6 research outputs found
Improved Linear Cryptanalysis of Reduced-Round MIBS
MIBS is a 32-round lightweight block cipher with 64-bit block size and two different key sizes, namely 64-bit and 80-bit keys. Bay et al. provided the first impossible differential, differential and linear cryptanalyses of MIBS. Their best attack was a linear attack on the 18-round MIBS-80. In this paper, we significantly improve their attack by discovering more approximations and mounting Hermelin et al.'s multidimensional linear cryptanalysis. We also use Nguyen et al.'s technique to have less time complexity. We attack on 19 rounds of MIBS-80 with a time complexity of 2^{74.23} 19-round MIBS-80 encryptions by using 2^{57.87} plaintext-ciphertext pairs. To the best of our knowledge, the result proposed in this paper is the best cryptanalytic result for MIBS, so far
ElimLin Algorithm Revisited
ElimLin is a simple algorithm for solving polynomial systems of multivariate equations over small finite fields. It was initially proposed as a single tool by Courtois to attack DES. It can reveal some hidden linear equations existing in the ideal generated by the system. We report a number of key theorems on ElimLin. Our main result is to characterize ElimLin in terms of a sequence of intersections of vector spaces. It implies that the linear space generated by ElimLin is invariant with respect to any variable ordering during elimination and substitution. This can be seen as surprising given the fact that it eliminates variables. On the contrary, monomial ordering is a crucial factor in Gröbner basis algorithms such as F4. Moreover, we prove that the result of ElimLin is invariant with respect to any affine bijective variable change. Analyzing an overdefined dense system of equations, we argue that to obtain more linear equations in the succeeding iteration in ElimLin some restrictions should be satisfied. Finally, we compare the security of LBlock and MIBS block ciphers with respect to algebraic attacks and propose several attacks on Courtois Toy Cipher version 2 (CTC2) with distinct parameters using ElimLin
Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)
Impossible differential cryptanalysis is a powerful technique to recover the secret key of block ciphers by
exploiting the fact that in block ciphers specific input and output
differences are not compatible.
This paper introduces a novel tool to search truncated impossible differentials for
word-oriented block ciphers with bijective Sboxes. Our tool generalizes the earlier
-method and the UID-method. It allows to reduce
the gap between the best impossible differentials found by these methods and the best known
differentials found by ad hoc methods that rely on cryptanalytic insights.
The time and space complexities of our tool in judging an -round truncated impossible differential are about and respectively,
where is the number of words in the plaintext and , are constants depending on the machine and the block cipher.
In order to demonstrate the strength of our tool, we show that it does not only allow to automatically rediscover the
longest truncated impossible differentials of many word-oriented block ciphers, but also finds new
results. It independently rediscovers all 72 known truncated impossible differentials on 9-round CLEFIA.
In addition, finds new truncated impossible differentials for AES, ARIA, Camellia without
FL and FL layers, E2, LBlock, MIBS and Piccolo.
Although our tool does
not improve the lengths of impossible differentials for existing block ciphers, it helps to
close the gap between the best known results of previous tools and those of manual cryptanalysis
Cryptanalysis of reduced-round MIBS Block Cipher
Abstract. This paper presents the first independent and systematic linear, differential and impossible-differential (ID) cryptanalyses of MIBS, a lightweight block cipher aimed at constrained devices such as RFID tags and sensor networks. Our contributions include linear attacks on up to 18-round MIBS, and the first ciphertext-only attacks on 13-round MIBS. Our differential analysis reaches 14 rounds, and our impossibledifferential attack reaches 12 rounds. These attacks do not threaten the full 32-round MIBS, but significantly reduce its margin of security by more than 50%. One fact that attracted our attention is the striking similarity of the round function of MIBS with that of the Camellia block cipher. We actually used this fact in our ID attacks. We hope further similarities will help build better attacks for Camellia as well