
Showing papers on "CLEFIA published in 2012"


Proceedings ArticleDOI
19 Aug 2012
TL;DR: This paper provides the first comprehensive hardware architecture comparison between Clefia and Present, as well as a comparison with the current National Institute of Standards and Technology (NIST) standard, the Advanced Encryption Standard.
Abstract: As ubiquitous computing becomes a reality, sensitive information is increasingly processed and transmitted by smart cards, mobile devices and various types of embedded systems. This has led to the requirement of a new class of lightweight cryptographic algorithm to ensure security in these resource constrained environments. The International Organization for Standardization (ISO) has recently standardized two low-cost block ciphers for this purpose, Clefia and Present. In this paper we provide the first comprehensive hardware architecture comparison between these ciphers, as well as a comparison with the current National Institute of Standards and Technology (NIST) standard, the Advanced Encryption Standard.

64 citations


Book ChapterDOI
15 Aug 2012
TL;DR: It is shown that the computation of the XOR sum of the partial decryptions can be divided into two independent parts if the analysis target adopts the Feistel network or its variant.
Abstract: In this paper, an improvement for integral attacks against Feistel ciphers is discussed. The new technique can reduce the complexity of the key recovery phase. This possibly leads to an extension of the number of attacked rounds. In the integral attack, an attacker guesses a part of round keys and performs the partial decryption. The correctness of the guess is judged by examining whether the XOR sum of the results becomes 0 or not. In this paper, it is shown that the computation of the XOR sum of the partial decryptions can be divided into two independent parts if the analysis target adopts the Feistel network or its variant. Then, correct key candidates are efficiently obtained with the meet-in-the-middle approach. The effect of our technique is demonstrated for several Feistel ciphers. Improvements on integral attacks against LBlock, HIGHT, and CLEFIA are presented. Particularly, the number of attacked rounds with integral analysis is extended for LBlock.

61 citations


Book ChapterDOI
09 Dec 2012
TL;DR: A novel tool to search truncated impossible differentials for word-oriented block ciphers with bijective Sboxes that generalizes the earlier \(\mathcal{U}\)-method and the UID-method and helps to close the gap between the best known results of previous tools and those of manual cryptanalysis.
Abstract: Impossible differential cryptanalysis is a powerful technique to recover the secret key of block ciphers by exploiting the fact that in block ciphers specific input and output differences are not compatible. This paper introduces a novel tool to search truncated impossible differentials for word-oriented block ciphers with bijective Sboxes. Our tool generalizes the earlier \(\mathcal{U}\)-method and the UID-method. It allows to reduce the gap between the best impossible differentials found by these methods and the best known differentials found by ad hoc methods that rely on cryptanalytic insights. The time and space complexities of our tool in judging an r-round truncated impossible differential are about O(c·l^4·r^4) and O(c′·l^2·r^2) respectively, where l is the number of words in the plaintext and c, c′ are constants depending on the machine and the block cipher. In order to demonstrate the strength of our tool, we show that it does not only allow to automatically rediscover the longest truncated impossible differentials of many word-oriented block ciphers, but also finds new results. It independently rediscovers all 72 known truncated impossible differentials on 9-round CLEFIA. In addition, it finds new truncated impossible differentials for AES, ARIA, Camellia without FL and FL^{-1} layers, E2, LBlock, MIBS and Piccolo. Although our tool does not improve the lengths of impossible differentials for existing block ciphers, it helps to close the gap between the best known results of previous tools and those of manual cryptanalysis.

57 citations


Proceedings ArticleDOI
01 Dec 2012
TL;DR: This paper revisits the Side Channel Vulnerability Factor (SVF) proposed in ISCA'12 and shows how to adapt the metric to assess the vulnerability of a prefetcher in cache-timing attacks.
Abstract: Micro-architectural features have an influence on security against cache attacks. This paper shows that modern hardware prefetchers enabled in cache memories to reduce the miss penalty, can be a source of information leakage with respect to cache-timing attacks. The work revisits the Side Channel Vulnerability Factor (SVF) proposed in ISCA'12 and shows how to adapt the metric to assess the vulnerability of a prefetcher in cache-timing attacks. We use the modified metric denoted Timing-SVF, to show that standard prefetchers based on sequential algorithms can leak information in cache timing attacks. The findings have been established by experimental validations on a standard 128 bit cipher, called CLEFIA, designed by Sony Corporation Ltd. and used for lightweight cryptography.

