-correlation linear cryptanalysis, MILP, automatic tool

Haiwen Qin,Baofeng Wu

DOI: https://doi.org/10.48550/arXiv.2203.09741

2022-03-18

Abstract:ARX-based ciphers, constructed by the modular addition, rotation and XOR operations, have been receiving a lot of attention in the design of lightweight symmetric ciphers. For their differential cryptanalysis, most automatic search methods of differential trails adopt the assumption of independence of modulo additions. However, this assumption does not necessarily hold when the trail includes consecutive modular additions (CMAs). It has already been found that in this case some differential trails searched by automatic methods before are actually impossible, but the study is not in depth yet, for example, few effort has been paid to exploiting the root causes of non-independence between CMAs and accurate calculation of probabilities of the valid trails. In this paper, we devote to solving these two problems. By examing the differential equations of single and consecutive modular additions, we find that the influence of non-independence can be described by relationships between constraints on the intermediate state of two additions. Specifically, constraints of the first addition can make some of its output bits non-uniform, and when they meet the constraints of the second addition, the differential probability of the whole CMA may be different from the value calculated under the independence assumption. As a result, we can build SAT models to verify the validity of a given differential trail of ARX ciphers and #SAT models to calculate the exact probabilities of the differential propagation through CMAs in the trail, promising a more accurate evaluation of probability of the trail. Our automic methods and searching tools are applied to search related-key differential trails of SPECK and Chaskey including CMAs in the key schedule and the round function respectively.

Cryptography and Security

Jorge Nakahara,Pouyan Sepehrdad,Bingsheng Zhang,Meiqin Wang

DOI: https://doi.org/10.1007/978-3-642-10433-6_5

2009-01-01

Abstract:The contributions of this paper include the first linear hull and a revisit of the algebraic cryptanalysis of reduced-round variants of the block cipher PRESENT, under known-plaintext and ciphertext-only settings. We introduce a pure algebraic cryptanalysis of 5-round PRESENT and in one of our attacks we recover half of the bits of the key in less than three minutes using an ordinary desktop PC. The PRESENT block cipher is a design by Bogdanov et al., announced in CHES 2007 and aimed at RFID tags and sensor networks. For our linear attacks, we can attack 25-round PRESENT with the whole code book, 296.68 25-round PRESENT encryptions, 240 blocks of memory and 0.61 success rate. Further we can extend the linear attack to 26-round with small success rate. As a further contribution of this paper we computed linear hulls in practice for the original PRESENT cipher, which corroborated and even improved on the predicted bias (and the corresponding attack complexities) of conventional linear relations based on a single linear trail.

Yanjun Li,Hao Lin,Xinjie Bi,Shanshan Huo,Yiyi Han

DOI: https://doi.org/10.1016/j.jisa.2023.103696

IF: 4.96

2024-01-19

Journal of Information Security and Applications

Abstract:Shadow (Guo et al., 2021) is a lightweight block cipher based on a new logical combination method of AND-RX operation and the generalized Feistel structure with high diffusion and excellent performance in hardware implementation. In this paper, the components and structure of Shadow cipher are researched, and based on MILP automatic search algorithms for differential trails the 2-round iterative differential characteristics are obtained, then the full-round differential characteristics of both Shadow-32 and Shadow-64 are given. Moreover, targeting Shadow-32, we conduct 32-bit round-key recovery attack by using four 13.5-round differential trails, and the experimental verification shows that the time complexity is 226.02 and space complexity is 214.1 . Recovering the 64 master key bits need to solve a system of multivariate equations over F2 with the time complexity more than 250.69 . For Shadow-64, the process of recovering the master key is similar. Finally, we analyze the reasons for the insecurity of the Shadow cipher that may help to improve the cryptographic performance of the Shadow or provide help for a new block cipher design.

