Security Analysis Of Several Lightweight Block Ciphers

Posted on: 2019-09-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: N Wang
GTID: 1368330542996994
Subject: Information security
Abstract/Summary:
With the rapid development of information technology, cryptography, as the core technology for ensuring information security, plays an increasingly important role in modern life. The design and the cryptanalysis of block ciphers are two opposing aspects of block cipher research, itself an important branch of modern cryptography. The goal of a cipher designer is to design an algorithm that can resist all known attacks. At the same time, cryptanalysts try to find the security vulnerabilities of cryptographic algorithms and the methods that can be used to attack them. Research on these two aspects promotes the development of the theory of block ciphers.

With the development of the Internet of Things, micro computing devices such as RFID chips and wireless sensor networks are becoming more and more widely used. They have brought great convenience to people's lives, and more and more people pay attention to the security of information. To suit the limited resources of the micro computing devices used in the Internet of Things, lightweight block ciphers that have low power consumption and low resource occupancy while meeting the security requirements have been designed, such as TWINE, PRESENT, LED, LBlock, SIMON, SPECK and so on. The goal of lightweight block ciphers is to seek the best tradeoff between security and performance. However, because the algorithm is constrained by the restricted environment, its security is bound to be affected. Therefore, it is very important to evaluate the security of lightweight algorithms.

In 2005, Professor Wang Xiaoyun proposed the bit-based modular differential cryptanalysis method and the message modification technique, broke the MD series of hash functions, and sparked new interest in the study of hash functions. In block ciphers the key is unknown, so how can conditional equations that involve the key be solved? For this difficult problem, we put forward the technique of dynamic key-guessing and obtained two important results. First, we fully study the special differential characteristics of the round function and propose a dynamic key-guessing technique, which greatly reduces the space of guessed keys. The differential characteristics of the 4-bit S-box are analyzed in detail, and a key-guessing technique based on nibble operations is proposed to solve the condition equations and reduce the complexity of the attack. This method is used to evaluate the security of the lightweight block ciphers SIMON and LBlock. The main research results are briefly introduced as follows:

Dynamic key-guessing differential analysis of SIMON

In 2013, the NSA published the specifications of two lightweight block cipher families, SIMON and SPECK, which perform well in hardware and software, respectively. The SIMON block cipher is a Feistel structure, and there are 10 suggested versions with different numbers of rounds. Since its release, SIMON has attracted a lot of attention in the field of cryptanalysis, and many methods have been used in the cryptanalysis of the SIMON family, including differential analysis, linear analysis, impossible differential analysis, linear hull cryptanalysis, zero-correlation linear analysis, dynamic cube analysis, etc.

In 2013, Alkhzaimi and Lauridsen et al. presented the first security analysis of all the versions of SIMON. They gave differential analysis and impossible differential analysis. In the same year, Alizadeh et al. presented the results of linear analysis and impossible differential analysis. In 2014, Abed et al. presented linear, differential and impossible differential analysis for 5 versions. At FSE 2014, Biryukov and Velichkov found new differentials; as a result, 19-round SIMON32, 20-round SIMON48 and 26-round SIMON64 were attacked, respectively. At INDOCRYPT 2014, Wang et al. presented an integral attack, a linear attack and an impossible differential attack. Sun et al. presented a new tool for finding new differential characteristics automatically at ASIACRYPT 2014. At CRYPTO 2015, Kölbl et al. derived an explicit formula for the squared correlation of the SIMON-like round function. Based on this, they applied an approach based on SAT/SMT solvers to find the optimal linear trails for some versions of SIMON.

Based on the idea of the modular differential analysis method and the advanced message modification technique, this thesis analyzes the special XOR differential characteristics of the round function in depth and applies bit-level analysis to the block cipher. Based on this, we proposed a dynamic key-guessing technique in 2014. In this thesis, using the existing differentials, we establish a series of sufficient bit condition equations that make the differential hold in the extended rounds, using bit-level cryptanalysis methods. The condition equations can be divided into two classes. The first class depends only on the plaintext and the ciphertext; we select plaintexts by using these conditions to construct the data structure and reduce the complexity of plaintext collection. These conditions can also filter out invalid pairs in advance and reduce the complexity of calculating the candidate keys. The second class is related to the key and is used to guess the key. At the same time, there is some redundant information in the second class of condition equations. Based on these observations, during the attack, by choosing different pairs and their corresponding bit equations, we can avoid guessing some of the subkey bits or equivalent key bits that are included in these conditions. Under the same differential path, the method reduces the key-guessing space of classical differential analysis by selecting plaintexts and solving the corresponding bit equations.

By using the proposed dynamic key-guessing technique, the space of guessed keys is greatly reduced, and the efficiency of the key-recovery phase in differential, impossible differential and linear analysis is improved. Applying this technique, we present differential attacks on SIMON32, SIMON48, SIMON64, SIMON96 and SIMON128 that cover 2-4 more rounds than previous differential results which did not use the dynamic key-guessing technique. In particular, the attacks on 5 versions of SIMON, namely SIMON64/96, SIMON64/128, SIMON96/96, SIMON128/128 and SIMON128/192, are currently the best results in terms of the number of rounds in the single-key mode. The dynamic key-guessing technique proposed in this thesis has been applied successfully in other works and has yielded obvious improvements over the classic attacks as well. At FSE 2016, Chen et al. gave a linear hull analysis of SIMON by applying the dynamic key-guessing technique of this thesis, which is the best result for many versions.

Improved Impossible Differential Attack on Reduced-Round LBlock

The block cipher LBlock was introduced by Wu and Zhang at ACNS 2011. As a lightweight primitive, LBlock has a 64-bit block size and an 80-bit key length. Since its proposal, the security of LBlock has been analyzed by various cryptanalysis methods, such as differential, impossible differential, integral, zero-correlation linear and cube cryptanalysis, biclique attacks and so on. To date, the impossible differential attack is a relatively effective method in terms of the number of attacked rounds of LBlock. At ASIACRYPT 2014, Boura et al. proposed the latest impossible differential result, attacking 23-round LBlock with a time complexity of 2^75.36 and a data complexity of 2^59. The authors also provided new generic formulas to compute the data, time and memory complexities of impossible differential attacks. That work simplified the calculation of impossible differential analysis through a general formula.

The number of bit conditions rises to 88 after extending the 14-round impossible differential to attack 24-round LBlock. According to the formula given in the previous literature, the smallest number of input (or output) pairs N should be approximately 2^88, so the 24-round attack is seemingly infeasible.

In this thesis, we make a more detailed study of the differential properties of 4-bit S-boxes. A new key-guessing technique based on nibbles is proposed to reduce the guessed key space greatly; it is similar to the dynamic key-guessing technique that is valid for block ciphers based on bit operations such as SIMON. A series of differential condition equations is established that make the differential hold in the extended rounds. The relationships between the equations are analyzed, and the relations between the conditions are established. Precomputation tables are built from the conditions that relate only to the ciphertexts, which helps us collect available plaintext (ciphertext) pairs more efficiently. Filtering out invalid ciphertext pairs in advance reduces the data complexity and the time complexity and simplifies the online phase. Based on the key-related conditions, further precomputation tables are established to calculate the key more effectively and reduce the time complexity of filtering out wrong keys. At the same time, we thoroughly explore the relations between the subkeys involved to find an optimal arrangement for key guessing. By combining our techniques with the precomputation tables and the optimal arrangement for key guessing, we lower the high complexity and make the 24-round attack succeed with 2^77.50 encryptions and 2^59 chosen plaintexts. To the best of our knowledge, this attack is currently the best result on LBlock (except biclique attacks) in terms of the number of attacked rounds.
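
The two classes of condition described for SIMON above can be seen on a single AND layer of the round function, (x<<<1)&(x<<<8). The following is an added, simplified illustration in Python, not code from the dissertation; the function names, the 16-bit word size (SIMON32) and the sample key, text and difference values are assumptions constructed for the example.

```python
# Added illustration (not from the thesis): one SIMON32-style AND layer.
# The key, text and difference values in the demo are constructed.
N = 16                      # SIMON32 word size
MASK = (1 << N) - 1

def rol(x, r):
    return ((x << r) | (x >> (N - r))) & MASK

def and_diff(x, d):
    """Output difference of (x<<<1)&(x<<<8) for input x and input difference d."""
    u, v, du, dv = rol(x, 1), rol(x, 8), rol(d, 1), rol(d, 8)
    return (du & v) ^ (u & dv) ^ (du & dv)

def key_conditions(c, d, target):
    """The AND-layer input is x = c ^ k: c is computable from the text, k is unknown.
    Returns None if the pair cannot produce `target`, else (fixed, pairs) where
    fixed = {key bit: value} and pairs = [(i, j, v)] meaning k[i] ^ k[j] == v."""
    cu, cv, du, dv = rol(c, 1), rol(c, 8), rol(d, 1), rol(d, 8)
    fixed, pairs = {}, []
    for j in range(N):
        a, b, t = (du >> j) & 1, (dv >> j) & 1, (target >> j) & 1
        iu, iv = (j - 1) % N, (j - 8) % N    # key bits entering u_j and v_j
        if not a and not b:                  # difference is 0 for every key:
            if t:                            # a key-independent filter
                return None
            continue
        if a and b:                          # diff = u_j ^ v_j ^ 1: linear relation
            pairs.append((iu, iv, t ^ 1 ^ ((cu >> j) & 1) ^ ((cv >> j) & 1)))
            continue
        # exactly one active input: diff = v_j (a) or u_j (b), fixing one key bit
        bit, val = (iv, t ^ ((cv >> j) & 1)) if a else (iu, t ^ ((cu >> j) & 1))
        if fixed.setdefault(bit, val) != val:
            return None                      # contradictory equations: discard pair
    return fixed, pairs

if __name__ == "__main__":
    k, c, d = 0x3A5C, 0xBEEF, 0x0081         # constructed values
    fixed, pairs = key_conditions(c, d, and_diff(c ^ k, d))
    print("key bits fixed by this pair:", fixed)
    print("linear relations:", pairs)
```

Bit positions where neither rotated difference is active give a check that needs no key at all, while each active position turns the required output difference into an equation on one or two subkey bits, so those bits are computed from the pair instead of being enumerated.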
Keywords/Search Tags: lightweight block cipher, bit condition, differential attack, impossible differential cryptanalysis, dynamic key-guessing