INTEGRAL DISTINGUISHERS OF JH AND GRØSTL-512

In December of 2010 NIST selected five SHA-3 finalists - BLAKE, Grøstl, JH, Keccak, and Skein to advance to the third (and final) round of the SHA-3 competition. At present most specialists and scholars focus on the design and the attacks on these hash functions. However, it is very significant to study some properties of their primitives and underlying permutations. Because some properties reflect the pseudo-randomness of the structures. Moreover, they help us to find new cryptanalysis for some block cipher structures. In this paper, we analyze the resistance of JH and Grøstl-512 against structural properties built on integral distinguishers. And then 31.5 (out of 42) rounds integral distinguishers for JH compression function and 11.5 (out of 14) rounds for Grøstl-512 compression function are presented.     

Improved Practical Attacks on Round-Reduced Keccak

The Keccak hash function is the winner of NIST’s SHA-3 competition, and so far it showed remarkable resistance against practical collision finding attacks: After several years of cryptanalysis and a lot of effort, the largest number of Keccak rounds for which actual collisions were found was only 2. In this paper, we develop improved collision finding techniques which enable us to double this number. More precisely, we can now find within a few minutes on a single PC actual collisions in the standard Keccak-224 and Keccak-256, where the only modification is to reduce their number of rounds to 4. When we apply our techniques to 5-round Keccak, we can get in a few days near collisions, where the Hamming distance is 5 in the case of Keccak-224 and 10 in the case of Keccak-256. Our new attack combines differential and algebraic techniques, and uses the fact that each round of Keccak is only a quadratic mapping in order to efficiently find pairs of messages which follow a high probability differential characteristic. Since full Keccak has 24 rounds, our attack does not threaten the security of the hash function.     

Practical Collisions for EnRUPT

The EnRUPT hash functions were proposed by O??Neil, Nohl and Henzen as candidates for the SHA-3 competition, organised by NIST. The proposal contains seven concrete hash functions, each with a different digest length. We present a practical collision attack on each of these seven EnRUPT variants. The time complexity of our attack varies from 2³⁶ to 2⁴⁰ round computations, depending on the EnRUPT variant, and the memory requirements are negligible. We demonstrate that our attack is practical by giving an actual collision example for EnRUPT-256.     

数字视频广播通用加扰算法的不可能差分分析

数字视频广播通用加扰算法(DVB-CSA)是一种混合对称加密算法,由分组密码加密和流密码加密两部分组成。该算法通常用于保护视讯压缩标准(MPEG-2)中的信号流。主要研究DVB-CSA分组加密算法(DVB-CSA-Block Cipher, CSA-BC)的不可能差分性质。通过利用S盒的具体信息,该文构造了CSA-BC的22轮不可能差分区分器,该区分器的长度比已有最好结果长2轮。进一步,利用构造的22轮不可能差分区分器,攻击了缩减的25轮CSA-BC,该攻击可以恢复24 bit种子密钥。攻击的数据复杂度、时间复杂度和存储复杂度分别为2^53.3个选择明文、2^32.5次加密和2²⁴个存储单元。对于CSA-BC的不可能差分分析,目前已知最好结果能够攻击21轮的CSA-BC并恢复16 bit的种子密钥量。就攻击的长度和恢复的密钥量而言,该文的攻击结果大大改进了已有最好结果。

     

Integral Cryptanalysis on Full MISTY1

MISTY1 is a block cipher designed by Matsui in 1997. It was well evaluated and standardized by projects, such as CRYPTREC, ISO/IEC, and NESSIE. In this paper, we propose a key recovery attack on the full MISTY1, i.e., we show that 8-round MISTY1 with 5 FL layers does not have 128-bit security. Many attacks against MISTY1 have been proposed, but there is no attack against the full MISTY1. Therefore, our attack is the first cryptanalysis against the full MISTY1. We construct a new integral characteristic by using the propagation characteristic of the division property, which was proposed in EUROCRYPT 2015. We first improve the division property by optimizing the division property for a public S-box and then construct a 6-round integral characteristic on MISTY1. Finally, we recover the secret key of the full MISTY1 with \(2^{63.58}\) chosen plaintexts and \(2^{121}\) time complexity. Moreover, if we use \(2^{63.994}\) chosen plaintexts, the time complexity for our attack is reduced to \(2^{108.3}\). Note that our cryptanalysis is a theoretical attack. Therefore, the practical use of MISTY1 will not be affected by our attack.     

