#### Abstract

At AES’00, a collision attack on 7-round reduced AES was proposed. In this paper, we apply this idea to seven SPN block ciphers, AES-192/256, Crypton-192/256, mCrypton-96/128, and Anubis. Applying our attacks on AES-192/256, we improve the attack result based on meet-in-the-middle attack (AES-192) and the attack result proposed in AES’00 (AES-256), respectively. Our attack result on Anubis is superior to known cryptanalytic result on it. In the cases of Crypton-192/256 and mCrypton-96/128, our attacks are applicable to 8-round reduced versions. The attack results on mCrypton-96/128 are more practical than known cryptanalytic results on them.

#### 1. Introduction

Recently, meet-in-the-middle attack has received attention. The attack procedure of meet-in-the-middle attack can be summarized as follows. Let be the message space and the key space. Suppose that and are two block ciphers and let . In this attack, an attacker tries to deduce from a given plaintext/ciphertext pair by trying to solve . In some cases, the equation is not tested for all the bits of the intermediate encryption value, but rather for only some of them. So far, many meet-in-the-middle attack results on block cipher have been proposed [1, 2]. On the other hand, Gilbert and Minier proposed a collision attack on -round of AES in [3]. This attack is a type of meet-in-the middle attack and exploits a -round distinguisher. In general, block cipher is completely deterministic, that is, if it is run again with the exact same input values, identical output values will be produced. Similarly, the different input values result in the different output values. However, it is possible that the different input values result in the output values of which the specific parts are the same. We call this case a collision.

In this paper, we apply the main idea of [3] to seven SPN block ciphers, such as AES-/ [4], Crypton [5], mCrypton-96/128 [6], and Anubis [7]. Table 1 shows our attack results on them. Rijndael was announced as the Advanced Encryption Standard (AES) in 2001. After DES, it is one of the most widely used and analyzed ciphers in the world. AES is a -bit block cipher and accepts key sizes of , and bits. These versions of AES are called AES-// and the number of rounds for these versions is , and , respectively. Our attacks on AES-/ require a computational complexity of encryptions with chosen plaintexts and memory bytes, respectively. Though our attacks on them are not applicable to the full AES-/, these are superior to the attack results of [1] (AES-) and [3] (AES-), respectively.

Crypton is a -bit block cipher submitted as a candidate for the AES proposal of NIST. This algorithm has a -round SPN structure with //-bit secret keys. According to the length of the secret keys, we call them Crypton-//, respectively. Our attack is applicable to -round reduced Crypton-/. To our knowledge, truncated differential cryptanalysis on -round reduced Crypton-/ has the best results on them, so far [8]. The attacks on an -round reduced Crypton-/ need the computational complexity of encryptions with chosen plaintexts and memory bytes, respectively. Compared to the attack results of [8], our attacks decrease the data complexity but increase the computational complexity.

A -bit block cipher mCrypton was designed as a reduced version of Crypton for a ubiquitous environment. It provides low-resource hardware implementation, which is suitable for low-end devices such as RFID tags and wireless sensor network. Several security aspects related to RFID tags and wireless sensor network have already been studied. mCrypton has rounds and supports the -bit secret keys. Our attack is applicable to mCrypton-/. We require the computational complexity of encryptions with chosen plaintexts and memory bytes. However, this is not the best result on them, since related-key impossible differential cryptanalysis on -round reduced mCrypton-/ was proposed in [9]. However, considering the attack assumption of a related-key attack, our attacks are more practical than it.

Anubis is a block cipher submitted to the NESSIE project and operates on data blocks of bits, accepting keys of length bits . It is a Rijndael variant that uses involutions for the various operations. Our attack is applicable to Anubis where the length of the secret key is longer than bits. We need the computational complexity of encryptions with chosen plaintexts and memory bytes. This result is superior to known cryptanalytic results on this algorithm.

The rest of this paper is organized as follows. In Section 2, we propose collision attacks on AES-/. Collision attacks on Crypton-/ and mCrypton-/ are introduced in Section 3. In Section 4, we present a collision attack on Anubis. In each section, we start with a brief description of the block cipher concerned. Finally, we give our conclusion in Section 5.

