Similar literature
 Found 20 similar documents; search took 125 ms
1.
In recent years, because of the security requirements of resource‐constrained devices, design and analysis of lightweight block ciphers has received more attention. mCrypton is a lightweight block cipher that has been specifically designed for use in resource‐constrained devices, such as low‐cost radio‐frequency identification tags and sensors. In this paper, we consider cryptanalysis of full‐round mCrypton‐64 using a new extension of biclique attack called non‐isomorphic biclique cryptanalysis. As it is known, effectiveness of the biclique attack is highly dependent on the weakness of key schedule, and it does not seem to be appropriate for block ciphers with strong key scheduling. The non‐isomorphic biclique attack, using an asymmetric key partitioning technique, provides more degrees of freedom to the attacker and makes it possible to use the diffusion layer properties of a block cipher for constructing longer bicliques. Results show that the attack on full‐round mCrypton requires 2^33.9 chosen plaintexts and a time complexity of 2^62.67 encryptions. The computational complexity reduces to 2^62.3, 2^61.4, and 2^59.75 encryptions for 10, 8, and 6 rounds of mCrypton‐64, respectively. We also have a discussion on the general form of the computational complexity for non‐isomorphic biclique cryptanalysis. Copyright © 2014 John Wiley & Sons, Ltd.

2.
mCrypton is a 64‐bit lightweight block cipher designed for use in low‐cost and resource‐constrained applications such as RFID tags and sensors in wireless sensor networks. In this paper, we investigate the strength of this cipher against related‐key impossible differential cryptanalysis. First, we construct two 6‐round related‐key impossible differentials for mCrypton‐96 and mCrypton‐128. Then, using these distinguishers, we present 9‐round related‐key impossible differential attacks on these two versions. The attack on mCrypton‐96 requires 2^59.9 chosen plaintexts, and has a time complexity of about 2^74.9 encryptions. The data and time complexities for the attack on mCrypton‐128 are 2^59.7 chosen plaintexts and 2^66.7 encryptions, respectively. Copyright © 2011 John Wiley & Sons, Ltd.

3.
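The security of the lightweight block cipher HIGHT against integral attacks is studied. First, flaws in how existing work constructed distinguishers are corrected: an 11-round integral distinguisher for HIGHT is reconstructed, and a corresponding 17-round distinguisher is built by higher-order integral extension. Second, using the 17-round distinguisher together with the time-memory trade-off principle, an integral attack on 25-round HIGHT is mounted. Finally, the complexity of the attack is analyzed: the data complexity is 2^62.92, the time complexity is 2^66.20, and the memory complexity is 2^119. The analysis shows that the attack improves on existing results in both the number of rounds attacked and the time complexity.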

4.
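The Digital Video Broadcasting Common Scrambling Algorithm (DVB-CSA) is a hybrid symmetric encryption algorithm consisting of a block cipher part and a stream cipher part. It is typically used to protect signal streams in the video compression standard MPEG-2. This paper studies the impossible differential properties of the DVB-CSA block cipher (DVB-CSA-Block Cipher, CSA-BC). By exploiting specific information about the S-box, a 22-round impossible differential distinguisher for CSA-BC is constructed, which is 2 rounds longer than the best previous result. Using this 22-round distinguisher, reduced 25-round CSA-BC is attacked, recovering 24 bits of the seed key. The data, time and memory complexities of the attack are 2^53.3 chosen plaintexts, 2^32.5 encryptions and 2^24 memory units, respectively. For impossible differential cryptanalysis of CSA-BC, the best previously known result attacks 21-round CSA-BC and recovers 16 bits of the seed key. In terms of attack length and amount of key recovered, the results of this paper greatly improve on the best previous result.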

5.
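The 3D cipher is a new block cipher proposed at CANS 2008. Its design is based on the US Advanced Encryption Standard (AES), but it uses a 3-dimensional structure. Based on the structural characteristics of 3D, this paper constructs a new class of 6-round impossible differential distinguishers and extends the impossible differential attack on the 3D cipher to 11 rounds. The time complexity of the 10-round impossible differential attack is reduced to 2^318.8. Precomputation techniques are used extensively in this paper, greatly reducing the time complexity; this is a useful reference for data processing and for improving computational efficiency in practical attacks on block ciphers.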

6.
Min XIE  Feng TIAN  Jiaqi LI 《通信学报》2019,40(9):184-192
In order to evaluate the security of the lightweight block cipher TWINE, the method of related-key impossible boomerang cryptanalysis was applied and a related-key impossible boomerang distinguisher consisting of 16-round and 17-round paths was constructed. Based on this new distinguisher, an attack on 23-round TWINE was mounted successfully by concatenating 4-round to the beginning and 2-round for the 17-round path and 3-round for the 16-round path to the end respectively. The attack on 23-round TWINE required data complexity of only 2^62.05 plaintexts and computational complexity of about 2^70.49 23-round encryptions. Compared with published cryptanalysis results, the proposed attack has obvious advantages.

7.
Provable security against a differential attack   Total citations: 4, self-citations: 0, citations by others: 4
The purpose of this paper is to show that DES-like iterated ciphers that are provably resistant against differential attacks exist. The main result on the security of a DES-like cipher with independent round keys is Theorem 1, which gives an upper bound to the probability of s-round differentials, as defined in [4], and this upper bound depends only on the round function of the iterated cipher. Moreover, it is shown that functions exist such that the probabilities of differentials are less than or equal to 2^(3−n), where n is the length of the plaintext block. We also show a prototype of an iterated block cipher, which is compatible with DES and has proven security against differential attack. A preliminary version of this paper was presented in the rump session at Crypto '92. The work of Kaisa Nyberg on this project was supported by MATINE Board, Finland.

8.
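LiCi is a lightweight block cipher proposed by Patil et al. (2017). Owing to its new design concept, the algorithm has a compact structure, low energy consumption and a small chip area, making it especially suitable for resource-constrained environments. Its security is currently receiving much attention; Patil et al. claim that the 16-round reduced algorithm is sufficient to resist classical differential and linear attacks. Based on the differential characteristics of the S-box and combined with the meet-in-the-middle idea, this paper constructs a 10-round impossible differential distinguisher. Based on this distinguisher, extending 3 rounds both forward and backward and using the key schedule, a 16-round impossible differential cryptanalysis of LiCi is given. The attack requires a time complexity of about 2^83.08 16-round encryptions, a data complexity of about 2^59.76 chosen plaintexts, and a memory complexity of about 2^76.76 data blocks, which shows that 16-round reduced LiCi cannot resist impossible differential attacks.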

9.
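Impossible differential attack on the 3D cipher   Total citations: 2, self-citations: 1, citations by others: 1
The 3D cipher is a new block cipher proposed at CANS 2008; unlike earlier block ciphers, it uses a 3-dimensional structure. The designers gave a 5-round impossible differential of the 3D cipher and mounted an impossible differential attack on 6-round 3D. This paper finds new 6-round impossible differentials through the structural properties of the 3D cipher. Based on the new impossible differentials and an equivalent structure of the 3D cipher, effective impossible differential attacks can be mounted on 7-round and 8-round 3D. In addition, by taking its key expansion rules into account, the number of rounds attacked can be raised to 9. The attack results of this paper are better than those of the designers.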

10.
Rui Guo  Chenhui Jin 《ETRI Journal》2014,36(6):1032-1040
The Lai‐Massey scheme, proposed by Vaudenay, is a modified structure in the International Data Encryption Algorithm cipher. A family of block ciphers, named FOX, were built on the Lai‐Massey scheme. Impossible differential cryptanalysis is a powerful technique used to recover the secret key of block ciphers. This paper studies the impossible differential cryptanalysis of the Lai‐Massey scheme with affine orthomorphism for the first time. Firstly, we prove that there always exist 4‐round impossible differentials of a Lai‐Massey cipher having a bijective F‐function. Such 4‐round impossible differentials can be used to help find 4‐round impossible differentials of FOX64 and FOX128. Moreover, we give some sufficient conditions to characterize the existence of 5‐, 6‐, and 7‐round impossible differentials of Lai‐Massey ciphers having a substitution‐permutation (SP) F‐function, and we observe that if Lai‐Massey ciphers having an SP F‐function use the same diffusion layer and orthomorphism as a FOX64, then there are indeed 5‐ and 6‐round impossible differentials. These results indicate that both the diffusion layer and orthomorphism should be chosen carefully so as to make the Lai‐Massey cipher secure against impossible differential cryptanalysis.

11.
This paper introduces new techniques and correct complexity analyses for impossible differential cryptanalysis, a powerful block cipher attack. We show how the key schedule of a cipher impacts an impossible differential attack, and we provide a new formula for the time complexity analysis that takes this parameter into account. Further, we show, for the first time, that the technique of multiple differentials can be applied to impossible differential attacks. Then, we demonstrate how this technique can be combined in practice with multiple impossible differentials or with the so-called state-test technique. To support our proposal, we implemented the above techniques on small-scale ciphers and verified their efficiency and accuracy in practice. We apply our techniques to the cryptanalysis of ciphers including AES-128, CRYPTON-128, ARIA-128, CLEFIA-128, Camellia-256 and LBlock. All of our attacks significantly improve previous impossible differential attacks and generally achieve the best memory complexity among all previous attacks against these ciphers.

12.
The GOST block cipher is the Russian encryption standard published in 1989. In spite of considerable cryptanalytic efforts over the past 20 years, a key recovery attack on the full GOST block cipher without any key conditions (e.g., weak keys and related keys) has not been published yet. In this paper, we show the first single-key attack, which works for all key classes, on the full GOST block cipher. To begin, we develop a new attack framework called Reflection-Meet-in-the-Middle Attack. This approach combines techniques of the reflection attack and the meet-in-the-middle (MITM) attack. Then we apply it to the GOST block cipher employing bijective S-boxes. In order to construct the full-round attack, we use additional novel techniques which are the effective MITM techniques using equivalent keys on a small number of rounds. As a result, a key can be recovered with a time complexity of 2^225 encryptions and 2^32 known plaintexts. Moreover, we show that our attack is applicable to the full GOST block cipher using any S-boxes, including non-bijective S-boxes.

13.
I-PRESENT was a lightweight SPN block cipher for resource-constraint environments such as RFID tags and sensor networks. The biclique structures of I-PRESENT with sieve-in-the-middle technique were constructed. The biclique cryptanalysis schemes on full-round I-PRESENT-80 and I-PRESENT-128 were proposed for the first time. The results show that the data complexity of the biclique cryptanalysis on I-PRESENT-80 and I-PRESENT-128 is 2^26 and 2^36 chosen ciphertexts respectively, and the time complexity on them is 2^79.48 and 2^127.33 encryptions respectively. The time and data complexity are better than that of the exhaustive attack. In addition, the time complexity on them can be reduced to 2^78.61 and 2^126.48 encryptions by using related-key technology of I-PRESENT.

14.
mCrypton, which is a mini‐version of Crypton, is a 64‐bit block cipher with three key size options (64 bits, 96 bits, 128 bits). It was designed for use in low‐cost ubiquitous wireless devices and resource‐constrained tiny devices such as low‐cost Radio‐Frequency Identification tags and sensors in Ubiquitous Sensor Network. In this paper we show that 8‐round mCrypton with 128‐bit key is vulnerable to related‐key rectangle attack. We first describe how to construct two related‐key truncated differentials on which 7‐round related‐key rectangle distinguisher is based and then we exploit it to attack 8‐round mCrypton. This attack requires 2^46 data and 2^46 time complexities, which is faster than exhaustive search. This is the first known cryptanalytic result on mCrypton. Copyright © 2009 John Wiley & Sons, Ltd.

15.
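The Eight-Sided Fortress (ESF) algorithm is a lightweight block cipher with a generalized Feistel structure that can be used in resource-constrained settings such as protecting radio-frequency identification (RFID) tags in the Internet of Things. Existing security research on the algorithm has mainly been impossible differential cryptanalysis. By studying the characteristics of the S-box in depth and combining them with the properties of the ESF key expansion algorithm, this paper studies the resistance of ESF to related-key impossible differential attacks. An 11-round related-key impossible differential distinguisher is constructed and extended by 2 rounds both forward and backward, successfully attacking 15-round ESF. The time complexity of the attack is 2^40.5 15-round encryptions, the data complexity is 2^61.5 chosen plaintexts, and 40 key bits are recovered. Compared with existing results, the number of rounds attacked increases while the time complexity decreases, and the data complexity is also satisfactory.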

16.
陈平  廖福成  卫宏儒 《通信学报》2014,35(2):23-193
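The resistance of the lightweight block cipher MIBS to related-key impossible differential cryptanalysis is studied. Using the properties of the MIBS-80 key schedule, a key differential characteristic is given and, combined with the selection of special plaintext-ciphertext pairs, a 10-round impossible differential is constructed. This impossible differential characteristic is extended to attack 14-round MIBS-80, and a complexity analysis is given. The attack requires a data complexity of 2^54 and a time complexity of 2^56.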

17.
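This paper studies the resistance of the Eight-Sided Fortress (ESF) algorithm to impossible differential cryptanalysis and linear cryptanalysis. ESF is a lightweight block cipher with a Feistel structure whose round function is a substitution-permutation (SP) structure. The paper first analyzes 12-round ESF with a new impossible differential distinguisher, and then analyzes 9-round ESF using linear cryptanalysis. The 12-round impossible differential cryptanalysis is calculated to have a data complexity of about O(2^67) and a time complexity of about O(2^110.7), while the 9-round linear cryptanalysis has a data complexity of only O(2^35) and a time complexity of no more than O(2^15.6). The results show that ESF is sufficiently resistant to impossible differential cryptanalysis, while its resistance to linear cryptanalysis is relatively weak.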

18.
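Related-key impossible differential attack on reduced-round LBlock   Total citations: 1, self-citations: 0, citations by others: 1
LBlock is a lightweight cipher designed by Wu Wenling et al. in 2011. Using a special related-key differential characteristic, this paper mounts a related-key impossible differential attack on 19-round LBlock; the computational complexity of the attack is O(2^70.0) and the amount of data required is 2^64. Furthermore, a related-key impossible differential attack on 21-round LBlock is proposed, with computational complexity O(2^71.5) and data amount 2^63.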

19.
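Square attack on the 3D cipher   Total citations: 5, self-citations: 1, citations by others: 4
The 3D cipher is a new block cipher proposed at CANS 2008; unlike earlier block ciphers, it uses a 3-dimensional structure. Based on the structural properties of the 3D cipher, this paper obtains new 5.25-round and 6.25-round Square distinguishers for it and re-evaluates its strength against the Square attack. The attack results show that the data complexity and time complexity of the new distinguishers for attacking 6-round 3D are better than existing results, and that they can also be applied to attacks on 7-round, 8-round and 9-round 3D.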

20.
RC5 is a block cipher that has several salient features such as adaptability to process different word lengths with a variable block size, a variable number of rounds and a variable‐length secret key. However, RC5 can be broken with various attacks such as correlation attack, timing attack, known plaintext correlation attack and differential attacks, revealing weak security. We aimed to enhance the RC5 block cipher to be more secure and efficient for real‐time applications while preserving its advantages. For this purpose, this article introduces a new approach based on strengthening both the confusion and diffusion operations by combining chaos and cryptographic primitive operations to produce round keys with better pseudo‐random sequences. Comparative security analysis and performance evaluation of the enhanced RC5 block cipher (ERC5) with RC5, RC6 and chaotic block cipher algorithm (CBCA) are addressed. Several test images are used for inspecting the validity of the encryption and decryption algorithms. The experimental results show the superiority of the suggested enhanced RC5 (ERC5) block cipher to image encryption algorithms such as RC5, RC6 and CBCA from the security analysis and performance evaluation points of view.