
Showing papers on "Differential cryptanalysis" published in 2000


Journal ArticleDOI
TL;DR: This work demonstrates side-channel attacks against three product ciphers - timing attack against IDEA, processor-flag attack against RC5, and Hamming weight attack against DES - and generalizes the research to other cryptosystems.
Abstract: Building on the work of Kocher (1996), Jaffe and Yun (1998), we discuss the notion of side-channel cryptanalysis: cryptanalysis using implementation data. We discuss the notion of side-channel attacks and the vulnerabilities they introduce, demonstrate side-channel attacks against three product ciphers - timing attack against IDEA, processor-flag attack against RC5, and Hamming weight attack against DES - and then generalize our research to other cryptosystems.

343 citations


Book ChapterDOI
10 Dec 2000
TL;DR: A5/1 is the stream cipher used in most European countries in order to ensure privacy of conversations on GSM mobile phones and is the best known result with respect to the total work complexity.
Abstract: A5/1 is the stream cipher used in most European countries in order to ensure privacy of conversations on GSM mobile phones. In this paper we describe an attack on this cipher with total work complexity 2^39.91 of A5/1 clockings, given 2^20.8 known plaintext. This is the best known result with respect to the total work complexity.

160 citations


Book ChapterDOI
Seokhie Hong, Sangjin Lee, Jongin Lim, Jaechul Sung, Donghyeon Cheon, Inho Cho
10 Apr 2000
TL;DR: This work proves that the SPN structure with a maximal diffusion layer provides provable security against differential cryptanalysis and linear cryptanalysis in the sense that the probability of each differential is bounded by p^n, where p (respectively q) is the maximum differential probability of the n S-boxes used in the substitution layer.
Abstract: In the SPN (Substitution-Permutation Network) structure, it is very important to design a diffusion layer to construct a secure block cipher against differential cryptanalysis and linear cryptanalysis. The purpose of this work is to prove that the SPN structure with a maximal diffusion layer provides provable security against differential cryptanalysis and linear cryptanalysis in the sense that the probability of each differential (respectively linear hull) is bounded by p^n (respectively q^n), where p (respectively q) is the maximum differential (respectively linear hull) probability of the n S-boxes used in the substitution layer. We will also give a provable security for the SPN structure with a semi-maximal diffusion layer against differential cryptanalysis and linear cryptanalysis.

87 citations


Journal ArticleDOI
TL;DR: This paper attempts to organize the existing literature of block-cipher cryptanalysis in a way that students can use to learn cryptanalytic techniques and ways to break new algorithms.
Abstract: Studying cryptanalysis is difficult because there is no standard textbook, and no way of knowing which cryptanalytic problems are suitable for different levels of students. This paper attempts to organize the existing literature of block-cipher cryptanalysis in a way that students can use to learn cryptanalytic techniques and ways to break new algorithms.

56 citations


Book ChapterDOI
20 Aug 2000
TL;DR: A new model is put forward for understanding the security of symmetric-key primitives, such as block ciphers, that captures the fact that many such primitives often consist of iterating simpler constructs for a number of rounds, and may provide insight into the security of such designs.
Abstract: We put forward a new model for understanding the security of symmetric-key primitives, such as block ciphers. The model captures the fact that many such primitives often consist of iterating simpler constructs for a number of rounds, and may provide insight into the security of such designs. We completely characterize the security of four-round Luby-Rackoff ciphers in our model, and show that the ciphers remain secure even if the adversary is given black-box access to the middle two round functions. A similar result can be obtained for message authentication codes based on universal hash functions.

52 citations


Book ChapterDOI
14 Aug 2000
TL;DR: This paper presents the first result of differential cryptanalysis of GOST with reduced number of rounds with the idea of using a set of differential characteristics, which is a partitioning type, to reduce the influence of the key value upon the probability as well as get high differential probability.
Abstract: The block cipher GOST was proposed in the former Soviet Union in 1989. In this paper we present the first result of differential cryptanalysis of GOST with a reduced number of rounds. By introducing the idea of using a set of differential characteristics, which is a partitioning type, we can reduce the influence of the key value upon the probability as well as get high differential probability. Using 2^51 chosen plaintexts the key of 13-round GOST can be obtained. Next this differential cryptanalysis is expanded by combining it with a related-key attack. Using 2^56 chosen plaintexts the key of 21 rounds of GOST can be obtained.

