
Showing papers on "Differential cryptanalysis" published in 2009


Book ChapterDOI
30 Aug 2009
TL;DR: A new family of very efficient hardware-oriented block ciphers, divided into two flavors; the second flavor is more compact in hardware, as the key is burnt into the device (and cannot be changed), and its smallest member achieves an encryption speed of 12.5 KBit/sec.
Abstract: In this paper we propose a new family of very efficient hardware oriented block ciphers. The family contains six block ciphers divided into two flavors. All block ciphers share the 80-bit key size and security level. The first flavor, KATAN, is composed of three block ciphers, with 32, 48, or 64-bit block size. The second flavor, KTANTAN, contains the other three ciphers with the same block sizes, and is more compact in hardware, as the key is burnt into the device (and cannot be changed). The smallest cipher of the entire family, KTANTAN32, can be implemented in 462 GE while achieving encryption speed of 12.5 KBit/sec (at 100 KHz). KTANTAN48, which is the version we recommend for RFID tags, uses 588 GE, whereas KATAN64, the largest and most flexible candidate of the family, uses 1054 GE and has a throughput of 25.1 Kbit/sec (at 100 KHz).

733 citations


Book ChapterDOI
29 Apr 2009
TL;DR: A statistical saturation attack that combines previously introduced cryptanalysis techniques against block ciphers and extracts information about the key by observing non-uniform distributions in the ciphertexts and improves previous (linear, differential) cryptanalysis results.
Abstract: In this paper, we present a statistical saturation attack that combines previously introduced cryptanalysis techniques against block ciphers. As the name suggests, the attack is statistical and can be seen as a particular example of partitioning cryptanalysis. It extracts information about the key by observing non-uniform distributions in the ciphertexts. It can also be seen as a dual to saturation (aka square, integral) attacks in the sense that it exploits the diffusion properties in block ciphers and a combination of active and passive multisets of bits in the plaintexts. The attack is chosen-plaintext in its basic version but can be easily extended to a known-plaintext scenario. As an illustration, it is applied to the block cipher PRESENT proposed by Bogdanov et al. at CHES 2007. We provide theoretical arguments to predict the attack efficiency and show that it improves previous (linear, differential) cryptanalysis results. We also provide experimental evidence that we can break up to 15 rounds of PRESENT with 2^35.6 plaintext-ciphertext pairs. Eventually, we discuss the attack specificities and possible countermeasures. Although dedicated to PRESENT, it is an open question to determine if this technique improves the best known cryptanalysis for other ciphers.

124 citations


Book ChapterDOI
22 Jun 2009
TL;DR: In this article, Wang et al. presented a related-key cryptanalysis of 128-bit keyed Present by introducing a 17-round related-key rectangle attack with time complexity approximately 2^104 memory accesses.
Abstract: Design and analysis of lightweight block ciphers have become more popular due to the fact that the future use of block ciphers in ubiquitous devices is generally assumed to be extensive. In this respect, several lightweight block ciphers are designed, of which Present and Hight are two recently proposed ones by Bogdanov et al. and Hong et al. respectively. In this paper, we propose new attacks on Present and Hight. Firstly, we present the first related-key cryptanalysis of 128-bit keyed Present by introducing a 17-round related-key rectangle attack with time complexity approximately 2^104 memory accesses. Moreover, we further analyze the resistance of Hight against impossible differential attacks by mounting new 26-round impossible differential and 31-round related-key impossible differential attacks, where the former requires time complexity of 2^119.53 reduced-round Hight evaluations and the latter is slightly better than exhaustive search.

106 citations


Journal ArticleDOI
Shiguo Lian1
TL;DR: Theoretical analysis and experimental results show that the block cipher has good computing security and is more suitable for image encryption and is expected to attract more researchers in this field.

102 citations


Book ChapterDOI
04 Nov 2009
TL;DR: Two new ways to mount attacks on the SHA-3 candidates Grøstl and ECHO are proposed and also applied to the AES, and an improved known-key distinguisher for 7 rounds of the AES block cipher and the internal permutation used in ECHO is presented.
Abstract: In this paper, we propose two new ways to mount attacks on the SHA-3 candidates Grøstl and ECHO, and apply these attacks also to the AES. Our results improve upon and extend the rebound attack. Using the new techniques, we are able to extend the number of rounds in which available degrees of freedom can be used. As a result, we present the first attack on 7 rounds for the Grøstl-256 output transformation and improve the semi-free-start collision attack on 6 rounds. Further, we present an improved known-key distinguisher for 7 rounds of the AES block cipher and the internal permutation used in ECHO.

