Showing papers on "Differential cryptanalysis published in 2002"


Proceedings Article
04 Feb 2002
TL;DR: This paper considers a cryptanalytic approach called integral cryptanalysis, which can be seen as a dual to differential cryptanalysis and applies to ciphers not vulnerable to differential attacks.
Abstract: This paper considers a cryptanalytic approach called integral cryptanalysis. It can be seen as a dual to differential cryptanalysis and applies to ciphers not vulnerable to differential attacks. The method is particularly applicable to block ciphers which use bijective components only.

419 citations


Book ChapterDOI
28 Nov 2002
TL;DR: This paper reduces the cryptanalysis of a stream cipher to solving a system of multivariate equations that is overdefined (many more equations than unknowns), and adapts the XL method, introduced at Eurocrypt 2000 for overdefined quadratic systems, to solving equations of higher degree.
Abstract: Many stream ciphers are built of a linear sequence generator and a non-linear output function f. There is an abundant literature on (fast) correlation attacks, that use linear approximations of f to attack the cipher. In this paper we explore higher degree approximations, much less studied. We reduce the cryptanalysis of a stream cipher to solving a system of multivariate equations that is overdefined (many more equations than unknowns). We adapt the XL method, introduced at Eurocrypt 2000 for overdefined quadratic systems, to solving equations of higher degree. Though the exact complexity of XL remains an open problem, there is no doubt that it works perfectly well for such largely overdefined systems as ours, and we confirm this by computer simulations. We show that using XL, it is possible to break stream ciphers that were known to be immune to all previously known attacks. For example, we cryptanalyse the stream cipher Toyocrypt accepted to the second phase of the Japanese government Cryptrec program. Our best attack on Toyocrypt takes 2^92 CPU clocks for a 128-bit cipher. The interesting feature of our XL-based higher order correlation attacks is their very loose requirements on the known keystream needed. For example they may work knowing ONLY that the ciphertext is in English.

216 citations


Journal ArticleDOI
TL;DR: This paper presents a detailed tutorial on linear cryptanalysis and differential cryptanalysis, the two most significant attacks applicable to symmetric-key block ciphers, based on the analysis of a simple, yet realistically structured, basic Substitution-Permutation Network cipher.
Abstract: In this paper, we present a detailed tutorial on linear cryptanalysis and differential cryptanalysis, the two most significant attacks applicable to symmetric-key block ciphers. The intent of the paper is to present a lucid explanation of the attacks, detailing the practical application of the attacks to a cipher in a simple, conceptually revealing manner for the novice cryptanalyst. The tutorial is based on the analysis of a simple, yet realistically structured, basic Substitution-Permutation Network cipher. Understanding the attacks as they apply to this structure is useful, as the Rijndael cipher, recently selected for the Advanced Encryption Standard (AES), has been derived from the basic SPN architecture. As well, experimental data from the attacks is presented as confirmation of the applicability of the concepts as outlined.

189 citations


Book ChapterDOI
18 Aug 2002
TL;DR: In this article, a cryptanalytical technique for distinguishing some stream ciphers from a truly random process is described, where the output of the cipher can be the linear sum of both processes.
Abstract: We describe a cryptanalytical technique for distinguishing some stream ciphers from a truly random process. Roughly, the ciphers to which this method applies consist of a "non-linear process" (say, akin to a round function in block ciphers), and a "linear process" such as an LFSR (or even fixed tables). The output of the cipher can be the linear sum of both processes. To attack such ciphers, we look for any property of the "non-linear process" that can be distinguished from random. In addition, we look for a linear combination of the linear process that vanishes. We then consider the same linear combination applied to the cipher's output, and try to find traces of the distinguishing property. In this report we analyze two specific "distinguishing properties". One is a linear approximation of the non-linear process, which we demonstrate on the stream cipher SNOW. This attack needs roughly 2^95 words of output, with work-load of about 2^100. The other is a "low-diffusion" attack, that we apply to the cipher Scream-0. The latter attack needs only about 2^43 bytes of output, using roughly 2^50 space and 2^80 time.

