Similar Literature
1.
Impossible differential cryptanalysis is a key-recovery method that discards the keys satisfying impossible differential relations. This paper concentrates on the impossible differential cryptanalysis of the Advanced Encryption Standard (AES) and presents two methods for impossible differential cryptanalysis of 7-round AES-192 and 8-round AES-256, combined with a time-memory trade-off, by exploiting weaknesses in their key schedules. The attack on 7-round AES-192 requires about 2^94.5 chosen plaintexts, 2^129 words of memory, and 2^157 7-round AES-192 encryptions. The attack on 8-round AES-256 requires about 2^101 chosen plaintexts, 2^201 words of memory, and 2^228 8-round AES-256 encryptions.

2.
The block cipher SEED is one of the standard 128-bit block ciphers of ISO/IEC, together with AES and Camellia (Aoki et al., 2000; ISO/IEC 18033-3, 2005; Korea Information Security Agency, 1999; National Institute of Standards and Technology, 2001) [1], [4], [5], [6]. Since SEED was developed, there has been no distinguishing cryptanalysis except a 7-round differential attack in 2002 [7], which used a six-round differential characteristic with probability 2^-124 to analyze seven-round SEED with 2^126 chosen plaintexts. In this paper, we propose a new seven-round differential characteristic with probability 2^-122 and analyze eight-round SEED with 2^125 chosen plaintexts. The attack requires about 2^122 eight-round encryptions. This is the best-known attack on a reduced version of SEED so far.

3.
In this paper we study the security of the Advanced Encryption Standard (AES) and AES-like block ciphers against differential cryptanalysis. Differential cryptanalysis is one of the most powerful methods for analyzing the security of block ciphers. Even though no formal proofs for the security of AES against differential cryptanalysis have been provided to date, some attempts to compute the maximum expected differential probability (MEDP) for two and four rounds of AES have been presented recently. In this paper, we improve upon existing approaches in order to derive better bounds on the EDP for two and four rounds of AES based on a slightly simplified S-box. More precisely, we are able to provide the complete distribution of the EDP for two rounds of this AES variant with five active S-boxes, and methods to improve the estimates for the EDP in the case of six active S-boxes.

4.
ESF is a 32-round iterated lightweight block cipher with a generalized Feistel structure. To study the resistance of ESF to impossible differential attacks, this paper presents the first related-key impossible differential analysis of ESF. By combining the properties of the key schedule with the structure of the round function, two 10-round related-key impossible differential paths are constructed. Extending one 10-round path by 1 round forward and 2 rounds backward gives an analysis of 13-round ESF with a data complexity of 2^60 chosen-plaintext pairs and a time complexity of 2^23 13-round encryptions, recovering 18 key bits. Extending the other 10-round path by 2 rounds in each direction gives an analysis of 14-round ESF with a data complexity of 2^62 chosen-plaintext pairs and a time complexity of 2^43.95 14-round encryptions, recovering 37 key bits.

5.
Simplified AES was developed in 2003 as a teaching tool to help students understand AES. It was designed so that the two primary attacks on symmetric-key block ciphers of that time, differential cryptanalysis and linear cryptanalysis, are not trivial on simplified AES. Algebraic cryptanalysis is a technique that uses modern equation solvers to attack cryptographic algorithms. We use algebraic cryptanalysis to attack simplified AES.

6.
Impossible differential cryptanalysis is one of the conventional methods in the field of block cipher cryptanalysis. In this paper, a general model of an impossible differential attack is introduced. Then, according to this model, the concept of an ideal impossible differential attack is defined, and it is proven that the time complexity of an ideal attack depends only on the number of round key bits involved in the attack.

7.
The differential-algebraic attack is a new attack method that combines the ideas of differential cryptanalysis and algebraic attacks. Differential cryptanalysis and algebraic attacks are both among the most effective attacks on the Advanced Encryption Standard (AES). This paper analyzes how the differential-algebraic method can be applied to AES and applies it successfully to attack 5-round AES-256, making the attack more efficient than exhaustive search.

8.
Walsh spectrum analysis of AES Boolean functions
The Rijndael algorithm, the Advanced Encryption Standard, was designed to resist existing attacks such as differential and linear cryptanalysis. This paper starts from a different angle, Boolean functions, and uses Walsh spectrum theory to analyze the cryptographic properties of the AES S-box: linearity, nonlinearity, the strict avalanche criterion, propagation characteristics, and correlation immunity, revealing the security of the AES S-box from a theoretical standpoint.

