
Showing papers on "Differential cryptanalysis published in 1993"


Book
01 Jan 1993
TL;DR: This book introduces a new cryptographic method, called differential cryptanalysis, which can be applied to analyze cryptosystems, and describes the cryptanalysis of DES, deals with the influence of its building blocks on security, and analyzes modified variants.
Abstract: DES, the Data Encryption Standard, is one of several cryptographic standards. The authors of this text detail their cryptanalytic "attack" upon DES and several other systems, using creative and novel tactics to demonstrate how they broke DES up into 16 rounds of coding. The methodology used offers valuable insights to cryptographers and cryptanalysts alike in creating new encryption standards, strengthening current ones, and exploring new ways to test important data protection schemes. This book introduces a new cryptographic method, called differential cryptanalysis, which can be applied to analyze cryptosystems. It describes the cryptanalysis of DES, deals with the influence of its building blocks on security, and analyzes modified variants. The differential cryptanalysis of "Feal" and several other cryptosystems is also described. This method can also be used to cryptanalyze hash functions, as is exemplified by the cryptanalysis of "Snefru".

1,009 citations


Journal ArticleDOI
TL;DR: In this paper, a new approach to cryptanalysis based on the application of a directed random search algorithm called a genetic algorithm is proposed, and it is shown that such an algorithm could be used to discover the key for a simple substitution cipher.
Abstract: This paper considers a new approach to cryptanalysis based on the application of a directed random search algorithm called a genetic algorithm. It is shown that such an algorithm could be used to discover the key for a simple substitution cipher.

128 citations


Journal ArticleDOI
Ueli Maurer, James L. Massey
TL;DR: It is proved, for very general notions of breaking a cipher and of problem difficulty, that a cascade is at least as difficult to break as the first component cipher.
Abstract: The security of cascade ciphers, in which by definition the keys of the component ciphers are independent, is considered. It is shown by a counterexample that the intuitive result, formally stated and proved in the literature, that a cascade is at least as strong as the strongest component cipher, requires the uninterestingly restrictive assumption that the enemy cannot exploit information about the plaintext statistics. It is proved, for very general notions of breaking a cipher and of problem difficulty, that a cascade is at least as difficult to break as the first component cipher. A consequence of this result is that if the ciphers commute, then a cascade is at least as difficult to break as the most-difficult-to-break component cipher, i.e., the intuition that a cryptographic chain is at least as strong as its strongest link is then provably correct. It is noted that additive stream ciphers do commute, and this fact is used to suggest a strategy for designing secure practical ciphers. Other applications in cryptology are given of the arguments used to prove the cascade cipher result.

112 citations


Journal ArticleDOI
TL;DR: It is shown that GAs can greatly facilitate cryptanalysis by efficiently searching large keyspaces, and their use with GENALYST, an order-based GA for breaking a classic cryptographic system is demonstrated.
Abstract: We consider the use of genetic algorithms (GAs) as powerful tools in the breaking of cryptographic systems. We show that GAs can greatly facilitate cryptanalysis by efficiently searching large keyspaces, and demonstrate their use with GENALYST, an order-based GA for breaking a classic cryptographic system.

94 citations


Journal ArticleDOI
TL;DR: This work focuses on the cryptanalysis of a knapsack cipher based on the application of a directed random search algorithm called a genetic algorithm, and it is shown that such an algorithm could be used to easily compromise even high-density knapsacks.
Abstract: This paper is the second in a series of papers which examine a new method of cryptanalysis. This work focuses on the cryptanalysis of a knapsack cipher. It is based on the application of a directed random search algorithm called a genetic algorithm. It is shown that such an algorithm could be used to easily compromise even high-density knapsack ciphers.

