The search functionality is under construction.
The search functionality is under construction.

Keyword Search Result

[Keyword] block cipher(83hit)

1-20hit(83hit)

  • Feistel Ciphers Based on a Single Primitive Open Access

    Kento TSUJI  Tetsu IWATA  

     
    PAPER-Cryptography and Information Security

      Pubricized:
    2024/03/29
      Vol:
    E107-A No:8
      Page(s):
    1229-1240

    We consider Feistel ciphers instantiated with tweakable block ciphers (TBCs) and ideal ciphers (ICs). The indistinguishability security of the TBC-based Feistel cipher is known, and the indifferentiability security of the IC-based Feistel cipher is also known, where independently keyed TBCs and independent ICs are assumed. In this paper, we analyze the security of a single-keyed TBC-based Feistel cipher and a single IC-based Feistel cipher. We characterize the security depending on the number of rounds. More precisely, we cover the case of contracting Feistel ciphers that have d ≥ 2 lines, and the results on Feistel ciphers are obtained as a special case by setting d = 2. Our indistinguishability security analysis shows that it is provably secure with d + 1 rounds. Our indifferentiability result shows that, regardless of the number of rounds, it cannot be secure. Our attacks are a type of a slide attack, and we consider a structure that uses a round constant, which is a well-known countermeasure against slide attacks. We show an indifferentiability attack for the case d = 2 and 3 rounds.

  • Investigating and Enhancing the Neural Distinguisher for Differential Cryptanalysis Open Access

    Gao WANG  Gaoli WANG  Siwei SUN  

     
    PAPER-Information Network

      Pubricized:
    2024/04/12
      Vol:
    E107-D No:8
      Page(s):
    1016-1028

    At Crypto 2019, Gohr first adopted the neural distinguisher for differential cryptanalysis, and since then, this work received increasing attention. However, most of the existing work focuses on improving and applying the neural distinguisher, the studies delving into the intrinsic principles of neural distinguishers are finite. At Eurocrypt 2021, Benamira et al. conducted a study on Gohr’s neural distinguisher. But for the neural distinguishers proposed later, such as the r-round neural distinguishers trained with k ciphertext pairs or ciphertext differences, denoted as NDcpk_r (Gohr’s neural distinguisher is the special NDcpk_r with K = 1) and NDcdk_r , such research is lacking. In this work, we devote ourselves to study the intrinsic principles and relationship between NDcdk_r and NDcpk_r. Firstly, we explore the working principle of NDcd1_r through a series of experiments and find that it strongly relies on the probability distribution of ciphertext differences. Its operational mechanism bears a strong resemblance to that of NDcp1_r given by Benamira et al.. Therefore, we further compare them from the perspective of differential cryptanalysis and sample features, demonstrating the superior performance of NDcp1_r can be attributed to the relationships between certain ciphertext bits, especially the significant bits. We then extend our investigation to NDcpk_r, and show that its ability to recognize samples heavily relies on the average differential probability of k ciphertext pairs and some relationships in the ciphertext itself, but the reliance between k ciphertext pairs is very weak. Finally, in light of the findings of our research, we introduce a strategy to enhance the accuracy of the neural distinguisher by using a fixed difference to generate the negative samples instead of the random one. Through the implementation of this approach, we manage to improve the accuracy of the neural distinguishers by approximately 2% to 8% for 7-round Speck32/64 and 9-round Simon32/64.

  • Integral Cryptanalysis on Reduced-Round KASUMI

    Nobuyuki SUGIO  Yasutaka IGARASHI  Sadayuki HONGO  

     
    PAPER-Cryptography and Information Security

      Pubricized:
    2022/04/22
      Vol:
    E105-A No:9
      Page(s):
    1309-1316

    Integral cryptanalysis is one of the most powerful attacks on symmetric key block ciphers. Attackers preliminarily search integral characteristics of a target cipher and use them to perform the key recovery attack. Todo proposed a novel technique named the bit-based division property to find integral characteristics. Xiang et al. extended the Mixed Integer Linear Programming (MILP) method to search integral characteristics of lightweight block ciphers based on the bit-based division property. In this paper, we apply these techniques to the symmetric key block cipher KASUMI which was developed by modifying MISTY1. As a result, we found new 4.5-round characteristics of KASUMI for the first time. We show that 7-round KASUMI is attackable with 263 data and 2120 encryptions.

