Motivated by applications in advanced cryptographic protocols,research on arithmetizationoriented symmetric primitives has been rising in the field of symmetric cryptography in recent years.In this paper,the authors f...Motivated by applications in advanced cryptographic protocols,research on arithmetizationoriented symmetric primitives has been rising in the field of symmetric cryptography in recent years.In this paper,the authors focus on on the collision attacks for a family of arithmetization-oriented symmetric ciphers GMiMCHash.The authors firstly enhance the algebraically controlled differential attacks proposed by introducing more variables.Then,combining algebraic attacks and differential attacks,the authors propose algebraic-differential attacks on GMi MCHash.This attack method is shown to be effective by experiments on toy versions of GMi MCHash.The authors further introduce some tricks to reduce the complexities of algebraic-differential attacks and improve the success probability of finding collisions.展开更多
Nonlinear feedback shift register(NFSR)is one of the most important cryptographic primitives in lightweight cryptography.At ASIACRYPT 2010,Knellwolf et al.proposed conditional differential attack to perform a cryptana...Nonlinear feedback shift register(NFSR)is one of the most important cryptographic primitives in lightweight cryptography.At ASIACRYPT 2010,Knellwolf et al.proposed conditional differential attack to perform a cryptanalysis on NFSR-based cryptosystems.The main idea of conditional differential attack is to restrain the propagation of the difference and obtain a detectable bias of the difference of the output bit.QUARK is a lightweight hash function family which is designed by Aumasson et al.at CHES 2010.Then the extended version of QUARK was published in Journal of Cryptology 2013.In this paper,we propose an improved conditional differential attack on QUARK.One improvement is that we propose a method to select the input difference.We could obtain a set of good input differences by this method.Another improvement is that we propose an automatic condition imposing algorithm to deal with the complicated conditions efficiently and easily.It is shown that with the improved conditional differential attack on QUARK,we can detect the bias of output difference at a higher round of QUARK.Compared to the current literature,we find a distinguisher of U-QUARK/D-QUARK/S-QUARK/C-QUARK up to 157/171/292/460 rounds with increasing 2/5/33/8 rounds respectively.We have performed the attacks on each instance of QUARK on a 3.30 GHz Intel Core i5 CPU,and all these attacks take practical complexities which have been fully verified by our experiments.As far as we know,all of these results have been the best thus far.展开更多
An embedded cryptosystem needs higher reconfiguration capability and security. After analyzing the newly emerging side-channel attacks on elliptic curve cryptosystem (ECC), an efficient fractional width-w NAF (FWNA...An embedded cryptosystem needs higher reconfiguration capability and security. After analyzing the newly emerging side-channel attacks on elliptic curve cryptosystem (ECC), an efficient fractional width-w NAF (FWNAF) algorithm is proposed to secure ECC scalar multiplication from these attacks. This algorithm adopts the fractional window method and probabilistic SPA scheme to reconfigure the pre-computed table, and it allows designers to make a dynamic configuration on pre-computed table. And then, it is enhanced to resist SPA, DPA, RPA and ZPA attacks by using the random masking method. Compared with the WBRIP and EBRIP methods, our proposals has the lowest total computation cost and reduce the shake phenomenon due to sharp fluctuation on computation performance.展开更多
This paper presents a method for differen- tial collision attack of reduced FOX block cipher based on 4-round distinguishing property. It can be used to attack 5, 6 and 7-round FOX64 and 5-round FOX128. Our attack has...This paper presents a method for differen- tial collision attack of reduced FOX block cipher based on 4-round distinguishing property. It can be used to attack 5, 6 and 7-round FOX64 and 5-round FOX128. Our attack has a precomputation phase, but it can be obtained before attack and computed once for all. This attack on the reduced to 4-round FOX64 requires only 7 chosen plaintexts, and performs 242.8 4-round FOX64 encryptions. It could be extended to 5 (6, 7)-round FOX64 by a key exhaustive search behind the fourth round.展开更多
Recently,a round-robin differential phase-shift(RRDPS) protocol was proposed[Nature 509,475(2014)],in which the amount of leakage is bounded without monitoring the signal disturbance.Introducing states of the phas...Recently,a round-robin differential phase-shift(RRDPS) protocol was proposed[Nature 509,475(2014)],in which the amount of leakage is bounded without monitoring the signal disturbance.Introducing states of the phase-encoded Bennett-Brassard 1984 protocol(PE-BB84) to the RRDPS,this paper presents another quantum key distribution protocol called round-robin differential quadrature phase-shift(RRDQPS) quantum key distribution.Regarding a train of many pulses as a single packet,the sender modulates the phase of each pulse by one of {0,π/2,π,3π/2},then the receiver measures each packet with a Mach-Zehnder interferometer having a phase basis of 0 or π/2.The RRDQPS protocol can be implemented with essential similar hardware to the PE-BB84,so it has great compatibility with the current quantum system.Here we analyze the security of the RRDQPS protocol against the intercept-resend attack and the beam-splitting attack.Results show that the proposed protocol inherits the advantages arising from the simplicity of the RRDPS protocol and is more robust against these attacks than the original protocol.展开更多
