Known-key distinguishers on type-1 Feistel scheme and near-collision attacks on its hashing modes

We present some known-key distinguishers for a type-1 Feistel scheme with a permutation as the round function. To be more specific, the 29-round known-key truncated differential distinguishers are given for the 256-bit type-1 Feistel scheme with an SP (substitution-permutation) round function by using the rebound attack, where the S -boxes have perfect differential and linear properties and the linear diffusion layer has a maximum branch number. For two 128-bit versions, the distinguishers can be applied on 25-round structures. Based on these distinguishers, we construct near-collision attacks on these schemes with MMO (Matyas-Meyer-Oseas) and MP (Miyaguchi-Preneel) hashing modes, and propose the 26-round and 22-round near-collision attacks for two 256-bit schemes and two 128-bit schemes, respectively. We apply the near-collision attack on MAME and obtain a 26-round near-collision attack. Using the algebraic degree and some integral properties, we prove the correctness of the 31-round known-key integral distinguisher proposed by Sasaki et al. We show that if the round function is a permutation, the integral distinguisher is suitable for a type-1 Feistel scheme of any size.     

New impossible differential attacks on reduced-round Crypton

Crypton is a 128-bit block cipher which was submitted to the Advanced Encryption Standard competition. In this paper, we present two new impossible differential attacks to reduced-round Crypton. Using two new observations on the diffusion layer of Crypton, exploiting a 4-round impossible differential, and appropriately choosing three additional rounds, we mount the first impossible differential attack on 7-round Crypton. The proposed attacks require 2¹²¹ chosen plaintexts each. The first attack requires 2^125.2 encryptions. We then utilize more pre-computation and memory to reduce the time complexity to 2^116.2 encryptions in the second attack.     

Differential Attack on Five Rounds of the SC2000 Block Cipher<Superscript>*</Superscript>

The SC2000 block cipher has a 128-bit block size and a user key of 128,192 or 256 bits,which employs a total of 6.5 rounds if a 128-bit user key is used.It is a CRYPTREC recommended e-government cipher in Japan.In this paper we address how to recover the user key from a few subkey bits of SC2000,and describe two 4.75-round differential characteristics with probability 2-126 of SC2000 and seventy-six 4.75-round differential characteristics with probability 2-127.Finally,we present a differential cryptanalysis attack on a 5-round reduced version of SC2000 when used with a 128-bit key;the attack requires 2-125.68 chosen plaintexts and has a time complexity of 2 125.75 5-round SC2000 encryptions.The attack does not threat the security of the full SC2000 cipher,but it suggests for the first time that the safety margin of SC2000 with a 128-bit key decreases below one and a half rounds.     

Collision attack on reduced-round Camellia

Camellia is the final winner of 128-bit block cipher in NESSIE. In this paper, we construct some efficient distinguishers between 4-round Camellia and a random permutation of the blocks space. By using collision-searching techniques, the distinguishers are used to attack on 6, 7, 8 and 9 rounds of Camellia with 128-bit key and 8, 9 and 10 rounds of Camellia with 192/256-bit key. The 128-bit key of 6 rounds Camellia can be recovered with 210 chosen plaintexts and 215 encryptions. The 128-bit key of 7 rounds Camellia can be recovered with 212 chosen plaintexts and 254.5 encryptions. The 128-bit key of 8 rounds Camellia can be recovered with 213 chosen plaintexts and 2112.1 encryptions. The 128-bit key of 9 rounds Camellia can be recovered with 2113.6 chosen plaintexts and 2121 encryptions. The 192/256-bit key of 8 rounds Camellia can be recovered with 213 chosen plaintexts and 2111.1 encryptions. The 192/256-bit key of 9 rounds Camellia can be recovered with 213 chosen plaintexts and 2175.6 encryptions. Th     

Cryptanalysis of Reduced-Round DASH

In ACISP 2008,the hash family DASH has been proposed by Billet et al.,which considers the design of Rijndael and RC6.DASH family has two variants that support 256-bit and 512-bit output length respectively.This paper presents the first third-party cryptanalysis of DASH-256 with a focus on the underlying block cipher A256.In particular,we study the distinguisher using differential and boomerang attack.As a result,we build a distinguishing attack for the compression function of DASH-256 with 8-round A256 using the differential cryptanalysis.Finally,we obtain a boomerang distinguisher of 9-round A256.     

