Linear Cryptanalysis Using Multiple Approximations
Advances in Cryptology - CRYPTO '94 Proceedings
, 1994
Cited by 50 (2 self)
Abstract. We present a technique which aids in the linear cryptanalysis of a block cipher and allows for a reduction in the amount of data required for a successful attack. We note the limits of this extension when applied to DES, but illustrate that it is generally applicable and might be exceptionally successful when applied to other block ciphers. This forces us to reconsider some of the initial attempts to quantify the resistance of block ciphers to linear cryptanalysis, and by taking account of this new technique we cover several issues which have not yet been considered.
Likelihood Estimation For Block Cipher Keys
, 1994
Cited by 13 (2 self)
In this paper, we give a general framework for the analysis of block ciphers using the statistical technique of likelihood estimation. We show how various recent successful cryptanalyses of block ciphers can be regarded in this framework. By analysing the SAFER block cipher in this framework we expose a cryptographic weakness of that cipher. Key Words. Statistical Inference, Likelihood Estimation, Block Ciphers, DES, SAFER, Cryptanalysis, Differential Cryptanalysis, Linear Cryptanalysis. This author acknowledges the support of the Nuffield Foundation. 1 Introduction. In this paper we set up a general framework for analysing block ciphers. In this framework the plaintext and ciphertext spaces are partitioned into a number of classes. We consider the probabilities of a plaintext in a given plaintext class being encrypted to a ciphertext in a given ciphertext class under different keys. For a judicious choice of partitions of plaintext and ciphertext spaces, these probabilities ...
Linear cryptanalysis of substitution-permutation networks
, 2003
Cited by 4 (3 self)
The subject of this thesis is linear cryptanalysis of substitution-permutation networks (SPNs). We focus on the rigorous form of linear cryptanalysis, which requires the concept of linear hulls. First, we consider SPNs in which the s-boxes are selected independently and uniformly from the set of all bijective n × n s-boxes. We derive an expression for the expected linear probability values of such an SPN, and give evidence that this expression converges to the corresponding value for the true random cipher. This adds quantitative support to the claim that the SPN structure is a good approximation to the true random cipher. We conjecture that this convergence holds for a large class of SPNs. In addition, we derive a lower bound on the probability that an SPN with randomly selected s-boxes is practically secure against linear cryptanalysis after a given number of rounds. For common block sizes, experimental evidence indicates that this probability rapidly approaches 1 with an increasing number of rounds.
Differential Attack on Message Authentication Codes
, 1994
Cited by 4 (0 self)
We discuss the security of Message Authentication Code (MAC) schemes from the viewpoint of differential attack, and propose an attack that is effective against DES-MAC and FEAL-MAC. The attack derives the secret authentication key in the chosen plaintext scenario. For example, DES(8-round)-MAC can be broken with 2^34 pairs of plain text, while FEAL8-MAC can be broken with 2^22 pairs. The proposed attack is applicable to any MAC scheme, even if the 32-bits are randomly selected from among the 64-bits of ciphertext generated by a cryptosystem vulnerable to differential attack in the chosen plaintext scenario.
Linear Cryptanalysis of the Fast Data Encipherment Algorithm
Advances in Cryptology - CRYPTO'94, Springer-Verlag 839
, 1994
Cited by 3 (1 self)
Abstract. This paper discusses the security of the Fast Data Encipherment Algorithm (FEAL) against Linear Cryptanalysis. It has been confirmed that the entire subkeys used in FEAL–8 can be derived with 2^25 pairs of known plaintext and ciphertext with a success rate over 70% spending about 1 hour using a WS (SPARCstation 10 Model 30). This paper also evaluates the security of FEAL–N in comparison with that of the Data Encryption Standard (DES).
Experimental Non-Linear Cryptanalysis
, 2003
Cited by 1 (0 self)
Former research reports suggesting the idea of non-linear cryptanalysis of block ciphers date back to the work of Harpes, on generalizations of Matsui's linear cryptanalytic attacks, presented at Eurocrypt '95. Also, the non-linear approach was more explicitly stated in an attack against DES described by Knudsen and Robshaw at Eurocrypt '96 (again as an extension of the concept of linear cryptanalysis, in which binary-valued non-linear approximations are used to approximate the action of the S-boxes of DES). More recently, at Crypto '98, Shimoyama and Kaneko improved Knudsen and Robshaw's attack on DES using quadratic relations to approximate the DES S-boxes. Moreover, the research results of Van Dooren were also concerned with non-linear approximations applied to two AES finalist block ciphers, Twofish and Serpent.
New Methodologies for Differential-Linear Cryptanalysis and Its Extensions
Cited by 1 (0 self)
Abstract. In 1994 Langford and Hellman introduced differential-linear cryptanalysis, which involves building a differential-linear distinguisher by concatenating a linear approximation with such a (truncated) differential that with probability 1 does not affect the bit(s) concerned by the input mask of the linear approximation. In 2002 Biham, Dunkelman and Keller presented an enhanced approach to include the case when the differential has a probability smaller than 1; and in 2005 they proposed several extensions of differential-linear cryptanalysis, including the high-order differential-linear analysis, the differential-bilinear analysis and the differential-bilinear-boomerang analysis. In this paper, we show that Biham et al.’s methodologies for computing the probabilities of a differential-linear distinguisher, a high-order differential-linear distinguisher, a differential-bilinear distinguisher and a differential-bilinear-boomerang distinguisher do not have the generality to describe the analytic techniques. Thus the previous cryptanalytic results obtained by using these techniques of Biham et al. are questionable. Finally, from a mathematical point we give general methodologies for computing the probabilities. The new methodologies lead to some better cryptanalytic results, for example, differential-linear attacks on 13-round DES and 10-round CTC2 with a 255-bit block size and key.