97 citations


Book ChapterDOI
23 Aug 2009
TL;DR: This paper largely settles the question whether an SLT cipher exists for which the techniques of Chow et al. result in a secure white-box implementation by presenting an algorithm that is able to extract the key from such an implementation under a mild condition on the diffusion matrix.
Abstract: A white-box implementation of a block cipher is a software implementation from which it is difficult for an attacker to extract the cryptographic key. Chow et al. published white-box implementations for AES and DES. These implementations are based on ideas that can be used to derive white-box implementations for other block ciphers as well. In particular, the ideas can be used to derive a white-box implementation for any substitution linear-transformation (SLT) cipher. Although the white-box implementations of AES and DES have been cryptanalyzed, the cryptanalyses published use typical properties of AES and DES. It is therefore an open question whether an SLT cipher exists for which the techniques of Chow et al. result in a secure white-box implementation. In this paper we largely settle this question by presenting an algorithm that is able to extract the key from such an implementation under a mild condition on the diffusion matrix. The condition is, for instance, satisfied by all MDS matrices. Our result can serve as a basis to design block ciphers and to develop white-box techniques that result in secure white-box implementations.

94 citations


Book ChapterDOI
23 Nov 2009
TL;DR: The first linear hulls are computed in practice for the original PRESENT cipher, which corroborated and even improved on the predicted bias (and the corresponding attack complexities) of conventional linear relations based on a single linear trail.
Abstract: The contributions of this paper include the first linear hull and a revisit of the algebraic cryptanalysis of reduced-round variants of the block cipher PRESENT, under known-plaintext and ciphertext-only settings. We introduce a pure algebraic cryptanalysis of 5-round PRESENT and in one of our attacks we recover half of the bits of the key in less than three minutes using an ordinary desktop PC. The PRESENT block cipher is a design by Bogdanov et al., announced in CHES 2007 and aimed at RFID tags and sensor networks. For our linear attacks, we can attack 25-round PRESENT with the whole code book, 2^96.68 25-round PRESENT encryptions, 2^40 blocks of memory and 0.61 success rate. Further we can extend the linear attack to 26-round with small success rate. As a further contribution of this paper we computed linear hulls in practice for the original PRESENT cipher, which corroborated and even improved on the predicted bias (and the corresponding attack complexities) of conventional linear relations based on a single linear trail.

84 citations


Journal ArticleDOI
TL;DR: The purpose of the proposed approach is to generate random S-boxes that change for every change of the secret key, which is the main strength of the new approach, since both linear and differential cryptanalysis require known S-boxes.
Abstract: Advanced Encryption Standard (AES) block cipher system is widely used in cryptographic applications. A nonlinear substitution operation is the main factor of the AES cipher system strength. The purpose of the proposed approach is to generate the random S-boxes changing for every change of the secret key. The fact that the S-boxes are randomly key-dependent and unknown is the main strength of the new approach, since both linear and differential cryptanalysis require known S-boxes. In the paper, we briefly analyze the AES algorithm, substitution S-boxes, linear and differential cryptanalysis, and describe a randomly key-dependent S-box and inverse S-box generation algorithm. After that, we introduce the independency measure of the S-box elements, and experimentally investigate the quality of the generated S-boxes.

84 citations


Book ChapterDOI
Kazuhiko Minematsu1
13 Jul 2009
TL;DR: This paper studies how to build a 2n-bit block cipher which is hard to distinguish from a truly random permutation against attacks with q ≈ 2^(n/2) queries, i.e., birthday attacks.
Abstract: This paper studies how to build a 2n-bit block cipher which is hard to distinguish from a truly random permutation against attacks with q ≈ 2^(n/2) queries, i.e., birthday attacks. Unlike previous approaches using pseudorandom functions, we present a simple and efficient proposal using a tweakable block cipher as an internal module. Our proposal is provably secure against birthday attacks, if the underlying tweakable block cipher is also secure against birthday attacks. We also study how to build such tweakable block ciphers from ordinary block ciphers, which may be of independent interest.

