
Showing papers on "Differential cryptanalysis published in 1997"


Book ChapterDOI
20 Jan 1997
TL;DR: This paper cryptanalyses 5 rounds of a variant of SHARK, which deviates only slightly from the proposed SHARK, and shows that there exist ciphers constructed according to this design strategy which can be broken faster than claimed.
Abstract: In this paper we introduce a new method of attacks on block ciphers, the interpolation attack. This new method is useful for attacking ciphers using simple algebraic functions (in particular quadratic functions) as S-boxes. Also, ciphers of low non-linear order are vulnerable to attacks based on higher order differentials. Recently, Knudsen and Nyberg presented a 6-round prototype cipher which is provably secure against ordinary differential cryptanalysis. We show how to attack the cipher by using higher order differentials and a variant of the cipher by the interpolation attack. It is possible to successfully cryptanalyse up to 32 rounds of the variant using about 2^32 chosen plaintexts with a running time less than 2^64. Using higher order differentials, a new design concept for block ciphers by Kiefer is also shown to be insecure. Rijmen et al. presented a design strategy for block ciphers and the cipher SHARK. We show that there exist ciphers constructed according to this design strategy which can be broken faster than claimed. In particular, we cryptanalyse 5 rounds of a variant of SHARK, which deviates only slightly from the proposed SHARK.

343 citations


Book ChapterDOI
11 Nov 1997
TL;DR: New related-key attacks on the block ciphers 3WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA are presented, showing how to adapt the general attack to deal with the difficulties of the individual algorithms.
Abstract: We present new related-key attacks on the block ciphers 3WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. Differential related-key attacks allow both keys and plaintexts to be chosen with specific differences [KSW96]. Our attacks build on the original work, showing how to adapt the general attack to deal with the difficulties of the individual algorithms. We also give specific design principles to protect against these attacks.

255 citations


Journal ArticleDOI
01 Nov 1997
TL;DR: The CAST design procedure for constructing a family of DES-like Substitution-Permutation Network (SPN) cryptosystems is described in this paper, which appears to have good resistance to differential cryptanalysis, linear cryptanalysis and related-key cryptanalysis.
Abstract: This paper describes the CAST design procedure for constructing a family of DES-like Substitution-Permutation Network (SPN) cryptosystems which appear to have good resistance to differential cryptanalysis, linear cryptanalysis, and related-key cryptanalysis, along with a number of other desirable cryptographic properties. Details of the design choices in the procedure are given, including those regarding the component substitution boxes (s-boxes), the overall framework, the key schedule, and the round function. An example CAST cipher, an output of this design procedure, is presented as an aid to understanding the concepts and to encourage detailed analysis by the cryptologic community.

141 citations


Journal ArticleDOI
TL;DR: This paper improves Davies' attack on DES to become capable of breaking the full 16-round DES faster than the exhaustive search, and is the third successful attack on DES, faster than brute force, after differential cryptanalysis and linear cryptanalysis.
Abstract: In this paper we improve Davies' attack [2] on DES to become capable of breaking the full 16-round DES faster than the exhaustive search. Our attack requires 2^50 known plaintexts and 2^50 complexity of analysis. If independent subkeys are used, a variant of this attack can find 26 bits out of the 768 key bits using 2^52 known plaintexts. All the 768 bits of the subkeys can be found using 2^60 known plaintexts. The data analysis requires only several minutes on a SPARC workstation. Therefore, this is the third successful attack on DES, faster than brute force, after differential cryptanalysis [1] and linear cryptanalysis [5]. We also suggest criteria which make the S-boxes immune to this attack.

59 citations


Book ChapterDOI
20 Jan 1997
TL;DR: It is demonstrated that for certain block ciphers, trapdoors can be built in that make the cipher susceptible to linear cryptanalysis; however, finding these trapdoors can be made very hard, even if one knows the general form of the trapdoor.
Abstract: This paper presents several methods to construct trapdoor block ciphers. A trapdoor cipher contains some hidden structure; knowledge of this structure allows an attacker to obtain information on the key or to decrypt certain ciphertexts. Without this trapdoor information the block cipher seems to be secure. It is demonstrated that for certain block ciphers, trapdoors can be built-in that make the cipher susceptible to linear cryptanalysis; however, finding these trapdoors can be made very hard, even if one knows the general form of the trapdoor. In principle such a trapdoor can be used to design a public key encryption scheme based on a conventional block cipher.

