Book ChapterDOI

Linear cryptanalysis method for DES cipher

02 Jan 1994-pp 386-397
TL;DR: A new method is introduced for cryptanalysis of DES cipher, which is essentially a known-plaintext attack, that is applicable to an only-ciphertext attack in certain situations.
Abstract: We introduce a new method for cryptanalysis of DES cipher, which is essentially a known-plaintext attack. As a result, it is possible to break 8-round DES cipher with 2^21 known-plaintexts and 16-round DES cipher with 2^47 known-plaintexts, respectively. Moreover, this method is applicable to an only-ciphertext attack in certain situations. For example, if plaintexts consist of natural English sentences represented by ASCII codes, 8-round DES cipher is breakable with 2^29 ciphertexts only.


Citations
Book
14 Feb 2002
TL;DR: The underlying mathematics and the wide trail strategy as the basic design idea are explained in detail and the basics of differential and linear cryptanalysis are reworked.
Abstract: 1. The Advanced Encryption Standard Process.- 2. Preliminaries.- 3. Specification of Rijndael.- 4. Implementation Aspects.- 5. Design Philosophy.- 6. The Data Encryption Standard.- 7. Correlation Matrices.- 8. Difference Propagation.- 9. The Wide Trail Strategy.- 10. Cryptanalysis.- 11. Related Block Ciphers.- Appendices.- A. Propagation Analysis in Galois Fields.- A.1.1 Difference Propagation.- A.1.2 Correlation.- A.1.4 Functions that are Linear over GF(2).- A.2.1 Difference Propagation.- A.2.2 Correlation.- A.2.4 Functions that are Linear over GF(2).- A.3.3 Dual Bases.- A.4.2 Relationship Between Trace Patterns and Selection Patterns.- A.4.4 Illustration.- A.5 Rijndael-GF.- B. Trail Clustering.- B.1 Transformations with Maximum Branch Number.- B.2 Bounds for Two Rounds.- B.2.1 Difference Propagation.- B.2.2 Correlation.- B.3 Bounds for Four Rounds.- B.4 Two Case Studies.- B.4.1 Differential Trails.- B.4.2 Linear Trails.- C. Substitution Tables.- C.1 SRD.- C.2 Other Tables.- C.2.1 xtime.- C.2.2 Round Constants.- D. Test Vectors.- D.1 KeyExpansion.- D.2 Rijndael(128,128).- D.3 Other Block Lengths and Key Lengths.- E. Reference Code.

3,444 citations

Book ChapterDOI
10 Sep 2007
TL;DR: An ultra-lightweight block cipher, present, which is competitive with today's leading compact stream ciphers and suitable for extremely constrained environments such as RFID tags and sensor networks.
Abstract: With the establishment of the AES the need for new block ciphers has been greatly diminished; for almost all block cipher applications the AES is an excellent and preferred choice. However, despite recent implementation advances, the AES is not suitable for extremely constrained environments such as RFID tags and sensor networks. In this paper we describe an ultra-lightweight block cipher, present . Both security and hardware efficiency have been equally important during the design of the cipher and at 1570 GE, the hardware requirements for present are competitive with today's leading compact stream ciphers.

2,202 citations


Cites background from "Linear cryptanalysis method for DES..."

  • ...Differential [3] and linear [32] cryptanalysis are among the most powerful techniques available to the cryptanalyst....

    [...]

Book
01 Jan 2001
TL;DR: In almost 600 pages of riveting detail, Ross Anderson warns us not to be seduced by the latest defensive technologies, never to underestimate human ingenuity, and always use common sense in defending valuables.
Abstract: Gigantically comprehensive and carefully researched, Security Engineering makes it clear just how difficult it is to protect information systems from corruption, eavesdropping, unauthorized use, and general malice. Better, Ross Anderson offers a lot of thoughts on how information can be made more secure (though probably not absolutely secure, at least not forever) with the help of both technologies and management strategies. His work makes fascinating reading and will no doubt inspire considerable doubt--fear is probably a better choice of words--in anyone with information to gather, protect, or make decisions about. Be aware: This is absolutely not a book solely about computers, with yet another explanation of Alice and Bob and how they exchange public keys in order to exchange messages in secret. Anderson explores, for example, the ingenious ways in which European truck drivers defeat their vehicles' speed-logging equipment. In another section, he shows how the end of the cold war brought on a decline in defenses against radio-frequency monitoring (radio frequencies can be used to determine, at a distance, what's going on in systems--bank teller machines, say), and how similar technology can be used to reverse-engineer the calculations that go on inside smart cards. In almost 600 pages of riveting detail, Anderson warns us not to be seduced by the latest defensive technologies, never to underestimate human ingenuity, and always use common sense in defending valuables. A terrific read for security professionals and general readers alike. --David Wall Topics covered: How some people go about protecting valuable things (particularly, but not exclusively, information) and how other people go about getting it anyway. Mostly, this takes the form of essays (about, for example, how the U.S. Air Force keeps its nukes out of the wrong hands) and stories (one of which tells of an art thief who defeated the latest technology by hiding in a closet). 
Sections deal with technologies, policies, psychology, and legal matters.

1,852 citations

Journal Article
TL;DR: In this paper, the authors describe an ultra-lightweight block cipher, present, which is suitable for extremely constrained environments such as RFID tags and sensor networks, but it is not suitable for very large networks such as sensor networks.
Abstract: With the establishment of the AES the need for new block ciphers has been greatly diminished; for almost all block cipher applications the AES is an excellent and preferred choice. However, despite recent implementation advances, the AES is not suitable for extremely constrained environments such as RFID tags and sensor networks. In this paper we describe an ultra-lightweight block cipher, present . Both security and hardware efficiency have been equally important during the design of the cipher and at 1570 GE, the hardware requirements for present are competitive with today's leading compact stream ciphers.

