Impossible differential and square attacks: Cryptanalytic link and application to Skipjack
Related papers
Lecture Notes in Computer Science, 2000
In this paper we introduce a structure iterated by rule A of Skipjack and show that this structure is provably resistant against differential and linear attacks. The main result of the paper is that the r-round (r ≥ 15) differential (or linear hull) probability is bounded above by p^4 if the maximum differential (or linear hull) probability of a round function is p, and that an impossible differential of this structure does not exist if r ≥ 16. Applying this structure, which can be seen as a generalized Feistel structure, to block cipher designs yields provable security against differential and linear attacks with explicit upper bounds on the probabilities. We also propose an interesting conjecture.
Cryptanalysis of Block Ciphers Using Almost-Impossible Differentials
In this paper, inspired by the notion of impossible differentials, we present a model for using differentials that are less probable than for a random permutation. We introduce such a distinguisher for 2 rounds of Crypton and present an attack on 6 rounds of this former AES candidate. As a special case of this idea, we fold parts of the additional rounds around the impossible differential into the distinguisher to obtain a probabilistic distinguisher covering more rounds. We show that this change increases the data complexity, while the time complexity may decrease or increase. We then argue that this modification of impossible differential cryptanalysis is convenient and justified when the data complexity is low and the time complexity is marginal.
A unified method for finding impossible differentials of block cipher structures
Information Sciences, 2014
In this paper, we propose a systematic method for finding impossible differentials of block cipher structures that improves on the U-method introduced by Kim et al. [4]. It is referred to as the unified impossible differential finding method (UID-method). We apply the UID-method to some popular block cipher structures such as Gen-Skipjack, Gen-CAST256, Gen-MARS, Gen-RC6, Four-Cell and SMS4 and give the impossible differentials in detail. With the UID-method, we find a 16-round impossible differential on Gen-Skipjack and a 19-round impossible differential on Gen-CAST256. Thus we disprove Conjecture 2 proposed at Asiacrypt'00 [9] and the theorem in the FSE'09 rump session presentation [8]. On Gen-MARS and SMS4, the impossible differentials found by the UID-method are much longer than those found by the U-method. On the Four-Cell block cipher, our result matches the best result previously obtained by case-by-case treatment.
On computational complexity of impossible differential cryptanalysis
Information Processing Letters, 2014
Impossible differential cryptanalysis is one of the conventional methods in the cryptanalysis of block ciphers. In this paper, a general model of an impossible differential attack is introduced. Then, according to this model, the concept of an ideal impossible differential attack is defined, and it is proven that the time complexity of an ideal attack depends only on the number of round key bits involved in the attack.
New Impossible Differential Attacks on AES
2008
In this paper we apply impossible differential attacks to reduced round AES. Using various techniques, including the early abort approach and key schedule considerations, we significantly improve previously known attacks due to Bahrak-Aref and Phan. The improvement of these attacks leads to better impossible differential attacks on 7-round AES-128 and AES-192, as well as to better impossible differential attacks on 8-round AES-256.
Impossible Differential Cryptanalysis for Block Cipher Structures
2003
Impossible Differential Cryptanalysis (IDC) [4] uses impossible differential characteristics to retrieve subkey material for the first or the last several rounds of block ciphers. Thus, the security of a block cipher against IDC can be evaluated by its impossible differential characteristics. In this paper, we study impossible differential characteristics of block cipher structures whose round functions are bijective. We introduce a widely applicable method to find various impossible differential characteristics of block cipher structures. Using this method, we find various impossible differential characteristics of known block cipher structures: Nyberg's generalized Feistel network, a generalized CAST256-like structure [14], a generalized MARS-like structure [14], a generalized RC6-like structure [14], and the Rijndael structure.
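The three abstracts above (the rule-A Skipjack-like structure, the U-method and the UID-method) all rest on the same mechanism: propagate a word-level truncated difference forward from the plaintext side and backward from the ciphertext side through a structure whose round function is a bijection, and look for a word where the two sides cannot agree (miss in the middle). The following Python is an added example written for this page, not code from any of the papers, and its bookkeeping is my own rather than the U-method's or UID-method's tables. It models Skipjack's rule A as one round mapping (w1, w2, w3, w4) to (G(w1) ^ w4 ^ ctr, G(w1), w2, w3) with G a keyed bijection on words; the counter cancels in differences. Every symbol it tracks is known to be nonzero, so a word whose forward/backward XOR reduces to a single symbol is a contradiction. Searching all single-word input and output differences it finds a 15-round impossible differential, (0, a, 0, 0) to (b, 0, 0, 0); the 16-round one reported by the UID abstract requires finer tracking of relations between unknown G outputs than this coarse tracker keeps.

```python
"""Word-level miss-in-the-middle search for truncated impossible differentials
of the Skipjack rule-A structure (example code; assumes Skipjack's rule A:
(w1, w2, w3, w4) -> (G(w1) ^ w4 ^ ctr, G(w1), w2, w3), G a keyed bijection).

Each word difference is either UNKNOWN or a frozenset of symbol names XORed
together.  Every symbol denotes a value known to be nonzero: 'a'/'b' are the
chosen nonzero input/output word differences, 'g<i>'/'h<i>' are outputs of
G / G^-1 fed by a nonzero input difference (nonzero since G is a bijection).
"""
from itertools import count

UNKNOWN = None        # may be anything, including zero
ZERO = frozenset()    # the zero difference


def make_fresh(prefix):
    """Return a generator of fresh nonzero symbols prefix1, prefix2, ..."""
    n = count(1)
    return lambda: frozenset({f"{prefix}{next(n)}"})


def xor(x, y):
    """XOR of two symbolic differences; s ^ s cancels (symmetric difference)."""
    if x is UNKNOWN or y is UNKNOWN:
        return UNKNOWN
    return x ^ y


def through_g(x, fresh):
    """Difference across a bijective G: 0 -> 0; a single nonzero symbol -> a
    fresh nonzero symbol; a XOR of several symbols may already be 0 -> UNKNOWN."""
    if x is UNKNOWN or len(x) > 1:
        return UNKNOWN
    return ZERO if not x else fresh()


def forward(delta_in, rounds):
    """States after 0..rounds encryption rounds starting from delta_in."""
    fresh, states = make_fresh("g"), [delta_in]
    for _ in range(rounds):
        w1, w2, w3, w4 = states[-1]
        g = through_g(w1, fresh)
        states.append((xor(g, w4), g, w2, w3))
    return states


def backward(delta_out, rounds):
    """States after 0..rounds decryption rounds starting from delta_out.
    Inverse of rule A: (w1', w2', w3', w4') -> (G^-1(w2'), w3', w4', w1' ^ w2')."""
    fresh, states = make_fresh("h"), [delta_out]
    for _ in range(rounds):
        w1, w2, w3, w4 = states[-1]
        states.append((through_g(w2, fresh), w3, w4, xor(w1, w2)))
    return states


def contradicts(fwd, bwd):
    """Miss in the middle: the two states must agree word by word, so a word
    whose forward/backward XOR is one (nonzero) symbol cannot be matched."""
    for x, y in zip(fwd, bwd):
        d = xor(x, y)
        if d is not UNKNOWN and len(d) == 1:
            return True
    return False


def impossible_rounds(delta_in, delta_out, max_rounds=20):
    """Largest r <= max_rounds such that delta_in -> delta_out is impossible
    over r rounds (0 if no contradiction is found); every split f + (r - f)
    of the r rounds into forward and backward parts is tried."""
    fw, bw = forward(delta_in, max_rounds), backward(delta_out, max_rounds)
    best = 0
    for r in range(1, max_rounds + 1):
        if any(contradicts(fw[f], bw[r - f]) for f in range(r + 1)):
            best = r
    return best


def single_word(position, symbol):
    """4-word difference that is nonzero (symbol) in one word, zero elsewhere."""
    return tuple(frozenset({symbol}) if i == position else ZERO for i in range(4))


def search():
    """Best round count for every (input word, output word) pair of single-word differences."""
    return {(i, j): impossible_rounds(single_word(i, "a"), single_word(j, "b"))
            for i in range(4) for j in range(4)}


if __name__ == "__main__":
    for (i, j), r in sorted(search().items()):
        print(f"in: nonzero only in w{i + 1}  out: nonzero only in w{j + 1}  impossible for {r} rounds")
```

The tracker is deliberately conservative: a XOR of two or more symbols is never declared nonzero, because two independent G outputs may coincide, and any G input that might be zero turns its output into UNKNOWN. That keeps every reported impossibility sound, at the price of missing differentials whose proof needs the relations between symbols that the UID-method carries along.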
Security analysis of SIMECK block cipher against related-key impossible differential
Information Processing Letters, 2019
SIMECK is a family of lightweight block ciphers based on the Feistel structure. Proposed at CHES 2015, the round function of SIMECK is slightly modified from SIMON. A cipher in this family with a K-bit key and n-bit block is called SIMECK n/K, for n/K ∈ {32/64, 48/96, 64/128}. SIMECK has already received a number of third-party analyses. However, the security of SIMECK against related-key impossible differentials has never been evaluated. In this paper, we consider related-key impossible differential distinguishers for the variants of SIMECK. We first propose distinguishers on SIMECK using the miss-in-the-middle approach. More specifically, 15/16/19-round related-key impossible differential distinguishers on SIMECK32/48/64 are presented, while the best previously known results were 11/15/17 rounds on SIMECK32/48/64 in the single-key setting. Afterwards, using an MILP approach, we automatically prove that these characteristics are the best related-key impossible differentials of SIMECK when the input and output differences are limited to 1 active bit.
IET Information Security, 2018
SIMECK is a family of three lightweight block ciphers designed by Yang et al., following the framework used by Beaulieu et al. from the United States National Security Agency to design SIMON and SPECK. In this study, the authors employ an improved miss-in-the-middle approach to find zero-correlation linear distinguishers and impossible differentials on SIMECK48 and SIMECK64. Based on this technique, they present zero-correlation linear approximations for 15-round SIMECK48 and 17-round SIMECK64, improving the previous best result by two rounds for each variant. Moreover, they attack 27-round SIMECK48 and 31-round SIMECK64 based on these zero-correlation linear distinguishers. In addition, owing to the duality of zero-correlation and impossible differential, they search for impossible differential characteristics of SIMECK48 and SIMECK64 and present 15-round impossible differentials for SIMECK48 and 17-round impossible differentials for SIMECK64, while the best previously known results were 13 rounds for SIMECK48 and 15 rounds for SIMECK64. Based on these characteristics, they propose impossible differential attacks on 22-round SIMECK48 and 24-round SIMECK64. To the best of the authors' knowledge, the results significantly improve the previous zero-correlation attacks and impossible differential characteristics for these variants of SIMECK.
Provable security for 13 round Skipjack-like structure
Information Processing Letters, 2002
To prove that a block cipher is secure against differential cryptanalysis one should show that its maximum differential probability is small enough. We prove that the maximum differential probability of a 13-round Skipjack-like structure is bounded by p^4, where p is the maximum differential probability of the round function.