Improved Linear Cryptanalysis of CAST-256

CAST-256, a first-round AES (Advanced Encryption Standard) candidate, is designed based on CAST-128. It is a 48-round Generalized-Feistel-Network cipher with 128-bit block accepting 128, 160, 192, 224 ...     

Automatic search method for multiple differentials and its application on MANTIS

Rijndael is a substitution-permutation network (SPN) block cipher for the AES development process. Its block and key sizes range from 128 to 256 bits in steps of 32 bits, which can be denoted by Rijndael-b-k, where b and k are the block and key sizes, respectively. Among them, Rijndael-128-128/192/256, that is, AES, has been studied by many researchers, and the security of other large-block versions of Rijndael has been exploited less frequently. However, more attention has been paid to large-block versions of block ciphers with the fast development of quantum computers. In this paper, we propose improved impossible differential attacks on 10-round Rijndael-256-256, 10-round Rijndael-224-256, and 9-round Rijndael-224-224 using precomputation tables, redundancies of key schedules, and multiple impossible differentials. For 10-round Rijndael-256-256, the data, time, and memory complexities of our attack were approximately 2^244.4 chosen plaintexts, 2^240.1 encryptions, and 2^181.4 blocks, respectively. For 10-round Rijndael-224-256, the data, time, and memory complexities of our attack were approximately 2^214.4 chosen plaintexts, 2^241.3 encryptions, and 2^183.4 blocks, respectively. For 9-round Rijndael-224-224, the data, time, and memory complexities of our attack are approximately 2^214.4 chosen plaintexts, 2^113.4 encryptions, and 2^87.4 blocks, respectively, or 2^206.6 chosen plaintexts, 2^153.6 encryptions, and 2^111.6 blocks, respectively. To the best of our knowledge, our results are currently the best on Rijndael-256-256 and Rijndael-224-224/256.

     

Collision attack on reduced-round Camellia

Camellia is the final winner of 128-bit block cipher in NESSIE. In this paper, we construct some efficient distinguishers between 4-round Camellia and a random permutation of the blocks space. By using collision-searching techniques, the distinguishers are used to attack on 6, 7, 8 and 9 rounds of Camellia with 128-bit key and 8, 9 and 10 rounds of Camellia with 192/256-bit key. The 128-bit key of 6 rounds Camellia can be recovered with 210 chosen plaintexts and 215 encryptions. The 128-bit key of 7 rounds Camellia can be recovered with 212 chosen plaintexts and 254.5 encryptions. The 128-bit key of 8 rounds Camellia can be recovered with 213 chosen plaintexts and 2112.1 encryptions. The 128-bit key of 9 rounds Camellia can be recovered with 2113.6 chosen plaintexts and 2121 encryptions. The 192/256-bit key of 8 rounds Camellia can be recovered with 213 chosen plaintexts and 2111.1 encryptions. The 192/256-bit key of 9 rounds Camellia can be recovered with 213 chosen plaintexts and 2175.6 encryptions. Th     

Known-key distinguishers on type-1 Feistel scheme and near-collision attacks on its hashing modes

We present some known-key distinguishers for a type-1 Feistel scheme with a permutation as the round function. To be more specific, the 29-round known-key truncated differential distinguishers are given for the 256-bit type-1 Feistel scheme with an SP (substitution-permutation) round function by using the rebound attack, where the S -boxes have perfect differential and linear properties and the linear diffusion layer has a maximum branch number. For two 128-bit versions, the distinguishers can be applied on 25-round structures. Based on these distinguishers, we construct near-collision attacks on these schemes with MMO (Matyas-Meyer-Oseas) and MP (Miyaguchi-Preneel) hashing modes, and propose the 26-round and 22-round near-collision attacks for two 256-bit schemes and two 128-bit schemes, respectively. We apply the near-collision attack on MAME and obtain a 26-round near-collision attack. Using the algebraic degree and some integral properties, we prove the correctness of the 31-round known-key integral distinguisher proposed by Sasaki et al. We show that if the round function is a permutation, the integral distinguisher is suitable for a type-1 Feistel scheme of any size.     

