
Showing papers on "Differential cryptanalysis published in 2001"


Journal ArticleDOI
TL;DR: Using the well-known principles in the cryptanalysis it is shown that these ciphers do not behave worse than the standard ones, opening in this way a novel approach to the design of block encryption cipher.
Abstract: This paper is devoted to the analysis of the impact of chaos-based techniques on block encryption ciphers. We present several chaos based ciphers. Using the well-known principles in the cryptanalysis we show that these ciphers do not behave worse than the standard ones, opening in this way a novel approach to the design of block encryption ciphers.

638 citations


Book ChapterDOI
TL;DR: The theoretical background of the wide trail design strategy, which was used to design Rijndael, the Advanced Encryption Standard (AES), and the own notation to describe differential and linear cryptanalysis are explained.
Abstract: We explain the theoretical background of the wide trail design strategy, which was used to design Rijndael, the Advanced Encryption Standard (AES). In order to facilitate the discussion, we introduce our own notation to describe differential and linear cryptanalysis. We present a block cipher structure and prove bounds on the resistance against differential and linear cryptanalysis.

214 citations


Book ChapterDOI
19 Aug 2001
TL;DR: In this paper, the authors study the security properties of on-line ciphers, which can take input plaintexts of large and varying lengths and output the ith block of the ciphertext after having processed only the first i blocks of the plaintext.
Abstract: We initiate a study of on-line ciphers. These are ciphers that can take input plaintexts of large and varying lengths and will output the ith block of the ciphertext after having processed only the first i blocks of the plaintext. Such ciphers permit length-preserving encryption of a data stream with only a single pass through the data. We provide security definitions for this primitive and study its basic properties. We then provide attacks on some possible candidates, including CBC with fixed IV. Finally we provide a construction called HCBC which is based on a given block cipher E and a family of AXU functions. HCBC is proven secure against chosen-plaintext attacks assuming that E is a PRP secure against chosen-plaintext attacks.

64 citations


Book ChapterDOI
06 May 2001
TL;DR: This paper presents attacks on reduced-round variants of both MISTy1 and MISTY2, without as well as with the key-dependent linear functions FL.
Abstract: The block ciphers MISTY1 and MISTY2 proposed by Matsui are based on the principle of provable security against differential and linear cryptanalysis. This paper presents attacks on reduced-round variants of both ciphers, without as well as with the key-dependent linear functions FL. The attacks employ collision-searching techniques and impossible differentials. KASUMI, a MISTY variant to be used in next generation cellular phones, can be attacked with the latter method faster than brute force when reduced to six rounds.

60 citations


Journal Article
TL;DR: A construction called HCBC is provided, based on a given block cipher E and a family of AXU functions, which is proven secure against chosen-plaintext attacks assuming that E is a PRP secure against chosen-plaintext attacks.
Abstract: We initiate a study of on-line ciphers. These are ciphers that can take input plaintexts of large and varying lengths and will output the ith block of the ciphertext after having processed only the first i blocks of the plaintext. Such ciphers permit length-preserving encryption of a data stream with only a single pass through the data. We provide security definitions for this primitive and study its basic properties. We then provide attacks on some possible candidates, including CBC with fixed IV. Finally we provide a construction called HCBC which is based on a given block cipher E and a family of AXU functions. HCBC is proven secure against chosen-plaintext attacks assuming that E is a PRP secure against chosen-plaintext attacks.

59 citations


Book ChapterDOI
09 Dec 2001
TL;DR: A nontrivial 9-round byte characteristic is shown, which may lead to a possible attack on a reduced-round version of Camellia without input/output whitening, FL or FL^-1 in a chosen-plaintext scenario.
Abstract: This paper describes truncated and impossible differential cryptanalysis of the 128-bit block cipher Camellia, which was proposed by NTT and Mitsubishi Electric Corporation. Our work improves on the best known truncated and impossible differential cryptanalysis. As a result, we show a nontrivial 9-round byte characteristic, which may lead to a possible attack on a reduced-round version of Camellia without input/output whitening, FL or FL^-1 in a chosen-plaintext scenario. Previously, only 6-round differentials were known, which may suggest a possible attack on Camellia reduced to 8 rounds. Moreover, we show a nontrivial 7-round impossible differential, whereas only a 5-round impossible differential was previously known. This cryptanalysis is effective against general Feistel structures with round functions composed of S-D (Substitution and Diffusion) transformations.

