Ling Song

Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-oriented Block Ciphers

We propose two systematic methods to describe the differential property of an S-box with linear inequalities based on logical condition modelling and computational geometry respectively. In one method, inequalities are generated according to some conditional differential properties of the S-box; in the other method, inequalities are extracted from the H-representation of the convex hull of all possible differential patterns of the S-box. For the second method, we develop a greedy algorithm for selecting a given number of inequalities from the convex hull. Using these inequalities combined with Mixed-integer Linear Programming (MILP) technique, we propose an automatic method for evaluating the security of bit-oriented block ciphers against the (related-key) differential attack with several techniques for obtaining tighter security bounds, and a new tool for finding (related-key) differential characteristics automatically for bit-oriented block ciphers.

Automatic Security Evaluation of Block Ciphers with S-bP Structures Against Related-Key Differential Attacks

Counting the number of active S-boxes is a common way to evaluate the security of symmetric key cryptographic schemes against differential attack. Based on Mixed Integer Linear Programming (MILP), Mouha et al. proposed a method to accomplish this task automatically for word-oriented symmetric-key ciphers with SPN structures. However, this method can not be applied directly to block ciphers of SPN structures with bitwise permutation diffusion layers (S-bP structures), due to its ignorance of the diffusion effect derived collaboratively by nonlinear substitution layers and bitwise permutation layers. In this paper we extend Mouha et al.’s method for S-bP structures by introducing new representations for exclusive-or (XOR) differences to describe bit/word level differences simultaneously and by taking the collaborative diffusion effect of S-boxes and bitwise permutations into account. Our method is applied to the block cipher PRESENT-80, an international standard for lightweight symmetric key cryptography, to automatically evaluate its security against differential attacks. We obtain lower bounds on the numbers of active S-boxes in the single-key model for full 31-round PRESENT-80 and in related-key model for round-reduced PRESENT-80 up to 12 rounds, and therefore automatically prove that the full-round PRESENT-80 is secure against single-key differential attack, and the cost of related-key differential attack on the full-round PRESENT-80 is close to that of an exhaustive search: the best related-key differential characteristic for full PRESENT-80 is upper bounded by \(2^{-72}\).

Differential Fault Attack on the PRINCE Block Cipher

PRINCE is a new lightweight block cipher proposed at the ASIACRYPT’2012 conference. In this paper two observations on the linear layer of the cipher are presented. Based on the observations a differential fault attack is applied to the cipher under a random nibble-level fault model, aiming to use fault injections as few as possible. The attack uniquely determines the 128-bit key of the cipher using less than 7 fault injections on average. In the case with 4 fault injections, the attack limits the size of key space to less than 218.

Improved Differential Analysis of Block Cipher PRIDE

In CRYPTO 2014 Albrecht et al. brought in a 20-round iterative lightweight block cipher PRIDE which is based on a good linear layer for achieving a tradeoff between security and efficiency. A recent analysis is presented by Zhao et al. Inspired by their work, we use an automatic search method to find out 56 iterative differential characteristics of PRIDE, containing 24 1-round iterative characteristics, based on three of them we construct a 15-round differential and perform a differential attack on the 19-round PRIDE, with data, time and memory complexity of 262, 263 and 271 respectively.

Match Box Meet-in-the-Middle Attacks on the SIMON Family of Block Ciphers

SIMON is a family of lightweight block ciphers designed by the U.S National Security Agency in 2013. In this paper, we analyze the resistance of the SIMON family of block ciphers against the recent match box meet-in-the-middle attack which was proposed in FSE 2014. Our attack particularly exploits the weaknesses of the linear key schedules of SIMON. Since the data available to the adversary is rather limited in many concrete applications, it is worthwhile to assess the security of SIMON against such low-data attacks.

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON

摘要创新点密码算法的不同部件具有相同输入时的线性逼近的相关度计算不能应用堆积引理, 其计算是一个对线性分析结果有重要影响的难题。 充分考虑了 SIMON 分组密码算法不同运算的相关性, 通过化标准二次型的方法准确计算了轮函数线性逼近的相关度, 得到精确的线性分析结果。 基于混合整数线性规划建模, 找到了 SIMON 算法的多个版本的更好的线性迹和线性闭包, 给出了 SIMON 的更好的密钥恢复攻击结果。

Related-Key Impossible Differential Analysis of Full Khudra

Khudra is a block cipher proposed by Souvik Kolay and Debdeep Mukhopadhyay in the SPACE 2014 conference which is applicable to Field Programmable Gate Arrays (FPGAs). It is an 18-round lightweight cipher based on recursive Feistel structure, with a 64-bit block size and 80-bit key size. The designers indicated that 18 rounds of Khudra provide sufficient security margin for related key attacks. But in this paper, we obtain \(2^{16}\) 14-round related-key impossible differentials of Khudra, and based on these related-key impossible differentials for 32 related keys, we launch an attack on the full Khudra with data complexity of \(2^{63}\) related-key chosen-plaintexts, time complexity of about \(2^{68.46}\) encryptions and memory complexity of \(2^{64}\). This is the first known attack on full Khudra.

Extending the Applicability of the Mixed-Integer Programming Technique in Automatic Differential Cryptanalysis

We focus on extending the applicability of the mixed-integer programming MIP based method in differential cryptanalysis such that more work can be done automatically. Firstly, we show how to use the MIP-based technique to obtain almost all high probability 2-round iterative related-key differential characteristics of PRIDE a block cipher proposed in CRYPTO 2014 automatically by treating the

Improved Algebraic and Differential Fault Attacks on the KATAN Block Cipher

g_i^{j}\cdot