47 citations


Journal ArticleDOI
01 Nov 1997
TL;DR: This attack demonstrates that the round function of a Feistel cipher with six to eight rounds needs to be surjective and sufficiently uniform.
Abstract: We propose a new attack on Feistel ciphers with a non-surjective round function such as the CAST cipher family and LOKI91. We extend the attack towards block ciphers that use a non-uniformly distributed round function and apply the extended attack to the CAST family. This attack demonstrates that the round function of a Feistel cipher with six to eight rounds needs to be surjective and sufficiently uniform.

41 citations


Book ChapterDOI
03 Jun 1997
TL;DR: An overview of the design principles of a large number of recent proposals for cryptographic primitives, which includes the global structure, the number of rounds, the way of introducing non-linearity and diffusion, and the key schedule are provided.
Abstract: This paper examines proposals for three cryptographic primitives: block ciphers, stream ciphers, and hash functions. It provides an overview of the design principles of a large number of recent proposals, which includes the global structure, the number of rounds, the way of introducing non-linearity and diffusion, and the key schedule. The software performance of about twenty primitives is compared based on highly optimized implementations for the Pentium. The goal of the paper is to provide a technical perspective on the wide variety of primitives that exist today.

37 citations


Book ChapterDOI
20 Jan 1997
TL;DR: This paper deals with how to define the security of remotely keyed encryption schemes, since the attacker can take over the slow device and actually take part in the encryption process, so common definitions of block cipher security have to be reconsidered.
Abstract: The purpose of remotely keyed encryption is to efficiently realize a secret-key block cipher by sharing the computational burden between a fast untrusted device and a slow device trusted with the key. This paper deals with how to define the security of remotely keyed encryption schemes. Since the attacker can take over the slow device and actually take part in the encryption process, common definitions of the security of block ciphers have to be reconsidered.

37 citations


Book ChapterDOI
TL;DR: This paper studies some new "candidate" asymmetric cryptosystems based on the idea of hiding one or two rounds of small S-box computations with secret functions of degree one or two, and deduces some very different cryptanalysis of C*.
Abstract: In this paper, we study some new "candidate" asymmetric cryptosystems based on the idea of hiding one or two rounds of small S-box computations with secret functions of degree one or two. The C* scheme of [10] (when its n_i values are small) can be seen as a very special case of these schemes. This C* scheme was broken in [11] due to unexpected algebraic properties. In the new schemes, those algebraic properties generally do not exist. Nevertheless, we will see that most of the "new" algorithms can also be broken and we deduce some very different cryptanalysis of C*.

34 citations


Book ChapterDOI
20 Jan 1997
TL;DR: The concept of keyed permutation to improve resistance to differential and linear cryptanalysis, and the use of an extensible key schedule to achieve an explicit tradeoff between speed and security, are introduced.
Abstract: This paper describes the design and implementation of the ICE cryptosystem, a 64-bit Feistel block cipher. It describes the design process, with the various aims and tradeoffs involved. It also introduces the concept of keyed permutation to improve resistance to differential and linear cryptanalysis, and the use of an extensible key schedule to achieve an explicit tradeoff between speed and security.

Book ChapterDOI
03 Jun 1997
TL;DR: A short overview of the state of the art of secret key block ciphers can be found in this paper, where the authors focus on the main application of block Ciphers, namely for encryption.
Abstract: In this paper we give a short overview of the state of the art of secret key block ciphers. We focus on the main application of block ciphers, namely for encryption. The most important known attacks on block ciphers are linear cryptanalysis and differential cryptanalysis. Linear cryptanalysis makes use of so-called linear hulls, i.e., the parity of a subset of ciphertext bits with a probability sufficiently far away from one half. Differential cryptanalysis makes use of so-called differentials (A, B), i.e., a pair of plaintexts with difference A, which after a certain number of rounds result in a difference B with a high probability. The hulls and differentials can be used to derive (parts of) the secret key.

Journal ArticleDOI
TL;DR: A new method for attacking the simple substitution cipher is presented which utilises a parallel version of the genetic algorithm which allows communication between a number of parallel nodes each solving a separate part of the problem.
Abstract: A new method for attacking the simple substitution cipher is presented which utilises a parallel version of the genetic algorithm. A suitable strategy is devised which allows communication between a number of parallel nodes each solving a separate part of the problem. An analysis of the fitness function is also performed.

