Differential Attack on Five Rounds of the SC2000 Block Cipher<Superscript>*</Superscript>

The SC2000 block cipher has a 128-bit block size and a user key of 128,192 or 256 bits,which employs a total of 6.5 rounds if a 128-bit user key is used.It is a CRYPTREC recommended e-government cipher in Japan.In this paper we address how to recover the user key from a few subkey bits of SC2000,and describe two 4.75-round differential characteristics with probability 2-126 of SC2000 and seventy-six 4.75-round differential characteristics with probability 2-127.Finally,we present a differential cryptanalysis attack on a 5-round reduced version of SC2000 when used with a 128-bit key;the attack requires 2-125.68 chosen plaintexts and has a time complexity of 2 125.75 5-round SC2000 encryptions.The attack does not threat the security of the full SC2000 cipher,but it suggests for the first time that the safety margin of SC2000 with a 128-bit key decreases below one and a half rounds.     

ESF算法的不可能差分密码分析

分析研究了分组密码算法ESF抵抗不可能差分的能力,使用8轮不可能差分路径,给出了相关攻击结果。基于一条8轮的不可能差分路径,根据轮密钥之间的关系,通过改变原有轮数扩展和密钥猜测的顺序,攻击了11轮的ESF,改善了关于11轮的ESF的不可能差分攻击的结果。计算结果表明:攻击11轮的ESF所需要的数据复杂度为O(2⁵³),时间复杂度为O(2³²),同时也说明了11轮的ESF对不可能差分是不免疫的。     

New impossible differential attacks on reduced-round Crypton

Crypton is a 128-bit block cipher which was submitted to the Advanced Encryption Standard competition. In this paper, we present two new impossible differential attacks to reduced-round Crypton. Using two new observations on the diffusion layer of Crypton, exploiting a 4-round impossible differential, and appropriately choosing three additional rounds, we mount the first impossible differential attack on 7-round Crypton. The proposed attacks require 2¹²¹ chosen plaintexts each. The first attack requires 2^125.2 encryptions. We then utilize more pre-computation and memory to reduce the time complexity to 2^116.2 encryptions in the second attack.     

Related-Key Impossible Diferential Attack on Reduced-Round LBlock简

LBlock is a 32-round lightweight block cipher with 64-bit block size and 80-bit key. This paper identifies 16- round related-key impossible differentials of LBlock, which are better than the 15-round related-key impossible differentials used in the previous attack. Based on these 16-round related-key impossible differentials, we can attack 23 rounds of LBlock while the previous related-key impossible differential attacks could only work on 22-round LBlock. This makes our attack on LBlock the best attack in terms of the number of attacked rounds.     

Automatic search method for multiple differentials and its application on MANTIS

Rijndael is a substitution-permutation network (SPN) block cipher for the AES development process. Its block and key sizes range from 128 to 256 bits in steps of 32 bits, which can be denoted by Rijndael-b-k, where b and k are the block and key sizes, respectively. Among them, Rijndael-128-128/192/256, that is, AES, has been studied by many researchers, and the security of other large-block versions of Rijndael has been exploited less frequently. However, more attention has been paid to large-block versions of block ciphers with the fast development of quantum computers. In this paper, we propose improved impossible differential attacks on 10-round Rijndael-256-256, 10-round Rijndael-224-256, and 9-round Rijndael-224-224 using precomputation tables, redundancies of key schedules, and multiple impossible differentials. For 10-round Rijndael-256-256, the data, time, and memory complexities of our attack were approximately 2^244.4 chosen plaintexts, 2^240.1 encryptions, and 2^181.4 blocks, respectively. For 10-round Rijndael-224-256, the data, time, and memory complexities of our attack were approximately 2^214.4 chosen plaintexts, 2^241.3 encryptions, and 2^183.4 blocks, respectively. For 9-round Rijndael-224-224, the data, time, and memory complexities of our attack are approximately 2^214.4 chosen plaintexts, 2^113.4 encryptions, and 2^87.4 blocks, respectively, or 2^206.6 chosen plaintexts, 2^153.6 encryptions, and 2^111.6 blocks, respectively. To the best of our knowledge, our results are currently the best on Rijndael-256-256 and Rijndael-224-224/256.

     

Key recovery attack for PRESENT using slender-set linear cryptanalysisPRESENT 算法的 slender 集线性密钥恢复攻击

In this paper, we propose a new n-round key recovery attack using modified slender-set linear cryptanalysis on PRESENT-like cipher with public S-boxes. In our attack, an effective method for distinguishing the right key from the wrong ones is presented. We apply our attack to PRESENT-80. The experiments show that we can recover the entire 80 key bits of 12-rounds PRESENT-80 with 2{sn32} data complexity, 2³⁶ time complexity, and negligible memory complexity. Furthermore, we investigate an (n+1)-round attack by extending the n-round key recovery attack. Our method can be used in most PRESENT-like ciphers where the linear layer is a bit-wise permutation.     