对SMS4密码算法改进的差分攻击

差分分析和线性分析是重要的密码算法分析工具.多年来,很多研究者致力于改善这两种攻击方法.Achiya Bar-On等人提出了一种方法,能够使攻击者对部分状态参与非线性变换的SPN结构的密码算法进行更多轮数的差分分析和线性分析.这种方法使用了两个辅助矩阵,其目的就是更多地利用密码算法中线性层的约束,从而能攻击更多轮数.将这种方法应用到中国密码算法SMS4的多差分攻击中,获得了一个比现有攻击存储复杂度更低和数据复杂度更少的攻击结果.在成功概率为0.9时,实施23轮的SMS4密钥恢复攻击需要2^113.5个明文,时间复杂度为2^126.7轮等价的23轮加密.这是目前为止存储复杂度最低的攻击,存储复杂度为2¹⁷个字节.     

缩减轮数的CAST-256积分分析*

CAST-256是在CAST-128基础上改进的Feistel结构分组密码,作为首轮AES候选算法,该算法的分析成果已有不少。目前,已知的攻击方法分析中,多维零相关线性分析和积分分析能实现28轮的密钥恢复攻击。本文详细分析如何利用积分分析与零相关分析两种方法之间联系,实现28轮CAST-256算法积分分析,并且密钥恢复算法的复杂度达到2₂₄₇Enc。     

Zodiac密码算法的多维零相关线性分析

分组密码算法Zodiac支持3种密钥长度,分别为Zodiac-128、Zodiac-192、Zodiac-256。利用零相关线性分析方法评估了Zodiac算法的安全性,首先根据算法的结构特性,构造了一些关于Zodiac算法的10轮零相关线性逼近,然后对16轮Zodiac-192进行了多维零相关分析。分析结果显示：攻击过程中一共恢复了19个字节的密钥,其数据复杂度约为2^124.40个明密文对,计算复杂度为2^181.58次16轮加密。由此可得：16轮（即全轮）192 bit密钥的Zodiac算法（Zodiac-192）对于零相关线性分析方法是不安全的。     

Improved preimage attacks on hash modes of 8-round AES-256

We observe the slow diffusion of the AES key schedule for 256-bit keys and find weakness which can be used in the preimage attack on its Davies-Meyer mode. Our preimage attack works for 8 rounds of AES-256 with the computational complexity of 2^124.9. It is comparable with Bogdanov et al.’s biclique-based preimage attack on AES-256, which is applicable up to full rounds but has the computational complexity more than 2^126.5. We also extend our result to the preimage attack on some well-known double-block-length hash modes assuming the underlying block cipher is 8-round AES-256, whose computational complexity is 2^252.9.     

Power dissipation and area comparison of 512-bit and 1024-bit key AES

Advanced Encryption Standard (AES) has replaced its predecessor, Double Encryption Standard (DES), as the most widely used encryption algorithm in many security applications. Up to today, AES standard has key size variants of 128, 192, and 256-bit, where longer bit keys provide more secure ciphered text output. In the hardware perspective, bigger key size also means bigger area and power consumption due to more operations that need to be done. Some companies that employ ultra-high security in their systems may look for a key size bigger than 256-bit AES. In this paper, 128 and 256-bit AES hardware, as well as two variants of an AES encryption algorithm for 512-bit and 1024-bit key size, are implemented and compared in terms of power consumption and area. The experiment is done in 45 nm CMOS technology at 1.1 V using a Synopys DC Compiler and Modelsim and total power consumption and area results are presented and graphically compared.     

Related-key rectangle attack on 36 rounds of the XTEA block cipher

XTEA is a 64-round block cipher with a 64-bit block size and a 128-bit user key, which was designed as a short C program that would run safely on most computers. In this paper, we present a related-key rectangle attack on a series of inner 36 rounds of XTEA without making a weak key assumption, and a related-key rectangle attack on the first 36 rounds of XTEA under certain weak key assumptions. These are better than any previously published cryptanalytic results on XTEA in terms of the numbers of attacked rounds.

