RISS Academic Research Information Service

      • KCI-indexed

        Research on the Security Level of μ2 against Impossible Differential cryptanalysis

        Kai Zhang, Xuejia Lai, Jie Guan, Bin Hu, Korean Society for Internet Information, 2022, KSII Transactions on Internet and Information Syst Vol.16 No.3

        In the year 2020, a new lightweight block cipher μ2 is proposed. It has both good software and hardware performance, and it is especially suitable for constrained resource environment. However, the security evaluation on μ2 against impossible differential cryptanalysis seems missing from the specification. To fill this gap, an impossible differential cryptanalysis on μ2 is proposed. In this paper, firstly, some cryptographic properties on μ2 are proposed. Then several longest 7-round impossible differential distinguishers are constructed. Finally, an impossible differential cryptanalysis on μ2 reduced to 10 rounds is proposed based on the constructed distinguishers. The time complexity for the attack is about 2^{69.63} 10-round μ2 encryptions, the data complexity is O(2^{48}), and the memory complexity is 2^{63.57} Bytes. The reported result indicates that μ2 reduced to 10 rounds can’t resist against impossible differential cryptanalysis.

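      • KCI-indexed

        Analysis of Gohr's Speck32/64 Neural Distinguisher and Its Application to Simon32/64

        Seong, Hyoeun; Yoo, Hyeondo; Yeom, Yongjin; Kang, Ju-Sung, Korea Institute of Information Security and Cryptology, 2022, Journal of the Korea Institute of Information Security and Cryptology Vol.32 No.2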

        Aron Gohr proposed a cryptanalysis method based on deep learning technology for the lightweight block cipher Speck. This is a method that enables a chosen plaintext attack with higher accuracy than the classical differential cryptanalysis. In this paper, by using the probability distribution, we analyze the mechanism of such deep learning based cryptanalysis and propose the results applied to the lightweight block cipher Simon. In addition, we examine that the probability distributions of the predicted values of the neural networks within the cryptanalysis working processes are different depending upon the characteristics of round functions of Speck and Simon, and suggest a direction to improve the efficiency of the neural distinguisher which is the core technology of Aron Gohr's cryptanalysis.

      • Design and Analysis of the 128-bit Block Cipher Circle-g

        Im Ung-taek (임웅택), Bucheon College, 2002, Collected Papers (論文集) Vol.23 No.-

        In this paper, we designed a 128-bit block cipher, Circle-g, which has 18-round Feistel structure and analyzed its secureness by the differential cryptanalysis and linear cryptanalysis. We could have full diffusion effect from the two rounds of the Circle-g. Because of the strong diffusion effect of the F-function of the algorithm, we could get a 9-round DC characteristic with probability 2^{-136} and a 9-round LC characteristic with probability 2^{-168}. For the Circle-g with 128-bit key, there is no shortcut attack, which is more efficient than the exhaustive key search, for more than 9 rounds of the algorithm.

      • Design and Analysis of Circle-g Using a Modified Feistel Structure

        Im Ung-taek (임웅택), Jeon Mun-seok (전문석), Korea Computer Industry Society, 2004, Journal of the Korea Computer Industry Education Society (컴퓨터産業敎育學會論文誌) Vol.5 No.3

        In this paper, we designed a 128-bits block cipher, Circle-g, which has 18-rounds modified Feistel structure and analyzed its secureness by the differential cryptanalysis and linear cryptanalysis. We could have full diffusion effect from the two rounds of the Circle-g. Because of the strong diffusion effect of the F-function of the algorithm, we could get a 9-rounds DC characteristic with probability 2^{-144} and a 12-rounds LC characteristic with probability 2^{-144}. For the Circle-g with 128-bit key, there is no shortcut attack, which is more efficient than the exhaustive key search, for more than 12 rounds of the algorithm.

      • KCI-indexed

        Zero-Correlation Linear Cryptanalysis of Reduced Round ARIA with Partial-sum and FFT

        Wen-tan Yi, Shao-zhen Chen, Kuan-yang Wei, Korean Society for Internet Information, 2015, KSII Transactions on Internet and Information Syst Vol.9 No.1

        Block cipher ARIA was first proposed by some South Korean experts in 2003, and later, it was established as a Korean Standard block cipher algorithm by Korean Agency for Technology and Standards. In this paper, we focus on the security evaluation of ARIA block cipher against the recent zero-correlation linear cryptanalysis. In addition, Partial-sum technique and FFT (Fast Fourier Transform) technique are used to speed up the cryptanalysis, respectively. We first introduce some 4-round linear approximations of ARIA with zero-correlation, and then present some key-recovery attacks on 6/7-round ARIA-128/256 with the Partial-sum technique and FFT technique. The key-recovery attack with Partial-sum technique on 6-round ARIA-128 needs 2^{123.6} known plaintexts (KPs), 2^{121} encryptions and 2^{90.3} bytes memory, and the attack with FFT technique requires 2^{124.1} KPs, 2^{121.5} encryptions and 2^{90.3} bytes memory. Moreover, applying Partial-sum technique, we can attack 7-round ARIA-256 with 2^{124.6} KPs, 2^{203.5} encryptions and 2^{152} bytes memory and 7-round ARIA-256 employing FFT technique, requires 2^{124.7} KPs, 2^{209.5} encryptions and 2^{152} bytes memory. Our results are the first zero-correlation linear cryptanalysis results on ARIA.

      • KCI-indexed

        Provable Security of Feistel-Variant Structures against Statistical Cryptanalysis

        Jongsung Kim, Jong Hyuk Park, Korean Institute of Information Technology, 2009, Journal of Korean Institute of Information Technology Vol.7 No.1

        Main statistical cryptanalysis of block ciphers is differential and linear attacks. Thus in order to design secure block ciphers they should be resistant to these attacks. In this paper, we extend the range of block cipher structures to have provable security against differential cryptanalysis and linear cryptanalysis. Precisely, we present a new Feistel-variant structure and we prove that differential (linear) probabilities for a 3-round block cipher structure are upper bounded by p^{2} (q^{2}) if the maximum differential (linear) probability of the round function is p (q) and the round function is a bijective function. Our result can be effectively used when one tries to design block ciphers with provable security against differential cryptanalysis and linear cryptanalysis.

      • KCI-indexed

        Multidimensional Differential-Linear Cryptanalysis of ARIA Block Cipher

        Wen-Tan Yi, Jiongjiong Ren, Shao-Zhen Chen, Electronics and Telecommunications Research Institute (ETRI), 2017, ETRI Journal Vol.39 No.1

        ARIA is a 128-bit block cipher that has been selected as a Korean encryption standard. Similar to AES, it is robust against differential cryptanalysis and linear cryptanalysis. In this study, we analyze the security of ARIA against differential-linear cryptanalysis. We present five rounds of differential-linear distinguishers for ARIA, which can distinguish five rounds of ARIA from random permutations using only 2^{84.8} chosen plaintexts. Moreover, we develop differential-linear attacks based on six rounds of ARIA-128 and seven rounds of ARIA-256. This is the first multidimensional differential-linear cryptanalysis of ARIA and it has lower data complexity than all previous results. This is a preliminary study and further research may obtain better results in the future.

      • Seven New Block Cipher Structures with Provable Security against Differential Cryptanalysis

        KIM, Jongsung,LEE, Changhoon,SUNG, Jaechul,HONG, Seokhie,LEE, Sangjin,LIM, Jongin The Institute of Electronics, Information and Comm 2008 IEICE transactions on fundamentals of electronics, Vol.91 No.10

        The design and analysis of block ciphers is an established field of study which has seen significant progress since the early 1990s. Nevertheless, what remains on an interesting direction to explore in this area is to design block ciphers with provable security against powerful known attacks such as differential and linear cryptanalysis. In this paper we introduce seven new block cipher structures, named Feistel-variant A, B, CLEFIA and MISTY-FO-variant A, B, C, D structures, and show that these structures are provably resistant against differential cryptanalysis. The main results of this paper are that the average differential probabilities over at least 2 rounds of Feistel-variant A structure and 1 round of Feistel-variant B structure are both upperbounded by p^{2}, while the average differential probabilities over at least 5 rounds of CLEFIA, MISTY-FO-variant A, B, C and D structures are upperbounded by p^{4}+2p^{5}, p^{4}, p^{4}, 2p^{4} and 2p^{4}, respectively, if the maximum differential probability of a round F function is p. We also give provable security for the Feistel-variant A, B and CLEFIA structures against linear cryptanalysis. Our results are attained under the assumption that all of components in our proposed structures are bijective. We expect that our results are useful to design block ciphers with provable security against differential and linear cryptanalysis.

      • KCI-indexed

        Deep Learning Assisted Differential Cryptanalysis for the Lightweight Cipher SIMON

        Wenqiang Tian, Bin Hu, Korean Society for Internet Information, 2021, KSII Transactions on Internet and Information Syst Vol.15 No.2

        SIMON and SPECK are two families of lightweight block ciphers that have excellent performance on hardware and software platforms. At CRYPTO 2019, Gohr first introduces the differential cryptanalysis based deep learning on round-reduced SPECK32/64, and finally reduces the remaining security of 11-round SPECK32/64 to roughly 38 bits. In this paper, we are committed to evaluating the safety of SIMON cipher under the neural differential cryptanalysis. We firstly prove theoretically that SIMON is a non-Markov cipher, which means that the results based on conventional differential cryptanalysis may be inaccurate. Then we train a residual neural network to get the 7-, 8-, 9-round neural distinguishers for SIMON32/64. To prove the effectiveness for our distinguishers, we perform the distinguishing attack and key-recovery attack against 15-round SIMON32/64. The results show that the real ciphertexts can be distinguished from random ciphertexts with a probability close to 1 only by 2^{8.7} chosen-plaintext pairs. For the key-recovery attack, the correct key was recovered with a success rate of 23%, and the data complexity and computation complexity are as low as 2^{8} and 2^{20.1} respectively. All the results are better than the existing literature. Furthermore, we briefly discussed the effect of different residual network structures on the training results of neural distinguishers. It is hoped that our findings will provide some reference for future research.

      • KCI-indexed

        An Efficient Dynamic Network Security Method Based on Symmetric Block Cipher Algorithms

        Song Byeong-ho (송병호), Yang Seong-gi (양성기), Bae Sang-hyeon (배상현), Korea Society of Computer and Information, 2008, Journal of the Korea Society of Computer and Information (韓國컴퓨터情報學會論文誌) Vol.13 No.4

        The existing block encryption algorithms have been designed for the encryption key value to be unchanged and applied to the round functions of each block, and enciphered. Therefore, it has such a weak point that the plaintext or encryption key could be easily exposed by differential cryptanalysis or linear cryptanalysis, both are the most powerful methods for decoding block encryption of a round repeating structure. Dynamic cipher has the property that the key-size, the number of round, and the plaintext-size are scalable simultaneously. Dynamic network is the unique network satisfying these characteristics among the networks for symmetric block ciphers. We analyze the strength of Dynamic network for meet-in-the-middle attack, linear cryptanalysis, and differential cryptanalysis. Also, in this paper we propose a new network called Dynamic network for symmetric block ciphers.
