
Study On Several Cryptanalysis Models On Block Ciphers

Posted on: 2018-06-30
Degree: Doctor
Type: Dissertation
Country: China
Candidate: H F Chen
Full Text: PDF
GTID: 1318330512489873
Subject: Information security professional
Abstract/Summary:
Block ciphers are among the most important primitives for protecting information in cyberspace today. The study of block ciphers consists of two main parts, design and cryptanalysis. They are complementary directions, and progress in either one pushes forward the development of block ciphers as a whole. In this dissertation we focus on the security analysis of block ciphers. We improve several important cryptanalysis methods and the distinguishers used in the attacks. The cryptanalysis methods covered in detail include linear cryptanalysis, multidimensional linear cryptanalysis, multidimensional zero-correlation cryptanalysis, impossible differential cryptanalysis, zero-correlation cryptanalysis and integral cryptanalysis. Our work consists of (1) improving the attack procedures of multidimensional linear cryptanalysis with the χ²-method and of multidimensional zero-correlation cryptanalysis; (2) introducing dynamic key-guessing techniques into the linear cryptanalysis of bit-oriented block ciphers, improving the linear attack on SIMON and reducing its time complexity; (3) further studying the links among impossible differential, zero-correlation and integral distinguishers, proposing a more general method for transforming zero-correlation distinguishers into integral distinguishers, and constructing more efficient equivalence conditions between impossible differential and zero-correlation distinguishers for Feistel-type ciphers.

· Improving multidimensional linear cryptanalysis with the χ²-method and multidimensional zero-correlation cryptanalysis. Multidimensional linear cryptanalysis and multidimensional zero-correlation linear cryptanalysis are two popular cryptanalysis models for attacking block ciphers. In multidimensional linear cryptanalysis with the χ²-method (and likewise in multidimensional zero-correlation linear cryptanalysis), the statistics used to distinguish the right key from wrong keys are computed from the probability distribution of the multidimensional (zero-correlation) linear approximations. Here we show that the statistics can be computed in an easier way, from the empirical correlations of the multidimensional (zero-correlation) linear approximations over a random plaintext set. In this way the cost of computing the probability distribution is removed. In situations where the FFT technique can be applied to calculate the correlations, our proposed method for computing the statistics decreases the time complexity of multidimensional (zero-correlation) linear cryptanalysis. As an illustration, Feistel networks whose bijective round function consists of modular addition or XOR with the subkey, and CAST-256, have been attacked with our revised multidimensional zero-correlation linear cryptanalysis. Our attacks on such Feistel networks are the best in terms of the number of rounds, and we improve the previous multidimensional zero-correlation attack on CAST-256 from 28 rounds to 29 rounds. Compared with the best multiple zero-correlation linear attack on 29-round CAST-256, our attack has the same complexity but needs no independence assumption. Our attack on CAST-256 is therefore the best attack that makes no such assumption.

· Improved linear hull attack on SIMON using dynamic key-guessing techniques. SIMON is a lightweight block cipher family proposed by the NSA in 2013. It has drawn the attention of many cryptanalysts, and a variety of cryptanalysis results have been published, including differential, linear, impossible differential and integral cryptanalysis. In this dissertation we give improved linear attacks on all reduced versions of SIMON using the dynamic key-guessing technique, which was first proposed recently to improve the differential attack on SIMON. The basic idea is as follows. First, establish the Boolean function of the parity bit in the linear hull distinguisher. Since it contains quite a few AND operations, we can guess the key bits on one side of each AND and then reduce the function. Next, we guess different keys in different situations, which decreases the number of guessed key bits on average and thus further decreases the time complexity. As a result, 23-round SIMON32/64, 24-round SIMON48/72, 25-round SIMON48/96, 30-round SIMON64/96, 31-round SIMON64/128, 37-round SIMON96/96, 38-round SIMON96/144, 49-round SIMON128/128, 51-round SIMON128/192 and 53-round SIMON128/256 can be attacked. As far as we know, our attacks on most reduced versions of SIMON are the best compared with previous cryptanalysis results. However, this does not shake the security of the full-round SIMON family.

· New links among zero-correlation, impossible differential and integral distinguishers. Zero-correlation (ZC), impossible differential (ID) and integral (IG) cryptanalysis have been popular attacks on block ciphers, and the links among them have been a focus topic in recent years. At ASIACRYPT'12, Bogdanov et al. revealed fundamental links between zero-correlation and integral distinguishers and showed that ZC linear approximations with independent masks can be transformed into an integral distinguisher. At ACNS'14, Blondeau et al. used a permutation matrix to present a link between impossible differential and zero-correlation distinguishers for several structures. At CRYPTO'15, Sun et al. presented new results on the equivalence among these three distinguishers. In this dissertation we focus on how to construct the link from a ZC distinguisher to an integral distinguisher when the zero-correlation linear approximations have dependent masks, mainly equal and unequal partial input and output masks. As a result, we provide a method for constructing an integral distinguisher from such zero-correlation linear approximations that is much easier to implement and yields more efficient integral distinguishers than previous methods. For the link between impossible differential and zero-correlation distinguishers, we build an equivalence between ID and ZC distinguishers using an invertible matrix instead of a permutation matrix. Finally, we give the equivalence between ID and ZC distinguishers for the source-heavy SMS4-like cipher, the target-heavy MARS-like cipher and the Skipjack cipher with only Rule-A or only Rule-B round functions. Moreover, we identify an 18-round ZC distinguisher for Four-Cell from its 18-round ID distinguisher, whereas the previous ZC distinguisher for Four-Cell covered only 12 rounds.
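The first contribution above, computing the multidimensional χ²-method statistic from empirical correlations instead of from the full probability distribution, rests on a Parseval-type identity between the two. The following Python block is an added illustration, not code from the dissertation; it assumes the standard form of the statistic, T = N·2^m·Σ_η (p̂(η) − 2^-m)², and uses a constructed sample of m-bit approximation values in place of values computed from a cipher under a key guess.

```python
import random

def chi2_from_distribution(counts, n, m):
    """Statistic from the empirical distribution of the m-bit value eta
    taken by the m base linear approximations over N texts:
    T = N * 2^m * sum_eta (p_hat(eta) - 2^-m)^2"""
    size = 1 << m
    return n * size * sum((counts.get(eta, 0) / n - 1.0 / size) ** 2
                          for eta in range(size))

def walsh_correlations(counts, n, m):
    """Empirical correlation of every approximation a in the span:
    c_hat(a) = (1/N) * sum_eta counts[eta] * (-1)^(a . eta)
    (a Walsh transform of the counts; FFT-friendly in a real attack)."""
    size = 1 << m
    corr = []
    for a in range(size):
        acc = 0
        for eta, cnt in counts.items():
            acc += -cnt if bin(a & eta).count("1") & 1 else cnt
        corr.append(acc / n)
    return corr

def chi2_from_correlations(counts, n, m):
    """Same statistic via Parseval: T = N * sum_{a != 0} c_hat(a)^2.
    The 2^m-entry distribution never has to be formed explicitly."""
    corr = walsh_correlations(counts, n, m)
    return n * sum(c * c for c in corr[1:])   # skip the trivial mask a = 0

def simulate_counts(n, m, seed=0):
    """Constructed sample (not cipher data): N draws of an m-bit value with
    a mild bias toward eta = 0, so the statistic is visibly non-zero."""
    rng = random.Random(seed)
    size = 1 << m
    counts = {}
    for _ in range(n):
        eta = 0 if rng.random() < 0.1 else rng.randrange(size)
        counts[eta] = counts.get(eta, 0) + 1
    return counts

def both_statistics(n=4096, m=3, seed=1):
    """Return (T via distribution, T via correlations) for one sample."""
    counts = simulate_counts(n, m, seed)
    return chi2_from_distribution(counts, n, m), chi2_from_correlations(counts, n, m)
```

For a perfectly uniform sample both routes give T = 0, which is the ideal case the zero-correlation variant of the statistic looks for under the right key.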
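The SIMON passage above describes the core of dynamic key guessing: guess the key bits on one side of an AND in the parity-bit function, then reduce the function. The Python block below is an added illustration, not the dissertation's code, and uses a constructed toy parity bit (one key-masked AND plus a bit standing in for the rest of the parity) rather than SIMON's real linear hull; it checks that the reduced evaluation yields exactly the same key counters as guessing both key bits.

```python
import random

def toy_parity(x1, x2, x3, k1, k2):
    """Constructed parity bit with the shape SIMON's round function produces
    after key addition: an AND of two key-masked state bits, XORed with a
    bit x3 that stands in for the remaining linear terms of the parity."""
    return ((x1 ^ k1) & (x2 ^ k2)) ^ x3

def counters_naive(samples):
    """Guess both AND inputs' key bits: 4 guesses, each evaluated on all N
    texts. Returns {(k1, k2): sum over texts of (-1)^parity}."""
    out = {}
    for k1 in (0, 1):
        for k2 in (0, 1):
            out[(k1, k2)] = sum(1 - 2 * toy_parity(x1, x2, x3, k1, k2)
                                for x1, x2, x3 in samples)
    return out

def counters_dynamic(samples):
    """Guess only k1 and reduce the function per text:
    - texts with x1^k1 == 0 make the AND vanish, so k2 is irrelevant;
    - texts with x1^k1 == 1 reduce the AND to x2^k2, where k2 is only a
      sign flip of the summand.
    Both k2 counters follow from two partial sums: 2 guesses x N texts."""
    out = {}
    for k1 in (0, 1):
        dead = live = 0
        for x1, x2, x3 in samples:
            if x1 ^ k1 == 0:
                dead += 1 - 2 * x3            # AND term is 0 for every k2
            else:
                live += 1 - 2 * (x2 ^ x3)     # term is x2^k2: k2 flips sign
        out[(k1, 0)] = dead + live
        out[(k1, 1)] = dead - live
    return out

def constructed_samples(n, seed=0):
    """Constructed random (x1, x2, x3) triples standing in for plaintexts."""
    rng = random.Random(seed)
    return [(rng.randrange(2), rng.randrange(2), rng.randrange(2))
            for _ in range(n)]
```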
Keywords/Search Tags: Block cipher, Linear cryptanalysis, Multidimensional linear, Zero-correlation, Impossible Differential, Integral, Dynamic key guessing