A Highly Nonlinear Differentially 4 Uniform Power Mapping That Permutes Fields of Even Degree

Functions with low differential uniformity can be used as the s-boxes of symmetric cryptosystems as they have good resistance to differential attacks. The AES (Advanced Encryption Standard) uses a differentially-4 uniform function called the inverse function. Any function used in a symmetric cryptosystem should be a permutation. Also, it is required that the function is highly nonlinear so that it is resistant to Matsui's linear attack. In this article we demonstrate that a highly nonlinear permutation discovered by Hans Dobbertin has differential uniformity of four and hence, with respect to differential and linear cryptanalysis, is just as suitable for use in a symmetric cryptosystem as the inverse function.Comment: 10 pages, submitted to Finite Fields and Their Application

Rotational Cryptanalysis From a Differential-linear Perspective: Practical Distinguishers for Round-reduced FRIET, Xoodoo, and Alzette

The differential-linear attack, combining the power of the two most effective techniques for symmetric-key cryptanalysis, was proposed by Langford and Hellman at CRYPTO 1994. From the exact formula for evaluating the bias of a differential-linear distinguisher (JoC 2017), to the differential-linear connectivity table (DLCT) technique for dealing with the dependencies in the switch between the differential and linear parts (EUROCRYPT 2019), and to the improvements in the context of cryptanalysis of ARX primitives (CRYPTO 2020), we have seen significant development of the differential-linear attack during the last four years. In this work, we further extend this framework by replacing the differential part of the attack by rotational-xor differentials. Along the way, we establish the theoretical link between the rotational-xor differential and linear approximations, revealing that it is nontrivial to directly apply the closed formula for the bias of ordinary differential- linear attack to rotational differential-linear cryptanalysis. We then revisit the rotational cryptanalysis from the perspective of differential- linear cryptanalysis and generalize Morawiecki et al.’s technique for analyzing Keccak, which leads to a practical method for estimating the bias of a (rotational) differential-linear distinguisher in the special case where the output linear mask is a unit vector. Finally, we apply the rotational differential-linear technique to the permutations involved in FRIET, Xoodoo, Alzette, and SipHash. This gives significant improvements over existing cryptanalytic results or offers explanations for previous experimental distinguishers without a theoretical foundation. To confirm the validity of our analysis, all distinguishers with practical complexities are verified experimentally

Cryptographic Properties and Application of a Generalized Unbalanced Feistel Network Structure (Revised Version)

In this paper, we study GF-NLFSR, a Generalized Unbalanced Feis- tel Network (GUFN) which can be considered as an extension of the outer function FO of the KASUMI block cipher. We show that the differential and linear probabilities of any n + 1 rounds of an n-cell GF-NLFSR are both bounded by p^2, where the corresponding probability of the round function is p. Besides analyzing security against differential and linear cryptanalysis, we provide a frequency distribution for upper bounds on the true differential and linear hull probabilities. From the frequency distribution, we deduce that the proportion of input-output differences/mask values with probability bounded by p^n is close to 1 whereas only a negligible proportion has probability bounded by p^2. We also recall an n^2-round integral attack distinguisher and (n^2+n-2)-round impossible impossible differential distinguisher on the n-cell GF-NLFSR by Li et al. and Wu et al. As an application, we design a new 30-round block cipher Four-Cell+ based on a 4-cell GF-NLFSR. We prove the security of Four-Cell+ against differential, linear, and boomerang attack. Four-Cell+ also resists existing key recovery attacks based on the 16-round integral attack distinguisher and 18-round impossible differential distinguisher. Furthermore, Four-Cell+ can be shown to be secure against other attacks such as higher order differential attack, cube attack, interpolation attack, XSL attack and slide attack

Атака апаратних збоїв на проріджуючий генератор псевдовипадкових чисел

Запропоновано алгоритм диференційноїкриптоатак збоїв на базовукомпоненту сучасних потокових шифрів – регістр зсуву з лінійними зворотними зв’язками. Розроблено програмне забезпечення, що імітує проведення даної атаки, на основі якого показано її ефективність. Запропонована модифікація даної атаки на конструкцію проріджуючого генератора.The algorithm of differential fault attack on the linear feedback shift register – basic component of modern stream ciphers, was proposed. The software tool for simulation of this attack was developed. The efficiency of the proposed algorithm was shown by this software tool. The modification of attack was proposed and applied on the construction of shrinking generator

Linear and Differential Cryptanalysis of SHA-256

The one-way hash function plays an important role in digital signatures and message authentication from the viewpoint of security. No effective attacking method has been discovered to the algorithm of hash function standard. In this study, we tried to attack SHA-256 in encryption mode using linear and differential cryptanalysis to solve a private key. We deduced that an estimate of the private key would require huge known and chosen plaintexts in both linear and differential cryptanalysis, and that it would be difficult to decipher SHA-256 in view of the required computation

Neural-Linear Attack Based on Distribution Data and Its Application on DES

The neural-differential distinguisher proposed by Gohr boosted the development of neural aided differential attack. As another significant cryptanalysis technique, linear attack has not been developing as rapidly in combination with deep learning technology as differential attack. In 2020, Hou et al. proposed the first neural-linear attack with one bit key recovery on 3, 4 and 5-round DES and restricted multiple bits recovery on 4 rounds, where the effective bits in one plain-ciphertext pair are spliced as one data sample. In this paper, we compare the neural-linear cryptanalysis with neural-differential cryptanalysis and propose a new data preprocessing algorithm depending on their similarities and differences. We call the new data structure distribution data. Basing on it, we mount our key recovery on round-reduced DES—first, we raise the accuracy of the neural-linear distinguisher by about 50%. Second, our distinguisher improves the effectiveness of one bit key recovery against 3, 4 and 5-round DES than the former one, and attack 6-round DES with success rate of 60.6% using 2048 plain-ciphertext pairs. Third, we propose a real multiple bit key recovery algorithm, leading neural-linear attack from theory to practice

Improved Attacks on GIFT-64

One of the well-known superiorities of GIFT-64 over PRESENT lies in the correction of the strong linear hull effect. However, apart from the investigation of the 9-round linear hull effect in the design document, we find no linear attack result on GIFT-64. Although we do not doubt the security of GIFT-64 regarding the linear cryptanalysis, the actual resistance of the cipher to the linear attack should be evaluated since it promotes a comprehensive perception of the soundness of GIFT-64. Motivated by this observation, we implement an automatic search and find a 12-round linear distinguisher whose dominating trail is an optimal linear characteristic. Following that, the first 19-round linear attack is launched by utilising the newly identified distinguisher. On the other side, we notice that the previous differential attack of GIFT-64 covering 20 rounds claims the entire codebook. To reduce the data complexity of the 20-round attack, we apply the automatic method to exhaustively check 13-round differential trails with probabilities no less than $2^{-64}$ and identify multiple 13-round differentials facilitating 20-round attacks without using the full codebook. One of the candidate differentials with the maximum probability and the minimum number of guessed subkey bits is then employed to realise the first 20-round differential attack without relying on the complete codebook. Given the newly obtained results, we conjecture that the resistances of GIFT-64 against differential and linear attacks do not have a significant gap. Also, we note that the attack results in this paper are far from threatening the security of GIFT-64