#### 2. Collision Attacks on 7-Round Reduced AES-192/256

First, we briefly present AES-/. And then we introduce collision attacks on AES-/. Note that the attack procedure on AES- is the same as that on AES-. Thus, for the simplicity of notations, we just call them AES-/ AES.

##### 2.1. AES-192/256

AES-/ are -bit block ciphers with /-bit secret keys. According to the length of the secret key, the number of rounds is and , respectively. Each internal state is treated as a byte matrix of size , where each byte represents a value in (see Figure 1).

In round , input/output values and round key are denoted by , and , respectively (AES-) or (AES-). A whitening key is denoted by . The round function of AES-/ applies the following four operations to the state matrix:(i)SubBytes (SB): applying the same invertible S-box times in parallel on each byte of the state;(ii)ShiftRows (SR): cyclic shift of each row (the th row is shifted by bytes to the left); (iii)MixColumns (MC): multiplication of each column by a constant matrix over ;(iv)AddRoundKey (ARK): XORing the state with a -bit round key.

The SB, SR, MC, and ARK transformations are applied to each round except that MC is omitted in the last round. Besides, before the first round, an extra ARK is applied, which we call a whitening key step. For the more detailed descriptions of AES-/, we refer to [4]. We omit the key schedules of them, as they do not affect our attacks.

##### 2.2. Finding a 4-Round Distinguisher of AES

In our attack on AES, we use a -round distinguisher of round 2*~*5. We consider an input value of round in AES which is constructed as follows: (i) : four -bit variables; (ii) : a fixed -bit constant .

By using , we can construct the following equations on . Here, means the entry of the coefficient matrix of MC :

Note that each , , , and depends on only one -bit variable and one -bit round key: , and .

Applying the above procedure repeatedly, as shown in (2), we can obtain an equation on an input value of round by using . Here, bold characters indicate

Note that this equation consists of five parts as follows: If we find different and which satisfy that each subpart including , that is, th rows of the first part, th rows of the second part, th rows of the third part, and th rows of the fourth part in (2), has the same value for a given , then is equal to . That is, for all , these and result in the same -bit value of four subparts (the length of the value in each subpart is bits). By the birthday paradox, we can obtain different and from with the probability of .

We can express by using as follows. Here, means the inverse of a function If we obtain different and satisfying , then is also equal to . Thus, from the above equation, we can construct the following equation. Here, means the entry of the coefficient matrix of For all , we can check that is equal to by using (5). That is, with the probability of , we can find different and satisfying (5) for all (among candidates).

On the other hand, our attack on AES recovers a -bit round key and the probability that (5) holds for one is . So, if we use only , the probability that (5) holds is . Since , we consider only .

##### 2.3. Collision Attack on a 7-Round Reduced AES

Now, we show how to exploit a -round distinguisher constructed in the previous subsection in order to attack a -round reduced AES.

Similarly to the previous subsection, can be expressed by using as follows: For the simplicity of notations, and in (6) are denoted by and , respectively.

Our attack procedure on AES is as follows (see Figure 2). (1)Construct plaintexts , where all byte values except are fixed constants, and obtain the corresponding ciphertexts (). Sort 's according to a -bit value . (2)For each , guess -bit round keys , , , , and compute the corresponding from the guessed round keys and by using (6) (e.g., guess to compute ). Sort according to the guessed round keys, and , and keep them in a table. (3)Select sets including output values of MC in round . Note that are fixed constants in all . In each , have different values but all contain the same . In the case of , they are different in each but the same in all . (4)Guess -bit round keys and construct sets including the corresponding from each in , and do the following:(i)choose different two sets and . By using the table constructed in Step 2, check that 25 pairs from and satisfy (5);(ii)if all 25 pairs satisfy (5), then output the corresponding 192-bit guessed round keys as the right round keys of AES.

The data complexity of this attack is chosen plaintexts and the memory complexity is memory bytes. The computational complexity depends on Step 2 heavily. Thus, it is about encryptions. Though this attack is not applicable to the full AES-/, this result is superior to the attack results of [1] (AES-192) and [3] (AES-256), respectively.

