CLEFIA-128/192/256的不可能差分分析

对分组密码算法CLEFIA进行不可能差分分析.CLEFIA算法是索尼公司在2007年快速软件加密大会(FSE)上提出来的.结合新发现和新技巧,可有效过滤错误密钥,从而将算法设计者在评估报告中给出的对11圈CLEFIA-192/256的攻击扩展到11圈CLEFIA-128/192/256,复杂度为2103.1次加密和2103.1个明文.通过对明文附加更多限制条件,给出对12圈CLEFIA-128/192/256的攻击,复杂度为2119.1次加密和2119.1个明文.而且,引入一种新的生日筛法以降低预计算的时间复杂度.此外,指出并改正了Tsunoo等人对12圈CLEFIA的攻击中复杂度计算方面的错误.     

New impossible differential attacks on reduced-round Crypton

Crypton is a 128-bit block cipher which was submitted to the Advanced Encryption Standard competition. In this paper, we present two new impossible differential attacks to reduced-round Crypton. Using two new observations on the diffusion layer of Crypton, exploiting a 4-round impossible differential, and appropriately choosing three additional rounds, we mount the first impossible differential attack on 7-round Crypton. The proposed attacks require 2¹²¹ chosen plaintexts each. The first attack requires 2^125.2 encryptions. We then utilize more pre-computation and memory to reduce the time complexity to 2^116.2 encryptions in the second attack.     

Cryptanalysis of full PRIDE block cipher

PRIDE is a lightweight block cipher proposed at CRYPTO 2014 by Albrecht et al., who claimed that the construction of linear layers is efficient and secure. In this paper, we investigate the key schedule and find eight 2-round iterative related-key differential characteristics, which can be used to construct 18-round related-key differentials. A study of the first subkey derivation function reveals that there exist three weak-key classes, as a result of which all the differences of subkeys for each round are identical. For the weak-key classes, we also find eight 2-round iterative related-key differential characteristics. Based on one of the related-key differentials, we launch an attack on the full PRIDE block cipher. The data and time complexity are 2³⁹ chosen plaintexts and 2⁹² encryptions, respectively. Moreover, by using multiple related-key differentials, we improve the cryptanalysis, which then requires 2^41.6 chosen plaintexts and 2^42.7 encryptions, respectively. Finally, we use two 17-round related-key differentials to analyze full PRIDE, which requires 2³⁵ plaintexts and 2^54.7 encryptions. These are the first results on full PRIDE, and show that the PRIDE block cipher is not secure against related-key differential attack.     

Differential attack on nine rounds of the SEED block cipher

The SEED block cipher has a 128-bit block length, a 128-bit user key and a total number of 16 rounds. It is an ISO international standard. In this letter, we describe two 7-round differentials with a trivially larger probability than the best previously known one on SEED, and present a differential cryptanalysis attack on a 9-round reduced version of SEED. The attack requires a memory of 2^69.71 bytes, and has a time complexity of 2^126.36 encryptions with a success probability of 99.9% when using 2¹²⁵ chosen plaintexts, or a time complexity of 2^125.36 encryptions with a success probability of 97.8% when using 2¹²⁴ chosen plaintexts. Our result is better than any previously published cryptanalytic results on SEED in terms of the numbers of attacked rounds, and it suggests for the first time that the safety margin of SEED decreases below half of the number of rounds.     

对CRYPTON V1.0算法的积分攻击

CRYPTONV1.0密码是一个具有128比特分组长度、128比特密钥的分组密码。CRYP-TONV1.0密码的线性层是基于比特设计的,因而传统的积分攻击无法对其进行分析。本文对CRYP-TONV1.0密码进行分析,从比特的层面上寻找平衡性,得到了一个3轮积分区分器,区分器的可靠性在PC机上进行了验证,该区分器需要1024个明文将3轮CRYPTONV1.0与随机置换区分开来,并且所得密文的每一比特都是平衡的。基于该区分器,对低轮CRYPTONV1.0密码进行了攻击,结果表明,攻击4轮CRYPTONV1.0密码的数据复杂度为211,时间复杂度为223,攻击5轮的数据复杂度为212.4,时间复杂度为253。     

Security analysis of the full-round DDO-64 block cipher

DDO-64 is a 64-bit Feistel-like block cipher based on data-dependent operations (DDOs). It is composed of 8 rounds and uses a 128-bit key. There are two versions of DDO-64, named DDO-64V₁ and DDO-64V₂, according to the key schedule. They were designed under an attempt for improving the security and performance of DDP-based ciphers. In this paper, however, we show that like most of the existing DDP-based ciphers, DDO-64V₁ and DDO-64V₂ are also vulnerable to related-key attacks. The attack on DDO-64V₁ requires 2^35.5 related-key chosen plaintexts and 2^63.5 encryptions while the attack on DDO-64V₂ only needs 8 related-key chosen plaintexts and 2³¹ encryptions; our attacks are both mainly due to their simple key schedules and structural weaknesses. These works are the first known cryptanalytic results on DDO-64V₁ and DDO-64V₂ so far.     

