
Publication


Featured research published by Wentao Zhang.


Science in China Series F: Information Sciences | 2015

RECTANGLE: a bit-slice lightweight block cipher suitable for multiple platforms

Wentao Zhang; Zhenzhen Bao; Dongdai Lin; Vincent Rijmen; Bohan Yang; Ingrid Verbauwhede

In this paper, we propose a new lightweight block cipher named RECTANGLE. The main idea of the design of RECTANGLE is to allow lightweight and fast implementations using bit-slice techniques. RECTANGLE uses an SP-network. The substitution layer consists of 16 4×4 S-boxes in parallel. The permutation layer is composed of 3 rotations. As shown in this paper, RECTANGLE offers great performance in both hardware and software environments, which provides enough flexibility for different application scenarios. The following are 3 main advantages of RECTANGLE. First, RECTANGLE is extremely hardware-friendly. For the 80-bit key version, a one-cycle-per-round parallel implementation only needs 1600 gates for a throughput of 246 Kbits/s at 100 kHz clock and an energy efficiency of 3.0 pJ/bit. Second, RECTANGLE achieves a very competitive software speed among the existing lightweight block ciphers due to its bit-slice style. Using 128-bit SSE instructions, a bit-slice implementation of RECTANGLE reaches an average encryption speed of about 3.9 cycles/byte for messages around 3000 bytes. Last but not least, we propose new design criteria for the RECTANGLE S-box. Due to our careful selection of the S-box and the asymmetric design of the permutation layer, RECTANGLE achieves a very good security-performance tradeoff. Our extensive and deep security analysis shows that the highest number of rounds that we can attack is 18 (out of 25).

Abstract and contributions: This paper proposes a new lightweight block cipher, RECTANGLE. RECTANGLE has the following 4 characteristics: (1) a good security margin against mathematical attacks; (2) easy to protect against side-channel attacks; (3) a design based on bit-slice techniques, giving good hardware and software implementations at the same time; (4) we publish the design criteria of RECTANGLE. For the selection of the RECTANGLE S-box we propose new design criteria; the design of the RECTANGLE P permutation is also critical: the P permutation of RECTANGLE consists of only 3 cyclic shifts and is suitable for both hardware and software implementation; the combination of the RECTANGLE S-box and P permutation gives the overall cipher very weak clustering of differential/linear trails, so that RECTANGLE achieves a good tradeoff between security and implementation efficiency.


Journal of Computer Science and Technology | 2007

Impossible differential cryptanalysis of reduced-round ARIA and Camellia

Wenling Wu; Wentao Zhang; Dengguo Feng

This paper studies the security of the block ciphers ARIA and Camellia against impossible differential cryptanalysis. Our work improves the best impossible differential cryptanalysis of ARIA and Camellia known so far. The designers of ARIA expected no impossible differentials exist for 4-round ARIA. However, we found some nontrivial 4-round impossible differentials, which may lead to a possible attack on 6-round ARIA. Moreover, we found some nontrivial 8-round impossible differentials for Camellia, whereas only 7-round impossible differentials were previously known. By using the 8-round impossible differentials, we presented an attack on 12-round Camellia without FL/FL^-1 layers.


international conference on information security and cryptology | 2007

New results on impossible differential cryptanalysis of reduced AES

Wentao Zhang; Wenling Wu; Dengguo Feng

In this paper, we present some new results on impossible differential cryptanalysis of reduced AES, which update the best known impossible differential attacks on reduced AES. First, we present some new attacks on 6-round AES (for all three key lengths). Second, we extend to 7-round AES, also for all three key variants. Especially for 128-bit keys, the best known results can attack up to 7 rounds using the square attack and the collision attack respectively, but their complexities are both marginal either in data or in time (i.e. they require nearly the entire codebook, or close to exhaustive key search). In this sense, our attack is the first non-marginal one on 7-round AES with 128-bit keys. Thirdly, we extend to 8 rounds for 256-bit keys, which is also non-marginal compared with the best non-related-key attacks so far. Finally, we give an improvement of the 7-round attack for 192-bit keys in R.C.W. Phan's paper, which reduces the time complexity greatly.


international conference on selected areas in cryptography | 2006

Improved related-key impossible differential attacks on reduced-round AES-192

Wentao Zhang; Wenling Wu; Lei Zhang; Dengguo Feng

In this paper, we present several new related-key impossible differential attacks on 7- and 8-round AES-192, following the work of Eli Biham et al. [6] and Jakimoski et al. [10]. We choose another relation of the related keys, start attacks from the very beginning (instead of the third round in [6]) so that the data and time complexities are improved largely, and only two related keys are needed instead of 32 in the attacks of [6]. Furthermore, we point out and correct an error in [6] when they attacked 8-round AES-192, then present our revised attacks. Finally, we give a new related-key differential attack on 7-round AES-192, which mainly uses a property of MixColumns operation of AES.


international conference on the theory and application of cryptology and information security | 2016

Applying MILP Method to Searching Integral Distinguishers Based on Division Property for 6 Lightweight Block Ciphers

Zejun Xiang; Wentao Zhang; Zhenzhen Bao; Dongdai Lin

Division property is a generalized integral property proposed by Todo at EUROCRYPT 2015, and very recently, Todo et al. proposed bit-based division property and applied it to SIMON32 at FSE 2016. However, this technique can only be applied to block ciphers with block size no larger than 32 due to its high time and memory complexity. In this paper, we extend the Mixed Integer Linear Programming (MILP) method, which is used to search differential characteristics and linear trails of block ciphers, to search integral distinguishers of block ciphers based on division property with block size larger than 32.


