47 results sorted by ID
2025/681 (PDF) Last updated: 2025-04-15
Quantum Periodic Distinguisher Construction: Symbolization Method and Automated Tool
Qun Liu, Haoyang Wang, Jinliang Wang, Boyun Li, Meiqin Wang
Secret-key cryptography

As one of the famous quantum algorithms, Simon's algorithm enables the efficient derivation of the period of periodic functions in polynomial time. However, the complexity of constructing periodic functions has hindered the widespread application of Simon's algorithm in symmetric-key cryptanalysis. Currently, aside from the exhaustive search-based testing method introduced by Canale et al. at CRYPTO 2022, there is no unified model for effectively searching for periodic distinguishers....

2024/1008 (PDF) Last updated: 2025-04-12
Impossible Boomerang Distinguishers Revisited
Xichao Hu, Lin Jiao, Dengguo Feng, Yonglin Hao, Xinxin Gong, Yongqiang Li, Siwei Sun
Attacks and cryptanalysis

The Impossible Boomerang Attack (IBA) has shown significant power in evaluating the security of block ciphers such as AES. However, current studies still lack a foundational theory, a user guide and a universal method for constructing impossible boomerang distinguishers (IBDs). This paper addresses these gaps through comprehensive research. Theoretically, we establish a new framework for constructing a series of IBDs by differential propagation, state propagation, and generalized boomerang tables. We rigorously prove their inclusion...

2023/1944 (PDF) Last updated: 2024-03-11
Revisiting The Multiple-of Property for SKINNY: The Exact Computation of the Number of Right Pairs
Hanbeom Shin, Insung Kim, Sunyeop Kim, Seonggyeom Kim, Deukjo Hong, Jaechul Sung, Seokhie Hong
Secret-key cryptography

At EUROCRYPT 2017, Grassi et al. proposed the multiple-of-8 property for 5-round AES, where the number $n$ of right pairs is a multiple of 8. At ToSC 2019, Boura et al. generalized the multiple-of property for a general SPN block cipher and applied it to block cipher SKINNY. In this paper, we present that $n$ is not only a multiple but also a fixed value for SKINNY. Unlike the previous proof of generalization of multiple-of property using equivalence class, we investigate the...

2023/1419 (PDF) Last updated: 2023-09-24
Improving the Rectangle Attack on GIFT-64
Yincen Chen, Nana Zhang, Xuanyu Liang, Ling Song, Qianqian Yang, Zhuohui Feng
Attacks and cryptanalysis

GIFT is a family of lightweight block ciphers based on the SPN structure and composed of two versions named GIFT-64 and GIFT-128. In this paper, we reevaluate the security of GIFT-64 against the rectangle attack under the related-key setting. Investigating the previous rectangle key recovery attack on GIFT-64, we obtain the core idea for improving the attack: trading off the time complexity of each attack phase. We flexibly guess part of the involved subkey bits to balance the time cost of each...

2023/1295 (PDF) Last updated: 2023-08-31
Towards Minimizing Non-linearity in Type-II Generalized Feistel Networks
Yuqing Zhao, Chun Guo, Weijia Wang
Secret-key cryptography

Recent works have revisited blockcipher structures to achieve MPC- and ZKP-friendly designs. In particular, Albrecht et al. (EUROCRYPT 2015) first pioneered the use of a novel structure, SP networks with partial non-linear layers (P-SPNs), and then (ESORICS 2019) repopularized the use of multi-line generalized Feistel networks (GFNs). In this paper, we persist in exploring symmetric cryptographic constructions that are conducive to applications such as MPC. In order to study the minimization of...

2023/789 (PDF) Last updated: 2023-05-30
Where are the constants? New Insights On The Role of Round Constant Addition in The SymSum Distinguisher
Sahiba Suryawanshi, Dhiman Saha
Attacks and cryptanalysis

The current work makes a systematic attempt to describe the effect of the relative order of round constant (RCon) addition in the round function of an SPN cipher on its algebraic structure. The observations are applied to the SymSum distinguisher, introduced by Saha et al. at FSE 2017, which is one of the best distinguishers on the SHA3 hash function reported in the literature. Results show that a certain ordering (referred to as Type-LCN) of RCon makes the distinguisher less effective but it...

