163 research outputs found

    A 2^{70} Attack on the Full MISTY1

    Get PDF
    MISTY1 is a block cipher designed by Matsui in 1997. It is widely deployed in Japan, and is recognized internationally as a European NESSIE-recommended cipher and an ISO standard. After almost 20 years of unsuccessful cryptanalytic attempts, a first attack on the full MISTY1 was presented at CRYPTO 2015 by Todo. The attack, using a new technique called {\it division property}, requires almost the full codebook and has time complexity of 2^{107.3} encryptions. In this paper we present a new attack on the full MISTY1. It is based on a modified variant of Todo\u27s division property, along with a variety of refined key-recovery techniques. Our attack requires the full codebook, but allows to retrieve 49 bits of the secret key in time complexity of only 2^{64} encryptions, and the full key in time complexity of 2^{69.5} encryptions. While our attack is clearly impractical due to its large data complexity, it shows that MISTY1 provides security of only 2^{70} --- significantly less than what was considered before

    Improved Higher-Order Differential Attacks on MISTY1

    Get PDF
    MISTY1 is a block cipher designed by Matsui in 1997. It is widely deployed in Japan, and is recognized internationally as an European NESSIE-recommended cipher and an ISO standard. Since its introduction, MISTY1 was subjected to extensive cryptanalytic efforts, yet no attack significantly faster than exhaustive key search is known on its full version. The best currently known attack is a higher-order differential attack presented by Tsunoo et al. in 2012 which breaks a reduced variant of MISTY1 that contains 7 of the 8 rounds and 4 of the 5 FLFL layers in 249.72^{49.7} data and 2116.42^{116.4} time. In this paper, we present improved higher-order differential attacks on reduced-round MISTY1. Our attack on the variant considered by Tsunoo et al. requires roughly the same amount of data and only 2100.42^{100.4} time (i.e., is 2162^{16} times faster). Furthermore, we present the first attack on a MISTY1 variant with 7 rounds and all 5 FLFL layers, requiring 251.42^{51.4} data and 21212^{121} time. To achieve our results, we use a new higher-order differential characteristic for 4-round MISTY1, as well as enhanced key recovery algorithms based on the {\it partial sums} technique

    Multidimensional Zero-Correlation Linear Cryptanalysis of the Block Cipher KASUMI

    Full text link
    The block cipher KASUMI is widely used for security in many synchronous wireless standards. It was proposed by ETSI SAGE for usage in 3GPP (3rd Generation Partnership Project) ciphering algorthms in 2001. There are a great deal of cryptanalytic results on KASUMI, however, its security evaluation against the recent zero-correlation linear attacks is still lacking so far. In this paper, we select some special input masks to refine the general 5-round zero-correlation linear approximations combining with some observations on the FLFL functions and then propose the 6-round zero-correlation linear attack on KASUMI. Moreover, zero-correlation linear attacks on the last 7-round KASUMI are also introduced under some weak keys conditions. These weak keys take 2−142^{-14} of the whole key space. The new zero-correlation linear attack on the 6-round needs about 2852^{85} encryptions with 262.82^{62.8} known plaintexts. For the attack under weak keys conditions on the last 7 round, the data complexity is about 262.12^{62.1} known plaintexts and the time complexity 2110.52^{110.5} encryptions

    Integral Cryptanalysis on Full MISTY1

    Get PDF
    MISTY1 is a block cipher designed by Matsui in 1997. It was well evaluated and standardized by projects, such as CRYPTREC, ISO/IEC, and NESSIE. In this paper, we propose a key recovery attack on the full MISTY1, i.e., we show that 8-round MISTY1 with 5 FL layers does not have 128-bit security. Many attacks against MISTY1 have been proposed, but there is no attack against the full MISTY1. Therefore, our attack is the first cryptanalysis against the full MISTY1. We construct a new integral characteristic by using the propagation characteristic of the division property, which was proposed in 2015. We first improve the division property by optimizing a public S-box and then construct a 6-round integral characteristic on MISTY1. Finally, we recover the secret key of the full MISTY1 with 263.582^{63.58} chosen plaintexts and 21212^{121} time complexity. Moreover, if we can use 263.9942^{63.994} chosen plaintexts, the time complexity for our attack is reduced to 2107.92^{107.9}. Note that our cryptanalysis is a theoretical attack. Therefore, the practical use of MISTY1 will not be affected by our attack