对ARIA算法中间相遇攻击的改进

对ARIA算法的结构特征进行了研究,利用“多重集”并结合截断差分的性质,将预计算的参数由30个减少到16个,构造新的4轮中间相遇区分器,有效地改进了ARIA-192算法的7轮中间相遇攻击。新攻击的预计算复杂度为2135.3,时间复杂度约为2123。     

Making the Impossible Possible

This paper introduces new techniques and correct complexity analyses for impossible differential cryptanalysis, a powerful block cipher attack. We show how the key schedule of a cipher impacts an impossible differential attack, and we provide a new formula for the time complexity analysis that takes this parameter into account. Further, we show, for the first time, that the technique of multiple differentials can be applied to impossible differential attacks. Then, we demonstrate how this technique can be combined in practice with multiple impossible differentials or with the so-called state-test technique. To support our proposal, we implemented the above techniques on small-scale ciphers and verified their efficiency and accuracy in practice. We apply our techniques to the cryptanalysis of ciphers including AES-128, CRYPTON-128, ARIA-128, CLEFIA-128, Camellia-256 and LBlock. All of our attacks significantly improve previous impossible differential attacks and generally achieve the best memory complexity among all previous attacks against these ciphers.     

轻量级分组密码算法ESF的相关密钥不可能差分分析

八阵图算法(ESF)是一种具有广义Feistel结构的轻量级分组密码算法,可用在物联网环境下保护射频识别(RFID)标签等资源受限的环境中,目前对该算法的安全性研究主要为不可能差分分析。该文通过深入研究S盒的特点并结合ESF密钥扩展算法的性质,研究了ESF抵抗相关密钥不可能差分攻击的能力。通过构造11轮相关密钥不可能差分区分器,在此基础上前后各扩展2轮,成功攻击15轮ESF算法。该攻击的时间复杂度为2^40.5次15轮加密,数据复杂度为2^61.5个选择明文,恢复密钥比特数为40 bit。与现有结果相比,攻击轮数提高的情况下,时间复杂度降低,数据复杂度也较为理想。

     

Multidimensional Differential‐Linear Cryptanalysis of ARIA Block Cipher

ARIA is a 128‐bit block cipher that has been selected as a Korean encryption standard. Similar to AES, it is robust against differential cryptanalysis and linear cryptanalysis. In this study, we analyze the security of ARIA against differential‐linear cryptanalysis. We present five rounds of differential‐linear distinguishers for ARIA, which can distinguish five rounds of ARIA from random permutations using only 284.8 chosen plaintexts. Moreover, we develop differential‐linear attacks based on six rounds of ARIA‐128 and seven rounds of ARIA‐256. This is the first multidimensional differential‐linear cryptanalysis of ARIA and it has lower data complexity than all previous results. This is a preliminary study and further research may obtain better results in the future.     

对八阵图算法的不可能差分密码分析和线性密码分析

该文对八阵图(ESF)算法抵抗不可能差分密码分析和线性密码分析的能力进行了研究。ESF算法是一种具有Feistel结构的轻量级分组密码算法,它的轮函数为代换置换(SP)结构。该文首先用新的不可能差分区分器分析了12轮ESF算法,随后用线性密码分析的方法分析了9轮ESF算法。计算得出12轮不可能差分分析的数据复杂度大约为O(2⁶⁷),时间复杂度约为O(2^110.7),而9轮线性密码分析的数据复杂度仅为O(2³⁵),时间复杂度不大于O(2^15.6)。结果表明ESF算法足够抵抗不可能差分密码分析,而抵抗线性密码分析的能力相对较弱。     

