## CryptoDB

### Ruilin Li

#### Publications

- 2016, EUROCRYPT
- 2015, EPRINT
- 2015, CRYPTO
- 2013, FSE
- 2010, EPRINT. Differential fault analysis (DFA) is a powerful cryptanalytic technique that can be used to retrieve the secret key by exploiting computational errors in the encryption (decryption) procedure. In the present paper, we propose a new DFA attack on SMS4 using a single fault. We show that if a random byte fault is induced into either the second, third, or fourth word register at the input of the $28$-th round, the $128$-bit master key can be recovered with an exhaustive search of $22.11$ bits on average. The proposed attack makes use of the characteristic of the cipher's structure, the speciality of the diffusion layer, and the differential property of the S-box. Furthermore, it can be tailored to any block cipher employing a similar structure and an SPN-style round function like that of SMS4.
- 2010, EPRINT. In this paper, based on a differential property of the two-round Lai-Massey scheme in a fault model, we present an improved fault attack on the block cipher FOX64. Our improved method can deduce any round subkey with 4.25 faults on average (4 in the best case), and retrieve all the round subkeys with 45.45 faults on average (38 in the best case). The technique of the proposed attack can also be easily extended to the other ciphers in the FOX family.
- 2010, EPRINT. In this paper, we study the meet-in-the-middle attack against the block cipher ARIA. We find some new 3-round and 4-round distinguishing properties of ARIA. Based on the 3-round distinguishing property, we can apply the meet-in-the-middle attack to up to 6 rounds for all versions of ARIA. Based on the 4-round distinguishing property, we can mount a successful attack on 8-round ARIA-256. Furthermore, the 4-round distinguishing property can be improved, which leads to a 7-round attack on ARIA-192. The data and time complexities of the 7-round attack are $2^{120}$ and $2^{185.3}$, respectively. The data and time complexities of the 8-round attack are $2^{56}$ and $2^{251.6}$, respectively. Compared with the existing cryptanalytic results on ARIA, our 5-round attack has the lowest data and time complexities and the 6-round attack has the lowest data complexity. Moreover, it is shown that 8-round ARIA-256 is not immune to the meet-in-the-middle attack.
- 2010, EPRINT. E2 is a 128-bit block cipher which employs a Feistel structure with a 2-round SPN as its round function. It was an AES candidate and was designed by NTT. Previous publications assumed that E2 has no impossible differential longer than 5 rounds. In this paper, we describe some 6-round impossible differentials of E2. Using a 6-round impossible differential, we first present an attack on a 9-round reduced version of E2-256 without the IT function (the initial transformation) and the FT function (the final transformation).
- 2010, EPRINT. Impossible differential cryptanalysis is a very popular tool for analyzing the security of modern block ciphers, and the core of such an attack is the existence of impossible differentials. Currently, most methods for finding impossible differentials are based on the miss-in-the-middle technique and are very ad hoc. In this paper, we concentrate on SPN ciphers and propose several criteria on the linear transformation $P$ and its inverse $P^{-1}$ that characterize the existence of $3/4$-round impossible differentials. We further discuss the possibility of extending these methods to analyze $5/6$-round impossible differentials. Using these criteria, impossible differentials for reduced-round Rijndael are found that are consistent with the ones found before. New $4$-round impossible differentials are discovered for the block cipher ARIA. Many $4$-round impossible differentials are also detected for the first time for a kind of SPN cipher that employs a $32\times32$ binary matrix proposed at ICISC 2006 as its diffusion layer.
- 2008, EPRINT. This paper studies the security of ARIA against impossible differential cryptanalysis. First, an algorithm is given to find many new 4-round impossible differentials of ARIA. Using these impossible differentials, we improve the previous impossible differential attack on 5/6-round ARIA. We also point out that the existence of such impossible differentials is due to the bad properties of the binary matrix employed in the diffusion layer.
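
Worked example, added here and not code from any of the papers above or from CryptoDB: a word-level (truncated) miss-in-the-middle search for impossible differentials of an SPN whose diffusion layer is a binary matrix, the setting of the two SPN/ARIA abstracts above (the criteria on $P$ and $P^{-1}$, and the "bad properties of the binary matrix" in ARIA's diffusion layer). It tracks only three states per byte (zero, non-zero, unknown), so it is coarser than the papers' criteria and finds a subset of what those characterize, but it shows why the search is entirely a property of $P$ and $P^{-1}$: a bijective S-box layer leaves the three symbols unchanged. The 8-byte matrix `TOY_M`, its block structure, and all function names are assumptions made for this example; it is not the diffusion layer of ARIA, Rijndael, or any published cipher.

```python
"""Truncated miss-in-the-middle search for impossible differentials of an SPN
with a binary-matrix diffusion layer.  Constructed example; TOY_M is a toy
matrix, not any published cipher's diffusion layer.

Per-byte truncated-difference symbols:
  '0'  difference known to be zero
  '1'  difference known to be non-zero
  '?'  nothing known
The S-box layer is the identity on these symbols, so r rounds forward are r
applications of P and r rounds backward are r applications of P^{-1}.
"""

ZERO, ONE, UNK = "0", "1", "?"

# Toy 8x8 binary matrix over bytes: row j is a bit-mask of the input bytes
# XORed into output byte j.  Block structure [[A, I], [I, 0]] with A = J + I,
# chosen (assumption) so that the inverse [[0, I], [I, A]] is easy to verify.
TOY_M = [
    0b00011110,  # y0 = x1 ^ x2 ^ x3 ^ x4
    0b00101101,  # y1 = x0 ^ x2 ^ x3 ^ x5
    0b01001011,  # y2 = x0 ^ x1 ^ x3 ^ x6
    0b10000111,  # y3 = x0 ^ x1 ^ x2 ^ x7
    0b00000001,  # y4 = x0
    0b00000010,  # y5 = x1
    0b00000100,  # y6 = x2
    0b00001000,  # y7 = x3
]


def gf2_mul(A, B):
    """Product of two binary matrices given as lists of bit-mask rows."""
    out = []
    for row in A:
        acc = 0
        for k, brow in enumerate(B):
            if (row >> k) & 1:
                acc ^= brow
        out.append(acc)
    return out


def gf2_inverse(M):
    """Gauss-Jordan on [M | I] over GF(2); raises ValueError if M is singular."""
    n = len(M)
    rows = [(M[j] << n) | (1 << j) for j in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if (rows[r] >> (n + col)) & 1), None)
        if piv is None:
            raise ValueError("matrix is singular over GF(2)")
        rows[col], rows[piv] = rows[piv], rows[col]
        for r in range(n):
            if r != col and (rows[r] >> (n + col)) & 1:
                rows[r] ^= rows[col]
    return [r & ((1 << n) - 1) for r in rows]


def xor_symbols(symbols):
    """XOR of truncated symbols: zeros vanish, a single non-zero term stays
    non-zero, anything else (two or more non-zero, or any unknown) is unknown."""
    symbols = list(symbols)
    if UNK in symbols:
        return UNK
    ones = symbols.count(ONE)
    return ZERO if ones == 0 else ONE if ones == 1 else UNK


def apply_linear(M, pattern):
    """Push a truncated byte pattern through the linear layer M."""
    return tuple(
        xor_symbols(pattern[i] for i in range(len(pattern)) if (row >> i) & 1)
        for row in M
    )


def propagate(M, pattern, rounds):
    """r rounds of (S, P): S is the identity on symbols, so apply M r times."""
    for _ in range(rounds):
        pattern = apply_linear(M, pattern)
    return pattern


def contradicts(fwd, bwd):
    """Miss in the middle: some byte is provably zero on one side and
    provably non-zero on the other."""
    return any({x, y} == {ZERO, ONE} for x, y in zip(fwd, bwd))


def unit(n, i):
    """Pattern with exactly one active (non-zero) byte at index i."""
    return tuple(ONE if k == i else ZERO for k in range(n))


def find_impossible(M, fwd_rounds, bwd_rounds):
    """All (in_byte, out_byte) pairs such that a difference active only in
    in_byte cannot reach a difference active only in out_byte after
    fwd_rounds + bwd_rounds rounds (output taken after the last P layer)."""
    n = len(M)
    Minv = gf2_inverse(M)
    backward = [propagate(Minv, unit(n, j), bwd_rounds) for j in range(n)]
    found = []
    for i in range(n):
        forward = propagate(M, unit(n, i), fwd_rounds)
        for j in range(n):
            if contradicts(forward, backward[j]):
                found.append((i, j))
    return found


if __name__ == "__main__":
    inv = gf2_inverse(TOY_M)
    assert gf2_mul(TOY_M, inv) == [1 << j for j in range(len(TOY_M))]
    for fwd, bwd in ((1, 2), (2, 2)):
        ids = find_impossible(TOY_M, fwd, bwd)
        print(f"{fwd + bwd} rounds: {len(ids)} single-byte impossible "
              f"differentials, e.g. {ids[:4]}")
```

On this toy matrix the 3-round search (one round forward, two back) flags 60 of the 64 single-byte input/output pairs and the 4-round search still flags 40, which is the "bad binary matrix" effect in miniature: the identity blocks let a single active byte survive a round as a single active byte, so the backward pattern keeps exact zeros and non-zeros for two rounds and collides with the forward pattern. Replacing `TOY_M` with a real cipher's byte-level binary matrix and its inverse runs the same search; the papers' criteria describe, in terms of the rows of $P$ and $P^{-1}$, exactly when such a collision must occur.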

#### Coauthors

- Hoda AlKhzaimi (2)
- Lei Cheng (2)
- Jian Guo (1)
- Ping Li (1)
- Chao Li (9)
- Heng Li (1)
- Meicheng Liu (1)
- Zhiqiang Liu (2)
- Vincent Rijmen (3)
- Bing Sun (9)
- Xuehai Tang (1)
- Qingju Wang (2)
- Yuechuan Wei (1)
- Jianxiong You (2)
- Peng Zhang (1)