82 citations


Book ChapterDOI
13 Jul 2009
TL;DR: In this paper, a new cryptanalytic method against block ciphers is proposed that combines algebraic and statistical techniques, using algebraic relations arising from differential characteristics to speed up and improve key-recovery differential attacks.
Abstract: In this paper we propose a new cryptanalytic method against block ciphers, which combines both algebraic and statistical techniques. More specifically, we show how to use algebraic relations arising from differential characteristics to speed up and improve key-recovery differential attacks against block ciphers. To illustrate the new technique, we apply algebraic techniques to mount differential attacks against round reduced variants of Present-128.

72 citations


Book ChapterDOI
Kenji Ohkuma1
04 Nov 2009
TL;DR: It is found that 32% of PRESENT keys are weak for linear cryptanalysis, and the linear deviation can be much larger than the linear characteristic value by the multi-path effect.
Abstract: The block cipher PRESENT, designed as an ultra-lightweight cipher, has a 31-round SPN structure in which the S-box layer has 16 parallel 4-bit S-boxes and the diffusion layer is a bit permutation. The designers claimed that the maximum linear characteristic deviation is not more than 2^-43 for 28 rounds and concluded that PRESENT is not vulnerable to linear cryptanalysis. But we have found that 32% of PRESENT keys are weak for linear cryptanalysis, and the linear deviation can be much larger than the linear characteristic value by the multi-path effect. And we discovered a 28-round path with a linear deviation of 2^-39.3 for the weak keys. Furthermore, we found that linear cryptanalysis can be used to attack up to 24 rounds of PRESENT for the weak keys.

Journal Article
TL;DR: A hash function with lower rate but higher efficiency is proposed that can be built on insecure compression functions, and it is shown that the key schedule is a more important factor affecting the efficiency of a block-cipher-based hash function than the rate.
Abstract: In this paper, a hash function with lower rate but higher efficiency is proposed, and it can be built on insecure compression functions. The security of this scheme is proved under the black-box model and some compression functions based on block ciphers are given to build this scheme. It is also shown that the key schedule is a more important factor affecting the efficiency of a block-cipher-based hash function than the rate. The new scheme only needs 2 keys and its key schedule can be pre-computed. This means the new scheme need not re-schedule the keys at every step during the iterations, and its efficiency is improved.

Posted Content
TL;DR: Wang et al. as mentioned in this paper showed that there are 2/2/2 weak Key-IVs among total 2/3/2 Key-IVs, and to distinguish a weak Key-IV needs about 2 2 2 3 2 operations for Grain v0, Grain v1 and Grain-128 respectively.
Abstract: Grain v1 is one of the 7 final candidates of the ECRYPT eStream project, which involves an 80-bit secret key. Grain-128 is a variant version with a 128-bit secret key, and Grain v0 is the original version in the first evaluation phase. Firstly, we describe a distinguishing attack against the Grain family with weak Key-IVs. Utilizing the second Walsh spectra of the nonlinear functions, we show that there are 2/2/2 weak Key-IVs among total 2/2/2 Key-IVs, and to distinguish a weak Key-IV needs about 2/2/2 keystream bits and 2/2/2 operations for Grain v0, Grain v1 and Grain-128 respectively. Secondly, we apply algebraic attacks to the Grain family with a weak Key-IV, and can recover the secret key in about 2 seconds and 150 keystream bits for Grain v0 and Grain v1, and reveal the key of Grain-128 with about 100 keystream bits and 2 operations. Furthermore, we discuss the period of the keystream with a weak Key-IV for any Grain-like structure, which can lead to a self-sliding attack.

Proceedings ArticleDOI
05 Jul 2009
TL;DR: A variant of the Hill cipher is introduced that makes the Hill cipher secure while retaining its efficiency, and includes a ciphering core for which a cryptographic protocol is introduced.
Abstract: The Hill cipher is a classical symmetric encryption algorithm that succumbs to the known-plaintext attack. Although its vulnerability to cryptanalysis has rendered it unusable in practice, it still serves an important pedagogical role in cryptology and linear algebra. In this paper, a variant of the Hill cipher is introduced that makes the Hill cipher secure while it retains the efficiency. The proposed scheme includes a ciphering core for which a cryptographic protocol is introduced.

