Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)
Impossible differential cryptanalysis is a powerful technique to recover the secret key of block ciphers by exploiting the fact that, in block ciphers, specific input and output differences are not compatible. This paper introduces a novel tool to search for truncated impossible differentials of word-oriented block ciphers with bijective S-boxes. Our tool generalizes the earlier -method and the UID-method. It allows reducing the gap between the best impossible differentials found by these methods and the best known differentials found by ad hoc methods that rely on cryptanalytic insights. The time and space complexities of our tool in judging an -round truncated impossible differential are about and respectively, where is the number of words in the plaintext and , are constants depending on the machine and the block cipher. In order to demonstrate the strength of our tool, we show that it not only automatically rediscovers the longest truncated impossible differentials of many word-oriented block ciphers, but also finds new results. It independently rediscovers all 72 known truncated impossible differentials on 9-round CLEFIA. In addition, it finds new truncated impossible differentials for AES, ARIA, Camellia without FL and FL layers, E2, LBlock, MIBS and Piccolo. Although our tool does not improve the lengths of impossible differentials for existing block ciphers, it helps to close the gap between the best known results of previous tools and those of manual cryptanalysis.
A Meaningful MD5 Hash Collision Attack
Wang et al. have now proved that the MD5 hash is no longer secure, after they proposed an attack that generates two different messages with the same MD5 sum. Many conditions need to be satisfied to attain this collision. Vlastimil Klima then proposed a more efficient and faster technique to implement this attack. We use these techniques to first create a collision attack and then use these collisions to implement meaningful collisions by creating two different packages that give identical MD5 hashes but, when extracted, yield different files with contents specified by the attacker.
A Comprehensive Survey on the Implementations, Attacks, and Countermeasures of the Current NIST Lightweight Cryptography Standard
This survey is the first work on the current standard for lightweight cryptography, standardized in 2023. Lightweight cryptography plays a vital role in securing resource-constrained embedded systems such as deeply-embedded systems (implantable and wearable medical devices, smart fabrics, smart homes, and the like), radio frequency identification (RFID) tags, sensor networks, and privacy-constrained usage models. The National Institute of Standards and Technology (NIST) initiated a standardization process for lightweight cryptography and, after a relatively long multi-year effort, the competition eventually ended in Feb. 2023 with ASCON as the winner. This lightweight cryptographic standard will be used in deeply-embedded architectures to provide security through confidentiality and integrity/authentication (the dual of the legacy AES-GCM block cipher which is the NIST standard for symmetric key cryptography). ASCON's lightweight design utilizes a 320-bit permutation which is bit-sliced into five 64-bit register words, providing 128-bit level security. This work summarizes the different implementations of ASCON on field-programmable gate array (FPGA) and ASIC hardware platforms on the basis of area, power, throughput, energy, and efficiency overheads. The presented work also reviews various differential and side-channel analysis attacks (SCAs) performed across variants of the ASCON cipher suite in terms of algebraic, cube/cube-like, forgery, fault injection, and power analysis attacks, as well as the countermeasures for these attacks. We also provide our insights and visions throughout this survey to provide new future directions in different domains. This survey is the first of its kind and a step forward towards scrutinizing the advantages and future directions of the NIST lightweight cryptography standard introduced in 2023.
Mind the Gap - A Closer Look at the Security of Block Ciphers against Differential Cryptanalysis
Resistance against differential cryptanalysis is an important design criterion for any modern block cipher, and most designs rely on finding some upper bound on the probability of single differential characteristics. However, already at EUROCRYPT'91, Lai et al. observed that differential cryptanalysis actually uses differentials rather than single characteristics.
In this paper, we consider exactly the gap between these two approaches and investigate it in the context of recent lightweight cryptographic primitives. This shows that for many recent designs like Midori, Skinny or Sparx one has to be careful, as bounds from counting the number of active S-boxes only give an inaccurate evaluation of the best differential distinguishers. For several designs we found new differential distinguishers and show how this gap evolves. We found an 8-round differential distinguisher for Skinny-64 with a probability of $2^{-56.93}$, while the best single characteristic only suggests a probability of $2^{-72}$. Our approach is integrated into publicly available tools and can easily be used when developing new cryptographic primitives.
