Differential Cryptanalysis of SMS4 Block Cipher

SMS4 is a 128-bit block cipher used in the WAPI standard for wireless networks in China. In this paper, we analyze the security of SMS4 block cipher against differential cryptanalysis. Firstly, we prove three theorems and one corollary that reflect relationships of 5- and 6-round SMS4. Nextly, by these relationships, we clarify the minimum number of differentially active S-boxes in 6-, 7- and 12-round SMS4 respectively. Finally, based on the above results, we present a family of about $2^{14}$ differential characteristics for 19-round SMS4, which leads to an attack on 23-round SMS4 with $2^{115}$ chosen plaintexts and $2^{124.3}$ encryptions. Our attack is the best known attack on SMS4 so far

Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE

The SHA-3 competition organized by NIST aims to find a new hash standard as a replacement of SHA-2. Till now, 14 submissions have been selected as the second round candidates, including Skein and BLAKE, both of which have components based on modular addition, rotation and bitwise XOR (ARX). In this paper, we propose improved near-collision attacks on the reduced-round compression functions of Skein and a variant of BLAKE. The attacks are based on linear differentials of the modular additions. The computational complexity of near-collision attacks on a 4-round compression function of BLAKE-32, 4-round and 5-round compression functions of BLAKE-64 are 2^{21}, 2^{16} and 2^{216} respectively, and the attacks on a 24-round compression functions of Skein-256, Skein-512 and Skein-1024 have a complexity of 2^{60}, 2^{230} and 2^{395} respectively

Some Observations on TWIS Block Cipher

The 128-bit block cipher TWIS was proposed by Ojha et al in 2009. It is a lightweight block cipher and its design is inspired from CLEFIA. In this paper, we first study the properties of TWIS structure, and as an extension we also considered the generalized TWIS-type structure which can be called G-TWIS cipher, where the block size and round number can be arbitrary values. Then we present a series of 10-round differential distinguishers for TWIS and a n-round differential distinguisher for G-TWIS whose probabilities are all equal to 1. Therefore, by utilizing these kinds of differential distinguishers, we can break the full 10-round TWIS cipher and n-round G-TWIS cipher

some new observations on the sms4 block cipher in the chinese wapi standard

Xidian Univ, Xidian Univ, Sch Telecommun Engn, Key Lab Comp Networks & Informat Security, Minist EducSMS4 is a 128-bit block cipher used in the WAPI standard in wireless networks in China. The cipher has attracted much attention in the past two years. This paper consists of two parts. The first part is on the design of the linear diffusion layer L of SMS4. Some new observations on L are present, which open out the design rationales of L and such class functions to a great extent. The second part is on the differential attack against SMS4. A class of 18-round differential characteristics with a higher probability is given. Then a simple differential attack on 22-round SMS4 is present, which is an improvement of the previous work, thus our attack becomes the best known one on SMS4. Furthermore, we make a remark on the construction of differential characteristics of SMS4

hyper-sbox view of aes-like permutations: a generalized distinguisher

State Key Laboratory of Information Security; Chinese Academy of Sciences; Chinese Association for Cryptologic ResearchGrøstl[1] is one of the second round candidates of the SHA-3 competition[2] hosted by NIST, which aims to find a new hash standard. In this paper, we studied equivalent expressions of the generalized AES-like permutation. We found that four rounds of the AES-like permutation can be regarded as a Hyper-Sbox. Then we further analyzed the differential properties of both Super-Sbox and Hyper-Sbox. Based on these observations, we give an 8-round truncated differential path of the generalized AES-like permutation, which can be used to construct a distinguisher of 8-round Grøstl-256 permutation with 264 time and 264 memory. This is the best known distinguisher of reduced-round Grøstl permutation. © 2011 Springer-Verlag

full-round differential attack on twis block cipher

The 128-bit block cipher TWIS was proposed by Ojha et al in 2009. It is a lightweight block cipher and its design is inspired from CLEFIA. In this paper, we first study the properties of TWIS structure, and as an extension we also consider the generalized TWIS-type structure named G-TWIS cipher whose block size and round number are 4m and n repectively, where n and m are any positive integers. Then we present a series of 10-round differential distinguishers for TWIS and an n-round differential distinguisher for G-TWIS whose probabilities are all equal to 1. It shows that 10-round TWIS cipher and n-round G-TWIS cipher can be distinguished efficiently from random permutation.Minist Publ Adm & Secur, Korea Commun CommissThe 128-bit block cipher TWIS was proposed by Ojha et al in 2009. It is a lightweight block cipher and its design is inspired from CLEFIA. In this paper, we first study the properties of TWIS structure, and as an extension we also consider the generalized TWIS-type structure named G-TWIS cipher whose block size and round number are 4m and n repectively, where n and m are any positive integers. Then we present a series of 10-round differential distinguishers for TWIS and an n-round differential distinguisher for G-TWIS whose probabilities are all equal to 1. It shows that 10-round TWIS cipher and n-round G-TWIS cipher can be distinguished efficiently from random permutation

