Ruilin Li
National University of Defense Technology
Publications
Featured research published by Ruilin Li.
International Cryptology Conference | 2015
Bing Sun; Zhiqiang Liu; Vincent Rijmen; Ruilin Li; Lei Cheng; Qingju Wang; Hoda A. Alkhzaimi; Chao Li
As two important cryptanalytic methods, impossible differential and integral cryptanalysis have attracted much attention in recent years. Although relations among other cryptanalytic approaches have been investigated, the link between these two methods has been missing. The motivation in this paper is to fix this gap and establish links between impossible differential cryptanalysis and integral cryptanalysis.
IET Information Security | 2011
Ruilin Li; Bing Sun; Chao Li
Impossible differential cryptanalysis is a very popular tool for analysing the security of modern block ciphers, and the core of such an attack is the existence of impossible differentials. Currently, most methods for finding impossible differentials are based on the miss-in-the-middle technique and are very ad hoc. In this study, the authors concentrate on substitution–permutation network (SPN) ciphers whose diffusion layer is defined by a linear transformation P. Based on the theory of linear algebra, the authors propose several criteria on P and its inverse P^-1 to characterise the existence of 3/4-round impossible differentials. The authors further discuss the possibility of extending these methods to analyse 5/6-round impossible differentials. Using these criteria, impossible differentials for reduced-round Rijndael are found that are consistent with the ones found before. New 4-round impossible differentials are discovered for the block cipher ARIA. Many 4-round impossible differentials are detected for the first time for a kind of SPN cipher that employs a 32×32 binary matrix proposed at ICISC 2006 as its diffusion layer. It is concluded that the linear transformation should be carefully designed in order to protect the cipher against impossible differential cryptanalysis.
Journal of Systems and Software | 2011
Xuehai Tang; Bing Sun; Ruilin Li; Chao Li
Block ciphers play an important role in the domain of information security. CLEFIA is a 128-bit block cipher proposed by Sony Corporation at FSE 2007. Using the previous 9-round impossible differentials, the redundancy in the key schedule and the early-abort technique, we present the first successful impossible differential cryptanalysis of 13-round CLEFIA-128 in this paper. The data and time complexities of the attack with the whitening layers are 2^119.4 and 2^125.52, respectively. For the attack without the whitening layers, more relationships among the subkeys can be used, so the data and time complexities are reduced to 2^111.3 and 2^117.5, respectively. As far as we know, the presented results are the best compared with the previously published cryptanalytic results on reduced-round CLEFIA-128.
Information Processing Letters | 2011
Ruilin Li; Bing Sun; Chao Li; Jianxiong You
Differential fault analysis (DFA) is a powerful cryptanalytic technique that can be used to retrieve the secret key by exploiting computational errors in the encryption (decryption) procedure. In this paper, we propose a new DFA attack on SMS4 using a single fault. We show that if a random byte fault is induced into either the second, third, or fourth word register at the input of the 28th round, the 128-bit key can be recovered with an exhaustive search of 22.11 bits on average. The proposed attack makes use of the characteristics of the cipher's structure and its round function. Furthermore, it can be tailored to any block cipher employing a similar structure and an SPN-style round function like that of SMS4.
Journal of Systems and Software | 2011
Xuehai Tang; Bing Sun; Ruilin Li; Chao Li; Juhua Yin
In this paper, the meet-in-the-middle attack against the block cipher ARIA is presented for the first time. Some new 3-round and 4-round distinguishing properties of ARIA are found. Based on the 3-round distinguishing property, we can apply the meet-in-the-middle attack to up to 6 rounds for all versions of ARIA. Based on the 4-round distinguishing property, we can mount a successful attack on 8-round ARIA-256 for the first time. Furthermore, the 4-round distinguishing property can be improved, which leads to a 7-round attack on ARIA-192. Compared with the existing cryptanalytic results on ARIA, the meet-in-the-middle attack has huge precomputation and memory complexities. However, the precomputation can be done once and for all. These results show that 8-round ARIA-256 is not immune to the meet-in-the-middle attack.
Australasian Conference on Information Security and Privacy | 2010
Ruilin Li; Bing Sun; Chao Li; Longjiang Qu
This paper reevaluates the security of GF-NLFSR, a new kind of generalized unbalanced Feistel network structure that was proposed at ACISP 2009. We show that GF-NLFSR itself exhibits a very slow diffusion rate, which can lead to several distinguishing attacks. For GF-NLFSR containing n sub-blocks, we find an n^2-round integral distinguisher by algebraic methods and further use this integral to construct an (n^2 + n - 2)-round impossible differential distinguisher. Compared with the original (3n - 1)-round integral and (2n - 1)-round impossible differential, ours are significantly better. Another contribution of this paper is to introduce a kind of non-surjective attack by analyzing a variant structure of GF-NLFSR, whose provable security against differential and linear cryptanalysis can also be provided. The advantage of the proposed non-surjective attack is that the traditional non-surjective attack is only applicable to Feistel ciphers with non-surjective (non-uniform) round functions, while ours can be applied to block ciphers with bijective ones. Moreover, its data complexity is O(l), with l the block length.
Science in China Series F: Information Sciences | 2010
Bing Sun; Ruilin Li; LongJiang Qu; Chao Li
By using an algebraic method, the mathematical foundation of the SQUARE attack is studied in this paper. We point out that a SQUARE distinguisher exists if and only if the degree of the polynomial function between the n-bit input, which is active, and the n-bit output, which is balanced, is ≤ 2^n − 2. The algebraic method can also be used to determine the property of a balanced set after it passes through a nonlinear S-box, by which in some cases a SQUARE distinguisher with more rounds can be found. The validity of the SQUARE attack and the influence of the choice of S-box are also studied. If the round function of a Feistel cipher has a low algebraic degree, a SQUARE attack cannot recover the right keys in some special cases. However, the SQUARE attack on SPN ciphers always holds. The relations between the SQUARE attack and some other cryptanalytic methods are studied, showing that if a cipher is breakable by the SQUARE attack, then it is also breakable by the interpolation attack.
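The degree criterion stated in this abstract can be checked directly for a single n-bit to n-bit map. Over GF(2^n) any such map S is a unique polynomial of degree at most 2^n − 1, and the coefficient of x^(2^n − 1) turns out to be exactly the XOR of all outputs, so the output of an active (all 2^n values) input set is balanced precisely when deg S ≤ 2^n − 2. The script below is an added worked example, not code from the paper: it assumes GF(2^8) with the AES field polynomial, rebuilds the AES S-box from inversion plus the affine map as one sample, and constructs two further sample tables (the cube map x^3 and an S-box with one deliberately introduced collision) to show both sides of the criterion. All helper names are the example's own.

```python
# Algebraic view of the SQUARE / integral distinguisher over GF(2^8).
# Added example for this page, not the paper's code. Field polynomial,
# sample tables and function names are this example's own choices.

N = 8
Q = 1 << N              # field size 2^n
POLY = 0x11B            # AES polynomial x^8 + x^4 + x^3 + x + 1 (assumed choice)


def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements modulo POLY (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & Q:
            a ^= POLY
        b >>= 1
    return r


def gf_pow(a: int, e: int) -> int:
    """a^e in GF(2^8) by square-and-multiply; 0^0 = 1 by convention."""
    r, base = 1, a
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def interpolate(table):
    """Coefficients c[0..Q-1] of the unique polynomial f over GF(2^8)
    with f(a) = table[a] for every field element a.

    Uses f(x) = sum_a table[a] * (1 + (x + a)^(Q-1)); the bracket is 1 at
    x = a and 0 elsewhere.  Because every binomial C(Q-1, k) is odd,
    (x + a)^(Q-1) = sum_k x^k * a^(Q-1-k), so the powers of a are walked
    incrementally from k = Q-1 down to 0 and no binomials are needed.
    """
    c = [0] * Q
    for a, s in enumerate(table):
        if s == 0:
            continue
        c[0] ^= s                      # the "1" inside the bracket
        p = 1                          # a^(Q-1-k); equals 1 at k = Q-1 even for a = 0
        for k in range(Q - 1, -1, -1):
            c[k] ^= gf_mul(s, p)
            p = gf_mul(p, a)
    return c


def evaluate(c, x: int) -> int:
    """Horner evaluation of the coefficient list c at x (used as a self-check)."""
    r = 0
    for coef in reversed(c):
        r = gf_mul(r, x) ^ coef
    return r


def degree(c) -> int:
    return max((k for k, v in enumerate(c) if v), default=-1)


def xor_sum(table) -> int:
    """XOR of all outputs when the input takes every value once (an active set)."""
    s = 0
    for v in table:
        s ^= v
    return s


def square_report(table) -> dict:
    """Degree of the map and whether an active input set gives a balanced output.
    The top coefficient c[Q-1] always equals xor_sum(table), which is the
    'degree <= 2^n - 2 iff balanced' statement for one S-box."""
    c = interpolate(table)
    assert all(evaluate(c, x) == table[x] for x in range(Q))   # interpolation check
    assert c[Q - 1] == xor_sum(table)
    return {"degree": degree(c), "top_coeff": c[Q - 1], "balanced": xor_sum(table) == 0}


# --- sample maps (constructed for this example) ---
def aes_sbox(x: int) -> int:
    """AES S-box: field inverse (x^254, with 0 -> 0) followed by the affine map."""
    inv = gf_pow(x, Q - 2)
    r = 0x63
    for i in range(5):                 # inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4) ^ 0x63
        r ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return r


if __name__ == "__main__":
    aes = [aes_sbox(x) for x in range(Q)]
    cube = [gf_pow(x, 3) for x in range(Q)]       # 3-to-1 on nonzero inputs, yet balanced
    collided = list(aes)
    collided[1] = collided[0]                     # one collision: sum becomes nonzero
    for name, t in (("AES S-box", aes), ("x^3", cube), ("AES with 1 collision", collided)):
        print(name, square_report(t), "bijective:", len(set(t)) == Q)
```

The three samples make the point of the abstract concrete: the bijective AES S-box has degree 254 and is balanced; x^3 is not a permutation of GF(2^8) but its degree is far below 2^n − 2, so the XOR over an active set is still zero; and changing a single output of the AES S-box raises the degree to 255 and the active set is no longer balanced.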
Fast Software Encryption | 2013
Ruilin Li; Heng Li; Chao Li; Bing Sun
The GMR-1 and GMR-2 stream ciphers, which are used in satellite phones, have recently been reconstructed by Driessen et al. The GMR-1 cipher was shown to be a proprietary variant of the GSM A5/2 algorithm, so it can be cracked using previously known methods. For the newly designed GMR-2 cipher, by observing a non-uniform behavior of one of its components, Driessen et al. proposed an efficient known-plaintext attack that recovers the encryption key (a 64-bit session key) with approximately 5–6 frames (50–65 bytes) of keystream.
Multimedia Tools and Applications | 2013
Ruilin Li; Jianxiong You; Bing Sun; Chao Li
FOX is a family of symmetric block ciphers from MediaCrypt AG that helps to secure digital media, communications, and storage. The high-level structure of FOX is the so-called (extended) Lai–Massey scheme. This paper presents a detailed fault analysis of the block cipher FOX64, the 64-bit version of FOX, based on a differential property of the two-round Lai–Massey scheme in a fault model. The previous fault attack on FOX64 showed that each round key (resp. all round keys) could be recovered with 11.45 (resp. 183.20) faults on average. Our proposed fault attack, however, can deduce any round key (except the first one) with 4.25 faults on average (4 in the best case), and retrieve all round keys with 43.31 faults on average (38 in the best case). This implies that the number of faults needed for a fault attack on FOX64 can be significantly reduced. Furthermore, the technique introduced in this paper can be extended to the other members of the block cipher family FOX.
Computers & Mathematics With Applications | 2013
Ruilin Li; Chao Li; Jinshu Su; Bing Sun
This paper deals with the security of the MISTY structure with an SPN round function. We study the lower bound on the number of active S-boxes for differential and linear characteristics of such a block cipher construction. The previous result shows that the differential bound is consistent with the case of the Feistel structure with an SPN round function, yet the situation changes when considering the linear bound. We carefully revisit this issue and prove that the same bound can in fact be obtained for linear characteristics. This result, combined with the previous one, thus demonstrates a similar practical security level for both the Feistel and MISTY structures. Besides, we also discuss the resistance of the MISTY structure with an SPN round function against other kinds of cryptanalytic approaches, including integral cryptanalysis and impossible differential cryptanalysis. We confirm the existence of 6-round integral distinguishers when the linear transformation of the round function employs a binary matrix (i.e., every element in the matrix is either 0 or 1), and briefly describe how to characterize 5/6/7-round impossible differentials through the matrix-based method.