This paper first presents an impossible differential property for 5-round Advanced Encryption Standard (AES) with high probability. Based on the property and the impossible differential cryptanalytic method for the ...This paper first presents an impossible differential property for 5-round Advanced Encryption Standard (AES) with high probability. Based on the property and the impossible differential cryptanalytic method for the 5-round AES, a new method is proposed for cryptanalyzing the 8-round AES-192 and AES-256. This attack on the reduced 8-round AES-192 demands 2^121 words of memory, and performs 2^148 8-round AES-192 encryptions. This attack on the reduced 8-round AES-256 demands 2^153 words of memory, and performs 2^180 8-round AES-256 encryptions. Furthermore, both AES-192 and AES-256 require about 2^98 chosen plaintexts for this attack, and have the same probability that is only 2^-3 to fail to recover the secret key.展开更多
A new attack on block ciphers is introduced, which is termed linear-differential cryptanalysis. It bases the combining of linear cryptanalysis and differential cryptanalysis, and works by using linear-differential pro...A new attack on block ciphers is introduced, which is termed linear-differential cryptanalysis. It bases the combining of linear cryptanalysis and differential cryptanalysis, and works by using linear-differential probability (LDP). Moreover, we present a new method for upper bounding the maximum linear-differential probability (MLDP) for 2 rounds of substitution permutation network (SPN) cipher structure. When our result applies to 2-round advanced encryption standard(AES), It is shown that the upper bound of MLDP is up to 1.68×2^-19, which extends the known results for the 2-round SPN. Furthermore, when using a recursive technique, we obtain that the MLDP for 4 rounds of AES is bounded by 2^-73.展开更多
Unified Irrpossible Differential (UID) cryptanalysis is a systeimtic method for finding impossible differentials for block ciphers. Regarding to the problem of automatically retrieving the impossible differential ch...Unified Irrpossible Differential (UID) cryptanalysis is a systeimtic method for finding impossible differentials for block ciphers. Regarding to the problem of automatically retrieving the impossible differential characteristics of block ciphers, with the use of particular intermediate difference state expression, UID gets the same or better results compared with other present cryptanalysis results. ARIA is a Korean block cipher expecting that there are no impossible differentials on four or rmre rounds. Based on a property of the Diffusion layer (DL) of ARIA, a specific selection is used before conflict searching to optimize. UID is applied to ARIA, and 6 721 impossible differential chains are found. The length of those chains is four rounds, the same as eisting results, but more varied in form Moreover, ARIA is a Substitution-Penmtation Network (SPN), not a Feistel structure or generalized Feistel structure as UID was applied to before.展开更多
Due to the strong attacking ability, fast speed, simple implementation and other characteristics, differential fault analysis has become an important method to evaluate the security of cryptosystem in the Internet of ...Due to the strong attacking ability, fast speed, simple implementation and other characteristics, differential fault analysis has become an important method to evaluate the security of cryptosystem in the Internet of Things. As one of the AES finalists, the Serpent is a 128-bit Substitution-Permutation Network(SPN) cryptosystem. It has 32 rounds with the variable key length between 0 and 256 bits, which is flexible to provide security in the Internet of Things. On the basis of the byte-oriented model and the differential analysis, we propose an effective differential fault attack on the Serpent cryptosystem. Mathematical analysis and simulating experiment show that the attack could recover its secret key by introducing 48 faulty ciphertexts. The result in this study describes that the Serpent is vulnerable to differential fault analysis in detail. It will be beneficial to the analysis of the same type of other iterated cryptosystems.展开更多
4-bit linear relations play an important role in cryptanalysis of 4-bit crypto S-boxes. 4-bit finite differences have also been a major part of cryptanalysis of 4-bit S-boxes. Existence of all 4-bit linear relations h...4-bit linear relations play an important role in cryptanalysis of 4-bit crypto S-boxes. 4-bit finite differences have also been a major part of cryptanalysis of 4-bit S-boxes. Existence of all 4-bit linear relations have been counted for all of 16 input and 16 output 4-bit bit patterns of 4-bit Crypto S-boxes said as S-boxes has been reported in Linear Cryptanalysis of 4-bit S-boxes. Count of existing finite differences from each element of output S-boxes to distant output S-boxes have been noted in Differential Cryptanalysis of S-boxes. In this paper a brief review of these two cryptanalytic methods for 4-bit S-boxes has been introduced in a very lucid and conceptual manner. Two new analysis techniques, one to search for the existing linear approximations among the input vectors (IPVs) and output Boolean functions (BFs) of a particular S-box has also been introduced in this paper. The search is limited to find the existing linear relations or approximations in the contrary to count the number of existent linear relations among all 16, 4-bit input and output bit patterns within all possible linear approximations. Another is to find number of balanced BFs in difference output S-boxes. Better the number of Balanced BFs, Better the security.展开更多
