DOCSLIB.ORG

Camellia: a 128-Bit Block Cipher Suitable for Multiple Platforms — Design and Analysis —

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Camellia: a 128-Bit Block Cipher Suitable for Multiple Platforms — Design and Analysis — Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms — Design and Analysis — Kazumaro Aoki† Tetsuya Ichikawa‡ Masayuki Kanda† Mitsuru Matsui‡ Shiho Moriai† Junko Nakajima‡ Toshio Tokita‡ †Nippon Telegraph and Telephone Corporation 1-1 Hikarinooka, Yokosuka, Kanagawa, 239-0847 Japan {maro,kanda,shiho}@isl.ntt.co.jp ‡Mitsubishi Electric Corporation 5-1-1 Ofuna, Kamakura, Kanagawa, 247-8501 Japan {ichikawa,matsui,june15,tokita}@iss.isl.melco.co.jp Abstract. We present a new 128-bit block cipher High level of security. The recent advances in called Camellia. Camellia supports 128-bit block size cryptanalytic techniques are remarkable. A quantita- and 128-, 192-, and 256-bit keys, i.e. the same inter- tive evaluation of security against powerful cryptana- face specifications as the Advanced Encryption Stan- lytic techniques such as differential cryptanalysis [4] and dard (AES). Efficiency on both software and hardware linear cryptanalysis [21] is considered to be essential platforms is a remarkable characteristic of Camellia in in designing any new block cipher. We evaluated the addition to its high level of security. It is confirmed that security of Camellia by utilizing state-of-art cryptana- Camellia provides strong security against differential lytic techniques. We have confirmed that Camellia has and linear cryptanalysis. Compared to the AES final- no differential and linear characteristics that hold with ists, i.e. MARS, RC6, Rijndael, Serpent, and Twofish, probability more than 2−128. Moreover, Camellia was Camellia offers at least comparable encryption speed designed to offer security against other advanced crypt- in software and hardware. An optimized implementa- analytic attacks including higher order differential at- tion of Camellia in assembly language can encrypt on tacks [15, 12], interpolation attacks [12, 2], related-key a Pentium III (800MHz) at the rate of more than 276 attacks [5, 18], truncated differential attacks [15, 26], Mbits per second, which is much faster than the speed boomerang attacks [29], and slide attacks [6, 7]. of an optimized DES implementation. In addition, a distinguishing feature is its small hardware design. The Efficiency on multiple platforms. As crypto- hardware design, which includes both encryption and graphic systems are needed in various applications, en- decryption, occupies approximately 11K gates, which cryption algorithms that can be implemented efficiently is the smallest among all existing 128-bit block ciphers on a wide range of platforms are desirable, however, few as far as we know. 128-bit block ciphers are suitable for both software and hardware implementation. Camellia was designed to of- fer excellent efficiency in hardware and software imple- mentations, including gate count for hardware design, 1 Introduction memory requirements in smart card implementations, as well as performance on multiple platforms. This paper presents a 128-bit block cipher called Camellia consists of only 8-by-8-bit substitution ta- Camellia, which was jointly developed by NTT and bles (s-boxes) and logical operations that can be ef- Mitsubishi Electric Corporation. Camellia supports ficiently implemented on a wide variety of platforms. 128-bit block size and 128-, 192-, and 256-bit key Therefore, it can be implemented efficiently in software, lengths, and so offers the same interface specifications including the 8-bit processors used in low-end smart as the Advanced Encryption Standard (AES). The de- cards, 32-bit processors widely used in PCs, and 64-bit sign goals of Camellia are as follows. processors. Camellia doesn’t use 32-bit integer addi- 1 tions and multiplications, which are extensively used in some software-oriented 128-bit block ciphers. Such M(128) operations perform well on platforms providing a high kw kw degree of support, e.g., Pentium II/III or Athlon, but 1(64) 2(64) not as well on others. These operations can cause a L0(64) R0(64) k k k longer critical path and larger hardware implementa- 1(64), 2(64), 3(64), L R k 0(64) 0(64) k4(64), k5(64), k 6(64) 1(64) tion requirements. 