New Related-Key Boomerang Attacks on AES
In this paper we present two new attacks on round-reduced versions of the AES. We present
the first application of the related-key boomerang attack on 7 and 9 rounds of AES-192. The 7-round attack requires only 2^{18} chosen plaintexts and ciphertexts and needs 2^{67.5} encryptions. We extend our attack to nine rounds of AES-192. This leads to a data complexity of 2^{67} chosen plaintexts and ciphertexts using about 2^{143.33} encryptions to break 9 rounds of AES-192
Cryptanalysis of Block Ciphers
The block cipher is one of the most important primitives in
modern cryptography, information and network security; one of
the primary purposes of such ciphers is to provide
confidentiality for data transmitted in insecure communication
environments. To ensure that confidentiality is robustly
provided, it is essential to investigate the security of a
block cipher against a variety of cryptanalytic attacks.
In this thesis, we propose a new extension of differential
cryptanalysis, which we call the impossible boomerang attack.
We describe the early abort technique for (related-key)
impossible differential cryptanalysis and rectangle attacks.
Finally, we analyse the security of a number of block ciphers
that are currently being widely used or have recently been
proposed for use in emerging cryptographic applications; our
main cryptanalytic results are as follows.
An impossible differential attack on 7-round AES when used with
128 or 192 key bits, and an impossible differential attack on
8-round AES when used with 256 key bits. An impossible
boomerang attack on 6-round AES when used with 128 key bits,
and an impossible boomerang attack on 7-round AES when used
with 192 or 256 key bits. A related-key impossible boomerang
attack on 8-round AES when used with 192 key bits, and a
related-key impossible boomerang attack on 9-round AES when
used with 256 key bits, both using two keys.
An impossible differential attack on 11-round reduced Camellia
when used with 128 key bits, an impossible differential attack
on 12-round reduced Camellia when used with 192 key bits, and
an impossible differential attack on 13-round reduced Camellia
when used with 256 key bits.
A related-key rectangle attack on the full Cobra-F64a, and a
related-key differential attack on the full Cobra-F64b.
A related-key rectangle attack on 44-round SHACAL-2.
A related-key rectangle attack on 36-round XTEA.
An impossible differential attack on 25-round reduced HIGHT, a
related-key rectangle attack on 26-round reduced HIGHT, and a
related-key impossible differential attack on 28-round reduced
HIGHT.
In terms of either the attack complexity or the numbers of
attacked rounds, the attacks presented in the thesis are better
than any previously published cryptanalytic results for the
block ciphers concerned, except in the case of AES; for AES,
the presented impossible differential attacks on 7-round AES
used with 128 key bits and 8-round AES used with 256 key bits
are the best currently published results on AES in a single key
attack scenario, and the presented related-key impossible
boomerang attacks on 8-round AES used with 192 key bits and
9-round AES used with 256 key bits are the best currently
published results on AES in a related-key attack scenario
involving two keys
Related-Key Boomerang and Rectangle Attacks
This paper introduces the related-key boomerang and the related-key
rectangle attacks. These new attacks
can expand the cryptanalytic toolbox, and can be applied to
many block ciphers. The main advantage of these new attacks is the ability
to exploit the related-key model twice. Hence, even ciphers which were
considered resistant to either boomerang or related-key differential attacks
may be broken using the new techniques.
In this paper we present a rigorous treatment of the related-key boomerang and
the related-key rectangle distinguishers. Following this treatment, we
devise optimal distinguishing algorithms using the LLR
(Logarithmic Likelihood Ratio)
statistics. We then analyze the success probability under
reasonable independence assumptions, and verify the
computation experimentally by implementing an actual attack on a
6-round variant of KASUMI. The paper ends with a demonstration of the strength
of our new proposed techniques with attacks on 10-round AES-192 and the full
KASUMI
Boomerang Switch in Multiple Rounds. Application to AES Variants and Deoxys
The boomerang attack is a cryptanalysis technique that allows an attacker to concatenate two short differential characteristics. Several research results (ladder switch, S-box switch, sandwich attack, Boomerang Connectivity Table (BCT), ...) showed that the dependency between these two characteristics at the switching round can have a significant impact on the complexity of the attack, or even potentially invalidate it. In this paper, we revisit the issue of the boomerang switching effect, and exploit it in the case where multiple rounds are involved. To support our analysis, we propose a tool called the Boomerang Difference Table (BDT), which can be seen as an improvement of the BCT and allows a systematic evaluation of the boomerang switch through multiple rounds. In order to illustrate the power of this technique, we propose a new related-key attack on 10-round AES-256 which requires only 2 simple related keys and 2^{75} computations. This is a much more realistic scenario than the state-of-the-art 10-round AES-256 attacks, where subkey oracles, or several related keys and high computational power, are needed. Furthermore, we also provide improved attacks against full AES-192 and reduced-round Deoxys
Revisiting Related-Key Boomerang attacks on AES using computer-aided tool
In recent years, several MILP models were introduced to search automatically for boomerang distinguishers and boomerang attacks on block ciphers. However, they can only be used when the key schedule is linear. Here, a new model is introduced to deal with nonlinear key schedules as it is the case for AES. This model is more complex and actually it is too slow for exhaustive search. However, when some hints are added to the solver, it found the current best related-key boomerang attack on AES-192 with time, data, and memory complexities, which is better than the one presented by Biryukov and Khovratovich at ASIACRYPT 2009 with complexities respectively. This represents a huge improvement for the time and memory complexity, illustrating the power of MILP in cryptanalysis
The (related-key) impossible boomerang attack and its application to the AES block cipher
The Advanced Encryption Standard (AES) is a 128-bit block cipher with a user key of 128, 192 or 256 bits, released by NIST in 2001 as the next-generation data encryption standard for use in the USA. It was adopted as an ISO international standard in 2005. Impossible differential cryptanalysis and the boomerang attack are powerful variants of differential cryptanalysis for analysing the security of a block cipher. In this paper, building on the notions of impossible differential cryptanalysis and the boomerang attack, we propose a new cryptanalytic technique, which we call the impossible boomerang attack, and then describe an extension of this attack which applies in a related-key attack scenario. Finally, we apply the impossible boomerang attack to break 6-round AES with 128 key bits and 7-round AES with 192/256 key bits, and using two related keys we apply the related-key impossible boomerang attack to break 8-round AES with 192 key bits and 9-round AES with 256 key bits. In the two-key related-key attack scenario, our results, which were the first to reach this number of attacked rounds, match the best currently known results for AES with 192/256 key bits in terms of the numbers of attacked rounds. The (related-key) impossible boomerang attack is a general cryptanalytic technique, and can potentially be used to cryptanalyse other block ciphers
Boomerang Connectivity Table: A New Cryptanalysis Tool
A boomerang attack is a cryptanalysis framework that regards a block cipher as the composition of two sub-ciphers and builds a particular characteristic for with probability by combining differential characteristics for and with probability and , respectively.
Crucially, the validity of this figure is under the assumption that the characteristics for and can be chosen independently. Indeed, Murphy has shown that independently chosen characteristics may turn out to be incompatible. On the other hand, several researchers observed that the probability can be improved to or around the boundary between and by considering a positive dependency of the two characteristics, e.g. the ladder switch and S-box switch by Biryukov and Khovratovich.
This phenomenon was later formalised by Dunkelman et al. as a sandwich attack that regards as , where satisfies some differential propagation among four texts with probability , and the entire probability is .
In this paper, we revisit the issue of dependency of two characteristics in , and propose a new tool called Boomerang Connectivity Table (BCT), which evaluates in a systematic and easy-to-understand way when is composed of a single S-box layer. With the BCT, previous observations on the S-box including the incompatibility, the ladder switch and the S-box switch are represented in a unified manner. Moreover, the BCT can detect a new switching effect, which shows that the probability around the boundary may be even higher than or .
To illustrate the power of the BCT-based analysis, we improve boomerang attacks against Deoxys-BC, and disclose the mechanism behind an unsolved probability amplification for generating a quartet in SKINNY. Lastly, we discuss the issue of searching for S-boxes having good BCT and extending the analysis to modular addition
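The two abstracts above (the multi-round switch paper and the BCT paper) both turn on the same observation: when the middle layer of a boomerang is a single S-box layer, the probability that a quartet "returns" is not the product of two independent differential probabilities but a count the BCT gives directly. The following is an added example, not code from either paper: it generates the AES S-box from its algebraic definition, builds the ordinary DDT, then counts returning boomerang quartets through one S-box to obtain BCT entries, and compares the naive independent estimate (DDT/2^8)^2 with the BCT value BCT/2^8. The BCT definition used is the one from Cid et al.; function names and the choice of input difference 0x01 are this example's own.

```python
"""Added example: DDT versus Boomerang Connectivity Table (BCT) for the AES S-box.

The S-box is generated from its definition (GF(2^8) inverse + affine map) so no
table needs to be pasted in. The BCT entry BCT[d_in][nabla] counts x such that a
pair (x, x ^ d_in) pushed through S, shifted by nabla on the output side and
pulled back through S^-1 still has input difference d_in (Cid et al.'s definition).
"""


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254; 0 maps to 0, exactly as the S-box requires."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def aes_sbox() -> list:
    """AES S-box: field inverse followed by the affine map with constant 0x63."""
    table = []
    for x in range(256):
        b = gf_inv(x)
        s = b
        for i in range(1, 5):  # b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4)
            s ^= ((b << i) | (b >> (8 - i))) & 0xFF
        table.append(s ^ 0x63)
    return table


def inverse_table(sbox: list) -> list:
    """S^-1 as a lookup table."""
    inv = [0] * len(sbox)
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv


def ddt(sbox: list) -> list:
    """Difference Distribution Table: DDT[a][b] = #{x : S(x) ^ S(x ^ a) = b}."""
    n = len(sbox)
    t = [[0] * n for _ in range(n)]
    for a in range(n):
        for x in range(n):
            t[a][sbox[x] ^ sbox[x ^ a]] += 1
    return t


def boomerang_returns(sbox: list, inv: list, x: int, d_in: int, nabla: int) -> bool:
    """One boomerang quartet through a single S-box layer (the E_m of a sandwich).

    Forward: the pair (x, x ^ d_in) becomes (S(x), S(x ^ d_in)).
    Switch:  add the backward difference nabla to both outputs.
    Back:    invert both; the quartet returns iff the new pair differs by d_in.
    """
    y0, y1 = sbox[x], sbox[x ^ d_in]
    x0_back, x1_back = inv[y0 ^ nabla], inv[y1 ^ nabla]
    return (x0_back ^ x1_back) == d_in


def bct_entry(sbox: list, inv: list, d_in: int, nabla: int) -> int:
    """BCT[d_in][nabla]: number of x for which the quartet returns."""
    return sum(boomerang_returns(sbox, inv, x, d_in, nabla) for x in range(len(sbox)))


def bct_row(sbox: list, inv: list, d_in: int) -> list:
    """All BCT entries for one input difference (the full 256x256 table is slow in pure Python)."""
    return [bct_entry(sbox, inv, d_in, nabla) for nabla in range(len(sbox))]


def switch_comparison(sbox: list, d_in: int) -> tuple:
    """Naive independent estimate versus BCT for the best output difference of d_in.

    Returns (nabla, ddt_count, bct_count). Treating the two characteristics as
    independent would price the S-box at (ddt_count / 256)^2; the BCT says the
    quartet returns with probability bct_count / 256, and bct_count >= ddt_count
    always holds (every x counted by the DDT is counted by the BCT: the S-box switch).
    """
    inv = inverse_table(sbox)
    row_ddt = ddt(sbox)[d_in]
    nabla = max(range(1, len(sbox)), key=lambda b: row_ddt[b])
    return nabla, row_ddt[nabla], bct_entry(sbox, inv, d_in, nabla)


if __name__ == "__main__":
    S = aes_sbox()
    I = inverse_table(S)
    nabla, dd, bb = switch_comparison(S, 0x01)
    print(f"d_in=0x01 nabla=0x{nabla:02x}: DDT={dd}, naive p^2=2^{{{2 * (dd.bit_length() - 9)}}}, "
          f"BCT={bb} -> 2^{{{bb.bit_length() - 9}}}")
    print("ladder switch, nabla=0:", bct_entry(S, I, 0x01, 0x00), "of 256 quartets return")
```

Reading the output: for the AES S-box the DDT row of any nonzero difference peaks at 4, so the independent estimate for that S-box is (2^-6)^2 = 2^-12, while the BCT guarantees at least 2^-6; with nabla = 0 (the ladder switch, an S-box that is inactive in the backward characteristic) all 256 quartets return, which is the unified view the BCT abstract describes.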
Improved cryptanalysis of Skein
The hash function Skein is the submission of Ferguson et
al. to the NIST Hash Competition, and is arguably a serious candidate
for selection as SHA-3. This paper presents the first third-party analysis
of Skein, with an extensive study of its main component: the block
cipher Threefish. We notably investigate near collisions, distinguishers,
impossible differentials, key recovery using related-key differential and
boomerang attacks. In particular, we present near collisions on up to 17
rounds, an impossible differential on 21 rounds, a related-key boomerang
distinguisher on 34 rounds, a known-related-key boomerang distinguisher
on 35 rounds, and key recovery attacks on up to 32 rounds, out of 72 in
total for Threefish-512. None of our attacks directly extends to the full
Skein hash. However, the pseudorandomness of Threefish is required to
validate the security proofs on Skein, and our results conclude that at
least 3
- …