
Showing papers on "Block cipher published in 1994"


Book ChapterDOI
02 Jan 1994
TL;DR: A new method is introduced for cryptanalysis of DES cipher, which is essentially a known-plaintext attack, that is applicable to an only-ciphertext attack in certain situations.
Abstract: We introduce a new method for cryptanalysis of DES cipher, which is essentially a known-plaintext attack. As a result, it is possible to break 8-round DES cipher with 2^21 known plaintexts and 16-round DES cipher with 2^47 known plaintexts, respectively. Moreover, this method is applicable to an only-ciphertext attack in certain situations. For example, if plaintexts consist of natural English sentences represented by ASCII codes, 8-round DES cipher is breakable with 2^29 ciphertexts only.

2,753 citations


Book ChapterDOI
14 Dec 1994
TL;DR: The concept of truncated differentials is introduced and it is shown how to find a minimum nonlinear order of a block cipher using higher order differentials.
Abstract: In [6] higher order derivatives of discrete functions were considered and the concept of higher order differentials was introduced. We introduce the concept of truncated differentials and present attacks on ciphers presumably secure against differential attacks, but vulnerable to attacks using higher order and truncated differentials. Also we give a differential attack using truncated differentials on DES reduced to 6 rounds using only 46 chosen plaintexts with an expected running time of about the time of 3,500 encryptions. Finally it is shown how to find a minimum nonlinear order of a block cipher using higher order differentials.

771 citations


Journal ArticleDOI
Don Coppersmith
TL;DR: Some of the safeguards against differential cryptanalysis that were built into the DES system from the beginning are shown, with the result that more than 10^15 bytes of chosen plaintext are required for this attack to succeed.
Abstract: The Data Encryption Standard (DES) was developed by an IBM team around 1974 and adopted as a national standard in 1977. Since that time, many cryptanalysts have attempted to find shortcuts for breaking the system. In this paper, we examine one such attempt, the method of differential cryptanalysis, published by Biham and Shamir. We show some of the safeguards against differential cryptanalysis that were built into the system from the beginning, with the result that more than 10^15 bytes of chosen plaintext are required for this attack to succeed.

560 citations


Book ChapterDOI
21 Aug 1994
TL;DR: An improved version of linear cryptanalysis is described and its application to the first, successful computer experiment in breaking the full 16-round DES with high success probability if 2^43 random plaintexts and their ciphertexts are available.
Abstract: This paper describes an improved version of linear cryptanalysis and its application to the first, successful computer experiment in breaking the full 16-round DES. The scenario is a known-plaintext attack based on two new linear approximate equations, each of which provides candidates for 13 secret key bits with negligible memory. Moreover, reliability of the key candidates is taken into consideration, which increases the success rate. As a result, the full 16-round DES is breakable with high success probability if 2^43 random plaintexts and their ciphertexts are available. The author carried out the first experimental attack using twelve computers to confirm this: he finally reached all of the 56 secret key bits in fifty days, out of which forty days were spent for generating plaintexts and their ciphertexts and only ten days were spent for the actual key search.

453 citations


Book ChapterDOI
09 May 1994
TL;DR: Linear cryptanalysis, introduced last year by Matsui, will most certainly open-up the way to new attack methods which may be made more efficient when compared or combined with differential cryptanalysis as mentioned in this paper.
Abstract: Linear cryptanalysis, introduced last year by Matsui, will most certainly open-up the way to new attack methods which may be made more efficient when compared or combined with differential cryptanalysis.