58 citations


Journal ArticleDOI
TL;DR: The interpolation attack is introduced, useful for attacking ciphers that use simple algebraic functions (in particular quadratic functions) as S-boxes, and attacks based on higher-order differentials are introduced.
Abstract: In this paper an attack on block ciphers is introduced, the interpolation attack. This method is useful for attacking ciphers that use simple algebraic functions (in particular quadratic functions) as S-boxes. Also, attacks based on higher-order differentials are introduced. They are special and important cases of the interpolation attacks. The attacks are applied to several block ciphers, the six-round prototype cipher by Nyberg and Knudsen, which is provably secure against ordinary differential cryptanalysis, a modified version of the block cipher SHARK, and a block cipher suggested by Kiefer.

49 citations


Book ChapterDOI
Soichi Furuya1
06 Dec 2001
TL;DR: Currently proposed slide attacks can still be enhanced so that every currently published known-plaintext analytic technique can be applied to a smaller part of a cipher with a weak key-scheduling part, which also makes it possible to declassify an unknown primitive used in a block cipher.
Abstract: Although many strong cryptanalytic tools exploit weaknesses in the data-randomizing part of a block cipher, relatively few general tools for cryptanalyzing the other part, the key-scheduling part, are known. A slide attack is an instance of an attack exploiting a key-schedule weakness. In this paper, currently proposed slide attacks are enhanced so that every currently published known-plaintext analytic technique can be applied to a smaller part of a cipher with a weak key-scheduling part. As an example, we demonstrate applications of a slide attack to linear cryptanalysis, in the case of a DES variant. In addition, we also show that our enhancement enables us to declassify an unknown primitive used in a block cipher. We test a block cipher, GOST, and show how to declassify the hidden 4-bit substitution tables.

44 citations


Journal ArticleDOI
Kaisa Nyberg1
TL;DR: Three correlation theorems for Boolean functions are presented with applications to cryptanalysis of block cipher and stream ciphers.

41 citations


Journal ArticleDOI
TL;DR: It is shown that GOST is secure against linear cryptanalysis after five rounds and against differential cryptanalysis after seven rounds.

29 citations


Patent
10 May 2001
TL;DR: In this article, a modified key is presented which is a fixed secret key (K) combined with a varying random non-secret byte sequence (J) of the same size as the key size of K.
Abstract: The security of the block cipher counter mode of operation can be improved, and stream ciphers can be converted to a "block-like" (stateless) mode of operation, by using a modified key which is a fixed secret key (K) combined with a varying random non-secret byte sequence (J) of the same size as the key size of K. In accordance with various embodiments, the modified key can be generated by XORing the fixed secret key with a varying random sequence that is newly generated for each plaintext message. Alternatively, the fixed secret key can be modified with a variable, non-secret initialization vector and used with stream ciphers. In still another embodiment, the key and sequence are concatenated and passed through a mask generation function.

01 Jan 2001
TL;DR: It is shown that there are indeed attacks faster than exhaustive key search in LILI-128, and a related key attack which has very low complexity, and which could be of practical significance if the cipher were used in a certain rather natural way.
Abstract: LILI-128 is a stream cipher that was submitted to NESSIE. Strangely, the designers do not really seem to have tried to ensure that cryptanalysis is no easier than by exhaustive key search. We show that there are indeed attacks faster than exhaustive key search. We also demonstrate a related key attack which has very low complexity, and which could be of practical significance if the cipher were used in a certain rather natural way.

Journal ArticleDOI
TL;DR: The linear components play an essential role in the effect of the nonlinear S-boxes in providing resistance against differential and linear cryptanalysis, and upper bounds are provided for the probability of differential characteristics and the correlation of linear approximations for the general structure.
Abstract: In this paper we generalize the structure of the ciphers Shark, Square, BKSQ, Crypton and Rijndael. We show that the linear components play an essential role in the effect of the nonlinear S-boxes in providing resistance against differential and linear cryptanalysis and provide upper bounds for the probability of differential characteristics and the correlation of linear approximations for the general structure. We show how good linear components can be constructed efficiently from Maximum-Distance Separable codes. The presented block cipher structure can make optimal use of a wide range of processor word lengths and its parallelism allows very fast dedicated hardware implementations. Ciphers with variable block length can be constructed by varying certain parameters in the presented structure.

