
Showing papers on "Differential cryptanalysis" published in 1994


Book ChapterDOI
02 Jan 1994
TL;DR: A new method is introduced for cryptanalysis of DES cipher, which is essentially a known-plaintext attack, that is applicable to an only-ciphertext attack in certain situations.
Abstract: We introduce a new method for cryptanalysis of DES cipher, which is essentially a known-plaintext attack. As a result, it is possible to break 8-round DES cipher with 2^21 known-plaintexts and 16-round DES cipher with 2^47 known-plaintexts, respectively. Moreover, this method is applicable to an only-ciphertext attack in certain situations. For example, if plaintexts consist of natural English sentences represented by ASCII codes, 8-round DES cipher is breakable with 2^29 ciphertexts only.

2,753 citations


Book ChapterDOI
02 Jan 1994
TL;DR: Differentially uniform mappings as discussed by the authors have also desirable cryptographic properties: large distance from affine functions, high nonlinear order and efficient computability, and have also been used in DES-like ciphers.
Abstract: This work is motivated by the observation that in DES-like ciphers it is possible to choose the round functions in such a way that every non-trivial one-round characteristic has small probability. This gives rise to the following definition. A mapping is called differentially uniform if for every non-zero input difference and any output difference the number of possible inputs has a uniform upper bound. The examples of differentially uniform mappings provided in this paper have also other desirable cryptographic properties: large distance from affine functions, high nonlinear order and efficient computability.

859 citations


Journal ArticleDOI
Don Coppersmith
TL;DR: Some of the safeguards against differential cryptanalysis that were built into the DES system from the beginning are shown, with the result that more than 10^15 bytes of chosen plaintext are required for this attack to succeed.
Abstract: The Data Encryption Standard (DES) was developed by an IBM team around 1974 and adopted as a national standard in 1977. Since that time, many cryptanalysts have attempted to find shortcuts for breaking the system. In this paper, we examine one such attempt, the method of differential cryptanalysis, published by Biham and Shamir. We show some of the safeguards against differential cryptanalysis that were built into the system from the beginning, with the result that more than 10^15 bytes of chosen plaintext are required for this attack to succeed.

560 citations


Book ChapterDOI
21 Aug 1994
TL;DR: An improved version of linear cryptanalysis is described and its application to the first successful computer experiment in breaking the full 16-round DES with high success probability if 2^43 random plaintexts and their ciphertexts are available.
Abstract: This paper describes an improved version of linear cryptanalysis and its application to the first successful computer experiment in breaking the full 16-round DES. The scenario is a known-plaintext attack based on two new linear approximate equations, each of which provides candidates for 13 secret key bits with negligible memory. Moreover, reliability of the key candidates is taken into consideration, which increases the success rate. As a result, the full 16-round DES is breakable with high success probability if 2^43 random plaintexts and their ciphertexts are available. The author carried out the first experimental attack using twelve computers to confirm this: he finally reached all of the 56 secret key bits in fifty days, out of which forty days were spent for generating plaintexts and their ciphertexts and only ten days were spent for the actual key search.

453 citations


Book ChapterDOI
01 Jan 1994
TL;DR: High-order derivatives of multi-variable functions are studied as a natural generalization of the basic concept used in differential cryptanalysis and possible applications of such derivatives in cryptology are discussed.
Abstract: High-order derivatives of multi-variable functions are studied in this paper as a natural generalization of the basic concept used in differential cryptanalysis. Possible applications of such derivatives in cryptology are discussed.

423 citations


Book ChapterDOI
09 May 1994
TL;DR: Linear cryptanalysis, introduced last year by Matsui, will most certainly open-up the way to new attack methods which may be made more efficient when compared or combined with differential cryptanalysis as mentioned in this paper.
Abstract: Linear cryptanalysis, introduced last year by Matsui, will most certainly open-up the way to new attack methods which may be made more efficient when compared or combined with differential cryptanalysis.