395 citations


Journal ArticleDOI
TL;DR: High quality pseudorandom pattern generators built around rule 90 and 150 programmable cellular automata with a rule selector have been proposed as running key generators in stream ciphers; both the schemes provide better security against different types of attacks.
Abstract: This paper deals with the theory and application of Cellular Automata (CA) for a class of block ciphers and stream ciphers. Based on CA state transitions certain fundamental transformations are defined which are block ciphering functions of the proposed enciphering scheme. These fundamental transformations are found to generate the simple (alternating) group of even permutations which in turn is a subgroup of the permutation group. These functions are implemented with a class of programmable cellular automata (PCA) built around rules 51, 153, and 195. Further, high quality pseudorandom pattern generators built around rule 90 and 150 programmable cellular automata with a rule selector (i.e., combining function) have been proposed as running key generators in stream ciphers. Both the schemes provide better security against different types of attacks. With a simple, regular, modular and cascadable structure of CA, hardware implementation of such schemes ideally suits VLSI implementation.

381 citations


Book ChapterDOI
09 May 1994
TL;DR: A practical algorithm for deriving the best differential characteristic and the best linear expression of DES, based on a duality between differential cryptanalysis and linear cryptanalysis, and applicable to various block ciphers is introduced.
Abstract: This paper introduces a practical algorithm for deriving the best differential characteristic and the best linear expression of DES. Its principle is based on a duality between differential cryptanalysis and linear cryptanalysis, and applicable to various block ciphers. Then using this program, we observe how the order of S-boxes affects the strength of DES. We show that the order of the S-boxes is well-arranged against differential cryptanalysis, though it is not the best choice. On the other hand, our experimental results indicate that it is a very weak choice in regard to linear cryptanalysis. In other words, DES can be strengthened by just rearranging the order of the S-boxes.

283 citations


Book ChapterDOI
09 May 1994
TL;DR: The results of this paper give the theoretical fundaments on which Matsui's linear cryptanalysis of the DES is based and it is shown how to achieve proven resistance against linear crypt analysis.
Abstract: The results of this paper give the theoretical fundaments on which Matsui's linear cryptanalysis of the DES is based. As a result we obtain precise information on the assumptions explicitly or implicitly stated in [2] and show that the success of Algorithm 2 is underestimated in [2]. We also derive a formula for the strength of Algorithm 2 for DES-like ciphers and see what is its dependence on the plaintext distribution. Finally, it is shown how to achieve proven resistance against linear cryptanalysis.

239 citations


Book ChapterDOI
21 Aug 1994
TL;DR: A technique is presented which aids in the linear cryptanalysis of a block cipher and allows for a reduction in the amount of data required for a successful attack, and it is illustrated that it is generally applicable and might be exceptionally successful when applied to other block ciphers.
Abstract: We present a technique which aids in the linear cryptanalysis of a block cipher and allows for a reduction in the amount of data required for a successful attack. We note the limits of this extension when applied to DES, but illustrate that it is generally applicable and might be exceptionally successful when applied to other block ciphers. This forces us to reconsider some of the initial attempts to quantify the resistance of block ciphers to linear cryptanalysis, and by taking account of this new technique we cover several issues which have not yet been considered.

216 citations


Book ChapterDOI
02 Jan 1994
TL;DR: Basic properties of APN permutations, which can be used in an iterated secret-key block cipher as a round function to protect it from a differential cryptanalysis, are investigated.
Abstract: In this paper basic properties of APN permutations, which can be used in an iterated secret-key block cipher as a round function to protect it from a differential cryptanalysis, are investigated. Several classes of almost perfect nonlinear permutations and other permutations in GF(2)^n with good nonlinearity and high nonlinear order are presented. Included here are also three methods for constructing permutations with good nonlinearity.

211 citations


Journal ArticleDOI
01 Mar 1994
TL;DR: A VLSI implementation of the International Data Encryption Algorithm is presented and all important standardized modes of operation of block ciphers, such as ECB, CBC, CFB, OFB, and MAC, are supported.
Abstract: A VLSI implementation of the International Data Encryption Algorithm is presented. Security considerations led to novel system concepts in chip design including protection of sensitive information and on-line failure detection capabilities. BIST was instrumental for reconciling contradicting requirements of VLSI testability and cryptographic security. The VLSI chip implements data encryption and decryption in a single hardware unit. All important standardized modes of operation of block ciphers, such as ECB, CBC, CFB, OFB, and MAC, are supported. In addition, new modes are proposed and implemented to fully exploit the algorithm's inherent parallelism. With a system clock frequency of 25 MHz the device permits a data conversion rate of more than 177 Mb/s. Therefore, the chip can be applied to on-line encryption in high-speed networking protocols like ATM or FDDI.