#### 3. Collision Attacks on 8-Round Reduced Crypton-192/256 and mCrypton-96/128

In this section, we present collision attacks on 8-round reduced Crypton-192/256 and mCrypton-96/128. Our attacks on 8-round reduced mCrypton-96/128 are similar to them on 8-round reduced Crypton-192/256. Thus, we mainly introduce the attacks on 8-round reduced Crypton-192/256. Furthermore, similarly to the attacks on AES-192/256, the attack procedure on Crypton-192 (mCrypton-96) is the same as that on Crypton-256 (mCrypton-128). Thus, for the simplicity of notations, we just call them Crypton-192/256 (mCrypton-96/128) and Crypton (mCrypton). First, we briefly present Crypton and mCrypton.

##### 3.1. Crypton and mCrypton

As shown in Figure 3(a), a 128-bit block cipher Crypton has a 12-round SPN structure with 128/192/2 56-bit secret keys and processes blocks of 128 bits in the form of 4 × 4 byte array (see Figure 4). Note that indices used in the internal state of Crypton are different from that of AES.

**(a)**

**(b)**

Similarly to AES-192/256, in round , we denote input/output values and round key , and , respectively . The round function of Crypton consists of the following four operations: (i): applying four S-boxes 4 times in parallel on each byte of the state. Note that two versions of are used according to rounds. In detail, is for odd rounds and is for even rounds;(ii): mixing each byte column of 4 × 4 array by using four masking bytes . Similarly to , two versions of are applied according to rounds ( is for odd rounds and is for even rounds);(iii): moving the byte at the th position to the th position;(iv): XORing the state with an 128-bit round key.

The round function consists of applying in sequence four operations, the S-box transformation , the bit permutation , the byte transposition , and the key addition , to the byte array. More specifically, the odd round function and the even round function are defined (for a round key ) as follows:(i) for odd rounds;(ii)for even rounds.

For the more detailed descriptions of Crypton, we refer to [5]. Similarly to our attacks on AES-192/256, our attacks on Crypton do not also consider the key schedule of this algorithm. Thus, we omit its key schedules.

mCrypton is a 64-bit lightweight block cipher designed for use in low-cost and resource-constrained applications such as RFID tags and sensors in wireless sensor networks. As shown in Figure 3(b), it has a 12-round SPN structure and supports the 64/96/128-bit secret keys. The overall structure of mCrypton is similar to Crypton except that mCrypton is based on nibble-oriented operations (note that Crypton is based on byte-oriented operations).

##### 3.2. Collision Attacks on an 8-Round Reduced Crypton

First, we explain the way to find a distinguisher of Crypton. By using a similar method in the attack on AES-192/256, we can also construct a 4-round distinguisher of Crypton. Furthermore, because of the weak diffusion property of Crypton, we can extend this distinguisher to a 5-round distinguisher of it. In detail, our attacks on an 8-round reduced Crypton consider a 5-round distinguisher of round 2*~*6.

Recall that, in the attack on AES-192/256, an equation on can be constructed by using . We apply this method to Crypton. As a result, we obtain an equation on by using . Similarly to AES-192/256, this equation consists of five parts as follows. Here, means a masking byte used in and “” is a bitwise AND operation

On the other hand, can be written by using as follows:

Thus, we use the following equation as a checking equation (note that, in the case of the attack on AES-192/256, a checking equation is (5))

The overall attack procedure is similar to the case of AES. Figure 5 presents our attack procedure on an 8-round reduced Crypton. The method to compute from is shown in

The complexities of this attack are as follows:(i) the data complexity: chosen plaintexts; (ii) the memory complexity: memory bytes; (iii) the computational complexity: encryptions.

So far, the best attack result was the truncated differential cryptanalysis on -round reduced Crypton-192/256 proposed in [8]. This attack requires the computational complexity of encryptions with chosen plaintexts, respectively. Compared to these results, our attack decreases the data complexity but increases the computational complexity.

##### 3.3. Collision Attacks on an 8-Round Reduced mCrypton

As shown in Figure 5, the attack procedure on mCrypton is the same as that on Crypton except that it is based on nibble-oriented operations (recall that Crypton is based on byte-oriented operations). In detail, our attack on mCrypton uses (9) as a checking equation and is computed from by using (10).

