On optimal size in truncated differential attacks

Nicolas T. Courtois; Theodosis Mourouzis; Anna Grocholewska-Czuryło; Jean-Jacques Quisquater

doi:10.1556/012.2015.52.2.1314

On optimal size in truncated differential attacks

Studia Scientiarum Mathematicarum Hungarica ◽

10.1556/012.2015.52.2.1314 ◽

2015 ◽

Vol 52 (2) ◽

pp. 246-254 ◽

Cited By ~ 2

Author(s):

Nicolas T. Courtois ◽

Theodosis Mourouzis ◽

Anna Grocholewska-Czuryło ◽

Jean-Jacques Quisquater

Keyword(s):

Block Cipher ◽

Ad Hoc ◽

Differential Cryptanalysis ◽

Optimal Size ◽

Potential Space ◽

Differential Attack ◽

Pass Through ◽

Differential Attacks ◽

Differential Properties ◽

Truncated Differential

Differential Cryptanalysis (DC) is one of the oldest known attacks on block ciphers. DC is based on tracking of changes in the differences between two messages as they pass through the consecutive rounds of encryption. However DC remains very poorly understood. In his textbook written in the late 1990s Schneier wrote that against differential cryptanalysis, GOST is “probably stronger than DES”. In fact Knudsen have soon proposed more powerful advanced differential attacks however the potential space of such attacks is truly immense. To this day there is no method which allows to evaluate the security of a cipher against such attacks in a systematic way. Instead, attacks are designed and improved in ad-hoc ways with heuristics [6–13,21]. The best differential attack known has time complexity of 2179 [13]. In this paper we show that for a given block cipher there exists an optimal size for advanced differential properties. This new understanding allows to considerably reduce the space to be searched for “good” truncated differential properties suitable for an attack.

Download Full-text

Provable Security Against a Differential Attack

DAIMI Report Series ◽

10.7146/dpb.v23i473.6946 ◽

1994 ◽

Vol 23 (473) ◽

Cited By ~ 1

Author(s):

Kaisa Nyberg ◽

Lars Ramkilde Knudsen

Keyword(s):

Upper Bound ◽

Provable Security ◽

Block Cipher ◽

Differential Cryptanalysis ◽

Font Size ◽

Differential Attack ◽

Round Function ◽

Differential Attacks

The purpose of this paper is to show that there exist DES-like iterated ciphers, which are provably resistant against differential attacks. The main result on the security of a DES-like cipher with independent round keys is Theorem 1, which gives an upper bound to the probability of s-round differentials, as defined in Markov Ciphers and Differential Cryptanalysis by X. Lai et al. and this upper bound depends only on the round function of the iterated cipher. Moreover, it is shown that there exist functions such that the probabilities of differentials are less than or equal to 23-n, where n is the length of the plaintext block. We also show a prototype of an iterated block cipher, which is compatible with DES and has proven security against differential attacks.

Download Full-text

Clustering Related-Tweak Characteristics: Application to MANTIS-6

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2018.i2.111-132 ◽

2018 ◽

pp. 111-132

Author(s):

Maria Eichlseder ◽

Daniel Kales

Keyword(s):

Block Cipher ◽

Differential Cryptanalysis ◽

Differential Attack ◽

Key Recovery ◽

Popular Approach ◽

Differential Characteristic ◽

Clustering Approach ◽

Tweakable Block Cipher ◽

Key Recovery Attack ◽

Truncated Differential

The TWEAKEY/STK construction is an increasingly popular approach for designing tweakable block ciphers that notably uses a linear tweakey schedule. Several recent attacks have analyzed the implications of this approach for differential cryptanalysis and other attacks that can take advantage of related tweakeys. We generalize the clustering approach of a recent differential attack on the tweakable block cipher MANTIS5 and describe a tool for efficiently finding and evaluating such clusters. More specifically, we consider the set of all differential characteristics compatible with a given truncated characteristic, tweak difference, and optional constraints for the differential. We refer to this set as a semi-truncated characteristic and estimate its probability by analyzing the distribution of compatible differences at each step. We apply this approach to find a semi-truncated differential characteristic for MANTIS6 with probability about 2−67.73 and derive a key-recovery attack with a complexity of about 255.09 chosen-plaintext queries and 255.52 computations. The data-time product is 2110.61 << 2126.

