
Showing papers on "Block cipher" published in 2010


Book
01 Jan 2010
TL;DR: Cryptosystems I and II: Cryptography between Wonderland and Underland as discussed by the authors, a simple BGN-type Cryptosystem from LWE, or Bonsai Trees, or how to delegate a Lattice Basis.
Abstract: Cryptosystems I.- On Ideal Lattices and Learning with Errors over Rings.- Fully Homomorphic Encryption over the Integers.- Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups.- Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption.- Obfuscation and Side Channel Security.- Secure Obfuscation for Encrypted Signatures.- Public-Key Encryption in the Bounded-Retrieval Model.- Protecting Circuits from Leakage: the Computationally-Bounded and Noisy Cases.- 2-Party Protocols.- Partial Fairness in Secure Two-Party Computation.- Secure Message Transmission with Small Public Discussion.- On the Impossibility of Three-Move Blind Signature Schemes.- Efficient Device-Independent Quantum Key Distribution.- Cryptanalysis.- New Generic Algorithms for Hard Knapsacks.- Lattice Enumeration Using Extreme Pruning.- Algebraic Cryptanalysis of McEliece Variants with Compact Keys.- Key Recovery Attacks of Practical Complexity on AES-256 Variants with up to 10 Rounds.- IACR Distinguished Lecture.- Cryptography between Wonderland and Underland.- Automated Tools and Formal Methods.- Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia, Khazad and Others.- Plaintext-Dependent Decryption: A Formal Security Treatment of SSH-CTR.- Computational Soundness, Co-induction, and Encryption Cycles.- Models and Proofs.- Encryption Schemes Secure against Chosen-Ciphertext Selective Opening Attacks.- Cryptographic Agility and Its Relation to Circular Encryption.- Bounded Key-Dependent Message Security.- Multiparty Protocols.- Perfectly Secure Multiparty Computation and the Computational Overhead of Cryptography.- Adaptively Secure Broadcast.- Universally Composable Quantum Multi-party Computation.- Cryptosystems II.- A Simple BGN-Type Cryptosystem from LWE.- Bonsai Trees, or How to Delegate a Lattice Basis.- Efficient Lattice (H)IBE in the Standard Model.- Hash and MAC.- Multi-property-preserving Domain Extension Using Polynomial-Based Modes of Operation.- Stam's Collision Resistance Conjecture.- Universal One-Way Hash Functions via Inaccessible Entropy.- Foundational Primitives.- Constant-Round Non-malleable Commitments from Sub-exponential One-Way Functions.- Constructing Verifiable Random Functions with Large Input Spaces.- Adaptive Trapdoor Functions and Chosen-Ciphertext Security.

320 citations


Journal Article
TL;DR: In this paper, a new family of lightweight block ciphers named KLEIN, which is designed for resource-constrained devices such as wireless sensors and RFID tags, is presented.
Abstract: Resource-efficient cryptographic primitives are becoming fundamental for realizing both security and efficiency in embedded systems like RFID tags and sensor nodes. Among those primitives, lightweight block ciphers play a major role as a building block for security protocols. In this paper, we describe a new family of lightweight block ciphers named KLEIN, which is designed for resource-constrained devices such as wireless sensors and RFID tags. Compared to the related proposals, KLEIN has an advantage in software performance on legacy sensor platforms, while its hardware implementation can be compact as well.

291 citations


Book ChapterDOI
17 Aug 2010
TL;DR: Two block ciphers PRINTcipher-48 and PRINTcipher-96 are presented that are designed to exploit the properties of IC-printing technology and further extend recent advances in lightweight block cipher design.
Abstract: In this paper we consider some cryptographic implications of integrated circuit (IC) printing. While still in its infancy, IC-printing allows the production and personalisation of circuits at very low cost. In this paper we present two block ciphers PRINTcipher-48 and PRINTcipher-96 that are designed to exploit the properties of IC-printing technology and we further extend recent advances in lightweight block cipher design.

