For block ciphers,Bogdanov et al.found that there are some linear approximations satisfying that their biases are deterministically invariant under key difference.This property is called key difference invariant bias....For block ciphers,Bogdanov et al.found that there are some linear approximations satisfying that their biases are deterministically invariant under key difference.This property is called key difference invariant bias.Based on this property,Bogdanov et al.proposed a related-key statistical distinguisher and turned it into key-recovery attacks on LBlock and TWINE-128.In this paper,we propose a new related-key model by combining multidimensional linear cryptanalysis with key difference invariant bias.The main theoretical advantage is that our new model does not depend on statistical independence of linear approximations.We demonstrate our cryptanalysis technique by performing key recovery attacks on LBlock and TWINE-128.By using the relations of the involved round keys to reduce the number of guessed subkey bits.Moreover,the partial-compression technique is used to reduce the time complexity.We can recover the master key of LBlock up to 25 rounds with about 260.4 distinct known plaintexts,278.85 time complexity and 261 bytes of memory requirements.Our attack can recover the master key of TWINE-128 up to 28 rounds with about 261.5 distinct known plaintexts,2126.15 time complexity and 261 bytes of memory requirements.The results are the currently best ones on cryptanalysis of LBlock and TWINE-128.展开更多
For block ciphers,Bogdanov et al.found that there are some linear approximations satisfying that their biases are deterministically invariant under key difference.This property is called key difference invariant bias....For block ciphers,Bogdanov et al.found that there are some linear approximations satisfying that their biases are deterministically invariant under key difference.This property is called key difference invariant bias.Based on this property,Bogdanov et al.proposed a related-key statistical distinguisher and turned it into key-recovery attacks on LBlock and TWINE-128.In this paper,we propose a new related-key model by combining multidimensional linear cryptanalysis with key difference invariant bias.The main theoretical advantage is that our new model does not depend on statistical independence of linear approximations.We demonstrate our cryptanalysis technique by performing key recovery attacks on LBlock and TWINE-128.By using the relations of the involved round keys to reduce the number of guessed subkey bits.Moreover,the partial-compression technique is used to reduce the time complexity.We can recover the master key of LBlock up to 25 rounds with about 2^(60.4)distinct known plaintexts,2^(78.85)time complexity and 2^(61)bytes of memory requirements.Our attack can recover the master key of TWINE-128 up to 28 rounds with about 2^(61.5)distinct known plaintexts,2^(126.15)time complexity and 261 bytes of memory requirements.The results are the currently best ones on cryptanalysis of LBlock and TWINE-128.展开更多
NUSH is a block cipher as a candidate for NESSIE. NUSH is analyzed by linear crypt-analysis . The complexity δ = (ε , η) of the attack consists of data complexity ε and time complexity η. Three linear approximati...NUSH is a block cipher as a candidate for NESSIE. NUSH is analyzed by linear crypt-analysis . The complexity δ = (ε , η) of the attack consists of data complexity ε and time complexity η. Three linear approximations are used to analyze NUSH with 64-bit block. When |K| = 128 bits, the complexities of three attacks are (258, 2124), (260, 278) and (262, 255) respectively. When |K| = 192 bits, the complexities of three attacks are (258, 2157) (260, 2%) and (262, 258) respectively. When |K| = 256 bits, the complexities of three attacks are (258, 2125), (260, 278) and (262, 253) respectively. Three linear approximations are used to analyze NUSH with 128-bit block. When |K|= 128 bits, the complexities of three attacks are (2122, 295), (2124, 257) and (2126, 252) respectively. When |K| = 192 bits, the complexities of three attacks are (2122, 2142), (2124, 275) and (2126, 258) respectively. When |K|= 256 bits, the complexities of three attacks are (2122, 2168), (2124, 281) and (2126, 264) respectively. Two linear approximations are used to analyze NUSH with 256-bit block. When |K|= 128 bits, the complexities of two attacks are (2252, 2122) and (2254, 2119) respectively. When |K|= 192 bits, the complexities of two attacks are (2252, 2181) and (2254, 2177) respectively. When |K|=256 bits, the complexities of two attacks are (2252, 2240) and (2254, 2219) respectively. These results show that NUSH is not immune to linear cryptanalysis, and longer key cannot enhance the security of NUSH.展开更多