Book ChapterDOI
20 Jan 1997
TL;DR: Feistel ciphers are very common and very important in the design and analysis of block ciphers, especially due to four reasons: (1) many (DES-like) ciphers are based on Feistel's construction, and (2) Luby and Rackoff proved the security of a four-round Feistel construction when the round functions are random.
Abstract: Feistel ciphers are very common and very important in the design and analysis of blockciphers, especially due to four reasons: (1) Many (DES-like) ciphers are based on Feistel’s construction. (2) Luby and Rackoff proved the security of a four-round Feistel construction when the round functions are random. (3) Recently several provably secure ciphers were suggested, which use other (assumed secure) ciphers as the round function. (4) Other such ciphers use this construction as attempts to improve the security of other ciphers (e.g., to improve the security of DES).

Book ChapterDOI
TL;DR: The main requirements for these cryptographic primitives are discussed, the constructions are motivated, and the state of the art of both attacks and security proofs is presented.
Abstract: This paper reviews constructions of hash functions and MAC algorithms based on block ciphers. It discusses the main requirements for these cryptographic primitives, motivates these constructions, and presents the state of the art of both attacks and security proofs.

Journal ArticleDOI
01 Nov 1997
TL;DR: It is shown that, when randomly generated substitution boxes are used in a CAST-like encryption algorithm, the resulting cipher is resistant to both the linear attack and the differential attack.
Abstract: Linear cryptanalysis and differential cryptanalysis are two recently introduced, powerful methodologies for attacking private-key block ciphers. In this paper, we examine the application of these two cryptanalysis techniques to a CAST-like encryption algorithm. It is shown that, when randomly generated substitution boxes (s-boxes) are used in a CAST-like encryption algorithm, the resulting cipher is resistant to both the linear attack and the differential attack.

Book ChapterDOI
11 Nov 1997
TL;DR: Making use of duality properties of Boolean functions, this work has obtained several results that are related to lower bounds on nonlinearity, as well as on the number of terms, of Boolean Functions.
Abstract: Recent advances in interpolation and high order differential cryptanalysis have highlighted the cryptographic significance of Boolean functions with a high algebraic degree. However, compared with other nonlinearity criteria such as propagation, resiliency, differential and linear characteristics, apparently little progress has been made in relation to algebraic degree in the context of cryptography. The aim of this work is to research into relationships between algebraic degree and other nonlinearity criteria. Making use of duality properties of Boolean functions, we have obtained several results that are related to lower bounds on nonlinearity, as well as on the number of terms, of Boolean functions. We hope that these results would stimulate the research community's interest in further exploring this important area.

Book ChapterDOI
17 Sep 1997
TL;DR: It is shown that, for attacking the KN cipher with 6 rounds, the number of required chosen plaintexts can be reduced by half and running time reduced from 2^41 to 2^14, and that all round keys can be derived in only 0.02 seconds on a Sun Ultra 1 (UltraSPARC 170MHz).
Abstract: Since the proposal of differential cryptanalysis and linear cryptanalysis in 1991 and 1993, respectively, the resistance to these cryptanalyses has been studied for many cryptosystems. Moreover, some block ciphers with provable security against differential and linear cryptanalysis have been proposed. One of them is the KN cipher proposed by Knudsen and Nyberg. The KN cipher is a prototype cipher with provable security against ordinary differential cryptanalysis, and has been proved to be secure against linear cryptanalysis, too. Recently a new method of attacking block ciphers, the higher order differential attack, was proposed, and Jakobsen and Knudsen showed that the KN cipher can be attacked by this method in FSE4. In this paper, we improve this attack to reduce both the required chosen plaintexts and running time, and apply it to the cryptanalysis of the KN cipher. We show that, for attacking the KN cipher with 6 rounds, the number of required chosen plaintexts can be reduced by half and running time reduced from 2^41 to 2^14, and that all round keys can be derived in only 0.02 seconds on a Sun Ultra 1 (UltraSPARC 170MHz).

Patent
Matt Blaze
14 Feb 1997
TL;DR: In this paper, a block is permuted by recursively using relatively small random functions in an N-round Feistel construction, where N is an integer, and the memory required for the cipher's random functions increases linearly with block size.
Abstract: An efficient block cipher that operates on blocks of arbitrarily large size. A block is permuted by recursively using relatively small random functions in an N-round Feistel construction, where N is an integer. The security of the invention is closely related to the difficulty of solving the Numerical Matching with Target Sums problem, an NP Complete problem which cannot presently be solved analytically using known mathematical techniques. The memory required for the cipher's random functions increases linearly with block size, rather than exponentially as with known Feistel constructions. The invention can be efficiently and practically implemented in software at speeds comparable to the speeds of known ciphers.