MARS和Rijndael的能量攻击

使用能量攻击对MARS 和Rijndael进行了深入分析.结果表明:对于256,192和128比特密钥的MARS算法,能量攻击的复杂度平均分别为2²⁸⁸,2¹⁶⁸ 和 2116.对于256,192和128比特密钥的Rijndael算法,能量攻击的复杂度平均分别为2¹³¹,2⁹⁹和267.虽然攻击的复杂度实际上无法达到,但是此攻击方法大大降低了MARS 和Rijndae的密钥规模.     

BORON: an ultra-lightweight and low power encryption design for pervasive computing

We propose an ultra-lightweight, compact, and low power block cipher BORON. BORON is a substitution and permutation based network, which operates on a 64-bit plain text and supports a key length of 128/80 bits. BORON has a compact structure which requires 1939 gate equivalents (GEs) for a 128-bit key and 1626 GEs for an 80-bit key. The BORON cipher includes shift operators, round permutation layers, and XOR operations. Its unique design helps generate a large number of active S-boxes in fewer rounds, which thwarts the linear and differential attacks on the cipher. BORON shows good performance on both hardware and software platforms. BORON consumes less power as compared to the lightweight cipher LED and it has a higher throughput as compared to other existing SP network ciphers. We also present the security analysis of BORON and its performance as an ultra-lightweight compact cipher. BORON is a well-suited cipher design for applications where both a small footprint area and low power dissipation play a crucial role.     

10轮Midori128的中间相遇攻击

轻量级分组密码由于软硬件实现代价小且功耗低,被广泛地运用资源受限的智能设备中保护数据的安全。Midori是在2015年亚密会议上发布的轻量级分组密码算法,分组长度分为64 bit和128 bit两种,分别记为Midori64和Midori128,目前仍没有Midori128抵抗中间相遇攻击的结果。通过研究Midori128算法基本结构和密钥编排计划特点,结合差分枚举和相关密钥筛选技巧构造了一条7轮中间相遇区分器。再在此区分器前端增加一轮,后端增加两轮,利用时空折中的方法,提出对10轮的Midori128算法的第一个中间相遇攻击,整个攻击需要的时间复杂度为2126.5次10轮Midori128加密,数据复杂度为2125选择明文,存储复杂度2105 128-bit块,这是首次对Midori128进行了中间相遇攻击。     

Power dissipation and area comparison of 512-bit and 1024-bit key AES

Advanced Encryption Standard (AES) has replaced its predecessor, Double Encryption Standard (DES), as the most widely used encryption algorithm in many security applications. Up to today, AES standard has key size variants of 128, 192, and 256-bit, where longer bit keys provide more secure ciphered text output. In the hardware perspective, bigger key size also means bigger area and power consumption due to more operations that need to be done. Some companies that employ ultra-high security in their systems may look for a key size bigger than 256-bit AES. In this paper, 128 and 256-bit AES hardware, as well as two variants of an AES encryption algorithm for 512-bit and 1024-bit key size, are implemented and compared in terms of power consumption and area. The experiment is done in 45 nm CMOS technology at 1.1 V using a Synopys DC Compiler and Modelsim and total power consumption and area results are presented and graphically compared.     

对CRYPTON V1.0算法的积分攻击

CRYPTONV1.0密码是一个具有128比特分组长度、128比特密钥的分组密码。CRYP-TONV1.0密码的线性层是基于比特设计的,因而传统的积分攻击无法对其进行分析。本文对CRYP-TONV1.0密码进行分析,从比特的层面上寻找平衡性,得到了一个3轮积分区分器,区分器的可靠性在PC机上进行了验证,该区分器需要1024个明文将3轮CRYPTONV1.0与随机置换区分开来,并且所得密文的每一比特都是平衡的。基于该区分器,对低轮CRYPTONV1.0密码进行了攻击,结果表明,攻击4轮CRYPTONV1.0密码的数据复杂度为211,时间复杂度为223,攻击5轮的数据复杂度为212.4,时间复杂度为253。     