Book
31 Aug 2001
TL;DR: This book discusses Classical Cryptographic Techniques, Symmetric Computer-Based Cryptology, and Zero-Knowledge Identification Protocols, as well as law and issues Regarding Cryptography.
Abstract: 1. Origins, Examples, and Ideas in Cryptology. A Crypto-Chronology. Cryptology and Mathematics: Functions. Crypto: Models, Maxims, and Mystique. 2. Classical Cryptographic Techniques. Shift Ciphers and Modular Arithmetic. Affine Ciphers; More Modular Arithmetic. Substitution Ciphers. Transposition Ciphers. Polyalphabetic Substitutions. Probability and Expectation. The Friedman and Kasiski Tests. Cryptanalysis of the Vigenère Cipher. The Hill Cipher; Matrices. 3. Symmetric Computer-Based Cryptology. Number Representation. Boolean and Numerical Functions. Computational Complexity. Stream Ciphers and Feedback Shift Registers. Block Ciphers. Hash Functions. 4. Public-Key Cryptography. Primes, Factorization, and the Euclidean Algorithm. The Merkle-Hellman Knapsack. Fermat's Little Theorem. The RSA Public-Key Cryptosystem. Key Agreement. Digital Signatures. Zero-Knowledge Identification Protocols. 5. Case Studies and Issues. Case Study I: DES. Case Study II: PGP. Public-Key Infrastructure. Law and Issues Regarding Cryptography. Glossary. Bibliography. Table of Primes. Answers to Selected Exercises. Index.

Proceedings ArticleDOI
22 Apr 2001
TL;DR: It is concluded that, although it can take significantly longer to resynchronize, SCFB mode can be used to provide self-synchronizing implementations for stream ciphers that are much more efficient than conventional CFB mode and that have error propagation characteristics similar to CFB mode.
Abstract: In this paper, we examine a recently proposed mode of operation for block ciphers which we refer to as statistical cipher feedback (SCFB) mode. SCFB mode configures the block cipher as a keystream generator for use in a stream cipher such that it has the property of statistical self-synchronization, thereby allowing the stream cipher to recover from slips in the communications channel. Statistical self-synchronization involves feeding back ciphertext to the input of the keystream generator similar to the conventional cipher feedback (CFB) mode of block ciphers, except that the feedback only occurs when a special pattern is recognized in the ciphertext. In the paper, we examine the efficiency, resynchronization, and error propagation characteristics of SCFB and compare these to the conventional modes of CFB, output feedback (OFB), and counter mode. In particular, we study these characteristics of SCFB as a function of the synchronization pattern size. We conclude that, although it can take significantly longer to resynchronize, SCFB mode can be used to provide self-synchronizing implementations for stream ciphers that are much more efficient than conventional CFB mode and that have error propagation characteristics similar to CFB mode.

Proceedings ArticleDOI
27 Mar 2001
TL;DR: This paper presents a new method to build up dynamic look-up tables (s-boxes) changing with every change of the secret key in addition to an evaluation criterion of block ciphers that leads to more secure block cipher systems.
Abstract: Block cipher systems are widely used in cryptographic applications. The main problem in implementing any block cipher system is the fixed structure of s-boxes elements. In this paper we present a new method to build up dynamic look-up tables (s-boxes) changing with every change of the secret key in addition to an evaluation criterion of block ciphers. This new approach leads to more secure block cipher systems and consequently solves the problem of the fixed structure block ciphers.

Journal Article
TL;DR: This work investigates the relations between the functions which oppose a high resistance to linear cryptanalysis and to differential cryptanalysis, and investigates the links between the underlying properties.
Abstract: Most last-round attacks on iterated block ciphers provide some design criteria for the round function. Here, we focus on the links between the underlying properties. Most notably, we investigate the relations between the functions which oppose a high resistance to linear cryptanalysis and to differential cryptanalysis.

Book ChapterDOI
TL;DR: A new stream cipher family whose output bits are produced in blocks, based on a new technique called crossing over which allows stream ciphering to be vectorized using nonlinear shift registers, offers very high cryptographic security and much higher encryption speed.
Abstract: This paper presents a new stream cipher family whose output bits are produced in blocks. We particularly focus on the member of this family producing 128-bit blocks with a 256-bit key. The design is based on a new technique called crossing over which allows stream ciphering to be vectorized using nonlinear shift registers. These algorithms offer very high cryptographic security and much higher encryption speed than any existing stream ciphers or block ciphers, particularly the AES candidates. A cryptanalysis challenge with a 1000 euro reward is proposed.

