Results 1-10 of 27
How far can we go beyond linear cryptanalysis?
Advances in Cryptology - Asiacrypt '04, volume 3329 of LNCS, 2004
Cited by 37 (9 self)
Abstract. Several generalizations of linear cryptanalysis have been proposed in the past, as well as very similar attacks from a statistical point of view. In this paper, we define a rigorous general statistical framework which allows one to interpret most of these attacks in a simple and unified way. Then, we explicitly construct optimal distinguishers, we evaluate their performance, and we prove that a block cipher immune to classical linear cryptanalysis possesses some resistance to a wide class of generalized versions, but not all. Finally, we derive tools which are necessary to set up more elaborate extensions of linear cryptanalysis, and to generalize the notions of bias, characteristic, and piling-up lemma.
A general construction of tweakable block ciphers and different modes of operations
In Helger Lipmaa, Moti Yung, and Dongdai Lin, editors, Inscrypt, volume 4318 of Lecture Notes in Computer Science, 2006
Cited by 11 (6 self)
Abstract. This work builds on earlier work by Rogaway at Asiacrypt 2004 on tweakable block ciphers (TBC) and modes of operation. Our first contribution is to generalize Rogaway's TBC construction by working over a ring R and by the use of a masking sequence of functions. The ring R can be instantiated as either GF(2^n) or as Z_{2^n}. Further, over GF(2^n), efficient instantiations of the masking sequence of functions can be done using either a binary Linear Feedback Shift Register (LFSR); a powering construction; a cellular automata map; or a word-oriented LFSR. Rogaway's TBC construction was built from the powering construction over GF(2^n). Our second contribution is to use the general TBC construction to instantiate constructions of various modes of operation including authenticated encryption (AE) and message authentication code (MAC). In particular, this gives rise to a family of efficient one-pass AE modes of operation. Out of these, the mode of operation obtained by the use of a word-oriented LFSR promises to provide a masking method which is more efficient than the one used in the well-known AE protocol called OCB.
Keywords: tweakable block cipher, modes of operation, AE, MAC, AEAD.
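The powering construction and the Rogaway TBC that this abstract builds on, as an added example (not code from this paper, from Rogaway, or from OCB): the tweak-dependent mask Δ_i = 2^i · L is produced in GF(2^128) by repeated doubling modulo x^128 + x^7 + x^2 + x + 1, and the tweakable cipher is E_K(M ⊕ Δ_i) ⊕ Δ_i with L = E_K(N). Assumptions of the example: the 128-bit block cipher E_K is a toy XOR-and-rotate permutation so the code runs without a crypto library (it has no security), the tweak is the pair (N, i) with i ≥ 1, and all names (`gf128_double`, `mask_sequence`, `XEX`) are this example's own.

```python
"""XEX-style tweakable block cipher with the GF(2^128) powering mask sequence.

Added example; not code from the paper above, from Rogaway, or from OCB.
ToyBlockCipher is a PLACEHOLDER for E_K so the example is self-contained.
"""
from typing import List, Tuple

BLOCK_BITS = 128
BLOCK_MASK = (1 << BLOCK_BITS) - 1
# Reduction constant of the polynomial x^128 + x^7 + x^2 + x + 1 (the one
# used by OCB and XTS when the field element 'x' is written as 2).
REDUCTION = 0x87


def gf128_double(v: int) -> int:
    """Multiply v by x (the element '2') in GF(2^128).

    One shift plus a conditional XOR: this is the 'powering construction',
    where the i-th mask 2^i * L is derived from the (i-1)-th with one call.
    """
    v <<= 1
    if v >> BLOCK_BITS:          # carry out of the top bit: reduce
        v = (v & BLOCK_MASK) ^ REDUCTION
    return v


def mask_sequence(L: int, count: int) -> List[int]:
    """Return [2^1 * L, 2^2 * L, ..., 2^count * L] computed in GF(2^128)."""
    masks, m = [], L & BLOCK_MASK
    for _ in range(count):
        m = gf128_double(m)
        masks.append(m)
    return masks


def _rotl(v: int, r: int) -> int:
    return ((v << r) | (v >> (BLOCK_BITS - r))) & BLOCK_MASK


class ToyBlockCipher:
    """Placeholder for E_K: a keyed 128-bit permutation (XOR key, rotate).

    Assumption for the example only; it has no cryptographic strength.
    """

    def __init__(self, key: int):
        self.key = key & BLOCK_MASK

    def encrypt(self, x: int) -> int:
        return _rotl((x & BLOCK_MASK) ^ self.key, 37)

    def decrypt(self, y: int) -> int:
        return _rotl(y & BLOCK_MASK, BLOCK_BITS - 37) ^ self.key


class XEX:
    """Tweakable block cipher E~_K(N, i, M) = E_K(M xor D) xor D,
    with D = 2^i * E_K(N) and tweak (N, i), i >= 1 (Rogaway's XEX shape)."""

    def __init__(self, cipher: ToyBlockCipher):
        self.cipher = cipher

    def _delta(self, nonce: int, i: int) -> int:
        if i < 1:
            raise ValueError("block index i must be >= 1")
        delta = self.cipher.encrypt(nonce)      # L = E_K(N), one cipher call
        for _ in range(i):                       # D = 2^i * L by doubling
            delta = gf128_double(delta)
        return delta

    def encrypt(self, tweak: Tuple[int, int], block: int) -> int:
        delta = self._delta(*tweak)
        return self.cipher.encrypt((block & BLOCK_MASK) ^ delta) ^ delta

    def decrypt(self, tweak: Tuple[int, int], block: int) -> int:
        delta = self._delta(*tweak)
        return self.cipher.decrypt((block & BLOCK_MASK) ^ delta) ^ delta


if __name__ == "__main__":
    tbc = XEX(ToyBlockCipher(0x0123456789ABCDEF0123456789ABCDEF))
    m = 0xDEADBEEFDEADBEEFDEADBEEFDEADBEEF
    c = tbc.encrypt((5, 3), m)
    assert tbc.decrypt((5, 3), c) == m
    print(hex(c))
```

The doubling costs one shift and a conditional XOR, which is why the powering masks are cheap compared with a general field multiplication; in the abstract's terms, the LFSR, cellular-automaton and word-oriented LFSR instantiations swap `gf128_double` for a different cheap map over the same ring while keeping the E_K(M ⊕ Δ) ⊕ Δ wrapper. In a real deployment E_K is AES and the doubling is done constant-time on fixed-width words rather than on Python integers.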
Towards a Unifying View of Block Cipher Cryptanalysis
2004
Cited by 10 (0 self)
We introduce commutative diagram cryptanalysis, a framework for expressing certain kinds of attacks on product ciphers. We show that many familiar attacks, including linear cryptanalysis, differential cryptanalysis, differential-linear cryptanalysis, mod n attacks, truncated differential cryptanalysis, impossible differential cryptanalysis, higher-order differential cryptanalysis, and interpolation attacks can be expressed within this framework. Thus, we show that commutative diagram attacks provide a unifying view into the field of block cipher cryptanalysis.
Composition does not imply adaptive security
In Advances in Cryptology — CRYPTO '05, 2005
Cited by 8 (3 self)
Abstract. We study the question whether the sequential or parallel composition of two functions, each indistinguishable from a random function by non-adaptive distinguishers, is secure against adaptive distinguishers. The sequential composition of F(.) and G(.) is the function G(F(.)); the parallel composition is F(.) ⋆ G(.), where ⋆ is some group operation. It has been shown that composition indeed gives adaptive security in the information-theoretic setting, but unfortunately the proof does not translate into the more interesting computational case. In this work we show that in the computational setting composition does not imply adaptive security: if there is a prime-order cyclic group where the decisional Diffie-Hellman assumption holds, then there are functions F and G which are indistinguishable by non-adaptive polynomially time-bounded adversaries, but whose parallel composition can be completely broken (i.e., we recover the key) with only three adaptive queries. We give a similar result for sequential composition. Interestingly, we need
Pseudo-Random Functions and Parallelizable Modes of Operations of a Block Cipher
Cited by 6 (3 self)
Abstract. This paper considers the construction and analysis of pseudorandom functions (PRFs) with specific reference to modes of operation of a block cipher. In the context of message authentication codes (MACs), earlier independent work by Bernstein and Vaudenay shows how to reduce the analysis of relevant PRFs to some probability calculations. In the first part of the paper, we revisit this result and use it to prove a general result on constructions which use a PRF with a “small” domain to build a PRF with a “large” domain. This result is used to analyse two new parallelizable PRFs which are suitable for use as MAC schemes. The first scheme, called iPMAC, is based on a block cipher and improves upon the well-known PMAC algorithm. The improvements consist in faster masking operations and the removal of a design-stage discrete logarithm computation. The second scheme, called VPMAC, uses a keyed compression function rather than a block cipher. The only previously known compression-function-based parallelizable PRF is called the protected counter sum (PCS) and is due to Bernstein. VPMAC improves upon PCS by requiring a smaller number of calls to the compression function. The second part of the paper takes a new look at the construction and analysis of modes of operation for authenticated encryption (AE) and for authenticated encryption with associated data (AEAD). Usually, the most complicated part in the security analysis of such modes is the analysis of authentication
Probability distributions of correlation and differentials in block ciphers
Cryptology ePrint Archive, Report 2005/212, 2005
Cited by 5 (1 self)
In this paper, we derive the probability distributions of difference propagation probabilities and input-output correlations for random functions and block ciphers, for several of them for the first time. We show that these parameters have distributions that are well-studied in the field of probability, such as the normal, Poisson, Gamma and extreme value distributions. For Markov ciphers there exists a solid theory that expresses bounds on the complexity of differential and linear cryptanalysis in terms of average difference propagation probabilities and average correlations, where the average is taken over the keys. The propagation probabilities and correlations exploited in differential and linear cryptanalysis actually depend on the key, and hence so does the attack complexity. The theory of Markov ciphers does not make statements on the distributions of these fixed-key properties but rather makes the assumption that their values will be close to the average for the vast majority of keys. This assumption is made explicit in the form of the hypothesis of stochastic equivalence.
How Far Can We Go Beyond Linear Cryptanalysis?
Asiacrypt 2004, LNCS, 2004
Cited by 5 (0 self)
Abstract. Several generalizations of linear cryptanalysis have been proposed in the past, as well as very similar attacks from a statistical point of view. In this paper, we define a rigorous general statistical framework which allows one to interpret most of these attacks in a simple and unified way. Then, we explicitly construct optimal distinguishers, we evaluate their performance, and we prove that a block cipher immune to classical linear cryptanalysis possesses some resistance to a wide class of generalized versions, but not all. Finally, we derive tools which are necessary to set up more elaborate extensions of linear cryptanalysis, and to generalize the notions of bias, characteristic, and piling-up lemma.
Keywords: Block ciphers, linear cryptanalysis, statistical cryptanalysis.
1 A Decade of Linear Cryptanalysis
Linear cryptanalysis is a known-plaintext attack proposed in 1993 by Matsui [21, 22] to break DES [26], exploiting specific correlations between the input and the output of a block cipher. Namely, the attack traces the statistical correlation between one bit of information about the plaintext and one bit of information about the ciphertext, both obtained linearly with respect to GF(2)^L (where L is the block size of the cipher), by means of probabilistic linear expressions, a concept previously introduced by Tardy-Corfdir and Gilbert [30]. Soon after, several attempts to generalize linear cryptanalysis are published: Kaliski and Robshaw [13] demonstrate how it is possible to combine several independent linear correlations depending on the same key bits. In [31], Vaudenay defines another kind of attack on DES, called the χ²-attack, and shows that one can obtain an attack slightly less powerful than a linear cryptanalysis, but without the need to know precisely what happens in the block cipher. Harpes, Kramer, and Massey [7] replace the linear expressions with so-called I/O sums, i.e., balanced binary-valued functions; they prove the potential effectiveness of such a generalization by exhibiting a block cipher secure against conventional linear cryptanalysis but vulnerable to their generalization. Practical examples are the attack of Knudsen and Robshaw [15] against
On the Data Complexity of Statistical Attacks Against Block Ciphers
Cryptology ePrint Archive, 2009
Cited by 4 (2 self)
Abstract. Many attacks on iterated block ciphers rely on statistical considerations using plaintext/ciphertext pairs to distinguish some part of the cipher from a random permutation. We provide here a simple formula for estimating the number of plaintext/ciphertext pairs which is needed for such distinguishers and which applies to many different scenarios (linear cryptanalysis, differential-linear cryptanalysis, differential/truncated differential/impossible differential cryptanalysis). The asymptotic data complexities of all these attacks are then derived. Moreover, we give an efficient algorithm for computing the data complexity accurately.
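The quantities the two preceding entries reason about, as an added example that is not code from either paper: the bias of a probabilistic linear expression a·x ⊕ b·S(x) = 0 read off a linear approximation table, Matsui's piling-up lemma for combining independent approximations, and the known-plaintext count a linear distinguisher needs, here as the rule of thumb N ≈ 8/ε² (the constant 8 is Matsui's heuristic and an assumption of this example, not the formula of the ePrint paper above). The S-box is the public 4-bit PRESENT S-box, used only as a concrete permutation; the function names are this example's own.

```python
"""Linear approximation table, piling-up lemma and a data-complexity estimate.

Added example; not code from the papers listed above. The S-box is the public
4-bit PRESENT S-box, used only as a concrete permutation to measure.
"""
from fractions import Fraction
from itertools import product
from typing import List

# 4-bit S-box of the PRESENT block cipher (a fixed, public constant).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(v: int) -> int:
    """Parity of the bits of v; parity(a & x) is the GF(2) dot product a.x."""
    return bin(v).count("1") & 1


def linear_approximation_table(sbox: List[int]) -> List[List[int]]:
    """LAT[a][b] = #{x : a.x = b.S(x)} - 2^(n-1).

    A nonzero entry means the linear expression a.x XOR b.S(x) = 0 holds
    with probability 1/2 + LAT[a][b] / 2^n. That offset is the bias that
    Matsui's attack traces from plaintext bits to ciphertext bits.
    """
    n = len(sbox).bit_length() - 1          # 16 entries -> 4-bit S-box
    size = 1 << n
    lat = [[0] * size for _ in range(size)]
    for a, b in product(range(size), repeat=2):
        agree = sum(1 for x in range(size)
                    if parity(a & x) == parity(b & sbox[x]))
        lat[a][b] = agree - size // 2
    return lat


def best_bias(lat: List[List[int]]) -> Fraction:
    """Largest |bias| over all nontrivial mask pairs (a, b) != (0, 0).

    The (0, 0) entry always equals 2^(n-1) (the expression 0 = 0) and must
    be excluded; it carries no information about the S-box.
    """
    size = len(lat)
    best = max(abs(lat[a][b]) for a in range(size) for b in range(size)
               if (a, b) != (0, 0))
    return Fraction(best, size)


def piling_up(biases: List[Fraction]) -> Fraction:
    """Matsui's piling-up lemma: the XOR of k independent approximations
    with biases e_1..e_k has bias 2^(k-1) * prod(e_i)."""
    total = Fraction(1)
    for e in biases:
        total *= Fraction(e)
    return Fraction(2) ** (len(biases) - 1) * total


def data_complexity(bias: Fraction, c: int = 8) -> int:
    """Known plaintexts needed to exploit a bias: N ~ c / bias^2.

    c = 8 is Matsui's rule of thumb for a high success probability; it is an
    assumption of this example, not a value from the papers above.
    """
    return int(c / (Fraction(bias) * Fraction(bias)))


if __name__ == "__main__":
    lat = linear_approximation_table(PRESENT_SBOX)
    e = best_bias(lat)
    print("best single S-box bias:", e)                      # 1/4
    chained = piling_up([e, e, e])                           # three rounds
    print("bias of a 3-round trail:", chained)               # 1/16
    print("known plaintexts needed:", data_complexity(chained))  # 2048
```

Entries with a = 0 or b = 0 (but not both) are zero because a bijective S-box keeps every nonzero mask balanced; the attacker looks for the largest remaining |ε|, chains one such entry per round into a trail, and the piling-up lemma turns the per-round biases into the trail bias that sets the data complexity. The "how far beyond" entry above generalizes exactly these three notions, and the ePrint entry replaces the 8/ε² heuristic with a formula that covers the differential variants as well.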
Proving the security of AES substitution-permutation network
Selected Areas in Cryptography, SAC 05, volume 3897 of LNCS, 2006
Cited by 2 (2 self)
Abstract. In this paper we study the substitution-permutation network (SPN) on which AES is based. We introduce AES*, an SPN identical to AES except that the fixed S-boxes are replaced by random and independent permutations. We prove that this construction resists linear and differential cryptanalysis with 4 inner rounds only, despite the huge cumulative effect of multipath characteristics that is induced by the symmetries of AES. We show that the DP and LP terms both tend towards 1/(2^128 − 1) very fast when the number of rounds increases. This proves a conjecture by Keliher, Meijer, and Tavares. We further show that AES* is immune to any iterated attack of order 1 after 10 rounds only, which substantially improves a previous result by Moriai and Vaudenay.