Cihangir Tezcan

Lightweight Block Ciphers Revisited: Cryptanalysis of Reduced Round PRESENT and HIGHT

Design and analysis of lightweight block ciphers have become more popular due to the fact that the future use of block ciphers in ubiquitous devices is generally assumed to be extensive. In this respect, several lightweight block ciphers are designed, of which Present and Hight are two recently proposed ones by Bogdanov et al. and Hong et al. respectively. In this paper, we propose new attacks on Present and Hight . Firstly, we present the first related-key cryptanalysis of 128-bit keyed Present by introducing 17-round related-key rectangle attack with time complexity approximately 2104 memory accesses. Moreover, we further analyze the resistance of Hight against impossible differential attacks by mounting new 26-round impossible differential and 31-round related-key impossible differential attacks where the former requires time complexity of 2119.53 reduced round Hight evaluations and the latter is slightly better than exhaustive search.

The Improbable Differential Attack: Cryptanalysis of Reduced Round CLEFIA

In this paper we present a new statistical cryptanalytic technique that we call improbable differential cryptanalysis which uses a differential that is less probable when the correct key is used. We provide data complexity estimates for this kind of attacks and we also show a method to expand impossible differentials to improbable differentials. By using this expansion method, we cryptanalyze 13, 14, and 15-round CLEFIA for the key sizes of length 128, 192, and 256 bits, respectively. These are the best cryptanalytic results on CLEFIA up to this date.

Improbable differential attacks on Present using undisturbed bits

In this study, we introduce a new criteria for evaluating S-boxes and attack Present by exploiting its S-box. Depending on the design of an S-box, when a specific difference is given as the input (resp. output) of the S-box, the difference of at least one of the output (resp. input) bits of the S-box may be guessed with probability 1. We call such bits undisturbed and they are helpful for constructing longer or better truncated, impossible or improbable differentials. Without using undisturbed bits, the longest improbable differential attack we could find for Present had a length of 7-rounds. However, we show that Presents S-box has 6 undisturbed bits and by using them, we can construct 10-round improbable differentials and attack Present reduced to 13 rounds. Hence, undisturbed bits should be avoided by S-box designers.

Differential Factors: Improved Attacks on SERPENT

A differential attack tries to capture the round keys corresponding to the S-boxes activated by a differential. In this work, we show that for a fixed output difference of an S-box, it may not be possible to distinguish the guessed keys that have a specific difference. We introduce these differences as differential factors. Existence of differential factors can reduce the time complexity of differential attacks and as an example we show that the \(10\), \(11\), and \(12\)-round differential-linear attacks of Dunkelman et al. on Serpent can actually be performed with time complexities reduced by a factor of 4, 4, and 8, respectively.

Relating Undisturbed Bits to Other Properties of Substitution Boxes

Recently it was observed that for a particular nonzero input difference to an S-Box, some bits in all the corresponding output differences may remain invariant. These specific invariant bits are called undisturbed bits. Undisturbed bits can also be seen as truncated differentials with probability \(1\) for an S-Box. The existence of undisturbed bits was found in the S-Box of Present and its inverse. A 13-round improbable differential attack on Present was provided by Tezcan and without using the undisturbed bits in the S-Box an attack of this type can only reach 7 rounds. Although the observation and the cryptanalytic application of undisturbed bits are given, their relation with other properties of an S-Box remain unknown. This paper presents some results on mathematical properties of S-Boxes having undisturbed bits. We show that an S-Box has undisturbed bits if any of its coordinate functions has a nontrivial linear structure. The relation of undisturbed bits with other cryptanalytic tools such as difference distribution table (DDT) and linear approximation table (LAT) are also given. We show that autocorrelation table is proven to be a more useful tool, compared to DDT, to obtain all nonzero input differences that yield undisturbed bits. Autocorrelation table can then be viewed as a counterpart of DDT for truncated differential cryptanalysis. Given an \(n \times m\) balanced S-Box, we state that the S-Box has undisturbed bits whenever the degree of any of its coordinate function is quadratic.

