On computational complexity of impossible differential cryptanalysis
Related papers
Cryptanalysis of Block Ciphers Using Almost-Impossible Differentials
In this paper, inspired by the notion of impossible differentials, we present a model to use differentials that are less probable than a random permutation. We introduce such a distinguisher for 2 rounds of Crypton, and present an attack on 6 rounds of this predecessor AES candidate. As a special case of this idea, we embed parts of the additional rounds around the impossible differential into the distinguisher to make a probabilistic distinguisher with more rounds. We show that with this change, the data complexity is increased but the time complexity may be reduced or increased. Then we discuss that this change in the impossible differential cryptanalysis is commodious and rational when the data complexity is low and the time complexity is marginal.
Impossible Differential Cryptanalysis for Block Cipher Structures
2003
Impossible Differential Cryptanalysis (IDC) [4] uses impossible differential characteristics to retrieve subkey material for the first or the last several rounds of block ciphers. Thus, the security of a block cipher against IDC can be evaluated by impossible differential characteristics. In this paper, we study impossible differential characteristics of block cipher structures whose round functions are bijective. We introduce a widely applicable method to find various impossible differential characteristics of block cipher structures. Using this method, we find various impossible differential characteristics of known block cipher structures: Nyberg's generalized Feistel network, a generalized CAST256-like structure [14], a generalized MARS-like structure [14], a generalized RC6-like structure [14], and the Rijndael structure.
A unified method for finding impossible differentials of block cipher structures
Information Sciences, 2014
In this paper, we propose a systematic method for finding impossible differentials for block cipher structures, better than the U-method introduced by Kim et al. [4]. It is referred to as the unified impossible differential finding method (UID-method). We apply the UID-method to some popular block ciphers such as Gen-Skipjack, Gen-CAST256, Gen-MARS, Gen-RC6, Four-Cell, SMS4 and give the detailed impossible differentials. By the UID-method, we find a 16-round impossible differential on Gen-Skipjack and a 19-round impossible differential on Gen-CAST256. Thus we disprove Conjecture 2 proposed in Asiacrypt'00 [9] and the theorem in the FSE'09 rump session presentation [8]. On Gen-MARS and SMS4, the impossible differentials found by the UID-method are much longer than those found by the U-method. On the Four-Cell block cipher, our result is the same as the best result previously obtained by case-by-case treatment.
To A Differential Attack for Symmetric Block Cipher
This article discusses in detail the issues related to the effective conduct of differential cryptanalysis for modern symmetric block data encryption algorithms. For this purpose, an additional stage is introduced to organize a differential attack for symmetric block ciphers. As the first stage of a differential attack, it is proposed to build an attack model, in this case an action model, which will allow the encryption subkey used to be calculated in a reasonable time and with an acceptable number of cleartext-ciphertext pairs.
Provable Security against Impossible Differential Cryptanalysis Application to CS-Cipher
In this document we present a new way to bound the probability of occurrence of an n-round differential in the context of differential cryptanalysis. Hence this new model allows us to claim proof of resistance against impossible differential cryptanalysis, as defined by Biham et al. in 1999. This work will be described through the example of CS-Cipher, for which, assuming some non-trivial hypothesis, provable security against impossible differential cryptanalysis is obtained.
Differential Cryptanalysis on Block Ciphers: New Research Directions
International Journal of Computer Applications
Differential Cryptanalysis is a powerful technique in cryptanalysis, applied to symmetric-key block ciphers. It is a chosen-plaintext attack, which means the cryptanalyst has some sets of plaintext and corresponding ciphertext pairs of his choice. These pairs of plaintext are related by a constant difference. Basically it is the study of how differences in input information can affect the resultant difference at the output. In this paper, differential cryptanalysis is applied to a substitution-permutation network and the Data Encryption Standard cipher. The survey is based on the analysis of a simple, yet realistically structured, basic Substitution-Permutation Network cipher. Along with this, the paper also presents our contribution as well as our future research work.
Impossible Differential Cryptanalysis of Reduced-Round Midori64 Block Cipher
2017 14th International ISC (Iranian Society of Cryptology) Conference on Information Security and Cryptology (ISCISC), 2017
Impossible differential attack is a well-known means to examine the robustness of block ciphers. Using impossible differential cryptanalysis, we analyze the security of a family of lightweight block ciphers, named Midori, that are designed considering low energy consumption. The Midori state size can be either 64 bits for Midori64 or 128 bits for Midori128; however, both versions have a key size equal to 128 bits. In this paper, we mainly study the security of Midori64. To this end, we use various techniques such as early-abort, memory reallocation, miss-in-the-middle and turning to account the inadequate key schedule algorithm of Midori64. We first show two new 7-round impossible differential characteristics which are, to the best of our knowledge, the longest impossible differential characteristics found for Midori64. Based on the new characteristics, we mount three impossible differential attacks on 10, 11, and 12 rounds of Midori64 with 2^87.7, 2^90.63, and 2^90.51 time complexity, respectively, to retrieve the master key.
IET Information Security, 2018
SIMECK is a family of three lightweight block ciphers designed by Yang et al., following the framework used by Beaulieu et al. from the United States National Security Agency to design SIMON and SPECK. In this study, the authors employ an improved miss-in-the-middle approach to find zero-correlation linear distinguishers and impossible differentials on SIMECK48 and SIMECK64. Based on this novel technique, they are able to present zero-correlation linear approximations for 15-round SIMECK48 and 17-round SIMECK64, and these zero-correlation linear approximations improve the previous best result by two rounds for SIMECK48 and SIMECK64. Moreover, they attack 27-round SIMECK48 and 31-round SIMECK64 based on these zero-correlation linear distinguishers. In addition, due to the duality of zero-correlation and impossible differential, they search for impossible differential characteristics for SIMECK48 and SIMECK64 and are able to present 15-round SIMECK48 and 17-round SIMECK64 impossible differentials, while the best previously known results were 13-round impossible differentials for SIMECK48 and 15-round impossible differentials for SIMECK64. Moreover, they propose impossible differential attacks on 22-round SIMECK48 and 24-round SIMECK64 based on these impossible differential characteristics. The results significantly improve the previous zero-correlation attack and impossible differential characteristic results for these variants of SIMECK, to the best of the authors' knowledge.
We propose a new method for evaluating the security of block ciphers against differential cryptanalysis and propose new structures for block ciphers. To this end, we define the word-wise Markov (Feistel) cipher and random output-differential (Feistel) cipher and clarify the relations among the differential, the truncated differential and the impossible differential cryptanalyses of the random output-differential (Feistel) cipher. This random output-differential (Feistel) cipher model uses a not too strong assumption, because denying this approximation model is equivalent to denying truncated differential cryptanalysis. Utilizing these relations, we evaluate the truncated differential probability and the maximum average differential probability of word-wise Markov (Feistel) ciphers like Rijndael, E2 and the modified version of block cipher E2. This evaluation indicates that all three are provably secure against differential cryptanalysis, and that Rijndael and a modified version of block cipher E2 have stronger security than E2.