277 citations


Journal ArticleDOI
TL;DR: An attack is proposed that reveals the secret permutation that is used to shuffle the pixels of a round input that makes Fridrich's chaotic image encryption algorithm vulnerable against chosen-ciphertext attacks.
Abstract: We cryptanalyze Fridrich’s chaotic image encryption algorithm. We show that the algebraic weaknesses of the algorithm make it vulnerable against chosen-ciphertext attacks. We propose an attack that reveals the secret permutation that is used to shuffle the pixels of a round input. We demonstrate the effectiveness of our attack with examples and simulation results. We also show that our proposed attack can be generalized to other well-known chaotic image encryption algorithms.

204 citations


Book ChapterDOI
01 Jan 2010
TL;DR: This chapter aims to introduce side-channel cryptanalysis with illustrative examples and to put forward a number of practical concerns related to their implementation and countermeasures.
Abstract: Side-channel cryptanalysis is a new research area in applied cryptography that has gained more and more interest since the mid-nineties. It considers adversaries trying to take advantage of the physical specificities of actual cryptographic devices. These implementation-specific attacks frequently turn out to be much more efficient than the best known cryptanalytic attacks against the underlying primitive seen as an idealized object. This chapter aims to introduce such attacks with illustrative examples and to put forward a number of practical concerns related to their implementation and countermeasures.

203 citations


Book ChapterDOI
Henri Gilbert, Thomas Peyrin
07 Feb 2010
TL;DR: Super-Sboxes as discussed by the authors uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations to obtain improvements over the previous cryptanalysis results for these two schemes.
Abstract: In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grøstl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.

201 citations


Book
01 Jan 2010
TL;DR: In this article, the SHA-3 side-channel attacks and countermeasures were evaluated using FPGA-based hardware. But, the side channel attacks were not considered in this paper.
Abstract: Low Cost Cryptography.- Quark: A Lightweight Hash.- PRINTcipher: A Block Cipher for IC-Printing.- Sponge-Based Pseudo-Random Number Generators.- Efficient Implementations I.- A High Speed Coprocessor for Elliptic Curve Scalar Multiplications over .- Co-Z Addition Formulae and Binary Ladders on Elliptic Curves.- Efficient Techniques for High-Speed Elliptic Curve Cryptography.- Side-Channel Attacks and Countermeasures I.- Analysis and Improvement of the Random Delay Countermeasure of CHES 2009.- New Results on Instruction Cache Attacks.- Correlation-Enhanced Power Analysis Collision Attack.- Side-Channel Analysis of Six SHA-3 Candidates.- Tamper Resistance and Hardware Trojans.- Flash Memory 'Bumping' Attacks.- Self-referencing: A Scalable Side-Channel Approach for Hardware Trojan Detection.- When Failure Analysis Meets Side-Channel Attacks.- Efficient Implementations II.- Fast Exhaustive Search for Polynomial Systems in .- 256 Bit Standardized Crypto for 650 GE - GOST Revisited.- Mixed Bases for Efficient Inversion in and Conversion Matrices of SubBytes of AES.- SHA-3.- Developing a Hardware Evaluation Method for SHA-3 Candidates.- Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using FPGAs.- Performance Analysis of the SHA-3 Candidates on Exotic Multi-core Architectures.- XBX: eXternal Benchmarking eXtension for the SUPERCOP Crypto Benchmarking Framework.- Fault Attacks and Countermeasures.- Public Key Perturbation of Randomized RSA Implementations.- Fault Sensitivity Analysis.- PUFs and RNGs.- An Alternative to Error Correction for SRAM-Like PUFs.- New High Entropy Element for FPGA Based True Random Number Generators.- The Glitch PUF: A New Delay-PUF Architecture Exploiting Glitch Shapes.- New Designs.- Garbled Circuits for Leakage-Resilience: Hardware Implementation and Evaluation of One-Time Programs.- ARMADILLO: A Multi-purpose Cryptographic Primitive Dedicated to Hardware.- Side-Channel Attacks and Countermeasures II.- Provably Secure Higher-Order Masking of AES.- Algebraic Side-Channel Analysis in the Presence of Errors.- Coordinate Blinding over Large Prime Fields.

