DOCSLIB.ORG

Research Article Improved Integral Attacks on SIMON32 and SIMON48 with Dynamic Key-Guessing Techniques

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Research Article Improved Integral Attacks on SIMON32 and SIMON48 with Dynamic Key-Guessing Techniques Hindawi Security and Communication Networks Volume 2018, Article ID 5160237, 11 pages https://doi.org/10.1155/2018/5160237 Research Article Improved Integral Attacks on SIMON32 and SIMON48 with Dynamic Key-Guessing Techniques Zhihui Chu ,1,2 Huaifeng Chen ,1,2 Xiaoyun Wang ,1,2,3 Xiaoyang Dong ,3 and Lu Li 1,2 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan 250100, China 2School of Mathematics, Shandong University, Jinan 250100, China 3Institute for Advanced Study, Tsinghua University, Beijing 100084, China Correspondence should be addressed to Xiaoyun Wang; [email protected] Received 17 July 2017; Accepted 3 January 2018; Published 19 February 2018 Academic Editor: Barbara Masucci Copyright © 2018 Zhihui Chu et al. Tis is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Dynamic key-guessing techniques, which exploit the property of AND operation, could improve the diferential and linear cryptanalytic results by reducing the number of guessed subkey bits and lead to good cryptanalytic results for SIMON. Tey have only been applied in diferential and linear attacks as far as we know. In this paper, dynamic key-guessing techniques are frst introduced in integral cryptanalysis. According to the features of integral cryptanalysis, we extend dynamic key-guessing techniques and get better integral cryptanalysis results than before. As a result, we present integral attacks on 24-round SIMON32, 24-round SIMON48/72, and 25-round SIMON48/96. In terms of the number of attacked rounds, our attack on SIMON32 is better than any previously known attacks, and our attacks on SIMON48 are the same as the best attacks. 1. Introduction SIMON has been extensively scrutinized [3–25]. As an ultralightweight primitive, SIMON is a very good target for Te integral attack, proposed by Daemen et al. [1], is an integral cryptanalysis. In integral cryptanalysis, Wang et al. important cryptanalytic technique for symmetric-key primi- [21] experimentally found an integral distinguisher for 14 tives. Te integral distinguisher is based on the property that rounds of SIMON32 and mounted a key-recovery attack on when some parts of the input (constant bits) of distinguishers 21-round SIMON32. At EUROCRYPT 2015, Todo proposed are held constant whereas the other parts (active bits) vary the division property [17], which is a generalized integral through all possibilities, the sum of all the output values property. Tis new technique enables the cryptographers to equals zero at some particular locations (balanced bits). In propagate the integral property in a more precise manner. the key recovery, the sum is random if the guessed key As a result, an 11-round integral distinguisher of SIMON48 is incorrect, while the sum is zero if the guessed key is was found. Subsequently, using the bit-based division prop- correct. As a powerful class of cryptanalytic techniques, erty, Todo and Morii proved the 14-round distinguisher of integral cryptanalysis has been applied to many block ciphers, SIMON32 theoretically in [18]. However, searching integral especially the ones with low-degree round functions. characteristics by the bit-based division property requires SIMON is a family of ten lightweight block ciphers much time and memory complexity. In order to overcome the designed by the US National Security Agency [2]. Te problem, Xiang et al. [23] proposed a state partition to achieve SIMON2�/�� family of lightweight block ciphers have clas- a trade-of between the accuracy of the integral distinguisher sical Feistel structures with 2�-bit block size and ��-bit key, and the time-memory complexity. Accordingly, Todo’s result where � is the