130 citations



Book ChapterDOI
01 Dec 2002
TL;DR: In this article, the authors presented an extension of differential-linear cryptanalysis in which the inherited linear probability is smaller than 1. They applied their technique to 8-round DES and used it to attack COCONUT98 with time complexity 2^33.7 encryptions.
Abstract: Differential cryptanalysis analyzes ciphers by studying the development of differences during encryption. Linear cryptanalysis is similar but is based on studying approximate linear relations. In 1994, Langford and Hellman showed that both kinds of analysis can be combined together by a technique called differential-linear cryptanalysis, in which the differential part creates a linear approximation with probability 1. They applied their technique to 8-round DES. In this paper we present an enhancement of differential-linear cryptanalysis in which the inherited linear probability is smaller than 1. We use this extension to describe a differential-linear distinguisher for a 7-round reduced version of DES, and to present the best known key-recovery attack on a 9-round reduced version of DES. We use our enhanced technique to attack COCONUT98 with time complexity 2^33.7 encryptions and 2^27.7 chosen plaintexts.

93 citations


Book ChapterDOI
02 May 2002
TL;DR: It is shown that some properties of highly nonlinear functions as round functions enable us to find a new upper bound for the degree of the product of its Boolean components.
Abstract: To improve the security of iterated block ciphers, the resistance against linear cryptanalysis has been formulated in terms of provable security which suggests the use of highly nonlinear functions as round functions. Here, we show that some properties of such functions enable us to find a new upper bound for the degree of the product of its Boolean components. Such an improvement holds when all values occurring in the Walsh spectrum of the round function are divisible by a high power of 2. This result leads to a higher order differential attack on any 5-round Feistel ciphers using an almost bent substitution function. We also show that the use of such a function is precisely the origin of the weakness of a reduced version of MISTY1 reported in [23, 1].

75 citations


Journal Article
TL;DR: In this paper, it was shown that a higher order differential attack on any 5-round Feistel ciphers using an almost bent substitution function can be achieved by finding a new upper bound for the degree of the product of its Boolean components, where all values occurring in the Walsh spectrum are divisible by a high power of 2.
Abstract: To improve the security of iterated block ciphers, the resistance against linear cryptanalysis has been formulated in terms of provable security which suggests the use of highly nonlinear functions as round functions. Here, we show that some properties of such functions enable us to find a new upper bound for the degree of the product of its Boolean components. Such an improvement holds when all values occurring in the Walsh spectrum of the round function are divisible by a high power of 2. This result leads to a higher order differential attack on any 5-round Feistel ciphers using an almost bent substitution function. We also show that the use of such a function is precisely the origin of the weakness of a reduced version of MISTY1 reported in [23, 1].

72 citations


Journal Article
TL;DR: A large class of linear correlations in the Bluetooth combiner, unconditioned or conditioned on the output or on both the output and one input, are found and an attack on the Bluetooth stream cipher that can reconstruct the 128-bit secret key with complexity about 2^70 from about 45 initializations is proposed.
Abstract: A general linear iterative cryptanalysis method for solving binary systems of approximate linear equations which is also applicable to keystream generators producing short keystream sequences is proposed. A linear cryptanalysis method for reconstructing the secret key in a general type of initialization schemes is also developed. A large class of linear correlations in the Bluetooth combiner, unconditioned or conditioned on the output or on both the output and one input, are found and characterized. As a result, an attack on the Bluetooth stream cipher that can reconstruct the 128-bit secret key with complexity about 2^70 from about 45 initializations is proposed. In the precomputation stage, a database of about 2^80 103-bit words has to be sorted out.

72 citations


Journal ArticleDOI
TL;DR: A mini version of Rijndael, the symmetric-key block cipher selected as the Advanced Encryption Standard (AES) recently, that has all the parameters significantly reduced while at the same time preserving its original structure is presented.
Abstract: In this paper, we present a mini version of Rijndael, the symmetric-key block cipher selected as the Advanced Encryption Standard (AES) recently. Mini-AES has all the parameters significantly reduced while at the same time preserving its original structure. It is meant to be a purely educational cipher and is not considered secure for actual applications. The purpose is such that once undergraduate students and amateur cryptanalysts have grasped the basic principles behind how Mini-AES works, it will be easy for them to move on to the real AES. At the same time, an illustration of how the Square attack can be applied to Mini-AES is presented in the hope that Mini-AES would also serve as a testbed for students to begin their cryptanalysis efforts.

