Camellia is one of the widely used block ciphers, which has been included in the NESSIE block cipher portfolio and selected as a standard by ISO/IEC. In this study, the authors observe that there exist some interesting properties of the FL/FL functions in Camellia. With this observation they derive some weak keys for the cipher, based on which they present the first known 8-round zero-correlati...

We present a 5-round distinguisher for AES. We exploit this distinguisher to develop a meet-in-the-middle attack on 7 rounds of AES192 and 8 rounds of AES-256. We also give a time-memory tradeoff generalization of the basic attack which gives a better balancing between different costs of the attack. As an additional note, we state a new squarelike property of the AES algorithm.

In this note we consider the Shabal permutation function P as a block cipher with input Ap,Bp and key C,M and describe a distinguisher with a data complexity of 2 random inputs with a given difference. If the attacker can control one chosen bit of Bp, only 2 21 inputs with a given difference are required on average. This distinguisher does not appear to lead directly to an attack on the full Sh...

The boomerang attack is a new and very powerful cryptanalytic technique. However, due to the adaptive chosen plaintext and ciphertext nature of the attack, boomerang key recovery attacks that retrieve key material on both sides of the boomerang distinguisher are hard to mount. We also present a method for using a boomerang distinguisher, which enables retrieving subkey bits on both sides of the...

In this paper, we present new distinguishers of the MAC construction Alred and its specific instance Alpha-MAC based on AES, which is proposed by Daemen and Rijmen in 2005. For the Alred construction, we describe a general distinguishing attack which leads to a forgery attack directly. The complexity is 2 chosen messages and 2 queries with success probability 0.63. We also use a two-round colli...

This paper describes a meet-in-the-middle (MITM) attack against the round reduced versions of the block cipher mCrypton-64/96/128. We construct a 4-round distinguisher and lower the memory requirement from 2 to 2 using the differential enumeration technique. Based on the distinguisher, we launch a MITM attack on 7-round mCrypton-64/96/128 with complexities of 2 64-bit blocks and 2 encryptions. ...

Square is 8-round SPN structure block cipher and its round function and key schedule have been slightly modified to design building blocks of Rijndael. Key schedule of Square is simple and efficient but fully affine, so we apply a related-key attack on it. We find a 3-round related-key differential trail with probability 2−28, which have zero differences both on its input and output states, and...

Integral attacks form a powerful class of cryptanalytic techniques that have been widely used in the security analysis of block ciphers. The integral distinguishers are based on balanced properties holding with probability one. To obtain a distinguisher covering more rounds, an attacker will normally increase the data complexity by iterating through more plaintexts with a given structure under ...

Automatic modelling to search distinguishers with high probability covering as many rounds possible, such MILP, SAT/SMT, CP models, has become a very popular cryptanalysis topic today. In those the optimizing objective is usually or number of distinguishers. If we want recover secret key for round-reduced block cipher, there are two phases, i.e., finding an efficient distinguisher and performin...

We present the concept of greedy distinguishers and show how some simple observations and the well known greedy heuristic can be combined into a very powerful strategy (the Greedy Bit Set Algorithm) for efficient and systematic construction of distinguishers and nonrandomness detectors. We show how this strategy can be applied to a large array of stream and block ciphers, and we show that our m...