9 research outputs found
Differential Cryptanalysis of SMS4 Block Cipher
SMS4 is a 128-bit block cipher used in the WAPI standard for wireless networks in China. In this paper, we analyze the security of the SMS4 block cipher against differential cryptanalysis. First, we prove three theorems and one corollary that reflect relationships of 5- and 6-round SMS4. Next, using these relationships, we clarify the minimum number of differentially active S-boxes in 6-, 7- and 12-round SMS4 respectively. Finally, based on the above results, we present a family of about differential characteristics for 19-round SMS4, which leads to an attack on 23-round SMS4 with chosen plaintexts and encryptions. Our attack is the best known attack on SMS4 so far.
Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE
The SHA-3 competition organized by NIST aims to find a new hash standard as a replacement of SHA-2. Till now, 14 submissions have been selected as the second round candidates, including Skein and BLAKE, both of which have components based on modular addition, rotation and bitwise XOR (ARX). In this paper, we propose improved near-collision attacks on the reduced-round compression functions of Skein and a variant of BLAKE. The attacks are based on linear differentials of the modular additions. The computational complexities of near-collision attacks on a 4-round compression function of BLAKE-32 and on 4-round and 5-round compression functions of BLAKE-64 are 2^{21}, 2^{16} and 2^{216} respectively, and the attacks on 24-round compression functions of Skein-256, Skein-512 and Skein-1024 have complexities of 2^{60}, 2^{230} and 2^{395} respectively.
Some Observations on TWIS Block Cipher
The 128-bit block cipher TWIS was proposed by Ojha et al. in 2009. It is a lightweight block cipher and its design is inspired by CLEFIA. In this paper, we first study the properties of the TWIS structure, and as an extension we also consider the generalized TWIS-type structure, which can be called the G-TWIS cipher, where the block size and round number can be arbitrary values. Then we present a series of 10-round differential distinguishers for TWIS and an n-round differential distinguisher for G-TWIS whose probabilities are all equal to 1. Therefore, by utilizing these kinds of differential distinguishers, we can break the full 10-round TWIS cipher and the n-round G-TWIS cipher.
Some New Observations on the SMS4 Block Cipher in the Chinese WAPI Standard
Xidian Univ, Sch Telecommun Engn, Key Lab Comp Networks & Informat Security, Minist Educ
SMS4 is a 128-bit block cipher used in the WAPI standard in wireless networks in China. The cipher has attracted much attention in the past two years. This paper consists of two parts. The first part is on the design of the linear diffusion layer L of SMS4. Some new observations on L are presented, which reveal the design rationales of L and of this class of functions to a great extent. The second part is on the differential attack against SMS4. A class of 18-round differential characteristics with a higher probability is given. Then a simple differential attack on 22-round SMS4 is presented, which is an improvement of the previous work; thus our attack becomes the best known one on SMS4. Furthermore, we make a remark on the construction of differential characteristics of SMS4.
Hyper-Sbox View of AES-like Permutations: A Generalized Distinguisher
State Key Laboratory of Information Security; Chinese Academy of Sciences; Chinese Association for Cryptologic Research
Grøstl [1] is one of the second round candidates of the SHA-3 competition [2] hosted by NIST, which aims to find a new hash standard. In this paper, we studied equivalent expressions of the generalized AES-like permutation. We found that four rounds of the AES-like permutation can be regarded as a Hyper-Sbox. Then we further analyzed the differential properties of both the Super-Sbox and the Hyper-Sbox. Based on these observations, we give an 8-round truncated differential path of the generalized AES-like permutation, which can be used to construct a distinguisher of the 8-round Grøstl-256 permutation with 2^{64} time and 2^{64} memory. This is the best known distinguisher of the reduced-round Grøstl permutation. © 2011 Springer-Verlag
Full-Round Differential Attack on TWIS Block Cipher
The 128-bit block cipher TWIS was proposed by Ojha et al. in 2009. It is a lightweight block cipher and its design is inspired by CLEFIA. In this paper, we first study the properties of the TWIS structure, and as an extension we also consider the generalized TWIS-type structure named the G-TWIS cipher, whose block size and round number are 4m and n respectively, where n and m are any positive integers. Then we present a series of 10-round differential distinguishers for TWIS and an n-round differential distinguisher for G-TWIS whose probabilities are all equal to 1. It shows that the 10-round TWIS cipher and the n-round G-TWIS cipher can be distinguished efficiently from a random permutation.
Minist Publ Adm & Secur, Korea Commun Commiss
Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE
The SHA-3 competition organized by NIST [1] aims to find a new hash standard as a replacement of SHA-2. Till now, 14 submissions have been selected as the second round candidates, including Skein and BLAKE, both of which have components based on modular addition, rotation and bitwise XOR (ARX). In this paper, we propose improved near-collision attacks on the reduced-round compression functions of Skein and BLAKE. The attacks are based on linear differentials of the modular additions. The computational complexities of near-collision attacks on a 4-round compression function of BLAKE-32 and on 4-round and 5-round compression functions of BLAKE-64 are 2^{21}, 2^{16} and 2^{216} respectively, and the attacks on 20-round compression functions of Skein-256 and Skein-512 and a 24-round compression function of Skein-1024 have complexities of 2^{97}, 2^{52} and 2^{452} respectively.
Extending Higher-Order Integral: An Efficient Unified Algorithm of Constructing Integral Distinguishers for Block Ciphers
In this paper, we give an extension of the concept of higher-order integral, which can make us design better higher-order integral distinguishers for some block ciphers (structures). Using the new extension, we present a unified algorithm of searching for the best possible higher-order integral distinguishers for block ciphers. We adopt the inside-out approach, trying to predict the behavior of a set of carefully chosen data, not only along the encryption direction, but also along the decryption direction. Applying the unified algorithm, we search for the best possible higher-order integral distinguishers of the Gen-SMS4 structure, the Gen-Fourcell structure and Present. For the Gen-SMS4 structure and Present, the best higher-order integral distinguishers given by our algorithm are better than the best results known so far. For the Gen-Fourcell structure, the best higher-order integral distinguishers given by our algorithm are the same as the best results known so far. We expect that the inside-out method is helpful to understand higher-order integral of block ciphers better, and the unified algorithm presented in this paper can be used as a tool for efficiently evaluating the security of a block cipher against integral cryptanalysis. © 2012 Springer-Verlag
AdNovum
Preimage Attacks on Step-Reduced SM3 Hash Function
This paper proposes a preimage attack on the SM3 hash function reduced to 30 steps. SM3 is an iterated hash function based on the Merkle-Damgård design. It is a hash function used in applications such as the electronic certification service system in China. Our cryptanalysis is based on the Meet-in-the-Middle (MITM) attack. We utilize several techniques such as initial structure, partial matching and message compensation to improve the standard MITM preimage attack. Moreover, we use some observations on the SM3 hash function to optimize the computation complexity. Overall, a preimage of 30-step SM3 hash function can be computed with a complexity of 2^{249} SM3 compression function computations, and requires a memory of 2^{16}. As far as we know, this is the first preimage result on the SM3 hash function. © 2012 Springer-Verlag
National Security Research Institute (NSRI); Electronics and Telecommunications Research Institute (ETRI); Korea Internet and Security Agency (KISA); Ministry of Public Administration and Security (MOPAS)