
Showing papers by "Kyoji Shibutani published in 2012"


Book ChapterDOI
09 Jul 2012
TL;DR: It is demonstrated that the MITM attack is the most powerful attack in the single-key setting on those ciphers with respect to the number of attacked rounds, and the possibility of applying the recent speed-up keysearch based on the MITM attack to those ciphers is considered.
Abstract: In this paper, we investigate the security of the lightweight block ciphers against the meet-in-the-middle (MITM) attack. Since the MITM attack mainly exploits low key-dependency in a key expanding function, block ciphers having a simple key expanding function are likely to be vulnerable to the MITM attack. On the other hand, such a simple key expanding function leads to a compact implementation, and thus is utilized in several lightweight block ciphers. However, the security of such lightweight block ciphers against the MITM attack has not been studied well so far. We apply the MITM attack to these ciphers, and then give a more accurate security analysis of them. Specifically, combining thorough analysis with new techniques, we present MITM attacks on 29, 8, 16, 14 and 21 rounds of XTEA, LED-64, LED-128, Piccolo-80 and Piccolo-128, respectively. Consequently, it is demonstrated that the MITM attack is the most powerful attack in the single-key setting on those ciphers with respect to the number of attacked rounds. Moreover, we consider the possibility of applying the recent speed-up keysearch based on the MITM attack to those ciphers.

73 citations


Book ChapterDOI
15 Aug 2012
TL;DR: The all subkeys recovery (ASR) attack is applied to block ciphers employing a complex key schedule such as CAST-128, SHACAL-2, KATAN, FOX128 and Blowfish, and the best attacks on them with respect to the number of attacked rounds in literature are presented.
Abstract: We revisit meet-in-the-middle (MITM) attacks on block ciphers. Despite recent significant improvements of the MITM attack, its application is still restrictive. In other words, most of the recent MITM attacks work only on block ciphers consisting of a bit permutation based key schedule such as KTANTAN, GOST, IDEA, XTEA, LED and Piccolo. In this paper, we extend the MITM attack so that it can be applied to a wider class of block ciphers. In our approach, MITM attacks on block ciphers consisting of a complex key schedule can be constructed. We regard all subkeys as independent variables, then transform the game that finds the user-provided key to the game that finds all independent subkeys. We apply our approach, called the all subkeys recovery (ASR) attack, to block ciphers employing a complex key schedule such as CAST-128, SHACAL-2, KATAN, FOX128 and Blowfish, and present the best attacks on them with respect to the number of attacked rounds in the literature. Moreover, since our attack is simple and generic, it can be applied to block ciphers consisting of any key schedule function, even if the key schedule is an ideal function.

47 citations


Book ChapterDOI
19 Mar 2012
TL;DR: This paper presents not only the best pseudo collision attacks on the SHA-2 family, but also a new insight into the relation between a meet-in-the-middle preimage attack and a pseudo collision attack.
Abstract: In this paper, we present a new technique to construct a collision attack from a particular preimage attack which is called a partial target preimage attack. Since most of the recent meet-in-the-middle preimage attacks can be regarded as partial target preimage attacks, a collision attack is derived from the meet-in-the-middle preimage attack. By using our technique, pseudo collisions of the 43-step reduced SHA-256 and the 46-step reduced SHA-512 can be obtained with complexities of 2^126 and 2^254.5, respectively. As far as we know, our results are the best pseudo collision attacks on both SHA-256 and SHA-512 in the literature. Moreover, we show that our pseudo collision attacks can be extended to 52 and 57 steps of SHA-256 and SHA-512, respectively, by combining them with the recent preimage attacks on SHA-2 by bicliques. Furthermore, since the proposed technique is quite simple, it can be directly applied to other hash functions. We apply our algorithm to several hash functions including Skein and BLAKE, which are SHA-3 finalists. We present not only the best pseudo collision attacks on the SHA-2 family, but also a new insight into the relation between a meet-in-the-middle preimage attack and a pseudo collision attack.

