
Cryptanalysis On Some Symmetric Encryption Algorithms

Posted on: 2018-08-16
Degree: Master
Type: Thesis
Country: China
Candidate: C B Zhu
Full Text: PDF
GTID: 2348330536452519
Subject: Software engineering
Abstract/Summary:
Symmetric encryption is one of the two systems of cryptographic technology. So far, dozens of symmetric encryption algorithms have been proposed. Among these algorithms, AES is the most renowned. It was established as the Advanced Encryption Standard of the U.S. government by the U.S. National Institute of Standards and Technology (NIST) in 2001. Over the last fifteen years, AES has been widely used around the world. In addition, many newly proposed hash functions and block ciphers adopt the AES structure in their own designs, such as Kalyna, the new encryption standard of Ukraine. Because of this popularity and importance, the security of AES is one of the most active research topics in cryptanalysis. Many cryptanalysis techniques have been used to analyze the cipher, for instance the related-key attack, the biclique attack, the meet-in-the-middle attack, the impossible differential attack and so on. Research so far has shown that the biclique attack can be used to attack full AES. In addition, the related-key attack has been shown to be useful in attacks on full AES-192 and AES-256. This paper re-evaluates the security of AES-192 and Kalyna-128/256 against the meet-in-the-middle attack in the single-key model. The main results of this paper are as follows.

First, this paper introduces a 9-round meet-in-the-middle attack on AES-192. The starting point is a new observation on 5-round AES-192. Using a property of the MixColumns (MC) operation in AES, the new observation shows that a specific 248-bit ordered sequence is determined by 37 byte parameters. Furthermore, under the condition that the message pair follows the pre-defined differential characteristic, these 37 byte parameters can be computed from 22 byte variables by using the efficient differential enumeration technique. Therefore, the specific ordered sequence can take at most 2^176 values. With this observation, a new 5-round distinguisher for AES-192 is constructed. The distinguisher is then extended by one round at the beginning and three rounds at the end to mount a 9-round meet-in-the-middle attack on AES-192. In detail, the new attack has a data complexity of 2^113 chosen plaintexts, a memory requirement of 2^177 128-bit blocks and a time complexity of 2^189 9-round AES encryptions.

Secondly, this paper improves the previous 9-round meet-in-the-middle attack on Kalyna-128/256 proposed by Akshima et al. This is done by employing a better differential path. The advantage of this differential path is that it allows the adversary to reduce the time complexity of the pre-computation phase. For both attacks, the time complexity is determined by the pre-computation phase. Hence, the time complexity of the whole attack is reduced to 2^238.8 9-round Kalyna-128/256 encryptions. In addition, compared to the previous attack, the improved attack has a much lower memory complexity of 2^226.7 128-bit blocks.

Finally, this paper notes that if the 6-round distinguisher for Kalyna-128/256 is located between the second round and the seventh round, more key relations become available. This means that the adversary can use the key-dependent sieve to filter out more wrong sequences in advance. As a result, this paper presents another 6-round distinguisher for Kalyna-128/256. When applying it to the attack on Kalyna-128/256, however, the pre-whitening key addition modulo 2^64 makes it difficult to add one round at the beginning. For this reason, the attack has to start from the 2nd round. After adding 4 rounds in the forward direction, this paper breaks a total of 10 rounds of Kalyna-128/256. With a data/time/memory tradeoff, the data/time/memory complexities of this attack are 2^115, 2^253.3 and 2^253.8, respectively.
Keywords/Search Tags:AES, Kalyna, single-key model, meet-in-the-middle attack, key recovery