The function F of Dragon plays an important role on both the keystream generation and the internal state update. We analyze the function F of Dragon by linear cryptanalytic methods. Thanks to an efficient algorithm on linear approximations of the modular addition, we observed that there were a large number of approximations with significant correlations in the nonlinear components of the functi...

Side-channel attacks put the security of the implementations of cryptographic algorithms under threat. Secret information can be recovered by analyzing the physical measurements acquired during the computations and using key recovery distinguishing functions to guess the best candidate. Several generic and model based distinguishers have been proposed in the literature. In this work we describe...

In this paper, we improve an analysis algorithm and apply it to cryptanalysis of Salsa and ChaCha. We constructed a distinguisher of double-bit differentials to improve Aumasson’s single-bit differential cryptanalysis. This method has potential to apply to a wide range of stream ciphers; a double-bit correlation would be found in case that no single-bit correlation is found. However, there are ...

Camellia is a 128 bit block cipher proposed by NTT and Mitsubishi. We discuss the security of Camellia against the square attack. We find a 4 round distinguisher and construct a basic square attack. We can attack 5 round Camellia by guessing one byte subkey and using 2 chosen plaintexts. Cosidering the key schdule, we may extend this attack up to 9 round Camellia including the first FL/FL−1 fun...

In this paper we present a distinguisher targeting towards irregularly clocked filter generators. The attack is applied on the irregularly clocked stream cipher called LILI-II. LILI-II is the successor of the cipher LILI-128 and its design was published in [1]. There have been no known attacks better than exhaustive key search on LILI-II. Our attack is the first of this kind that distinguishes ...

We study the distinguishability of linearized Reed–Solomon (LRS) codes by defining and analyzing analogs square-code Overbeck distinguisher for classical Gabidulin codes, respectively. Our main results show that works generalized (GLRS) defined with trivial automorphism, whereas Overbeck-type can handle LRS in general setting. further how to recover code parameters from any generator matrix suc...

The privacy of most GSM phone conversations is currently protected by the 20+ years old A5/1 and A5/2 stream ciphers, which were repeatedly shown to be cryptographically weak. They will soon be replaced by the new A5/3 (and the soon to be announced A5/4) algorithm based on the block cipher KASUMI, which is a modified version of MISTY. In this paper we describe a new type of attack called a sand...

WIDEA is a family of block ciphers designed by Junod and Macchetti in 2009 as an extension of IDEA to larger block sizes (256 and 512 bits for the main instances WIDEA-4 and WIDEA-8) and larger key sizes (512 and 1024 bits, respectively). WIDEA-w is composed of w parallel copies of the IDEA block cipher, with an MDS matrix to provide diffusion between them. An important motivation was to use WI...

In the last ten years, multivariate cryptography has emerged as a possible alternative to public key cryptosystems based on hard computational problems from number theory. Notably, the HFE scheme [17] appears to combine efficiency and resistance to attacks, as expected from any public key scheme. However, its security is not yet completely understood. On one hand, since the security is related ...