scholarly journals Quantum Algorithm to Construct Linear Approximation of an S-Box

2019 ◽  
Vol 8 (4) ◽  
pp. 9096-9099
Keyword(s):  
Linear Approximation ◽  
Time Complexity ◽  
Block Cipher ◽  
Quantum Algorithm ◽  
Correctness Proof ◽  
Linear Approximations ◽  
Input Size ◽  
Non Linear ◽  
Classical Computing ◽  
Symmetric Block

Linear cryptanalysis, a Known-Plaintext Attack, for symmetric block cipher works by constructing linear approximations of the non-linear components of the cipher. The only component which introduces non-linearity in the symmetric block cipher is an S-box. Using classical computing algorithms, the best known solution to find a linear approximation of a non-linear function, in this case an S-box, requires 𝑶(𝟐 𝒏 ) queries to the S-box and 𝑶(𝟐 𝟐𝒏+𝒎) time-complexity, where 𝒏 is the input size of the S-box and 𝒎 is the output size. In this paper, a quantum algorithm is presented which can produce best linear approximations of a non-linear S-box using only 𝑶(𝟐 𝒎) queries to S-box with 𝑶(𝒏𝟐 𝒎) time-complexity. The proposed algorithm shows a significant improvement over the classical algorithm. Correctness proof of the proposed quantum algorithm is presented along with an example.

scholarly journals Resistance of SNOW-V against Fast Correlation Attacks

2021 ◽  
pp. 378-410
Author(s):  
Xinxin Gong ◽  
Bin Zhang
Keyword(s):  
Linear Approximation ◽  
Mobile Communication ◽  
Time Complexity ◽  
Stream Ciphers ◽  
Design Document ◽  
Linear Approximations ◽  
Correlation Attack ◽  
Correlation Attacks ◽  
Memory Complexity ◽  
Fast Correlation Attacks

SNOW-V is a new member in the SNOW family of stream ciphers, hoping to be competitive in the 5G mobile communication system. In this paper, we study the resistance of SNOW-V against bitwise fast correlation attacks by constructing bitwise linear approximations. First, we propose and summarize some efficient algorithms using the slice-like techniques to compute the bitwise linear approximations of certain types of composition functions composed of basic operations like ⊞, ⊕, Permutation, and S-box, which have been widely used in word-oriented stream ciphers such as SNOW-like ciphers. Then, using these algorithms, we find a number of stronger linear approximations for the FSM of the two variants of SNOW-V given in the design document, i.e., SNOW-V σ0 and SNOW-V⊞8, ⊞8. For SNOW-V σ0, where there is no byte-wise permutation, we find some bitwise linear approximations of the FSM with the SEI (Squared Euclidean Imbalance) around 2−37.34 and mount a bitwise fast correlation attack with the time complexity 2251.93 and memory complexity 2244, given 2103.83 keystream outputs, which improves greatly the results in the design document. For SNOW-V⊞8, ⊞8, where both of the two 32-bit adders in the FSM are replaced by 8-bit adders, we find our best bitwise linear approximations of the FSM with the SEI 2−174.14, while the best byte-wise linear approximation in the design document of SNOW-V has the SEI 2−214.80. Finally, we study the security of a closer variant of SNOW-V, denoted by SNOW-V⊞32, ⊞8, where only the 32-bit adder used for updating the first register is replaced by the 8-bit adder, while everything else remains identical. For SNOW-V⊞32, ⊞8, we derive many mask tuples yielding the bitwise linear approximations of the FSM with the SEI larger than 2−184. Using these linear approximations, we mount a fast correlation attack with the time complexity 2377.01 and a memory complexity 2363, given 2253.73 keystream outputs. Note that neither of our attack threatens the security of SNOW-V. We hope our research could further help in understanding bitwise linear approximation attacks and also the structure of SNOW-like stream ciphers.

scholarly journals New Linear Cryptanalysis of Chinese Commercial Block Cipher Standard SM4

2017 ◽  
Vol 2017 ◽  
pp. 1-10
Author(s):  
Yu Liu ◽  
Huicong Liang ◽  
Wei Wang ◽  
Meiqin Wang
Keyword(s):  
Wireless Communication ◽  
Linear Approximation ◽  
Block Cipher ◽  
Linear Cryptanalysis ◽  
Key Recovery ◽  
Linear Approximations ◽  
Partial Linear ◽  
Key Recovery Attack ◽  
Better Than

SM4 is a Chinese commercial block cipher standard used for wireless communication in China. In this paper, we use the partial linear approximation table of S-box to search for three rounds of iterative linear approximations of SM4, based on which the linear approximation for 20-round SM4 has been constructed. However, the best previous identified linear approximation only covers 19 rounds. At the same time, a linear approximation for 19-round SM4 is obtained, which is better than the known results. Furthermore, we show the key recovery attack on 24-round SM4 which is the best attack according to the number of rounds.

