Similar documents
1.
SMS4, a block cipher whose global structure adopts a special unbalanced Feistel scheme with an SP round function, is accepted as the Chinese National Standard for securing Wireless LANs. In this paper, in order to evaluate the security against linear cryptanalysis, we examine the upper bound of the maximum linear characteristic probability of SMS4-like ciphers with SP round function. In the same way as for SPN ciphers, it is sufficient to consider the lower bound of the number of linear active s-boxes. We propose a formula to compute the lower bound of the number of linear active s-boxes with regard to the number of rounds. The security threshold of SMS4-like ciphers can be estimated easily with our result. Furthermore, if the number of input words in each round of an SMS4-like cipher is m, we find that it is unnecessary for designers to make the linear branch number of P greater than 2m with respect to linear cryptanalysis.

2.
In the classical Feistel structure the usage of alternating keys makes the cipher insecure against related key attacks. In this work, we propose a new block cipher scheme, AKF, based on a Feistel structure with alternating keys but resistant against related key attacks. AKF leads to constructions of lightweight block ciphers suitable for resource restricted devices such as RFID tags and wireless sensor nodes.

3.
Key-dependent encryption structures, as a relatively secure class of cipher structures, have received wide attention from cryptographers; however, the security flaws of existing algorithms of this kind and their very complex initialization procedures severely limit their use. This paper therefore proposes a fast block cipher based on a key-dependent Feistel structure. By combining two basic cryptographic components, a key-dependent dynamic S-box and a key-dependent dynamic P-box, it designs a more secure Feistel round structure that allows the algorithm to reach security within a small number of rounds. At the same time, the algorithm generates its S-boxes and P-boxes with a fast shuffling algorithm, remedying the very low efficiency of subkey generation in existing algorithms of this kind. For better compatibility, the algorithm uses only byte-oriented operations, so that it is widely applicable to most existing processors. The algorithm's main feature is its use of key-dependent dynamic S-boxes (DS) and dynamic P-boxes (DP); the cipher structure is therefore named the DSP structure, and the algorithm the DSP block cipher. The algorithm was implemented in both C and Java on different Pentium PCs; experimental results show that it has good encryption and decryption efficiency and a relatively fast initialization process.

4.
Linear cryptanalysis (LC) is an important codebreaking method that became popular in the 1990s and has roots in the earlier research of Shamir in the 1980s. In this article we show evidence that linear cryptanalysis is even older. According to documents from the former East German cipher authority ZCO, the systematic study of linear characteristics for nonlinear Boolean functions was routinely performed in the 1970s. At the same time, East German cryptologists produced an excessively complex set of requirements known as KT1, which were in particular satisfied by known historical keys used in the 1980s. An interesting line of inquiry, then, is to see whether KT1 keys offer some level of protection against linear cryptanalysis. In this article we demonstrate that, strangely, this is not really the case. This is demonstrated by constructing specific counterexamples of pathologically weak keys that satisfy all the requirements of KT1. However, because we use T-310 in a stream cipher mode that uses only a tiny part of the internal state for actual encryption, it remains unclear whether this type of weak key could lead to key recovery attacks on T-310.

5.
The ANSI Data Encryption Algorithm (DEA) X3.92-1981 is probably a Feistel cipher. In considering how to expand the key of the DEA from 56 to 64 bits, two similar ciphers are examined and several design criteria inferred. As an example of their application, a 64-bit key schedule for the DEA is presented.

6.
This work is a study of DES-like ciphers where the bitwise exclusive-or (XOR) operation in the underlying Feistel network is replaced by an arbitrary group operation. The authors construct a two-round simplified version of DES that contains all the DES components and show that its set of encryption permutations is not a group under functional composition, that it is not a pure cipher, and that its set of encryption permutations does not generate the alternating group. They present a non-statistical proof that for n ≤ 4 the set of n-round Feistel permutations over an arbitrary group does not constitute a group under functional composition.

7.
CLEFIA is a block cipher designed by Sony Corporation, adopted as a lightweight encryption algorithm of the new ISO/IEC 29192-2 standard, and proposed as a Japanese e-Government recommendation cipher CRYPTREC candidate. Provable security properties of a cryptographic design are crucial in any security evaluation. Providing lower bounds on the number of active S-boxes in differential and linear characteristics has been one of the few important provable properties that can be formally shown for block ciphers and hence has received a lot of attention. In this work, we prove tighter lower bounds on the number of linearly active S-boxes in CLEFIA-type generalized Feistel networks (GFNs) with diffusion switching mechanism (DSM). We show that every 6 rounds of such GFNs provide 50% more linearly active S-boxes than proven previously. Moreover, we experimentally demonstrate that the new bound is tight for up to at least 12 rounds, whereas the previous one is not. Thus, this paper delivers the first provable evidence that the diffusion switching mechanism actually provides an advantage by guaranteeing more active S-boxes in GFNs.

