Attacks on the full AES-256 and AES-192
- Distinguisher and Related-Key Attack on the Full AES-256. A shorter version will appear in the proceedings of CRYPTO'2009.
- AES-256 non-randomness examples. We show non-randomness of AES-256 in the open-key attack model. This demonstrates that AES-256 has properties which an ideal cipher should not have. The distinguisher runs for several hours on a PC.
- Related-Key Attack on the Full AES-192 and AES-256. In this paper we show new attacks on AES which extend the results of our CRYPTO paper by working for all keys and not just for a weak-key class. We attack the full AES-192 and the full AES-256 in the related-key model with boomerang attacks. The paper is submitted to a conference.
- Implementation of the attack on AES-256.
Attacks on reduced AES
- Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds. Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, Adi Shamir. We show practical related-key attacks on 8-, 9-, and 10-round AES-256.
Attacks on SIMON and SPECK
- Differential Analysis of Block Ciphers SIMON and SPECK. Alex Biryukov, Arnab Roy, and Vesselin Velichkov. This paper was accepted at FSE'14. We apply a recently proposed method to improve the best known differentials and differential trails for several versions of the lightweight block ciphers SIMON and SPECK, thus improving the current best attacks.
- Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia, Khazad and Others. Alex Biryukov, Ivica Nikolić. We present a tool for automatic search for related-key (RK) differential characteristics in byte-oriented ciphers. We used the tool to find the best RK characteristics in AES-128, AES-192, AES-256, byte-Camellia and Khazad.
- Search for Related-key Differential Characteristics in DES-like Ciphers. Alex Biryukov, Ivica Nikolić. We present a tool for automatic search for RK differential characteristics in bit-oriented DES-like ciphers. We show that instead of brute-forcing the space of all possible differences in the master key and the plaintext, it is computationally more efficient to try only a reduced set of input-output differences of three consecutive S-box layers.
- Automatic Search for Differential Trails in ARX Ciphers (Extended Version). Alex Biryukov, Vesselin Velichkov. We propose a tool for automatic search for differential trails in ARX ciphers. By introducing the concept of a partial difference distribution table (pDDT) we extend Matsui's algorithm, originally proposed for DES-like ciphers, to the class of ARX ciphers. To the best of our knowledge this is the first application of Matsui's algorithm to ciphers that do not have S-boxes. The tool is applied to the block ciphers TEA, XTEA, SPECK and RAIDEN. For RAIDEN we find an iterative characteristic on all 32 rounds that can be used to break the full cipher using standard differential cryptanalysis. This is the first cryptanalysis of the cipher in a non-related-key setting. Differential trails on 9, 10 and 13 rounds are found for SPECK32, SPECK48 and SPECK64 respectively. The 13-round trail covers half of the total number of rounds. These are the first public results on the security analysis of SPECK. For TEA, multiple full (i.e. not truncated) differential trails are reported for the first time, while for XTEA we confirm the previous best known trail reported by Hong et al. We also give closed formulas for computing the exact additive differential probabilities of the left and right shift operations.
The source code of the tool is publicly available as part of a larger toolkit for the analysis of ARX at the following address: https://github.com/vesselinux/yaarx .
- On Reverse-Engineering S-Boxes with Hidden Design Criteria or Structure. Alex Biryukov, Léo Perrin (2015). We describe several methods that can be used to try to reverse-engineer an S-box for which only the look-up table is known. We apply these techniques to the S-box of the NSA's Skipjack cipher and deduce several things. First, this S-box was engineered; it could not have been picked according to some criteria from a feasibly large set of random S-boxes. Second, its linear properties were optimized, possibly using a metric we describe in the paper.
- Cryptanalysis of Feistel Networks with Secret Round Functions. Alex Biryukov, Gaëtan Leurent, Léo Perrin (2015). We investigate Feistel networks with completely secret round functions. We show how the so-called yoyo game can be used to efficiently recover the full codebook of every Feistel function for up to 5 rounds when XOR is used. We also present a guess-and-determine attack which is less efficient but works regardless of the operation used.
Lightweight Block Ciphers
- Lightweight Block Ciphers Review. Alex Biryukov, Léo Perrin (2014). We maintain a review of all the lightweight block ciphers that have been published. It is available here.
- SPARX: A Family of ARX-based Lightweight Block Ciphers with Provable Bounds. Daniel Dinu, Léo Perrin, Aleksei Udovenko, Vesselin Velichkov, Johann Großschädl, Alex Biryukov (2016).