Showing papers on "Differential cryptanalysis published in 2003"
TL;DR: The results of applying an attack against the Data Encryption Standard (DES) implemented in some applications, using side-channel information based on CPU delay as proposed in (11), found that the cipher can be broken with 2^23 known plaintexts and 2^24 calculations at a success rate > 90%, using a personal computer with a 600-MHz Pentium III.
Abstract: This paper presents the results of applying an attack against the Data Encryption Standard (DES) implemented in some applications, using side-channel information based on CPU delay as proposed in (11). This cryptanalysis technique uses side-channel information on encryption processing to select and collect effective plaintexts for cryptanalysis, and infers the information on the expanded key from the collected plaintexts. On applying this attack, we found that the cipher can be broken with 2^23 known plaintexts and 2^24 calculations at a success rate > 90%, using a personal computer with a 600-MHz Pentium III. We discuss the feasibility of cache attacks on ciphers that need many S-box look-ups, by reviewing the results of our experimental attacks on block ciphers other than DES, such as AES.
279 citations
TL;DR: This paper proposes convenient tools in order to study Pseudorandomness in connection with the Shannon Theory, the Carter–Wegman universal hash functions paradigm, and the Luby–Rackoff approach, which enables the construction of new ciphers with security proofs under specific models.
Abstract: Pseudorandomness is a classical model for the security of block ciphers. In this paper we propose convenient tools in order to study it in connection with the Shannon Theory, the Carter–Wegman universal hash functions paradigm, and the Luby–Rackoff approach. This enables the construction of new ciphers with security proofs under specific models. We show how to ensure security against basic differential and linear cryptanalysis and even more general attacks. We propose practical construction schemes.
194 citations
TL;DR: In this article, the authors present an analytical calculation of the success probability of differential and linear cryptanalytic attacks, reveal previously unnoticed factors affecting the success of an attack, such as the attacked key length in differential cryptanalysis, and apply the results to an extended sense of the term success where the correct key is found not necessarily as the highest-ranking candidate but within a set of highest-ranking candidates.
Abstract: Despite their widespread usage in block cipher analysis, the success probability estimation of differential and linear cryptanalytic attacks has traditionally been carried out in a rather ad hoc fashion. In this paper, we present an analytical calculation of the success probability of these attacks. Besides providing a sound formulation of the success probabilities, the analysis reveals some previously unnoticed factors affecting the success of an attack, such as the attacked key length in differential cryptanalysis. The results apply to an extended sense of the term success where the correct key is found not necessarily as the highest-ranking candidate but within a set of highest-ranking candidates.
162 citations
TL;DR: This article presents a completely different attack on A5/1, based on ideas from correlation attacks, where the complexity of the proposed attack is almost independent of the shift-register length.
Abstract: A5/1 is a stream cipher used in the Global System for Mobile Communications (GSM) standard. Several time-memory tradeoff attacks against A5/1 have been proposed, most notably the attack by Biryukov, Shamir and Wagner (1978), which can break A5/1 in seconds using huge precomputation time and memory. This article presents a completely different attack on A5/1, based on ideas from correlation attacks. Whereas time-memory tradeoff attacks have a complexity which is exponential with the shift-register length, the complexity of the proposed attack is almost independent of the shift-register length. Our implementation of the suggested attack breaks A5/1 in a few minutes using 2-5 min of conversation plaintext.
152 citations
24 Feb 2003
TL;DR: The cryptanalysis of Rabbit did not reveal an attack better than exhaustive key search, but the cipher is characterized by a high performance in software with a measured encryption/decryption speed of 3.7 clock cycles per byte on a Pentium III processor.
Abstract: We present a new stream cipher, Rabbit, based on iterating a set of coupled non-linear functions. Rabbit is characterized by a high performance in software with a measured encryption/decryption speed of 3.7 clock cycles per byte on a Pentium III processor. We have performed detailed security analysis, in particular, correlation analysis and algebraic investigations. The cryptanalysis of Rabbit did not reveal an attack better than exhaustive key search.
127 citations
TL;DR: Barr et al. presented a new stream cipher, called Rabbit, based on iterating a set of coupled non-linear functions, which is characterized by a high performance in software with a measured encryption/decryption speed of 3.7 clock cycles per byte on a Pentium III processor.
