Attack on AES Implementation Exploiting Publicly-visible Partial Result

Although AES is designed to be secure against a wide variety of linear and differential attacks, security ultimately depends on a combination of the engineering implementation and proper application by intended users. In this work, we attack a publicly-available VHDL implementation of AES by exploiting a partial result visible at the top-level public interface of the implementation. The vulnerability renders the security of the implementation equivalent to a one-round version of AES. An algorithm is presented that exploits this vulnerability to recover the secret key in 2^31 operations. The algorithm is coded in an interpreted high-level language and successfully recovers secret keys, with one set of known plaintext, using a general-purpose CPU in an average of 30 minutes

Attacking Reduced Rounds of the ARIA Block Cipher

ARIA is a block cipher proposed at ICISC\u2703. Its design is very similar to the advanced encryption standard (AES). The authors propose that on 32-bit processors, the encryption speed is at least 70% of that of the AES. They claim to offer a higher security level than AES. In this paper we present two attacks of reduced round ARIA which shows some weaknesses of the cipher. Moreover, our attacks have the lowest memory requirements compared to existing attacks on ARIA with an increase in the time complexity

The (related-key) impossible boomerang attack and its application to the AES block cipher

The Advanced Encryption Standard (AES) is a 128-bit block cipher with a user key of 128, 192 or 256 bits, released by NIST in 2001 as the next-generation data encryption standard for use in the USA. It was adopted as an ISO international standard in 2005. Impossible differential cryptanalysis and the boomerang attack are powerful variants of differential cryptanalysis for analysing the security of a block cipher. In this paper, building on the notions of impossible differential cryptanalysis and the boomerang attack, we propose a new cryptanalytic technique, which we call the impossible boomerang attack, and then describe an extension of this attack which applies in a related-key attack scenario. Finally, we apply the impossible boomerang attack to break 6-round AES with 128 key bits and 7-round AES with 192/256 key bits, and using two related keys we apply the related-key impossible boomerang attack to break 8-round AES with 192 key bits and 9-round AES with 256 key bits. In the two-key related-key attack scenario, our results, which were the first to achieve this amount of attacked rounds, match the best currently known results for AES with 192/256 key bits in terms of the numbers of attacked rounds. The (related-key) impossible boomerang attack is a general cryptanalytic technique, and can potentially be used to cryptanalyse other block ciphers

New Related-Key Boomerang Attacks on AES

In this paper we present two new attacks on round reduced versions of the AES. We present the first application of the related-key boomerang attack on 7 and 9 rounds of AES-192. The 7-round attack requires only 2^{18} chosen plaintexts and ciphertexts and needs 2^{67.5} encryptions. We extend our attack to nine rounds of AES-192. This leaves to a data complexity of 2^{67} chosen plaintexts and ciphertexts using about 2^{143.33} encryptions to break 9 rounds of AES-192

A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony

The privacy of most GSM phone conversations is currently protected by the 20+ years old A5/1 and A5/2 stream ciphers, which were repeatedly shown to be cryptographically weak. They will soon be replaced in third generation networks by a new A5/3 block cipher called KASUMI, which is a modified version of the MISTY cryptosystem. In this paper we describe a new type of attack called a sandwich attack, and use it to construct a simple distinguisher for 7 of the 8 rounds of KASUMI with an amazingly high probability of $2^{ -14}$. By using this distinguisher and analyzing the single remaining round, we can derive the complete 128 bit key of the full KASUMI by using only 4 related keys, $2^{26}$ data, $2^{30}$ bytes of memory, and $2^{32}$ time. These complexities are so small that we have actually simulated the attack in less than two hours on a single PC, and experimentally verified its correctness and complexity. Interestingly, neither our technique nor any other published attack can break MISTY in less than the $2^{128}$ complexity of exhaustive search, which indicates that the changes made by the GSM Association in moving from MISTY to KASUMI resulted in a much weaker cryptosystem