The block cipher used in the Chinese Wireless LAN Standard (WAPI), SMS4, was recently renamed as SM4, and became the block cipher standard issued by the Chinese government. This paper gives a method for finding the ...The block cipher used in the Chinese Wireless LAN Standard (WAPI), SMS4, was recently renamed as SM4, and became the block cipher standard issued by the Chinese government. This paper gives a method for finding the linear approximations of SMS4. With this method, 19-round one-dimensional approximations are given, which are used to improve the previous linear cryptanalysis of SMS4. The 19-round approximations hold with bias 2-62.27; we use one of them to leverage a linear attack on 23-round SMS4. Our attack improves the previous 23-round attacks by reducing the time complexity. Furthermore, the data complexity of our attack is further improved by the multidimensional linear approach.展开更多
In June 2013, the U.S. National Security Agency proposed two families of lightweight block ciphers, called SIMON and SPECK respectively. These ciphers are designed to perform excellently on both hardware and software ...In June 2013, the U.S. National Security Agency proposed two families of lightweight block ciphers, called SIMON and SPECK respectively. These ciphers are designed to perform excellently on both hardware and software platforms. In this paper, we mainly present zero-correlation linear cryptanalysis on various versions of SIMON. Firstly, by using miss- in-the-middle approach, we construct zero-correlation linear distinguishers of SIMON, and zero-correlation linear attacks are presented based oi1 careful analysis of key recovery phase. Secondly, multidimensional zero-correlation linear attacks are used to reduce the data complexity. Our zero-correlation linear attacks perform better than impossible differential attacks proposed by Abed et al. in ePrint Report 2013/568. Finally, we also use the divide-and-conquer technique to improve the results of linear cryptanalysis proposed by Javad et al. in ePrint Report 2013/663.展开更多
CAST-256, a first-round AES (Advanced Encryption Standard) candidate, is designed based on CAST-128. It is a 48-round Generalized-Feistel-Network cipher with ]28-bit block accepting 128, 160, 192, 224 or 256 bits ke...CAST-256, a first-round AES (Advanced Encryption Standard) candidate, is designed based on CAST-128. It is a 48-round Generalized-Feistel-Network cipher with ]28-bit block accepting 128, 160, 192, 224 or 256 bits keys. Its S-boxes are non-surjective with 8-bit input and 32-bit output. Wang et al. identified a 21-round linear approximation and gave a key recovery attack on 24-round CAST-256. In ASIACRYPT 2012, Bogdanov et al. presented the multidimensional zero-correlation linear cryptanalysis of 28 rounds of CAST-256. By observing the property of the concatenation of forward quad-round and reverse quad-round and choosing the proper active round function, we construct a linear approximation of 26-round CAST-256 and recover partial key information on 32 rounds of CAST-256. Our result is the best attack according to the number of rounds for CAST-256 without weak-key assumption so far.展开更多
The conception of orthomorphism has been generalized in this paper, and a counting formula on the generalized linear orthomorphism in the vector space over the Galois field with the arbitrary prime number p as the cha...The conception of orthomorphism has been generalized in this paper, and a counting formula on the generalized linear orthomorphism in the vector space over the Galois field with the arbitrary prime number p as the characteristic is obtained. Thus, the partial generation algorithm of generalized linear orthomorphism is achieved. The counting formula of the linear orthomorphism in the vector space over the finite field with characteristic 2 is the special case in our results. Furthermore, the generalized linear orthomorphism generated and discussed in this paper can gain the maximum branch number when they are designed as P-permutations.展开更多