Book ChapterDOI
02 Jan 1994
TL;DR: In this article, it was shown that the problem of weak keys can be eliminated by slightly modifying the key schedule of IDEA, which can be achieved by solving a set of 16 nonlinear boolean equations with 12 variables.
Abstract: Large classes of weak keys have been found for the block cipher algorithm IDEA, previously known as IPES [2]. IDEA has a 128-bit key and encrypts blocks of 64 bits. For a class of 2^23 keys IDEA exhibits a linear factor. For a certain class of 2^35 keys the cipher has a global characteristic with probability 1. For another class of 2^51 keys only two encryptions and solving a set of 16 nonlinear boolean equations with 12 variables is sufficient to test if the used key belongs to this class. If it does, its particular value can be calculated efficiently. It is shown that the problem of weak keys can be eliminated by slightly modifying the key schedule of IDEA.

Journal ArticleDOI
TL;DR: A computer package used for assessing the security of newly-developed encryption algorithms and their ciphers prior to use is described.

Book ChapterDOI
02 Jan 1994
TL;DR: Evidence is given that these properties can be exploited in the first 2 rounds of IDEA but that they are of no assistance in the cryptanalysis of the full IDEA block cipher containing 8 rounds.
Abstract: IDEA is an iterated block cipher proposed by Lai and Massey and is based on the design concept of "mixing operations from different algebraic groups". New arithmetic properties of the basic operations used in the round function are found and investigated with respect to the security of this block cipher. Evidence is given that these properties can be exploited in the cryptanalysis of the first 2 rounds of IDEA but that they are of no assistance in the cryptanalysis of the full IDEA block cipher containing 8 rounds.

Journal ArticleDOI
01 Mar 1994
TL;DR: A new concept, practical security against linear and differential attacks on Feistel ciphers is introduced, which is capable of being resistant to differential attacks, linear attacks and other attacks.
Abstract: In this paper we give necessary design principles to be used when constructing secure Feistel ciphers. We introduce a new concept, practical security against linear and differential attacks on Feistel ciphers. We give examples of such Feistel ciphers (practically) resistant to differential attacks, linear attacks and other attacks.


Book ChapterDOI
14 Dec 1994
TL;DR: Starting from recent results on a linear statistical weakness of keystream generators and on linear correlation properties of combiners with memory, linear cryptanalysis of stream ciphers based on the linear sequential circuit approximation of finite-state machines is introduced as a general method for assessing the strength of stream ciphers.
Abstract: Starting from recent results on a linear statistical weakness of keystream generators and on linear correlation properties of combiners with memory, linear cryptanalysis of stream ciphers based on the linear sequential circuit approximation of finite-state machines is introduced as a general method for assessing the strength of stream ciphers. The statistical weakness can be used to reduce the uncertainty of unknown plaintext and also to reconstruct the unknown structure of a keystream generator, regardless of the initial state. The linear correlations in arbitrary keystream generators can be used for divide and conquer correlation attacks on the initial state based on known plaintext or ciphertext only. Linear cryptanalysis of irregularly clocked shift registers as well as of arbitrary shift register based binary keystream generators proves to be feasible. In particular, the direct stream cipher mode of block ciphers, the basic summation generator, the shrinking generator, the clock-controlled cascade generator, and the modified linear congruential generators are analyzed. It generally appears that simple shift register based keystream generators are potentially vulnerable to linear cryptanalysis. A proposal of a novel, simple and secure keystream generator is also presented.

