Impossible differential cryptanalysis using matrix method

The general strategy of impossible differential cryptanalysis is to first find impossible differentials and then exploit them for retrieving subkey material from the outer rounds of block ciphers. Thus, impossible differentials are one of the crucial factors to see how much the underlying block ciphers are resistant to impossible differential cryptanalysis. In this article, we introduce a widely applicable matrix method to find impossible differentials of block cipher structures whose round functions are bijective. Using this method, we find various impossible differentials of known block cipher structures: Nyberg’s generalized Feistel network, a generalized CAST256-like structure, a generalized MARS-like structure, a generalized RC6-like structure, Rijndael structures and generalized Skipjack-like structures. We expect that the matrix method developed in this article will be useful for evaluating the security of block ciphers against impossible differential cryptanalysis, especially when one tries to design a block cipher with a secure structure.     

The (related-key) impossible boomerang attack and its application to the AES block cipher

The Advanced Encryption Standard (AES) is a 128-bit block cipher with a user key of 128, 192 or 256 bits, released by NIST in 2001 as the next-generation data encryption standard for use in the USA. It was adopted as an ISO international standard in 2005. Impossible differential cryptanalysis and the boomerang attack are powerful variants of differential cryptanalysis for analysing the security of a block cipher. In this paper, building on the notions of impossible differential cryptanalysis and the boomerang attack, we propose a new cryptanalytic technique, which we call the impossible boomerang attack, and then describe an extension of this attack which applies in a related-key attack scenario. Finally, we apply the impossible boomerang attack to break 6-round AES with 128 key bits and 7-round AES with 192/256 key bits, and using two related keys we apply the related-key impossible boomerang attack to break 8-round AES with 192 key bits and 9-round AES with 256 key bits. In the two-key related-key attack scenario, our results, which were the first to achieve this amount of attacked rounds, match the best currently known results for AES with 192/256 key bits in terms of the numbers of attacked rounds. The (related-key) impossible boomerang attack is a general cryptanalytic technique, and can potentially be used to cryptanalyse other block ciphers.     

Aggregated differentials and cryptanalysis of PP-1 and gost

In this paper we look at the security of two block ciphers which were both claimed in the published literature to be secure against differential crypt-analysis (DC). However, a more careful examination shows that none of these ciphers is very secure against... differential cryptanalysis, in particular if we consider attacks with sets of differentials. For both these ciphers we report new perfectly periodic (iterative) aggregated differential attacks which propagate with quite high probabilities. The first cipher we look at is GOST, a well-known Russian government encryption standard. The second cipher we look at is PP-1, a very recent Polish block cipher. Both ciphers were designed to withstand linear and differential cryptanalysis. Unhappily, both ciphers are shown to be much weaker than expected against advanced differential attacks. For GOST, we report better and stronger sets of differentials than the best currently known attacks presented at SAC 2000 [32] and propose the first attack ever able to distinguish 16 rounds of GOST from random permutation. For PP-1 we show that in spite of the fact, that its S-box has an optimal theoretical security level against differential cryptanalysis [17], [29], our differentials are strong enough to allow to break all the known versions of the PP-1 cipher.     

A new counting method to bound the number of active S-boxes in Rijndael and 3D

Security against differential and linear cryptanalysis is an essential requirement for modern block ciphers. This measure is usually evaluated by finding a lower bound for the minimum number of active S-boxes. The 128-bit block cipher AES which was adopted by National Institute of Standards and Technology (NIST) as a symmetric encryption standard in 2001 is a member of Rijndael family of block ciphers. For Rijndael, the block length and the key length can be independently specified to 128, 192 or 256 bits. It has been proved that for all variants of Rijndael the lower bound of the number of active S-boxes for any 4-round differential or linear trail is 25, and for 4r (\(r \ge 1\)) rounds 25r active S-boxes is a tight bound only for Rijndael with block length 128. In this paper, a new counting method is introduced to find tighter lower bounds for the minimum number of active S-boxes for several consecutive rounds of Rijndael with larger block lengths. The new method shows that 12 and 14 rounds of Rijndael with 192-bit block length have at least 87 and 103 active S-boxes, respectively. Also the corresponding bounds for Rijndael with 256-bit block are 105 and 120, respectively. Additionally, a modified version of Rijndael-192 is proposed for which the minimum number of active S-boxes is more than that of Rijndael-192. Moreover, we extend the method to obtain a better lower bound for the number of active S-boxes for the block cipher 3D. Our counting method shows that, for example, 20 and 22 rounds of 3D have at least 185 and 205 active S-boxes, respectively.     

