Publication


Featured research published by Tomoyasu Suzaki.


cryptographic hardware and embedded systems | 2003

Cryptanalysis of DES Implemented on Computers with Cache

Yukiyasu Tsunoo; Teruo Saito; Tomoyasu Suzaki; Maki Shigeri; Hiroshi Miyauchi

This paper presents the results of applying an attack against the Data Encryption Standard (DES) implemented in some applications, using side-channel information based on CPU delay as proposed in (11). This cryptanalysis technique uses side-channel information on encryption processing to select and collect effective plaintexts for cryptanalysis, and infers the information on the expanded key from the collected plaintexts. On applying this attack, we found that the cipher can be broken with \(2^{23}\) known plaintexts and \(2^{24}\) calculations at a success rate > 90%, using a personal computer with 600-MHz Pentium III. We discuss the feasibility of cache attack on ciphers that need many S-box look-ups, through reviewing the results of our experimental attacks on the block ciphers excluding DES, such as AES.


international conference on selected areas in cryptography | 2012

TWINE: A Lightweight Block Cipher for Multiple Platforms

Tomoyasu Suzaki; Kazuhiko Minematsu; Sumio Morioka; Eita Kobayashi

This paper presents a 64-bit lightweight block cipher TWINE supporting 80- and 128-bit keys. TWINE realizes quite small hardware implementation similar to the previous lightweight block cipher proposals, yet enables efficient software implementations on various CPUs, from micro-controllers to high-end CPUs. This characteristic is obtained by the use of generalized Feistel combined with an improved block shuffle, introduced at FSE 2010.


fast software encryption | 2008

Impossible Differential Cryptanalysis of CLEFIA

Yukiyasu Tsunoo; Etsuko Tsujihara; Maki Shigeri; Teruo Saito; Tomoyasu Suzaki; Hiroyasu Kubo

This paper reports impossible differential cryptanalysis on the 128-bit block cipher CLEFIA that was proposed in 2007, including new 9-round impossible differentials for CLEFIA, and the result of an impossible differential attack using them. For the case of a 128-bit key, it is possible to apply the impossible differential attack to CLEFIA reduced to 12 rounds. The number of chosen plaintexts required is \(2^{118.9}\) and the time complexity is \(2^{119}\). For key lengths of 192 bits and 256 bits, it is possible to apply impossible differential attacks to 13-round and 14-round CLEFIA. The respective numbers of chosen plaintexts required are \(2^{119.8}\) and \(2^{120.3}\) and the respective time complexities are \(2^{146}\) and \(2^{212}\). These impossible differential attacks are the strongest method for attacking reduced-round CLEFIA.


IEEE Transactions on Information Theory | 2007

A Distinguishing Attack on a Fast Software-Implemented RC4-Like Stream Cipher

Yukiyasu Tsunoo; Teruo Saito; Hiroyasu Kubo; Tomoyasu Suzaki

In 2005, Gong proposed an RC4-like stream cipher capable of fast operation on a 32/64-bit processor. This stream cipher solved the RC4 problem of difficult 32/64-bit processing, a problem once thought impossible to solve. Operation of the cipher on 32- and 64-bit processors is about 3.1 and 6.2 times as fast, respectively, as that of the RC4 cipher. However, we have found a considerable bias in the output sequence of the RC4-like stream cipher. Using the bias along with the first two words of a keystream associated with approximately \(2^{30}\) secret keys allows us to build a distinguisher.


international symposium on information theory and its applications | 2008

Cryptanalysis of CLEFIA using multiple impossible differentials

Yukiyasu Tsunoo; Etsuko Tsujihara; Maki Shigeri; Tomoyasu Suzaki; Takeshi Kawabata

This paper reports impossible differential cryptanalysis on the 128-bit block cipher CLEFIA that was proposed in 2007. It is known that there are 9-round impossible differentials in CLEFIA. This paper presents several results of impossible differential attacks using multiple impossible differentials. For key lengths of 128, 192 and 256 bits, it is possible to apply impossible differential attacks to 12-round, 13-round and 14-round CLEFIA. For the case of a 128-bit key, this attack is the most efficient compared with previous results. For key lengths of 192 and 256 bits, the numbers of chosen plaintexts are the least.


australasian conference on information security and privacy | 2011

On maximum differential probability of generalized Feistel

Kazuhiko Minematsu; Tomoyasu Suzaki; Maki Shigeri

The maximum differential probability (MDP) is an important security measure for blockciphers. We investigate MDP of Type-2 generalized Feistel structure (Type-2 GFS), one of the most popular cipher architectures. Previously MDP of Type-2 GFS has been studied for partition number (number of sub-blocks) k = 2 by Aoki and Ohta, and k = 4 by Kim et al. These studies are based on ad-hoc case analysis and it seems rather difficult to analyze larger k by hand. In this paper, we abstract the idea of previous studies and generalize it for any k, and implement it using computers. We investigate Type-2 GFS of k = 4, 6, 8 and 10 with k+1 rounds, and obtain \(O(p^k)\) bound for all cases, when the round function is invertible and its MDP is p. The bound for k = 4 is improved from Kim et al. and those for larger k are new. We also investigate an improvement of Type-2 GFS proposed by Suzaki and Minematsu, and obtain similar bounds as Type-2.


IEEE Transactions on Information Theory | 2007

Cryptanalysis of Mir-1: A T-Function-Based Stream Cipher

Yukiyasu Tsunoo; Teruo Saito; Hiroyasu Kubo; Tomoyasu Suzaki

This correspondence describes the cryptanalysis of Mir-1, a T-function based stream cipher proposed at eSTREAM (the ECRYPT Stream Cipher Project) in 2005. This cipher uses a multiword T-function, with four 64-bit words, as its basic structure. Mir-1 operations process the data in every 64 bits (one word) to generate a keystream. The correspondence discusses a distinguishing attack against Mir-1 that exploits the T-function characteristics and the Mir-1 initialization. With merely three or four initial vector pairs, this attack can distinguish a Mir-1 output sequence from a truly random number sequence. In this case, the amount of data theoretically needed for cryptanalysis is only \(2^{10}\) words. This correspondence also proposes a countermeasure that provides resistance against the attack described in this correspondence.


Archive | 2012

TWINE: A Lightweight Block Cipher for Multiple Platforms

Tomoyasu Suzaki; Kazuhiko Minematsu; Sumio Morioka; Eita Kobayashi


Archive | 2008

Encryption method, decryption method, device, and program

Tomoyasu Suzaki; Yukiyasu Tsunoo; Hiroyasu Kubo; Maki Shigeri; Teruo Saito; Takeshi Kawabata; Hiroki Nakashima


In State of Art of Stream Ciphers (SASC’06) | 2006

Evaluation of SOSEMANUK with regard to guess-and-determine attacks

Yukiyasu Tsunoo; Teruo Saito; Maki Shigeri; Tomoyasu Suzaki; Hadi Ahmadi; Taraneh Eghlidos; Shahram Khazaei