Abstract: We present a new stream cipher, Rabbit, based on iterating a set of coupled non-linear functions. Rabbit is characterized by a high performance in software with a measured encryption/decryption speed of 3.7 clock cycles per byte on a Pentium III processor. We have performed detailed security analysis, in particular, correlation analysis and algebraic investigations. The cryptanalysis of Rabbit did not reveal an attack better than exhaustive key search.
119 citations
TL;DR: This Letter explains how to break a very recent block cipher algorithm based on the logistic map, which uses a 128-bit external key to derive the initial condition and number of iterations, but in a weak way allowing for attack.
119 citations
08 Dec 2003
TL;DR: In this paper, the security of a block cipher against IDC is evaluated through impossible differential characteristics of block cipher structures whose round functions are bijective, such as Nyberg's generalized Feistel network, the CAST256-like structure, the Rijndael structure, and the MARS-based structure.
Abstract: Impossible Differential Cryptanalysis (IDC) [4] uses impossible differential characteristics to retrieve subkey material for the first or the last several rounds of block ciphers. Thus, the security of a block cipher against IDC can be evaluated by impossible differential characteristics. In this paper, we study impossible differential characteristics of block cipher structures whose round functions are bijective. We introduce a widely applicable method to find various impossible differential characteristics of block cipher structures. Using this method, we find various impossible differential characteristics of known block cipher structures: Nyberg's generalized Feistel network, a generalized CAST256-like structure [14], a generalized MARS-like structure [14], a generalized RC6-like structure [14], and the Rijndael structure.
116 citations
14 Aug 2003
TL;DR: It can be shown that if in addition the Markov cipher has a K-f round function and the hypothesis of stochastic equivalence for related keys holds, then the iterated cipher is resistant to related-key differential attacks after sufficiently many rounds.
Abstract: A related-key differential cryptanalysis is applied to the 192-bit key variant of AES. Although any 4-round differential trail has at least 25 active bytes, one can construct a 5-round related-key differential trail that has only 15 active bytes and break six rounds with 2^106 plaintext/ciphertext pairs and complexity 2^112. The attack can be improved using truncated differentials. In this case, the number of required plaintext/ciphertext pairs is 2^81 and the complexity is about 2^86. Using impossible related-key differentials we can break seven rounds with 2^111 plaintext/ciphertext pairs and computational complexity 2^116. The attack on eight rounds requires 2^88 plaintext/ciphertext pairs and its complexity is about 2^183 encryptions. In the case of differential cryptanalysis, if the iterated cipher is a Markov cipher and the round keys are independent, then the sequence of differences at each round output forms a Markov chain and the cipher becomes resistant to differential cryptanalysis after sufficiently many rounds, but this is not true in the case of related-key differentials. It can be shown that if in addition the Markov cipher has a K-f round function and the hypothesis of stochastic equivalence for related keys holds, then the iterated cipher is resistant to related-key differential attacks after sufficiently many rounds.
99 citations
TL;DR: In this paper, the XL method, introduced for overdefined quadratic systems, is adapted to solving higher degree equations arising from stream ciphers, and it is shown that it works perfectly well for such largely overdefined systems.
Abstract: Many stream ciphers are built of a linear sequence generator and a non-linear output function f. There is an abundant literature on (fast) correlation attacks, that use linear approximations of f to attack the cipher. In this paper we explore higher degree approximations, much less studied. We reduce the cryptanalysis of a stream cipher to solving a system of multivariate equations that is overdefined (many more equations than unknowns). We adapt the XL method, introduced at Eurocrypt 2000 for overdefined quadratic systems, to solving equations of higher degree. Though the exact complexity of XL remains an open problem, there is no doubt that it works perfectly well for such largely overdefined systems as ours, and we confirm this by computer simulations. We show that using XL, it is possible to break stream ciphers that were known to be immune to all previously known attacks. For example, we cryptanalyse the stream cipher Toyocrypt accepted to the second phase of the Japanese government Cryptrec program. Our best attack on Toyocrypt takes 2^92 CPU clocks for a 128-bit cipher. The interesting feature of our XL-based higher order correlation attacks is their very loose requirements on the known keystream needed. For example, they may work knowing ONLY that the ciphertext is in English.