The sufficient conditions for keeping desired differential path of MD5 was discussed. By analyzing the expanding of subtraction difference, differential characters of Boolean functions, and the differential characters...The sufficient conditions for keeping desired differential path of MD5 was discussed. By analyzing the expanding of subtraction difference, differential characters of Boolean functions, and the differential characters of shift rotation, the sufficient conditions for keeping desired differential path could be obtained. From the differential characters of shift rotation, the lacked sufficient conditions were found. Then an algorithm that reduces the number of trials for finding collisions were presented. By restricting search space, search operation can be reduced to 2 34 for the first block and 2 30 for the second block. The whole attack on the MD5 can be accomplished within 20 hours using a PC with 1.6 G CPU.展开更多
This article aims at designing a new Multivariate Quadratic (MQ) public-key scheme to avoid the linearization attack and differential attack against the Matsumoto-Imai (MI) scheme. Based on the original scheme, our ne...This article aims at designing a new Multivariate Quadratic (MQ) public-key scheme to avoid the linearization attack and differential attack against the Matsumoto-Imai (MI) scheme. Based on the original scheme, our new scheme, named the Multi-layer MI (MMI) scheme, has a structure of multi-layer central map. Firstly, this article introduces the MI scheme and describes linearization attack and differential attack; then prescribes the designation of MMI in detail, and proves that MMI can resist both linearization attack and differential attack. Besides, this article also proves that MMI can resist recent eXtended Linearization (XL)-like methods. In the end, this article concludes that MMI also maintains the efficiency of MI.展开更多
In order to improve the efficiency and success rate of the side channel attack,the utility of side channel information of the attack object must be analyzed and evaluated before the attack implementation.Based on the ...In order to improve the efficiency and success rate of the side channel attack,the utility of side channel information of the attack object must be analyzed and evaluated before the attack implementation.Based on the study of side-channel attack techniques,a method is proposed in this paper to analyze and evaluate the utility of side channel information and the evaluation indexes of comentropy,Signal-to-Noise Ratio(SNR)are introduced.On this basis,the side channel information(power and electromagnetic)of a side channel attack experiment board is analyzed and evaluated,and the Data Encryption Standard(DES)cipher algorithm is attacked with the differential power attack method and differential electromagnetic attack method.The attack results show the effectiveness of the analysis and evaluation method proposed in this paper.展开更多
In this paper we present an attack on 30-round SIMON64, which improves the best results on SIMON64 by 1 round. We use a 23-round differential characteristic which was proposed by Itai et al in 2015 to construct a 30-r...In this paper we present an attack on 30-round SIMON64, which improves the best results on SIMON64 by 1 round. We use a 23-round differential characteristic which was proposed by Itai et al in 2015 to construct a 30-round extended differential characteristized by adding 4 rounds on the top and 3 round on the bottom. Furthermore, we utilize all of the sufficient bit-conditions of the 30-round differential to compute a set of corresponding subkeys. Then we distribute the plaintext pairs over the 286 lists corresponding to the 86-bit subkeys. If a list contains two or more pairs, we regard the subkeys corresponding to the list as candidate subkeys. The time complexity of our attack on 30-round SIMON64/96 (SIMON64/128) is 286.2 (21182) with a success probability of 0.61, while the data complexity and the memory complexity are 263.3 and 290 bytes, respectively.展开更多
By using the coding properties and statistic properties of the plaintext,the differential properties of the key stream sequences generated by a nonlinear combined generator were analyzed.Then a differential attack alg...By using the coding properties and statistic properties of the plaintext,the differential properties of the key stream sequences generated by a nonlinear combined generator were analyzed.Then a differential attack algorithm on the nonlinear combined sequences was proposed.At last,an attack example adopting the differential attack algorithm was presented.展开更多
