A unified method for finding impossible differentials of block cipher structures
Related papers
Impossible Differential Cryptanalysis for Block Cipher Structures
2003
Impossible Differential Cryptanalysis (IDC) [4] uses impossible differential characteristics to retrieve subkey material for the first or the last several rounds of block ciphers. Thus, the security of a block cipher against IDC can be evaluated by impossible differential characteristics. In this paper, we study impossible differential characteristics of block cipher structures whose round functions are bijective. We introduce a widely applicable method to find various impossible differential characteristics of block cipher structures. Using this method, we find various impossible differential characteristics of known block cipher structures: Nyberg's generalized Feistel network, a generalized CAST256-like structure [14], a generalized MARS-like structure [14], a generalized RC6-like structure [14], and the Rijndael structure.
Cryptanalysis of Block Ciphers Using Almost-Impossible Differentials
In this paper, inspired from the notion of impossible differentials, we present a model to use differentials that are less probable than a random permutation. We introduce such a distinguisher for 2 rounds of Crypton, and present an attack on 6 rounds of this predecessor AES candidate. As a special case of this idea, we embed parts of the additional rounds around the impossible differential into the distinguisher to make a probabilistic distinguisher with more rounds. We show that with this change, the data complexity is increased but the time complexity may be reduced or increased. Then we discuss that this change in the impossible differential cryptanalysis is commodious and rational when the data complexity is low and time complexity is marginal.
Improved Impossible Differential Attacks on Large-Block Rijndael
Lecture Notes in Computer Science, 2013
In this paper, we present more powerful 6-round impossible differentials for large-block Rijndael-224 and Rijndael-256 than the ones used by Zhang et al. in ISC 2008. Using those, we can improve the previous impossible differential cryptanalysis of both 9-round Rijndael-224 and Rijndael-256. The improvement can lead to a 10-round attack on Rijndael-256 as well. With 2^198.1 chosen plaintexts, an attack is demonstrated on 9-round Rijndael-224 with 2^195.2 encryptions and 2^140.4 bytes of memory. Increasing the data complexity to 2^216 plaintexts, the time complexity can be reduced to 2^130 encryptions and the memory requirements to 2^93.6 bytes. For 9-round Rijndael-256, we provide an attack requiring 2^229.3 chosen plaintexts, 2^194 encryptions, and 2^139.6 bytes of memory. Alternatively, with 2^245.3 plaintexts, an attack with a reduced time of 2^127.1 encryptions and a memory complexity of 2^90.9 bytes can be mounted. With 2^244.2 chosen plaintexts, we can attack 10-round Rijndael-256 with 2^253.9 encryptions and 2^186.8 bytes of memory.
On computational complexity of impossible differential cryptanalysis
Information Processing Letters, 2014
Impossible differential cryptanalysis is one of the conventional methods in the field of cryptanalysis of block ciphers. In this paper, a general model of an impossible differential attack is introduced. Then, according to this model, the concept of an ideal impossible differential attack is defined and it is proven that the time complexity of an ideal attack only depends on the number of involved round key bits in the attack.
Security analysis of SIMECK block cipher against related-key impossible differential
Information Processing Letters, 2019
SIMECK is a family of lightweight block ciphers that relies on the Feistel structure. Proposed at CHES in 2015, the round function of SIMECK is slightly modified from SIMON. A cipher in this family with a K-bit key and an n-bit block is called SIMECKn/K, for n/K ∈ {32/64, 48/96, 64/128}. SIMECK has already received a number of third-party analyses. However, the security level of SIMECK against related-key impossible differentials has never been evaluated. In this paper, we consider related-key impossible differential distinguishers for the variants of SIMECK. We first propose some distinguishers on SIMECK using the miss-in-the-middle approach. More specifically, 15/16/19-round related-key impossible differential distinguishers on SIMECK32/48/64 are presented first, while the best previously known results were 11/15/17-round on SIMECK32/48/64 in the single-key setting. Afterwards, thanks to the MILP approach, we automatically prove that these characteristics are the best related-key impossible differentials of SIMECK when we limit the input and output differences to 1 active bit.
