We assume that the domain extender is the Merkle-Damgård (MD) scheme and he message is padded by a ‘1', and minimum number of ‘0' s, followed by a fixed size length information so that the length of padded message is multiple of block length. Under this assumption, we analyze securities of the hash mode when the compression function follows the Davies-Meyer (DM) scheme and the underlying block cipher is one of the plain Feistel or Misty scheme or the generalized Feistel or Misty schemes with Substitution-Permutation (SP) round function. We do this work based on Meet-in-the-Middle (MitM) preimage attack techniques, and develop several useful initial structures.

One of Kaliski and Robshaw's algorithms, which is used for the linear attack on block ciphers with multiple linear approximations and introduced as Algorithm 2M in this paper, looks efficient but lacks any theoretical and mathematical description. It means there exists no way to estimate the data complexity required for the attack by the algorithm except experiments of the reduced variants. In this paper we propose a new algorithm using multiple linear approximation. We achieve the theoretical and mathematical analysis of its success probability. The new algorithm needs about 240.6 plaintexts to find 12 bits of secret key of 16-round DES with a success probability of about 86%.

In this paper, we discuss the impossible differential cryptanalysis for the block cipher Zodiac. The main design principles of Zodiac include simplicity and efficiency. However, the diffusion layer in its round function is too simple to offer enough security. The impossible differential cryptanalysis exploits such weakness in Zodiac. Our attack using a 14-round impossible characteristic derives the 128-bit master key of the full 16-round Zodiac faster than the exhaustive search. The efficiency of the attack compared with exhaustive search increases as the key size increases.

We present attacks on the generalized Feistel schemes, where each round function consists of a subkey XOR, S-boxes, and then a linear transformation (i.e. a Substitution-Permutation (SP) round function). Our techniques are based on rebound attacks. We assume that the S-boxes have a good differential property and the linear transformation has an optimal branch number. Under this assumption, we firstly describe known-key distinguishers on the type-1, -2, and -3 generalized Feistel schemes up to 21, 13 and 8 rounds, respectively. Then, we use the distinguishers to make several attacks on hash functions where Merkle-Damgård domain extender is used and the compression function is constructed with Matyas-Meyer-Oseas or Miyaguchi-Preneel hash modes from generalized Feistel schemes. Collision attacks are made for 11 rounds of type-1 Feistel scheme. Near collision attacks are made for 13 rounds of type-1 Feistel scheme and 9 rounds of type-2 Feistel scheme. Half collision attacks are made for 15 rounds of type-1 Feistel scheme, 9 rounds of type-2 Feistel scheme, and 5 rounds of type-3 Feistel scheme.

We present pseudo-preimage attacks on Davis-Meyer mode of reduced rounds of the block ciphers ARIA, Camellia, and Serpent by using Sasaki's framework. They yield preimage or second-preimage attacks on PGV hashing modes. We develop proper initial structures for applying meet-in-the-middle techniques to the block ciphers, by considering their diffusion layers, and propose a method to find matching-check equations for indirect partial matching technique with a binary matrix. These works enable us to attack 5 rounds of ARIA, 7 rounds of Camellia, and 4 rounds of Serpent faster than brute force attack.

In 1997, M. Matsui proposed secret-key cryptosystems called MISTY 1 and MISTY 2, which are 8- and 12-round block ciphers with a 64-bit block, and a 128-bit key. They are designed based on the principle of provable security against differential and linear cryptanalysis. In this paper we present large collections of weak-key classes encompassing 273 and 270 weak keys for 7-round MISTY 1 and 2 for which they are vulnerable to a related-key amplified boomerang attack. Under our weak-key assumptions, the related-key amplified boomerang attack can be applied to 7-round MISTY 1 and 2 with 254, 256 chosen plaintexts and 255.3 7-round MISTY 1 encryptions, 265 7-round MISTY 2 encryptions, respectively.

MDC-4 is the enhanced version of MDC-2, which is a well-known hash mode of block ciphers. However, it does not guarantee sufficient securities required for a cryptographic hash function. In the ideal cipher model, the MDC-4 compression function has the collision security bound close to 25n/8 and the preimage security bound close to 25n/4, where the underlying block cipher has the block size of n bits. We have studied how to improve MDC-4 with simple modification to strengthen its security. It is meaningful work because users often want to improve their familiar systems with low cost. In this paper, we achieve it by proposing MDC-4+, which is a light variation of MDC-4. We prove that MDC-4+ is much more secure than MDC-4 by showing that it has the collision security bound close to optimal 2n and the preimage security bound close to 24n/3. We also discuss its efficiency by comparing existing hash modes.

