Huihui Yap

EPCBC: a block cipher suitable for electronic product code encryption

In this paper, we present EPCBC, a lightweight cipher that has 96-bit key size and 48-bit/96-bit block size. This is suitable for Electronic Product Code (EPC) encryption, which uses low-cost passive RFID-tags and exactly 96 bits as a unique identifier on the item level. EPCBC is based on a generalized PRESENT with block size 48 and 96 bits for the main cipher structure and customized key schedule design which provides strong protection against related-key differential attacks, a recent class of powerful attacks on AES. Related-key attacks are especially relevant when a block cipher is used as a hash function. In the course of proving the security of EPCBC, we could leverage on the extensive security analyses of PRESENT, but we also obtain new results on the differential and linear cryptanalysis bounds for the generalized PRESENT when the block size is less than 64 bits, and much tighter bounds otherwise. Further, we analyze the resistance of EPCBC against integral cryptanalysis, statistical saturation attack, slide attack, algebraic attack and the latest higher-order differential cryptanalysis from FSE 2011 [11]. Our proposed cipher would be the most efficient at EPC encryption, since for other ciphers such as AES and PRESENT, it is necessary to encrypt 128-bit blocks (which results in a 33% overhead being incurred). The efficiency of our proposal therefore leads to huge market implications. Another contribution is an optimized implementation of PRESENT that is smaller and faster than previously published results.

Cryptographic Properties and Application of a Generalized Unbalanced Feistel Network Structure

In this paper, we study GF-NLFSR, a Generalized Unbalanced Feistel Network (GUFN) which can be considered as an extension of the outer function FO of the KASUMI block cipher. We prove upper bounds for the differential and linear hull probabilities for any n + 1 rounds of an n -cell GF-NLFSR. Besides analyzing security against differential and linear cryptanalysis, we provide a frequency distribution for upper bounds on the true differential and linear hull probabilities. We also demonstrate a (2n *** 1)-round impossible differential distinguisher and a (3n *** 1)-round integral attack distinguisher on the n -cell GF-NLFSR. As an application, we design a new block cipher Four-Cell based on a 4-cell GF-NLFSR. We prove the security of Four-Cell against differential, linear, and boomerang attack. Based on the 7-round impossible differential and 11-round integral attack distinguisher, we set the number of rounds of Four-Cell to be 25 for protection against these attacks. Furthermore, Four-Cell can be shown to be secure against other attacks such as higher order differential attack, cube attack, interpolation attack, XSL attack and slide attack.

FOAM: Searching for Hardware-Optimal SPN Structures and Components with a Fair Comparison

In this article, we propose a new comparison metric, the figure of adversarial merit FOAM, which combines the inherent security provided by cryptographic structures and components with their implementation properties. To the best of our knowledge, this is the first such metric proposed to ensure a fairer comparison of cryptographic designs. We then apply this new metric to meaningful use cases by studying Substitution-Permutation Network permutations that are suited for hardware implementations, and we provide new results on hardware-friendly cryptographic building blocks. For practical reasons, we considered linear and differential attacks and we restricted ourselves to fully serial and round-based implementations. We explore several design strategies, from the geometry of the internal state to the size of the S-box, the field size of the diffusion layer or even the irreducible polynomial defining the finite field. We finally test all possible strategies to provide designers an exhaustive approach in building hardware-friendly cryptographic primitives according to area or FOAM metrics, also introducing a model for predicting the hardware performance of round-based or serial-based implementations. In particular, we exhibit new diffusion matrices circulant or serial that are surprisingly more efficient than the current best known, such as the ones used in AES , LED and PHOTON .

Cryptographic properties and application of a Generalized Unbalanced Feistel Network structure

In this paper, we study GF-NLFSR, a Generalized Unbalanced Feistel Network (GUFN) which can be considered as an extension of the outer function FO of the KASUMI block cipher. We show that the differential and linear probabilities of any n + 1 rounds of an n-cell GF-NLFSR are both bounded by p2, where the corresponding probability of the round function is p. Besides analyzing security against differential and linear cryptanalysis, we provide a frequency distribution for upper bounds on the true differential and linear hull probabilities. From the frequency distribution, we deduce that the proportion of input-output differences/mask values with probability bounded by pn is close to 1 whereas only a negligible proportion has probability bounded by p2. We also recall an n2-round integral attack distinguisher and (n2 + n − 2)-round impossible differential distinguisher on the n-cell GF-NLFSR by Li et al. and Wu et al. As an application, we design a new 30-round block cipher Four-Cell +  based on a 4-cell GF-NLFSR. We prove the security of Four-Cell +  against differential, linear, and boomerang attack. Four-Cell +  also resists existing key recovery attacks based on the 16-round integral attack distinguisher and 18-round impossible differential distinguisher. Furthermore, Four-Cell +  can be shown to be secure against other attacks such as higher order differential attack, cube attack, interpolation attack, XSL attack and slide attack.

