## CryptoDB

### Meiqin Wang

#### Affiliation: Shandong University , China

#### Publications

**Year**

**Venue**

**Title**

2019

TOSC

Related-Tweak Statistical Saturation Cryptanalysis and Its Application on QARMA
Abstract

Statistical saturation attack takes advantage of a set of plaintext with some bits fixed while the others vary randomly, and then track the evolution of a non-uniform plaintext distribution through the cipher. Previous statistical saturation attacks are all implemented under single-key setting, and there is no public attack models under related-key/tweak setting. In this paper, we propose a new cryptanalytic method which can be seen as related-key/tweak statistical saturation attack by revealing the link between the related-key/tweak statistical saturation distinguishers and KDIB (Key Difference Invariant Bias) / TDIB (Tweak Difference Invariant Bias) ones. KDIB cryptanalysis was proposed by Bogdanov et al. at ASIACRYPT’13 and utilizes the property that there can exist linear trails such that their biases are deterministically invariant under key difference. And this method can be easily extended to TDIB distinguishers if the tweak is also alternated. The link between them provides a new and more efficient way to find related-key/tweak statistical saturation distinguishers in ciphers. Thereafter, an automatic searching algorithm for KDIB/TDIB distinguishers is also given in this paper, which can be implemented to find word-level KDIB distinguishers for S-box based key-alternating ciphers. We apply this algorithm to QARMA-64 and give related-tweak statistical saturation attack for 10-round QARMA-64 with outer whitening key. Besides, an 11-round attack on QARMA-128 is also given based on the TDIB technique. Compared with previous public attacks on QARMA including outer whitening key, all attacks presented in this paper are the best ones in terms of the number of rounds.

2018

TOSC

Cryptanalysis of AES-PRF and Its Dual
Abstract

A dedicated pseudorandom function (PRF) called AES-PRF was proposed by Mennink and Neves at FSE 2018 (ToSC 2017, Issue 3). AES-PRF is obtained from AES by using the output of the 5-th round as the feed-forward to the output state. This paper presents extensive security analysis of AES-PRF and its variants. Specifically, we consider unbalanced variants where the output of the s-th round is used as the feed-forward. We also analyze the security of “dual” constructions of the unbalanced variants, where the input state is used as the feed-forward to the output of the s-th round. We apply an impossible differential attack, zero-correlation linear attack, traditional differential attack, zero correlation linear distinguishing attack and a meet-in-the-middle attack on these PRFs and reduced round versions. We show that AES-PRF is broken whenever s ≤ 2 or s ≥ 6, or reduced to 7 rounds, and Dual-AES-PRF is broken whenever s ≤ 4 or s ≥ 8. Our results on AES-PRF improve the initial security evaluation by the designers in various ways, and our results on Dual-AES-PRF give the first insight to its security.

2018

TOSC

More Accurate Differential Properties of LED64 and Midori64
Abstract

In differential cryptanalysis, a differential is more valuable than the single trail belonging to it in general. The traditional way to compute the probability of the differential is to sum the probabilities of all trails within it. The automatic tool for the search of differentials based on Mixed Integer Linear Programming (MILP) has been proposed and realises the task of finding multiple trails of a given differential. The problem is whether it is reliable to evaluate the probability of the differential traditionally. In this paper, we focus on two lightweight block ciphers – LED64 and Midori64 and show the more accurate estimation of differential probability considering the key schedule. Firstly, an automated tool based on Boolean Satisfiability Problem (SAT) is put forward to accomplish the automatic search of differentials for ciphers with S-boxes and is applied to LED64 and Midori64. Secondly, we provide an automatic approach to detect the right pairs following a given differential, which can be exploited to calculate the differential property. Applying this technique to the STEP function of LED64, we discover some differentials with enhanced probability. As a result, the previous attacks relying upon high probability differentials can be improved definitely. Thirdly, we present a method to compute an upper-bound of the weak-key ratio for a given differential, which is utilised to analyse 4-round differentials of Midori64. We detect two differentials whose weak-key ratios are much lower than the expected 50%. More than 78% of the keys will make these two differentials being impossible differentials. The idea of the estimation for an upper-bound of the weak-key ratio can be employed for other ciphers and allows us to launch differential attacks more reliably. Finally, we introduce how to compute the enhanced differential probability and evaluate the size of keys achieving the improved probability. Such a property may incur an efficient weak-key attack. For a 4-round differential of Midori64, we obtain an improved differential property for a portion of keys.