85 citations


Book ChapterDOI
09 Dec 1993
TL;DR: The cryptographic finite state machine approach as introduced in [1] to the design of symmetric key block ciphers is applied and 3-Way is shown to be surprisingly strong with respect to both linear and differential cryptanalysis.
Abstract: In this paper we apply the cryptographic finite state machine approach as introduced in [1] to the design of symmetric key block ciphers. Key words in the design approach are simplicity, uniformity, parallelism, distributed nonlinearity and high diffusion. 3-Way is a block cipher with a block and key length of 96 bits. Key components in the construction of 3-Way are a 3-bit nonlinear S-box and a linear mapping that can be described by modular polynomial multiplication in ℤ_2^12. The arrangement of the components allows software implementations in the range of 10 Mbit/s on a modern PC and dedicated hardware implementations above 1 Gbit/s using standard technology (1.2μ CMOS). The cipher structure of 3-Way is shown to be surprisingly strong with respect to both linear and differential cryptanalysis.

69 citations


Proceedings ArticleDOI
01 Dec 1993
TL;DR: A novel method based on group Hadamard matrices is developed to systematically generate S-boxes that satisfy a number of critical cryptographic properties, including the high nonlinearity, the strict avalanche characteristics, the balancedness, the robustness against differential cryptanalysis and the immunity to linear cryptanalysis.
Abstract: Substitution boxes (S-boxes) are a crucial component of DES-like block ciphers. This research addresses problems with previous approaches towards constructing S-boxes, and proposes a new definition for the robustness of S-boxes to differential cryptanalysis, which is the most powerful cryptanalytic attack known to date. A novel method based on group Hadamard matrices is developed to systematically generate S-boxes that satisfy a number of critical cryptographic properties. Among the properties are the high nonlinearity, the strict avalanche characteristics, the balancedness, the robustness against differential cryptanalysis, and the immunity to linear cryptanalysis. An example is provided to illustrate the S-box generating method.

61 citations


Book ChapterDOI
22 Aug 1993
TL;DR: This paper introduces a new extension of differential cryptanalysis, devised to extend the class of vulnerable cryptosystems, and suggests key-dependent characteristics, called conditional characteristics, selected to enlarge the characteristics' probabilities for keys in subsets of the key space.
Abstract: Differential cryptanalysis was introduced as an approach to analyze the security of DES-like cryptosystems. The first example of a DES-like cryptosystem was Lucifer, the direct predecessor of DES, which is still believed by many people to be much more secure than DES, since it has 128 key bits, and since no attacks against (the full variant of) Lucifer were ever reported in the cryptographic literature. In this paper we introduce a new extension of differential cryptanalysis, devised to extend the class of vulnerable cryptosystems. This new extension suggests key-dependent characteristics, called conditional characteristics, selected to enlarge the characteristics' probabilities for keys in subsets of the key space. The application of conditional characteristics to Lucifer shows that more than half of the keys of Lucifer are insecure, and the attack requires about 2^36 complexity and chosen plaintexts to find these keys. The same extension can also be used to attack a new variant of DES, called RDES, which was designed to be immune against differential cryptanalysis. These new attacks flash new light on the design of DES, and show that the transition of Lucifer to DES strengthened the latter cryptosystem.

53 citations


Journal ArticleDOI
TL;DR: Simulated annealing is used to provide an automated method for the cryptanalysis of mono-alphabetic substitution ciphers and it is shown that it provides a simple, fast and elegant solution to the crypt analysis problem which is also promising for more complex types of block cipher.
Abstract: We use simulated annealing to provide an automated method for the cryptanalysis of mono-alphabetic substitution ciphers. We prove the convergence of the algorithm and study its performance for a specific cooling schedule. We discuss the merits of this approach and show that it provides a simple, fast and elegant solution to the cryptanalysis problem which is also promising for more complex types of block ciphers.

46 citations


Patent
04 Jun 1993
TL;DR: In this paper, the authors proposed a data encryption scheme that is strong to differential cryptanalysis, which is the most influential cryptanalysis method in modern cryptanalysis and has been shown to be effective in a wide range of applications.
Abstract: Disclosed is a data encryption apparatus strong to differential cryptanalysis, which is now the most influential cryptanalysis method. According to the data encryption apparatus, input data is divided into N blocks, 1 to N-1 blocks of which are selected by a first selection unit with a block selection key. Then the selected blocks of data are compressed into a single block of data in a first combination unit, and encrypted with a data encryption key in an F-function unit. A second combination unit combines the blocks of data not selected in the first selection unit with the output of the F-function unit by XOR. An output unit outputs N blocks of data arranged in the same order as the initial N blocks, in which the 1 to N-1 blocks selected in the first selection unit are output without any change, and the other blocks are the outputs of the second combination unit.

