scispace - formally typeset

Showing papers on "Differential cryptanalysis" published in 2006


Journal Article
TL;DR: In this paper, a new stream cipher construction based on block cipher design principles is proposed, where the building blocks used in block ciphers are replaced by equivalent stream cipher components.
Abstract: In this paper, we propose a new stream cipher construction based on block cipher design principles. The main idea is to replace the building blocks used in block ciphers by equivalent stream cipher components. In order to illustrate this approach, we construct a very simple synchronous stream cipher which provides a lot of flexibility for hardware implementations, and seems to have a number of desirable cryptographic properties.

332 citations


Book
16 Aug 2006
TL;DR: This work will examine some algebraic aspects of the AES and consider a number of algebraic techniques that could be used in the analysis of the cipher, and focus on the large, though surprisingly simple, systems of multivariate quadratic equations derived from the encryption operation.
Abstract: Since being officially selected as the new Advanced Encryption Standard (AES), Rijndael has continued to receive great attention and has had its security continuously evaluated by the cryptographic community. Rijndael is a cipher with a simple, elegant and highly algebraic structure. Its selection as the AES has led to a growing interest in the study of algebraic properties of block ciphers, and in particular algebraic techniques that can be used in their cryptanalysis. In these notes we will examine some algebraic aspects of the AES and consider a number of algebraic techniques that could be used in the analysis of the cipher. In particular, we will focus on the large, though surprisingly simple, systems of multivariate quadratic equations derived from the encryption operation, and consider some approaches that could be used when attempting to solve these systems. These notes refer to an invited talk given at the Fourth Conference on the Advanced Encryption Standard (AES4) in May 2004, and are largely based on [4].

94 citations


Journal ArticleDOI
23 Jan 2006
TL;DR: The fundamental principles behind today's state of the art in block cipher cryptanalysis are reviewed.
Abstract: Since the introduction of the Data Encryption Standard (DES) in the mid-1970s, block ciphers have played an ever-increasing role in cryptology. Because of the growing number of practical applications relying on their security, block ciphers have received, and are still receiving, a substantial amount of attention from academic cryptanalysts. This has led, over the last decades, to the development of several general techniques to analyze the security of block ciphers. This paper reviews the fundamental principles behind today's state of the art in block cipher cryptanalysis.

63 citations


Journal ArticleDOI
TL;DR: It is shown how αη used in conjunction with any standard stream cipher such as the Advanced Encryption Standard provides an additional, qualitatively different layer of security from physical encryption against known-plaintext attacks on the key.
Abstract: We review the notion of a classical random cipher and its advantages. We sharpen the usual description of random ciphers to a particular mathematical characterization suggested by the salient feature responsible for their increased security. We describe a concrete system known as αη and show that it is equivalent to a random cipher in which the required randomization is affected by coherent-state quantum noise. We describe the currently known security features of αη and similar systems, including lower bounds on the unicity distances against ciphertext-only and known-plaintext attacks. We show how αη used in conjunction with any standard stream cipher such as the Advanced Encryption Standard provides an additional, qualitatively different layer of security from physical encryption against known-plaintext attacks on the key. We refute some claims in the literature that αη is equivalent to a nonrandom stream cipher.

51 citations


Book ChapterDOI
13 Feb 2006
TL;DR: In this paper, the Gröbner bases for a subset of these ciphers can be constructed with negligible computational effort, which reduces the key-recovery problem to a Gröbner basis conversion problem.
Abstract: We construct and analyze Feistel and SPN ciphers that have a sound design strategy against linear and differential attacks but for which the encryption process can be described by very simple polynomial equations. For a block and key size of 128 bits, we present ciphers for which practical Gröbner basis attacks can recover the full cipher key requiring only a minimal number of plaintext/ciphertext pairs. We show how Gröbner bases for a subset of these ciphers can be constructed with negligible computational effort. This reduces the key-recovery problem to a Gröbner basis conversion problem. By bounding the running time of a Gröbner basis conversion algorithm, FGLM, we demonstrate the existence of block ciphers resistant against differential and linear cryptanalysis but vulnerable against Gröbner basis attacks.

