Journal articles: 128 articles found.
1. Multidimensional linear cryptanalysis with key difference invariant bias for block ciphers (Cited by: 2)
Authors: Wenqin Cao, Wentao Zhang | Cybersecurity, EI CSCD, 2021, No. 1, pp. 501-518, 18 pages
Abstract: For block ciphers, Bogdanov et al. found that there are some linear approximations whose biases are deterministically invariant under key difference. This property is called key difference invariant bias. Based on this property, Bogdanov et al. proposed a related-key statistical distinguisher and turned it into key-recovery attacks on LBlock and TWINE-128. In this paper, we propose a new related-key model by combining multidimensional linear cryptanalysis with key difference invariant bias. The main theoretical advantage is that our new model does not depend on statistical independence of linear approximations. We demonstrate our cryptanalysis technique by performing key recovery attacks on LBlock and TWINE-128. We use the relations of the involved round keys to reduce the number of guessed subkey bits. Moreover, the partial-compression technique is used to reduce the time complexity. We can recover the master key of LBlock up to 25 rounds with about 2^(60.4) distinct known plaintexts, 2^(78.85) time complexity and 2^(61) bytes of memory. Our attack can recover the master key of TWINE-128 up to 28 rounds with about 2^(61.5) distinct known plaintexts, 2^(126.15) time complexity and 2^(61) bytes of memory. The results are the currently best ones on cryptanalysis of LBlock and TWINE-128.
Keywords: key-alternating cipher; key difference invariant bias; multidimensional linear cryptanalysis; LBlock; TWINE
2. Multidimensional linear cryptanalysis with key difference invariant bias for block ciphers
Authors: Wenqin Cao, Wentao Zhang | Cybersecurity, EI CSCD, 2022, No. 1, pp. 10-27, 18 pages
Abstract: For block ciphers, Bogdanov et al. found that there are some linear approximations whose biases are deterministically invariant under key difference. This property is called key difference invariant bias. Based on this property, Bogdanov et al. proposed a related-key statistical distinguisher and turned it into key-recovery attacks on LBlock and TWINE-128. In this paper, we propose a new related-key model by combining multidimensional linear cryptanalysis with key difference invariant bias. The main theoretical advantage is that our new model does not depend on statistical independence of linear approximations. We demonstrate our cryptanalysis technique by performing key recovery attacks on LBlock and TWINE-128. We use the relations of the involved round keys to reduce the number of guessed subkey bits. Moreover, the partial-compression technique is used to reduce the time complexity. We can recover the master key of LBlock up to 25 rounds with about 2^(60.4) distinct known plaintexts, 2^(78.85) time complexity and 2^(61) bytes of memory. Our attack can recover the master key of TWINE-128 up to 28 rounds with about 2^(61.5) distinct known plaintexts, 2^(126.15) time complexity and 2^(61) bytes of memory. The results are the currently best ones on cryptanalysis of LBlock and TWINE-128.