  • A Performance Model for Reconfigurable Block Cipher Array Utilizing Amdahl's Law

    Tongzhou QU  Zibin DAI  Yanjiang LIU  Lin CHEN  Xianzhao XIA  

     
    PAPER-Computer System

      Pubricized:
    2022/02/17
      Vol:
    E105-D No:5
      Page(s):
    964-972

    The existing research on Amdahl's law is limited to multi/many-core processors, and cannot be applied to the important parallel processing architecture of coarse-grained reconfigurable arrays. This paper studies the relation between the multi-level parallelism of block cipher algorithms and the architectural characteristics of coarse-grain reconfigurable arrays. We introduce the key variables that affect the performance of reconfigurable arrays, such as communication overhead and configuration overhead, into Amdahl's law. On this basis, we propose a performance model for coarse-grain reconfigurable block cipher array (CGRBA) based on the extended Amdahl's law. In addition, this paper establishes the optimal integer nonlinear programming model, which can provide a parameter reference for the architecture design of CGRBA. The experimental results show that: (1) reducing the communication workload ratio and increasing the number of configuration pages reasonably can significantly improve the algorithm performance on CGRBA; (2) the communication workload ratio has a linear effect on the execution time.

  • Applying Byte-Shuffling to CLEFIA-Type Structure

    Kazuto SHIMIZU  Kosei SAKAMOTO  Takanori ISOBE  

     
    PAPER

      Pubricized:
    2021/12/07
      Vol:
    E105-A No:3
      Page(s):
    268-277

    Generalized Feistel Network (GFN) is widely used in block ciphers. CLEFIA is one of the GFN type-2 block ciphers. CLEFIA employs Diffusion Switching Mechanism (DSM) in its diffusion layer. DSM improves CLEFIA's security by increasing its number of active S-boxes, which is an indicator of security against differential and linear cryptanalyses. However, two matrices in DSM increase implementational cost. In this paper, we pursue the research question whether it is possible to achieve the same security as original CLEFIA with only one matrix without overhead in hardware. Our idea to answer the research question is applying byte-shuffling technique to CLEFIA. Byte-shuffling is an operation to shuffle 8-bit bytes. On the other hand, traditional GFN ciphers rotate 32-bit or larger words in their permutation layer. Since implementation of byte-shuffling is considered as cost-free in hardware, it adds no overhead in comparison with word rotation. Byte-shuffling has numerous shuffle patterns whereas word rotation has a few patterns. In addition, security property varies among the shuffle patterns. So, we have to find the optimal shuffle pattern(s) on the way to pursue the research question. Although one way to find the optimal shuffle pattern is evaluating all possible shuffle patterns, it is impractical to evaluate them since the evaluation needs much time and computation. We utilize even-odd byte-shuffling technique to narrow the number of shuffle patterns to be searched. Among numerous shuffle patterns, we found 168 shuffle patterns as the optimal shuffle patterns. They achieved full diffusion in 5 rounds. This is the same security as original CLEFIA. They achieved enough security against differential and linear cryptanalyses at 13th and 14th round, respectively, by active S-box evaluations. It is just one and two rounds longer than original CLEFIA. However, it is three and two rounds earlier than CLEFIA without DSM.

