Similar literature
1.
The Advanced Encryption Standard (AES) is a 128-bit block cipher with a user key of 128, 192 or 256 bits, published by NIST in 2001 (FIPS 197) as the next-generation data encryption standard for use in the USA; it was adopted as an ISO/IEC international standard (ISO/IEC 18033-3) in 2005. Impossible differential cryptanalysis and the boomerang attack are powerful variants of differential cryptanalysis for analysing the security of a block cipher. In this paper, building on the notions of impossible differential cryptanalysis and the boomerang attack, we propose a new cryptanalytic technique, which we call the impossible boomerang attack, and then describe an extension of this attack which applies in a related-key attack scenario. Finally, we apply the impossible boomerang attack to break 6-round AES with 128 key bits and 7-round AES with 192/256 key bits, and using two related keys we apply the related-key impossible boomerang attack to break 8-round AES with 192 key bits and 9-round AES with 256 key bits. In the two-key related-key attack scenario our results, which were the first to reach this number of attacked rounds, match the best currently known results for AES with 192/256 key bits in terms of the number of attacked rounds. The (related-key) impossible boomerang attack is a general cryptanalytic technique and can potentially be used to cryptanalyse other block ciphers.

2.
In this paper we look at the security of two block ciphers which were both claimed in the published literature to be secure against differential cryptanalysis (DC). A more careful examination shows that neither cipher is very secure against differential cryptanalysis, in particular when attacks with sets of differentials are considered. For both ciphers we report new perfectly periodic (iterative) aggregated differential attacks which propagate with quite high probabilities. The first cipher is GOST, the well-known Russian government encryption standard. The second is PP-1, a very recent Polish block cipher. Both ciphers were designed to withstand linear and differential cryptanalysis; unfortunately, both are shown to be much weaker than expected against advanced differential attacks. For GOST, we report better and stronger sets of differentials than the best previously known attacks presented at SAC 2000 [32] and propose the first attack able to distinguish 16 rounds of GOST from a random permutation. For PP-1 we show that, although its S-box has an optimal theoretical security level against differential cryptanalysis [17], [29], our differentials are strong enough to break all known versions of the PP-1 cipher.

3.
Advances in impossible differential cryptanalysis
Impossible differential cryptanalysis, a variant of differential cryptanalysis, is a simple and effective cryptanalytic method and one of the most widely used today. Since it was proposed it has been applied extensively to analyse a large number of algorithms and cipher structures. In particular, attacks on AES in recent years have produced a series of very good results, making impossible differential cryptanalysis one of the most effective attacks on AES. This paper systematically introduces the principles, common techniques and attack methods of impossible differential cryptanalysis, and summarises the current state of research and the attack results obtained so far. Finally, it analyses the advantages and disadvantages of impossible differential attacks and their role in the design and analysis of block ciphers.

4.
Constructing Symmetric Ciphers Using the CAST Design Procedure
This paper describes the CAST design procedure for constructing a family of DES-like Substitution-Permutation Network (SPN) cryptosystems which appear to have good resistance to differential cryptanalysis, linear cryptanalysis and related-key cryptanalysis, along with a number of other desirable cryptographic properties. Details of the design choices in the procedure are given, including those regarding the component substitution boxes (S-boxes), the overall framework, the key schedule and the round function. An example CAST cipher, an output of this design procedure, is presented as an aid to understanding the concepts and to encourage detailed analysis by the cryptologic community.

5.
Many attacks on encryption schemes rely on statistical considerations, using plaintext/ciphertext pairs to find some information on the key. We provide simple formulae for estimating the data complexity and the success probability which can be applied to many different scenarios (differential cryptanalysis, linear cryptanalysis, truncated differential cryptanalysis, etc.). Our work does not rely on the Gaussian approximation, which is not valid in every setting, but uses instead a simple and general approximation of the binomial distribution and asymptotic expansions of the beta distribution.

6.
Multilinear maps are a central primitive in cryptography; Garg, Gentry and Halevi proposed the first approximate multilinear maps over ideal lattices (the GGH13 map) at EUROCRYPT 2013. Since then, multilinear maps have attracted extensive attention and have found numerous applications. Very recently, Hu and Jia put forward an efficient attack on the multipartite key exchange and witness encryption schemes based on the GGH13 map. In this paper, we describe another efficient cryptanalysis of the GGH13 map, an augmented version of Hu and Jia's attack. More specifically, we improve their attack tools and propose a "downgrading" method, which lets us obtain a low-level encoding from a higher-level encoding. As a result, we can break the multilinear computational Diffie–Hellman assumption in the GGH13 setting with great ease, whereas Hu and Jia only dealt with the decisional version. Furthermore, by applying our augmented cryptanalysis directly, we break two schemes built on the GGH13 map and published at CRYPTO 2013: attribute-based encryption for general circuits and identity-based aggregate signatures.

7.
Linear cryptanalysis, along with differential cryptanalysis, is an important tool for evaluating the security of block ciphers. This work introduces a novel extension of linear cryptanalysis: zero-correlation linear cryptanalysis, a technique applicable to many block cipher constructions. It is based on linear approximations with a correlation value of exactly zero. For a permutation on n bits, an algorithm of complexity 2^(n-1) is proposed for the exact evaluation of correlation. Non-trivial zero-correlation linear approximations are demonstrated for various block cipher structures including AES, balanced Feistel networks, Skipjack, CLEFIA and CAST256. As an example, using zero-correlation linear cryptanalysis, a key-recovery attack is shown on 6 rounds of AES-192 and AES-256 as well as on 13 rounds of CLEFIA-256.
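The exact-correlation computation and the structural zero-correlation approximation for balanced Feistel networks mentioned above, as an added example that is not code from the paper: one fast Walsh–Hadamard transform per output mask yields the correlation of every input mask of a small permutation, and a toy 8-bit Feistel network (4-bit halves, round function S_r[R xor k_r] with random bijective S-boxes, all constructed here) shows that the approximation with a nonzero mask on the right input half only and the same mask on the left output half only has correlation exactly zero over 5 rounds, whatever the keys and S-boxes. The toy cipher, the seeds and the mask convention (input mask (0,u) means u on the right half) are this example's assumptions.

```python
"""Exact linear correlations of a small permutation via the Walsh-Hadamard
transform, and a structural zero-correlation approximation of a toy Feistel.

Added example, not the paper's algorithm: one fast Walsh-Hadamard transform
per output mask b yields cor[b][a] for every input mask a in n*2^n operations."""
import random


def walsh_correlations(perm, n):
    """cor[b][a] = 2^-n * sum_x (-1)^(a.x ^ b.perm[x]) for all masks a, b."""
    size = 1 << n
    cor = []
    for b in range(size):
        f = [1 - 2 * (bin(b & perm[x]).count("1") & 1) for x in range(size)]
        step = 1
        while step < size:                     # in-place fast Walsh-Hadamard transform
            for i in range(0, size, 2 * step):
                for j in range(i, i + step):
                    u, v = f[j], f[j + step]
                    f[j], f[j + step] = u + v, u - v
            step *= 2
        cor.append([v / size for v in f])
    return cor


def zero_correlation_masks(perm, n):
    """All (a, b) with a, b != 0 whose correlation is exactly zero."""
    cor = walsh_correlations(perm, n)
    return [(a, b) for b in range(1, 1 << n) for a in range(1, 1 << n) if cor[b][a] == 0]


def toy_feistel_perm(rounds, seed):
    """8-bit permutation: Feistel rounds on 4-bit halves with F_r(R) = S_r[R ^ k_r]
    (constructed toy; S-boxes and keys drawn from the seed)."""
    rng = random.Random(seed)
    sboxes, keys = [], []
    for _ in range(rounds):
        s = list(range(16))
        rng.shuffle(s)                         # a random bijective S-box
        sboxes.append(s)
        keys.append(rng.randrange(16))

    def enc(x):
        L, R = x >> 4, x & 0xF
        for s, k in zip(sboxes, keys):
            L, R = R, L ^ s[R ^ k]
        return (L << 4) | R

    return [enc(x) for x in range(256)]


def feistel_hull_correlations(rounds, seed=3):
    """Correlations of input mask (0,u) -> output mask (u,0) for u = 1..15.
    Over 5 rounds every linear trail of this hull forces some round function to
    take input mask 0 with a nonzero output mask, which has correlation zero for
    a bijective F; the hull correlation is therefore exactly zero for any keys."""
    cor = walsh_correlations(toy_feistel_perm(rounds, seed), 8)
    return [cor[u << 4][u] for u in range(1, 16)]


if __name__ == "__main__":
    print(feistel_hull_correlations(5))
    print(len(zero_correlation_masks(toy_feistel_perm(5, 3), 8)), "zero-correlation mask pairs")
```

The 5-round result is structural: it does not depend on the S-boxes or keys, only on the round function being bijective, which is what makes such approximations usable as distinguishers without knowing the key.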

8.
Analysis of a chaos-based block cipher for wireless sensor networks (WSN) reveals a fatal security flaw: the number of rounds is too small and the calculation precision of the round function is too low. The scheme can be cryptanalysed with differential cryptanalysis. First, the third-round key is recovered by a chosen-plaintext attack based on the characteristics of the round function. Then, the second-round key is deduced from the relationship between the second- and third-round subkeys. Building on these, the first-round key is recovered by brute force. Finally, using the properties of the Feistel structure, the fourth-round key is obtained as well. With all round keys recovered, any ciphertext can be decrypted; the encryption scheme is therefore shown to be insecure.

9.
This paper deals with a synchronization scheme for two fractional-order chaotic systems, applied to image encryption. Based on Pecora–Carroll (PC) synchronization, a fractional-order Lorenz-like system forms a master–slave configuration, and sufficient conditions for synchronization between the two systems are derived via Laplace transform theory. An image encryption algorithm is introduced in which the original image is encoded by a nonlinear function of a fractional chaotic state. Simulation results show that the original image is well masked in the ciphertext and recovered successfully through the chaotic signals. Further, the cryptanalysis is conducted in detail through histogram, information entropy, key space and key sensitivity tests to support the claimed security.

10.
The general strategy of impossible differential cryptanalysis is to first find impossible differentials and then exploit them to retrieve subkey material from the outer rounds of a block cipher. Impossible differentials are therefore one of the crucial factors in how resistant a block cipher is to impossible differential cryptanalysis. In this article, we introduce a widely applicable matrix method to find impossible differentials of block cipher structures whose round functions are bijective. Using this method, we find various impossible differentials of known block cipher structures: Nyberg's generalized Feistel network, a generalized CAST256-like structure, a generalized MARS-like structure, a generalized RC6-like structure, Rijndael structures and generalized Skipjack-like structures. We expect that the matrix method developed in this article will be useful for evaluating the security of block ciphers against impossible differential cryptanalysis, especially when one tries to design a block cipher with a secure structure.
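A miss-in-the-middle search for impossible differentials of a balanced Feistel network, as an added example that is not the paper's matrix method (it also illustrates the impossible differential technique discussed in entries 1 and 3): differences are propagated symbolically from the plaintext and ciphertext sides, the contradiction check uses only the bijectivity of the round function, and a brute-force run on a constructed toy instance confirms the result. The symbolic encoding, the toy cipher and the seeds are this example's assumptions. With the swap kept in the last round the impossible differential reads (a,0) -> (0,a); with the final swap omitted, as most Feistel ciphers do, it is the familiar (a,0) -> (a,0).

```python
"""Miss-in-the-middle search for impossible differentials of a balanced Feistel
network, with a brute-force check on a toy instance (added example).

Differences are kept as XOR-sums (frozensets) of atoms: 'a' is the chosen
nonzero difference, 'f<r>' the output difference of the round-r function F_r.
An atom is provably nonzero when it is 'a' or the output of a bijective F whose
input difference was a single provably-nonzero atom. Two expressions for the
same half contradict when they differ by exactly one provably-nonzero atom."""
import random

ZERO = frozenset()


def f_diff(rnd, delta, nonzero):
    """Difference through bijective F_rnd for input difference delta."""
    if not delta:
        return ZERO                       # equal inputs give equal outputs
    atom = f"f{rnd}"
    if len(delta) == 1 and delta <= nonzero:
        nonzero.add(atom)                 # bijective: nonzero in -> nonzero out
    return frozenset({atom})              # otherwise the output may be zero


def forward(rounds, start, nonzero):
    """Round i: (L, R) -> (R, L ^ F_i(R)); difference after `rounds` rounds."""
    L, R = frozenset(start[0]), frozenset(start[1])
    for i in range(1, rounds + 1):
        L, R = R, L ^ f_diff(i, R, nonzero)
    return L, R


def backward(total, rounds, end, nonzero):
    """Undo rounds total, total-1, ... starting from the output difference `end`."""
    L, R = frozenset(end[0]), frozenset(end[1])
    for i in range(total, total - rounds, -1):
        L, R = R ^ f_diff(i, L, nonzero), L
    return L, R


def contradicts(fw, bw, nonzero):
    return any(len(x ^ y) == 1 and (x ^ y) <= nonzero for x, y in zip(fw, bw))


def find_impossible(total, d_in, d_out):
    """Smallest k such that k forward rounds from d_in and total-k backward
    rounds from d_out cannot meet; None if no contradiction is found."""
    for k in range(total + 1):
        nonzero = {"a"}                   # fresh bookkeeping per split
        fw = forward(k, d_in, nonzero)
        bw = backward(total, total - k, d_out, nonzero)
        if contradicts(fw, bw, nonzero):
            return k
    return None


# --- brute-force confirmation on a constructed toy Feistel with 4-bit halves --
def toy_feistel(x, keys, sboxes):
    L, R = x >> 4, x & 0xF
    for k, s in zip(keys, sboxes):
        L, R = R, L ^ s[R ^ k]            # S-box lookup: a bijective round function
    return (L << 4) | R


def count_right_pairs(rounds, seed=1):
    """Pairs with input difference (a,0) and output difference (0,a), over all a."""
    rng = random.Random(seed)
    sboxes = []
    for _ in range(rounds):
        s = list(range(16))
        rng.shuffle(s)
        sboxes.append(s)
    keys = [rng.randrange(16) for _ in range(rounds)]
    hits = 0
    for a in range(1, 16):
        for p in range(256):
            if toy_feistel(p, keys, sboxes) ^ toy_feistel(p ^ (a << 4), keys, sboxes) == a:
                hits += 1
    return hits


if __name__ == "__main__":
    print("split found at k =", find_impossible(5, ({"a"}, set()), (set(), {"a"})))
    print("5-round right pairs:", count_right_pairs(5), "(4 rounds:", count_right_pairs(4), ")")
```

The contradiction the search reports is the textbook one: after round 1 the right half has difference exactly a, while working back from the output the same half must equal a xor F_3(nonzero), which cannot be a when F_3 is bijective.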

11.
Key-dependent S-boxes gained some prominence in block cipher design when Twofish became an AES finalist. In this paper we make some observations on how the cryptanalyst might work with key-dependent S-boxes, begin to develop a framework for the differential cryptanalysis of key-dependent S-boxes, and introduce some basic techniques that were used in an analysis of reduced-round Twofish.

12.
At Crypto '85, Desmedt and Odlyzko described a chosen-ciphertext attack against plain RSA encryption. The technique also applies to RSA signatures, where it yields an existential forgery under a chosen-message attack. The potential of this attack remained untapped until a tweak to the technique made it effective against two very popular RSA signature standards, namely ISO/IEC 9796-1 and ISO/IEC 9796-2. Following these attacks, ISO/IEC 9796-1 was withdrawn and ISO/IEC 9796-2 amended. In this paper, we explain Desmedt and Odlyzko's attack in detail as well as its application to the cryptanalysis of ISO/IEC 9796-2. AMS Classification: 11T71, 14G50, 94A60
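The Desmedt–Odlyzko forgery described above, as an added worked example (not code from the paper, and not ISO/IEC 9796-2 itself): the victim signs the value of a short hash with textbook RSA, so a chosen-message attacker collects signatures on messages whose hash is smooth over a small factor base, solves a linear system modulo e over the exponent vectors, and assembles a valid signature on a message that was never submitted to the signer. The 20-bit hash, the tiny RSA modulus, the factor-base bound and the message format are constructed assumptions of this example; it needs Python 3.8 or later for modular inverses via pow().

```python
"""Desmedt-Odlyzko chosen-message forgery against 'textbook RSA on a short hash'.

Constructed toy: the signer computes h(m)^d mod N with a 20-bit hash, so h(m)
is often smooth over a small factor base. The attacker gets signatures on
smooth-hash messages, solves a linear system modulo e, and combines them."""
import hashlib
import random

P, Q = 1000000007, 998244353       # small known primes; nowhere near real RSA size
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
HASH_BITS = 20                     # the flaw: a hash this short is frequently smooth


def h(msg):
    """Toy hash: low 20 bits of SHA-256, forced nonzero (constructed weakness)."""
    return int.from_bytes(hashlib.sha256(msg).digest()[-3:], "big") & ((1 << HASH_BITS) - 1) or 1


def sign(msg):                     # the signing oracle the attacker may query
    return pow(h(msg), D, N)


def verify(msg, sig):
    return pow(sig, E, N) == h(msg)


def primes_upto(b):
    flags = bytearray([1]) * (b + 1)
    for i in range(2, int(b ** 0.5) + 1):
        if flags[i]:
            flags[i * i::i] = bytearray(len(flags[i * i::i]))
    return [p for p in range(2, b + 1) if flags[p]]


def smooth_exponents(x, fb):
    """Exponent vector of x over the factor base fb, or None if x is not smooth."""
    vec = []
    for p in fb:
        k = 0
        while x % p == 0:
            x //= p
            k += 1
        vec.append(k)
    return vec if x == 1 else None


def solve_mod(rows, target, m):
    """Find c with sum_i c_i * rows[i] == target (mod prime m); None if unsolvable."""
    n, k = len(target), len(rows)
    M = [[rows[i][j] % m for i in range(k)] + [target[j] % m] for j in range(n)]
    pivots, r = [], 0
    for col in range(k):                           # Gauss-Jordan elimination over F_m
        piv = next((i for i in range(r, n) if M[i][col]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][col], -1, m)
        M[r] = [x * inv % m for x in M[r]]
        for i in range(n):
            if i != r and M[i][col]:
                f = M[i][col]
                M[i] = [(x - f * y) % m for x, y in zip(M[i], M[r])]
        pivots.append(col)
        r += 1
        if r == n:
            break
    if any(M[i][-1] for i in range(r, n)):
        return None                # target not in the span of the relations yet
    c = [0] * k
    for i, col in enumerate(pivots):
        c[col] = M[i][-1]
    return c


def forge(target, relations, fb):
    """relations: (message, exponent vector, genuine signature) from the oracle."""
    tvec = smooth_exponents(h(target), fb)
    c = solve_mod([v for _, v, _ in relations], tvec, E) if tvec is not None else None
    if c is None:
        return None
    sig = 1
    for c_i, (_, _, s) in zip(c, relations):
        sig = sig * pow(s, c_i, N) % N            # product of sigma_i^c_i
    for j, p in enumerate(fb):
        gamma = tvec[j] - sum(c_i * v[j] for c_i, (_, v, _) in zip(c, relations))
        sig = sig * pow(p, gamma // E, N) % N     # gamma = E*g, and p^(d*E*g) = p^g mod N
    return sig


def run_attack(seed=7, bound=100, batch=64):
    """Return (target message, forged signature, number of oracle queries)."""
    fb, rng = primes_upto(bound), random.Random(seed)

    def next_smooth():
        while True:                               # constructed chosen messages
            msg = b"invoice-%d" % rng.randrange(1 << 32)
            vec = smooth_exponents(h(msg), fb)
            if vec is not None:
                return msg, vec

    target, relations = next_smooth()[0], []     # target is never sent to the signer
    while True:
        for _ in range(batch):
            msg, vec = next_smooth()
            relations.append((msg, vec, sign(msg)))
        sig = forge(target, relations, fb)
        if sig is not None:
            return target, sig, len(relations)
```

The attack needs nothing but the signer's willingness to sign attacker-chosen messages and a hash whose range is small enough to be smooth often; lengthening the hash to the modulus size with a randomised encoding (as the amended standard does) is what removes it.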

13.
Klein et al. proposed a key exchange protocol using chaos synchronization. The protocol comprises two parties with chaotic dynamics that are mutually coupled and undergo a synchronization process, at the end of which they can use their identical dynamical state as an encryption key. From a cryptographic point of view, their key exchange protocol is a key agreement protocol. Klein et al. claimed that their key agreement can be carried out over a public channel. In order to increase the key space and decrease the calculation precision required, they extended the system to a network of N Lorenz equations. In this paper, we provide a cryptanalysis of their key agreement protocol. We first point out some weaknesses, and then show that their protocol is not secure against several attacks, including an impersonation attack.

14.
In this paper, we are concerned with the security of block ciphers against linear cryptanalysis and discuss the distance between the so-called practical security approach and the actual theoretical security provided by a given cipher. For this purpose, we present a number of illustrative experiments performed against small (i.e. computationally tractable) ciphers. We compare the linear probability of the best linear characteristic with the actual best linear probability (averaged over all keys). We also test the key equivalence hypothesis. Our experiments illustrate both that provable security against linear cryptanalysis is not achieved by present design strategies and that the practical security approach remains relevant. Finally, we discuss the (im)possibility of deriving actual design criteria from the intuitions underlying these experiments. F.-X. Standaert is a Postdoctoral Researcher of the Belgian Fund for Scientific Research (FNRS).

15.
In this paper, a novel image encryption scheme is proposed based on reversible cellular automata (RCA) combined with chaos. The algorithm uses an intertwining logistic map with complex behaviour and periodic-boundary reversible cellular automata. Each pixel of the image is split into units of 4 bits, and in the confusion stage a pseudorandom key stream generated by the intertwining logistic map is used to permute these units. In the diffusion stage, two-dimensional reversible cellular automata (discrete dynamical systems) are iterated for many rounds to achieve bit-level diffusion; only the higher 4 bits of each pixel are considered, because the higher 4 bits carry almost all of the information of an image. Theoretical analysis and experimental results indicate that the proposed algorithm achieves a high security level and performs well against common attacks such as differential and statistical attacks. The algorithm belongs to the class of symmetric systems.

16.
Recently [Solak E, Çokal C, Yildiz OT, Biyikoğlu T. Cryptanalysis of Fridrich's chaotic image encryption. Int J Bifur Chaos 2010;20:1405-1413] cryptanalyzed the chaotic image encryption algorithm of [Fridrich J. Symmetric ciphers based on two-dimensional chaotic maps. Int J Bifur Chaos 1998;8(6):1259-1284], which was considered a benchmark for measuring the security of many image encryption algorithms. This attack can also be applied to other encryption algorithms with a structure similar to Fridrich's, such as that of [Chen G, Mao Y, Chui C. A symmetric image encryption scheme based on 3D chaotic cat maps. Chaos Soliton Fract 2004;21:749-761]. In this paper, we suggest a novel image encryption algorithm based on a three-dimensional (3D) chaotic map that can defeat the aforementioned attack, among other existing attacks. The design of the proposed algorithm is simple and efficient, and consists of three phases which provide the properties required of a secure image encryption algorithm, including confusion and diffusion. In phase I, the image pixels are shuffled according to a search rule based on the 3D chaotic map. In phases II and III, 3D chaotic maps are used to scramble the shuffled pixels through mixing and masking rules, respectively. Simulation results show that the suggested algorithm satisfies the required performance tests such as a high security level, a large key space and acceptable encryption speed. These characteristics make it a suitable candidate for use in cryptographic applications.

17.
In this paper, an efficient self-adaptive model for a chaotic image encryption algorithm is proposed. Using the classical permutation-diffusion structure and two simple two-dimensional chaotic systems, an efficient and fast encryption algorithm is designed. Unlike most existing methods, which have been found insecure against chosen-plaintext or known-plaintext attacks on the permutation or diffusion stage, the keystream generated in both operations of our method depends on the plain-image. Different plain-images therefore have different keystreams in both stages, even if only a single bit of the plain-image is changed. This design avoids the problem of a fixed chaotic sequence being produced from the same initial conditions for different images. Moreover, the operation speed is high because costly numerical methods, such as Runge–Kutta integration of high-dimensional differential equations, are avoided. Numerical experiments show that the proposed self-adaptive method resists chosen-plaintext and known-plaintext attacks and has high security and efficiency.

18.
An image scrambling encryption scheme for pixel bits was presented by Ye [Ye GD. Image scrambling encryption algorithm of pixel bit based on chaos map. Pattern Recognit Lett 2010;31:347-54], which can be seen as a typical binary image scrambling encryption when viewed on the bit-plane of size M × (8N). Recently, however, some defects in the original image encryption scheme (Ye's scheme) were observed by Li and Lo [Li CQ, Lo KT. Optimal quantitative cryptanalysis of permutation-only multimedia ciphers against plaintext attacks. Signal Process 2011;91:949-54]. In the attack proposed by Li and Lo, at least 3 + ⌈log2(MN)⌉ plain images of size M × N are used to reveal the permutation matrix W = [w(ik)] (i ∈ {1, 2, … , M}; k ∈ {1, 2, … , 8N}), which can then be applied to recover the exact plain image. In the current paper, one type of special plain image/cipher image is first used to analyse the security weakness of the original image scrambling scheme. According to our attack, the final encryption vectors TM and TN, or the decryption vectors TM′ and TN′, are revealed completely. To demonstrate the performance of our attack, a quantified comparison is drawn between our attack and the attack proposed by Li and Lo. Compared with Li and Lo's attack, our attack is more efficient under general conditions. In particular, when the image sizes satisfy the condition M = N or M ? 8N, the number of plain images/cipher images used is at most 9, which is sharply less than 3 + ⌈log2(MN)⌉ when M and N are large. To overcome the weaknesses of the original scheme, an improved image scrambling encryption scheme is proposed in this paper. In the improved scheme, the idea of the "self-correlation" method is used to resist chosen-plaintext and known-plaintext attacks.
The corresponding simulations and analyses illustrate that the improved encryption method has good cryptographic properties and overcomes the weakness of the original image encryption scheme. Finally, further improvement is briefly presented as future work.
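A chosen-plaintext recovery of a bit-level permutation, as an added example (not the code of Ye, of Li and Lo, or of this paper): any permutation-only cipher over the M × 8N bit positions is recovered with ⌈log2(8MN)⌉ = 3 + ⌈log2(MN)⌉ chosen images, because a chosen image can carry one bit of every position's index, so that each ciphertext position spells out the index it was copied from, one bit per query. Once the permutation is known, every ciphertext under that key decrypts directly. The cipher below is a constructed stand-in in which a seeded shuffle plays the role of the chaos-driven permutation; the attack does not depend on how the permutation was generated. Image size, key and the sample image are assumptions of this example.

```python
"""Chosen-plaintext recovery of a permutation-only (bit-scrambling) image cipher.

Added example. The cipher is a stand-in: the key seeds a random permutation of
the M x 8N bit plane, which is the structure the attack exploits; the chaotic
map that generates the permutation in the original scheme is irrelevant to it."""
import random


def key_to_permutation(key, n_bits):
    """Stand-in for the chaos-driven permutation: a seeded shuffle of bit positions."""
    perm = list(range(n_bits))
    random.Random(key).shuffle(perm)
    return perm


def image_to_bits(img):
    """Row-major pixels (0..255), each expanded to 8 bits, LSB first."""
    return [(px >> b) & 1 for row in img for px in row for b in range(8)]


def bits_to_image(bits, width):
    px = [sum(bits[i + b] << b for b in range(8)) for i in range(0, len(bits), 8)]
    return [px[i:i + width] for i in range(0, len(px), width)]


def encrypt(img, key):
    """Permutation-only cipher: ciphertext bit j is plaintext bit perm[j]."""
    bits = image_to_bits(img)
    perm = key_to_permutation(key, len(bits))
    return bits_to_image([bits[p] for p in perm], len(img[0]))


def decrypt_with(perm, cimg):
    """Invert the permutation once it is known (no key needed)."""
    cbits = image_to_bits(cimg)
    pbits = [0] * len(cbits)
    for j, p in enumerate(perm):
        pbits[p] = cbits[j]
    return bits_to_image(pbits, len(cimg[0]))


def queries_needed(height, width):
    """ceil(log2(8*M*N)) = 3 + ceil(log2(M*N)) chosen images."""
    return max(1, (8 * height * width - 1).bit_length())


def recover_permutation(oracle, height, width):
    """Chosen image t carries, at every bit position i, bit t of the index i.
    Ciphertext position j then holds bit t of perm[j] for every t."""
    n_bits = 8 * height * width
    queries = queries_needed(height, width)
    cts = []
    for t in range(queries):
        chosen = bits_to_image([(i >> t) & 1 for i in range(n_bits)], width)
        cts.append(image_to_bits(oracle(chosen)))
    return [sum(cts[t][j] << t for t in range(queries)) for j in range(n_bits)]


if __name__ == "__main__":
    KEY, H, W = 12345, 4, 6                                   # assumed key and image size
    perm = recover_permutation(lambda img: encrypt(img, KEY), H, W)
    secret = [[(r * W + c) * 7 % 256 for c in range(W)] for r in range(H)]   # constructed image
    print("queries:", queries_needed(H, W),
          "recovered:", decrypt_with(perm, encrypt(secret, KEY)) == secret)
```

The known-plaintext variant only differs in that the attacker cannot choose the bit patterns and must instead wait until the observed plaintexts happen to separate every pair of positions, which is why it needs more images and gives a probabilistic rather than exact count.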

19.
We propose a modification of standard arithmetic coding that can be applied to multimedia coding standards at the entropy coding stage. In particular, we introduce a randomized arithmetic coding scheme based on an order-1 Markov model that achieves encryption by scrambling the symbol order in the model and choosing the relevant order's probability randomly, with higher compression efficiency and good security. Experimental results and security analyses indicate that the algorithm not only resists existing attacks based on arithmetic coding, but is also immune to other cryptanalysis.