Quantum splines for non-linear approximations

2020 ◽  
Author(s):  
Antonio Macaluso ◽  
Luca Clissa ◽  
Stefano Lodi ◽  
Claudio Sartori
Keyword(s):  
Linear Approximations ◽  
Non Linear

scholarly journals On Quantum Algorithm for Binary Search and Its Computational Complexity

2015 ◽  
Vol 22 (03) ◽  
pp. 1550019 ◽  
Author(s):  
S. Iriyama ◽  
M. Ohya ◽  
I.V. Volovich
Keyword(s):  
Computational Complexity ◽  
Time Complexity ◽  
Quantum Algorithm ◽  
Binary Search ◽  
Search Problem

A new quantum algorithm for the search problem and its computational complexity are discussed. Its essential part is the use of the so-called chaos amplifier, [8, 9, 10, 13]. It is shown that for the search problem containing [Formula: see text] objects time complexity of the method is polynomial in [Formula: see text].

scholarly journals Multidimensional linear cryptanalysis with key difference invariant bias for block ciphers

Cybersecurity ◽  
2021 ◽  
Vol 4 (1) ◽  
Author(s):  
Wenqin Cao ◽  
Wentao Zhang
Keyword(s):  
Time Complexity ◽  
Block Ciphers ◽  
Linear Cryptanalysis ◽  
Compression Technique ◽  
Key Recovery ◽  
Linear Approximations ◽  
Theoretical Advantage ◽  
Multidimensional Linear ◽  
Multidimensional Linear Cryptanalysis ◽  
Key Recovery Attacks

AbstractFor block ciphers, Bogdanov et al. found that there are some linear approximations satisfying that their biases are deterministically invariant under key difference. This property is called key difference invariant bias. Based on this property, Bogdanov et al. proposed a related-key statistical distinguisher and turned it into key-recovery attacks on LBlock and TWINE-128. In this paper, we propose a new related-key model by combining multidimensional linear cryptanalysis with key difference invariant bias. The main theoretical advantage is that our new model does not depend on statistical independence of linear approximations. We demonstrate our cryptanalysis technique by performing key recovery attacks on LBlock and TWINE-128. By using the relations of the involved round keys to reduce the number of guessed subkey bits. Moreover, the partial-compression technique is used to reduce the time complexity. We can recover the master key of LBlock up to 25 rounds with about 260.4 distinct known plaintexts, 278.85 time complexity and 261 bytes of memory requirements. Our attack can recover the master key of TWINE-128 up to 28 rounds with about 261.5 distinct known plaintexts, 2126.15 time complexity and 261 bytes of memory requirements. The results are the currently best ones on cryptanalysis of LBlock and TWINE-128.

scholarly journals On the optimality of non-linear computations for symmetric key primitives

2018 ◽  
Vol 12 (4) ◽  
pp. 241-259
Author(s):  
Avik Chakraborti ◽  
Nilanjan Datta ◽  
Mridul Nandi
Keyword(s):  
Block Cipher ◽  
Linear Mapping ◽  
Authenticated Encryption ◽  
Non Linear ◽  
Minimum Number ◽  
Symmetric Key ◽  
Linear Block

Abstract A block is an n-bit string, and a (possibly keyed) block-function is a non-linear mapping that maps one block to another, e.g., a block-cipher. In this paper, we consider various symmetric key primitives with {\ell} block inputs and raise the following question: what is the minimum number of block-function invocations required for a mode to be secure? We begin with encryption modes that generate {\ell^{\prime}} block outputs and show that at least {(\ell+\ell^{\prime}-1)} block-function invocations are necessary to achieve the PRF security. In presence of a nonce, the requirement of block-functions reduces to {\ell^{\prime}} blocks only. If {\ell=\ell^{\prime}} , in order to achieve SPRP security, the mode requires at least {2\ell} many block-function invocations. We next consider length preserving r-block (called chunk) online encryption modes and show that, to achieve online PRP security, each chunk should have at least {2r-1} many and overall at least {2r\ell-1} many block-functions for {\ell} many chunks. Moreover, we show that it can achieve online SPRP security if each chunk contains at least {2r} non-linear block-functions. We next analyze affine MAC modes and show that an integrity-secure affine MAC mode requires at least {\ell} many block-function invocations to process an {\ell} block message. Finally, we consider affine mode authenticated encryption and show that in order to achieve INT-RUP security or integrity security under a nonce-misuse scenario, either (i) the number of non-linear block-functions required to generate the ciphertext is more than {\ell} or (ii) the number of extra non-linear block-functions required to generate the tag depends on {\ell} .

Sign in / Sign up

Export Citation Format

Share Document