Cryptanalysis Of Several ISO Standard Block Ciphers

Posted on: 2015-02-08
Degree: Doctor
Type: Dissertation
Country: China
Candidate: L B Li
Full Text: PDF
GTID: 1268330431455182
Subject: Information security

Abstract/Summary:
The block cipher plays an important role in cryptography as the core technique for providing confidentiality and integrity protection in secure communication. It belongs to the symmetric-key ciphers, which use the same key to encrypt and decrypt. Cryptanalysis of block ciphers not only ensures their secure application in practice by discovering their weaknesses, but also guides the design of new block ciphers. In previous years, with the AES competition run by NIST, the NESSIE process and the CRYPTREC project, the security analysis of international standard ciphers has attracted a great amount of attention from cryptology researchers worldwide, which has greatly promoted the analysis and design of block ciphers.

This thesis focuses on the cryptanalysis of three international standard ciphers: AES, Camellia and CLEFIA. We also propose some interesting properties of the ciphers and obtain the best attack results compared with previous works.

1. Cryptanalysis of 9-Round AES-192/256

The block cipher Rijndael was designed by Daemen and Rijmen in 1997, and was selected as the Advanced Encryption Standard (AES) in 2001 by NIST. AES was also selected as an e-government recommended cipher by CRYPTREC in 2002, for the NESSIE block cipher portfolio in 2003 and as an international standard by ISO/IEC 18033-3 in 2005. It is a Substitution-Permutation Network (SPN) with variable key lengths of 128, 192 and 256 bits, denoted AES-128, AES-192 and AES-256, respectively.

The meet-in-the-middle (MITM) attack on AES was introduced by Demirci and Selcuk at FSE 2008 to improve the collision attack proposed by Gilbert and Minier. They constructed a 4-round distinguisher to attack the 7-round AES-192 and 8-round AES-256. At ASIACRYPT 2010, Dunkelman, Keller and Shamir exploited the differential enumeration and multiset ideas for the MITM attack to reduce the high memory complexity of the Demirci and Selcuk attack. Then, combined with the data/time/memory tradeoff, they obtained an attack on 7-round AES-128. Furthermore, Derbez, Fouque and Jean presented a significant improvement of Dunkelman et al.'s attack at EUROCRYPT 2013. Using the rebound-like idea, they gave the most efficient attacks on 7-round AES-128 and 8-round AES-192/256. Besides, they introduced a 5-round distinguisher to analyse 9-round AES-256.

In this paper, we focus on key-recovery attacks on 9-round AES-192 and AES-256 under the single-key model within the framework of the meet-in-the-middle attack. A new technique named key-dependent sieve is introduced to further reduce the size of the lookup table of the attack. We construct a 5-round distinguisher and attack the 9-round AES-192 with 2^121 chosen plaintexts, 2^187.5 9-round encryptions and 2^185 128-bit words of memory. If the attack starts from the third round, the complexities would be further reduced by a factor of 16. Moreover, we show that the whole attack can be sorted into a series of sub-attacks by using the key information shared between the online and offline phases. This allows us to reduce the memory complexity of the attack without any cost in data and time complexities, since we can perform the attack in streaming mode by working on each sub-attack independently and releasing the memory afterwards. For the 9-round attacks on AES-192 and AES-256, the memory complexities are reduced by 2^8 and 2^32 times, respectively.

2. Cryptanalysis of Reduced-Round Camellia

Camellia is a 128-bit block cipher with variable key lengths of 128, 192 and 256 bits, denoted Camellia-128, Camellia-192 and Camellia-256, respectively. Camellia was proposed by NTT and Mitsubishi in 2000, and was selected as an e-government recommended cipher by CRYPTREC in 2002, for the NESSIE block cipher portfolio in 2003 and as an international standard by ISO/IEC 18033-3 in 2005. In this paper, we study the security of reduced-round Camellia with the methods of impossible differential attack and meet-in-the-middle attack.

Firstly, we introduce a 7-round impossible differential of Camellia including the FL/FL^-1 layer. Utilizing the impossible differential attack, 10-round Camellia-128 is breakable with 2^118.5 chosen plaintexts and 2^123.5 10-round encryptions. Moreover, the results of the attacks on 10-round Camellia-192 and 11-round Camellia-256 can also be improved. Further, we introduce 7-round impossible differentials of Camellia for weak keys, which can be used to attack reduced-round Camellia under the weak-key setting. The weak keys that work for the impossible differential take 3/4 of the whole key space; therefore, we can get rid of the weak-key assumption and extend the attacks to all keys by utilizing a method called the multiplied method. As a result, for the whole key space, 10-round Camellia-128, 11-round Camellia-192 and 12-round Camellia-256 can be attacked with about 2^120, 2^184 and 2^240 encryptions, respectively. In addition, we are able to extend the attacks to 12-round Camellia-192 and 14-round Camellia-256, which include two FL/FL^-1 layers, provided that the attacks do not have to be started from the first round.

Secondly, combined with the differential enumeration technique proposed by Dunkelman et al. at ASIACRYPT 2010 and other sophisticated techniques, we propose a new 7-round MITM property for Camellia-192 and mount a 12-round attack with 2^113 chosen plaintexts, 2^180 encryptions and 2^154 128-bit memories. Furthermore, we present an 8-round property of Camellia and achieve a 13-round attack on Camellia-256 with 2^113 chosen plaintexts, 2^232.7 encryptions and 2^227 128-bit memories. We also give an attack on 14-round Camellia-256 without whitening keys. To the best of our knowledge, these are the most efficient results of cryptanalysis of reduced-round Camellia-192/256.

3. Cryptanalysis of Reduced-Round CLEFIA

CLEFIA is a 128-bit block cipher with variable key lengths of 128, 192 and 256 bits, denoted CLEFIA-128, CLEFIA-192 and CLEFIA-256, respectively. It was proposed by Sony Corporation in 2007, and was selected as an international standard by ISO/IEC 29192-2 in 2011 and as an e-government recommended cipher by the CRYPTREC project in 2013.

In this paper, taking advantage of a property of the diffusion layer, we introduce a 10-round truncated differential characteristic of CLEFIA, and give key-recovery attacks on 13-round CLEFIA-128. Furthermore, we give attacks on 14/15-round CLEFIA-192/256 by applying the function reduction technique. More interestingly, combined with the key schedule, we achieve an attack on 14-round CLEFIA-128. Compared with the best results of previous attacks, we present the most efficient cryptanalysis of reduced-round CLEFIA.
Keywords/Search Tags: Symmetric-key cryptography, cryptanalysis, impossible differential cryptanalysis, meet-in-the-middle attack, block ciphers, AES, Camellia, CLEFIA