55 citations


Book ChapterDOI
04 Feb 2002
TL;DR: A new attack is presented - the Slicing Attack - on the 4-round version of the block cipher MISTY1, which makes use of the special structure and position of these key-dependent linear FL functions.
Abstract: The block cipher MISTY1 [9] proposed for the NESSIE project [11] is a Feistel network augmented with key-dependent linear FL functions. The proposal allows a variable number of rounds provided that it is a multiple of four. Here we present a new attack - the Slicing Attack - on the 4-round version, which makes use of the special structure and position of these key-dependent linear FL functions. While the FL functions were introduced to make attacks harder, they also present a subtle weakness in the 4-round version of the cipher.


Posted Content
TL;DR: In this article, it was shown that the existence of distinguishing attacks against stream ciphers is unrelated to their security in practical use, and in particular that the amount of data required to perform a distinguishing attack was unrelated to the key length of the cipher.
Abstract: We demonstrate that the existence of distinguishing attacks against stream ciphers is unrelated to their security in practical use, and in particular that the amount of data required to perform a distinguishing attack is unrelated to the key length of the cipher. The implication for the NESSIE Project is that no submitted symmetric cipher would be accepted under the unpublished rules for distinguishing attacks, not even the block ciphers in Counter Mode or Out-

Book ChapterDOI
09 Dec 2002
TL;DR: This paper applies related-cipher attack to block cipher SQUARE and shows that SQUARE is vulnerable to this attack and that a new AES key schedule proposed at ACISP02 is weaker than the original one under this attack.
Abstract: We formally introduce the concept of related-cipher attack. In this paper, we consider the related ciphers as block ciphers with the same round function but with different round numbers. If their key schedules do not depend on the total round number, then related-cipher attack could be applied if the same key is used. We applied this attack to block cipher SQUARE and show that SQUARE is vulnerable to this attack. We also show that a new AES key schedule proposed at ACISP02 is weaker than the original one under this attack. We then classify the differential attacks into three categories: related-message attack (the original differential cryptanalysis), related-key attack and related-cipher attack. These attacks should be taken into consideration in cipher design.

01 Jan 2002
TL;DR: This report summarizes readings in the area of the crypt- analysis of block ciphers and tries to list and give an intuitive description of the most important cryptanalytic techniques published up to 2002.
Abstract: This report summarizes readings in the area of the cryptanalysis of block ciphers. Historically, the academic field started in 1981 with the first CRYPTO conference and observations on some undesirable properties of the DES. Practically, most cryptanalytic techniques were developed in the 1990s. A number of them are variants of two decisive progresses in the field. Differential cryptanalysis was found by Biham and Shamir and presented at CRYPTO 90. Linear cryptanalysis was developed by Matsui and presented at EUROCRYPT 93. From these times plenty of papers tried to take advantage of these techniques in different attempts to break public ciphers and some of these papers introduced original improvements. These two techniques also led to the development of criteria for security evaluation of block ciphers. Recently designed block ciphers like the Advanced Encryption Standard Rijndael have been based on the idea of provable security against these two attacks and their improvements. This work tries to list and give an intuitive description of the most important cryptanalytic techniques published up to 2002. No technical details are given and the interested reader is referred to the bibliography if exhaustive information is requested.

