用不可能差分法分析12轮ESF算法

轻量级分组密码算法ESF是一种具有广义Feistel结构的32轮迭代型分组密码,轮函数具有SPN结构,分组长度为64比特,密钥长度为80比特。为了研究ESF算法抵抗不可能差分攻击的能力,基于一条8轮不可能差分路径,根据轮密钥之间的关系,通过向前增加2轮、向后增加2轮的方式,对12轮ESF算法进行了攻击。计算结果表明,攻击12轮ESF算法所需的数据复杂度为O(2⁵³),时间复杂度为O(260.43),由此说明12轮的ESF算法对不可能差分密码分析是不免疫的。     

SMS4算法的不可能差分攻击研究

为研究分组加密算法SMS4抵抗不可能差分攻击的能力,使用了14轮不可能差分路径,给出了相关攻击结果。基于1条14轮不可能差分路径,对16轮和18轮的SMS4算法进行了攻击,改进了关于17轮的SMS4的不可能差分攻击的结果,将数据复杂度降低到O(269.47)。计算结果表明:攻击16轮SMS4算法所需的数据复杂度为O(2¹⁰³),时间复杂度为O(2⁹²);攻击18轮的SMS4算法所需的数据复杂度为O(2¹⁰⁴),时间复杂度为O(2123.84)。     

Midori-64算法的截断不可能差分分析

分析了Midori-64算法在截断不可能差分攻击下的安全性.首先,通过分析Midori算法加、解密过程差分路径规律,证明了Midori算法在单密钥条件下的截断不可能差分区分器至多6轮,并对6轮截断不可能差分区分器进行了分类;其次,根据分类结果,构造了一个6轮区分器,并给出11轮Midori-64算法的不可能差分分析,恢复了128比特主密钥,其时间复杂度为2^121.4,数据复杂度为2^60.8,存储复杂度为2^96.5.     

Piccolo算法的相关密钥-不可能差分攻击

现有的对于Piccolo算法的安全性分析结果中,除Biclique分析外,以低于穷举搜索的复杂度最长仅攻击至14轮Piccolo-80和18轮Piccolo-128算法.通过分析Piccolo算法密钥扩展的信息泄漏规律,结合算法等效结构,利用相关密钥-不可能差分分析方法,基于分割攻击思想,分别给出了15轮Piccolo-80和21轮Piccolo-128含前向白化密钥的攻击结果.当选择相关密钥量为2⁸时,攻击所需的数据复杂度分别为2^58.6和2^62.3,存储复杂度分别为2^60.6和2^64.3,计算复杂度分别为2⁷⁸和2^82.5;在选择相关密钥量为2⁴时,攻击所需的数据复杂度均为2^62.6和2^62.3,存储复杂度分别为2^64.6和2^64.3,计算复杂度分别为2^77.93和2^124.45.分析结果表明,仅含前向白化密钥的15轮Piccolo-80算法和21轮Piccolo-128算法在相关密钥-不可能差分攻击下是不安全的.     

ESF算法的相关密钥不可能差分分析

ESF算法是一种具有广义Feistel结构的32轮迭代型轻量级分组密码。为研究ESF算法抵抗不可能差分攻击的能力,首次对ESF算法进行相关密钥不可能差分分析,结合密钥扩展算法的特点和轮函数本身的结构,构造了两条10轮相关密钥不可能差分路径。将一条10轮的相关密钥不可能差分路径向前向后分别扩展1轮和2轮,分析了13轮ESF算法,数据复杂度是260次选择明文对,计算量是223次13轮加密,可恢复18 bit密钥。将另一条10轮的相关密钥不可能差分路径向前向后都扩展2轮,分析了14轮ESF算法,数据复杂度是262选择明文对,计算复杂度是243.95次14轮加密,可恢复37 bit密钥。     

轻量级分组密码MIBS-80算法的Biclique分析

提出了针对轻量级分组密码算法 MIBS-80 的 Biclique 分析.利用两条独立的相关密钥差分路径,构造了4轮维度为4 的 Biclique 结构,在此基础上对密钥空间进行了划分,结合预计算技术,对每一个密钥子空间进行筛选以降低中间相遇攻击所需的计算复杂度,实施了对12 轮 MIBS-80 的密钥恢复攻击.攻击的数据复杂度为2⁵²个选择明文,计算复杂度约为2^77.13次12 轮 MIBS-80 加密,存储复杂度约为2^8.17,成功实施攻击的概率为1.与已有攻击方法相比,在存储复杂度及成功率方面具有优势.     

对简化轮数的SNAKE(2)算法的碰撞攻击

为了研究简化轮数的SNAKE(2)算法抵抗碰撞攻击的能力,根据算法的一个等价结构,给出了SNAKE(2)算法的一个6轮区分器。通过在此区分器前后加适当的轮数,对7/8/9轮的SNAKE(2)算法实施了攻击。其攻击的数据复杂度依次为O(2⁶)、O(26.52)、O(2¹⁵),时间复杂度依次为O(29.05)、O(218.32)、O(226.42),攻击结果优于对SNAKE(2)算法的Square攻击。     

Camellia-128的截断差分攻击改进

基于2001年ASIACRYPT（亚密会）会议上Sugita等人提出的9轮截断差分区分器, 提出了Camellia算法的10轮截断差分区分器。进一步地利用这个区分器和密钥恢复中的提前抛弃技术, 给出了12轮Camellia-128的攻击, 恢复出所有密钥的数据复杂度和时间复杂度分别为2⁹⁷和2¹²⁴。这个结果是目前针对Camellia算法的截断差分攻击中最好的。     

