Hiroyasu Kubo

Impossible Differential Cryptanalysis of CLEFIA

This paper reports impossible differential cryptanalysis on the 128-bit block cipher CLEFIA that was proposed in 2007, including new 9-round impossible differentials for CLEFIA, and the result of an impossible differential attack using them. For the case of a 128-bit key, it is possible to apply the impossible differential attack to CLEFIA reduced to 12 rounds. The number of chosen plaintexts required is 2118.9and the time complexity is 2119. For key lengths of 192 bits and 256 bits, it is possible to apply impossible differential attacks to 13-round and 14-round CLEFIA. The respective numbers of chosen plaintexts required are 2119.8and 2120.3and the respective time complexities are 2146and 2212. These impossible differential attacks are the strongest method for attacking reduced-round CLEFIA.

Improving cache attacks by considering cipher structure

A concrete attack using side channel information from cache memory behaviour was proposed for the first time at ISITA 2002. The attack uses the difference between execution times associated with S-box cache-hits and cache-misses to recover the intermediate key. Recently, a theoretical estimation of the number of messages needed for the attack was proposed and it was reported that the average method obtains key information with fewer messages than maximum threshold or intermediate threshold method. Taking the structure of cipher into account, this paper provided the cache attack in which the average method is embodied, and provides improved key estimation. This paper includes the study on the attack that exploits internal collision.

A Distinguishing Attack on a Fast Software-Implemented RC4-Like Stream Cipher

In 2005, Gong proposed an RC4-like stream cipher capable of fast operation on a 32/64-bit processor. This stream cipher solved the RC4 problem of difficult 32/64-bit processing, a problem once thought impossible to solve. Operation of the cipher on 32- and 64-bit processors is about 3.1 and 6.2 times as fast, respectively, as that of the RC4 cipher. However, we have found a considerable bias in the output sequence of the RC4-like stream cipher. Using the bias along with the first two words of a keystream associated with approximately 230 secret keys allows us to build a distinguisher.

Cryptanalysis of Mir-1: A T-Function-Based Stream Cipher

This correspondence describes the cryptanalysis of Mir-1, a T-function based stream cipher proposed at eSTREAM (the ECRYPT Stream Cipher Project) in 2005. This cipher uses a multiword T-function, with four 64-bit words, as its basic structure. Mir-1 operations process the data in every 64 bits (one word) to generate a keystream. The correspondence discusses a distinguishing attack against Mir-1 that exploits the T-function characteristics and the Mir-1 initialization. With merely three or four initial vector pairs, this attack can distinguish a Mir-1 output sequence from a truly random number sequence. In this case, the amount of data theoretically needed for cryptanalysis is only 210 words. This correspondence also proposes a countermeasure that provides resistance against the attack described in this correspondence.

Shorter bit sequence is enough to break stream cipher LILI-128

LILI-128 is the stream cipher proposed as a candidate cipher for the New European Schemes for Signatures, Integrity, and Encryption (NESSIE) Project. Some methods of breaking it more efficiently than an exhaustive search for its secret key have been found already. The authors propose a new method, which uses shorter bit sequence to break LILI-128 successfully. An attack that can be made with less data can be a more practical threat. With only 2/sup 7/ bits of keystream, this method can break LILI-128 successfully. The efficiency of our attack depends on the memory size. For example, with 2/sup 99.1/ computations, our attack breaks LILI-128, if 2/sup 28.6/-bit memory is available.