This paper studies the security of the block ciphers ARIA and Camellia against impossible differential cryptanalysis. Our work improves the best impossible differential cryptanalysis of ARIA and Camellia known so far....This paper studies the security of the block ciphers ARIA and Camellia against impossible differential cryptanalysis. Our work improves the best impossible differential cryptanalysis of ARIA and Camellia known so far. The designers of ARIA expected no impossible differentials exist for 4-round ARIA. However, we found some nontrivial 4-round impossible differentials, which may lead to a possible attack on 6-round ARIA. Moreover, we found some nontrivial 8-round impossible differentials for Camellia, whereas only 7-round impossible differentials were previously known. By using the 8-round impossible differentials, we presented an attack on 12-round Camellia without FL/FL^-1 layers.展开更多
SMS4 is a 128-bit block cipher used in the WAPI standard for wireless networks in China. In this paper, we analyze the security of the SMS4 block cipher against differential cryptanalysis. Firstly, we prove three theo...SMS4 is a 128-bit block cipher used in the WAPI standard for wireless networks in China. In this paper, we analyze the security of the SMS4 block cipher against differential cryptanalysis. Firstly, we prove three theorems and one corollary that reflect relationships of 5- and 6-round SMS4. Next, by these relationships, we clarify the minimum number of active S-boxes in 6-, 7- and 12-round SMS4 respectively. Finally, based on the above results, we present a family of about 2^14 differential characteristics for 19-round SMS4, which leads to an attack on 23-round SMS4 with 2^118 chosen plaintexts and 2^126.7 encryptions.展开更多
The security of international date encryption algorithm (IDEA(16)), a mini IDEA cipher, against differential cryptanalysis is investigated. The results show that [DEA(16) is secure against differential cryptanal...The security of international date encryption algorithm (IDEA(16)), a mini IDEA cipher, against differential cryptanalysis is investigated. The results show that [DEA(16) is secure against differential cryptanalysis attack after 5 rounds while IDEA(8) needs 7 rounds for the same level of security. The transition matrix for IDEA(16) and its eigenvalue of second largest magnitude are computed. The storage method for the transition matrix has been optimized to speed up file I/O. The emphasis of the work lies in finding out an effective way of computing the eigenvalue of the matrix. To lower time complexity, three mature algorithms in finding eigenvalues are compared from one another and subspace iteration algorithm is employed to compute the eigenvalue of second largest module, with a precision of 0.001.展开更多
Impossible differential cryptanalysis is a method recovering secret key, which gets rid of the keys that satisfy impossible differential relations. This paper concentrates on the impossible differential cryptanalysis ...Impossible differential cryptanalysis is a method recovering secret key, which gets rid of the keys that satisfy impossible differential relations. This paper concentrates on the impossible differential cryptanalysis of Advanced Encryption Standard (AES) and presents two methods for impossible differential cryptanalysis of 7-round AES-192 and 8-round AES-256 combined with time-memory trade-off by exploiting weaknesses in their key schedule. This attack on the reduced to 7-round AES-192 requires about 294.5 chosen plaintexts, demands 2129 words of memory, and performs 2157 7-round AES-192 encryptions. Furthermore, this attack on the reduced to 8-round AES-256 requires about 2^101 chosen plaintexts, demands 2^201 words of memory, and performs 2^228 8-round AES-256 encryptions.展开更多
基金Supported by the Foundation of National Labora-tory for Modern Communications (51436030105DZ0105)
文摘This paper first presents an impossible differential property for 5-round Advanced Encryption Standard (AES) with high probability. Based on the property and the impossible differential cryptanalytic method for the 5-round AES, a new method is proposed for cryptanalyzing the 8-round AES-192 and AES-256. This attack on the reduced 8-round AES-192 demands 2^121 words of memory, and performs 2^148 8-round AES-192 encryptions. This attack on the reduced 8-round AES-256 demands 2^153 words of memory, and performs 2^180 8-round AES-256 encryptions. Furthermore, both AES-192 and AES-256 require about 2^98 chosen plaintexts for this attack, and have the same probability that is only 2^-3 to fail to recover the secret key.
