Meet-in-the-Middle and Impossible Differential Fault Analysis on AES
Cited by 4 (1 self)
Abstract. Since the early work of Piret and Quisquater on fault attacks against AES at CHES 2003, many works have been devoted to reducing the number of faults and improving the time complexity of this attack. This attack is very efficient, as a single fault is injected in the third round before the end, and it then allows the whole secret key to be recovered in 2^32 time and memory. However, since this attack, it has been an open problem whether provoking a fault at an earlier round of the cipher allows the key to be recovered. Indeed, since two rounds of AES achieve full diffusion and adding protections against fault attacks decreases performance, some countermeasures propose to protect only the first three and last three rounds. In this paper, we give an answer to this problem by showing two practical cryptographic attacks one round earlier on AES-128 and for all key-size variants. The first attack requires 10 faults and its complexity is around 2^40 in time and memory; an improvement needs only 5 faults and reduces its memory complexity to 2^24, while the second attack requires either 1000 or 45 faults depending on the fault model and recovers the secret key in around 2^40 time and memory.
Automatic Search of Truncated Impossible Differentials and Applications
Cited by 3 (0 self)
Abstract. Finding the longest impossible differentials is an essential task when carrying out impossible differential cryptanalysis. In this paper, we introduce a novel tool to search for the longest truncated impossible differentials of word-oriented block ciphers with bijective S-boxes. It costs polynomial time to return a flag indicating whether a truncated differential is impossible under several filter conditions. To demonstrate the strength of our tool, we show that it automatically finds the longest truncated impossible differentials for many word-oriented block ciphers. It independently rediscovers all known truncated impossible differentials on nine-round CLEFIA. What's more, it finds new and longest truncated impossible differentials for AES, ARIA, Camellia without the FL and FL^{-1} layers, E2, MIBS, LBlock and Piccolo. Finally, we give an impossible differential of 14-round LBlock to illustrate that our tool is more powerful than the U-method and UID-method. We expect that the tool proposed in this paper will be useful for evaluating the security of block ciphers against impossible differentials, especially when one tries to design a word-oriented block cipher with bijective S-boxes. Key words: word-oriented block ciphers, truncated impossible differentials, difference propagation system, U-method, UID-method
A New Involutory MDS Matrix for the AES
2006
Cited by 3 (0 self)
This paper proposes a new, large diffusion layer for the AES block cipher. This new layer replaces the ShiftRows and MixColumns operations by a new involutory matrix in every round. The objective is to provide complete diffusion in a single round, thus sharply improving the overall cipher security. Moreover, the new matrix elements have low Hamming weight in order to provide equally good performance for both the encryption and decryption operations. We use the Cauchy matrix construction instead of circulant matrices such as those in the AES. The reason is that circulant matrices cannot be simultaneously MDS and involutory.
Improved “Partial Sums”-based Square Attack on AES
Cited by 1 (0 self)
Abstract. The Square attack as a means of attacking reduced-round variants of AES was described in the initial description of the Rijndael block cipher. This attack can be applied, with a relatively small number of chosen plaintext-ciphertext pairs, to AES reduced to fewer than six rounds in the case of AES-128 and seven rounds otherwise, and several extensions to this attack have been described in the literature. In this paper we describe new variants of these attacks that have a smaller time complexity than those present in the literature. Specifically, we demonstrate that the number of chosen plaintext-ciphertext pairs can be halved, producing the same reduction in the time complexity. We also demonstrate that the time complexity can be halved again for attacks applied to AES-128 and reduced by a smaller factor for attacks applied to AES-192. This is achieved by eliminating hypotheses on-the-fly when bytes in consecutive subkeys are related because of the key schedule.
New Birthday Attacks on Some MACs Based on Block Ciphers
Cited by 1 (0 self)
Abstract. This paper develops several new techniques for cryptanalyzing MACs based on block ciphers, and is divided into two parts. The first part presents new distinguishers of the MAC construction Alred and its specific instance Alpha-MAC based on AES. For the Alred construction, we first describe a general distinguishing attack which leads directly to a forgery attack with the complexity of the birthday attack. A 2-round collision differential path of Alpha-MAC is adopted to construct a new distinguisher with about 2^65.5 chosen messages and 2^65.5 queries. One of the most important results is to use this new distinguisher to recover the internal state, which is an equivalent subkey of Alpha-MAC. Moreover, our distinguisher on the Alred construction can be applied to MACs based on the CBC and CFB encryption modes. The second part describes the first impossible differential attack on the MACs Pelican, MT-MAC-AES and PC-MAC-AES. Using the birthday attack, enough message pairs that produce an inner near-collision with some specific differences are detected, and then the impossible differential attack on 4-round AES is applied to the above-mentioned MACs. For Pelican, our attack recovers its internal state, which is an equivalent subkey. For MT-MAC-AES, the attack turns out to be a subkey recovery attack directly. The complexity of the two attacks is 2^85.5 chosen messages and 2^85.5 queries. For PC-MAC-AES, we recover its 256-bit key with 2^85.5 chosen messages and 2^128 queries.
Practical Complexity Differential Cryptanalysis and Fault Analysis of AES
Cited by 1 (0 self)
This paper presents a survey of practical complexity differential cryptanalysis of AES and compares this to attacks that have been proposed for differential fault analysis. Naturally, the attacks in each vein of research are applicable in the other but use different models. In this paper we draw from both topics to improve attacks proposed in the literature. We re-evaluate the so-called Square attack and the use of impossible differentials in terms of differential fault analysis using a weaker model than previously considered in the literature. Furthermore, we propose two new attacks applicable to both differential cryptanalysis and differential fault analysis. The first is a differential cryptanalysis of four-round AES based on a differential that occurs with a non-negligible probability. The second is an application of the Square attack to a five-round AES that requires 2^8 ciphertexts and a time complexity equivalent to approximately 2^37.5 AES encryptions.
Low Data Complexity Attacks on AES
Cited by 1 (0 self)
Abstract. The majority of current attacks on reduced-round variants of block ciphers seek to maximize the number of rounds that can be broken, using less data than the entire codebook and less time than exhaustive key search. In this paper, we pursue a different approach, restricting the data available to the adversary to a few plaintext/ciphertext pairs. We show that consideration of such attacks (which received little attention in recent years) serves an important role in assessing the security of block ciphers and of other cryptographic primitives based on block ciphers. In particular, we show that these attacks can be leveraged to more complex attacks, either on the block cipher itself or on other primitives (e.g., stream ciphers, MACs, or hash functions) that use a small number of rounds of the block cipher as one of their components. As a case study, we consider the AES, the most widely used block cipher, whose round function is used in various cryptographic primitives. We present attacks on up to four rounds of AES that require at most 10 known/chosen plaintexts. We then apply these attacks to cryptanalyze a variant of the stream cipher LEX, and to mount a new known plaintext attack on 6-round AES.
Fortification of AES with . . .
The MDS matrix has an important role in the design of the Rijndael cipher and is the most expensive component of the cipher. It is also used as a perfect diffusion primitive in some other block ciphers. In this paper, we propose a