Moreover, as differential cryptanalysis is critically dependent on the distribution over the keys of the probability of differentials, we provide experiments for some of these newly found differentials in order to confirm that our estimates for the probability are correct. While for Skinny-64 the distribution over the keys follows a Poisson distribution, as one would expect, we noticed that Speck-64 follows a bimodal distribution, and the distribution of Midori-64 suggests a large class of weak keys.
Differential Cryptanalysis of Round-Reduced Sparx-64/128
Sparx is a family of ARX-based block ciphers designed according to the long-trail strategy (LTS) that were both introduced by Dinu et al. at ASIACRYPT'16. Similar to the wide-trail strategy, the LTS allows provable upper bounds on the length of differential characteristics and linear paths. Thus, the cipher is a highly interesting target for third-party cryptanalysis. However, the only third-party cryptanalysis on Sparx-64/128 to date was given by Abdelkhalek et al. at AFRICACRYPT'17 who proposed impossible-differential attacks on 15 and 16 (out of 24) rounds.
In this paper, we present chosen-ciphertext differential attacks on 16 rounds of Sparx-64/128. First, we show a truncated-differential analysis that requires $2^{32}$ chosen ciphertexts and approximately $2^{93}$ encryptions. Second, we illustrate the effectiveness of boomerangs on Sparx by a rectangle attack that requires approximately $2^{59.6}$ chosen ciphertexts and about $2^{122.2}$ encryption equivalents. Finally, we also considered a yoyo attack on 16 rounds that, however, requires the full codebook and approximately $2^{126}$ encryption equivalents.
Differential cryptanalysis of substitution permutation networks and Rijndael-like ciphers
A block cipher, in general, consists of several repetitions of a round transformation. A round transformation is a weak block cipher which consists of a nonlinear substitution transformation, a linear diffusion transformation and a key mixing. Differential cryptanalysis is a well-known chosen-plaintext attack on block ciphers. In this project, differential cryptanalysis is performed on two kinds of block ciphers: Substitution Permutation Networks (SPN) and Rijndael-like ciphers. In order to strengthen a block cipher against differential attack, care should be taken in the design of both the substitution and diffusion components and in the choice of the number of rounds. In this context, most research has focused on the design of the substitution component. In this project, differential cryptanalysis is carried out on several SPNs to find the role of the permutation. Differential analysis on Rijndael-like ciphers is done to find the strength of the cipher as a whole. Tools are developed to configure and to perform differential analysis on these ciphers. In the context of SPNs, the importance of the permutation, the effect of a bad permutation or no permutation, and sequentially chosen plaintext pairs are discussed. The diffusion strength of SPN and Rijndael-like ciphers is discussed and compared.
New Insights on AES-like SPN Ciphers
It has been proved at Eurocrypt 2016 that if the details of the S-boxes are not exploited, an impossible differential and a zero-correlation hull can extend over at most 4 rounds of the AES. This paper concentrates on distinguishing attacks on AES-like SPN ciphers by investigating the details of both the S-boxes and the MDS matrices and illustrates some new insights on the security of these schemes. Firstly, we construct several types of -round zero-correlation linear hulls for AES-like ciphers that adopt identical S-boxes to construct the round function and that have two identical elements in a column of the inverse of their MDS matrices. We then use these linear hulls to construct 5-round integrals provided that the difference of two sub-key bytes is known. Furthermore, we prove that we can always distinguish 5 rounds of such ciphers from random permutations even when the difference of the sub-keys is unknown. Secondly, the constraints on the S-boxes and the special property of the MDS matrices can be removed if the cipher is used as a building block of the Miyaguchi-Preneel hash function. As an example, we construct two types of 5-round distinguishers for the hash function Whirlpool. Finally, we show that, in the chosen-ciphertext mode, there exist some nontrivial distinguishers for 5-round AES. To the best of our knowledge, this is the longest distinguishing attack for the round-reduced AES in the secret-key setting. Since the 5-round distinguisher for the AES can only be constructed in the chosen-ciphertext mode, the security margin of the round-reduced AES under the chosen-plaintext attack may be different from that under the chosen-ciphertext attack.