Book ChapterDOI
19 Jun 2009
TL;DR: A natural formalization is given to capture the notion of known-key distinguishers in an effort to view block cipher security from an alternative perspective e.g. a block cipher viewed as a primitive underlying some other cryptographic construction such as a hash function.
Abstract: Knudsen and Rijmen introduced the notion of known-key distinguishers in an effort to view block cipher security from an alternative perspective e.g. a block cipher viewed as a primitive underlying some other cryptographic construction such as a hash function; and applied this new concept to construct a 7-round distinguisher for the AES and a 7-round Feistel cipher. In this paper, we give a natural formalization to capture this notion, and present new distinguishers that we then use to construct known-key distinguishers for Rijndael with Large Blocks up to 7 and 8 rounds.

Journal ArticleDOI
TL;DR: Existing approaches are improved upon in order to derive better bounds on the EDP for two and four rounds of AES based on a slightly simplified S-box, together with methods to improve the estimates for the EDP in the case of six active S-boxes.
Abstract: In this paper we study the security of the Advanced Encryption Standard (AES) and AES-like block ciphers against differential cryptanalysis. Differential cryptanalysis is one of the most powerful methods for analyzing the security of block ciphers. Even though no formal proofs for the security of AES against differential cryptanalysis have been provided to date, some attempts to compute the maximum expected differential probability (MEDP) for two and four rounds of AES have been presented recently. In this paper, we will improve upon existing approaches in order to derive better bounds on the EDP for two and four rounds of AES based on a slightly simplified S-box. More precisely, we are able to provide the complete distribution of the EDP for two rounds of this AES variant with five active S-boxes and methods to improve the estimates for the EDP in the case of six active S-boxes.

Journal ArticleDOI
TL;DR: In this article, the authors identify a large class of block ciphers for which the group generated by the round functions of a block cipher can be easily guaranteed to be primitive, including the AES cipher and the SERPENT cipher.
Abstract: The group generated by the round functions of a block cipher has been widely investigated. We identify a large class of block ciphers for which this group is easily guaranteed to be primitive. Our class includes the AES cipher and the SERPENT cipher.

Journal ArticleDOI
TL;DR: This paper studies the security of the scheme and reports the following problems: the scheme can be broken by a differential attack with 6 + ⌈log_L(MN)⌉ chosen plaintexts, and the two composition maps both do not work as a secure and efficient source of random numbers.
Abstract: Recently, a chaotic cryptographic scheme based on composition maps was proposed. This paper studies the security of the scheme and reports the following findings: 1) the scheme can be broken by a differential attack with $6+\lceil\log_L(MN)\rceil$ chosen plaintexts, where $MN$ is the size of the plaintext and $L$ is the number of different elements in the plaintext; 2) the scheme is not sensitive to changes of the plaintext; 3) the two composition maps do not work well as a secure and efficient random number source.

Journal ArticleDOI
TL;DR: This approach efficiently takes advantage of the reduced preimage space for relatively large m while at the same time employing the design structure of the cipher, and outperforms classical algebraic attacks on so-called Linear Feedback Shift Register-based stream ciphers.
Abstract: In this paper, the complexity of applying a guess and determine attack to so-called Linear Feedback Shift Register (LFSR)-based stream ciphers is analyzed. This family of stream ciphers uses a single or several LFSRs and a filtering function F : GF(2)^n → GF(2)^m to generate blocks of m ≥ 1 keystream bits at a time. In contrast to a classical guess and determine attack, a method based on guessing certain bits in order to determine the remaining secret key/state bits, our approach efficiently takes advantage of the reduced preimage space for relatively large m while at the same time employing the design structure of the cipher. Several variations of the algorithm are derived to circumvent the sensitivity of the attack to the input data, n, m and the key length. In certain cases, our attack outperforms classical algebraic attacks, these being considered as one of the most efficient cryptanalytic tools for this type of cipher. A superior performance of our attack over algebraic attacks is demonstrated in case the filtering function belongs to the extended Maiorana-McFarland class.