selected areas in cryptography | 2009

Improved Impossible Differential Cryptanalysis of Reduced-Round Camellia

Wenling Wu; Lei Zhang; Wentao Zhang

The block cipher Camellia has now been adopted as an international standard by ISO/IEC, and it has also been selected as a Japanese CRYPTREC e-government recommended cipher and included in the NESSIE block cipher portfolio. Most recently, Wu et al. constructed some 8-round impossible differentials of Camellia, and presented an attack on 12-round Camellia-192/256 in [5]. Later in [6], Lu et al. improved the above attack by using the same 8-round impossible differential and some new observations on the diffusion transformation of Camellia. Considering that all these previously known impossible differential attacks on Camellia have not taken the key scheduling algorithm into account, in this paper we exploit the relations between the round subkeys of Camellia, together with some novel techniques in the key recovery process, to improve the impossible differential attack on Camellia up to 12-round Camellia-128 and 16-round Camellia-256. The data complexities of the two attacks are 2^65 and 2^89 respectively, and the time complexities of the two attacks are less than 2^111.5 and 2^222.1 respectively. The presented results are better than any previously published cryptanalytic results on Camellia without the FL/FL^-1 functions and whitening layers.


australasian conference on information security and privacy | 2008

Cryptanalysis of Reduced-Round SMS4 Block Cipher

Lei Zhang; Wentao Zhang; Wenling Wu

SMS4 is a 128-bit block cipher used in the WAPI standard. WAPI is the Chinese national standard for securing Wireless LANs. Since the specification of SMS4 was not released until January 2006, there have been only a few papers analyzing this cipher. In this paper, firstly we present a kind of 5-round iterative differential characteristic of SMS4 whose probability is about 2^-42. Then based on this kind of iterative differential characteristic, we present a rectangle attack on 16-round SMS4 and a differential attack on 21-round SMS4. As far as we know, these are the best cryptanalytic results on SMS4.


international conference on progress in cryptology | 2007

Related-key differential-linear attacks on reduced AES-192

Wentao Zhang; Lei Zhang; Wenling Wu; Dengguo Feng

In this paper, we study the security of AES-192 against related-key differential-linear cryptanalysis, which is the first attempt using this technique. Among our results, we present two variant attacks on 7-round AES-192 and one attack on 8 rounds using a 5-round related-key differential-linear distinguisher. One key point of the construction of the distinguisher is the special property of the MC operation of AES. Compared with the best known results of related-key impossible differential attacks and related-key rectangle attacks on AES-192, the results presented in this paper are not better than them, but the work is a new attempt, and we hope further work may be done to derive better results in the future.


international conference on information security and cryptology | 2005

Integral cryptanalysis of reduced FOX block cipher

Wenling Wu; Wentao Zhang; Dengguo Feng

FOX is a family of block ciphers presented recently, which is based upon some results of provable security and has high performance on various platforms. In this paper, we construct some distinguishers between 3-round FOX and a random permutation of the block space. By using integral attack and collision-searching techniques, the distinguishers are used to attack 4-, 5-, 6- and 7-round FOX64, and 4- and 5-round FOX128. The attack is more efficient than previous integral attacks on FOX. The complexity of the improved integral attack is 2^77.6 on 4-round FOX128 and 2^205.6 against 5-round FOX128 respectively. For FOX64, the complexity of the improved integral attack is 2^45.4 on 4-round FOX64, 2^109.4 against 5-round FOX64, 2^173.4 against 6-round FOX64, and 2^237.4 against 7-round FOX64 respectively. Therefore, 4-round FOX64/64, 5-round FOX64/128, 6-round FOX64/192, 7-round FOX64/256 and 5-round FOX128/256 are not immune to the attack in this paper.


information security practice and experience | 2009

Some New Observations on the SMS4 Block Cipher in the Chinese WAPI Standard

Wentao Zhang; Wenling Wu; Dengguo Feng; Bozhan Su

SMS4 is a 128-bit block cipher used in the WAPI standard in wireless networks in China. The cipher has attracted much attention in the past two years. This paper consists of two parts. The first part is on the design of the linear diffusion layer L of SMS4. Some new observations on L are presented, which reveal the design rationale of L and of this class of functions to a great extent. The second part is on the differential attack against SMS4. A class of 18-round differential characteristics with a higher probability is given. Then a simple differential attack on 22-round SMS4 is presented, which is an improvement of the previous work; thus our attack becomes the best known one on SMS4. Furthermore, we make a remark on the construction of differential characteristics of SMS4.

Collaboration


Top Co-Authors

Wenling Wu, Chinese Academy of Sciences
Dengguo Feng, Chinese Academy of Sciences
Dongdai Lin, Chinese Academy of Sciences
Lei Zhang, Chinese Academy of Sciences
Zhenzhen Bao, Chinese Academy of Sciences
Bozhan Su, Chinese Academy of Sciences
Xiutao Feng, Chinese Academy of Sciences
Zejun Xiang, Chinese Academy of Sciences
Chuankun Wu, Chinese Academy of Sciences
Xiubin Fan, Chinese Academy of Sciences