
Showing papers on "Round function published in 2014"


Posted Content
TL;DR: AEZ as mentioned in this paper is a robust authenticated-encryption scheme from the AES round function, which can achieve a peak speed of about 0.7 cpb on the Haswell standard.
Abstract: With a scheme for robust authenticated-encryption a user can select an arbitrary value \(\lambda \!\ge 0\) and then encrypt a plaintext of any length into a ciphertext that’s \(\lambda \) characters longer. The scheme must provide all the privacy and authenticity possible for the requested \(\lambda \). We formalize and investigate this idea, and construct a well-optimized solution, AEZ, from the AES round function. Our scheme encrypts strings at almost the same rate as OCB-AES or CTR-AES (on Haswell, AEZ has a peak speed of about 0.7 cpb). To accomplish this we employ an approach we call prove-then-prune: prove security and then instantiate with a scaled-down primitive (e.g., reducing rounds for blockcipher calls).

119 citations


Posted Content
TL;DR: The design of Fugue is proof-oriented: the various components are designed in such a way as to allow proofs of security, and yet be efficient to implement, and it is proved that current attack methods cannot find collisions in Fugue any faster than the trivial birthday attack.
Abstract: We describe Fugue, a hash function supporting inputs of length up to 2 − 1 bits and hash outputs of length up to 512 bits. Notably, Fugue is not based on a compression function. Rather, it is directly a hash function that supports variable-length inputs. The starting point for Fugue is the hash function Grindahl, but it extends that design to protect against the kind of attacks that were developed for Grindahl, as well as earlier hash functions like SHA-1. A key enhancement is the design of a much stronger round function which replaces the AES round function of Grindahl, using better codes (over longer words) than the AES 4×4 MDS matrix. Also, Fugue makes judicious use of this new round function on a much larger internal state. The design of Fugue is proof-oriented: the various components are designed in such a way as to allow proofs of security, and yet be efficient to implement. As a result, we can prove that current attack methods cannot find collisions in Fugue any faster than the trivial birthday attack. Although the proof is computer assisted, the assistance is limited to computing ranks of various matrices.

48 citations


Book ChapterDOI
07 Dec 2014
TL;DR: These attacks outperform all the known attacks for any key sizes, have been experimentally verified (implemented on a regular PC), and provide new lower bounds on the number of rounds required to achieve a practical and a secure Feistel.
Abstract: We show key recovery attacks on generic balanced Feistel ciphers. The analysis is based on the meet-in-the-middle technique and exploits truncated differentials that are present in the ciphers due to the Feistel construction. Depending on the type of round function, we differentiate and show attacks on two types of Feistels. For the first type, which is the most general Feistel, we show a 5-round distinguisher (based on a truncated differential), which allows launching 6-round and 10-round attacks, for single-key and double-key sizes, respectively. For the second type, we assume the round function follows the SPN structure with a linear layer P that has a maximal branch number, and based on a 7-round distinguisher, we show attacks that reach up to 14 rounds. Our attacks outperform all the known attacks for any key sizes, have been experimentally verified (implemented on a regular PC), and provide new lower bounds on the number of rounds required to achieve a practical and a secure Feistel.

42 citations


Proceedings ArticleDOI
15 Dec 2014
TL;DR: An improved table-based white-box implementation of AES which is able to resist different types of attack, including the BGE attack and De Mulder et al.'s cryptanalysis, to protect information under “white-box attack context” is proposed.
Abstract: In this paper, we propose an improved table-based white-box implementation of AES which is able to resist different types of attack, including the BGE attack and De Mulder et al.'s cryptanalysis, to protect information under the “white-box attack context”. The notion of white-box attack context, introduced by Chow et al., describes a general setting in which cryptographic algorithms are executed in untrusted environments. In this setting, adversaries have attained complete access to the implementations of cryptographic algorithms as well as the dynamic execution environments. The key strategy applied to our design is to compose different operations of the AES round function and convert the composition into encoded lookup tables. The new scheme exploits larger key-dependent tables, each of which contains two bytes of the round keys. We then analyze the security against different types of attack and measure two security metrics: the “white-box diversity” and “ambiguity”. The new scheme can withstand the BGE attack due to the utilization of larger mixing bijections and tabulated “ShiftRows”; it can also resist the cryptanalysis of De Mulder et al. since the bindings between “nTMC” and “TSR” are irreducible and the non-linear encodings are introduced to all tables.

