Plaintext Pairs Research Articles

Cryptanalyzing an Image Encryption Scheme Using Synchronization of Memristor Chaotic Systems

This paper conducts a security analysis on an image encryption scheme that incorporates chaos synchronization and DNA encoding techniques. The scheme adheres to the typical Substitution–Permutation structure by introducing the DNA operation as a nonlinear component. Compared to the traditional chaotic ciphers, the designer claims that the scheme achieved better nonlinear properties through the DNA operation. However, the characteristics of the differential between some pairs of plaintexts and the corresponding ciphertexts can be exploited to break the permutation operation. Meanwhile, the substitution operation can also be cracked by checking the mapping between the intermediate variables inversely permuted from ciphertext and the corresponding plaintext. Given the weaknesses of the encryption scheme, we introduce effective strategies for the known-plaintext attack. Both rigorous theoretical analyses and detailed experimental results are provided to demonstrate the effectiveness of the attacks.

Collision in double-image encryption scheme based on spatial encoding and phase-truncation Fourier transforms.

In this paper, the security strength of a double-image cryptosystem using spatial encoding and phase-truncation Fourier transforms (PTFTs) is evaluated. Unlike the conventional PTFT-based cryptosystem, where two random phase masks (RPMs) are used as public keys to provide enough phase constrains in the estimation, in the improved cryptosystem, the RPM generated by a random amplitude mask (RAM) is treated as an unknown parameter. Due to this fixed RAM, the number of constraints in the estimation decreases to achieve high robustness against potential iterative attacks. Moreover, instead of two phase-only masks (POMs), here the two POMs and the RAM are utilized as the private keys in the improved cryptosystem; thus, the key space of the double-image cryptosystem has been enlarged. However, we noticed that the RAM used to encode plaintexts spatially and to generate the phase encryption key is independent of the plaintexts. This could be recovered by a known pair of plaintexts and the ciphertext. Once the information of the RAM is retrieved, the phase key RPM can also be produced making the cryptosystem vulnerable. Based on this finding, new hybrid algorithms, including a known-plaintext attack and a known key attack are proposed to crack the enhanced PTFT-based cryptosystem. The information of the plaintexts can be retrieved from one POM using the proposed algorithms without any knowledge of another POM and the corresponding ciphertext. Numerical simulations have been carried out to validate the information disclosure problem still exists in the double-image cryptosystem based on spatial encoding and PTFTs.

On the Cryptanalysis of a Simplified AES Using a Hybrid Binary Grey Wolf Optimization

Cryptosystem cryptanalysis is regarded as an NP-Hard task in modern cryptography. Due to block ciphers that are part of a modern cipher and have nonlinearity and low autocorrelation in their structure, traditional techniques and brute-force attacks suffer from breaking the key presented in traditional techniques, and brute-force attacks against modern cipher S-AES (simplified-advanced encryption standard) are complex. Thus, developing robust and reliable optimization with high searching capability is essential. Motivated by this, this paper attempts to present a novel binary hybridization algorithm based on the mathematical procedures of the grey wolf optimizer (GWO) and particle swarm optimization (PSO), named BPSOGWO, to deal with the cryptanalysis of (S-AES). The proposed BPSOGWO employs a known plaintext attack that requires only one pair of plaintext–ciphertext pairs instead of other strategies that require more pairs (i.e., it reduces the number of messages needed in an attack, and secret information such as plaintext-ciphertext pairs cannot be obtained easily). The comprehensive and statistical results indicate that the BPSOGWO is more accurate and provides superior results compared to other peers, where it improved the cryptanalysis accurateness of S-AES by 82.5%, 84.79%, and 79.6% compared to PSO, GA, and ACO, respectively. Furthermore, the proposed BPSOGWO retrieves the optimal key with a significant reduction in search space compared to a brute-force attack. Experiments show that combining the suggested fitness function with HPSOGWO resulted in a 109-fold reduction in the search space. In cryptanalysis, this is a significant factor. The results prove that BPSOGWO is a promising and effective alternative to attack the key employed in the S-AES cipher.