40 citations


Book ChapterDOI
09 Dec 1993
TL;DR: The differential cryptanalysis of additive stream ciphers, which are nonlinear filtered sequences driven by a counter rather than by a shift register, is introduced and its theoretical basis is developed.
Abstract: This paper introduces the differential cryptanalysis of additive stream ciphers, and develops its theoretical basis. The relationships between differential and other types of stream cipher analysis are presented. The conservation laws of patterns and of mutual information are derived. The cryptographic significance of pattern distribution of keystream sequences is shown. The cryptographic transformation densities are introduced, and their relations with other cryptographic factors are summarized. This work is illustrated by reference to the design and security of additive natural stream ciphers, which are nonlinear filtered sequences driven by a counter rather than by a shift register.

Book ChapterDOI
22 Aug 1993
TL;DR: 64 possible schemes exist, and it is shown that 12 of these are secure; they can be reduced to 2 classes based on linear transformations of variables and a new attack is presented on a scheme suggested by R. Merkle.
Abstract: Constructions for hash functions based on a block cipher are studied where the size of the hashcode is equal to the block length of the block cipher and where the key size is approximately equal to the block length. A general model is presented, and it is shown that this model covers 9 schemes that have appeared in the literature. Within this general model 64 possible schemes exist, and it is shown that 12 of these are secure; they can be reduced to 2 classes based on linear transformations of variables. The properties of these 12 schemes with respect to weaknesses of the underlying block cipher are studied. The same approach can be extended to study keyed hash functions (MAC's) based on block ciphers and hash functions based on modular arithmetic. Finally a new attack is presented on a scheme suggested by R. Merkle.

Book ChapterDOI
09 Dec 1993
TL;DR: This study shows that attempts to complicate the modes of operation weaken the resultant modes, and concludes that operation modes should be designed around the underlying cryptosystem without any attempt to use intermediate data as feedback, or to mix the feedback into an intermediate round.
Abstract: In this paper we study the modes of operation in which a cryptosystem, and in particular DES, can be used. This study shows that attempts to complicate the modes of operation weaken (in many cases) the resultant modes. We conclude that operation modes should be designed around the underlying cryptosystem without any attempt to use intermediate data as feedback, or to mix the feedback into an intermediate round. Thus, in particular, triple-DES used in CBC mode is more secure than a single-DES used in triple-CBC mode. Alternatively, if several encryptions are applied to each block, the best choice is to concatenate them to one long encryption, and build the mode of operation around it.

Proceedings ArticleDOI
01 Dec 1993
TL;DR: A differential attack on several hash functions based on a block cipher with the emphasis on the results for cases where DES [8] is the underlying block cipher.
Abstract: This paper describes a differential attack on several hash functions based on a block cipher. The emphasis will be on the results for cases where DES [8] is the underlying block cipher. It will briefly discuss the case of FEAL-N [19, 21].

Book ChapterDOI
22 Aug 1993
TL;DR: Three attacks on the DES with a reduced number of rounds in the Cipher Feedback Mode (CFB) are studied, namely a meet in the middle attack, a differential attack, and a linear attack, showing that the final permutation has some cryptographic significance in the CFB mode.
Abstract: Three attacks on the DES with a reduced number of rounds in the Cipher Feedback Mode (CFB) are studied, namely a meet in the middle attack, a differential attack, and a linear attack. These attacks are based on the same principles as the corresponding attacks on the ECB mode. They are compared to the three basic attacks on the CFB mode. In 8-bit CFB and with 8 rounds instead of 16, a differential attack with 2^39.4 chosen ciphertexts can find 3 key bits, and a linear attack with 2^31 known plaintexts can find 7 key bits. This suggests that it is not safe to reduce the number of rounds in order to improve the performance. Moreover, it is shown that the final permutation has some cryptographic significance in the CFB mode.