21 citations


Book ChapterDOI
28 Nov 2012
TL;DR: This paper improves the attack methodology by showing that a sophisticated method of choosing plaintexts can result in a considerable reduction in attack complexity, when applied to the block cipher SMS4, and suggests an alteration to the SMS4 algorithm that can counter this attack.
Abstract: Block ciphers that have Feistel structures are prone to a class of cache attacks known as differential cache attacks, which monitor power or timing side-channels to reveal the secret key. Differential cache attacks were first demonstrated on the block cipher CLEFIA, which has a type-2 generalized Feistel structure. In this paper we improve the attack methodology by showing that a sophisticated method of choosing plaintexts can result in a considerable reduction in attack complexity. This coupled with other cryptanalytic techniques, when applied to the block cipher SMS4, requires just 2^10 plaintexts to recover the SMS4 secret key from power traces for a 64 byte cache line. Further, the attack becomes more dangerous for large cache lines. For example, with a 128 byte cache line, only 52 power traces are required. Experimental validation of the complete attack has been done on an Intel Xeon microprocessor. Further we suggest an alteration to the SMS4 algorithm that can counter this attack.

8 citations


Proceedings Article
01 Oct 2012
TL;DR: Two new concepts for higher order differential (HOD), namely control transform for the input and observation transform for the output, are introduced which can reduce the data and computational complexity to around 2^-23 and 2^-15 of the conventional one, respectively.
Abstract: CLEFIA is a 128-bit block cipher proposed by Shirai et al. in 2007. In this paper, we focused on a higher order differential of CLEFIA. It has been reported that CLEFIA has 6-round saturation characteristics using 32-nd order differential. This paper introduces two new concepts for higher order differential (HOD) which are control transform for the input and observation transform for the output. With these concepts, we found a new 6-round HOD characteristic using 8-th order differential. By close examination of byte-value, we found the reason for this HOD. If we use the new HOD characteristic, instead of 32-nd order differential for the attack to 7-round CLEFIA, we can reduce to data and computational complexity around 2^-23, 2^-15 of the conventional one, respectively.

6 citations


Proceedings Article
01 Oct 2012
TL;DR: To combine the 17-round known-key distinguisher with the standard subkey recovery technique for a secret-key scenario, a distinguisher for full CLEFIA-128 is constructed from a random permutation under the framework of middletext distinguisher proposed by Minier et al. at Africacrypt 2009.
Abstract: CLEFIA is a 128-bit block cipher proposed by Shirai et al. at FSE 2007, and it was adopted as several standards. CLEFIA adopts a generalized Feistel structure with the switching diffusion mechanism, which realizes a compact hardware implementation for CLEFIA, and it seems one of the promising candidates to be used for restricted environments, which requires that a cryptographic primitive is versatile. It means that we need to evaluate the security of CLEFIA even for unusual scenario such as known-key scenario. As Knudsen and Rijmen did for 7-round AES at Asiacrypt 2007, we construct 17-round known-key distinguisher using two integral characteristics. To combine the 17-round known-key distinguisher with the standard subkey recovery technique for a secret-key scenario, we can construct a distinguisher for full CLEFIA-128 from a random permutation under the framework of middletext distinguisher proposed by Minier et al. at Africacrypt 2009. The distinguisher requires query of 2^112 texts, time complexity of 2^112, and memory complexity of 2^3 blocks, with the advantage of e^-1, where e is the base of the natural logarithm.

6 citations


Posted Content
TL;DR: The proposed differential fault analysis (DFA) on CLEFIA of 128-bit key can evade the countermeasures against the existing DFAs which only protect the last four rounds of encryption.
Abstract: In this paper we propose a new differential fault analysis (DFA) on CLEFIA of 128-bit key. The proposed attack requires to induce byte faults at the fourteenth round of CLEFIA encryption. The attack uses only two pairs of fault-free and faulty ciphertexts and uniquely determines the 128-bit secret key. The attacker does not need to know the plaintext. The most efficient reported fault attack on CLEFIA, needs fault induction at the fifteenth round of encryption and can be performed with two pairs of fault-free and faulty ciphertexts and brute-force search of around 20 bits. Therefore, the proposed attack can evade the countermeasures against the existing DFAs which only protect the last four rounds of encryption. Extensive simulation results have been presented to validate the proposed attack. The simulation results show that the attack can retrieve the 128-bit secret key in around one minute of execution time. To the best of authors’ knowledge the proposed attack is the most efficient attack in terms of both the input requirements as well as the complexity.