computer science, information systems

Wenya Li,Kai Zhang,Bin Hu

DOI: https://doi.org/10.1049/2024/6164262

2024-06-04

IET Information Security

Abstract:Differential and linear cryptanalysis are two important methods to evaluate the security of block ciphers. Building on these two methods, differential‐linear (DL) cryptanalysis was introduced by Langford and Hellman in 1994. This cryptanalytic method has been not only extensively researched but also proven to be effective. In this paper, a security evaluation framework for AND‐RX ciphers against DL cryptanalysis is proposed, which is denoted as K6. In addition to modeling the structure of all the possible differential trails and linear trails at the bit level, we introduce a method to calculate this structure round by round. Based on this approach, an automatic algorithm is proposed to construct the DL distinguisher. Unlike previous methods, K6 uses a truncated differential and a linear hull instead of a differential characteristic and a linear approximation, which brings the bias of the DL distinguisher close to the experimental value. To validate the effectiveness of the framework, K6 is applied to Simon and Simeck, which are two typical AND‐RX ciphers. With the automatic algorithm, we discover an 11‐round DL distinguisher of Simon32 with bias 2−14.89 and a 12‐round DL distinguisher of Simeck32 with bias 2−14.89. Moreover, the 14‐round DL distinguisher of Simon48 with bias 2−22.30 is longer than the longest DL distinguisher currently known. In addition, the framework K6 shows advantages when analyzing ciphers with large block sizes. As far as we know, for Simon64/96/128 and Simeck48/64, the first DL distinguishers are obtained with our framework. The DL distinguishers are 16, 23, 32, 17, and 22 rounds of Simon64/96/128 and Simeck48/64 with bias 2−24.31, 2−47.57, 2−60.75, 2−22.54, and 2−31.41, respectively. To prove the correctness of distinguishers, experiments on Simon32 and Simeck32 have been performed. The experimental bias are 2−13.76 and 2−14.82, respectively. Comparisons of the theoretical and experimental results show good agreement.

computer science, information systems, theory & methods

Yiyi Han,Caibing Wang,Zhongfeng Niu,Lei Hu,Debiao He

DOI: https://doi.org/10.23919/cje.2022.00.313

IF: 1.019

2024-01-01

Chinese Journal of Electronics

Abstract:Boolean satisfiability problem (SAT) is now widely applied in differential cryptanalysis and linear cryptanalysis for various cipher algorithms. It generated many excellent results for some ciphers, for example, Salsa20. In this research, we study the differential and linear propagations through the operations of addition, rotation and XOR (ARX), and construct the SAT models. We apply the models to CRAX to search differential trails and linear trails automatically. In this sense, our contribution can be broadly divided into two parts. We give the bounds for differential and linear cryptanalysis of Alzette both up to 12 steps, by which we present a 3-round differential attack and a 3-round linear attack for CRAX. We construct a 4-round key-recovery attack for CRAX with time complexity 289 times of 4-round encryption and data complexity 225.

engineering, electrical & electronic

Nicolas T. Courtois,Marios Georgiou

DOI: https://doi.org/10.48550/arXiv.1902.02748

2019-02-08

Abstract:One of the major open problems in symmetric cryptanalysis is to discover new specif i c types of invariant properties which can hold for a larger number of rounds of a block cipher. We have Generalised Linear Cryptanalysis (GLC) and Partitioning Cryptanalysis (PC). Due to double-exponential combinatorial explosion of the number of possible invariant properties systematic exploration is not possible and extremely few positive working examples of GLC are known. Our answer is to work with polynomial algebraic invariants which makes partitions more intelligible. We have developed a constructive algebraic approach which is about making sure that a certain combination of polynomial equations is zero. We work with an old block cipher from 1980s which has particularly large hardware complexity compared to modern ciphers e.g. AES. However all this complexity is not that useful if we are able to construct powerful non-linear invariants which work for any number of rounds. A key feature of our invariant attacks is that we are able to completely eliminate numerous state and key bits. We also construct invariants for the (presumably stronger) KT1 keys. Some of these lead to powerful ciphertext-only correlation attacks.

Cryptography and Security,Algebraic Geometry,Combinatorics,Group Theory,Rings and Algebras

D. R. Chowdhury,Upasana Mandal,D. Pal,Abhijit Das,Mainak Chaudhury

Abstract:Over the last few years, deep learning is becoming the most trending topic for the classical cryptanalysis of block ciphers. Differential cryptanalysis is one of the primary and potent attacks on block ciphers. Here we apply deep learning techniques to model differential cryptanalysis more easily. In this paper, we report a generic tool using deep neural classifier that assists to find differential distinguishers for block ciphers with reduced round. We apply this approach for the differential cryptanalysis of ARX-based encryption schemes HIGHT, LEA, and SPARX. The result shows that our deep learning based distinguishers work with high accuracy for 14-round HIGHT, 13-Round LEA and 11-round SPARX. We also achieve an improvement of the lower bound of data complexity for these three ARX based ciphers.

Computer Science

Xinjie Zhao,Shize Guo,Fan Zhang,Tao Wang,Zhijie Shi,Hao Luo

DOI: https://doi.org/10.1587/transfun.e96.a.332

2012-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:This paper proposes several improved Side-channel cube attacks (SCCAs) on PRESENT-80/128 under single bit leakage model. Assuming the leakage is in the output of round 3 as in previous work, we discover new results of SCCA on PRESENT. Then an enhanced SCCA is proposed to extract key related non-linear equations. 64-bit key for both PRESENT-80 and 128 can be obtained. To mount more effective attack, we utilize the leakage in round 4 and enhance SCCA in two ways. A partitioning scheme is proposed to handle huge polynomials, and an iterative scheme is proposed to extract more key bits. With these enhanced techniques, the master key search space can be reduced to 28 for PRESENT-80 and to 229 for PRESENT-128.