Keywords: key-alternating cipher; key difference invariant bias; multidimensional linear cryptanalysis; LBlock; TWINE
3. Linear cryptanalysis of NUSH block cipher (Cited by: 2)
Authors: 吴文玲, 冯登国 | Science in China (Series F), 2002, No. 1, pp. 59-67, 9 pages
Abstract: NUSH is a block cipher submitted as a candidate to NESSIE. NUSH is analyzed by linear cryptanalysis. The complexity δ = (ε, η) of an attack consists of data complexity ε and time complexity η. Three linear approximations are used to analyze NUSH with a 64-bit block. When |K| = 128 bits, the complexities of the three attacks are (2^58, 2^124), (2^60, 2^78) and (2^62, 2^55) respectively. When |K| = 192 bits, the complexities of the three attacks are (2^58, 2^157), (2^60, 2%) and (2^62, 2^58) respectively. When |K| = 256 bits, the complexities of the three attacks are (2^58, 2^125), (2^60, 2^78) and (2^62, 2^53) respectively. Three linear approximations are used to analyze NUSH with a 128-bit block. When |K| = 128 bits, the complexities of the three attacks are (2^122, 2^95), (2^124, 2^57) and (2^126, 2^52) respectively. When |K| = 192 bits, the complexities of the three attacks are (2^122, 2^142), (2^124, 2^75) and (2^126, 2^58) respectively. When |K| = 256 bits, the complexities of the three attacks are (2^122, 2^168), (2^124, 2^81) and (2^126, 2^64) respectively. Two linear approximations are used to analyze NUSH with a 256-bit block. When |K| = 128 bits, the complexities of the two attacks are (2^252, 2^122) and (2^254, 2^119) respectively. When |K| = 192 bits, the complexities of the two attacks are (2^252, 2^181) and (2^254, 2^177) respectively. When |K| = 256 bits, the complexities of the two attacks are (2^252, 2^240) and (2^254, 2^219) respectively. These results show that NUSH is not immune to linear cryptanalysis, and a longer key does not enhance the security of NUSH.
Keywords: block cipher; linear cryptanalysis; linear approximation
4. Improved Linear Attacks on the Chinese Block Cipher Standard (Cited by: 4)
Authors: 刘明洁, 陈佳哲 | Journal of Computer Science & Technology, SCIE EI CSCD, 2014, No. 6, pp. 1123-1133, 11 pages
Abstract: The block cipher used in the Chinese Wireless LAN Standard (WAPI), SMS4, was recently renamed SM4 and became the block cipher standard issued by the Chinese government. This paper gives a method for finding the linear approximations of SMS4. With this method, 19-round one-dimensional approximations are given, which are used to improve the previous linear cryptanalysis of SMS4. The 19-round approximations hold with bias 2^(-62.27); we use one of them to mount a linear attack on 23-round SMS4. Our attack improves the previous 23-round attacks by reducing the time complexity. Furthermore, the data complexity of our attack is further improved by the multidimensional linear approach.
Keywords: block cipher; SMS4; linear cryptanalysis; multidimensional linear cryptanalysis
5. ANALYSIS OF MINIMUM NUMBERS OF LINEARLY ACTIVE S-BOXES OF A CLASS OF GENERALIZED FEISTEL BLOCK CIPHERS
Authors: Xiaopei GUO, Kejian XU, Tongsen SUN, Xiubin FAN | Journal of Systems Science & Complexity, SCIE EI CSCD, 2012, No. 5, pp. 1014-1031, 18 pages
Abstract: For a class of generalized Feistel block ciphers, an explicit formula for the minimum number of linearly active S-boxes over any number of rounds r is presented.
Keywords: block cipher; generalized Feistel structure; linear spread value; minimum number of linearly active S-boxes
6. Zero-Correlation Linear Cryptanalysis of Reduced-Round SIMON (Cited by: 4)
Authors: 于晓丽, 吴文玲, 石振青, 张建, 张蕾, 汪艳凤 | Journal of Computer Science & Technology, SCIE EI CSCD, 2015, No. 6, pp. 1358-1369, 12 pages
Abstract: In June 2013, the U.S. National Security Agency proposed two families of lightweight block ciphers, called SIMON and SPECK respectively. These ciphers are designed to perform excellently on both hardware and software platforms. In this paper, we mainly present zero-correlation linear cryptanalysis on various versions of SIMON. Firstly, using the miss-in-the-middle approach, we construct zero-correlation linear distinguishers for SIMON, and zero-correlation linear attacks are presented based on careful analysis of the key recovery phase. Secondly, multidimensional zero-correlation linear attacks are used to reduce the data complexity. Our zero-correlation linear attacks perform better than the impossible differential attacks proposed by Abed et al. in ePrint Report 2013/568. Finally, we also use the divide-and-conquer technique to improve the results of linear cryptanalysis proposed by Javad et al. in ePrint Report 2013/663.
