
Differential cryptanalysis

About: Differential cryptanalysis is a research topic. Over the lifetime, 2131 publications have been published within this topic receiving 54681 citations.


Papers
Journal ArticleDOI
TL;DR: This paper analyzes the hypotheses made in simple, multiple, and multidimensional linear attacks that use either non-zero or zero correlations, and provides more accurate estimates of the data complexity of these attacks.
Abstract: The power of a statistical attack is inversely proportional to the number of plaintexts needed to recover information on the encryption key. By analyzing the distribution of the random variables involved in the attack, cryptographers aim to provide a good estimate of the data complexity of the attack. In this paper, we analyze the hypotheses made in simple, multiple, and multidimensional linear attacks that use either non-zero or zero correlations, and provide more accurate estimates of the data complexity of these attacks. This is achieved by taking, for the first time, into consideration the key variance of the statistic for both the right and wrong keys. For the family of linear attacks considered in this paper, we differentiate between the attacks which are performed in the known-plaintext and those in the distinct-known-plaintext model.

36 citations

Book ChapterDOI
08 May 2016
TL;DR: It is proved that the methodology of standard differential cryptanalysis can be unambiguously extended and transferred to the polytopic case, including impossible differentials, and it is shown that impossible polytopic transitions have generic advantages over impossible differentials.
Abstract: Standard differential cryptanalysis uses statistical dependencies between the difference of two plaintexts and the difference of the respective two ciphertexts to attack a cipher. Here we introduce polytopic cryptanalysis which considers interdependencies between larger sets of texts as they traverse through the cipher. We prove that the methodology of standard differential cryptanalysis can unambiguously be extended and transferred to the polytopic case including impossible differentials. We show that impossible polytopic transitions have generic advantages over impossible differentials. To demonstrate the practical relevance of the generalization, we present new low-data attacks on round-reduced DES and AES using impossible polytopic transitions that are able to compete with existing attacks, partially outperforming these.

36 citations

Proceedings ArticleDOI
18 Jun 2017
TL;DR: A framework (XFC) that analyzes block ciphers for their vulnerability to faults and automatically predicts whether a differential fault attack would succeed; applied to AES, CLEFIA and SMS4, it automatically derived fault attacks matching the best known to date in the single-fault model.
Abstract: Fault attacks recover secret keys by exploiting faults injected during the execution of a block cipher. However, not all faults are exploitable, and every exploitable fault is associated with an offline complexity to determine the key. The ideal fault attack would recover the maximum number of key bits with minimum offline effort. Finding the ideal fault attack for a block cipher is a laborious manual task, which can take several months to years before such an attack is discovered. In this paper, we present a framework that analyzes block ciphers for their vulnerabilities to faults and automatically predicts whether a differential fault attack would be successful. The framework, which we call XFC, uses colors to analyze the fault propagation and exploitability in the cipher. XFC is able to (a) predict the key bits that can be derived by the fault attack and (b) estimate the offline complexity. It can thus be used to identify the ideal fault attack for a block cipher. As a proof of concept, we have applied XFC to the block ciphers AES, CLEFIA and SMS4 and were able to automatically derive fault attacks that correspond to the best known to date in the single-fault model.

35 citations

Journal ArticleDOI
TL;DR: This paper explores the feasibility of designing cryptographically secure substitutions via approximation of mixing maps by periodic transformations, and shows that block ciphers with close-to-optimal immunity to linear and differential cryptanalysis can be designed along these guidelines.
Abstract: In this paper, we explore, following Shannon's suggestion that diffusion should be one of the ingredients of resistant block ciphers, the feasibility of designing cryptographically secure substitutions (think of S-boxes, say) via approximation of mixing maps by periodic transformations. The expectation behind this approach is, of course, that the nice diffusion properties of such maps will be inherited by their approximations, at least if the convergence rate is appropriate and the associated partitions are sufficiently fine. Our results show that this is indeed the case and that, in principle, block ciphers with close-to-optimal immunity to linear and differential cryptanalysis (as measured by the linear and differential approximation probabilities) can be designed along these guidelines. We provide also practical examples and numerical evidence for this approximation philosophy.

35 citations
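Both the polytopic-cryptanalysis abstract above and this one reason in terms of the differential and linear approximation probabilities of an S-box, and the polytopic paper builds on impossible differentials, which at S-box level are simply zero entries of the difference distribution table. As an added example, not code from either paper, the following Python computes the difference distribution table (DDT) and linear approximation table (LAT) of a 4-bit S-box, reads off the maximum differential probability and linear bias, flags impossible single-S-box differentials, and chains DDT probabilities along a constructed differential trail under the usual independence assumption. The S-box table is the published PRESENT S-box, used only as a concrete, well-analysed input; the trail `(0x1 -> 0x9, 0x9 -> 0x4)` and the helper names are this example's own.

```python
"""Difference distribution table (DDT) and linear approximation table (LAT)
of a 4-bit S-box, with the differential / linear approximation probabilities
and impossible differentials used by differential and linear cryptanalysis.
Added example; not code from the papers listed on this page."""

# Concrete input for the example: the published PRESENT S-box (4-bit, bijective).
# Any list of 2**n distinct values in range(2**n) works in its place.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def ddt(sbox):
    """DDT[dx][dy] = number of inputs x with S(x) ^ S(x ^ dx) == dy.
    Every row sums to len(sbox); entry / len(sbox) is the differential probability."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def parity(v):
    """GF(2) dot-product helper: parity of the set bits of v."""
    return bin(v).count("1") & 1


def lat(sbox):
    """LAT[a][b] = #{x : a.x == b.S(x)} - len(sbox)/2, the signed count behind the
    linear approximation a.x ^ b.S(x) = 0; |entry| / len(sbox) is its bias."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            agree = sum(1 for x in range(n) if parity(a & x) == parity(b & sbox[x]))
            table[a][b] = agree - n // 2
    return table


def max_differential_probability(sbox):
    """(probability, dx, dy) of the best non-trivial differential dx -> dy."""
    n = len(sbox)
    table = ddt(sbox)
    count, dx, dy = max((table[i][o], i, o) for i in range(1, n) for o in range(n))
    return count / n, dx, dy


def max_linear_bias(sbox):
    """(|bias|, a, b) of the best non-trivial linear approximation a.x = b.S(x)."""
    n = len(sbox)
    table = lat(sbox)
    mag, a, b = max((abs(table[i][o]), i, o) for i in range(1, n) for o in range(1, n))
    return mag / n, a, b


def is_impossible(sbox, dx, dy):
    """A zero DDT entry means no input pair with difference dx ever produces
    output difference dy: the differential is impossible for this S-box."""
    return ddt(sbox)[dx][dy] == 0


def characteristic_probability(sbox, trail):
    """Probability of a differential trail [(dx1, dy1), (dx2, dy2), ...] through
    successive copies of the S-box, multiplying per-transition DDT probabilities.
    Assumes independent transitions (the standard Markov-cipher heuristic); the
    probability of the differential dx1 -> dy_k can be higher than any single
    trail because several trails may share the same endpoints."""
    n = len(sbox)
    table = ddt(sbox)
    p = 1.0
    for dx, dy in trail:
        p *= table[dx][dy] / n
    return p


if __name__ == "__main__":
    p, dx, dy = max_differential_probability(PRESENT_SBOX)
    print(f"best differential {dx:#x} -> {dy:#x}, probability {p}")
    eps, a, b = max_linear_bias(PRESENT_SBOX)
    print(f"best linear masks a={a:#x}, b={b:#x}, |bias| {eps}")
    # Constructed trail: 0x1 -> 0x9 through one S-box, then 0x9 -> 0x4 through the next.
    print("trail probability:", characteristic_probability(PRESENT_SBOX, [(1, 9), (9, 4)]))
    print("0x1 -> 0x1 impossible:", is_impossible(PRESENT_SBOX, 1, 1))
```

For a 4-bit bijective S-box the best achievable values are a differential probability of 2^-2 and a linear bias of 2^-2, which is what the tables above yield for PRESENT; the chained trail shows how a two-transition characteristic drops to 2^-4 before any diffusion layer is taken into account, and the zero DDT entries are the single-S-box building blocks of the impossible-differential (and impossible-polytopic) arguments above.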

Posted Content
TL;DR: An algebraic attack on the A5/2 stream cipher is described that determines the linear relations among the output sequence bits; the vast majority of the unknown output bits can be reconstructed.
Abstract: An attack on the A5/2 stream cipher algorithm is described that determines the linear relations among the output sequence bits. The vast majority of the unknown output bits can be reconstructed. The time complexity of the attack is proportional to 2. Introduction: A5 is the stream cipher algorithm used to encrypt the link from the telephone to the base station in the GSM system. According to [1], two versions of A5 exist: A5/1, the 'stronger' version, and A5/2, the 'weaker' version. The attacks on A5/1, utilizing the birthday paradox, are described in [2, 3]. The attack on A5/2 presented here is of an algebraic nature. The scheme of the A5/2 algorithm is given in Fig. 1. The LFSR R4 clocks the LFSRs R1, ..., R3 in the stop/go manner. The feedback polynomials of the registers are: g1(x) = 1 + x^14 + x + x + x, g2(x) = 1 + x^21 + x, g3(x) = 1 + x^8 + x + x + x, g4(x) = 1 + x^12 + x. The function F is the majority function F(x1, x2, x3) = x1x2 + x1x3 + x2x3. The communication in the GSM system is performed through frames. Each frame consists of 228 bits. For every frame to be enciphered, the initialization procedure takes place, which yields the initial state of the LFSRs on the basis of the 64-bit secret key K and the 22-bit frame number F. During the initialization, the bits of the secret key are first imposed into all the LFSRs, at every clock pulse, without the stop/go clocking, starting from the LSB of each key byte. Then the bits of the frame number are imposed into all the LFSRs in the
Instituto de Física Aplicada (CSIC), Serrano 144, 28006 Madrid, Spain

35 citations


Network Information
Related Topics (5)
Cryptography
37.3K papers, 854.5K citations
93% related
Encryption
98.3K papers, 1.4M citations
90% related
Public-key cryptography
27.2K papers, 547.7K citations
89% related
Hash function
31.5K papers, 538.5K citations
88% related
Key (cryptography)
60.1K papers, 659.3K citations
85% related
Performance
Metrics
No. of papers in the topic in previous years
Year  Papers
2023  37
2022  71
2021  33
2020  53
2019  42
2018  50