50 citations


Book ChapterDOI
08 Dec 2000
TL;DR: A simplified and round-reduced version of MISTY1 that does not alter the security provability can be attacked with higher order differential cryptanalysis, and the attacking property is derived from the choice of an atomic component of the algorithm, namely one of the two MISTY1 S-boxes.
Abstract: MISTY1 is a block cipher whose design relies on an assertion of provable security against linear and differential cryptanalysis. Yet, a simplified and round reduced version of MISTY1 that does not alter the security provability can be attacked with higher order differential cryptanalysis. We managed to explain this attack by deriving the attacking property from the choice of an atomic component of the algorithm, namely one of the two MISTY1 S-boxes. This allowed us to classify the good and the bad S-boxes built with the same principles and to show that none of the S-boxes with optimal linear and differential properties has an optimal behaviour with respect to higher order differential cryptanalysis.

39 citations


Posted Content
TL;DR: In this article, an algebraic attack on the A5/2 stream cipher is described, that determines the linear relations among the output sequence bits, and the vast majority of the unknown output bits can be reconstructed.
Abstract: An attack on the A5/2 stream cipher algorithm is described, that determines the linear relations among the output sequence bits. The vast majority of the unknown output bits can be reconstructed. The time complexity of the attack is proportional to 2. Introduction: A5 is the stream cipher algorithm used to encrypt the link from the telephone to the base station in the GSM system. According to [1], two versions of A5 exist: A5/1, the 'stronger' version, and A5/2, the 'weaker' version. The attacks on A5/1, utilizing the birthday paradox, are described in [2, 3]. The attack on A5/2 presented here is of algebraic nature. The scheme of the A5/2 algorithm is given in Fig. 1. The LFSR R4 clocks the LFSRs R1, ..., R3 in the stop/go manner. The feedback polynomials of the registers are: g1(x) = 1 + x^14 + x + x + x, g2(x) = 1 + x^21 + x, g3(x) = 1 + x^8 + x + x + x, g4(x) = 1 + x^12 + x. The function F is the majority function F(x1, x2, x3) = x1x2 + x1x3 + x2x3. The communication in the GSM system is performed through frames. Each frame consists of 228 bits. For every frame to be enciphered, the initialization procedure takes place, that yields the initial state of the LFSRs on the basis of the 64-bit secret key K and the 22-bit frame number F. During the initialization, the bits of the secret key are first imposed into all the LFSRs, at every clock pulse, without the stop/go clocking, starting from the LSB of each key byte. Then the bits of the frame number are imposed into all the LFSRs in the
Instituto de Física Aplicada (CSIC), Serrano 144, 28006 Madrid, Spain

35 citations


Book ChapterDOI
10 Jul 2000
TL;DR: Is it then impossible to construct a threshold cryptosystem in order to share the computation of a block cipher?
Abstract: Threshold cryptosystems use algebraic properties such as homomorphisms in order to allow several parties to jointly evaluate a cryptographic primitive. Several cryptographic primitives, however, avoid - by definition - the use of algebraic properties, or otherwise their security is compromised; this is the case, for instance, of block ciphers, pseudo-random functions, and pseudo-random permutations. Is it then impossible to construct a threshold cryptosystem in order to share the computation of a block cipher?

33 citations


Book ChapterDOI
14 Aug 2000
TL;DR: This work presents and analyzes attacks on additive stream ciphers that rely on linear equations that hold with non-trivial probability in plaintexts that are encrypted using distinct keys, and defines linear redundancy to characterize the vulnerability of a plaintext source to these attacks.
Abstract: We present and analyze attacks on additive stream ciphers that rely on linear equations that hold with non-trivial probability in plaintexts that are encrypted using distinct keys. These attacks extend Biham's key collision attack and Hellman's time-memory tradeoff attack, and can be applied to any additive stream cipher. We define linear redundancy to characterize the vulnerability of a plaintext source to these attacks. We show that an additive stream cipher with an n-bit key has an effective key size of n - min(l, lg M) against the key collision attack, and of 2n/3 + lg(n/3) + max(n - l, 0) against the time-memory tradeoff attack, when the attacker knows l linear equations over the plaintext and has M ciphertexts encrypted with M distinct unknown secret keys. Lastly, we analyze the IP, TCP, and UDP protocols and some typical protocol constructs, and show that they contain significant linear redundancy. We conclude with observations on the use of stream ciphers for Internet security.

