
    Multidimensional zero-correlation attacks on lightweight block cipher HIGHT: Improved cryptanalysis of an ISO standard

    HIGHT is a block cipher designed in Korea with the involvement of the Korea Information Security Agency. It was proposed at CHES 2006 for use in lightweight applications such as sensor networks and RFID tags. It has since been adopted as an ISO standard. Though there is a great deal of cryptanalytic results on HIGHT, its security evaluation against the recent zero-correlation linear attacks is still lacking. At the same time, the Feistel-type structure of HIGHT suggests that it might be susceptible to this type of cryptanalysis. In this paper, we aim to bridge this gap. We identify zero-correlation linear approximations over 16 rounds of HIGHT. Based upon those, we attack 27-round HIGHT (round 4 to round 30) with improved time complexity and practical memory requirements. This attack is the best result on HIGHT to date in the classical single-key setting. We also provide the first attack on 26-round HIGHT (round 4 to round 29) with the full whitening key.

    Linear Hull Attack on Round-Reduced Simeck with Dynamic Key-guessing Techniques

    Simeck is a new family of lightweight block ciphers proposed by Yang et al. at CHES 2015, which has an efficient hardware implementation. In this paper, we find differentials with low Hamming weight and high probability for Simeck using Kölbl's tool, then consider the links between differential and linear characteristics to construct linear hulls for Simeck. We give improved linear hull attacks on Simeck with dynamic key-guessing techniques based on the property of the AND operation. Our best results cover Simeck32/64 reduced to 23 rounds, Simeck48/96 reduced to 30 rounds and Simeck64/128 reduced to 37 rounds. These are the best results known so far for any variant of Simeck.

    Note of Multidimensional MITM Attack on 25-Round TWINE-128

    TWINE is a lightweight block cipher proposed at SAC 2012 by Suzaki et al. TWINE operates on a 64-bit block and supports an 80- or 128-bit key, denoted TWINE-80 and TWINE-128 respectively. TWINE has attracted some attention since its publication and its security has been analyzed against several cryptanalytic techniques in both the single-key and related-key settings. In the single-key setting, the best attack so far is reported by Boztaş et al. at LightSec 2013, where a splice-and-cut attack on 21-round TWINE-128 and a multidimensional meet-in-the-middle (MITM) attack on 25-round TWINE-128 are presented. Yet, as we understand it, the evaluation of the time complexity of the multidimensional MITM attack on 25-round TWINE-128 is debatable. We describe the attack in detail and explain our concerns about its time complexity. It turns out that the multidimensional MITM attack on 25-round TWINE-128 may have a time complexity higher than exhaustive search.

    Effects of fertilizer application schemes and soil environmental factors on nitrous oxide emission fluxes in a rice-wheat cropping system, east China

    Nitrous oxide (N2O) is a potent greenhouse gas (GHG) with agricultural soils representing its largest anthropogenic source. However, the mechanisms involved in N2O emission and the factors affecting N2O emission fluxes in response to various nitrogenous fertilizer applications remain uncertain. We conducted a four-year (2012–2015) field experiment to assess how the fertilization scheme impacts N2O emissions from a rice-wheat cropping system in eastern China. The fertilizer treatments included Control (CK), Conventional fertilizer (CF), CF with shallow irrigation (CF+SI), CF with a deep-irrigation system (CF+DI), Optimized fertilizer (OF), OF with urease inhibitor (OF+UI), OF with conservation tillage (OF+CT) and Slow-release fertilizer (SRF). N2O emissions were measured by a closed static chamber method. N2O emission fluxes ranged from 0.61 μg m⁻² h⁻¹ to 1707 μg m⁻² h⁻¹, indicating a significant impact of nitrogen fertilizer and cropping type on N2O emissions. The highest crop yields for wheat (3515–3667 kg ha⁻¹) and rice (8633–8990 kg ha⁻¹) were observed under the SRF and OF+UI treatments, with significant reductions in N2O emissions of 16.94–21.20% and 5.55–7.93%, respectively. Our findings suggest that the SRF and OF+UI treatments can be effective in achieving maximum crop yield and lowering N2O emissions for the rice-wheat cropping system in eastern China.

    Integrals go Statistical: Cryptanalysis of Full Skipjack Variants

    Integral attacks form a powerful class of cryptanalytic techniques that have been widely used in the security analysis of block ciphers. Integral distinguishers are based on balanced properties holding with probability one. To obtain a distinguisher covering more rounds, an attacker will normally increase the data complexity by iterating through more plaintexts with a given structure, under the strict limitation of the full codebook. On the other hand, an integral property can only be deterministically verified if the plaintexts cover all possible values of a bit selection. These circumstances have somewhat restrained the applications of integral cryptanalysis. In this paper, we aim to address these limitations and propose a novel statistical integral distinguisher, where only part of the value set for these input bit selections is taken into consideration instead of all possible values. This enables us to achieve significantly lower data complexities for our statistical integral distinguisher as compared to those of the traditional integral distinguisher. As an illustration, we successfully attack full-round Skipjack-BABABABA, a variant of NSA's Skipjack block cipher, for the first time.

    Improved Linear Hull Attack on Round-Reduced \textsc{Simon} with Dynamic Key-guessing Techniques

    Simon is a lightweight block cipher family proposed by the NSA in 2013. It has drawn many cryptanalysts' attention and a variety of cryptanalysis results have been published, including differential, linear, impossible differential and integral cryptanalysis. In this paper, we give improved linear attacks on all reduced versions of Simon with the dynamic key-guessing technique, which was recently proposed to improve the differential attack on Simon. By establishing the Boolean function of the parity bit in the linear hull distinguisher and reducing the function according to the property of the AND operation, we can guess different subkeys (or equivalent subkeys) in different situations, which decreases the number of key bits involved in the attack and further reduces the time complexity. As a result, 23-round Simon32/64, 24-round Simon48/72, 25-round Simon48/96, 30-round Simon64/96, 31-round Simon64/128, 37-round Simon96/96, 38-round Simon96/144, 49-round Simon128/128, 51-round Simon128/192 and 53-round Simon128/256 can be attacked. As far as we know, our attacks on most reduced versions of Simon are the best compared with previous cryptanalysis results. However, this does not shake the security of the full-round Simon family.

    Improved Integral Attacks on SIMON32 and SIMON48 with Dynamic Key-Guessing Techniques

    Dynamic key-guessing techniques, which exploit the property of the AND operation, improve differential and linear cryptanalytic results by reducing the number of guessed subkey bits, and have led to good cryptanalytic results for SIMON. As far as we know, they have only been applied in differential and linear attacks. In this paper, dynamic key-guessing techniques are introduced into integral cryptanalysis for the first time. According to the features of integral cryptanalysis, we extend dynamic key-guessing techniques and obtain better integral cryptanalysis results than before. As a result, we present integral attacks on 24-round SIMON32, 24-round SIMON48/72 and 25-round SIMON48/96. In terms of the number of attacked rounds, our attack on SIMON32 is better than any previously known attack, and our attacks on SIMON48 match the best known attacks.
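    The two SIMON abstracts above (and the Simeck one, whose round function has the same AND-based shape) rely on one observation: when a parity bit is computed through an outer round, the only non-linear term is an AND of two key-XORed state bits, so the second key bit only has to be guessed for the data where the first operand is 1. The following is an added example written for this page, not code from any of the papers. It implements Simon32/64 from the published specification (rotation amounts, the z0 sequence and the test vector are the specification's), peels one round back from a ciphertext to expose the form ((a ^ k_a) & (b ^ k_b)) ^ (c ^ k_c), and compares plain guessing of all three key bits with a dynamic scheme that gives identical counters at 3N instead of 8N parity evaluations. The function names, the target bit position 5 and the sample count are this example's own choices.

```python
# Added example (not code from the Simon or Simeck papers): Simon32/64
# reference encryption plus a toy of the AND property that dynamic key
# guessing exploits when a parity bit is computed through an outer round.
import random

WORD, MASK = 16, 0xFFFF
# Constant sequence z0 from the Simon specification (used by Simon32/64).
Z0 = "11111010001001010110000111001101111101000100101011000011100110"
# Test-vector key from the Simon specification, written as k3 k2 k1 k0.
TEST_KEY = (0x1918, 0x1110, 0x0908, 0x0100)

def rol(x, r):
    return ((x << r) | (x >> (WORD - r))) & MASK

def ror(x, r):
    return ((x >> r) | (x << (WORD - r))) & MASK

def f(x):
    # Simon round function: (S^1 x & S^8 x) ^ S^2 x. The AND is the only
    # non-linear operation, which is what dynamic key guessing exploits.
    return (rol(x, 1) & rol(x, 8)) ^ rol(x, 2)

def key_schedule(key_words):
    k = list(reversed(key_words))   # k[0] is the round-0 subkey
    c = MASK ^ 3                    # 2^16 - 4
    for i in range(32 - 4):
        tmp = ror(k[i + 3], 3) ^ k[i + 1]
        tmp ^= ror(tmp, 1)
        k.append(c ^ int(Z0[i % 62]) ^ k[i] ^ tmp)
    return k

def encrypt(pt, key_words):
    x, y = pt
    for rk in key_schedule(key_words):
        x, y = y ^ f(x) ^ rk, x
    return x, y

def and_bit_inputs(ct, i):
    """Peel one round back from ciphertext (x_T, y_T) without knowing k_{T-1}:
    u = x_T ^ f(y_T) equals y_{T-1} ^ k_{T-1}, so bit i of y_{T-2} is
        y_T[i] ^ ((u[i-1] ^ k_a) & (u[i-8] ^ k_b)) ^ (u[i-2] ^ k_c) ^ k'
    with k_a, k_b, k_c bits of k_{T-1} and k' a bit of k_{T-2}.
    Returns the known inputs (a, b, c) that the three key bits are XORed with."""
    x, y = ct
    u = x ^ f(y)
    bit = lambda w, j: (w >> (j % WORD)) & 1
    return bit(u, i - 1), bit(u, i - 8), bit(u, i - 2)

def simon_samples(n, i, key_words, seed=0):
    """Constructed data: n random plaintexts encrypted under key_words,
    reduced to the (a, b, c) triples feeding bit i."""
    rng = random.Random(seed)
    return [and_bit_inputs(encrypt((rng.getrandbits(WORD), rng.getrandbits(WORD)),
                                   key_words), i) for _ in range(n)]

def naive_counters(data):
    """Guess (k_a, k_b, k_c) for every sample: 8 * N parity evaluations."""
    counters, cost = {}, 0
    for ka in (0, 1):
        for kb in (0, 1):
            for kc in (0, 1):
                s = 0
                for a, b, c in data:
                    s += ((a ^ ka) & (b ^ kb)) ^ (c ^ kc)
                    cost += 1
                counters[(ka, kb, kc)] = s
    return counters, cost

def dynamic_counters(data):
    """Dynamic key guessing: k_c only complements every parity bit, so it is
    never guessed; k_b only matters for samples where a ^ k_a == 1.
    Produces the same counters as naive_counters at 3 * N evaluations."""
    n = len(data)
    counters, cost = {}, 0
    for ka in (0, 1):
        zero = [(b, c) for a, b, c in data if a ^ ka == 0]
        one = [(b, c) for a, b, c in data if a ^ ka == 1]
        s0 = sum(c for _, c in zero)    # AND is 0 here: k_b drops out
        cost += len(zero)
        for kb in (0, 1):
            s1 = sum((b ^ kb) ^ c for b, c in one)
            cost += len(one)
            counters[(ka, kb, 0)] = s0 + s1
            counters[(ka, kb, 1)] = n - (s0 + s1)
    return counters, cost

def compare_strategies(data):
    """Returns (counters agree?, naive cost, dynamic cost)."""
    nc, ncost = naive_counters(data)
    dc, dcost = dynamic_counters(data)
    return nc == dc, ncost, dcost

if __name__ == "__main__":
    print(encrypt((0x6565, 0x6877), TEST_KEY) == (0xC69B, 0xE9BB))
    print(compare_strategies(simon_samples(256, 5, TEST_KEY)))
```

    The real attacks apply this per bit across many bit positions and rounds, and first compress the data into counters indexed by the few ciphertext bits that matter, so the saving compounds; the toy only shows the single-AND case that the abstracts describe.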

    Measurement of wind field data in Southeast China

    The data presented in this article are the wind measurements acquired from a tower in Southeast China during Typhoon Nesat (No. 1709) and Typhoon Haitang (No. 1710). Three WindMaster Pro 3D ultrasonic anemometers were used to obtain 3D wind data. The anemometers operate over a wind speed range of 0–65 m/s and a wind angle range of 0–360°. Wind speeds in three directions and wind angles were recorded every 0.1 s. The present research analyzed wind characteristics based on the recorded data. In this article, the detailed test set-up and the data pre-processing methodology for the wind characteristics analysis are provided.

    Towards Key-recovery-attack Friendly Distinguishers: Application to GIFT-128

    When analyzing a block cipher, the first step is to search for valid distinguishers, for example the differential trails in differential cryptanalysis and the linear trails in linear cryptanalysis. A distinguisher is advantageous if it can be used to attack more rounds and the number of key bits involved in the key-recovery process is small, as this leads to a long attack with a low complexity. In this article, we propose a two-step strategy to search for such advantageous distinguishers. This strategy is inspired by the intuition that if a differential is advantageous only when some properties are satisfied, then we can predefine constraints describing these properties and search for differentials in that smaller set. As an application, our strategy is used to analyze GIFT-128, which was proposed at CHES 2017. Based on some 20-round differentials, we give the first 27-round differential attack on GIFT-128, which covers one more round than the best previous result. Also, based on two 17-round linear trails, we give the first linear hull attack on GIFT-128, which covers 22 rounds. In addition, we give some results on two GIFT-128-based AEAD schemes, GIFT-COFB and SUNDAE-GIFT.