6-Round F s The -boxes of Camellia are designed to minimize L1(64) R1(64) k 2(64) hardware size. The four s-boxes are affine equivalent to F -1 8 kl1(64) FL FL kl2(64) the inversion function in the finite field GF(2 ). More- L R 8 k 2(64) 2(64) k7(64), k8(64), k9(64), 3(64) over, we reduced the inversion function in GF(2 )to F 4 k k k a few GF(2 ) arithmetic operations. It enabled us to 10(64), 11(64), 12(64) 6-Round L3(64) R3(64) implement the s-boxes by fewer gate counts. k 4(64) F The key schedule is simple and shares part of its pro- FL FL -1 kl3(64) kl4(64) L4(64) R4(64) cedure with encryption. It supports on-the-key sub- k 5(64) F key generation and subkeys are computable in any or- k13(64), k14(64), k15(64), k k k 16(64), 17(64), 18(64) L5(64) R 5(64) der. The memory requirement for generating subkeys is 6-Round k 6(64) quite small; an efficient implementation requires about F 32-byte RAM for 128-bit keys and about 64-byte RAM L18(64) R18(64) for 192- and 256-bit keys. kw3(64) kw4(64) Future developments. NTT and Mitsubishi Elec- C(128) tric Corporation will propose Camellia in response to the call for contributions from ISO/IEC JTC 1/SC 27, aiming at its being adopted as an international stan- Figure 1: Encryption procedure of Camellia for 128-bit dard. We will submit Camellia to NESSIE (New Euro- keys pean Schemes for Signature, Integrity, and Encryption) project as a strong cryptographic primitive. 2.1 Notations XL the left-half data of X. Outline of the paper. This paper is organized as XR the right-half data of X. follows: Section 2 describes the notations and high-level ⊕ bitwise exclusive-OR operation. structure of Camellia. Section 3 defines each compo- || concatenation of two operands. nents of the cipher. Section 4 describes the rationale >>>n rotation to the right by n bits. behind Camellia’s design. In Section 5 we evaluate <<<n rotation to the left by n bits. Camellia’s strength against known attacks. Section 6 ∩ bitwise AND operation. contains the performance of Camellia. We conclude in ∪ bitwise OR operation. Section 7. 0x hexadecimal representation. 2.2 Encryption for 128-bit keys Camellia 2 Structure of First a 128-bit plaintext M is XORed with kw1||kw2 and separated into two 64-bit data L0 and R0, i.e., M ⊕ Camellia uses an 18-round Feistel structure for 128- (kw1||kw2)=L0||R0. Then, the following operations bit keys, and a 24-round Feistel structure for 192- and are performed from r = 1 to 18, except for r =6and 256-bit keys, with additional input/output whitenings 12; and logical functions called the FL-function and FL−1- function inserted every 6 rounds. Figures 1 shows an Lr = Rr−1 ⊕ F (Lr−1,kr), overview of encryption using 128-bit keys. The key Rr = Lr−1. schedule generates 64-bit subkeys kwt (t =1, 2, 3, 4) for input/output whitenings, ku (u =1, 2,...,r)for For r = 6 and 12, the following is carried out; round functions and klv(v =1, 2,...,r/3 − 2) for FL- FL−1 K L0 R ⊕ F L ,k , and -functions from the secret key . r = r−1 ( r−1 r) 2 0 R = L −1, r r Table 1: The key schedule constants L FL L0 ,kl , r = ( r r/3−1) 0xA09E667F3BCC908B R FL−1 R0 ,kl . Σ1 r = ( r r/3) Σ2 0xB67AE8584CAA73B2 0xC6EF372FE94F82BE Lastly, R18 and L18 are concatenated and XORed Σ3 0x54FF53A5F1D36F1C with kw3||kw4. The resultant value is the 128-bit ci- Σ4 0x10E527FADE682D1D phertext, i.e., C =(R18||L18) ⊕ (kw3||kw4). Σ5 Σ6 0xB05688C2B3E6C1FD 2.3 Encryption for 192- and 256-bit keys Similarly to the encryption for 128-bit keys, first a 128- “keys” in the Feistel network. They are defined as con- M kw ||kw bit plaintext is XORed with 1 2 and separated tinuous values from the second