
Differential cryptanalysis

About: Differential cryptanalysis is a research topic. Over the lifetime, 2131 publications have been published within this topic receiving 54681 citations.


Papers
Book chapter, 02 May 2002
TL;DR: It is shown that some properties of highly nonlinear functions used as round functions make it possible to find a new upper bound for the degree of the product of their Boolean components.
Abstract: To improve the security of iterated block ciphers, the resistance against linear cryptanalysis has been formulated in terms of provable security, which suggests the use of highly nonlinear functions as round functions. Here, we show that some properties of such functions make it possible to find a new upper bound for the degree of the product of their Boolean components. Such an improvement holds when all values occurring in the Walsh spectrum of the round function are divisible by a high power of 2. This result leads to a higher order differential attack on any 5-round Feistel cipher using an almost bent substitution function. We also show that the use of such a function is precisely the origin of the weakness of a reduced version of MISTY1 reported in [23, 1].

75 citations

Journal article
TL;DR: This study analyzes the security weaknesses of the “C.

74 citations

Book chapter, 27 Aug 1995
TL;DR: This paper analyzes the security of the RC5 encryption algorithm against differential and linear cryptanalysis and concludes that Rivest's suggested use of 12 rounds is sufficient to make differential and linear cryptanalysis of RC5 impractical.
Abstract: This paper analyzes the security of the RC5 encryption algorithm against differential and linear cryptanalysis. RC5 is a new block cipher recently designed by Ron Rivest. It has a variable word size, a variable number of rounds, and a variable-length secret key. In RC5, the secret key is used to fill an expanded key table which is then used in encryption. Both our differential and linear attacks on RC5 recover every bit of the expanded key table without any exhaustive search. However, the plaintext requirement is strongly dependent on the number of rounds. For 64-bit block size, our differential attack on nine-round RC5 uses 2^45 chosen plaintext pairs (about the same as DES), while 2^62 pairs are needed for 12-round RC5. Similarly, our linear attack on five-round RC5 uses 2^47 known plaintexts (about the same as DES), and the plaintext requirement is impractical for more than six rounds. We conjecture that the linear approximations used in our linear cryptanalysis are optimal. Thus, we conclude that Rivest's suggested use of 12 rounds is sufficient to make differential and linear cryptanalysis of RC5 impractical.

74 citations

Book chapter, 23 Aug 1998
TL;DR: Using recent results from coding theory, it is shown how to break block ciphers operating on GF(q) where the ciphertext is expressible as evaluations of an unknown univariate polynomial of low degree m over the plaintext with a typically low, but non-negligible, probability μ.
Abstract: Using recent results from coding theory, it is shown how to break block ciphers operating on GF(q) where the ciphertext is expressible as evaluations of an unknown univariate polynomial of low degree m over the plaintext with a typically low, but non-negligible, probability μ. The method employed is essentially Sudan's algorithm for decoding Reed-Solomon codes beyond the error-correction diameter. The known-plaintext attack needs n = 2m/μ^2 plaintext/ciphertext pairs and the running time is polynomial in n. Furthermore, it is shown how to discover more general non-linear relations p(x, y) = 0 between plaintext x and ciphertext y that hold with small probability μ. The second attack needs access to n = (2m/μ)^2 plaintext/ciphertext pairs where m = deg p, and its running time is also polynomial in n. As a demonstration, we break up to 10 rounds of a cipher constructed by Nyberg and Knudsen that is provably secure against differential and linear cryptanalysis.

73 citations

Journal article
TL;DR: The cryptanalytic findings conclude that not only are S-box-only image ciphers practically insecure against chosen plaintext attack, but also that the computational complexity of the attack is only O(128L), where L is the total number of pixels in the image.
Abstract: S-boxes have been widely used as a base of new encryption strategies. Recently, the use of S-boxes has become popular in image ciphers as the main approach to performing substitution. Based on a general model of S-box-only image ciphers, this paper performs a cryptanalysis of the performance of these kinds of ciphers against chosen plaintext attack. The cryptanalytic findings conclude that not only are S-box-only image ciphers practically insecure against chosen plaintext attack, but also that the computational complexity of the attack is only O(128L), where L is the total number of pixels in the image. Moreover, a real S-box-only chaotic image cipher is tested as an example analysis to demonstrate our assertion. Finally, we give four corresponding improvement ideas that help to design a secure cryptosystem based on S-boxes.

73 citations


Network Information
Related Topics (5)
Cryptography: 37.3K papers, 854.5K citations, 93% related
Encryption: 98.3K papers, 1.4M citations, 90% related
Public-key cryptography: 27.2K papers, 547.7K citations, 89% related
Hash function: 31.5K papers, 538.5K citations, 88% related
Key (cryptography): 60.1K papers, 659.3K citations, 85% related
Performance Metrics
No. of papers in the topic in previous years
Year    Papers
2023    37
2022    71
2021    33
2020    53
2019    42
2018    50