Book ChapterDOI
17 Dec 2009
TL;DR: This paper presents a variation of the template attack classification process that can be applied to block ciphers when the plaintext and ciphertext used are unknown, and demonstrates that the attack works in practice by applying it to implementations of AES on 8051 and ARM7 microprocessors.
Abstract: In this paper we present a variation of the template attack classification process that can be applied to block ciphers when the plaintext and ciphertext used are unknown. In a naive implementation this attack can be applied to any round of a block cipher. We also show that when a block cipher is implemented with the masking countermeasure a similar attack can be applied to the first round of the cipher. We demonstrate that the attack works in practice by applying it to implementations of AES on 8051 and ARM7 microprocessors. We also demonstrate that the attack can be applied to implementations of block ciphers that use the masking countermeasure when three points are selected from which templates are constructed, or two points if the plaintext can be guessed.

Book ChapterDOI
04 Nov 2009
TL;DR: This paper presents a new impossible differential attack on reduced-round Camellia, a 128-bit block cipher which has been accepted by ISO/IEC as an international standard and is increasingly being used in many cryptographic applications.
Abstract: Camellia, a 128-bit block cipher which has been accepted by ISO/IEC as an international standard, is increasingly being used in many cryptographic applications. In this paper, using the redundancy in the key schedule and accelerating the filtration of wrong pairs, we present a new impossible differential attack on reduced-round Camellia. By this attack 12-round Camellia-128 without FL/FL^-1 functions and whitening is breakable with a total complexity of about 2^116.6 encryptions and 2^116.3 chosen plaintexts. In terms of the number of attacked rounds, our attack is better than any previously known attack on Camellia-128.

Book ChapterDOI
03 Dec 2009
TL;DR: This paper gives a cache timing cryptanalysis of stream ciphers using word-based linear feedback shift registers (LFSRs), such as Snow, Sober, Turing, or Sosemanuk, and shows how the LFSR state for any such cipher can be recovered using very little computational effort.
Abstract: Cache timing attacks are a class of side-channel attacks that is applicable against certain software implementations. They have generated significant interest when demonstrated against the Advanced Encryption Standard (AES), but have more recently also been applied against other cryptographic primitives. In this paper, we give a cache timing cryptanalysis of stream ciphers using word-based linear feedback shift registers (LFSRs), such as Snow, Sober, Turing, or Sosemanuk. Fast implementations of such ciphers use tables that can be the target for a cache timing attack. Assuming that a small number of noise-free cache timing measurements are possible, we describe a general framework showing how the LFSR state for any such cipher can be recovered using very little computational effort. For the ciphers mentioned above, we show how this knowledge can be turned into efficient cache-timing attacks against the full ciphers.

Book ChapterDOI
14 Dec 2009
TL;DR: The rakaposhi stream cipher offers 128-bit security, and aims to complement the current eSTREAM portfolio of hardware-oriented stream ciphers.
Abstract: In this paper, we introduce the rakaposhi stream cipher. The algorithm is based on Dynamic Linear Feedback Shift Registers, with a simple and potentially scalable design, and is particularly suitable for hardware applications with restricted resources. The rakaposhi stream cipher offers 128-bit security, and aims to complement the current eSTREAM portfolio of hardware-oriented stream ciphers.

Book ChapterDOI
23 Aug 2009
TL;DR: This paper considers the application of linear cryptanalysis to the block cipher SMS4, and demonstrates a simple attack on 22 rounds of SMS4.
Abstract: In this paper we consider the cryptanalysis of the block cipher SMS4. The cipher has received much recent attention due to its simplicity and prominence (it is used in wireless networks in China) and a range of differential attacks break up to 21 of the 32 rounds used in SMS4. Here we consider the application of linear cryptanalysis to the cipher and we demonstrate a simple attack on 22 rounds of SMS4. We also consider some advanced linear cryptanalytic techniques which, under the best conditions for the cryptanalyst, might (just) extend to 23 rounds.

Book ChapterDOI
04 Nov 2009
TL;DR: Another trick from block cipher cryptanalysis, the structures, is used for speeding up the collision search and the memory and the time complexities of this approach are investigated.
Abstract: Hash function cryptanalysis has acquired many methods, tools and tricks from other areas, mostly block ciphers. In this paper another trick from block cipher cryptanalysis, the structures, is used for speeding up the collision search. We investigate the memory and the time complexities of this approach under different assumptions on the round functions. The power of the new attack is illustrated with the cryptanalysis of the hash functions Grindahl and the analysis of the SHA-3 candidate Fugue (both functions as 256 and 512 bit versions). The collision attack on Grindahl-512 is the first collision attack on this function.