19 citations


Patent
10 Dec 2014
TL;DR: In this paper, a plaintext or ciphertext selection based side channel power analysis attack method on round function output of the SM4 cipher algorithm is presented, which can realize power analysis attacks by means of multiple attacks and can attack with selection of proper-length bits according to actual computing capacity, thus flexibility, effectiveness and success rate of analysis are improved.
Abstract: The invention discloses a plaintext or ciphertext selection based side channel power analysis attack method on round function output of the SM4 cipher algorithm. The method includes the steps of S1, selecting plaintext or ciphertext to input X , X , X and X on the condition of allowing the exclusive OR result of the X , X and X to be a constant value and guaranteeing randomness of the X , utilizing side channel power attack processes to attack the output C of linear transform L of each round of the first four round functions, and deducing inversely to acquire the round key rk of the first four round functions in encryption or decryption according to the output C; S2, according to the round keys rk , rk , rk and rk of the first four round functions, inversely calculating the initial key by a key expansion algorithm. The method can realize power analysis attacks by means of multiple attacks and can attack with selection of proper-length bits according to actual computing capacity, thus the flexibility, effectiveness and success rate of analysis are improved.

19 citations


Patent
24 Sep 2014
TL;DR: In this article, a low-resource efficient lightweight Surge block cipher implementation method was proposed, which comprises the steps that the Surge block length is designed to be of a 64-bit type, and the secret key length is determined by the SPN structure.
Abstract: The invention discloses a novel low-resource efficient lightweight Surge block cipher implementation method. The method comprises the steps that the Surge block length is designed to be of a 64-bit type, and the secret key length is designed to be of the 64-bit type, the 80-bit type and the 128-bit type on the basis of the SPN structure; a secret key is in a non-extensible mode; five modules of a round function are combined in a new mode, the encryption sequence is constant addition, round key addition, S-box replacement, row shifting and column mixing transformation, and column mixing transformation does not exist in the last round; a constant addition transformation module operates a round constant in each round; according to the round constant selection combination, 0, 1, 2 and 3 are selected as the high bits, the combination of one odd number, one even number, one even number and one odd number from 0 to 15 is selected as the low bits, and the obtained combinatorial numbers are randomly fixed into a permutation; a column mixing transformation module utilizes the (0, 1, 2 and 4) combination which facilitates hardware implementation for forming a matrix, and hardware is constructed on the Galois field GF(2^4) to obtain the friendly matrix. The experimental result shows that the occupied area resources are smaller, meanwhile, the encryption performance is good and the known attacks can be resisted compared with existing lightweight ciphers of the SPN structure.

9 citations


Journal ArticleDOI
TL;DR: Using the algebraic degree and some integral properties, it is shown that if the round function is a permutation, the integral distinguisher is suitable for a type-1 Feistel scheme of any size.
Abstract: We present some known-key distinguishers for a type-1 Feistel scheme with a permutation as the round function. To be more specific, the 29-round known-key truncated differential distinguishers are given for the 256-bit type-1 Feistel scheme with an SP (substitution-permutation) round function by using the rebound attack, where the S-boxes have perfect differential and linear properties and the linear diffusion layer has a maximum branch number. For two 128-bit versions, the distinguishers can be applied on 25-round structures. Based on these distinguishers, we construct near-collision attacks on these schemes with MMO (Matyas-Meyer-Oseas) and MP (Miyaguchi-Preneel) hashing modes, and propose the 26-round and 22-round near-collision attacks for two 256-bit schemes and two 128-bit schemes, respectively. We apply the near-collision attack on MAME and obtain a 26-round near-collision attack. Using the algebraic degree and some integral properties, we prove the correctness of the 31-round known-key integral distinguisher proposed by Sasaki et al. We show that if the round function is a permutation, the integral distinguisher is suitable for a type-1 Feistel scheme of any size.

9 citations



Patent
18 Jul 2014
TL;DR: In this article, the first key stream is generated by combining a cryptographic key with state initialization bits to generate first combination bits, and then the first data (e.g., authentication data or message body data) is used to encrypt first encrypted data.
Abstract: Systems (100) and methods (600) for generating encrypted data. The methods involve: combining a cryptographic key with state initialization bits to generate first combination bits; producing a first keystream by performing a permutation function ƒ using the first combination bits as inputs thereto; and using the first keystream to encrypt first data (e.g., authentication data or message body data) so as to produce first encrypted data. The permutation function ƒ comprises a round function ƒ_round that is iterated R times. The round function ƒ_round consists of (1) a substitution layer in which the first combination bits are substituted with substitute bits, (2) a permutation layer in which the substitute bits are re-arranged, (3) a mixing layer in which multiple outputs of the permutation layer are combined together, and (4) an addition layer in which a constant is added to the output of the mixing layer.

