36 research outputs found
Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation Linear Cryptanalysis
Impossible differential and zero correlation linear cryptanalysis are two of the most important cryptanalytic vectors. To characterize the impossible differentials and zero correlation linear hulls which are independent of the choices of the non-linear components, Sun et al. proposed the structure deduced by a block cipher at CRYPTO 2015. Based on that, we concentrate in this paper on the security of the SPN structure and Feistel structure with SP-type round functions. Firstly, we prove that for an SPN structure, if \alpha_1\rightarrow\beta_1 and \alpha_2\rightarrow\beta_ are possible differentials, \alpha_1|\alpha_2\rightarrow\beta_1|\beta_2 is also a possible differential, i.e., the OR | operation preserves differentials. Secondly, we show that for an SPN structure, there exists an r-round impossible differential if and only if there exists an r-round impossible differential \alpha\not\rightarrow\beta where the Hamming weights of both \alpha and \beta are 1. Thus for an SPN structure operating on m bytes, the computation complexity for deciding whether there exists an impossible differential can be reduced from O(2^{2m}) to O(m^2). Thirdly, we associate a primitive index with the linear layers of SPN structures. Based on the matrices theory over integer rings, we prove that the length of impossible differentials of an SPN structure is upper bounded by the primitive index of the linear layers. As a result we show that, unless the details of the S-boxes are considered, there do not exist 5-round impossible differentials for the AES and ARIA. Lastly, based on the links between impossible differential and zero correlation linear hull, we projected these results on impossible differentials to zero correlation linear hulls. It is interesting to note some of our results also apply to the Feistel structures with SP-type round functions
Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)
Impossible differential cryptanalysis is a powerful technique to recover the secret key of block ciphers by
exploiting the fact that in block ciphers specific input and output
differences are not compatible.
This paper introduces a novel tool to search truncated impossible differentials for
word-oriented block ciphers with bijective Sboxes. Our tool generalizes the earlier
-method and the UID-method. It allows to reduce
the gap between the best impossible differentials found by these methods and the best known
differentials found by ad hoc methods that rely on cryptanalytic insights.
The time and space complexities of our tool in judging an -round truncated impossible differential are about and respectively,
where is the number of words in the plaintext and , are constants depending on the machine and the block cipher.
In order to demonstrate the strength of our tool, we show that it does not only allow to automatically rediscover the
longest truncated impossible differentials of many word-oriented block ciphers, but also finds new
results. It independently rediscovers all 72 known truncated impossible differentials on 9-round CLEFIA.
In addition, finds new truncated impossible differentials for AES, ARIA, Camellia without
FL and FL layers, E2, LBlock, MIBS and Piccolo.
Although our tool does
not improve the lengths of impossible differentials for existing block ciphers, it helps to
close the gap between the best known results of previous tools and those of manual cryptanalysis
Improved Results on Impossible Differential Cryptanalysis of Reduced-Round Camellia-192/256
As an international standard adopted by ISO/IEC, the block cipher Camellia has been used in various cryptographic applications. In this paper, we reevaluate the security of Camellia against impossible differential cryptanalysis. Specifically, we propose several 7-round impossible differentials with the layers. Based on them, we mount impossible differential attacks on 11-round Camellia-192 and 12-round Camellia-256. The data complexities of our attacks on 11-round Camellia-192 and 12-round Camellia-256 are about chosen plaintexts and chosen plaintexts, respectively. The corresponding time complexities are approximately 11-round encryptions and 12-round encryptions. As far as we know, our attacks are times and times faster than the previously best known ones but have slightly more data
New Impossible Differential Cryptanalysis of ARIA
This paper studies the security of ARIA against impossible differential cryptanalysis. Firstly an algorithm is given to find many new 4-round impossible differentials of ARIA. Followed by such impossible differentials, we improve the previous impossible differential attack on 5/6-round ARIA. We also point out that the existence of such impossible differentials are due to the bad properties of the binary matrix employed in the diffusion layer
Cache Timing Attacks on Camellia Block Cipher
