Bozhan Su

Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE

The SHA-3 competition organized by NIST [1] aims to find a new hash standard as a replacement of SHA-2. Till now, 14 submissions have been selected as the second round candidates, including Skein and BLAKE, both of which have components based on modular addition, rotation and bitwise XOR (ARX). In this paper, we propose improved near-collision attacks on the reduced-round compression functions of Skein and BLAKE. The attacks are based on linear differentials of the modular additions. The computational complexity of near-collision attacks on a 4-round compression function of BLAKE-32, 4-round and 5-round compression functions of BLAKE-64 are 221, 216 and 2216 respectively, and the attacks on 20-round compression functions of Skein-256, Skein-512 and a 24-round compression function of Skein-1024 have a complexity of 297, 252 and 2452 respectively.

Some New Observations on the SMS4 Block Cipher in the Chinese WAPI Standard

SMS4 is a 128-bit block cipher used in the WAPI standard in wireless networks in China. The cipher has attracted much attention in the past two years. This paper consists of two parts. The first part is on the design of the linear diffusion layer L of SMS4. Some new observations on L are present, which open out the design rationales of L and such class functions to a great extent. The second part is on the differential attack against SMS4. A class of 18-round differential characteristics with a higher probability is given. Then a simple differential attack on 22-round SMS4 is present, which is an improvement of the previous work, thus our attack becomes the best known one on SMS4. Furthermore, we make a remark on the construction of differential characteristics of SMS4.

Extending higher-order integral: an efficient unified algorithm of constructing integral distinguishers for block ciphers

In this paper, we give an extension of the concept of higher-order integral, which can make us design better higher-order integral distinguishers for some block ciphers (structures). Using the new extension, we present a unified algorithm of searching for the best possible higher-order integral distinguishers for block ciphers. We adopt the inside-out approach, trying to predict the behavior of a set of carefully chosen data, not only along encryption direction, but also along decryption direction. Applying the unified algorithm, we search for the best possible higher-order integral distinguishers of Gen-SMS4 structure, Gen-Fourcell structure and Present. For Gen-SMS4 structure and Present, the best higher-order integral distinguishers given by our algorithm are better than the best results known so far. For Gen-Fourcell structure, the best higher-order integral distinguishers given by our algorithm are the same as the best results known so far. We expect that the inside-out method is helpful to understand higher-order integral of block ciphers better, and the unified algorithm presented in this paper can be used as a tool for efficiently evaluating the security of a block cipher against integral cryptanalysis.

Preimage attacks on step-reduced SM3 hash function

This paper proposes a preimage attack on SM3 hash function reduced to 30 steps. SM3 is an iterated hash function based on the Merkle-Damgard design. It is a hash function used in applications such as the electronic certification service system in China. Our cryptanalysis is based on the Meet-in-the-Middle (MITM) attack. We utilize several techniques such as initial structure, partial matching and message compensation to improve the standard MITM preimage attack. Moreover, we use some observations on the SM3 hash function to optimize the computation complexity. Overall, a preimage of 30 steps SM3 hash function can be computed with a complexity of 2249 SM3 compression function computation, and requires a memory of 216. As far as we know, this is yet the first preimage result on the SM3 hash function.

Full-round differential attack on TWIS block cipher

The 128-bit block cipher TWIS was proposed by Ojha et al in 2009. It is a lightweight block cipher and its design is inspired from CLEFIA. In this paper, we first study the properties of TWIS structure, and as an extension we also consider the generalized TWIS-type structure named G-TWIS cipher whose block size and round number are 4m and n repectively, where n and m are any positive integers. Then we present a series of 10-round differential distinguishers for TWIS and an n-round differential distinguisher for G-TWIS whose probabilities are all equal to 1. It shows that 10-round TWIS cipher and n-round G-TWIS cipher can be distinguished efficiently from random permutation.

Hyper-Sbox view of AES-like permutations: a generalized distinguisher

Grostl[1] is one of the second round candidates of the SHA-3 competition[2] hosted by NIST, which aims to find a new hash standard. In this paper, we studied equivalent expressions of the generalized AES-like permutation. We found that four rounds of the AES-like permutation can be regarded as a Hyper-Sbox. Then we further analyzed the differential properties of both Super-Sbox and Hyper-Sbox. Based on these observations, we give an 8-round truncated differential path of the generalized AES-like permutation, which can be used to construct a distinguisher of 8-round Grostl-256 permutation with 264 time and 264 memory. This is the best known distinguisher of reduced-round Grostl permutation.

Some results on cryptanalysis of SMS4 block cipher

SMS4 is a 128-bit block cipher used in the WAPI standard in wireless networks in China. The cipher has attracted much attention in the past several years. This paper consists of two parts. The first part is on the design of the linear diffusion layer L of SMS4. Some observations on L are present, which open out the design rationales of L and such class functions to a great extent. The second part is on the differential attack against SMS4. An effective 19-round differential characteristic is presented. Then, a simple differential attack on 23-round SMS4 is given, which is the best known attack on SMS4 so far.