Cryptanalysis Of Block Cipher SAFER, CAST-256 And PRIDE

Posted on: 2016-04-06
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Y Zhao
GTID: 1228330461984023
Subject: Information security
Abstract/Summary:
Block cipher research is an important direction in modern cryptography. It covers design principles, cryptanalytic methods, modes of operation, detection and evaluation. Among these, design and cryptanalysis oppose each other yet also advance each other. Cryptanalysis of block ciphers not only ensures their secure application in practice by discovering their weaknesses, but also guides the design of new block ciphers, and stronger designs in turn pose new challenges for cryptanalysts.

The study of block ciphers began with DES-like ciphers. Since the 1990s, DES-like ciphers have been studied in greater depth; in particular, linear cryptanalysis and differential cryptanalysis appeared in succession and became powerful tools, which prompted the study of new classes of block ciphers. The block cipher IDEA, of SP-network type, then appeared and changed the role of DES among block ciphers.

With the AES competition run by NIST and the NESSIE process in the last century, the security analysis of candidates and international standard ciphers attracted a great deal of attention from researchers worldwide, which greatly promoted the analysis and design of block ciphers.

This thesis focuses on the cryptanalysis of several important block ciphers in the process of standardization, including the AES candidates SAFER+ and CAST-256, the NESSIE candidate SAFER++, and the lightweight block cipher PRIDE. We also discover some interesting properties of the ciphers and present our results in comparison with previous work.

1. New Impossible Differential Attack on SAFER Block Cipher Family

The SAFER block cipher family consists of SAFER K, SAFER SK, SAFER+ and SAFER++. SAFER K, the first of them to be proposed, was strengthened into SAFER SK with an improved key schedule. SAFER+ was designed as an AES candidate, and Bluetooth uses a customized version of it for security. SAFER++, a variant of SAFER+, is among the cryptographic primitives selected for the second phase of the NESSIE project. In this paper, we take advantage of properties of the linear transformation and S-boxes to identify new impossible differentials for SAFER SK, SAFER+ and SAFER++. Moreover, we give impossible differential attacks on 4-round SAFER SK/128 and 4-round SAFER+/128(256), 5-round SAFER++/128 and 5.5-round SAFER++/256. Our attacks significantly improve on previously known impossible differential attacks on these ciphers. Specifically, our attacks on SAFER+ are the best attacks in terms of number of rounds.

2. Improved linear analysis of CAST-256

CAST-256, a first-round AES candidate, is designed based on CAST-128. It is a 48-round generalized Feistel network cipher with a 128-bit block, accepting 128-, 160-, 192-, 224- or 256-bit keys. Its S-boxes are non-surjective, with 8-bit input and 32-bit output. Wang et al. identified a 21-round linear approximation and gave a key recovery attack on 24-round CAST-256. At ASIACRYPT'12, Bogdanov et al. presented the multidimensional zero-correlation linear cryptanalysis of 28 rounds of CAST-256. By observing the property of the concatenation of a forward quad-round and a reverse quad-round and choosing the proper active round function, we construct a linear approximation of 26-round CAST-256 and recover partial key information on 32 rounds of CAST-256. Our result is the best attack so far on CAST-256 in terms of number of rounds without a weak-key assumption.

3. Differential Analysis on Light Weight Block Cipher PRIDE

The lightweight block cipher PRIDE, designed by Albrecht et al., appeared at CRYPTO 2014. The designers claim that their method of constructing the linear layer is good in both security and efficiency. In this paper, we find 16 different 2-round iterative characteristics by exploiting weaknesses of the S-box and linear layer, and construct several 15-round differentials. Based on one of the differentials, we launch a differential attack on 18-round PRIDE. The data, time and memory complexities are $2^{60}$, $2^{66}$ and $2^{64}$, respectively.
Keywords/Search Tags:Block Cipher, Light Weight, AES, NESSIE, SAFER Block Cipher Family, CAST-256, PRIDE, Impossible Differential, Linear Cryptanalysis, Differential Cryptanalysis