Book ChapterDOI
14 Dec 1994
TL;DR: The results of experiments on the use of multiple approximations in a linear cryptanalytic attack on FEAL are described, with particular attention to FEAL-8.
Abstract: We describe the results of experiments on the use of multiple approximations in a linear cryptanalytic attack on FEAL; we pay particular attention to FEAL-8. While these attacks on FEAL are interesting in their own right, many important and intriguing issues in the use of multiple approximations are brought to light.

Proceedings ArticleDOI
Heys, Tavares
25 Sep 1994
TL;DR: From the analysis, it is concluded that it is easy to select S-boxes so that an efficient implementation or the CAST algorithm is demonstrably resistant to linear cryptanalysis.
Abstract: We examine a new private key encryption algorithm referred to as CAST. Specifically, we investigate the security of the cipher with respect to linear cryptanalysis. From our analysis we conclude that it is easy to select S-boxes so that an efficient implementation or the CAST algorithm is demonstrably resistant to linear cryptanalysis.

01 Jan 1994
TL;DR: The Consequences of Trust in Shared Secret Schemes, Practical and Provably Secure Release of a Secret and Exchange of Signatures, and new types of Cryptanalytic Attacks Using Related Keys are discussed.
Abstract: Authentication.- On the Relation Between A-Codes and Codes Correcting Independent Errors.- Optimal Authentication Systems.- Public Key.- Factoring Integers Using SIMD Sieves.- A New Elliptic Curve Based Analogue of RSA.- Weaknesses of a public-key cryptosystem based on factorizations of finite groups.- Block Ciphers.- Differentially uniform mappings for cryptography.- On Almost Perfect Nonlinear Permutations.- Two New Classes of Bent Functions.- Boolean functions satisfying a higher order strict avalanche criterion.- Secret Sharing.- Size of Shares and Probability of Cheating in Threshold Schemes.- Nonperfect Secret Sharing Schemes and Matroids.- Stream ciphers.- From the memoirs of a Norwegian cryptologist.- On the Linear Complexity of Products of Shift-Register Sequences.- Resynchronization Weaknesses in Synchronous Stream Ciphers.- Blind Synchronization of m-Sequences with Even Span.- On Constructions and Nonlinearity of Correlation Immune Functions.- Digital signatures.- Practical and Provably Secure Release of a Secret and Exchange of Signatures.- Subliminal Communication is Easy Using the DSA.- Can O.S.S. be Repaired? - Proposal for a New Practical Signature Scheme -.- Protocols I.- On a Limitation of BAN Logic.- Efficient Anonymous Channel and All/Nothing Election Scheme.- Untransferable Rights in a Client-Independent Server Environment.- Interactive Hashing Simplifies Zero-Knowledge Protocol Design.- Hash Functions.- One-Way Accumulators: A Decentralized Alternative to Digital Signatures.- The breaking of the AR Hash Function.- Collisions for the compression function of MD5.- How to Find and Avoid Collisions for the Knapsack Hash Function.- Payment Systems.- Single Term Off-Line Coins.- Improved Privacy in Wallets with Observers.- Distance-Bounding Protocols.- Cryptanalysis.- On the Distribution of Characteristics in Bijective Mappings.- On the Security of the IDEA Block Cipher.- Linear Cryptanalysis Method for DES Cipher.- New Types of Cryptanalytic Attacks Using Related Keys.- Protocols II.- Secret-Key Reconciliation by Public Discussion.- Global, Unpredictable Bit Generation Without Broadcast.- Rump Session.- On Schnorr's Preprocessing for Digital Signature Schemes.- Cryptanalysis of the Chang-Wu-Chen key distribution system.- An Alternate Explanation of two BAN-logic "failures".- The Consequences of Trust in Shared Secret Schemes.- Markov Ciphers and Alternating Groups.- On Key Distribution and Authentication in Mobile Radio Networks.