缩减轮数Crypton算法中间相遇攻击的改进

Crypton密码算法是韩国学者提出的一种AES候选算法。通过研究Crypton算法的结构特征和一类截断差分路径的性质,利用差分枚举技术权衡存储复杂度和数据复杂度,提出了4轮和4.5轮中间相遇区分器。新的区分器减少了预计算表中的多重集数量,降低了存储复杂度。基于4轮区分器首次给出对7轮Crypton-128的中间相遇攻击,时间复杂度为2¹¹³,数据复杂度为2¹¹³,存储复杂度为290.72。基于4.5轮区分器首次给出对8轮Crypton-192的中间相遇攻击,时间复杂度为2¹⁷²,数据复杂度为2¹¹³,存储复杂度为2¹³⁸。     

5轮Salsa20的代数-截断差分攻击

Salsa20 流密码算法是Estream 最终胜出的7 个算法之一.结合非线性方程的求解及Salsa20 的两个3 轮高概率差分传递链,对5 轮Salsa20 算法进行了代数-截断差分攻击.计算复杂度不大于O(2¹⁰⁵),数据复杂度为O(2¹¹),存储复杂度为O(2¹¹),成功率为97.72%.到目前为止,该攻击结果是对5 轮Salsa20 算法攻击最好的结果.     

A new impossible differential attack on SAFER ciphers

This paper presents an improved impossible differential cryptanalysis of SAFER ciphers, which uses the miss-in-the-middle technique developed by Biham et al. We analyze 3.75-round SAFER SK-64,¹ using 2⁴⁵ chosen plaintexts, 2³⁸ bytes memory and 2⁴² half round computations. Furthermore, the new impossible differential attack on 3.75-round SAFER+/128 uses 2⁷⁸ chosen plaintexts, 2⁷⁵ half round computations and 2⁶⁸ bytes memory. And attack on 3.75-round SAFER++/128 uses 2⁷⁸ data, 2⁶⁶ time, and 2⁶² memory.     

An improved impossible differential cryptanalysis of Zodiac

In this paper, we introduce a new impossible differential cryptanalysis of Zodiac that is considerably more effective than the one in the previous work (Hong et al., 2002). Using two new 13-round impossible differential characteristics and the early abort technique, this 3R-Attack breaks 128-bit key full-round Zodiac with complexity less than 2^71.3 encryptions, which is practical. This result is approximately 2⁴⁸ times better than what mentioned in the earlier work. Our result reveals depth of Zodiac’s weakness against impossible differential cryptanalysis due to its poor diffusion layer. We also obtain a tighter upper bound for time complexity.     

New impossible differential attacks on reduced-round Crypton

Crypton is a 128-bit block cipher which was submitted to the Advanced Encryption Standard competition. In this paper, we present two new impossible differential attacks to reduced-round Crypton. Using two new observations on the diffusion layer of Crypton, exploiting a 4-round impossible differential, and appropriately choosing three additional rounds, we mount the first impossible differential attack on 7-round Crypton. The proposed attacks require 2¹²¹ chosen plaintexts each. The first attack requires 2^125.2 encryptions. We then utilize more pre-computation and memory to reduce the time complexity to 2^116.2 encryptions in the second attack.     

Robin算法改进的6轮不可能差分攻击

Robin算法是Grosso等人在2014年提出的一个分组密码算法。研究该算法抵抗不可能差分攻击的能力。利用中间相错技术构造一条新的4轮不可能差分区分器,该区分器在密钥恢复阶段涉及到的轮密钥之间存在线性关系,在构造的区分器首尾各加一轮,对6轮Robin算法进行不可能差分攻击。攻击的数据复杂度为2118.8个选择明文,时间复杂度为293.97次6轮算法加密。与已有最好结果相比,在攻击轮数相同的情况下,通过挖掘轮密钥的信息,减少轮密钥的猜测量,进而降低攻击所需的时间复杂度,该攻击的时间复杂度约为原来的2?8。     

A related key impossible differential attack against 22 rounds of the lightweight block cipher LBlock

LBlock is a new lightweight block cipher proposed by Wu and Zhang (2011) [12] at ACNS 2011. It is based on a modified 32-round Feistel structure. It uses keys of length 80 bits and message blocks of length 64 bits.In this letter, we examine the security arguments given in the original article and we show that we can improve the impossible differential attack given in the original article on 20 rounds by constructing a 22-round related key impossible differential attack that relies on intrinsic weaknesses of the key schedule. This attack has a complexity of 2⁷⁰ cipher operations using 2⁴⁷ plaintexts. This result was already published in Minier and Naya-Plasencia (2011) [9].     

Cryptanalysis of full PRIDE block cipher

PRIDE is a lightweight block cipher proposed at CRYPTO 2014 by Albrecht et al., who claimed that the construction of linear layers is efficient and secure. In this paper, we investigate the key schedule and find eight 2-round iterative related-key differential characteristics, which can be used to construct 18-round related-key differentials. A study of the first subkey derivation function reveals that there exist three weak-key classes, as a result of which all the differences of subkeys for each round are identical. For the weak-key classes, we also find eight 2-round iterative related-key differential characteristics. Based on one of the related-key differentials, we launch an attack on the full PRIDE block cipher. The data and time complexity are 2³⁹ chosen plaintexts and 2⁹² encryptions, respectively. Moreover, by using multiple related-key differentials, we improve the cryptanalysis, which then requires 2^41.6 chosen plaintexts and 2^42.7 encryptions, respectively. Finally, we use two 17-round related-key differentials to analyze full PRIDE, which requires 2³⁵ plaintexts and 2^54.7 encryptions. These are the first results on full PRIDE, and show that the PRIDE block cipher is not secure against related-key differential attack.