In ARX structures, constants that are not rotational invariant are often injected into the state, in the form of round constants or as a result of using a fixed key. Rotational cryptanalysis cannot deal with such constants. Rotational cryptanalysis in the presence of constants, also known as rotational-XOR cryptanalysis, is a recently proposed statistical technique to attack ARX primitives. The...

In event-driven programming frameworks, such as Android, the client and the framework interact using callins (framework methods that the client invokes) and callbacks (client methods that the framework invokes). The protocols for interacting with these frameworks can often be described by finite-state machines we dub asynchronous typestates. Asynchronous typestates are akin to classical typesta...

HC-128 is an eSTREAM final portfolio stream cipher. Several authors have investigated its security and, in particular, distinguishing attacks have been considered. Still, no one has been able to provide a distinguisher stronger than the one presented by Wu in the original HC128 paper. In this paper we first argue that the keystream requirement in Wu’s original attack is underestimated by a fact...

Sosemanuk is a software-based stream cipher that has passed all three stages of the ECRYPT stream cipher project and is currently a member of the eSTREAM software portfolio. In the recent works on cryptanalysis of Sosemanuk, its relatively small inner state size of 384 bits was identified to be one of the reasons that the attacks were possible. In this paper, we show that another consequence of...

We show key recovery attacks on generic balanced Feistel ciphers. The analysis is based on the meet-in-the-middle technique and exploits truncated differentials that are present in the ciphers due to the Feistel construction. Depending on the type of round function, we differentiate and show attacks on two types of Feistels. For the first type, which is the most general Feistel, we show a 5-rou...

Distinguishers play an important role in Side Channel Analysis (SCA), where real world leakage information is compared against hypothetical predictions in order to guess at the underlying secret key. However, the direct relationship between leakages and predictions can be disrupted by the mathematical combining of d random values with each sensitive intermediate value of the cryptographic algor...

This paper reevaluates the security of GF-NLFSR, a new kind of generalized unbalanced Feistel network structure that was proposed at ACISP 2009. We show that GF-NLFSR itself reveals a very slow diffusion rate, which could lead to several distinguishing attacks. For GF-NLFSR containing n sub-blocks, we find an n-round integral distinguisher by algebraic methods and further use this integral to c...

Rijndael is a block cipher designed by V. Rijmen and J. Daemen and it was chosen in its 128-bit block version as AES by the NIST in October 2000. Three key lengths 128, 192 or 256 bits are allowed. In the original contribution describing Rijndael [4], two other versions have been described: Rijndael-256 and Rijndael-192 that respectively use plaintext blocks of length 256 bits and 192 bits unde...

Trivium is a stream cipher designed in 2005 by C. De Cannière and B. Preneel for the European project eSTREAM. It has successfully passed the first phase of the project and has been selected for a special focus in the second phase for the hardware portfolio of the project. Trivium has an internal state of size 288 bits and the key of length 80 bits. Although the design has a simple and elegant ...