New Key-Independent Structural Properties of AES-Like Permutations

The Internet of Things (IoT) technology makes our lives very simple and convenient by interacting with sensors/devices around the world and using the smart data collected from them. However, IoT devices typically have a resource-constrained architecture, rendering them vulnerable to cyberattacks. The advent of lightweight cryptography provides an opportunity to meet the challenges of IoT. With the promotion of 5G (5th generation wireless systems) technology, the amount of data in IoT devices is bound to grow rapidly. The design and analysis of lightweight block cipher is still a hot issue that needs to be solved in the coming period of time, as it responds to the strong push of many national governments to adopt IoT systems in the management of public affairs. MANTIS is a new tweakable block cipher suitable for IoT with the goal of low-latency implementations and it has drawn lots of attention in the form of prior cryptanalysis. This work first reveals a novel property of MANTIS. The characteristic is established under the condition that there is a certain equivalence relation between the input pairs in a particular subspace and it is evidenced by the first introduction of a key-independent distinguisher for 6-round MANTIS. We obtain that the number of input plaintext pairs in the same equivalence class is always divisible by 8. Then, we demonstrate a general and comprehensive proof as why it has to exist. Additionally, we have successfully verified the validity of the distinguisher. Only 216 chosen plaintexts and 222 table lookups computational cost are required to guarantee that the success probability exceeds 99%. Moreover, we discover that the same kind of property holds for other AES-like permutations with the example of the lightweight hash function PHOTON. Finally, we put forward some future explorations in this promising field.

Algebraic Persistent Fault Analysis of SKINNY_64 Based on S_Box Decomposition

Algebraic persistent fault analysis (APFA), which combines algebraic analysis with persistent fault attacks, brings new challenges to the security of lightweight block ciphers and has received widespread attention since its introduction. Threshold Implementation (TI) is one of the most widely used countermeasures for side channel attacks. Inspired by this method, the SKINNY block cipher adopts the S_box decomposition to reduce the number of variables in the set of algebraic equations and the number of Conjunctive Normal Form (CNF) equations in this paper, thus speeding up the algebraic persistent fault analysis and reducing the number of fault ciphertexts. In our study, we firstly establish algebraic equations for full-round faulty encryption, and then analyze the relationship between the number of fault ciphertexts required and the solving time in different scenarios (decomposed S_boxes and original S_box). By comparing the two sets of experimental results, the success rate and the efficiency of the attack are greatly improved by using S_box decomposition. In this paper, We can recover the master key in a minimum of 2000s using 11 pairs of plaintext and fault ciphertext, while the key recovery cannot be done in effective time using the original S_box expression equations. At the same time, we apply S_box decomposition to another kind of algebraic persistent fault analysis, and the experimental results show that using S_box decomposition can effectively reduce the solving time and solving success rate under the same conditions.

Modified Hill Cipher Algorithm using Myszkowski Transposition to address Known-Plaintext attack

Abstract: Hill Cipher algorithm is a Polygraphic cipher known to be vulnerable to the Known-Plaintext attack. It is a type of attack wherein the attacker has access to a pair of Plaintext and Ciphertext. Possible leaked information can be used to reveal critical data which can include the private key that is used in the encryption of the plaintext. In this study, the researchers propose an improved scheme by incorporating Myszkowski transposition in the algorithm to address the specified problem. Runtime Test and Statistical test such as the Avalanche effect were used to evaluate the performance of the algorithm. The test yielded a 25.70% faster runtime based on previous modifications and a 52.78% Avalanche Effect. Randomness test such as the Monobit test, Runs Test and Longest Run of Ones in a Block test were applied to evaluate the ciphertext produced. The criterion for the Randomness Test requires its p-value to be greater than 0.01, the evaluation showed a 0.249, 0.167 and 0.368 p-value, respectively. The proposed scheme proved that the algorithm is cryptographically secure and efficient as all tests yielded favorable results. Keywords: Cryptography, Hill Cipher, Encryption, Decryption, Key Generation