word size. was improved by one round for SIMON48. Aferwards, MILP 2 Security and Communication Networks method was applied by Xiang et al. [22] to fnd integral thesingle-keymodel.Wepresentintegralattackson24- characteristics of some lightweight block ciphers, including round SIMON32, 24-round SIMON48/72, and 25-round a 15-round integral distinguisher for SIMON48. At ACNS SIMON48/96. In terms of the number of attacked rounds, 2016, some integral distinguishers of SIMON-like ciphers ourattackonSIMON32isbetterthananypreviouslyknown were constructed by Kondo et al. [10]. However, the block size attacks, and our attacks on SIMON48 are the same as the best considered is only 32 bits. Later in [7], with the equivalent- attacks. In order to verify the correctness of our approach, we subkey technique, Fu et al. presented integral attacks on implement the summation procedure of the integral attack 22-round SIMON32, 22-round SIMON48/72, and 23-round on 22-round SIMON32. A summary of our results is given in SIMON48/96. Good results [6, 13, 20] were achieved in Table 1. diferential and linear cryptanalysis, as well. Te cryptan- Outline.Tispaperisstructuredasfollows.Section2briefy alytic results that attack the most rounds of SIMON were describes the specifcation of SIMON and some integral obtained in [6], and these results were achieved by linear hull distinguishers. In Section 3, we discuss the time reduction cryptanalysis. Te most efcient diferential and linear attacks in integral cryptanalysis of bit-oriented block ciphers. In on SIMON were presented with the help of dynamic key- Section 4, we present improved integral attacks on SIMON32 guessing techniques. and SIMON48. In Section 4.1, we give the experimental result. With regard to dynamic key-guessing techniques, they Finally, Section 5 draws conclusions. were initially proposed to improve the diferential attacks on SIMON [20]. Te techniques, which exploit the property of AND operation, help reduce the average number of guessed 2. Preliminaries key bits signifcantly in diferential cryptanalysis. Ten they were applied to linear hull attacks on SIMON [6]. In both 2.1. Notations [6, 20], with the techniques above, the adversaries are able � to extend previous diferential (resp., linear hull) results on :thewordsize SIMON by 2 to 4 more rounds, using existing diferential ��:the�thbitofbitstring� (resp., linear hull) distinguishers. Subsequently, Qiao et al. �[�−�] (or �� −��):the�th to the �th bits of bit string � [13] released a tool, which provides the diferential security �� ,...,� �� �=�1,...,�� evaluation of SIMON given diferential distinguishers of high 1 � :theXORsumof ,where ,i.e., ⨁ � probability. Moreover, with newly proposed diferentials [9], �∈{�1,...,��} � Qiao et al. improved diferential attacks against SIMON, �‖�: concatenation of two bit strings � and � usingthetechniques.Alsointhediferentialcryptanalysis � � :theinputofround� or output of round (� − 1) and linear cryptanalysis of Simeck [26], good results [13, 27] � � � � ��,��: the lef and right halves of � ,thatis,� = have been obtained by using dynamic key-guessing tech- � � niques. Up to now, the dynamic key-guessing techniques have �� ‖�� � � � � only been combined with linear and diferential cryptanalysis ��,� (resp.��,�):the�th bit of bit string ��(resp.��) methods. Tere is no attempt to combine the dynamic key- �� ( �� −�� ) � � guessing techniques with integral attack so far. �,[�−�] or �,� �,� :the th to the th bits of bit �� Besides the above results under the single-key model, string � � � � the security of SIMON has also been evaluated under the ��,[�−�] (or ��,� −��,�):the�th to the �th bits of bit � related-key [11] and known-key [8] models. In the related-key string �� setting, Kondo et al. [11] constructed a 15-round related-key �� � impossible diferential distinguisher of SIMON32. :thesubkeyusedin th round �\{�� ,...,�� }:anewbitstring,ofwhichbitsare 