In EUROCRYPT 2017,a new structure-difference property,say“a-multiple-of-8”was proposed on 5-round AES.Inspired by the idea,yoyo attacks and mixture differential attacks were proposed yielding new records on data and...In EUROCRYPT 2017,a new structure-difference property,say“a-multiple-of-8”was proposed on 5-round AES.Inspired by the idea,yoyo attacks and mixture differential attacks were proposed yielding new records on data and computational complexities for key-recovery attacks against 5-round AES.In this paper,the authors attempt to apply the idea of mixture differential cryptanalysis to Midori64.Midori is a lightweight block cipher proposed at ASIACRYPT 2015.Although the structure of Midori is similar to AES,the MixColumn matrix of Midori is not MDS.Based on this observation,the authors present a class of deterministic differential trails on 2-round Midori.Then combined with the yoyo trick,a new type of 4-round retracing boomerang distinguishers is obtained on Midori.Based on the new 4-round distinguishers,a key-recovery attack on 6-round Midori64 is given that requires only 2^(27)computational complexity,2^(29)chosen plaintexts,2^(20)adaptively chosen ciphertexts.The key-recovery attack has been experimentally verified.展开更多
In this paper, we present a fast attack algorithm to find two-block collision of hash function MD5. The algorithm is based on the two-block collision differential path of MD5 that was presented by Wang et al. in the C...In this paper, we present a fast attack algorithm to find two-block collision of hash function MD5. The algorithm is based on the two-block collision differential path of MD5 that was presented by Wang et al. in the Conference EUROCRYPT 2005. We found that the derived conditions for the desired collision differential path were not sufficient to guarantee the path to hold and that some conditions could be modified to enlarge the collision set. By using technique of small range searching and omitting the computing steps to check the characteristics in the attack algorithm, we can speed up the attack of MD5 efficiently. Compared with the Advanced Message Modification technique presented by Wang et al., the small range searching technique can correct 4 more conditions for the first iteration differential and 3 more conditions for the second iteration differential, thus improving the probability and the complexity to find collisions. The whole attack on the MD5 can be accomplished within 5 hours using a PC with Pentium4 1.70GHz CPU.展开更多
Abstract In this paper, we give a fast attack against hash function HAVAL-128. HAVAL was presented by Y. L. Zheng et al. at Auscrypto'92. It can be processed in 3, 4 or 5 passes, and produces 128, 160, 192, or 224-bi...Abstract In this paper, we give a fast attack against hash function HAVAL-128. HAVAL was presented by Y. L. Zheng et al. at Auscrypto'92. It can be processed in 3, 4 or 5 passes, and produces 128, 160, 192, or 224-bit fingerprint. We break the HAVAL with 128-bit fingerprint. The conclusion is that, given any 1024-bit message ra, we just make some modifications about m, and the modified message ra can collide with another message m only with probability 1/2^7, where m = m + △m, in which △m is a fixed difference selected in advance. In addition, two collision examples for HAVAL-128 are given in this paper.展开更多
基金supported by the National Natural Science Foundation of China under Grant No.61972393the Climbing Program from Institute of Information Engineering CAS under Grant No.E3Z0221112。
文摘Motivated by applications in advanced cryptographic protocols,research on arithmetizationoriented symmetric primitives has been rising in the field of symmetric cryptography in recent years.In this paper,the authors focus on on the collision attacks for a family of arithmetization-oriented symmetric ciphers GMiMCHash.The authors firstly enhance the algebraically controlled differential attacks proposed by introducing more variables.Then,combining algebraic attacks and differential attacks,the authors propose algebraic-differential attacks on GMi MCHash.This attack method is shown to be effective by experiments on toy versions of GMi MCHash.The authors further introduce some tricks to reduce the complexities of algebraic-differential attacks and improve the success probability of finding collisions.
基金This work was supported by the National Natural Science Foundation of China(Grant No.61872359,62122085 and 61936008)the National Key R&D Program of China(Grant No.2020YFB1805402),and the Youth Innovation Promotion Association of Chinese Academy of Sciences.
文摘Nonlinear feedback shift register(NFSR)is one of the most important cryptographic primitives in lightweight cryptography.At ASIACRYPT 2010,Knellwolf et al.proposed conditional differential attack to perform a cryptanalysis on NFSR-based cryptosystems.The main idea of conditional differential attack is to restrain the propagation of the difference and obtain a detectable bias of the difference of the output bit.QUARK is a lightweight hash function family which is designed by Aumasson et al.at CHES 2010.Then the extended version of QUARK was published in Journal of Cryptology 2013.In this paper,we propose an improved conditional differential attack on QUARK.One improvement is that we propose a method to select the input difference.We could obtain a set of good input differences by this method.Another improvement is that we propose an automatic condition imposing algorithm to deal with the complicated conditions efficiently and easily.It is shown that with the improved conditional differential attack on QUARK,we can detect the bias of output difference at a higher round of QUARK.Compared to the current literature,we find a distinguisher of U-QUARK/D-QUARK/S-QUARK/C-QUARK up to 157/171/292/460 rounds with increasing 2/5/33/8 rounds respectively.We have performed the attacks on each instance of QUARK on a 3.30 GHz Intel Core i5 CPU,and all these attacks take practical complexities which have been fully verified by our experiments.As far as we know,all of these results have been the best thus far.