  • A Proof of Work Based on Key Recovery Problem of Cascade Block Ciphers with ASIC Resistance

    Takaki ASANUMA  Takanori ISOBE  

     
    PAPER

      Pubricized:
    2021/11/08
      Vol:
    E105-D No:2
      Page(s):
    248-255

    Hashcash, which is a Proof of Work (PoW) of bitcoin, is based on a preimage problem of hash functions of SHA-2 and RIPEMD. As these hash functions employ the Merkle-Damgard (MD) construction, a preimage can be found with negligible memory. Since such calculations can be accelerated by dedicated ASICs, it has a potential risk of a so-called 51% attack. To address this issue, we propose a new PoW scheme based on the key recovery problem of cascade block ciphers. By choosing the appropriate parameters, e.g., block sizes and key sizes of underlying block ciphers, we can make this problem a memory-hard problem such that it requires a lot of memory to efficiently solve it. Besides, we can independently adjust the required time complexity and memory complexity, according to requirements by target applications and progress of computational power.

  • Virtual Vault: A Practical Leakage Resilient Scheme Using Space-Hard Ciphers

    Yuji KOIKE  Takuya HAYASHI  Jun KURIHARA  Takanori ISOBE  

     
    PAPER

      Vol:
    E104-A No:1
      Page(s):
    182-189

    Due to the legal reform on the protection of personal information in US/Japan and the enforcement of the General Data Protection Regulation (GDPR) in Europe, service providers are obliged to more securely manage the sensitive data stored in their server. In order to protect this kind of data, they generally employ a cryptographic encryption scheme and secure key management schemes such as a Hardware Security Module (HSM) and Trusted Platform Module (TPM). In this paper, we take a different approach based on the space-hard cipher. The space-hard cipher has an interesting property called the space hardness. Space hardness guarantees sufficient security against the adversary who gains a part of key data, e.g., 1/4 of key data. Combined with a simple network monitoring technique, we develop a practical leakage resilient scheme Virtual Vault, which is secure against the snapshot adversary who has full access to the memory in the server for a short period. Importantly, Virtual Vault is deployable by only a low-price device for network monitoring, e.g. L2 switch, and software of space-hard ciphers and packet analyzer, while typical solutions require a dedicated hardware for secure key managements such as HSM and TPM. Thus, Virtual Vault is easily added on the existing servers which do not have such dedicated hardware.

  • Tweakable TWINE: Building a Tweakable Block Cipher on Generalized Feistel Structure

    Kosei SAKAMOTO  Kazuhiko MINEMATSU  Nao SHIBATA  Maki SHIGERI  Hiroyasu KUBO  Yuki FUNABIKI  Andrey BOGDANOV  Sumio MORIOKA  Takanori ISOBE  

     
    PAPER-Cryptography and Information Security

      Vol:
    E103-A No:12
      Page(s):
    1629-1639

    Tweakable block cipher (TBC) is an extension of conventional block cipher. We study how to build a TBC based on generalized Feistel structure (GFS), a classical block cipher construction. While known dedicated TBC proposals are based on substitution-permutation network (SPN), GFS has not been used for building TBC. In particular, we take 64-bit GFS block cipher TWINE and try to make it tweakable with a minimum change. To find a best one from a large number of candidates, we performed a comprehensive search with a help of mixed integer linear programming (MILP) solver. As a result, our proposal TWINE is quite efficient, has the same number of rounds as TWINE with extremely simple tweak schedule.

  • Key-Recovery Security of Single-Key Even-Mansour Ciphers

    Takanori ISOBE  Kyoji SHIBUTANI  

     
    PAPER-Cryptography and Information Security

      Vol:
    E103-A No:7
      Page(s):
    893-905

    In this paper, we explore the security of single-key Even-Mansour ciphers against key-recovery attacks. First, we introduce a simple key-recovery attack using key relations on an n-bit r-round single-key Even-Mansour cipher (r-SEM). This attack is feasible with queries of DTr=O(2rn) and $2^{ rac{2r}{r + 1}n}$ memory accesses, which is $2^{ rac{1}{r + 1}n}$ times smaller than the previous generic attacks on r-SEM, where D and T are the number of queries to the encryption function EK and the internal permutation P, respectively. Next, we further reduce the time complexity of the key recovery attack on 2-SEM by a start-in-the-middle approach. This is the first attack that is more efficient than an exhaustive key search while keeping the query bound of DT2=O(22n). Finally, we leverage the start-in-the-middle approach to directly improve the previous attacks on 2-SEM by Dinur et al., which exploit t-way collisions of the underlying function. Our improved attacks do not keep the bound of DT2=O(22n), but are the most time-efficient attacks among the existing ones. For n=64, 128 and 256, our attack is feasible with the time complexity of about $2^{n} cdot rac{1}{2 n}$ in the chosen-plaintext model, while Dinur et al.'s attack requires $2^{n} cdot rac{{ m log}(n)}{ n} $ in the known-plaintext model.

