We propose two systematic methods to describe the differential property of an S-box with linear inequalities based on logical condition modelling and computational geometry respectively. In one method, inequalities are generated according to some conditional differential properties of the S-box; in the other method, inequalities are extracted from the H-representation of the convex hull of all ...

Impossible differential cryptanalysis and zero-correlation linear cryptanalysis are two of the most useful cryptanalysis methods in the field of symmetric ciphers. Until now, there are several automatic search tools for impossible differentials such as U-method and UID-method, which are all independent of the non-linear S-boxes. Since the differential and linear properties can also contribute t...

Finding the longest impossible differentials is an essential assignment in proceeding impossible differential cryptanalysis. In this paper, we introduce a novel tool to search the longest truncated impossible differentials for word-oriented block ciphers with bijective S-boxes. It costs polynomial time to return a flag indicating whether a truncated differential is impossible under several filt...

Symmetric Cryptanalysis Improved (Pseudo) Preimage Attacks on Reduced-Round GOST and Grøstl-256 and Studies on Several Truncation Patterns for AES-like Compression Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Bingke Ma, Bao Li, Ronglin Hao, and Xiaoqian Li Improvement on the Method for Automatic Differential Analysis and Its Application to Two Lightwe...

In this paper, we present a higher order key partitioning meet-in-the-middle attack. Our attack is inspired by biclique cryptanalysis combined with higher order partitioning of the key. More precisely, we employ more than two equally sized disjoint sets of the key and drop the restrictions on the key partitioning process required for building the initial biclique structure. In other words, we s...

Round addition differential fault analysis using operation skipping for lightweight block ciphers with on-the-fly key scheduling is presented. For 64-bit KLEIN, it is shown that only a pair of correct and faulty ciphertexts can be used to derive the secret master key. For PRESENT, one correct ciphertext and two faulty ciphertexts are required to reconstruct the secret key. Furthermore, secret k...

Since AES and PRESENT are two international standard block ciphers representing the most elegant design strategies for byteoriented and bit-oriented designs respectively, we regard AES and PRESENT the two most significant candidates to scrutinize with respect to related-key differential attack. In EUROCRYPT 2010 and CRYPTO 2013, the security of AES with respect to related-key differential attac...

Key schedules in block ciphers are often highly simplified, which causes weakness that can be exploited in many attacks. At ASIACRYPT 2011, Dunkelman et al. proposed a technique using the weakness in the key schedule of AES, called key-bridging technique, to improve the overall complexity. The advantage of key-bridging technique is that it allows the adversary to deduce some sub-key bits from s...