DOCSLIB.ORG

Integral Cryptanalysis of the BSPN Block Cipher

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Integral Cryptanalysis of the BSPN Block Cipher Integral Cryptanalysis of the BSPN Block Cipher Howard Heys Department of Electrical and Computer Engineering Memorial University [email protected] Abstract— In this paper, we investigate the application of inte- and decryption, thereby facilitating efficient implementations gral cryptanalysis to the Byte-oriented Substitution Permutation based on the re-use of components or memory when both Network (BSPN) block cipher. The BSPN block cipher has been encryption and decryption operations are required. In order shown to be an efficient block cipher structure, particularly for environments using 8-bit microcontrollers. In our analysis, to achieve involution, the use of involutory S-boxes and a we are able to show that integral cryptanalysis has limited linear transformation that is an involution are required. For success when applied to BSPN. A first order attack, based on BSPN, as defined in [1], no particular S-box is specified. a deterministic integral, is only applicable to structures with 3 However, the S-box is assumed to be 8 × 8 (where one input or fewer rounds, while higher order attacks and attacks using byte is replaced with an output byte) and must satisfy specific a probabilistic integral were found to be only applicable to structures with 4 or less rounds. Since a typical BSPN block properties, such as involution, small linear bias, and small cipher is recommended to have 8 or more rounds, it is expected maximum differential. that the BSPN structure is resistant to integral cryptanalysis. The BSPN is most notably characterized by its linear transformation, for which a specific function is defined. Let Index Terms— cryptography, block ciphers, cryptanalysis the block size of the cipher be N bytes or 8N bits with Ui = [U ;U ; :::; U ] and V = [V ;V ; :::; V ] representing the I. INTRODUCTION i1 i2 i8 j j1 j2 j8 i-th input and j-th output bytes of the linear transformation, The Byte-oriented Substitution Permutation Network respectively, where Uil 2 f0; 1g, Vjl 2 f0; 1g, 1 ≤ l ≤ 8, (BSPN) structure for use in block cipher design was first and 1 ≤ i; j ≤ N. The linear transformation is defined as the 1 proposed in [1] . BSPN is not a specific cipher proposal with summation of N − 1 bytes as in: defined components, but rather a structure for block cipher N architectures belonging to the class referred to as Substitu- M tion Permutation Networks (SPNs). The BSPN block cipher Vj = Ui (1) structure has been analyzed and proposed for applications i=1;i6=j using 8-bit microcontrollers. In [1], it is shown that a 64- where the summation of two bytes, X = [X1;X2; :::; X8], bit BSPN can be resistant to differential cryptanalysis [2] Xi 2 f0; 1g, and Y = [Y1;Y2; :::; Y8], Yi 2 f0; 1g, is defined and linear cryptanalysis [3] for 8 rounds of operations with as the bitwise XOR of the bytes, that is, X ⊕ Y = [X1 ⊕ a suitable selection for the S-boxes. In [4], a 64-bit BSPN Y1;X2 ⊕ Y2; :::; X8 ⊕ Y8]. cipher is analyzed for use in sensor nodes of wireless sensor The key scheduling process is not defined for BSPN, networks and is shown to be more energy efficient than but in [1] a process to generate the round keys using the implementations of the Advanced Encryption Standard (AES) full un-keyed cipher is suggested. A round key of a size [5]. The efficiency of BSPN is also discussed in Section II. equal to the block size is mixed into the cipher data by In general, SPNs are constructed with the datapath con- using a bitwise XOR. Note that the last round of an R sisting of rounds of key mixing, nonlinear byte substitution round cipher differs from the first R − 1 rounds in that the 2 (using an S-box), and a linear transformation . The principles linear transformation is replaced by a last layer of round key of SPN architectures are rooted in Shannon’s concept of a mixing, resulting in the requirement of R + 1 round keys. product cipher, constructed to ensure confusion and diffusion This is typical in SPN structures and is required in order [6]. SPNs can be efficiently implemented in both hardware to ensure that the decryption process (which is equivalent to and software and can be constructed to be secure. travelling backwards through Figure 1) is similar in structure Figure 1 illustrates the BSPN architecture. As proposed in to encryption. [1], BSPN is defined as an involution cipher. This property Although the BSPN structure does seem resistant to clas- allows the use of the same components for both encryption sical block cipher attacks such as differential and linear cryptanalysis, the applicability of integral cryptanalysis [7] 1Although the BSPN structure was proposed in [1], the first use of the label “BSPN” appears in [4]. has not been considered for the BSPN structure. However, 2Here, we use the term SPN to apply to ciphers with