1 � � {� ,...,� } Our Contributions. In this paper, we frst apply dynamic derived from bit string ,excluding �1 �� key-guessing techniques to integral attacks. In our improved ⊕:bitwiseXOR integral cryptanalysis, we extend dynamic key-guessing techniques to compute the sum, which is in the form of &: bitwise AND ∑� �(�, �) ⋅ �[�],where� is a nonlinear Boolean function �⋘�:alefcircularshifofbitstring� by � bits and �[�] are counters for �. Te dynamic key-guessing �[�], �[�], �[�]:countersforbitstring� techniques improve the time complexity of the computation � � signifcantly. Please see the following example. Suppose � (�): � (�) = ∑� �(�, �)⋅�[�],where� is a Boolean � �(�, �) = 1 ⊕ �1(�1,�1)&�2(�2,�2),where�=�1 ‖�2, function of � and � (actually, � (�) are counters for �) �=�1 ‖�2,and�1 and �2 aretwoBooleanfunctions.We �(�): �(�) = [(� ⋘ 1)&(� ⋘ 8)] ⊕ (� ⋘ 2) guess �1 atfrst;thenwesplit�=�1 ‖�2 into two sets: �(�) � �(�) �1 ={�|�1(�1,�1)=0}and �2 ={�|�1(�1,�1)=1}.We �:the th bit of bit string continue to compute the sum for each set. For set �1,thereis no need to guess �2 since �(�, �) = 1 when �∈�1.Finally, 2.2. Description of SIMON2�/��. SIMON2�/�� is a two- we sum them up. branch balanced Feistel network with 2�-bit block size and Using the dynamic key-guessing techniques, we present ��-bit key, where � isthewordsize.Tereare10variants improved integral attacks on SIMON32 and SIMON48 in for SIMON. Te parameters of SIMON32/64, SIMON48/72, Security and Communication Networks 3 Table 1: Summary of some related results for SIMON32 and SIMON48. Memory Success Attack Target Rounds Data Time Source (bytes) probability type 31 63 54 21 2 2 E 2 1 Integ. [21] 31 55.25 21 2 2 E-51% Dif. [20] 22 231 263 255.8 1 SIMON32/64 E Integ. [7] 32 58.76 22 2 2 E-31.5% Dif. [13] 31.19 57.19 61.84 56 23 2 2 TWO+2 A+2 E- 28% Lin. hull [6] 32 63 33.64 24 2 2 E 2 1 Integ. Section 4.3 18 ---1 Integ. [23] 47 71 42 22 2 2 E 2 1 Integ. [7] 47 63.25 SIMON48/72 23 2 2 E-48% Dif. [20] 47.92 69.92 67.89 56 24 2 2 ONE+2 A+2 E- - Lin. hull [6] 48 71 50 24 2 2 E 2 1 Integ. Appendix B.2 19 ---1 Integ. [23] 47 95 47 23 2 2 E 2 1 Integ. [7] 24 247 287.25 48 SIMON48/96 E-% Dif. [20] 48 78.99 24 2 2 E-47.5% Dif. [13] 47.92 91.92 89.89 80 25 2 2 TWO+2 A+2 E- - Lin.
Load more

Recommended publications
  • Integral Cryptanalysis on Full MISTY1⋆
    Integral Cryptanalysis on Full MISTY1? Yosuke Todo NTT Secure Platform Laboratories, Tokyo, Japan [email protected] Abstract. MISTY1 is a block cipher designed by Matsui in 1997. It was well evaluated and standardized by projects, such as CRYPTREC, ISO/IEC, and NESSIE. In this paper, we propose a key recovery attack on the full MISTY1, i.e., we show that 8-round MISTY1 with 5 FL layers does not have 128-bit security. Many attacks against MISTY1 have been proposed, but there is no attack against the full MISTY1. Therefore, our attack is the first cryptanalysis against the full MISTY1. We construct a new integral characteristic by using the propagation characteristic of the division property, which was proposed in 2015. We first improve the division property by optimizing a public S-box and then construct a 6-round integral characteristic on MISTY1. Finally, we recover the secret key of the full MISTY1 with 263:58 chosen plaintexts and 2121 time complexity. Moreover, if we can use 263:994 chosen plaintexts, the time complexity for our attack is reduced to 2107:9. Note that our cryptanalysis is a theoretical attack. Therefore, the practical use of MISTY1 will not be affected by our attack. Keywords: MISTY1, Integral attack, Division property 1 Introduction MISTY [Mat97] is a block cipher designed by Matsui in 1997 and is based on the theory of provable security [Nyb94,NK95] against differential attack [BS90] and linear attack [Mat93]. MISTY has a recursive structure, and the component function has a unique structure, the so-called MISTY structure [Mat96].