2023/196 (PDF) Last updated: 2023-02-15
On Two Factors Affecting the Efficiency of MILP Models in Automated Cryptanalyses
Shengyuan Xu, Xiutao Feng, Yongxing Wang
Foundations

In recent years, mixed integer linear programming (MILP, in short) has gradually become a popular tool for automated cryptanalysis of symmetric ciphers, which can be used to search for differential characteristics and linear approximations with high probability/correlation. A key problem in the MILP method is how to build a proper model that can be solved efficiently by MILP solvers like Gurobi or CPLEX. It is known that the MILP problem is NP-hard, and the numbers of variables and inequalities...

2022/1159 (PDF) Last updated: 2022-12-07
Decomposing Linear Layers
Christof Beierle, Patrick Felke, Gregor Leander, Sondre Rønjom
Secret-key cryptography

There are many recent results on reverse-engineering (potentially hidden) structure in cryptographic S-boxes. The problem of recovering structure in the other main building block of symmetric cryptographic primitives, namely, the linear layer, has not been paid that much attention so far. To fill this gap, in this work, we develop a systematic approach to decomposing structure in the linear layer of a substitution-permutation network (SPN), covering the case in which the specification of the...

2022/745 (PDF) Last updated: 2024-06-17
Throwing Boomerangs into Feistel Structures: Application to CLEFIA, WARP, LBlock, LBlock-s and TWINE
Hosein Hadipour, Marcel Nageler, Maria Eichlseder
Attacks and cryptanalysis

Automatic tools to search for boomerang distinguishers have seen significant advances over the past few years. However, most previous work has focused on ciphers based on a Substitution Permutation Network (SPN), while analyzing the Feistel structure is of great significance. Boukerrou et al. recently provided a theoretical framework to formulate the boomerang switch over multiple Feistel rounds, but they did not provide an automatic tool to find distinguishers. In this paper, by enhancing...

2022/643 (PDF) Last updated: 2022-05-25
Accelerating the Best Trail Search on AES-Like Ciphers
Seonggyeom Kim, Deukjo Hong, Jaechul Sung, Seokhie Hong
Secret-key cryptography

In this study, we accelerate Matsui's search algorithm to search for the best differential and linear trails of AES-like ciphers. Our acceleration points are twofold. The first exploits the structure and branch number of an AES-like round function to apply strict pruning conditions to Matsui's search algorithm. The second employs permutation characteristics in trail search to reduce the inputs that need to be analyzed. We demonstrate the optimization of the search algorithm by obtaining the...

2022/519 (PDF) Last updated: 2022-05-02
HARPOCRATES: An Approach Towards Efficient Encryption of Data-at-rest
Md Rasid Ali, Debranjan Pal, Abhijit Das, Dipanwita Roychowdhury
Secret-key cryptography

This paper proposes a new block cipher called HARPOCRATES, which is different from traditional SPN, Feistel, or ARX designs. The new design structure that we use is called the substitution convolution network. The novelty of the approach lies in that the substitution function does not use fixed S-boxes. Instead, it uses a key-driven lookup table storing a permutation of all 8-bit values. If the lookup table is sufficiently randomly shuffled, the round sub-operations achieve good confusion...

2022/014 (PDF) Last updated: 2022-01-08
Transformer encoder-based Crypto-Ransomware Detection for Low-Power Embedded Processors
Hyunji Kim, Sejin Lim, Yeajun Kang, Wonwoong Kim, Hwajeong Seo
Applications

Crypto-ransomware encrypts the victim's files and then demands money from the victim for a key to decrypt the encrypted files. In this paper, we present new approaches to prevent crypto-ransomware by detecting block cipher algorithms for Internet of Things (IoT) platforms. The generic software of the AVR package and the lightweight block cipher library (FELICS), written in the C language, were trained through the neural network, and then we evaluated the result. Unlike...

2021/723 (PDF) Last updated: 2021-06-07
Cache attack on MISTY1
Haopeng Fan, Wenhao Wang, Yongjuan Wang, Wenyu Zhang, Qingjun Yuan
Implementation

Side-channel attacks exploit information from physical implementations of cryptographic systems. Cache attacks have improved at recovering information by combining observations of the victim's cache access and knowledge of the cipher’s structure. Cache attacks have been implemented for most Feistel- and SPN-structured block cipher algorithms, but the security of algorithms for special structures has seen little attention. We perform a Flush+Reload attack on MISTY1, a class of block cipher...

