In June 2013, the U.S. National Security Agency proposed two families of lightweight block ciphers, called SIMON and SPECK respectively. These ciphers are designed to perform excellently on both hardware and software ...In June 2013, the U.S. National Security Agency proposed two families of lightweight block ciphers, called SIMON and SPECK respectively. These ciphers are designed to perform excellently on both hardware and software platforms. In this paper, we mainly present zero-correlation linear cryptanalysis on various versions of SIMON. Firstly, by using miss- in-the-middle approach, we construct zero-correlation linear distinguishers of SIMON, and zero-correlation linear attacks are presented based oi1 careful analysis of key recovery phase. Secondly, multidimensional zero-correlation linear attacks are used to reduce the data complexity. Our zero-correlation linear attacks perform better than impossible differential attacks proposed by Abed et al. in ePrint Report 2013/568. Finally, we also use the divide-and-conquer technique to improve the results of linear cryptanalysis proposed by Javad et al. in ePrint Report 2013/663.展开更多
For block ciphers,Bogdanov et al.found that there are some linear approximations satisfying that their biases are deterministically invariant under key difference.This property is called key difference invariant bias....For block ciphers,Bogdanov et al.found that there are some linear approximations satisfying that their biases are deterministically invariant under key difference.This property is called key difference invariant bias.Based on this property,Bogdanov et al.proposed a related-key statistical distinguisher and turned it into key-recovery attacks on LBlock and TWINE-128.In this paper,we propose a new related-key model by combining multidimensional linear cryptanalysis with key difference invariant bias.The main theoretical advantage is that our new model does not depend on statistical independence of linear approximations.We demonstrate our cryptanalysis technique by performing key recovery attacks on LBlock and TWINE-128.By using the relations of the involved round keys to reduce the number of guessed subkey bits.Moreover,the partial-compression technique is used to reduce the time complexity.We can recover the master key of LBlock up to 25 rounds with about 260.4 distinct known plaintexts,278.85 time complexity and 261 bytes of memory requirements.Our attack can recover the master key of TWINE-128 up to 28 rounds with about 261.5 distinct known plaintexts,2126.15 time complexity and 261 bytes of memory requirements.The results are the currently best ones on cryptanalysis of LBlock and TWINE-128.展开更多
For block ciphers,Bogdanov et al.found that there are some linear approximations satisfying that their biases are deterministically invariant under key difference.This property is called key difference invariant bias....For block ciphers,Bogdanov et al.found that there are some linear approximations satisfying that their biases are deterministically invariant under key difference.This property is called key difference invariant bias.Based on this property,Bogdanov et al.proposed a related-key statistical distinguisher and turned it into key-recovery attacks on LBlock and TWINE-128.In this paper,we propose a new related-key model by combining multidimensional linear cryptanalysis with key difference invariant bias.The main theoretical advantage is that our new model does not depend on statistical independence of linear approximations.We demonstrate our cryptanalysis technique by performing key recovery attacks on LBlock and TWINE-128.By using the relations of the involved round keys to reduce the number of guessed subkey bits.Moreover,the partial-compression technique is used to reduce the time complexity.We can recover the master key of LBlock up to 25 rounds with about 2^(60.4)distinct known plaintexts,2^(78.85)time complexity and 2^(61)bytes of memory requirements.Our attack can recover the master key of TWINE-128 up to 28 rounds with about 2^(61.5)distinct known plaintexts,2^(126.15)time complexity and 261 bytes of memory requirements.The results are the currently best ones on cryptanalysis of LBlock and TWINE-128.展开更多
The block cipher used in the Chinese Wireless LAN Standard (WAPI), SMS4, was recently renamed as SM4, and became the block cipher standard issued by the Chinese government. This paper gives a method for finding the ...The block cipher used in the Chinese Wireless LAN Standard (WAPI), SMS4, was recently renamed as SM4, and became the block cipher standard issued by the Chinese government. This paper gives a method for finding the linear approximations of SMS4. With this method, 19-round one-dimensional approximations are given, which are used to improve the previous linear cryptanalysis of SMS4. The 19-round approximations hold with bias 2-62.27; we use one of them to leverage a linear attack on 23-round SMS4. Our attack improves the previous 23-round attacks by reducing the time complexity. Furthermore, the data complexity of our attack is further improved by the multidimensional linear approach.展开更多
基金This work was supported by the National Basic Research 973 Program of China under Grant No. 2013CB338002 and the National Natural Science Foundation of China under Grant Nos. 61272476, 61202420, and 61232009.