395 citations


Book ChapterDOI
09 May 1994
TL;DR: A practical algorithm for deriving the best differential characteristic and the best linear expression of DES, based on a duality between differential cryptanalysis and linear cryptanalysis, and applicable to various block ciphers is introduced.
Abstract: This paper introduces a practical algorithm for deriving the best differential characteristic and the best linear expression of DES. Its principle is based on a duality between differential cryptanalysis and linear cryptanalysis, and applicable to various block ciphers. Then using this program, we observe how the order of S-boxes affects the strength of DES. We show that the order of the S-boxes is well-arranged against differential cryptanalysis, though it is not the best choice. On the other hand, our experimental results indicate that it is a very weak choice in regard to linear cryptanalysis. In other words, DES can be strengthened by just rearranging the order of the S-boxes.

283 citations


Book ChapterDOI
21 Aug 1994
TL;DR: This paper introduces a new chosen text attack on iterated cryptosystems, such as the Data Encryption Standard (DES), which is very efficient for 8-round DES, recovering 10 bits of key with 80% probability of success using only 512 chosen plaintexts.
Abstract: This paper introduces a new chosen text attack on iterated cryptosystems, such as the Data Encryption Standard (DES). The attack is very efficient for 8-round DES, recovering 10 bits of key with 80% probability of success using only 512 chosen plaintexts. The probability of success increases to 95% using 768 chosen plaintexts. More key can be recovered with reduced probability of success. The attack takes less than 10 seconds on a SUN-4 workstation. While comparable in speed to existing attacks, this 8-round attack represents an order of magnitude improvement in the amount of required text.

247 citations


Book ChapterDOI
09 May 1994
TL;DR: The results of this paper give the theoretical fundaments on which Matsui's linear cryptanalysis of the DES is based, and it is shown how to achieve proven resistance against linear cryptanalysis.
Abstract: The results of this paper give the theoretical fundaments on which Matsui's linear cryptanalysis of the DES is based. As a result we obtain precise information on the assumptions explicitly or implicitly stated in [2] and show that the success of Algorithm 2 is underestimated in [2]. We also derive a formula for the strength of Algorithm 2 for DES-like ciphers and see what is its dependence on the plaintext distribution. Finally, it is shown how to achieve proven resistance against linear cryptanalysis.

239 citations


Book ChapterDOI
21 Aug 1994
TL;DR: A technique is presented which aids in the linear cryptanalysis of a block cipher and allows for a reduction in the amount of data required for a successful attack, and it is illustrated that it is generally applicable and might be exceptionally successful when applied to other block ciphers.
Abstract: We present a technique which aids in the linear cryptanalysis of a block cipher and allows for a reduction in the amount of data required for a successful attack. We note the limits of this extension when applied to DES, but illustrate that it is generally applicable and might be exceptionally successful when applied to other block ciphers. This forces us to reconsider some of the initial attempts to quantify the resistance of block ciphers to linear cryptanalysis, and by taking account of this new technique we cover several issues which have not yet been considered.

216 citations


Book ChapterDOI
02 Jan 1994
TL;DR: Basic properties of APN permutations, which can be used in an iterated secret-key block cipher as a round function to protect it from a differential cryptanalysis, are investigated.
Abstract: In this paper basic properties of APN permutations, which can be used in an iterated secret-key block cipher as a round function to protect it from a differential cryptanalysis, are investigated. Several classes of almost perfect nonlinear permutations and other permutations in GF(2)^n with good nonlinearity and high nonlinear order are presented. Included here are also three methods for constructing permutations with good nonlinearity.

Book ChapterDOI
09 May 1994
TL;DR: This paper formalizes this method of cryptanalysis and shows that although in the details level this method is quite different from differential cryptanalysis, in the structural level they are very similar.
Abstract: In [9] Matsui introduced a new method of cryptanalysis, called Linear Cryptanalysis. This method was used to attack DES using 2^47 known plaintexts. In this paper we formalize this method and show that although in the details level this method is quite different from differential cryptanalysis, in the structural level they are very similar. For example, characteristics can be defined in linear cryptanalysis, but the concatenation rule has several important differences from the concatenation rule of differential cryptanalysis. We show that the attack of Davies on DES is closely related to linear cryptanalysis. We describe constraints on the size of S boxes caused by linear cryptanalysis. New results to Feal are also described.