On hiding a plaintext length by preencryption

It is a well known fact that encryption schemes cannot hide a plaintext length when it is unbounded. We thus admit that an approximation of it may leak and we focus on hiding its precise value. Some standards such as TLS or SSH offer to do it by applying some pad-then-encrypt techniques. In this study, we investigate the information leakage when these techniques are used. We define the notion of padding scheme and its associated security. We show that when a padding length is uniformly distributed, the scheme is nearly optimal. We also show that the insecurity degrades linearly with the padding length.

Improbable Differential Attacks on Serpent using Undisturbed Bits

A recently introduced S-box evaluation criteria called undisturbed bits allow the attacker to construct longer truncated, impossible or improbable differentials. In this paper, we analyze the security of Serpent against impossible and improbable differential cryptanalysis for the first time and provide a 7-round improbable differential attack by using undisturbed bits of its S-boxes. Although these cryptanalytic techniques are discovered after Serpent was designed, our analysis shows that the cipher is secure against these kind of attacks. Moreover, it was shown that every 3 × 3 S-box contains undisturbed bits and a list of ciphers were provided whose 4 × 4 S-boxes contain undisturbed bits. In this study we provide undisturbed bits for larger S-boxes for the first time. Namely, the undisturbed bits for the 5 × 5 and 6 × 6 S-boxes of Fides and the 9 × 9 S-boxes of Kasumi and Misty.

Differential Attacks on Lightweight Block Ciphers PRESENT, PRIDE, and RECTANGLE Revisited

Differential distribution and linear approximation tables are the main security criteria for S-box designers. However, there are other S-box properties that, if overlooked by cryptanalysts, can result in erroneous results in theoretical attacks. In this paper we focus on two such properties, namely undisturbed bits and differential factors. We go on to identify several inconsistencies in published attacks against the lightweight block ciphers PRESENT, PRIDE, and RECTANGLE and present our corrections.

Improved improbable differential attacks on ISO standard CLEFIA

Improbable differential cryptanalysis is a recent attack technique that generalizes impossible differential cryptanalysis for block ciphers. In this paper, we give the most effective attacks known to date on the Clefia cipher using improbable differential cryptanalysis. Moreover, we provide a general data complexity calculation that can guide the cryptanalyst to choose the optimal improbable differential. On a related account, we consider the probability calculations used for improbable differential cryptanalysis. Recently, some examples were given where certain assumptions in these calculations do not hold. Although such cases exist, especially on small toy ciphers with insufficient diffusion, we provide experimental evidence which supports that the improbable differential attacks on Clefia and Present are valid. We provide the best known attacks on the ISO standard CLEFIA.We provide data complexity calculations to find the optimal improbable differential.We experimentally support that the previous attacks on PRESENT and CLEFIA are valid.

Differential Factors Revisited: Corrected Attacks on PRESENT and SERPENT

Differential factors, which prevent the attacker to distinguish some of the guessed keys corresponding to an active S-box during a differential attack on a block cipher, are recently introduced at Lightsec 2014 and used to reduce the time complexities of the previous differential-linear attacks on Serpent. Key recovery attacks generally consists of two parts: Key guess using the distinguisher and exhaustive search on the remaining key bits. Thus, we show that differential factors can reduce the time complexity of the former and increase the latter since the attacker does not need to guess the keys which cannot be distinguished. As an example for the latter, we show that the best known differential attack on Present overlooked its six differential factors and the corrected attack actually requires a time complexity increased by a factor of 64. Moreover, we show that differential factors also reduce data complexity of the differential attacks since less number of pairs are required to distinguish the correct key when the key space is reduced. This reduction in data complexity also reduces the time complexity. By using Serpents differential factors, we further reduce the data and time complexity of the differential-linear attacks on this cipher to obtain the best attacks.