181 citations


Book ChapterDOI
30 May 2010
TL;DR: Ateniese et al. as mentioned in this paper showed that AES-256 can be broken in 10 rounds with complexity which is feasible, using only two related keys and 2^39 time to recover the complete 256-bit key of a 9-round version of AES-256.
Abstract: AES is the best known and most widely used block cipher. Its three versions (AES-128, AES-192, and AES-256) differ in their key sizes (128 bits, 192 bits and 256 bits) and in their number of rounds (10, 12, and 14, respectively). While for AES-128, there are no known attacks faster than exhaustive search, AES-192 and AES-256 were recently shown to be breakable by attacks which require 2^176 and 2^99.5 time, respectively. While these complexities are much faster than exhaustive search, they are completely non-practical, and do not seem to pose any real threat to the security of AES-based systems. In this paper we aim to increase our understanding of AES security, and we concentrate on attacks with practical complexity, i.e., attacks that can be experimentally verified. We show attacks on reduced-round variants of AES-256 with up to 10 rounds with complexity which is feasible. One of our attacks uses only two related keys and 2^39 time to recover the complete 256-bit key of a 9-round version of AES-256 (the best previous attack on this variant required 4 related keys and 2^120 time). Another attack can break a 10-round version of AES-256 in 2^45 time, but it uses a stronger type of related subkey attack (the best previous attack on this variant required 64 related keys and 2^172 time). While the full AES-256 cannot be directly broken by these attacks, the fact that 10 rounds can be broken with such a low complexity raises serious concerns about the remaining safety margin offered by AES-256.

176 citations


Journal ArticleDOI
TL;DR: In the two attacks, only a pair of (plaintext/ciphertext) was needed to totally break the cryptosystem.

172 citations


Proceedings ArticleDOI
13 Jun 2010
TL;DR: The 3-round Feistel cipher with internal permutations may be insecure against a chosen plaintext attack on a quantum computer because there exists a polynomial quantum algorithm for distinguishing them.
Abstract: No polynomial classical algorithms can distinguish between the 3-round Feistel cipher with internal permutations and a random permutation. It means that the 3-round Feistel cipher with internal permutations is secure against any chosen plaintext attack on the classical computer. This paper shows that there exists a polynomial quantum algorithm for distinguishing them. Hence, the 3-round Feistel cipher with internal permutations may be insecure against a chosen plaintext attack on a quantum computer. This distinguishing problem is an instance that can be efficiently solved by exploiting the quantum parallelism. The proposed algorithm is the first application of Simon's algorithm to cryptographic analysis.

168 citations


Book ChapterDOI
01 Mar 2010
TL;DR: In this article, a multidimensional linear cryptanalysis method was proposed to recover the 80-bit secret key of PRESENT up to 25 rounds out of 31 rounds with around 2^62.4 data complexity.
Abstract: PRESENT is a hardware-oriented block cipher suitable for resource-constrained environments. In this paper we analyze PRESENT by the multidimensional linear cryptanalysis method. We claim that our attack can recover the 80-bit secret key of PRESENT up to 25 rounds out of 31 rounds with around 2^62.4 data complexity. Furthermore, we show that the 26-round version of PRESENT can be attacked faster than exhaustive key search with 2^64 data complexity by an advanced key search technique. Our results are superior to all the previous attacks. We demonstrate our result by performing the linear attacks on reduced variants of PRESENT. Our results exemplify that the performance of the multidimensional linear attack is superior compared to the classical linear attack.

Book ChapterDOI
15 Aug 2010
TL;DR: Beyond-birthday-bound security is proved for most of the well-known types of generalized Feistel networks, showing that, in any of these settings, for any ε > 0, with enough rounds, the subject scheme can tolerate CCA attacks of up to q ∼ N^{1-ε} adversarial queries.
Abstract: We prove beyond-birthday-bound security for most of the well-known types of generalized Feistel networks: (1) unbalanced Feistel networks, where the n-bit to m-bit round functions may have n ≠ m; (2) alternating Feistel networks, where the round functions alternate between contracting and expanding; (3) type-1, type-2, and type-3 Feistel networks, where n-bit to n-bit round functions are used to encipher kn-bit strings for some k ≥ 2; and (4) numeric variants of any of the above, where one enciphers numbers in some given range rather than strings of some given size. Using a unified analytic framework, we show that, in any of these settings, for any ε > 0, with enough rounds, the subject scheme can tolerate CCA attacks of up to q ∼ N^{1-ε} adversarial queries, where N is the size of the round functions' domain (the larger domain for alternating Feistel). Prior analyses for most generalized Feistel networks established security to only q ∼ N^{0.5} queries.