6 citations


Patent
27 Jun 2014
TL;DR: In this article, a cryptographic processor is described comprising a processing circuit configured to perform a round function of an iterated cryptographic algorithm, a controller configured to control the processing circuit to apply a plurality of iterations of the round function on a message to process the message in accordance with the algorithm.
Abstract: A cryptographic processor is described comprising a processing circuit configured to perform a round function of an iterated cryptographic algorithm, a controller configured to control the processing circuit to apply a plurality of iterations of the round function on a message to process the message in accordance with the iterated cryptographic algorithm and a transformation circuit configured to transform the input of a second iteration of the round function following a first iteration of the round function of the plurality of iterations and to supply the transformed input as input to the second iteration wherein the transformation circuit is implemented using a circuit camouflage technique.

5 citations


Posted Content
TL;DR: In this article, a general analytic toolbox for white-box implementations which extracts the secret information obfuscated in the implementation has been presented, which can remove the nonlinear encodings with complexity O( n mQ 2Q).
Abstract: White-box cryptography is an obfuscation technique to protect the secret key in the software implementations even if an adversary has full access to the implementation of the encryption algorithm and full control over its execution platforms. This concept was presented in 2002 by Chow et al., and since then there have been many proposals to give solutions for the white-box cryptography. However, the progress does not seem to be substantial in spite of its practical importance. In fact, it is repeated that as a proposal on white-box implementation is announced, an attack of this implementation with lower complexity follows soon. It is mainly because most cryptanalytic methods were just targeted to some specific implementations and there is no general attack tool for the white-box cryptography. In this paper, we present a general analytic toolbox for white-box implementations which extracts the secret information obfuscated in the implementation. For a general SLT cipher on n bits with S-boxes on m bits, one can remove the nonlinear encodings with complexity O( n mQ 2Q) using our attack tool, if mQ-bit nonlinear encodings are used to obfuscate input/output values in the implementation. Also, one can recover the affine encoding A in time O( n m ·mA2) using our extended affine equivalence algorithm (EAEA), if the inverse of the encoded round function F on n bits is given, where mA is the smallest integer p such that A or its similar matrix obtained by permuting rows and columns is a block diagonal matrix with a p×p matrix as a block. To avoid our attack, we need to consider a special encoding of large mA, up to n. This results in storage blowing up in general. We suggest one approach with special affine encodings of mA = n that saves storage. In that case, the EAEA has the complexity O ( min { n m · n · 2, n · log n · √ 2 n }) , which can be large up to 2 and 2 for n = 128 and 256, respectively, when m = 8. This gives an approach to design secure white-box implementation with practical storage. We expect that our analytic toolbox initiates the research on white-box implementation design.

Patent
09 Jan 2014
TL;DR: In this paper, an encryption device consisting of a user interface unit which receives input of a plain text (Plaintext) to be encrypted and a master key (Master Key) from a user, a key scheduler unit which generates a round key from the master key.
Abstract: PROBLEM TO BE SOLVED: To provide an encryption device and method which can provide a high-speed block encryption algorithm for mobile devices capable of supporting low-power encryption. SOLUTION: An encryption device comprises: a user interface unit which receives input of a plain text (Plaintext) to be encrypted and a master key (Master Key) from a user; a key scheduler unit which generates a round key (Round Key) from the master key; an initial conversion unit which generates an initial round function value from the plain text; a round function processing unit which repeatedly processes a round function using the round key and the initial round function value; and a final conversion unit which generates a cipher text from a result value of the round function at the last round processed by the round function processing unit.

Book ChapterDOI
13 Dec 2014
TL;DR: In this article, the sliced biclique cryptanalysis technique was applied to show an 8-round collision attack on a hash function, which is based on a 4-branch, Type-2 Generalized Feistel Network (Type-2 GFN).
Abstract: In this work, we apply the sliced biclique cryptanalysis technique to show an 8-round collision attack on a hash function \(H\) based on 4-branch, Type-2 Generalized Feistel Network (Type-2 GFN). This attack is generic and works on 4-branch, Type-2 GFN with any parameters including the block size, type of round function, the number of S-boxes in each round and the number of SP layers inside the round function. We first construct an 8-round distinguisher on 4-branch, Type-2 GFN and then use this distinguisher to launch an 8-round collision attack on compression functions based on Matyas-Meyer-Oseas (MMO) and Miyaguchi-Preneel (MP) modes. The complexity of the attack on a 128-bit compression function is \(2^{56}\). The attack can be directly translated to a collision attack on MP and MMO based hash functions and a pseudo-collision attack on Davies-Meyer (DM) based hash functions. When the round function \(F\) is instantiated with a double SP layer, we show the first 8-round collision attack on 4-branch, Type-2 GFN with double SP layer based compression function. The previous best attack on this structure was a 6-round near collision attack shown by Sasaki at Indocrypt’12. His attack cannot be used to generate full collisions on 6 rounds and hence our result can be regarded as the best so far in the literature on this structure.