Haijian Zhou,Ping Luo,Daoshun Wang,Yiqi Dai

DOI: https://doi.org/10.1007/978-3-540-79499-8_32

2008-01-01

Abstract:The Lu-Lee public key cryptosystem and Adiga-Shankar's modification are considered to be insecure with cryptanalysis by integer linear programing, since only 2 or 3 unknown message blocks are used in the modular linear equation for encryption procedure. Unfortunately integer linear programming algorithms falls in trouble with more unknowns. In this paper we present a probabilistic algorithm for cryptanalysis of general Lu-Lee type systems with nmessage blocks. The new algorithm is base on lattice reduction and succeeds to break Lu-Lee type systems with up to 68 message blocks.

Yanzhao Yin,Liji Wu,Qian Peng,Xiangmin Zhang

DOI: https://doi.org/10.1109/icasid.2018.8693138

2018-01-01

Abstract:Although SPA (Simple Power Analysis) has been studied for many years, it is still effective on many cryptographic algorithms based on ECC. Double-and-Add and Montgomery ladder can avoid attacks with point double and point add operations, but in software implementation of ECC algorithm, modular addition and subtraction will be the weakness that the hostile attackers may use. In this paper, a black box SPA is performed on a smart card with SM2 algorithm, a Chinese standard of ECC cryptographic algorithm. The card was proved to implement the SM2 algorithm by Jacobi form and non-adjacent form, and its private key can be extracted by SPA within less than 10 power traces, with conditional operations in the modular subtraction. Then we discussed the probability that the ECC cryptography implemented by other forms be attacked with modular subtraction or addition, and illustrate how the problem can be solved by hardware implementation.

Yan Yan,Elisabeth Oswald

DOI: https://doi.org/10.1145/3310273.3323399

2019-04-30

Abstract:Implementations of ARX ciphers are hoped to have some intrinsic side channel resilience owing to the specific choice of cipher components: modular addition (A), rotation (R) and exclusive-or (X). Previous work has contributed to this understanding by developing theory regarding the side channel resilience of components (pioneered by the early works of Prouff) as well as some more recent practical investigations by Biryukov et al. that focused on lightweight cipher constructions. We add to this work by specifically studying ARX-boxes both mathematically as well as practically. Our results show that previous works' reliance on the simplistic assumption that intermediates independently leak (their Hamming weight) has led to the incorrect conclusion that the modular addition is necessarily the best target and that ARX constructions are therefore harder to attack in practice: we show that on an ARM M0, the best practical target is the exclusive or and attacks succeed with only tens of traces.

ZHAO Xin-jie,GUO Shi-ze,WANG Tao,ZHANG Fan,LIU Huiying,JI Ke-ke

DOI: https://doi.org/10.3969/j.issn.1671-1742.2012.04.001

2012-01-01

Abstract:The security of a lightweight block cipher KLEIN against the algebraic side-channel attack is evaluated by combining algebraic attack with side-channel attack under the Hamming weight leakage model.Firstly,the algebraic representation of KLEIN is given.Then,the Hamming weights of the intermediate states are deduced from analyzing the power leakages and converted into algebraic equations.Finally,the CryptoMinisat solver is applied to solve for the key.Based on three different error tolerant strategies,many physical experiments are conducted on KLEIN under an 8-bit microcontroller and the complexity of the attack is also evaluated.Experiment results show that: the unprotected software implementation of KLEIN is vulnerable to algebraic side-channel attack.Full 64-bit master key of KLEIN can be recovered by analyzing the Hamming weight leakages of the first round under know plaintext/ciphertext scenario and 2 rounds under unknown plaintext/ciphertext scenario.

Fan Zhang,Xiaofei Dong,Xinjie Zhao,Yidi Wang,Samiya Qureshi,Yiran Zhang,Xiaoxuan Lou,Yongkang Tang

DOI: https://doi.org/10.1109/MASS.2018.00056

2018-01-01

Abstract:This paper proposed an advanced round modification fault analysis (RMFA) at the theoretical level on AEGIS-128, which is one of seven finalists in CAESAR competition. First, we clarify our assumptions and simplifications on the attack model, focusing on the encryption security. Then, we emphasize the difficulty of applying vanilla RMFA to AEGIS-128 in the practical case. Finally we demonstrate our advanced fault analysis on AEGIS-128 using machine-solver based algebraic techniques. Our enhancement can be used to conquer the practical scenario which is difficult for vanilla RMFA. Simulation results show that when the fault is injected to the initialization phase and the number of rounds is reduced to one, two samples of injections can extract the whole 128 key bits within less than two hours. This work can also be extended to other versions such as AEGIS-256.