Keywords: lightweight block cipher; SIMON; linear cryptanalysis; zero-correlation; dual property
7. Improved Linear Cryptanalysis of CAST-256
Authors: 赵静远, 王美琴, 温隆 | Journal of Computer Science & Technology, SCIE EI CSCD, 2014, No. 6, pp. 1134-1139, 6 pages
Abstract: CAST-256, a first-round AES (Advanced Encryption Standard) candidate, is designed based on CAST-128. It is a 48-round Generalized-Feistel-Network cipher with a 128-bit block accepting 128, 160, 192, 224 or 256-bit keys. Its S-boxes are non-surjective with 8-bit input and 32-bit output. Wang et al. identified a 21-round linear approximation and gave a key recovery attack on 24-round CAST-256. In ASIACRYPT 2012, Bogdanov et al. presented multidimensional zero-correlation linear cryptanalysis of 28 rounds of CAST-256. By observing the property of the concatenation of a forward quad-round and a reverse quad-round and choosing the proper active round function, we construct a linear approximation of 26-round CAST-256 and recover partial key information on 32 rounds of CAST-256. Our result is the best attack on CAST-256 in terms of the number of rounds without a weak-key assumption so far.
Keywords: CAST-256; linear cryptanalysis; block cipher; Generalized-Feistel-Network
8. Algebraic attacks on two kinds of special nonlinear filter generators
Authors: 杨文峰, Hu Yupu, Qiu Hua | High Technology Letters, EI CAS, 2012, No. 2, pp. 151-154, 4 pages
Abstract: This letter proposes algebraic attacks on two kinds of nonlinear filter generators with symmetric Boolean functions as the filter functions. Different from the classical algebraic attacks, the proposed attacks take advantage of the combinational property of a linear feedback shift register (LFSR) and the symmetric Boolean function to obtain a low-degree algebraic relation, and hence the complexities of the proposed attacks are independent of the algebraic immunity (AI) of the filter functions. It is shown that improper combination of the LFSR with the filter function can make the filter generator vulnerable to algebraic attacks. As a result, the bits of the LFSR fed into a filter function with large AI must be selected properly in order to withstand the proposed algebraic attacks.
Keywords: stream cipher; linear feedback shift register (LFSR); Boolean function; algebraic attack; cryptanalysis
9. Multiple zero-correlation linear cryptanalysis of the LBlock algorithm (Cited by: 4)
Authors: 罗芳, 周学广, 欧庆于 | 《西安电子科技大学学报》, EI CAS CSCD PKU Core, 2014, No. 5, pp. 173-179, 7 pages
Abstract: To reduce the data complexity required for zero-correlation linear cryptanalysis of LBlock, a multiple zero-correlation linear cryptanalysis method for LBlock is proposed. It is proved that 14-round LBlock has 26 zero-correlation linear approximations, and their concrete construction is given. Using these 26 14-round zero-correlation linear approximations as distinguishers, and based on a probability model under the normal distribution, a multiple zero-correlation linear attack on 22-round LBlock is carried out. The data complexity of the attack is about 2^63.45 known plaintexts, the computational complexity is about 2^76.27 22-round LBlock encryptions, and the success probability of the attack is 0.85. The results show that this method effectively solves the problem that zero-correlation linear cryptanalysis of LBlock previously required the entire plaintext space.
Keywords: lightweight block cipher; LBlock algorithm; multiple zero-correlation linear approximations; cryptanalysis; data complexity
10. Linear cryptanalysis of two variants of CS-CIPHER (Cited by: 4)
Authors: 吴文玲, 卿斯汉 | 《电子学报》, EI CAS CSCD PKU Core, 2002, No. 2, pp. 283-285, 3 pages
Abstract: CS-CIPHER is one of the 17 candidate algorithms published by NESSIE; its block length is 64 bits. This paper performs linear cryptanalysis on two variants of CS-CIPHER. The attack on the first variant has a success rate of about 78.5%, a data complexity of 2^52 and a processing complexity of 2^32. The attack on the second variant has a success rate of about 78.5%, a data complexity of 2^52 and a processing complexity of 2^112.
