This paper first presents an impossible differential property for 5-round Advanced Encryption Standard (AES) with high probability. Based on the property and the impossible differential cryptanalytic method for the ...This paper first presents an impossible differential property for 5-round Advanced Encryption Standard (AES) with high probability. Based on the property and the impossible differential cryptanalytic method for the 5-round AES, a new method is proposed for cryptanalyzing the 8-round AES-192 and AES-256. This attack on the reduced 8-round AES-192 demands 2^121 words of memory, and performs 2^148 8-round AES-192 encryptions. This attack on the reduced 8-round AES-256 demands 2^153 words of memory, and performs 2^180 8-round AES-256 encryptions. Furthermore, both AES-192 and AES-256 require about 2^98 chosen plaintexts for this attack, and have the same probability that is only 2^-3 to fail to recover the secret key.展开更多
This paper studies the security of the block ciphers ARIA and Camellia against impossible differential cryptanalysis. Our work improves the best impossible differential cryptanalysis of ARIA and Camellia known so far....This paper studies the security of the block ciphers ARIA and Camellia against impossible differential cryptanalysis. Our work improves the best impossible differential cryptanalysis of ARIA and Camellia known so far. The designers of ARIA expected no impossible differentials exist for 4-round ARIA. However, we found some nontrivial 4-round impossible differentials, which may lead to a possible attack on 6-round ARIA. Moreover, we found some nontrivial 8-round impossible differentials for Camellia, whereas only 7-round impossible differentials were previously known. By using the 8-round impossible differentials, we presented an attack on 12-round Camellia without FL/FL^-1 layers.展开更多
Impossible differential cryptanalysis is a method recovering secret key, which gets rid of the keys that satisfy impossible differential relations. This paper concentrates on the impossible differential cryptanalysis ...Impossible differential cryptanalysis is a method recovering secret key, which gets rid of the keys that satisfy impossible differential relations. This paper concentrates on the impossible differential cryptanalysis of Advanced Encryption Standard (AES) and presents two methods for impossible differential cryptanalysis of 7-round AES-192 and 8-round AES-256 combined with time-memory trade-off by exploiting weaknesses in their key schedule. This attack on the reduced to 7-round AES-192 requires about 294.5 chosen plaintexts, demands 2129 words of memory, and performs 2157 7-round AES-192 encryptions. Furthermore, this attack on the reduced to 8-round AES-256 requires about 2^101 chosen plaintexts, demands 2^201 words of memory, and performs 2^228 8-round AES-256 encryptions.展开更多
基金Supported by the Foundation of National Labora-tory for Modern Communications (51436030105DZ0105)
文摘This paper first presents an impossible differential property for 5-round Advanced Encryption Standard (AES) with high probability. Based on the property and the impossible differential cryptanalytic method for the 5-round AES, a new method is proposed for cryptanalyzing the 8-round AES-192 and AES-256. This attack on the reduced 8-round AES-192 demands 2^121 words of memory, and performs 2^148 8-round AES-192 encryptions. This attack on the reduced 8-round AES-256 demands 2^153 words of memory, and performs 2^180 8-round AES-256 encryptions. Furthermore, both AES-192 and AES-256 require about 2^98 chosen plaintexts for this attack, and have the same probability that is only 2^-3 to fail to recover the secret key.
基金This work is supported by the National Natural Science Foundation of China under Grant No.90604036the National Grand Fundamental Research 973 Program of China under Grant No.2004CB318004.
文摘This paper studies the security of the block ciphers ARIA and Camellia against impossible differential cryptanalysis. Our work improves the best impossible differential cryptanalysis of ARIA and Camellia known so far. The designers of ARIA expected no impossible differentials exist for 4-round ARIA. However, we found some nontrivial 4-round impossible differentials, which may lead to a possible attack on 6-round ARIA. Moreover, we found some nontrivial 8-round impossible differentials for Camellia, whereas only 7-round impossible differentials were previously known. By using the 8-round impossible differentials, we presented an attack on 12-round Camellia without FL/FL^-1 layers.
基金the National Natural Science Foundation of China (Grant No. 60673072)Foundation of National Laboratory for Modern Communications (Grant No. 51436030105DZ0105)
文摘Impossible differential cryptanalysis is a method recovering secret key, which gets rid of the keys that satisfy impossible differential relations. This paper concentrates on the impossible differential cryptanalysis of Advanced Encryption Standard (AES) and presents two methods for impossible differential cryptanalysis of 7-round AES-192 and 8-round AES-256 combined with time-memory trade-off by exploiting weaknesses in their key schedule. This attack on the reduced to 7-round AES-192 requires about 294.5 chosen plaintexts, demands 2129 words of memory, and performs 2157 7-round AES-192 encryptions. Furthermore, this attack on the reduced to 8-round AES-256 requires about 2^101 chosen plaintexts, demands 2^201 words of memory, and performs 2^228 8-round AES-256 encryptions.
