
Showing papers on "Differential cryptanalysis published in 2023"


Journal ArticleDOI
TL;DR: In this paper, a divide-and-conquer approach that partitions the secret key bits, with the partitions chosen from multiple input-output differentials, is proposed to obtain a significantly improved attack on 6-round ChaCha256 with a complexity of $2^{99.48}$.
Abstract: In this paper we present several analyses on ChaCha, a software stream cipher. First, we consider a divide-and-conquer approach on the secret key bits by partitioning them. The partitions are based on multiple input-output differentials to obtain a significantly improved attack on 6-round ChaCha256 with a complexity of $2^{99.48}$. It is $2^{40}$ times faster than the currently best known attack. This is the first time an attack on a round reduced ChaCha with a complexity smaller than $2^{k/2}$, where the secret key is of k bits, has been successful. Further, all the attack complexities related to ChaCha are theoretically estimated in general and there are several questions in this regard as pointed out by Dey, Garai, Sarkar and Sharma in Eurocrypt 2022. In this regard, we propose a toy version of ChaCha, with a 32-bit secret key, on which the attacks can be implemented completely to verify whether the theoretical estimates are justified. This idea is implemented for our proposed attack on 6 rounds. Finally, we show that it is possible to estimate the success probabilities of these kinds of PNB-based differential attacks more accurately. Our methodology explains how different cryptanalytic results can be evaluated with better accuracy rather than claiming that the success probability is significantly better than 50%.

2 citations


Journal ArticleDOI
TL;DR: The truncated differential properties of reduced-round SipHash are studied, the output bits with the most imbalanced differential biases are identified, and a key recovery method is proposed that obtains a nonuniform distribution of the 128-bit key through several bias tests.
Abstract: SipHash is a family of ARX-based MAC algorithms optimized for short inputs. So far, a lot of implementations and applications for SipHash have been proposed, whereas the cryptanalysis of SipHash still lags behind. In this paper, we study the property of truncated differential in reduced-round SipHash. By exhaustively testing all kinds of 1-bit input differences, we find out the greatest differential biases from corresponding output bits through 3 or 4 SipRounds. Making use of these results, we construct distinguishers for SipHash-2-1 and SipHash-2-2 with practical complexities of $2^{12}$ and $2^{36}$, respectively. However, one limitation of the latter is that it begins with 1-bit input differences on the most significant message bit, which means it can only work when neglecting the padding rules of SipHash. Furthermore, we reveal the relations between the value of output bias and the difference after the first modular addition step, which is directly determined by corresponding key bits. Based on these relations, we propose a key recovery method for SipHash-2-1 that can obtain a significantly nonuniform distribution of the 128-bit secret key. It is summarized that about $97\%$ of random keys can be fully recovered under this method within a complexity of $2^{83}$.

1 citation


Journal ArticleDOI
28 Jun 2023-Entropy
TL;DR: This paper proposes a cryptanalysis method for lightweight block ciphers based on state-of-the-art deep learning techniques (e.g., residual connections and gated linear units) and shows significant improvements in the number of parameters required and in the average bit accuracy probability.
Abstract: With the development of artificial intelligence, deep-learning-based cryptanalysis has been actively studied. There are many cryptanalysis techniques. Among them, cryptanalysis was performed to recover the secret key used for encryption using known plaintext. In this paper, we propose a cryptanalysis method based on state-of-the-art deep learning technologies (e.g., residual connections and gated linear units) for lightweight block ciphers (e.g., S-DES, S-AES, and S-SPECK). The number of parameters required for training is significantly reduced by 93.16%, and the average bit accuracy probability increased by about 5.3% compared with the previous state-of-the-art work. In addition, cryptanalysis for S-AES and S-SPECK was possible with up to 12-bit and 6-bit keys, respectively. Through this experiment, we confirmed that state-of-the-art deep-learning-based key recovery techniques for modern cryptographic algorithms with the full round and the full key are practically infeasible.

1 citation


Journal ArticleDOI
Jinyou Shen
TL;DR: Simeck, proposed by Yang et al. in 2015, combines design features of Simon and Speck; the authors extend their earlier super-round linear cryptanalysis (an efficient way of implementing Matsui's second algorithm, previously applied to all variants of Simon) to all variants of Simeck.
Abstract: The Simeck family of lightweight block ciphers was proposed by Yang et al. in 2015, which combines the design features of the NSA-designed block ciphers Simon and Speck. Previously, we proposed the use of linear cryptanalysis using super-rounds to increase the efficiency of implementing Matsui’s second algorithm and achieved good results on all variants of Simon. The improved linear attacks result from the observation that, after four rounds of encryption, one bit of the left half of the state of the cipher depends on only 17 key bits (19 key bits for the larger variants of the cipher). We were able to follow a similar approach, in all variants of Simeck, with an improvement in Simeck 32 and Simeck 48 by relaxing the previous constraint of a single active bit, using multiple active bits instead. In this paper we present improved linear attacks against all variants of Simeck: attacks on 19 rounds of Simeck 32/64, 28 rounds of Simeck 48/96, and 34 rounds of Simeck 64/128, often with the direct recovery of the full master key without repeating the attack over multiple rounds. We also verified the results of linear cryptanalysis on 8, 10, and 12 rounds for Simeck 32/64.

1 citation



Journal ArticleDOI
TL;DR: The proposed method is used to design a quantum circuit that searches for differential characteristics of a toy cipher, smallGIFT, and to validate the differential and impossible differential characteristics obtained with it.

1 citation


Journal ArticleDOI
TL;DR: In this paper, the authors construct neural distinguishers for two block ciphers with similar properties, LBC-IoT and SLIM, and show that the position at which the round keys enter the round function can have a significant impact on the distinguishing probability.
Abstract: Interest in the application of deep learning in cryptography has increased immensely in recent years. Several works have shown that such attacks are not only feasible but, in some cases, are superior compared to classical cryptanalysis techniques. However, due to the black-box nature of deep learning models, more work is required to understand how they work in the context of cryptanalysis. In this paper, we contribute towards the latter by first constructing neural distinguishers for 2 different block ciphers, LBC-IoT and SLIM, that share similar properties. We then show that, unlike classical differential cryptanalysis (on which neural distinguishers are based), the position where the round keys are included in round functions can have a significant impact on distinguishing probability. We explore this further to investigate if different choices of where the round key is introduced can lead to better resistance against neural distinguishers. We compare several variants of the round function to showcase this phenomenon, which is useful for securing future block cipher designs against deep learning attacks. As an additional contribution, the neural distinguisher for LBC-IoT was also applied in a practical-time key recovery attack on up to 8 rounds. Results show that even with no optimizations, the attack can consistently recover the correct round key with an attack complexity of around $2^{24}$ full encryptions. To the best of our knowledge, this is the first third-party cryptanalysis result for LBC-IoT to date.

Journal ArticleDOI
TL;DR: A security evaluation framework for AND-RX ciphers against impossible differential cryptanalysis is proposed in this paper, based on three different methods for finding the theoretical upper boundary, the theoretical lower boundary, and the practical boundary of impossible differential distinguishers (IDs for short), respectively.
Abstract: In this paper, a security evaluation framework for AND-RX ciphers against impossible differential cryptanalysis is proposed. This framework is constructed based on three different methods towards finding the theoretical upper boundary, theoretical lower boundary, and practical boundary of impossible differential distinguishers (IDs for short) respectively. The provable security boundary (upper boundary) can be calculated with two round-function-related matrices through a few matrix multiplications; this calculation is beyond actual input and output differences. For searching longer IDs (lower boundary), an automatic method is proposed. With this method, given the input and output difference, all the possible direct and indirect contradictions are detected. For the practical boundary, a method of approximating all the potential longest IDs with concrete differential trails is introduced. The three boundaries validate the correctness from each other. According to our result, on the one hand, the boundaries derived with well-designed ID-construction methods can already reach the practical boundary for some block ciphers and it is unlikely to be improved based on known construction methods or future unknown construction methods. On the other hand, for those ciphers whose current best result does not reach our boundary, longer IDs can be discovered with this framework. The correctness is validated by a series of applications. For the provable security boundary, four cipher families (SIMON, Simeck, Friet-PC and SAND) are investigated. For SIMON and Simeck, the lengths of the current longest IDs have reached their provable security boundaries. For Friet-PC and SAND, there is a gap between the provable security boundary and current best results. With the automatic searching method, some longer IDs on Friet-PC and SAND are discovered. For Friet-PC, 128 11-round IDs are discovered, while the previous best differential distinguisher is 9-round.
For SAND64, 256 11-round IDs are proposed. For SAND128, 456 14-round IDs are presented. Both results extend previous longest IDs by one round and all these newly proposed distinguishers reached corresponding provable security boundaries. For Simeck, the length of longest IDs has not been improved. However, more distinguishers of the same length are discovered. For Simeck64, the increased ratio for the quantity can reach 300%. Besides, the practical boundary of SIMON is investigated, the results indicate that for SIMON, the practical boundary is identical with the provable security boundary or the boundary derived with the automatic searching method.

Journal ArticleDOI
TL;DR: In this article, the authors study the maximum length of impossible differentials of an Advanced Encryption Standard-like cipher when the details of the S-boxes are taken into account, and propose a new technique called Reduced Block that incorporates those S-box details.
Abstract: Whether a block cipher can resist impossible differential attack is an important basis to evaluate the security of a block cipher. However, the length of impossible differentials is important for the security evaluation of block ciphers. Most of the previous studies are based on structural cryptanalysis to find the impossible differential, and the structural cryptanalysis covers a lot of specific cryptanalytic vectors which are independent of the nonlinear S-boxes. In this paper, we study the maximum length of the impossible differential of an Advanced Encryption Standard-like cipher in the setting with the details of S-boxes. Inspired by the ‘Divide-and-Conquer’ technique, we propose a new technique called Reduced Block, which combines the details of the S-box. With this tool, the maximum length of impossible differentials can be proven under reasonable assumptions. As applications, we use this tool on uBlock and Midori. Consequently, we prove that for uBlock-128, uBlock-256 and Midori-64, there are no impossible five-round, six-round and seven-round differentials with one active input nibble and one active output nibble, even when considering the details of S-boxes. Furthermore, we reveal some properties of the uBlock S-box and linear layer and demonstrate theoretically that there are no impossible differentials longer than four rounds for uBlock-128 under the assumption that the round keys are independent and uniformly random. This study might provide some insight into the bounds of the length of impossible differentials.

Book ChapterDOI
TL;DR: In this paper, the security of Ballet-128 and ANT-128 against related-cipher attacks is investigated. Because their key schedules do not depend on the number of encryption rounds, the authors consider related-cipher attacks with equivalent keys by restricting the 256-bit key space, recovering the full key of Ballet-128/128 and mounting a 9-round key-recovery attack on ANT-128/128.
Abstract: Quite a lot of block ciphers proposed in recent years are families of ciphers that conveniently support multiple block lengths and key lengths. The essential security requirements for a family of block ciphers are: (1) Each cipher instance from the family is secure; (2) Cipher instances do not endanger each other’s security, namely, other instances cannot be predicted from one or more cipher instances. However, traditional cryptanalysis methods such as differential cryptanalysis, linear cryptanalysis and integral cryptanalysis always assess the security of a single member of the cipher family. Related-cipher attacks focus on the security between cipher instances. This paper studies the security of Ballet-128 and ANT-128 against related-cipher attacks. Since their key schedules do not rely on the round number of encryption, we consider the related-cipher attack with equivalent keys by limiting the 256-bit key space. As a result, we recover the secret key of the full Ballet-128/128 with just one chosen plaintext pair and one call each of Ballet-128/128 and Ballet-128/256, which means Ballet-128 is insecure against related-cipher attack. For ANT-128, we show that there exist at most 6-round related-cipher distinguishers between ANT-128/128 and ANT-128/256, and launch a 9-round key-recovery attack on ANT-128/128 based on a 6-round related-cipher distinguisher with a time complexity of about $2^{60.9}$.

Journal ArticleDOI
TL;DR: In this paper, the authors address the modeling of differential attacks on block cipher algorithms by defining a Bayesian framework that allows a probabilistic estimation of the secret key, and present as a case study a differential attack on the Data Encryption Standard (DES), which is still of great interest to the scientific community since its vulnerabilities may have implications for other ciphers.
Abstract: Encryption algorithms based on block ciphers are among the most widely adopted solutions for providing information security. Over the years, a variety of methods have been proposed to evaluate the robustness of these algorithms to different types of security attacks. One of the most effective analysis techniques is differential cryptanalysis, whose aim is to study how variations in the input propagate on the output. In this work we address the modeling of differential attacks to block cipher algorithms by defining a Bayesian framework that allows a probabilistic estimation of the secret key. In order to prove the validity of the proposed approach, we present as case study a differential attack to the Data Encryption Standard (DES) which, despite being one of the methods that has been most thoroughly analyzed, is still of great interest to the scientific community since its vulnerabilities may have implications on other ciphers.

Journal ArticleDOI
TL;DR: In this paper, an improved differential-linear cryptanalysis of the ChaCha stream cipher is presented, giving the first distinguisher for ChaCha reduced to 7.5 rounds and a key-recovery attack on 7-round ChaCha with a computational complexity of $2^{206.8}$.
Abstract: In this paper, we present an improved differential-linear cryptanalysis of the ChaCha stream cipher. Our main contributions are new differential-linear distinguishers that we were able to build thanks to the following improvements: a) we considered a larger search space, including 2-bit differences (besides 1-bit differences) for the difference at the beginning of the differential part of the differential-linear trail; b) a better choice of mask between the differential and linear parts; c) a carefully crafted MILP tool that finds linear trails with higher correlation for the linear part. We eventually obtain a new distinguisher for ChaCha reduced to 7 rounds that requires $2^{166.89}$ computations, improving the previous record (ASIACRYPT 2022) by a factor of $2^{47}$. Also, we obtain a distinguisher for ChaCha reduced to 7.5 rounds that requires $2^{251.4}$ computations, the first distinguisher against ChaCha reduced to 7.5 rounds. Using our MILP tool, we also found a 5-round differential-linear distinguisher. When combined with the probabilistic neutral bits (PNB) framework, we obtain a key-recovery attack on ChaCha reduced to 7 rounds with a computational complexity of $2^{206.8}$, improving by a factor of $2^{14.2}$ upon the recent result published at EUROCRYPT 2022.
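Both ChaCha entries on this page (the 6-round PNB attack above and the differential-linear distinguishers here) start from the same primitive observation: a single-bit difference injected into an IV word leaves a measurable bias on some output bit after r rounds, and the 6-round paper argues that such theoretical estimates should be checked by running the cipher at toy scale. The script below is an added example, not code from either paper: it implements the ChaCha core as specified in RFC 8439 and measures the empirical bias of one output bit for a chosen input difference over random keys and IVs. The input/output bit positions and the sample counts are illustrative assumptions, not values taken from the papers.

```python
"""Empirical single-bit differential bias in round-reduced ChaCha.

Added example (not code from either ChaCha paper on this page). The input and
output bit positions and the sample counts used below are illustrative
assumptions, not the positions used in the published attacks.
"""
import random

MASK = 0xFFFFFFFF
CONSTANTS = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]  # "expand 32-byte k"
COLUMNS = [(0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15)]
DIAGONALS = [(0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)]


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def quarter_round(s, a, b, c, d):
    """ChaCha quarter round (RFC 8439) applied in place to state words a, b, c, d."""
    s[a] = (s[a] + s[b]) & MASK; s[d] = rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = rotl(s[b] ^ s[c], 7)


def chacha_state(key, iv, rounds):
    """State after `rounds` ChaCha rounds (odd rounds are column rounds, even
    rounds diagonal rounds) starting from the 4 constants, 8 key words and 4 IV
    words (counter + nonce, state words 12..15). The final feed-forward addition
    is omitted: in the distinguisher setting the attacker works on this raw state."""
    s = CONSTANTS + list(key) + list(iv)
    for r in range(rounds):
        for qr in (COLUMNS if r % 2 == 0 else DIAGONALS):
            quarter_round(s, *qr)
    return s


def differential_bias(rounds, in_word, in_bit, out_word, out_bit, samples, seed=1):
    """Estimate eps = 2*Pr[output-bit difference = 1] - 1 over random keys and IVs
    for a single-bit input difference in IV word `in_word` (12..15), bit `in_bit`,
    observed on bit `out_bit` of state word `out_word` after `rounds` rounds."""
    rng = random.Random(seed)
    ones = 0
    for _ in range(samples):
        key = [rng.getrandbits(32) for _ in range(8)]
        iv = [rng.getrandbits(32) for _ in range(4)]
        iv_prime = list(iv)
        iv_prime[in_word - 12] ^= 1 << in_bit
        x = chacha_state(key, iv, rounds)
        y = chacha_state(key, iv_prime, rounds)
        ones += ((x[out_word] ^ y[out_word]) >> out_bit) & 1
    return 2 * ones / samples - 1


if __name__ == "__main__":
    # Difference in word 13 bit 0, observed on word 13 bit 4: after one (column)
    # round the difference reaches this bit through the rotations alone, so the
    # bias is essentially 1; after four rounds it is small at this sample size.
    for r in (1, 2, 3, 4):
        print(f"rounds={r}: bias={differential_bias(r, 13, 0, 13, 4, 2000):+.3f}")
```

Run it with a few thousand samples per round to see the bias collapse from 1 toward 0 as rounds are added; the published attacks differ from this toy measurement in choosing the positions by search, combining the differential part with a linear part, and using far larger sample counts, which is exactly where the complexity and success-probability estimates become hard to verify on paper.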

Journal ArticleDOI
TL;DR: The cube attack, as discussed by the authors, is a chosen plaintext algebraic cryptanalysis technique: an offline phase acquires an equivalent system by monomial reduction, and interpolation on cubes in the space of variables yields a linear polynomial system that the online phase exploits to recover the secret key.
Abstract: Algebraic Cryptanalysis is a widely used technique that tackles the problem of breaking ciphers mainly relying on the ability to express a cryptosystem as a solvable polynomial system. Each output bit/word can be expressed as a polynomial equation in the cipher’s inputs, namely the key and the plaintext or the initialisation vector bits/words. A part of research in this area consists in finding suitable algebraic structures where polynomial systems can be effectively solved, e.g., by computing Gröbner bases. In 2009, Dinur and Shamir proposed the cube attack, a chosen plaintext algebraic cryptanalysis technique for the offline acquisition of an equivalent system by means of monomial reduction; interpolation on cubes in the space of variables enables retrieving a linear polynomial system, hence making it exploitable in the online phase to recover the secret key. Since its introduction, this attack has received both many criticisms and endorsements from the crypto community; this work aims at providing, under a unified notation, a complete state-of-the-art review of recent developments by categorising contributions in five classes. We conclude the work with an in-depth description of the kite attack framework, a cipher-independent tool that implements cube attacks on GPUs. Mickey2.0 is adopted as a showcase.
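The two-phase structure described in this abstract can be exercised end to end on a toy target. The following is an added example, not code from the paper or from the kite attack framework it describes: `toy_f` is a constructed Boolean polynomial in four key bits and three IV bits standing in for one output bit of a cipher, the cubes are found by brute force over IV subsets with a BLR linearity test on each superpoly, and the key is recovered from the resulting GF(2) linear system plus a brute-force step over the bits the system leaves undetermined.

```python
"""Cube attack on a toy keyed Boolean function: offline and online phase.

Added example, not code from the paper or from the kite attack framework. The
target toy_f and the key/IV sizes are constructed for illustration only; a real
attack searches for cubes on a round-reduced cipher with thousands of variables.
"""
import itertools
import random

KEY_BITS = 4
IV_BITS = 3


def toy_f(key, iv):
    """Constructed target, a Boolean polynomial over GF(2):
    f = v0 v1 (k0 + k2 + 1) + v0 v2 k1 + v1 k0 k1 + v2 k3 + v0 v1 v2 k0 k3 + k2 k3."""
    k0, k1, k2, k3 = key
    v0, v1, v2 = iv
    return ((v0 & v1 & (k0 ^ k2 ^ 1)) ^ (v0 & v2 & k1) ^ (v1 & k0 & k1)
            ^ (v2 & k3) ^ (v0 & v1 & v2 & k0 & k3) ^ (k2 & k3)) & 1


def cube_sum(g, cube):
    """XOR of g(iv) over all 2^|cube| assignments of the cube variables, with the
    remaining IV bits fixed to 0. By the cube-attack theorem this sum equals the
    superpoly of the cube monomial evaluated at the key hidden inside g."""
    total = 0
    for bits in itertools.product((0, 1), repeat=len(cube)):
        iv = [0] * IV_BITS
        for var, bit in zip(cube, bits):
            iv[var] = bit
        total ^= g(tuple(iv))
    return total


def superpoly_is_linear(f, cube, rng, trials=32):
    """BLR linearity test on p(k) = cube_sum(f(k, .), cube): an affine p satisfies
    p(x) + p(y) + p(0) = p(x + y) for all x, y; a nonlinear p fails it quickly."""
    p = lambda key: cube_sum(lambda iv: f(key, iv), cube)
    p0 = p((0,) * KEY_BITS)
    for _ in range(trials):
        x = tuple(rng.getrandbits(1) for _ in range(KEY_BITS))
        y = tuple(rng.getrandbits(1) for _ in range(KEY_BITS))
        xy = tuple(a ^ b for a, b in zip(x, y))
        if p(x) ^ p(y) ^ p0 != p(xy):
            return False
    return True


def linear_superpoly(f, cube):
    """Interpolate an affine superpoly: constant term from key 0, coefficient of
    k_i from the unit vector e_i. Returns (coefficients, constant)."""
    p = lambda key: cube_sum(lambda iv: f(key, iv), cube)
    const = p((0,) * KEY_BITS)
    coeffs = [p(tuple(1 if j == i else 0 for j in range(KEY_BITS))) ^ const
              for i in range(KEY_BITS)]
    return coeffs, const


def offline_phase(f, rng):
    """Preprocessing: the attacker controls key and IV of a copy of the cipher and
    keeps every cube whose superpoly is linear and not constant."""
    found = []
    for size in range(1, IV_BITS + 1):
        for cube in itertools.combinations(range(IV_BITS), size):
            if superpoly_is_linear(f, cube, rng):
                coeffs, const = linear_superpoly(f, cube)
                if any(coeffs):
                    found.append((cube, coeffs, const))
    return found


def online_phase(f, oracle, equations):
    """Online: query the keyed oracle (chosen IVs only) on each cube, giving one
    GF(2) linear equation in the key bits; keep the keys satisfying all of them,
    then brute-force the leftover freedom against the oracle on extra IVs."""
    system = [(coeffs, cube_sum(oracle, cube) ^ const) for cube, coeffs, const in equations]
    all_keys = itertools.product((0, 1), repeat=KEY_BITS)
    candidates = [k for k in all_keys
                  if all((sum(c & b for c, b in zip(coeffs, k)) & 1) == rhs
                         for coeffs, rhs in system)]
    check_ivs = list(itertools.product((0, 1), repeat=IV_BITS))  # constructed check queries
    survivors = [k for k in candidates if all(f(k, iv) == oracle(iv) for iv in check_ivs)]
    return candidates, survivors


def run_demo(secret=(1, 0, 1, 1), seed=7):
    """Constructed demo: offline phase on toy_f, online phase against an oracle
    holding `secret`. Returns (equations, linear-system candidates, survivors)."""
    equations = offline_phase(toy_f, random.Random(seed))
    oracle = lambda iv: toy_f(secret, iv)
    candidates, survivors = online_phase(toy_f, oracle, equations)
    return equations, candidates, survivors


if __name__ == "__main__":
    equations, candidates, survivors = run_demo()
    for cube, coeffs, const in equations:
        terms = [f"k{i}" for i, c in enumerate(coeffs) if c] + (["1"] if const else [])
        print(f"cube {cube}: superpoly = {' + '.join(terms)}")
    print("candidates after linear system:", candidates)
    print("recovered key:", survivors)
```

For this target the offline phase finds three useful cubes whose superpolys are k0 + k2 + 1, k1 and k3, so the online phase pins down two key bits and one relation and leaves two candidates for the brute-force step; the cubes {v1} and {v0, v1, v2} are rejected because their superpolys (k0 k1 and k0 k3) fail the linearity test, which is the monomial-reduction obstacle the abstract refers to.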

Journal ArticleDOI
01 Apr 2023-Heliyon
TL;DR: In this paper, the authors present key recovery attacks on the LBC-IoT and LCB block ciphers reaching up to 14 rounds and up to 19 rounds, respectively.

Journal ArticleDOI
TL;DR: In this paper, the authors review 8 block ciphers presented in the last five years and used in different applications, and show that many of the proposed modifications implement chaotic maps in key generation to enhance the robustness and randomness of the block cipher.
Article history: Received 30/6/2022. Accepted 13/11/2022.
Abstract: Block cipher algorithms are a very important issue in the field of information security. Their simple structure and software-based encryption allow users to implement them in several applications such as data security and cloud computing. In this paper, we reviewed 8 block ciphers that had been presented in the last five years and were used in different applications. The 8 block ciphers are: DES, 3DES, Blowfish, Twofish, PRESENT, KLEIN, IDEA and AES. All of them are symmetric block ciphers with different designs. The comparative results showed that the block ciphers can still be used in different applications and fields. They showed that many modifications had been presented in which chaotic maps had been implemented in key generation to enhance the robustness of the block ciphers and their randomness. The comparative results also showed that AES is one of the block ciphers that is still an unbroken algorithm and is still modified to suit other new applications. Since less robust ciphers undergo continuous modification and enhancement in order to be more robust against some probable attacks, the length of the key and its complexity and the structure of the ciphers are essential directions for improving block ciphers.

Journal ArticleDOI
TL;DR: In this article, a simple yet efficient approach to employing MILP-aided tools to evaluate the security of symmetric-key primitives against differential and linear cryptanalysis is proposed.
Abstract: In recent years, Mixed-Integer Linear Programming (MILP)-based automatic tools have played a significant role in providing security evaluations of symmetric-key primitives. Differential and linear cryptanalysis are the two most important cryptographic techniques. Although some methods have conducted a great effort in exploiting MILP-aided tools in searching for differential (linear) characteristics, traditional methods still suffer from primitives with strong diffusion layers and large sizes, such as NOEKEON. Typically, searching for differential (linear) characteristics of such primitives is difficult, and the corresponding MILP models are too heavy to be solved efficiently. To this end, we propose a simple yet efficient approach to employ MILP to evaluate the security against differential and linear cryptanalysis of such primitives. The core of our approach is to reduce the complex problem to a set of simpler subproblems and obtain the optimal solution of the complex problem by combining all the subproblems. A subproblem is equivalent to searching for all differential (linear) characteristics with a fixed number of active S-boxes in each round. Furthermore, we design an elaborate algorithm consisting of three MILP-aided methods to solve various subproblems and adopt some techniques to improve efficiency further. Applying our new algorithm to three SPN primitives Serpent, NOEKEON and ASCON, we obtain the tightest security bounds against differential and linear cryptanalysis for all three primitives so far and find improved differential and linear characteristics for Serpent and NOEKEON. For Serpent, we improve the upper bound of the maximum probability of 7-round differential characteristics from $2^{-71}$ to $2^{-76}$ and find for the first time 7-round differential characteristics. 
For NOEKEON, our results show that there is no 9-round (10-round) differential (linear) characteristic with a probability (correlation) higher than $2^{-128}$ ($2^{-64}$), whereas it needs 10 rounds (11 rounds) according to the previous results. In addition, we find an 8-round (9-round) differential (linear) characteristic with a probability (correlation) of $2^{-127}$ ($2^{-60}$). For ASCON permutation, we provide for the first time an upper bound of the maximum probability (correlation) of 5-round differential (linear) characteristics as $2^{-70}$ ($2^{-33}$).


Journal ArticleDOI
TL;DR: In this article, basic rules for selecting rotation constants of SIMON-type ciphers so that their longest impossible differentials are shorter are proposed, and a concrete attack on 26-round SIMON(13,0,10), a variant suggested at CRYPTO 2015 for resistance against differential and linear cryptanalysis, is presented.
Abstract: In 2013, the lightweight block cipher SIMON was proposed by the NSA. This paper investigates the choice of its rotation constants in terms of resistance against impossible differential cryptanalysis. On one hand, starting from all the possible rotation constants, this paper sieves out the “bad parameters” step by step, and for each step the regular patterns of those “bad parameters” are deduced. Accordingly, basic rules for selecting rotation constants on SIMON-type ciphers to construct shorter longest impossible differentials are proposed. On the other hand, the authors categorize the optimal parameters proposed at CRYPTO 2015; according to these results, some “good parameters” in terms of differential cryptanalysis may be rather “bad parameters” when considering impossible differential cryptanalysis. Finally, a concrete attack on 26-round SIMON(13,0,10) is proposed, which is a SIMON variant suggested at CRYPTO 2015 against differential cryptanalysis and linear cryptanalysis. The result in this paper indicates that it is very important to choose appropriate rotation constants when designing a new block cipher.

Journal ArticleDOI
TL;DR: In this article, a new construction method of diffusion layers for Substitution Permutation Network (SPN) structures is introduced along with its security proofs, and a new stream cipher mode of operation built on a fixed pseudorandom permutation is defined with security proofs in the indistinguishability model.
Abstract: We introduce a new construction method of diffusion layers for Substitution Permutation Network (SPN) structures along with its security proofs. The new method can be used in block ciphers, stream ciphers, hash functions, and sponge constructions. Moreover, we define a new stream cipher mode of operation through a fixed pseudorandom permutation and provide its security proofs in the indistinguishability model. We refer to a stream cipher as a Small Internal State Stream (SISS) cipher if its internal state size is less than twice its key size. There are not many studies about how to design and analyze SISS ciphers due to the criterion on the internal state sizes, resulting from the classical tradeoff attacks. We utilize our new mode and diffusion layer construction to design an SISS cipher having two versions, which we call DIZY. We further provide security analyses and hardware implementations of DIZY. In terms of area cost, power, and energy consumption, the hardware performance is among the best when compared to some prominent stream ciphers, especially for frame-based encryptions that need frequent initialization. Unlike recent SISS ciphers such as Sprout, Plantlet, LILLE, and Fruit, DIZY does not have a keyed update function, enabling efficient key changing.

Book ChapterDOI
01 Jan 2023
TL;DR: In this chapter, two important types of cryptanalysis, linear and differential, are covered: basic concepts and the advanced techniques professionals use to implement them are discussed first, and then how to merge the theoretical and practical concepts.
Abstract: This chapter covers two important cryptanalysis types: linear and differential. To understand how to merge theoretical and practical concepts, basic concepts and advanced techniques on how professionals implement them are discussed first.


Book ChapterDOI
TL;DR: In this article, a new variant of differential cryptanalysis is developed by applying the idea of the boomerang attack to truncated differentials; it utilizes the difference of every pair in an input and output triple.
Abstract: In this paper, a new variant of differential cryptanalysis is developed by applying the idea of the boomerang attack on the truncated differential. We call this variant a triangle differential cryptanalysis since it utilizes the difference of every pair in an input and output triple. Similar to the boomerang attack, the triangle differential cryptanalysis combines two independent truncated differential distinguishers of two parts of a cryptosystem into a distinguisher of the whole cryptosystem. It provides a new perspective on the differential propagation, and so it is possible to break the limit of the traditional truncated differential. An MILP modeling technique is also provided for the triangle differential distinguisher search against general SPN ciphers. To demonstrate the power of this new type of differential distinguishers, we apply it to SKINNY-64 and CRAFT. For SKINNY-64, an 11-round triangle differential distinguisher is obtained, while the previous longest truncated differential distinguisher is 10-round. For CRAFT, a 13-round triangle differential distinguisher is obtained, while the previous longest truncated differential distinguisher is 12-round. Besides, compared with the best distinguishers other than the truncated differential distinguishers, there are still some improvements on the probabilities for both SKINNY-64 and CRAFT.

Book ChapterDOI
TL;DR: In this paper, the authors show that the Fast Fourier Transform (FFT) technique for estimating correlations, introduced by Collard et al. at ICISC 2007, can be applied over $\mathbb{F}_p$, and formalize differential-linear cryptanalysis over $\mathbb{F}_p$.
Abstract: The emergence of advanced cryptographic protocols has promoted the developments of many applications, such as secure multi-party computation (MPC). For this reason, new symmetric-key primitives have been designed to natively support the finite field $\mathbb{F}_p$ with odd characteristic for better efficiencies. However, some well-studied symmetric cryptanalytic methods and techniques over $\mathbb{F}_2^n$ cannot be applied to these new primitives over $\mathbb{F}_p$ directly. Considering less standard design approaches adopted in these novel MPC-friendly ciphers, these proposals are in urgent need of full investigations; generalizations of the traditional cryptanalytic tools and techniques to $\mathbb{F}_p$ will also contribute to better understand the security of these new designs. In this paper, we first show that the Fast Fourier Transform (FFT) technique for the estimations of correlation, introduced by Collard et al. at ICISC 2007, can be applied to $\mathbb{F}_p$ and significantly improves the complexity of Matsui’s Algorithm 2 over $\mathbb{F}_p$. Then, we formalize the differential-linear (DL) cryptanalysis to $\mathbb{F}_p$. Inspired by the differential-linear connectivity table (DLCT) introduced by Bar-On et al. at EUROCRYPT 2019, we also include the DLCT into the consideration, and find the relation between DLCT and differential distribution table (DDT) over $\mathbb{F}_p$. Finally, we mount key recovery attacks on a version of HADESMiMC, which is a SHARK-like MPC-friendly block cipher proposed by Grassi et al. at EUROCRYPT 2020. We denote this version as HADESMiMC-128 in this paper. For linear cryptanalysis with the FFT technique, we can attack 7 rounds of HADESMiMC-128. For DL cryptanalysis, a 7-round key recovery attack of HADESMiMC-128 is also mounted but with better time and data complexity. It should be noted that the attacks are still far from threatening the security of the full 14-round HADESMiMC-128.

Journal ArticleDOI
TL;DR: In this article, a 4-bit, highly nonlinear, bijective, balanced S-box called the Feather S-box is proposed to provide confusion in lightweight ciphers.

Journal ArticleDOI
TL;DR: In this article, the authors review the cryptanalysis methods that exploit possible weaknesses in S-boxes (linear, differential and algebraic cryptanalysis) and the cryptographic properties an S-box must satisfy to resist them.
Abstract: Жұмыста криптоталдау әдістері және сәйкес шабуылдарды орындаудағы S-жәшіктерінің криптографиялық қасиеттерінің рөлі талқыланады. Симметриялық криптографиялық түрлендірулер тиімділігі, жылдамдығы және сенімділігі бойынша бірқатар практикалық артықшылықтарға ие. Бұл жағдайда S-блоктарысимметриялық түрлендірулердің беріктігін қамтамасыз етуде маңызды рөл атқарады. Алгоритмдерді әртүрлі криптоталдау әдістерінен қорғау үшін S-блоктарыбірқатар криптографиялық қасиеттерге ие болуы және бірқатар критерийлерді қанағаттандыруы керек. Қазіргі уақытта криптографиялық алгоритмдерде қолданылатын S-блоктарының қасиеттері маңызды болып табылатын негізгі шабуылдар сызықтық, дифференциалды, алгебралық криптоталдау әдістеріне негізделген шабуылдар болып табылады. Басқа талдау әдістері бір алгоритм үшін әбден спецификалық болып табылады және, әдетте, алгоритмнің S-блоктарысияқты жеке құрамдас бөліктерін емес, жалпы құрылымын пайдаланады. Қағаз S-блоктарындағы ықтимал әлсіздіктерді пайдаланатын қолданыстағы криптоталдау әдістерін қарастырады. В работе рассматриваются методы криптоанализа и роль криптографических свойств S-блоков при проведении соответствующих атак. Симметричные криптографические преобразования обладают рядом преимуществ при практическом использовании с точки зрения их эффективности, скорости и надежности. При этом S-блоки играют важную роль в обеспечении стойкости симметричных преобразований. Для защиты алгоритмов от различных методов криптоанализа S-блоки должны обладать рядом криптографических свойств, удовлетворять ряду критериев. В настоящее время основными атаками, для которых имеют значения свойства S-блоков, используемых в криптографических алгоритмах, являются атаки, основанные на линейном, дифференциальном, алгебраическом методах криптоанализа. Другие методы анализа достаточно специфичны для отдельно взятого алгоритма, и, как правило, используют общую структуру алгоритма, ане отдельные его составляющие компоненты, как, например, S-блоки. 
В работе выполнен обзор существующих методов криптоанализа, использующих возможные слабости в S-блоках The paper discusses cryptanalysis methods and the role of the cryptographic properties of S-boxes in carrying out the corresponding attacks. Symmetric cryptographic transformations have a number of practical advantages in terms of their efficiency, speed and reliability. In this case, S-boxes play an important role in ensuring the robustness of symmetric transformations. To protect algorithms from various cryptanalysis methods, S-boxes must have a number of cryptographic properties and satisfy a number of criteria. Currently, the main attacks for which the properties of S-boxes used in cryptographic algorithms are important are attacks based on linear, differential, algebraic cryptanalysis methods. Other analysis methods are quite specific for a single algorithm, and, as a rule, use the general structure of the algorithm, and not its individual components, such as S-boxes. The paper reviews existing cryptanalysis methods that exploit possible weaknesses in S-boxes
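The criteria the abstract refers to can be computed directly from an S-box's tables. The following is an added example written for this page, not code from the paper: it builds the difference distribution table (DDT) and linear approximation table (LAT) of a 4-bit S-box and derives differential uniformity, linearity and algebraic degree from them. PRESENT's S-box is used as a sample input, and the second, affine S-box is constructed here purely to show how a weak S-box scores; neither is discussed in the paper.

```python
"""Differential, linear and algebraic profile of a 4-bit S-box.

Added example, not taken from the paper: it computes the quantities the paper
names as the S-box criteria against differential, linear and algebraic attacks
(differential uniformity from the DDT, linearity from the LAT, and algebraic
degree from the ANF).  PRESENT's S-box is the sample input; the affine S-box is
constructed here only to show how a weak S-box scores.
"""

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

# Constructed weak S-box: rotate left by one bit, then XOR a constant (affine over GF(2)).
AFFINE_SBOX = [(((x << 1) | (x >> 3)) & 0xF) ^ 0x5 for x in range(16)]


def parity(x):
    """Parity of the bits of x (the GF(2) dot product once x = a & y)."""
    return bin(x).count("1") & 1


def ddt(sbox):
    """Difference distribution table: ddt[dx][dy] = #{x : S(x) ^ S(x ^ dx) = dy}."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def differential_uniformity(sbox):
    """Largest DDT entry over non-zero input differences; the best differential
    through the S-box then holds with probability du/n.  4 is optimal for 4 bits."""
    return max(max(row) for row in ddt(sbox)[1:])


def lat(sbox):
    """Linear approximation table: lat[a][b] = #{x : a.x = b.S(x)} - n/2."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            agree = sum(1 for x in range(n) if parity(a & x) == parity(b & sbox[x]))
            table[a][b] = agree - n // 2
    return table


def linearity(sbox):
    """Largest |Walsh coefficient| = 2 * max |LAT entry| over non-zero output masks;
    the best linear approximation has bias linearity / (2n).  8 is optimal for 4 bits."""
    n = len(sbox)
    table = lat(sbox)
    return 2 * max(abs(table[a][b]) for a in range(n) for b in range(1, n))


def algebraic_degree(sbox):
    """Maximum algebraic degree over all non-zero component functions b.S(x),
    read off the ANF obtained by a Moebius transform.  Low degree helps algebraic attacks."""
    n = len(sbox)
    best = 0
    for b in range(1, n):
        anf = [parity(b & sbox[x]) for x in range(n)]  # truth table, transformed in place
        step = 1
        while step < n:
            for x in range(n):
                if x & step:
                    anf[x] ^= anf[x ^ step]
            step <<= 1
        best = max(best, max((bin(x).count("1") for x in range(n) if anf[x]), default=0))
    return best


def profile(sbox):
    """The three criteria as one record, so candidate S-boxes can be compared."""
    return {
        "differential_uniformity": differential_uniformity(sbox),
        "linearity": linearity(sbox),
        "algebraic_degree": algebraic_degree(sbox),
    }


if __name__ == "__main__":
    for name, box in (("PRESENT", PRESENT_SBOX), ("affine", AFFINE_SBOX)):
        print(name, profile(box))
```

Lower differential uniformity and linearity mean that the best single-S-box differential or linear approximation is weaker (probability du/16 and bias linearity/32 respectively), which is what bounds the probability of multi-round characteristics; a low algebraic degree, and with it many low-degree equations relating input and output bits, is what algebraic attacks exploit. The affine sample scores 16, 16 and 1, the worst possible values, while PRESENT's S-box reaches the optimum of 4, 8 and 3 for a 4-bit bijection.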

Journal ArticleDOI
TL;DR: In this article, the authors present a new difference enumeration attack framework, based on new observations on the LowMC S-box, to analyze LowMC instances with a full S-box layer.
Abstract: LowMC is a family of block ciphers proposed by Albrecht et al. at EUROCRYPT 2015, which is tailored specifically for FHE and MPC applications. At ToSC 2018, a difference enumeration attack was given for the cryptanalysis of low-data instances of full LowMCv2 with few applied S-boxes per round. Recently at CRYPTO 2021, an efficient algebraic technique was proposed to attack 4-round LowMC adopting a full S-box layer. Following these works, we present a new difference enumeration attack framework, which is based on our new observations on the LowMC S-box, to analyze LowMC instances with a full S-box layer. As a result, with only 3 chosen plaintexts, we can attack 4-round LowMC instances which adopt a full S-box layer with block sizes of 129, 192, and 255 bits, respectively. We show that all these attacks have either a lower time complexity or a higher success probability than those reported in the CRYPTO paper.

Journal ArticleDOI
TL;DR: In this article, the authors give differential-linear cryptanalysis of SIMON and SIMECK, two families of lightweight block ciphers, apply the dynamic key guessing technique of Wang et al. to the key recovery, and obtain attacks on 20-round SIMON32/64 and 21-round SIMECK32/64.
Abstract: In this paper, we give differential-linear cryptanalysis of SIMON, a family of lightweight block ciphers published by the National Security Agency, and SIMECK, a family of lightweight block ciphers proposed by Yang et al. First, all input differences and output masks with one active bit are traversed to obtain a 9-round SIMON32/64 differential-linear distinguisher and a 10-round SIMECK32/64 differential-linear distinguisher. Then, a 12-round SIMON32/64 differential-linear distinguisher with bias 2^-12.69 and a 13-round SIMECK32/64 differential-linear distinguisher with bias 2^-14.03 are obtained by searching one round of differential characteristics forward and two rounds of linear approximations backward. The dynamic key guessing technique proposed by Wang et al. has clear advantages in the key recovery process for SIMON-like ciphers, so we apply it to differential-linear cryptanalysis. The 12-round SIMON32/64 differential-linear distinguisher is extended by four rounds forward and four rounds backward to attack 20-round SIMON32/64 with time complexity 2^55.68 and data complexity 2^28, and the 13-round SIMECK32/64 differential-linear distinguisher is extended by four rounds forward and four rounds backward to attack 21-round SIMECK32/64 with time complexity 2^50.67 and data complexity 2^30. These are the best differential-linear cryptanalysis results for SIMON32/64 and SIMECK32/64 in the open literature.
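The first step in the abstract, traversing single-bit input differences and output masks, is an experiment that can be reproduced empirically on a few rounds. The block below is an added example, not the paper's code: it implements the SIMON32 round function, estimates the differential-linear correlation of a (difference, mask) pair on round-reduced SIMON32 from random plaintext pairs, and scans all 32 single-bit differences against all 32 single-bit masks. It draws independent random round keys instead of running SIMON's key schedule (an assumption that does not affect the distinguisher experiment), and its sample sizes are illustrative: measuring a bias near 2^-12 on nine rounds needs on the order of 2^26 pairs or more, not the few thousand used here.

```python
"""Empirical differential-linear correlation for round-reduced SIMON32.

Added example, not from the paper: it measures, for a chosen input difference and
output mask, the correlation of the mask on the XOR of two ciphertexts whose
plaintexts differ by the input difference, and traverses all single-bit
differences and masks the way the paper's distinguisher search starts.  Round
keys are drawn at random instead of from SIMON's key schedule (an assumption:
the distinguisher experiment does not depend on the schedule).
"""
import random

WORD = 16                      # SIMON32 works on two 16-bit words
WORD_MASK = (1 << WORD) - 1


def rotl(x, r):
    return ((x << r) | (x >> (WORD - r))) & WORD_MASK


def simon_round(left, right, rk):
    """One SIMON round: (x, y) -> (y ^ f(x) ^ k, x) with f(x) = (x<<<1 & x<<<8) ^ x<<<2."""
    f = (rotl(left, 1) & rotl(left, 8)) ^ rotl(left, 2)
    return right ^ f ^ rk, left


def encrypt(left, right, round_keys):
    for rk in round_keys:
        left, right = simon_round(left, right, rk)
    return left, right


def pack(left, right):
    """32-bit value with the left word in the high half; used for differences and masks."""
    return (left << WORD) | right


def parity(x):
    return bin(x).count("1") & 1


def ciphertext_differences(rounds, in_diff, samples, seed):
    """Encrypt `samples` random plaintext pairs P, P ^ in_diff under one random key and
    return the packed ciphertext differences C ^ C'."""
    rng = random.Random(seed)
    keys = [rng.randrange(1 << WORD) for _ in range(rounds)]
    d_l, d_r = in_diff >> WORD, in_diff & WORD_MASK
    diffs = []
    for _ in range(samples):
        l, r = rng.randrange(1 << WORD), rng.randrange(1 << WORD)
        c1 = encrypt(l, r, keys)
        c2 = encrypt(l ^ d_l, r ^ d_r, keys)
        diffs.append(pack(c1[0] ^ c2[0], c1[1] ^ c2[1]))
    return diffs


def correlation(diffs, out_mask):
    """c = 2*Pr[out_mask . (C ^ C') = 0] - 1; the deviation from 1/2 is c/2."""
    agree = sum(1 for d in diffs if parity(d & out_mask) == 0)
    return 2 * agree / len(diffs) - 1


def dl_correlation(rounds, in_diff, out_mask, samples, seed):
    return correlation(ciphertext_differences(rounds, in_diff, samples, seed), out_mask)


def best_single_bit_distinguisher(rounds, samples, seed):
    """Traverse all 32 single-bit input differences and 32 single-bit output masks and
    return (in_diff, out_mask, correlation) with the largest |correlation|.  The
    ciphertext pairs of one difference are reused for every mask."""
    best = (0, 0, 0.0)
    for i in range(2 * WORD):
        diffs = ciphertext_differences(rounds, 1 << i, samples, seed)
        for j in range(2 * WORD):
            c = correlation(diffs, 1 << j)
            if abs(c) > abs(best[2]):
                best = (1 << i, 1 << j, c)
    return best


if __name__ == "__main__":
    # Two rounds: a difference in the right word reappears unchanged in the right word
    # and, rotated by two, in the left word, so those single-bit masks correlate perfectly.
    print(dl_correlation(2, 1 << 0, 1 << (WORD + 2), 1024, seed=1))
    print(best_single_bit_distinguisher(4, 2048, seed=1))
```

On two rounds the scan reports correlation +/-1 for the masks whose difference bit is fixed by the round function, which is the sanity check to run before trusting estimates at higher round counts; the sample count must grow as 1/c^2 to resolve a correlation c, so the real search in the abstract operates at sample sizes far beyond this illustration.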

Book ChapterDOI
01 Jan 2023
TL;DR: Integral cryptanalysis, also known as the Square attack after the Square block cipher it was first applied to, is a technique devised by Lars Knudsen for block ciphers built on substitution-permutation networks.
Abstract: Integral cryptanalysis is a technique designed for block ciphers constructed on substitution-permutation networks. Since an integral attack can be launched against the Square block cipher [1], it is also known as the Square attack; it was designed by Lars Knudsen.
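To make the integral property concrete, here is an added example (not from the chapter) of a Square attack on a toy cipher constructed for the purpose: a 16-bit SPN of four nibbles with PRESENT's 4-bit S-box, an AES-style MixColumns over GF(2^4), independent random round keys, and a final round that omits the linear layer as AES does. Encrypting a Λ-set of 16 plaintexts that take every value in one nibble and are constant elsewhere gives a state after two full rounds in which every nibble is balanced (XORs to zero over the set); the attacker guesses each nibble of the last round key, undoes the final S-box and keeps only the guesses for which the sum is zero.

```python
"""Toy Square (integral) attack on a 16-bit SPN built from four nibbles.

Added example: the cipher is an assumption constructed for this illustration
(PRESENT's 4-bit S-box, a MixColumns-style matrix over GF(2^4), independent random
round keys, and a last round without the linear layer, as in AES); it is not a
real cipher.  The attack is the classic 3-round Square attack scaled to nibbles.
"""
import random

# PRESENT's S-box (bijective, no linear structures).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(v) for v in range(16)]

# Circulant MixColumns-style matrix over GF(2^4); every entry is non-zero, so one
# active nibble becomes four active nibbles after a single round.
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]


def gf16_mul(a, b):
    """Multiply in GF(2^4) with reduction polynomial x^4 + x + 1."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= 0x13
    return r & 0xF


def sub_nibbles(state):
    return [SBOX[n] for n in state]


def mix_nibbles(state):
    out = []
    for row in MIX:
        acc = 0
        for coeff, n in zip(row, state):
            acc ^= gf16_mul(coeff, n)
        out.append(acc)
    return out


def add_key(state, rk):
    return [s ^ k for s, k in zip(state, rk)]


def after_full_rounds(pt, round_keys, rounds):
    """State after the whitening key and `rounds` full (S-box, mix, key) rounds."""
    s = add_key(pt, round_keys[0])
    for r in range(1, rounds + 1):
        s = add_key(mix_nibbles(sub_nibbles(s)), round_keys[r])
    return s


def encrypt(pt, round_keys):
    """3-round cipher: two full rounds, then S-box and key only (no mix), like AES's last round."""
    return add_key(sub_nibbles(after_full_rounds(pt, round_keys, 2)), round_keys[3])


def round_keys_from_seed(seed):
    """Four independent random 16-bit round keys (no key schedule; assumption for the toy)."""
    rng = random.Random(seed)
    return [[rng.randrange(16) for _ in range(4)] for _ in range(4)]


def lambda_set(constants, active=0):
    """16 chosen plaintexts: nibble `active` takes every value, the others stay fixed."""
    return [list(constants[:active]) + [v] + list(constants[active + 1:]) for v in range(16)]


def xor_sums(states):
    """Per-nibble XOR over a set of states; all zeros means every nibble is balanced."""
    sums = [0, 0, 0, 0]
    for st in states:
        for i in range(4):
            sums[i] ^= st[i]
    return sums


def recover_last_round_key(oracle, seed, n_sets=8):
    """Square attack on the 3-round cipher using only chosen plaintexts and the
    oracle's ciphertexts.  For each output nibble, keep the last-round key guesses
    under which the partially decrypted ciphertexts of every Lambda-set XOR to zero."""
    rng = random.Random(seed)
    candidates = [set(range(16)) for _ in range(4)]
    for _ in range(n_sets):
        constants = [rng.randrange(16) for _ in range(4)]
        cts = [oracle(p) for p in lambda_set(constants)]
        for i in range(4):
            for guess in list(candidates[i]):
                total = 0
                for c in cts:
                    total ^= SBOX_INV[c[i] ^ guess]  # undo round-3 key and S-box
                if total != 0:
                    candidates[i].discard(guess)
    return candidates


if __name__ == "__main__":
    keys = round_keys_from_seed(1)
    pts = lambda_set([0x3, 0x7, 0xA, 0x1])
    print("XOR sums after two full rounds:", xor_sums([after_full_rounds(p, keys, 2) for p in pts]))
    found = recover_last_round_key(lambda p: encrypt(p, keys), seed=2)
    print("true last round key:", keys[3], "recovered:", [sorted(c) for c in found])
```

The balanced property holds for every key and every choice of constants, which is why the correct guess always survives; a wrong guess survives one Λ-set with probability about 1/16, so a handful of sets isolates each key nibble at a cost of 16 chosen plaintexts per set. A third S-box layer destroys the property, which is exactly why the guess-and-check has to stop at the last S-box: with a full third round (S-box, mix, key) the same test no longer filters anything.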

Book ChapterDOI
TL;DR: In this article, the authors investigate the properties of modular addition and propose a method to construct truncated-differential structures for SPECK, which yields a series of improved attacks on all variants of SPECK.
Abstract: Plaintext structures are a commonly-used technique for improving differential cryptanalysis. Generally, there are two types of plaintext structures: multiple-differential structures and truncated-differential structures. Both types have been widely used in cryptanalysis of S-box-based ciphers while for SPECK, an Addition-Rotation-XOR (ARX) cipher, the truncated-differential structure has not been used so far. In this paper, we investigate the properties of modular addition and propose a method to construct truncated-differential structures for SPECK. Moreover, we show that a combination of both types of structures is also possible for SPECK. For recovering the key of SPECK, we propose dedicated algorithms and apply them to various differential distinguishers, which helps to obtain a series of improved attacks on all variants of SPECK. The results show that the combination of both structures helps to improve the data and time complexity at the same time, as in the cryptanalysis of S-box-based ciphers.