基于混合整数线性规划的八阵图不可能差分分析

八阵图(ESF)是基于LBlock改进的轻量级分组密码,具有优良的软硬件实现效率。针对ESF算法的安全性,该文借助自动化搜索工具,利用不可能差分分析方法,对算法进行安全性评估。首先结合ESF的结构特性和$ S $盒的差分传播特性,建立了基于混合整数线性规划(MILP)的不可能差分搜索模型;其次利用算法 $ S $盒的差分传播特性和密钥扩展算法中轮子密钥间的相互关系,基于一条9轮不可能差分区分器,通过向前扩展2轮向后扩展4轮,实现了对ESF算法的15轮密钥恢复攻击。分析结果表明,该攻击的数据复杂度和时间复杂度分别为$ {2^{60.16}} $和 $ {2^{67.44}} $,均得到有效降低,且足够抵抗不可能差分分析。     

分组密码算法CTC的立方分析

立方攻击是在2009年欧洲密码年会上由Dinur和Shamir提出的一种新型密码分析方法,该方法旨在寻找密钥比特之间的线性关系。CTC(Courtois Toy Cipher)是N.Courtois设计的一种用于密码分析研究的分组密码算法,该算法的密钥长度、明文长度和迭代轮数都是可变的。文中利用立方攻击方法针对密钥长度为60bit的4轮CTC进行了分析,在选择明文攻击条件下,结合二次测试可恢复全部密钥,密钥恢复阶段仅需要不到2~10次加密算法。     

Improved impossible differential and biclique cryptanalysis of HIGHT

HIGHT is a lightweight block cipher introduced in CHES 2006 by Hong et al as a block cipher suitable for low‐resource applications. In this paper, we propose improved impossible differential and biclique attacks on HIGHT block cipher both exploiting the permutation‐based property of the cipher's key schedule algorithm as well as its low diffusion. For impossible differential attack, we found a new 17‐round impossible differential characteristic that enables us to propose a new 27‐round impossible differential attack. The total time complexity of the attack is 2^120.4 where an amount of 2^59.3 chosen plaintext‐ciphertext pairs and 2^107.4 memory are required. We also instantiate a new biclique cryptanalysis of HIGHT, which is based on the new idea of splitting each of the forward and backward keys into 2 parts where the computations associated to each one are performed independently. The time complexity and data complexity of this attack are 2^125.7 and 2⁴², respectively. To the best of our knowledge, this is the fastest biclique attack on full‐round HIGHT.     

Improved Cryptanalysis of AES-like Permutations

AES-based functions have attracted of a lot of analysis in the recent years, mainly due to the SHA-3 hash function competition. In particular, the rebound attack allowed to break several proposals and many improvements/variants of this method have been published. Yet, it remained an open question whether it was possible to reach one more round with this type of technique compared to the state-of-the-art. In this article, we close this open problem by providing a further improvement over the original rebound attack and its variants, that allows the attacker to control one more round in the middle of a differential path for an AES-like permutation. Our algorithm is based on lists merging as defined in (Naya-Plasencia in Advances in Cryptology: CRYPTO 2011, pp. 188–205, 2011) and we generalized the concept to non-full active truncated differential paths (Sasaki et al. in Lecture Notes in Computer Science, pp. 38–55, 2010). As an illustration, we applied our method to the internal permutations used in Grøstl, one of the five finalist hash functions of the SHA-3 competition. When entering this final phase, the designers tweaked the function so as to thwart attacks from Peyrin (Peyrin in Lecture Notes in Computer Science, pp. 370–392, 2010) that exploited relations between the internal permutations. Until our results, no analysis was published on Grøstl and the best results reached 8 and 7 rounds for the 256-bit and 512-bit versions, respectively. By applying our algorithm, we present new internal permutation distinguishers on 9 and 10 rounds, respectively.     