a general linear it is expected that modern block cipher proposals consider transformation for the “Permutation” layer, although, strictly, the first SPN’s resistance to the integral attack, particularly when the struc- proposed a permutation of bit ordering as the linear transformation. Our broad definition of an SPN allows AES to also be included in the class of ture might lead to susceptibility. Hence, in order to confirm SPNs. BSPN’s resistance to integral attacks, in this paper, we explore ! Plaintext! In an implementation of AES, 24 XORs of bytes and 4 xtime ! ! operations are required to execute MixColumns on 32 bits. ! ! ! For the full 128 bit block, this translates to the requirement ! ! Round!Key!Mixing! ! of 96 XORs plus 16 xtime operations. In comparison, for the Round!1! ! ! ! Substitution! ! ! ! ! ! ! 128-bit BSPN, the linear transformation requires 31 XORs to execute. This is achieved by (a) first computing the XOR of Linear!Transformation! ! all 16 bytes (using 15 XORs), followed by (b) 16 XORs, one ! Round!Key!Mixing! XOR of the resulting byte of (a) with each byte of the block. ! Hence, on a per-round basis, considering only the encryption Round!2! ! ! ! Substitution! ! ! ! ! ! operation, the linear transformation of BSPN requires no xtime operations and less than 1/3 of the XOR operations ! Linear!Transformation! ! ...! required to implement the AES linear transformation. ! Considering now decryption, the BSPN has even greater ! Round!Key!Mixing! advantage in efficiency. It is well known that the direct Round!R" ! ! ! Substitution! ! ! ! ! ! implementation of InvMixColumns operation of AES is much less efficient than the MixColumns operation used in en- ! Round!Key!Mixing! cryption. Conversely, the inverse linear transformation in the ! ! BSPN cipher is identical to the linear transformation used in ! encryption. (This follows from the fact that BSPN is designed ! Ciphertext! ! to be a cipher with involutory components.) Hence, the linear transformation operation of BSPN is substantially more Fig. 1. BSPN Structure efficient than AES for decryption. Further, since the S-boxes used for decryption in BSPN are identical to the S-boxes used in encryption (again, following from the involution nature of the application of integral cryptanalysis and determine the the cipher), then, while AES needs to store in memory both resulting strength of BSPN in relation to the attack. 256 bytes for the encryption S-box and 256 bytes for the decryption S-box, BSPN only requires the storage of one 256 byte table for the S-box. II. EFFICIENCY OF BSPN IMPLEMENTATIONS It can also be shown that BSPN can be very compactly Before we consider the application of integral cryptanalysis and efficiently implemented in target hardware environments to the BSPN cipher structure, we first discuss the value of the such as FPGAs and ASICs, as well as, microcontrollers with cipher in relation to the efficiency of its underlying operations. datapath widths larger than 8 bits. However, a full discussion Although the 64-bit version of the cipher is shown in [4] of this is outside the scope of this paper. to be efficient in the context of an 8-bit microcontroller implementation targeted to wireless sensor network nodes, III. INTEGRAL CRYPTANALYSIS this comparison is made relative to AES which has a 128-bit Integral cryptanalysis was first presented as an attack on block. Although it can be expected that in many embedded the Square block cipher (a predecessor of AES) and was applications, a 64-bit block is sufficient, even preferred for initially referred to as the Square attack [8]. Subsequently, efficiency, it would be interesting to consider the comparison similar attacks have been applied to various block cipher of a BSPN cipher similarly sized to AES. Hence, consider structures, under the names of saturation attack [9], structural a BSPN based on (1) with N = 16. In this case, as with cryptanalysis [10], integral cryptanalysis [7], and multiset AES, the S-box layer of BSPN requires 16 memory lookups cryptanalysis [11]. In our work, we use the terminology to achieve the necessary nonlinear substitutions for an 8-bit associated with integral cryptanalysis. We first describe a microcontroller implementation. In both ciphers, key mixing first order integral attack which makes use of a deterministic consists of XORing a block of round key bits with cipher integral. data. The appreciable difference then between the ciphers is The basic concept of integral cryptanalysis as applied to a the composition of the linear transformation. 64-bit block cipher is shown in Figure 2. Integral cryptanal- Consider first the encryption process. For AES, the linear ysis is a chosen plaintext attack, requiring the cryptanalyst to transformation consists of the ShiftRows and MixColumns obtain sets of ciphertexts corresponding to plaintexts with a operations, with the MixColumns operation requiring signifi- specific relationship.