Proceedings ArticleDOI
02 Nov 1994
TL;DR: It is shown that using large S-boxes with good diffusion characteristics and replacing the permutation between rounds by an appropriate linear transformation is effective in improving the cipher security in relation to these two attacks.
Abstract: In this paper we examine a class of product ciphers referred to as substitution-permutation networks. We investigate the resistance of these cryptographic networks to two important attacks: differential cryptanalysis and linear cryptanalysis. In particular, we develop upper bounds on the differential characteristic probability and on the probability of a linear approximation as a function of the number of rounds of substitutions. Further, it is shown that using large S-boxes with good diffusion characteristics and replacing the permutation between rounds by an appropriate linear transformation is effective in improving the cipher security in relation to these two attacks.

Journal ArticleDOI
01 Jun 1994
TL;DR: The main result on the security of a DES-like cipher with independent round keys is Theorem 1, which gives an upper bound to the probability of s -round differentials, as defined in Markov Ciphers and Differential Cryptanalysis by X. Lai et al.
Abstract: The purpose of this paper is to show that there exist DES-like iterated ciphers which are provably resistant against differential attacks. The main result on the security of a DES-like cipher with independent round keys is Theorem 1, which gives an upper bound to the probability of s-round differentials, as defined in "Markov Ciphers and Differential Cryptanalysis" by X. Lai et al., and this upper bound depends only on the round function of the iterated cipher. Moreover, it is shown that there exist functions such that the probabilities of differentials are less than or equal to 2^(3-n), where n is the length of the plaintext block. We also show a prototype of an iterated block cipher which is compatible with DES and has proven security against differential attacks.

Book ChapterDOI
Matt Blaze, Bruce Schneier
14 Dec 1994
TL;DR: This paper introduces MacGuffin, a 64 bit “codebook” block cipher, based on a Feistel network, in which each round of the cipher modifies only 16 bits according to a function of the other 48.
Abstract: This paper introduces MacGuffin, a 64 bit “codebook” block cipher. Many of its characteristics (block size, application domain, performance and implementation structure) are similar to those of the U.S. Data Encryption Standard (DES). It is based on a Feistel network, in which the cleartext is split into two sides with one side repeatedly modified according to a keyed function of the other. Previous block ciphers of this design, such as DES, operate on equal length sides. MacGuffin is unusual in that it is based on a generalized unbalanced Feistel network (GUFN) in which each round of the cipher modifies only 16 bits according to a function of the other 48. We describe the general characteristics of MacGuffin architecture and implementation and give a complete specification for the 32-round, 128-bit key version of the cipher.

Book ChapterDOI
28 Nov 1994
TL;DR: LOKI89 and LOKI91 are resistant to linear cryptanalysis from the viewpoint of the best linear approximate probability, whereas s2DES is breakable by a known-plaintext attack faster than an exhaustive key search.
Abstract: This paper discusses linear cryptanalysis of LOKI89, LOKI91 and s2DES. Our computer program based on Matsui's search algorithm has completely determined their best linear approximate equations, which tell us applicability of linear cryptanalysis to each cryptosystem. As a result, LOKI89 and LOKI91 are resistant to linear cryptanalysis from the viewpoint of the best linear approximate probability, whereas s2DES is breakable by a known-plaintext attack faster than an exhaustive key search. Moreover, our search program, which is also applicable to differential cryptanalysis, has derived their best differential characteristics as well. These values give a complete proof that characteristics found by Knudsen are actually best.

Book ChapterDOI
21 Aug 1994
TL;DR: It has been confirmed that the entire subkeys used in FEAL-8 can be derived with 2^25 pairs of known plaintexts and ciphertexts with a success rate of approximately 70%, spending about 1 hour using a WS.
Abstract: This paper discusses the security of the Fast Data Encipherment Algorithm (FEAL) against Linear Cryptanalysis. It has been confirmed that the entire subkeys used in FEAL-8 can be derived with 2^25 pairs of known plaintexts and ciphertexts with a success rate of approximately 70%, spending about 1 hour using a WS (SPARCstation 10 Model 30). This paper also evaluates the security of FEAL-N in comparison with that of the Data Encryption Standard (DES).

