Related-Key Rectangle Attack of the Full 80-Round HAS-160 Encryption Mode

In this paper we investigate the security of the encryption mode of the HAS-160 hash function. HAS-160 is a Korean hash standard which is widely used in Korea\u27s industry. The structure of HAS-160 is similar to SHA-1 but includes some improvements. The encryption mode of HAS-160 is defined similarly as the encryption mode of SHA-1 that is called SHACAL-1. In 2006, Dunkelman et. al. successfully broke the full 80-round SHACAL-1. In this paper, we present the first cryptographic attack that breaks the encryption mode of the full 80-round HAS-160. SHACAL-1 and the encryption mode of HAS-160 are both blockciphers with key size 512 bits and plain-/ciphertext size of 160 bits. We will apply a key recovery attack that needs about 2^{155} chosen plaintexts and 2^{375.98} 80-round HAS-160 encryptions. The attack does not aim for a collision, preimage or 2nd-preimage attack, but it shows that HAS-160 used as a block cipher can be differentiated from an ideal cipher faster than exhaustive search

Practical-time Attack on the Full MMB Block Cipher

Modular Multiplication based Block Cipher (MMB) is a block cipher designed by Daemen \emph{et al.} as an alternative to the IDEA block cipher. In this paper, we give a practical-time attack on the full MMB with adaptive chosen plaintexts and ciphertexts. By the constructive sandwich distinguisher for 5 of the 6 rounds of MMB with amazingly high probability 1, we give the key recovery attack on the full MMB with data complexity $2^{40}$ and time complexity $2^{13.4}$ MMB encryptions. Then a rectangle-like sandwich attack on the full MMB is presented, with $2^{66.5}$ chosen plaintexts, $2^{64}$ MMB encryptions and $2^{70.5}$ memory bytes. By the way, we show an improved differential attack on the full MMB with data complexity of $2^{96}$ chosen plaintexts and ciphertexts, time complexity $2^{64}$ encryptions and $2^{66}$ bytes of memory

A Chaotic System and Count Tracking Mechanism-based Dynamic S-Box and Secret Key Generation

In cryptography, Block ciphers use S-Boxes to perform substitution and permutation operations on a data block. S-Boxes provide non-linearity and confusion of bits to the cryptographic algorithms. In addition, secret keys are critical security aspects for encrypting and decrypting messages. The uncertainty and randomness of the secret key and S-boxes used in the algorithm determine the extent of security against any cryptanalysis attack. This paper proposes a new mechanism to dynamically generate a secret key and S-Box each time while sending and receiving the message. These dynamically generated S-Boxes and keys depend on mutually decided security parameters and message transfer history. Furthermore, a new counter-based mechanism is introduced in this paper. These enhancement techniques are applied to the serpent cipher algorithm, and a data transfer simulation is performed to validate the efficacy of the proposed method. We observe that the dynamically generated S-box follows the strict avalanche criteria. We further validate that the encrypted message shows higher sensitivity to the S-box and the secret key in enhanced serpent cipher than the original version. However, to validate our proposed method, we test and analyze the improvements in the Serpent Cipher Algorithm

Towards Finding the Best Characteristics of Some Bit-oriented Block Ciphers and Automatic Enumeration of (Related-key) Differential and Linear Characteristics with Predefined Properties

In this paper, we investigate the Mixed-integer Linear Programming (MILP) modelling of the differential and linear behavior of a wide range of block ciphers. We point out that the differential behavior of an arbitrary S-box can be exactly described by a small system of linear inequalities. ~~~~~Based on this observation and MILP technique, we propose an automatic method for finding high probability (related-key) differential or linear characteristics of block ciphers. Compared with Sun {\it et al.}\u27s {\it heuristic} method presented in Asiacrypt 2014, the new method is {\it exact} for most ciphers in the sense that every feasible 0-1 solution of the MILP model generated by the new method corresponds to a valid characteristic, and therefore there is no need to repeatedly add valid cutting-off inequalities into the MILP model as is done in Sun {\it et al.}\u27s method; the new method is more powerful which allows us to get the {\it exact lower bounds} of the number of differentially or linearly active S-boxes; and the new method is more efficient which allows to obtain characteristic with higher probability or covering more rounds of a cipher (sometimes with less computational effort). ~~~~~Further, by encoding the probability information of the differentials of an S-boxes into its differential patterns, we present a novel MILP modelling technique which can be used to search for the characteristics with the maximal probability, rather than the characteristics with the smallest number of active S-boxes. With this technique, we are able to get tighter security bounds and find better characteristics. ~~~~~Moreover, by employing a type of specially constructed linear inequalities which can remove {\it exactly one} feasible 0-1 solution from the feasible region of an MILP problem, we propose a method for automatic enumeration of {\it all} (related-key) differential or linear characteristics with some predefined properties, {\it e.g.}, characteristics with given input or/and output difference/mask, or with a limited number of active S-boxes. Such a method is very useful in the automatic (related-key) differential analysis, truncated (related-key) differential analysis, linear hull analysis, and the automatic construction of (related-key) boomerang/rectangle distinguishers. ~~~~~The methods presented in this paper are very simple and straightforward, based on which we implement a Python framework for automatic cryptanalysis, and extensive experiments are performed using this framework. To demonstrate the usefulness of these methods, we apply them to SIMON, PRESENT, Serpent, LBlock, DESL, and we obtain some improved cryptanalytic results

The (related-key) impossible boomerang attack and its application to the AES block cipher

The Advanced Encryption Standard (AES) is a 128-bit block cipher with a user key of 128, 192 or 256 bits, released by NIST in 2001 as the next-generation data encryption standard for use in the USA. It was adopted as an ISO international standard in 2005. Impossible differential cryptanalysis and the boomerang attack are powerful variants of differential cryptanalysis for analysing the security of a block cipher. In this paper, building on the notions of impossible differential cryptanalysis and the boomerang attack, we propose a new cryptanalytic technique, which we call the impossible boomerang attack, and then describe an extension of this attack which applies in a related-key attack scenario. Finally, we apply the impossible boomerang attack to break 6-round AES with 128 key bits and 7-round AES with 192/256 key bits, and using two related keys we apply the related-key impossible boomerang attack to break 8-round AES with 192 key bits and 9-round AES with 256 key bits. In the two-key related-key attack scenario, our results, which were the first to achieve this amount of attacked rounds, match the best currently known results for AES with 192/256 key bits in terms of the numbers of attacked rounds. The (related-key) impossible boomerang attack is a general cryptanalytic technique, and can potentially be used to cryptanalyse other block ciphers