
Showing papers on "Differential cryptanalysis published in 1991"


Book ChapterDOI
08 Apr 1991
TL;DR: It is shown that PES(8) and PES(16) are immune to differential cryptanalysis after sufficiently many rounds, and a new design principle for Markov ciphers, viz., that their transition probability matrices should not be symmetric, is suggested.
Abstract: This paper considers the security of iterated block ciphers against the differential cryptanalysis introduced by Biham and Shamir. Differential cryptanalysis is a chosen-plaintext attack on secret-key block ciphers that are based on iterating a cryptographically weak function r times (e.g., the 16-round Data Encryption Standard (DES)). It is shown that the success of such attacks on an r-round cipher depends on the existence of (r-1)-round differentials that have high probabilities, where an i-round differential is defined as a couple (α, β) such that a pair of distinct plaintexts with difference α can result in a pair of i-th round outputs that have difference β, for an appropriate notion of "difference". The probabilities of such differentials can be used to determine a lower bound on the complexity of a differential cryptanalysis attack and to show when an r-round cipher is not vulnerable to such attacks. The concept of "Markov ciphers" is introduced for iterated ciphers because of its significance in differential cryptanalysis. If an iterated cipher is Markov and its round subkeys are independent, then the sequence of differences at each round output forms a Markov chain. It follows from a result of Biham and Shamir that DES is a Markov cipher. It is shown that, for the appropriate notion of "difference", the Proposed Encryption Standard (PES) of Lai and Massey, which is an 8-round iterated cipher, is a Markov cipher, as are also the mini-versions of PES with block length 8, 16 and 32 bits. It is shown that PES(8) and PES(16) are immune to differential cryptanalysis after sufficiently many rounds. A detailed cryptanalysis of the full-size PES is given and shows that the very plausibly most probable 7-round differential has a probability of about 2^-58. A differential cryptanalysis attack on PES(64) based on this differential is shown to require all 2^64 possible encryptions.
This cryptanalysis of PES suggested a new design principle for Markov ciphers, viz., that their transition probability matrices should not be symmetric. A minor modification of PES, consistent with all the original design principles, is proposed that satisfies this new design criterion. This modified cipher, called Improved PES (IPES), is described and shown to be highly resistant to differential cryptanalysis.

629 citations


Book
01 Jan 1991
TL;DR: The BAA attacks on several classes of stream ciphers and the stability of linear complexity of sequences are studied.
Abstract: Stream ciphers.- The BAA attacks on several classes of stream ciphers.- Measure indexes on the security of stream ciphers.- The stability of linear complexity of sequences.- The period stability of sequences.- Summary and open problems.

481 citations


Book ChapterDOI
08 Apr 1991
TL;DR: In this article, it was shown that for a perfect nonlinear S-box, the number of input variables is at least twice the size of output variables, and two different construction methods were given.
Abstract: A perfect nonlinear S-box is a substitution transformation with evenly distributed directional derivatives. Since the method of differential cryptanalysis presented by E. Biham and A. Shamir makes use of nonbalanced directional derivatives, the perfect nonlinear S-boxes are immune to this attack. The main result is that for a perfect nonlinear S-box the number of input variables is at least twice the number of output variables. Also two different construction methods are given. The first one is based on the Maiorana-McFarland construction of bent functions and is easy and efficient to implement. The second method generalizes Dillon's construction of difference sets.

369 citations


Journal Article
TL;DR: A perfect nonlinear S-box is a substitution transformation with evenly distributed directional derivatives, and the number of input variables is at least twice the number of output variables.
Abstract: A perfect nonlinear S-box is a substitution transformation with evenly distributed directional derivatives. Since the method of differential cryptanalysis presented by E. Biham and A. Shamir makes use of nonbalanced directional derivatives, the perfect nonlinear S-boxes are immune to this attack. The main result is that for a perfect nonlinear S-box the number of input variables is at least twice the number of output variables. Also two different construction methods are given. The first one is based on the Maiorana-McFarland construction of bent functions and is easy and efficient to implement. The second method generalizes Dillon's construction of difference sets.

349 citations



Book ChapterDOI
11 Nov 1991
TL;DR: It is shown that this construction of a block cipher from a single pseudorandom permutation suffers from severe limitations that are immediately apparent if differential cryptanalysis is performed, leading the authors to question the relevance of computational complexity theory in practical conventional cryptography.
Abstract: In [1] a construction of a block cipher from a single pseudorandom permutation is proposed. In a complexity theoretical setting they prove that this scheme is secure against a polynomially bounded adversary. In this paper it is shown that this construction suffers from severe limitations that are immediately apparent if differential cryptanalysis [3] is performed. The fact that these limitations do not contradict the theoretical results obtained in [1] leads the authors to question the relevance of computational complexity theory in practical conventional cryptography.