2021/401 (PDF) Last updated: 2022-12-26
Output Prediction Attacks on Block Ciphers using Deep Learning
Hayato Kimura, Keita Emura, Takanori Isobe, Ryoma Ito, Kazuto Ogawa, Toshihiro Ohigashi
Secret-key cryptography

Cryptanalysis of symmetric-key ciphers, e.g., linear/differential cryptanalysis, requires an adversary to know the internal structures of the target ciphers. On the other hand, deep learning-based cryptanalysis has attracted significant attention because the adversary is not assumed to have knowledge about the target ciphers with the exception of the algorithm interfaces. Such cryptanalysis in a blackbox setting is extremely strong; thus, we must design symmetric-key ciphers that are secure...

2021/238 (PDF) Last updated: 2022-01-29
Weak Tweak-Keys for the CRAFT Block Cipher
Gregor Leander, Shahram Rasoolzadeh
Secret-key cryptography

CRAFT is a lightweight tweakable Substitution-Permutation-Network (SPN) block cipher optimized for efficient protection of its implementations against Differential Fault Analysis (DFA) attacks. In this paper, we present an equivalent description of CRAFT up to a simple mapping on the plaintext, ciphertext and round tweakeys. We show that the new representation, for a sub-class of keys, leads to a new structure which is a Feistel network, with non-linear operation and key addition only on...

2020/1349 (PDF) Last updated: 2020-10-29
Key Dependency of Differentials: Experiments in the Differential Cryptanalysis of Block Ciphers Using Small S-boxes
Howard M. Heys
Secret-key cryptography

In this paper, we investigate the key dependency of differentials in block ciphers by examining the results of numerous experiments applied to the substitution-permutation network (SPN) structure using 4-bit S-boxes. In particular, we consider two cipher structures: a toy 16-bit SPN and a realistic 64-bit SPN. For both ciphers, we generate many different experimental results by inserting the S-boxes used in many lightweight cipher proposals and applying different forms of round key...

2020/1325 (PDF) Last updated: 2023-02-10
On Self-Equivalence Encodings in White-Box Implementations
Adrián Ranea, Bart Preneel
Secret-key cryptography

All academic methods to secure software implementations of block ciphers against adversaries with full control of the device have been broken. Despite the huge progress in the cryptanalysis of these white-box implementations, no recent progress has been made on the design side. Most of the white-box designs follow the CEJO framework, where each round is encoded by composing it with small random permutations. While several generic attacks have been proposed on the CEJO framework, no generic...

2020/1320 (PDF) Last updated: 2020-10-23
WARP: Revisiting GFN for Lightweight 128-bit Block Cipher
Subhadeep Banik, Zhenzhen Bao, Takanori Isobe, Hiroyasu Kubo, Fukang Liu, Kazuhiko Minematsu, Kosei Sakamoto, Nao Shibata, Maki Shigeri
Secret-key cryptography

In this article, we present WARP, a lightweight 128-bit block cipher with a 128-bit key. It aims at a small-footprint circuit in the field of 128-bit block ciphers, possibly for a unified encryption and decryption functionality. The overall structure of WARP is a variant of the 32-nibble Type-2 Generalized Feistel Network (GFN), with a permutation over nibbles designed to optimize security and efficiency. We conduct a thorough security analysis and report comprehensive hardware and software...

2020/913 (PDF) Last updated: 2020-10-29
Differential-ML Distinguisher: Machine Learning based Generic Extension for Differential Cryptanalysis
Tarun Yadav, Manoj Kumar
Foundations

Differential cryptanalysis is an important technique to evaluate the security of block ciphers. There exist several generalisations of differential cryptanalysis, and it is also used in combination with other cryptanalysis techniques to improve the attack complexity. In 2019, the usefulness of machine learning in differential cryptanalysis was introduced by Gohr to attack the lightweight block cipher SPECK. In this paper, we present a framework to extend the classical differential distinguisher...

2019/1379 (PDF) Last updated: 2019-12-01
Systematic and Random Searches for Compact 4-Bit and 8-Bit Cryptographic S-Boxes
Christophe Clavier, Léo Reynaud
Secret-key cryptography

Obtaining compact, while cryptographically strong, S-boxes is a challenging task required for hardware implementations of lightweight cryptography. In contrast to the design of 4-bit permutations, which is somewhat well understood, 8-bit permutations have mainly been investigated only through structured S-boxes built from 4-bit ones by means of Feistel, MISTY or SPN schemes. In this paper, we depart from this common habit and search for compact designs directly in the space of 8-bit permutations. We...