88 citations
TL;DR: This paper describes a simplified version of the Advanced Encryption Standard algorithm that has the advantage that examples can be worked by hand and it is easier for students to understand the real version.
Abstract: In this paper, we describe a simplified version of the Advanced Encryption Standard algorithm. This version can be used in the classroom for explaining the Advanced Encryption Standard. After presentation of the simplified version, it is easier for students to understand the real version. This simplified version has the advantage that examples can be worked by hand. We also describe attacks on this version using both linear and differential cryptanalysis. These too can be used in the classroom as a way of explaining those kinds of attacks.
TL;DR: In this paper, the statistical decision processes behind a linear and a differential cryptanalysis were considered and the shape of optimal linear and differential distinguishers was described. And the concept of sequential distinguisher was formalized and applied to various statistical attacks.
Abstract: In this paper, we consider the statistical decision processes behind a linear and a differential cryptanalysis. By applying techniques and concepts of statistical hypothesis testing, we describe precisely the shape of optimal linear and differential distinguishers and we improve known results of Vaudenay concerning their asymptotic behaviour. Furthermore, we formalize the concept of sequential distinguisher and we illustrate potential applications of such tools in various statistical attacks.
01 Jan 2003
TL;DR: This thesis focuses on stream ciphers built using Linear Feedback Shift Registers (LFSRs), and presents, among other results, an initial state recovery algorithm on E0, the cipher of the Bluetooth wireless standard, based on recently discovered correlations within the cipher.
Abstract: Stream ciphers are cryptographic primitives used to ensure privacy in digital communication. In this thesis we focus on stream ciphers built using Linear Feedback Shift Registers (LFSRs). Several different stream ciphers are analysed and new attacks are presented. In addition, two new stream ciphers are presented, both based on the same design.
The first attack is performed on SOBER-t16 and SOBER-t32. A new distinguishing attack is presented for simplified versions of the two ciphers, as well as for the complete version of SOBER-t16.
Next, the cipher A5/1, used in the GSM standard for mobile telephones, is analysed. The resulting attack is an initial state recovery attack which recovers the secret key using approximately 5 minutes of known keystream. The attack takes roughly 5 minutes to perform on today's standard PC.
Bluetooth is a well-known standard for wireless communication and the cipher responsible for the secrecy within that standard is called E0. An initial state recovery algorithm on E0 is presented, based on recently discovered correlations within the cipher. These new correlations are stronger than previously known. This attack, however, is only applicable to E0 in a theoretical perspective, since the required length of the observed keystream is longer than allowed in the Bluetooth standard.
Following this, two distinguishing attacks are presented targeting clock controlled generators; the shrinking generator and the self-shrinking generator. The attack on the shrinking generator is based on a new observation that the majority bits of a block surrounding the tap positions in the LFSR output also fulfils the linear recurrence equation. The attack on the self-shrinking generator identifies two new classes of weak feedback polynomials. For the first class, both a distinguishing attack and an initial state recovery attack are presented. This distinguishing attack is remarkable in the sense that the required length of the observed keystream only grows linearly in the length of the shift register. For the second class of weak feedback polynomials a distinguishing attack is given.
The final part of this thesis concerns the design of stream ciphers. Two new designs are presented, SNOW 1.0 and SNOW 2.0, the latter being an improvement on the former. These ciphers are designed to be very fast, especially in a software implementation.
01 Jan 2003
TL;DR: The cryptanalysis of the Tiny Encryption Algorithm is presented, which seems to be highly resistant to differential cryptanalysis, and achieves complete diffusion after only six rounds.
Abstract: The Tiny Encryption Algorithm (TEA) is a cryptographic algorithm designed to minimize memory footprint and maximize speed. It is a Feistel type cipher that uses operations from mixed (orthogonal) algebraic groups. This research presents the cryptanalysis of the Tiny Encryption Algorithm. In this research we inspected the most common methods in the cryptanalysis of a block cipher algorithm. TEA seems to be highly resistant to differential cryptanalysis, and achieves complete diffusion (where a one-bit difference in the plaintext will cause approximately 32 bit differences in the ciphertext) after only six rounds. Time performance on a modern desktop computer or workstation is very impressive.
