Linear cryptanalysis of pseudorandom functions

Relatório de projeto de pesquisa.In this paper, we study linear relations propagating across block ciphers from the key input to the ciphertext (for a fixed plaintext block). This is a usual setting of a one-way function, used for instance in modes of operation such as KFB (key feedback). We instantiate the block cipher with the full 16-round DES and $s^2$-DES, 10-round LOKI91 and 24-round Khufu, for which linear relations with high bias are well known. Other interesting targets include the full 8.5-round IDEA and PES ciphers for which high bias linear relations exist under the assumption of weak keys. Consequences of these findings impact the security of modes of operation such as KFB and of pseudorandom number/bit generators. These analyses were possible due to the linear structure and the poor diffusion of the key schedule algorithms. These findings shall motivate carefull (re)design of current and future key schedule algorithms

Unique Aspects of Usage of the Quadratic Cryptanalysis Method to the GOST 28147-89 Encryption Algorithm

In this article, issues related to the application of the quadratic cryptanalysis method to the five rounds of GOST 28147-89 encryption algorithm are given. For example, the role of the bit gains in the application of the quadratic cryptanalysis method, which is formed in the operation of addition according to mod232 used in this algorithm is described. In this case, it is shown that the selection of the relevant bits of the incoming plaintext and cipher text to be equal to zero plays an important role in order to obtain an effective result in cryptanalysi

Cryptanalysis of LOKI91

In this paper we examine the redesign of LOKI, LOKI91 proposed by Brown et al. First it is shown that there is no characteristic with a probability high enough to do a successful differential attack on LOKI91. Secondly we show that the size of the image of the F-function in LOKI91 is 8\22*2^32. Finally we introduce a chosen plaintext attack that reduces an exhaustive key search on LOKI91 by almost a factor 4 using 2^33+2 chosen plaintexts

Multidimensional Linear Cryptanalysis of Feistel Ciphers

This paper presents new generic attacks on Feistel ciphers that incorporate the key addition at the input of the non-invertible round function only. This feature leads to a specific vulnerability that can be exploited using multidimensional linear cryptanalysis. More specifically, our approach involves using key-independent linear trails so that the distribution of a combination of the plaintext and ciphertext can be computed. This makes it possible to use the likelihood-ratio test as opposed to the χ2 test. We provide theoretical estimates of the cost of our generic attacks and verify these experimentally by applying the attacks to CAST-128 and LOKI91. The theoretical and experimental findings demonstrate that the proposed attacks lead to significant reductions in data-complexity in several interesting cases

Flaws of hypercube-like ciphers

Рассмотрен класс блочных криптографических XSLP-алгоритмов, называемых «гиперкуб». Для алгоритмов данного класса получены оценки показателя рассеивания линейной среды для любого числа итераций. Показано, что при выборе преобразования P с использованием обобщённых графов де Брейна для рассматриваемых алгоритмов может не наступать лавинный эффект, вследствие чего ключ шифрования может быть определён с трудоёмкостью, существенной меньшей трудоёмкости тотального опробования ключей

Cryptanalysis of CIKS-128 and CIKS-128H Suitable for Intelligent Multimedia and Ubiquitous Computing Systems

Recently, data-dependent permutations (DDP) that are very suitable for intelligent multimedia and ubiquitous computing systems have been introduced as a new cryptographic primitive for the design of fast encryption systems. The CIKS-128 and CIKS-128H block ciphers are the typical examples of DDP-based encryption algorithms. In this paper, we show that CIKS-128 and CIKS-128H are vulnerable to related-key differential attacks. We first describe how to construct their full-round related-key differential characteristics with high probabilities and then we exploit them to break the full-round CIKS-128 and CIKS-128H with 2^44, and 2^48 data/time complexities, respectively

Slide Attacks on a Class of Hash Functions

Abstract. This paper studies the application of slide attacks to hash functions. Slide attacks have mostly been used for block cipher cryptanalysis. But, as shown in the current paper, they also form a potential threat for hash functions, namely for sponge-function like structures. As it turns out, certain constructions for hash-function-based MACs can be vulnerable to forgery and even to key recovery attacks. In other cases, we can at least distinguish a given hash function from a random oracle. To illustrate our results, we describe attacks against the Grindahl-256 and Grindahl-512 hash functions. To the best of our knowledge, this is the first cryptanalytic result on Grindahl-512. Furthermore, we point out a slide-based distinguisher attack on a slightly modified version of RadioGatún. We finally discuss simple countermeasures as a defense against slide attacks. Key words: slide attacks, hash function, Grindahl, RadioGatún, MAC, sponge function.

Plaintext Recovery in DES-like Cryptosystems Based on S-boxes with Embedded Parity Check

We describe an approach for recovering the plaintext in block ciphers having a design structure similar to the Data Encryption Standard but with improperly constructed S-boxes. The experiments with a backtracking search algorithm performing this kind of attack against modified DES/Triple-DES in ECB mode show that the unknown plaintext can be recovered with a small amount of uncertainty and this algorithm is highly efficient both in time and memory costs for plaintext sources with relatively low entropy. Our investigations demonstrate once again that modifications resulting to S-boxes which still satisfy some design criteria may lead to very weak ciphers. ACM Computing Classification System (1998): E.3, I.2.7, I.2.8.This work was presented in part at the 1-st International Conference Bulgarian Cryptography Days 2012, Sofia, Bulgaria, 20–21 September 2012

The (related-key) impossible boomerang attack and its application to the AES block cipher

The Advanced Encryption Standard (AES) is a 128-bit block cipher with a user key of 128, 192 or 256 bits, released by NIST in 2001 as the next-generation data encryption standard for use in the USA. It was adopted as an ISO international standard in 2005. Impossible differential cryptanalysis and the boomerang attack are powerful variants of differential cryptanalysis for analysing the security of a block cipher. In this paper, building on the notions of impossible differential cryptanalysis and the boomerang attack, we propose a new cryptanalytic technique, which we call the impossible boomerang attack, and then describe an extension of this attack which applies in a related-key attack scenario. Finally, we apply the impossible boomerang attack to break 6-round AES with 128 key bits and 7-round AES with 192/256 key bits, and using two related keys we apply the related-key impossible boomerang attack to break 8-round AES with 192 key bits and 9-round AES with 256 key bits. In the two-key related-key attack scenario, our results, which were the first to achieve this amount of attacked rounds, match the best currently known results for AES with 192/256 key bits in terms of the numbers of attacked rounds. The (related-key) impossible boomerang attack is a general cryptanalytic technique, and can potentially be used to cryptanalyse other block ciphers