    [Show full text]
  • New Security Proofs for the 3GPP Confidentiality and Integrity
    An extended abstract of this paper appears in Fast Software Encryption, FSE 2004, Lecture Notes in Computer Science, W. Meier and B. Roy editors, Springer-Verlag, 2004. This is the full version. New Security Proofs for the 3GPP Confidentiality and Integrity Algorithms Tetsu Iwata¤ Tadayoshi Kohnoy January 26, 2004 Abstract This paper analyses the 3GPP confidentiality and integrity schemes adopted by Universal Mobile Telecommunication System, an emerging standard for third generation wireless commu- nications. The schemes, known as f8 and f9, are based on the block cipher KASUMI. Although previous works claim security proofs for f8 and f90, where f90 is a generalized versions of f9, it was recently shown that these proofs are incorrect. Moreover, Iwata and Kurosawa (2003) showed that it is impossible to prove f8 and f90 secure under the standard PRP assumption on the underlying block cipher. We address this issue here, showing that it is possible to prove f80 and f90 secure if we make the assumption that the underlying block cipher is a secure PRP-RKA against a certain class of related-key attacks; here f80 is a generalized version of f8. Our results clarify the assumptions necessary in order for f8 and f9 to be secure and, since no related-key attacks are known against the full eight rounds of KASUMI, lead us to believe that the confidentiality and integrity mechanisms used in real 3GPP applications are secure. Keywords: Modes of operation, PRP-RKA, f8, f9, KASUMI, security proofs. ¤Dept. of Computer and Information Sciences, Ibaraki University, 4–12–1 Nakanarusawa, Hitachi, Ibaraki 316- 8511, Japan.
    [Show full text]
  • Known and Chosen Key Differential Distinguishers for Block Ciphers
    Known and Chosen Key Differential Distinguishers for Block Ciphers Ivica Nikoli´c1?, Josef Pieprzyk2, Przemys law Soko lowski2;3, Ron Steinfeld2 1 University of Luxembourg, Luxembourg 2 Macquarie University, Australia 3 Adam Mickiewicz University, Poland [email protected], [email protected], [email protected], [email protected] Abstract. In this paper we investigate the differential properties of block ciphers in hash function modes of operation. First we show the impact of differential trails for block ciphers on collision attacks for various hash function constructions based on block ciphers. Further, we prove the lower bound for finding a pair that follows some truncated differential in case of a random permutation. Then we present open-key differential distinguishers for some well known round-reduced block ciphers. Keywords: Block cipher, differential attack, open-key distinguisher, Crypton, Hierocrypt, SAFER++, Square. 1 Introduction Block ciphers play an important role in symmetric cryptography providing the basic tool for encryp- tion. They are the oldest and most scrutinized cryptographic tool. Consequently, they are the most trusted cryptographic algorithms that are often used as the underlying tool to construct other cryp- tographic algorithms. One such application of block ciphers is for building compression functions for the hash functions. There are many constructions (also called hash function modes) for turning a block cipher into a compression function. Probably the most popular is the well-known Davies-Meyer mode. Preneel et al. in [27] have considered all possible modes that can be defined for a single application of n-bit block cipher in order to produce an n-bit compression function.
    [Show full text]
  • Differential-Linear Crypt Analysis
    Differential-Linear Crypt analysis Susan K. Langfordl and Martin E. Hellman Department of Electrical Engineering Stanford University Stanford, CA 94035-4055 Abstract. This paper introduces a new chosen text attack on iterated cryptosystems, such as the Data Encryption Standard (DES). The attack is very efficient for 8-round DES,2 recovering 10 bits of key with 80% probability of success using only 512 chosen plaintexts. The probability of success increases to 95% using 768 chosen plaintexts. More key can be recovered with reduced probability of success. The attack takes less than 10 seconds on a SUN-4 workstation. While comparable in speed to existing attacks, this 8-round attack represents an order of magnitude improvement in the amount of required text. 1 Summary Iterated cryptosystems are encryption algorithms created by repeating a simple encryption function n times. Each iteration, or round, is a function of the previ- ous round’s oulpul and the key. Probably the best known algorithm of this type is the Data Encryption Standard (DES) [6].Because DES is widely used, it has been the focus of much of the research on the strength of iterated cryptosystems and is the system used as the sole example in this paper. Three major attacks on DES are exhaustive search [2, 71, Biham-Shamir’s differential cryptanalysis [l], and Matsui’s linear cryptanalysis [3, 4, 51. While exhaustive search is still the most practical attack for full 16 round DES, re- search interest is focused on the latter analytic attacks, in the hope or fear that improvements will render them practical as well.