基金Supported by the National Natural Science Foun-dation of China(60503010) and the Foundation of National Laboratory for Modern communications(51436030105DZ0105)
文摘A new attack on block ciphers is introduced, which is termed linear-differential cryptanalysis. It bases the combining of linear cryptanalysis and differential cryptanalysis, and works by using linear-differential probability (LDP). Moreover, we present a new method for upper bounding the maximum linear-differential probability (MLDP) for 2 rounds of substitution permutation network (SPN) cipher structure. When our result applies to 2-round advanced encryption standard(AES), It is shown that the upper bound of MLDP is up to 1.68×2^-19, which extends the known results for the 2-round SPN. Furthermore, when using a recursive technique, we obtain that the MLDP for 4 rounds of AES is bounded by 2^-73.
基金Acknowledgements This paper was supported by the National Natural Science Foundation of China under Ccant No.61073149 the Research Fund for the Doctoral Program of Higher Education of China under Grant No. 20090073110027.
文摘Unified Irrpossible Differential (UID) cryptanalysis is a systeimtic method for finding impossible differentials for block ciphers. Regarding to the problem of automatically retrieving the impossible differential characteristics of block ciphers, with the use of particular intermediate difference state expression, UID gets the same or better results compared with other present cryptanalysis results. ARIA is a Korean block cipher expecting that there are no impossible differentials on four or rmre rounds. Based on a property of the Diffusion layer (DL) of ARIA, a specific selection is used before conflict searching to optimize. UID is applied to ARIA, and 6 721 impossible differential chains are found. The length of those chains is four rounds, the same as eisting results, but more varied in form Moreover, ARIA is a Substitution-Penmtation Network (SPN), not a Feistel structure or generalized Feistel structure as UID was applied to before.
基金supported by the National Natural Science Foundation of China under Grant No.61003278,No.61073150 and No.61202371Innovation Program of Shanghai Municipal Education Commission under Grant No.14ZZ066+5 种基金the open research fund of State Key Laboratory of Information Securitythe Opening Project of Shanghai Key Laboratory of Integrate Administration Technologies for Information Securitythe Fundamental Research Funds for the Central Universities,National Key Basic Research Program of China under Grant No.2013CB338004China Postdoctoral Science Foundation under Grant No.2012M521829Shanghai Postdoctoral Research Funding Program under Grant No.12R21414500the National Social Science Foundation of China under Grant No.13CFX054
文摘Due to the strong attacking ability, fast speed, simple implementation and other characteristics, differential fault analysis has become an important method to evaluate the security of cryptosystem in the Internet of Things. As one of the AES finalists, the Serpent is a 128-bit Substitution-Permutation Network(SPN) cryptosystem. It has 32 rounds with the variable key length between 0 and 256 bits, which is flexible to provide security in the Internet of Things. On the basis of the byte-oriented model and the differential analysis, we propose an effective differential fault attack on the Serpent cryptosystem. Mathematical analysis and simulating experiment show that the attack could recover its secret key by introducing 48 faulty ciphertexts. The result in this study describes that the Serpent is vulnerable to differential fault analysis in detail. It will be beneficial to the analysis of the same type of other iterated cryptosystems.
