Cryptanalytic Methods And Their Applications On Block Ciphers

With the rapid development of computer network and communication technology,information security problems are increasingly serious. Block cipher plays an importantrole in the domain of information security, and it has many attractive features such ashigh-speed, easy for standardization, and efficient for both software and hardware im-plementations. Block cipher is usually the core encryption algorithm in information andnetwork security for data encryption, data signature, authentication and key management.This thesis mainly concentrates on some cryptanalytic methods of block ciphers, includ-ing integral cryptanalysis, impossible differential cryptanalysis and Meet-in-the-Middleattack. By using these methods, we analyze some known block ciphers, such as CLEFIA,3D cipher, ARIA, Camellia. The main contents and fruits of this thesis are outlined asfollows:1. According to the structure properties of CLEFIA, two new8-round higher orderintegral distinguishers are presented, and the8-round distinguishers originally found bythedesignersareshowntobewrong. Furthermore,byusingthenewdistinguishers,partialsum technique and combining the round key with the whitening key, we can attack10-round CLEFIA-128,11-round CLEFIA-192and12-round CLEFIA-256. Both data andtime complexities of our attack are better than those given by the designers.2. The5-round impossible differentials have been extended to6-round by investigat-ing the encryption components of3D cipher. Based on the6-round impossible differen-tialsand the equivalentstructureof3Dcipher, effectiveimpossibledifferentialattackscanbe made on7-round and8-round3D cipher. By using the redundancy in the key sched-ule, these attacks can be extended to9-round. Moreover, according to deeply studyingthe structure properties of3D, some new6-round impossible differentials are found. Byusing the new6-round impossible differentials, Early-Abort technology and the precom-putation technology (a method that reduce the time complexity at the cost of increasingthe memory complexity), we present the first attack on11-round3D cipher. As far as weknow, this is the best cryptanalytic result on3D cipher in single-secret-key model.3. The security of CLEFIA-128against impossible differential attack is evaluated.After carefully investigating the key schedule of CLEFIA-128, we find some common bits between the subkeys used in the first two rounds and the13th round, thus we canguess less subkey bits in the key search phase. According to this redundance, the previ-ous9-round impossible differentials and the Early-Abort technique, we present the firstsuccessful impossible differential cryptanalysis of13-round CLEFIA-128, including theattack with whitening layers and the attack without whitening layers.4. The meet-in-the-middle attack against block cipher ARIA is presented for the firsttime. According to the properties of the nonlinear layer and linear layer of ARIA, wededuce some3-round distinguishers of ARIA-128and4-round ones of ARIA-256. Byusing these distinguishers, we apply meet-in-the-middle attacks on5-/6-round ARIA-128and8-roundARIA-256. Furthermore,weimprovedthe4-rounddistinguishersandpresenta7-round attack on ARIA-192. These results show that7-round ARIA-192and8-roundARIA-256are not immune to the meet-in-the-middle attacks.5. The security of Camellia without FL/FL1functions and whitening against themeet-in-the-middle attack is discussed for the first time. Some new equivalent struc-tures of Camellia are constructed, and based on which some7-/8-round distinguishersare found. We make a meet-in-the-middle attack on12-round Camellia-192based onthe7-round distinguisher. By exploiting the property of the key schedule, we can attack15-/16-round Camellia-256based on the8-round distinguisher. Compared with the ex-isting attacks on reduced-round Camellia, the data complexities of our attacks decrease alot while the time complexities increase a little. Additionally, the resistance of reduced-roundCamellia-128againstmeet-in-the-middleattackisdiscussed. Wepresentapracticalattack on8-round Camellia-128while the previously published cryptanalytic attacks on8-round Camellia-128are all non-practical.