Cryptanalysis of compressive interference-based optical encryption using a U-net deep learning network

We present a deep learning (DL) framework based on a U-type convolutional neural network (U-net) to analysis the security of optical interference-based encryption system with sparsity constraints. In the optical cryptosystem, two phase-only masks (POMs) can be obtained by using phase retrieval algorithm (PRA) with the constraints of complementary binary amplitude masks (BAMs). By integrating the interference technique and phase encoding, the encryption scheme achieves a high security level and is immune to conventional attack methods. Here, we investigate and construct a neural network architecture for evaluating the security of the cryptosystem based on the idea of U-net. In this method, we achieve the approximate equivalent model of the compressive interference-based optical cryptosystem by using a U-net model, which has been pre-trained by a series of ciphertext–plaintext pairs. It can be found that the cryptosystem can be broken by using the proposed DL network. The plaintexts can be retrieved from their corresponding ciphertexts without the use of security keys, such as the diffraction distances, the BAMs, etc. The results of numerical experiments are presented to show the good performance of our proposed DL-based method.

Practical Attacks on Reduced-Round 3D and Saturnin

Abstract 3D, an advanced encryption standard-like cipher employed three-dimensional structure, was proposed in 2008. Its recommended number of rounds is 22. Although the longest key recovery attack can currently reach 13 rounds, the complexity of existing attacks for >6 rounds seems to exceed the practically feasible complexity. Thus, a practical attack for 7-round 3D has yet to be developed. Recently, a lightweight block cipher called Saturnin has been selected as a second-round candidate in the National Institute of Standards and Technology standardization for lightweight cryptography. Saturnin also employs a three-dimensional structure and provides high security against quantum and classic attacks. In this paper, we investigate the yoyo attack on these two ciphers. Combined with the meet-in-the-middle technique, we apply the yoyo trick to 7-round 3D and recover the whole 512-bit secret key with $2^{15}$ plaintexts and adaptively chosen ciphertexts and $2^{16.5}$ complexity of full encryptions. To our best knowledge, it is the first practical key recovery attack for 7-round 3D to date. For Saturnin, we found a minor typo in its design report. The designers intended to make a super round containing two S-layers, but one was inadvertently omitted in the algorithm description. We propose a 5-super-round key recovery attack, which is suitable for both one-S-layer version and two-S-layer version. Since the round function of Saturnin has better diffusion, which leads that the meet-in-the-middle technique cannot be applied to this cipher directly. For the one-S-layer version, we address this problem by proposing a new technique called reducing key sets. This technique will fail on the other version, which proves the necessity of containing two S-layers in one-super-round. Finally, our attack requires $2^{39.1}$ plaintext pairs and adaptively chosen ciphertext pairs and $2^{46}$ one-round encryptions.

Security analysis of multiple permutation encryption adopt in reversible data hiding

In order to improve the security of reversible data hiding algorithm in encrypted images, Liu designed an image multi-permutation encryption algorithm. By combining bit-plane permutation with pixel-block permutation, the embedding capacity of the algorithm is improved, and the ability of the encryption algorithm to resist existing Ciphertext-Only and Known-Plaintext attack is effectively improved. To analyze the security performance of the encryption algorithm, a Known-plaintext attack method based on the Root Mean Square(RMS) of image block is proposed in this paper. Firstly, the permutation order of bit plane is estimated by using the invariant distribution ratio of 0 and 1 before and after image encryption, the original pixel values is restored. Then, according to the characteristics that the pixel values of the image remain unchanged during block permutation and intra-block pixel permutation, the image block RMS feature is defined to search and estimate the block permutation sequence. Image block RMS equivalence class is defined by the image block RMS value, the ratio of the maximum number of elements in the equivalence class to the total number of pixels is p, which determines the difficulty of known plaintext attack. For the common image test set, 96% of the images have a p-value of less than 0.1, and only 4% of the images have a p-value greater than 0.1. Experimental results show that, When p 0.1, the attacker can crack more than 80% of the image content by two pairs of plaintext and ciphertext.