Related-Key Impossible Diferential Attack on Reduced-Round LBlock简

LBlock is a 32-round lightweight block cipher with 64-bit block size and 80-bit key. This paper identifies 16- round related-key impossible differentials of LBlock, which are better than the 15-round related-key impossible differentials used in the previous attack. Based on these 16-round related-key impossible differentials, we can attack 23 rounds of LBlock while the previous related-key impossible differential attacks could only work on 22-round LBlock. This makes our attack on LBlock the best attack in terms of the number of attacked rounds.     

Impossible differential cryptanalysis of advanced encryption standard

Impossible differential cryptanalysis is a method recovering secret key, which gets rid of the keys that satisfy impossible differential relations. This paper concentrates on the impossible differential cryptanalysis of Advanced Encryption Standard (AES) and presents two methods for impossible differential cryptanalysis of 7-round AES-192 and 8-round AES-256 combined with time-memory trade-off by exploiting weaknesses in their key schedule. This attack on the reduced to 7-round AES-192 requires about 294.5 chosen plaintexts, demands 2129 words of memory, and performs 2157 7-round AES-192 encryptions. Furthermore, this attack on the reduced to 8-round AES-256 requires about 2101 chosen plaintexts, demands 2201 words of memory, and performs 2228 8-round AES-256 encryptions.     

Differential attack on nine rounds of the SEED block cipher

The SEED block cipher has a 128-bit block length, a 128-bit user key and a total number of 16 rounds. It is an ISO international standard. In this letter, we describe two 7-round differentials with a trivially larger probability than the best previously known one on SEED, and present a differential cryptanalysis attack on a 9-round reduced version of SEED. The attack requires a memory of 2^69.71 bytes, and has a time complexity of 2^126.36 encryptions with a success probability of 99.9% when using 2¹²⁵ chosen plaintexts, or a time complexity of 2^125.36 encryptions with a success probability of 97.8% when using 2¹²⁴ chosen plaintexts. Our result is better than any previously published cryptanalytic results on SEED in terms of the numbers of attacked rounds, and it suggests for the first time that the safety margin of SEED decreases below half of the number of rounds.     

A robust multimedia authentication and restoration scheme in digital photography

Image authentication and restoration is an important area of modern research. In digital photography, copyright protection is very crucial. Visible signatures distract from the meaning of the photograph as well as they are easy to be removed by using advanced softwares. Invisible watermarks provide protection, offer a better look to photographs than visible watermarking, and prevent the photographs from unauthorized manipulations. A robust multiple watermarking scheme is required which could invisibly protect the content and also should survive the manipulations for later verification and restoration. In this paper, a robust and imperceptible multimedia authentication and restoration scheme is proposed. The security of Advanced Encryption Standard (AES) is utilized to make an encrypted watermark. The encrypted watermark is then embedded into photographs in the salient regions by proposed Feature-Closest Point Transform (F-CPT) algorithm. The second watermark is generated by wavelet decomposition and embedded in the second and third level wavelet sub-bands of the cover photographs. Several security attacks are performed e.g. noise attack, compression attack, resizing attack, rotation attack, collage attack, and cropping attack on multiple watermarked photographs to examine the system robustness by normalized cross correlation (NCC) for retrieved authentication watermarks. Result of PSNR, MSE, and SSIM show the high imperceptibility of our technique and aesthetic score (AS) shows the aesthetic quality of watermarked photographs (WPs).     

Midori-64算法的截断不可能差分分析

分析了Midori-64算法在截断不可能差分攻击下的安全性.首先,通过分析Midori算法加、解密过程差分路径规律,证明了Midori算法在单密钥条件下的截断不可能差分区分器至多6轮,并对6轮截断不可能差分区分器进行了分类;其次,根据分类结果,构造了一个6轮区分器,并给出11轮Midori-64算法的不可能差分分析,恢复了128比特主密钥,其时间复杂度为2^121.4,数据复杂度为2^60.8,存储复杂度为2^96.5.     