A noise source is an essential component of random bit generator, and is either an application or a device to provide entropy from analog noise. In 2008, Colesa et al. first proposed two software strategies for constructing noise source based on race conditions. However, Colesa et al.'s designs require a lot of threads and even suffer from a low bit rate. Moreover, setting a parameter for each system is complicated since the parameter is related to the entropy and the bit rate at the same time. In this paper, we propose new constructions of noise source based on race conditions. We call them NSRC-1 and NSRC-2. The bit rate of our designs is improved by up to 819 times higher on multi-core systems with high entropy. The parameter adjustment becomes straightforward by removing the relation between the parameter and the entropy. Additionally, since NSRC-1 and 2 require only two threads at once, they are more available software-based methods for harvesting entropy not only on general devices but also on mobile devices.

We present the first known-key attack on SM4, which is the Chinese standard block cipher made for the wireless LAN WAPI. We make a known-key distinguisher using rebound techniques with the time complexity of 212.75. Then, with the distinguisher, we provide near-collision attacks on MMO and MP hash modes of SM4. Precisely, we find a 104-bit near-collision for 13 rounds of SM4 with the time complexity of 213.30 and a 32-bit near-collision for 17 rounds of SM4 with the time complexity of 212.91. They are much more efficient than generic attacks for the case of random permutation.

We give some attacks on the DBL hash modes MDC-4 and MJH. Our preimage attack on the MDC-4 hash function requires the time complexity O(23n/2) for the block length n of the underlying block cipher, which significantly improves the previous results. Our collision attack on the MJH hash function has a time complexity less than 2124 for n=128. Our preimage attack on the the MJH compression function finds a preimage with the time complexity of 2n. It is converted to a preimage attack on the hash function with the time complexity of O(23n/2). As far as we know, any cryptanalytic result for MJH has not been published before. Our results are helpful for understanding the security of the hash modes together with their security proofs.

In this study, we focus on evaluating the false-positive probability of the Demirci-Selçuk meet-in-the-middle attack, particularly within the context of configuring precomputed tables with multisets. During the attack, the adversary effectively reduces the size of the key space by filtering out the wrong keys, subsequently recovering the master key from the reduced key space. The false-positive probability is defined as the probability that a wrong key will pass through the filtering process. Due to its direct impact on the post-filtering key space size, the false-positive probability is an important factor that influences the complexity and feasibility of the attack. However, despite its significance, the false-positive probability of the multiset-based Demirci-Selçuk meet-in-the-middle attack has not been thoroughly discussed, to the best of our knowledge. We generalize the Demirci-Selçuk meet-in-the-middle attack and present a sophisticated method for accurately calculating the false-positive probability. We validate our methodology through toy experiments, demonstrating its high precision. Additionally, we propose a method to optimize an attack by determining the optimal format of precomputed data, which requires the precise false-positive probability. Applying our approach to previous attacks on AES and ARIA, we have achieved modest improvements. Specifically, we enhance the memory complexity and time complexity of the offline phase of previous attacks on 7-round AES-128/192/256, 7-round ARIA-192/256, and 8-round ARIA-256 by factors ranging from 20.56 to 23. Additionally, we have improved the overall time complexity of attacks on 7-round ARIA-192/256 by factors of 20.13 and 20.42, respectively.

Differential factors, introduced by Tezcan and Özbudak at LightSec 2014, are properties of the S-boxes that equalize the counters of some guessed keys, thereby reducing the key space for the key guess process. Differential factors have been used to reduce the key space for the attacks on SERPENT, PRESENT, PRIDE, and RECTANGLE. In this paper, we demonstrate that some differential factors do not actually reduce the key space for the differential-linear attack on SERPENT and the related-key differential attack on RECTANGLE. Moreover, by comparing these instances with the differential attack on PRESENT, where differential factors do have an effect, we identify a sufficient condition for the practical use of differential factors. This condition enables preemptive identification of differential factors that could impact the key space for attacks on other ciphers.

The Sparkle permutation family is used as an underlying building block of the authenticated encryption scheme Schwaemm, and the hash function Esch which are a part of one of finalists in the National Institute of Standards and Technology (NIST) lightweight cryptography standardization process. In this paper, we present distinguishing attacks on 6-round Sparkle384 and 7-round Sparkle512. We used divide-and-conquer approach and the fact that Sparkle permutations are keyless, as a different approach from designers’ long trail strategy. Our attack on Sparkle384 requires much lower time complexity than existing best one; our attack on Sparkle512 is best in terms of the number of attacked rounds, as far as we know. However, our results do not controvert the security claim of Sparkle designers.