hexadecimal place to the L R M ⊕ kw ||kw into two 64-bit data 0 and 0, i.e., ( 1 2)= seventeenth hexadecimal place of the hexadecimal rep- L ||R 0 0. Then, the following operations are performed resentation of the square root of the i-th prime. These r r from = 1 to 24, except for = 6, 12, and 18; constant values are shown in Table 1. Lr = Rr−1 ⊕ F (Lr−1,kr), The 64-bit subkeys kwt, ku,andklv are generated R L . r = r−1 from KL, KR, KA,andKB. The subkeys are generated by rotating K , K , K ,andK and taking the left- r L R A B For = 6, 12, and 18, the following are performed; or right-half of them. Details are shown in Tables 2 L0 R ⊕ F L ,k , and 3. r = r−1 ( r−1 r) R0 L , r = r−1 0 Lr = FL(L ,kl2r/6−1), r K K R FL−1 R0 ,kl . L(128) R(128) r = ( r 2r/6) Lastly, R24 and L24 are concatenated and XORed with kw3||kw4. The resultant value is the 128-bit ci- Σ1(64) phertext, i.e., C =(R24||L24) ⊕ (kw3||kw4). F Σ 2.4 Decryption 2(64) F The decryption procedure of Camellia canbedonein K the same way as the encryption procedure by reversing R(128) the order of the subkeys, which is one of merits of Feis- tel networks.
Load more

Recommended publications
  • Camellia: a 128-Bit Block Cipher Suitable for Multiple Platforms
    gopyright x nd witsuishi iletri gorp ortion PHHHEPHHI g mel l iX e IPVEfit flo k gipher uitle for wultiple ltforms y z y uzumro eoki etsuyshikw wsyuki und z y z z witsuru wtsui hiho worii tunkoxkjim oshio okit y xipp on elegrph nd elephone gorp ortion IEI rikrino okD okosukD ungwD PQWEHVRU tpn fmroDkndDshihogdislFnttFoFjp z witsuishi iletri gorp ortion SEIEI yfunD umkurD ungwD PRUEVSHI tpn fihikwDmtsuiDjuneISDtokitgdissFislFmeloFoFjp er IFHX tuly IQD PHHH er PFHX eptemer PTD PHHI estrtF e present new IPVEit lo k ipher lled gmel liF gmelli supp orts IPVEit lo ksizend IPVED IWPED nd PSTEit keysD iFeF the sme interfe sp eitions s the edvned inryption tndrd @eiAF iieny on oth softE wre nd hrdwre pltforms is remrkle hrteristi of gmelli in ddition to its high level of seurityF st is onrmed tht gmelli provides strong seurity ginst dierentil nd liner ryptnlysisF gompred to the ei nlistsD iFeF weD gTD ijndelD erp entD nd woshD gmelli oers t lest omprle enryption sp eed in softwre nd hrdwreF en optimized implementtion of gmelE li in ssemly lnguge n enrypt on entiums s s @IFIQqrzA t the rte of RUI wits p er seondF sn dditionD distinguishing feture is its smll hrdwre designF e hrdwre implementtionD whih inludes enryptionD deryptionD nd the key shedule for IPVEit keysD o upies only VFIPu gtes using HFIV"m gwy esg lirryF his is in the smllest lss mong ll existing IPVEit lo k iphersF gopyright x nd witsuishi iletri gorp ortion PHHHEPHHI gontents I sntro dution I P hesign tionle Q PFI p Efuntion X X X X X X X X X X X X X X X X X X X X X X X X X
    [Show full text]
  • Integral Cryptanalysis on Full MISTY1⋆
    Integral Cryptanalysis on Full MISTY1? Yosuke Todo NTT Secure Platform Laboratories, Tokyo, Japan [email protected] Abstract. MISTY1 is a block cipher designed by Matsui in 1997. It was well evaluated and standardized by projects, such as CRYPTREC, ISO/IEC, and NESSIE. In this paper, we propose a key recovery attack on the full MISTY1, i.e., we show that 8-round MISTY1 with 5 FL layers does not have 128-bit security. Many attacks against MISTY1 have been proposed, but there is no attack against the full MISTY1. Therefore, our attack is the first cryptanalysis against the full MISTY1. We construct a new integral characteristic by using the propagation characteristic of the division property, which was proposed in 2015. We first improve the division property by optimizing a public S-box and then construct a 6-round integral characteristic on MISTY1. Finally, we recover the secret key of the full MISTY1 with 263:58 chosen plaintexts and 2121 time complexity. Moreover, if we can use 263:994 chosen plaintexts, the time complexity for our attack is reduced to 2107:9. Note that our cryptanalysis is a theoretical attack. Therefore, the practical use of MISTY1 will not be affected by our attack. Keywords: MISTY1, Integral attack, Division property 1 Introduction MISTY [Mat97] is a block cipher designed by Matsui in 1997 and is based on the theory of provable security [Nyb94,NK95] against differential attack [BS90] and linear attack [Mat93]. MISTY has a recursive structure, and the component function has a unique structure, the so-called MISTY structure [Mat96].