New symmetric key cipher capable of digraph to single letter conversion utilizing binary system

In this paper, a new Playfair cipher built on bits level symmetric key cryptographic was proposed for the purpose of converting pairs of letters (digraphs) into single letters. The proposed algorithm is capable to overcome many of the shortcoming and vulnerabilities that exist in the current classical version of Playfair algorithm. The Playfair cipher is exceedingly complex than a classical substitution cipher, but still simple to hack using automated tactics. It is famous as a digraph cipher because two letters are exchanged by other two letters. This destroys any solo letter occurrence statistics, but the digraph statistics still unaffected (frequencies of two letters). Unluckily letter pairs have a flatter distribution than the one letter frequencies, so this intricacy matters for solving the code using pen and paper procedures. The suggested encryption process is conducted as follows; letters are first arranged in a spiral manner in Polybius square, afterwards, each pair will be replaced utilizing before-after technique if we are arranging pairs horizontally and down-up technique (vertically). The former process produces pairs of Plaintext that will be converted to binary bit stream then will be divided over blocks with stable sizes. Bits of these blocks are taken from pairs then fit them into square matrix of suitable order to put the concept of row-wise and revers row-wise matrix. Bits of this matrix are split into 2x2 square matrixes. The sub-matrixes are formed 8 bits. Here the XNOR operation is taken into consideration for bitwise operation to generate the keys for decryption and produce the cipher-text.

Improved Security Evaluation of SPN Block Ciphers and its Applications in the Single-key Attack on SKINNY

In this paper, a new method for evaluating the integral property, truncated and impossible differentials for substitution-permutation network (SPN) block ciphers is proposed. The main assumption is an explicit description/expression of the internal state words in terms of the plaintext (ciphertext) words. By counting the number of times these words occur in the internal state expression, we can evaluate the resistance of a given block cipher to integral and impossible/truncated differential attacks more accurately than previous methods. More precisely, we explore the cryptographic consequences of uneven frequency of occurrences of plaintext (ciphertext) words appearing in the algebraic expression of the internal state words. This approach gives a new family of distinguishers employing different concepts such as the integral property, impossible/truncated differentials and the so-called zero-sum property. We then provide algorithms to determine the maximum number of rounds of such new types of distinguishers for SPN block ciphers. The potential and efficiency of this relatively simple method is confirmed through applications. For instance, in the case of SKINNY block cipher, several 10-round integral distinguishers, all of the 11-round impossible differentials, and a 7-round truncated differential could be determined. For the last case, using a single pair of plaintexts differing in three words so that (a = b = c) ≠ (a’ = b’ = c’), we are able to distinguish 7-round SKINNY from random permutations. More importantly, exploiting our distinguishers, we give the first practical attack on 11-round SKINNY-128-128 in the single-key setting (a theoretical attack reaches 16 rounds). Finally, using the same ideas, we provide a concise explanation on the existing distinguishers for round-reduced AES.

Multiple Impossible Differentials Attack on AES-192

The security of AES-192 against multiple impossible differentials attack is studied in this paper. Based on two types of impossible differentials for 4-round AES, two 7-round attack trails of AES-192 with the same plaintext and ciphertext difference structure are proposed. A new optimum combination of these two attack trails is applied in our attack so that the plaintext pairs can be reused and data complexity can be reduced. Furthermore, this new optimum combination also can reduce the time complexity in the master key recovering phase. Our attack can also reduce the number of subkeys by key schedule considerations. For each attack trail, only 15-byte subkeys need to be guessed. Combined with the master key recovering technique based on the key schedule algorithm, the early abort technique for plaintext pairs, and the sieve method for plaintext pairs based on quick sort etc., we have obtained the best result so far in terms of time complexity for impossible differential cryptanalysis of AES-192. The time, memory, and data complexities are 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">109.2</sup> 7-round AES encryptions, 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">86.5</sup> bytes and 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">106.3</sup> chosen plaintexts, respectively.