Keywords: block cipher; linear cryptanalysis; secure communication; CS-cipher
11. Improvement of the multidimensional zero-correlation linear cryptanalysis model and its application to 23-round LBlock-s
Authors: 李灵琛, 吴文玲, 汪艳凤 | 《计算机学报》, EI CSCD PKU Core, 2017, No. 5, pp. 1192-1202, 11 pages
Abstract: Multidimensional zero-correlation linear cryptanalysis, which is based on linear approximations with correlation zero, is currently one of the most important techniques for analyzing block ciphers. This paper studies the key-recovery phase of the multidimensional zero-correlation linear model in depth. By defining the distance of equivalent keys to characterize the positional relation of equivalent keys in the compressed expression, the set of candidate distinguishers is further reduced and the key-guessing order is optimized, thereby improving the original multidimensional zero-correlation attack model. The improved model first finds all longest multidimensional zero-correlation linear distinguishers, then uses the key schedule to obtain the number of independently guessed key bits involved in the key-recovery phase, and filters the candidate distinguisher set accordingly. Finally, the candidate distinguishers are filtered again according to the distance of equivalent keys, which also yields the corresponding key-guessing order. LBlock-s is the core block cipher of the authenticated encryption algorithm LAC submitted to the CAESAR competition. Unlike LBlock, LBlock-s uses a key schedule with faster diffusion. Based on the improved model, this paper analyzes the resistance of this algorithm to multidimensional zero-correlation linear attacks. The study shows that attacking 23-round LBlock-s requires a data complexity of 2^(62.3) chosen plaintexts, a time complexity of 2^(73.75) 23-round LBlock-s encryptions, and a memory complexity of 2^(56) bytes. This is currently the best attack result on LBlock-s.
Keywords: block cipher; LBlock-s; multidimensional zero-correlation linear cryptanalysis; stepwise compression technique; equivalent keys
12. A New Block-Predictor Corrector Algorithm for the Solution of y’’’=f(x, y, y’, y’’)
Authors: Adetola O. Adesanya, Mfon O. Udo, Adam M. Alkali | American Journal of Computational Mathematics, 2012, No. 4, pp. 341-344, 4 pages
Abstract: We consider direct solution to third order ordinary differential equations in this paper. Method of collection and interpolation of the power series approximant of single variable is considered to derive a linear multistep method (LMM) with continuous coefficient. Block method was later adopted to generate the independent solution at selected grid points. The properties of the block, viz. order, zero stability and stability region, are investigated. Our method was tested on third order ordinary differential equations and found to give better results when compared with existing methods.
Keywords: collection; interpolation; power series approximant; linear multistep; continuous coefficient; block method
13. An analysis of Zeng Kencheng's cryptanalytic thinking through the linear syndrome method
Authors: 冯登国 | 《密码学报(中英文)》, CSCD PKU Core, 2024, No. 2, pp. 255-262, 8 pages
Abstract: In 1986 Zeng Kencheng (曾肯成) perceived the phenomenon of entropy leakage in cryptosystems, and on that basis later proposed the well-known linear syndrome method. This paper comprehensively analyzes the development of the linear syndrome method and thereby reveals the essence of Zeng's cryptanalytic thinking. First, it describes how Zeng, by observing entropy leakage in the Geffe sequence generator, arrived at the naive form of the linear syndrome method, and the methodology behind it. Second, it describes how Zeng distilled a general problem from the Geffe generator and proposed a general method for solving it, the linear syndrome method, and the methodology behind that. Third, it describes how Zeng analyzed the shortcomings of the linear syndrome method and further refined and improved it, and the methodology behind that. Finally, by analyzing the progression from correlation analysis to the linear syndrome method, it explains the power of the linear syndrome method.