Load more

Recommended publications
  • Cryptanalysis of Feistel Networks with Secret Round Functions Alex Biryukov, Gaëtan Leurent, Léo Perrin
    Cryptanalysis of Feistel Networks with Secret Round Functions Alex Biryukov, Gaëtan Leurent, Léo Perrin To cite this version: Alex Biryukov, Gaëtan Leurent, Léo Perrin. Cryptanalysis of Feistel Networks with Secret Round Functions. Selected Areas in Cryptography - SAC 2015, Aug 2015, Sackville, Canada. hal-01243130 HAL Id: hal-01243130 https://hal.inria.fr/hal-01243130 Submitted on 14 Dec 2015 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Cryptanalysis of Feistel Networks with Secret Round Functions ? Alex Biryukov1, Gaëtan Leurent2, and Léo Perrin3 1 [email protected], University of Luxembourg 2 [email protected], Inria, France 3 [email protected], SnT,University of Luxembourg Abstract. Generic distinguishers against Feistel Network with up to 5 rounds exist in the regular setting and up to 6 rounds in a multi-key setting. We present new cryptanalyses against Feistel Networks with 5, 6 and 7 rounds which are not simply distinguishers but actually recover completely the unknown Feistel functions. When an exclusive-or is used to combine the output of the round function with the other branch, we use the so-called yoyo game which we improved using a heuristic based on particular cycle structures.
    [Show full text]
  • Integral Cryptanalysis on Full MISTY1⋆
    Integral Cryptanalysis on Full MISTY1? Yosuke Todo NTT Secure Platform Laboratories, Tokyo, Japan [email protected] Abstract. MISTY1 is a block cipher designed by Matsui in 1997. It was well evaluated and standardized by projects, such as CRYPTREC, ISO/IEC, and NESSIE. In this paper, we propose a key recovery attack on the full MISTY1, i.e., we show that 8-round MISTY1 with 5 FL layers does not have 128-bit security. Many attacks against MISTY1 have been proposed, but there is no attack against the full MISTY1. Therefore, our attack is the first cryptanalysis against the full MISTY1. We construct a new integral characteristic by using the propagation characteristic of the division property, which was proposed in 2015. We first improve the division property by optimizing a public S-box and then construct a 6-round integral characteristic on MISTY1. Finally, we recover the secret key of the full MISTY1 with 263:58 chosen plaintexts and 2121 time complexity. Moreover, if we can use 263:994 chosen plaintexts, the time complexity for our attack is reduced to 2107:9. Note that our cryptanalysis is a theoretical attack. Therefore, the practical use of MISTY1 will not be affected by our attack. Keywords: MISTY1, Integral attack, Division property 1 Introduction MISTY [Mat97] is a block cipher designed by Matsui in 1997 and is based on the theory of provable security [Nyb94,NK95] against differential attack [BS90] and linear attack [Mat93]. MISTY has a recursive structure, and the component function has a unique structure, the so-called MISTY structure [Mat96].
