Integral attack is a powerful method to recover the secret key of block cipher by exploiting a characteristic that a set of outputs after several rounds encryption has ( integral distinguisher). Recently, Todo proposed a new algorithm to construct integral distinguisher with division property. However, the existence of integral distinguisher which holds in additional rounds can not be denied by...

This paper describes saturation attacks on reduced-round versions of Skipjack. To begin with, we will show how to construct a 16-round distinguisher which distinguishes 16 rounds of Skipjack from a random permutation. The distinguisher is used to attack on 18(5∼22) and 23(5∼27) rounds of Skipjack. We can also construct a 20-round distinguisher based on the 16-round distinguisher. This distingui...

We present an efficient algorithm that can distinguish the keystream of WPA from that of a generic instance of RC4 with a packet complexity of O(N), where N denotes the size of the internal permutation of RC4. In practice, our distinguisher requires approximately 2 packets; thus making it the best known distinguisher of WPA to date. This is a significantly improved distinguisher than the previo...

Integral distinguisher is the main factor of integral attack. Conventionally, higher order integral distinguisher is obtained as an extension of first order integral (conventional algorithm). The algorithm was applied to many subblock-based block ciphers, however, the conventional algorithm has some problems. We find other integral distinguisher of two sub block-based block ciphers, TWINE and L...

At Eurocrypt 2017 the first secret-key distinguisher for 5-round AES has been presented. Although it allows to distinguish a random permutation from an AES-like one, it seems (rather) hard to exploit such a distinguisher in order to implement a key-recovery attack different than brute-force like. In this paper we introduce “Mixture Differential Cryptanalysis”, a new technique to set up new secr...

In this paper, we present a distinguisher for the permutation of SIMD-512 with complexity 2. We extend the attack to a distinguisher for the compression function with complexity 2. The attack is based on the application of the boomerang attack for hash functions. Starting from the middle of the compression function we use techniques from coding theory to search for two differential characterist...

CubeHash is one of the round 2 candidates of the public SHA-3 competition hosted by NIST. It was designed by Bernstein. In this paper we find a new distinguisher to distinguish CubeHash compression function from a random function. This distinguisher principle is based on rotational analysis that formally introduced by Khovratovich and Nikolic. In order to use this technique, we need to compute ...

This dissertation is concerned with cryptanalysis of E0, the stream cipher used in the short-range wireless radio standard Bluetooth, and of its generalization by means of correlation attacks. It consists of three parts. In the first part, we propose an E0-like combiner with memory as the core stream cipher. First, we formulate a systematic and simple method to compute the correlations. An uppe...

This paper presents a new type of distinguisher for the shrinking generator and the alternating-step generator with known feedback polynomial and for the multiplexor generator. For the former the distinguisher is more efficient than existing ones and for the latter it results in a complete breakdown of security. The distinguisher is conceptually very simple and lends itself to theoretical analy...