Improved Security Evaluation of SPN Block Ciphers and its Applications in the Single-key Attack on SKINNY

In this paper, a new method for evaluating the integral property, truncated and impossible differentials for substitution-permutation network (SPN) block ciphers is proposed. The main assumption is an explicit description/expression of the internal state words in terms of the plaintext (ciphertext) words. By counting the number of times these words occur in the internal state expression, we can evaluate the resistance of a given block cipher to integral and impossible/truncated differential attacks more accurately than previous methods. More precisely, we explore the cryptographic consequences of uneven frequency of occurrences of plaintext (ciphertext) words appearing in the algebraic expression of the internal state words. This approach gives a new family of distinguishers employing different concepts such as the integral property, impossible/truncated differentials and the so-called zero-sum property. We then provide algorithms to determine the maximum number of rounds of such new types of distinguishers for SPN block ciphers. The potential and efficiency of this relatively simple method is confirmed through applications. For instance, in the case of SKINNY block cipher, several 10-round integral distinguishers, all of the 11-round impossible differentials, and a 7-round truncated differential could be determined. For the last case, using a single pair of plaintexts differing in three words so that (a = b = c) ≠ (a’ = b’ = c’), we are able to distinguish 7-round SKINNY from random permutations. More importantly, exploiting our distinguishers, we give the first practical attack on 11-round SKINNY-128-128 in the single-key setting (a theoretical attack reaches 16 rounds). Finally, using the same ideas, we provide a concise explanation on the existing distinguishers for round-reduced AES.

Download Full-text

Human-readable Proof of the Related-Key Security of AES-128

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2017.i2.59-83 ◽

2017 ◽

pp. 59-83 ◽

Cited By ~ 1

Author(s):

Khoongming Khoo ◽

Eugene Lee ◽

Thomas Peyrin ◽

Siang Meng Sim

Keyword(s):

Block Cipher ◽

Internal State ◽

Meaningful Information ◽

Key Schedule ◽

Simple Permutation ◽

Computer Based ◽

First Time ◽

Truncated Differential

The related-key model is now considered an important scenario for block cipher security and many schemes were broken in this model, even AES-192 and AES-256. Recently were introduced efficient computer-based search tools that can produce the best possible related-key truncated differential paths for AES. However, one has to trust the implementation of these tools and they do not provide any meaningful information on how to design a good key schedule, which remains a challenge for the community as of today. We provide in this article the first human-readable proof on the minimal number of active Sboxes in the related-key model for AES-128, without any help from a computer. More precisely, we show that any related-key differential path for AES-128 will respectively contain at least 0, 1, 3 and 9 active Sboxes for 1, 2, 3 and 4 rounds. Our proof is tight, not trivial, and actually exhibits for the first time the interplay between the key state and the internal state of an AES-like block cipher with an AES-like key schedule. As application example, we leverage our proofs to propose a new key schedule, that is not only faster (a simple permutation on the byte positions) but also ensures a higher number of active Sboxes than AES-128’s key schedule. We believe this is an important step towards a good understanding of efficient and secure key schedule designs.

Download Full-text

Improvements for Finding Impossible Differentials of Block Cipher Structures

Security and Communication Networks ◽

10.1155/2017/5980251 ◽

2017 ◽

Vol 2017 ◽

pp. 1-9 ◽

Cited By ~ 1

Author(s):

Yiyuan Luo ◽

Xuejia Lai

Keyword(s):

Block Cipher ◽

Search Time ◽

Block Ciphers ◽

Wu’S Method ◽

Wu's Method ◽

Impossible Differentials ◽

Improved Algorithm

We improve Wu and Wang’s method for finding impossible differentials of block cipher structures. This improvement is more general than Wu and Wang’s method where it can find more impossible differentials with less time. We apply it on Gen-CAST256, Misty, Gen-Skipjack, Four-Cell, Gen-MARS, SMS4, MIBS, Camellia⁎, LBlock, E2, and SNAKE block ciphers. All impossible differentials discovered by the algorithm are the same as Wu’s method. Besides, for the 8-round MIBS block cipher, we find 4 new impossible differentials, which are not listed in Wu and Wang’s results. The experiment results show that the improved algorithm can not only find more impossible differentials, but also largely reduce the search time.

