Cryptanalysis For Iterated Block Function

As one of the most important structures for the design of block cipher and hashfunction, iterated block is easy to be analyzed and assessed for its well arranged structure, and, moreover, perfect confusion and diffusion effect can be achieved after roundfunction being iterated several times, with the higher security and the lowercomputational overhead for software and hardware. Because of such notable strongpoints, iterated block structure plays a leading role during the design for block cipherand Hash function, so it has been an important research direction in the cipher analysisto analyze the security of cipher functions.In this dissertation, security cryptanalysis for iterated block function is the mainthought. In several representative functions, the effectiveness of these algorithms isresearched by using different analysis methods, such as differential cryptanalysis,collision attack, preimage attack, distinguisher construction, and so on. In addition, thewhole structure security of Iterated block cipher functions is also studied. It can bedescribed as follows.Firstly, the collision attack on MD5is discussed. Bit tracing technology can beused to track differential bits, differential route can be controlled by using of messagemodification and non-linear function, and then, the technical details of collision attackare analyzed in depth. At the same time, the preimage attack on MD5is studied. Byusing “Neutral word”, the constructional method and process about initial structure andtransitional structure are explored.Secondly, the present2-round free-starting collision attack mechanism is improved,based on the message exchanging feature in BLAKE algorithm and the reversibility ofG function. A2-round free-starting approximate collision can be within5words byadjusting message bits and initial state. Then, the free-starting differential route analysisfor6-round BLAKE-32algorithm is executed by using meet-in-the-middle attacktechnology. The results show that the probability to generate collision is very low. Thefree-starting preimage attack for3-round BLAKE algorithm is also carried out by usingsegmentation linking method, which reduces the computational complexity. TheB spreading features for1-bit and2-bit differential input and differential features forlinearizing the G functions in BLAKE algorithm are analyzed, and the probability andeffectiveness of linearing-differential attacks against the algorithm are verified carefully.And then, the integral properties of squashing function in Gr stl-512algorithm areresearched. Considering the feature about bad diffusivity of round function, the11-round integral distinguisher is first proposed by adopting the osmosis technology, inwhich, the time complexity is lower than that in present10-round integral distinguisher,so the best result achieved. The differential cryptanalysis to the substitution method ofsquashing function in Gr stl-256and Gr stl-512is carried out by using of the constitutenumbers of MixColumn in round function. It can be deduced that10-round iteration inGr stl-256and14-round iteration in Gr stl-512are sufficient to resist differentialcryptanalysis by evaluating the lower bound number of multi-round iteration activeS-box. Besides, the6-round impossible differential distinguisher for the squashingfunction in Gr stl-512algorithm is built. It shows the stochastic capability of iterationblock module in a certain extent, which contributes to design new analysis methods.Lastly, the design idea for Sandwich-Boomerang distinguisher is proposed, basedon the analysis on the features of CLEFIA algorithm, and then,8-roundSandwich-Boomerang distinguisher is constructed from CLEFIA algorithm. Thesuccessful probability to discriminate is much higher than that of stochastic module. Byusing this distinguisher,2-round key retrieval process in10-round CLEFIA algorithm isshown in our dissertation for the successful probability is higher obviously, and the datacomplexity and time complexity is much lower notably than that of exhaustive search.