Cryptanalysis of Rijndael S-box and improvement

By the discovered correlation between linear functions over GF(qⁿ) and matrices over GF(q), a new scheme is presented to resolve the algebraic expression of Rijndael S-box in this paper. This new scheme has the advantage of predetermining in the case of a given random basis over GF(qⁿ). The reason why only nine terms are involved in the algebraic expression of Rijndael S-box is presented, which corrects the available inaccurate illustration. An improved AES S-box is presented to improve the complexity of AES S-box algebraic expression with terms increasing from 9 to 255 and algebraic degree invariable. The improved AES S-box also has good properties of Boolean functions in SAC and balance, and is capable of attacking against differential cryptanalysis with high reliable security. We finally summarize all the available methods to determine the algebraic expression of Rijndael S-box.     

Linear hulls with correlation zero and linear cryptanalysis of block ciphers

Linear cryptanalysis, along with differential cryptanalysis, is an important tool to evaluate the security of block ciphers. This work introduces a novel extension of linear cryptanalysis: zero-correlation linear cryptanalysis, a technique applicable to many block cipher constructions. It is based on linear approximations with a correlation value of exactly zero. For a permutation on n bits, an algorithm of complexity 2 ^n-1 is proposed for the exact evaluation of correlation. Non-trivial zero-correlation linear approximations are demonstrated for various block cipher structures including AES, balanced Feistel networks, Skipjack, CLEFIA, and CAST256. As an example, using the zero-correlation linear cryptanalysis, a key-recovery attack is shown on 6 rounds of AES-192 and AES-256 as well as 13 rounds of CLEFIA-256.     

Truncated differential based known-key attacks on round-reduced SIMON

At Crypto 2015, Blondeau, Peyrin and Wang proposed a truncated-differential-based known-key attack on full PRESENT, a nibble oriented lightweight block cipher with an SPN structure. The truncated difference they used is derived from the existing multidimensional linear characteristics. An innovative technique of their work is the design of a MITM layer added before the characteristic that covers extra rounds with a complexity lower than that of a generic construction. We notice that there are good linear hulls for bit-oriented block cipher SIMON corresponding to highly qualified truncated differential characteristics. Based on these characteristics, we propose known-key distinguishers on round-reduced SIMON block cipher family, which is bit oriented and has a Feistel structure. Similar to the MITM layer, we design a specific start-from-the-middle method for pre-adding extra rounds with complexities lower than generic bounds. With these techniques, we launch basic known-key attacks on round-reduced SIMON. We also involve some key guessing technique and further extend the basic attacks to more rounds. Our known-key attacks can reach as many as 29/32/38/48/63-rounds of SIMON32/48/64/96/128, which comes quite close to the full number of rounds. To the best of our knowledge, these are the first known-key results on the block cipher SIMON.     

不可能差分密码分析研究进展

不可能差分分析作为差分分析的一种变体,是一种简单有效的密码分析方法,也是目前最常用的密码分析方法之一.该方法一经提出就得到了广泛应用,被用于分析大量的算法和密码结构.尤其是近年来对AES的攻击,得到了一系列非常好的攻击结果,使得不可能差分分析已成为对AES最有效的攻击方法之一.系统介绍了不可能差分分析的原理、常用技巧和攻击方法,并总结了目前的研究现状和已取得的攻击结果.最后,分析了不可能差分攻击的优缺点及其在设计和分析分组密码方面的作用.     

Some examples of historical cryptanalysis

The term “historical cryptanalysis” is introduced and defined as the solving of cryptograms whose keys have been lost or misplaced. Numerous examples of such cryptograms, many undeciphered since their deposit in archives hundreds of years ago, still exist and may contain important historical and literary information. Credit is given to previous investigators in this field, who often performed individual cryptanalytic feats of great brilliance. A new approach of international coordinated research in historical cryptanalysis--bringing together the scholars who discover cryptographic materials and those who can help with their cryptanalysis--is discussed.A few examples of solved cryptograms are presented to demonstrate some of the methods used to encipher and cryptanalyze information. Included are a Papal cipher containing information about the election of the king of Poland in 1573, a German cryptogram written by a participant in a key event of the Counter-Reformation--the choice of the archbishop of Cologne in 1583, a Venetian cipher from 1630 whose key may have been eaten to preserve the cipher's security, a Russian cryptanalyst's worksheet from the time of Catherine the Great, and a military cipher from the American Civil War.     