Download Full-text

Different Types of Attacks on Block Ciphers

International Journal of Recent Technology and Engineering - 2 ◽

10.35940/ijrte.c4214.099320 ◽

2020 ◽

Vol 9 (3) ◽

pp. 28-31

Keyword(s):

Block Cipher ◽

Classical Method ◽

System Of Nonlinear Equations ◽

Algebraic Attack ◽

Differential Attack ◽

Different Types ◽

Important Challenge ◽

Impossible Differential ◽

Linear Differential ◽

Truncated Differential

Cryptanalysis is a very important challenge that faces cryptographers. It has several types that should be well studied by cryptographers to be able to design cryptosystem more secure and able to resist any type of attacks. This paper introduces six types of attacks: Linear, Differential , Linear-Differential, Truncated differential Impossible differential attack and Algebraic attacks. In this paper, algebraic attack is used to formulate the substitution box(S-box) of a block cipher to system of nonlinear equations and solve this system by using a classical method called Grobner  Bases . By Solving these equations, we made algebraic attack on S-box.

Download Full-text

Partial and Higher Order Differentials and Applications to the DES

BRICS Report Series ◽

10.7146/brics.v2i9.19512 ◽

1995 ◽

Vol 2 (9) ◽

Cited By ~ 1

Author(s):

Lars Ramkilde Knudsen

Keyword(s):

Block Cipher ◽

Higher Order ◽

Differential Attack ◽

Running Time ◽

Differential Attacks ◽

Derivatives Of ◽

Discrete Functions

In 1994 Lai considered higher order derivatives of discrete functions and introduced the concept of higher order differentials. We introduce the concept of partial differentials and present attacks on ciphers presumably secure against differential attacks, but vulnerable to attacks using higher order and partial differentials. Also we examine the DES for partial and higher order differentials and give a differential attack using partial differentials on DES reduced to 6 rounds using only 46 chosen plaintexts with an expected running time of about the time of 3,500 encryptions. Finally it is shown how to find a minimum nonlinear order of a block cipher using higher order differentials.

Download Full-text

Towards Provable Security of Rijndael-Like Spn Ciphers Against Differential Attacks

Tatra Mountains Mathematical Publications ◽

10.2478/v10127-012-0046-4 ◽

2012 ◽

Vol 53 (1) ◽

pp. 189-199

Author(s):

Victor Ruzhentsev ◽

Victor Dolgov

Keyword(s):

Provable Security ◽

Differential Attack ◽

Differential Attacks ◽

Truncated Differential

ABSTRACT The strength of Rijndael-like ciphers to the truncated differential attack is considered. Theorems about the absence of effective truncated (byte) differential characteristics and effective truncated (byte) differentials for ciphers with sufficient number of rounds are proved.

Download Full-text

Security of a New Cryptographic Hash Function - Titanium

Indonesian Journal of Electrical Engineering and Computer Science ◽

10.11591/ijeecs.v10.i3.pp1244-1250 ◽

2018 ◽

Vol 10 (3) ◽

pp. 1244

Author(s):

Abdullah Nazeeh Saleh ◽

Mohammad A. Al-Ahmad

Keyword(s):

Hash Function ◽

Random Function ◽

Block Cipher ◽

Security Analysis ◽

Differential Cryptanalysis ◽

Brute Force ◽

Cryptographic Hash Function ◽

Design Choice ◽

Differential Attacks

This paper introduces the security analysis of Titanium hash function that uses SF block cipher and follows sponge construction. A brief description of the sponge function and the design choice of Titanium are introduced. Basic security criteria of random function have been presented and studied on Titanium and then, differential cryptanalysis on Titanium has been performed and showed the resistance of it on the most recent differential attacks. A table of security discussions finalizes the paper and describes the complexity of Titanium on brute force cryptanalysis.

Download Full-text

Subspace Trail Cryptanalysis and its Applications to AES

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2016.i2.192-225 ◽

2017 ◽

pp. 192-225

Author(s):

Lorenzo Grassi ◽

Christian Rechberger ◽

Sondre Rønjom

Keyword(s):