2017

ASIACRYPT

2015

EPRINT

2010

EPRINT

Practical-time Attack on the Full MMB Block Cipher
Abstract

Modular Multiplication based Block Cipher (MMB) is a block cipher
designed by Daemen \emph{et al.} as an alternative to the IDEA block
cipher. In this paper, we give a practical-time attack on the full
MMB with adaptive chosen plaintexts and ciphertexts. By the
constructive sandwich distinguisher for 5 of the 6 rounds of MMB
with amazingly high probability 1, we give the key recovery attack
on the full MMB with data complexity $2^{40}$ and time complexity
$2^{13.4}$ MMB encryptions. Then a rectangle-like sandwich attack on
the full MMB is presented, with $2^{66.5}$ chosen plaintexts,
$2^{64}$ MMB encryptions and $2^{70.5}$ memory bytes. By the way, we
show an improved differential attack on the full MMB with data
complexity of $2^{96}$ chosen plaintexts and ciphertexts, time
complexity $2^{64}$ encryptions and $2^{66}$ bytes of memory.

2010

EPRINT

Effect of the Dependent Paths in Linear Hull
Abstract

Linear Hull is a phenomenon that there are a lot of linear paths
with the same data mask but different key masks for a block cipher.
In 1994, Nyberg presented the effect on the key-recovery attack such
as Algorithm 2 with linear hull, in which the required number of the
known plaintexts can be decreased compared with that in the attack
using individual linear path. In 2009, Murphy proved that Nyberg's
results can only be used to give a lower bound on the data
complexity and will be no use on the real linear cryptanalysis. In
fact, the linear hull have this kind of positive effect in linear
cryptanalysis for some keys instead of the whole key space. So the
linear hull can be used to improve the traditional linear
cryptanalysis for some weak keys. In the same year, Ohkuma gave the
linear hull analysis on PRESENT block cipher, and pointed that there
are $32\%$ weak keys of PRESENT which make the bias of a given
linear hull with multiple paths more than that of any individual
linear path. However, Murphy and Ohkuma have not considered the
dependency of the muti-path, and their results are based on the
assumption that the linear paths are independent. Actually, most of
the linear paths are dependent in the linear hull, and the
dependency of the linear paths means the dependency of the
equivalent key bits. In this paper, we will analyze the dependency
of the linear paths in linear hull and present the real effect of
linear hull with the dependent linear paths. Firstly, we give the
relation between the bias of a linear hull and its linear paths in
linear cryptanalysis. Secondly, we present the algorithm to compute
the rate of weak keys corresponding to the expect bias of the linear
hull. At last, we verify our algorithm by cryptanalyzing
reduced-round of PRESENT. Compared with the rate of weak keys under
the assumption of the independent linear paths, the dependency of
the linear paths will greatly reduce the rate of weak keys for a
given linear hull.

2007

EPRINT

Differential Cryptanalysis of PRESENT
Abstract

PRESENT is proposed by A.Bogdanov et al. in CHES 2007 for extremely
constrained environments such as RFID tags and sensor networks. In
this paper, we find out the differential characteristics for
r-round($5 \leq r \leq 15$), then give the differential
cryptanalysis on reduced-round variants of PRESENT. We attack
16-round PRESENT using $2^{64}$ chosen plaintexts, $2^{32}$ 6-bit
counters, and $2^{65}$ memory accesses.

#### Program Committees

- FSE 2018
- FSE 2017
- Asiacrypt 2017
- FSE 2016
- Asiacrypt 2016
- Asiacrypt 2014

#### Coauthors

- Andrey Bogdanov (5)
- Christina Boura (1)
- Huaifeng Chen (2)
- Jiazhe Chen (1)
- Tingting Cui (1)
- Zhenli Dai (1)
- Patrick Derbez (1)
- Xiaoyang Dong (1)
- Kai Fu (2)
- Yinghua Guo (1)
- Jian Guo (2)
- Lei Hu (2)
- Kai Hu (1)
- Senyang Huang (1)
- Tetsu Iwata (1)
- Keting Jia (2)
- Gregor Leander (1)
- Muzhou Li (1)
- Xiaoshuang Ma (1)
- Kaisa Nyberg (1)
- Bart Preneel (1)
- Kexin Qiao (1)
- Vincent Rijmen (1)
- Yu Sasaki (2)
- Danping Shi (1)
- Ling Song (1)
- Ling Sun (4)
- Yue Sun (2)
- Siwei Sun (3)
- Elmar Tischhauser (1)
- Yosuke Todo (1)
- Wei Wang (3)
- Xiaoyun Wang (4)
- Lei Wang (2)
- Haoyang Wang (1)
- Peng Wang (1)
- Long Wen (5)
- Guangwu Xu (1)
- Jingyuan Zhao (3)