2019/1285 (PDF) Last updated: 2019-11-07
Full-Round Differential Attack on DoT Block Cipher
Manoj Kumar
Secret-key cryptography

The lightweight encryption design DoT was published by Patil et al. in 2019. It is based on the SPN (substitution permutation network) structure. Its block and key sizes are 64-bit and 128-bit respectively. In this paper, we analyse the security of DoT against differential attack and present a series of differential distinguishers for full-round DoT. Our analysis proves that DoT can be distinguished from a random permutation with probability equal to 2^62. The diffusion layer of DoT is...

2017/016 (PDF) Last updated: 2017-09-27
Provable Security of Substitution-Permutation Networks
Yevgeniy Dodis, Jonathan Katz, John Steinberger, Aishwarya Thiruvengadam, Zhe Zhang
Secret-key cryptography

Many modern block ciphers are constructed based on the paradigm of substitution-permutation networks (SPNs). But, somewhat surprisingly---especially in comparison with Feistel networks, which have been analyzed by dozens of papers going back to the seminal work of Luby and Rackoff---there are essentially no provable-security results about SPNs. In this work, we initiate a comprehensive study of the security of SPNs as strong pseudorandom permutations when the underlying "$S$-box" is...

2016/722 (PDF) Last updated: 2016-07-21
Improved Meet-in-the-Middle Attacks on Reduced-Round Kalyna-128/256 and Kalyna-256/512
Li Lin, Wenling Wu
Secret-key cryptography

Kalyna is an SPN-based block cipher that was selected during the Ukrainian National Public Cryptographic Competition (2007-2010), and a slight modification of it was approved as the new encryption standard of Ukraine. In this paper, we focus on key-recovery attacks on reduced-round Kalyna-128/256 and Kalyna-256/512 with the meet-in-the-middle method. The differential enumeration technique and the key-dependent sieve technique, which are popular for analyzing AES, are used to attack them. Using the ...

2016/647 (PDF) Last updated: 2016-06-24
Strong 8-bit Sboxes with Efficient Masking in Hardware
Erik Boss, Vincent Grosso, Tim Güneysu, Gregor Leander, Amir Moradi, Tobias Schneider
Implementation

Block ciphers are arguably the most important cryptographic primitive in practice. While their security against mathematical attacks is rather well understood, physical threats such as side-channel analysis (SCA) still pose a major challenge for their security. An effective countermeasure to thwart SCA is using a cipher representation that applies the threshold implementation (TI) concept. However, there are hardly any results available on how this concept can be adopted for block ciphers...

2016/096 (PDF) Last updated: 2016-02-05
Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation Linear Cryptanalysis
Bing Sun, Meicheng Liu, Jian Guo, Vincent Rijmen, Ruilin Li
Secret-key cryptography

Impossible differential and zero correlation linear cryptanalysis are two of the most important cryptanalytic vectors. To characterize the impossible differentials and zero correlation linear hulls which are independent of the choices of the non-linear components, Sun et al. proposed the structure deduced by a block cipher at CRYPTO 2015. Based on that, we concentrate in this paper on the security of the SPN structure and Feistel structure with SP-type round functions. Firstly, we prove that...

2016/020 (PDF) Last updated: 2016-02-02
Truncated Differential Based Known-Key Attacks on Round-Reduced Simon
Yonglin Hao, Willi Meier
Secret-key cryptography

At Crypto 2015, Blondeau, Peyrin and Wang proposed a truncated-differential-based known-key attack on full PRESENT, a nibble-oriented lightweight blockcipher with an SPN structure. The truncated difference they used is derived from the existing multidimensional linear characteristics. An innovative technique of their work is the design of a MITM layer added before the characteristic that covers extra rounds with a complexity lower than that of a generic construction. We notice that there...

