References of "Wang, Qingju 50030521"
Peer Reviewed
An Algebraic Formulation of the Division Property: Revisiting Degree Evaluations, Cube Attacks, and Key-Independent Sums
Hu, Kai; Sun, Siwei; Wang, Meiqin et al

in 26th Annual International Conference on the Theory and Application of Cryptology and Information Security - ASIACRYPT 2020 (2020, August 16)

Peer Reviewed
An Algebraic Attack on Ciphers with Low-Degree Round Functions: Application to Full MiMC
Eichlseder, Maria; Grassi, Lorenzo; Lüftenegger, Reinhard et al

in 26th Annual International Conference on the Theory and Application of Cryptology and Information Security - ASIACRYPT 2020 (2020, August 16)

Peer Reviewed
Alzette: A 64-Bit ARX-box (Feat. CRAX and TRAX)
Beierle, Christof; Biryukov, Alex UL; Cardoso Dos Santos, Luan UL et al

in Micciancio, Daniele; Ristenpart, Thomas (Eds.) Advances in Cryptology -- CRYPTO 2020, 40th Annual International Cryptology Conference, CRYPTO 2020, Santa Barbara, CA, USA, August 17-21, 2020, Proceedings, Part III (2020, August)

S-boxes are the only source of non-linearity in many symmetric primitives. While they are often defined as being functions operating on a small space, some recent designs propose the use of much larger ones (e.g., 32 bits). In this context, an S-box is then defined as a subfunction whose cryptographic properties can be estimated precisely. We present a 64-bit ARX-based S-box called Alzette, which can be evaluated in constant time using only 12 instructions on modern CPUs. Its parallel application can also leverage vector (SIMD) instructions. One iteration of Alzette has differential and linear properties comparable to those of the AES S-box, and two are at least as secure as the AES super S-box. As the state size is much larger than the typical 4 or 8 bits, the study of the relevant cryptographic properties of Alzette is not trivial. We further discuss how such wide S-boxes could be used to construct round functions of 64-, 128- and 256-bit (tweakable) block ciphers with good cryptographic properties that are guaranteed even in the related-tweak setting. We use these structures to design a very lightweight 64-bit block cipher (Crax) which outperforms SPECK-64/128 for short messages on micro-controllers, and a 256-bit tweakable block cipher (Trax) which can be used to obtain strong security guarantees against powerful adversaries (nonce misuse, quantum attacks).

Peer Reviewed
Lightweight AEAD and Hashing using the Sparkle Permutation Family
Beierle, Christof UL; Biryukov, Alex UL; Cardoso Dos Santos, Luan UL et al

in IACR Transactions on Symmetric Cryptology (2020), 2020(S1), 208-261

We introduce the Sparkle family of permutations operating on 256, 384 and 512 bits. These are combined with the Beetle mode to construct a family of authenticated ciphers, Schwaemm, with security levels ranging from 120 to 250 bits. We also use them to build new sponge-based hash functions, Esch256 and Esch384. Our permutations are among those with the lowest footprint in software, without sacrificing throughput. These properties are allowed by our use of an ARX component (the Alzette S-box) as well as a carefully chosen number of rounds. The corresponding analysis is enabled by the long trail strategy which gives us the tools we need to efficiently bound the probability of all the differential and linear trails for an arbitrary number of rounds. We also present a new application of this approach where the only trails considered are those mapping the rate to the outer part of the internal state, such trails being the only relevant trails for instance in a differential collision attack. To further decrease the number of rounds without compromising security, we modify the message injection in the classical sponge construction to break the alignment between the rate and our S-box layer.

Peer Reviewed
Finding Bit-Based Division Property for Ciphers with Complex Linear Layers
Hu, Kai; Wang, Qingju UL; Wang, Meiqin

in IACR Transactions on Symmetric Cryptology (2020), (1),

Peer Reviewed
Links between Division Property and Other Cube Attack Variants
Hao, Yonglin; Jiao, Lin; Li, Chaoyun et al

in IACR Transactions on Symmetric Cryptology (2020), (1),

Peer Reviewed
Modeling for Three-Subset Division Property without Unknown Subset and Improved Cube Attacks
Hao, Yonglin; Leander, Gregor; Meier, Willi et al

in 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2020), Croatia 10-14 May 2020 (2020, January)

Peer Reviewed
Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly
Wang, Qingju UL; Hao, Yonglin; Todo, Yosuke et al

in IEEE Transactions on Computers (2019), 68(10), 1470-1486

At CRYPTO 2017 and IEEE Transactions on Computers in 2018, Todo et al. proposed the division property based cube attack method making it possible to launch cube attacks with cubes of dimensions far beyond practical reach. However, assumptions are made to validate their attacks. In this paper, we further formulate the algebraic properties of the superpoly in one framework to facilitate cube attacks in more successful applications: we propose the “flag” technique to enhance the precision of MILP models, which enable us to identify proper non-cube IV assignments; a degree evaluation algorithm is presented to upper bound the degree of the superpoly s.t. the superpoly can be recovered without constructing its whole truth table and overall complexity of the attack can be largely reduced; we provide a divide-and-conquer strategy to Trivium-like stream ciphers namely Trivium, Kreyvium, TriviA-SC1/2 so that the large scale MILP models can be split into several small solvable ones enabling us to analyze Trivium-like primitives with more than 1000 initialization rounds; finally, we provide a term enumeration algorithm for finding the monomials of the superpoly, so that the complexity of many attacks can be further reduced. We apply our techniques to attack the initialization of several ciphers namely 839-round Trivium, 891-round Kreyvium, 1009-round TriviA-SC1, 1004-round TriviA-SC2, 184-round Grain-128a and 750-round Acorn respectively.

Alzette: A 64-bit ARX-box
Beierle, Christof UL; Biryukov, Alex UL; Cardoso Dos Santos, Luan UL et al

E-print/Working paper (2019)

S-boxes are the only source of non-linearity in many symmetric primitives. While they are often defined as being functions operating on a small space, some recent designs propose the use of much larger ones (e.g., 32 bits). In this context, an S-box is then defined as a subfunction whose cryptographic properties can be estimated precisely. In this paper, we present a 64-bit ARX-based S-box called Alzette, which can be evaluated in constant time using only 12 instructions on modern CPUs. Its parallel application can also leverage vector (SIMD) instructions. One iteration of Alzette has differential and linear properties comparable to those of the AES S-box, while two iterations are at least as secure as the AES super S-box. Since the state size is much larger than the typical 4 or 8 bits, the study of the relevant cryptographic properties of Alzette is not trivial.

Peer Reviewed
Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly
Wang, Qingju UL; Hao, Yonglin; Todo, Yosuke et al

in 38th Annual International Cryptology Conference (CRYPTO 2018), Santa Barbara 19-23 Aug 2018 (2018, April 29)

Peer Reviewed
Zero-Sum Partitions of PHOTON Permutations
Wang, Qingju UL; Grassi, Lorenzo; Rechberger, Christian

in Smart, Nigel P. (Ed.) Topics in Cryptology - CT-RSA 2018 - The Cryptographers' Track at the RSA Conference 2018, San Francisco, CA, USA, April 16-20, 2018 Proceedings (2018, April)