Zodiac密码算法的多维零相关线性分析

分组密码算法Zodiac支持3种密钥长度,分别为Zodiac-128、Zodiac-192、Zodiac-256。利用零相关线性分析方法评估了Zodiac算法的安全性,首先根据算法的结构特性,构造了一些关于Zodiac算法的10轮零相关线性逼近,然后对16轮Zodiac-192进行了多维零相关分析。分析结果显示：攻击过程中一共恢复了19个字节的密钥,其数据复杂度约为2^124.40个明密文对,计算复杂度为2^181.58次16轮加密。由此可得：16轮（即全轮）192 bit密钥的Zodiac算法（Zodiac-192）对于零相关线性分析方法是不安全的。     

A Parallel Yet Pipelined Architecture for Efficient Implementation of the Advanced Encryption Standard Algorithm on Reconfigurable Hardware

The Advanced Encryption System (AES) is used in almost all network-based applications to ensure security. The core computation of AES, which is performed on data blocks of 128 bits, is iterated for several rounds, depending on the key size. The strength of AES is proportional to the number of rounds applied. So far, the number of rounds is fixed to 10, 12 and 14 for a key size of 128, 192 and 256 bits respectively. Most cryptographers feel that the margin between the number of rounds specified in the cipher and the best known attacks is too small. On the other hand, it is clear that the overall efficiency of a given AES implementation is inversely proportional to the number of rounds imposed. In this paper, we propose a very efficient pipelined hardware implementation of AES-128. Besides, we show that if the required number of rounds must increase to defeat attackers, the proposed implementation stays efficient.     

改进的多步法快速相关攻击及其应用

本文提出了两个新的流密码多步法快速相关攻击算法.第一个算法适用于噪音不是很大,而攻击者只有很少预计算资源的环境.第二个算法适用于高噪音而只能获得有限密钥流的场合.新算法均适用于任何形式的LFSR,并在所考虑情况下优于以前的结果.作为应用,本文分别给出一级蓝牙流密码E0和LILI-128新的密钥恢复攻击.给定237比特密钥流和228字节存储空间,针对一级蓝牙流密码E0的新攻击可以在235.1次操作中完成.给定224比特密钥流和224.5字节存储,针对LILI-128的新攻击复杂度为270.6次操作.     

Zodiac算法的碰撞攻击

为了研究Zodiac算法抵抗碰撞攻击的能力,根据算法的一个等价结构,分别给出了Zodiac算法的两个8轮和9轮区分器。通过在此区分器前后加适当的轮数,首先,利用9轮区分器对12轮到16轮的算法进行了碰撞攻击,其攻击的数据复杂度分别为215,231.2,231.5,231.7,263.9,时间复杂度分别为233.8,249.9,275.1,2108,2140.1;其次,利用8轮区分器对全轮算法进行了攻击,其攻击的数据复杂度和时间复杂度分别为260.6和2173.9。结果表明:全轮的Zodiac-192/256算法均不能抵抗碰撞攻击。     

FPGA implementation and performance evaluation of a high throughput crypto coprocessor

This paper describes the FPGA implementation of FastCrypto, which extends a general-purpose processor with a crypto coprocessor for encrypting/decrypting data. Moreover, it studies the trade-offs between FastCrypto performance and design parameters, including the number of stages per round, the number of parallel Advance Encryption Standard (AES) pipelines, and the size of the queues. Besides, it shows the effect of memory latency on the FastCrypto performance. FastCrypto is implemented with VHDL programming language on Xilinx Virtex V FPGA. A throughput of 222 Gb/s at 444 MHz can be achieved on four parallel AES pipelines. To reduce the power consumption, the frequency of four parallel AES pipelines is reduced to 100 MHz while the other components are running at 400 MHz. In this case, our results show a FastCrypto performance of 61.725 bits per clock cycle (b/cc) when 128-bit single-port L2 cache memory is used. However, increasing the memory bus width to 256-bit or using 128-bit dual-port memory, improves the performance to 112.5 b/cc (45 Gb/s at 400 MHz), which represents 88% of the ideal performance (128 b/cc).     