44 citations


Journal Article
TL;DR: Theoretical bounds on the performance of the HD cipher in terms of security and error correction are derived and it is shown that the proposed HD cipher provides security equivalent to Rijndael cipher against linear and differential cryptanalysis.
Abstract: In this paper we combine the error correction and encryption functionality into one block cipher, which we call High Diffusion (HD) cipher. The error correcting property of this cipher is due to the novel error correction code which we call High Diffusion code used in its diffusion layer. Theoretical bounds on the performance of the HD cipher in terms of security and error correction are derived. We show that the proposed HD cipher provides security equivalent to Rijndael cipher against linear and differential cryptanalysis. Experiments based on a four round HD cipher reveal that traditional concatenated systems using the Rijndael cipher followed by Reed Solomon codes require 89% more expansion to match the performance of HD cipher.

37 citations


Book ChapterDOI
17 Aug 2006
TL;DR: It is shown how to combine differential cryptanalysis applied to the first few rounds of the cipher with power attacks to extract the secret key from intermediate unmasked (unknown) values.
Abstract: At FSE 2003 and 2004, Akkar and Goubin presented several masking methods to protect iterated block ciphers such as DES against Differential Power Analysis and higher-order variations thereof. The underlying idea is to randomize the first few and last few rounds of the cipher with independent masks at each round until all intermediate values depend on a large number of secret key bits, thereby disabling power attacks on subsequent inner rounds. We show how to combine differential cryptanalysis applied to the first few rounds of the cipher with power attacks to extract the secret key from intermediate unmasked (unknown) values, even when these already depend on all secret key bits. We thus invalidate the widely believed claim that it is sufficient to protect the outer rounds of an iterated block cipher against side-channel attacks.

35 citations


Journal Article
TL;DR: In this article, the authors investigated the security of array-based stream ciphers (or PRBG's) against certain types of distinguishing attacks in a unified way, and pointed out that the most useful characteristic of an array, namely, the association of array elements with unique indices, may turn out to be the origins of the distinguishing attacks if adequate caution is not maintained.
Abstract: Stream ciphers play an important role in symmetric cryptology because of their suitability in high speed applications where block ciphers fall short. A large number of fast stream ciphers or pseudorandom bit generators (PRBG's) can be found in the literature that are based on arrays and simple operations such as modular additions, rotations and memory accesses (e.g. RC4, RC4A, Py, Py6, ISAAC, etc.). This paper investigates the security of array-based stream ciphers (or PRBG's) against certain types of distinguishing attacks in a unified way. We argue, counter-intuitively, that the most useful characteristic of an array, namely, the association of array-elements with unique indices, may turn out to be the origins of distinguishing attacks if adequate caution is not maintained. In short, an adversary may attack a cipher simply exploiting the dependence of array-elements on the corresponding indices. Most importantly, the weaknesses are not eliminated even if the indices and the array-elements are made to follow uniform distributions separately. Exploiting these weaknesses we build distinguishing attacks with reasonable advantage on five recent stream ciphers (or PRBG's), namely, Py6 (2005, Biham et al.), IA, ISAAC (1996, Jenkins Jr.), NGG, GGHN (2005, Gong et al.) with data complexities 2^68.61, 2^32.59, 2^16.89, 2^32.89 and 2^32.89 respectively. In all the cases we worked under the assumption that the key-setup algorithms of the ciphers produced uniformly distributed internal states. We only investigated the mixing of bits in the keystream generation algorithms. In hindsight, we also observe that the previous attacks on the other array-based stream ciphers (e.g. Py, etc.), can also be explained in the general framework developed in this paper. We hope that our analyses will be useful in the evaluation of the security of stream ciphers based on arrays and modular addition.

34 citations


Book ChapterDOI
30 Aug 2006
TL;DR: A related-key rectangle attack on 42-round SHACAL-2 was presented in this article, which requires 2^243.38 chosen plaintexts and has a running time of 2^488.37.
Abstract: Based on the compression function of the hash function standard SHA-256, SHACAL-2 is a 64-round block cipher with a 256-bit block size and a variable length key of up to 512 bits. In this paper, we present a related-key rectangle attack on 42-round SHACAL-2, which requires 2^243.38 related-key chosen plaintexts and has a running time of 2^488.37. This is the best currently known attack on SHACAL-2.

