Cryptanalysis Of Several Classic Structures For Symmetric Ciphers

The structure of symmetric ciphers mainly includes block ciphers,stream ciphers,hash functions,and message authentication codes.They have advantages of fast software and hardware implementation,and small storage.They are widely used and have become the core components in data encryption,message authentication and key management in the security of information and network space.Therefore,it has a great significance to study the security of symmetric ciphers.There are many cryptanalysis techniques on symmetric ciphers,and meet-in-the-middle attack and truncated differential attack are two basic among them.Meet-in-the-middle attack is a cryptanalysis technique based on distinguishers,which was proposed by Diffie and Hellman when they analyzed the algorithm of 3DES.After a series of improvements,it has now become a common cryptanalysis method to analyze the security of cipher algorithms.It includes an offline phase to establish the meet-in-the-middle table and an online phase to recovery subkeys.Truncated differential attack is a cryptanalysis method and derives from differential cryptanalysis.Differential cryptanalysis needs to find a high probability differential path from a block cipher algorithm to launch attack.However,this condition is too strong for many block cipher algorithms.In order to reduce the requirement,cryptographers propose the truncated differential cryptanalysis,which only needs to find differences in few bit positions or even one bit position from the whole block length,and can attack the block cipher algorithm or reduced vision.In this paper,we are major in discussing the security of the structure of two classic symmetric ciphers,based on meet-in-the-middle attack and truncated differential attack.Up until to now,some attacks had been made on them,which only reach a few rounds of reduced versions in public literature,and all of them have some restrictions on properties of the round function.However,we reduced the requirement during our attacks.The main research contents and results of this paper are as follows.(1)The first is an attack on the 3-line generalized Feistel structure.We consider the meet-in-the-middle attack under the chosen-ciphertext condition,and the key length is one third of the block length.For the 3-line generalized Feistel-2,a 9-round distinguisher is constructed,achieving an attack with 10 rounds of key recovery.For the 3-line generalized Feistel-3,we select its equivalent structure and find a 13-round distinguisher.Under some common conditions,a 17-round attack is launched.(2)The second is an attack on the 4-line generalized Feistel structure,and we still consider choosing the meet-in-the-middle attack under chosen-ciphertext.In the contracting type-I structure of the 4-line generalized Feistel,SM4,the encryption standard of China is selected,and an 11-round distinguisher is built,which can achieve an attack with 13 rounds of key recovery.For the balanced type-II structure,we need not any restrictions on the round function or the nonlinear layer,and construct a 7-round universal distinguisher.