Huiqin Xie,Li Yang

DOI: https://doi.org/10.48550/arXiv.1712.06997

2018-07-23

Abstract:Traditional cryptography is suffering a huge threat from the development of quantum computing. While many currently used public-key cryptosystems would be broken by Shor's algorithm, the effect of quantum computing on symmetric ones is still unclear. The security of symmetric ciphers relies heavily on the development of cryptanalytic tools. Thus, in order to accurately evaluate the security of symmetric primitives in the post-quantum world, it is significant to improve classical cryptanalytic methods using quantum algorithms. In this paper, we focus on two variants of differential cryptanalysis: truncated differential cryptanalysis and impossible differential cryptanalysis. Based on the fact that Bernstein-Vazirani algorithm can be used to find the linear structures of Boolean functions, we propose two quantum algorithms that can be used to find high-probability truncated differentials and impossible differentials of block ciphers, respectively. We rigorously prove the validity of the algorithms and analyze their complexity. Our algorithms treat all rounds of the reduced cipher as a whole and only concerns the input and output differences at its both ends, instead of specific differential characteristics. Therefore, to a certain extent, they alleviate the weakness of conventional differential cryptanalysis, namely the difficulties in finding differential characteristics as the number of rounds increases.

Quantum Physics,Cryptography and Security

HaiJian Zhou,Ping Luo,DaoShun Wang,YiQi Dai

DOI: https://doi.org/10.1007/s11432-009-0159-9

2009-01-01

Science in China Series F Information Sciences

Abstract:Finding the solution to a general multivariate modular linear equation plays an important role in cryptanalysis field. Earlier results show that obtaining a relatively short solution is possible in polynomial time. However, one problem arises here that if the equation has a short solution in given bounded range, the results outputted by earlier algorithms are often not the ones we are interested in. In this paper, we present a probability method based on lattice basis reduction to solve the problem. For a general multivariate modular linear equation with short solution in the given bounded range, the new method outputs this short solution in polynomial time, with a high probability. When the number of unknowns is not too large (smaller than 68), the probability is approximating 1. Experimental results show that Knapsack systems and Lu-Lee type systems are easily broken in polynomial time with this new method.

MeiQin Wang,XiaoYun Wang,Lucas C.K. Hui

DOI: https://doi.org/10.1007/s11432-010-0048-2

2010-01-01

Abstract:Differential cryptanalysis is a general cryptanalytic tool that makes use of differentials over some rounds of a cipher, combined with some key bit guesses of one or two rounds. This paper introduces a new cryptanalysis strategy of block ciphers named differential-algebraic cryptanalysis. The idea of differential-algebraic cryptanalysis is to find a differential with high probability and build the multivariable system equations for the last few rounds. The subkey values of the last few rounds can be obtained by filtering the solutions of system equations instead of guessing all possible subkey values. We use the differential-algebraic cryptanalysis to break 8-round Serpent-256. Our attack can recover the 256-bit key with 283 chosen plaintexts, 2180.4 8-round Serpent-256 encryptions and 2176.7 bytes memory. Compared with the previous differential cryptanalysis results, both the data complexity and the time complexity are reduced, but the memory requirements are increased. The time complexity and the memory requirements are very close, and a time-memory tradeoff is exploited.

Marc Kaplan,Gaëtan Leurent,Anthony Leverrier,María Naya-Plasencia

DOI: https://doi.org/10.13154/tosc.v2016.i1.71-94

2017-03-07

Abstract:Quantum computers, that may become available one day, would impact many scientific fields, most notably cryptography since many asymmetric primitives are insecure against an adversary with quantum capabilities. Cryptographers are already anticipating this threat by proposing and studying a number of potentially quantum-safe alternatives for those primitives. On the other hand, symmetric primitives seem less vulnerable against quantum computing: the main known applicable result is Grover's algorithm that gives a quadratic speed-up for exhaustive search. In this work, we examine more closely the security of symmetric ciphers against quantum attacks. Since our trust in symmetric ciphers relies mostly on their ability to resist cryptanalysis techniques, we investigate quantum cryptanalysis techniques. More specifically, we consider quantum versions of differential and linear cryptanalysis. We show that it is usually possible to use quantum computations to obtain a quadratic speed-up for these attack techniques, but the situation must be nuanced: we don't get a quadratic speed-up for all variants of the attacks. This allows us to demonstrate the following non-intuitive result: the best attack in the classical world does not necessarily lead to the best quantum one. We give some examples of application on ciphers LAC and KLEIN. We also discuss the important difference between an adversary that can only perform quantum computations, and an adversary that can also make quantum queries to a keyed primitive.

Quantum Physics,Cryptography and Security