    [Show full text]
  • Zero Correlation Linear Cryptanalysis on LEA Family Ciphers
    Journal of Communications Vol. 11, No. 7, July 2016 Zero Correlation Linear Cryptanalysis on LEA Family Ciphers Kai Zhang, Jie Guan, and Bin Hu Information Science and Technology Institute, Zhengzhou 450000, China Email: [email protected]; [email protected]; [email protected] Abstract—In recent two years, zero correlation linear Zero correlation linear cryptanalysis was firstly cryptanalysis has shown its great potential in cryptanalysis and proposed by Andrey Bogdanov and Vicent Rijmen in it has proven to be effective against massive ciphers. LEA is a 2011 [2], [3]. Generally speaking, this cryptanalytic block cipher proposed by Deukjo Hong, who is the designer of method can be concluded as “use linear approximation of an ISO standard block cipher - HIGHT. This paper evaluates the probability 1/2 to eliminate the wrong key candidates”. security level on LEA family ciphers against zero correlation linear cryptanalysis. Firstly, we identify some 9-round zero However, in this basic model of zero correlation linear correlation linear hulls for LEA. Accordingly, we propose a cryptanalysis, the data complexity is about half of the full distinguishing attack on all variants of 9-round LEA family code book. The high data complexity greatly limits the ciphers. Then we propose the first zero correlation linear application of this new method. In FSE 2012, multiple cryptanalysis on 13-round LEA-192 and 14-round LEA-256. zero correlation linear cryptanalysis [4] was proposed For 13-round LEA-192, we propose a key recovery attack with which use multiple zero correlation linear approximations time complexity of 2131.30 13-round LEA encryptions, data to reduce the data complexity.
    [Show full text]
  • SAEB: a Lightweight Blockcipher-Based AEAD Mode of Operation
    SAEB: A Lightweight Blockcipher-Based AEAD Mode of Operation Yusuke Naito1, Mitsuru Matsui1, Takeshi Sugawara2 and Daisuke Suzuki1 1 Mitsubishi Electric Corporation, Japan {Naito.Yusuke@ce,Matsui.Mitsuru@ab,Suzuki.Daisuke@bx}.MitsubishiElectric.co.jp 2 The University of Electro-Communications, Japan [email protected] Abstract. Lightweight cryptography in computationally constrained devices is ac- tively studied. In contrast to advances of lightweight blockcipher in the last decade, lightweight mode of operation is seemingly not so mature, yet it has large impact in performance. Therefore, there is a great demand for lightweight mode of oper- ation, especially that for authenticated encryption with associated data (AEAD). Among many known properties of conventional modes of operation, the following four properties are essential for constrained devices: 1. Minimum State Size: the state size equals to a block size of a blockcipher. 2. Inverse Free: no need for a blockcipher decryption. 3. XOR Only: only XOR is needed in addition to a blockcipher encryption. 4. Online: a data block is processed only once. The properties 1 and 4 contribute to small memory usage, and the properties 2 and 3 contribute to small program/circuit footprint. On top of the above properties, the fifth property regarding associated data (AD) is also important for performance: 5. Efficient Handling of Static AD: static AD can be precomputed. We design a lightweight blockcipher-based AEAD mode of operation called SAEB: the first mode of operation that satisfies all the five properties to the best of our knowledge. Performance of SAEB is evaluated in various software and hardware platforms.