Book ChapterDOI
22 Aug 1993
TL;DR: This paper determines the distribution of characteristics in the XOR tables of composite permutations, which leads to approximations for the largest entry in theXOR table and the density of zero entries.
Abstract: Differential cryptanalysis is a method of attacking iterated mappings which has been applied with varying success to a number of product ciphers and hash functions [1, 2]. Let a mapping ℤ_2^c × ℤ_2^m → ℤ_2^m consist of c 'control' bits and m 'data' bits. The mapping contains 2^c m-bit permutations ℤ_2^m → ℤ_2^m, indexed by i with 0 ≤ i ≤ 2^c − 1, one of which is selected (multiplexed) by the control bits, and a substitution is then performed on the data bits using the selected permutation. Such mappings will be called composite permutations. The S-boxes of DES are composite permutations of the form S_i : ℤ_2^2 × ℤ_2^4 → ℤ_2^4 with 2 control bits and 4 data bits. In differential cryptanalysis the attacker is interested in the largest entry in a given XOR table, and the fraction of the XOR table that is zero. In this paper we determine the distribution of characteristics in the XOR tables of composite permutations, which leads to approximations for the largest entry in the XOR table and the density of zero entries.

01 Jan 1993
TL;DR: This paper proposes a provable design criterion to strengthen s²DES against differential attack without disturbing its cryptographic structure and shows that new s²DES S-boxes can be constructed with the new design criteria.

Book
13 Oct 1993
TL;DR: A method to estimate the number of ciphertext pairs for differential cryptanalysis and a general purpose technique for locating key scheduling weaknesses in DES-like cryptosystems.
Abstract: The transition from mechanisms to electronic computers, 1940 to 1950.- Cryptanalysis of LOKI.- Improving resistance to differential cryptanalysis and the redesign of LOKI.- A method to estimate the number of ciphertext pairs for differential cryptanalysis.- Construction of DES-like S-boxes based on Boolean functions satisfying the SAC.- The data base of selected permutations.- A framework for the design of one-way hash functions including cryptanalysis of Damgard's one-way function based on a cellular automaton.- How to construct a family of strong one way permutations.- On claw free families.- Sibling intractable function families and their applications.- A digital multisignature scheme based on the Fiat-Shamir scheme.- A generalized secret sharing scheme with cheater detection.- Generalized threshold cryptosystems.- Feistel type authentication codes.- Research activities on cryptology in Korea.- On necessary and sufficient conditions for the construction of super pseudorandom permutations.- A construction of a cipher from a single pseudorandom permutation.- Optimal perfect randomizers.- A general purpose technique for locating key scheduling weaknesses in DES-like cryptosystems.- Results of switching-closure-test on FEAL.- IC-cards and telecommunication services.- Cryptanalysis of several conference key distribution schemes.- Revealing information with partial period correlations (extended abstract).- Extended majority voting and private-key algebraic-code encryptions.- A secure analog speech scrambler using the discrete cosine transform.- An oblivious transfer protocol and its application for the exchange of secrets.- 4 Move perfect ZKIP of knowledge with no assumption.- On the complexity of constant round ZKIP of possession of knowledge.- On the power of two-local random reductions.- A note on one-prover, instance-hiding zero-knowledge proof systems.- An efficient zero-knowledge scheme for the discrete logarithm based on smooth numbers.- An extension of zero-knowledge proofs and its applications.- Any language in IP has a divertible ZKIP.- A multi-purpose proof system - for identity and membership proofs.- Formal verification of probabilistic properties in cryptographic protocols.- Cryptography and machine learning.- Speeding up prime number generation.- Two efficient server-aided secret computation protocols based on the addition sequence.- On ordinary elliptic curve cryptosystems.- Cryptanalysis of another knapsack cryptosystem.- Collisions for Schnorr's hash function FFT-Hash presented at Crypto '91.- On NIST's proposed digital signature standard.- A known-plaintext attack of FEAL-4 based on the system of linear equations on difference.- Simultaneous attacks in differential cryptanalysis (getting more pairs per encryption).- Privacy, cryptographic pseudonyms, and the state of health.- Limitations of the Even-Mansour construction.