2015/650 (PDF) Last updated: 2015-07-01
A New Encryption Standard of Ukraine: The Kalyna Block Cipher
Roman Oliynykov, Ivan Gorbenko, Oleksandr Kazymyrov, Victor Ruzhentsev, Oleksandr Kuznetsov, Yurii Gorbenko, Oleksandr Dyrda, Viktor Dolgov, Andrii Pushkaryov, Ruslan Mordvinov, Dmytro Kaidalov
Secret-key cryptography

The Kalyna block cipher was selected during the Ukrainian National Public Cryptographic Competition (2007-2010), and a slight modification of it was approved as the new encryption standard of Ukraine in 2015. The main requirements for Kalyna were both a high security level and high performance of software implementations on general-purpose 64-bit CPUs. The cipher has an SPN-based (Rijndael-like) structure with increased MDS matrix size, a new set of four different S-boxes, pre- and postwhitening using modulo...

2015/459 (PDF) Last updated: 2016-08-22
New Observation on Division Property
Bing Sun, Xin Hai, Wenyu Zhang, Lei Cheng, Zhichao Yang

The Feistel structure is among the most popular choices for designing ciphers. Recently, 3-round/5-round integral distinguishers for Feistel structures with non-bijective/bijective round functions were presented. At EUROCRYPT 2015, Todo proposed the Division Property to effectively construct integral distinguishers for both Feistel and SPN structures. In this paper, firstly, it is proved that if X, which is a subset of F_2^n, has the division property D_k^n, the number of elements in X is at...

2015/181 (PDF) Last updated: 2015-06-03
Links among Impossible Differential, Integral and Zero Correlation Linear Cryptanalysis
Bing Sun, Zhiqiang Liu, Vincent Rijmen, Ruilin Li, Lei Cheng, Qingju Wang, Hoda Alkhzaimi, Chao Li

As two important cryptanalytic methods, impossible differential cryptanalysis and integral cryptanalysis have attracted much attention in recent years. Although relations among other important cryptanalytic approaches have been investigated, the link between these two methods has been missing. The motivation in this paper is to fix this gap and establish links between impossible differential cryptanalysis and integral cryptanalysis. Firstly, by introducing the concept of structure and dual...

2015/090 (PDF) Last updated: 2015-07-03
Structural Evaluation by Generalized Integral Property
Yosuke Todo
Secret-key cryptography

In this paper, we show structural cryptanalyses against two popular networks, i.e., the Feistel Network and the Substitute-Permutation Network (SPN). Our cryptanalyses are distinguishing attacks by an improved integral distinguisher. The integral distinguisher is one of the most powerful attacks against block ciphers, and it is usually constructed by evaluating the propagation characteristic of integral properties, e.g., the ALL or BALANCE property. However, the integral property does not...

2014/530 (PDF) Last updated: 2015-04-19
FOAM: Searching for Hardware-Optimal SPN Structures and Components with a Fair Comparison
Khoongming Khoo, Thomas Peyrin, Axel Y. Poschmann, Huihui Yap
Implementation

In this article, we propose a new comparison metric, the figure of adversarial merit (FOAM), which combines the inherent security provided by cryptographic structures and components with their implementation properties. To the best of our knowledge, this is the first such metric proposed to ensure a fairer comparison of cryptographic designs. We then apply this new metric to meaningful use cases by studying Substitution-Permutation Network permutations that are suited for hardware...

2014/326 Last updated: 2019-04-09
FeW: A Lightweight Block Cipher
Manoj Kumar, Saibal K Pal, Anupama Panigrahi
Secret-key cryptography

In this paper, we propose a new lightweight block cipher called FeW which encrypts a 64-bit plaintext using a key size of 80/128 bits and produces a 64-bit ciphertext. FeW is a software-oriented design with the aim of achieving high efficiency in software-based environments. We use a mix of Feistel and generalised Feistel structures (referred to as the Feistel-M structure hereinafter) to enhance the security of our design against basic cryptanalytic attacks like differential, linear, impossible...

2013/636 (PDF) Last updated: 2013-10-07
SCARE of Secret Ciphers with SPN Structures
Matthieu Rivain, Thomas Roche

Side-Channel Analysis (SCA) is commonly used to recover secret keys involved in the implementation of publicly known cryptographic algorithms. On the other hand, Side-Channel Analysis for Reverse Engineering (SCARE) considers an adversary who aims at recovering the secret design of some cryptographic algorithm from its implementation. Most previously published SCARE attacks enable the recovery of some secret parts of a cipher design (e.g., the substitution box(es)) assuming that...