01 Jan 1994
TL;DR: Block Ciphers: Differential and Linear Cryptanalysis, the First Experimental Cryptanalysis of the Data Encryption Standard, and an Efficient Existentially Unforgeable Signature Scheme and its Applications.
Abstract: Block Ciphers: Differential and Linear Cryptanalysis.- The First Experimental Cryptanalysis of the Data Encryption Standard.- Linear Cryptanalysis of the Fast Data Encipherment Algorithm.- Differential-Linear Cryptanalysis.- Linear Cryptanalysis Using Multiple Approximations.- Schemes Based on New Problems.- Hashing with SL 2.- Design of Elliptic Curves with Controllable Lower Boundary of Extension Degree for Reduction Attacks.- Cryptographic Protocols Based on Discrete Logarithms in Real-quadratic Orders.- Signatures I.- Designated Confirmer Signatures and Public-Key Encryption are Equivalent.- Directed Acyclic Graphs, One-way Functions and Digital Signatures.- An Identity-Based Signature Scheme with Bounded Life-Span.- Implementation and Hardware Aspects.- More Flexible Exponentiation with Precomputation.- A Parallel Permutation Multiplier for a PGM Crypto-chip.- Cryptographic Randomness from Air Turbulence in Disk Drives.- Authentication and Secret Sharing.- Cryptanalysis of the Gemmell and Naor Multiround Authentication Protocol.- LFSR-based Hashing and Authentication.- New Bound on Authentication Code with Arbitration.- Multi-Secret Sharing Schemes.- Zero-Knowledge.- Designing Identification Schemes with Keys of Short Size.- Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols.- Language Dependent Secure Bit Commitment.- On the length of cryptographic hash-values used in identification schemes.- Signatures II.- Incremental Cryptography: The Case of Hashing and Signing.- An Efficient Existentially Unforgeable Signature Scheme and its Applications.- Combinatorics and its Applications.- Bounds for Resilient Functions and Orthogonal Arrays.- Tracing Traitors.- Number Theory.- Towards the Equivalence of Breaking the Diffie-Hellman Protocol and Computing Discrete Logarithms.- Fast Generation of Provable Primes Using Search in Arithmetic Progressions.- Cryptanalysis and Protocol Failures.- Attack on the Cryptographic Scheme NIKS-TAS.- On the Risk of Opening Distributed Keys.- Cryptanalysis of Cryptosystems based on Remote Chaos Replication.- Pseudo-Random Generation.- A Fourier Transform Approach to the Linear Complexity of Nonlinearly Filtered Sequences.- Block Ciphers: Design and Cryptanalysis.- The Security of Cipher Block Chaining.- A Chosen Plaintext Attack of the 16-round Khufu Cryptosystem.- Ciphertext Only Attack for One-way function of the MAP using One Ciphertext.- Pitfalls in Designing Substitution Boxes.- Secure Computations and Protocols.- A Randomness-Rounds Tradeoff in Private Computation.- Secure Voting Using Partially Compatible Homomorphisms.- Maintaining Security in the Presence of Transient Faults.

Book ChapterDOI
14 Dec 1994
TL;DR: In this article, the authors show that the actual proposal for an unbalanced Feistel network by Schneier and Blaze is as vulnerable to differential cryptanalysis as the DES, and that the proposed scheme is not as secure as DES.
Abstract: This paper shows that the actual proposal for an unbalanced Feistel network by Schneier and Blaze is as vulnerable to differential cryptanalysis as the DES