    A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony

    Get PDF
    The privacy of most GSM phone conversations is currently protected by the 20+ years old A5/1 and A5/2 stream ciphers, which were repeatedly shown to be cryptographically weak. They will soon be replaced in third generation networks by a new A5/3 block cipher called KASUMI, which is a modified version of the MISTY cryptosystem. In this paper we describe a new type of attack called a sandwich attack, and use it to construct a simple distinguisher for 7 of the 8 rounds of KASUMI with an amazingly high probability of 2−142^{ -14}. By using this distinguisher and analyzing the single remaining round, we can derive the complete 128 bit key of the full KASUMI by using only 4 related keys, 2262^{26} data, 2302^{30} bytes of memory, and 2322^{32} time. These complexities are so small that we have actually simulated the attack in less than two hours on a single PC, and experimentally verified its correctness and complexity. Interestingly, neither our technique nor any other published attack can break MISTY in less than the 21282^{128} complexity of exhaustive search, which indicates that the changes made by the GSM Association in moving from MISTY to KASUMI resulted in a much weaker cryptosystem

    Quantum Attacks on Some Feistel Block Ciphers

    Get PDF
    Post-quantum cryptography has attracted much attention from worldwide cryptologists. However, most research works are related to public-key cryptosystem due to Shor\u27s attack on RSA and ECC ciphers. At CRYPTO 2016, Kaplan et al. showed that many secret-key (symmetric) systems could be broken using a quantum period finding algorithm, which encouraged researchers to evaluate symmetric systems against quantum attackers. In this paper, we continue to study symmetric ciphers against quantum attackers. First, we convert the classical advanced slide attacks (introduced by Biryukov and Wagner) to a quantum one, that gains an exponential speed-up in time complexity. Thus, we could break 2/4K-Feistel and 2/4K-DES in polynomial time. Second, we give a new quantum key-recovery attack on full-round GOST, which is a Russian standard, with 2114.82^{114.8} quantum queries of the encryption process, faster than a quantum brute-force search attack by a factor of 213.22^{13.2}

    Key classification attack on block ciphers

    Get PDF
    In this paper, security analysis of block ciphers with key length greater than block length is proposed. When key length is significantly greater than block length and the statistical distribution of cipher system is like a uniform distribution, there are more than one key which map fixed input to fixed output. If a block cipher designed sufficiently random, it is expected that the key space can be classified into same classes. Using such classes of keys, our proposed algorithm would be able to recover the key of block cipher with complexity O(max(2^n, 2^{k-n}) where n is block length and k is key length. We applied our algorithm to 2- round KASUMI block cipher as sample block cipher by using weakness of functions that used in KASUMI

    Partial Sums Meet FFT: Improved Attack on 6-Round AES

    Get PDF
    The partial sums cryptanalytic technique was introduced in 2000 by Ferguson et al., who used it to break 6-round AES with time complexity of 2522^{52} S-box computations -- a record that has not been beaten ever since. In 2014, Todo and Aoki showed that for 6-round AES, partial sums can be replaced by a technique based on the Fast Fourier Transform (FFT), leading to an attack with a comparable complexity. In this paper we show that the partial sums technique can be combined with an FFT-based technique, to get the best of the two worlds. Using our combined technique, we obtain an attack on 6-round AES with complexity of about 246.42^{46.4} additions. We fully implemented the attack experimentally, along with the partial sums attack and the Todo-Aoki attack, and confirmed that our attack improves the best known attack on 6-round AES by a factor of more than 32. We expect that our technique can be used to significantly enhance numerous attacks that exploit the partial sums technique. To demonstrate this, we use our technique to improve the best known attack on 7-round Kuznyechik by a factor of more than 80, and to reduce the complexity of the best known attack on the full MISTY1 from 269.52^{69.5} to 2672^{67}

    Generic Round-Function-Recovery Attacks for Feistel Networks over Small Domains

    Get PDF
    Feistel Networks (FN) are now being used massively to encrypt credit card numbers through format-preserving encryption. In our work, we focus on FN with two branches, entirely unknown round functions, modular additions (or other group operations), and when the domain size of a branch (called NN) is small. We investigate round-function-recovery attacks. The best known attack so far is an improvement of Meet-In-The-Middle (MITM) attack by Isobe and Shibutani from ASIACRYPT~2013 with optimal data complexity q=rN2q=r \frac{N}{2} and time complexity Nr−42N+o(N)N^{ \frac{r-4}{2}N + o(N)}, where rr is the round number in FN. We construct an algorithm with a surprisingly better complexity when rr is too low, based on partial exhaustive search. When the data complexity varies from the optimal to the one of a codebook attack q=N2q=N^2, our time complexity can reach NO(N1−1r−2)N^{O \left( N^{1-\frac{1}{r-2}} \right) }. It crosses the complexity of the improved MITM for q∼Ne3r2r−3q\sim N\frac{\mathrm{e}^3}{r}2^{r-3}. We also estimate the lowest secure number of rounds depending on NN and the security goal. We show that the format-preserving-encryption schemes FF1 and FF3 standardized by NIST and ANSI cannot offer 128-bit security (as they are supposed to) for N≤11N\leq11 and N≤17N\leq17, respectively (the NIST standard only requires N≥10N \geq 10), and we improve the results by Durak and Vaudenay from CRYPTO~2017
    • …
    corecore