Yoyo Tricks with AES

In this paper we present new fundamental properties of SPNs. These properties turn out to be particularly useful in the adaptive chosen ciphertext/plaintext setting and we show this by introducing for the first time key-independent yoyo-distinguishers for 3- to 5-rounds of AES. All of our distinguishers beat previous records and require respectively $3, 4$ and $2^{25.8}$ data and essentially zero computation except for observing differences. In addition, we present the first key-independent distinguisher for 6-rounds AES based on yoyos that preserve impossible zero differences in plaintexts and ciphertexts. This distinguisher requires an impractical amount of $2^{122.83}$ plaintext/ciphertext pairs and essentially no computation apart from observing the corresponding differences. We then present a very favorable key-recovery attack on 5-rounds of AES that requires only $2^{11.3}$ data complexity and $2^{31}$ computational complexity, which as far as we know is also a new record. All our attacks are in the adaptively chosen plaintext/ciphertext scenario. Our distinguishers for AES stem from new and fundamental properties of generic SPNs, including generic SAS and SASAS, that can be used to preserve zero differences under the action of exchanging values between existing ciphertext and plaintext pairs. We provide a simple distinguisher for 2 generic SP-rounds that requires only 4 adaptively chosen ciphertexts and no computation on the adversaries side. We then describe a generic and deterministic yoyo-game for 3 generic SP-rounds which preserves zero differences in the middle but which we are not capable of exploiting in the generic setting

Multi-operation data encryption mechanism using dynamic data blocking and randomized substitution

Existing cryptosystems deal with static design features such as fixed sized data blocks, static substitution and apply identical set of known encryption operations in each encryption round. Fixed sized blocks associate several issues such as ineffective permutations, padding issues, deterministic brute force strength and known-length of bits which support the cracker in formulating of modern cryptanalysis. Existing static substitution policies are either not optimally fit for dynamic sized data blocks or contain known S-box transformation and fixed lookup tables. Moreover, static substitution does not directly correlate with secret key due to which it has not been shown safer especially for Advanced Encryption Standard (AES) and Data Encryption Standard (DES). Presently, entire cryptosystems encrypt each data block with identical set of known operations in each iteration, thereby lacked to offer dynamic selection of encryption operation. These discussed, static design features are fully known to the cracker, therefore caused the practical cracking of DES and undesirable security pitfalls against AES as witnessed in earlier studies. Various studies have reported the mathematical cryptanalysis of AES up to full of its 14 rounds. Thus, this situation completely demands the proposal of dynamic design features in symmetric cryptosystems. Firstly, as a substitute to fixed sized data blocks, the Dynamic Data Blocking Mechanism (DDBM) has been proposed to provide the facility of dynamic sized data blocks. Secondly, as an alternative of static substitution approach, a Randomized Substitution Mechanism (RSM) has been proposed which can randomly modify session-keys and plaintext blocks. Finally, Multi-operation Data Encryption Mechanism (MoDEM) has been proposed to tackle the issue of static and identical set of known encryption operations on each data block in each round. With MoDEM, the encryption operation can dynamically be selected against the desired data block from the list of multiple operations bundled with several sub-operations. The methods or operations such as exclusive-OR, 8-bit permutation, random substitution, cyclic-shift and logical operations are used. Results show that DDBM can provide dynamic sized data blocks comparatively to existing approaches. Both RSM and MoDEM fulfill dynamicity and randomness properties as tested and validated under recommended statistical analysis with standard tool. The proposed method not only contains randomness and avalanche properties but it also has passed recommended statistical tests within five encryption rounds (significant than existing). Moreover, mathematical testing shows that common security attacks are not applicable on MoDEM and brute force attack is significantly resistive

Revisiting Yoyo Tricks on AES

At Asiacrypt 2017, Rønjom et al. presented key-independent distinguishers for different numbers of rounds of AES, ranging from 3 to 6 rounds, in their work titled “Yoyo Tricks with AES”. The reported data complexities for these distinguishers were 3, 4, 225.8, and 2122.83, respectively. In this work, we revisit those key-independent distinguishers and analyze their success probabilities. We show that the distinguishing algorithms provided for 5 and 6 rounds of AES in the paper of Rønjom et al. are ineffective with the proposed data complexities. Our thorough theoretical analysis has revealed that the success probability of these distinguishers for both 5-round and 6-round AES is approximately 0.5, with the corresponding data complexities mentioned earlier. We investigate the reasons behind this seemingly random behavior of those reported distinguishers. Based on our theoretical findings, we have revised the distinguishing algorithm for 5-round AES. Our revised algorithm demonstrates success probabilities of approximately 0.55 and 0.81 for 5-round AES, with data complexities of 229.95 and 230.65, respectively. We have also conducted experimental tests to validate our theoretical findings, which further support our findings. Additionally, we have theoretically demonstrated that improving the success probability of the distinguisher for 6-round AES from 0.50000 to 0.50004 would require a data complexity of 2129.15. This finding invalidates the reported distinguisher by Rønjom et al. for 6-round AES