CLEFIA-128/192/256的不可能差分分析

对分组密码算法CLEFIA进行不可能差分分析.CLEFIA算法是索尼公司在2007年快速软件加密大会(FSE)上提出来的.结合新发现和新技巧,可有效过滤错误密钥,从而将算法设计者在评估报告中给出的对11圈CLEFIA-192/256的攻击扩展到11圈CLEFIA-128/192/256,复杂度为2103.1次加密和2103.1个明文.通过对明文附加更多限制条件,给出对12圈CLEFIA-128/192/256的攻击,复杂度为2119.1次加密和2119.1个明文.而且,引入一种新的生日筛法以降低预计算的时间复杂度.此外,指出并改正了Tsunoo等人对12圈CLEFIA的攻击中复杂度计算方面的错误.     

Midori-64算法的截断不可能差分分析

分析了Midori-64算法在截断不可能差分攻击下的安全性.首先,通过分析Midori算法加、解密过程差分路径规律,证明了Midori算法在单密钥条件下的截断不可能差分区分器至多6轮,并对6轮截断不可能差分区分器进行了分类;其次,根据分类结果,构造了一个6轮区分器,并给出11轮Midori-64算法的不可能差分分析,恢复了128比特主密钥,其时间复杂度为2^121.4,数据复杂度为2^60.8,存储复杂度为2^96.5.     

Cryptanalysis of full PRIDE block cipher

PRIDE is a lightweight block cipher proposed at CRYPTO 2014 by Albrecht et al., who claimed that the construction of linear layers is efficient and secure. In this paper, we investigate the key schedule and find eight 2-round iterative related-key differential characteristics, which can be used to construct 18-round related-key differentials. A study of the first subkey derivation function reveals that there exist three weak-key classes, as a result of which all the differences of subkeys for each round are identical. For the weak-key classes, we also find eight 2-round iterative related-key differential characteristics. Based on one of the related-key differentials, we launch an attack on the full PRIDE block cipher. The data and time complexity are 2³⁹ chosen plaintexts and 2⁹² encryptions, respectively. Moreover, by using multiple related-key differentials, we improve the cryptanalysis, which then requires 2^41.6 chosen plaintexts and 2^42.7 encryptions, respectively. Finally, we use two 17-round related-key differentials to analyze full PRIDE, which requires 2³⁵ plaintexts and 2^54.7 encryptions. These are the first results on full PRIDE, and show that the PRIDE block cipher is not secure against related-key differential attack.     

MIBS-64算法的三子集中间相遇攻击

MIBS算法于2009年在CANS会议上提出,是一个32轮Feistel结构、64比特分组长度以及包含64比特、80比特两种主密钥长度的轻量级分组密码.针对该算法密钥编排中第1轮到第11轮子密钥之间存在部分重复和等价关系,本文首次完成了MIBS-64的11轮三子集中间相遇攻击,数据复杂度为2^[47],存储复杂度为2^[47]64-bit,时间复杂度为2^[62.25]次11轮加密.与目前已有的对MIBS-64算法的中间相遇攻击相比,将攻击轮数由10轮扩展至11轮,刷新了该算法在中间相遇攻击下的安全性评估结果.     

对SMS4密码算法改进的差分攻击

差分分析和线性分析是重要的密码算法分析工具.多年来,很多研究者致力于改善这两种攻击方法.Achiya Bar-On等人提出了一种方法,能够使攻击者对部分状态参与非线性变换的SPN结构的密码算法进行更多轮数的差分分析和线性分析.这种方法使用了两个辅助矩阵,其目的就是更多地利用密码算法中线性层的约束,从而能攻击更多轮数.将这种方法应用到中国密码算法SMS4的多差分攻击中,获得了一个比现有攻击存储复杂度更低和数据复杂度更少的攻击结果.在成功概率为0.9时,实施23轮的SMS4密钥恢复攻击需要2^113.5个明文,时间复杂度为2^126.7轮等价的23轮加密.这是目前为止存储复杂度最低的攻击,存储复杂度为2¹⁷个字节.     

Robin算法改进的6轮不可能差分攻击

Robin算法是Grosso等人在2014年提出的一个分组密码算法。研究该算法抵抗不可能差分攻击的能力。利用中间相错技术构造一条新的4轮不可能差分区分器,该区分器在密钥恢复阶段涉及到的轮密钥之间存在线性关系,在构造的区分器首尾各加一轮,对6轮Robin算法进行不可能差分攻击。攻击的数据复杂度为2118.8个选择明文,时间复杂度为293.97次6轮算法加密。与已有最好结果相比,在攻击轮数相同的情况下,通过挖掘轮密钥的信息,减少轮密钥的猜测量,进而降低攻击所需的时间复杂度,该攻击的时间复杂度约为原来的2?8。     

Differential attack on nine rounds of the SEED block cipher

The SEED block cipher has a 128-bit block length, a 128-bit user key and a total number of 16 rounds. It is an ISO international standard. In this letter, we describe two 7-round differentials with a trivially larger probability than the best previously known one on SEED, and present a differential cryptanalysis attack on a 9-round reduced version of SEED. The attack requires a memory of 2^69.71 bytes, and has a time complexity of 2^126.36 encryptions with a success probability of 99.9% when using 2¹²⁵ chosen plaintexts, or a time complexity of 2^125.36 encryptions with a success probability of 97.8% when using 2¹²⁴ chosen plaintexts. Our result is better than any previously published cryptanalytic results on SEED in terms of the numbers of attacked rounds, and it suggests for the first time that the safety margin of SEED decreases below half of the number of rounds.     