Book ChapterDOI
02 Jan 1994
TL;DR: In this article, it was shown that the problem of weak keys can be eliminated by slightly modifying the key schedule of IDEA, which can be achieved by solving a set of 16 nonlinear boolean equations with 12 variables.
Abstract: Large classes of weak keys have been found for the block cipher algorithm IDEA, previously known as IPES [2]. IDEA has a 128-bit key and encrypts blocks of 64 bits. For a class of 2^23 keys IDEA exhibits a linear factor. For a certain class of 2^35 keys the cipher has a global characteristic with probability 1. For another class of 2^51 keys only two encryptions and solving a set of 16 nonlinear boolean equations with 12 variables is sufficient to test if the used key belongs to this class. If it does, its particular value can be calculated efficiently. It is shown that the problem of weak keys can be eliminated by slightly modifying the key schedule of IDEA.

Journal ArticleDOI
01 Nov 1994
TL;DR: This thesis studies cryptanalysis, applications and design of secret key block ciphers, which has a number of rounds, where in each round one applies a cryptographically weak function.
Abstract: In this thesis we study cryptanalysis, applications and design of secret key block ciphers. In particular, the important class of Feistel ciphers is studied, which has a number of rounds, where in each round one applies a cryptographically weak function.

Book ChapterDOI
02 Jan 1994
TL;DR: The exact distribution of characteristics in XOR tables is derived, and an upper bound on the probability of the most likely characteristic in a product cipher constructed from randomly selected S-boxes that are bijective mappings is determined.
Abstract: Differential cryptanalysis is a method of attacking iterated mappings which has been applied with varying success to a number of product ciphers and hash functions [1,3]. The attack is based on predicting a series of differences ΔY1, ΔY2, ..., ΔYr, known as a characteristic Ω. Partial information about the key can be derived when the differences are correctly predicted. The probability of a given characteristic Ω correctly predicting differences is derived from the XOR tables associated with the iterated mapping. Even though differential cryptanalysis has been applied successfully to a number of specific iterated mappings such as DES, FEAL and LOKI, the effectiveness of the attack against an arbitrary iterated mapping has not been considered. In this paper we derive the exact distribution of characteristics in XOR tables, and determine an upper bound on the probability of the most likely characteristic Ω in a product cipher constructed from randomly selected S-boxes that are bijective mappings. From this upper bound we are then able to construct product ciphers for which all characteristics Ω occur with low probability.

Journal ArticleDOI
TL;DR: This paper formulates cryptanalysis of the transposition cipher as a combinatorial optimization problem, and uses simulated annealing to find the global minimum of a cost function which is a distance measure between a possible decipherment of the given ciphertext and a sample of plaintext language.
Abstract: In this paper we use simulated annealing for automatic cryptanalysis of transposition ciphers. Transposition ciphers are a class of ciphers that in conjunction with substitution ciphers form the basis of all modern symmetric algorithms. In transposition ciphers, a plaintext block is encrypted into a ciphertext block using a fixed permutation. We formulate cryptanalysis of the transposition cipher as a combinatorial optimization problem, and use simulated annealing to find the global minimum of a cost function which is a distance measure between a possible decipherment of the given ciphertext and a sample of plaintext language.

Book ChapterDOI
14 Dec 1994
TL;DR: Starting from recent results on a linear statistical weakness of keystream generators and on linear correlation properties of combiners with memory, linear cryptanalysis of stream ciphers based on the linear sequential circuit approximation of finite-state machines is introduced as a general method for assessing the strength of stream ciphers.
Abstract: Starting from recent results on a linear statistical weakness of keystream generators and on linear correlation properties of combiners with memory, linear cryptanalysis of stream ciphers based on the linear sequential circuit approximation of finite-state machines is introduced as a general method for assessing the strength of stream ciphers. The statistical weakness can be used to reduce the uncertainty of unknown plaintext and also to reconstruct the unknown structure of a keystream generator, regardless of the initial state. The linear correlations in arbitrary keystream generators can be used for divide and conquer correlation attacks on the initial state based on known plaintext or ciphertext only. Linear cryptanalysis of irregularly clocked shift registers as well as of arbitrary shift register based binary keystream generators proves to be feasible. In particular, the direct stream cipher mode of block ciphers, the basic summation generator, the shrinking generator, the clock-controlled cascade generator, and the modified linear congruential generators are analyzed. It generally appears that simple shift register based keystream generators are potentially vulnerable to linear cryptanalysis. A proposal of a novel, simple and secure keystream generator is also presented.