32 citations


Patent
20 Feb 2012
TL;DR: An encryption processing device including an encryption processing part configured to divide configuration bits of data to be data processed into plural lines and to input, and to repeatedly execute data conversion processing applying a round function to each line of data as a round calculation as discussed by the authors.
Abstract: An encryption processing device including an encryption processing part configured to divide configuration bits of data to be data processed into plural lines, and to input, and to repeatedly execute data conversion processing applying a round function to each line of data as a round calculation; and a key scheduling part configured to output round keys to a round calculation executing unit in the encryption processing part. The key scheduling part is a replacement type key scheduling part configured to generate plural round keys or round key configuration data by dividing a secret key stored beforehand into plural parts. The plural round keys are output to a round calculation executing unit sequentially executing in the encryption processing part such that a constant sequence is not repeated. The encryption processing configuration has a high level of security and a high level of resistance to repeated key attacks or other attacks.

24 citations


Patent
20 Feb 2012
TL;DR: In this article, a cryptographic processing unit divides and inputs constituent bits of data to be subjected to data processing to lines, and repeatedly performs a data converting operation using round functions on the data of the respective lines.
Abstract: A cryptographic processing unit divides and inputs constituent bits of data to be subjected to data processing to lines, and repeatedly performs a data converting operation using round functions on the data of the respective lines. The cryptographic processing unit inputs n/d-bit data obtained by dividing n-bit data as input data by a division number d to each line, and repeatedly performs a round calculation including a data converting operation using round functions. The n/d-bit data in each line having output data of the round calculations is divided into d/2 sets of data, and the divided data are combined to restructure d sets of n/d-bit data that are different from the output data of the round calculations of the previous stage. The restructured data is set as input data for round calculations of the next stage. The cryptographic processing realizes improved diffusion properties and a high level of security.

9 citations


Patent
20 Feb 2012
TL;DR: In this article, a miniaturized non-linear conversion unit is achieved by a repeating structure of a nonlinear calculation unit made up from either one NAND or NOR, and either one XOR or XNOR calculation unit, and a bit replacement unit.
Abstract: A miniaturized non-linear conversion unit is achieved. Included is an encryption processing part configured to divide and input configuration bits of data to be processed into a plurality of lines, and to repeatedly execute a data conversion processing applying a round function as to the data in each line, wherein the encryption processing part includes an F function executing unit configured to input one line of data configuring the plurality of lines, and to generate conversion data, wherein the F function executing unit includes a non-linear conversion processing unit configured to execute a non-linear conversion processing, and wherein the non-linear conversion processing unit includes a repeating structure of a non-linear calculation unit made up from either one NAND or NOR, and either one XOR or XNOR calculation unit, and a bit replacement unit. The miniaturized non-linear conversion unit is achieved by this repeating configuration.

5 citations


Patent
20 Feb 2012
TL;DR: In this article, a miniaturized non-linear conversion unit is achieved by a repeating structure of a nonlinear calculation unit made up from either one NAND or NOR, and either one XOR or XNOR calculation unit, and a bit replacement unit.
Abstract: A miniaturized non-linear conversion unit is achieved. Included is an encryption processing part configured to divide and input configuration bits of data to be processed into a plurality of lines, and to repeatedly execute a data conversion processing applying a round function as to the data in each line, wherein the encryption processing part includes an F function executing unit configured to input one line of data configuring the plurality of lines, and to generate conversion data, wherein the F function executing unit includes a non-linear conversion processing unit configured to execute a non-linear conversion processing, and wherein the non-linear conversion processing unit includes a repeating structure of a non-linear calculation unit made up from either one NAND or NOR, and either one XOR or XNOR calculation unit, and a bit replacement unit. The miniaturized non-linear conversion unit is achieved by this repeating configuration.

2 citations

Patent
18 Jul 2012
TL;DR: In this article, a non-linear transformation processing structure with high implementation efficiency and high security is realized, where data transformation is performed using a first non-linear transformation part performing non-linear transformation using a plurality of small S-boxes, and a linear transformation part receiving all the outputs from the first non-linear transformation part and performing data transformation using a matrix for performing optimal diffusion mappings.
Abstract: A non-linear transformation processing structure having a high implementation efficiency and a high security is realized. Data transformation is performed using a first non-linear transformation part performing non-linear transformation using a plurality of small S-boxes; a linear transformation part receiving all the outputs from the first non-linear transformation part and performing data transformation using a matrix for performing optimal diffusion mappings; and a second non-linear transformation part including a plurality of small non-linear transformation parts that perform non-linear transformation on individual data units into which output data from the linear transformation part is divided. With this structure, appropriate data diffusion can be achieved without excessively increasing a critical path, and a structure with a high implementation efficiency and a high security can be achieved.

1 citation