IET Information Security, 2018
SIMECK is a family of three lightweight block ciphers designed by Yang et al., following the framework used by Beaulieu et al. from the United States National Security Agency to design SIMON and SPECK. In this study, the authors employ an improved miss-in-the-middle approach to find zero-correlation linear distinguishers and impossible differentials on SIMECK48 and SIMECK64. Based on this novel technique, they are able to present zero-correlation linear approximations for 15-round SIMECK48 and 17-round SIMECK64, and these zero-correlation linear approximations improve the previous best result by two rounds for SIMECK48 and SIMECK64. Moreover, they attack 27-round SIMECK48 and 31-round SIMECK64 based on these zero-correlation linear distinguishers. In addition, due to the duality of zero-correlation and impossible differential, they search for impossible differential characteristics for SIMECK48 and SIMECK64 and are able to present 15-round SIMECK48 and 17-round SIMECK64 impossible differentials, while the best previously known results were 13-round impossible differentials for SIMECK48 and 15-round impossible differentials for SIMECK64. Moreover, they propose impossible differential attacks on 22-round SIMECK48 and 24-round SIMECK64 based on these impossible differential characteristics. The results significantly improve the previous zero-correlation attack and impossible differential characteristic results for these variants of SIMECK, to the best of the authors' knowledge.
Differential Cryptanalysis on Block Ciphers: New Research Directions
International Journal of Computer Applications
Differential Cryptanalysis is a powerful technique in cryptanalysis, applied to symmetric-key block ciphers. It is a chosen-plaintext attack, which means the cryptanalyst has some sets of plaintext and corresponding ciphertext pairs of his choice. These pairs of plaintext are related by a constant difference. Basically, it is the study of how differences in input information can affect the resultant difference at the output. In this paper, differential cryptanalysis is applied to a substitution-permutation network and the Data Encryption Standard cipher. The survey is based on the analysis of a simple, yet realistically structured, basic Substitution-Permutation Network cipher. Along with this, the paper also presents our contribution as well as our future research work.
Impossible differential and square attacks: Cryptanalytic link and application to Skipjack
This paper shows a surprising similarity between the construction of, respectively, impossible differentials and square distinguishers. This observation is illustrated by comparing two attacks on IDEA (Biham et al., FSE'99 [2]; Nakahara et al., 2001 [7]). Using this similarity, we also derive a 16-round square distinguisher on Skipjack, directly based on the impossible differential attack presented in (Biham et al., Eurocrypt'99 [1]). However, it is not the best square distinguisher we can find for Skipjack; that one is 19 rounds long. We use it to attack up to 24 rounds of Skipjack. Although this result is clearly not as good as those obtained by impossible differentials on Skipjack, it must be pointed out that it is the first time that so large a part (24 rounds out of 32) of a non-square-like cipher is attacked using the square attack. Finally, we discuss the strong and weak points of, respectively, impossible differential and square attacks.
Impossible Differential Cryptanalysis of Reduced-Round Midori64 Block Cipher
2017 14th International ISC (Iranian Society of Cryptology) Conference on Information Security and Cryptology (ISCISC), 2017
Impossible differential attack is a well-known means to examine the robustness of block ciphers. Using impossible differential cryptanalysis, we analyze the security of a family of lightweight block ciphers, named Midori, that are designed considering low energy consumption. The Midori state size can be either 64 bits for Midori64 or 128 bits for Midori128; however, both versions have a key size equal to 128 bits. In this paper, we mainly study the security of Midori64. To this end, we use various techniques such as early-abort, memory reallocation, miss-in-the-middle and turning to account the inadequate key schedule algorithm of Midori64. We first show two new 7-round impossible differential characteristics which are, to the best of our knowledge, the longest impossible differential characteristics found for Midori64. Based on the new characteristics, we mount three impossible differential attacks on 10, 11, and 12 rounds of Midori64 with 2^87.7, 2^90.63, and 2^90.51 time complexity, respectively, to retrieve the master key.
Lecture Notes in Computer Science, 2000
In this paper we introduce a structure iterated by the rule A of Skipjack and show that this structure is provably resistant against differential or linear attacks. The main result of this paper is that the r-round (r ≥ 15) differential (or linear hull) probabilities are bounded by p^4 if the maximum differential (or linear hull) probability of a round function is p, and that an impossible differential of this structure does not exist if r ≥ 16. Applying this structure, which can be seen as a generalized Feistel structure, to block cipher designs brings provable security against differential and linear attacks with some upper bounds on probabilities. We also propose an interesting conjecture.