Book ChapterDOI
01 Jan 1993
TL;DR: This chapter attacks several variants of DES: variants of DES with fewer than 16 rounds, variants with independent keys, variants with modified internal operations and S boxes, and the GDES variant.
Abstract: In this chapter we attack several variants of DES: variants of DES with fewer than 16 rounds, variants with independent keys, variants with modified internal operations and S boxes, and the GDES variant.


Book ChapterDOI
01 Jan 1993
TL;DR: The key scheduling algorithm is replaced by a key processing algorithm, which makes the subkeys depend on the key in a more complex way, and the structure of an eight-round FEAL and its F function is described.
Abstract: FEAL was suggested as a software-oriented cryptosystem which can be easily and efficiently implemented on microprocessors. The structure of FEAL is similar to DES with a modified F function, initial and final permutations and key scheduling algorithm. In the F function, the P permutation and the S boxes of DES are replaced by byte rotations and addition operations. The S boxes S0 and S1 of FEAL get two input bytes and calculate one output byte as S_i(x, y) = ROL2(x + y + i (mod 256)), where ROL2 rotates its input byte two bits to the left. The F function gets a 32-bit input and a 16-bit subkey and calculates a 32-bit output by applying the S boxes four times sequentially. The initial and the final permutations are replaced by initial and final transformations, in which the whole 64-bit data is XORed with 64-bit subkeys and the right half of the data is XORed with the left half. Figure 6.1 describes the structure of an eight-round FEAL and its F function. The key scheduling algorithm is replaced by a key processing algorithm, which makes the subkeys depend on the key in a more complex way. The key processing algorithm and its F_k function are described in Figure 6.2.

Journal ArticleDOI
TL;DR: A reconstruction of the key used to encrypt B2 (Beale Cipher Number 2) reveals greater statistical anomalies in B1 than previously reported by Gillogly [8].
Abstract: A reconstruction of the key used to encrypt B2 (Beale Cipher Number 2) reveals greater statistical anomalies in B1 than previously reported by Gillogly [8]. The 1885 pamphlet versions of the ciphers are used in this analysis. Several explanations of these anomalies are discussed. The application of artificial intelligence techniques to automated cryptanalysis of the Beale Ciphers is discussed.

Journal ArticleDOI
TL;DR: Given the output of REMOVE_HOMOPHONES, a simple substitution cipher, probabilistic relaxation can complete the algorithmic solution of sequential homophonic ciphers without word divisions.
Abstract: REMOVE_HOMOPHONES is a new cryptanalytic algorithm for the reduction of a sequential homophonic cipher without word divisions into a simple substitution cipher [8]. Sets of homophones, defined in the cipher alphabet, are detected algorithmically, without the use of either frequency analysis or trial-and-error backtracking, in a ciphertext-only attack. Given the output of REMOVE_HOMOPHONES, a simple substitution cipher, probabilistic relaxation [9,13] can complete the algorithmic solution of sequential homophonic ciphers without word divisions.

Book ChapterDOI
01 Jan 1993
TL;DR: This introduction uses DES as the canonical example of an iterated cryptosystem, but tries to make the definitions and theorems applicable to other cryptosystems as well.
Abstract: Differential cryptanalysis is a method which analyzes the effect of particular differences in plaintext pairs on the differences of the resultant ciphertext pairs. These differences can be used to assign probabilities to the possible keys and to locate the most probable key. This method usually works on many pairs of plaintexts with the same particular difference using the resultant ciphertext pairs. For DES and many other DES-like cryptosystems the difference is chosen as a fixed XORed value of the two plaintexts. In this introduction we show how these differences can be analyzed and exploited. Due to its importance, we use DES as the canonical example of an iterated cryptosystem, but try to make the definitions and theorems applicable to other cryptosystems as well.