8.
代学俊, 黄玉划, 刘宁钟, Computer Science (计算机科学), 2017, 44(2):192-194, 201
To meet the demand of resource-constrained mobile terminals for lightweight ciphers, a new lightweight block cipher, VHF, based on double pseudo-random transformations and a Feistel structure, is proposed. Like many other lightweight block ciphers, VHF has a 128-bit block length and key lengths of 80 bits and 128 bits. The security evaluation of VHF shows that it achieves adequate security against known attacks such as differential analysis, linear analysis and impossible differential analysis. On this basis, its software efficiency and hardware implementation were tested; comparison with existing lightweight block ciphers shows that both the software and hardware efficiency of VHF exceed those of the international standard CLEFIA, which is likewise aimed at 8-bit platforms.

9.
To evaluate the security against differential and linear cryptanalysis of Feistel ciphers with a substitution-permutation network (SPN) round function, we consider the lower bounds of the number of differential and linear active s-boxes, which provide the upper bounds of the maximum differential and linear characteristic probabilities of Feistel ciphers. Concretely, using the differential and linear branch numbers Bd, Bl of the P transformation within the round function, we give new lower bounds of the number of active s-boxes in any consecutive rounds of Feistel ciphers, respectively. Furthermore, we show by comparison that our results are better than previous ones.

10.
The contracting unbalanced Feistel network (UFN) is a particular structure in block ciphers, where the "left half" and the "right half" are not of equal size, and the size of the domain of one half is larger than that of the range. This paper studies the security of the contracting UFN structure against differential fault analysis (DFA). We propose two basic byte-oriented fault models and two corresponding attacking methods. Then we implement the attack on two instances of the contracting UFN structure, the block ciphers SMS4 and MacGuffin. The experiments require 20 and 4 faulty ciphertexts to recover the 128-bit secret key of SMS4 in the two fault models, respectively. Under similar hypotheses, MacGuffin is breakable with 355 and 165 faulty ciphertexts, respectively. So our work not only builds up a general model of DFA on the contracting UFN structure and ciphers, but also provides a new reference for fault analysis on other block ciphers.

11.
For a stream cipher, each output keystream bit can be viewed as a Boolean function of the key variables and the IV variables, and the algebraic degree of this Boolean function is an important factor in the security of the cipher: when the degree is low, the cipher's resistance to algebraic attacks, cube attacks and integral attacks is weak. Currently, the most effective methods for estimating the algebraic degree of Trivium-like stream ciphers are the numeric mapping method and the MILP-based division property method. By analysing the characteristics of these two typical methods and combining their strengths, this paper improves the algebraic degree estimation for Trivium-like ciphers. We ran experiments with the improved method on a large number of randomly chosen IV variable sets. The results show that, for Trivium-like ciphers, the improved method gives tighter upper bounds on the algebraic degree than the numeric mapping method. In particular, for Trivium with all key variables and all IV variables as input, i.e. 80 key variables and 80 IV variables, the maximum number of rounds for which the algebraic degree of the output bit does not reach 160 is raised from 907 to 912, which is the best known algebraic degree estimate in the full-variable setting.

12.
A diary entry of Charles L. Dodgson, better known as Lewis Carroll, indicates that he invented two polyalphabetic ciphers in 1858. He published neither of them. In this paper we present one, a matrix based cipher, and show that it is equivalent to a Variant Beaufort cipher using a non-standard arithmetic. This is placed in historical perspective not only from the point of view of cryptography but also in regard to the state of mathematics in England in the middle of the nineteenth century. The authors have written a computer program that can be used to explore this and similar ciphers.

13.
The MIBS block cipher is mainly intended for implementation in lightweight RFID cryptographic devices, and no public results on its security have been published. This paper first presents the MIBS algorithm and the principle of fault analysis, then proposes a width-based differential fault analysis method against MIBS and verifies it by simulation. The experimental results show that, owing to its Feistel structure and S-box properties, MIBS is vulnerable to width fault attacks: injecting one 32-bit fault in each of round 32 and round 31 reduces the 64-bit master key to 21.70 bits, and the complete key is recovered by one second of brute force. The fault analysis method also offers some ideas for differential fault analysis of other block ciphers.

