Linear Cryptanalysis Using Multiple Approximations
Advances in Cryptology, CRYPTO '94 Proceedings, 1994
Cited by 67 (2 self)
Abstract. We present a technique which aids in the linear cryptanalysis of a block cipher and allows for a reduction in the amount of data required for a successful attack. We note the limits of this extension when applied to DES, but illustrate that it is generally applicable and might be exceptionally successful when applied to other block ciphers. This forces us to reconsider some of the initial attempts to quantify the resistance of block ciphers to linear cryptanalysis, and by taking account of this new technique we cover several issues which have not yet been considered.
Likelihood Estimation For Block Cipher Keys, 1994
Cited by 10 (2 self)
In this paper, we give a general framework for the analysis of block ciphers using the statistical technique of likelihood estimation. We show how various recent successful cryptanalyses of block ciphers can be regarded in this framework. By analysing the SAFER block cipher in this framework we expose a cryptographic weakness of that cipher. Key Words. Statistical Inference, Likelihood Estimation, Block Ciphers, DES, SAFER, Cryptanalysis, Differential Cryptanalysis, Linear Cryptanalysis. This author acknowledges the support of the Nuffield Foundation.

1 Introduction

In this paper we set up a general framework for analysing block ciphers. In this framework the plaintext and ciphertext spaces are partitioned into a number of classes. We consider the probabilities of a plaintext in a given plaintext class being encrypted to a ciphertext in a given ciphertext class under different keys. For a judicious choice of partitions of plaintext and ciphertext spaces, these probabilities ...
Linear cryptanalysis of substitution-permutation networks, 2003
Cited by 7 (3 self)
The subject of this thesis is linear cryptanalysis of substitution-permutation networks (SPNs). We focus on the rigorous form of linear cryptanalysis, which requires the concept of linear hulls. First, we consider SPNs in which the S-boxes are selected independently and uniformly from the set of all bijective n × n S-boxes. We derive an expression for the expected linear probability values of such an SPN, and give evidence that this expression converges to the corresponding value for the true random cipher. This adds quantitative support to the claim that the SPN structure is a good approximation to the true random cipher. We conjecture that this convergence holds for a large class of SPNs. In addition, we derive a lower bound on the probability that an SPN with randomly selected S-boxes is practically secure against linear cryptanalysis after a given number of rounds. For common block sizes, experimental evidence indicates that this probability rapidly approaches 1 with an increasing number of rounds.
Differential Attack on Message Authentication Codes, 1994
Cited by 7 (0 self)
We discuss the security of Message Authentication Code (MAC) schemes from the viewpoint of differential attack, and propose an attack that is effective against DES-MAC and FEAL-MAC. The attack derives the secret authentication key in the chosen plaintext scenario. For example, DES(8-round)-MAC can be broken with 2^34 pairs of plaintext, while FEAL8-MAC can be broken with 2^22 pairs. The proposed attack is applicable to any MAC scheme, even if the 32 bits are randomly selected from among the 64 bits of ciphertext generated by a cryptosystem vulnerable to differential attack in the chosen plaintext scenario.
Linear Cryptanalysis of the Fast Data Encipherment Algorithm, 1994
Cited by 4 (1 self)
This paper discusses the security of the Fast Data Encipherment Algorithm (FEAL) against Linear Cryptanalysis. It has been confirmed that the entire subkeys used in FEAL8 can be derived with 2^25 pairs of known plaintext and ciphertext with a success rate over 70%, spending about 1 hour using a WS (SPARCstation 10 Model 30). This paper also evaluates the security of FEAL-N in comparison with that of the Data Encryption Standard (DES).
Automatic Search for Differential Trails in ARX Ciphers (extended version)
Cited by 4 (1 self)
Abstract. We propose a tool for automatic search for differential trails in ARX ciphers. By introducing the concept of a partial difference distribution table (pDDT) we extend Matsui's algorithm, originally proposed for DES-like ciphers, to the class of ARX ciphers. To the best of our knowledge this is the first application of Matsui's algorithm to ciphers that do not have S-boxes. The tool is applied to the block ciphers TEA, XTEA, SPECK and RAIDEN. For RAIDEN we find an iterative characteristic on all 32 rounds that can be used to break the full cipher using standard differential cryptanalysis. This is the first cryptanalysis of the cipher in a non-related-key setting. Differential trails on 9, 10 and 13 rounds are found for SPECK32, SPECK48 and SPECK64 respectively. The 13-round trail covers half of the total number of rounds. These are the first public results on the security analysis of SPECK. For TEA multiple full (i.e. not truncated) differential trails are reported for the first time, while for XTEA we confirm the previous best known trail reported by Hong et al. We also show closed formulas for computing the exact additive differential probabilities of the left and right shift operations.
New Methodologies for Differential-Linear Cryptanalysis and Its Extensions
Cited by 2 (0 self)
Abstract. In 1994 Langford and Hellman introduced differential-linear cryptanalysis, which involves building a differential-linear distinguisher by concatenating a linear approximation with a (truncated) differential that with probability 1 does not affect the bit(s) concerned by the input mask of the linear approximation. In 2002 Biham, Dunkelman and Keller presented an enhanced approach to include the case when the differential has a probability smaller than 1; and in 2005 they proposed several extensions of differential-linear cryptanalysis, including the high-order differential-linear analysis, the differential-bilinear analysis and the differential-bilinear-boomerang analysis. In this paper, we show that Biham et al.'s methodologies for computing the probabilities of a differential-linear distinguisher, a high-order differential-linear distinguisher, a differential-bilinear distinguisher and a differential-bilinear-boomerang distinguisher do not have the generality to describe the analytic techniques. Thus the previous cryptanalytic results obtained by using these techniques of Biham et al. are questionable. Finally, from a mathematical point of view we give general methodologies for computing the probabilities. The new methodologies lead to some better cryptanalytic results, for example, differential-linear attacks on 13-round DES and 10-round CTC2 with a 255-bit block size and key.