31 citations


Journal ArticleDOI
TL;DR: A new class of error-correcting codes (HD-codes) with built-in security features that are used in the diffusion layer of the proposed cipher and are as resistant to linear and differential cryptanalysis as the Rijndael cipher.
Abstract: Securing transmission over a wireless network is especially challenging, not only because of the inherently insecure nature of the medium, but also because of the highly error-prone nature of the wireless environment. In this paper, we take a joint encryption-error correction approach to ensure secure and robust communication over the wireless link. In particular, we design an error-correcting cipher (called the high diffusion cipher) and prove bounds on its error-correcting capacity as well as its security. Towards this end, we propose a new class of error-correcting codes (HD-codes) with built-in security features that we use in the diffusion layer of the proposed cipher. We construct an example 128-bit cipher using the HD-codes, and compare it experimentally with two traditional concatenated systems: (a) AES (Rijndael) followed by Reed-Solomon codes, (b) Rijndael followed by convolutional codes. We show that the HD-cipher is as resistant to linear and differential cryptanalysis as the Rijndael. We also show that any chosen plaintext attack that can be performed on the HD cipher can be transformed into a chosen plaintext attack on the Rijndael cipher. In terms of error correction capacity, the traditional systems using Reed-Solomon codes are comparable to the proposed joint error-correcting cipher and those that use convolutional codes require 10% more data expansion in order to achieve similar error correction as the HD-cipher.
The original contributions of this work are (1) design of a new joint error-correction-encryption system, (2) design of a new class of algebraic codes with built-in security criteria, called the high diffusion codes (HD-codes) for use in the HD-cipher, (3) mathematical properties of these codes, (4) methods for construction of the codes, (5) bounds on the error-correcting capacity of the HD-cipher, (6) mathematical derivation of the bound on resistance of HD cipher to linear and differential cryptanalysis, (7) experimental comparison of the HD-cipher with the traditional systems.

30 citations


Book ChapterDOI
19 Apr 2006
TL;DR: This work considers the integration of block cipher cryptanalysis techniques into a particular type of side-channel attack, the differential fault attack (DFA), and applies the DFA on the AES key schedule or on intermediate states within the AES and exploits distinguishers based on Square attacks and impossible differential cryptanalysis to cover the remaining rounds.
Abstract: We introduce the notion of amplified side-channel attacks, i.e. the application of block cipher cryptanalysis techniques to amplify effects exploitable by side-channel attacks. Such an approach is advantageous since it fully exploits the special characteristics of each technique in situations where each thrives the most. As an example, we consider the integration of block cipher cryptanalysis techniques into a particular type of side-channel attack, the differential fault attack (DFA). In more detail, we apply the DFA on the AES key schedule or on intermediate states within the AES and then exploit distinguishers based on Square attacks and impossible differential cryptanalysis to cover the remaining rounds. The use of techniques from conventional differential cryptanalysis in DFAs is not new; however, to the best of our knowledge, more advanced differential-like attack techniques have so far not been applied in collaboration with DFA. Further, while previous DFA attacks can only be mounted if faults are induced in the last or first (but with more restrictions) few rounds, our attacks alternatively show that even when faults are induced into some middle rounds, the DFA attacks still work, complementing existing results in literature; and thus showing that DFA attacks work regardless of where faults are induced. This is of importance because redundancy is a costly countermeasure against DFA and thus it is vital to study which rounds have to be protected. We hope that this completes the picture on the applicability of DFAs to block ciphers, and motivates thoughts into applying other advanced block cipher cryptanalysis techniques into other types of side-channel attacks.

Dissertation
01 Jan 2006
TL;DR: A set of algorithms and data structures for multidimensional cryptanalysis when distributions over a large probability space have to be constructed and results of cryptanalysis for various cryptographic primitives, such as A5/1, Grain, SNOW 2.0, Scream, Dragon, VMPC, RC4, and RC4A are included.
Abstract: In the world of cryptography, stream ciphers are known as primitives used to ensure privacy over a communication channel. One common way to build a stream cipher is to use a keystream generator to produce a pseudo-random sequence of symbols. In such algorithms, the ciphertext is the sum of the keystream and the plaintext, resembling the one-time pad principle. Although the idea behind stream ciphers is simple, serious investigation of these primitives has started only in the late 20th century. Therefore, cryptanalysis and design of stream ciphers are important. In recent years, many designs of stream ciphers have been proposed in an effort to find a proper candidate to be chosen as a world standard for data encryption. That potential candidate should be proven good by time and by the results of cryptanalysis. Different methods of analysis, in fact, explain how a stream cipher should be constructed. Thus, techniques for cryptanalysis are also important. This thesis starts with an overview of cryptography in general, and introduces the reader to modern cryptography. Later, we focus on basic principles of design and analysis of stream ciphers. Since statistical methods are the most important cryptanalysis techniques, they will be described in detail. The practice of statistical methods reveals several bottlenecks when implementing various analysis algorithms. For example, a common property of a cipher to produce n-bit words instead of just bits makes it more natural to perform a multidimensional analysis of such a design. However, in practice, one often has to truncate the words simply because the tools needed for analysis are missing. We propose a set of algorithms and data structures for multidimensional cryptanalysis when distributions over a large probability space have to be constructed. This thesis also includes results of cryptanalysis for various cryptographic primitives, such as A5/1, Grain, SNOW 2.0, Scream, Dragon, VMPC, RC4, and RC4A.
Most of these results were achieved with the help of intensive use of the proposed tools for cryptanalysis.