2013/547 (PDF) Last updated: 2013-09-04
Automatic Security Evaluation of Block Ciphers with S-bP Structures against Related-key Differential Attacks
Siwei Sun, Lei Hu, Ling Song, Yonghong Xie, Peng Wang

Counting the number of active S-boxes is a common way to evaluate the security of symmetric-key cryptographic schemes against differential attack. Based on Mixed Integer Linear Programming (MILP), Mouha et al. proposed a method to accomplish this task automatically for word-oriented symmetric-key ciphers with SPN structures. However, this method cannot be applied directly to block ciphers of SPN structures with bitwise permutation diffusion layers (S-bP structures), due to its ignorance of...

2013/366 (PDF) Last updated: 2015-05-11
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Pierre-Alain Fouque, Jérémy Jean, Thomas Peyrin
Secret-key cryptography

While the symmetric-key cryptography community now has good experience in how to build a secure and efficient fixed permutation, it remains an open problem how to design a key schedule for block ciphers, as shown by the numerous candidates broken in the related-key model or in a hash function setting. Provable security against differential and linear cryptanalysis in the related-key scenario is an important step towards a better understanding of its construction. Using a structural...

2012/234 (PDF) Last updated: 2012-07-09
SPN-Hash: Improving the Provable Resistance Against Differential Collision Attacks
Jiali Choy, Huihui Yap, Khoongming Khoo, Jian Guo, Thomas Peyrin, Axel Poschmann, Chik How Tan
Foundations

Collision resistance is a fundamental property required for cryptographic hash functions. One way to ensure collision resistance is to use hash functions based on public key cryptography (PKC) which reduces collision resistance to a hard mathematical problem, but such primitives are usually slow. A more practical approach is to use symmetric-key design techniques which lead to faster schemes, but collision resistance can only be heuristically inferred from the best probability of a single...

2011/226 (PDF) Last updated: 2012-05-31
Substitution-permutation networks, pseudorandom functions, and Natural Proofs
Eric Miles, Emanuele Viola
Foundations

This paper takes a new step towards closing the troubling gap between pseudorandom functions (PRF) and their popular, bounded-input-length counterparts. This gap is both quantitative, because these counterparts are more efficient than PRF in various ways, and methodological, because these counterparts usually fit in the substitution-permutation network paradigm (SPN) which has not been used to construct PRF. We give several candidate PRF F_i that are inspired by the SPN paradigm. This...

2011/086 (PDF) Last updated: 2011-05-10
Fault-propagation Pattern Based DFA on SPN Structure Block Ciphers using Bitwise Permutation, with Application to PRESENT and PRINTcipher
Xin-jie Zhao, Tao Wang, Shi-ze Guo

This paper proposes a novel fault-propagation pattern based differential fault analysis method, FPP-DFA, and proves its feasibility on SPN structure block ciphers using bitwise permutation, such as PRESENT and PRINTcipher. Simulated experiments demonstrate that, with the fault model of injecting one nibble fault into the $(r-2)$-th round substitution layer, on average 8 and 16 faulty samples can reduce the master key search space of PRESENT-80/128 to $2^{14.7}$ and $2^{21.1}$ respectively, and...

2010/661 (PDF) Last updated: 2012-01-17
Security Evaluation of MISTY Structure with SPN Round Function
Ruilin Li, Chao Li, Jinshu Su, Bing Sun
Secret-key cryptography

This paper deals with the security of the MISTY structure with SPN round function. We study the lower bound on the number of active S-boxes for differential and linear characteristics of such a block cipher construction. Previous results show that the differential bound is consistent with the case of the Feistel structure with SPN round function, yet the situation changes when considering the linear bound. We carefully revisit this issue, and prove that the same bound can in fact be obtained for...

2010/201 Last updated: 2010-09-26
Impossible Differential Cryptanalysis on E2
Yuechuan Wei, Ruilin Li, Ping Li, Chao Li
Secret-key cryptography

E2 is a 128-bit block cipher which employs a Feistel structure with a 2-round SPN in its round function. It was an AES candidate and was designed by NTT. In previous publications, E2 was believed to have no impossible differential longer than 5 rounds. In this paper, we describe some 6-round impossible differentials of E2. By using the 6-round impossible differential, we first present an attack on a 9-round reduced version of E2-256 without the IT function (the initial transformation) and the FT function (the Final...