    [Show full text]
  • Related-Key Statistical Cryptanalysis
    Related-Key Statistical Cryptanalysis Darakhshan J. Mir∗ Poorvi L. Vora Department of Computer Science, Department of Computer Science, Rutgers, The State University of New Jersey George Washington University July 6, 2007 Abstract This paper presents the Cryptanalytic Channel Model (CCM). The model treats statistical key recovery as communication over a low capacity channel, where the channel and the encoding are determined by the cipher and the specific attack. A new attack, related-key recovery – the use of n related keys generated from k independent ones – is defined for all ciphers vulnera- ble to single-key recovery. Unlike classical related-key attacks such as differential related-key cryptanalysis, this attack does not exploit a special structural weakness in the cipher or key schedule, but amplifies the weakness exploited in the basic single key recovery. The related- key-recovery attack is shown to correspond to the use of a concatenated code over the channel, where the relationship among the keys determines the outer code, and the cipher and the attack the inner code. It is shown that there exists a relationship among keys for which the communi- cation complexity per bit of independent key is finite, for any probability of key recovery error. This may be compared to the unbounded communication complexity per bit of the single-key- recovery attack. The practical implications of this result are demonstrated through experiments on reduced-round DES. Keywords: related keys, concatenated codes, communication channel, statistical cryptanalysis, linear cryptanalysis, DES Communicating Author: Poorvi L. Vora, [email protected] ∗This work was done while the author was in the M.S.
    [Show full text]
  • Optimization of Core Components of Block Ciphers Baptiste Lambin
    Optimization of core components of block ciphers Baptiste Lambin To cite this version: Baptiste Lambin. Optimization of core components of block ciphers. Cryptography and Security [cs.CR]. Université Rennes 1, 2019. English. NNT : 2019REN1S036. tel-02380098 HAL Id: tel-02380098 https://tel.archives-ouvertes.fr/tel-02380098 Submitted on 26 Nov 2019 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. THÈSE DE DOCTORAT DE L’UNIVERSITE DE RENNES 1 COMUE UNIVERSITE BRETAGNE LOIRE Ecole Doctorale N°601 Mathématique et Sciences et Technologies de l’Information et de la Communication Spécialité : Informatique Par Baptiste LAMBIN Optimization of Core Components of Block Ciphers Thèse présentée et soutenue à RENNES, le 22/10/2019 Unité de recherche : IRISA Rapporteurs avant soutenance : Marine Minier, Professeur, LORIA, Université de Lorraine Jacques Patarin, Professeur, PRiSM, Université de Versailles Composition du jury : Examinateurs : Marine Minier, Professeur, LORIA, Université de Lorraine Jacques Patarin, Professeur, PRiSM, Université de Versailles Jean-Louis Lanet, INRIA Rennes Virginie Lallemand, Chargée de Recherche, LORIA, CNRS Jérémy Jean, ANSSI Dir. de thèse : Pierre-Alain Fouque, IRISA, Université de Rennes 1 Co-dir. de thèse : Patrick Derbez, IRISA, Université de Rennes 1 Remerciements Je tiens à remercier en premier lieu mes directeurs de thèse, Pierre-Alain et Patrick.
    [Show full text]
  • New Cryptanalysis of Block Ciphers with Low Algebraic Degree
    New Cryptanalysis of Block Ciphers with Low Algebraic Degree Bing Sun1,LongjiangQu1,andChaoLi1,2 1 Department of Mathematics and System Science, Science College of National University of Defense Technology, Changsha, China, 410073 2 State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, China, 10039 happy [email protected], ljqu [email protected] Abstract. Improved interpolation attack and new integral attack are proposed in this paper, and they can be applied to block ciphers using round functions with low algebraic degree. In the new attacks, we can determine not only the degree of the polynomial, but also coefficients of some special terms. Thus instead of guessing the round keys one by one, we can get the round keys by solving some algebraic equations over finite field. The new methods are applied to PURE block cipher successfully. The improved interpolation attacks can recover the first round key of 8-round PURE in less than a second; r-round PURE with r ≤ 21 is breakable with about 3r−2 chosen plaintexts and the time complexity is 3r−2 encryptions; 22-round PURE is breakable with both data and time complexities being about 3 × 320. The new integral attacks can break PURE with rounds up to 21 with 232 encryptions and 22-round with 3 × 232 encryptions. This means that PURE with up to 22 rounds is breakable on a personal computer. Keywords: block cipher, Feistel cipher, interpolation attack, integral attack. 1 Introduction For some ciphers, the round function can be described either by a low degree polynomial or by a quotient of two low degree polynomials over finite field with characteristic 2.
