
Showing papers on "Round function published in 2015"


Book ChapterDOI
26 Apr 2015
TL;DR: AEZ is a robust authenticated-encryption scheme built from the AES round function; on Haswell it reaches a peak speed of about 0.7 cpb.
Abstract: With a scheme for robust authenticated encryption a user can select an arbitrary value \(\lambda \ge 0\) and then encrypt a plaintext of any length into a ciphertext that is \(\lambda\) characters longer. The scheme must provide all the privacy and authenticity possible for the requested \(\lambda\). We formalize and investigate this idea, and construct a well-optimized solution, AEZ, from the AES round function. Our scheme encrypts strings at almost the same rate as OCB-AES or CTR-AES (on Haswell, AEZ has a peak speed of about 0.7 cpb). To accomplish this we employ an approach we call prove-then-prune: prove security and then instantiate with a scaled-down primitive (e.g., reducing the number of rounds in the blockcipher calls).

107 citations


Book ChapterDOI
12 Aug 2015
TL;DR: The authors present new cryptanalyses of Feistel networks with 5, 6 and 7 rounds which are not merely distinguishers but completely recover the unknown Feistel functions.
Abstract: Generic distinguishers against Feistel networks with up to 5 rounds exist in the regular setting and up to 6 rounds in a multi-key setting. We present new cryptanalyses against Feistel networks with 5, 6 and 7 rounds which are not simply distinguishers but actually recover the unknown Feistel functions completely. When an exclusive-or is used to combine the output of the round function with the other branch, we use the so-called yoyo game, which we improve using a heuristic based on particular cycle structures. The complexity of a complete recovery is equivalent to \(\mathrm{O}(2^{2n})\) encryptions, where n is the branch size. This attack can be used against 6- and 7-round Feistel networks in time \(\mathrm{O}(2^{n 2^{n-1} + 2n})\) and \(\mathrm{O}(2^{n 2^{n} + 2n})\) respectively. However, when modular addition is used, this attack does not work. In this case we use an optimized guess-and-determine strategy to attack 5 rounds with complexity \(\mathrm{O}(2^{n 2^{3n/4}})\). Our results are, to the best of our knowledge, the first recovery attacks against generic 5-, 6- and 7-round Feistel networks.

24 citations


Book ChapterDOI
08 Mar 2015
TL;DR: No attack significantly faster than exhaustive key search is known on full MISTY1; the best previously known attack, a higher-order differential attack by Tsunoo et al. (2012), breaks a reduced variant with 7 of the 8 rounds and 4 of the 5 FL layers using \(2^{49.7}\) data and \(2^{116.4}\) time.
Abstract: MISTY1 is a block cipher designed by Matsui in 1997. It is widely deployed in Japan and is recognized internationally as a NESSIE-recommended cipher and an ISO standard. Since its introduction, MISTY1 has been subjected to extensive cryptanalytic efforts, yet no attack significantly faster than exhaustive key search is known on its full version. The best currently known attack is a higher-order differential attack presented by Tsunoo et al. in 2012, which breaks a reduced variant of MISTY1 that contains 7 of the 8 rounds and 4 of the 5 FL layers in \(2^{49.7}\) data and \(2^{116.4}\) time.

8 citations


Journal ArticleDOI
TL;DR: This study presents new results on the 4-branch type-2 GFN whose round function is a single SP-function: using rebound-attack techniques it gives 15-round truncated differential distinguishers for this network under four common parameter sets.
Abstract: The generalised Feistel network (GFN) is a popular design for block ciphers and hash functions. The round function of the network often uses a substitution–permutation (SP) transformation (consisting of a subkey XOR, an S-box layer and a linear layer). In 2011, Bogdanov and Shibutani provided another choice for building round functions, namely double SP-functions, which have two SP-layers in series. They showed that a 4-branch type-2 GFN with double SP-functions is stronger than one with a single SP-function in terms of the number of active S-boxes in differential or linear cryptanalysis, but subsequent results showed that the double SP-function is the weaker one in some known-key scenarios and hashing modes. In this study, the authors present new results on the 4-branch type-2 GFN whose round function is a single SP-function. They show 15-round truncated differential distinguishers for this network under four common parameter sets by using rebound-attack techniques. Based on these distinguishers, they construct 15-round near-collision attacks on the Matyas–Meyer–Oseas and Miyaguchi–Preneel compression-function modes in which the 4-branch type-2 GFN with a single SP-function is used.

7 citations


Journal ArticleDOI
TL;DR: The results indicate that 6-round networks are not enough to complicate the relationship between plaintexts and ciphertexts, and that how a round key is inserted strongly influences the upper bound on security.
Abstract: In this paper we deal with upper bounds on the security of some Feistel networks. This topic has been discussed since the introduction of the Luby–Rackoff construction, but that construction is unrealistic because its round functions must be chosen at random from the set of all functions. Knudsen dealt with a more practical construction in which the round functions are chosen at random from a family of \(2^k\) randomly chosen functions, and showed an upper bound on its security by demonstrating generic key-recovery attacks. However, it is still difficult for designers to choose functions randomly. This paper therefore considers the security of Feistel networks with more efficient and practical round functions, of the kind actually used by some Feistel ciphers in practice. For these Feistel ciphers we discover new properties using the relation between plaintexts and ciphertexts. Using these properties we propose new generic key-recovery attacks, and confirm their feasibility by implementing the attack for small block sizes. Our results indicate that 6-round networks are not enough to complicate the relationship between plaintexts and ciphertexts, and that how a round key is inserted strongly influences the upper bound on security. This should be taken into account when round functions are designed in future. Moreover, for immunity to our attacks while maintaining efficiency, we give design principles for efficient and secure Feistel ciphers.

5 citations


Patent
01 Jul 2015
TL;DR: This patent describes a chosen-plaintext or chosen-ciphertext side-channel power attack targeting the output of the SM4 round function; it reduces the number of power traces and chosen inputs required and improves the flexibility, efficiency and success rate of the analysis.
Abstract: The invention discloses a side-channel power attack on the output of the SM4 round function using chosen plaintexts or chosen ciphertexts. The method comprises the following steps. S1: choose the plaintext (or ciphertext) input so that one byte of \(X_{i+1} \oplus X_{i+2} \oplus X_{i+3}\) is random and the other bytes are identical fixed values; use the side-channel power attack first to recover the round-key byte together with the fixed values entering the linear transformation, then the remaining fixed values in the linear transformation; compute from the recovered data the complete round key \(rk_i\), \(i = 0, 1, 2, 3\). S2: from the round keys \(rk_0, rk_1, rk_2, rk_3\) of the first four rounds, invert the key expansion algorithm to obtain the initial (master) key. With this analysis method the number of power traces to collect and the number of chosen plaintexts are reduced, and the flexibility, efficiency and success rate of the analysis are improved.

2 citations
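Step S2 above relies on the SM4 key schedule being invertible from four consecutive round keys. The following added example (not the patent's code) shows that inversion in Python: it implements the SM4 key expansion with the constants of the SM4 standard (S-box, FK, CK), then recovers the 128-bit master key from \(rk_0 \dots rk_3\) alone, which is all a side-channel attack on the first four rounds yields. The test key is the standard's published example key; everything else is a constructed input.

```python
"""SM4 key-schedule inversion: master key from the first four round keys."""
from typing import Sequence

# SM4 S-box (GB/T 32907-2016), 16 rows of 16 bytes.
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c05" "2b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62" "e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8" "686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887" "d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1" "e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6f" "d5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad8" "0ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec684" "18f07dec3adc4d2079ee5f3ed7cb3948"
)
assert len(SBOX) == 256

FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
# CK_i = ck_{i,0} || ck_{i,1} || ck_{i,2} || ck_{i,3} with ck_{i,j} = (4i + j) * 7 mod 256
CK = tuple(
    int.from_bytes(bytes(((4 * i + j) * 7) & 0xFF for j in range(4)), "big")
    for i in range(32)
)
MASK32 = 0xFFFFFFFF


def rotl32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def tau(a: int) -> int:
    """Byte-wise S-box layer on a 32-bit word."""
    return int.from_bytes(bytes(SBOX[b] for b in a.to_bytes(4, "big")), "big")


def t_prime(a: int) -> int:
    """Key-schedule transformation T'(a) = L'(tau(a)), L'(b) = b ^ (b<<<13) ^ (b<<<23)."""
    b = tau(a)
    return b ^ rotl32(b, 13) ^ rotl32(b, 23)


def expand_key(master_key: bytes) -> list:
    """SM4 key expansion: 16-byte master key -> 32 round keys rk_0..rk_31."""
    if len(master_key) != 16:
        raise ValueError("SM4 master key must be 16 bytes")
    # K_0..K_3 = MK_i ^ FK_i; rk_i = K_{i+4} = K_i ^ T'(K_{i+1} ^ K_{i+2} ^ K_{i+3} ^ CK_i)
    k = [int.from_bytes(master_key[4 * i:4 * i + 4], "big") ^ FK[i] for i in range(4)]
    for i in range(32):
        k.append(k[i] ^ t_prime(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i]))
    return k[4:]


def recover_master_key(rk: Sequence[int]) -> bytes:
    """Invert the key schedule: rk_0..rk_3 (= K_4..K_7) back to the 16-byte master key.

    Each step K_i = K_{i+4} ^ T'(K_{i+1} ^ K_{i+2} ^ K_{i+3} ^ CK_i) only needs the
    three following K values, so walking i = 3, 2, 1, 0 recovers K_3..K_0 in turn.
    """
    if len(rk) < 4:
        raise ValueError("need the first four round keys")
    k = {4 + i: rk[i] & MASK32 for i in range(4)}
    for i in (3, 2, 1, 0):
        k[i] = k[i + 4] ^ t_prime(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i])
    return b"".join((k[i] ^ FK[i]).to_bytes(4, "big") for i in range(4))


if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcdeffedcba9876543210")  # example key from the standard
    rks = expand_key(key)
    print("rk0..rk3:", [f"{r:08x}" for r in rks[:4]])
    print("recovered:", recover_master_key(rks[:4]).hex())
```

The same argument shows why any four consecutive round keys suffice, not just the first four: the recurrence can be run backwards from \(K_{i+4..i+7}\) to \(K_i\) for any i. Recovering the first four is simply what a first-round attack on the encryption direction delivers.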


Posted Content
TL;DR: The sliced biclique cryptanalysis technique is applied to give an 8-round collision attack on a hash function H based on a 4-branch Type-2 Generalized Feistel Network (Type-2 GFN).
Abstract: In this work we apply the sliced biclique cryptanalysis technique to show an 8-round collision attack on a hash function H based on a 4-branch Type-2 Generalized Feistel Network (Type-2 GFN). The attack is generic and works on a 4-branch Type-2 GFN with any parameters, including the block size, the type of round function, the number of S-boxes in each round and the number of SP layers inside the round function. We first construct an 8-round distinguisher on the 4-branch Type-2 GFN and then use it to launch an 8-round collision attack on compression functions based on the Matyas–Meyer–Oseas (MMO) and Miyaguchi–Preneel (MP) modes. The attack translates directly to a collision attack on MP- and MMO-based hash functions and to a pseudo-collision attack on Davies–Meyer (DM) based hash functions. When the round function F is instantiated with a double SP layer, we show the first 8-round collision attack on compression functions based on the 4-branch Type-2 GFN with double SP layer. The previous best attack on this structure was a 6-round near-collision attack by Sasaki at Indocrypt 2012; his attack cannot be used to generate full collisions on 6 rounds, so our result can be regarded as the best so far in the literature on this structure.

2 citations


01 Jan 2015
TL;DR: This paper completely determines the differential distribution of the SIMON round function F(x) and proves that, for a fixed input difference, the output differential probability can only be 0 or \(2^{-r}\) (1
Abstract: SIMON is a family of lightweight block ciphers designed by the U.S. National Security Agency in 2013 with a classical Feistel structure. Its round function F(x) uses only bitwise AND, rotation and XOR operations. In cryptanalysis it is essential to evaluate a cipher's security against differential cryptanalysis, yet there has been no systematic study of the differential properties of SIMON's round function. This paper analyzes the differential properties of F(x) and completely determines its differential distribution. It proves that, for a fixed input difference, the output differential probability can only be 0 or \(2^{-r}\) (1

1 citations
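The property stated above can be checked by exhaustive enumeration for a small word size. The following added example (not the paper's code) implements the SIMON round function \(F(x) = ((x \lll 1) \wedge (x \lll 8)) \oplus (x \lll 2)\) on n-bit words, tabulates the exact output-difference distribution for a fixed input difference, and verifies that every reachable output difference has the same probability \(2^{-r}\). The word size n = 16 is an assumption chosen so that all \(2^{16}\) inputs can be enumerated quickly; the rotation amounts 1, 8, 2 are SIMON's.

```python
"""Differential distribution of the SIMON round function for a fixed input difference."""
from collections import Counter
from math import log2


def rotl(x: int, r: int, n: int) -> int:
    """Rotate the n-bit word x left by r positions."""
    r %= n
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)


def simon_f(x: int, n: int = 16) -> int:
    """SIMON round function F(x) = ((x<<<1) & (x<<<8)) ^ (x<<<2) on an n-bit word."""
    return (rotl(x, 1, n) & rotl(x, 8, n)) ^ rotl(x, 2, n)


def output_difference_distribution(alpha: int, n: int = 16) -> dict:
    """Exact map beta -> Pr_x[F(x) ^ F(x ^ alpha) = beta], enumerating all 2^n inputs."""
    counts = Counter(simon_f(x, n) ^ simon_f(x ^ alpha, n) for x in range(1 << n))
    total = 1 << n
    return {beta: c / total for beta, c in counts.items()}


def differential_exponent(alpha: int, n: int = 16) -> int:
    """Return r such that every reachable output difference has probability exactly 2^-r.

    Raises ValueError if the reachable output differences do not all share a single
    power-of-two probability, i.e. if the uniformity property fails for this alpha.
    """
    dist = output_difference_distribution(alpha, n)
    probs = set(dist.values())
    if len(probs) != 1:
        raise ValueError(f"non-uniform output distribution for alpha={alpha:#x}: {sorted(probs)}")
    r = log2(1.0 / probs.pop())
    if r != int(r):
        raise ValueError(f"probability for alpha={alpha:#x} is not a power of two")
    return int(r)


if __name__ == "__main__":
    for alpha in (0x0001, 0x0003, 0x8001, 0xFFFF):
        r = differential_exponent(alpha)
        print(f"alpha={alpha:#06x}: {1 << r} reachable betas, each with probability 2^-{r}")
```

The two boundary cases are worth noting: alpha = 0 reaches only beta = 0 with probability 1 (r = 0), and the all-ones difference behaves specially because the AND term's difference then depends only on \((x \lll 1) \oplus (x \lll 8)\), a linear map with a two-element kernel, giving r = n - 1 rather than the generic bound.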


Journal ArticleDOI
TL;DR: Generic attacks are presented against hash functions built from a hashing mode instantiated with a Feistel or generalized Feistel network with an SP round function; they are then applied to hashing modes of the ISO standard ciphers Camellia-128 (without FL and whitening layers) and CLEFIA-128.
Abstract: In this paper, generic attacks are presented against hash functions constructed from a hashing mode instantiated with a Feistel or generalized Feistel network with an SP round function. It is observed that omitting the network twist in the last round can be a weakness against preimage attacks. The first target is a standard Feistel network with an SP round function: up to 11 rounds can be attacked generically if a condition on the key schedule function is satisfied. The second target is a 4-branch type-2 generalized Feistel network with an SP round function: up to 15 rounds can be attacked generically. These generic attacks are then applied to hashing modes of the ISO standard ciphers Camellia-128 without FL and whitening layers, and CLEFIA-128.

1 citations


01 Jan 2015
TL;DR: This article shows that in the proposed networks, as in the Feistel network, encryption and decryption use the same algorithm, and any transformation can be used as the round function.
Abstract: This article presents networks based on IDEA32 (RFWKIDEA32-16); RFWKIDEA32 does not use round keys in its round functions. It shows that in the proposed networks, as in the Feistel network, encryption and decryption use the same algorithm, and any transformation can be used as the round function.

Proceedings ArticleDOI
12 Dec 2015
TL;DR: 5-round improbable differentials of FOX are found and used to attack 6-, 7- and 8-round FOX64, building on Tezcan's observation that one can obtain differentials whose predicted differences occur less frequently for the correct key than for a wrong key.
Abstract: FOX is a family of block ciphers designed by Junod and Vaudenay in 2004 as the result of a joint project with the company MediaCrypt AG in Switzerland. Several attacks on reduced-round FOX have been proposed. In this paper we present an improbable differential cryptanalysis of reduced-round FOX. Using this method we attack 6-, 7- and 8-round FOX64 with time complexities \(2^{76.92}\), \(2^{141.27}\) and \(2^{205.85}\) respectively.

Introduction. FOX [1], also known as IDEA-NXT, is a family of block ciphers designed by Junod and Vaudenay in 2004. The high-level structure of FOX is a modified Lai–Massey scheme [2], which can be proven to have good pseudorandomness properties in the Luby–Rackoff paradigm and decorrelation inheritance properties. FOX has two versions, both with a variable number of rounds that depends on the key size. FOX64/k/r has a 64-bit block size with a variable key length that is a multiple of 8 and at most 256 bits; FOX128/k/r has a 128-bit block size with the same possible key lengths. The original design suggests 16 rounds for both ciphers. The round function of FOX uses an SPS (Substitution-Permutation-Substitution) structure with sub-key addition around the three layers. The key schedule of FOX is very complex: it uses the round function as a compression function to generate sub-keys from the master key. The designers analysed the security of FOX against differential, linear, integral, statistical, slide, interpolation and algebraic attacks [3]. In 2006, Wu et al. improved the integral attack on 4-, 5-, 6- and 7-round FOX64 [4], and then proposed impossible differential attacks that break 5-, 6- and 7-round FOX64 [5]. As is well known, impossible differential cryptanalysis [6] uses a differential that cannot occur for the correct key: if a trial key satisfies that difference it cannot be the correct one, so the correct key is obtained by eliminating all or most of the wrong keys. Recently, Tezcan [7] showed that it is also possible to obtain differentials such that the predicted differences occur less frequently for the correct key than for a wrong key. This cryptanalytic technique is called the improbable differential attack; the impossible differential attack is the special case in which the correct-key probability is zero. Its power was shown in [7] by a 15-round improbable differential cryptanalysis of CLEFIA, which was the best known attack on CLEFIA; [8] presents improbable differential attacks on PRESENT. In this paper we find 5-round improbable differentials of FOX and use them to attack 6-, 7- and 8-round FOX64.

4th International Conference on Mechatronics, Materials, Chemistry and Computer Engineering (ICMMCCE 2015). © 2015 The authors. Published by Atlantis Press, 2450.

Description of FOX64. In FOX64/k/r the number of rounds r must satisfy \(12 \le r \le 255\). The key length is k bits, a multiple of 8 and at most 256 bits. We give a brief description of FOX64; for details see [1].

Round function f32. The round function f32 consists of three main parts: a substitution part sigma4, a diffusion part mu4 and a round-key addition part. Let \(f32 : \{0,1\}^{32} \times \{0,1\}^{64} \to \{0,1\}^{32}\); for a 32-bit input \(x \in \{0,1\}^{32}\) and a 64-bit round key \(k = k_0 \,\|\, k_1\),
\[
f32(x, k) = \mathrm{sigma4}\big(\mathrm{mu4}(\mathrm{sigma4}(x \oplus k_0)) \oplus k_1\big) \oplus k_0 .
\]
The substitution transformation sigma4: \(\{0,1\}^{32} \to \{0,1\}^{32}\) consists of 4 parallel applications of a non-linear bijective S-box. The linear bijection mu4: \(\mathrm{GF}(256)^4 \to \mathrm{GF}(256)^4\) treats the input \((x_0, x_1, x_2, x_3)\) as a vector over GF(256) and multiplies it by an MDS matrix, producing an output vector of the same size. The branch number of the MDS matrix is 5. Its entries (given in [1]) are built from 1 and \(\alpha\), where \(\alpha\) is a root of the irreducible polynomial \(m(x) = x^8 + x^7 + x^6 + x^5 + x^4 + x^3 + 1\).

Encryption and decryption of FOX64. FOX64 (with r = 16) is 15 iterations of the round transformation Imor64 followed by the last round transformation Imid64. The round transformation Imor64 is defined as
\[
y_L \,\|\, y_R = \mathrm{Imor64}(x_L \,\|\, x_R) = \mathrm{or}\big(x_L \oplus f32(x_L \oplus x_R, k)\big) \,\|\, \big(x_R \oplus f32(x_L \oplus x_R, k)\big),
\]
where \(x_L \| x_R\) and \(y_L \| y_R\) are the input and output of Imor64, k is the round key, and \(\mathrm{or}(a, b) = (b, a \oplus b)\) is a linear orthomorphism acting on the two 16-bit halves of a 32-bit word. Imid64 is a slightly modified version of Imor64 in which the orthomorphism or is replaced by the identity. Consequently, for Imid64 the bitwise XOR of the two halves of the input equals the bitwise XOR of the two halves of the output. The FOX64 encryption of a 64-bit plaintext P is
\[
C = \mathrm{Imid64}\big(\mathrm{Imor64}(\cdots \mathrm{Imor64}(P, k_1) \cdots, k_{r-1}), k_r\big),
\]
where \(k_1, k_2, \dots, k_r\) are the round sub-keys.

Improbable differential attack. Improbable differential cryptanalysis was proposed by Tezcan [7]. The attack aims to find a differential with input difference \(\alpha\) and output difference \(\beta\) such that these differences are observed with probability \(p_{ck}\) for the correct key and with probability \(p_{wk}\) for a wrong key, where \(p_{ck} < p_{wk}\). One way of obtaining such differences is to find non-trivial differentials with input difference \(\alpha\) and an output difference other than \(\beta\), or vice versa. Since \(p_{ck}\) is less than \(p_{wk}\), the improbable differential attack uses N plaintext pairs, counts the hits that every guessed sub-key gets, and expects the counter of the correct sub-key to be below a threshold T. The number of hits a wrong sub-key gets is a binomial random variable with parameters \((N, p_{wk})\), and the counter of the correct sub-key is a binomial random variable with parameters \((N, p_{ck})\). The non-detection error probability \(p_{nd}\) is the probability that the counter of the correct sub-key is higher than T. And the false alarm error
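The Lai–Massey structure described under "Encryption and decryption of FOX64" can be exercised directly. The following added example (not the paper's code) implements the 64-bit skeleton: the orthomorphism \(\mathrm{or}(a, b) = (b, a \oplus b)\) on 16-bit halves and its inverse, the Imor64 and Imid64 round transformations and their inverses, and the r-round encryption. FOX's real f32 (sigma4, mu4, S-box, MDS matrix) is not reproduced; `toy_f32` is a stand-in keyed 32-bit function chosen only to be non-trivial and is an assumption of this example. The round keys and plaintext in the usage are constructed values. The code demonstrates two structural facts the text states: the last round (no orthomorphism) preserves the XOR of the two halves, and the scheme decrypts with the same f32 because the f32 input \(x_L \oplus x_R\) can be recomputed from the output.

```python
"""FOX64-style Lai–Massey skeleton with orthomorphism (structure only, toy f32)."""
MASK16 = 0xFFFF
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def orthomorphism(x: int) -> int:
    """or(a || b) = b || (a ^ b) on a 32-bit word split into 16-bit halves."""
    a, b = x >> 16, x & MASK16
    return (b << 16) | (a ^ b)


def orthomorphism_inv(y: int) -> int:
    """Inverse of or: from (b, a ^ b) recover (a, b)."""
    b, ab = y >> 16, y & MASK16
    return ((ab ^ b) << 16) | b


def toy_f32(x: int, k: int) -> int:
    """Stand-in for f32 (assumption, NOT FOX's f32): 32-bit input, 64-bit key k = k0 || k1."""
    k0, k1 = k >> 32, k & MASK32
    t = ((x ^ k0) * 0x9E3779B1) & MASK32
    t = ((t << 13) | (t >> 19)) & MASK32
    t = ((t ^ k1) * 0x85EBCA6B) & MASK32
    return t ^ (t >> 16)


def lai_massey_round(block: int, k: int, f=toy_f32, with_orthomorphism: bool = True) -> int:
    """Imor64 (with_orthomorphism=True) or Imid64 (False) on a 64-bit block."""
    xl, xr = block >> 32, block & MASK32
    fv = f(xl ^ xr, k)
    yl, yr = xl ^ fv, xr ^ fv
    if with_orthomorphism:
        yl = orthomorphism(yl)
    return (yl << 32) | yr


def lai_massey_round_inv(block: int, k: int, f=toy_f32, with_orthomorphism: bool = True) -> int:
    """Inverse round: undo or, recompute f from (xl ^ f) ^ (xr ^ f) = xl ^ xr, strip f."""
    yl, yr = block >> 32, block & MASK32
    if with_orthomorphism:
        yl = orthomorphism_inv(yl)
    fv = f(yl ^ yr, k)
    return ((yl ^ fv) << 32) | (yr ^ fv)


def fox64_encrypt(p: int, round_keys, f=toy_f32) -> int:
    """r-1 Imor64 rounds with keys k_1..k_{r-1}, then Imid64 with k_r."""
    x = p & MASK64
    for k in round_keys[:-1]:
        x = lai_massey_round(x, k, f, True)
    return lai_massey_round(x, round_keys[-1], f, False)


def fox64_decrypt(c: int, round_keys, f=toy_f32) -> int:
    x = lai_massey_round_inv(c & MASK64, round_keys[-1], f, False)
    for k in reversed(round_keys[:-1]):
        x = lai_massey_round_inv(x, k, f, True)
    return x


def halves_xor(block: int) -> int:
    """XOR of the two 32-bit halves; invariant under Imid64, not under Imor64."""
    return (block >> 32) ^ (block & MASK32)


if __name__ == "__main__":
    rks = [((0x0123456789ABCDEF * (i + 1)) ^ (i << 40)) & MASK64 for i in range(16)]  # constructed
    p = 0xFEDCBA9876543210  # constructed
    c = fox64_encrypt(p, rks)
    print(f"c = {c:016x}, roundtrip ok = {fox64_decrypt(c, rks) == p}")
    print("Imid64 keeps xL^xR:", halves_xor(lai_massey_round(p, rks[0], with_orthomorphism=False)) == halves_xor(p))
```

The half-XOR invariant is exactly why the orthomorphism exists: without it, \(x_L \oplus x_R\) would pass through every round unchanged and the scheme would not be a pseudorandom permutation, which is also the reason attacks on hashing modes target the final round where the twist is omitted.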
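The threshold and error probabilities in the "Improbable differential attack" paragraph can be computed exactly from the two binomial distributions. The following added example (not the paper's code) takes N, \(p_{ck}\) and \(p_{wk}\) with \(p_{ck} < p_{wk}\), scans the threshold T, and reports \(p_{nd} = \Pr[\text{correct counter} > T]\) and \(p_{fa} = \Pr[\text{wrong counter} \le T]\) for the T minimising their sum; it also finds the smallest power-of-two N that meets a target total error, which is how the data complexity of such an attack is sized. The probabilities used in the usage are constructed values, not FOX's.

```python
"""Threshold selection and error probabilities for an improbable differential attack."""
import math


def binomial_pmf_iter(n: int, p: float):
    """Yield (k, Pr[Bin(n, p) = k]) for k = 0..n using the pmf recurrence in log space,
    so that (1 - p)^n does not underflow for large n."""
    log_pmf = n * math.log1p(-p)
    log_ratio = math.log(p) - math.log1p(-p)
    for k in range(n + 1):
        yield k, math.exp(log_pmf)
        if k < n:
            log_pmf += math.log((n - k) / (k + 1)) + log_ratio


def choose_threshold(n: int, p_ck: float, p_wk: float):
    """Return (T, p_nd, p_fa) for the threshold T minimising p_nd + p_fa.

    Correct sub-key counter ~ Bin(n, p_ck), wrong sub-key counter ~ Bin(n, p_wk).
    p_nd = Pr[correct counter > T]  (non-detection: the right key is discarded)
    p_fa = Pr[wrong counter <= T]   (false alarm: a wrong key survives)
    """
    if not 0.0 < p_ck < p_wk < 1.0:
        raise ValueError("need 0 < p_ck < p_wk < 1 for an improbable differential")
    cdf_c = cdf_w = 0.0
    best = None
    for (k, pc), (_, pw) in zip(binomial_pmf_iter(n, p_ck), binomial_pmf_iter(n, p_wk)):
        cdf_c += pc
        cdf_w += pw
        p_nd = max(0.0, 1.0 - cdf_c)
        p_fa = min(1.0, cdf_w)
        if best is None or p_nd + p_fa < best[1] + best[2]:
            best = (k, p_nd, p_fa)
        if cdf_w >= 1.0 - 1e-12:  # beyond this point p_fa is ~1; nothing to gain
            break
    return best


def pairs_needed(p_ck: float, p_wk: float, max_total_error: float, start: int = 1 << 10):
    """Smallest N (doubling from `start`) whose best threshold meets the error budget.
    Returns (N, T, p_nd, p_fa)."""
    n = start
    while True:
        t, p_nd, p_fa = choose_threshold(n, p_ck, p_wk)
        if p_nd + p_fa <= max_total_error:
            return n, t, p_nd, p_fa
        n *= 2


def surviving_subkeys(counters: dict, t: int) -> list:
    """Key-recovery step: keep the sub-key guesses whose hit counter is at or below T."""
    return [sk for sk, c in counters.items() if c <= t]


if __name__ == "__main__":
    # Constructed illustration: a wrong key sees the difference with p_wk = 2^-8,
    # the correct key 1/8 less often (p_ck = 7/8 * 2^-8).
    p_wk, p_ck = 1 / 256, 7 / 2048
    n, t, p_nd, p_fa = pairs_needed(p_ck, p_wk, 0.01)
    print(f"N = 2^{n.bit_length() - 1}, T = {t}, p_nd = {p_nd:.4f}, p_fa = {p_fa:.4f}")
```

The scan is linear in N because both cumulative distributions are accumulated in one pass; the optimal T sits where the two probability mass functions cross, between the means \(N p_{ck}\) and \(N p_{wk}\). Doubling N separates the means by a factor 2 but widens each distribution only by \(\sqrt{2}\), which is why a modest relative gap between \(p_{ck}\) and \(p_{wk}\) still becomes detectable with enough pairs.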