Proceedings ArticleDOI
Heys, Tavares
25 Sep 1994
TL;DR: From the analysis, it is concluded that it is easy to select S-boxes so that an efficient implementation of the CAST algorithm is demonstrably resistant to linear cryptanalysis.
Abstract: We examine a new private key encryption algorithm referred to as CAST. Specifically, we investigate the security of the cipher with respect to linear cryptanalysis. From our analysis we conclude that it is easy to select S-boxes so that an efficient implementation of the CAST algorithm is demonstrably resistant to linear cryptanalysis.

Book ChapterDOI
02 Jan 1994
TL;DR: If the one-round functions of an r-round iterated cipher generate the alternating or the symmetric group, then for all corresponding Markov ciphers the chains of differences are irreducible and aperiodic; as an application, the DES and the IDEA(32) are secure against a differential cryptanalysis attack after sufficiently many rounds.
Abstract: This paper includes some relations between differential cryptanalysis and group theory. The main result is the following: If the one-round functions of an r-round iterated cipher generate the alternating or the symmetric group, then for all corresponding Markov ciphers the chains of differences are irreducible and aperiodic. As an application it will be shown that if the hypothesis of stochastic equivalence holds for any of these corresponding Markov ciphers, then the DES and the IDEA(32) are secure against a differential cryptanalysis attack after sufficiently many rounds for these Markov ciphers. The section about IDEA(32) includes the result that the one-round functions of this algorithm generate the alternating group.

Book ChapterDOI
09 May 1994
TL;DR: This paper improves Davies' attack on DES to become capable of breaking the full 16-round DES faster than the exhaustive search, and suggests criteria which make the S-boxes immune to this attack.
Abstract: In this paper we improve Davies' attack [2] on DES to become capable of breaking the full 16-round DES faster than the exhaustive search. Our attack requires 2^50 complexity of the data collection and 2^50 complexity of analysis. An alternative approach finds 24 key bits of DES with 2^52 known plaintexts and the data analysis requires only several minutes on a SPARC. Therefore, this is the third successful attack on DES, faster than brute force, after differential cryptanalysis [1] and linear cryptanalysis [5]. We also suggest criteria which make the S-boxes immune to this attack.

Book ChapterDOI
14 Dec 1994
TL;DR: This year’s measurements are based on a faster implementation of GOST 28147, and many of the most interesting new algorithms in 1994 were stream ciphers.
Abstract:
– The NIST Secure Hash Algorithm (SHA) has been replaced with a new algorithm, SHA-1 [10]. The reason for this change is that NIST (or NSA) discovered an attack against the original SHA algorithm [11].
– This year's measurements are based on a faster implementation of GOST 28147.
– This year's measurements were made with a different Sun workstation. The new machine is significantly slower; as a result, all the figures in the "Sparc" column of the tables have changed.
– Some stream ciphers have been included. Many of the most interesting new algorithms in 1994 were stream ciphers. In particular, 1994 saw the publication of what were alleged to be the specifications of two proprietary stream ciphers, RC4 and A5.

Book ChapterDOI
21 Aug 1994
TL;DR: A chosen plaintext attack of the 16-round version of Khufu, which is based on differential properties of this algorithm, and the estimate of the resources required for breaking the entire scheme is about 2^43 chosen plaintexts and about 2^43 operations.
Abstract: In 1990, Merkle proposed two fast software encryption functions, Khafre and Khufu, as possible replacements for DES [1]. In 1991, Biham and Shamir applied their differential cryptanalysis technique to Khafre [2], and obtained an efficient attack of the 16-round version and some bounds on the 24-round version. However, these attacks take advantage of the fact that the S-boxes used for Khafre are public; they cannot be applied to Khufu, which uses secret S-boxes, and no attack of Khufu has been proposed so far. In this paper, we present a chosen plaintext attack of the 16-round version of Khufu, which is based on differential properties of this algorithm. The derivation of first information concerning the secret key requires about 2^31 chosen plaintexts and 2^31 operations. Our estimate of the resources required for breaking the entire scheme is about 2^43 chosen plaintexts and about 2^43 operations.

