[PDF] Top 20 Improved Linear Cryptanalysis of Reduced-round SIMON

... 14-round linear approximations with an average squared correlation ≤ 2 −32 for ...found linear approximations which were estimated before using only a single linear characteristic rather than ... See full document

... Regarding SIMON-64, the squared correlation matrix which we are able to build and process holds masks with Hamming weight ≤ ...many linear trails for some days or weeks can yield better ...for SIMON- ... See full document

... study searching for differential trails. We show that we are able to find differential trails for 2 rounds of ChaCha at bit-level, and 6 rounds at word level. Secondly, we present the experiments checking for ... See full document

... a linear or differential trail, only the binary values representing the activity of S-boxes concern ...for cryptanalysis of block ciphers recently so that [FWG + 16, XZBL16, AAA + 15, SBA17, BJK + 16, CJF + ... See full document

... Since the compression functions belonging to the RIPEMD family use a two-branch parallel structure sharing the same initial chaining value, the left and right branches can be regarded as somehow connected in the first ... See full document

... Related work. Since its publication in 2013, Speck has received a number of cryptanaly- ses, most of which focus on statistical analyses such as differential and linear cryptanalysis. In order to find good ... See full document

... In this section, we improve the preimage attack on 6-round GOST-512 in [31]. First we reduce the time complexity from 2 505 to 2 496 by removing the unnecessary Meet-in-the- Middle (MitM) step. Then we show a ... See full document

... the linear layer which are friendly to both software and hardware ...its linear layer design based on the strategy of subfield construction has been further investigated in [1] and ... See full document

... In FSE 2012, Wu et al.[29] proposed the first pseudo preimage attack on Grøstl hash function. In [30], Zou et al. found out the attack of Wu et al. could be divided into two-phase MitM attacks, then they could use the ... See full document

... combined linear (XOR, bit shift, bit rotation) and non-linear (modular addition) operations and it- erating them for many rounds, ARX algorithms have become more resistance against differential and ... See full document

... zero-correlation linear hulls of SIMON32 and SIMON48 respectively by using miss-in-the-middle ...zero-correlation linear cryptanalysis, they are the currently best impossible differential attacks for ... See full document

... Sparx. At ASIACRYPT’16, Dinu et al. introduced Sparx [8], the first ARX- based family of block ciphers that provides provable bounds on the maximal length of differential characteristics and linear trails. ... See full document

... In [1], the authors commented that “we note that the described complexities may be improved by choosing a smaller γ”. However, for a long time (since 2008), it has never been studied how much improvement can ... See full document

... Cube-attack-like cryptanalysis on round-reduced Keccak was proposed by Dinur et ...integer linear programming (MILP) model for cube- attack-like cryptanalysis on keyed Keccak , which ... See full document

... [13], linear and differential attack [26], truncated differential attacks [15,18,27], collision attack [30], square attacks [19,20], impossible differential attacks [22,25,31,23,21], meet-in-the-middle attacks ... See full document

... of Simon and ...for Simon-32/64 and Simeck-32/64, ...on Simon-32/64 and ...be improved by 2 rounds leading to 27 round key recovery ... See full document

... on linear combinations of secret variables (such a combination can either be a singleton bit, or a linear combination of several secret bits), which we refer to here as effective secret ... See full document

... key. Round function of Present , which is depicted in Figure 1, is same for both versions of Present and consists of standard op- erations such as subkey XOR, substitution and permutation: At the beginning of each ... See full document

... of linear trails in Simon in a more accurate way, which we then use to obtain additional rounds from existing ...for reduced-round variants of the ...best cryptanalysis for Simon32 and ... See full document

... Explanation: We have in total 2 63 .2 3 = 2 66 pairs of plaintexts (P , P 0 ) that satisfy P ⊕ P 0 ∈ [0000002200000080]. A proportion 2 10 /2 64 is ex- pected to have a ciphertext difference C ⊕ C 0 ∈ [0A50002209010008] ... See full document