The Individuation of Causal Powers by Events (and Consequences of the Approach)

In this paper, I explore the notion of a “causal power,” particularly as it is relevant to a theory of properties whereby properties are individuated by the causal powers they bestow on the objects that instantiate them. I take as my target certain eliminativist positions that argue that certain kinds of properties (or relations) do not exist because they fail to bestow unique causal powers on objects. In reply, I argue that the notion of causal powers is inextricably bound up with our notion of what an event is, and not only is there disagreement as to which theory of events is appropriate, but on the three prevailing theories, it can be shown that the eliminativists arguments do not follow.     

A comprehensive theory of representation for mathematics education

Representation is a difficult concept. Behaviorists wanted to get rid of it; many researchers prefer other terms like “conception” or “reasoning” or even “encoding;” and many cognitive science resarchers have tried to avoid the problem by reducing thinking to production rules.There are at least two simple and naive reasons for considering representation as an important subject for scientific study. The first one is that we all experience representation as a stream of internal images, gestures and words. The second one is that the words and symbols we use to communicate do not refer directly to reality but to represented entities: objects, properties, relationships, processes, actions, and constructs, about which there is no automatic agreement between two persons. It is the purpose of this paper to analyse this problem, and to try to connect it with an original analysis of the role of action in representation. The issue is important for mathematics education and even for the epistemology of mathematics, as mathematical concepts have their first roots in the action on, and in the representation of, the physical and social world; even though there may be a great distance today between that pragmatical and empirical source, and the sophisticated concepts of contemporary mathematics.     

A necessary and sufficient condition of convexity for SOC reformulation of trust-region subproblem with two intersecting cuts

We consider the extended trust-region subproblem with two linear inequalities. In the “nonintersecting” case of this problem, Burer et al. have proved that its semi-definite programming relaxation with second-order-cone reformulation (SDPR-SOCR) is a tight relaxation. In the more complicated “intersecting” case, which is discussed in this paper, so far there is no result except for a counterexample for the SDPR-SOCR. We present a necessary and sufficient condition for the SDPR-SOCR to be a tight relaxation in both the “nonintersecting” and “intersecting” cases. As an application of this condition, it is verified easily that the “nonintersecting” SDPR-SOCR is a tight relaxation indeed. Furthermore, as another application of the condition, we prove that there exist at least three regions among the four regions in the trust-region ball divided by the two intersecting linear cuts, on which the SDPR-SOCR must be a tight relaxation. Finally, the results of numerical experiments show that the SDPR-SOCR can work efficiently in decreasing or even eliminating the duality gap of the nonconvex extended trust-region subproblem with two intersecting linear inequalities indeed.     

On complexity of round transformations

A modern block cipher consists of round transformations, which are obtained by alternatively applying permutations (P-boxes) and substitutions (S-boxes). Clearly, the most important attribute of a block cipher is its security. However, with respect to the hardware implementation, a good block cipher has to have a reasonable complexity as well. In this paper, we study complexity of round transformations satisfying some basic security criteria. There are several ways to define the complexity of a round transformation, and to choose “necessary” security criteria. It turns out, that for our purpose, it is suitable to view a round transformation as a single Boolean function, not separating it into S-boxes and P-boxes. We require that the Boolean function F possesses some fundamental properties imposed on each block cipher for security reasons; namely, we require that the function is a strictly non-linear bijection and that it has a good diffusion. The total number of variables in the normal algebraic form of the component functions of F is taken as its complexity. We find the minimum complexity of such functions, and this way we establish a lower bound on complexity of all round transformations. To show that the lower bound is the best possible, we construct a round transformation F^′ attaining the bound. We stress that it is not an aspiration of this paper to construct a round transformation which would be of practical use; F^′ is useful only from the theoretical point of view.     

One-Time Pad as a nonlinear dynamical system

The One-Time Pad (OTP) is the only known unbreakable cipher, proved mathematically by Shannon in 1949. In spite of several practical drawbacks of using the OTP, it continues to be used in quantum cryptography, DNA cryptography and even in classical cryptography when the highest form of security is desired (other popular algorithms like RSA, ECC, AES are not even proven to be computationally secure). In this work, we prove that the OTP encryption and decryption is equivalent to finding the initial condition on a pair of binary maps (Bernoulli shift). The binary map belongs to a family of 1D nonlinear chaotic and ergodic dynamical systems known as Generalized Luröth Series (GLS). Having established these interesting connections, we construct other perfect secrecy systems on the GLS that are equivalent to the One-Time Pad, generalizing for larger alphabets. We further show that OTP encryption is related to Randomized Arithmetic Coding – a scheme for joint compression and encryption.     