Book ChapterDOI
07 Feb 2010
TL;DR: This paper analyzes the security of systems based on modular additions, rotations, and XORs (ARX systems) and proves that ARX with constants are functionally complete, i.e. any function can be realized with these operations.
Abstract: In this paper we analyze the security of systems based on modular additions, rotations, and XORs (ARX systems). We provide both theoretical support for their security and practical cryptanalysis of real ARX primitives. We use a technique called rotational cryptanalysis, that is universal for the ARX systems and is quite efficient. We illustrate the method with the best known attack on reduced versions of the block cipher Threefish (the core of Skein). Additionally, we prove that ARX with constants are functionally complete, i.e. any function can be realized with these operations.

Book ChapterDOI
25 Jan 2010
TL;DR: The experimental results show that after a system initialization phase Hummingbird can achieve up to 147 and 4.7 times faster throughput for a size-optimized and a speed-optimized implementation, respectively, when compared to the state-of-the-art ultra-lightweight block cipher PRESENT on similar platforms.
Abstract: Due to the tight cost and constrained resources of high-volume consumer devices such as RFID tags, smart cards and wireless sensor nodes, it is desirable to employ lightweight and specialized cryptographic primitives for many security applications. Motivated by the design of the well-known Enigma machine, we present a novel ultra-lightweight cryptographic algorithm, referred to as Hummingbird, for resource-constrained devices in this paper. Hummingbird can provide the designed security with a small block size and is resistant to the most common attacks such as linear and differential cryptanalysis. Furthermore, we also present efficient software implementations of Hummingbird on the 8-bit microcontroller ATmega128L from Atmel and the 16-bit microcontroller MSP430 from Texas Instruments, respectively. Our experimental results show that after a system initialization phase Hummingbird can achieve up to 147 and 4.7 times faster throughput for a size-optimized and a speed-optimized implementation, respectively, when compared to the state-of-the-art ultra-lightweight block cipher PRESENT [10] on similar platforms.

Book ChapterDOI
15 Aug 2010
TL;DR: This paper fills an important foundational gap with the first proofs, under standard assumptions and in the standard model, of the existence of PRFs and PRPs resisting rich and relevant forms of related-key attack (RKA).
Abstract: This paper fills an important foundational gap with the first proofs, under standard assumptions and in the standard model, of the existence of PRFs and PRPs resisting rich and relevant forms of related-key attack (RKA). An RKA allows the adversary to query the function not only under the target key but under other keys derived from it in adversary-specified ways. Based on the Naor-Reingold PRF we obtain an RKA-PRF whose keyspace is a group and that is proven, under DDH, to resist attacks in which the key may be operated on by arbitrary adversary-specified group elements. Our framework yields other RKA-PRFs including a DLIN-based one derived from the Lewko-Waters PRF. We show how to turn these PRFs into PRPs (blockciphers) while retaining security against RKAs. Over the last 17 years cryptanalysts and blockcipher designers have routinely and consistently targeted RKA-security; it is important for abuse-resistant cryptography; and it helps protect against fault-injection sidechannel attacks. Yet ours are the first significant proofs of existence of secure constructs. We warn that our constructs are proofs-of-concept in the foundational style and not practical.

Book ChapterDOI
05 Dec 2010
TL;DR: Non-linear feedback shift registers are widely used in lightweight cryptographic primitives and a general analysis technique based on differential cryptanalysis is proposed to identify conditions on the internal state to obtain a deterministic differential characteristic for a large number of rounds.
Abstract: Non-linear feedback shift registers are widely used in lightweight cryptographic primitives. For such constructions we propose a general analysis technique based on differential cryptanalysis. The essential idea is to identify conditions on the internal state to obtain a deterministic differential characteristic for a large number of rounds. Depending on whether these conditions involve public variables only, or also key variables, we derive distinguishing and partial key recovery attacks. We apply these methods to analyse the security of the eSTREAM finalist Grain v1 as well as the block cipher family KATAN/KTANTAN. This allows us to distinguish Grain v1 reduced to 104 of its 160 rounds and to recover some information on the key. The technique naturally extends to higher order differentials and enables us to distinguish Grain-128 up to 215 of its 256 rounds and to recover parts of the key up to 213 rounds. All results are the best known thus far and are achieved by experiments in practical time.