14.
Louis Kruh, Cryptologia, 2013, 37(4):334-336
Vigenère ciphers can be broken if the key length is known. In trying to break the Vigenère cipher, Charles Babbage and Friedrich Wilhelm Kasiski found the length of the key by searching for periodic repetitions in the ciphertext to split the cipher into multiple Caesar ciphers. William Friedman's index of coincidence also requires an adequate length of ciphertext to retrieve the key length. Both methods fail if the ciphertext is short or does not include repetitions, and no other effective linguistic solution to break short Vigenère ciphers is known. Massively decreasing the solution space by logic, reverse digram frequency, and language properties allows breaking short and long Vigenère ciphers with and without repetitions.

15.
To evaluate the security of a class of unbalanced Feistel ciphers, the resistance of the cipher to differential cryptanalysis and linear cryptanalysis is studied in depth by an enumeration method. Under the assumption that the round function is bijective, it is proved that 3, 4, 6, 8, 10 and 2r (r ≥ 3) rounds of the cipher have at least 1, 1, 3, 4, 5 and r round functions with nonzero input difference, respectively. Consequently, if the maximum differential probability and the maximum linear approximation probability of the round function are p and q, respectively, then the probabilities of differential characteristics and linear characteristics of the 2r-round (r ≥ 3) cipher are upper-bounded by p^r and q^r, respectively.

16.
The white-box attack is a new attack context in which it is assumed that cryptographic software is implemented on an untrusted platform and all the implementation details are controlled by the attackers. So far, almost all white-box solutions have been broken. In this study, we propose a white-box encryption scheme that is not a variant of obfuscating existing ciphers but a completely new solution. The new scheme is based on the unbalanced Feistel network as well as the ASASASA (where "A" means affine, and "S" means substitution) structure. It has a selectable input block size and is suitable for saving space compared with other solutions because the space requirement grows slowly (linearly) with the growth of block size. Moreover, our scheme not only has huge white-box diversity and white-box ambiguity but also has a particular construction to bypass public white-box cryptanalysis techniques, including attacks aimed at white-box variants of existing ciphers and attacks specific to the ASASASA structure. More precisely, we present a definition of white-box security with regard to equivalent keys, and prove that our scheme satisfies this security requirement.

17.
Charles L. Dodgson, better known as Lewis Carroll, invented several polyalphabetic ciphers by 1868. The two that he published are put into historical perspective in this paper. His Alphabet Cipher produces a Vigenère enciphered text, while his Telegraph Cipher is equivalent to a Beaufort cipher. In constructing the Telegraph Cipher, Dodgson used two sliding alphabets, similar to the St. Cyr slide invented by Auguste Kerckhoffs fifteen years later. A program is available to explore these ciphers and another, the Variant Beaufort.

18.
罗平, 宋涛, Application Research of Computers (计算机应用研究), 2008, 25(5):1556-1559
Since existing attack methods on block ciphers are ineffective against a cipher whose structure is unknown, a framework is proposed for generating a random cipher from an existing block cipher: the cipher is generated from a random control key, so the algorithm itself is random and can resist the linear cryptanalysis and differential cryptanalysis that target a cipher of fixed structure. A concrete randomized AES algorithm is also proposed; it has provable security, its security is higher than that of the original AES, and its performance is close to that of the original AES.

19.
Encryption algorithms that use the same secret key for encryption and decryption (also known as block ciphers) allow confidential information to be protected and accessible only by legitimate parties who have knowledge of that secret key. Before the public can be comfortable with using a block cipher, it needs to gain public trust in its level of security. Over the years, the approach has been somewhat ad hoc, where the security of a cipher is generally taken to be resistance against some commonly known cryptanalytic attacks, though in parallel some researchers began to introduce sound design theory related to the resistance of a cipher against particular types of attacks. Commutative diagram (CD) cryptanalysis was formalized at FSE 2004 as a framework for expressing certain kinds of attacks on block ciphers. Being able to unify the different types of attacks in one common framework is one of its main advantages. It was also left as an open problem to extend the framework to incorporate more attacks, namely the slide, boomerang, amplified boomerang/rectangle and Square attacks. In this paper, we show how to model these attacks within the CD framework.

20.
We present two new definitions of security for quantum ciphers which are inspired by the definitions of entropic security and entropic indistinguishability defined by Dodis and Smith. We prove the equivalence of these two new definitions. We also propose a generalization of a cipher described by Dodis and Smith and show that it can actually encrypt n qubits using less than n classical bits of key under reasonable conditions and yet be secure in an information theoretic setting. This cipher also totally closes the gap between the key requirement of quantum ciphers and classical ciphers.
