Abstract
Integral attack is an extremely important and extensively investigated cryptanalytic tool for symmetric-key primitives. In this paper, we improve the integral attack against bit-oriented ciphers. First, we propose the match-through-the-Sbox technique, based on a specific property of the Sbox. Instead of computing the inverse of the Sbox in the partial decryption, we independently calculate two Boolean functions that accept fewer input bits. The time complexity is thus reduced and the number of attacked rounds is extended. Second, we devise an easy-to-implement algorithm for constructing the integral distinguisher, which proves very effective for constructing lower-order distinguishers. It shows that SIMON 32, 48, 64, 96 and 128 have 13-, 14-, 17-, 21- and 25-round integral distinguishers, respectively, significantly improving the recent results from EUROCRYPT 2015. Finally, our techniques are applied to several ciphers. We attack one more round than the previous best integral attack on PRESENT, and give the first evaluation of the security of the SIMON family (except for SIMON 32) and of RECTANGLE against integral attack.
A Details of Step 3
Compute \(\mathop \bigoplus \limits _{{\varLambda _s}} (Y^8[32] \oplus Y^8[0])\) for \(0 \le s < N\).
- We guess the 12-bit subkey \({K^{10}}[i] \oplus {K^{10}}[i + 32],{K^{10}}[i + 16],{K^{10}}[i + 48]\) for \(i \in \{0,2,8,10\} \), and compute the value of \({Y^9}[0] \oplus {Y^9}[32]\), \({Y^9}[8] \oplus {Y^9}[40]\) for each ciphertext. Count how many times each 14-bit value appears: \({Y^9}[0] \oplus {Y^9}[32]\), \({Y^9}[8] \oplus {Y^9}[40]\) and \({Y^{10}}[i] \oplus {Y^{10}}[i + 32],{Y^{10}}[i + 16],{Y^{10}}[i + 48]\) for \(i \in \{4,6,12,14\} \). Then pick the values which appear an odd number of times.
- Guess 3 subkey bits, \({K^{10}}[4] \oplus {K^{10}}[36],{K^{10}}[20]\) and \({K^{10}}[52]\). Compress the data into at most \({2^{12}}\) values of \({Y^9}[0] \oplus {Y^9}[32]\), \({Y^9}[16]\), \({Y^9}[8] \oplus {Y^9}[40]\) and \({Y^{10}}[i] \oplus {Y^{10}}[i + 32],{Y^{10}}[i + 16],{Y^{10}}[i + 48]\) for \(i \in \{6,12,14\} \), which appear an odd number of times.
- Guess 3 subkey bits, \({K^{10}}[12] \oplus {K^{10}}[44],{K^{10}}[28]\) and \({K^{10}}[60]\). Compress the data into \({2^{10}}\) texts of \({Y^9}[0] \oplus {Y^9}[32]\), \({Y^9}[16,48]\), \({Y^9}[8] \oplus {Y^9}[40]\) and \({Y^{10}}[i] \oplus {Y^{10}}[i + 32],{Y^{10}}[i + 16],{Y^{10}}[i + 48]\) for \(i \in \{6,14\} \).
- Guess 3 subkey bits, \({K^{10}}[6] \oplus {K^{10}}[38],{K^{10}}[22]\) and \({K^{10}}[54]\). Compress the data into \({2^{8}}\) texts of \({Y^9}[0] \oplus {Y^9}[32]\), \({Y^9}[16,24,48]\), \({Y^9}[8] \oplus {Y^9}[40]\) and \({Y^{10}}[14] \oplus {Y^{10}}[46],{Y^{10}}[30],{Y^{10}}[62]\).
- Guess 3 subkey bits, \({K^{10}}[14] \oplus {K^{10}}[46],{K^{10}}[30]\) and \({K^{10}}[62]\). Compress the data into \({2^{6}}\) texts of \({Y^9}[0] \oplus {Y^9}[32]\), \({Y^9}[16,24,48,56]\), \({Y^9}[8] \oplus {Y^9}[40]\).
- Guess 3 subkey bits, \({K^{9}}[0] \oplus {K^{10}}[32],{K^{10}}[16]\) and \({K^{10}}[48]\). Compress the data into \({2^{4}}\) texts of \({Y^8}[0]\), \({Y^9}[24,56]\), \({Y^9}[8] \oplus {Y^9}[40]\).
- Guess 3 subkey bits, \({K^{9}}[8] \oplus {K^{10}}[40],{K^{10}}[24]\) and \({K^{10}}[56]\). Compress the data into \({2^{2}}\) texts of \({Y^8}[0,32]\).
- Compute \(\mathop \bigoplus \limits _{{\varLambda _s}} ({Y^8}[32] \oplus {Y^8}[0])\) for \(0 \le s < N\) and save the 30-bit guessed subkey \(K_2\) in a hash table \({H'}\) indexed by the corresponding N-bit result.
The time complexity is \({2^{30}} + {2^{29}} + {2^{30}} + {2^{31}} + {2^{32}} + {2^{33}} + {2^{34}} = {2^{35}}\) computations of the Sbox.
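As an added example (not the paper's code), the following Python checks the Sbox property that Step 3 relies on, namely that the needed inverse-Sbox output bit depends on only three linear combinations of the four input bits, so only K[i] ⊕ K[i+32], K[i+16] and K[i+48] have to be guessed per Sbox, together with the odd-count compression each sub-step performs. It assumes the Sbox is PRESENT's (the abstract names PRESENT as the target of the 10-round attack), that output bit k of Sbox j sits at position j + 16k after the permutation layer, and that the bit each sub-step needs is output bit 0 of the inverse Sbox; the mask constants and sample data are constructed here.

```python
# Added example, not from the paper. Assumption: PRESENT's Sbox, with
# inverse-Sbox output bit 0 as the bit each sub-step of Step 3 recovers.
from collections import Counter

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
PRESENT_SBOX_INV = [PRESENT_SBOX.index(v) for v in range(16)]

def bit(v, k):
    return (v >> k) & 1

def reduced_table(sbox_inv, out_bit, masks):
    """Map the parities (mask & y) of the given input masks to out_bit of
    sbox_inv(y). Return None if out_bit depends on more than those linear
    combinations, i.e. two inputs with equal parities give different bits."""
    table = {}
    for y in range(16):
        key = tuple(bin(m & y).count("1") & 1 for m in masks)
        val = bit(sbox_inv[y], out_bit)
        if table.setdefault(key, val) != val:
            return None
    return table

def needed_key_bits(sbox_inv, out_bit, masks):
    """Subkey bits to guess to evaluate out_bit of S^{-1}(y ^ k): len(masks)
    when the reduced table exists (match-through-the-Sbox), else all 4."""
    return len(masks) if reduced_table(sbox_inv, out_bit, masks) else 4

def odd_count_values(values):
    """Partial-sum compression used in every sub-step: keep only the values
    occurring an odd number of times; the XOR-sum of any function of the
    values over the data set is unchanged by this."""
    return sorted(v for v, c in Counter(values).items() if c & 1)

# Constructed masks: 0b0101 = y0^y2, 0b0010 = y1, 0b1000 = y3, i.e. the
# combinations K[i]^K[i+32], K[i+16], K[i+48] guessed in Step 3.
MASKS_STEP3 = (0b0101, 0b0010, 0b1000)

if __name__ == "__main__":
    print(needed_key_bits(PRESENT_SBOX_INV, 0, MASKS_STEP3))  # 3
    print(needed_key_bits(PRESENT_SBOX_INV, 1, MASKS_STEP3))  # 4
    sample = [0x3, 0x5, 0x3, 0x9, 0x5, 0x5]  # constructed 4-bit values
    print(odd_count_values(sample))           # [5, 9]
```

Output bit 0 of the inverse Sbox is the only one of the four that factors through these three masks, which is why the sub-steps recover exactly one Y^9 bit per 3-bit guess.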
© 2016 Springer International Publishing Switzerland
Zhang, H., Wu, W., Wang, Y. (2016). Integral Attack Against Bit-Oriented Block Ciphers. In: Kwon, S., Yun, A. (eds) Information Security and Cryptology - ICISC 2015. ICISC 2015. Lecture Notes in Computer Science(), vol 9558. Springer, Cham. https://doi.org/10.1007/978-3-319-30840-1_7
DOI: https://doi.org/10.1007/978-3-319-30840-1_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-30839-5
Online ISBN: 978-3-319-30840-1