Posted Content
TL;DR: This work improves on the best known cryptanalysis of the stream cipher Py by using a hidden Markov model for the carry bits in addition operations where a certain distinguishing event takes place, and constructing from it an “optimal distinguisher” for the bias in the output bits which makes more use of the information available.
Abstract: We improve on the best known cryptanalysis of the stream cipher Py by using a hidden Markov model for the carry bits in addition operations where a certain distinguishing event takes place, and constructing from it an "optimal distinguisher" for the bias in the output bits which makes more use of the information available. We provide a general means to efficiently measure the efficacy of such a hidden Markov model based distinguisher, and show that our attack improves on the previous distinguisher by a factor of 2 in the number of samples needed. Given 2 bytes of output we can distinguish Py from random with advantage greater than 1/2, or given only a single stream of 2 bytes we have advantage 0.03.

Book ChapterDOI
10 Jul 2006
TL;DR: In this paper, the first step of cryptanalysis for the HFE cryptosystem is taken, which consists in distinguishing HFE public keys from random systems of quadratic equations, and two distinguishers are provided: the first one has polynomial complexity and subexponential advantage; the second has subexponential complexity and advantage close to one.
Abstract: The HFE cryptosystem was the subject of several cryptanalytic studies, sometimes successful, but always heuristic. To contrast with this trend, this work goes back to the beginning and achieves in a provable way a first step of cryptanalysis which consists in distinguishing HFE public keys from random systems of quadratic equations. We provide two distinguishers: the first one has polynomial complexity and subexponential advantage; the second has subexponential complexity and advantage close to one. These distinguishers are built on the differential methodology introduced at Eurocrypt'05 by Fouque et al. Their rigorous study makes extensive use of combinatorics in binary vector spaces. This combinatorial approach is novel in the context of multivariate schemes. We believe that the alliance of both techniques provides a powerful framework for the mathematical analysis of multivariate schemes.


Book ChapterDOI
30 Aug 2006
TL;DR: This work adapted and optimized the Binary Decision Diagram attack of Krause for the specific details of E0, and describes practical experience with BDD-based cryptanalysis, which so far has mostly been a theoretical concept.
Abstract: In this paper we analyze the E0 cipher, which is the cipher used in the Bluetooth specifications. We adapted and optimized the Binary Decision Diagram attack of Krause, for the specific details of E0. Our method requires 128 known bits of the keystream in order to recover the initial value of the four LFSR's in the E0 system. We describe several variants which we built to lower the complexity of the attack. We evaluated our attack against the real (non-reduced) E0 cipher. Our best attack can recover the initial value of the four LFSR's, for the first time, with a realistic space complexity of 2^23 (84MB RAM), and with a time complexity of 2^87. This attack can be massively parallelized to lower the overall time complexity. Beyond the specifics of E0, our work describes practical experience with BDD-based cryptanalysis, which so far has mostly been a theoretical concept.

Book ChapterDOI
11 Dec 2006
TL;DR: This paper mounts rectangle attacks on the first 51 rounds and a series of inner 52 rounds of SHACAL-1, and differential attacks on the first 49 rounds and a series of inner 55 rounds; these are the best currently known cryptanalytic results on SHACAL-1 in a one-key attack scenario.
Abstract: SHACAL-1 is an 80-round block cipher with a 160-bit block size and a key of up to 512 bits. In this paper, we mount rectangle attacks on the first 51 rounds and a series of inner 52 rounds of SHACAL-1, and also mount differential attacks on the first 49 rounds and a series of inner 55 rounds of SHACAL-1. These are the best currently known cryptanalytic results on SHACAL-1 in a one-key attack scenario.