Patent
16 Apr 2014
TL;DR: In this paper, a Piccolo encryption algorithm hardware implementation method was proposed, where the original r-1 round repeated calling is directly converted into r-round repeated calling and an RP-1 permutation function is added on the r-th round of the loop operation, and the operation is conducted once to make the output cipher correct.
Abstract: The invention discloses a Piccolo encryption algorithm hardware implementation method. The Piccolo encryption algorithm hardware can be implemented by utilizing an identical round operation in a repeated calling mode. The original r-1 round repeated calling is directly converted into r-round repeated calling. Meanwhile, an RP-1 round permutation function is added on the r-th round of the loop operation, and the operation is conducted once to make the output cipher correct. By means of the method, the original algorithm is not required to be implemented again in the last r-th round, the former repeated round function module can be directly multiplexed, and users only need to add the relatively simple RP-1 at the end. By means of the method, modules in the Piccolo encryption algorithm are highly multiplexed, hardware implementation area is effectively saved, and meanwhile the encryption speed is increased.

Posted Content
TL;DR: This paper focuses on the key-recovery attacks on reduced-round E2-128/192 taking both IT and FT functions in consideration with integral cryptanalysis, and improves the relations between zero-correlation linear approximations and integral distinguishers.
Abstract: Block cipher E2, designed and submitted by Nippon Telegraph and Telephone Corporation, is a first-round Advanced Encryption Standard candidate. It employs a Feistel structure as its global structure and a two-layer substitution-permutation network structure in its round function, with an initial transformation IT function before the first round and a final transformation FT function after the last round. The design principles influence several more recent block ciphers including Camellia, an ISO/IEC standard cipher. In this paper, we focus on the key-recovery attacks on reduced-round E2-128/192 taking both IT and FT functions into consideration with integral cryptanalysis. We first improve the relations between zero-correlation linear approximations and integral distinguishers, and then deduce some integral distinguishers from zero-correlation linear approximations over 6 rounds of E2. Furthermore, we apply these integral distinguishers to break 6-round E2-128 with 2^{120} known plaintexts (KPs), 2^{115.4} encryptions and 2^{28} bytes memory. In addition, the attack on 7-round E2-192 requires 2^{120} KPs, 2^{167.2} encryptions and 2^{60} bytes memory.

Book ChapterDOI
09 Oct 2014
TL;DR: A relationship is found between the truncated differential characteristics and linear characteristics of GF-NLFSR, which builds a nice link between the lower differential bound and linear bound of such construction, and it is demonstrated that proving the cipher’s resistance against either DC or LC is enough to show its resistance against both DC and LC.
Abstract: At ACISP 2009, Choy et al. proposed the generalised Feistel nonlinear feedback shift register structure (GF-NLFSR). The main feature of GF-NLFSR containing n sub-blocks is that it can be parallelized up to n rounds for implementation, and meanwhile the provable security bound against differential cryptanalysis (DC) and linear cryptanalysis (LC) can be provided for n + 1 rounds. Thus, it may suit the light-weight encryption environment, such as RFID tags, smart cards, and sensor nodes. The practical security bound of GF-NLFSR with SPN round function was further studied by Yap et al. at Africacrypt 2010, where a differential bound for 2nr rounds was provided, while for the linear bound, only partial results for n = 2, 4 were presented. In this paper, we eliminate such discrepancy between the practical differential and linear bound of GF-NLFSR with SPN round function by demonstrating that a unified bound could be proved using the “divide and conquer” strategy. We further find a relationship between the truncated differential characteristics and linear characteristics of GF-NLFSR, which builds a nice link between the lower differential bound and linear bound of such construction, and demonstrate that proving the cipher’s resistance against either DC or LC is enough to show its resistance against both DC and LC. We hope that the result in the current paper will be useful when designing ciphers based on GF-NLFSR structure with SPN round function.

Posted Content
TL;DR: The number of messages needed to distinguish a permutation produced by schemes based on classical Feistel schemes from a random permutation is given, depending on the number of rounds used in the schemes, the number and the position of the random affine permutations introduced in the scheme.
Abstract: A usual way to construct block ciphers is to apply several rounds of a given structure. Many kinds of attacks are mounted against block ciphers. Among them, differential and linear attacks are widely used. In [18, 19], it is shown that ciphers that achieve perfect pairwise decorrelation are secure against linear and differential attacks. It is possible to obtain such schemes by introducing at least one random affine permutation as a round function in the design of the scheme. In this paper, we study attacks on schemes based on classical Feistel schemes where we introduce one or two affine permutations. Since these schemes resist against linear and differential attacks, we will study stronger attacks based on specific equations on 4-tuples of cleartext/ciphertext messages. We give the number of messages needed to distinguish a permutation produced by such schemes from a random permutation, depending on the number of rounds used in the schemes, the number and the position of the random affine permutations introduced in the schemes.