Results 1 - 10 of 15
An All-In-One Approach to Differential Cryptanalysis for Small Block Ciphers
Cited by 8 (0 self)
Abstract. We present a framework that unifies several standard differential techniques. This unified view allows us to consider many, potentially all, output differences for a given input difference and to combine the information derived from them in an optimal way. We then propose a new attack that implicitly mounts several standard, truncated, impossible, improbable and possible future variants of differential attacks in parallel and hence allows us to significantly improve upon known differential attacks using the same input difference. To demonstrate the viability of our techniques, we apply them to KATAN32. In particular, our attack allows us to break 115 rounds of KATAN32, which is 37 rounds more than previous work. For this, our attack exploits the non-uniformity of the difference distribution after 91 rounds, which is 20 rounds more than the previously best known differential characteristic. Since our results still cover less than 1/2 of the cipher, they further strengthen our confidence in KATAN32’s resistance against differential attacks.
New Links between Differential and Linear Cryptanalysis
In EUROCRYPT’13, LNCS 7881, 2013
Cited by 7 (1 self)
Abstract. Recently, a number of relations have been established among previously known statistical attacks on block ciphers. Leander showed in 2011 that statistical saturation distinguishers are on average equivalent to multidimensional linear distinguishers. Further relations between these two types of distinguishers and the integral and zero-correlation distinguishers were established by Bogdanov et al. [6]. Knowledge about such relations is useful for classification of statistical attacks in order to determine those that give essentially complementary information about the security of block ciphers. The purpose of the work presented in this paper is to explore relations between differential and linear attacks. The mathematical link between linear and differential attacks was discovered by Chabaud and Vaudenay already in 1994, but it has never been used in practice. We will show how to use it for computing accurate estimates of truncated differential probabilities from accurate estimates of correlations of linear approximations. We demonstrate this method in practice and give the first instantiation of multiple differential cryptanalysis using the LLR statistical test on PRESENT. On a more theoretical side, we establish equivalence between a multidimensional linear distinguisher and a truncated differential distinguisher, and show that certain zero-correlation linear distinguishers exist if and only if certain impossible differentials exist.
The Resistance of PRESENT-80 Against Related-Key Differential Attacks
Cited by 5 (1 self)
Abstract. We examine the security of the 64-bit lightweight block cipher PRESENT-80 against related-key differential attacks. With a computer search we are able to prove that no related-key differential characteristic exists with probability higher than 2^{-64} for the full-round PRESENT-80. To overcome the exponential (in the state and key sizes) computational complexity we use truncated differences; however, as the key schedule is not nibble-oriented, we switch to actual differences and apply early abort techniques to prune the tree-based search. With a new method called the extended split approach we are able to make the whole search feasible, and we implement and run it in real time. Our approach targets the PRESENT-80 cipher; however, with small modifications it can be reused for other lightweight ciphers as well.
RECTANGLE: A Bitslice Ultra-Lightweight Block Cipher Suitable for Multiple Platforms
Cited by 5 (1 self)
Abstract. In this paper, we propose a new lightweight block cipher named RECTANGLE. The main idea of the design of RECTANGLE is to allow lightweight and fast implementations using bitslice techniques. RECTANGLE uses an SP-network. The substitution layer consists of 16 4 × 4 S-boxes in parallel. The permutation layer is composed of 3 rotations. As shown in this paper, RECTANGLE offers great performance in both hardware and software environments, which proves enough flexibility for different application scenarios. The following are 3 main advantages of RECTANGLE. First, RECTANGLE is extremely hardware-friendly. For the 80-bit key version, a one-cycle-per-round parallel implementation only needs 1467 gates for a throughput of 246 Kbits/sec at a 100 KHz clock and an energy efficiency of 1.11 pJ/bit. Second, RECTANGLE achieves a very competitive software speed among the existing lightweight block ciphers due to its bitslice style. Using 128-bit SSE instructions, a bitslice implementation of RECTANGLE reaches an average encryption speed of about 5.38 cycles/byte for messages around 1000 bytes. Last but not least, we propose new design criteria for 4×4 S-boxes. RECTANGLE uses such a new type of S-box. Due to our careful selection of the S-box and the asymmetric design of the permutation layer, RECTANGLE achieves a very good security-performance tradeoff. Our extensive and deep security analysis finds distinguishers for up to 14 rounds only, and the highest number of rounds that we can attack is 18 (out of 25).
Improved Differential Attacks on Reduced SIMON Versions
Cited by 4 (0 self)
Abstract. SIMON is a family of lightweight block ciphers which were designed by the U.S. National Security Agency in 2013. In this paper, we improve the previous differential attacks on the SIMON family of block ciphers by considering some bit-difference equations. Combining with some new observations on key guess policies of the SIMON family, we mount differential attacks on 21
Zero-correlation Linear Cryptanalysis of Reduced-round LBlock
IACR Cryptology ePrint Archive, 2013
Cited by 3 (0 self)
Abstract. Zero-correlation linear attack is a new method for cryptanalysis of block ciphers developed by . In this paper we adapt the matrix method to find zero-correlation linear approximations. Then we present several zero-correlation linear approximations for 14 rounds of LBlock and describe a cryptanalysis for 22 rounds of the reduced LBlock. After biclique attacks on LBlock revealed weaknesses in its key schedule, its designers presented a new version of the cipher with a revised key schedule. The attack presented in this paper is applicable to the LBlock structure independently of the key scheduling. The attack needs distinct known plaintexts, which is a more realistic attack model in comparison with impossible differential cryptanalysis, which uses chosen plaintext pairs. Moreover, we performed simulations on a small variant of LBlock and present the first experimental results on the theoretical model of the multidimensional zero-correlation linear cryptanalysis method.