Download Full-text

Comparing Performances of Cypress Block Cipher and Modern Lighweight Block Ciphers on Different Platforms

2019 IEEE International Scientific-Practical Conference Problems of Infocommunications, Science and Technology (PIC S&T) ◽

10.1109/picst47496.2019.9061521 ◽

2019 ◽

Author(s):

Mariia Rodinko ◽

Roman Oliynykov

Keyword(s):

Block Cipher ◽

Block Ciphers

Download Full-text

Six shades lighter: a bit-serial implementation of the AES family

Journal of Cryptographic Engineering ◽

10.1007/s13389-021-00265-8 ◽

2021 ◽

Author(s):

Sergio Roldán Lombardía ◽

Fatih Balli ◽

Subhadeep Banik

Keyword(s):

Block Cipher ◽

Block Ciphers ◽

Authenticated Encryption ◽

Current Standard ◽

Asic Circuit ◽

The Family ◽

Encryption And Decryption ◽

Preliminary Version ◽

Reduction In Area ◽

Bit Serial

AbstractRecently, cryptographic literature has seen new block cipher designs such as , or that aim to be more lightweight than the current standard, i.e., . Even though family of block ciphers were designed two decades ago, they still remain as the de facto encryption standard, with being the most widely deployed variant. In this work, we revisit the combined one-in-all implementation of the family, namely both encryption and decryption of each as a single ASIC circuit. A preliminary version appeared in Africacrypt 2019 by Balli and Banik, where the authors design a byte-serial circuit with such functionality. We improve on their work by reducing the size of the compact circuit to 2268 GE through 1-bit-serial implementation, which achieves 38% reduction in area. We also report stand-alone bit-serial versions of the circuit, targeting only a subset of modes and versions, e.g., and . Our results imply that, in terms of area, and can easily compete with the larger members of recently designed family, e.g., , . Thus, our implementations can be used interchangeably inside authenticated encryption candidates such as , or in place of .

Download Full-text

Efficient Implementation of PRESENT and GIFT on Quantum Computers

Applied Sciences ◽

10.3390/app11114776 ◽

2021 ◽

Vol 11 (11) ◽

pp. 4776

Author(s):

Kyungbae Jang ◽

Gyeongju Song ◽

Hyunjun Kim ◽

Hyeokdong Kwon ◽

Hyunji Kim ◽

...

Keyword(s):

Block Cipher ◽

Search Algorithm ◽

Block Ciphers ◽

Quantum Circuits ◽

Security Level ◽

Symmetric Key ◽

Grover Search ◽

Target Block ◽

Symmetric Key Cryptography ◽

Grover Search Algorithm

Grover search algorithm is the most representative quantum attack method that threatens the security of symmetric key cryptography. If the Grover search algorithm is applied to symmetric key cryptography, the security level of target symmetric key cryptography can be lowered from n-bit to n2-bit. When applying Grover’s search algorithm to the block cipher that is the target of potential quantum attacks, the target block cipher must be implemented as quantum circuits. Starting with the AES block cipher, a number of works have been conducted to optimize and implement target block ciphers into quantum circuits. Recently, many studies have been published to implement lightweight block ciphers as quantum circuits. In this paper, we present optimal quantum circuit designs of symmetric key cryptography, including PRESENT and GIFT block ciphers. The proposed method optimized PRESENT and GIFT block ciphers by minimizing qubits, quantum gates, and circuit depth. We compare proposed PRESENT and GIFT quantum circuits with other results of lightweight block cipher implementations in quantum circuits. Finally, quantum resources of PRESENT and GIFT block ciphers required for the oracle of the Grover search algorithm were estimated.

Download Full-text

Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers

Lecture Notes in Computer Science - Progress in Cryptology - INDOCRYPT 2012 ◽

10.1007/978-3-642-34931-7_17 ◽

2012 ◽

pp. 283-302 ◽

Cited By ~ 22

Author(s):

Shengbao Wu ◽

Mingsheng Wang

Keyword(s):

Block Ciphers ◽

Automatic Search ◽

Impossible Differentials

Download Full-text

A New Block Cipher Based on Finite Automata Systems

International Journal on Perceptive and Cognitive Computing ◽

10.31436/ijpcc.v2i1.31 ◽

2016 ◽

Vol 2 (1) ◽

Author(s):

Gh Khaleel ◽

SHERZOD TURAEV ◽

M.I.M. Tamrin ◽

Imad F. Al-Shaikhli

Keyword(s):

Block Cipher ◽

Finite Automata ◽

Parallel Computations ◽

Block Ciphers ◽

Central Importance ◽

High Security ◽

Encryption And Decryption

The performance and security have central importance of cryptography field. Therefore, theneed to use block ciphers are become very important. This paper presents a new block cipher based on finiteautomata system. The proposed cryptosystem is executed based on parallel computations to reduce thedelay time. Moreover, to achieve high security, we use different machines (variant non-deterministicautomata accepters) as keys for encryption and decryption.

