Abstract: We improve Wu and Wang’s method for finding impossible differentials of block cipher structures. This improvement is more general than Wu and Wang’s method where it can find more impossible differentials with less time. We apply it on Gen-CAST256, Misty, Gen-Skipjack, Four-Cell, Gen-MARS, SMS4, MIBS, Camellia⁎, LBlock, E2, and SNAKE block ciphers. All impossible differentials discovered by the algorithm are the same as Wu’s method. Besides, for the 8-round MIBS block cipher, we find 4 new impossible differenti…
“…• $H_1$: Guess the values of $Z_6[2,6]$ $V_5[3,6,9,12]$. Compute the values of $X_5[3,6,9,12]$ $X_5[3,6,9,12]$.…”
Section: The Key Recovery Phase (mentioning)
confidence: 99%
“…• $H_1$: Guess the values of $Z_6[2,6]$ $V_5[3,6,9,12]$. Compute the values of $X_5[3,6,9,12]$ $X_5[3,6,9,12]$. Store $Z_6[2,6]$ $X_5[3,6,9,12]$ in $H_1$ indexed by $P[3,6,9,12]$, where $P[3,6,9,12] = X_5[3,6,9,12]$.…”
Section: The Key Recovery Phase (mentioning)
confidence: 99%
“…So the value of $k_0[14]$ can be computed by $k_0[14] = P[14] \oplus X_5[14]$. There are $2^b$ values of $k_0[0,1,2,3,4,5,6,7,8,9,10,11,12,14,15]$ left.…”
Section: The Key Recovery Phase (mentioning)
confidence: 99%
“…46 encryptions, i.e., about $2^{64.92}$ for QARMA-64 and $2^{129.92}$ for QARMA-128. At this time, we recover one subkeys $k_0[0,1,2,3,4,5,6,7,8,9,10,11,12,14,15]$. Exhaustively search the remaining 17 cells of subkeys, the time complexity of which is about $2 \times 2^{17b} = 2^{17b+1}$ encryption, i.e., $2^{69}$ for QARMA-64 and $2^{137}$ for QARMA-128.…”
Section: Complexity Analysis (mentioning)
confidence: 99%
“…Then we can obtain X i 4 = 0 and $X_5[5] = t_4[5]$. Next, guessing the value of $Z_5[0,4,12]$, we can obtain the value of $V_5[0,4,12]$. Similarly, guessing the values of $V_6[1,6,9,10,11,15]$ $V_7[1,9,13]$, we can compute the ordered sequence $V_8[1]$.…”
Section: A a 45-round Meet-in-middle Distinguisher Of Qarma-128 (mentioning)
QARMA is a new tweakable block cipher used for memory encryption, the generation of short tags and the construction of the keyed hash functions in future. It adopts a three-round Even-Mansour scheme and supports 64 and 128 bits of block size, denoted by QARMA-64 and QARMA-128, respectively. Their tweak lengths equal the block sizes and their keys are twice as long as the blocks. In this paper, we improve the security analysis of reduced-version QARMA against impossible differential and meet-in-the-middle attacks. Specifically, first exploit some properties of its linear operations and the redundancy of key schedule. Based on them, we propose impossible differential attacks on 11-round QARMA-64/128, and meet-in-the-middle attacks on 10-round symmetric QARMA-128 and the last 12 rounds of asymmetric QARMA-128. Compared with the previously best known results on QARMA-64, our attack can recover 16 more bits of master key with the almost complexities. Compared with the previously best known results on symmetric QARMA-128, the memory complexity of our attack in Section IV is reduced by a factor of $2^{48}$. Moreover, the meet-in-the-middle attack on 12-round QARMA-128 is the best known attack on QARMA-128 in terms of the number of rounds. INDEX TERMS Tweakable block ciphers, QARMA, meet-in-the-middle attacks, impossible differential cryptanalysis, tweaks.