24 Feb 2003
TL;DR: A related-key attack against SHACAL-1 and a method for finding "slid pairs" for it are presented in this paper, together with simple attacks against MDC-MD5 and the Kaliski-Robshaw block cipher.
Abstract: We cryptanalyse some block cipher proposals that are based on the dedicated hash functions SHA-1 and MD5. We discuss a related-key attack against SHACAL-1 and present a method for finding "slid pairs" for it. We also present simple attacks against MDC-MD5 and the Kaliski-Robshaw block cipher.
TL;DR: A related-key attack against SHACAL-1 is discussed and a method for finding slid pairs for it is presented and simple attacks against MDC-MD5 and the Kaliski-Robshaw block cipher are presented.
Abstract: We cryptanalyse some block cipher proposals that are based on the dedicated hash functions SHA-1 and MD5. We discuss a related-key attack against SHACAL-1 and present a method for finding slid pairs for it. We also present simple attacks against MDC-MD5 and the Kaliski-Robshaw block cipher.
01 Jan 2003
TL;DR: Three optimization heuristics are presented which can be utilized in attacks on the transposition cipher, namely simulated annealing, genetic algorithm and tabu search, and it is shown that each provides an effective automated technique for the cryptanalysis of the ciphertext.
Abstract: In this paper three optimization heuristics are presented which can be utilized in attacks on the transposition cipher. These heuristics are simulated annealing, genetic algorithm and tabu search. We will show that each of these heuristics provides effective automated techniques for the cryptanalysis of the ciphertext. The property which makes this cipher vulnerable is that it is not sophisticated enough to hide the inherent properties or statistics of the language of the plaintext. In Table 1 is shown the key and the encryption process of the previously described transposition cipher. It can be noticed that the random string "X" was appended to the end of the message to enforce a message length which is a multiple of the block size. It is also clear that the decryption can be achieved by following the same process as encryption using the "inverse" of the encryption permutation. In this case
TL;DR: In this paper, chosen plaintext attacks on reduced rounds of the IDEA block cipher are proposed based on the word structure of the algorithm and the observation that suitable plaintexts give rise to some special kind of distributions which provide a way to distinguish reduced round IDEA output from a random permutation with very few plaintexts.
Abstract: In this paper we develop two new chosen plaintext attacks on reduced rounds of the IDEA block cipher. The attacks exploit the word structure of the algorithm and are based on the observation that suitable chosen plaintexts give rise to some special kind of distributions which provide a way to distinguish reduced round IDEA output from a random permutation with very few plaintexts. As a result, we develop an attack for 3.5 rounds of IDEA which requires only 103 chosen plaintexts. We have reduced the number of required plaintexts significantly up to 4 rounds. We also present some interesting properties of the reduced round variants of the cipher which have not been published before. The properties and the attacks bring a different approach to analyse the cipher.
TL;DR: The security of block ciphers referred to as substitution-permutation networks (SPNs) is examined for the case where the SPN has two rounds, and an upper bound on the maximum differential probability and the maximum linear hull probability is obtained.
25 Aug 2003
TL;DR: This paper describes the MESH block ciphers, whose designs are based on the same group operations as the IDEA cipher, but with a number of novel features: flexible block sizes in steps of 32 bits; larger MA-boxes; distinct key-mixing layers for odd and even rounds; and new key schedule algorithms that achieve fast avalanche and avoid the weak keys of IDEA.
Abstract: This paper describes the MESH block ciphers, whose designs are based on the same group operations as the IDEA cipher, but with a number of novel features: flexible block sizes in steps of 32 bits (the block size of IDEA is fixed at 64 bits); larger MA-boxes; distinct key-mixing layers for odd and even rounds; and new key schedule algorithms that achieve fast avalanche and avoid the weak keys of IDEA. The software performance of the MESH ciphers is estimated to be better than or comparable to that of triple-DES. A number of attacks, such as truncated and impossible differentials, linear and Demirci's attack, show that more resources are required against the MESH ciphers than against IDEA, and indicate that both ciphers seem to have a large margin of security.
