Results 1 - 6 of 6
How far can we go beyond linear cryptanalysis
Advances in Cryptology - Asiacrypt'04, volume 3329 of LNCS, 2004
Cited by 37 (9 self)
Abstract. Several generalizations of linear cryptanalysis have been proposed in the past, as well as very similar attacks in a statistical point of view. In this paper, we define a rigorous general statistical framework which allows to interpret most of these attacks in a simple and unified way. Then, we explicitly construct optimal distinguishers, we evaluate their performance, and we prove that a block cipher immune to classical linear cryptanalysis possesses some resistance to a wide class of generalized versions, but not all. Finally, we derive tools which are necessary to set up more elaborate extensions of linear cryptanalysis, and to generalize the notions of bias, characteristic, and piling-up lemma.
How Far Can We Go Beyond Linear Cryptanalysis?, Asiacrypt 2004
of LNCS, 2004
Cited by 5 (0 self)
Abstract. Several generalizations of linear cryptanalysis have been proposed in the past, as well as very similar attacks in a statistical point of view. In this paper, we define a rigorous general statistical framework which allows to interpret most of these attacks in a simple and unified way. Then, we explicitly construct optimal distinguishers, we evaluate their performance, and we prove that a block cipher immune to classical linear cryptanalysis possesses some resistance to a wide class of generalized versions, but not all. Finally, we derive tools which are necessary to set up more elaborate extensions of linear cryptanalysis, and to generalize the notions of bias, characteristic, and piling-up lemma.
Keywords: Block ciphers, linear cryptanalysis, statistical cryptanalysis.
1 A Decade of Linear Cryptanalysis
Linear cryptanalysis is a known-plaintext attack proposed in 1993 by Matsui [21, 22] to break DES [26], exploiting specific correlations between the input and the output of a block cipher. Namely, the attack traces the statistical correlation between one bit of information about the plaintext and one bit of information about the ciphertext, both obtained linearly with respect to GF(2)^L (where L is the block size of the cipher), by means of probabilistic linear expressions, a concept previously introduced by Tardy-Corfdir and Gilbert [30]. Soon after, several attempts to generalize linear cryptanalysis are published: Kaliski and Robshaw [13] demonstrate how it is possible to combine several independent linear correlations depending on the same key bits. In [31], Vaudenay defines another kind of attack on DES, called χ²-attack, and shows that one can obtain an attack slightly less powerful than a linear cryptanalysis, but without the need to know precisely what happens in the block cipher. Harpes, Kramer, and Massey [7] replace the linear expressions with so-called I/O sums, i.e., balanced binary-valued functions; they prove the potential effectiveness of such a generalization by exhibiting a block cipher secure against conventional linear cryptanalysis but vulnerable to their generalization. Practical examples are the attack of Knudsen and Robshaw [15] against
Differential Attack on Message Authentication Codes
1994
Cited by 4 (0 self)
We discuss the security of Message Authentication Code (MAC) schemes from the viewpoint of differential attack, and propose an attack that is effective against DES-MAC and FEAL-MAC. The attack derives the secret authentication key in the chosen plaintext scenario. For example, DES(8-round)-MAC can be broken with 2^34 pairs of plain text, while FEAL8-MAC can be broken with 2^22 pairs. The proposed attack is applicable to any MAC scheme, even if the 32 bits are randomly selected from among the 64 bits of ciphertext generated by a cryptosystem vulnerable to differential attack in the chosen plaintext scenario.
On the Data Complexity of Statistical Attacks Against Block Ciphers
In Cryptology ePrint, 2009
Cited by 4 (2 self)
Abstract. Many attacks on iterated block ciphers rely on statistical considerations using plaintext/ciphertext pairs to distinguish some part of the cipher from a random permutation. We provide here a simple formula for estimating the amount of plaintext/ciphertext pairs which is needed for such distinguishers and which applies to a lot of different scenarios (linear cryptanalysis, differential-linear cryptanalysis, differential/truncated differential/impossible differential cryptanalysis). The asymptotic data complexities of all these attacks are then derived. Moreover, we give an efficient algorithm for computing the data complexity accurately.
Linear Cryptanalysis of the Fast Data Encipherment Algorithm
Advances in Cryptology - CRYPTO'94, Springer-Verlag 839, 1994
Cited by 3 (1 self)
Abstract. This paper discusses the security of the Fast Data Encipherment Algorithm (FEAL) against Linear Cryptanalysis. It has been confirmed that the entire subkeys used in FEAL–8 can be derived with 2^25 pairs of known plaintext and ciphertext with a success rate over 70% spending about 1 hour using a WS (SPARCstation 10 Model 30). This paper also evaluates the security of FEAL–N in comparison with that of the Data Encryption Standard (DES).
Experimental Non-Linear Cryptanalysis
2003
Cited by 1 (0 self)
Former research reports suggesting the idea of nonlinear cryptanalysis of block ciphers date back to the work of Harpes, on generalizations of Matsui's linear cryptanalytic attacks, presented at Eurocrypt '95. Also, the nonlinear approach was more explicitly stated in an attack against DES described by Knudsen and Robshaw at Eurocrypt '96 (again as an extension of the concept of linear cryptanalysis, in which binary-valued nonlinear approximations are used to approximate the action of the S-boxes of DES). More recently, at Crypto '98, Shimoyama and Kaneko improved Knudsen and Robshaw's attack on DES using quadratic relations to approximate the DES S-boxes. Moreover, the research results of Van Dooren were also concerned with nonlinear approximations applied to two AES finalist block ciphers, Twofish and Serpent.