near-collisions on the reduced-round compression functions of skein and blake

The SHA-3 competition organized by NIST [1] aims to find a new hash standard as a replacement of SHA-2. Till now, 14 submissions have been selected as the second round candidates, including Skein and BLAKE, both of which have components based on modular addition, rotation and bitwise XOR (ARX). In this paper, we propose improved near-collision attacks on the reduced-round compression functions of Skein and BLAKE. The attacks are based on linear differentials of the modular additions. The computational complexity of near-collision attacks on a 4-round compression function of BLAKE-32, 4-round and 5-round compression functions of BLAKE-64 are 221, 216 and 2216 respectively, and the attacks on 20-round compression functions of Skein-256, Skein-512 and a 24-round compression function of Skein-1024 have a complexity of 297, 252 and 2452 respectively

extending higher-order integral: an efficient unified algorithm of constructing integral distinguishers for block ciphers

In this paper, we give an extension of the concept of higher-order integral, which can make us design better higher-order integral distinguishers for some block ciphers (structures). Using the new extension, we present a unified algorithm of searching for the best possible higher-order integral distinguishers for block ciphers. We adopt the inside-out approach, trying to predict the behavior of a set of carefully chosen data, not only along encryption direction, but also along decryption direction. Applying the unified algorithm, we search for the best possible higher-order integral distinguishers of Gen-SMS4 structure, Gen-Fourcell structure and Present. For Gen-SMS4 structure and Present, the best higher-order integral distinguishers given by our algorithm are better than the best results known so far. For Gen-Fourcell structure, the best higher-order integral distinguishers given by our algorithm are the same as the best results known so far. We expect that the inside-out method is helpful to understand higher-order integral of block ciphers better, and the unified algorithm presented in this paper can be used as a tool for efficiently evaluating the security of a block cipher against integral cryptanalysis. © 2012 Springer-Verlag.AdNovumIn this paper, we give an extension of the concept of higher-order integral, which can make us design better higher-order integral distinguishers for some block ciphers (structures). Using the new extension, we present a unified algorithm of searching for the best possible higher-order integral distinguishers for block ciphers. We adopt the inside-out approach, trying to predict the behavior of a set of carefully chosen data, not only along encryption direction, but also along decryption direction. Applying the unified algorithm, we search for the best possible higher-order integral distinguishers of Gen-SMS4 structure, Gen-Fourcell structure and Present. For Gen-SMS4 structure and Present, the best higher-order integral distinguishers given by our algorithm are better than the best results known so far. For Gen-Fourcell structure, the best higher-order integral distinguishers given by our algorithm are the same as the best results known so far. We expect that the inside-out method is helpful to understand higher-order integral of block ciphers better, and the unified algorithm presented in this paper can be used as a tool for efficiently evaluating the security of a block cipher against integral cryptanalysis. © 2012 Springer-Verlag

preimage attacks on step-reduced sm3 hash function

This paper proposes a preimage attack on SM3 hash function reduced to 30 steps. SM3 is an iterated hash function based on the Merkle-Damga˚rd design. It is a hash function used in applications such as the electronic certification service system in China. Our cryptanalysis is based on the Meet-in-the-Middle (MITM) attack. We utilize several techniques such as initial structure, partial matching and message compensation to improve the standard MITM preimage attack. Moreover, we use some observations on the SM3 hash function to optimize the computation complexity. Overall, a preimage of 30 steps SM3 hash function can be computed with a complexity of 2249 SM3 compression function computation, and requires a memory of 216. As far as we know, this is yet the first preimage result on the SM3 hash function. © 2012 Springer-Verlag.National Security Research Institute (NSRI); Electronics and Telecommunications Research Institute (ETRI); Korea Internet and Security Agency (KISA); Ministry of Public Administration and Security (MOPAS)This paper proposes a preimage attack on SM3 hash function reduced to 30 steps. SM3 is an iterated hash function based on the Merkle-Damga˚rd design. It is a hash function used in applications such as the electronic certification service system in China. Our cryptanalysis is based on the Meet-in-the-Middle (MITM) attack. We utilize several techniques such as initial structure, partial matching and message compensation to improve the standard MITM preimage attack. Moreover, we use some observations on the SM3 hash function to optimize the computation complexity. Overall, a preimage of 30 steps SM3 hash function can be computed with a complexity of 2249 SM3 compression function computation, and requires a memory of 216. As far as we know, this is yet the first preimage result on the SM3 hash function. © 2012 Springer-Verlag