Topic

# Linear cryptanalysis

About: Linear cryptanalysis is a research topic. Over the lifetime, 1777 publications have been published within this topic receiving 40900 citations.

##### Papers published on a yearly basis

##### Papers

More filters

•

01 Jan 1993TL;DR: This book introduces a new cryptographic method, called differential cryptanalysis, which can be applied to analyze cryptosystems, and describes the cryptanalysis of DES, deals with the influence of its building blocks on security, and analyzes modified variants.

Abstract: DES, the Data Encryption Standard, is one of several cryptographic standards. The authors of this text detail their cryptanalytic "attack" upon DES and several other systems, using creative and novel tactics to demonstrate how they broke DES up into 16 rounds of coding. The methodology used offers valuable insights to cryptographers and cryptanalysts alike in creating new encryption standards, strengthening current ones, and exploring new ways to test important data protection schemes. This book introduces a new cryptographic method, called differential cryptanalysis, which can be applied to analyze cryptosystems. It describes the cryptanalysis of DES, deals with the influence of its building blocks on security, and analyzes modified variants. The differential cryptanalysis of "Feal" and several other cryptosystems is also described. This method can also be used to cryptanalyze hash functions, as is exemplified by the cryptanalysis of "Snefru".

1,009 citations

••

20 Jan 1997TL;DR: A new 128-bit block cipher called Square, which concentrates on the resistance against differential and linear cryptanalysis, and the publication of the resulting cipher for public scrutiny is published.

Abstract: In this paper we present a new 128-bit block cipher called Square. The original design of Square concentrates on the resistance against differential and linear cryptanalysis. However, after the initial design a dedicated attack was mounted that forced us to augment the number of rounds. The goal of this paper is the publication of the resulting cipher for public scrutiny. A C implementation of Square is available that runs at 2.63 MByte/s on a 100 MHz Pentium. Our M68HC05 Smart Card implementation fits in 547 bytes and takes less than 2 msec. (4 MHz Clock). The high degree of parallellism allows hardware implementations in the Gbit/s range today.

759 citations

••

30 Aug 2009TL;DR: A new family of very efficient hardware oriented block ciphers divided into two flavors, which is more compact in hardware, as the key is burnt into the device (and cannot be changed), and achieves encryption speed of 12.5 KBit/sec.

Abstract: In this paper we propose a new family of very efficient hardware oriented block ciphers. The family contains six block ciphers divided into two flavors. All block ciphers share the 80-bit key size and security level. The first flavor, KATAN, is composed of three block ciphers, with 32, 48, or 64-bit block size. The second flavor, KTANTAN, contains the other three ciphers with the same block sizes, and is more compact in hardware, as the key is burnt into the device (and cannot be changed).
The smallest cipher of the entire family, KTANTAN32, can be implemented in 462 GE while achieving encryption speed of 12.5 KBit/sec (at 100 KHz). KTANTAN48, which is the version we recommend for RFID tags uses 588 GE, whereas KATAN64, the largest and most flexible candidate of the family, uses 1054 GE and has a throughput of 25.1 Kbit/sec (at 100 KHz).

733 citations

••

TL;DR: Using the well-known principles in the cryptanalysis it is shown that these ciphers do not behave worse than the standard ones, opening in this way a novel approach to the design of block encryption cipher.

Abstract: This paper is devoted to the analysis of the impact of chaos-based techniques on block encryption ciphers. We present several chaos based ciphers. Using the well-known principles in the cryptanalysis we show that these ciphers do not behave worse than the standard ones, opening in this way a novel approach to the design of block encryption ciphers.

638 citations

••

08 Apr 1991

TL;DR: It is shown that PES (8) and PES(16) are immune to differential cryptanalysis after sufficiently many rounds, and a new design principle for Markov ciphers, viz., that their transition probability matrices should not be symmetric is suggested.

Abstract: This paper considers the security of iterated block ciphers against the differential cryptanalysis introduced by Biham and Shamir. Differential cryptanalysis is a chosen-plaintext attack on secret-key block ciphers that are based on iterating a cryptographically weak function r times (e.g., the 16-round Data Encryption Standard (DES)). It is shown that the success of such attacks on an r-round cipher depends on the existence of (r-1)-round differentials that have high probabilities, where an i-round differential is defined as a couple (α, β) such that a pair of distinct plaintexts with difference α can result in a pair of i-th round outputs that have difference β, for an appropriate notion of "difference". The probabilities of such differentials can be used to determine a lower bound on the complexity of a differential cryptanalysis attack and to show when an r-round cipher is not vulnerable to such attacks. The concept of "Markov ciphers" is introduced for iterated ciphers because of its significance in differential cryptanalysis. If an iterated cipher is Markov and its round subkeys are independent, then the sequence of differences at each round output forms a Markov chain. It follows from a result of Biham and Shamir that DES is a Markov cipher. It is shown that, for the appropriate notion of "difference", the Proposed Encryption Standard (PES) of Lai and Massey, which is an 8-round iterated cipher, is a Markov cipher, as are also the mini-version of PES with block length 8, 16 and 32 bits. It is shown that PES(8) and PES(16) are immune to differential cryptanalysis after sufficiently many rounds. A detailed cryptanalysis of the full-size PES is given and shows that the very plausibly most probable 7-round differential has a probability about 2-58. A differential cryptanalysis attack of PES(64) based on this differential is shown to require all 264 possible encryptions. This cryptanalysis of PES suggested a new design principle for Markov ciphers, viz., that their transition probability matrices should not be symmetric. A minor modification of PES, consistent with all the original design principles, is proposed that satisfies this new design criterion. This modified cipher, called Improved PES (IPES), is described and shown to be highly resistant to differential cryptanalysis.

629 citations