Download Full-text

Crypto-Archaeology: unearthing design methodology of DES s-boxes

10.7287/peerj.preprints.3285v1 ◽

2017 ◽

Author(s):

Sankhanil Dey ◽

Ranjan Ghosh

Keyword(s):

Boolean Function ◽

Boolean Functions ◽

Design Methodology ◽

Block Cipher ◽

Block Ciphers ◽

Public Domain ◽

Differential Cryptanalysis ◽

Linear Cryptanalysis ◽

Strict Avalanche Criterion ◽

Independence Criterion

US defence sponsored the DES program in 1974 and released it in 1977. It remained as a well-known and well accepted block cipher until 1998. Thirty-two 4-bit DES S-Boxes are grouped in eight each with four and are put in public domain without any mention of their design methodology. S-Boxes, 4-bit, 8-bit or 32-bit, find a permanent seat in all future block ciphers. In this paper, while looking into the design methodology of DES S-Boxes, we find that S-Boxes have 128 balanced and non-linear Boolean Functions, of which 102 used once, while 13 used twice and 92 of 102 satisfy the Boolean Function-level Strict Avalanche Criterion. All the S-Boxes satisfy the Bit Independence Criterion. Their Differential Cryptanalysis exhibits better results than the Linear Cryptanalysis. However, no S-Boxes satisfy the S-Box-level SAC analyses. It seems that the designer emphasized satisfaction of Boolean-Function-level SAC and S-Box-level BIC and DC, not the S-Box-level LC and SAC.

Download Full-text

Different Types of Attacks on Block Ciphers

International Journal of Recent Technology and Engineering - 2 ◽

10.35940/ijrte.c4214.099320 ◽

2020 ◽

Vol 9 (3) ◽

pp. 28-31

Keyword(s):

Block Cipher ◽

Classical Method ◽

System Of Nonlinear Equations ◽

Algebraic Attack ◽

Differential Attack ◽

Different Types ◽

Important Challenge ◽

Impossible Differential ◽

Linear Differential ◽

Truncated Differential

Cryptanalysis is a very important challenge that faces cryptographers. It has several types that should be well studied by cryptographers to be able to design cryptosystem more secure and able to resist any type of attacks. This paper introduces six types of attacks: Linear, Differential , Linear-Differential, Truncated differential Impossible differential attack and Algebraic attacks. In this paper, algebraic attack is used to formulate the substitution box(S-box) of a block cipher to system of nonlinear equations and solve this system by using a classical method called Grobner  Bases . By Solving these equations, we made algebraic attack on S-box.

Download Full-text

Provably Quantum-Secure Tweakable Block Ciphers

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2021.i1.337-377 ◽

2021 ◽

pp. 337-377

Author(s):

Akinori Hosoyamada ◽

Tetsu Iwata

Keyword(s):

Polynomial Time ◽

Provable Security ◽

Block Cipher ◽

Block Ciphers ◽

Quantum Superposition ◽

Quantum Cryptanalysis ◽

Classical Setting ◽

Time Quantum ◽

Symmetric Key ◽

Arbitrary Quantum

Recent results on quantum cryptanalysis show that some symmetric key schemes can be broken in polynomial time even if they are proven to be secure in the classical setting. Liskov, Rivest, and Wagner showed that secure tweakable block ciphers can be constructed from secure block ciphers in the classical setting. However, Kaplan et al. showed that their scheme can be broken by polynomial time quantum superposition attacks, even if underlying block ciphers are quantum-secure. Since then, it remains open if there exists a mode of block ciphers to build quantum-secure tweakable block ciphers. This paper settles the problem in the reduction-based provable security paradigm. We show the first design of quantum-secure tweakable block ciphers based on quantum-secure block ciphers, and present a provable security bound. Our construction is simple, and when instantiated with a quantum-secure n-bit block cipher, it is secure against attacks that query arbitrary quantum superpositions of plaintexts and tweaks up to O(2n/6) quantum queries. Our security proofs use the compressed oracle technique introduced by Zhandry. More precisely, we use an alternative formalization of the technique introduced by Hosoyamada and Iwata.

Download Full-text