Book ChapterDOI
Changhoon Lee, Deukjo Hong, Sungjae Lee, Sangjin Lee, Hyung Jin Yang, Jongin Lim
09 Dec 2002
TL;DR: The resistance of the reduced 5-round version of the block cipher CIKS-1 against linear cryptanalysis (LC) is evaluated and it is presented that the attack requires about 2^36 chosen plaintexts and 1/5 × 2^32 × 2^36 ≈
Abstract: In this paper, we firstly evaluate the resistance of the reduced 5-round version of the block cipher CIKS-1 against linear cryptanalysis (LC). A feature of the CIKS-1 is the use of both Data-Dependent Permutations (DDP) and internal key scheduling which consists in data-dependent transformation of the round subkeys. Taking into account the structure of CIKS-1 we investigate linear approximation. That is, we consider 16 linear approximations with p = 3/4 for 16 parallel modulo 2^2 additions to construct one-round linear approximation and derive one-round linear approximation with the probability of P = 1/2 + 2^-17 by the Piling-Up lemma. Also we estimate that the P is a valid probability of one-round approximation and achieve that the probability P for one-round approximation is better than 1/2 + 2^-17 through experiments. Then we construct 3-round linear approximation with P = 1/2 + 2^-17 using this one-round approximation and can attack the reduced 5-round CIKS-1 with 64-bit block by LC. In conclusion, we present that our attack requires about 2^36 chosen plaintexts with a probability of success of 78.5% and 1/5 × 2^32 × 2^36 ≈ 2^65.7 encryption times to recover the last round (5-round) key. In addition, we discuss a few improvements of the cipher CIKS-1.

Journal ArticleDOI
TL;DR: This paper begins to develop a framework for the differential cryptanalysis of key-dependent S-boxes, and introduces some basic techniques that were used in an analysis of reduced-round Twofish.
Abstract: Key-dependent S-boxes gained some prominence in block cipher design when Twofish became an AES finalist. In this paper we make some observations on how the cryptanalyst might work with key-dependent S-boxes, we begin to develop a framework for the differential cryptanalysis of key-dependent S-boxes, and we introduce some basic techniques that were used in an analysis of reduced-round Twofish.

Book ChapterDOI
Jongsung Kim, Dukjae Moon, Wonil Lee, Seokhie Hong, Sangjin Lee, Seokwon Jung
01 Dec 2002
TL;DR: In this article, the authors discuss the security of SHACAL against an amplified boomerang attack and present attacks on reduced-round SHA-1 block cipher with various key sizes.
Abstract: SHACAL is a 160-bit block cipher based on the hash standard SHA-1, as a submission to NESSIE. SHACAL uses the XOR, modular addition operation and the functions of bit-by-bit manner. These operations and functions make the differential cryptanalysis difficult, i.e., it is hard to find a long differential characteristic with high probability. But, we can find short differential characteristics with high probabilities. Using this fact, we discuss the security of SHACAL against an amplified boomerang attack. We find a 36-step boomerang-distinguisher and present attacks on reduced-round SHACAL with various key sizes. We can attack 39-step SHACAL with 256-bit key, and 47-step SHACAL with 512-bit key. In addition, we present differential attacks of reduced-round SHACAL with various key sizes.

Book ChapterDOI
15 Aug 2002
TL;DR: In this article, the security of three-round Feistel ladders over arbitrary groups was analyzed and a four-round Luby-Rackoff cipher was constructed.
Abstract: This work initiates a study of Luby-Rackoff ciphers when the bitwise exclusive-or (XOR) operation in the underlying Feistel network is replaced by a binary operation in an arbitrary finite group. We obtain various interesting results in this context: First, we analyze the security of three-round Feistel ladders over arbitrary groups. We examine various Luby-Rackoff ciphers known to be insecure when XOR is used. In some cases, we can break these ciphers over arbitrary Abelian groups and in other cases, however, the security remains an open problem. Next, we construct a four round Luby-Rackoff cipher, operating over finite groups of characteristic greater than 2, that is not only completely secure against adaptive chosen plaintext and ciphertext attacks, but has better time / space complexity and uses fewer random bits than all previously considered Luby-Rackoff ciphers of equivalent security in the literature. Surprisingly, when the group is of characteristic 2 (i.e., the underlying operation on strings is bitwise exclusive-or), the cipher can be completely broken in a constant number of queries. Notably, for the former set of results dealing with three rounds (where we report no difference) we need new techniques. However for the latter set of results dealing with four rounds (where we prove a new theorem) we rely on a generalization of known techniques, albeit one that requires a new type of hash function family, called a monosymmetric hash function family, which we introduce in this work. We also discuss the existence (and construction) of this function family over various groups, and argue the necessity of this family in our construction. Moreover, these functions can be very easily and efficiently implemented on most current microprocessors thereby rendering the four round construction very practical.

