Similar literature
1.
Research progress in impossible differential cryptanalysis   Cited by: 1 (self-citations: 0, citations by others: 1)
Impossible differential cryptanalysis, a variant of differential cryptanalysis, is a simple and effective cryptanalytic method and is currently one of the most widely used. Since it was proposed it has been applied broadly, to analyse a large number of algorithms and cipher structures. In particular, attacks on AES in recent years have produced a series of very strong results, making impossible differential cryptanalysis one of the most effective attacks on AES. This paper systematically introduces the principles, common techniques and attack methods of impossible differential cryptanalysis, and summarises the current state of research and the attack results obtained so far. Finally, it analyses the advantages and disadvantages of impossible differential attacks and their role in the design and analysis of block ciphers.

2.
In this paper we look at the security of two block ciphers which were both claimed in the published literature to be secure against differential cryptanalysis (DC). However, a more careful examination shows that none of these ciphers is very secure against... differential cryptanalysis, in particular if we consider attacks with sets of differentials. For both these ciphers we report new perfectly periodic (iterative) aggregated differential attacks which propagate with quite high probabilities. The first cipher we look at is GOST, a well-known Russian government encryption standard. The second cipher we look at is PP-1, a very recent Polish block cipher. Both ciphers were designed to withstand linear and differential cryptanalysis. Unhappily, both ciphers are shown to be much weaker than expected against advanced differential attacks. For GOST, we report better and stronger sets of differentials than the best currently known attacks presented at SAC 2000 [32] and propose the first attack ever able to distinguish 16 rounds of GOST from a random permutation. For PP-1 we show that, in spite of the fact that its S-box has an optimal theoretical security level against differential cryptanalysis [17], [29], our differentials are strong enough to allow us to break all the known versions of the PP-1 cipher.

3.
Zero-correlation linear attack is a new method developed by Bogdanov et al. (ASIACRYPT 2012. LNCS, Springer, Berlin, 2012) for the cryptanalysis of block ciphers. In this paper we adapt the matrix method to find zero-correlation linear approximations. Then we present several zero-correlation linear approximations for 14 rounds of LBlock and describe a cryptanalysis of a reduced 22-round version of LBlock. After biclique attacks on LBlock revealed weaknesses in its key schedule, its designers presented a new version of the cipher with a revised key schedule. The attack presented in this paper does not exploit the structure of the key schedule or the S-boxes used in the cipher. As a result, it is applicable to both variants of LBlock as well as to block ciphers with analogous structures, such as TWINE. Moreover, we performed simulations on a small variant of LBlock and present the first experimental results on the theoretical model of the multidimensional zero-correlation linear cryptanalysis method.

4.
The Advanced Encryption Standard (AES) is a 128-bit block cipher with a user key of 128, 192 or 256 bits, released by NIST in 2001 as the next-generation data encryption standard for use in the USA. It was adopted as an ISO international standard in 2005. Impossible differential cryptanalysis and the boomerang attack are powerful variants of differential cryptanalysis for analysing the security of a block cipher. In this paper, building on the notions of impossible differential cryptanalysis and the boomerang attack, we propose a new cryptanalytic technique, which we call the impossible boomerang attack, and then describe an extension of this attack which applies in a related-key attack scenario. Finally, we apply the impossible boomerang attack to break 6-round AES with 128 key bits and 7-round AES with 192/256 key bits, and using two related keys we apply the related-key impossible boomerang attack to break 8-round AES with 192 key bits and 9-round AES with 256 key bits. In the two-key related-key attack scenario, our results, which were the first to achieve this amount of attacked rounds, match the best currently known results for AES with 192/256 key bits in terms of the numbers of attacked rounds. The (related-key) impossible boomerang attack is a general cryptanalytic technique, and can potentially be used to cryptanalyse other block ciphers.

5.
For the provable security of a block cipher against impossible differential cryptanalysis, the maximal length of impossible differentials is an essential aspect. Most previous work on finding impossible differentials for AES omits the non-linear component (the S-box), which is important for security. At EUROCRYPT 2016, Sun et al. showed how to bound the length of impossible differentials of an SPN "structure" using the primitive index of its linear layer. They proved that there do not exist impossible differentials longer than four rounds for the AES "structure", as opposed to the AES cipher. Since they do not consider the details of the S-box, their bound does not apply to a concrete cipher. With their result, the upper bound on the length of impossible differentials for AES is still unknown. We fill this gap in our paper. By revealing some important properties of the AES S-box, we further prove that, even when the details of the S-box are considered, there do not exist truncated impossible differentials covering more than four rounds for AES, under the assumption that round keys are independent and uniformly random. In particular, even when the details of both the S-box and the key schedule are considered, there do not exist truncated impossible differentials covering more than four rounds for AES-256.

