113,875 research outputs found

    The (related-key) impossible boomerang attack and its application to the AES block cipher

    Get PDF
    The Advanced Encryption Standard (AES) is a 128-bit block cipher with a user key of 128, 192 or 256 bits, released by NIST in 2001 as the next-generation data encryption standard for use in the USA. It was adopted as an ISO international standard in 2005. Impossible differential cryptanalysis and the boomerang attack are powerful variants of differential cryptanalysis for analysing the security of a block cipher. In this paper, building on the notions of impossible differential cryptanalysis and the boomerang attack, we propose a new cryptanalytic technique, which we call the impossible boomerang attack, and then describe an extension of this attack which applies in a related-key attack scenario. Finally, we apply the impossible boomerang attack to break 6-round AES with 128 key bits and 7-round AES with 192/256 key bits, and using two related keys we apply the related-key impossible boomerang attack to break 8-round AES with 192 key bits and 9-round AES with 256 key bits. In the two-key related-key attack scenario, our results, which were the first to achieve this amount of attacked rounds, match the best currently known results for AES with 192/256 key bits in terms of the numbers of attacked rounds. The (related-key) impossible boomerang attack is a general cryptanalytic technique, and can potentially be used to cryptanalyse other block ciphers

    New Impossible Differential Characteristic of SPECK64 using MILP

    Get PDF
    Impossible differential attack is one of powerful methods for analyzing block ciphers. When designing block ciphers, it must be safe for impossible differential attacks. In case of impossible differential attack, the attack starts from finding the impossible differential characteristic. However, in the case of the ARX-based block cipher, these analyzes were difficult due to the addition of modulus. In this paper, we introduce 157 new six-round impossible differential characteristics of ARX-basef block cipher, SPECK64, using Mixed Integer Linear Programming (MILP) base impossible differential characteristic search proposed by Cui [3] etc

    Related-Key Impossible-Differential Attack on Reduced-Round Skinny

    Get PDF
    At CRYPTO’16, Beierle et al. presented SKINNY, a family of lightweight tweakable block ciphers intended to compete with the NSA designs SIMON and SPECK. SKINNY can be implemented efficiently in both soft- and hardware and supports block sizes of 64 and 128 bits as well as tweakey sizes of 64, 128, 192 and 128, 256, 384 bits respectively. This paper presents a related-tweakey impossible-differential attack on up to 23 (out of 36) rounds of SKINNY-64/128 for different tweak sizes. All our attacks can be trivially extended to SKINNY-128/128

    Cryptanalysis of Block Ciphers

    Get PDF
    The block cipher is one of the most important primitives in modern cryptography, information and network security; one of the primary purposes of such ciphers is to provide confidentiality for data transmitted in insecure communication environments. To ensure that confidentiality is robustly provided, it is essential to investigate the security of a block cipher against a variety of cryptanalytic attacks. In this thesis, we propose a new extension of differential cryptanalysis, which we call the impossible boomerang attack. We describe the early abort technique for (related-key) impossible differential cryptanalysis and rectangle attacks. Finally, we analyse the security of a number of block ciphers that are currently being widely used or have recently been proposed for use in emerging cryptographic applications; our main cryptanalytic results are as follows. An impossible differential attack on 7-round AES when used with 128 or 192 key bits, and an impossible differential attack on 8-round AES when used with 256 key bits. An impossible boomerang attack on 6-round AES when used with 128 key bits, and an impossible boomerang attack on 7-round AES when used with 192 or 256 key bits. A related-key impossible boomerang attack on 8-round AES when used with 192 key bits, and a related-key impossible boomerang attack on 9-round AES when used with 256 key bits, both using two keys. An impossible differential attack on 11-round reduced Camellia when used with 128 key bits, an impossible differential attack on 12-round reduced Camellia when used with 192 key bits, and an impossible differential attack on 13-round reduced Camellia when used with 256 key bits. A related-key rectangle attack on the full Cobra-F64a, and a related-key differential attack on the full Cobra-F64b. A related-key rectangle attack on 44-round SHACAL-2. A related-key rectangle attack on 36-round XTEA. An impossible differential attack on 25-round reduced HIGHT, a related-key rectangle attack on 26-round reduced HIGHT, and a related-key impossible differential attack on 28-round reduced HIGHT. In terms of either the attack complexity or the numbers of attacked rounds, the attacks presented in the thesis are better than any previously published cryptanalytic results for the block ciphers concerned, except in the case of AES; for AES, the presented impossible differential attacks on 7-round AES used with 128 key bits and 8-round AES used with 256 key bits are the best currently published results on AES in a single key attack scenario, and the presented related-key impossible boomerang attacks on 8-round AES used with 192 key bits and 9-round AES used with 256 key bits are the best currently published results on AES in a related-key attack scenario involving two keys

