28 research outputs found

    Measures and estimates of block cipher security against first-order statistical attacks

    Analytical upper estimates of the success probability of a distinguishing and, consequently, a "breaking" first-order statistical attack on block ciphers are obtained. These estimates provide a foundation for defining measures that characterize the provable security of block ciphers against generalized linear, bilinear and a number of other cryptanalysis techniques. For the case of a linear distinguishing attack, the obtained security estimate for block ciphers is more accurate than the previously known one.

    A nonlinear invariant attack on T-310 with the original Boolean function

    There are numerous results on nonlinear invariant attacks on T-310. In all such attacks found so far, both the Boolean functions and the cipher wiring were contrived and chosen by the attacker. In this article, we show how to construct an invariant attack with the original Boolean function that was used to encrypt government communications in the 1980s.

    Variable elimination strategies and construction of nonlinear polynomial invariant attacks on T-310

    One of the major open problems in symmetric cryptanalysis is to discover new specific types of invariant properties for block ciphers. In this article, we study nonlinear polynomial invariant attacks. The number of such attacks grows as 2^(2^n), so systematic exploration is not possible. The main question is: how do we find such attacks? We have developed a constructive algebraic approach that is about making sure that a certain combination of polynomial equations is zero. We work by progressive elimination of specific variables in polynomial spaces, and we show that one can totally eliminate big chunks of the cipher circuit. As an application, we present several new attacks on the historical T-310 block cipher, which has particularly large hardware complexity and a very large number of rounds compared with modern ciphers, e.g., AES. However, all this complexity is not that useful if we are able to construct new types of polynomial invariant attacks that work for any number of rounds.

    Linear cryptanalysis and block cipher design in East Germany in the 1970s

    Linear cryptanalysis (LC) is an important codebreaking method that became popular in the 1990s and has roots in the earlier research of Shamir in the 1980s. In this article we show evidence that linear cryptanalysis is even older. According to documents from the former East German cipher authority ZCO, the systematic study of linear characteristics of nonlinear Boolean functions was routinely performed in the 1970s. At the same time, East German cryptologists produced an excessively complex set of requirements known as KT1, which were in particular satisfied by known historical keys used in the 1980s. An interesting line of inquiry, then, is to see whether KT1 keys offer some level of protection against linear cryptanalysis. In this article we demonstrate that, strangely, this is not really the case. This is shown by constructing specific counterexamples of pathologically weak keys that satisfy all the requirements of KT1. However, because T-310 is used in a stream cipher mode that uses only a tiny part of the internal state for actual encryption, it remains unclear whether this type of weak key could lead to key recovery attacks on T-310.

    Matrix Power S-Box Construction

    A new symmetric cipher S-box construction based on the matrix power function is presented. The matrix consisting of plain data bit strings is combined with three round key matrices using arithmetic addition and exponentiation operations. The matrix power means raising a matrix to the power of another matrix; left-side and right-side matrix powers are introduced. This operation is linked with two sound one-way functions: the discrete logarithm problem and the decomposition problem. The latter is used in public key cryptosystems based on infinite non-commutative groups. It is shown that the generic S-box equations cannot be transformed into multivariate polynomial equations with respect to the input and key variables, and hence an algebraic attack to determine the key variables cannot be applied in this case. The mathematical description of the proposed S-box by its nature possesses good "confusion and diffusion" properties and contains variables "of a complex type", as formulated by Shannon. Some comparative simulation results are presented.

    Construction of a polynomial invariant annihilation attack of degree 7 for T-310

    Cryptographic attacks are typically constructed by black-box methods and combinations of simpler properties, for example in [Generalised] Linear Cryptanalysis. In this article, we work with a more recent white-box algebraic-constructive methodology. Polynomial invariant attacks on a block cipher are constructed explicitly through the study of the space of Boolean polynomials, which does not have unique factorisation, and by solving the so-called Fundamental Equation (FE). Some recent invariant attacks are quite symmetric and exhibit some sort of clear structure, or work only when the Boolean function is degenerate. As a proof of concept, we construct an attack where a highly irregular product of seven polynomials is an invariant for any number of rounds of T-310, under certain conditions on the long-term key and for any key and any IV. A key feature of our attack is that it works for any Boolean function which satisfies a specific annihilation property. We evaluate very precisely the probability that our attack works when the Boolean function is chosen uniformly at random.

    An algorithm for evaluating the resistance of non-binary SP-networks to generalized linear cryptanalysis

    In the course of the qualification work, a review of published sources on the research topic was conducted, in particular on analytical estimates and algorithms for estimating the resistance of SP-networks to linear cryptanalysis. Keliher's technique for computing bounds on the maximum expected (generalized) linear potential was also generalized to non-binary SP-networks based on modular addition. The first security evaluation of non-binary versions of the Midori64 cipher against generalized linear cryptanalysis is presented.