Results 1-10 of 17
Decorrelation: a theory for block cipher security
Journal of Cryptology, 2003
Abstract. Pseudorandomness is a classical model for the security of block ciphers. In this paper we propose convenient tools in order to study it in connection with the Shannon Theory, the Carter-Wegman universal hash functions paradigm, and the Luby-Rackoff approach. This enables the construction of new ciphers with security proofs under specific models. We show how to ensure security against basic differential and linear cryptanalysis and even more general attacks. We propose practical construction schemes.
FOX: a New Family of Block Ciphers
Selected Areas in Cryptography, SAC 2004, LNCS 2595, 2004
In this paper, we describe the design of a new family of block ciphers, named FOX and designed upon the request of MediaCrypt AG [23]. The main features of this design, besides a very high security level, are a large flexibility in terms of use
Improving the Time Complexity of Matsui’s Linear Cryptanalysis
Information Security and Cryptology, ICISC 2007, 10th International Conference, Seoul, Korea, November 29-30, 2007, Proceedings, Lecture Notes in Computer Science, 2007
Abstract. This paper reports on an improvement of Matsui’s linear cryptanalysis that reduces the complexity of an attack with algorithm 2, by taking advantage of the Fast Fourier Transform. Using this improvement, the time complexity decreases from O(2^k · 2^k) to O(k · 2^k), where k is the number of bits in the key guess. This improvement is very generic and can be applied against a broad variety of ciphers including SPN and Feistel schemes. In certain (practically meaningful) contexts, it also involves a reduction of the attack's data complexity (which is usually the limiting factor in the linear cryptanalysis of block ciphers). For illustration, the method is applied against the AES candidate Serpent and the speedup is given for exemplary attacks. Keywords: block ciphers, linear cryptanalysis, Fast Fourier Transform.
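The speed-up the abstract above describes, as an added example that is not code from the paper: Matsui's Algorithm 2 computes, for every guess kappa of the k last-round subkey bits, a counter T[kappa] = sum over ciphertext values y of c[y] · (-1)^(b · S^-1(y ^ kappa)). Because the matrix entry depends only on y ^ kappa, T is an XOR convolution, and the "FFT" for XOR structure is the Walsh-Hadamard transform, which brings the cost from 2^k · 2^k to k · 2^k. Everything below is constructed for the example: a two-round 4-bit toy cipher, the PRESENT S-box used only as a handy 4-bit S-box, masks chosen from its linear approximation table, and random known-plaintext data under a fixed key. The toy is far too small for the statistics to matter; what it shows is that the naive and transform-based counters agree exactly and how the transform replaces the double loop.

```python
"""Added example, not code from the paper: Matsui Algorithm 2 key-guess counters
for all 2^k last-round subkey guesses, computed the naive O(2^k * 2^k) way and in
O(k * 2^k) with a fast Walsh-Hadamard transform (the FFT for XOR convolution).
The toy cipher, masks and data are constructed for this example."""
import random

K = 4  # bits of last-round subkey that are guessed (one 4-bit S-box)
# The PRESENT S-box, used here only as a convenient 4-bit toy S-box.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(v) for v in range(1 << K)]


def parity(x: int) -> int:
    return bin(x).count("1") & 1


def sign(bit: int) -> int:
    """Map a parity bit to the +1/-1 form used by the counters."""
    return 1 if bit == 0 else -1


def toy_encrypt(p: int, k0: int, k1: int, k2: int) -> int:
    """Constructed toy: two S-box rounds on a 4-bit block, C = S(S(P ^ k0) ^ k1) ^ k2.
    The attack guesses k2 (kappa below) and peels the last S-box."""
    return SBOX[SBOX[p ^ k0] ^ k1] ^ k2


def best_linear_approx():
    """Pick input/output masks (a, b) with the largest LAT entry of the S-box, in the
    sum form sum_x (-1)^(a.x ^ b.S(x)); this is the round-1 linear approximation."""
    best = (0, 0, 0)
    for a in range(1, 1 << K):
        for b in range(1, 1 << K):
            corr = sum(sign(parity(a & x) ^ parity(b & SBOX[x])) for x in range(1 << K))
            if abs(corr) > abs(best[2]):
                best = (a, b, corr)
    return best


def make_samples(n: int, k0: int, k1: int, k2: int, seed: int = 1):
    """Constructed known-plaintext data: n random plaintexts under a fixed key."""
    rng = random.Random(seed)
    return [(p, toy_encrypt(p, k0, k1, k2)) for p in (rng.randrange(1 << K) for _ in range(n))]


def ciphertext_counters(samples, a):
    """Counting step shared by both methods: c[y] = sum over samples with C = y of (-1)^(a.P)."""
    c = [0] * (1 << K)
    for p, ct in samples:
        c[ct] += sign(parity(a & p))
    return c


def counters_naive(samples, a, b):
    """T[kappa] = sum_y c[y] * (-1)^(b . S^-1(y ^ kappa)): 2^k guesses times 2^k values."""
    c = ciphertext_counters(samples, a)
    return [sum(c[y] * sign(parity(b & SBOX_INV[y ^ kappa])) for y in range(1 << K))
            for kappa in range(1 << K)]


def wht(v):
    """Fast Walsh-Hadamard transform: k butterfly passes over 2^k entries, i.e. O(k * 2^k)."""
    v = list(v)
    h = 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                x, y = v[j], v[j + h]
                v[j], v[j + h] = x + y, x - y
        h *= 2
    return v


def counters_fft(samples, a, b):
    """Same T as counters_naive. The matrix entry depends only on y ^ kappa, so T is the
    XOR convolution of c with m[z] = (-1)^(b . S^-1(z)); the convolution theorem for the
    Walsh-Hadamard transform gives T = WHT(WHT(c) * WHT(m)) / 2^k, exact in integers."""
    c = ciphertext_counters(samples, a)
    m = [sign(parity(b & SBOX_INV[z])) for z in range(1 << K)]
    ch, mh = wht(c), wht(m)
    return [x // (1 << K) for x in wht([p * q for p, q in zip(ch, mh)])]


def recover_subkey(samples, a, b):
    """Algorithm 2's decision rule: the guess whose counter deviates most from zero."""
    t = counters_fft(samples, a, b)
    return max(range(1 << K), key=lambda kappa: abs(t[kappa]))


if __name__ == "__main__":
    a, b, corr = best_linear_approx()
    data = make_samples(2000, k0=0x3, k1=0x9, k2=0xA)
    assert counters_naive(data, a, b) == counters_fft(data, a, b)
    print(f"masks a={a:#x} b={b:#x} LAT={corr}, recovered k2={recover_subkey(data, a, b):#x}")
```

For the correct guess the counter is a fixed multiple of the S-box's LAT entry (with the full 16-value codebook encrypted r times it is exactly ±8r, since the round-1 approximation is then evaluated over all inputs), whereas a wrong guess evaluates a different composed permutation. Whether wrong guesses come close in such a tiny toy depends on the S-box; how many samples separate them in general is the data-complexity question the following abstract addresses. The transform step is the only change from the naive loop, so k can be raised (and the data drawn from a wider block) without touching the rest.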
On the Data Complexity of Statistical Attacks Against Block Ciphers
Cryptology ePrint Archive, 2009
Abstract. Many attacks on iterated block ciphers rely on statistical considerations using plaintext/ciphertext pairs to distinguish some part of the cipher from a random permutation. We provide here a simple formula for estimating the amount of plaintext/ciphertext pairs which is needed for such distinguishers and which applies to a lot of different scenarios (linear cryptanalysis, differential-linear cryptanalysis, differential/truncated differential/impossible differential cryptanalysis). The asymptotic data complexities of all these attacks are then derived. Moreover, we give an efficient algorithm for computing the data complexity accurately.
Cryptanalysis of CTC2
Abstract. CTC is a toy cipher designed in order to assess the strength of algebraic attacks. While the structure of CTC is deliberately weak with respect to algebraic attacks, it was claimed by the designers that CTC is secure with respect to statistical attacks, such as differential and linear cryptanalysis. After a linear attack on CTC was presented, the cipher’s linear transformation was tweaked to offer more diffusion, and specifically to prevent the existence of 1-bit to 1-bit approximations (and differentials) through the linear transformation. The new cipher was named CTC2, and was analyzed by the designers using algebraic techniques. In this paper we analyze the security of CTC2 with respect to differential and differential-linear attacks. The data complexities of our best attacks on 6-round, 7-round, and 8-round variants of CTC2 are 64, 2^15, and 2^37 chosen plaintexts, respectively, and the time complexities are dominated by the time required to encrypt the data. Our findings show that the diffusion of CTC2 is relatively low, and hence variants of the cipher with a small number of rounds are relatively weak, which may explain (to some extent) the success of the algebraic attacks on these variants.
New Methodologies for DifferentialLinear Cryptanalysis and Its Extensions
Abstract. In 1994 Langford and Hellman introduced differential-linear cryptanalysis, which involves building a differential-linear distinguisher by concatenating a linear approximation with such a (truncated) differential that with probability 1 does not affect the bit(s) concerned by the input mask of the linear approximation. In 2002 Biham, Dunkelman and Keller presented an enhanced approach to include the case when the differential has a probability smaller than 1; and in 2005 they proposed several extensions of differential-linear cryptanalysis, including the high-order differential-linear analysis, the differential-bilinear analysis and the differential-bilinear-boomerang analysis. In this paper, we show that Biham et al.’s methodologies for computing the probabilities of a differential-linear distinguisher, a high-order differential-linear distinguisher, a differential-bilinear distinguisher and a differential-bilinear-boomerang distinguisher do not have the generality to describe the analytic techniques. Thus the previous cryptanalytic results obtained by using these techniques of Biham et al. are questionable. Finally, from a mathematical point of view we give general methodologies for computing the probabilities. The new methodologies lead to some better cryptanalytic results, for example, differential-linear attacks on 13-round DES and 10-round CTC2 with a 255-bit block size and key.
How to Launch A Birthday Attack Against DES
Abstract. We present a birthday attack against DES. It is entirely based on the relationship L_{i+1} = R_i and the simple key schedule in DES. It requires about 2^16 ciphertexts of the same R_16, encrypted by the same key K. We conjecture it has a computational complexity of 2^48. Since the requirement for the birthday attack is more accessible than that for differential cryptanalysis, linear cryptanalysis or Davies’ attack, it is of more practical significance.
New developments in symmetric key cryptanalysis
Project deliverable (dissemination level PU: Public), 2010