Cryptanalysis of mCrypton‐64

In recent years, because of the security requirements of resource‐constrained devices, design and analysis of lightweight block ciphers has received more attention. mCrypton is a lightweight block cipher that has been specifically designed for using in resource‐constrained devices, such as low‐cost radio‐frequency identification tags and sensors. In this paper, we consider cryptanalysis of full‐round mCrypton‐64 using a new extension of biclique attack called non‐isomorphic biclique cryptanalysis. As it is known, effectiveness of the biclique attack is highly dependent to the weakness of key schedule, and it does not seem to be appropriate for block ciphers with strong key scheduling. The non‐isomorphic biclique attack, using an asymmetric key partitioning technique, provides more degrees of freedom to the attacker and makes it possible to use the diffusion layer properties of a block cipher for constructing longer bicliques. Results show that the attack on full‐round mCrypton requires 2^33.9 chosen plaintexts and a time complexity of 2^62.67 encryptions. The computational complexity reduces to 2^62.3, 2^61.4, and 2^59.75 encryptions for 10, 8, and 6 rounds of mCrypton‐64, respectively. We also have a discussion on the general form of the computational complexity for non‐isomorphic biclique cryptanalysis. Copyright © 2014 John Wiley & Sons, Ltd.     

Quantum rebound attacks on reduced-round ARIA-based hash functions

ARIA is a block cipher proposed by Kwon et al. at ICISC 2003 that is widely used as the national standard block cipher in the Republic of Korea. Herein, we identify some flaws in the quantum rebound attack on seven-round ARIA-DM proposed by Dou et al. and reveal that the limit of this attack is up to five rounds. Our revised attack applies to not only ARIA-DM but also ARIA-MMO and ARIA-MP among the PGV models, and it is valid for all ARIA key lengths. Furthermore, we present dedicated quantum rebound attacks on seven-round ARIA-Hirose and ARIA-MJH for the first time. These attacks are only valid for the 256-bit key length of ARIA because they are constructed using the degrees of freedom in the key schedule. All our attacks are faster than the generic quantum attack in the cost metric of the time–space tradeoff.     

Information leakage of Feistel ciphers

We examine the information leakage between sets of plaintext and ciphertext bits in symmetric-key block ciphers. The paper demonstrates the effectiveness of information leakage as a measure of cipher security by relating information leakage to linear cryptanalysis and by determining a lower bound on the amount of data required in an attack from an upper bound on information leakage. As well, a model is developed which is used to estimate the upper bound on the information leakage of a general Feistel (1975) block cipher. For a cipher that fits the model well, the results of the analysis can be used as a measure in determining the number of rounds required for security against attacks based on information leakage. It is conjectured that the CAST-128 cipher fits the model well and using the model it is predicted that information leaked from 20 or fewer plaintext bits is small enough to make an attack on CAST-128 infeasible     

Cryptanalysis of Full RIPEMD-128

In this article we propose a new cryptanalysis method for double-branch hash functions and we apply it on the standard RIPEMD-128, greatly improving over previously known results on this algorithm. Namely, we are able to build a very good differential path by placing one nonlinear differential part in each computation branch of the RIPEMD-128 compression function, but not necessarily in the early steps. In order to handle the low differential probability induced by the nonlinear part located in later steps, we propose a new method for using the available freedom degrees, by attacking each branch separately and then merging them with free message blocks. Overall, we present the first collision attack on the full RIPEMD-128 compression function as well as the first distinguisher on the full RIPEMD-128 hash function. Experiments on reduced number of rounds were conducted, confirming our reasoning and complexity analysis. Our results show that 16-year-old RIPEMD-128, one of the last unbroken primitives belonging to the MD-SHA family, might not be as secure as originally thought.     

Cryptanalysis of full Skipjack block cipher

The first known cryptanalysis of the full 32 rounds of Skipjack, a symmetric-key block cipher, is presented. By exploiting its periodic key schedule, a complementation slide attack is mounted, requiring only 2 ^32.5 known texts and 2⁴⁴ encryptions. This result shows the importance of putting more emphasis on key schedule design     

Linearly weak keys of RC5 [private-key cipher]

The author examines the application of linear cryptanalysis to the RC5 private-key cipher and shows that there are expected to be weak keys for which the attack is applicable to many rounds. It is demonstrated that, for the 12-round nominal RC5 version with a 64 bit block size and a 128 bit key, there are 2²⁸ weak keys for which only ~2¹⁷ known plaintexts are required to break the cipher. There are 268 keys for which the cipher is theoretically breakable, requiring ~2⁵⁷ known plaintexts. The analysis highlights the sensitivity of RC5 security to its key scheduling algorithm