9.
PRINCE is a lightweight block cipher proposed by J. Borghoff et al. at ASIACRYPT 2012. It imitates AES and uses an α-reflection structure, so that encryption and decryption are similar. In 2014 the designers launched a public challenge for practical attacks on PRINCE, making the security of the algorithm a research hot spot. The longest attack on PRINCE so far covers 10 rounds: the meet-in-the-middle attack of P. Derbez et al. has a data-time product D×T = 2^125, and the multiple-differential attack of A. Canteaut et al. has D×T = 2^118.5; the time complexity of both methods exceeds 2^57. This paper slightly modifies the multiple-differential technique of A. Canteaut et al.: by considering a fixed input difference and a chosen set of output differences, it gives a 7-round PRINCE distinguisher, the longest so far, and applies it to a key-recovery attack on 8-round PRINCE. The 7-round PRINCE differential distinguisher has probability 2^-56.89; the 8-round key-recovery attack requires 2^61.89 chosen plaintexts, 2^19.68 8-round encryptions, and 2^15.21 16-bit counters. Compared with the known 8-round PRINCE key-recovery results, including the 10-round scheme of A. Canteaut et al. reduced to 8 rounds, the attack given here has the lowest time complexity and the lowest D×T complexity.

10.
Algebraic properties of the Rijndael algorithm and a seven-round attack
Rijndael, selected as the AES in 2000, is a block cipher with an SPN (Substitution-Permutation Network) structure. Because the algorithm is built on algebraic theory, this paper introduces some algebraic properties of its basic functions and presents some differential characteristics of the round transformation. Based on some of these algebraic properties and differential characteristics, a seven-round attack on Rijndael-128-192 is given that is more efficient than exhaustive search.

11.
LBlock is a new lightweight block cipher proposed by Wu and Zhang (2011) [12] at ACNS 2011. It is based on a modified 32-round Feistel structure and uses 80-bit keys and 64-bit message blocks. In this letter, we examine the security arguments given in the original article and show that we can improve the 20-round impossible differential attack given there by constructing a 22-round related-key impossible differential attack that relies on intrinsic weaknesses of the key schedule. This attack has a complexity of 2^70 cipher operations using 2^47 plaintexts. This result was already published in Minier and Naya-Plasencia (2011) [9].

12.
This paper studies the security of the block ciphers ARIA and Camellia against impossible differential cryptanalysis. Our work improves the best impossible differential cryptanalysis of ARIA and Camellia known so far. The designers of ARIA expected that no impossible differentials exist for 4-round ARIA. However, we found some nontrivial 4-round impossible differentials, which may lead to a possible attack on 6-round ARIA. Moreover, we found some nontrivial 8-round impossible differentials for Camellia, whereas only 7-round impossible differentials were previously known. Using the 8-round impossible differentials, we present an attack on 12-round Camellia without FL/FL^-1 layers.

13.
In this paper, we present a mini version of Rijndael, the symmetric-key block cipher recently selected as the Advanced Encryption Standard (AES). Mini-AES has all the parameters significantly reduced while preserving the original structure. It is meant to be a purely educational cipher and is not considered secure for actual applications. The purpose is that once undergraduate students and amateur cryptanalysts have grasped the basic principles behind how Mini-AES works, it will be easy for them to move on to the real AES. At the same time, an illustration of how the Square attack can be applied to Mini-AES is presented, in the hope that Mini-AES would also serve as a testbed for students to begin their cryptanalysis efforts.

14.
Pyjamask is a candidate block cipher that entered the second round of NIST's selection of lightweight cryptographic algorithms for the post-quantum era; analyzing its resistance to the now popular impossible differential cryptanalysis is important for its future use in real systems. Some 2.5-round impossible differentials are presented and their structural properties and attack efficiency are analyzed; adding one round before and half a round after some of the most effective impossible differentials forms a 4-round multiple impossible differential attack path for Pyjamask. The results show that the diffusion of Pyjamask's MixRows operation is rather strong and resists impossible differential analysis well; this result is an important complement to the security analysis of Pyjamask.