Book ChapterDOI
TL;DR: Theoretical treatments of physical attacks have recently attracted the attention of the cryptographic community, as witnessed by various publications, e.g., this paper, which consider adversaries enhanced with abilities such as inserting faults during a computation or monitoring side-channel leakages.
Abstract: Theoretical treatments of physical attacks have recently attracted the attention of the cryptographic community, as witnessed by various publications, e.g., [1, 17, 22, 24, 29, 31, 33, 34, 42]. These works consider adversaries enhanced with abilities such as inserting faults during a computation or monitoring side-channel leakages.

Book ChapterDOI
15 Aug 2010
TL;DR: This paper describes a new type of attack called a sandwich attack, and uses it to construct a simple distinguisher for 7 of the 8 rounds of KASUMI with an amazingly high probability of 2^-14, which indicates that the changes made by ETSI's SAGE group in moving from MISTY to KASUMI resulted in a much weaker cipher.
Abstract: The privacy of most GSM phone conversations is currently protected by the 20+ years old A5/1 and A5/2 stream ciphers, which were repeatedly shown to be cryptographically weak. They will soon be replaced by the new A5/3 (and the soon to be announced A5/4) algorithm based on the block cipher KASUMI, which is a modified version of MISTY. In this paper we describe a new type of attack called a sandwich attack, and use it to construct a simple distinguisher for 7 of the 8 rounds of KASUMI with an amazingly high probability of 2^-14. By using this distinguisher and analyzing the single remaining round, we can derive the complete 128 bit key of the full KASUMI by using only 4 related keys, 2^26 data, 2^30 bytes of memory, and 2^32 time. These complexities are so small that we have actually simulated the attack in less than two hours on a single PC, and experimentally verified its correctness and complexity. Interestingly, neither our technique nor any other published attack can break MISTY in less than the 2^128 complexity of exhaustive search, which indicates that the changes made by ETSI's SAGE group in moving from MISTY to KASUMI resulted in a much weaker cipher.

Book ChapterDOI
Tomoyasu Suzaki, Kazuhiko Minematsu
07 Feb 2010
TL;DR: This paper improves the security-efficiency trade-off of Type-II GFS when k is a power of two and obtains a significant improvement using a highly effective permutation based on the de Bruijn graph.
Abstract: The generalized Feistel structure (GFS) is a generalized form of the classical Feistel cipher. A popular version of GFS, called Type-II, divides a message into k > 2 sub-blocks and applies a (classical) Feistel transformation for every two sub-blocks, and then performs a cyclic shift of the k sub-blocks. Type-II GFS has many desirable features for implementation. A drawback, however, is its low diffusion property with a large k. This weakness can be exploited by some attacks, such as the impossible differential attack. To protect from them, Type-II GFS generally needs a large number of rounds. In this paper, we improve the Type-II GFS's diffusion property by replacing the cyclic shift with a different permutation. Our proposal enables us to reduce the number of rounds needed to attain a sufficient level of security. Thus, we improve the security-efficiency trade-off of Type-II GFS. In particular, when k is a power of two, we obtain a significant improvement using a highly effective permutation based on the de Bruijn graph.

Book ChapterDOI
05 Dec 2010
TL;DR: The first non-marginal attack on 8-round AES-192 was reported in this paper, which reduced the time complexity of exhaustive key search to about 1/32,000 of the full codebook.
Abstract: AES is the most widely used block cipher today, and its security is one of the most important issues in cryptanalysis. After 13 years of analysis, related-key attacks were recently found against two of its flavors (AES-192 and AES-256). However, such a strong type of attack is not universally accepted as a valid attack model, and in the more standard single-key attack model at most 8 rounds of these two versions can be currently attacked. In the case of 8-round AES-192, the only known attack (found 10 years ago) is extremely marginal, requiring the evaluation of essentially all the 2^128 possible plaintext/ciphertext pairs in order to speed up exhaustive key search by a factor of 16. In this paper we introduce three new cryptanalytic techniques, and use them to get the first non-marginal attack on 8-round AES-192 (making its time complexity about a million times faster than exhaustive search, and reducing its data complexity to about 1/32,000 of the full codebook). In addition, our new techniques can reduce the best known time complexities for all the other combinations of 7-round and 8-round AES-192 and AES-256.