Linear Cryptoanalysis of the Simplified AES Cipher Modified by Chaotic Sequences

This article introduces new symmetric key architectures based on a randomized version of the Simplified Advanced Encryption Standard (SAES). It is proposed a new technique to randomize the S-boxes of the original SAES employing chaotic sequences. Then, we study the linear criptanalysis of the proposed schemes. It is shown that, with the introduction of chaotic sequences, the adversary needs a larger number of pairs of plaintext and ciphertext to discover the bits of the key compared to the required by the SAES. Given these results, it is possible to evaluate the improvement of the proposed technique against linear cryptanalysis as compared to the original AES algorithm.

Application of Grover’s Quantum Algorithm for SDES Key Searching

The problem of finding the key of Simplified-DES (SDES)—a model of a block cipher DES—by Grover’s quantum algorithm is considered. Examples of application of Grover’s algorithm are presented. A quantum system with the minimum number of qubits is constructed that implements SDES key searching by a single pair of plaintext and ciphertext and requires only 19 qubits. This quantum circuit is simulated by using a Quipper quantum simulator.

Revisiting AES related-key differential attacks with constraint programming

The Advanced Encryption Standard (AES) is one of the most studied symmetric encryption schemes. During the last years, several attacks have been discovered in different adversarial models. In this paper, we focus on related-key differential attacks, where the adversary may introduce differences in plaintext pairs and also in keys. We show that Constraint Programming (CP) can be used to model these attacks, and that it allows us to efficiently find all optimal related-key differential characteristics for AES-128, AES-192 and AES-256. In particular, we improve the best related-key differential for the whole AES-256 and give the best related-key differential on 10 rounds of AES-192, which is the differential trail with the longest path. Those results allow us to improve existing related-key distinguishers, basic related-key attacks and q-multicollisions on AES-256.

Security performance analysis of a chaotic stream cipher

In this paper, the security performance analysis for a self-synchronization and closed-loop feedback-based chaotic stream cipher is given. According to the chosen-ciphertext attack method, it is found that under the condition of selecting the ciphertext as fixed value, the original chaotic iterative equation is degenerated into an asymptotically stable iterative one, so that the explicit function of state variables and key parameters can be obtained. Based on this idea, and according to the chosen-ciphertext attack method, a single key decipher algorithm is further investigated. Firstly, multiple pairs of plaintext–ciphertext are obtained by choosing the corresponding multiple frames of ciphertext as fixed values. Secondly, a set of possible estimated values for this single key is acquired by utilizing among one pair of plaintext–ciphertext. Finally, the only estimated value that satisfies all the conditions of multiple pairs of plaintext–ciphertext is determined, as an estimated value from the set of all possible estimated values. Security performance analysis results have shown that, under the condition that only one unknown key needs to be deciphered while the remaining keys are all known, the proposed algorithm can, respectively, decipher each individual key accurately. In addition, the attack complexity of the proposed method is lower than that of the exhaustive attack.

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced AES

At Eurocrypt 2017 the first secret-key distinguisher for 5-round AES - based on the “multiple-of-8” property - has been presented. Although it allows to distinguish a random permutation from an AES-like one, it seems rather hard to implement a key-recovery attack different than brute-force like using such a distinguisher. In this paper we introduce “Mixture Differential Cryptanalysis” on round-reduced AESlike ciphers, a way to translate the (complex) “multiple-of-8” 5-round distinguisher into a simpler and more convenient one (though, on a smaller number of rounds). Given a pair of chosen plaintexts, the idea is to construct new pairs of plaintexts by mixing the generating variables of the original pair of plaintexts. Here we theoretically prove that for 4-round AES the corresponding ciphertexts of the original pair of plaintexts lie in a particular subspace if and only if the corresponding pairs of ciphertexts of the new pairs of plaintexts have the same property. Such secret-key distinguisher - which is independent of the secret-key, of the details of the S-Box and of the MixColumns matrix (except for the branch number equal to 5) - can be used as starting point to set up new key-recovery attacks on round-reduced AES. Besides a theoretical explanation, we also provide a practical verification both of the distinguisher and of the attack.

