Block ciphers

From CryptoLUX
Jump to: navigation, search

Attacks on the full AES-256 and AES-192

We attack the full AES-192 and the full AES-256 in the related-key model with the boomerang attacks. The paper is submitted to a conference.

FAQ on the attacks

Attacks on reduced AES

Attacks on SIMON and SPECK


  • Automatic Search for Differential Trails in ARX Ciphers (Extended Version). Alex Biryukov, Vesselin Velichkov. We propose a tool for automatic search for differential trails in ARX ciphers. By introducing the concept of a partial difference distribution table (pDDT) we extend Matsui's algorithm, originally proposed for DES-like ciphers, to the class of ARX ciphers. To the best of our knowledge this is the first application of Matsui's algorithm to ciphers that do not have S-boxes. The tool is applied to the block ciphers TEA, XTEA, SPECK and RAIDEN. For RAIDEN we find an iterative characteristic on all 32 rounds that can be used to break the full cipher using standard differential cryptanalysis. This is the first cryptanalysis of the cipher in a non-related key setting. Differential trails on 9, 10 and 13 rounds are found for SPECK32, SPECK48 and SPECK64 respectively. The 13 round trail covers half of the total number of rounds. These are the first public results on the security analysis of SPECK. For TEA multiple full (i.e. not truncated) differential trails are reported for the first time, while for XTEA we confirm the previous best known trail reported by Hong et al. We also show closed formulas for computing the exact additive differential probabilities of the left and right shift operations. slides

The source code of the tool is publicly available as part of a larger toolkit for the analysis of ARX at the following address: .

Structural Reverse-Engineering

  • On Reverse-Engineering S-Boxes with Hidden Design Criteria or Structure. Alex Biryukov, Léo Perrin (2015). We describe several method that can be used to try and reverse-engineer an S-Box for which only the look-up table is known. We apply these techniques to the S-box of the NSA's Skipjack cipher and deduce several things. First, this S-Box was engineered; it could not have been picked according to some criteria from a feasibly large set of random S-Boxes. Second, its linear properties were optimized, possibly using a metric we describe in the paper.

Lightweight Block Ciphers