    [Show full text]
  • On the Decorrelated Fast Cipher (DFC) and Its Theory
    On the Decorrelated Fast Cipher (DFC) and Its Theory Lars R. Knudsen and Vincent Rijmen ? Department of Informatics, University of Bergen, N-5020 Bergen Abstract. In the first part of this paper the decorrelation theory of Vaudenay is analysed. It is shown that the theory behind the propo- sed constructions does not guarantee security against state-of-the-art differential attacks. In the second part of this paper the proposed De- correlated Fast Cipher (DFC), a candidate for the Advanced Encryption Standard, is analysed. It is argued that the cipher does not obtain prova- ble security against a differential attack. Also, an attack on DFC reduced to 6 rounds is given. 1 Introduction In [6,7] a new theory for the construction of secret-key block ciphers is given. The notion of decorrelation to the order d is defined. Let C be a block cipher with block size m and C∗ be a randomly chosen permutation in the same message space. If C has a d-wise decorrelation equal to that of C∗, then an attacker who knows at most d − 1 pairs of plaintexts and ciphertexts cannot distinguish between C and C∗. So, the cipher C is “secure if we use it only d−1 times” [7]. It is further noted that a d-wise decorrelated cipher for d = 2 is secure against both a basic linear and a basic differential attack. For the latter, this basic attack is as follows. A priori, two values a and b are fixed. Pick two plaintexts of difference a and get the corresponding ciphertexts.
    [Show full text]
  • FIPS 140-2 Non-Proprietary Security Policy Oracle Linux 7 NSS
    FIPS 140-2 Non-Proprietary Security Policy Oracle Linux 7 NSS Cryptographic Module FIPS 140-2 Level 1 Validation Software Version: R7-4.0.0 Date: January 22nd, 2020 Document Version 2.3 © Oracle Corporation This document may be reproduced whole and intact including the Copyright notice. Title: Oracle Linux 7 NSS Cryptographic Module Security Policy Date: January 22nd, 2020 Author: Oracle Security Evaluations – Global Product Security Contributing Authors: Oracle Linux Engineering Oracle Corporation World Headquarters 500 Oracle Parkway Redwood Shores, CA 94065 U.S.A. Worldwide Inquiries: Phone: +1.650.506.7000 Fax: +1.650.506.7200 oracle.com Copyright © 2020, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. Oracle specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may reproduced or distributed whole and intact including this copyright notice. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Oracle Linux 7 NSS Cryptographic Module Security Policy i TABLE OF CONTENTS Section Title
    [Show full text]
  • Internet Engineering Task Force (IETF) S. Kanno Request for Comments: 6367 NTT Software Corporation Category: Informational M
    Internet Engineering Task Force (IETF) S. Kanno Request for Comments: 6367 NTT Software Corporation Category: Informational M. Kanda ISSN: 2070-1721 NTT September 2011 Addition of the Camellia Cipher Suites to Transport Layer Security (TLS) Abstract This document specifies forty-two cipher suites for the Transport Security Layer (TLS) protocol to support the Camellia encryption algorithm as a block cipher. Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6367. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
    [Show full text]
  • Hemiunu Used Numerically Tagged Surface Ratios to Mark Ceilings Inside the Great Pyramid Hinting at Designed Spaces Still Hidden Within