    [Show full text]
  • Algebraic and Slide Attacks on Keeloq
    Algebraic and Slide Attacks on KeeLoq Nicolas T. Courtois 1 Gregory V. Bard 2 David Wagner 3 1 - University College of London , UK 2 - Fordham University, NY , US 3 - University of California - Berkeley, US Algebraic and Slide Attacks on KeeLoq Roadmap • KeeLoq. • Direct algebraic attacks, – 160 rounds / 528 . Periodic structure => • Slide-Algebraic: – 216 KP and about 253 KeeLoq encryptions. • Slide-Determine: – 223 - 230 KeeLoq encryptions. 2 Courtois, Bard, Wagner, FSE 2008 Algebraic and Slide Attacks on KeeLoq KeeLoq Block cipher used to unlock doors and the alarm in Chrysler, Daewoo, Fiat, GM, Honda, Jaguar, Toyota, Volvo, Volkswagen, etc… 3 Courtois, Bard, Wagner, FSE 2008 Algebraic and Slide Attacks on KeeLoq Our Goal: To learn about cryptanalysis… Real life: brute force attacks with FPGA’s. 4 Courtois, Bard, Wagner, FSE 2008 Algebraic and Slide Attacks on KeeLoq How Much Worth is KeeLoq • Designed in the 80's by Willem Smit. • In 1995 sold to Microchip Inc for more than 10 Million of US$. ?? 5 Courtois, Bard, Wagner, FSE 2008 Algebraic and Slide Attacks on KeeLoq How Secure is KeeLoq According to Microchip, KeeLoq should have “a level of security comparable to DES”. Yet faster. Miserably bad cipher, main reason: its periodic structure: cannot be defended. The complexity of most attacks on KeeLoq does NOT depend on the number of rounds of KeeLoq. 6 Courtois, Bard, Wagner, FSE 2008 Algebraic and Slide Attacks on KeeLoq Remarks • Paying 10 million $ for a proprietary algorithm doesn ’t prevent it from being very weak. • In comparison, RSA Security has offered ( “only ”) 70 K$ as a challenge for breaking RC5.
    [Show full text]
  • TS 135 202 V7.0.0 (2007-06) Technical Specification
    ETSI TS 135 202 V7.0.0 (2007-06) Technical Specification Universal Mobile Telecommunications System (UMTS); Specification of the 3GPP confidentiality and integrity algorithms; Document 2: Kasumi specification (3GPP TS 35.202 version 7.0.0 Release 7) 3GPP TS 35.202 version 7.0.0 Release 7 1 ETSI TS 135 202 V7.0.0 (2007-06) Reference RTS/TSGS-0335202v700 Keywords SECURITY, UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice Individual copies of the present document can be downloaded from: http://www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written permission.
    [Show full text]
  • Miss in the Middle Attacks on IDEA and Khufu
    Miss in the Middle Attacks on IDEA and Khufu Eli Biham? Alex Biryukov?? Adi Shamir??? Abstract. In a recent paper we developed a new cryptanalytic techni- que based on impossible differentials, and used it to attack the Skipjack encryption algorithm reduced from 32 to 31 rounds. In this paper we describe the application of this technique to the block ciphers IDEA and Khufu. In both cases the new attacks cover more rounds than the best currently known attacks. This demonstrates the power of the new cryptanalytic technique, shows that it is applicable to a larger class of cryptosystems, and develops new technical tools for applying it in new situations. 1 Introduction In [5,17] a new cryptanalytic technique based on impossible differentials was proposed, and its application to Skipjack [28] and DEAL [17] was described. In this paper we apply this technique to the IDEA and Khufu cryptosystems. Our new attacks are much more efficient and cover more rounds than the best previously known attacks on these ciphers. The main idea behind these new attacks is a bit counter-intuitive. Unlike tra- ditional differential and linear cryptanalysis which predict and detect statistical events of highest possible probability, our new approach is to search for events that never happen. Such impossible events are then used to distinguish the ci- pher from a random permutation, or to perform key elimination (a candidate key is obviously wrong if it leads to an impossible event). The fact that impossible events can be useful in cryptanalysis is an old idea (for example, some of the attacks on Enigma were based on the observation that letters can not be encrypted to themselves).