Links among Impossible Differential, Integral and Zero Correlation Linear Cryptanalysis
As two important cryptanalytic methods, impossible differential cryptanalysis and integral cryptanalysis have attracted much attention in recent years. Although relations among other important cryptanalytic approaches have been investigated, the link between these two methods has been missing. The motivation in this paper is to fix this gap and establish links between impossible differential cryptanalysis and integral cryptanalysis.
Firstly, by introducing the concept of structure and dual structure, we prove that is an impossible differential of a structure if and only if it is a zero correlation linear hull of the dual structure . More specifically, constructing a zero correlation linear hull of a Feistel structure with -type round function where is invertible, is equivalent to constructing an impossible differential of the same structure with instead of . Constructing a zero correlation linear hull of an SPN structure is equivalent to constructing an impossible differential of the same structure with instead of . Meanwhile, our proof shows that the automatic search tool presented by Wu and Wang could find all impossible differentials of both Feistel structures with -type round functions and SPN structures, which is useful in provable security of block ciphers against impossible differential cryptanalysis.
Secondly, by establishing some Boolean equations, we show that a zero correlation linear hull always indicates the existence of an integral distinguisher, while a special integral implies the existence of a zero correlation linear hull. With this observation we improve the integral distinguishers of Feistel structures by round, build a -round integral distinguisher of CAST- based on which we propose the best known key recovery attack on reduced-round CAST- in the non-weak-key model, present a -round integral distinguisher of SMS4 and an -round integral distinguisher of Camellia without . Moreover, this result provides a novel way of establishing integral distinguishers and converting known-plaintext attacks into chosen-plaintext attacks.
Finally, we conclude that an -round impossible differential of always leads to an -round integral distinguisher of the dual structure . In the case that and are linearly equivalent, we derive a direct link between impossible differentials and integral distinguishers of . Specifically, we obtain that an -round impossible differential of an SPN structure, which adopts a bit permutation as its linear layer, always indicates the existence of an -round integral distinguisher. Based on this newly established link, we deduce that impossible differentials of SNAKE(2), PRESENT, PRINCE and ARIA, which are independent of the choices of the -boxes, always imply the existence of integral distinguishers.
Our results could help to classify different cryptanalytic tools. Furthermore, when designing a block cipher, the designers need to demonstrate that the cipher has sufficient security margins against important cryptanalytic approaches, which is a very tough task since so many cryptanalytic tools exist by now. Our results certainly facilitate this security evaluation process.
An Innovative Design of Substitution Box Using Trigonometric Transformation
As the number of hacking events and cyber threats keeps going up, it is getting harder and harder to communicate securely and keep personal information safe on the Internet. Cryptography is a very important way to deal with these problems because it can secure data by changing it from one form to another. In this study, we show a new, lightweight algorithm that is based on trigonometric ideas and offers a lot of security by making it less likely that cryptanalysis will work. The performance of our suggested algorithm is better than that of older methods like the Hill cipher, Blowfish, and DES. Even though traditional methods offer good security, they may have more work to do, which slows them down. The suggested algorithm tries to close this gap by offering a solution based on trigonometric ideas that is both fast and safe. The main goal of this study is to come up with a small but strong encryption algorithm that cannot be broken by cryptanalysis and keeps Internet communication safe. We want to speed up the coding process without making it less secure by using trigonometric principles. The suggested algorithm uses trigonometric functions and operations to create non-linearity and confusion, making it resistant to both differential and linear cryptanalysis. We show that the suggested algorithm is more secure and faster than traditional methods like the Hill cipher, Blowfish, and DES by doing a lot of research and testing. Combining trigonometric ideas with a simple design makes it workable for real-world uses and offers a promising way to protect data on the Internet.