    Archaeological Discovery, 2018, 6, 319-337 http://www.scirp.org/journal/ad ISSN Online: 2331-1967 ISSN Print: 2331-1959 Hemiunu Used Numerically Tagged Surface Ratios to Mark Ceilings inside the Great Pyramid Hinting at Designed Spaces Still Hidden Within Manu Seyfzadeh Institute for the Study of the Origins of Civilization (ISOC)1, Boston University’s College of General Studies, Boston, USA How to cite this paper: Seyfzadeh, M. Abstract (2018). Hemiunu Used Numerically Tagged Surface Ratios to Mark Ceilings inside the In 1883, W. M. Flinders Petrie noticed that the vertical thickness and height Great Pyramid Hinting at Designed Spaces of certain stone courses of the Great Pyramid2 of Khufu/Cheops at Giza, Still Hidden Within. Archaeological Dis- Egypt markedly increase compared to those immediately lower periodically covery, 6, 319-337. https://doi.org/10.4236/ad.2018.64016 and conspicuously interrupting a general trend of progressive course thinning towards the summit. Having calculated the surface area of each course, Petrie Received: September 10, 2018 further noted that the courses immediately below such discrete stone thick- Accepted: October 5, 2018 Published: October 8, 2018 ness peaks tended to mark integer multiples of 1/25th of the surface area at ground level. Here I show that the probable architect of the Great Pyramid, Copyright © 2018 by author and Khufu’s vizier Hemiunu, conceptualized its vertical construction design using Scientific Research Publishing Inc. surface areas based on the same numerical principles used to design his own This work is licensed under the Creative Commons Attribution International mastaba in Giza’s western cemetery and conspicuously used this numerical License (CC BY 4.0).
    [Show full text]
  • Report on the AES Candidates
    Rep ort on the AES Candidates 1 2 1 3 Olivier Baudron , Henri Gilb ert , Louis Granb oulan , Helena Handschuh , 4 1 5 1 Antoine Joux , Phong Nguyen ,Fabrice Noilhan ,David Pointcheval , 1 1 1 1 Thomas Pornin , Guillaume Poupard , Jacques Stern , and Serge Vaudenay 1 Ecole Normale Sup erieure { CNRS 2 France Telecom 3 Gemplus { ENST 4 SCSSI 5 Universit e d'Orsay { LRI Contact e-mail: [email protected] Abstract This do cument rep orts the activities of the AES working group organized at the Ecole Normale Sup erieure. Several candidates are evaluated. In particular we outline some weaknesses in the designs of some candidates. We mainly discuss selection criteria b etween the can- didates, and make case-by-case comments. We nally recommend the selection of Mars, RC6, Serp ent, ... and DFC. As the rep ort is b eing nalized, we also added some new preliminary cryptanalysis on RC6 and Crypton in the App endix which are not considered in the main b o dy of the rep ort. Designing the encryption standard of the rst twentyyears of the twenty rst century is a challenging task: we need to predict p ossible future technologies, and wehavetotake unknown future attacks in account. Following the AES pro cess initiated by NIST, we organized an op en working group at the Ecole Normale Sup erieure. This group met two hours a week to review the AES candidates. The present do cument rep orts its results. Another task of this group was to up date the DFC candidate submitted by CNRS [16, 17] and to answer questions which had b een omitted in previous 1 rep orts on DFC.