Book ChapterDOI
02 Apr 2001
TL;DR: This paper proves that the five round MISTY type structure is super-pseudorandom, and characterize its round security.
Abstract: The security of an iterated block cipher heavily depends on its structure as well as on each round function. Matsui showed that the MISTY type structure is faster and more robust than the Feistel structure against linear cryptanalysis and differential cryptanalysis. On the other hand, Luby and Rackoff proved that the four round Feistel structure is super-pseudorandom if each round function fi is a random function. This paper proves that the five round MISTY type structure is super-pseudorandom. We also characterize its round security.

Book ChapterDOI
02 Apr 2001
TL;DR: This revised version of the paper includes the exact computations of some probabilities and repairs the attack of the first half of Skipjack.
Abstract: This paper is motivated by some results presented by Knudsen, Robshaw and Wagner at Crypto'99, which described many attacks on reduced versions of Skipjack, some of them being erroneous. Differential cryptanalysis is based on distinguishers: any attack should prove that the event that triggers the analysis does not have the same probability for the cipher as for a random function. In particular, the composition of differentials for successive parts of a cipher should be done very carefully to lead to an attack. This revised version of the paper includes the exact computations of some probabilities and repairs the attack on the first half of Skipjack.

Journal ArticleDOI
TL;DR: The paper demonstrates the effectiveness of information leakage as a measure of cipher security by relating information leakage to linear cryptanalysis and by determining a lower bound on the amount of data required in an attack from an upper bound on information leakage.
Abstract: We examine the information leakage between sets of plaintext and ciphertext bits in symmetric-key block ciphers. The paper demonstrates the effectiveness of information leakage as a measure of cipher security by relating information leakage to linear cryptanalysis and by determining a lower bound on the amount of data required in an attack from an upper bound on information leakage. As well, a model is developed which is used to estimate the upper bound on the information leakage of a general Feistel (1975) block cipher. For a cipher that fits the model well, the results of the analysis can be used as a measure in determining the number of rounds required for security against attacks based on information leakage. It is conjectured that the CAST-128 cipher fits the model well and using the model it is predicted that information leaked from 20 or fewer plaintext bits is small enough to make an attack on CAST-128 infeasible.

Proceedings ArticleDOI
13 May 2001
TL;DR: This paper proposes a new model for stream ciphers which does not make use of LFSRs, and is based on a cascade of small substitution boxes (s-boxes) which has good statistical properties.
Abstract: Many stream cipher designs based on linear feedback shift registers (LFSRs) with non-linear combining functions are susceptible to various versions of the correlation attack. In this paper we propose a new model for stream ciphers which does not make use of LFSRs. Instead, our stream ciphers are based on a cascade of small substitution boxes (s-boxes). Like the RC4 stream cipher designed by Ron Rivest, the cascade stream cipher makes use of evolving s-boxes and pointers. However, instead of using one large s-box we employ a cascade of several small s-boxes. Two parameters of this family of stream ciphers are the size of the individual s-boxes and the length of the cascade. If we use n-bit s-boxes, then each output of the stream cipher is an n-bit block. By way of example, a cascade consisting of 16 2-bit s-boxes would have an effective key length which is adequate for most practical applications. The number of s-boxes in the cascade can be increased if we desire more security. Our studies to date indicate that the cascade cipher has good statistical properties. The new cascade stream cipher requires relatively little storage and executes efficiently in both hardware and software.