111 citations


Book ChapterDOI
11 Aug 1991
TL;DR: Differential cryptanalytic methods are applied to the hash function Snefru and to the cryptosystems Khafre, REDOC-II, LOKI, and Lucifer.
Abstract: In [1,2] we introduced the notion of differential cryptanalysis based on chosen plaintext attacks. In [3,4] we described the application of differential cryptanalysis to Feal[13,12] and extended the method to known plaintext attacks. In this paper we apply differential cryptanalytic methods to the hash function Snefru[10] and to the cryptosystems Khafre[11], REDOC-II[6,7], LOKI[5] and Lucifer[8].

96 citations


Book ChapterDOI
08 Apr 1991
TL;DR: The applicability of differential cryptanalysis to the Feal family of encryption algorithms and to the N-Hash hash function is shown.
Abstract: In [1,2] we introduced the notion of differential cryptanalysis and described its application to DES[8] and several of its variants. In this paper we show the applicability of differential cryptanalysis to the Feal family of encryption algorithms and to the N-Hash hash function.

85 citations


Book ChapterDOI
Ueli Maurer
08 Apr 1991
TL;DR: A method for combining several SSSCs is presented that allows one to prove that the combined SSSC is at least as secure as any of the component ciphers, and an efficient algorithm is presented for finding a function of low degree that approximates a given Boolean function, if such an approximation exists.
Abstract: Self-synchronizing stream ciphers (SSSC) are a commonly used encryption technique for channels with low bit error rate but for which bit synchronization can present a problem. Most presently used such ciphers are based on a block cipher (e.g. DES) in 1-bit cipher feedback mode. In this paper, several alternative design approaches for SSSCs are proposed that are superior to the design based on a block cipher with respect to encryption speed and potentially also with respect to security. A method for combining several SSSCs is presented that allows to prove that the combined SSSC is at least as secure as any of the component ciphers. The problem of designing SSSCs is contrasted with the problem of designing conventional synchronous additive stream ciphers and it is shown that different security criteria must be applied. Furthermore, an efficient algorithm is presented for finding a function of low degree that approximates a given Boolean function, if such an approximation exists. Its significance for the cryptographic security of SSSCs and its applications in coding theory are discussed.

84 citations


Book ChapterDOI
11 Nov 1991
TL;DR: It is shown that an XOR profile with carefully placed zeroes is required in order to avoid some variant forms of differential cryptanalysis, and permutation P needs to be chosen to prevent easy propagation of a constant XOR value back into the same S-box.
Abstract: Differential Cryptanalysis is currently the most powerful tool available for analysing block ciphers, and new block ciphers need to be designed to resist it. It has been suggested that the use of S-boxes based on bent functions, with a flat XOR profile, would be immune. However our studies of differential cryptanalysis, particularly applied to the LOKI cipher, have shown that this is not the case. In fact, this results in a relatively easily broken scheme. We show that an XOR profile with carefully placed zeroes is required. We also show that in order to avoid some variant forms of differential cryptanalysis, permutation P needs to be chosen to prevent easy propagation of a constant XOR value back into the same S-box. We redesign the LOKI cipher to form LOKI91, to illustrate these results, as well as to correct the key schedule to remove the formation of equivalent keys. We conclude with an overview of the security of the new cipher.

77 citations


Book ChapterDOI
11 Nov 1991
TL;DR: A new encryption primitive is proposed, which encrypts and decrypts a 64-bit block of data using a 64-bit key, and a way to build private versions of LOKI is proposed.
Abstract: In [BrPiSe90] Brown, Pieprzyk and Seberry proposed a new encryption primitive, which encrypts and decrypts a 64-bit block of data using a 64-bit key. Furthermore they propose a way to build private versions of LOKI.