基金supported by the National Natural Science Foundation of China(60373109)Ministry of Science and Technologyof China and the National Commercial Cryptography Application Technology Architecture and Application DemonstrationProject(2008BAA22B02).
文摘An embedded cryptosystem needs higher reconfiguration capability and security. After analyzing the newly emerging side-channel attacks on elliptic curve cryptosystem (ECC), an efficient fractional width-w NAF (FWNAF) algorithm is proposed to secure ECC scalar multiplication from these attacks. This algorithm adopts the fractional window method and probabilistic SPA scheme to reconfigure the pre-computed table, and it allows designers to make a dynamic configuration on pre-computed table. And then, it is enhanced to resist SPA, DPA, RPA and ZPA attacks by using the random masking method. Compared with the WBRIP and EBRIP methods, our proposals has the lowest total computation cost and reduce the shake phenomenon due to sharp fluctuation on computation performance.
基金This work has been performed in the Project "The Research on the New Analysis in Block Ciphers" supported by the Fundamental Research Funds for the Central Universities of China,the National Natural Science Foundation of China,the 111 Project of China,the Scientific Research Foundation of Education Department of Shaanxi Provincial Government of China
文摘This paper presents a method for differen- tial collision attack of reduced FOX block cipher based on 4-round distinguishing property. It can be used to attack 5, 6 and 7-round FOX64 and 5-round FOX128. Our attack has a precomputation phase, but it can be obtained before attack and computed once for all. This attack on the reduced to 4-round FOX64 requires only 7 chosen plaintexts, and performs 242.8 4-round FOX64 encryptions. It could be extended to 5 (6, 7)-round FOX64 by a key exhaustive search behind the fourth round.
基金Project supported by the National Natural Science Foundation of China(Grant Nos.61505261 and 11304397)the National Basic Research Program of China(Grant No.2013CB338002)
文摘Recently,a round-robin differential phase-shift(RRDPS) protocol was proposed[Nature 509,475(2014)],in which the amount of leakage is bounded without monitoring the signal disturbance.Introducing states of the phase-encoded Bennett-Brassard 1984 protocol(PE-BB84) to the RRDPS,this paper presents another quantum key distribution protocol called round-robin differential quadrature phase-shift(RRDQPS) quantum key distribution.Regarding a train of many pulses as a single packet,the sender modulates the phase of each pulse by one of {0,π/2,π,3π/2},then the receiver measures each packet with a Mach-Zehnder interferometer having a phase basis of 0 or π/2.The RRDQPS protocol can be implemented with essential similar hardware to the PE-BB84,so it has great compatibility with the current quantum system.Here we analyze the security of the RRDQPS protocol against the intercept-resend attack and the beam-splitting attack.Results show that the proposed protocol inherits the advantages arising from the simplicity of the RRDPS protocol and is more robust against these attacks than the original protocol.
文摘The sufficient conditions for keeping desired differential path of MD5 was discussed. By analyzing the expanding of subtraction difference, differential characters of Boolean functions, and the differential characters of shift rotation, the sufficient conditions for keeping desired differential path could be obtained. From the differential characters of shift rotation, the lacked sufficient conditions were found. Then an algorithm that reduces the number of trials for finding collisions were presented. By restricting search space, search operation can be reduced to 2 34 for the first block and 2 30 for the second block. The whole attack on the MD5 can be accomplished within 20 hours using a PC with 1.6 G CPU.
基金Supported by the National High Technology Research and Development Program of China(863Program)(No.2009-aa012201)Key Library of Communication Technology(No.9140C1103040902)
文摘This article aims at designing a new Multivariate Quadratic (MQ) public-key scheme to avoid the linearization attack and differential attack against the Matsumoto-Imai (MI) scheme. Based on the original scheme, our new scheme, named the Multi-layer MI (MMI) scheme, has a structure of multi-layer central map. Firstly, this article introduces the MI scheme and describes linearization attack and differential attack; then prescribes the designation of MMI in detail, and proves that MMI can resist both linearization attack and differential attack. Besides, this article also proves that MMI can resist recent eXtended Linearization (XL)-like methods. In the end, this article concludes that MMI also maintains the efficiency of MI.