    [Show full text]
  • Cryptanalysis of a Reduced Version of the Block Cipher E2
    Cryptanalysis of a Reduced Version of the Block Cipher E2 Mitsuru Matsui and Toshio Tokita Information Technology R&D Center Mitsubishi Electric Corporation 5-1-1, Ofuna, Kamakura, Kanagawa, 247, Japan [email protected], [email protected] Abstract. This paper deals with truncated differential cryptanalysis of the 128-bit block cipher E2, which is an AES candidate designed and submitted by NTT. Our analysis is based on byte characteristics, where a difference of two bytes is simply encoded into one bit information “0” (the same) or “1” (not the same). Since E2 is a strongly byte-oriented algorithm, this bytewise treatment of characteristics greatly simplifies a description of its probabilistic behavior and noticeably enables us an analysis independent of the structure of its (unique) lookup table. As a result, we show a non-trivial seven round byte characteristic, which leads to a possible attack of E2 reduced to eight rounds without IT and FT by a chosen plaintext scenario. We also show that by a minor modification of the byte order of output of the round function — which does not reduce the complexity of the algorithm nor violates its design criteria at all —, a non-trivial nine round byte characteristic can be established, which results in a possible attack of the modified E2 reduced to ten rounds without IT and FT, and reduced to nine rounds with IT and FT. Our analysis does not have a serious impact on the full E2, since it has twelve rounds with IT and FT; however, our results show that the security level of the modified version against differential cryptanalysis is lower than the designers’ estimation.
    [Show full text]
  • Provable Security Evaluation of Structures Against Impossible Differential and Zero Correlation Linear Cryptanalysis ⋆
    Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation Linear Cryptanalysis ⋆ Bing Sun1,2,4, Meicheng Liu2,3, Jian Guo2, Vincent Rijmen5, Ruilin Li6 1 College of Science, National University of Defense Technology, Changsha, Hunan, P.R.China, 410073 2 Nanyang Technological University, Singapore 3 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, P.R. China, 100093 4 State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, P.R. China, 100878 5 Dept. Electrical Engineering (ESAT), KU Leuven and iMinds, Belgium 6 College of Electronic Science and Engineering, National University of Defense Technology, Changsha, Hunan, P.R.China, 410073 happy [email protected] [email protected] [email protected] [email protected] [email protected] Abstract. Impossible differential and zero correlation linear cryptanal- ysis are two of the most important cryptanalytic vectors. To character- ize the impossible differentials and zero correlation linear hulls which are independent of the choices of the non-linear components, Sun et al. proposed the structure deduced by a block cipher at CRYPTO 2015. Based on that, we concentrate in this paper on the security of the SPN structure and Feistel structure with SP-type round functions. Firstly, we prove that for an SPN structure, if α1 → β1 and α2 → β2 are possi- ble differentials, α1|α2 → β1|β2 is also a possible differential, i.e., the OR “|” operation preserves differentials. Secondly, we show that for an SPN structure, there exists an r-round impossible differential if and on- ly if there exists an r-round impossible differential α → β where the Hamming weights of both α and β are 1.
    [Show full text]
  • New Comparative Study Between DES, 3DES and AES Within Nine Factors
    JOURNAL OF COMPUTING, VOLUME 2, ISSUE 3, MARCH 2010, ISSN 2151-9617 152 HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/ New Comparative Study Between DES, 3DES and AES within Nine Factors Hamdan.O.Alanazi, B.B.Zaidan, A.A.Zaidan, Hamid A.Jalab, M.Shabbir and Y. Al-Nabhani ABSTRACT---With the rapid development of various multimedia technologies, more and more multimedia data are generated and transmitted in the medical, also the internet allows for wide distribution of digital media data. It becomes much easier to edit, modify and duplicate digital information .Besides that, digital documents are also easy to copy and distribute, therefore it will be faced by many threats. It is a big security and privacy issue, it become necessary to find appropriate protection because of the significance, accuracy and sensitivity of the information. , which may include some sensitive information which should not be accessed by or can only be partially exposed to the general users. Therefore, security and privacy has become an important. Another problem with digital document and video is that undetectable modifications can be made with very simple and widely available equipment, which put the digital material for evidential purposes under question. Cryptography considers one of the techniques which used to protect the important information. In this paper a three algorithm of multimedia encryption schemes have been proposed in the literature and description. The New Comparative Study between DES, 3DES and AES within Nine Factors achieving an efficiency, flexibility and security, which is a challenge of researchers. Index Terms—Data Encryption Standared, Triple Data Encryption Standared, Advance Encryption Standared.
    [Show full text]