    [Show full text]
  • Shift Cipher Substitution Cipher Vigenère Cipher Hill Cipher
    Lecture 2 Classical Cryptosystems Shift cipher Substitution cipher Vigenère cipher Hill cipher 1 Shift Cipher • A Substitution Cipher • The Key Space: – [0 … 25] • Encryption given a key K: – each letter in the plaintext P is replaced with the K’th letter following the corresponding number ( shift right ) • Decryption given K: – shift left • History: K = 3, Caesar’s cipher 2 Shift Cipher • Formally: • Let P=C= K=Z 26 For 0≤K≤25 ek(x) = x+K mod 26 and dk(y) = y-K mod 26 ʚͬ, ͭ ∈ ͔ͦͪ ʛ 3 Shift Cipher: An Example ABCDEFGHIJKLMNOPQRSTUVWXYZ 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 • P = CRYPTOGRAPHYISFUN Note that punctuation is often • K = 11 eliminated • C = NCJAVZRCLASJTDQFY • C → 2; 2+11 mod 26 = 13 → N • R → 17; 17+11 mod 26 = 2 → C • … • N → 13; 13+11 mod 26 = 24 → Y 4 Shift Cipher: Cryptanalysis • Can an attacker find K? – YES: exhaustive search, key space is small (<= 26 possible keys). – Once K is found, very easy to decrypt Exercise 1: decrypt the following ciphertext hphtwwxppelextoytrse Exercise 2: decrypt the following ciphertext jbcrclqrwcrvnbjenbwrwn VERY useful MATLAB functions can be found here: http://www2.math.umd.edu/~lcw/MatlabCode/ 5 General Mono-alphabetical Substitution Cipher • The key space: all possible permutations of Σ = {A, B, C, …, Z} • Encryption, given a key (permutation) π: – each letter X in the plaintext P is replaced with π(X) • Decryption, given a key π: – each letter Y in the ciphertext C is replaced with π-1(Y) • Example ABCDEFGHIJKLMNOPQRSTUVWXYZ πBADCZHWYGOQXSVTRNMSKJI PEFU • BECAUSE AZDBJSZ 6 Strength of the General Substitution Cipher • Exhaustive search is now infeasible – key space size is 26! ≈ 4*10 26 • Dominates the art of secret writing throughout the first millennium A.D.
    [Show full text]
  • Improbable Differential from Impossible Differential
    Improbable Differential from Impossible Differential: On the Validity of the Model C´elineBlondeau Aalto University, School of Science, Department of Information and Computer Science [email protected] Abstract. Differentials with low probability are used in improbable dif- ferential cryptanalysis to distinguish a cipher from a random permuta- tion. Due to large diffusion, finding such differentials for actual ciphers re- mains a challenging task. At Indocrypt 2010, Tezcan proposed a method to derive improbable differential distinguishers from impossible differ- ential ones. In this paper, we discuss the validity of the assumptions made in the computation of the improbable differential probabilities. In particular, we show based on experiments that such improbable differ- ential cryptanalysis can fail. The validity of the improbable differential cryptanalyses on PRESENT and CLEFIA is discussed. Keywords:improbable differential, impossible differential, truncated differential, PRESENT, CLEFIA 1 Introduction Since the introduction of differential cryptanalysis [2] in the beginning of the 90's, many generalizations of this attack have been proposed to cryptanalyse a large number of block ciphers. While most of them exploit differentials with high probability, in the impossible differential cryptanalysis context [1] attackers take advantage of zero-probability differentials. Recently a variation of this attack called improbable differential cryptanalysis have been introduced by Tezcan [21] at Indocrypt 2010 and by Mala, Dakhilalian and Shakiba [15]. In this context, differentials with low probabilities are used to distinguish the cipher from a random permutation. While in theory this attack could be efficient on some ciphers, in practice, it may be hard to find differentials or truncated differentials with such small prob- abilities.