Proceedings ArticleDOI
02 Nov 1994
TL;DR: It is shown that using large S-boxes with good diffusion characteristics and replacing the permutation between rounds by an appropriate linear transformation is effective in improving the cipher security in relation to these two attacks.
Abstract: In this paper we examine a class of product ciphers referred to as substitution-permutation networks. We investigate the resistance of these cryptographic networks to two important attacks: differential cryptanalysis and linear cryptanalysis. In particular, we develop upper bounds on the differential characteristic probability and on the probability of a linear approximation as a function of the number of rounds of substitutions. Further, it is shown that using large S-boxes with good diffusion characteristics and replacing the permutation between rounds by an appropriate linear transformation is effective in improving the cipher security in relation to these two attacks.

Journal ArticleDOI
01 Jun 1994
TL;DR: The main result on the security of a DES-like cipher with independent round keys is Theorem 1, which gives an upper bound to the probability of s-round differentials, as defined in Markov Ciphers and Differential Cryptanalysis by X. Lai et al.
Abstract: The purpose of this paper is to show that there exist DES-like iterated ciphers, which are provably resistant against differential attacks. The main result on the security of a DES-like cipher with independent round keys is Theorem 1, which gives an upper bound to the probability of s-round differentials, as defined in Markov Ciphers and Differential Cryptanalysis by X. Lai et al., and this upper bound depends only on the round function of the iterated cipher. Moreover, it is shown that there exist functions such that the probabilities of differentials are less than or equal to 2^(3-n), where n is the length of the plaintext block. We also show a prototype of an iterated block cipher, which is compatible with DES and has proven security against differential attacks.

Book ChapterDOI
28 Nov 1994
TL;DR: This study shows that many multiple modes are much weaker than multiple DES, and their strength is comparable to a single DES.
Abstract: In recent years, several new attacks on DES were introduced. These attacks have led researchers to suggest stronger replacements for DES, and in particular new modes of operation for DES. The most popular new modes are triple DES variants, which are claimed to be as secure as triple DES. To speed up hardware implementations of these modes, and to increase the avalanche, many suggestions apply several standard modes sequentially. In this paper we study these multiple (cascade) modes of operation. This study shows that many multiple modes are much weaker than multiple DES, and their strength is comparable to a single DES.

Journal ArticleDOI
TL;DR: It is shown that two types of keystream generators for stream ciphers, originally thought to be secure, can be attacked using a known plaintext attack.
Abstract: In this paper it will be shown that two types of keystream generators for stream ciphers, originally thought to be secure, can be attacked using a known plaintext attack. This attack consists of a divide and conquer method.

Book ChapterDOI
28 Nov 1994
TL;DR: LOKI89 and LOKI91 are resistant to linear cryptanalysis from the viewpoint of the best linear approximate probability, whereas s2DES is breakable by a known-plaintext attack faster than an exhaustive key search.
Abstract: This paper discusses linear cryptanalysis of LOKI89, LOKI91 and s2DES. Our computer program based on Matsui's search algorithm has completely determined their best linear approximate equations, which tell us applicability of linear cryptanalysis to each cryptosystem. As a result, LOKI89 and LOKI91 are resistant to linear cryptanalysis from the viewpoint of the best linear approximate probability, whereas s2DES is breakable by a known-plaintext attack faster than an exhaustive key search. Moreover, our search program, which is also applicable to differential cryptanalysis, has derived their best differential characteristics as well. These values give a complete proof that characteristics found by Knudsen are actually best.

Book ChapterDOI
21 Aug 1994
TL;DR: It has been confirmed that the entire subkeys used in FEAL-8 can be derived with 2^25 pairs of known plaintexts and ciphertexts with a success rate of approximately 70%, spending about 1 hour using a WS.
Abstract: This paper discusses the security of the Fast Data Encipherment Algorithm (FEAL) against Linear Cryptanalysis. It has been confirmed that the entire subkeys used in FEAL-8 can be derived with 2^25 pairs of known plaintexts and ciphertexts with a success rate of approximately 70%, spending about 1 hour using a WS (SPARCstation 10 Model 30). This paper also evaluates the security of FEAL-N in comparison with that of the Data Encryption Standard (DES).