文摘4-bit linear relations play an important role in cryptanalysis of 4-bit crypto S-boxes. 4-bit finite differences have also been a major part of cryptanalysis of 4-bit S-boxes. Existence of all 4-bit linear relations have been counted for all of 16 input and 16 output 4-bit bit patterns of 4-bit Crypto S-boxes said as S-boxes has been reported in Linear Cryptanalysis of 4-bit S-boxes. Count of existing finite differences from each element of output S-boxes to distant output S-boxes have been noted in Differential Cryptanalysis of S-boxes. In this paper a brief review of these two cryptanalytic methods for 4-bit S-boxes has been introduced in a very lucid and conceptual manner. Two new analysis techniques, one to search for the existing linear approximations among the input vectors (IPVs) and output Boolean functions (BFs) of a particular S-box has also been introduced in this paper. The search is limited to find the existing linear relations or approximations in the contrary to count the number of existent linear relations among all 16, 4-bit input and output bit patterns within all possible linear approximations. Another is to find number of balanced BFs in difference output S-boxes. Better the number of Balanced BFs, Better the security.
基金This work is supported by the National Natural Science Foundation of China under Grant No.90604036the National Grand Fundamental Research 973 Program of China under Grant No.2004CB318004.
文摘This paper studies the security of the block ciphers ARIA and Camellia against impossible differential cryptanalysis. Our work improves the best impossible differential cryptanalysis of ARIA and Camellia known so far. The designers of ARIA expected no impossible differentials exist for 4-round ARIA. However, we found some nontrivial 4-round impossible differentials, which may lead to a possible attack on 6-round ARIA. Moreover, we found some nontrivial 8-round impossible differentials for Camellia, whereas only 7-round impossible differentials were previously known. By using the 8-round impossible differentials, we presented an attack on 12-round Camellia without FL/FL^-1 layers.
基金supported by the National Natural Science Foundation of China under Grant Nos.60873259 and 60903212the Knowledge Innovation Project of the Chinese Academy of Sciences
文摘SMS4 is a 128-bit block cipher used in the WAPI standard for wireless networks in China. In this paper, we analyze the security of the SMS4 block cipher against differential cryptanalysis. Firstly, we prove three theorems and one corollary that reflect relationships of 5- and 6-round SMS4. Next, by these relationships, we clarify the minimum number of active S-boxes in 6-, 7- and 12-round SMS4 respectively. Finally, based on the above results, we present a family of about 2^14 differential characteristics for 19-round SMS4, which leads to an attack on 23-round SMS4 with 2^118 chosen plaintexts and 2^126.7 encryptions.
基金Supported by the National Natural Science Foundation of China (60573032, 90604036)Participation in Research Project of Shanghai Jiao Tong University
文摘The security of international date encryption algorithm (IDEA(16)), a mini IDEA cipher, against differential cryptanalysis is investigated. The results show that [DEA(16) is secure against differential cryptanalysis attack after 5 rounds while IDEA(8) needs 7 rounds for the same level of security. The transition matrix for IDEA(16) and its eigenvalue of second largest magnitude are computed. The storage method for the transition matrix has been optimized to speed up file I/O. The emphasis of the work lies in finding out an effective way of computing the eigenvalue of the matrix. To lower time complexity, three mature algorithms in finding eigenvalues are compared from one another and subspace iteration algorithm is employed to compute the eigenvalue of second largest module, with a precision of 0.001.
基金the National Natural Science Foundation of China (Grant No. 60673072)Foundation of National Laboratory for Modern Communications (Grant No. 51436030105DZ0105)
文摘Impossible differential cryptanalysis is a method recovering secret key, which gets rid of the keys that satisfy impossible differential relations. This paper concentrates on the impossible differential cryptanalysis of Advanced Encryption Standard (AES) and presents two methods for impossible differential cryptanalysis of 7-round AES-192 and 8-round AES-256 combined with time-memory trade-off by exploiting weaknesses in their key schedule. This attack on the reduced to 7-round AES-192 requires about 294.5 chosen plaintexts, demands 2129 words of memory, and performs 2157 7-round AES-192 encryptions. Furthermore, this attack on the reduced to 8-round AES-256 requires about 2^101 chosen plaintexts, demands 2^201 words of memory, and performs 2^228 8-round AES-256 encryptions.
