Improved Impossible Differential Attacks on Large-Block Rijndael (original) (raw)
Related papers
Improved Cryptanalysis of Rijndael
2000
We improve the best attack on Rijndael reduced to 6 rounds from complexity 2 72 to 2 44 . We also present the first known attacks on 7-and 8-round Rijndael. The attacks on 8-round Rijndael work for 192bit and 256-bit keys. Finally, we discuss the key schedule of Rijndael and describe a related-key attack that can break 9-round Rijndael with 256-bit keys.
Impossible Differential Cryptanalysis for Block Cipher Structures
2003
Impossible Differential Cryptanalysis(IDC) [4] uses impossible differential characteristics to retrieve a subkey material for the first or the last several rounds of block ciphers. Thus, the security of a block cipher against IDC can be evaluated by impossible differential characteristics. In this paper, we study impossible differential characteristics of block cipher structures whose round functions are bijective. We introduce a widely applicable method to find various impossible differential characteristics of block cipher structures. Using this method, we find various impossible differential characteristics of known block cipher structures: Nyberg’s generalized Feistel network, a generalized CAST256-like structure [14], a generalized MARS-like structure [14], a generalized RC6-like structure [14], and Rijndael structure.
On the Security of Rijndael-Like Structures against Differential and Linear Cryptanalysis
2002
Rijndael-like structure is a special case of SPN structure. The linear transformation of Rijndael-like structures consists of linear transformations of two types, the one is byte permutation π and the other is linear transformation θ = (θ1, θ2, θ3, θ4), where each of θi separately operates on each of the four columns of a state. Furthermore, π and θ have some interesting properties. In this paper, we present a new method for upper bounding the maximum differential probability and the maximum linear hull probability for Rijndael-like structures. By applying our method to Rijndael, we obtain that the maximum differential probability and the maximum linear hull probability for 4 rounds of Rijndael are bounded by 1.06 × 2 −96 .
New Impossible Differential Attacks on AES
2008
In this paper we apply impossible differential attacks to reduced round AES. Using various techniques, including the early abort approach and key schedule considerations, we significantly improve previously known attacks due to Bahrak-Aref and Phan. The improvement of these attacks leads to better impossible differential attacks on 7-round AES-128 and AES-192, as well as to better impossible differential attacks on 8-round AES-256.
Cryptanalysis of Block Ciphers Using Almost-Impossible Differentials
In this paper, inspired from the notion of impossible differentials, we present a model to use differentials that are less probable than a random permutation. We introduce such a distinguisher for 2 rounds of Crypton, and present an attack on 6 rounds of this predecessor AES candidate. As a special case of this idea, we embed parts of the additional rounds around the impossible differential into the distinguisher to make a probabilistic distinguisher with more rounds. We show that with this change, the data complexity is increased but the time complexity may be reduced or increased. Then we discuss that this change in the impossible differential cryptanalysis is commodious and rational when the data complexity is low and time complexity is marginal.
A unified method for finding impossible differentials of block cipher structures
Information Sciences, 2014
In this paper, we propose a systematic method for finding impossible differentials for block cipher structures, better than the Umethod introduced by Kim et al [4]. It is referred as a unified impossible differential finding method (UID-method). We apply the UID-method to some popular block ciphers such as Gen-Skipjack, Gen-CAST256, Gen-MARS, Gen-RC6, Four-Cell, SMS4 and give the detailed impossible differentials. By the UID-method, we find a 16-round impossible differential on Gen-Skipjack and a 19-round impossible differential on Gen-CAST256. Thus we disprove the Conjecture 2 proposed in Asiacrypt'00 [9] and the theorem in FSE'09 rump session presentation [8]. On Gen-MARS and SMS4, the impossible differentials find by the UID-method are much longer than that found by the U-method. On the Four-Cell block cipher, our result is the same as the best result previously obtained by case-bycase treatment.
Impossible Differential Cryptanalysis of Reduced-Round Midori64 Block Cipher
2017 14th International ISC (Iranian Society of Cryptology) Conference on Information Security and Cryptology (ISCISC), 2017
Impossible differential attack is a well-known mean to examine robustness of block ciphers. Using impossible differential cryptanalysis, we analyze security of a family of lightweight block ciphers, named Midori, that are designed considering low energy consumption. Midori state size can be either 64 bits for Midori64 or 128 bits for Midori128; however, both versions have key size equal to 128 bits. In this paper, we mainly study security of Midori64. To this end, we use various techniques such as early-abort, memory reallocation, miss-in-the-middle and turning to account the inadequate key schedule algorithm of Midori64. We first show two new 7-round impossible differential characteristics which are, to the best of our knowledge, the longest impossible differential characteristics found for Midori64. Based on the new characteristics, we mount three impossible differential attacks on 10, 11, and 12 rounds on Midori64 with 2 87.7 , 2 90.63 , and 2 90.51 time complexity, respectively, to retrieve the master-key.
New impossible differential attacks on reduced-round Crypton
2010
Crypton is a 128-bit block cipher which was submitted to the Advanced Encryption Standard competition. In this paper, we present two new impossible differential attacks to reduced-round Crypton. Using two new observations on the diffusion layer of Crypton, exploiting a 4-round impossible differential, and appropriately choosing three additional rounds, we mount the first impossible differential attack on 7round Crypton. The proposed attacks require 2 121 chosen plaintexts each. The first attack requires 2 125.2 encryptions. We then utilize more pre-computation and memory to reduce the time complexity to 2 116.2 encryptions in the second attack.
A Differential Bommerang Attack Against 7-round Rijndael
2004
In this paper, we report on our design of a choosen plaintext attack with work factor 2 to recover of the first and the last subkeys of a 7-round Rijndael, while differential cryptanalysis against Rijndael have been done for up to 6 rounds and reported in published papers. We found a 5-round boomerang characteristic for Rijndael, and designed a choosen plaintext attack based on this characteristic ,with work factor 2 to recover the 32 bits of the 1 round subkey and the 32 bits of the 7 round subkey. We also designed some simmilar attacks to recover other bits of subkeys of the first round and the last round. Therefore the work factor of this choosen plaintext attack to recover all bits of the first and the last subkeys of a 7-round Rijndael will be 2, that is less than exhaustive search. It meanes that a 7-round Rijndael will be compromised with differential boomerang cryptanalysis.
Impossible differential cryptanalysis of reduced–round Camellia–256
IET Information Security, 2011
Camellia, a 128-bit block cipher that has been accepted by ISO/IEC as an international standard, is increasingly being used in many cryptographic applications. In this study, the authors present a new impossible differential attack on a reduced version of Camellia-256 without FL/FL 21 functions and whitening. First, the authors introduce a new extension of the hash table technique and then exploit it to attack 16 rounds of Camellia-256. When, in an impossible differential attack, the size of the target subkey space is large and the filtration, in the initial steps of the attack, is performed slowly, the extended hash table technique will be very useful. The proposed attack on Camellia-256 requires 2 124.1 known plaintexts and has a running time equivalent to about 2 249.3 encryptions. In terms of the number of attacked rounds, our result is the best published attack on Camellia-256.