5 citations


Journal ArticleDOI
Wei Li, Dawu Gu, Xiaoling Xia, Ya Liu, Zhiqiang Liu 
TL;DR: A fault detection of the CLEFIA block cipher in the single-byte fault model could detect the faults with negligible cost when faults are even injected into the last four rounds.
Abstract: CLEFIA is an efficient lightweight cipher that delivers advanced copyright protection and authentication in computer networks. It is also applied in the secure protocol for transmission including SSL and TLS. Since it was proposed in 2007, some work about its security against differential fault analysis has been devoted to reducing the number of faults and to improving the time complexity of this attack. This attack is very efficient when a single fault is injected into the last several rounds of the CLEFIA, and it allows recovery of the whole secret key. Thus, it is an open question whether the faults injected into the CLEFIA can be detected with low overhead of space and time tolerance. In this paper, we present a fault detection of the CLEFIA block cipher in the single-byte fault model. Our result in this study could detect the faults with negligible cost even when faults are injected into the last four rounds.

3 citations


Journal ArticleDOI
TL;DR: In their attack scenario, Tsunoo et al. show that the mod-2 distribution is a code word of Extended Hamming code, and then proof is given by using the property of Hadamard transform.
Abstract: CLEFIA is a 128-bit block cipher proposed by Shirai et al. in 2007. On its saturation attack, Tsunoo et al. reported peculiar saturation characteristics in 2010. They formulated some hypotheses on the existence of the characteristics with no proof. In this paper we have theoretically proved their hypotheses. In their attack scenario, we show that the mod-2 distribution is a code word of Extended Hamming code, and then proof is given by using the property of Hadamard transform.

3 citations


Posted Content
01 Jan 2012
TL;DR: Zero-correlation linear cryptanalysis (ZCL) as mentioned in this paper is a technique applicable to many block cipher constructions, including AES, balanced Feistel networks, Skipjack, CLEFIA and CAST256.
Abstract: Linear cryptanalysis, along with differential cryptanalysis, is an important tool to evaluate the security of block ciphers. This work introduces a novel extension of linear cryptanalysis: zero-correlation linear cryptanalysis, a technique applicable to many block cipher constructions. It is based on linear approximations with a correlation value of exactly zero. For a permutation on n bits, an algorithm of complexity 2 is proposed for the exact evaluation of correlation. Non-trivial zero-correlation linear approximations are demonstrated for various block cipher structures including AES, balanced Feistel networks, Skipjack, CLEFIA, and CAST256. As an example, using the zero-correlation linear cryptanalysis, a key-recovery attack is shown on 6 rounds of AES-192 and AES-256 as well as 13 rounds of CLEFIA-256.

Journal ArticleDOI
TL;DR: This work proves tighter lower bounds on the number of linearly active S-boxes in CLEFIA-type generalized Feistel networks (GFNs) with diffusion switching mechanism (DSM) and delivers the first provable evidence that the diffusion switching mechanism actually provides an advantage by guaranteeing more active S-boxes in GFNs.

Journal Article
TL;DR: This paper presents an impossible differential cryptanalysis of 13-round CLEFIA-128 without whitening keys, which uses the 9-round impossible differential and introduces the early abort technique to reduce the time complexity.
Abstract: This paper presents an impossible differential cryptanalysis of 13-round CLEFIA-128 without whitening keys, which uses the 9-round impossible differential. In the process of cryptanalysis, it guesses each key and filters the data pairs using the output and input differences of the S-box. It utilizes the key relations to reduce the number of guessed keys, and introduces the early abort technique to reduce the time complexity. The computing result shows that the complexity of the cryptanalysis is about 2^120 data and 2^125.5 encryptions.