Topic

CLEFIA

About: CLEFIA is a research topic. Over the lifetime, 124 publications have been published within this topic receiving 3350 citations.


Papers
Proceedings Article
26 Nov 2013
TL;DR: This tutorial describes improbable differential cryptanalysis, which bridges the gap between differential and impossible differential cryptanalysis, and the expansion technique that expands impossible differentials to improbable differentials.
Abstract: Statistical attacks on block ciphers make use of a property of the cipher so that an event occurs with different probabilities depending on whether or not the correct key is used. For instance, differential cryptanalysis [3] and truncated differential cryptanalysis [5] consider characteristics or differentials which show that a particular output difference should be obtained with a relatively high probability when a particular input difference is used. Hence, when the correct key is used, the predicted differences occur more frequently. On the other hand, impossible differential cryptanalysis [2] uses an impossible differential which shows that a particular difference cannot occur for the correct key (i.e. the probability of this event is exactly zero). Therefore, if these differences are satisfied under a trial key, then it cannot be the correct one. Thus, the correct key can be obtained by eliminating all or most of the wrong keys. However, in a recent study [7] we showed that it is also possible to obtain differentials so that the predicted differences occur less frequently for the correct key. This new cryptanalytic technique is called the improbable differential cryptanalysis and the impossible differential cryptanalysis is just a special case of it. Thus, improbable differential cryptanalysis bridges the gap between differential and impossible differential cryptanalysis. Substitution layer of cryptographic algorithms mostly consists of substitution boxes (S-boxes) and in order to provide better security against known attacks, S-boxes are selected depending on their cryptographic properties like differential probability, linear bias, algebraic degree, and branch number. For instance, differential attacks highly use the differential probabilities of the S-boxes. Recently we proposed a new property of S-boxes that we call undisturbed bits [8] which can be used to obtain better truncated, impossible or improbable differentials. In this tutorial, we will start by describing differential, truncated and impossible differential cryptanalysis. We will then describe the improbable differential cryptanalysis and the expansion technique that expands impossible differentials to improbable differentials. As an example for the expansion technique, we will discuss the improbable differential attacks on CLEFIA [6] in detail. Then we will describe the concept of undisturbed bits and discuss their effects on the block ciphers PRESENT [4] and Serpent [1].

1 citations

Journal Article
TL;DR: This paper reduces the computational complexity of the 96th-order differential attack on 11 rounds of CLEFIA by applying the partial sum technique proposed by Ferguson et al., sequentially deriving a modulo 2 occurrence distribution of intermediate data, and introducing a nested structure of iterative computations to the attack algorithm.
Abstract: CLEFIA is a 128-bit block cipher proposed by Shirai of SONY et al. in 2007. Its key size is 128, 192, or 256 bits. The number of the round of data processing part depends on a key size, viz. it is 18, 22, or 26 rounds for 128, 192, or 256 bits of a key size, respectively. Such a characteristic of CLEFIA has been known that the 96th-order differential of 64 bits out of 128 bits of the 8th-round's output is zero. With this characteristic, we reported the 96th-order differential attack on 11 rounds of CLEFIA that requires $2^{98.3}$ blocks of plain text and $2^{159}$ times of data encryption. In this paper, we reduce this number of the times of the encryption (viz. computational complexity) by applying a partial sum technique proposed by Ferguson et al. With the technique, we sequentially derive a modulo 2 occurrence distribution of intermediate data of cryptanalysis. We also reduce the complexity by introducing a nested structure of iterative computations to the attack algorithm. As a result we reduce the complexity to $2^{106.6}$, which is $1/2^{52.4}$ of the conventional complexity.

1 citations

Journal Article
TL;DR: This paper proposes a compact and high-speed hardware implementation of the block cipher CLEFIA-128 using minimum hardware resources and a maximum frequency of 135.452 MHz, through which it can achieve a throughput of 17 Gbit/s.
Abstract: Main fundamental directions which are considered as important for practical ciphers are (1) security, (2) speed, and (3) cost for implementations. To realize these fundamental directions CLEFIA is designed. CLEFIA is a first block cipher employing the Diffusion Switching Mechanism (DSM) to enhance the immunity against the differential attack and the linear attack. CLEFIA uses lightweight components for efficient software and hardware implementations. This paper proposes compact and high speed hardware implementation for block cipher CLEFIA-128. This hardware architecture uses minimum hardware resources and maximum frequency of 135.452 MHz, through which we can achieve a throughput of 17 Gbit/s.

1 citations

Book Chapter
18 Nov 2013
TL;DR: A new property for the diffusion switching mechanism (DSM) which was proposed by Shirai and Shibutani in 2006 is shown, and new differential fault attacks (DFAs) on CLEFIA are proposed.
Abstract: In this paper, we show a new property for the diffusion switching mechanism (DSM) which was proposed by Shirai and Shibutani in 2006, and propose new differential fault attacks (DFAs) on CLEFIA. The DSM is an effective mechanism to design Feistel ciphers, and Feistel ciphers using the DSM are more secure against the differential and the linear cryptanalysis. By applying the DSM to the generalized Feistel network, Shirai et al. proposed a 128-bit block cipher CLEFIA which was adopted as an ISO standard. Shirai and Shibutani proposed two types of DSMs; one is using two matrices and the other is using three matrices. It was considered that the security difference between the two types of DSMs was quite small. In this paper, we propose a new property for the DSM. Our property can be applied to the two types of DSMs; in particular, it can be applied to the one using two matrices efficiently. We show a small security advantage of the DSM using three matrices, and our results contribute to the comprehension of the DSM. Moreover, we can improve DFAs on CLEFIA by using our property. Existing DFAs cannot execute without exploiting several faults induced after the 14-th round, but our new DFAs can execute by exploiting several faults induced after the 12-th round. The position where several faults are induced of new DFAs is improved, and it is two rounds earlier than that of existing works.

1 citations

Journal Article
TL;DR: This work proves tighter lower bounds on the number of linearly active S-boxes in CLEFIA-type generalized Feistel networks (GFNs) with the diffusion switching mechanism (DSM) and delivers the first provable evidence that the diffusion switching mechanism actually provides an advantage by guaranteeing more active S-boxes in GFNs.

1 citations

Performance Metrics
No. of papers in the topic in previous years
Year    Papers
2022    1
2021    3
2020    8
2019    9
2018    2
2017    8