2010/073 (PDF) Last updated: 2010-02-11
Related-Key Boomerang Attack on Block Cipher SQUARE
Bonwook Koo, Yongjin Yeom, Junghwan Song
Secret-key cryptography

Square is an 8-round SPN-structure block cipher, and its round function and key schedule were slightly modified to form the building blocks of Rijndael. The key schedule of Square is simple and efficient but fully affine, so we apply a related-key attack to it. We find a 3-round related-key differential trail with probability 2^28, which has zero differences on both its input and output states; this trail is called the local collision in [5]. By extending this related-key differential, we...

2010/063 (PDF) Last updated: 2010-12-10
Differential Fault Analysis on SMS4 Using a Single Fault
Ruilin Li, Bing Sun, Chao Li, Jianxiong You
Secret-key cryptography

The Differential Fault Analysis (DFA) attack is a powerful cryptanalytic technique that can be used to retrieve the secret key by exploiting computational errors in the encryption (decryption) procedure. In the present paper, we propose a new DFA attack on SMS4 using a single fault. We show that if a random byte fault is induced into either the second, third, or fourth word register at the input of the $28$-th round, the 128-bit master key can be recovered with an exhaustive search of...

2010/026 (PDF) Last updated: 2010-05-22
Further Improved Differential Fault Analysis on Camellia by Exploring Fault Width and Depth
Xin-jie Zhao, Tao Wang

In this paper, we present two further improved differential fault analysis methods on Camellia by exploring fault width and depth. Our first method broadens the fault width of previous Camellia attacks: it injects multiple byte faults into the $r$-th round left register to recover multiple bytes of the $r$-th round equivalent key, and obtains the Camellia-128 and Camellia-192/256 keys with at least 8 and 12 faulty ciphertexts respectively. Our second method extends the fault depth of previous Camellia attacks, injecting one...

2009/585 (PDF) Last updated: 2009-12-01
An Improved Differential Fault Attack on Camellia
ZHAO Xin-jie, WANG Tao

The S-box lookup is one of the most important operations in cipher algorithm design and is also the most effective component for preventing traditional linear and differential attacks. However, when the physical implementation of the algorithm is considered, it becomes the weakest part of the cryptosystem. This paper studies an active-fault-based implementation attack on block ciphers with S-boxes. Firstly, it proposes the basic DFA model and then presents two DFA models for Feistel and SPN structure...

2005/157 (PDF) Last updated: 2005-05-29
FOX Algorithm Implementation: a hardware design approach
Colm O'Keeffe, Emanuel Popovici
Implementation

Encryption algorithms are becoming more necessary to ensure data is securely transmitted over insecure communication channels. FOX is a recently developed algorithm and its structure is based on the already proven IDEA (International Data Encryption Algorithm) cipher. FOX is a symmetric (private key) block cipher. Its top-level structure uses the Lai-Massey scheme and the round functions used in the scheme are substitution permutation networks (SPN). Its flexibility lies in the fact that it...

2001/070 (PDF) (PS) Last updated: 2001-08-16
Security Assessment of Hierocrypt and Rijndael against the Differential and Linear Cryptanalysis (Extended Abstract)
Kenji Ohkuma, Hideo Shimizu, Fumihiko Sano, Shinichi Kawamura
Secret-key cryptography

The authors analyze the security of Hierocrypt-3 (128-bit) and Hierocrypt-L1 (64-bit), designed on the nested SPN (NSPN) structure, against differential and linear cryptanalysis, and find that they are sufficiently secure: e.g., the maximum average differential and linear hull probabilities (MACP and MALHP) are bounded by $2^{-96}$ for 4 rounds of Hierocrypt-3, and those probabilities are bounded by $2^{-48}$ for 4 rounds of Hierocrypt-L1. The authors obtain these results by extending the provable...

2001/033 (PDF) (PS) Last updated: 2001-05-09
Dual of New Method for Upper Bounding the Maximum Average Linear Hull Probability for SPNs
Liam Keliher, Henk Meijer, Stafford Tavares
Secret-key cryptography

In [3], we present a new algorithm for computing an upper bound on the maximum average linear hull probability (MALHP) for the SPN symmetric cipher structure, a value required to make claims about provable security against linear cryptanalysis. This algorithm improves on existing work in that the resulting upper bound is a function of the number of encryption rounds (other upper bounds known to the authors are not), and moreover, it can be computed for an SPN with any linear transformation...