15.
This paper analyzes the security of Midori-64 against truncated impossible differential attacks. First, by analyzing the pattern of differential paths in Midori encryption and decryption, it is proven that a truncated impossible differential distinguisher for Midori in the single-key setting covers at most 6 rounds, and the 6-round truncated impossible differential distinguishers are classified. Second, based on this classification, a 6-round distinguisher is constructed and an impossible differential analysis of 11-round Midori-64 is given that recovers the 128-bit master key with time complexity 2^121.4, data complexity 2^60.8, and memory complexity 2^96.5.

16.
张仕伟, 陈少真. Journal of Software (《软件学报》), 2018, 29(11): 3544-3553
For block ciphers, impossible differential and zero-correlation linear cryptanalysis are both important analysis tools. By studying the properties of the nonlinear AND component, this paper first obtains constraints that characterize the differential and linear propagation of the SIMON round function, then, based on the Boolean satisfiability problem (SAT), proposes a general automated search algorithm for impossible differential and zero-correlation paths, and uses it to find more impossible differentials and zero-correlation paths for SIMON. Besides automated search, the algorithm can also decide whether a given pair of differences (or masks) forms a valid impossible differential or zero-correlation path. Furthermore, based on this algorithm and from the perspective of resistance to impossible differential attacks, a basis for choosing the rotation constants in the SIMON round function is given.

17.
Howard M. Heys. Cryptologia, 2013, 37(3): 189-221
In this paper, we present a detailed tutorial on linear cryptanalysis and differential cryptanalysis, the two most significant attacks applicable to symmetric-key block ciphers. The intent of the paper is to present a lucid explanation of the attacks, detailing their practical application to a cipher in a simple, conceptually revealing manner for the novice cryptanalyst. The tutorial is based on the analysis of a simple, yet realistically structured, basic Substitution-Permutation Network cipher. Understanding the attacks as they apply to this structure is useful, as the Rijndael cipher, recently selected for the Advanced Encryption Standard (AES), is derived from the basic SPN architecture. As well, experimental data from the attacks is presented as confirmation of the applicability of the concepts as outlined.

18.
Differential-nonlinear cryptanalysis of reduced-round SAFER++
SAFER++ is one of the seven block ciphers that entered the second round of NESSIE evaluation. Using a method that combines differential cryptanalysis and nonlinear cryptanalysis, 4-, 5- and 6-round SAFER++ are analyzed. The results show that 6-round SAFER++ is not immune to this attack, and that for 4- and 5-round SAFER++ the attack complexity is greatly reduced compared with previous results. The attack is effective for 2^250 of the 256-bit keys.

19.
董乐, 吴文玲, 吴双, 邹剑. Chinese Journal of Computers (《计算机学报》), 2012, 35(9): 1906-1917
Integral attacks and higher-order differential attacks are two important analysis techniques for block ciphers. Although their theoretical foundations differ, their attack procedures are very similar. This paper explains the integral distinguishers of AES and Rijndael-256 from the viewpoint of higher-order differential analysis, showing that higher-order differential analysis is equally powerful against such algorithms. In addition, the data complexity of the 3-round distinguisher for Rijndael-256 is improved. Finally, a 14-round zero-sum distinguisher for the internal permutation of the SPONGENT hash function is given.

20.
Dynamic logic reconfiguration is a concept that allows for efficient on-the-fly modifications of combinational circuit behavior in both ASIC and FPGA devices. The reconfiguration of Boolean functions is achieved by modification of their generators (e.g., shift register-based look-up tables), and it can be controlled from within the chip, without the necessity of any external intervention. This hardware polymorphism can be utilized for the implementation of side-channel attack countermeasures, as demonstrated by Sasdrich et al. for the lightweight cipher PRESENT. In this work, we adapt these countermeasures to two of the AES finalists, namely Rijndael and Serpent. Just like PRESENT, both Rijndael and Serpent are block ciphers based on a substitution-permutation network. We describe the countermeasures and adjustments necessary to protect these ciphers using the resources available in modern Xilinx FPGAs. We describe our implementations and evaluate the side-channel leakage and effectiveness of different countermeasure combinations using a methodology based on Welch's t-test. Furthermore, we attempt to break the protected AES/Rijndael implementation using second-order DPA/CPA attacks. We did not detect any significant first-order leakage from the fully protected versions of our implementations. Using one million power traces, we detect second-order leakage from Serpent encryption, while AES encryption second-order leakage is barely detectable. We show that the countermeasures proposed by Sasdrich et al. are, with some modifications, successfully applicable to AES and Serpent.