文摘In June 2013, the U.S. National Security Agency proposed two families of lightweight block ciphers, called SIMON and SPECK respectively. These ciphers are designed to perform excellently on both hardware and software platforms. In this paper, we mainly present zero-correlation linear cryptanalysis on various versions of SIMON. Firstly, by using miss- in-the-middle approach, we construct zero-correlation linear distinguishers of SIMON, and zero-correlation linear attacks are presented based oi1 careful analysis of key recovery phase. Secondly, multidimensional zero-correlation linear attacks are used to reduce the data complexity. Our zero-correlation linear attacks perform better than impossible differential attacks proposed by Abed et al. in ePrint Report 2013/568. Finally, we also use the divide-and-conquer technique to improve the results of linear cryptanalysis proposed by Javad et al. in ePrint Report 2013/663.
基金the National Natural Science Foundation of China(Grant No.61379138).
文摘For block ciphers,Bogdanov et al.found that there are some linear approximations satisfying that their biases are deterministically invariant under key difference.This property is called key difference invariant bias.Based on this property,Bogdanov et al.proposed a related-key statistical distinguisher and turned it into key-recovery attacks on LBlock and TWINE-128.In this paper,we propose a new related-key model by combining multidimensional linear cryptanalysis with key difference invariant bias.The main theoretical advantage is that our new model does not depend on statistical independence of linear approximations.We demonstrate our cryptanalysis technique by performing key recovery attacks on LBlock and TWINE-128.By using the relations of the involved round keys to reduce the number of guessed subkey bits.Moreover,the partial-compression technique is used to reduce the time complexity.We can recover the master key of LBlock up to 25 rounds with about 260.4 distinct known plaintexts,278.85 time complexity and 261 bytes of memory requirements.Our attack can recover the master key of TWINE-128 up to 28 rounds with about 261.5 distinct known plaintexts,2126.15 time complexity and 261 bytes of memory requirements.The results are the currently best ones on cryptanalysis of LBlock and TWINE-128.
基金supported by the National Natural Science Foundation of China(Grant No.61379138).
文摘For block ciphers,Bogdanov et al.found that there are some linear approximations satisfying that their biases are deterministically invariant under key difference.This property is called key difference invariant bias.Based on this property,Bogdanov et al.proposed a related-key statistical distinguisher and turned it into key-recovery attacks on LBlock and TWINE-128.In this paper,we propose a new related-key model by combining multidimensional linear cryptanalysis with key difference invariant bias.The main theoretical advantage is that our new model does not depend on statistical independence of linear approximations.We demonstrate our cryptanalysis technique by performing key recovery attacks on LBlock and TWINE-128.By using the relations of the involved round keys to reduce the number of guessed subkey bits.Moreover,the partial-compression technique is used to reduce the time complexity.We can recover the master key of LBlock up to 25 rounds with about 2^(60.4)distinct known plaintexts,2^(78.85)time complexity and 2^(61)bytes of memory requirements.Our attack can recover the master key of TWINE-128 up to 28 rounds with about 2^(61.5)distinct known plaintexts,2^(126.15)time complexity and 261 bytes of memory requirements.The results are the currently best ones on cryptanalysis of LBlock and TWINE-128.
基金supported by the National Basic Research 973 Program of China under Grant Nos.2013CB834201 and 2013CB834205the Postdoctoral Science Foundation of China under Grant No.2013M540786the National Natural Science Foundation of China under Grant Nos.61202493 and 61103237
文摘The block cipher used in the Chinese Wireless LAN Standard (WAPI), SMS4, was recently renamed as SM4, and became the block cipher standard issued by the Chinese government. This paper gives a method for finding the linear approximations of SMS4. With this method, 19-round one-dimensional approximations are given, which are used to improve the previous linear cryptanalysis of SMS4. The 19-round approximations hold with bias 2-62.27; we use one of them to leverage a linear attack on 23-round SMS4. Our attack improves the previous 23-round attacks by reducing the time complexity. Furthermore, the data complexity of our attack is further improved by the multidimensional linear approach.