Book ChapterDOI
01 Dec 2010
TL;DR: An improved whitebox implementation of AES that uses dual ciphers to modify the state and key representations in each round as well as two of the four classical AES operations, SubBytes and MixColumns.
Abstract: In order to protect AES software running on untrusted platforms, Chow et al. (2002) designed a white-box implementation. However, Billet et al. (2004) showed that the secret key can be extracted with a time complexity of 2^30. In this paper, we present an improved white-box implementation of AES. We use dual ciphers to modify the state and key representations in each round as well as two of the four classical AES operations, SubBytes and MixColumns. We show that, with 61200 possible dual ciphers, the complexity of the Billet et al. attack is raised to 2^91. Interestingly, our white-box implementation does not require more memory space than that of the Chow et al. implementation.

Journal ArticleDOI
TL;DR: A new chaotic block cipher scheme for image cryptosystems that encrypts blocks of bits rather than blocks of pixels and is able to encrypt large images with superior speed compared to other schemes.

Journal ArticleDOI
TL;DR: In this article, the authors proposed modifications to the Patidar et al. image cipher to make it robust against these two cryptanalytic attacks, and the security analysis shows that the modified image cipher preserves all the good properties of the original cipher and is also capable of withstanding the aforesaid attacks.

Book ChapterDOI
12 Aug 2010
TL;DR: In this paper, the authors describe a variant of existing meet-in-the-middle attacks on block ciphers, which are applicable to the KTANTAN family of block ciphers accepting a key of 80 bits, and show that a strong related-key property can translate to a successful attack in the non-related-key setting.
Abstract: In this paper we describe a variant of existing meet-in-the-middle attacks on block ciphers. As an application, we propose meet-in-the-middle attacks that are applicable to the KTANTAN family of block ciphers accepting a key of 80 bits. The attacks are due to some weaknesses in its bitwise key schedule. We report an attack of time complexity 2^75.170 encryptions on the full KTANTAN32 cipher with only 3 plaintext/ciphertext pairs as well as 2^75.044 encryptions on the full KTANTAN48 and 2^75.584 encryptions on the full KTANTAN64 with 2 plaintext/ciphertext pairs. All these attacks work in the classical attack model without any related keys. In the differential related-key model, we demonstrate 218- and 174-round differentials holding with probability 1. This shows that a strong related-key property can translate to a successful attack in the non-related-key setting. Having extremely low data requirements, these attacks are valid even in RFID-like environments where only a very limited amount of text material may be available to an attacker.

Journal ArticleDOI
TL;DR: This article demonstrates that the highly nonlinear permutation $f(x)=x^{2^{2k}+2^k+1}$ on the field $\mathbb{F}_{2^{4k}}$, discovered by Hans Dobbertin (1998), has differential uniformity of four and hence, with respect to differential and linear cryptanalysis, is just as suitable for use in a symmetric cryptosystem as the inverse function.

Book ChapterDOI
12 Dec 2010
TL;DR: An algebraic analysis is presented to recover equivalent keys from the white-box implementation and show how the perturbations and system of random equations can be distinguished from the implementation, and how the linear input and output encodings can be eliminated.
Abstract: In response to various cryptanalysis results on white-box cryptography, Bringer et al. presented a novel white-box strategy. They propose to extend the round computations of a block cipher with a set of random equations and perturbations, and complicate the analysis by implementing each such round as one system that is obfuscated with annihilating linear input and output encodings. The improved version presented by Bringer et al. implements the AEw/oS, which is an AES version with key-dependent S-boxes (the S-boxes are in fact the secret key). In this paper we present an algebraic analysis to recover equivalent keys from the implementation. We show how the perturbations and system of random equations can be distinguished from the implementation, and how the linear input and output encodings can be eliminated. The result is that we have decomposed the white-box implementation into a much simpler, functionally equivalent implementation and retrieved a set of keys that are equivalent to the original key. Our cryptanalysis has a worst-case time complexity of 2^17 and a negligible space complexity.