    [Show full text]
  • Deep Learning-Based Cryptanalysis of Lightweight Block Ciphers
    Hindawi Security and Communication Networks Volume 2020, Article ID 3701067, 11 pages https://doi.org/10.1155/2020/3701067 Research Article Deep Learning-Based Cryptanalysis of Lightweight Block Ciphers Jaewoo So Department of Electronic Engineering, Sogang University, Seoul 04107, Republic of Korea Correspondence should be addressed to Jaewoo So; [email protected] Received 5 February 2020; Revised 21 June 2020; Accepted 26 June 2020; Published 13 July 2020 Academic Editor: Umar M. Khokhar Copyright © 2020 Jaewoo So. +is is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Most of the traditional cryptanalytic technologies often require a great amount of time, known plaintexts, and memory. +is paper proposes a generic cryptanalysis model based on deep learning (DL), where the model tries to find the key of block ciphers from known plaintext-ciphertext pairs. We show the feasibility of the DL-based cryptanalysis by attacking on lightweight block ciphers such as simplified DES, Simon, and Speck. +e results show that the DL-based cryptanalysis can successfully recover the key bits when the keyspace is restricted to 64 ASCII characters. +e traditional cryptanalysis is generally performed without the keyspace restriction, but only reduced-round variants of Simon and Speck are successfully attacked. Although a text-based key is applied, the proposed DL-based cryptanalysis can successfully break the full rounds of Simon32/64 and Speck32/64. +e results indicate that the DL technology can be a useful tool for the cryptanalysis of block ciphers when the keyspace is restricted.
    [Show full text]
  • Cryptanalysis of Block Ciphers
    Cryptanalysis of Block Ciphers Jiqiang Lu Technical Report RHUL–MA–2008–19 30 July 2008 Royal Holloway University of London Department of Mathematics Royal Holloway, University of London Egham, Surrey TW20 0EX, England http://www.rhul.ac.uk/mathematics/techreports CRYPTANALYSIS OF BLOCK CIPHERS JIQIANG LU Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Mathematics Royal Holloway, University of London 2008 Declaration These doctoral studies were conducted under the supervision of Prof. Chris Mitchell. The work presented in this thesis is the result of original research carried out by myself, in collaboration with others, whilst enrolled in the Information Security Group of Royal Holloway, University of London as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment. Jiqiang Lu July 2008 2 Acknowledgements First of all, I thank my supervisor Prof. Chris Mitchell for suggesting block cipher cryptanalysis as my research topic when I began my Ph.D. studies in September 2005. I had never done research in this challenging ¯eld before, but I soon found it to be really interesting. Every time I ¯nished a manuscript, Chris would give me detailed comments on it, both editorial and technical, which not only bene¯tted my research, but also improved my written English. Chris' comments are fantastic, and it is straightforward to follow them to make revisions. I thank my advisor Dr. Alex Dent for his constructive suggestions, although we work in very di®erent ¯elds.