Journal Article
TL;DR: In this paper, the E0 cipher was analyzed and the Binary Decision Diagram attack of Krause was adapted and optimized for the specific details of E0, which is the cipher used in the Bluetooth specifications.
Abstract: In this paper we analyze the E0 cipher, which is the cipher used in the Bluetooth specifications. We adapted and optimized the Binary Decision Diagram attack of Krause, for the specific details of E0. Our method requires 128 known bits of the keystream in order to recover the initial value of the four LFSR's in the E0 system. We describe several variants which we built to lower the complexity of the attack. We evaluated our attack against the real (non-reduced) E0 cipher. Our best attack can recover the initial value of the four LFSR's, for the first time, with a realistic space complexity of 2^23 (84MB RAM), and with a time complexity of 2^87. This attack can be massively parallelized to lower the overall time complexity. Beyond the specifics of E0, our work describes practical experience with BDD-based cryptanalysis, which so far has mostly been a theoretical concept.

Journal ArticleDOI
TL;DR: The Xi framework is presented, which is designed to compactly describe the block cipher cryptanalysis techniques regardless of their individual differences, with the additional capabilities of allowing specification of the technical details of each different type of attack and of comparison of their respective strengths.
Abstract: Block ciphers provide confidentiality by encrypting confidential messages into unintelligible form, which are irreversible without knowledge of the secret key used. During the design of a block cipher, its security against cryptanalysis must be considered. History has shown that a cipher designed without an adequate treatment of this would often lead to flaws and attacks by other researchers, sometimes devastatingly so. The problem for an aspiring cipher designer is that there are no standard texts on block cipher cryptanalysis because it is a fast changing field. The commonly available references are academic journals and conference proceedings, which may not be easy to grasp for researchers new to cryptanalysis. This paper presents the Xi framework, which is designed to compactly describe the block cipher cryptanalysis techniques regardless of their individual differences. This provides the cryptanalyst with a general framework to describe attacks on block ciphers, with the additional capabilities of allowing specification of the technical details of each different type of attack and of comparison of their respective strengths. Comparing different distinguishers in this framework also allows us to see natural generalizations and trigger nice open problems. We then show how to apply this Xi framework to the description of various attacks on popular and recent block ciphers.

01 Jan 2006
TL;DR: This paper gives a general framework for the analysis of block ciphers using the statistical technique of likelihood estimation and analysing the SAFER block cipher in this framework exposes a cryptographic weakness of that cipher.
Abstract: In this paper, we give a general framework for the analysis of block ciphers using the statistical technique of likelihood estimation. We show how various recent successful cryptanalyses of block ciphers can be regarded in this framework. By analysing the SAFER block cipher in this framework we expose a cryptographic weakness of that cipher.

Book ChapterDOI
03 Dec 2006
TL;DR: KFC is the first practical block cipher to propose tight security proofs of resistance against large classes of attacks, including most classical cryptanalysis (such as linear and differential cryptanalysis, taking the hull effect into consideration in both cases), and results from the decorrelation theory are extended to the whole KFC construction.
Abstract: We introduce KFC, a block cipher based on a three round Feistel scheme. Each of the three round functions has an SPN-like structure for which we can either compute or bound the advantage of the best d-limited adaptive distinguisher, for any value of d. Using results from the decorrelation theory, we extend these results to the whole KFC construction. To the best of our knowledge, KFC is the first practical (in the sense that it can be implemented) block cipher to propose tight security proofs of resistance against large classes of attacks, including most classical cryptanalysis (such as linear and differential cryptanalysis, taking the hull effect into consideration in both cases, higher order differential cryptanalysis, the boomerang attack, differential-linear cryptanalysis, and others).

Proceedings ArticleDOI
07 May 2006
TL;DR: Using ant colony optimization for automated cryptanalysis of classical simple substitution ciphers proved to be very effective on various sets of encoding keys.
Abstract: In this paper, we investigate the use of Ant Colony Optimization (ACO) for automated cryptanalysis of classical simple substitution ciphers. Based on our experiments, ACO-based attacks proved to be very effective on various sets of encoding keys.