Journal Article
TL;DR: Results clearly indicate that provable immunity against linear and differential cryptanalysis is not adequate for designing a secure block cipher, and the security of the MISTY cipher will remain open until a close examination of its resistance is conducted against other cryptanalytic attacks than the linear or differential attack.
Abstract: On non-pseudorandomness from block ciphers with provable immunity against linear cryptanalysis. Weakness of a block cipher, which has provable immunity against linear cryptanalysis, is investigated. To this end, the round transformation used in MISTY, which is a data encryption algorithm recently proposed by M. Matsui from Mitsubishi Electric Corporation, is compared to the round transformation of DES from the point of view of pseudorandom generation. An important property of the MISTY cipher is that, in terms of theoretically provable resistance against linear and differential cryptanalysis, which are the most powerful cryptanalytic attacks known to date, it is more robust than the Data Encryption Standard or DES. This property can be attributed to the application of a new round transform in the MISTY cipher, which is obtained by changing the location of the basic round-function in a transform used in DES. Cryptographic roles of the transform used in the MISTY cipher are the main focus of this paper. Our research reveals that when used for constructing pseudorandom permutations, the transform employed by the MISTY cipher is inferior to the transform in DES, though the former is superior to the latter in terms of strength against linear and differential attacks. More specifically, we show that a 3-round (4-round, respectively) concatenation of transforms used in the MISTY cipher is not a pseudorandom (super pseudorandom, respectively) permutation. For comparison, we note that with three (four, respectively) rounds, transforms used in DES yield a pseudorandom (super pseudorandom, respectively) permutation. Another contribution of this paper is to show that a 3-round concatenation of transforms used in (the preliminary version of) the MISTY cipher has an algebraic property, which may open a door for various cryptanalytic attacks.
These results clearly indicate that provable immunity against linear and differential cryptanalysis is not adequate for designing a secure block cipher, and the security of the MISTY cipher will remain open until a close examination of its resistance is conducted against other cryptanalytic attacks than the linear or differential attack.

Journal ArticleDOI
TL;DR: The author examines the application of linear cryptanalysis to the RC5 private-key cipher and shows that there are expected to be weak keys for which the attack is applicable to many rounds, highlighting the sensitivity of RC5 security to its key scheduling algorithm.
Abstract: The author examines the application of linear cryptanalysis to the RC5 private-key cipher and shows that there are expected to be weak keys for which the attack is applicable to many rounds. It is demonstrated that, for the 12-round nominal RC5 version with a 64 bit block size and a 128 bit key, there are 2^28 weak keys for which only ~2^17 known plaintexts are required to break the cipher. There are 2^68 keys for which the cipher is theoretically breakable, requiring ~2^57 known plaintexts. The analysis highlights the sensitivity of RC5 security to its key scheduling algorithm.

Journal ArticleDOI
01 Sep 1997
TL;DR: This paper shows that the differential analysis made by Kaliski and Yin is not optimal and gives differential attacks better by up to a factor of 512 and shows that RC5 has many weak keys with respect to differential attacks.
Abstract: In this paper we investigate the strength of the secret-key algorithm RC5 proposed by Ron Rivest. The target version of RC5 works on words of 32 bits, has 12 rounds and a user-selected key of 128 bits. Kaliski and Yin estimated the strength of RC5 by differential and linear cryptanalysis. They conjectured that their linear analysis is optimal and that the use of 12 rounds for RC5 is sufficient to make both differential and linear cryptanalysis impractical. In this paper we show that the differential analysis made by Kaliski and Yin is not optimal. We give differential attacks better by up to a factor of 512. Also we show that RC5 has many weak keys with respect to differential attacks. This weakness relies on the structure of the cipher and not on the key schedule. Finally we discuss some possible extensions of our attacks and some modifications of RC5 in order to improve the resistance against our differential attacks.

Book ChapterDOI
24 Feb 1997
TL;DR: Experience has shown that block-oriented symmetric product ciphers constitute an adequate design paradigm for resolving this task, since they can offer a very high level of security as well as very high encryption rates.
Abstract: To guarantee security and privacy in data transmission and archival applications, adequate efficient bulk encryption techniques are necessary which are able to cope with the vast amounts of data involved. Experience has shown that block-oriented symmetric product ciphers constitute an adequate design paradigm for resolving this task, since they can offer a very high level of security as well as very high encryption rates.

Proceedings ArticleDOI
25 May 1997
TL;DR: A new S box nonlinearity criterion is proposed and it is shown that S boxes satisfying this criterion and having good diffusion improve remarkably the ability of an SPN to resist linear cryptanalysis and differential cryptanalysis.
Abstract: We examine the security of the class of substitution permutation private key block ciphers with respect to linear and differential cryptanalysis. A new S box nonlinearity criterion is proposed and it is shown that S boxes satisfying this criterion and having good diffusion improve remarkably the ability of an SPN to resist linear cryptanalysis and differential cryptanalysis.