27 citations


Book ChapterDOI
Jaechul Sung, Sangjin Lee, Jongin Lim, Seokhie Hong, Sangjoon Park
03 Dec 2000
TL;DR: It is the main result of this paper that the r-round (r ≥ 15) differential probabilities are bounded by p^4 if the maximum differential probability of a round function is p, and that an impossible differential of this structure does not exist if r ≥ 16.
Abstract: In this paper we introduce a structure iterated by the rule A of Skipjack and show that this structure is provably resistant against differential or linear attacks. It is the main result of this paper that the r-round (r ≥ 15) differential (or linear hull) probabilities are bounded by p^4 if the maximum differential (or linear hull) probability of a round function is p, and that an impossible differential of this structure does not exist if r ≥ 16. Applying this structure, which can be seen as a generalized Feistel structure, to block cipher designs brings out provable security against differential and linear attacks with some upper bounds on the probabilities. We also propose an interesting conjecture.

Book ChapterDOI
17 Aug 2000
TL;DR: In this article, the authors show how a well-balanced trade-off between a generic workstation and dumb but fast reconfigurable hardware can lead to a more efficient implementation of a cryptanalysis than a full hardware or a full software implementation.
Abstract: This paper shows how a well-balanced trade-off between a generic workstation and dumb but fast reconfigurable hardware can lead to a more efficient implementation of a cryptanalysis than a full hardware or a full software implementation. A realistic cryptanalysis of the A5/1 GSM stream cipher is presented as an illustration of such trade-off. We mention that our cryptanalysis requires only a minimal amount of cipher output and cannot be compared to the attack recently announced by Alex Biryukov, Adi Shamir and David Wagner[2].

01 Jan 2000
TL;DR: Evaluated ciphers like Rijndael and a modified version of block cipher E2 have stronger security than E2; the word-wise Markov (Feistel) cipher is evaluated, indicating that all three are provably secure against differential cryptanalysis.
Abstract: We propose a new method for evaluating the security of block ciphers against differential cryptanalysis and propose new structures for block ciphers. To this end, we define the word-wise Markov (Feistel) cipher and random output-differential (Feistel) cipher and clarify the relations among the differential, the truncated differential and the impossible differential cryptanalyses of the random output-differential (Feistel) cipher. This random output-differential (Feistel) cipher model uses a not too strong assumption because denying this approximation model is equivalent to denying truncated differential cryptanalysis. Utilizing these relations, we evaluate the truncated differential probability and the maximum average of differential probability of the word-wise Markov (Feistel) ciphers like Rijndael, E2 and the modified version of block cipher E2. This evaluation indicates that all three are provably secure against differential cryptanalysis, and that Rijndael and a modified version of block cipher E2 have stronger security than E2. Keywords: truncated differential cryptanalysis, truncated differential probability, maximum average of differential probability, generalized E2-like transformation, SPN-structure, word-wise Markov cipher, random output-differential cipher

Book ChapterDOI
14 Aug 2000
TL;DR: A general stream cipher with memory in which each ciphertext symbol depends on both the current and previous plaintext symbols, and each plaintext symbol affects both the current and previous ciphertext symbols, is pointed out.
Abstract: A general stream cipher with memory in which each cipher-text symbol depends on both the current and previous plaintext symbols, as well as each plaintext symbol depends on both the current and previous ciphertext symbols, is pointed out. It is shown how to convert any keystream generator into a stream cipher with memory and their security is discussed. It is proposed how to construct secure self-synchronizing stream ciphers, keyed hash functions, hash functions, and block ciphers from any secure stream cipher with memory. Rather new and unusual designs can thus be obtained, such as the designs of block ciphers and (keyed) hash functions based on clock-controlled shift registers only.