Differential Attack on Five Rounds of the SC2000 Block Cipher<Superscript>*</Superscript>

The SC2000 block cipher has a 128-bit block size and a user key of 128,192 or 256 bits,which employs a total of 6.5 rounds if a 128-bit user key is used.It is a CRYPTREC recommended e-government cipher in Japan.In this paper we address how to recover the user key from a few subkey bits of SC2000,and describe two 4.75-round differential characteristics with probability 2-126 of SC2000 and seventy-six 4.75-round differential characteristics with probability 2-127.Finally,we present a differential cryptanalysis attack on a 5-round reduced version of SC2000 when used with a 128-bit key;the attack requires 2-125.68 chosen plaintexts and has a time complexity of 2 125.75 5-round SC2000 encryptions.The attack does not threat the security of the full SC2000 cipher,but it suggests for the first time that the safety margin of SC2000 with a 128-bit key decreases below one and a half rounds.     

Automatic search method for multiple differentials and its application on MANTIS

Rijndael is a substitution-permutation network (SPN) block cipher for the AES development process. Its block and key sizes range from 128 to 256 bits in steps of 32 bits, which can be denoted by Rijndael-b-k, where b and k are the block and key sizes, respectively. Among them, Rijndael-128-128/192/256, that is, AES, has been studied by many researchers, and the security of other large-block versions of Rijndael has been exploited less frequently. However, more attention has been paid to large-block versions of block ciphers with the fast development of quantum computers. In this paper, we propose improved impossible differential attacks on 10-round Rijndael-256-256, 10-round Rijndael-224-256, and 9-round Rijndael-224-224 using precomputation tables, redundancies of key schedules, and multiple impossible differentials. For 10-round Rijndael-256-256, the data, time, and memory complexities of our attack were approximately 2^244.4 chosen plaintexts, 2^240.1 encryptions, and 2^181.4 blocks, respectively. For 10-round Rijndael-224-256, the data, time, and memory complexities of our attack were approximately 2^214.4 chosen plaintexts, 2^241.3 encryptions, and 2^183.4 blocks, respectively. For 9-round Rijndael-224-224, the data, time, and memory complexities of our attack are approximately 2^214.4 chosen plaintexts, 2^113.4 encryptions, and 2^87.4 blocks, respectively, or 2^206.6 chosen plaintexts, 2^153.6 encryptions, and 2^111.6 blocks, respectively. To the best of our knowledge, our results are currently the best on Rijndael-256-256 and Rijndael-224-224/256.

     

7轮ARIA-256的不可能差分新攻击

如何针对分组密码标准ARIA给出新的安全性分析是当前的研究热点。基于ARIA的算法结构,利用中间相遇的思想设计了一个新的4轮不可能差分区分器。基于该区分器,结合ARIA算法特点,在前面加2轮,后面加1轮,构成7轮ARIA-256的新攻击。研究结果表明：攻击7轮ARIA-256所需的数据复杂度约为2120选择明文数据量,所需的时间复杂度约为2219次7轮ARIA-256加密。与已有的7轮ARIA-256不可能差分攻击结果相比较,新攻击进一步地降低了所需的数据复杂度和时间复杂度。     

对SMS4密码算法改进的差分攻击

差分分析和线性分析是重要的密码算法分析工具.多年来,很多研究者致力于改善这两种攻击方法.Achiya Bar-On等人提出了一种方法,能够使攻击者对部分状态参与非线性变换的SPN结构的密码算法进行更多轮数的差分分析和线性分析.这种方法使用了两个辅助矩阵,其目的就是更多地利用密码算法中线性层的约束,从而能攻击更多轮数.将这种方法应用到中国密码算法SMS4的多差分攻击中,获得了一个比现有攻击存储复杂度更低和数据复杂度更少的攻击结果.在成功概率为0.9时,实施23轮的SMS4密钥恢复攻击需要2^113.5个明文,时间复杂度为2^126.7轮等价的23轮加密.这是目前为止存储复杂度最低的攻击,存储复杂度为2¹⁷个字节.     