Book
01 Dec 1991
TL;DR: A Statistical Attack of the FEAL-8 Cryptosystem and an Improved Linear Syndrome Algorithm in Cryptanalysis With Applications are presented.
Abstract: Cryptanalysis.- Differential Cryptanalysis of DES-like Cryptosystems.- A Statistical Attack of the FEAL-8 Cryptosystem.- An Improved Linear Syndrome Algorithm in Cryptanalysis With Applications.- Protocols.- Quantum Bit Commitment and Coin Tossing Protocols.- Security with Low Communication Overhead.- Fair Computation of General Functions in Presence of Immoral Majority.- One-Way Group Actions.- Algebra and Number Theory.- Solving Large Sparse Linear Systems Over Finite Fields.- On the Computation of Discrete Logarithms in Class Groups.- Matrix Extensions of the RSA Algorithm.- Constructing Elliptic Curve Cryptosystems in Characteristic 2.- Signatures and Authentication.- Identification Tokens - or: Solving The Chess Grandmaster Problem.- Arbitrated Unconditionally Secure Authentication Can Be Unconditionally Protected against Arbiter's Attacks.- Convertible Undeniable Signatures.- Unconditionally-Secure Digital Signatures.- Secret Sharing.- Geometric Shared Secret and/or Shared Control Schemes.- Some Improved Bounds on the Information Rate of Perfect Secret Sharing Schemes.- Collective Coin Tossing Without Assumptions nor Broadcasting.- Key Distribution.- A Key Distribution "Paradox".- A Modular Approach to Key Distribution.- Hash Functions.- Structural Properties of One-Way Hash Functions.- The MD4 Message Digest Algorithm.- Zero-Knowledge.- Achieving Zero-Knowledge Robustly.- Hiding Instances in Zero-Knowledge Proof Systems.- Multi-Language Zero Knowledge Interactive Proof Systems.- Publicly Verifiable Non-Interactive Zero-Knowledge Proofs.- Cryptographic Applications of the Non-Interactive Metaproof and Many-prover Systems.- Interactive Proofs with Provable Security against Honest Verifiers.- Randomness.- On the Universality of the Next Bit Test.- A Universal Statistical Test for Random Bit Generators.- On the Impossibility of Private Key Cryptography with Weakly Random Keys.- Applications.- How to Time-Stamp a Digital Document.- How to Utilize the 
Randomness of Zero-Knowledge Proofs.- Fast Software Encryption Functions.- CORSAIR: A Smart Card for Public Key Cryptosystems.- Design and Analysis I.- Fast Checkers for Cryptography.- Complexity Theoretic Issues Concerning Block Ciphers Related to D.E.S..- The Redoc II Cryptosystem.- A Recursive Construction Method of S-boxes Satisfying Strict Avalanche Criterion.- Design and Analysis II.- A Comparison of Practical Public-Key Cryptosystems based on Integer Factorization and Discrete Logarithms.- Nonlinear Parity Circuits and their Cryptographic Applications.- Cryptographic Significance of the Carry for Ciphers Based on Integer Addition.- Impromptu Talks.- Computation of Discrete Logarithms in Prime Fields.- Systolic Modular Multiplication.- Finding Four Million Large Random Primes.- The FEAL Cipher Family.- Discrete-Log With Compressible Exponents.

Book ChapterDOI
Hiroshi Miyano
11 Nov 1991
TL;DR: S/N ratio introduced in the paper is a measure of the efficiency of the attack, and does NOT suggest how many pairs of ciphertexts are needed.
Abstract: Differential cryptanalysis, introduced by Biham and Shamir in 1990, is one of the most powerful attacks on DES-like cryptosystems. This attack presumes on some tendency of the target cryptosystem. So the efficiency of the attack depends upon the conspicuousness of this tendency. The S/N ratio introduced in the paper is to evaluate this conspicuousness. In other words, the S/N ratio is a measure of the efficiency of the attack. Nevertheless, the S/N ratio does NOT suggest how many pairs of ciphertexts are needed.


Journal ArticleDOI
TL;DR: A long-standing proposal for modifying cipher block chaining to prevent data expansion is shown to be insecure in some circumstances and different modifications are presented which appear secure.

Dissertation
01 Jan 1991

Book ChapterDOI
11 Nov 1991
TL;DR: In this paper, the use of several differences to attack a cipher simultaneously has been discussed, and the issues involved are briefly covered in Section 2.2.1 and Section 3.1.
Abstract: One aspect of differential cryptanalysis that appears to have been largely overlooked is the use of several differences to attack a cipher simultaneously. While the use of quartets and octets have been briefly described by Biham and Shamir [1], this was not carried to its logical conclusion — namely, how many different attacks can you use and still get an improvement. The issues involved are briefly covered here.

Proceedings ArticleDOI
G. Xiao
01 Oct 1991
TL;DR: Some measurement indexes on the security of stream ciphers derived from some spectrum-techniques-based cryptanalyses are summarized, and some results on the stability theory of stream ciphers obtained by using spectral techniques are presented.
Abstract: Summarizes some spectrum-techniques-based analyses of some stream ciphers. The correlation analyses of some stream ciphers are discussed, and two BAA approaches to the cryptanalysis of some stream ciphers are presented. Some measurement indexes on the security of stream ciphers derived from some spectrum-techniques-based cryptanalyses are summarized. These indexes include the correlation-immune order of the combining functions of some binary additive stream ciphers, weight complexity, sphere complexity, variable-complexity distance, fixed-complexity distance, and weight period as well as sphere period of key streams. Some results on the stability theory of stream ciphers obtained by using spectral techniques are presented.