1,750 citations

Book ChapterDOI
17 Aug 1997
TL;DR: This work states that this attack is applicable only to public key cryptosystems such as RSA, and not to secret key algorithms such as the Data Encryption Standard (DES).
Abstract: In September 1996 Boneh, Demillo, and Lipton from Bellcore announced a new type of cryptanalytic attack which exploits computational errors to find cryptographic keys. Their attack is based on algebraic properties of modular arithmetic, and thus it is applicable only to public key cryptosystems such as RSA, and not to secret key algorithms such as the Data Encryption Standard (DES).

1,662 citations


Cites methods from "Linear cryptanalysis method for DES..."

  • ...We expect that linear cryptanalysis[12] can also be combined with DFA in some cases (in a similar way to differential-linear cryptanalysis[10]), especially when the identification of the fault position is highly reliable (or when the fault positions might be chosen by the attacker)....

    [...]

References
Journal ArticleDOI
11 Aug 1990
TL;DR: A new type of cryptanalytic attack is developed which can break the reduced variant of DES with eight rounds in a few minutes on a personal computer and can break any reduced variant of DES (with up to 15 rounds) using less than 2^56 operations and chosen plaintexts.
Abstract: The Data Encryption Standard (DES) is the best known and most widely used cryptosystem for civilian applications. It was developed at IBM and adopted by the National Bureau of Standards in the mid 1970s, and has successfully withstood all the attacks published so far in the open literature. In this paper we develop a new type of cryptanalytic attack which can break the reduced variant of DES with eight rounds in a few minutes on a personal computer and can break any reduced variant of DES (with up to 15 rounds) using less than 2^56 operations and chosen plaintexts. The new attack can be applied to a variety of DES-like substitution/permutation cryptosystems, and demonstrates the crucial role of the (unpublished) design rules.

2,494 citations

Book
01 Nov 1986
TL;DR: A comparison of the Knapsack as a Nonlinear Function and Nonlinear Combining Functions with Memory, and the Summation Principle, which helps clarify the role of memory in the generation of sequences.
Abstract: 1. Introduction.- 2. Stream Ciphers.- 2.1. Theoretical versus Practical Security.- 2.2. The Key Stream Generator.- 2.3. The Synchronization (Problem) of Stream Ciphers.- 3. Algebraic Tools.- 3.1. Finite Fields and Polynomials.- 3.2. Linear Feedback Shift Registers (LFSRs) and Sequences.- 3.3. Minimal Polynomial and Traces.- 4. Random Sequences and Linear Complexity.- 5. Nonlinear Theory of Periodic Sequences.- 5.1. Nonlinear Operations on Phases of a Sequence with Irreducible Minimal Polynomial.- 5.2. Nonlinear Operations on Sequences with Distinct Minimal Polynomials.- 5.3. Correlation-Immunity of Memoryless Combining Functions.- 5.4. Summary and Conclusions.- 6. Multiple Speed: An Additional Parameter in Secure Sequence Generation.- 6.1. The Simulated Linear Feedback Shift Register.- 6.2. A Random Number Generator Suggested by a Linear Cipher Problem.- 6.2.1. The Random Sequence Generator.- 6.2.2. Analysis of the Random Sequence Generator.- 6.2.3. Extensions and Comments.- 7. The Knapsack as a Nonlinear Function.- 7.1. The Significance of the Knapsack for Secrecy Systems.- 7.2. Addition is a Cryptographically Useful Function.- 7.3. The Knapsack in GF(2)-Arithmetic.- 8. The Hard Knapsack Stream Cipher.- 8.1. System Description.- 8.2. Analysis of the Knapsack Stream Cipher.- 8.3. Conclusions and Design Considerations.- 8.4. Simulation Results of Small Scale Knapsack Stream Ciphers.- 9. Nonlinear Combining Functions with Memory.- 9.1. Correlation Immunity.- 9.2. The Summation Principle.- 9.3. Summary and Conclusions.- Literature References.

766 citations

BookDOI
01 Jan 1991
TL;DR: The applicability of differential cryptanalysis to the Feal family of encryption algorithms and to the N-Hash hash function is shown.
Abstract: In [1,2] we introduced the notion of differential cryptanalysis and described its application to DES[8] and several of its variants. In this paper we show the applicability of differential cryptanalysis to the Feal family of encryption algorithms and to the N-Hash hash function.

618 citations

Book
01 Jan 1992

574 citations

Book ChapterDOI
16 Aug 1992
TL;DR: The first known attack is developed which is capable of breaking the full 16 round DES in less than the 2^55 complexity of exhaustive search and can be carried out in parallel on up to 2^33 disconnected processors with linear speedup.
Abstract: In this paper we develop the first known attack which is capable of breaking the full 16 round DES in less than the 2^55 complexity of exhaustive search. The data analysis phase computes the key by analyzing about 2^36 ciphertexts in 2^37 time. The 2^36 usable ciphertexts are obtained during the data collection phase from a larger pool of 2^47 chosen plaintexts by a simple bit repetition criteria which discards more than 99.9% of the ciphertexts as soon as they are generated. While earlier versions of differential attacks were based on huge counter arrays, the new attack requires negligible memory and can be carried out in parallel on up to 2^33 disconnected processors with linear speedup. In addition, the new attack can be carried out even if the analyzed ciphertexts are derived from up to 2^33 different keys due to frequent key changes during the data collection phase. The attack can be carried out incrementally with any number of available ciphertexts, and its probability of success grows linearly with this number (e.g., when 2^29 usable ciphertexts are generated from a smaller pool of 2^40 plaintexts, the analysis time decreases to 2^30 and the probability of success is about 1%).

318 citations