21 Sep 2003
TL;DR: The performed security estimation has shown that the twelve-round cipher SPECTR-H64 is secure against differential attack and that the extension box is a critical element of this cipher.
Abstract: The performed security estimation has shown that the twelve-round cipher SPECTR-H64 is secure against differential attack and that the extension box is a critical element of this cipher. A modified eight-round version, SPECTR-H64+, is proposed.
01 Apr 2003
TL;DR: For an odd prime p, quadratic p-ary bent functions defined on finite fields are given from the families of p-ary sequences with optimal correlation property, that is, perfect nonlinear functions from the finite field F_{p^m} to its prime field F_p.
Abstract: It is known that a bent function corresponds to a perfect nonlinear function, which makes it difficult to do the differential cryptanalysis in DES and in many other block ciphers. In this paper, for an odd prime p, quadratic p-ary bent functions defined on finite fields are given from the families of p-ary sequences with optimal correlation property. And quadratic p-ary bent functions, that is, perfect nonlinear functions from the finite field F_{p^m} to its prime field F_p, are constructed by using the trace functions.
09 Jul 2003
TL;DR: A new design is proposed that eliminates the need for known plaintext entirely and employs "data compression" as a basic tool for generating a hidden information channel, highlighting the need to only encrypt compressed strings when a block cipher with a secret design must be used.
Abstract: There has been much recent research in designing symmetric ciphers with backdoors that have either public designs or black-box designs. Current Digital Rights Management needs have resurrected the use of hidden ciphers (which were traditionally suggested by the government as black-box designs) in the form of obfuscated "white-box" algorithms. A recent backdoor proposal is the Monkey cipher which is intended to have a secret design and that can be implemented using any deterministic trapdoor one-way function. Monkey leaks information about its user's key to the designer. The primary drawback of Monkey is that it requires the designer (attacker) to obtain a sufficient number of ciphertexts all under the same symmetric key, such that each contains one known plaintext bit. In this paper a new design is proposed that eliminates the need for known plaintext entirely. Also, whereas Monkey reveals one plaintext bit of each ciphertext to the reverse-engineer (i.e., an entity that tries to learn the black-box device), our solution only leaks a bound on the message entropy to the reverse-engineer, while requiring that the designer obtain a sufficient number of ciphertexts that encrypt messages with a requisite level of redundancy. The information leakage method we use employs "data compression" as a basic tool for generating a hidden information channel. This highlights the need to only encrypt compressed strings when a block cipher with a secret design must be used.
27 Dec 2003
TL;DR: A fitness measure based on the differential characteristics of the SPN is proposed and a complete problem formulation is described, showing the complexity of the proposed attack to be less than half of normal differential cryptanalysis of the same SPN.
Abstract: In this paper, a method to discover the key of a substitution permutation network (SPN) using genetic algorithms is described. A fitness measure based on the differential characteristics of the SPN is proposed and a complete problem formulation is described. The complexity of the proposed attack is shown to be less than half of normal differential cryptanalysis of the same SPN.
08 Dec 2003
TL;DR: A simple way of creating new and efficient distinguishers for cryptographic primitives such as block ciphers or hash functions is introduced and is successfully applied over reduced round versions of the block cipher TEA, which is proven to be weak with less than five rounds.
Abstract: A simple way of creating new and efficient distinguishers for cryptographic primitives such as block ciphers or hash functions is introduced. This technique is then successfully applied over reduced round versions of the block cipher TEA, which is proven to be weak with less than five rounds.
24 Feb 2003
TL;DR: A less modified version of IDEA, called IDEA-X/2, is presented in this article, together with an attack on this cipher that also works on IDEA-X and improves on the attack presented at FSE 2002.
Abstract: IDEA is a 64-bit block cipher with a 128-bit key designed by J. Massey and X. Lai. At FSE 2002 a slightly modified version called IDEA-X was attacked using multiplicative differentials. In this paper we present a less modified version of IDEA we call IDEA-X/2, and an attack on this cipher. This attack also works on IDEA-X, and improves on the attack presented at FSE 2002.