Improved differential attack on 30-round SIMON64

In this paper we present an attack on 30-round SIMON64, which improves the best results on SIMON64 by 1 round. We use a 23-round differential characteristic which was proposed by Itai et al in 2015 to construct a 30-round extended differential characteristized by adding 4 rounds on the top and 3 round on the bottom. Furthermore, we utilize all of the sufficient bit-conditions of the 30-round differential to compute a set of corresponding subkeys. Then we distribute the plaintext pairs over the 286 lists corresponding to the 86-bit subkeys. If a list contains two or more pairs, we regard the subkeys corresponding to the list as candidate subkeys. The time complexity of our attack on 30-round SIMON64/96 (SIMON64/128) is 286.2 (2118.2) with a success probability of 0.61, while the data complexity and the memory complexity are 263.3 and 290 bytes, respectively.

Attack on Optical Double Random Phase Encryption Based on the Principle of Ptychographical Imaging**Supported by the National Natural Science Foundation of China under Grant Nos 61575197 and 61307018, the K. C. Wong Education Foundation, the President Fund of University of Chinese Academy of Sciences, and the Fusion Funds of Research and Education of Chinese Academy of Sciences.

The principle of ptychography is applied in known plain text attack on the double random phase encoding (DRPE) system. We find that with several pairs of plain texts and cipher texts, the model of attack on DRPE can be converted to the model of ptychographical imaging. Owing to the inherent merits of the ptychographical imaging, the DRPE system can be breached totally in a fast and nearly perfect way, which is unavailable for currently existing attack methods. Further, since the decryption keys can be seen as an object to be imaged from the perspective of imaging, the ptychographical technique may be a kind of new direction to further analysis of the security of other encryption systems based on double random keys.

An algorithm for NTRU problems and cryptanalysis of the GGH multilinear map without a low-level encoding of zero

Let$\mathbf{f}$and$\mathbf{g}$be polynomials of a bounded Euclidean norm in the ring$\mathbb{Z}[X]/\langle X^{n}+1\rangle$. Given the polynomial$[\mathbf{f}/\mathbf{g}]_{q}\in \mathbb{Z}_{q}[X]/\langle X^{n}+1\rangle$, the NTRU problem is to find$\mathbf{a},\mathbf{b}\in \mathbb{Z}[X]/\langle X^{n}+1\rangle$with a small Euclidean norm such that$[\mathbf{a}/\mathbf{b}]_{q}=[\mathbf{f}/\mathbf{g}]_{q}$. We propose an algorithm to solve the NTRU problem, which runs in$2^{O(\log ^{2}\unicode[STIX]{x1D706})}$time when$\Vert \mathbf{g}\Vert ,\Vert \mathbf{f}\Vert$, and$\Vert \mathbf{g}^{-1}\Vert$are within some range. The main technique of our algorithm is the reduction of a problem on a field to one on a subfield. The GGH scheme, the first candidate of an (approximate) multilinear map, was recently found to be insecure by the Hu–Jia attack using low-level encodings of zero, but no polynomial-time attack was known without them. In the GGH scheme without low-level encodings of zero, our algorithm can be directly applied to attack this scheme if we have some top-level encodings of zero and a known pair of plaintext and ciphertext. Using our algorithm, we can construct a level-$0$encoding of zero and utilize it to attack a security ground of this scheme in the quasi-polynomial time of its security parameter using the parameters suggested by Garg, Gentry and Halevi [‘Candidate multilinear maps from ideal lattices’,Advances in cryptology — EUROCRYPT 2013(Springer, 2013) 1–17].