Zero-Correlation Linear Cryptanalysis with FFT and Improved Attacks on ISO Standards Camellia and CLEFIA

Abstract. As two important cryptanalytic methods, impossible differential cryptanalysis and integral cryptanalysis have attracted much attention in recent years. Although relations among other important cryptanalytic approaches have been investigated, the link between these two methods has been missing. The motivation in this paper is to fix this gap and establish links between impossible differential cryptanalysis and integral cryptanalysis.Firstly, by introducing the concept of structure and dual structure, we prove that a → b is an impossible differential of a structure E if and only if it is a zero correlation linear hull of the dual structure E ⊥ . More specifically, constructing a zero correlation linear hull of a Feistel structure with SP -type round function where P is invertible, is equivalent to constructing an impossible differential of the same structure with P T instead of P . Constructing a zero correlation linear hull of an SPN structure is equivalent to constructing an impossible differential of the same structure with (P −1 ) T instead of P . Meanwhile, our proof shows that the automatic search tool presented by Wu and Wang could find all impossible differentials of both Feistel structures with SP -type round functions and SPN structures, which is useful in provable security of block ciphers against impossible differential cryptanalysis.Secondly, by establishing some boolean equations, we show that a zero correlation linear hull always indicates the existence of an integral distinguisher while a special integral implies the existence of a zero correlation linear hull. With this observation we improve the integral distinguishers of Feistel structures by 1 round, build a 24-round integral distinguisher of CAST-256 based on which we propose the best known key recovery attack on reduced round CAST-256 in the non-weak key model, present a 12-round integral distinguisher of SMS4 and an 8-round integral distinguisher of Camellia without F L/F L −1 . Moreover, this result provides a novel way for establishing integral distinguishers and converting known plaintext attacks to chosen plaintext attacks.Finally, we conclude that an r-round impossible differential of E always leads to an r-round integral distinguisher of the dual structure E ⊥ . In the case that E and E ⊥ are linearly equivalent, we derive a direct link between impossible differentials and integral distinguishers of E . Specifically, we obtain that an r-round impossible differential of an SPN structure, which adopts a bit permutation as its linear layer, always indicates the existence of an r-round integral distinguisher. Based on this newly established link, we deduce that impossible differentials of SNAKE(2), PRESENT, PRINCE and ARIA, which are independent of the choices of the S-boxes, always imply the existence of integral distinguishers.Our results could help to classify different cryptanalytic tools. Furthermore, when designing a block cipher, the designers need to demonstrate that the cipher has sufficient security margins against impo...

Section: Structure and Dual Structurementioning

confidence: 99%

Links Among Impossible Differential, Integral and Zero Correlation Linear Cryptanalysis

Sun

Liu

Rijmen

et al. 2015

“…If we know ∆x i and ∆x i+2 , using the differential property of S, we can get the active bytes of y i [0]. Using the same method, if we know ∆x i and ∆x i+2 , we can get the active bytes of y i [2], y i+1 [0] and y i+1 [2] as well. So if we get the special truncated differential trail, we can prune some guessed-cells.…”

Section: Feistel Ciphers With Efficient Tabulation Techniquementioning

confidence: 99%

“…In the backward direction, using ∆x i+10 [2][0], [2][0],we can deduce ∆x i+6 . By the differential property of S, this can deduce Round-i…”

Section: F0 F1mentioning

confidence: 99%

See 1 more Smart Citation

Improved Meet-in-the-Middle Distinguisher on Feistel Schemes

Zheng

2016

Abstract. Improved meet-in-the-middle cryptanalysis with efficient tabulation technique has been shown to be a very powerful form of cryptanalysis against SPN block ciphers. However, few literatures show the effectiveness of this cryptanalysis against Balanced-Feistel-Networks (BFN) and Generalized-Feistel-Networks (GFN) ciphers due to the stagger of affected trail and special truncated differential trail. In this paper, we describe a versatile and powerful algorithm for searching the best improved meet-in-the-middle distinguisher with efficient tabulation technique on word-oriented BFN and GFN block ciphers, which is based on recursion and greedy algorithm. To demonstrate the usefulness of our approach, we show key recovery attacks on 14/16-round CLEFIA-192/256 which are the best attacks. We also propose key recovery attacks on 13/15-round Camellia-192/256 (without F L/F L −1 ).

“…A significant body of analysis papers has been published on the roundreduced versions of CLEFIA [18,19,14,17,15,10,16,9,6], all for the singlekey model, but the analysis based on related keys is missing. Often this type of analysis can cover a higher number of rounds but requires the cipher to have a relatively simple and almost linear key schedule.…”

Section: Introductionmentioning

confidence: 99%

Low Probability Differentials and the Cryptanalysis of Full-Round CLEFIA-128

Emami

Ling

Nikolić

et al. 2014

Abstract. So far, low probability differentials for the key schedule of block ciphers have been used as a straightforward proof of security against related-key differential analysis. To achieve resistance, it is believed that for cipher with k-bit key it suffices the upper bound on the probability to be 2 −k . Surprisingly, we show that this reasonable assumption is incorrect, and the probability should be (much) lower than 2 −k . Our counter example is a related-key differential analysis of the well established block cipher CLEFIA-128. We show that although the key schedule of CLEFIA-128 prevents differentials with a probability higher than 2 −128 , the linear part of the key schedule that produces the round keys, and the Feistel structure of the cipher, allow to exploit particularly chosen differentials with a probability as low as 2 −128 . CLEFIA-128 has 2 14 such differentials, which translate to 2 14 pairs of weak keys. The probability of each differential is too low, but the weak keys have a special structure which allows with a divide-and-conquer approach to gain an advantage of 2 7 over generic analysis. We exploit the advantage and give a membership test for the weak-key class and provide analysis of the hashing modes. The proposed analysis has been tested with computer experiments on small-scale variants of CLEFIA-128. Our results do not threaten the practical use of CLEFIA.