New impossible differential attacks on reduced-round Crypton
Introduction
The block cipher Crypton [1], which is based on the Square cipher [2], was proposed as a candidate algorithm for the Advanced Encryption Standard (AES). Crypton has several interesting features. Except for the key schedule, the encryption and decryption processes are strictly identical. Crypton is highly parallelizable and flexible, and is therefore well suited for efficient implementation in both hardware and software. Furthermore, Crypton inherits from Square some provable security against differential and linear cryptanalysis. However, to ensure a higher level of security and to fix some minor weaknesses in the key schedule, the designers made some modifications in the S-box construction and the key schedule. This modified version is denoted by Crypton V1.0 [3]. Since the AES competition, its candidate algorithms, Crypton among them, have attracted a significant amount of attention from cryptology researchers worldwide. In this paper, we reevaluate the security of Crypton against impossible differential attacks. Since we do not make use of the properties of the S-boxes or the key schedule, our results hold for both the initial and the modified versions of Crypton.
Impossible differential cryptanalysis, an extension of the differential attack [4], is one of the most powerful methods used for block cipher cryptanalysis. This method was first introduced by Biham [5] and Knudsen [6] independently. Impossible differential attacks use differentials that hold with probability zero (impossible differentials) to eliminate the wrong keys and leave the right key.
Previous impossible differential attacks, which apply to up to 6 rounds of Crypton, are as follows. First, at Asiacrypt'99, Seki and Kaneko proposed an attack on five rounds of Crypton [7]. Their attack requires $2^{83.4}$ plaintexts and has a running time equivalent to about $2^{43}$ 5-round encryptions. Later, Cheon et al. at ICISC'01 [8] presented two impossible differential attacks on 6-round Crypton. The best attack of [8] requires $2^{93.5}$ plaintexts and its time complexity is about $2^{110.5}$ 6-round encryptions.
In this paper, using a 4-round impossible differential and appropriately adding three additional rounds to it, we present two impossible differential attacks on 7-round Crypton. The proposed attacks also use two new observations about the diffusion layer of Crypton. The first observation helps us to find the transition probabilities in the rounds added to the 4-round impossible differential. The second observation gives a non-probabilistic relation between the ciphertext and an intermediate value in the last round. This observation accelerates the filtration of pairs and thus reduces the complexity of the attacks. The proposed attacks require $2^{121}$ chosen plaintexts. The first one has a time complexity equivalent to $2^{125.2}$ encryptions, while the second attack, using additional pre-computation and memory, has a running time equivalent to $2^{116.2}$ encryptions. We summarize our results along with previously known results on Crypton in Table 1. In this table, time complexity is measured in encryption units.
The rest of this paper is organized as follows: Section 2 provides a short description of Crypton and Section 3 describes two important properties of its diffusion layer. A 4-round impossible differential of Crypton, which is more comprehensive than that of previous works, is introduced in Section 4. In Section 5 we propose our new impossible differential attacks on 7-round Crypton and investigate their complexities. Finally, we conclude the paper in Section 6.
Section snippets
Description of Crypton
The 128-bit block cipher Crypton [1] has a 12-round SPN (Substitution-Permutation Network) structure that supports key sizes up to 256 bits. A 128-bit data block is represented by a 4 × 4 matrix of bytes as in Fig. 1.
One round of Crypton applies the following four operations to the state matrix:
- $\gamma_o$ and $\gamma_e$ are byte-wise nonlinear substitutions which are applied to odd rounds and even rounds, respectively.
- $\pi_o$ and $\pi_e$ are linear bit permutations which are applied to odd rounds and even rounds, respectively.
New observations on Crypton
In this section we give two important observations on the diffusion layer of Crypton. Recall that the word transformation $\pi$ (each of $\pi_o$ and $\pi_e$) has branch number 4 as a map from 4-byte inputs to 4-byte outputs. That is, if the input pair has $i \in \{1, 2, 3, 4\}$ non-zero differences out of four bytes, then the output difference has at least $\max\{1, 4 - i\}$ non-zero differences.
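As an added illustration (not code from the paper), the following Python check confirms the bound max{1, 4 − i} on one column of π and shows that it is tight for every i. The mask constants and the column formula are assumptions taken from the published Crypton specification, which this page does not reproduce; all function names are illustrative.

```python
from itertools import combinations, product

# Masks assumed from the published Crypton specification (not on this page).
MASKS = (0xFC, 0xF3, 0xCF, 0x3F)

def pi(col):
    """Apply pi to one 4-byte column. The map is linear over GF(2), so an
    input difference is mapped directly to the output difference."""
    return tuple(
        (col[0] & MASKS[i]) ^ (col[1] & MASKS[(i + 1) % 4])
        ^ (col[2] & MASKS[(i + 2) % 4]) ^ (col[3] & MASKS[(i + 3) % 4])
        for i in range(4))

def weight(col):
    """Number of non-zero (active) bytes in a column."""
    return sum(b != 0 for b in col)

def unit_columns():
    """Yield every column with exactly one active byte."""
    for pos in range(4):
        for val in range(1, 256):
            yield tuple(val if k == pos else 0 for k in range(4))

def is_involution():
    """pi(pi(x)) == x; by linearity, checking one-byte columns suffices."""
    return all(pi(pi(e)) == e for e in unit_columns())

def min_active_outputs():
    """Minimum number of active output bytes for i = 1..4 active inputs."""
    best = {}
    for i in (1, 2):  # exhaustive over positions and non-zero byte values
        best[i] = 4
        for pos in combinations(range(4), i):
            for vals in product(range(1, 256), repeat=i):
                col = [dict(zip(pos, vals)).get(k, 0) for k in range(4)]
                best[i] = min(best[i], weight(pi(col)))
    # i = 3, 4: an involution is a bijection, so the weight is never 0, and
    # pi(y) is the preimage of y: its weight tells which i can reach 1.
    if not is_involution():
        raise ValueError("pi is not an involution; check the masks")
    reaches_one = {weight(pi(y)) for y in unit_columns()}
    for i in (3, 4):
        if i not in reaches_one:
            raise ValueError(f"weight {i} needs a full search")
        best[i] = 1
    return best

if __name__ == "__main__":
    print(min_active_outputs())
```

The weight-1 and weight-2 cases are searched exhaustively; the weight-3 and weight-4 cases follow from π being its own inverse, which avoids enumerating all $2^{32}$ columns.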
For an optimum linear transformation, with a uniform distribution and branch number 5, the probability for each byte
4-Round impossible differentials of Crypton
In this section, we introduce a 4-round impossible differential property of Crypton in its general form. The impossible differential states that given a pair $({x}_i^{I}, {x'}_i^{I})$ which are equal in all bytes except one, then $\Delta x_{i+3}^{\gamma}$ cannot be zero in at least two rows.
Fig. 3 illustrates this impossible differential property in one of its possible cases. The boxes with a black circle in them refer to bytes with non-zero difference, while the boxes with “?” in them refer to bytes with unknown difference
Impossible differential attack on 7 rounds of Crypton
In this section, we present two impossible differential attacks on 7-round Crypton with the first addition of subkey $\sigma_{K_0}$ and the final transformation $\phi_e$. Both attacks are based on a special case of the 4-round impossible differential introduced in Section 4. Fig. 4 illustrates the attacks. The two attacks differ only in their scenarios: the second attack uses some additional pre-computation, which improves the time complexity. As depicted in Fig. 4, in order to
Conclusion
Two impossible differential attacks on 7-round Crypton have been proposed in this paper. These attacks use a 4-round impossible differential to retrieve the whole of the 7th round subkey. Both attacks require $2^{121}$ plaintexts, while the first one has a time complexity equivalent to $2^{125.2}$ encryptions and the other requires $2^{116.2}$ encryptions. A collection of techniques, including two new observations of Section 3, appropriate selection of additional rounds and using three hash tables, caused the
Hamid Mala received his B.S. and M.S. degrees in Electrical Engineering from Isfahan University of Technology (IUT) in 2003 and 2006, respectively. Since January 2006, he has been a Ph.D. student at the Department of Electrical and Computer Engineering, Isfahan University of Technology. His research interests are the design and cryptanalysis of block ciphers and digital signatures.
References (8)
- Crypton: A New 128-bit Block Cipher
- et al., The Block Cipher Square
- et al., Differential cryptanalysis of DES-like cryptosystems, Journal of Cryptology (1991)
Cited by (8)
Non-isomorphic biclique cryptanalysis of full-round Crypton
2015, Computer Standards and Interfaces
Citation Excerpt: An impossible differential attack on 6 rounds of Crypton V1.0 was introduced in ICISC'01 [13]. Later, this result was improved to an impossible differential attack on 7 rounds of Crypton V1.0 with data complexity of $2^{121}$ chosen plaintexts and time complexity of $2^{116.2}$ 7-round encryptions, which is the best known single key attack on this block cipher [14]. Also, there is a related-key impossible differential attack on 9 rounds which requires $2^{105}$ chosen plaintexts and $2^{243.8}$ 9-round encryptions [15].
Improved meet-in-the-middle attacks on round-reduced crypton-256
2019, Journal of Cryptologic Research
Making the Impossible Possible
2018, Journal of Cryptology
Impossible Differential Attack on Crypton
2017, Jisuanji Yanjiu yu Fazhan/Computer Research and Development
Improved meet-in-the-middle attacks on Crypton and mCrypton
2017, IET Information Security
Improved meet-in-the-middle attacks on crypton and mCrypton
2017, KSII Transactions on Internet and Information Systems
Mohsen Shakiba received his B.S. and M.S. degrees in Electrical Engineering from Ferdowsi University of Mashhad and Isfahan University of Technology in 2003 and 2008, respectively. He has been a Ph.D. student at Isfahan University of Technology since January 2009. His main research interests include information theory and cryptanalysis of block ciphers.
Mohammad Dakhilalian received his B.S. and Ph.D. degrees in Electrical Engineering from Isfahan University of Technology (IUT) in 1989 and 1998, respectively, and his M.S. degree in Electrical Engineering from Tarbiat Modarres University in 1993. He was an Assistant Professor in the Faculty of Information and Communication Technology, Ministry of ICT, Tehran, Iran in 1999–2001. He joined IUT in 2001 and is an Assistant Professor in the Electrical and Computer Engineering Department. His current research interests are cryptography and data security.