文摘In order to improve the efficiency and success rate of the side channel attack,the utility of side channel information of the attack object must be analyzed and evaluated before the attack implementation.Based on the study of side-channel attack techniques,a method is proposed in this paper to analyze and evaluate the utility of side channel information and the evaluation indexes of comentropy,Signal-to-Noise Ratio(SNR)are introduced.On this basis,the side channel information(power and electromagnetic)of a side channel attack experiment board is analyzed and evaluated,and the Data Encryption Standard(DES)cipher algorithm is attacked with the differential power attack method and differential electromagnetic attack method.The attack results show the effectiveness of the analysis and evaluation method proposed in this paper.
基金Supported by the National Natural Science Foundation of China(61373142,61572125)Dissertation Innovation Funds(112-06-0019025)
文摘In this paper we present an attack on 30-round SIMON64, which improves the best results on SIMON64 by 1 round. We use a 23-round differential characteristic which was proposed by Itai et al in 2015 to construct a 30-round extended differential characteristized by adding 4 rounds on the top and 3 round on the bottom. Furthermore, we utilize all of the sufficient bit-conditions of the 30-round differential to compute a set of corresponding subkeys. Then we distribute the plaintext pairs over the 286 lists corresponding to the 86-bit subkeys. If a list contains two or more pairs, we regard the subkeys corresponding to the list as candidate subkeys. The time complexity of our attack on 30-round SIMON64/96 (SIMON64/128) is 286.2 (21182) with a success probability of 0.61, while the data complexity and the memory complexity are 263.3 and 290 bytes, respectively.
基金supported by the National Natural Science Foundation of China(No.60573028)Research Foundation of National University of Defense Technology(No.JC-02-02).
文摘By using the coding properties and statistic properties of the plaintext,the differential properties of the key stream sequences generated by a nonlinear combined generator were analyzed.Then a differential attack algorithm on the nonlinear combined sequences was proposed.At last,an attack example adopting the differential attack algorithm was presented.
文摘In EUROCRYPT 2017,a new structure-difference property,say“a-multiple-of-8”was proposed on 5-round AES.Inspired by the idea,yoyo attacks and mixture differential attacks were proposed yielding new records on data and computational complexities for key-recovery attacks against 5-round AES.In this paper,the authors attempt to apply the idea of mixture differential cryptanalysis to Midori64.Midori is a lightweight block cipher proposed at ASIACRYPT 2015.Although the structure of Midori is similar to AES,the MixColumn matrix of Midori is not MDS.Based on this observation,the authors present a class of deterministic differential trails on 2-round Midori.Then combined with the yoyo trick,a new type of 4-round retracing boomerang distinguishers is obtained on Midori.Based on the new 4-round distinguishers,a key-recovery attack on 6-round Midori64 is given that requires only 2^(27)computational complexity,2^(29)chosen plaintexts,2^(20)adaptively chosen ciphertexts.The key-recovery attack has been experimentally verified.
基金Supported by the National Natural Science Foundation of China under Grant No. 60573032.
文摘In this paper, we present a fast attack algorithm to find two-block collision of hash function MD5. The algorithm is based on the two-block collision differential path of MD5 that was presented by Wang et al. in the Conference EUROCRYPT 2005. We found that the derived conditions for the desired collision differential path were not sufficient to guarantee the path to hold and that some conditions could be modified to enlarge the collision set. By using technique of small range searching and omitting the computing steps to check the characteristics in the attack algorithm, we can speed up the attack of MD5 efficiently. Compared with the Advanced Message Modification technique presented by Wang et al., the small range searching technique can correct 4 more conditions for the first iteration differential and 3 more conditions for the second iteration differential, thus improving the probability and the complexity to find collisions. The whole attack on the MD5 can be accomplished within 5 hours using a PC with Pentium4 1.70GHz CPU.
基金the National Natural Science Foundation of China(Grant No.90304009) the“973 Project”(Grant No.G19990358).
文摘Abstract In this paper, we give a fast attack against hash function HAVAL-128. HAVAL was presented by Y. L. Zheng et al. at Auscrypto'92. It can be processed in 3, 4 or 5 passes, and produces 128, 160, 192, or 224-bit fingerprint. We break the HAVAL with 128-bit fingerprint. The conclusion is that, given any 1024-bit message ra, we just make some modifications about m, and the modified message ra can collide with another message m only with probability 1/2^7, where m = m + △m, in which △m is a fixed difference selected in advance. In addition, two collision examples for HAVAL-128 are given in this paper.