  • Security of Related-Key Differential Attacks on TWINE, Revisited

    Kosei SAKAMOTO  Kazuhiko MINEMATSU  Nao SHIBATA  Maki SHIGERI  Hiroyasu KUBO  Yuki FUNABIKI  Takanori ISOBE  

     
    LETTER

      Vol:
    E103-A No:1
      Page(s):
    212-214

    In this paper, we revisit related-key security of TWINE block cipher with 80-bit and 128-bit keys. Using an MILP-aided automatic search algorithm, we point out the previous evaluation of TWINE with a 80-bit key is wrong, and give a corrected evaluation result. Besides, we show a first security evaluation of TWINE with a 128-bit key in the related-key setting, which was infeasible due to the high computation cost in the original proposal.

  • New Classes of Efficient MDS Transformations

    Yubo LI  Kangquan LI  Longjiang QU  Chao LI  

     
    PAPER-Cryptography and Information Security

      Vol:
    E102-A No:11
      Page(s):
    1504-1511

    MDS transformation plays an important role in resisting against differential cryptanalysis (DC) and linear cryptanalysis (LC). Recently, M. Sajadieh, et al.[15] designed an efficient recursive diffusion layer with Feistel-like structures. Moreover, they obtained an MDS transformation which is related to a linear function and the inverse is as lightweight as itself. Based on this work, we consider one specific form of linear functions to get the diffusion layer with low XOR gates for the hardware implementation by using temporary registers. We give two criteria to reduce the construction space and obtain six new classes of lightweight MDS transformations. Some of our constructions with one bundle-based LFSRs have as low XOR gates as previous best known results. We expect that these results may supply more choices for the design of MDS transformations in the (lightweight) block cipher algorithm.

  • Improved Integral Attack on HIGHT

    Yuki FUNABIKI  Yosuke TODO  Takanori ISOBE  Masakatu MORII  

     
    PAPER-Cryptography and Information Security

      Vol:
    E102-A No:9
      Page(s):
    1259-1271

    HIGHT is a 64-bit block lightweight cipher, which adopts the ARX-based generalized Feistel network, and it accepts a 128-bit key. It is a standard encryption algorithm in South Korea and also is internationally standardized by ISO/IEC 18033-3. Therefore, many third-party cryptanalyses have been proposed against HIGHT. Impossible differential and integral attacks are applied to reduced-round HIGHT, and especially, the impossible differential attack causes the 27-round attack, which is the current best attack under the single-key setting. In this paper, we propose some improved integral attacks against HIGHT. We first apply the division property to HIGHT and find new 19-round integral characteristics, which are improved by two rounds compared with the previous best ones. We append 9-round key recovery to these characteristics and it enables us to attack 28-round HIGHT. Its time complexity is 2127.02 where 263 chosen plaintexts and 2117 memory are required. Moreover, we can attack 29-round HIGHT if the full codebook is used, where its time and memory complexities are 2126.07 and 2118, respectively. It improves by two rounds compared with the previous best attack.

  • Probabilistic Analysis of Differential Fault Attack on MIBS

    Yang GAO  Yong-juan WANG  Qing-jun YUAN  Tao WANG  Xiang-bin WANG  

     
    PAPER-Information Network

      Pubricized:
    2018/11/16
      Vol:
    E102-D No:2
      Page(s):
    299-306

    We propose a new method of differential fault attack, which is based on the nibble-group differential diffusion property of the lightweight block cipher MIBS. On the basis of the statistical regularity of differential distribution of the S-box, we establish a statistical model and then analyze the relationship between the number of faults injections, the probability of attack success, and key recovering bits. Theoretically, time complexity of recovering the main key reduces to 22 when injecting 3 groups of faults (12 nibbles in total) in 30,31 and 32 rounds, which is the optimal condition. Furthermore, we calculate the expectation of the number of fault injection groups needed to recover 62 bits in main key, which is 3.87. Finally, experimental data verifies the correctness of the theoretical model.