Keywords: stream cipher; cryptanalysis; linear syndrome method; correlation analysis; majority principle
14. Evaluation of the resistance of two kinds of dynamic cipher structures to impossible differential and zero-correlation linear cryptanalysis (Cited by: 1)
Authors: 沈璇, 刘国强, 孙兵, 何俊 | 《电子学报》, EI CAS CSCD PKU Core, 2024, No. 3, pp. 709-718, 10 pages
Abstract: The design and analysis of dynamic ciphers is a current research hotspot in cryptography. This paper evaluates the resistance of the CLEFIA-like dynamic cipher structure and the four-branch CLEFIA transformation cluster to impossible differential and zero-correlation linear cryptanalysis. When the round functions of the two dynamic cipher structures are bijective, by studying the commutativity of the cipher components, it is proved that each of the two dynamic structures is permutation-equivalent to a standard static cipher structure. Using this permutation equivalence and constructing impossible differential and zero-correlation linear distinguishers for the static structures, it is proved that every 4n-round CLEFIA-like dynamic cipher structure has 8-round impossible differential and zero-correlation linear distinguishers, and that every 4n-round four-branch CLEFIA transformation cluster has 9-round impossible differential and zero-correlation linear distinguishers.
Keywords: block cipher; dynamic cipher; CLEFIA-like dynamic cipher structure; four-branch CLEFIA transformation cluster; impossible differential; zero-correlation linear
15. MILP-based differential cryptanalysis of the lightweight cipher FBC-128
Authors: 赵琪, 樊婷, 韦永壮 | 《电子学报》, EI CAS CSCD PKU Core, 2024, No. 6, pp. 1896-1902, 7 pages
Abstract: FBC (Feistel-based Block Cipher) is a lightweight block cipher that advanced to the second round of the Chinese National Cryptographic Algorithm Design Competition. Because of its simple structure, high security and excellent hardware and software performance, it has attracted wide attention. The block length and key length of FBC are at least 128 bits, denoted FBC-128. The best previous differential attack on FBC-128 reaches 12 rounds, with time complexity 2^93.41 encryptions and data complexity 2^122 chosen plaintext pairs. However, whether FBC has longer differential distinguishers, and whether key-recovery attacks on more rounds are possible, remained open. Based on automated search with mixed integer linear programming (MILP), this paper proposes a "segmented statistics method" to find differential characteristics of FBC-128. Experimental results show that FBC-128 has a 15-round differential distinguisher with probability 2^(-121). Extending it by one round, a key-recovery attack on 16-round FBC-128 is mounted with data complexity 2^121 chosen plaintexts and time complexity 2^92.68 encryptions. Compared with existing results, both the differential distinguisher and the key-recovery attack are extended by 4 rounds, with lower data and time complexity.
Keywords: automated analysis; mixed integer linear programming; block cipher; differential distinguisher; key-recovery attack; FBC
16. Construction of zero-correlation linear distinguishers for the CLEFIA dynamic cipher structure
Authors: 沈霞民, 熊涛, 李华, 沈璇 | 《信息网络安全》, CSCD PKU Core, 2024, No. 6, pp. 948-958, 11 pages
Abstract: As research on block cipher applications deepens, researchers have found that "dynamically variable" block cipher designs can effectively improve the deployment flexibility and security of block ciphers. Following this idea, some scholars modified the linear transformation layer of CLEFIA so that the diffusion layer in round 6t (t≥1) can be chosen arbitrarily from several linear bijections over {0,1}^4. To evaluate the security of the CLEFIA dynamic cipher structure, this paper mainly applies zero-correlation linear cryptanalysis, using the miss-in-the-middle technique and a matrix representation to construct zero-correlation linear distinguishers for the CLEFIA dynamic structure. It is proved that, provided the round function is bijective, an 8-round zero-correlation linear distinguisher always exists for the CLEFIA dynamic cipher structure regardless of the values of the dynamic linear-layer control parameters μ_(i)∈F_(2) (0≤i≤4); when the control parameter μ_(0)=0, a 9-round zero-correlation linear distinguisher exists.