    [Show full text]
  • Analyses of Curupira Block Cipher
    VIII Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais 89 Analyses of Curupira Block Cipher Jorge Nakahara Jr 1jorge [email protected] Abstract. Curupira is a 96-bit block cipher, with keys of 96, 144 or 192 bits, and variable number of rounds, an algorithm described at SBRC 2007. This paper1 presents impossible-differential, boomerang and higher-order multiset attacks on reduced-round versions of Curupira, that were not previously considered in the security analysis by its designers. Also, we provide security analyses based solely on the block size and on the key size of the cipher, such as plaintext leakage and related-key attacks. Our analyses indicate new attacks on up to 6-round Curupira. 1. Introduction Curupira is a block cipher designed by Barreto and Simpl´ıcio and presented at SBRC 2007 [Barreto and Simpl´ıcio Jr 2007]. This cipher has a Substitution Permutation Net- work (SPN) structure, like the AES [AES 1997] and is based on the wide-trail design strategy [Daemen 1995]. In [Barreto and Simpl´ıcio Jr 2007], the designers of Curupira argued about its security under several attack settings. The best reported attack was the square or saturation attack [Daemen et al. 1997] on up to seven rounds of Curupira, with a complexity smaller than that of an exhaustive key search. In this paper, we describe impossible-differential (ID), boomerang and higher-order multiset attacks on reduced- round versions of Curupira. The motivation for the ID and boomerang attacks are the fact that these techniques exploit the cipher from both the encryption and decryption di- rections, namely, the corresponding distinguishers are based on differentials constructed from both ends of a given cipher.
    [Show full text]
  • Analysis of Linear Relationships in Block Ciphers
    Analysis of Linear Relationships in Block Ciphers by Muhammad Reza Z’aba Bachelor of Science (Computer) (Universiti Teknologi Malaysia) – 2004 Thesis submitted in accordance with the regulations for the Degree of Doctor of Philosophy Information Security Institute Faculty of Science and Technology Queensland University of Technology May 7, 2010 Keywords Block cipher, stream cipher, symmetric cipher, linear transformation, diffusion, cryptanalysis, fixed points, round function, key scheduling algorithm, integral attack, bit-pattern, algebraic analysis, system of equations, branch number, AES, ARIA, LEX, BES, Noekeon, PRESENT, Serpent, SMS4 i ii Abstract This thesis is devoted to the study of linear relationships in symmetric block ciphers. A block cipher is designed so that the ciphertext is produced as a nonlinear function of the plaintext and secret master key. However, linear re- lationships within the cipher can still exist if the texts and components of the cipher are manipulated in a number of ways, as shown in this thesis. There are four main contributions of this thesis. The first contribution is the extension of the applicability of integral attacks from word-based to bit- based block ciphers. Integral attacks exploit the linear relationship between texts at intermediate stages of encryption. This relationship can be used to recover subkey bits in a key recovery attack. In principle, integral attacks can be applied to bit-based block ciphers. However, specific tools to define the attack on these ciphers are not available. This problem is addressed in this thesis by introducing a refined set of notations to describe the attack. The bit pattern- based integral attack is successfully demonstrated on reduced-round variants of the block ciphers Noekeon, Present and Serpent.
    [Show full text]
  • Statistical Cryptanalysis of Block Ciphers
    STATISTICAL CRYPTANALYSIS OF BLOCK CIPHERS THÈSE NO 3179 (2005) PRÉSENTÉE À LA FACULTÉ INFORMATIQUE ET COMMUNICATIONS Institut de systèmes de communication SECTION DES SYSTÈMES DE COMMUNICATION ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE POUR L'OBTENTION DU GRADE DE DOCTEUR ÈS SCIENCES PAR Pascal JUNOD ingénieur informaticien dilpômé EPF de nationalité suisse et originaire de Sainte-Croix (VD) acceptée sur proposition du jury: Prof. S. Vaudenay, directeur de thèse Prof. J. Massey, rapporteur Prof. W. Meier, rapporteur Prof. S. Morgenthaler, rapporteur Prof. J. Stern, rapporteur Lausanne, EPFL 2005 to Mimi and Chlo´e Acknowledgments First of all, I would like to warmly thank my supervisor, Prof. Serge Vaude- nay, for having given to me such a wonderful opportunity to perform research in a friendly environment, and for having been the perfect supervisor that every PhD would dream of. I am also very grateful to the president of the jury, Prof. Emre Telatar, and to the reviewers Prof. em. James L. Massey, Prof. Jacques Stern, Prof. Willi Meier, and Prof. Stephan Morgenthaler for having accepted to be part of the jury and for having invested such a lot of time for reviewing this thesis. I would like to express my gratitude to all my (former and current) col- leagues at LASEC for their support and for their friendship: Gildas Avoine, Thomas Baign`eres, Nenad Buncic, Brice Canvel, Martine Corval, Matthieu Finiasz, Yi Lu, Jean Monnerat, Philippe Oechslin, and John Pliam. With- out them, the EPFL (and the crypto) would not be so fun! Without their support, trust and encouragement, the last part of this thesis, FOX, would certainly not be born: I owe to MediaCrypt AG, espe- cially to Ralf Kastmann and Richard Straub many, many, many hours of interesting work.