Book
25 Apr 2001
TL;DR: Attacks on Additive Encryption of Redundant Plaintext and Implications on Internet Security and the Implementation of Cryptosystems Based on Real Quadratic Number Fields are analyzed.
Abstract: Cryptanalysis I- Analysis of IS-95 CDMA Voice Privacy- Attacks on Additive Encryption of Redundant Plaintext and Implications on Internet Security- Cryptanalysis of the "Augmented Family of Cryptographic Parity Circuits" Proposed at ISW'97- Block Ciphers - New Designs- Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms - Design and Analysis- DFCv2- The Block Cipher Hierocrypt- Symmetric Block Ciphers Based on Group Bases- Elliptic Curves and Efficient Implementations- Speeding up the Arithmetic on Koblitz Curves of Genus Two- On Complexity of Polynomial Basis Squaring in F_2^m- Security Protocols and Applications- Dynamic Multi-threshold Metering Schemes- Chained Stream Authentication- A Global PMI for Electronic Content Distribution- Block Ciphers and Hash Functions- A Polynomial-Time Universal Security Amplifier in the Class of Block Ciphers- Decorrelation over Infinite Domains: The Encrypted CBC-MAC Case- HAS-V: A New Hash Function with Variable Output Length- Boolean Functions and Stream Ciphers- On Welch-Gong Transformation Sequence Generators- Modes of Operation of Stream Ciphers- LILI Keystream Generator- Improved Upper Bound on the Nonlinearity of High Order Correlation Immune Functions- Public Key Systems- Towards Practical Non-interactive Public Key Cryptosystems Using Non-maximal Imaginary Quadratic Orders (Extended Abstract)- On the Implementation of Cryptosystems Based on Real Quadratic Number Fields (Extended Abstract)- Cryptanalysis II- Root Finding Interpolation Attack- Differential Cryptanalysis of Reduced Rounds of GOST- Practical Security Evaluation against Differential and Linear Cryptanalyses for Feistel Ciphers with SPN Round Function

Book ChapterDOI
16 Dec 2001
TL;DR: In this paper, the authors investigate the relations between the functions which oppose a high resistance to linear cryptanalysis and to differential cryptanalysis, and investigate the links between the underlying properties.
Abstract: Most last-round attacks on iterated block ciphers provide some design criteria for the round function. Here, we focus on the links between the underlying properties. Most notably, we investigate the relations between the functions which oppose a high resistance to linear cryptanalysis and to differential cryptanalysis.

Book ChapterDOI
02 Apr 2001
TL;DR: In this article, the authors note that the submission document of Q describes 12 one-round iterative characteristics with probability 2^-18 each on 7 rounds, and that the author of Q claims these are the best 7-round characteristics.
Abstract: Q is a block cipher based on Rijndael and Serpent, which was submitted as a candidate to the NESSIE project by Leslie McBride. The submission document of Q describes 12 one-round iterative characteristics with probability 2^-18 each. On 7 rounds these characteristics have probability 2^-126, and the author of Q claims that these are the best 7-round characteristics. We find additional one-round characteristics that can be extended to more rounds. We also combine the characteristics into differentials. We present several differential attacks on the full cipher. Our best attack on the full Q with 128-bit keys (8 rounds) uses 2^105 chosen plaintexts and has a complexity of 2^77 encryptions. Our best attack on the full Q with larger key sizes (9 rounds) uses 2^125 chosen ciphertexts, and has a complexity of 2^96 for 192-bit keys, and 2^128 for 256-bit keys.

Posted Content
TL;DR: A new family of very fast stream ciphers called COS (for “crossing over system”) has been proposed by Filiol and Fontaine, and seems to have been adopted for at least one commercial standard.
Abstract: A new family of very fast stream ciphers called COS (for “crossing over system”) has been proposed by Filiol and Fontaine, and seems to have been adopted for at least one commercial standard. COS(2,128) Mode I and COS(2,128) Mode II are particular members of this family for which the authors proposed a cryptanalysis challenge. The ciphers accept secret keys of 256, 192 or 128 bits. In this note we cryptanalyse both of these ciphers, using a small amount of known keystream — with negligible effort in the case of Mode II, and with effort well below that required for a single DES key search in the case of Mode I.

Book ChapterDOI
02 Apr 2001
TL;DR: In this paper, the authors presented two new differential properties of multiplication operations with probability about 1/2, which they used to design a one-round iterative characteristic of Nimbus and iterate it to a characteristic of the full cipher with probability 1/32.
Abstract: Nimbus is a block cipher submitted as a candidate to the NESSIE project by Alexis Machado. Like many other ciphers, Nimbus combines multiplication operations with XOR operations, a common technique to protect against various kinds of cryptanalysis. In this paper we present two new differential properties of multiplication operations with probability about 1/2 which we use to design a one-round iterative characteristic of Nimbus. We iterate it to a characteristic of the full cipher with probability 1/32, which in turn we use to attack the full cipher and find all the key material using 256 chosen plaintexts and 2^10 complexity. Thus, we show that the inclusion of multiplication operations in a cipher does not necessarily protect against attacks.