Book ChapterDOI
Dukjae Moon, Kyungdeok Hwang, Wonil Lee, Sangjin Lee, Jongin Lim
04 Feb 2002
TL;DR: The impossible differential cryptanalysis of reduced-round versions of XTEA and TEA is presented, and it is shown how to construct a 12-round impossible characteristic of X TEA and how to derive 128-bit user key of the 11-round TEA.
Abstract: We present the impossible differential cryptanalysis of the block ciphers XTEA [7] and TEA [6]. The core of the design principle of these block ciphers is an easy implementation and a simplicity. But this simplicity does not offer a large diffusion property. Our impossible differential cryptanalysis of reduced-round versions of XTEA and TEA is based on this fact. We will show how to construct a 12-round impossible characteristic of XTEA. We can then derive the 128-bit user key of the 14-round XTEA with 2^62.5 chosen plaintexts and 2^85 encryption times using the 12-round impossible characteristic. In addition, we will show how to construct a 10-round impossible characteristic of TEA. Then we can derive the 128-bit user key of the 11-round TEA with 2^52.5 chosen plaintexts and 2^84 encryption times using the 10-round impossible characteristic.

Book ChapterDOI
11 Sep 2002
TL;DR: An analytical calculation of the success probability of differential and linear cryptanalytic attacks is presented, applying to an extended sense of the term "success" where the correct key is found not necessarily as the highest- ranking candidate but within a set of highest-ranking candidates.
Abstract: Despite their widespread usage in block cipher analysis, the success probability estimation of differential and linear cryptanalytic attacks has traditionally been carried out in a rather ad hoc fashion. In this paper, we present an analytical calculation of the success probability of these attacks. Besides providing a sound formulation of the success probabilities, the analysis reveals some previously unnoticed factors affecting the success of an attack, such as the attacked key length in differential cryptanalysis. The results apply to an extended sense of the term "success" where the correct key is found not necessarily as the highest-ranking candidate but within a set of highest-ranking candidates.

Book ChapterDOI
04 Feb 2002
TL;DR: In this paper, the authors apply multiple linear cryptanalysis to a reduced round RC6 block cipher and show that 18-round RC6 with weak key is breakable by using the multiple linear attack.
Abstract: In this paper, we apply multiple linear cryptanalysis to a reduced round RC6 block cipher. We show that 18-round RC6 with weak key is breakable by using the multiple linear attack.

Journal Article
TL;DR: In this paper, the authors proved that the five-round MISTY type structure is super-pseudorandom and also characterized its round security, and they showed that the four-round Feistel structure is also super pseudorandom if each round function is a random function.
Abstract: The security of an iterated block cipher heavily depends on its structure as well as each round function. Matsui showed that MISTY type structure is faster and more robust than Feistel structure on linear cryptanalysis and differential cryptanalysis. On the other hand, Luby and Rackoff proved that the four round Feistel structure is super-pseudorandom if each round function f_i is a random function. This paper proves that the five round MISTY type structure is super-pseudorandom. We also characterize its round security.

Proceedings ArticleDOI
07 Aug 2002
TL;DR: By employing a mutation algorithm comprised of cryptographically proven modular arithmetic and Feistel networks, it is hoped that such a symmetric block cipher will be resistant to modern cryptanalytic attacks, such as differential and linear attacks.
Abstract: In this paper, the applicability of using multilayer perceptron (MLP) networks in symmetric block ciphers is explored. A prototype symmetric block cipher is proposed. It employs an MLP network that decides on the algorithm used for encryption. The MLP network is, in turn, dependent on the secret key. By employing a mutation algorithm comprised of cryptographically proven modular arithmetic and Feistel networks, it is hoped that such a symmetric block cipher will be resistant to modern cryptanalytic attacks, such as differential and linear attacks.