    [Show full text]
  • Pseudorandomness of Basic Structures in the Block Cipher KASUMI
    Pseudorandomness of Basic Structures in the Block Cipher KASUMI Ju-Sung Kang, Bart Preneel, Heuisu Ryu, Kyo Il Chung, and Chee Hang Park The notion of pseudorandomness is the theoretical I. INTRODUCTION foundation on which to consider the soundness of a basic structure used in some block ciphers. We examine the A block cipher is a family of permutations on a message pseudorandomness of the block cipher KASUMI, which space indexed by a secret key. Luby and Rackoff [1] will be used in the next-generation cellular phones. First, we introduced a theoretical model for the security of block ciphers prove that the four-round unbalanced MISTY-type by using the notion of pseudorandom and super-pseudorandom transformation is pseudorandom in order to illustrate the permutations. A pseudorandom permutation can be interpreted pseudorandomness of the inside round function FI of as a block cipher that cannot be distinguished from a truly KASUMI under an adaptive distinguisher model. Second, random permutation regardless of how many polynomial we show that the three-round KASUMI-like structure is not encryption queries an attacker makes. A super-pseudorandom pseudorandom but the four-round KASUMI-like structure permutation can be interpreted as a block cipher that cannot be is pseudorandom under a non-adaptive distinguisher model. distinguished from a truly random permutation regardless of how many polynomial encryption and decryption queries an attacker makes. Luby and Rackoff used a Feistel-type transformation defined by the typical two-block structure of the block cipher DES in order to construct pseudorandom and super-pseudorandom permutations from pseudorandom functions [1].
    [Show full text]
  • 1. Classical Cryptography
    1. Classical Cryptography Some Simple Cryptosystems • Shift Cipher, • Substitution Cipher, • Affine Cipher, • Vigenere Cipher, • Hill Cipher, • Permutation Cipher, • Stream Cipher Modular Arithmetic, Number theory, and Group Cryptanalysis The RSA Cryptosystem 1 Classical Cryptography Definition 1.1: A cryptosystem is a five-tuple (P, C, H, E, D), where the following conditions are satisfied: 1. P is a finite set of possible plaintexts 2. C is a finite set of possible ciphertexts 3. H the keyspace, is a finite set of possible keys 4. For each K H, there is an encryption rule eK E : P C and a corresponding decryption rule dK D: C P such that x C, dK (eK(x)) = x Oscar x y x Alice Encrypter Decrypter Bob Secure chanel K Key source 2 Modular Arithmetic Definition 1.2: Suppose a and b are integers, and m is positive integer. Then we write a b (mod m) if m divides b-a. • a b mod m if and only if (a-b) = km for some k •Zm the equivalence class under mod m • Canonical form Zm = {0,1,2,…,m-1}, we use the positive remainder as the standard representation. • -1 m -1 mod m • (Zm, +, 0) is a Group . + is closed . Associative: (a + b) + c = a + (b + c) . Commutative: a + b = b + a (abelian group) . 0 is the identity for +: a + 0 = a + 0 = a . Additive inverse: (-a) + a = a + (-a) = 0 3 Modular Arithmetic • (Zm, +, , 0, 1) is a Ring . +, are closed . +, are associative and commutative (abelian ring) . Operation distributes over +: a (b + c) = a b + a c .
    [Show full text]
  • Differential-Linear Cryptanalysis Revisited
    Differential-Linear Cryptanalysis Revisited C´elineBlondeau1 and Gregor Leander2 and Kaisa Nyberg1 1 Department of Information and Computer Science, Aalto University School of Science, Finland fceline.blondeau, [email protected] 2 Faculty of Electrical Engineering and Information Technology, Ruhr Universit¨atBochum, Germany [email protected] Abstract. Block ciphers are arguably the most widely used type of cryptographic primitives. We are not able to assess the security of a block cipher as such, but only its security against known attacks. The two main classes of attacks are linear and differential attacks and their variants. While a fundamental link between differential and linear crypt- analysis was already given in 1994 by Chabaud and Vaudenay, these at- tacks have been studied independently. Only recently, in 2013 Blondeau and Nyberg used the link to compute the probability of a differential given the correlations of many linear approximations. On the cryptana- lytical side, differential and linear attacks have been applied on different parts of the cipher and then combined to one distinguisher over the ci- pher. This method is known since 1994 when Langford and Hellman presented the first differential-linear cryptanalysis of the DES. In this paper we take the natural step and apply the theoretical link between linear and differential cryptanalysis to differential-linear cryptanalysis to develop a concise theory of this method. We give an exact expression of the bias of a differential-linear approximation in a closed form under the sole assumption that the two parts of the cipher are independent. We also show how, under a clear assumption, to approximate the bias effi- ciently, and perform experiments on it.
    [Show full text]