RECTANGLE-80的相关密钥差分分析

轻量级分组密码RECTANGLE采用SPN结构,分组长度是64比特,密钥长度是80或128比特,迭代轮数是25轮。其采用比特切片技术,在软硬件实现方面均有很好的性能。本文以Matsui和Moriai等人的自动化搜索算法为基础,采用包珍珍等人提出的2种优化策略,对RECTANGLE-80版本进行相关密钥差分分析。我们对最窄点处的密钥状态差分进行限制,使最窄点密钥状态差分的汉明重量取值范围分别属于区间[1,1],[1,2],[1,3],[1,4],[1,5]五种情况,目的是求得此五种情况下前9轮相关密钥差分最大概率及其对应的路径。我们获得了此5种情况前8轮的最大概率及其对应的路径,前2种情况9轮最大概率及其对应路径和后3种情况9轮最大概率的上界。以上5种情况的结果显示,当取值范围属于后三种情况时,前8轮的最大概率是相同的,由此说明随着取值范围的扩大,最大概率趋向稳定。当最窄点密钥状态差分的汉明重量取值范围属于[1,1]或[1,2]时,9轮的最大概率为2^-42。当取值范围分别是[1,3],[1,4]和[1,5]时,9轮最大概率的上界分别是2^-41,2^-37,2^-34。我们预测9轮最大概率的上界是2^-41,由此可以预测18轮的最大概率的上界是2^-82,从而RECTANGLE-80可以抵抗相关密钥差分分析。这是目前RECTANGLE抵抗相关密钥密码分析安全性评估最好结果。     

Key recovery attack for PRESENT using slender-set linear cryptanalysisPRESENT 算法的 slender 集线性密钥恢复攻击

In this paper, we propose a new n-round key recovery attack using modified slender-set linear cryptanalysis on PRESENT-like cipher with public S-boxes. In our attack, an effective method for distinguishing the right key from the wrong ones is presented. We apply our attack to PRESENT-80. The experiments show that we can recover the entire 80 key bits of 12-rounds PRESENT-80 with 2{sn32} data complexity, 2³⁶ time complexity, and negligible memory complexity. Furthermore, we investigate an (n+1)-round attack by extending the n-round key recovery attack. Our method can be used in most PRESENT-like ciphers where the linear layer is a bit-wise permutation.     

8轮PRINCE的快速密钥恢复攻击

PRINCE算法是J.Borghoff等在2012年亚密会上提出的一个轻量级分组密码算法,它模仿AES并采用α-反射结构设计,具有加解密相似的特点.2014年,设计者发起了针对PRINCE实际攻击的公开挑战,使得该算法的安全性成为研究的热点.目前对PRINCE攻击的最长轮数是10轮,其中P.Derbez等利用中间相遇技术攻击的数据和时间复杂度的乘积D×T=2¹²⁵,A.Canteaut等利用多重差分技术攻击的复杂度D×T=2^118.5,并且两种方法的时间复杂度都超过了257.本文将A.Canteaut等给出的多重差分技术稍作改变,通过考虑输入差分为固定值,输出差分为选定的集合,给出了目前轮数最长的7轮PRINCE区分器,并应用该区分器对8轮PRINCE进行了密钥恢复攻击.本文的7轮PRINCE差分区分器的概率为2^-56.89,8轮PRINCE的密钥恢复攻击所需的数据复杂度为2^61.89个选择明文,时间复杂度为219.68次8轮加密,存储复杂度为2^15.21个16比特计数器.相比目前已知的8轮PRINCE密钥恢复攻击的结果,包括将A.Canteaut等给出的10轮攻击方案减少到8轮,本文给出的攻击方案的时间复杂度和D×T复杂度都是最低的.     

10轮Midori128的中间相遇攻击

轻量级分组密码由于软硬件实现代价小且功耗低,被广泛地运用资源受限的智能设备中保护数据的安全。Midori是在2015年亚密会议上发布的轻量级分组密码算法,分组长度分为64 bit和128 bit两种,分别记为Midori64和Midori128,目前仍没有Midori128抵抗中间相遇攻击的结果。通过研究Midori128算法基本结构和密钥编排计划特点,结合差分枚举和相关密钥筛选技巧构造了一条7轮中间相遇区分器。再在此区分器前端增加一轮,后端增加两轮,利用时空折中的方法,提出对10轮的Midori128算法的第一个中间相遇攻击,整个攻击需要的时间复杂度为2126.5次10轮Midori128加密,数据复杂度为2125选择明文,存储复杂度2105 128-bit块,这是首次对Midori128进行了中间相遇攻击。