Kexin Qiao
Chinese Academy of Sciences
Publication
Featured research published by Kexin Qiao.
international conference on the theory and application of cryptology and information security | 2014
Siwei Sun; Lei Hu; Peng Wang; Kexin Qiao; Xiaoshuang Ma; Ling Song
We propose two systematic methods to describe the differential property of an S-box with linear inequalities based on logical condition modelling and computational geometry respectively. In one method, inequalities are generated according to some conditional differential properties of the S-box; in the other method, inequalities are extracted from the H-representation of the convex hull of all possible differential patterns of the S-box. For the second method, we develop a greedy algorithm for selecting a given number of inequalities from the convex hull. Using these inequalities combined with Mixed-integer Linear Programming (MILP) technique, we propose an automatic method for evaluating the security of bit-oriented block ciphers against the (related-key) differential attack with several techniques for obtaining tighter security bounds, and a new tool for finding (related-key) differential characteristics automatically for bit-oriented block ciphers.
IACR Cryptology ePrint Archive | 2017
Siwei Sun; David Gerault; Pascal Lafourcade; Qianqian Yang; Yosuke Todo; Kexin Qiao; Lei Hu
Searching for different types of distinguishers is a common task in symmetric-key cryptanalysis. In this work, we employ the constraint programming (CP) technique to tackle such problems. First, we show that a simple application of the CP approach proposed by Gerault et al. leads to the solution of the open problem of determining the exact lower bound of the number of active S-boxes for 6-round AES-128 in the related-key model. Subsequently, we show that the same approach can be applied in searching for integral distinguishers, impossible differentials, and zero-correlation linear approximations, in both the single-key and related-(twea)key model. We implement the method using the open source constraint solver Choco and apply it to the block ciphers PRESENT, SKINNY, and HIGHT (ARX construction). As a result, we find 16 related-tweakey impossible differentials for 12-round SKINNY-64-128, based on which we construct an 18-round attack on SKINNY-64-128 (one target version for the crypto competition https://sites.google.com/site/skinnycipher announced at ASK 2016). Moreover, we show that in some cases, when equipped with proper strategies (ordering heuristic, restart and dynamic branching strategy), the CP approach can be very efficient. Therefore, we suggest that the constraint programming technique should become a convenient tool at hand for symmetric-key cryptanalysts.
IACR Cryptology ePrint Archive | 2016
Jian Guo; Jérémy Jean; Ivica Nikolić; Kexin Qiao; Yu Sasaki; Siang Meng Sim
We present an invariant subspace attack on the block cipher Midori64, proposed at Asiacrypt 2015. Our analysis shows that Midori64 has a class of 2^32 weak keys. Under any such key, the cipher can be distinguished with only a single chosen query, and the key can be recovered in 2^16 time with two chosen queries. As both the distinguisher and the key recovery have very low complexities, we confirm our analysis by implementing the attacks. Some tweaks of round constants make Midori64 more resistant to the attacks, but some lead to even larger weak-key classes. To eliminate the dependency on the round constants, we investigate alternative S-boxes for Midori64 that provide a certain level of security against the found invariant subspace attacks, regardless of the choice of the round constants. Our search for S-boxes is enhanced with a dedicated tool which evaluates the depth of any given 4-bit S-box that satisfies certain design criteria. The tool may be of independent interest to future S-box designs.
international conference on information security | 2015
Qianqian Yang; Lei Hu; Siwei Sun; Kexin Qiao; Ling Song; Jinyong Shan; Xiaoshuang Ma
In CRYPTO 2014, Albrecht et al. introduced PRIDE, a 20-round iterative lightweight block cipher based on a good linear layer that achieves a tradeoff between security and efficiency. A recent analysis was presented by Zhao et al. Inspired by their work, we use an automatic search method to find 56 iterative differential characteristics of PRIDE, including 24 1-round iterative characteristics; based on three of them, we construct a 15-round differential and perform a differential attack on 19-round PRIDE, with data, time and memory complexity of 2^62, 2^63 and 2^71 respectively.
theory and application of cryptographic techniques | 2017
Kexin Qiao; Ling Song; Meicheng Liu; Jian Guo
In this paper, we focus on collision attacks against the Keccak hash function family and some of its variants. Following the framework developed by Dinur et al. at FSE 2012, where 4-round collisions were found by combining 3-round differential trails and 1-round connectors, we extend the connectors one round further and hence achieve collision attacks for up to 5 rounds. The extension is possible thanks to the large degree of freedom of the wide internal state. By linearizing all S-boxes of the first round, the problem of finding solutions of 2-round connectors is converted to that of solving a system of linear equations. However, due to the quick reduction of freedom caused by the linearization, the system has a solution only when the 3-round differential trails satisfy some additional conditions. We develop a dedicated differential trail search strategy and find that such special differentials indeed exist. As a result, the first practical collision attack against 5-round SHAKE128 and two 5-round instances of the Keccak collision challenges are found with real examples. We also give the first results against 5-round Keccak-224 and 6-round Keccak collision challenges. It is remarked that the work here is still far from threatening the security of the full 24-round Keccak family.
international conference on information systems security | 2016
Kexin Qiao; Lei Hu; Siwei Sun
In CHES 2015, a new lightweight block cipher Simeck was proposed that combines good design components of SIMON and SPECK, two lightweight ciphers designed by the NSA. As a powerful tool for improving differential attacks, dynamic key-guessing techniques were proposed by Wang et al. and work well on SIMON. In this paper, we convert the dynamic key-guessing techniques into a program that automatically outputs the data used in the dynamic key-guessing procedure. With our tool, the differential security evaluation of SIMON- and Simeck-like block ciphers becomes very convenient. We apply the method to Simeck and four members of the SIMON family. With a differential of lower Hamming weight found by the Mixed Integer Linear Programming method and differentials from Kölbl et al.'s work, we launch attacks on 21- and 22-round Simeck32, 28-round Simeck48 and 34- and 35-round Simeck64. Besides, by using newly proposed differentials from CRYPTO 2015 we obtain new attack results on 22-round SIMON32/64, 24-round SIMON48/96, 28- and 29-round SIMON64/96 and 29- and 30-round SIMON64/128. To the best of our knowledge, our results on SIMON64 are currently the best.
Science in China Series F: Information Sciences | 2017
Danping Shi; Lei Hu; Siwei Sun; Ling Song; Kexin Qiao; Xiaoshuang Ma
Abstract / Highlights: When different components of a cipher take the same input, the correlation of a linear approximation cannot be computed with the piling-up lemma; computing it is a hard problem that has a significant impact on the results of linear cryptanalysis. Taking full account of the correlations between the different operations of the SIMON block cipher, we compute the correlation of linear approximations of the round function exactly by reduction to a standard quadratic form, and obtain precise linear cryptanalysis results. Based on mixed-integer linear programming modelling, we find better linear trails and linear hulls for several versions of SIMON, and give better key-recovery attack results on SIMON.
international conference on information security | 2015
Siwei Sun; Lei Hu; Meiqin Wang; Qianqian Yang; Kexin Qiao; Xiaoshuang Ma; Ling Song; Jinyong Shan
We focus on extending the applicability of the mixed-integer programming (MIP) based method in differential cryptanalysis such that more work can be done automatically. Firstly, we show how to use the MIP-based technique to obtain almost all high probability 2-round iterative related-key differential characteristics of PRIDE, a block cipher proposed in CRYPTO 2014, automatically by treating the
network and system security | 2014
Xiaoshuang Ma; Lei Hu; Siwei Sun; Kexin Qiao; Jinyong Shan
network and system security | 2015
Xiaoshuang Ma; Kexin Qiao