Since the size of internal state of mCrypton is half of that in Crypton, the complexities of the attack on mCrypton are half of them on Crypton. The complexities of the attack on mCrypton are as follows:(i) the data complexity: chosen plaintexts; (ii) the memory complexity: memory bytes; (iii) the computational complexity: encryptions.

In [9], related-key impossible differential cryptanalysis on 9-round reduced mCrypton-96/128 was proposed. The attack on a 9-round reduced mCrypton-96 needs the computational complexity of encryptions with chosen plaintexts. In the case of a 9-round reduced mCrypton-128, we need the computational complexity of encryptions with chosen plaintexts. To our knowledge, these are the best results on mCrypton-96/128. However, considering the attack assumption of a related-key attack, our attacks are more practical than it.

#### 4. Collision Attack on an 8-Round Reduced Anubis

First, we present Anubis, and then a collision attack on an -round reduced Anubis is introduced.

##### 4.1. Anubis

As shown in Figure 6, Anubis is a -bit block cipher with variable-length keys from bits to bits in steps of bits. The number of rounds depends on the length of the secret key: at least (for the -bit secret key), plus one extra round for each additional bits. For example, when the length of the secret key is bits, the number of rounds is .

Anubis processes blocks of bits in the form of byte array and uses the same indices as AES (see Figure 1). Similarly to block ciphers concerned in the previous sections, in round , we denote input/output values and round key , , and , respectively.

The round function of Anubis consists of sixteen S-box parallel lookups, a linear transformation (matrix transposition followed by multiplication by a constant MDS diffusion matrix), and the round key addition. These transformations are defined as follows:(i): applying the same S-box times in parallel on each byte of the state;(ii): moving the byte at the th position to the th position;(iii): multiplication of each column by a constant matrix over ; (iv): XORing the state with a -bit round key.

For the more detailed descriptions of Anubis, we refer to [7]. Similarly to the previous sections, we omit their key schedules, as they do not affect our attacks.

##### 4.2. Collision Attacks on an 8-Round Reduced Anubis

Our attack on an -round reduced Anubis is similar to the attacks on AES-/, Crypton-/, and mCrypton-/. In collision attack on an -round reduced Anubis, we use a -round distinguisher of round 2*~*6. By using a similar method of the attack introduced in the previous sections, we can obtain the following equation on by using :

On the other hand, can be written by using as follows: Thus, we use the following equation as a checking equation

The attack procedure on an -round reduced Anubis is similar to that on block ciphers proposed in the previous sections. Figure 7 presents our attack procedure on an -round reduced Anubis. In our attack, the method to compute from is The complexities of this attack is as follows:(i) the data complexity: chosen plaintexts; (ii) the memory complexity: memory bytes; (iii) the computational complexity: encryptions.

So far, the best attack results on Anubis are a collision attack and a square attack on a -round reduced version [11]. A collision attack on a -round reduced Anubis requires the computational complexity of encryptions with chosen plaintexts. In the case of a square attack on this algorithm, we need the computational complexity of encryptions with *~* chosen plaintexts. Thus, our attack result is superior to these cryptanalytic results.

#### 5. Conclusion

In this paper, we have introduced collision attacks on seven SPN block ciphers, 7-round reduced AES-192/256, 8-round reduced Crypton-192/256, 8-round reduced mCrypton-96/128, and an 8-round reduced Anubis. Our attacks are based on the idea of [3].

Our attacks on -round reduced AES-192/256 improve the attack results based on a type of meet-in-the-middle attack. Considering that the best attack results on Crypton-192/256 are those on 8-round reduced versions, our attacks on these algorithms are meaningful. Our attacks on 8-round reduced mCrypton-96/128 are not best results on mCrypton-96/128. However, considering that known best attack results on them are based on a related-key attack, our attacks are more practical than them. In the case of Anubis, our attack result is superior to known cryptanalytic result on this algorithm.

#### Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

#### Acknowledgments

This research was supported by the Ministry of Science, ICT & Future Planning (MSIP), Korea, under the Convergence Information Technology Research Center (C-ITRC) Support Program (NIPA-2013-H0301-13-3007), supervised by the National IT Industry Promotion Agency (NIPA).