Cryptographic analysis of all 4 x 4-bit S-boxes
SAC 2011, LNCS, 2011
Cited by 2 (1 self)
Abstract. We present cryptanalytic results of an exhaustive search of all 16! bijective 4-bit S-Boxes. Previously, affine equivalence classes have been exhaustively analyzed in 2007 work by Leander and Poschmann. We extend on this work by giving further properties of the optimal S-Box linear equivalence classes. In our main analysis we consider two S-Boxes to be cryptanalytically equivalent if they are isomorphic up to the permutation of input and output bits and an XOR of a constant in the input and output. We have enumerated all such equivalence classes with respect to their differential and linear properties. These equivalence classes are equivalent not only in their differential and linear bounds but also have equivalent algebraic properties, branch number and circuit complexity. We describe a “golden” set of S-boxes that have ideal cryptographic properties. We also present a comparison table of S-Boxes from a dozen published cryptographic algorithms.
A Cryptanalysis of Hummingbird-2: The Differential Sequence Analysis
Cited by 2 (0 self)
Abstract. Hummingbird-2 is one recent design of lightweight block ciphers that enables compact hardware implementations, ultra-low power consumption and stringent response time as specified in ISO 18000-6C. In this paper, we present cryptanalytic results on the full version of this cipher using two pairs of related keys. We discover that the differential sequences for the last invocation of the round function can be computed by running the full cipher, due to which the search space for the key can be reduced. Based upon this observation, we propose a probabilistic attack encompassing two phases, a preparation phase and a key recovery phase. The preparation phase, requiring 2^80 effort in time, reaches the internal states satisfying particular conditions with 0.5 probability. In the key recovery phase, by using the proposed differential sequence analysis (DSA) against the encryption (decryption resp.), 36 bits (another 44 bits resp.) of the 128-bit key could be recovered. Additionally, the remaining 48 bits of the key can be exhaustively searched, and the overall time complexity of this phase is 2^48.14. Note that the proposed attack, though exhibiting an interesting tradeoff between success probability and time complexity, is only of theoretical interest at the moment and does not affect the practical security of Hummingbird-2.
Another Look at Normal Approximations in Cryptanalysis
2015
Cited by 2 (1 self)
Statistical analysis of attacks on symmetric ciphers often requires assuming the normal behaviour of a test statistic. Typically such an assumption is made in an asymptotic sense. In this work, we consider concrete versions of some important normal approximations that have been made in the literature. To do this, we use the Berry-Esseen theorem to derive explicit bounds on the approximation errors. Analysing these error bounds in the cryptanalytic context throws up several surprising results. One important implication is that this puts in doubt the applicability of the order-statistics-based approach for analysing key recovery attacks on block ciphers. This approach has been used earlier to obtain several results on the data complexities of (multiple) linear and differential cryptanalysis. The non-applicability of the order-statistics-based approach puts a question mark on the data complexities obtained using this approach. Fortunately, we are able to recover all of these results by utilising the hypothesis testing framework. Detailed consideration of the error in normal approximation also has implications for χ2 and the log-likelihood ratio (LLR) based test statistics. The normal approximation of the χ2 test statistics has some serious and counter-intuitive restrictions. One such restriction is that for multiple linear cryptanalysis, as the number of linear approximations grows, so does the requirement on the number of plaintext-ciphertext pairs for the approximation to be proper. The issue
Known-key distinguisher on full PRESENT
Advances in Cryptology - CRYPTO 2015, 35th Annual Cryptology Conference
Cited by 1 (0 self)
Abstract. In this article, we analyse the known-key security of the standardized PRESENT lightweight block cipher. Namely, we propose a known-key distinguisher on the full PRESENT, both 80- and 128-bit key versions. We first leverage the very latest advances in differential cryptanalysis on PRESENT, which are as strong as the best linear cryptanalysis in terms of number of attacked rounds. Differential properties are much easier to handle for a known-key distinguisher than linear properties, and we use a bias on the number of collisions on some predetermined input/output bits as distinguishing property. In order to reach the full PRESENT, we eventually introduce a new meet-in-the-middle layer to propagate the differential properties as far as possible. Our techniques have been implemented and verified on the small scale variant of PRESENT. While the known-key security model is very generous with the attacker, it makes sense in practice since PRESENT has been proposed as a basic building block to design lightweight hash functions, where no secret is manipulated. Our distinguisher can for example apply to the compression function obtained by placing PRESENT in a Davies-Meyer mode. We emphasize that this is the very first attack that can reach the full number of rounds of the PRESENT block cipher. Key words: PRESENT, known-key model, distinguisher, differential cryptanalysis, linear cryptanalysis.