Cryptanalysis Of Several Symmetric Ciphers And Generic Structures

Due to the rapid development of the internet,information security plays an important role in the national security strategy.The central leading group for network security and information was established in Feb.2014,Mr.Xi stressed that there is no national security without information security.Cryptography is the infrastructure of the information security,which plays an critical role in pro-tecting the sensitive messages or policies from leakage.In cryptography,there are two kinds of algorithms,which are called public key algorithms and symmetric key algorithms.Symmetric key algorithms include block ciphers,stream ciphers,hash functions,and authenticated encryption(AE)algorithms.Usually,symmet-ric ciphers have several good properties,such as high speed,easy to implement in software or hardware,easy to be standardized,which has been the key part of the information security system.In this thesis,we explore the common structures of block cipher Feistel-SP and some common hashing modes MMO and Miyaguchi-Preneel modes,analyze the 3rd CAESAR competition candidate KETJE,study the ISO/IEC standard Camellia block cipher.In our cryptanalysis,some valuable properties of these ciphers are revealed,and based on these properties,some new attack models are constructed,and achieve some leading results.The results have been accepted by IACR conference FSE 2017 and RSA conference 2015.? Cryptanalysis of the International Cipher StructuresMost popular block ciphers apply iterated structures,including Feistel net-works,Substitution Permutation networks(SPN),et al.Feistel networks was proposed in 1973 and used by IBM's Lucifer cipher.It was designed by Horst Feistel and Don Coppersmith in 1973.Feistel networks gained respectability when the U.S.Federal Government 'adopted the DES(a cipher based on Lucifer,with changes made by the NSA).Like other components of the DES,the itera-tive nature of the Feistel construction makes implementing the cryptosystem in hardware easier(particularly on the hardware available at the time of DES's de-sign).For a 2n-bit block Feistel cipher with r rounds.Firstly,2n-bit P is divided into left and right part with length n-bit,denoted as(L0,R0).Then,r rounds iteration are applied.Fori = 1,2,…,r,Li=Ri-1 Ri=Li-1(?)F(Ri-1,ki).In ASIACRYPT 2013,cryptographers Isobe and Shibutani classify the Feistel networks into 3 groups,denoted as Feistel-1/2/3.Nowadays,both block ciphers and hash functions are important primitives in cryptography.In many cases,hash functions are based on block ciphers.For instance,if a block cipher and a hash function are both needed in a resource-restricted environment,such as smart cards,RFID tag,nodes in cars or other machines which work in very tiny embedded systems,many applications utilize a block cipher to construct a hash function in order to minimize the design and implementation cost.There are many popular schemes to construct hash func-tions based on a block cipher,including the Davies-Meyer(DM),Matyas-Meyer-Oseas(MMO)and Miyaguchi-Preneel(MP)hashing modes,which are all included in the PGV hashing schemes.Thus,the evaluation of the security of block ciphers used in these schemes is very important.Since Knudsen and Rij men proposed the known-key attacks in ASIACRYP-T 2007,the open-key model becomes more and more popular.As the other component of the open-key model,chosen-key model was applied to the full attacks on AES-256 by Biryukov et al.in CRYPTO 2009.In this paper,we explore how practically the chosen-key model affect the real-world cryptography and show that 11-round generic Feistel-SP block cipher is no longer safe in its hashing modes(MMO and MP mode)as there exist collision attacks.This work improves Sasaki and Yasuda's collision attacks by 2 rounds with two interesting techniques.First,we for the first time use the available degrees of freedom in the key to reduce the complexity of the inbound phase,which extends the previous 5-round inbound differential to a 7-round one.This results in a 12-round chosen-key distinguisher of Feistel-SP block cipher.Second,inspired by the idea of Wang et al.,we construct collisions using two blocks.The rebound attack is used in the second compression function.We carefully balance the freedom of the first block and the complexity of the rebound attack,and extend the chosen-key attack to a 11-round collision attack on its hashing modes(MMO and MP mode).? Cube-like Attack on Round-Reduced Initialization of KetjeThis paper studies the KECCAK-based authenticated encryption(AE)scheme KETJE SR against cube-like attacks.KETJE is one of the remaining 16 candidates of third round CAESAR competition,whose primary recommendation is KETJE SR,Although the cube-like method has been successfully applied to KETJE's sister ciphers,including KECCAK-MAC and KEYAK-another KECCAK-based AE scheme,similar attacks are missing for KETJE.For KETJE SR,the state(400-bit)is much smaller than KECCAK-MAC and KEYAK(1600-bit),thus the 128-bit key and cubes with the same dimension would occupy more lanes in KETJE SR.Hence,the number of key bits independent of the cube sum is very small,which makes the divide-and-conquer method(it has been applied to 7-round attack on KECCAK-MAC by Dinur et al.)can not be translated to KETJE SR trivially.This property seems to be the barrier for the translation of the previous cube-like attacks to KETJE SR.In this paper,we evaluate KETJE SR against the divide-and-conquer method.Firstly,by applying the linear structure technique,we find some 32/64-dimension cubes of KETJE SR that do not multiply with each other as well as some bits of the key in the first round.In addition,we introduce the new dynamic variable instead of the auxiliary variable(it was used in Dinur et al.'s divide-and-conquer attack to reduce the diffusion of the key)to reduce the diffusion of the key as well as the cube variables.Finally,we successfully launch a 6/7-round key recovery attack on KETJE SR v1 and v2(v2 is presented for the 3rd round CAESAR competition.).In 7-round attack,the complexity of online phase for KETJE SR v1 is 2113,while for KETJE SR v2,it is 297(the preprocessing complexity is the same).We claim 7-round reduced KETJE SR v2 is weaker than v1 against our attacks.In addition,some results on other KETJE instances and KETJE SR with smaller nonce are given.Those are the first results on KKETJE and bridge the gaps of cryptanalysis between its sister ciphers-KEYAK and the KECCAK keyed modes.· Cryptanalysis of Round-reduced CamelliaThe block cipher Camellia with 128-bit block size has variable key lengths of 128,192,256,named as Camellia-128,Camellia-192 and Camellia-256,respective-ly.It was proposed by NTT and Mitsubishi in 2000.Now Camellia has become a widely used block cipher as an e-government recommended cipher by CRYP-TREC.Besides,Camellia was selected as one of NESSIE block cipher portfolio and international standard by ISO/IEC 18033-3.Camellia is a widely used block cipher,which has been selected as an international standard by ISO/IEC.In this paper,we consider a new family of differentials of round-reduced Camellia-128 depending on different key subsets.There are totally 224 key subsets correspond-ing to 224 types of 8-round differentials,which cover a fraction of 1-1/215 of the keyspace.And each type of 8-round differential consists of 243 differentials.Com-bining with the multiple differential attack techniques,we give the key-dependent multiple differential attack on 10-round Camellia-128 with data complexity 291 and time complexity 2113.