Journal ArticleDOI
TL;DR: A weakness in the key schedule is shown that for almost every key there exists on the average three and a half other keys such that the encryptions of plaintexts different in one of eight bytes yield ciphertexts also different in only one byte.
Abstract: In this paper we analyze the block cipher SAFER K. First, we show a weakness in the key schedule, that has the effect that for almost every key there exists on the average three and a half other keys such that the encryptions of plaintexts different in one of eight bytes yield ciphertexts also different in only one byte. Moreover, the differences in the keys, plaintexts, and ciphertexts are in the same byte. This enables us to do a related-key chosen plaintext attack on SAFER K, which finds the secret key. Also, the security of SAFER K, when used in standard hashing modes, is greatly reduced, which is illustrated. Second, we propose a new key schedule for SAFER K avoiding these problems. Third, we do differential cryptanalysis of SAFER K. We consider truncated differentials and apply them in an attack on five-round SAFER K, which finds the secret key much faster than by an exhaustive search.

01 Jan 2000
TL;DR: The design principles of the block cipher KASUMI are reviewed—especially its resistance against the basic forms of linear and differential cryptanalysis.
Abstract: In this paper, we discuss some of theory of provable security against differential and linear cryptanalysis. We also review the design principles of the block cipher KASUMI—especially its resistance against the basic forms of linear and differential cryptanalysis.

Journal ArticleDOI
TL;DR: This paper shows that Akelarre with any number of rounds is weak even under a ciphertext only attack, illustrating that mixing two (presumably) strong ciphers is not always a good idea.
Abstract: At the SAC'96 the iterated block cipher, Akelarre, was proposed. Akelarre uses components of the block ciphers RC5 and IDEA and is conjectured strong with four rounds. This paper shows that Akelarre with any number of rounds is weak even under a ciphertext only attack. This illustrates that mixing two (presumably) strong ciphers is not always a good idea.

Book
01 Jan 2000
TL;DR: The power of the Dealer in Non-interactive Zero-Knowledge Proof Systems and how to Exploit Nonces or Redundancy in Plaintexts for Efficient Cryptography.
Abstract: Cryptanalysis I.- Cryptanalytic Time/Memory/Data Tradeoffs for Stream Ciphers.- Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt '99.- Why Textbook ElGamal and RSA Encryption Are Insecure.- Cryptanalysis of the TTM Cryptosystem.- Attacking and Repairing Batch Verification Schemes.- IACR Distinguished Lecture.- Cryptography Everywhere.- Digital Signatures.- Security of Signed ElGamal Encryption.- From Fixed-Length to Arbitrary-Length RSA Padding Schemes.- Towards Signature-Only Signature Schemes.- A New Forward-Secure Digital Signature Scheme.- Unconditionally Secure Digital Signature Schemes Admitting Transferability.- Protocols I.- Efficient Secure Multi-party Computation.- Mix and Match: Secure Function Evaluation via Ciphertexts.- A Length-Invariant Hybrid Mix.- Attack for Flash MIX.- Distributed Oblivious Transfer.- Number Theoretic Algorithms.- Key Improvements to XTR.- Security of Cryptosystems Based on Class Groups of Imaginary Quadratic Orders.- Weil Descent of Elliptic Curves over Finite Fields of Characteristic Three.- Construction of Hyperelliptic Curves with CM and Its Application to Cryptosystems.- Symmetric-Key Schemes I.- Provable Security for the Skipjack-like Structure against Differential Cryptanalysis and Linear Cryptanalysis.- On the Pseudorandomness of Top-Level Schemes of Block Ciphers.- Exploiting Multiples of the Connection Polynomial in Word-Oriented Stream Ciphers.- Encode-Then-Encipher Encryption: How to Exploit Nonces or Redundancy in Plaintexts for Efficient Cryptography.- Protocols II.- Verifiable Encryption, Group Encryption, and Their Applications to Separable Group Signatures and Signature Sharing Schemes.- Addition of El Gamal Plaintexts.- Improved Methods to Perform Threshold RSA.- Commital Deniable Proofs and Electronic Campaign Finance.- Provably Secure Metering Scheme.- Invited Lecture.- CRYPTREC Project Cryptographic Evaluation Project for the Japanese Electronic Government.- 
Fingerprinting.- Anonymous Fingerprinting with Direct Non-repudiation.- Efficient Anonymous Fingerprinting with Group Signatures.- Zero-Knowledge and Provable Security.- Increasing the Power of the Dealer in Non-interactive Zero-Knowledge Proof Systems.- Zero-Knowledge and Code Obfuscation.- A Note on Security Proofs in the Generic Model.- Boolean Functions.- On Relationships among Avalanche, Nonlinearity, and Correlation Immunity.- Cryptanalysis II.- Cryptanalysis of the Yi-Lam Hash.- Power Analysis, What Is Now Possible...- Pseudorandomness.- Concrete Security Characterizations of PRFs and PRPs: Reductions and Applications.- Symmetric-Key Schemes II.- The Security of Chaffing and Winnowing.- Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm.- Increasing the Lifetime of a Key: A Comparative Analysis of the Security of Re-keying Techniques.- Proofs of Security for the Unix Password Hashing Algorithm.- Public-Key Encryption and Key Distribution.- Trapdooring Discrete Logarithms on Elliptic Curves over Rings.- Strengthening McEliece Cryptosystem.- Password-Authenticated Key Exchange Based on RSA.- Round-Efficient Conference Key Agreement Protocols with Provable Security.

