Improved Impossible Differentials and Zero-Correlation Linear Hulls of New Structure III

Impossible differential cryptanalysis and zero-correlation linear cryptanalysis are two kinds of most effective tools for evaluating the security of block ciphers. In those attacks, the core step is to construct a distinguisher as long as possible. In this paper, we focus on the security of New Structure III, which is a kind of block cipher structure with excellent resistance against differential and linear attacks. While the best previous result can only exploit one-round linear layer P to construct impossible differential and zero-correlation linear distinguishers, we try to exploit more rounds to find longer distinguishers. Combining the Miss-in-the-Middle strategy and the characteristic matrix method proposed at EUROCRYPT 2016, we could construct 23-round impossible differentials and zero-correlation linear hulls when the linear layer P satisfies some restricted conditions. To our knowledge, both of them are 1 round longer than the best previous works concerning the two cryptanalytical methods. Furthermore, to show the effectiveness of our distinguishers, the linear layer of the round function is specified to the permutation matrix of block cipher SKINNY which was proposed at CRYPTO 2016. Our results indicate that New Structure III has weaker resistance against impossible differential and zero-correlation linear attacks, though it possesses good differential and linear properties.

Searching for impossible subspace trails and improved impossible differential characteristics for SIMON-like block ciphers

In this paper, we greatly increase the number of impossible differentials for SIMON and SIMECK by eliminating the 1-bit constraint in input/output difference, which is the precondition to ameliorate the complexity of attacks. We propose an algorithm which can greatly reduce the searching complexity to find such trails efficiently since the search space exponentially expands to find impossible differentials with multiple active bits. There is another situation leading to the contradiction in impossible differentials except for miss-in-the-middle. We show how the contradiction happens and conclude the precondition of it defined as miss-from-the-middle. It makes our results more comprehensive by applying these two approach simultaneously. This paper gives for the first time impossible differential characteristics with multiple active bits for SIMON and SIMECK, leading to a great increase in the number. The results can be verified not only by covering the state-of-art, but also by the MILP model.

Impossible Differential Distinguishers of Two Generalized Feistel Structures

Generalized Feistel structures are widely used in the design of block ciphers. In this paper, we focused on retrieving impossible differentials for two kinds of generalized Feistel structures: CAST256-like structure with Substitution-Permutation (SP) or Substitution-Permutation-Substitution (SPS) round functions (named CAST256SP and CAST256SPS, respectively) and MARS-like structure with SP/SPS round function (named MARSSP and MARSSPS, respectively). Known results show that for bijective round function, CAST256-like structures and MARS-like structures have (m2−1) and (2m−1) rounds impossible differentials, respectively. By our observation, there existed (m2+m) rounds impossible differentials in CAST256SP and (3m−3) rounds impossible differentials in MARSSPS (this result does not require the P layer to be invertible). When the diffusion layer satisfied some special conditions, CAST256SPS had (m2+m−1) rounds impossible differentials and MARSSPS had (3m−3) rounds impossible differentials.

A New Automatic Tool Searching for Impossible Differential of NIST Candidate ACE

The ACE algorithm is a candidate of the Lightweight Cryptography standardization process started by the National Institute of Standards and Technology (NIST) of the USA that passed the first round and successfully entered the second round. It is designed to achieve a balance between hardware cost and software efficiency for both authenticated encryption with associated data (AEAD) and hashing functionalities. This paper focuses on the impossible differential attack against the ACE permutation, which is the core component of the ACE algorithm. Based on the method of characteristic matrix, we build an automatic searching algorithm that can be used to search for structural impossible differentials and give the optimal permutation for ACE permutation and other SPN ciphers. We prove that there is no impossible differential of ACE permutation longer than 9 steps and construct two 8-step impossible differentials. In the end, we give the optimal word permutation against impossible differential cryptanalysis, which is π′=(2,4,1,0,3), and a safer word XOR structure of ACE permutation.

An Effective Simulation Analysis of Transient Electromagnetic Multiple Faults

Embedded encryption devices and smart sensors are vulnerable to physical attacks. Due to the continuous shrinking of chip size, laser injection, particle radiation and electromagnetic transient injection are possible methods that introduce transient multiple faults. In the fault analysis stage, the adversary is unclear about the actual number of faults injected. Typically, the single-nibble fault analysis encounters difficulties. Therefore, in this paper, we propose novel ciphertext-only impossible differentials that can analyze the number of random faults to six nibbles. We use the impossible differentials to exclude the secret key that definitely does not exist, and then gradually obtain the unique secret key through inverse difference equations. Using software simulation, we conducted 32,000 random multiple fault attacks on Midori. The experiments were carried out to verify the theoretical model of multiple fault attacks. We obtain the relationship between fault injection and information content. To reduce the number of fault attacks, we further optimized the fault attack method. The secret key can be obtained at least 11 times. The proposed ciphertext-only impossible differential analysis provides an effective method for random multiple faults analysis, which would be helpful for improving the security of block ciphers.

Improved Security Evaluation of SPN Block Ciphers and its Applications in the Single-key Attack on SKINNY

In this paper, a new method for evaluating the integral property, truncated and impossible differentials for substitution-permutation network (SPN) block ciphers is proposed. The main assumption is an explicit description/expression of the internal state words in terms of the plaintext (ciphertext) words. By counting the number of times these words occur in the internal state expression, we can evaluate the resistance of a given block cipher to integral and impossible/truncated differential attacks more accurately than previous methods. More precisely, we explore the cryptographic consequences of uneven frequency of occurrences of plaintext (ciphertext) words appearing in the algebraic expression of the internal state words. This approach gives a new family of distinguishers employing different concepts such as the integral property, impossible/truncated differentials and the so-called zero-sum property. We then provide algorithms to determine the maximum number of rounds of such new types of distinguishers for SPN block ciphers. The potential and efficiency of this relatively simple method is confirmed through applications. For instance, in the case of SKINNY block cipher, several 10-round integral distinguishers, all of the 11-round impossible differentials, and a 7-round truncated differential could be determined. For the last case, using a single pair of plaintexts differing in three words so that (a = b = c) ≠ (a’ = b’ = c’), we are able to distinguish 7-round SKINNY from random permutations. More importantly, exploiting our distinguishers, we give the first practical attack on 11-round SKINNY-128-128 in the single-key setting (a theoretical attack reaches 16 rounds). Finally, using the same ideas, we provide a concise explanation on the existing distinguishers for round-reduced AES.