1 Evaluation of security 1.1. Differential cryptanalysis In extending differential cryptanalysis, Aoki , Kobayashi, and Moriai [1] greatly reduced the computational amount needed [2]. They determined that differential cryptanalysis could not be applied to FEAL with more than 32 rounds. Biham et al. [3] proposed a new cyptanalysis of Skipjack [4] using impossible differentials. Although regular ...

GIFT, a lightweight block cipher proposed at CHES2017, has been widely cryptanalyzed this years. This paper studies the differential diffusion characteristics of round function GIFT first, and proposes random nibble-based fault attack. The key recovery scheme is developed on statistical properties we found for distribution table S-box. A lot experiments had done experimental results show that o...

Zero correlation linear cryptanalysis is a novel key recovery technique for block ciphers proposed in [5]. It is based on linear approximations with probability of exactly 1/2 (which corresponds to the zero correlation). Some block ciphers turn out to have multiple linear approximations with correlation zero for each key over a considerable number of rounds. Zero correlation linear cryptanalysi...

Simon is a lightweight block cipher family proposed by NSA in 2013. It has drawn many cryptanalysts’ attention and varieties of cryptanalysis results have been published, including differential, linear, impossible differential, integral cryptanalysis and so on. In this paper, we give the improved linear attacks on all reduced versions of Simon with dynamic key-guessing technique, which was prop...

We propose a new method for evaluating the security of block ciphers against di erential cryptanalysis and propose new structures for block ciphers. To this end, we de ne the word-wise Markov (Feistel) cipher and random output-di erential (Feistel) cipher and clarify the relations among the di erential, the truncated di erential and the impossible di erential cryptanalyses of the random output-...

This paper deals with the security of MISTY structure with SPN round function. We study the lower bound of the number of active s-boxes for differential and linear characteristics of such block cipher construction. Previous result shows that the differential bound is consistent with the case of Feistel structure with SPN round function, yet the situation changes when considering the linear boun...

In this paper, we study applications of Bernstein-Vazirani algorithm and present several new methods to attack block ciphers. Specifically, we first present a quantum algorithm for finding the linear structures of a function. Based on it, we propose new quantum distinguishers for the 3-round Feistel scheme and a new quantum algorithm to recover partial key of the EvenMansour construction. After...

ICEPOLE is a CAESAR candidate with the intermediate level of robustness under nonce misuse circumstances in the original document. In particular, it was claimed that key recovery attack against ICEPOLE is impossible in the case of nonce misuse. ICEPOLE is strong against the differential cryptanalysis and linear cryptanalysis. In this paper, we developed the differential-linear attacks against I...