Shaozhen Chen

CR · 5 papers · 21 citations · Novelty 45% · AI Score 21

5 Papers

CR · Oct 16, 2014
Zero-Correlation Linear Cryptanalysis of Reduced-round MISTY1

Wentan Yi, Shaozhen Chen

The MISTY1 algorithm, proposed by Matsui in FSE 1997, is a block cipher with a 64-bit block size and a 128-bit key size. It was recommended by the European NESSIE project and the CRYPTREC project, and became one RFC in 2002 and an ISO standard in 2005, respectively. In this paper, we first investigate the properties of the FL linear function and identify 232 subkey-dependent zero-correlation linear approximations over 5-round MISTY1 with 3 FL layers. Furthermore, some observations on the FL, FO and FI functions are found and based upon those observations, we select 27 subkey-dependent zero-correlation linear approximations and then propose the zero-correlation linear attacks on 7-round MISTY1 with 4 FL layers. Besides, for the case without FL layers, 27 zero-correlation linear approximations over 5-round MISTY1 are employed to the analysis of 7-round MISTY1. The zero-correlation linear attack on the 7-round with 4 FL layers needs about 2^{119.5} encryptions with 2^{62.9} known plaintexts and 2^{61} memory bytes. For the attack on 7-round without FL layers, the data complexity is about 2^{63.9} known plaintexts, the time complexity is about 2^{81} encryptions and the memory requirements are about 2^{93} bytes. Both have lower time complexity than previous attacks.

CR · Jul 10, 2014
Improved Results on Integral and Zero-correlation Linear Cryptanalysis of the Block Cipher MIBS

Wentan Yi, Shaozhen Chen

MIBS is a lightweight block cipher aimed at extremely constrained resource environments such as RFID tags and sensor networks. In this paper, we focus on improved key-recovery attacks on reduced-round MIBS with integral and zero-correlation linear cryptanalysis. By exploring the key-expanding properties and choosing suitable linear approximations with zero-correlation, 13-round zero-correlation linear cryptanalysis is presented. Furthermore, we deduced some integral distinguishers from 8-round zero-correlation linear approximations using the relations between them, and as applications, we applied these integral distinguishers to the cryptanalysis of MIBS.

CR · Jun 12, 2014
Zero-Correlation Linear Cryptanalysis of Reduced Round ARIA with Partial-sum and FFT

Wentan Yi, Shaozhen Chen, Kuanyang Wei

Block cipher ARIA was first proposed by some South Korean experts in 2003, and later, it was established as a Korean Standard block cipher algorithm by Korean Agency for Technology and Standards. In this paper, we focus on the security evaluation of ARIA block cipher against the recent zero-correlation linear cryptanalysis. In addition, Partial-sum technique and FFT (Fast Fourier Transform) technique are used to speed up the cryptanalysis, respectively. We first introduce some 4-round linear approximations of ARIA with zero-correlation, and then present some key-recovery attacks on 6/7-round ARIA-128/256 with Partial-sum technique and FFT technique. The key-recovery attack with Partial-sum technique on 6-round ARIA-128 needs 2^{123.6} known plaintexts (KPs), 2^{121} encryptions and 2^{90.3} bytes memory, and the attack with FFT technique requires 2^{124.1} KPs, 2^{121.5} encryptions and 2^{90.3} bytes memory. Moreover, applying Partial-sum technique, we can attack 7-round ARIA-256 with 2^{124.6} KPs, 2^{203.5} encryptions and 2^{152} bytes and 7-round ARIA-256 employing FFT technique, requires 2^{124.7} KPs, 2^{209.5} encryptions and 2^{152} bytes. Our results are the first zero-correlation linear cryptanalysis results on ARIA.

CR · May 26, 2014
Integral Cryptanalysis of the Block Cipher E2

Wentan Yi, Shaozhen Chen

Block cipher E2, designed and submitted by Nippon Telegraph and Telephone Corporation, is a first-round Advanced Encryption Standard candidate. It employs a Feistel structure as global structure and two-layer substitution-permutation network structure in round function with initial transformation IT function before the first round and final transformation FT function after the last round. The design principles influence several more recent block ciphers including Camellia, an ISO/IEC standard cipher. In this paper, we focus on the key-recovery attacks on reduced-round E2-128/192 taking both IT and FT functions in consideration with integral cryptanalysis. We first improve the relations between zero-correlation linear approximations and integral distinguishers, and then deduce some integral distinguishers from zero-correlation linear approximations over 6 rounds of E2. Furthermore, we apply these integral distinguishers to break 6-round E2-128 with 2^{120} known plaintexts (KPs), 2^{115.4} encryptions and 2^{28} bytes memory. In addition, the attack on 7-round E2-192 requires 2^{120} KPs, 2^{167.2} encryptions and 2^{60} bytes memory.

CR · Apr 24, 2014
Multidimensional Zero-Correlation Linear Cryptanalysis of the Block Cipher KASUMI

Wentan Yi, Shaozhen Chen

The block cipher KASUMI is widely used for security in many synchronous wireless standards. It was proposed by ETSI SAGE for usage in 3GPP (3rd Generation Partnership Project) ciphering algorithms in 2001. There are a great deal of cryptanalytic results on KASUMI, however, its security evaluation against the recent zero-correlation linear attacks is still lacking so far. In this paper, we select some special input masks to refine the general 5-round zero-correlation linear approximations combining with some observations on the $FL$ functions and then propose the 6-round zero-correlation linear attack on KASUMI. Moreover, zero-correlation linear attacks on the last 7-round KASUMI are also introduced under some weak keys conditions. These weak keys take $2^{-14}$ of the whole key space. The new zero-correlation linear attack on the 6-round needs about $2^{85}$ encryptions with $2^{62.8}$ known plaintexts. For the attack under weak keys conditions on the last 7 round, the data complexity is about $2^{62.1}$ known plaintexts and the time complexity $2^{110.5}$ encryptions.