SPN-hash: improving the provable resistance against differential collision attacks

Collision resistance is a fundamental property required for cryptographic hash functions. One way to ensure collision resistance is to use hash functions based on public key cryptography (PKC) which reduces collision resistance to a hard mathematical problem, but such primitives are usually slow. A more practical approach is to use symmetric-key design techniques which lead to faster schemes, but collision resistance can only be heuristically inferred from the best probability of a single differential characteristic path. We propose a new hash function design with variable hash output sizes of 128, 256, and 512 bits, that reduces this gap. Due to its inherent Substitution-Permutation Network (SPN) structure and JH mode of operation, we are able to compute its differential collision probability using the concept of differentials. Namely, for each possible input differences, we take into account all the differential paths leading to a collision and this enables us to prove that our hash function is secure against a differential collision attack using a single input difference. None of the SHA-3 finalists could prove such a resistance. At the same time, our hash function design is secure against pre-image, second pre-image and rebound attacks, and is faster than PKC-based hashes. Part of our design includes a generalization of the optimal diffusion used in the classical wide-trail SPN construction from Daemen and Rijmen, which leads to near-optimal differential bounds when applied to non-square byte arrays. We also found a novel way to use parallel copies of a serial matrix over the finite field GF(24), so as to create lightweight and secure byte-based diffusion for our design. Overall, we obtain hash functions that are fast in software, very lightweight in hardware (about 4625 GE for the 256-bit hash output) and that provide much stronger security proofs regarding collision resistance than any of the SHA-3 finalists.

An Analysis of the Compact XSL Attack on BES and Embedded SMS4

The XSL attack when applied on BES-128 has been shown to have an attack complexity of 2100, which is faster than exhaustive search. However at FSE 2007, Lim and Khoo analyzed the eprint XSL attack on BES and showed that the attack complexity should be 2401. Later at IEEE-YCS 2008, Qu and Liu counter-proposed that the compact XSL attack on BES-128 works and has complexity 297. In this paper, we point out some errors in the attack of Qu and Liu. We also show that the complexity of the compact XSL attack on BES-128 is at least 2209.15. At Indocrypt 2007, Ji and Hu claimed that the eprint XSL attack on ESMS4 has complexity 277. By the same method we used to analyze BES, we also show that the complexity of compact XSL attack on ESMS4 is at least 2216.58. Our analysis adapts the approach of Lim and Khoo to the compact XSL attack, and improves on it by considering the T *** method that grows the number of equations.

Parallelizing the camellia and SMS4 block ciphers

The n-cell GF-NLFSR (Generalized Feistel-NonLinear Feedback Shift Register) structure [8] is a generalized unbalanced Feistel network that can be considered as a generalization of the outer function FO of the KASUMI block cipher. An advantage of this cipher over other n-cell generalized Feistel networks, e.g. SMS4 [11] and Camellia [5], is that it is parallelizable for up to n rounds. In hardware implementations, the benefits translate to speeding up encryption by up to n times while consuming less area and power. At the same time n-cell GF-NLFSR structures offer similar proofs of security against differential cryptanalysis as conventional n-cell Feistel structures. We also ensure that parallelized versions of Camellia and SMS4 are resistant against other block cipher attacks such as linear, boomerang, integral, impossible differential, higher order differential, interpolation, slide, XSL and related-key differential attacks.

Parallelisable variants of Camellia and SMS4 block cipher: p-Camellia and p-SMS4

We propose two parallelisable variants of Camellia and SMS4 block ciphers based on the n-cell GF-NLFSR. The n-cell generalised Feistel-non-linear feedback shift register GF-NLFSR structure Choy et al., 2009a is a generalised unbalanced Feistel network that can be considered as a generalisation of the outer function FO of the KASUMI block cipher. An advantage of this cipher over other n-cell generalised Feistel networks, e.g., SMS4 Diffe and Ledin, 2008 and Camellia Aokiet al., 2001, is that it is parallelisable for up to n rounds. In hardware implementations, the benefits translate to speeding up encryption by up to n times while consuming similar area and significantly less power. At the same time, n-cell GF-NLFSR structures offer similar proofs of security against differential cryptanalysis as conventional n-cell Feistel structures. In this paper, we prove security against differential, linear and boomerang attacks. We also show that the selected number of rounds are conservative enough to provide high security margin against other known attacks such as integral, impossible differential, higher order differential, interpolation, slide, XSL and related-key differential attacks.