6.
Linear cryptanalysis and differential cryptanalysis are two recently introduced, powerful methodologies for attacking private-key block ciphers. In this paper, we examine the application of these two cryptanalysis techniques to a CAST-like encryption algorithm. It is shown that, when randomly generated substitution boxes (s-boxes) are used in a CAST-like encryption algorithm, the resulting cipher is resistant to both the linear attack and the differential attack.

7.
Linear cryptanalysis, along with differential cryptanalysis, is an important tool to evaluate the security of block ciphers. This work introduces a novel extension of linear cryptanalysis: zero-correlation linear cryptanalysis, a technique applicable to many block cipher constructions. It is based on linear approximations with a correlation value of exactly zero. For a permutation on n bits, an algorithm of complexity \(2^{n-1}\) is proposed for the exact evaluation of correlation. Non-trivial zero-correlation linear approximations are demonstrated for various block cipher structures including AES, balanced Feistel networks, Skipjack, CLEFIA, and CAST256. As an example, using zero-correlation linear cryptanalysis, a key-recovery attack is shown on 6 rounds of AES-192 and AES-256 as well as 13 rounds of CLEFIA-256.

8.
In this article we analyze viscosity solutions of the one phase Hele-Shaw problem in the plane and the corresponding free boundaries near a singularity. We find, up to order of magnitude, the speed at which the free boundary moves starting from a wedge, cusp, or finger-type singularity. Maximum principle-type arguments play a key role in the analysis.

9.
In this article, we define a new class of middle dimensional submanifolds of a Hyperkähler manifold which contains the class of complex Lagrangian submanifolds, and show that this larger class is invariant under the mean curvature flow. Along the flow, the complex phase map satisfies the generalized harmonic map heat equation. It is also related to the mean curvature vector via a first order differential equation. Moreover, we prove a result on the nonexistence of Type I singularities.

10.
Wynn used generalized inverses to interpret continued fractions containing vector-valued elements. This approach led to the introduction of generalized inverse, vector-valued Padé approximants (GIPAs). All possible cases of degeneracy of GIPAs are analysed in this paper. We derive linear equations for the coefficients of the denominator polynomial of a GIPA. The solution of these equations allows construction of a GIPA in all cases where such a GIPA exists. We show that the block structure of the table of GIPAs is precisely analogous to that of the Padé table. Communicated by Edward B. Saff.

11.
We present an efficient block-wise update scheme for the QR decomposition of block tridiagonal and block Hessenberg matrices. For example, such matrices come up in generalizations of the Krylov space solvers MinRes, SymmLQ, GMRes, and QMR to block methods for linear systems of equations with multiple right-hand sides. In the non-block case it is very efficient (and, in fact, standard) to use Givens rotations for these QR decompositions. Normally, the same approach is also used with column-wise updates in the block case. However, we show that, even for small block sizes, block-wise updates using (in general, complex) Householder reflections instead of Givens rotations are far more efficient in this case, in particular if the unitary transformations that incorporate the reflections determined by a whole block are computed explicitly. Naturally, the bigger the block size the bigger the savings. We discuss the somewhat complicated algorithmic details of this block-wise update, and present numerical experiments on accuracy and timing for the various options (Givens vs. Householder, block-wise vs. column-wise update, explicit vs. implicit computation of unitary transformations). Our treatment allows variable block sizes and can be adapted to block Hessenberg matrices that do not have the special structure encountered in the above mentioned block Krylov space solvers.

12.
In this paper we consider nonlinear-dependent systems with multivalued perturbations in the framework of an evolution triple of spaces. First we prove a surjectivity result for generalized pseudomonotone operators and then we establish two existence theorems: the first for a periodic problem and the second for a Cauchy problem. As applications we work out in detail a periodic nonlinear parabolic partial differential equation and an optimal control problem for a system driven by a nonlinear parabolic equation.

