scispace - formally typeset
Topic

Differential cryptanalysis

About: Differential cryptanalysis is a research topic. Over the lifetime, 2131 publications have been published within this topic receiving 54681 citations.


Papers
Book Chapter (DOI)
17 Sep 1997
TL;DR: It is shown that, for attacking the 6-round KN cipher, the number of required chosen plaintexts can be halved and the running time reduced from 2^41 to 2^14, and that all round keys can be derived in only 0.02 seconds on a Sun Ultra 1 (UltraSPARC 170MHz).
Abstract: Since the proposal of differential cryptanalysis and linear cryptanalysis in 1991 and 1993, respectively, the resistance to these cryptanalyses has been studied for many cryptosystems. Moreover, some block ciphers with provable security against differential and linear cryptanalysis have been proposed. One of them is the KN cipher proposed by Knudsen and Nyberg. The KN cipher is a prototype cipher with provable security against ordinary differential cryptanalysis, and has been proved to be secure against linear cryptanalysis, too. Recently a new method of attacking block ciphers, the higher order differential attack, was proposed, and Jakobsen and Knudsen showed that the KN cipher can be attacked by this method in FSE4. In this paper, we improve this attack to reduce both the number of required chosen plaintexts and the running time, and apply it to the cryptanalysis of the KN cipher. We show that, for attacking the KN cipher with 6 rounds, the number of required chosen plaintexts can be reduced by half and the running time reduced from 2^41 to 2^14, and that all round keys can be derived in only 0.02 seconds on a Sun Ultra 1 (UltraSPARC 170MHz).

11 citations

Proceedings Article (DOI)
01 Dec 2011
TL;DR: This paper provides a rigorous investigation of the security of ECBC and SECC to unveil their cryptographic strengths under chosen-plaintext attacks and proposes a secure yet lightweight construction of f achieving the maximum degree.
Abstract: In GLOBECOM'10, Adamo et al. proposed an interesting encryption scheme, called Error Correction-Based Cipher (ECBC), working at the physical layer. This scheme, together with its ancestor, Secret Error Correcting Code (SECC), belongs to the family of Joint Encryption and Error Correction (JEEC), which combines error correction and data encryption as one process to enable efficient implementations. In this paper, we provide a rigorous investigation on the security of ECBC and SECC to unveil their cryptographic strengths under chosen-plaintext attacks. For ECBC, we found a 3-stage differential-style attack, which breaks the scheme with $O(k \times 2^{deg(f)} + 2^k)$ effort, where $deg(f)$ is the degree of the core cryptographic function $f$. For SECC, we found a similar attack of complexity $O(k \times 2^{k+1})$. Both of the attacks are significantly improved from exhaustive search, e.g., $O(2^{2k+kn+n\times2^k})$ for ECBC and $O(2^{kn+ (k+n) \times 2^k})$ for SECC. In addition, we exhibit that $f$ used in ECBC's implementation is particularly vulnerable to our attack, which allows the attacker to recover the secret generator matrix in $O(1)$. To mitigate this vulnerability, we propose a secure yet lightweight construction of $f$ achieving the maximum degree. Finally, the core part of our attack against ECBC has been implemented utilizing GPU acceleration and demonstrated on a cluster GPU instance provided by Amazon EC2. Experimental results confirm that the original implementation of the ECBC scheme can be broken in (almost) constant time (${<}0.4$ second) regardless of $k$, whereas the ECBC scheme enhanced by our proposed $f$ can withstand this attack to the maximum extent.

11 citations

Journal Article
TL;DR: In this article, the Gröbner basis attack was used to recover the full cipher key with only a minimal number of plaintext/ciphertext pairs and negligible computational effort.
Abstract: We construct and analyze Feistel and SPN ciphers that have a sound design strategy against linear and differential attacks but for which the encryption process can be described by very simple polynomial equations. For a block and key size of 128 bits, we present ciphers for which practical Gröbner basis attacks can recover the full cipher key requiring only a minimal number of plaintext/ciphertext pairs. We show how Gröbner bases for a subset of these ciphers can be constructed with negligible computational effort. This reduces the key-recovery problem to a Gröbner basis conversion problem. By bounding the running time of a Gröbner basis conversion algorithm, FGLM, we demonstrate the existence of block ciphers resistant against differential and linear cryptanalysis but vulnerable to Gröbner basis attacks.

11 citations

Journal Article (DOI)
TL;DR: This study presents a new impossible differential attack on a reduced version of Camellia-256 without the FL/FL^-1 functions and whitening, and introduces a new extension of the hash table technique and exploits it to attack 16 rounds of Camellia-256.
Abstract: Camellia, a 128-bit block cipher that has been accepted by ISO/IEC as an international standard, is increasingly being used in many cryptographic applications. In this study, the authors present a new impossible differential attack on a reduced version of Camellia-256 without the FL/FL^-1 functions and whitening. First, the authors introduce a new extension of the hash table technique and then exploit it to attack 16 rounds of Camellia-256. When, in an impossible differential attack, the size of the target subkey space is large and the filtration, in the initial steps of the attack, is performed slowly, the extended hash table technique will be very useful. The proposed attack on Camellia-256 requires 2^124.1 known plaintexts and has a running time equivalent to about 2^249.3 encryptions. In terms of the number of attacked rounds, our result is the best published attack on Camellia-256.

11 citations

Journal Article (DOI)
TL;DR: This paper proposes a new encryption technique called Variable size Block Encryption using Dynamic-key Mechanism (VBEDM), which is designed with unlimited key size, a dynamically changing permutation table based on the encryption key, and a variable block size for each round.
Abstract: A weak point of the existing block encryption scheme is that the plain text or encryption key could be easily exposed by differential cryptanalysis or linear cryptanalysis, which are mostly used for decoding block encryption. This is because the encryption schemes have been designed for a fixed size encryption key. Another weak point of the existing block encryption algorithm is that it has a fixed permutation table and a fixed number of encryption rounds. In order to overcome these weaknesses, an encryption algorithm using an unlimited size of key and a dynamically changing permutation table should be designed. A new encryption technique called Variable size Block Encryption using Dynamic-key Mechanism (VBEDM) is designed with unlimited key size, a dynamically changing permutation table based on the encryption key and a variable block size for each round. To make it hard for the cryptanalyst to expose the plain text, the VBEDM uses a key-based compression technique chosen from an array of compression algorithms. The compression used is not for compressing the text but for strengthening the encryption method. Because of its dynamic functionality in input block size, key size, permutation, number of rounds and compression, it makes it very hard for the cryptanalyst to analyze the cipher text. This algorithm also uses a compression technique from an array of compression algorithms, resulting in more confusion for the analyst.

11 citations


Network Information
Related Topics (5)
Cryptography: 37.3K papers, 854.5K citations, 93% related
Encryption: 98.3K papers, 1.4M citations, 90% related
Public-key cryptography: 27.2K papers, 547.7K citations, 89% related
Hash function: 31.5K papers, 538.5K citations, 88% related
Key (cryptography): 60.1K papers, 659.3K citations, 85% related
Performance Metrics
No. of papers in the topic in previous years
Year    Papers
2023    37
2022    71
2021    33
2020    53
2019    42
2018    50