Patent
08 Apr 1994
TL;DR: In this paper, a plain text is divided in two by an initial transposing part of a data randomizing part 1, and each bit string is subjected to position movement by setting a key as an address, becomes the left and right blocks L, R, and is inputted to a first stage involution processing part 6.
Abstract: PURPOSE: To enhance secrecy by section-dividing an input block to be subjected by an initial transposing part of a data randomizing part, moving a bit train in accordance with a key, and thereafter processing it in accordance with an intermediate key by plural stages of involution processing parts of a non-linear function part. CONSTITUTION: An input block of a plain text is divided in two by an initial transposing part of a data randomizing part 1, and also each bit string is subjected to position movement by setting a key as an address, becomes the left and right blocks L, R, and is inputted to a first stage involution processing part 6. Subsequently, it is subjected to involution processing by a function corresponding to an intermediate key 1 formed based on the key, and the bit string is converted; the right and left outputs R, L become the left and right inputs L, R of the next processing part 6 respectively, and after the same repetition, from a reverse initial transposing part 5, a Fast Data Encipherment Algorithm (FEAL) cipher high in secrecy is outputted. Besides, decoding is also executed in the same way.

Book
01 Jan 1994
TL;DR: Improved Algorithms for the Permuted Kernel Problem and another Method for Attaining Security Against Adaptively Chosen Ciphertext Attacks are presented.
Abstract: Cryptosystems- Efficient Signature Schemes Based on Birational Permutations- A new identification scheme based on syndrome decoding- The Shrinking Generator- Stream Ciphers and Cryptographic Functions- An Integrity Check Value Algorithm for Stream Ciphers- Nonlinearly Balanced Boolean Functions and Their Propagation Characteristics- Proof Systems and Zero-knowledge- A Low Communication Competitive Interactive Proof System for Promised Quadratic Residuosity- Secret Sharing and Perfect Zero Knowledge- One Message Proof Systems with Known Space Verifiers- Interactive Hashing can Simplify Zero-Knowledge Protocol Design Without Computational Assumptions- Secret Sharing- Fully Dynamic Secret Sharing Schemes- Multisecret Threshold Schemes- Secret Sharing Made Short- Number Theory and Algorithms- A Subexponential Algorithm for Discrete Logarithms over All Finite Fields- An implementation of the general number field sieve- On the factorization of RSA-120- Comparison of three modular reduction functions- Differential Cryptanalysis- Differential Cryptanalysis of Lucifer- Differential Attack on Message Authentication Codes- Cryptanalysis of the CFB mode of the DES with a reduced number of rounds- Weak Keys for IDEA- Complexity Theory- Entity Authentication and Key Distribution- On the Existence of Statistically Hiding Bit Commitment Schemes and Fail-Stop Signatures- Joint Encryption and Message-Efficient Secure Computation- Cryptographic Primitives Based on Hard Learning Problems- Applications- Extensions of Single-term Coins- Untraceable Off-line Cash in Wallet with Observers- Discreet Solitary Games- Authentication Codes- On Families of Hash Functions via Geometric Codes and Concatenation- On the Construction of Perfect Authentication Codes that Permit Arbitration- Codes for Interactive Authentication- Hash Functions- Hash functions based on block ciphers: a synthetic approach- Security of Iterated Hash Functions Based on Block Ciphers- Cryptanalysis- Improved Algorithms for the Permuted Kernel Problem- On the Distribution of Characteristics in Composite Permutations- Remark on the Threshold RSA Signature Scheme- Another Method for Attaining Security Against Adaptively Chosen Ciphertext Attacks- Attacks on the Birational Permutation Signature Schemes- Key Distribution- Interaction in Key Distribution Schemes- Secret-Key Agreement without Public-Key Cryptography- Broadcast Encryption

Journal ArticleDOI
TL;DR: It is shown that a more efficient attack can be conducted when the underlying Boolean functions for the cells are known, and that this attack requires less than one third of the chosen ciphertext of Anderson's original attack on the Kuhn cipher.
Abstract: Tree structures have been proposed for both the construction of block ciphers by Kam and Davida (1979), and self-synchronous stream ciphers by Kuhn (1988). Attacks on these ciphers have been given by Anderson (1991), and Heys and Tavares (1993). Here the authors demonstrate that a more efficient attack can be conducted when the underlying Boolean functions for the cells are known. It is shown that this attack requires less than one third of the chosen ciphertext of Anderson's original attack on the Kuhn cipher.