13.
Generalized cardinal B-splines are defined as convolution products of characteristic functions of self-affine lattice tiles with respect to a given integer scaling matrix. By construction, these generalized splines are refinable functions with respect to the scaling matrix and therefore they can be used to define a multiresolution analysis and to construct a wavelet basis. In this paper, we study the stability and linear independence properties of the integer translates of these generalized spline functions. Moreover, we give a characterization of the scaling matrices to which the construction of the generalized spline functions can be applied.

14.
We prove convergence for the basic LR algorithm on a real unreduced tridiagonal matrix with a one-point spectrum—the Jordan form is one big Jordan block. First we develop properties of eigenvector matrices. We also show how to deal with the singular case.

15.
In this article we introduce a new notion of differential forms to describe the cohomology associated to the sheaf of regular functions in several quaternionic variables. We then use these differential forms to introduce and describe concretely a sheaf of quaternionic hyperfunctions as boundary values of regular functions in two quaternionic variables. We show how these ideas can be generalized to the case of monogenic functions in two vector variables with values in a Clifford algebra.

16.
The recursive method for computing the generalized LM-inverse of a constant rectangular matrix augmented by a column vector was proposed by Udwadia and Phohomsiri (2007) [16] and [17]. The corresponding algorithm for the sequential determination of the generalized LM-inverse is established in the present paper. We prove that the introduced algorithm for computing the generalized LM-inverse and the algorithm for the computation of the weighted Moore-Penrose inverse developed by Wang and Chen (1986) in [23] are equivalent algorithms. Both algorithms are implemented in the present paper using the package MATHEMATICA. Several rational test matrices and randomly generated constant matrices are tested, and the CPU time is compared and discussed.

17.
Security against differential and linear cryptanalysis is an essential requirement for modern block ciphers. This measure is usually evaluated by finding a lower bound for the minimum number of active S-boxes. The 128-bit block cipher AES, which was adopted by the National Institute of Standards and Technology (NIST) as a symmetric encryption standard in 2001, is a member of the Rijndael family of block ciphers. For Rijndael, the block length and the key length can be independently specified as 128, 192 or 256 bits. It has been proved that for all variants of Rijndael the lower bound on the number of active S-boxes for any 4-round differential or linear trail is 25, and that for 4r (\(r \ge 1\)) rounds 25r active S-boxes is a tight bound only for Rijndael with block length 128. In this paper, a new counting method is introduced to find tighter lower bounds for the minimum number of active S-boxes over several consecutive rounds of Rijndael with larger block lengths. The new method shows that 12 and 14 rounds of Rijndael with 192-bit block length have at least 87 and 103 active S-boxes, respectively. Also, the corresponding bounds for Rijndael with a 256-bit block are 105 and 120, respectively. Additionally, a modified version of Rijndael-192 is proposed for which the minimum number of active S-boxes is greater than that of Rijndael-192. Moreover, we extend the method to obtain a better lower bound on the number of active S-boxes for the block cipher 3D. Our counting method shows that, for example, 20 and 22 rounds of 3D have at least 185 and 205 active S-boxes, respectively.

18.
In this paper we determine all collapsing transformation monoids that contain at least one unary constant operation and whose nonconstant operations are permutations. Furthermore, we find an infinite family of transformation monoids that consist of at least three unary constant operations and some permutations for which the corresponding monoidal intervals are 2-element chains. This research is supported by Hungarian National Foundation for Scientific Research grant nos. T 37877 and K 60148.

19.
In this article we study the hyperbolicity in the Gromov sense of metric spaces. We deduce the hyperbolicity of a space from the hyperbolicity of its "building block components," which can be joined following an arbitrary scheme. These results are especially valuable since they simplify the topology notably and allow one to obtain global results from local information. Some interesting theorems about the role of punctures and funnels on the hyperbolicity of Riemann surfaces can be deduced from the conclusions of this article.

20.
In this paper, we are concerned with the security of block ciphers against linear cryptanalysis and discuss the distance between the so-called practical security approach and the actual theoretical security provided by a given cipher. For this purpose, we present a number of illustrative experiments performed against small (i.e. computationally tractable) ciphers. We compare the linear probability of the best linear characteristic and the actual best linear probability (averaged over all keys). We also test the key equivalence hypothesis. Our experiments illustrate both that provable security against linear cryptanalysis is not achieved by present design strategies and the relevance of the practical security approach. Finally, we discuss the (im)possibility of deriving actual design criteria from the intuitions underlying these experiments. F.-X. Standaert is a Postdoctoral researcher of the Belgian Fund for Scientific Research (FNRS).
