Author Search Result

[Author] Jaechul SUNG(7hit)

  • Known-Key Attacks on Generalized Feistel Schemes with SP Round Function

    HyungChul KANG  Deukjo HONG  Dukjae MOON  Daesung KWON  Jaechul SUNG  Seokhie HONG  

     
    PAPER-Cryptography and Information Security

    Vol: E95-A  No: 9  Page(s): 1550-1560

    We present attacks on the generalized Feistel schemes, where each round function consists of a subkey XOR, S-boxes, and then a linear transformation (i.e. a Substitution-Permutation (SP) round function). Our techniques are based on rebound attacks. We assume that the S-boxes have a good differential property and the linear transformation has an optimal branch number. Under this assumption, we firstly describe known-key distinguishers on the type-1, -2, and -3 generalized Feistel schemes up to 21, 13 and 8 rounds, respectively. Then, we use the distinguishers to make several attacks on hash functions where Merkle-Damgård domain extender is used and the compression function is constructed with Matyas-Meyer-Oseas or Miyaguchi-Preneel hash modes from generalized Feistel schemes. Collision attacks are made for 11 rounds of type-1 Feistel scheme. Near collision attacks are made for 13 rounds of type-1 Feistel scheme and 9 rounds of type-2 Feistel scheme. Half collision attacks are made for 15 rounds of type-1 Feistel scheme, 9 rounds of type-2 Feistel scheme, and 5 rounds of type-3 Feistel scheme.

  • Weak-Key Classes of 7-Round MISTY 1 and 2 for Related-Key Amplified Boomerang Attacks

    Eunjin LEE  Jongsung KIM  Deukjo HONG  Changhoon LEE  Jaechul SUNG  Seokhie HONG  Jongin LIM  

     
    PAPER-Cryptography and Information Security

    Vol: E91-A  No: 2  Page(s): 642-649

    In 1997, M. Matsui proposed secret-key cryptosystems called MISTY 1 and MISTY 2, which are 8- and 12-round block ciphers with a 64-bit block, and a 128-bit key. They are designed based on the principle of provable security against differential and linear cryptanalysis. In this paper we present large collections of weak-key classes encompassing $2^{73}$ and $2^{70}$ weak keys for 7-round MISTY 1 and 2 for which they are vulnerable to a related-key amplified boomerang attack. Under our weak-key assumptions, the related-key amplified boomerang attack can be applied to 7-round MISTY 1 and 2 with $2^{54}$, $2^{56}$ chosen plaintexts and $2^{55.3}$ 7-round MISTY 1 encryptions, $2^{65}$ 7-round MISTY 2 encryptions, respectively.

  • New Approach to Constructing Noise Source Based on Race Conditions

    Seong Gyeom KIM  Seung Joon LEE  Deukjo HONG  Jaechul SUNG  Seokhie HONG  

     
    PAPER-Cryptography and Information Security

    Vol: E102-A  No: 9  Page(s): 1272-1284

    A noise source is an essential component of random bit generator, and is either an application or a device to provide entropy from analog noise. In 2008, Colesa et al. first proposed two software strategies for constructing noise source based on race conditions. However, Colesa et al.'s designs require a lot of threads and even suffer from a low bit rate. Moreover, setting a parameter for each system is complicated since the parameter is related to the entropy and the bit rate at the same time. In this paper, we propose new constructions of noise source based on race conditions. We call them NSRC-1 and NSRC-2. The bit rate of our designs is improved by up to 819 times higher on multi-core systems with high entropy. The parameter adjustment becomes straightforward by removing the relation between the parameter and the entropy. Additionally, since NSRC-1 and 2 require only two threads at once, they are more available software-based methods for harvesting entropy not only on general devices but also on mobile devices.

  • Seven New Block Cipher Structures with Provable Security against Differential Cryptanalysis

    Jongsung KIM  Changhoon LEE  Jaechul SUNG  Seokhie HONG  Sangjin LEE  Jongin LIM  

     
    PAPER-Cryptography and Information Security

    Vol: E91-A  No: 10  Page(s): 3047-3058

    The design and analysis of block ciphers is an established field of study which has seen significant progress since the early 1990s. Nevertheless, what remains on an interesting direction to explore in this area is to design block ciphers with provable security against powerful known attacks such as differential and linear cryptanalysis. In this paper we introduce seven new block cipher structures, named Feistel-variant A, B, CLEFIA and MISTY-FO-variant A, B, C, D structures, and show that these structures are provably resistant against differential cryptanalysis. The main results of this paper are that the average differential probabilities over at least 2 rounds of Feistel-variant A structure and 1 round of Feistel-variant B structure are both upperbounded by $p^2$, while the average differential probabilities over at least 5 rounds of CLEFIA, MISTY-FO-variant A, B, C and D structures are upperbounded by $p^4+2p^5$, $p^4$, $p^4$, $2p^4$ and $2p^4$, respectively, if the maximum differential probability of a round F function is $p$. We also give provable security for the Feistel-variant A, B and CLEFIA structures against linear cryptanalysis. Our results are attained under the assumption that all of components in our proposed structures are bijective. We expect that our results are useful to design block ciphers with provable security against differential and linear cryptanalysis.

  • Known-Key Attack on SM4 Block Cipher

    HyungChul KANG  Deukjo HONG  Jaechul SUNG  Seokhie HONG  

     
    PAPER-Cryptography and Information Security

    Vol: E100-A  No: 12  Page(s): 2985-2990

    We present the first known-key attack on SM4, which is the Chinese standard block cipher made for the wireless LAN WAPI. We make a known-key distinguisher using rebound techniques with the time complexity of $2^{12.75}$. Then, with the distinguisher, we provide near-collision attacks on MMO and MP hash modes of SM4. Precisely, we find a 104-bit near-collision for 13 rounds of SM4 with the time complexity of $2^{13.30}$ and a 32-bit near-collision for 17 rounds of SM4 with the time complexity of $2^{12.91}$. They are much more efficient than generic attacks for the case of random permutation.

  • Impossible Differential Cryptanalysis of Zodiac

    Deukjo HONG  Jaechul SUNG  Shiho MORIAI  Sangjin LEE  Jongin LIM  

     
    PAPER

    Vol: E85-A  No: 1  Page(s): 38-43

    In this paper, we discuss the impossible differential cryptanalysis for the block cipher Zodiac. The main design principles of Zodiac include simplicity and efficiency. However, the diffusion layer in its round function is too simple to offer enough security. The impossible differential cryptanalysis exploits such weakness in Zodiac. Our attack using a 14-round impossible characteristic derives the 128-bit master key of the full 16-round Zodiac faster than the exhaustive search. The efficiency of the attack compared with exhaustive search increases as the key size increases.

  • Compression Function Design Principles Supporting Variable Output Lengths from a Single Small Function

    Donghoon CHANG  Mridul NANDI  Jesang LEE  Jaechul SUNG  Seokhie HONG  Jongin LIM  Haeryong PARK  Kilsoo CHUN  

     
    PAPER-Cryptography and Information Security

    Vol: E91-A  No: 9  Page(s): 2607-2614

    In this paper, we introduce new compression function design principles supporting variable output lengths (multiples of size n). They are based on a function or block cipher with an n-bit output size. In the case of the compression function with a (t+1)n-bit output size, in the random oracle and ideal cipher models, their maximum advantages from the perspective of collision resistance are . In the case of t=1, the advantage is near-optimal. In the case of t>1, the advantage is optimal.