Journal Article
TL;DR: In this article, a new symmetric key block cipher SC2000 with 128-bit block length and 128-, 192-, 256-bit key lengths was proposed, which is constructed by piling two layers: one is a Feistel structure layer and the other is an SPN structure layer. Each operation used in the two layers is an S-box or logical operation.
Abstract: In this paper, we propose a new symmetric key block cipher SC2000 with 128-bit block length and 128-, 192-, 256-bit key lengths. The block cipher is constructed by piling two layers: one is a Feistel structure layer and the other is an SPN structure layer. Each operation used in the two layers is an S-box or logical operation, which has been well studied about security. It is a strong feature of the cipher that fast software implementations are available by using the techniques of putting together S-boxes in various ways and of the Bitslice implementation.

Journal Article
TL;DR: This work finds additional one-round iterative characteristics of Q that can be extended to more rounds and combines the characteristics into differentials, and presents several differential attacks on the full cipher.
Abstract: Q is a block cipher based on Rijndael and Serpent, which was submitted as a candidate to the NESSIE project by Leslie McBride. The submission document of Q describes 12 one-round iterative characteristics with probability 2^-18 each. On 7 rounds these characteristics have probability 2^-126, and the author of Q claims that these are the best 7-round characteristics. We find additional one-round characteristics that can be extended to more rounds. We also combine the characteristics into differentials. We present several differential attacks on the full cipher. Our best attack on the full Q with 128-bit keys (8 rounds) uses 2^105 chosen plaintexts and has a complexity of 2^77 encryptions. Our best attack on the full Q with larger key sizes (9 rounds) uses 2^125 chosen ciphertexts, and has a complexity of 2^96 for 192-bit keys, and 2^128 for 256-bit keys.

Book ChapterDOI
16 Dec 2002
TL;DR: The recent results on Rijndael are surveyed and it is examined whether the design strategy has fulfilled its promise to design ciphers that are both efficient and secure against linear and differential cryptanalysis.
Abstract: The wide trail design strategy claims to design ciphers that are both efficient and secure against linear and differential cryptanalysis. Rijndael, the AES, was designed along the principles of this strategy. We survey the recent results on Rijndael and examine whether the design strategy has fulfilled its promise.

Journal Article
TL;DR: These characteristics, which were obtained through a search, allowed us to attack four-and-a-half-round SC2000 in the 128-bit user-key case and present two-round iterative differential characteristics with probability 2^-58 and two-round iterative linear characteristics with probability 2^-56.
Abstract: We analyze the security of the SC2000 block cipher against both differential and linear attacks. SC2000 is a six-and-a-half-round block cipher, which has a unique structure that includes both the Feistel and Substitution-Permutation Network (SPN) structures. Taking the structure of SC2000 into account, we investigate one- and two-round iterative differential and linear characteristics. We present two-round iterative differential characteristics with probability 2^-58 and two-round iterative linear characteristics with probability 2^-56. These characteristics, which we obtained through a search, allowed us to attack four-and-a-half-round SC2000 in the 128-bit user-key case. Our differential attack needs 2^103 pairs of chosen plaintexts and 2^20 memory accesses, and our linear attack needs 2^115.17 known plaintexts and 2^42.32 memory accesses, or 2^104.32 known plaintexts and 2^83.32 memory accesses.

Book ChapterDOI
TL;DR: Two extensions of linear cryptanalysis (analysis with multiple expressions and differential-linear cryptanalysis) are described and the functioning of truncated differentials and the usage of differential structures are described.
Abstract: At the beginning of the paper we give an overview of the linear and differential cryptanalysis of block ciphers. We describe two extensions of linear cryptanalysis (analysis with multiple expressions [7] and differential-linear cryptanalysis [10]) which form the basis of the conducted experiments. Then we describe the functioning of truncated differentials [1,8] and the usage of differential structures [1,2,3].

Posted Content
TL;DR: This paper describes an effort to attack S-DES, a reduced version of the Data Encryption Standard, using differential cryptanalysis and linear cryptanalysis, and is meant as a tutorial on the fundamentals of these attacks on a Feistel cipher.
Abstract: This paper describes an effort to attack S-DES using differential cryptanalysis and linear cryptanalysis. S-DES is a reduced version of the Data Encryption Standard (DES). It also includes a discussion on the subject of cryptology and a literature survey of useful papers regarding cryptography and cryptanalysis. This paper is meant as a tutorial on the fundamentals of differential cryptanalysis and linear cryptanalysis of a Feistel cipher.