  • Meet-in-the-Middle Key Recovery Attacks on a Single-Key Two-Round Even-Mansour Cipher

    Takanori ISOBE  Kyoji SHIBUTANI  

     
    PAPER

      Vol:
    E102-A No:1
      Page(s):
    17-26

    We propose new key recovery attacks on the two-round single-key n-bit Even-Mansour ciphers (2SEM) that are secure up to 22n/3 queries against distinguishing attacks proved by Chen et al. Our attacks are based on the meet-in-the-middle technique which can significantly reduce the data complexity. In particular, we introduce novel matching techniques which enable us to compute one of the two permutations without knowing a part of the key information. Moreover, we present two improvements of the proposed attack: one significantly reduces the data complexity and the other reduces the time complexity. Compared with the previously known attacks, our attack first breaks the birthday barrier on the data complexity although it requires chosen plaintexts. When the block size is 64 bits, our attack reduces the required data from 245 known plaintexts to 226 chosen plaintexts with keeping the time complexity required by the previous attacks. Furthermore, by increasing the time complexity up to 262, the required data is further reduced to 28, and DT=270, where DT is the product of data and time complexities. We show that our data-optimized attack requires DT=2n+6 in general cases. Since the proved lower bound on DT for the single-key one-round n-bit Even-Mansour ciphers is 2n, our results imply that adding one round to one-round constructions does not sufficiently improve the security against key recovery attacks. Finally, we propose a time-optimized attacks on 2SEM in which, we aim to minimize the number of the invocations of internal permutations.

  • Impossible Differential Cryptanalysis of Fantomas and Robin

    Xuan SHEN  Guoqiang LIU  Chao LI  Longjiang QU  

     
    LETTER-Cryptography and Information Security

      Vol:
    E101-A No:5
      Page(s):
    863-866

    At FSE 2014, Grosso et al. proposed LS-designs which are a family of bitslice ciphers aiming at efficient masked implementations against side-channel analysis. They also presented two specific LS-designs, namely the non-involutive cipher Fantomas and the involutive cipher Robin. The designers claimed that the longest impossible differentials of these two ciphers only span 3 rounds. In this paper, for the two ciphers, we construct 4-round impossible differentials which are one round more than the longest impossible differentials found by the designers. Furthermore, with the 4-round impossible differentials, we propose impossible differential attacks on Fantomas and Robin reduced to 6 rounds (out of the full 12/16 rounds). Both of the attacks need 2119 chosen plaintexts and 2101.81 6-round encryptions.

  • Impossible Differential Attack on Reduced Round SPARX-128/256

    Muhammad ELSHEIKH  Mohamed TOLBA  Amr M. YOUSSEF  

     
    LETTER-Cryptography and Information Security

      Vol:
    E101-A No:4
      Page(s):
    731-733

    SPARX-128/256 is one of the two versions of the SPARX-128 block cipher family. It has 128-bit block size and 256-bit key size. SPARX has been developed using ARX-based S-boxes with the aim of achieving provable security against single-trail differential and linear cryptanalysis. In this letter, we propose 20-round impossible differential distinguishers for SPARX-128. Then, we utilize these distinguishers to attack 24 rounds (out of 40 rounds) of SPARX-128/256. Our attack has time complexity of 2232 memory accesses, memory complexity of 2160.81 128-bit blocks, and data complexity of 2104 chosen plaintexts.