Book ChapterDOI
14 Aug 2000
TL;DR: A new family of symmetric block ciphers based on group bases is introduced, which enables us to construct a trivial 8-bit Caesar cipher as well as a strong 256-bit cipher with 512-bit key, both from the same specification.
Abstract: We introduce a new family of symmetric block ciphers based on group bases. The main advantage of our approach is its full scalability. It enables us to construct, for instance, a trivial 8-bit Caesar cipher as well as a strong 256-bit cipher with 512-bit key, both from the same specification. We discuss the practical aspects of the design, especially the choice of carrier groups, generation of random group bases and an efficient factorization algorithm. We also describe how the cryptographic properties of the system are optimized, and analyze the influence of parameters on its security. Finally we present some experimental results regarding the speed and security of concrete ciphers from the family.



01 Jan 2000
TL;DR: Two applications of quantum algorithms to information security are discussed; the first is the cryptanalysis of block ciphers using Grover's algorithm and the second is the strength evaluation of block ciphers using Brassard, Høyer, Tapp's algorithm.
Abstract: Grover invented a quantum algorithm that finds a solution in only $O(\sqrt{2^{n}})$ steps whereas the exhaustive search algorithm needs $O(2^{n})$ steps on average. Brassard, Høyer, Tapp construct an algorithm that counts the number of the solutions for a searching problem. We discuss two applications of quantum algorithms to information security; the first is the cryptanalysis of block ciphers using Grover's algorithm and the second is the strength evaluation of block ciphers using Brassard, Høyer, Tapp's algorithm.

Book ChapterDOI
10 Dec 2000
TL;DR: A new block cipher called DONUT which is made by two pairwise perfect decorrelation modules is suggested which is secure against boomerang attack.
Abstract: Vaudenay [1] proposed a new way of protecting block ciphers against classes of attacks, which was based on the notion of decorrelation. He also suggested two block cipher families, COCONUT and PEANUT. Wagner [2] suggested a new differential-style attack called the boomerang attack and cryptanalysed COCONUT'98. In this paper we will suggest a new block cipher called DONUT which is made by two pairwise perfect decorrelation modules. DONUT is secure against the boomerang attack.

Book ChapterDOI
TL;DR: An interactive cryptanalysis software based on the Kasiski test, and a novel use of the Index of Coincidence (IC) concept are designed and implemented, showing that cryptanalysis is possible for very short text lengths where classical cryptanalysis methods fail.
Abstract: Though it dates back centuries, the Vigenere cipher is still a practical encryption method that can be efficiently used for many applications. We have designed and implemented an interactive cryptanalysis software based on the Kasiski test, and a novel use of the Index of Coincidence (IC) concept. Our results show that cryptanalysis is possible for very short text lengths where classical cryptanalysis methods fail. Furthermore, we have observed that our software, which is designed to work on English-based ciphertexts, can be successfully executed on ciphertexts based on other languages. Along the way, we also compute and report the IC values for Turkish and some other languages under a different number of enciphering alphabets.