分组密码复杂线性层可分性传播的MILP刻画方法

混合整数线性规划(MILP)作为一种自动化搜索工具, 被广泛地应用于搜索分组密码的差分、线性、积分等密码性质. 提出一种基于动态选取策略构建MILP模型的新技术, 该技术在不同的条件下采用不同的约束不等式刻画密码性质的传播. 具体地, 从可分性出发根据输入可分性汉明重量的不同, 分别采用不同的方法构建线性层可分性传播的MILP模型. 最后, 将该技术应用于搜索uBlock和Saturnin算法的积分区分器. 实验结果表明: 对于uBlock128算法, 该技术可以搜索到比之前最优区分器多32个平衡比特的8轮积分区分器. 除此之外, 搜索到uBlock128和uBlock256算法比之前最优区分器更长一轮的9和10轮积分区分器. 对于Saturnin256算法, 同样搜索到比之前最优区分器更长一轮的9轮积分区分器.     

An algebraic attack on the improved summation generator with 2-bit memory

Recently algebraic attacks on stream ciphers have received much attention. In this paper we apply an algebraic attack to the improved summation generator with 2-bit memory, which was presented by Lee and Moon in order to give the original summation generator correlation immunity. We show that the initial state of the generator can be recovered within O(n^5.6) bit operations from O(n²) regular output bits, where n is the total length of LFSRs. We could recover the initial key bits in practice within 3 minutes on a PC even for the case n=256. Our result is a good example that shows how powerful algebraic attacks are in the analysis of stream ciphers.     

Surge:一种新型、低资源、高效的轻量级分组密码算法

目前,适合资源约束的轻量级密码算法已成为研究热点。提出一种低资源、高性能与高安全性的新轻量级分组密码算法Surge。Surge密码分组长度为64位,使用64位、80位和128位3种密钥长度,且基于SPN结构。轮函数分为5个模块,密钥扩展模块采用无扩展方式;轮常数加模块采用0到15的数字组合成轮常数,构造高效且高度混淆的轮常数加变换;列混合模块利用易于硬件实现的(0,1,2,4)组合矩阵,从而可以在有限域GF(2⁴)上构造硬件实现友好型矩阵。将Surge算法在FPGA上进行了实现,实验结果表明,相对于目前SPN结构的轻量级密码算法,Surge算法占用的面积资源更小,同时有着良好的加密性能;安全性实验证明了Surge可以有效抗差分与线性攻击、代数攻击。     

A practical distinguisher for the Shannon cipher

In this paper, we present a practical linear distinguisher on the Shannon stream cipher. Shannon is a synchronous stream cipher that uses at most 256-bit secret key. In the specification for Shannon, designers state that the intention of the design is to make sure that there are no distinguishing attacks on Shannon requiring less than 2⁸⁰ keystream words and less than 2¹²⁸ computations. In this work we use the Crossword Puzzle attack technique to construct a distinguisher which requires a keystream of length about 2³¹ words with workload about 2³¹.     

对MIBS算法的Integral攻击

MIBS是M.Izadi等人在2009开发研制的轻量级分组密码算法,它广泛用于电子标签和传感器网络等环境.本文给出了对MIBS算法Integral攻击的4.5轮区分器,利用该区分器对MIBS算法进行了8轮和9轮的Integral攻击,并利用密钥编排算法中轮密钥之间的关系,结合“部分和”技术降低了攻击的时间复杂度.攻击结果如下:攻击8轮MIBS-64的数据复杂度和时间复杂度分别为238.6和224.2;攻击9轮MIBS-80的数据复杂度和时间复杂度分别为239.6和268.4.本文攻击的数据复杂度和时间复杂度都优于穷举攻击.这是对MIBS算法第一个公开的Integral攻击.     

一个演化密码体制的安全性分析

利用密钥输出序列的相关性,对一个演化密码体制的安全性进行了系统的分析。通过分析可以得出：当已知连续128bit的密钥输出序列时,该密码体制的密钥空间规模将由2256下降到2128。当已知连续256bit的密钥输出序列时,该密码体制的密钥空间规模将由2256下降到284,并且在容许最多4个含错方程的情况下,密钥空间的规模将降低到272。因此,从选择明文攻击的角度来说,该密码体制的安全性是极其脆弱的。