Book
01 Dec 1993
TL;DR: Practical Approaches to Attaining Security against Adaptively Chosen Ciphertext attacks and non-existence of homomorphic general sharing schemes for some key spaces are studied.
Abstract: Digital Signatures and Identification I.- Provably Unforgeable Signatures.- New Constructions of Fail-Stop Signatures and Lower Bounds.- Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes.- An Efficient Digital Signature Scheme Based on an Elliptic Curve over the Ring Z n.- The Digital Signature Standard.- Designing and Detecting Trapdoors for Discrete Log Cryptosystems.- Response to Comments on the NIST Proposed Digital Signature Standard.- Applications and New Problems.- Wallet Databases with Observers.- Making Electronic Refunds Safer.- Fair Public-Key Cryptosystems.- Pricing via Processing or Combatting Junk Mail.- Secret Sharing I.- On the Information Rate of Secret Sharing Schemes.- New General Lower Bounds on the Information Rate of Secret Sharing Schemes.- Universally Ideal Secret Sharing Schemes.- Theory I.- Perfect Zero-Knowledge Arguments for NP Can Be Based on General Complexity Assumptions.- Low communication 2-prover zero-knowledge proofs for NP.- Invariant Signatures and Non-Interactive Zero-Knowledge Proofs are Equivalent.- On the Discrepancy between Serial and Parallel of Zero-Knowledge Protocols.- Cryptographic Functions.- On the Design of SP Networks from an Information Theoretic Point of View.- Partially-bent functions.- Digital Signatures and Identification II.- Practical Approaches to Attaining Security against Adaptively Chosen Ciphertext Attacks.- On the Security of the Permuted Kernel Identification Scheme.- Computational Number Theory.- Massively Parallel Computation of Discrete Logarithms.- A Quadratic Sieve on the n-Dimensional Cube.- Efficient Multiplication on Certain Nonsupersingular Elliptic Curves.- Speeding up Elliptic Cryptosystems by Using a Signed Binary Window Method.- On Generation of Probable Primes by Incremental Search.- Cryptography Education.- Kid Krypto.- Theory II.- On Defining Proofs of Knowledge.- Public Randomness in Cryptography.- Necessary and Sufficient Conditions for Collision-Free Hashing.- Certifying Cryptographic Tools: The Case of Trapdoor Permutations.- Key Distribution.- Protocols for Secret Key Agreement by Public Discussion Based on Common Information.- Perfectly-Secure Key Distribution for Dynamic Conferences.- DES.- Differential Cryptanalysis of the Full 16-round DES.- Iterative Characteristics of DES and s2-DES.- DES is not a Group.- A High-speed DES Implementation for Network Applications.- Secret Sharing II.- Threshold Schemes with Disenrollment.- Non-existence of homomorphic general sharing schemes for some key spaces.- An l-Span Generalized Secret Sharing Scheme.- Rump Session.- Provable Security Against Differential Cryptanalysis.- Content-Addressable Search Engines and DES-like Systems.- FFT-Hash-II is not yet Collision-free.