Keywords: block cipher; CLEFIA dynamic cipher structure; zero-correlation linear cryptanalysis; miss-in-the-middle technique; matrix representation
17. Tighter differential and linear security bounds for Camellia
Authors: 王一博, 龚萍, 苗旭东, 董新锋, 杨明帅, 张文政 | 《通信技术》, 2024, No. 8, pp. 855-860, 6 pages
Abstract: The linear diffusion layer of Camellia is a byte-level (0,1)-matrix of order 8. Because the matrix is wide and contains many XOR terms, it is difficult to build a precise byte-level automated evaluation model. At present, evaluations that use only the branch number 5 of the linear diffusion matrix yield too few differential and linear active S-boxes. To address this, a general method based on mixed integer linear programming (MILP) is proposed for building a byte-level evaluation model for complex (0,1)-linear diffusion matrices. The method uses internal properties of the linear diffusion matrix to search quickly and fairly precisely for the differential and linear active S-boxes of Camellia, and thus obtains tighter differential and linear security bounds for Camellia. The method offers guidance for ciphers designed with (0,1)-linear diffusion matrices and enables a clearer evaluation of their security bounds.
Keywords: linear diffusion layer; differential active S-boxes; linear active S-boxes; MILP; block cipher
18. Multiple linear cryptanalysis of 2-round Trivium (Cited by: 8)
Authors: 贾艳艳, 胡予濮, 杨文峰, 高军涛 | 《电子与信息学报》, EI CSCD PKU Core, 2011, No. 1, pp. 223-227, 5 pages
Abstract: As one of the 7 final portfolio algorithms of the European stream cipher project eSTREAM, Trivium has so far withstood security evaluation with no effective attack found. For 2-round Trivium, this paper finds more linear approximation equations, performs multiple linear cryptanalysis on it, and proposes a more effective distinguishing attack. Compared with existing single-linear cryptanalysis, the amount of data needed for a successful attack is significantly reduced: if n linear approximation equations can be found, then for the same success probability, multiple linear cryptanalysis needs only 1/n of the data required by single-linear cryptanalysis. The results show that Trivium's design still has some weaknesses and requires further security analysis before practical deployment.
Keywords: cryptography; stream cipher; cryptanalysis; Trivium; linear approximation
19. Security evaluation of a class of generalized Feistel ciphers (Cited by: 18)
Authors: 吴文玲, 贺也平 | 《电子与信息学报》, EI CSCD PKU Core, 2002, No. 9, pp. 1177-1184, 8 pages
Abstract: This paper evaluates the resistance of a class of generalized Feistel ciphers (GFC) to differential and linear cryptanalysis: if the round function is bijective and the probabilities of its best differential and linear characteristics are p and q respectively, then the probabilities of differential and linear characteristics of 16-round GFC are bounded above by p^7 and q^7; if the round function has an SP structure and is bijective, the probabilities of the best differential and linear characteristics of the S-box are ps and qs, and the branch number of the P transformation is Pd, then the probabilities of differential and linear characteristics of 16-round GFC are bounded above by (ps)^(3Pd+1) and (qs)^(3Pd+1).
Keywords: differential cryptanalysis; linear cryptanalysis; branch number; Feistel cipher; security
20. Provable security of SP-type block ciphers with nested Feistel structure (Cited by: 6)
Authors: 张文涛, 卿斯汉, 吴文玲 | 《计算机研究与发展》, EI CSCD PKU Core, 2004, No. 8, pp. 1389-1397, 9 pages
Abstract: A model of SP-type block ciphers with nested Feistel structure is given, together with its provable security against differential cryptanalysis and linear cryptanalysis. The results obtained are mainly based on the proof of a generalized result on the provable security of SP-type ciphers. According to the model .
Keywords: block cipher; Feistel network; SP network; differential cryptanalysis; linear cryptanalysis; provable security