    [Show full text]
  • Improved Differential Fault Analysis on ARIA Using Small Number of Faults
    Improved Differential Fault Analysis on ARIA using Small Number of Faults ? ∗ Yuseop Lee a, Kitae Jeong a, Jaechul Sung b, Seokhie Hong a; aCenter for Information Security Technologies (CIST), Korea University, Republic of Korea bDepartment of Mathematics, University of Seoul, Republic of Korea Abstract In [15], Li et al. firstly proposed a differential fault analysis on ARIA-128. This attack requires average 45 random byte fault injections. In 2012, Park et al. proposed the improve DFA by using 33 random byte fault injection. Also Kim proposed differential fault analysis based on multi byte fault model. In this model, the number of fault injections is reduce to 13 and If access to the decryption oracle is allowed, only 7 faults are required. In this paper, we propose improved differential fault analysis on ARIA. Based on random byte fault model, the proposed attacks can recover the secret key of ARIA-128/192/256 by using 6 fault injections within a few minutes. Moreover, in cases of ARIA-128 and ARIA-256, it is possible to recover the secret key using only 4 fault injections under a fault assumption where an attacker can induce some faults during both encryption and decryption process, respectively. Our results on ARIA-192/256 are the first known DFA results on them. Key words: Differential fault analysis, Block cipher, ARIA, Cryptanalysis. Differential fault analysis (DFA) is one of the most well-known side-channel analysis on block ciphers. After Biham and Shamir first proposed a DFA on DES [1], it was applied to AES [2,8,11,18,20,?], Triple-DES [9], CLEFIA [4], SEED [10], ARIA [15,19,13], SMS4 and MacGuffin [16] and so on.
    [Show full text]
  • Improved Integral Cryptanalysis of FOX Block Cipher1
    Improved Integral Cryptanalysis of FOX Block Cipher1 Wu Wenling, Zhang Wentao, and Feng Dengguo State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100080, P. R. China E-mail:[email protected] Abstract. FOX is a new family of block ciphers presented recently, which is based upon some results on proven security and has high per- formances on various platforms. In this paper, we construct some distin- guishers between 3-round FOX and a random permutation of the blocks space. By using integral attack and collision-searching techniques, the distinguishers are used to attack on 4, 5, 6 and 7-round of FOX64, 4 and 5-round FOX128. The attack is more e±cient than previous in- tegral attack on FOX. The complexity of improved integral attack is 277:6 on 4-round FOX128, 2205:6 against 5-round FOX128 respectively. For FOX64, the complexity of improved integral attack is 245:4 on 4- round FOX64, 2109:4 against 5-round FOX64, 2173:4 against 6-round FOX64, 2237:4 against 7-round FOX64 respectively. Therefore, 4-round FOX64/64, 5-round FOX64/128, 6-round FOX64/192, 7-round FOX64/256 and 5-round FOX128/256 are not immune to the attack in this paper. Key words: Block cipher; FOX; Data complexity; Time complexity; Integral Cryptanalysis. 1 Introduction FOX[1] is a new family of block ciphers, which is the result of a joint project with the company MediaCrypt[2] AG in Zurich, Switzerland. Fox has two versions, both have a variable number rounds which depends on keysize: the ¯rst one FOX64/k/r has a 64-bit blocksize with a variable key length which is a multiple of 8 and up to 256 bits.
    [Show full text]