Collision attack on reduced-round Camellia

Camellia is the final winner of 128-bit block cipher in NESSIE. In this paper, we construct some efficient distinguishers between 4-round Camellia and a random permutation of the blocks space. By using collision-searching techniques, the distinguishers are used to attack on 6, 7, 8 and 9 rounds of Camellia with 128-bit key and 8, 9 and 10 rounds of Camellia with 192/256-bit key. The 128-bit key of 6 rounds Camellia can be recovered with 210 chosen plaintexts and 215 encryptions. The 128-bit key of 7 rounds Camellia can be recovered with 212 chosen plaintexts and 254.5 encryptions. The 128-bit key of 8 rounds Camellia can be recovered with 213 chosen plaintexts and 2112.1 encryptions. The 128-bit key of 9 rounds Camellia can be recovered with 2113.6 chosen plaintexts and 2121 encryptions. The 192/256-bit key of 8 rounds Camellia can be recovered with 213 chosen plaintexts and 2111.1 encryptions. The 192/256-bit key of 9 rounds Camellia can be recovered with 213 chosen plaintexts and 2175.6 encryptions. Th     

New related-key rectangle attacks on reduced AES-192 and AES-256

In this paper, we examine the security of reduced AES-192 and AES-256 against related-key rectangle attacks by exploiting the weakness in the AES key schedule. We find the following two new attacks: 9-round reduced AES-192 with 4 related keys, and 10-round reduced AES-256 with 4 related keys. Our results show that related-key rectangle attack with 4 related keys on 9-round reduced AES-192 requires a data complexity of about 2¹⁰¹ chosen plaintexts and a time complexity of about 2^174.8 encryptions, and moreover, related-key rectangle attack with 4 related keys on 10-round reduced AES-256 requires a data complexity of about 2^97.5 chosen plaintexts and a time complexity of about 2²⁵⁴ encryptions. These attacks are the first known attacks on 9-round reduced AES-192 and 10-round reduced AES-256 with only 4 related keys. Furthermore, we give an improvement of the 10-round reduced AES-192 attack presented at FSE2007, which reduces both the data complexity and the time complexity. Supported by the National Natural Science Foundation of China (Grant No. 60673072), and the National Basic Research Program of China (Grant No. 2007CB311201)     

概率积分及其在PUFFIN算法中的应用

积分分析是一种针对分组密码十分有效的分析方法,其通常利用密文某些位置的零和性质构造积分区分器.基于高阶差分理论,可通过研究密文与明文之间多项式的代数次数来确定密文某些位置是否平衡.从传统的积分分析出发,首次考虑常数对多项式首项系数的影响,提出了概率积分分析方法,并将其应用于PUFFIN算法的安全性分析.针对PUFFIN算法,构造了7轮概率积分区分器,比已有最好的积分区分器轮数长1轮.进一步,利用构造的概率积分区分器,对9轮PUFFIN算法进行密钥恢复攻击.该攻击可恢复92比特轮密钥,攻击的数据复杂度为2^24.8个选择明文,时间复杂度为2^35.48次9轮算法加密,存储复杂度为2²⁰个存储单元.     

10轮Midori128的中间相遇攻击

轻量级分组密码由于软硬件实现代价小且功耗低,被广泛地运用资源受限的智能设备中保护数据的安全。Midori是在2015年亚密会议上发布的轻量级分组密码算法,分组长度分为64 bit和128 bit两种,分别记为Midori64和Midori128,目前仍没有Midori128抵抗中间相遇攻击的结果。通过研究Midori128算法基本结构和密钥编排计划特点,结合差分枚举和相关密钥筛选技巧构造了一条7轮中间相遇区分器。再在此区分器前端增加一轮,后端增加两轮,利用时空折中的方法,提出对10轮的Midori128算法的第一个中间相遇攻击,整个攻击需要的时间复杂度为2126.5次10轮Midori128加密,数据复杂度为2125选择明文,存储复杂度2105 128-bit块,这是首次对Midori128进行了中间相遇攻击。     

Differential cryptanalysis of eight-round SEED

Block Cipher SEED is one of the standard 128-bit block ciphers of ISO/IEC together with AES and Camellia (Aoki et al., 2000, ISO/IEC 18033-3, 2005; Korea Information Security Agency, 1999; National Institute of Standards and Technology, 2001) [1], [4], [5] and [6]. Since SEED had been developed, there is no distinguishing cryptanalysis except a 7-round differential attack in 2002 [7]. For this, they used the six-round differential characteristics with probability ²−124 and analyzed seven-round SEED with 2¹²⁶ chosen plaintexts. In this paper, we propose a new seven-round differential characteristic with probability ²−122 and analyze eight-round SEED with 2¹²⁵ chosen plaintexts. The attack requires about 2¹²² eight-round encryptions. This is the best-known attack on a reduced version of SEED so far.     

