New impossible differential attacks on reduced-round Crypton

https://doi.org/10.1016/j.csi.2009.11.011

Abstract

Crypton is a 128-bit block cipher which was submitted to the Advanced Encryption Standard competition. In this paper, we present two new impossible differential attacks on reduced-round Crypton. Using two new observations on the diffusion layer of Crypton, exploiting a 4-round impossible differential, and appropriately choosing three additional rounds, we mount the first impossible differential attack on 7-round Crypton. The proposed attacks require 2^121 chosen plaintexts each. The first attack requires 2^125.2 encryptions. We then utilize more pre-computation and memory to reduce the time complexity to 2^116.2 encryptions in the second attack.

Introduction

The block cipher Crypton [1], which is based on the Square cipher [2], was proposed as a candidate algorithm for the Advanced Encryption Standard (AES). Crypton has several interesting features. Except for the key schedule, the encryption and decryption processes are strictly identical. Crypton is highly parallelizable and flexible, and so is well suited to efficient implementation in both hardware and software. Furthermore, Crypton inherits from Square some provable security against differential and linear cryptanalysis. However, to ensure a higher level of security and to fix some minor weaknesses in the key schedule, the designers made some modifications to the S-box construction and the key schedule. This modified version is denoted Crypton V1.0 [3]. Since the AES competition, its candidate algorithms, Crypton among them, have attracted a significant amount of attention from cryptology researchers worldwide. In this paper, we reevaluate the security of Crypton against impossible differential attack. Since we do not make use of the properties of the S-boxes or the key schedule, our results hold for both the initial and the modified versions of Crypton.

Impossible differential cryptanalysis, an extension of the differential attack [4], is one of the most powerful methods used for block cipher cryptanalysis. This method was first introduced by Biham [5] and Knudsen [6] independently. Impossible differential attacks use differentials that hold with probability zero (impossible differentials) to eliminate the wrong keys and leave the right key.

Previous impossible differential attacks, which can be applied to up to 6 rounds of Crypton, are as follows. First, in Asiacrypt'99, Seki and Kaneko proposed an attack on five rounds of Crypton [7]. Their attack requires 2^83.4 plaintexts and has a running time equivalent to about 2^43 5-round encryptions. Later, Cheon et al. in ICISC'01 [8] presented two impossible differential attacks on 6-round Crypton. The best attack of [8] requires 2^93.5 plaintexts and its time complexity is about 2^110.5 6-round encryptions.

In this paper, using a 4-round impossible differential, and appropriately adding three additional rounds to this differential, we present two impossible differential attacks on 7-round Crypton. Also the proposed attacks use two new observations about the diffusion layer of Crypton. The first observation helps us to find the transition probabilities in rounds added to the 4-round impossible differential. The second observation gives a non-probabilistic relation between the ciphertext and an intermediate value in the last round. This observation accelerates the filtration of pairs and thus reduces the complexity of the attacks. The proposed attacks require 2^121 chosen plaintexts. The first one has a time complexity equivalent to 2^125.2 encryptions, while using additional pre-computation and memory, the second attack has a running time equivalent to 2^116.2 encryptions. We summarize our results along with previously known results on Crypton in Table 1. In this table, time complexity is measured in encryption units.

The rest of this paper is organized as follows: Section 2 provides a short description of Crypton and Section 3 describes two important properties of its diffusion layer. A 4-round impossible differential of Crypton, which is more comprehensive than that of previous works, is introduced in Section 4. In Section 5 we propose our new impossible differential attacks on 7-round Crypton and investigate their complexities. Finally, we conclude the paper in Section 6.

Section snippets

Description of Crypton

The 128-bit block cipher Crypton [1] has a 12-round SPN (Substitution-Permutation Network) structure that supports key sizes up to 256 bits. A 128-bit data block is represented by a 4 × 4 matrix of bytes as in Fig. 1.

One round of Crypton applies the following four operations to the state matrix:

  • γ_o and γ_e are byte-wise nonlinear substitutions which are applied to odd rounds and even rounds, respectively.

  • π_o and π_e are linear bit permutations which are applied to odd rounds and even rounds, respectively.

New observations on Crypton

In this section we give two important observations on the diffusion layer of Crypton. Recall that the word transformation π (each of π_o and π_e) has branch number 4 as a map from 4-byte inputs to 4-byte outputs. That is, if the input pair has i ∈ {1, 2, 3, 4} non-zero differences out of four bytes, then the output difference has at least max{1, 4 − i} non-zero differences.
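The branch-number bound can be checked by exhaustive search over one column. The following C program is an added example, not code from the paper: the byte masks 0xfc, 0xf3, 0xcf, 0x3f and their ordering in `pi_column` are assumptions not given on this page, and all function names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed byte masks of pi; each one drops a different 2-bit slice. */
static const uint8_t M[4] = {0xfc, 0xf3, 0xcf, 0x3f};

/* One column of pi, four bytes packed into a word (byte k at bits 8k..8k+7).
   The mask index (j + k + c) mod 4 is an assumed ordering; c rotates it. */
uint32_t pi_column(uint32_t a, int c) {
    uint32_t b = 0;
    for (int j = 0; j < 4; j++)
        for (int k = 0; k < 4; k++)
            b ^= (uint32_t)((a >> (8 * k)) & M[(j + k + c) & 3]) << (8 * j);
    return b;
}

/* Number of non-zero bytes in a packed column. */
int byte_weight(uint32_t x) {
    int w = 0;
    for (int k = 0; k < 4; k++) w += ((x >> (8 * k)) & 0xff) != 0;
    return w;
}

/* Minimum output weight over ALL inputs with exactly i non-zero bytes
   (i in 1..3). pi is GF(2)-linear, so per-byte tables can be XORed. */
int min_out_weight(int i, int c) {
    uint32_t T[4][256];
    for (int k = 0; k < 4; k++)
        for (int v = 0; v < 256; v++)
            T[k][v] = pi_column((uint32_t)v << (8 * k), c);
    uint64_t total = 1;
    for (int t = 0; t < i; t++) total *= 255;
    int best = 4;
    for (int s = 1; s < 16; s++) {          /* s = set of active byte positions */
        if ((s & 1) + (s >> 1 & 1) + (s >> 2 & 1) + (s >> 3 & 1) != i) continue;
        for (uint64_t n = 0; n < total; n++) {
            uint64_t r = n; uint32_t b = 0;
            for (int k = 0; k < 4; k++)     /* base-255 digits give values 1..255 */
                if ((s >> k) & 1) { b ^= T[k][1 + r % 255]; r /= 255; }
            int w = byte_weight(b);
            if (w < best) best = w;
        }
    }
    return best;
}

int main(void) {
    for (int i = 1; i <= 3; i++)
        printf("i=%d  min output weight=%d  bound=%d\n", i, min_out_weight(i, 0), 4 - i);
    return 0;
}
```

The minimum meets the bound max{1, 4 − i} with equality for i = 1, 2, 3, so the branch number is exactly 4. Inputs with i = 4 are not enumerated because the bound there only requires a non-zero output.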

For an optimum linear transformation, with a uniform distribution and branch number 5, the probability for each byte

4-Round impossible differentials of Crypton

In this section, we introduce a 4-round impossible differential property of Crypton in its general form. The impossible differential states that given a pair of (x_i^I, x_i^I) which are equal in all bytes except one, then Δx_{i+3}^γ cannot be zero in at least two rows.

Fig. 3 illustrates this impossible differential property in one of its possible cases. The boxes with a black circle in them refer to bytes with non-zero difference, while the boxes with “?” in them refer to bytes with unknown difference

Impossible differential attack on 7 rounds of Crypton

In this section, we present two impossible differential attacks on 7-round Crypton with the first addition of subkey σ_{K_0} and the final transformation φ_e. Both attacks are based on a special case of the 4-round impossible differential introduced in Section 4. Fig. 4 illustrates the attacks. The two attacks differ only in that the second uses some additional pre-computation, which improves the time complexity. As depicted in Fig. 4, in order to

Conclusion

Two impossible differential attacks on 7-round Crypton have been proposed in this paper. These attacks use a 4-round impossible differential to retrieve the whole of the 7th round subkey. Both attacks require 2^121 plaintexts, while the first one has a time complexity equivalent to 2^125.2 encryptions and the other requires 2^116.2 encryptions. A collection of techniques, including two new observations of Section 3, appropriate selection of additional rounds and using three hash tables, caused the

References (8)

  • C.H. Lim, Crypton: A New 128-bit Block Cipher
  • J. Daemen et al., The Block Cipher Square
  • C.H. Lim
  • E. Biham et al., Differential cryptanalysis of DES-like cryptosystems, Journal of Cryptology (1991)
There are more references available in the full text version of this article.

Cited by (8)

  • Non-isomorphic biclique cryptanalysis of full-round Crypton

    2015, Computer Standards and Interfaces
    Citation Excerpt :

    An impossible differential attack on 6 rounds of Crypton V1.0 was introduced in ICISC'01 [13]. Later, this result was improved to an impossible differential attack on 7 rounds of Crypton V1.0 with data complexity of 2^121 chosen plaintexts and time complexity of 2^116.2 7-round encryptions, which is the best known single key attack on this block cipher [14]. Also, there is a related-key impossible differential attack on 9 rounds which requires 2^105 chosen plaintexts and 2^243.8 9-round encryptions [15].

  • Making the Impossible Possible

    2018, Journal of Cryptology
  • Impossible Differential Attack on Crypton

    2017, Jisuanji Yanjiu yu Fazhan/Computer Research and Development
  • Improved meet-in-the-middle attacks on crypton and mCrypton

    2017, KSII Transactions on Internet and Information Systems

Hamid Mala received his B.S. and M.S. degrees in Electrical Engineering from Isfahan University of Technology (IUT) in 2003 and 2006, respectively. Since January 2006, he has been a Ph.D. student at the Department of Electrical and Computer Engineering, Isfahan University of Technology. His research interests are the design and cryptanalysis of block ciphers and digital signatures.

Mohsen Shakiba received his B.S. and M.S. degrees in Electrical Engineering from Ferdowsi University of Mashhad and Isfahan University of Technology in 2003 and 2008, respectively. He has been a Ph.D. student at Isfahan University of Technology since January 2009. His main research interests include information theory and cryptanalysis of block ciphers.

Mohammad Dakhilalian received his B.S. and Ph.D. degrees in Electrical Engineering from Isfahan University of Technology (IUT) in 1989 and 1998, respectively, and his M.S. degree in Electrical Engineering from Tarbiat Modarres University in 1993. He was an Assistant Professor in the Faculty of Information and Communication Technology, Ministry of ICT, Tehran, Iran, in 1999–2001. He joined IUT in 2001 and is an Assistant Professor in the Electrical and Computer Engineering Department. His current research interests are cryptography and data security.