Block Cipher ◽

Data Complexity ◽

Secret Key ◽

Differential Attack ◽

Key Recovery ◽

Special Cases ◽

Impossible Differential ◽

The One ◽

Truncated Differential ◽

Key Recovery Attacks

We introduce subspace trail cryptanalysis, a generalization of invariant subspace cryptanalysis. With this more generic treatment of subspaces we do no longer rely on specific choices of round constants or subkeys, and the resulting method is as such a potentially more powerful attack vector. Interestingly, subspace trail cryptanalysis in fact includes techniques based on impossible or truncated differentials and integrals as special cases. Choosing AES-128 as the perhaps most studied cipher, we describe distinguishers up to 5-round AES with a single unknown key. We report (and practically verify) competitive key-recovery attacks with very low data-complexity on 2, 3 and 4 rounds of AES. Additionally, we consider AES with a secret S-Box and we present a (generic) technique that allows to directly recover the secret key without finding any information about the secret S-Box. This approach allows to use e.g. truncated differential, impossible differential and integral attacks to find the secret key. Moreover, this technique works also for other AES-like constructions, if some very common conditions on the S-Box and on the MixColumns matrix (or its inverse) hold. As a consequence, such attacks allow to better highlight the security impact of linear mappings inside an AES-like block cipher. Finally, we show that our impossible differential attack on 5 rounds of AES with secret S-Box can be turned into a distinguisher for AES in the same setting as the one recently proposed by Sun, Liu, Guo, Qu and Rijmen at CRYPTO 2016

Download Full-text

An Improved Truncated Differential Cryptanalysis of Klein

Tatra Mountains Mathematical Publications ◽

10.1515/tmmp-2016-0036 ◽

2016 ◽

Vol 67 (1) ◽

pp. 135-147

Author(s):

Shahram Rasoolzadeh ◽

Zahra Ahmadian ◽

Mahmoud Salmasizadeh ◽

Mohammad Reza Aref

Keyword(s):

Block Cipher ◽

Slight Modification ◽

Secret Key ◽

Differential Attack ◽

Key Recovery ◽

Recovery Method ◽

Software And Hardware ◽

State Size ◽

Truncated Differential ◽

Better Than

Abstract KLEIN is a family of lightweight block ciphers which was proposed at RFIDSec 2011 by Gong et. al. It has three versions with 64, 80 or 96-bit key size, all with a 64-bit state size. It uses 16 identical 4-bit S-boxes combined with two AES’s MixColumn transformations for each round. This approach allows compact implementations of KLEIN in both low-end software and hardware. Such an unconventional combination attracts the attention of cryptanalysts, and several security analyses have been published. The most successful one was presented at FSE 2014 which was a truncated differential attack. They could attack up to 12, 13 and 14 rounds out of total number of 12, 16 and 20 rounds for KLEIN-64, -80 and -96, respectively. In this paper, we present improved attacks on three versions of KLEIN block cipher, which recover the full secret key with better time and data complexities for the previously analyzed number of rounds. The improvements also enable us to attack up to 14 and 15 rounds for KLEIN-80 and -96, respectively, which are the highest rounds ever analyzed. Our improvements are twofold: the first, finding two new truncated differential paths with probabilities better than that of the previous ones, and the second, a slight modification in the key recovery method which makes it faster.

Download Full-text

New Truncated Differential Cryptanalysis on 3D Block Cipher

Information Security Practice and Experience - Lecture Notes in Computer Science ◽

10.1007/978-3-642-29101-2_8 ◽

2012 ◽

pp. 109-125 ◽

Cited By ~ 1

Author(s):

Takuma Koyama ◽

Lei Wang ◽

Yu Sasaki ◽

Kazuo Sakiyama ◽

Kazuo Ohta

Keyword(s):

Block Cipher ◽

Differential Cryptanalysis ◽

Truncated Differential

Download Full-text

Accurate Estimate of the Advantage of Impossible Differential Attacks

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2017.i3.169-191 ◽

2017 ◽

pp. 169-191 ◽

Cited By ~ 1

Author(s):

Céline Blondeau

Keyword(s):

Time Complexity ◽

Block Cipher ◽

Poisson Approximation ◽

Accurate Estimate ◽

Random Permutations ◽

Differential Attack ◽

Impossible Differential ◽

Impossible Differential Attack ◽

Differential Attacks ◽

Multivariate Hypergeometric Distribution

Impossible differential attacks, which are taking advantage of differentials that cannot occur, are powerful attacks for block cipher primitives. The power of such attacks is often measured in terms of the advantage — number of key-bits found during the key sieving phase — which determines the time complexity of the exhaustive key search phase. The statistical model used to compute this advantage has been introduced in the seminal work about the resistance of the DEAL cipher to impossible differential attacks. This model, which has not been modified since the end of the 1990s, is implicitly based on the Poisson approximation of the binomial distribution. In this paper, we investigate this commonly used model and experimentally illustrate that random permutations do not follow it. Based on this observation, we propose more accurate estimates of the advantage of an impossible differential attack. The experiments illustrate the accuracy of the estimate derived from the multivariate hypergeometric distribution. The maximal advantage –using the full codebook– of an impossible differential attack is also derived.

Download Full-text