This letter proposes algebraic attacks on two kinds of nonlinear filter generators with symmetric Boolean functions as the filter fimctions. Different fxom the classical algebraic attacks, the proposed attacks take th...This letter proposes algebraic attacks on two kinds of nonlinear filter generators with symmetric Boolean functions as the filter fimctions. Different fxom the classical algebraic attacks, the proposed attacks take the advantage of the combinational property of a linear feedback shift register (LFSR) and the symmetric Boolean function to obtain a tow-degree algebraic relation, and hence the complexities of the proposed attacks are independent of the algebraic immunity (AI) of the filter functions. It is shown that improper combining of the LFSR with the filter function can make the filter generator suffer from algebraic attacks. As a result, the bits of the LFSR must be selected properly to input the filter function with large AI in order to withstand the proposed algebraic attacks.展开更多
We consider direct solution to third order ordinary differential equations in this paper. Method of collection and interpolation of the power series approximant of single variable is considered to derive a linear mult...We consider direct solution to third order ordinary differential equations in this paper. Method of collection and interpolation of the power series approximant of single variable is considered to derive a linear multistep method (LMM) with continuous coefficient. Block method was later adopted to generate the independent solution at selected grid points. The properties of the block viz: order, zero stability and stability region are investigated. Our method was tested on third order ordinary differential equation and found to give better result when compared with existing methods.展开更多
低能耗轻量级分组密码(low energy lightweight block cipher,LELBC)算法是一种基于置换-替换-置换(permutation-substitution-permutation,PSP)结构的轻量级分组密码算法,主要适用于计算能力、存储空间及功耗受限的物联网终端设备,通...低能耗轻量级分组密码(low energy lightweight block cipher,LELBC)算法是一种基于置换-替换-置换(permutation-substitution-permutation,PSP)结构的轻量级分组密码算法,主要适用于计算能力、存储空间及功耗受限的物联网终端设备,通过对数据加密实现数据安全保障,因此对该算法安全性的准确评估尤为关键。为了深入研究该算法的安全性,首先建立S盒的差分-线性连通表,然后基于约束规划(constraint programming,CP)方法对S盒组件、中间层和整体结构进行数学建模,搜索得到概率为2-25.96的9轮差分-线性区分器,并进一步在这个区分器的基础上分别向前添加1轮,向后添加2轮,实现了对LELBC算法的12轮密钥恢复攻击,其中数据复杂度为228个明文,时间复杂度为2114.42次12轮加密。研究结果表明,相较于整体16轮,LELBC算法仍然具有足够轮数的安全冗余。展开更多
基金the National Natural Science Foundation of China(Grant No.61379138).
文摘For block ciphers,Bogdanov et al.found that there are some linear approximations satisfying that their biases are deterministically invariant under key difference.This property is called key difference invariant bias.Based on this property,Bogdanov et al.proposed a related-key statistical distinguisher and turned it into key-recovery attacks on LBlock and TWINE-128.In this paper,we propose a new related-key model by combining multidimensional linear cryptanalysis with key difference invariant bias.The main theoretical advantage is that our new model does not depend on statistical independence of linear approximations.We demonstrate our cryptanalysis technique by performing key recovery attacks on LBlock and TWINE-128.By using the relations of the involved round keys to reduce the number of guessed subkey bits.Moreover,the partial-compression technique is used to reduce the time complexity.We can recover the master key of LBlock up to 25 rounds with about 260.4 distinct known plaintexts,278.85 time complexity and 261 bytes of memory requirements.Our attack can recover the master key of TWINE-128 up to 28 rounds with about 261.5 distinct known plaintexts,2126.15 time complexity and 261 bytes of memory requirements.The results are the currently best ones on cryptanalysis of LBlock and TWINE-128.
基金supported by the National Natural Science Foundation of China(Grant No.61379138).