A block cipher with dynamic S-boxes based on tent map

In this paper, a block encryption scheme based on dynamic substitution boxes (S-boxes) is proposed. Firstly, the difference trait of the tent map is analyzed. Then, a method for generating S-boxes based on iterating the tent map is presented. The plaintexts are divided into blocks and encrypted with different S-boxes. The cipher blocks are obtained by 32 rounds of substitution and left cyclic shift. To improve the security of the cryptosystem, a cipher feedback is used to change the state value of the tent map, which makes the S-boxes relate to the plaintext and enhances the confusion and diffusion properties of the cryptosystem. Since dynamic S-boxes are used in the encryption, the cryptosystem does not suffer from the problem of fixed structure block ciphers. Theoretical and experimental results indicate that the cryptosystem has high security and is suitable for secure communications.     

Design of solids for antigravity motion illusion

This paper presents a method for designing solid shapes containing slopes where orientation appears opposite to the actual orientation when observed from a unique vantage viewpoint. The resulting solids generate a new type of visual illusion, which we call “impossible motion”, in which balls placed on the slopes appear to roll uphill thereby defying the law of gravity. This is possible because a single retinal image lacks depth information and human visual perception tries to interpret images as the most familiar shape even though there are infinitely many possible interpretations. We specify the set of all possible solids represented by a single picture as the solution set of a system of equations and inequalities, and then relax the constraints in such a way that the antigravity slopes can be reconstructed. We present this design procedure with examples.     

Tweaking a block cipher: multi-user beyond-birthday-bound security in the standard model

In this paper, we present a generic construction to create a secure tweakable block cipher from a secure block cipher. Our construction is very natural, requiring four calls to the underlying block cipher for each call of the tweakable block cipher. Moreover, it is provably secure in the standard model while keeping the security degradation minimal in the multi-user setting. In more details, if the underlying blockcipher E uses n-bit blocks and 2n-bit keys, then our construction is proven secure against multi-user adversaries using up to roughly \(2^n\) time and queries as long as E is a secure block cipher.     

Relating Differential Distribution Tables to Other Properties of of Substitution Boxes

Due to the success of differential and linear attacks on a large number of encryption algorithms, it is important to investigate relationships among various cryptographic, including differential and linear, characteristics of an S-box (substitution box). After discussing a precise relationship among three tables, namely the difference, auto-correlation and correlation immunity distribution tables, of an S-box, we develop a number of results on various properties of S-boxes. More specifically, we show (1) close connections among three indicators of S-boxes, (2) a tight lower bound on the sum of elements in the leftmost column of its differential distribution table, (3) a non-trivial and tight lower bound on the differential uniformity of an S-box, and (4) two upper bounds on the nonlinearity of S-boxes (one for a general, not necessarily regular, S-box and the other for a regular S-box).     

Cryptanalysis of a chaos block cipher for wireless sensor network

Based on the analysis of a chaos block cipher for wireless sensor network (WSN), it is found that there is a fatal flaw in its security because the number of rounds is too small and the calculation precision of round function is too short. The scheme could be cryptanalyzed by utilizing differential cryptanalysis theory. First, the third round key is recovered by chosen plaintext attack according to the characteristics of the round function. Then, the second round key can be deduced from the relationship of the sub-keys between the second and the third rounds. Based on the above successful attacks, the first round key could also be broken by brute-force attack. Finally, by employing the characteristics of Feistel structure, the fourth round key could also be obtained. Since all round keys have been cryptanalyzed, the plaintext can then be decrypted. The encryption scheme is proven to be insecure consequently.     

Design of an image encryption scheme based on a multiple chaotic map

In order to solve the problem that chaos is degenerated in limited computer precision and Cat map is the small key space, this paper presents a chaotic map based on topological conjugacy and the chaotic characteristics are proved by Devaney definition. In order to produce a large key space, a Cat map named block Cat map is also designed for permutation process based on multiple-dimensional chaotic maps. The image encryption algorithm is based on permutation–substitution, and each key is controlled by different chaotic maps. The entropy analysis, differential analysis, weak-keys analysis, statistical analysis, cipher random analysis, and cipher sensibility analysis depending on key and plaintext are introduced to test the security of the new image encryption scheme. Through the comparison to the proposed scheme with AES, DES and Logistic encryption methods, we come to the conclusion that the image encryption method solves the problem of low precision of one dimensional chaotic function and has higher speed and higher security.