Journal ArticleDOI
TL;DR: The authors show that this family of circuits is affine over GF(2), and for any specific key K, the ciphertext Y is related to the plaintext X by the simple affine relation Y = M_K X ⊕ d_K, where M_K is an n×n non-singular binary matrix.
Abstract: Koyama and Terada (1991) proposed a family of cryptographic functions for application to symmetric block ciphers. The authors show that this family of circuits is affine over GF(2). More explicitly, for any specific key K, the ciphertext Y is related to the plaintext X by the simple affine relation Y = M_K X ⊕ d_K, where M_K is an n×n non-singular binary matrix and d_K is an n×1 binary vector, where n is the block length of the cipher. This renders this family of ciphers completely insecure as it can be broken with only n+1 linearly independent plaintext blocks and their corresponding ciphertext blocks.

Journal ArticleDOI
TL;DR: An efficient set of statistical methods for analysing the security of these algorithms under the black-box approach is described; the procedures can be fully automated, which provides the designer or user of a block cipher with a useful set of tools for security analysis.
Abstract: A block cipher is one of the most common forms of algorithms used for data encryption. This paper describes an efficient set of statistical methods for analysing the security of these algorithms under the black-box approach. The procedures can be fully automated, which provides the designer or user of a block cipher with a useful set of tools for security analysis.

Proceedings ArticleDOI
25 May 1997
TL;DR: A new class of unbalanced CAST ciphers is presented which employ the same structure of S-box and round function as the original CAST cipher but have a lower memory requirement.
Abstract: The original CAST cipher is an efficient and secure private key block cipher designed to be an alternative to DES. We present a new class of unbalanced CAST ciphers which employ the same structure of S-box and round function as the original CAST cipher but have a lower memory requirement. Furthermore, we investigate the security of the ciphers with respect to differential and linear cryptanalysis. The result of analysis shows that unbalanced CAST ciphers with appropriate parameters are resistant to differential and linear cryptanalysis.

Book ChapterDOI
07 Jul 1997
TL;DR: A new class of designs for SSCs is presented which are intended to resist sliding input attacks by maintaining a uniform distribution of internal data values in the feedback stage and subsequently.
Abstract: Self-synchronous encryption can provide private communications across channels that are prone to bit-slip (insertion/deletion) errors. Under these conditions, conventional synchronous stream ciphers suffer catastrophic message loss, whereas self-synchronous ciphers (SSCs) automatically re-synchronise after a short error burst, with no additional circuitry or protocols. In this paper we point out some security problems of SSCs which are unavoidable, basically due to the fact that all of their input is sliding ciphertext, which may be chosen by a cryptanalyst. Although apparently similar in structure to nonlinear filter generator stream ciphers, self-synchronous ciphers are subject to quite different cryptanalytic attacks, which we briefly describe. Finally, we present a new class of designs for SSCs which are intended to resist sliding input attacks by maintaining a uniform distribution of internal data values in the feedback stage and subsequently.

Dissertation
01 Jan 1997
TL;DR: It is suggested that the maximum static and dynamic input-output bit information leakages for the unbalanced CAST ciphers constructed from 8 x 32 S-boxes are much smaller than for DES.
Abstract: The original CAST cipher is an efficient and secure private-key block cipher designed to be an alternative to the Data Encryption Standard (DES). In this thesis, we present a new class of unbalanced CAST ciphers which employ the same structure of S-box and round function as the original CAST cipher but have a lower memory requirement. Unbalanced CAST ciphers with one or two 8 x 32 S-boxes in the round function require only 1/4 or 1/2 the memory of the original CAST cipher, respectively.
This thesis examines the application of differential and linear cryptanalysis, two of the most powerful methodologies for attacking private-key block ciphers, to the unbalanced CAST ciphers. The results of analysis show that a 48-round unbalanced CAST cipher with one 8 x 32 S-box and a 24-round unbalanced CAST cipher with two 8 x 32 S-boxes, both of which are equivalent to a 12-round original CAST cipher in efficiency, are resistant to both differential and linear cryptanalysis.
We also investigate the unbalanced CAST ciphers from the perspective of information theory. The results suggest that the maximum static and dynamic input-output bit information leakages for the unbalanced CAST ciphers constructed from 8 x 32 S-boxes are much smaller than for DES.
The conclusion reached by the thesis is that unbalanced CAST ciphers can be considered to be efficient, secure ciphers which require less memory than the original CAST cipher.