Security analysis of the SCO-family using key schedules

The COS-based ciphers SCO-1, SCO-2 and SCO-3 (called the SCO-family) have been designed to improve the security of DDP-based ciphers which are all broken by related-key attacks. In this paper we show that the SCO-family is still vulnerable to related-key attacks: we present related-key differential attacks on a full-round SCO-1, a full-round SCO-2 and an 11-round reduced SCO-3, respectively. The attack on SCO-1 requires 2⁶¹ related-key chosen ciphertexts and 2^120.59 full-round SCO-1 decryptions. For the attack on SCO-2, we require 2⁵⁹ related-key chosen plaintexts and 2^118.42 full-round SCO-2 encryptions, and the 11-round attack on SCO-3 works with 2⁵⁸ related-key chosen plaintexts and 2^117.54 11-round SCO-3 encryptions. This work is the first known cryptanalytic results on the SCO-family.     

Security of the SMS4 Block Cipher Against Differential Cryptanalysis

SMS4 is a 128-bit block cipher used in the WAPI standard for wireless networks in China.In this paper,we analyze the security of the SMS4 block cipher against differential cryptanalysis.Firstly,we prove three theorems and one corollary that reflect relationships of 5- and 6-round SMS4.Next,by these relationships,we clarify the minimum number of active S-boxes in 6-,7- and 12-round SMS4 respectively.Finally,based on the above results,we present a family of about 2¹⁴ differential characteristics for 19-round SMS4,which leads to an attack on 23-round SMS4 with 2¹¹⁸ chosen plaintexts and 2^126.7 encryptions.     

对DES的Rectangle攻击和Boomerang攻击

作为加密标准,DES(data encryption standard)算法虽然已被AES(advanced encryption standard)算法所取代,但其仍有着不可忽视的重要作用.在一些领域,尤其是金融领域,DES和Triple DES仍被广泛使用着.而近年来又提出了一些新的密码分析方法,其中,Rectangle攻击和Boomerang攻击已被证明是非常强大而有效的.因此,有必要重新评估DES算法抵抗这些新分析方法的能力.研究了DES算法针对Rectangle攻击和Boomerang攻击的安全性.利用DES各轮最优差分路径及其概率,分别得到了对12轮DES的Rectangle攻击和对11轮DES的Boomerang攻击.攻击结果分别为:利用Rectangle攻击可以攻击到12轮DES,数据复杂度为2~(62)个选择明文,时间复杂度为2~(42)次12轮加密;利用Boomerang攻击可以攻击到11轮DES,数据复杂度为2~(58)个适应性选择明密文,时间复杂度为2~(38)次11轮加密.由于使用的都是DES各轮的最优差分路径,所以可以相信,该结果是Rectangle攻击和Boomerang攻击对DES所能达到的最好结果.     

ESF算法的相关密钥不可能差分分析

ESF算法是一种具有广义Feistel结构的32轮迭代型轻量级分组密码。为研究ESF算法抵抗不可能差分攻击的能力,首次对ESF算法进行相关密钥不可能差分分析,结合密钥扩展算法的特点和轮函数本身的结构,构造了两条10轮相关密钥不可能差分路径。将一条10轮的相关密钥不可能差分路径向前向后分别扩展1轮和2轮,分析了13轮ESF算法,数据复杂度是260次选择明文对,计算量是223次13轮加密,可恢复18 bit密钥。将另一条10轮的相关密钥不可能差分路径向前向后都扩展2轮,分析了14轮ESF算法,数据复杂度是262选择明文对,计算复杂度是243.95次14轮加密,可恢复37 bit密钥。     

Rijndael-256算法的中间相遇攻击

根据Rijndael密码的算法结构,构造一个新的5轮相遇区分器：若输入状态的第一个字节可变动,而余下字节固定不变,则通过5轮加密后,算法输出的每个字节差分值均可由输入状态的第一个字节值及25个常量字节以概率2-96确定。基于该区分器,给出一种针对9轮Rijndael-256的中间相遇攻击。分析结果表明,该攻击的数据复杂度约为2128个选择明文数据量,时间复杂度约为2211.6次9轮Rijndael- 256加密。