Proceedings ArticleDOI
07 Mar 2000
TL;DR: Values computed from the derivation of the expected resistance of SPNs to linear cryptanalysis based on approximate linear hulls show that an SPN with a practical block size is expected to be secure against this attack after a reasonably small number of rounds.
Abstract: Block ciphers are an important class of cryptographic algorithms, often used for the efficient encryption of large volumes of information. They can serve as cryptographic primitives in larger security frameworks, for example, the systems used to conduct secure e-commerce over the Internet. A block cipher is a bijective mapping from N bits to N bits (N is called the block size) parameterized by a bitstring called a key, denoted k. Typically k is secret, known only to the communicating parties. Common block sizes are 64 and 128 bits. The input to a block cipher is called a plaintext, and the output is called a ciphertext. We consider a fundamental block cipher architecture known as a substitution-permutation network (SPN). Specifically, we investigate the resistance of SPNs to linear cryptanalysis, one of the most powerful attacks on block ciphers. Previous work on linear cryptanalysis of SPNs has been based on approximations known as linear characteristics, and has made use of two assumptions which do not hold in general. In order to demonstrate provable security of a block cipher against linear cryptanalysis, it is necessary to remove these two assumptions. This requires considering linear cryptanalysis based on families of approximations known as approximate linear hulls. The main contribution of this work is the derivation of the expected resistance of SPNs to linear cryptanalysis based on approximate linear hulls. Values computed from our result show that an SPN with a practical block size is expected to be secure against this attack after a reasonably small number of rounds.

Journal Article
TL;DR: Decorrelated Fast Cipher (DFC) as discussed by the authors is based on a decorrelation technique that provides provable security against several classes of attacks (in particular the basic version of E. Biham and A. Shamir's (1993) Differential Cryptanalysis as well as M. Matsui's (1994) Linear Cryptanalysis).
Abstract: In response to the call for candidates issued by the National Institute for Standards and Technologies (the Advanced Encryption Standard project) the Ecole Normale Superieure proposed a candidate called DFC (Decorrelated Fast Cipher). DFC is based on a decorrelation technique that provides provable security against several classes of attacks (in particular the basic version of E. Biham and A. Shamir's (1993) Differential Cryptanalysis as well as M. Matsui's (1994) Linear Cryptanalysis). From a practical point of view, this algorithm is naturally very efficient when it is implemented on 64-bit processors. The authors describe the implementation of DFC on a very low cost smart card based on the Motorola 6805 processor. The performances obtained prove that DFC is also well suited for low cost device applications.


01 Jan 2000
TL;DR: A new extension to the linear attack based on the application of a probabilistic counting method that allows the reduction of two consecutive rounds and forms the basis for mounting e.g. 3R attacks.
Abstract: At the beginning of the paper we describe the state of the art in linear cryptanalysis of block ciphers. We present algorithms for finding the best linear expressions proposed by Matsui (9) and Ohta (11). We sketch basic linear cryptanalysis (0R, 1R, 2R attacks) and the known extensions. We explain the advantages and the limitations of applying linear cryptanalysis and its extensions to block ciphers. In the second part of the paper we describe our proposal of a new extension to the linear attack based on the application of a probabilistic counting method. It allows the reduction of two consecutive rounds and forms the basis for mounting e.g. 3R attacks. We present experimental results of the implementation of this attack on the Data Encryption Standard.

Book ChapterDOI
08 Dec 2000
TL;DR: It is proved that in the case of a 4-round encryption function, these three types provide equal strength against the higher order differential attack and that in the case of 5 or more rounds, R-type is weaker than C-type and L-type; it is also shown that these facts hold similarly for the probabilistic higher order differential attack.
Abstract: We study the security against the higher order differential attack of block ciphers with a two-block structure which have provable security against differential and linear cryptanalysis. The two-block structures are classified into three types according to the location of the round function: C(Center)-type, R(Right)-type, and L(Left)-type. We prove that in the case of a 4-round encryption function, these three types provide equal strength against the higher order differential attack and that in the case of 5 or more rounds, R-type is weaker than C-type and L-type. Moreover, we show that these facts also hold similarly for the probabilistic higher order differential attack.

Journal Article
TL;DR: The results show that LOKI97 does not meet the needs of AES (Advanced Encryption Standard), and the authors can get the 92-bit subkey with 2^50 known plaintexts and the success rate is 0.967.
Abstract: In this paper, LOKI97 is analyzed using linear cryptanalysis. The results show that LOKI97 does not meet the needs of AES (Advanced Encryption Standard). Using algorithm 1 of linear cryptanalysis, the authors can get the 92-bit subkey with 2^50 known plaintexts and the success rate is 0.977; using algorithm 2 of linear cryptanalysis, it is possible to break LOKI97 with 2^45 known plaintexts and the success rate is 0.967.