ReportDOI
01 Jan 2010
TL;DR: This publication approves the XTS-AES mode of the AES algorithm by reference to IEEE Std 1619-2007, subject to one additional requirement, as an option for protecting the confidentiality of data on storage devices.
Abstract: This publication approves the XTS-AES mode of the AES algorithm by reference to IEEE Std 1619-2007, subject to one additional requirement, as an option for protecting the confidentiality of data on storage devices. The mode does not provide authentication of the data or its source.

Book ChapterDOI
12 Dec 2010
TL;DR: By this attack, 7-round AES-128 is breakable with a data complexity of about 2^106 chosen plaintexts and a time complexity equivalent to about 2^110 encryptions, better than any previously known attack on AES-128 in the single-key scenario.
Abstract: Using a new 4-round impossible differential in AES that allows us to exploit the redundancy in the key schedule of AES-128 in a way more effective than previous work, we present a new impossible differential attack on 7 rounds of this block cipher. By this attack, 7-round AES-128 is breakable with a data complexity of about 2^106 chosen plaintexts and a time complexity equivalent to about 2^110 encryptions. This result is better than any previously known attack on AES-128 in the single-key scenario.

Posted Content
TL;DR: In this paper, the authors presented an efficient search tool for finding differential characteristics both in the state and in the key of block ciphers against related-key attacks, and they used this tool to search for the best possible (in terms of the number of rounds) related-key differential characteristics in AES, byte-Camellia, Khazad, FOX, and Anubis.
Abstract: While the differential behavior of modern ciphers in a single secret key scenario is relatively well understood, and simple techniques for computation of security lower bounds are readily available, the security of modern block ciphers against related-key attacks is still very ad hoc. In this paper we make a first step towards provable security of block ciphers against related-key attacks by presenting an efficient search tool for finding differential characteristics both in the state and in the key (note that due to similarities between block ciphers and hash functions such a tool will be useful in the analysis of hash functions as well). We use this tool to search for the best possible (in terms of the number of rounds) related-key differential characteristics in AES, byte-Camellia, Khazad, FOX, and Anubis. We show the best related-key differential characteristics for 5, 11, and 14 rounds of AES-128, AES-192, and AES-256 respectively. We use the optimal differential characteristics to design the best related-key and chosen-key attacks on AES-128 (7 out of 10 rounds), AES-192 (full 12 rounds), byte-Camellia (full 18 rounds) and Khazad (7 and 8 out of 8 rounds). We also show that the ciphers FOX and Anubis have no related-key attacks on more than 4-5 rounds.

Book ChapterDOI
30 May 2010
TL;DR: This paper presents an efficient search tool for finding differential characteristics both in the state and in the key and designs the best related-key and chosen key attacks on AES, byte-Camellia, Khazad, FOX, and Anubis.
Abstract: While the differential behavior of modern ciphers in a single secret key scenario is relatively well understood, and simple techniques for computation of security lower bounds are readily available, the security of modern block ciphers against related-key attacks is still very ad hoc. In this paper we make a first step towards provable security of block ciphers against related-key attacks by presenting an efficient search tool for finding differential characteristics both in the state and in the key (note that due to similarities between block ciphers and hash functions such a tool will be useful in the analysis of hash functions as well). We use this tool to search for the best possible (in terms of the number of rounds) related-key differential characteristics in AES, byte-Camellia, Khazad, FOX, and Anubis. We show the best related-key differential characteristics for 5, 11, and 14 rounds of AES-128, AES-192, and AES-256 respectively. We use the optimal differential characteristics to design the best related-key and chosen-key attacks on AES-128 (7 out of 10 rounds), AES-192 (full 12 rounds), byte-Camellia (full 18 rounds) and Khazad (7 and 8 out of 8 rounds). We also show that the ciphers FOX and Anubis have no related-key attacks on more than 4-5 rounds.