    Impossible Differential Attack on Simpira v2

    Get PDF
    Simpira v2 is a family of cryptographic permutations proposed at ASIACRYPT 2016 which can be used to construct high throughput block ciphers using the Even-Mansour construction, permutation-based hashing and wide-block authenticated encryption. In this paper, we give a 9-round impossible differential of Simpira-4, which turns out to be the first 9-round impossible differential. In order to get some efficient key recovery attacks on its block cipher mode (EM construction with Simpira-4), we use some 6/7-round shrunken impossible differentials. Based on eight different 6-round impossible differentials, we propose a series of 7-round key recovery attacks on the block cipher mode, each 6-round impossible differential helps to recover 32-bit of the master key (512-bit) and totally half of the master key bits are recovered. The attacks need 2572^{57} chosen plaintexts and 2572^{57} 7-round encryptions. Furthermore, based on ten 7-round impossible differentials, we add one round on the top or at the bottom to mount ten 8-round key recovery attacks on the block cipher mode, which recover the full key space (512-bit) with the data complexity of 21702^{170} chosen plaintexts and time complexity of 21702^{170} 8-round encryptions. Those are the first attacks on round-reduced Simpira v2 and do not threaten the EM mode with the full 15-round Simpira-4

    Polytopic Cryptanalysis

    Get PDF
    Standard differential cryptanalysis uses statistical dependencies between the difference of two plaintexts and the difference of the respective two ciphertexts to attack a cipher. Here we introduce polytopic cryptanalysis which considers interdependencies between larger sets of texts as they traverse through the cipher. We prove that the methodology of standard differential cryptanalysis can unambiguously be extended and transferred to the polytopic case including impossible differentials. We show that impossible polytopic transitions have generic advantages over impossible differentials. To demonstrate the practical relevance of the generalization, we present new low-data attacks on round-reduced DES and AES using impossible polytopic transitions that are able to compete with existing attacks, partially outperforming these

    Impossible Differential Cryptanalysis of the Lightweight Block Ciphers TEA, XTEA and HIGHT

    Get PDF
    TEA, XTEA and HIGHT are lightweight block ciphers with 64-bit block sizes and 128-bit keys. The round functions of the three ciphers are based on the simple operations XOR, modular addition and shift/rotation. TEA and XTEA are Feistel ciphers with 64 rounds designed by Needham and Wheeler, where XTEA is a successor of TEA, which was proposed by the same authors as an enhanced version of TEA. Whilst HIGHT, which is designed by Hong et al., is a generalized Feistel cipher with 32 rounds and eight 8-bit words in each round. On the one hand, all these ciphers are simple and easy to implement; on the other hand, the diffusion is slow, which allow us to find some impossible properties. This paper proposes a method to identify the impossible differentials for TEA and XTEA by using the diffusion property of these block ciphers, where the impossible differential comes from one bit contradiction. By means of the method, 14-round impossible differential of XTEA and 13-round impossible differential of TEA are derived, which results in improved impossible differential attacks on 23-round XTEA and 17-round TEA, respectively. These attacks significantly improve the previous 11-round impossible differential attack on TEA and 14-round impossible differential attack on XTEA given by Moon et al. from FSE 2002. For HIGHT, we improve the 26-round impossible differential attack proposed by Özen et al.; an impossible differential attack on 27-round HIGHT that is slightly faster that the exhaustive search is also given. The attacks on TEA, XTEA and HIGHT are also the best attacks in terms of time complexity

    Impossible Boomerang Attack for Block Cipher Structures

    Get PDF
    Impossible boomerang attack \cite{lu} (IBA) is a new variant of differential cryptanalysis against block ciphers. Evident from its name, it combines the ideas of both impossible differential cryptanalysis and boomerang attack. Though such an attack might not be the best attack available, its complexity is still less than that of the exhaustive search. In impossible boomerang attack, impossible boomerang distinguishers are used to retrieve some of the subkeys. Thus the security of a block cipher against IBA can be evaluated by impossible boomerang distinguishers. In this paper, we study the impossible boomerang distinguishers for block cipher structures whose round functions are bijective. Inspired by the U\mathcal{U}-method in \cite{kim}, we provide an algorithm to compute the maximum length of impossible boomerang distinguishers for general block cipher structures, and apply the algorithm to known block cipher structures such as Nyberg\u27s generalized Feistel network, a generalized CAST256-like structure, a generalized MARS-like structure, a generalized RC6-like structure, etc

    Impossible Differential Cryptanalysis of Pelican, MT-MAC-AES and PC-MAC-AES

    Get PDF
    In this paper, the impossible differential cryptanalysis is extended to MAC algorithms \textsc{Pelican}, MT-MAC and PC-MAC based on AES and 4-round AES. First, we collect message pairs that produce the inner near-collision with some specific differences by the birthday attack. Then the impossible differential attack on 4-round AES is implemented using a 3-round impossible differential property. For \textsc{Pelican}, our attack can recover the internal state, which is an equivalent subkey. For MT-MAC-AES, the attack turns out to be a subkey recovery attack directly. The data complexity of the two attacks is 285.52^{85.5} chosen messages, and the time complexity is about 285.52^{85.5} queries. For PC-MAC-AES, we can recover the 256-bit key with 285.52^{85.5} chosen messages and 21282^{128} queries
    • …
    corecore