文摘For block ciphers,Bogdanov et al.found that there are some linear approximations satisfying that their biases are deterministically invariant under key difference.This property is called key difference invariant bias.Based on this property,Bogdanov et al.proposed a related-key statistical distinguisher and turned it into key-recovery attacks on LBlock and TWINE-128.In this paper,we propose a new related-key model by combining multidimensional linear cryptanalysis with key difference invariant bias.The main theoretical advantage is that our new model does not depend on statistical independence of linear approximations.We demonstrate our cryptanalysis technique by performing key recovery attacks on LBlock and TWINE-128.By using the relations of the involved round keys to reduce the number of guessed subkey bits.Moreover,the partial-compression technique is used to reduce the time complexity.We can recover the master key of LBlock up to 25 rounds with about 2^(60.4)distinct known plaintexts,2^(78.85)time complexity and 2^(61)bytes of memory requirements.Our attack can recover the master key of TWINE-128 up to 28 rounds with about 2^(61.5)distinct known plaintexts,2^(126.15)time complexity and 261 bytes of memory requirements.The results are the currently best ones on cryptanalysis of LBlock and TWINE-128.
基金This work was supported by 973 Project (Grant No. G1999035802) and the National Natural Science Foundation of China (Grant No. 19931010) .
文摘NUSH is a block cipher as a candidate for NESSIE. NUSH is analyzed by linear crypt-analysis . The complexity δ = (ε , η) of the attack consists of data complexity ε and time complexity η. Three linear approximations are used to analyze NUSH with 64-bit block. When |K| = 128 bits, the complexities of three attacks are (258, 2124), (260, 278) and (262, 255) respectively. When |K| = 192 bits, the complexities of three attacks are (258, 2157) (260, 2%) and (262, 258) respectively. When |K| = 256 bits, the complexities of three attacks are (258, 2125), (260, 278) and (262, 253) respectively. Three linear approximations are used to analyze NUSH with 128-bit block. When |K|= 128 bits, the complexities of three attacks are (2122, 295), (2124, 257) and (2126, 252) respectively. When |K| = 192 bits, the complexities of three attacks are (2122, 2142), (2124, 275) and (2126, 258) respectively. When |K|= 256 bits, the complexities of three attacks are (2122, 2168), (2124, 281) and (2126, 264) respectively. Two linear approximations are used to analyze NUSH with 256-bit block. When |K|= 128 bits, the complexities of two attacks are (2252, 2122) and (2254, 2119) respectively. When |K|= 192 bits, the complexities of two attacks are (2252, 2181) and (2254, 2177) respectively. When |K|=256 bits, the complexities of two attacks are (2252, 2240) and (2254, 2219) respectively. These results show that NUSH is not immune to linear cryptanalysis, and longer key cannot enhance the security of NUSH.
基金supported by the National Basic Research 973 Program of China under Grant Nos.2013CB834201 and 2013CB834205the Postdoctoral Science Foundation of China under Grant No.2013M540786the National Natural Science Foundation of China under Grant Nos.61202493 and 61103237
文摘The block cipher used in the Chinese Wireless LAN Standard (WAPI), SMS4, was recently renamed as SM4, and became the block cipher standard issued by the Chinese government. This paper gives a method for finding the linear approximations of SMS4. With this method, 19-round one-dimensional approximations are given, which are used to improve the previous linear cryptanalysis of SMS4. The 19-round approximations hold with bias 2-62.27; we use one of them to leverage a linear attack on 23-round SMS4. Our attack improves the previous 23-round attacks by reducing the time complexity. Furthermore, the data complexity of our attack is further improved by the multidimensional linear approach.
基金supported by the National Natural Science Foundation of China under Grant No.10871106
文摘For a class of generalized Feistel block ciphers, an explicit formula for the minimum numbers of linearly active S-boxes of any round r is presented.
基金This work was supported by the National Basic Research 973 Program of China under Grant No. 2013CB338002 and the National Natural Science Foundation of China under Grant Nos. 61272476, 61202420, and 61232009.