Book
01 Jan 1993
TL;DR: Cryptographic Protocols Provably Secure Against Dynamic Adversaries, Zero-Knowledge and Secure Bit Commitment Function against Divertibility.
Abstract: Secret Sharing.- Graph Decompositions and Secret Sharing Schemes.- Classification of Ideal Homomorphic Threshold Schemes over Finite Abelian Groups.- Hash Functions.- F.F.T. Hashing is not Collision-free.- FFT-Hash II, Efficient Cryptographic Hashing.- Hash Functions Based on Block Ciphers.- Differential Cryptanalysis Mod 2^32 with Applications to MD5.- Block Ciphers.- A New Method for Known Plaintext Attack of FEAL Cipher.- On the construction of highly nonlinear permutations.- The One-Round Functions of the DES Generate the Alternating Group.- Stream Ciphers.- Correlation Via Linear Sequential Circuit Approximation of Combiners with Memory.- Convergence of a Bayesian Iterative Error-Correction Procedure on a Noisy Shift Register Sequence.- Suffix trees and string complexity.- Public Key I.- Attacks on Protocols for Server-Aided RSA Computation.- Public-Key Cryptosystems with Very Small Key Lengths.- Resource Requirements for the Application of Addition Chains in Modulo Exponentiation.- Factoring.- Massively parallel elliptic curve factoring.- The Eurocrypt'92 Controversial Issue Trapdoor Primes and Moduli.- The Eurocrypt'92 Controversial Issue Trapdoor Primes and Moduli.- Public Key II.- Fast Exponentiation with Precomputation.- Batch Diffie-Hellman Key Agreement Systems and their Application to Portable Communications.- High-Speed Implementation Methods for RSA Scheme.- Pseudo-random Permutation Generators.- A Simplified and Generalized Treatment of Luby-Rackoff Pseudorandom Permutation Generators.- How to Construct Pseudorandom and Super Pseudorandom Permutations from One Single Pseudorandom Function.- A Construction for Super Pseudorandom Permutations from A Single Pseudorandom Function.- Complexity Theory and Cryptography I.- How to Break a "Secure" Oblivious Transfer Protocol.- Uniform Results in Polynomial-Time Security.- Cryptographic Protocols Provably Secure Against Dynamic Adversaries.- Zero-Knowledge.- Secure Bit Commitment Function against Divertibility.- Non-Interactive Circuit Based Proofs and Non-Interactive Perfect Zero-knowledge with Preprocessing.- Tools for Proving Zero Knowledge.- Digital Signatures and Electronic Cash.- How to Make Efficient Fail-stop Signatures.- Which new RSA Signatures can be Computed from RSA Signatures, Obtained in a Specific Interactive Protocol?.- Transferred Cash Grows in Size.- Complexity Theory and Cryptography II.- Local Randomness in Candidate One-Way Functions.- How Intractable Is the Discrete Logarithm for a General Finite Group?.- Factoring with an Oracle.- Applications.- Secure Audio Teleconferencing: A Practical Solution.- Selected Papers from the Rump Session.- Secure Conference Key Distribution Schemes for Conspiracy Attack.- A Note on Discrete Logarithms with Special Structure.- A Remark on a Non-interactive Public-Key Distribution System.- Security Bounds for Parallel Versions of Identification Protocols.- Information-Theoretic Bounds for Authentication Frauds.- A Generalized Correlation Attack with a Probabilistic Constrained Edit Distance.- Systolic-Arrays for Modular Exponentiation Using Montgomery Method.- On the Development of a Fast Elliptic Curve Cryptosystem.- A Montgomery-Suitable Fiat-Shamir-Like Authentication Scheme.

Proceedings Article
26 Oct 1993
TL;DR: In this paper, the authors propose a provable design criterion to strengthen s²DES against differential attack without disturbing its cryptographic structure, resulting in an algorithm called s³DES, and they show that new s²DES S-boxes can be constructed with their new design criteria.
Abstract: At Crypto'92, L.R. Knudsen [7] showed that s²DES is insufficient to assure against differential attack. In this paper, we propose a provable design criterion to strengthen s²DES against differential attack without disturbing its cryptographic structure. We show that new s²DES S-boxes can be constructed with our new design criteria and suggest 8 new s²DES S-boxes for replacing the current DES S-boxes. Calling this algorithm simply s³DES, the result of our estimation and Knudsen's recent analysis [9] give us that s³DES can resist differential attack better than DES and s²DES, i.e., breaking s³DES by differential attack is less efficient than key-exhaustive search.

ReportDOI
06 May 1993
TL;DR: Some current research concerning the generation of random and pseudorandom keystreams for use in cryptographic stream ciphers, including the use of chaotic discrete dynamical systems are surveyed.
Abstract: Communications security is vital in the information age. For this reason, cryptography (the branch of cryptology dealing with the making of secure cipher systems; the other branch, cryptanalysis, attempts to break such systems) is no longer of concern only to the government, but also to private industry. We survey some current research concerning the generation of random and pseudorandom keystreams for use in cryptographic stream ciphers, including the use of chaotic discrete dynamical systems.