
Differential cryptanalysis

About: Differential cryptanalysis is a research topic. Over the lifetime, 2131 publications have been published within this topic receiving 54681 citations.


Papers
Proceedings ArticleDOI
28 Aug 2014
TL;DR: Surprisingly, no key guessing is required if pairs which satisfy a strong truncated differential property are available. This reflects the power of combining truncated differentials with algebraic attacks in ciphers of low non-linearity and shows that such ciphers require a large number of rounds to be secure.
Abstract: Recently, two families of ultra-lightweight block ciphers were proposed, SIMON and SPECK, which come in a variety of block and key sizes (Beaulieu et al., 2013). They are designed to offer excellent performance for hardware and software implementations (Beaulieu et al., 2013; Aysu et al., 2014). In this paper, we study the resistance of SIMON-64/128 with respect to algebraic attacks. Its round function has very low Multiplicative Complexity (MC) (Boyar et al., 2000; Boyar and Peralta, 2010) and very low non-linearity (Boyar et al., 2013; Courtois et al., 2011), since the only non-linear component is the bitwise multiplication operation. Such ciphers are expected to be very good candidates to be broken by algebraic attacks and combinations with truncated differentials (additional work by the same authors). We algebraically encode the cipher and then, using guess-then-determine techniques, we try to solve the underlying system using either a SAT solver (Bard et al., 2007) or the ElimLin algorithm (Courtois et al., 2012b). We consider several settings where P-C pairs that satisfy certain properties are available, such as low Hamming distance or following a strong truncated differential property (Knudsen, 1995). We manage to break faster than brute force up to 10 (of 44) rounds for most cases we have tried. Surprisingly, no key guessing is required if pairs which satisfy a strong truncated differential property are available. This reflects the power of combining truncated differentials with algebraic attacks in ciphers of low non-linearity and shows that such ciphers require a large number of rounds to be secure.

24 citations

Book ChapterDOI
22 Jun 2010
TL;DR: The results show that when designing a Feistel cipher with an SP or SPS round function whose diffusion layer is selected from $\mathbb{F}_2^{n \times n}$, the linear transformation should be chosen carefully to make the cipher secure against impossible differential cryptanalysis.
Abstract: Impossible differential cryptanalysis is well known to be effective in analyzing the security of block ciphers. A known result shows that there always exist 5-round impossible differentials of a Feistel cipher with a bijective round function. However, if more details of the round function are known, the result can be improved. This paper mainly studies the impossible differentials of Feistel ciphers with both SP and SPS round functions where the linear transformation $P$ is defined over $\mathbb{F}_2^{n \times n}$. For Feistel ciphers with SP round functions, any column of $P \oplus P^{-1}$ whose Hamming weight is greater than 1 corresponds to some 6-round impossible differentials. The existence of some 7-round impossible differentials can be determined by counting the number of times that 1 appears at certain positions of $P$ and $P^{-1}$. Some 8-round impossible differentials can be found by computing the rank of some sub-matrix of $P$. Impossible differentials of Camellia found by these techniques are consistent with previously known results. For Feistel ciphers with SPS round functions, by determining the rank of some sub-matrix of $P$, 6-round impossible differentials can be found, which improves the results on E2 by one round. These results show that when designing a Feistel cipher with an SP or SPS round function whose diffusion layer is selected from $\mathbb{F}_2^{n \times n}$, the linear transformation should be chosen carefully to make the cipher secure against impossible differential cryptanalysis.

24 citations

Journal Article
TL;DR: This paper gives a short overview of the state of the art of secret key block ciphers and focuses on their main application, namely encryption.
Abstract: In this paper we give a short overview of the state of the art of secret key block ciphers. We focus on the main application of block ciphers, namely encryption. The most important known attacks on block ciphers are linear cryptanalysis and differential cryptanalysis. Linear cryptanalysis makes use of so-called linear hulls, i.e., the parity of a subset of ciphertext bits with a probability sufficiently far away from one half. Differential cryptanalysis makes use of so-called differentials (A, B), i.e., a pair of plaintexts with difference A which, after a certain number of rounds, result in a difference B with high probability. The hulls and differentials can be used to derive (parts of) the secret key.

24 citations

Journal ArticleDOI
TL;DR: This paper proposes a differential fault analysis (DFA) on PRESENT-80/128 based on a 2-byte random fault model that can recover the secret key of the target algorithm by inducing several 2-byte random faults in input registers after 28 rounds.
Abstract: PRESENT is a hardware-optimized 64-bit lightweight block cipher which supports 80- and 128-bit secret keys. In this paper, we propose a differential fault analysis (DFA) on PRESENT-80/128. The proposed attack is based on a 2-byte random fault model. In detail, by inducing several 2-byte random faults in input registers after 28 rounds, our attack recovers the secret key of the target algorithm. From simulation results, our attacks on PRESENT-80/128 can recover the secret key by inducing only two and three 2-byte random faults, respectively. These are superior to known DFA results on these ciphers.

24 citations

Journal ArticleDOI
TL;DR: The linear components play an essential role in the effect of the nonlinear S-boxes in providing resistance against differential and linear cryptanalysis, and the paper provides upper bounds for the probability of differential characteristics and the correlation of linear approximations for the general structure.
Abstract: In this paper we generalize the structure of the ciphers Shark, Square, BKSQ, Crypton and Rijndael. We show that the linear components play an essential role in the effect of the nonlinear S-boxes in providing resistance against differential and linear cryptanalysis and provide upper bounds for the probability of differential characteristics and the correlation of linear approximations for the general structure. We show how good linear components can be constructed efficiently from Maximum-Distance Separable codes. The presented block cipher structure can make optimal use of a wide range of processor word lengths and its parallelism allows very fast dedicated hardware implementations. Ciphers with variable block length can be constructed by varying certain parameters in the presented structure.

24 citations


Network Information
Related Topics (5)
- Cryptography: 37.3K papers, 854.5K citations, 93% related
- Encryption: 98.3K papers, 1.4M citations, 90% related
- Public-key cryptography: 27.2K papers, 547.7K citations, 89% related
- Hash function: 31.5K papers, 538.5K citations, 88% related
- Key (cryptography): 60.1K papers, 659.3K citations, 85% related
Performance Metrics
No. of papers in the topic in previous years
Year    Papers
2023    37
2022    71
2021    33
2020    53
2019    42
2018    50