文摘In June 2013, the U.S. National Security Agency proposed two families of lightweight block ciphers, called SIMON and SPECK respectively. These ciphers are designed to perform excellently on both hardware and software platforms. In this paper, we mainly present zero-correlation linear cryptanalysis on various versions of SIMON. Firstly, by using miss- in-the-middle approach, we construct zero-correlation linear distinguishers of SIMON, and zero-correlation linear attacks are presented based oi1 careful analysis of key recovery phase. Secondly, multidimensional zero-correlation linear attacks are used to reduce the data complexity. Our zero-correlation linear attacks perform better than impossible differential attacks proposed by Abed et al. in ePrint Report 2013/568. Finally, we also use the divide-and-conquer technique to improve the results of linear cryptanalysis proposed by Javad et al. in ePrint Report 2013/663.
基金supported by the National Basic Research 973 Program of China under Grant No.2013CB834205the National Natural Science Foundation of China under Grant Nos.61133013,61070244 and 61103237+1 种基金the Program for New Century Excellent Talents in University of China under Grant No.NCET-13-0350the Interdisciplinary Research Foundation of Shandong University under Grant No.2012JC018
文摘CAST-256, a first-round AES (Advanced Encryption Standard) candidate, is designed based on CAST-128. It is a 48-round Generalized-Feistel-Network cipher with ]28-bit block accepting 128, 160, 192, 224 or 256 bits keys. Its S-boxes are non-surjective with 8-bit input and 32-bit output. Wang et al. identified a 21-round linear approximation and gave a key recovery attack on 24-round CAST-256. In ASIACRYPT 2012, Bogdanov et al. presented the multidimensional zero-correlation linear cryptanalysis of 28 rounds of CAST-256. By observing the property of the concatenation of forward quad-round and reverse quad-round and choosing the proper active round function, we construct a linear approximation of 26-round CAST-256 and recover partial key information on 32 rounds of CAST-256. Our result is the best attack according to the number of rounds for CAST-256 without weak-key assumption so far.
基金Supported by the National Natural Science Foundation of China (60970115, 91018008)
文摘The conception of orthomorphism has been generalized in this paper, and a counting formula on the generalized linear orthomorphism in the vector space over the Galois field with the arbitrary prime number p as the characteristic is obtained. Thus, the partial generation algorithm of generalized linear orthomorphism is achieved. The counting formula of the linear orthomorphism in the vector space over the finite field with characteristic 2 is the special case in our results. Furthermore, the generalized linear orthomorphism generated and discussed in this paper can gain the maximum branch number when they are designed as P-permutations.
基金Supported by the National Basic Research Program of China (No. 2007CB311201), the National Natural Science Foundation of China (No.60833008 No.60803149), and the Foundation of Guangxi Key Laboratory of Information and Communication (No.20902).
文摘This letter proposes algebraic attacks on two kinds of nonlinear filter generators with symmetric Boolean functions as the filter fimctions. Different fxom the classical algebraic attacks, the proposed attacks take the advantage of the combinational property of a linear feedback shift register (LFSR) and the symmetric Boolean function to obtain a tow-degree algebraic relation, and hence the complexities of the proposed attacks are independent of the algebraic immunity (AI) of the filter functions. It is shown that improper combining of the LFSR with the filter function can make the filter generator suffer from algebraic attacks. As a result, the bits of the LFSR must be selected properly to input the filter function with large AI in order to withstand the proposed algebraic attacks.
文摘We consider direct solution to third order ordinary differential equations in this paper. Method of collection and interpolation of the power series approximant of single variable is considered to derive a linear multistep method (LMM) with continuous coefficient. Block method was later adopted to generate the independent solution at selected grid points. The properties of the block viz: order, zero stability and stability region are investigated. Our method was tested on third order ordinary differential equation and found to give better result when compared with existing methods.