  • On the Design Rationale of SIMON Block Cipher: Integral Attacks and Impossible Differential Attacks against SIMON Variants

    Kota KONDO  Yu SASAKI  Yosuke TODO  Tetsu IWATA  

     
    PAPER

      Vol:
    E101-A No:1
      Page(s):
    88-98

    SIMON is a lightweight block cipher designed by NSA in 2013. NSA presented the specification and the implementation efficiency, but they did not provide detailed security analysis nor the design rationale. The original SIMON has rotation constants of (1,8,2), and Kölbl et al. regarded the constants as a parameter (a,b,c), and analyzed the security of SIMON block cipher variants against differential and linear attacks for all the choices of (a,b,c). This paper complements the result of Kölbl et al. by considering integral and impossible differential attacks. First, we search the number of rounds of integral distinguishers by using a supercomputer. Our search algorithm follows the previous approach by Wang et al., however, we introduce a new choice of the set of plaintexts satisfying the integral property. We show that the new choice indeed extends the number of rounds for several parameters. We also search the number of rounds of impossible differential characteristics based on the miss-in-the-middle approach. Finally, we make a comparison of all parameters from our results and the observations by Kölbl et al. Interesting observations are obtained, for instance we find that the optimal parameters with respect to the resistance against differential attacks are not stronger than the original parameter with respect to integral and impossible differential attacks. Furthermore, we consider the security against differential attacks by considering differentials. From the result, we obtain a parameter that is potential to be better than the original parameter with respect to security against these four attacks.

  • Known-Key Attack on SM4 Block Cipher

    HyungChul KANG  Deukjo HONG  Jaechul SUNG  Seokhie HONG  

     
    PAPER-Cryptography and Information Security

      Vol:
    E100-A No:12
      Page(s):
    2985-2990

    We present the first known-key attack on SM4, which is the Chinese standard block cipher made for the wireless LAN WAPI. We make a known-key distinguisher using rebound techniques with the time complexity of 212.75. Then, with the distinguisher, we provide near-collision attacks on MMO and MP hash modes of SM4. Precisely, we find a 104-bit near-collision for 13 rounds of SM4 with the time complexity of 213.30 and a 32-bit near-collision for 17 rounds of SM4 with the time complexity of 212.91. They are much more efficient than generic attacks for the case of random permutation.

  • Improvements on Security Evaluation of AES against Differential Bias Attack

    Haruhisa KOSUGE  Hidema TANAKA  

     
    PAPER-Cryptography and Information Security

      Vol:
    E100-A No:11
      Page(s):
    2398-2407

    In ASIACRYPT2015, a new model for the analysis of block cipher against side-channel attack and a dedicated attack, differential bias attack, were proposed by Bogdanov et al. The model assumes an adversary who has leaked values whose positions are unknown and randomly chosen from internal states (random leakage model). This paper improves the security analysis on AES under the random leakage model. In the previous method, the adversary requires at least 234 chosen plaintexts; therefore, it is hard to recover a secret key with a small number of data. To consider the security against the adversary given a small number of data, we reestimate complexity. We propose another hypothesis-testing method which can minimize the number of required data. The proposed method requires time complexity more than t>260 because of time-data tradeoff, and some attacks are tractable under t≤280. Therefore, the attack is a threat for the long-term security though it is not for the short-term security. In addition, we apply key enumeration to the differential bias attack and propose two evaluation methods, information-theoretic evaluation and experimental one with rank estimation. From the evaluations on AES, we show that the attack is a practical threat for the long-term security.

  • Improved Multiple Impossible Differential Cryptanalysis of Midori128

    Mohamed TOLBA  Ahmed ABDELKHALEK  Amr M. YOUSSEF  

     
    LETTER-Cryptography and Information Security

      Vol:
    E100-A No:8
      Page(s):
    1733-1737

    Midori128 is a lightweight block cipher proposed at ASIACRYPT 2015 to achieve low energy consumption per bit. Currently, the best published impossible differential attack on Midori128 covers 10 rounds without the pre-whitening key. By exploiting the special structure of the S-boxes and the binary linear transformation layer in Midori128, we present impossible differential distinguishers that cover 7 full rounds including the mix column operations. Then, we exploit four of these distinguishers to launch multiple impossible differential attack against 11 rounds of the cipher with the pre-whitening and post-whitening keys.

1-20hit(83hit)