Book ChapterDOI
28 Nov 1994
TL;DR: It is proved that both chains converge to the uniform distribution for almost all round functions F, which implies that in the independent random subkey model, almost all product ciphers become immune to both differential and linear cryptanalysis after a sufficient number of rounds.
Abstract: Differential and linear cryptanalysis are two attacks on product ciphers that use approximations of the round function F to derive information about the secret key. For the case of differential cryptanalysis, it is well-known that the probability of differentials can be modeled by a Markov chain, and it is known, for example, that the chain for DES converges to the uniform distribution. In this paper, a Markov chain for linear cryptanalysis is introduced as well and it is proved that both chains converge to the uniform distribution for almost all round functions F. This implies that in the independent random subkey model, almost all product ciphers become immune to both differential and linear cryptanalysis after a sufficient number of rounds.

01 Jan 1994
TL;DR: Block Ciphers: Differential and Linear Cryptanalysis, the First Experimental Cryptanalysis of the Data Encryption Standard, and an Efficient Existentially Unforgeable Signature Scheme and its Applications.
Abstract: Block Ciphers: Differential and Linear Cryptanalysis.- The First Experimental Cryptanalysis of the Data Encryption Standard.- Linear Cryptanalysis of the Fast Data Encipherment Algorithm.- Differential-Linear Cryptanalysis.- Linear Cryptanalysis Using Multiple Approximations.- Schemes Based on New Problems.- Hashing with SL 2.- Design of Elliptic Curves with Controllable Lower Boundary of Extension Degree for Reduction Attacks.- Cryptographic Protocols Based on Discrete Logarithms in Real-quadratic Orders.- Signatures I.- Designated Confirmer Signatures and Public-Key Encryption are Equivalent.- Directed Acyclic Graphs, One-way Functions and Digital Signatures.- An Identity-Based Signature Scheme with Bounded Life-Span.- Implementation and Hardware Aspects.- More Flexible Exponentiation with Precomputation.- A Parallel Permutation Multiplier for a PGM Crypto-chip.- Cryptographic Randomness from Air Turbulence in Disk Drives.- Authentication and Secret Sharing.- Cryptanalysis of the Gemmell and Naor Multiround Authentication Protocol.- LFSR-based Hashing and Authentication.- New Bound on Authentication Code with Arbitration.- Multi-Secret Sharing Schemes.- Zero-Knowledge.- Designing Identification Schemes with Keys of Short Size.- Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols.- Language Dependent Secure Bit Commitment.- On the length of cryptographic hash-values used in identification schemes.- Signatures II.- Incremental Cryptography: The Case of Hashing and Signing.- An Efficient Existentially Unforgeable Signature Scheme and its Applications.- Combinatorics and its Applications.- Bounds for Resilient Functions and Orthogonal Arrays.- Tracing Traitors.- Number Theory.- Towards the Equivalence of Breaking the Diffie-Hellman Protocol and Computing Discrete Logarithms.- Fast Generation of Provable Primes Using Search in Arithmetic Progressions.- Cryptanalysis and Protocol Failures.- Attack on the Cryptographic Scheme NIKS-TAS.- On the Risk of Opening Distributed Keys.- Cryptanalysis of Cryptosystems based on Remote Chaos Replication.- Pseudo-Random Generation.- A Fourier Transform Approach to the Linear Complexity of Nonlinearly Filtered Sequences.- Block Ciphers: Design and Cryptanalysis.- The Security of Cipher Block Chaining.- A Chosen Plaintext Attack of the 16-round Khufu Cryptosystem.- Ciphertext Only Attack for One-way function of the MAP using One Ciphertext.- Pitfalls in Designing Substitution Boxes.- Secure Computations and Protocols.- A Randomness-Rounds Tradeoff in Private Computation.- Secure Voting Using Partially Compatible Homomorphisms.- Maintaining Security in the Presence of Transient Faults.