Camellia, as the final winner of 128-bit block cipher in NESSIE, is the most secure block cipher of the world. In 2003, Tsunoo proposed a Cache Attack using a timing of CPU cache, successfully recovered Camellia-128 key within 228 plaintexts and 35 minutes. In 2004, IKEDA YOSHITAKA made some further improvements on Tsunooβs attacks, recovered Camellia-128 key within 221.4 plaintexts and 22 minutes. All of their attacks are belonged to timing driven Cache attacks, our research shows that, due to its frequent S-box lookup operations, Camellia is also quite vulnerable to access driven Cache timing attacks, and it is much more effective than timing driven Cache attacks. Firstly, we provide a general analysis model for symmetric ciphers using S-box based on access driven Cache timing attacks, point out that the F function of the Camellia can leak information about the result of encryption key XORed with expand-key, and the left circular rotating operation of the key schedule in Camellia has serious designing problem. Next, we present several attacks on Camellia-128/192/256 with and without FL/FL-1. Experiment results demonstrate: 500 random plaintexts are enough to recover full Camellia-128 key; 900 random plaintexts are enough to recover full Camellia-192/256 key; also, our attacks can be expanded to known ciphertext conditions by attacking the Camellia decryption procedure; besides, our attacks are quite easy to be expanded to remote scenarios, 3000 random plaintexts are enough to recover full encryption key of Camellia-128/192/256 in both local and campus networks. Finally, we discuss the reason why Camellia is weak in this type of attack, and provide some advices to cipher designers for hardening ciphers against cache timing attacks
Impossible Differential Cryptanalysis of SPN Ciphers
Impossible differential cryptanalysis is a very popular tool
for analyzing the security of modern block ciphers and the core of
such attack is based on the existence of impossible differentials.
Currently, most methods for finding impossible differentials are
based on the miss-in-the-middle technique and they are very ad-hoc.
In this paper, we concentrate SPN ciphers whose diffusion layer is
defined by a linear transformation . Based on the theory of
linear algebra, we propose several criteria on and its inversion
to characterize the existence of -round impossible
differentials. We further discuss the possibility to extend these
methods to analyze -round impossible differentials. Using these
criteria, impossible differentials for reduced-round Rijndael are
found that are consistent with the ones found before. New -round
impossible differentials are discovered for block cipher ARIA. And
many -round impossible differentials are firstly detected for a
kind of SPN cipher that employs a binary matrix
proposed at ICISC 2006 as its diffusion layer. It is concluded
that the linear transformation should be carefully designed
in order to protect the cipher against impossible differential cryptanalysis
New Impossible Differential Attacks on Camellia
Camellia is one of the most worldwide used block ciphers, which has
been selected as a standard by ISO/IEC. In this paper, we propose
several new 7-round impossible differentials of Camellia with 2
layers, which turn out to be the first 7-round
impossible differentials with 2 layers. Combined with
some basic techniques including the early abort approach and the key
schedule consideration, we achieve the impossible differential
attacks on 11-round Camellia-128, 11-round Camellia-192, 12-round
Camellia-192, and 14-round Camellia-256, and the time complexity are
, , and respectively.
As far as we know, these are the best results against the
reduced-round variants of Camellia. Especially, we give the first
attack on 11-round Camellia-128 reduced version with
layers
New Impossible Differential Attacks of Reduced-Round Camellia-192 and Camellia-256
Camellia is a block cipher selected as a standard by ISO/IEC, which has been
analyzed by a number of cryptanalysts. In this paper, we propose several
6-round impossible differential paths of Camellia with the layer
in the middle of them. With the impossible differential and a well-organized precomputational table, impossible differential attacks on 10-round Camellia-192 and
11-round Camellia-256 are given, and the time
complexity are and respectively. An impossible differential
attack on 15-round Camellia-256 without layers and whitening is also be given,
which needs about encryptions. To the best of our
knowledge, these are the best cryptanalytic results of Camellia-192/-256 with layers and Camellia-256 without layers to date
An overview of memristive cryptography
Smaller, smarter and faster edge devices in the Internet of things era
demands secure data analysis and transmission under resource constraints of
hardware architecture. Lightweight cryptography on edge hardware is an emerging
topic that is essential to ensure data security in near-sensor computing
systems such as mobiles, drones, smart cameras, and wearables. In this article,
the current state of memristive cryptography is placed in the context of
lightweight hardware cryptography. The paper provides a brief overview of the
traditional hardware lightweight cryptography and cryptanalysis approaches. The
contrast for memristive cryptography with respect to traditional approaches is
evident through this article, and need to develop a more concrete approach to
developing memristive cryptanalysis to test memristive cryptographic approaches
is highlighted.Comment: European Physical Journal: Special Topics, Special Issue on
"Memristor-based systems: Nonlinearity, dynamics and applicatio