7轮ARIA-256的不可能差分新攻击

如何针对分组密码标准ARIA给出新的安全性分析是当前的研究热点。基于ARIA的算法结构,利用中间相遇的思想设计了一个新的4轮不可能差分区分器。基于该区分器,结合ARIA算法特点,在前面加2轮,后面加1轮,构成7轮ARIA-256的新攻击。研究结果表明：攻击7轮ARIA-256所需的数据复杂度约为2120选择明文数据量,所需的时间复杂度约为2219次7轮ARIA-256加密。与已有的7轮ARIA-256不可能差分攻击结果相比较,新攻击进一步地降低了所需的数据复杂度和时间复杂度。     

ESF算法的相关密钥不可能差分分析

ESF算法是一种具有广义Feistel结构的32轮迭代型轻量级分组密码。为研究ESF算法抵抗不可能差分攻击的能力,首次对ESF算法进行相关密钥不可能差分分析,结合密钥扩展算法的特点和轮函数本身的结构,构造了两条10轮相关密钥不可能差分路径。将一条10轮的相关密钥不可能差分路径向前向后分别扩展1轮和2轮,分析了13轮ESF算法,数据复杂度是260次选择明文对,计算量是223次13轮加密,可恢复18 bit密钥。将另一条10轮的相关密钥不可能差分路径向前向后都扩展2轮,分析了14轮ESF算法,数据复杂度是262选择明文对,计算复杂度是243.95次14轮加密,可恢复37 bit密钥。     

SNAKE(2)分组密码的积分攻击

针对目前对SNAKE算法的安全性分析主要是插值攻击及不可能差分攻击,评估了SNAKE(2)算法对积分攻击的抵抗能力。利用高阶积分的思想,构造了一个8轮区分器,利用该区分器,对SNAKE(2)算法进行了9轮、10轮积分攻击。攻击结果表明,SNAKE(2)算法对10轮积分攻击是不免疫的。     

简化轮LBlock的密钥中比特检测及分析

LBlock密码算法是近来提出的一类轻量级分组加密算法。利用LBlock算法的结构特点,结合立方检测的基本思想,设计2个密钥中比特捕获算法,对LBlock算法输出所涉及的密钥比特个数情况进行分析。9轮简化LBlock的每个输出比特全部卷入所有的主密钥比特信息,在18维立方变元下,11轮简化LBlock的输出累加中每个比特全部卷入所有的主密钥比特信息。上述2轮简化LBlock均不存在密钥中比特。研究结果表明,全轮LBlock密码算法具有稳固的密钥信息扩散及混淆性,足以抵抗经典立方攻击。     

概率积分及其在PUFFIN算法中的应用

积分分析是一种针对分组密码十分有效的分析方法,其通常利用密文某些位置的零和性质构造积分区分器.基于高阶差分理论,可通过研究密文与明文之间多项式的代数次数来确定密文某些位置是否平衡.从传统的积分分析出发,首次考虑常数对多项式首项系数的影响,提出了概率积分分析方法,并将其应用于PUFFIN算法的安全性分析.针对PUFFIN算法,构造了7轮概率积分区分器,比已有最好的积分区分器轮数长1轮.进一步,利用构造的概率积分区分器,对9轮PUFFIN算法进行密钥恢复攻击.该攻击可恢复92比特轮密钥,攻击的数据复杂度为2^24.8个选择明文,时间复杂度为2^35.48次9轮算法加密,存储复杂度为2²⁰个存储单元.     

Improved Linear Cryptanalysis of CAST-256

CAST-256, a first-round AES (Advanced Encryption Standard) candidate, is designed based on CAST-128. It is a 48-round Generalized-Feistel-Network cipher with 128-bit block accepting 128, 160, 192, 224 ...     

A new impossible differential attack on SAFER ciphers

This paper presents an improved impossible differential cryptanalysis of SAFER ciphers, which uses the miss-in-the-middle technique developed by Biham et al. We analyze 3.75-round SAFER SK-64,¹ using 2⁴⁵ chosen plaintexts, 2³⁸ bytes memory and 2⁴² half round computations. Furthermore, the new impossible differential attack on 3.75-round SAFER+/128 uses 2⁷⁸ chosen plaintexts, 2⁷⁵ half round computations and 2⁶⁸ bytes memory. And attack on 3.75-round SAFER++/128 uses 2⁷⁸ data, 2⁶⁶ time, and 2⁶² memory.