Book ChapterDOI
02 Apr 2009
TL;DR: A simple differential attack on 22-round SMS4 is presented, which is an improvement of the previous work, so the attack becomes the best known one on SMS4.
Abstract: SMS4 is a 128-bit block cipher used in the WAPI standard in wireless networks in China. The cipher has attracted much attention in the past two years. This paper consists of two parts. The first part is on the design of the linear diffusion layer L of SMS4. Some new observations on L are presented, which open out the design rationales of L and such class functions to a great extent. The second part is on the differential attack against SMS4. A class of 18-round differential characteristics with a higher probability is given. Then a simple differential attack on 22-round SMS4 is presented, which is an improvement of the previous work, thus our attack becomes the best known one on SMS4. Furthermore, we make a remark on the construction of differential characteristics of SMS4.

Book ChapterDOI
01 Jan 2009
TL;DR: An overview of block cipher design is given and some of the work that has been developed in the area of algebraic cryptanalysis is recalled, including a few computational and algebraic techniques that could be used in the analysis of block ciphers, and possible directions for future work are discussed.
Abstract: Block ciphers are one of the most important classes of cryptographic algorithms in current use. Commonly used to provide confidentiality for transmission and storage of information, they encrypt and decrypt blocks of data according to a secret key. Several recently proposed block ciphers (in particular the AES (Daemen and Rijmen in The Design of Rijndael, Springer, Berlin, 2002)) exhibit a highly algebraic structure: their round transformations are based on simple algebraic operations over a finite field of characteristic 2. This has caused an increasing amount of cryptanalytic attention to be directed to the algebraic properties of these ciphers. Of particular interest is the proposal of the so-called algebraic attacks against block ciphers. In these attacks, a cryptanalyst describes the encryption operation as a large set of multivariate polynomial equations, which—once solved—can be used to recover the secret key. Thus the difficulty of solving these systems of equations is directly related to the cipher’s security. As a result computational algebra is becoming an important tool for the cryptanalysis of block ciphers. In this paper we give an overview of block ciphers design and recall some of the work that has been developed in the area of algebraic cryptanalysis. We also consider a few computational and algebraic techniques that could be used in the analysis of block ciphers and discuss possible directions for future work.

Book ChapterDOI
18 Mar 2009
TL;DR: It is shown that higher order differential attacks can be successful against 6-round and 7-round versions of MISTY1 with FL functions, which signifies the first successful attack on 7-round MISTY1 without limiting conditions such as a weak key.
Abstract: MISTY1 is a 64-bit block cipher that has provable security against differential and linear cryptanalysis. MISTY1 is one of the algorithms selected in the European NESSIE project, and it has been recommended for Japanese e-Government ciphers by the CRYPTREC project. This paper shows that higher order differential attacks can be successful against 6-round and 7-round versions of MISTY1 with FL functions. The attack on 6-round MISTY1 can recover a partial subkey with a data complexity of 2^53.7 and a computational complexity of 2^53.7, which is the smallest computational complexity for an attack on 6-round MISTY1. The attack on 7-round MISTY1 can recover a partial subkey with a data complexity of 2^54.1 and a computational complexity of 2^120.7, which signifies the first successful attack on 7-round MISTY1 without limiting conditions such as a weak key.

Journal ArticleDOI
TL;DR: Algebraic cryptanalysis, a technique that uses modern equation solvers to attack cryptographic algorithms, is used to attack simplified AES.
Abstract: Simplified AES was developed in 2003, as a teaching tool to help students understand AES. It was designed so that the two primary attacks on symmetric-key block ciphers of that time, differential cryptanalysis and linear cryptanalysis, are not trivial on simplified AES. Algebraic cryptanalysis is a technique that uses modern equation solvers to attack cryptographic algorithms. We will use algebraic cryptanalysis to attack simplified AES.

Proceedings ArticleDOI
22 Jun 2009
TL;DR: The substitution table or S-Box is considered the core of block ciphers, and a good S-Box design can increase the cipher's security and simplicity.
Abstract: The substitution table or S-Box is considered as the core of the block ciphers. The good design of the S-Box can increase the cipher security and simplicity.