## CryptoDB

### Chao Li

#### Publications

Year
Venue
Title
2015
EPRINT
2015
CRYPTO
2014
EPRINT
2013
FSE
2010
EPRINT
In this paper, based on a differential property of two round Lai-Massay scheme in a fault model, we present an improved fault attack on the block cipher FOX64. Our improved method can deduce any round subkey through 4.25 faults on average (4 in the best case), and retrieve the whole round sub-keys through 45.45 faults on average (38 in the best case). The technique of the proposed attack in this paper can also be easily extended to other series of FOX.
2010
EPRINT
E2 is a 128-bit block cipher which employs Feistel structure and 2-round SPN in round function. It is an AES candidate and was designed by NTT. In the former publications, E2 is supposed no more than 5-round impossible differential. In this paper, we describe some 6-round impossible differentials of E2. By using the 6-round impossible differential, we first present an attack on 9-round reduced version of E2-256 without IT Function(the initial transformation) and FT-Function(the Final transformation) function.
2010
EPRINT
Differential Fault Analysis (DFA) attack is a powerful cryptanalytic technique that could be used to retrieve the secret key by exploiting computational errors in the encryption (decryption) procedure. In the present paper, we propose a new DFA attack on SMS4 using a single fault. We show that if a random byte fault is induced into either the second, third, or forth word register at the input of the $28$-th round, the $128$-bit master key could be recovered with an exhaustive search of $22.11$ bits on average. The proposed attack makes use of the characteristic of the cipher's structure, the speciality of the diffusion layer, and the differential property of the S-box. Furthermore, it can be tailored to any block cipher employing a similar structure and an SPN-style round function as that of SMS4.
2010
EPRINT
In this paper, we study the meet-in-the-middle attack against block cipher ARIA. We find some new 3-round and 4-round distinguish- ing properties of ARIA. Based on the 3-round distinguishing property, we can apply the meet-in-the-middle attack with up to 6 rounds for all versions of ARIA. Based on the 4-round distinguishing property, we can mount a successful attack on 8-round ARIA-256. Furthermore, the 4-round distinguishing property could be improved which leads to a 7-round attack on ARIA-192. The data and time complexities of 7-round attack are 2^120 and 2^185:3, respectively. The data and time complexities of 8-round attack are 2^56 and 2^251:6, respectively. Compared with the existing cryptanalytic results on ARIA, our 5-round attack has the lowest data and time complexities and the 6-round attack has the lowest data complexity. Moreover, it is shown that 8-round ARIA-256 is not immune to the meet-in-the-middle attack.
2010
EPRINT
Impossible differential cryptanalysis is a very popular tool for analyzing the security of modern block ciphers and the core of such attack is based on the existence of impossible differentials. Currently, most methods for finding impossible differentials are based on the miss-in-the-middle technique and they are very ad-hoc. In this paper, we concentrate SPN ciphers and propose several criteria on the linear transformation $P$ and its inversion $P^{-1}$ to characterize the existence of $3/4$-round impossible differentials. We further discuss the possibility to extend these methods to analyze $5/6$-round impossible differentials. Using these criteria, impossible differentials for reduced-round Rijndael are found that are consistent with the ones found before. New $4$-round impossible differentials are discovered for block cipher ARIA. And many $4$-round impossible differentials are firstly detected for a kind of SPN cipher that employs a $32\times32$ binary matrix proposed at ICISC 2006 as its diffusion layer.
2009
FSE
2008
EPRINT
This paper mainly discussed the impossible differerential crypt- analysis on CLEFIA which was proposed in FSE2007. New 9-round impossible differentials which are difrererent from the previous ones are discovered. Then these differerences are applied to the attack of reduced-CLEFIA. For 128-bit case, it is possible to apply an impossible differen-tial attack to 12-round CLEFIA which requires 2^110.93 chosen plaintexts and the time complexity is 2^111. For 192/256-bit cases, it is possible to apply impossible differential attack to 13-round CLEFIA and the chosen plaintexts and time complexity are 2^111.72 and 2^158 respectively. For 256-bit cases, it needs 2^112.3 chosen plaintexts and no more than 2^199 encryptions to attack 14-round CLEFIA and 2^113 chosen plaintexts to attack 15-round 256-bit CLEFIA with the time complexity less than 2^248 encryptions.
2008
EPRINT
The extended Walsh spectrum of a new family of APN functions is computed out. It turns out that the walsh spectrum of these functions are the same as that of Gold functions.
2008
EPRINT
This paper studies the security of ARIA against impossible differential cryptanalysis. Firstly an algorithm is given to find many new 4-round impossible differentials of ARIA. Followed by such impossible differentials, we improve the previous impossible differential attack on 5/6-round ARIA. We also point out that the existence of such impossible differentials are due to the bad properties of the binary matrix employed in the diffusion layer.
2008
EPRINT
In this paper, we describe a method to construct (n, m, t) resilient functions which satisfy multiple cryptographic criteria including high nonlinearity, good resiliency, high algebraic degree, and nonexistence of nonzero linear structure. Given a [u, m, t+1] linear code, we show that it is possible to construct (n, m, t) resilient functions with multiple good cryptographic criteria, where 2m<u<n.
2008
EPRINT
It is proved that the construction and enumeration of the number of balanced symmetric functions over GF(p) are equivalent to solving an equation system and enumerating the solutions. Furthermore, we give an lower bound on number of balanced symmetric functions over GF(p), and the lower bound provides best known results.
2006
EPRINT
Preneel, Govaerts, and Vandewalle[14](PGV) considered 64 most basic ways to construct a hash function from a block cipher, and regarded 12 of those 64 schemes as secure. Black, Pogaway and Shrimpton[3](BRS) provided a formal and quantitative treatment of those 64 constructions and proved that, in black-box model, the 12 schemes ( group-1 ) that PGV singled out as secure really are secure. By step ping outside of the Merkle-Damgard[4] approach to analysis, an additional 8 (group-2) of the 64 schemes are just as collision resistant as the first group of schemes. Tight upper and lower bounds on collision resistance of those 20 schemes were given. In this paper, those collision resistance and preimage resistance bounds are improved, which shows that, in black box model, collision bounds of those 20 schemes are same. In Group-1 schemes, 8 out of 12 can find fixed point easily. Bounds on second preimage, multicollisions of Joux[6], fixed-point multicollisons[8] and combine of the two kinds multicollisions are also given. From those bounds, Group-1 schemes can also be deviled into two group.
2005
EPRINT
This paper gives a construction method which can get a large class of Boolean functions with maximum algebraic immunity(AI) from one such giving function. Our constructions get more functions than any previous construction. The cryptographic properties, such as balance, algebraic degree etc, of those functions are studied. It shows that we can construct Boolean functions with better cryptographic properties, which gives the guidance for the design of Boolean functions to resist algebraic attack, and helps to design good cryptographic primitives of cryptosystems. From these constructions, we show that the count of the Boolean functions with maximum AI is bigger than ${2^{2^{n-1}}}$ for $n$ odd, bigger than ${2^{2^{n-1}+\frac{1}{2}\binom{n}{\frac{n}{2}} }}$ for $n$ even, which confirms the computer simulation result that such boolean functions are numerous. As far as we know, this is the first bound about this count.