TL;DR: A four round Luby-Rackoff cipher is constructed, operating over finite groups of characteristic greater than 2, that is not only completely secure against adaptive chosen plaintext and ciphertext attacks, but has better time/space complexity and uses fewer random bits than all previously considered Luby-Rackoff ciphers of equivalent security in the literature.
Abstract: This work initiates a study of Luby-Rackoff ciphers when the bitwise exclusive-or (XOR) operation in the underlying Feistel network is replaced by a binary operation in an arbitrary finite group. We obtain various interesting results in this context. First, we analyze the security of three-round Feistel ladders over arbitrary groups. We examine various Luby-Rackoff ciphers known to be insecure when XOR is used. In some cases, we can break these ciphers over arbitrary Abelian groups; in other cases, however, the security remains an open problem. Next, we construct a four round Luby-Rackoff cipher, operating over finite groups of characteristic greater than 2, that is not only completely secure against adaptive chosen plaintext and ciphertext attacks, but has better time/space complexity and uses fewer random bits than all previously considered Luby-Rackoff ciphers of equivalent security in the literature. Surprisingly, when the group is of characteristic 2 (i.e., the underlying operation on strings is bitwise exclusive-or), the cipher can be completely broken in a constant number of queries. Notably, for the former set of results dealing with three rounds (where we report no difference) we need new techniques. However, for the latter set of results dealing with four rounds (where we prove a new theorem) we rely on a generalization of known techniques, albeit one that requires a new type of hash function family, called a monosymmetric hash function family, which we introduce in this work. We also discuss the existence (and construction) of this function family over various groups, and argue the necessity of this family in our construction. Moreover, these functions can be very easily and efficiently implemented on most current microprocessors, thereby rendering the four round construction very practical.
09 Jul 2003
TL;DR: It is pointed out that enhanced implementations of the Rijndael cipher (AES) against timing cryptanalysis and simple power cryptanalysis (SPA) may unfortunately become more vulnerable to differential power cryptanalysis (DPA).
Abstract: Recently, much research has been conducted on how to carry out physical cryptanalysis on cryptographic devices by exploiting any possible leaked information through side channels. Research results were also reported on how to develop countermeasures against existing physical cryptanalysis. However, very little attention has been paid to the possible mutual relationship between different kinds of physical cryptanalysis when designing a specific countermeasure. In this paper, it is pointed out that enhanced implementations of the Rijndael cipher (AES) against timing cryptanalysis and simple power cryptanalysis (SPA) may unfortunately become more vulnerable to differential power cryptanalysis (DPA). Technically speaking, based on Sommer's work and experiments presented at CHES 2000, this new DPA on the above mentioned Rijndael implementations yields a much more significant observable peak within the differential power trace. This makes the DPA attack easier, with fewer required power traces.
TL;DR: This paper quantifies immunity to cryptolinear attacks in terms of the approximation speed of the map f by the periodic maps T_n, and shows that the most resistant block ciphers are expected when the approximated dynamical system is mixing.
Abstract: During the last years a new approach to constructing safe block and stream ciphers has been developed using the theory of dynamical systems. Since a block cryptosystem is generally, from the mathematical point of view, a family (parametrized by the keys) of permutations of n-bit numbers, one of the main problems of this approach is to adapt the dynamics defined by a map f to the block structure of the cryptosystem. In this paper we propose a method based on the approximation of f by periodic maps T_n (e.g. some interval exchange transformations). The approximation of automorphisms of measure spaces by periodic automorphisms was introduced by Halmos and Rohlin. One important aspect studied in our paper is the relation between the dynamical properties of the map f (say, ergodicity or mixing) and the immunity of the resulting cipher to cryptolinear attacks, which is currently one of the standard benchmarks for cryptosystems to be considered secure. Linear cryptanalysis, first proposed by M. Matsui, exploits some statistical inhomogeneities of expressions called linear approximations for a given cipher. Our paper quantifies immunity to cryptolinear attacks in terms of the approximation speed of the map f by the periodic maps T_n. We show that the most resistant block ciphers are expected when the approximated dynamical system is mixing.