04 Jan 2006
TL;DR: This paper derives the statistical distributions of difference propagation probabilities and input-output correlations for random functions and block ciphers, for most of them for the first time, and shows that these parameters have distributions that are well-studied in the field of statistics such as the normal, Poisson, Gamma and extreme value distributions.
Abstract: In this paper, we derive the statistical distributions of difference propagation probabilities and input-output correlations for random functions and block ciphers, for most of them for the first time. We show that these parameters have distributions that are well-studied in the field of statistics such as the normal, Poisson, Gamma and extreme value distributions. For Markov ciphers there exists a solid theory that expresses bounds on the complexity of differential and linear cryptanalysis in terms of average difference propagation probabilities and average correlations, where the average is taken over the keys. The propagation probabilities and correlations exploited in differential and linear cryptanalysis actually depend on the key and hence so does the attack complexity. Markov theory does not make statements on the distributions of these fixed-key properties but rather makes the assumption that their values will be close to the average for the vast majority of keys. This assumption is made explicit in the form of the hypothesis of stochastic equivalence. In this paper, we study the distributions of propagation properties that are relevant in the resistance of key-alternating ciphers against differential and linear cryptanalysis. Key-alternating ciphers are basically iterative ciphers where round keys are applied by an XOR operation in between unkeyed rounds and are a sub-class of Markov ciphers. We give the distributions of fixed-key difference propagation probability and fixed-key correlation of iterative ciphers. We show that for key-alternating ciphers, the hypothesis of stochastic equivalence can be discarded.
In its place comes the explicit formulation of the distribution of fixed-key differential probability (DP) of a differential in terms of its expected differential probability (EDP) and the distribution of the fixed-key linear probability (or rather potential) (LP) of a linear approximation (or hull) in terms of its expected linear probability (ELP). Here the ELP and EDP are defined by disregarding the key schedule of the block cipher and taking the average over independently selected round keys, instead of over all cipher keys. Proving these distributions requires no assumptions standardly made in Markov cipher theory such as perfectly uniform behavior, independently acting rounds or the technique of averaging over keys. For key-alternating ciphers, we show that if the EDP is equal to 2^-n with n the block length, the fixed-key DP has the same distribution as in a random n-bit cipher. The same holds for the ELP and the corresponding fixed-key LP. Finally we present a statistical technique for computing bounds on the EDP based on the distribution of probabilities of differential characteristics and of the ELP based on the distribution of LP of linear characteristics.

Book ChapterDOI
06 Jun 2006
TL;DR: The rainbow attack on stream ciphers filtered by Maiorana-McFarland functions is presented, which replaces the time-memory-data trade-off attack with the rainbow attack of Oechslin, which offers better performance and implementation advantages.
Abstract: In this paper, we present the rainbow attack on stream ciphers filtered by Maiorana-McFarland functions. This can be considered as a generalization of the time-memory-data trade-off attack of Mihaljevic and Imai on Toyocrypt. First, we substitute the filter function in Toyocrypt (which has the same size as the LFSR) with a general Maiorana-McFarland function. This allows us to apply the attack to a wider class of stream ciphers. Moreover, our description replaces the time-memory-data trade-off attack with the rainbow attack of Oechslin, which offers better performance and implementation advantages. Second, we highlight how the choice of different Maiorana-McFarland functions can affect the effectiveness of our attack. Third, we show that the attack can be modified to apply on filter functions which are smaller than the LFSR or on filter-combiner stream ciphers. This allows us to cryptanalyze other configurations commonly found in practice. Finally, filter functions with vector output are sometimes used in stream ciphers to improve the throughput. Therefore the case when the Maiorana-McFarland functions have vector output is investigated. We found that the extra speed comes at the price of additional weaknesses which make the attacks easier.

Journal Article
TL;DR: KFC as mentioned in this paper is a block cipher based on a three-round Feistel scheme, where each of the three round functions has an SPN-like structure for which we can either compute or bound the advantage of the best d-limited adaptive distinguisher, for any value of d. Using results from the decorrelation theory, we extend these results to the whole KFC construction.
Abstract: We introduce KFC, a block cipher based on a three round Feistel scheme. Each of the three round functions has an SPN-like structure for which we can either compute or bound the advantage of the best d-limited adaptive distinguisher, for any value of d. Using results from the decorrelation theory, we extend these results to the whole KFC construction. To the best of our knowledge, KFC is the first practical (in the sense that it can be implemented) block cipher to propose tight security proofs of resistance against large classes of attacks, including most classical cryptanalysis (such as linear and differential cryptanalysis, taking the hull effect into consideration in both cases, higher order differential cryptanalysis, the boomerang attack, differential-linear cryptanalysis, and others).

Journal Article
TL;DR: In this article, the Gröbner basis attack was used to recover the full cipher key with only a minimal number of plaintext/ciphertext pairs and negligible computational effort.
Abstract: We construct and analyze Feistel and SPN ciphers that have a sound design strategy against linear and differential attacks but for which the encryption process can be described by very simple polynomial equations. For a block and key size of 128 bits, we present ciphers for which practical Gröbner basis attacks can recover the full cipher key requiring only a minimal number of plaintext/ciphertext pairs. We show how Gröbner bases for a subset of these ciphers can be constructed with negligible computational effort. This reduces the key-recovery problem to a Gröbner basis conversion problem. By bounding the running time of a Gröbner basis conversion algorithm, FGLM, we demonstrate the existence of block ciphers resistant against differential and linear cryptanalysis but vulnerable against Gröbner basis attacks.

Book Chapter
08 May 2006
TL;DR: The main results of this paper are that the 5-round differential probabilities of these structures are upper bounded by p^4+2p^5 and p^4, respectively, if the maximum differential probability of a round function is p.
Abstract: In this paper we introduce two new block cipher structures, named RC6-like structure and MISTY-FO-like structure, and show that these structures are provably resistant against differential attack. The main results of this paper are that the 5-round differential probabilities of these structures are upper bounded by p^4+2p^5 and p^4, respectively, if the maximum differential probability of a round function is p. We also discuss a provable security for the RC6-like structure against LC. Our results are attained under the assumption that all of the components in our proposed structures are bijective.

Journal Article
TL;DR: This paper gives a brief overview of this "overdefined system of equations" (OSE) attack and shows how the attack may be avoided through the use of round functions constructed according to the CAST design procedure.
Abstract: Recently, Courtois and Pieprzyk proposed a class of algebraic attacks on symmetric block ciphers that takes advantage of a previously-unexploited property of substitution boxes, or s-boxes, in the round function. This paper gives a brief overview of this "overdefined system of equations" (OSE) attack and shows how the attack may be avoided through the use of round functions constructed according to the CAST design procedure. Such round functions contain a variety of protection mechanisms, including s-boxes of large dimension, a circular key-dependent rotation step, and combinations of operators from different algebraic groups.

Proceedings Article
18 Dec 2006
TL;DR: Systematic experiments on heuristic-based attacks of modified versions of data encryption standard (DES) with 48 bits are presented for the first time, with a novel contribution of combining the features of differential cryptanalysis and heuristic optimisation methods.
Abstract: Cryptanalysis of ciphers has been successfully demonstrated through several techniques such as brute force attack, linear and differential cryptanalysis and heuristic optimisation methods. To demonstrate the power of heuristic optimisation techniques for attacks of modern-day ciphers, we present for the first time systematic experiments on heuristic-based attacks of modified versions of data encryption standard (DES) with 48 bits. A novel contribution of this work lies in combining the features of differential cryptanalysis and heuristic optimisation methods. This is possible by using differential cryptanalysis to obtain 42 bits of the key whereas the remaining missing 14 key bits are obtained through heuristic optimisation methods by a choice of suitable composite fitness function to capture this combined use of both these approaches. The studies reported in this paper will be useful for the attacks of other similar ciphers.

Book Chapter
06 Sep 2006
TL;DR: This investigation shows that the full 16-round Cobra-F64a can be broken by the related-key rectangle attack and that the full 20-round Cobra-F64b can be broken by the related-key differential attack.
Abstract: Cobra-F64a and Cobra-F64b, designed for firmware-oriented applications, are 64-bit Data-dependent Permutation based block ciphers with 128 key bits, which consist of 16 and 20 rounds, respectively. In this paper, we investigate their security against related-key attacks. Our investigation shows that the full 16-round Cobra-F64a can be broken by our related-key rectangle attack and that the full 20-round Cobra-F64b can be broken by our related-key differential attack.