Results 11  20
of
72
Improving the Upper Bound on the Maximum Average Linear Hull Probability for Rijndael
, 2001
"... In [15], Keliher et al. present a new method for upper bounding the maximum average linear hull probability (MALHP) for SPNs, a value which is required to make claims about provable security against linear cryptanalysis. Application of this method to Rijndael (AES) yields an upper bound of UB = 2 \ ..."
Abstract

Cited by 14 (6 self)
 Add to MetaCart
In [15], Keliher et al. present a new method for upper bounding the maximum average linear hull probability (MALHP) for SPNs, a value which is required to make claims about provable security against linear cryptanalysis. Application of this method to Rijndael (AES) yields an upper bound of UB = 2 \Gamma75 when 7 or more rounds are approximated, corresponding to a lower bound on the data complexity of 32 UB = 2 80 (for a 96.7% success rate). In the current paper, we improve this upper bound for Rijndael by taking into consideration the distribution of linear probability values for the (unique) Rijndael 8 \Theta 8 sbox. Our new upper bound on the MALHP when 9 rounds are approximated is 2 \Gamma92 , corresponding to a lower bound on the data complexity of 2 97 (again for a 96.7% success rate). [This is after completing 43% of the computation; however, we believe that values have stabilizedsee Section 7.] Keywords: linear cryptanalysis, maximum average linear hull probability, provable security, Rijndael, AES 1
Attacks on Block Ciphers of Low Algebraic Degree
 Journal of Cryptology
, 2001
"... In this paper an attack on block ciphers is introduced, the interpolation attack. This method is useful for attacking ciphers that use simple algebraic functions (in particular quadratic functions) as Sboxes. Also, attacks based on higherorder differentials are introduced. They are special and imp ..."
Abstract

Cited by 13 (1 self)
 Add to MetaCart
In this paper an attack on block ciphers is introduced, the interpolation attack. This method is useful for attacking ciphers that use simple algebraic functions (in particular quadratic functions) as Sboxes. Also, attacks based on higherorder differentials are introduced. They are special and important cases of the interpolation attacks. The attacks are applied to several block ciphers, the 6round prototype cipher by Knudsen and Nyberg, which is provably secure against ordinary differential cryptanalysis, a modified version of the block cipher SHARK, and a block cipher suggested by Kiefer.
On the complexity of Matsui’s attack
 in Selected Areas in Cryptography, SAC 2001
, 2001
"... Abstract. Linear cryptanalysis remains the most powerful attack against DES at this time. Given 2 43 known plaintextciphertext pairs, Matsui expected a complexity of less than 2 43 DES evaluations in 85 % of the cases for recovering the key. In this paper, we present a theoretical and experimental ..."
Abstract

Cited by 13 (2 self)
 Add to MetaCart
Abstract. Linear cryptanalysis remains the most powerful attack against DES at this time. Given 2 43 known plaintextciphertext pairs, Matsui expected a complexity of less than 2 43 DES evaluations in 85 % of the cases for recovering the key. In this paper, we present a theoretical and experimental complexity analysis of this attack, which has been simulated 21 times using the idle time of several computers. The experimental results suggest a complexity upperbounded by 2 41 DES evaluations in 85 % of the case, while more than the half of the experiments needed less than 2 39 DES evaluations. In addition, we give a detailed theoretical analysis of the attack complexity.
A new characterization of almost bent functions
 Fast Software Encryption 99, LNCS 1636, L. Knudsen edt
, 1999
"... Abstract. We study the functions from F m 2 into F m 2 for odd m which oppose an optimal resistance to linear cryptanalysis. These functions are called almost bent. It is known that almost bent functions are also almost perfect nonlinear, i.e. they also ensure an optimal resistance to differential c ..."
Abstract

Cited by 12 (2 self)
 Add to MetaCart
(Show Context)
Abstract. We study the functions from F m 2 into F m 2 for odd m which oppose an optimal resistance to linear cryptanalysis. These functions are called almost bent. It is known that almost bent functions are also almost perfect nonlinear, i.e. they also ensure an optimal resistance to differential cryptanalysis but the converse is not true. We here give a necessary and sufficient condition for an almost perfect nonlinear function to be almost bent. This notably enables us to exhibit some infinite families of power functions which are not almost bent. 1
Related key attacks on reduced round KASUMI
 Fast Software Encryption, FSE 2001
, 2002
"... Abstract. This paper describes related key attacks on five and six round KASUMI. The five round attack requires the encryption of approximately 2 19 chosen plaintext pairs X and X ∗ under keys K and K ∗ respectively where K and K ∗ differ in only one bit, and requires a maximum of a little over 2 33 ..."
Abstract

Cited by 12 (0 self)
 Add to MetaCart
(Show Context)
Abstract. This paper describes related key attacks on five and six round KASUMI. The five round attack requires the encryption of approximately 2 19 chosen plaintext pairs X and X ∗ under keys K and K ∗ respectively where K and K ∗ differ in only one bit, and requires a maximum of a little over 2 33 trials to recover the entire key. The sixround attack requires a smaller number of chosen plaintext encryptions than the five round attack, and recovers the entire key in a maximum of 2 112 trials. 1
On nonpseudorandomness from block ciphers with provable immunity against linear cryptanalysis
, 1996
"... Weakness of a block cipher, which has provable immunity against linear cryptanalysis, is investigated. To this end, the round transformation used in MISTY, which is a data encryption algorithm recently proposed by M. Matsui from Mitsubishi Electric Corporation, is compared to the round transformati ..."
Abstract

Cited by 10 (0 self)
 Add to MetaCart
Weakness of a block cipher, which has provable immunity against linear cryptanalysis, is investigated. To this end, the round transformation used in MISTY, which is a data encryption algorithm recently proposed by M. Matsui from Mitsubishi Electric Corporation, is compared to the round transformation of DES from the point of view of pseudorandom generation. An important property of the MISTY cipher is that, in terms of theoretically provable resistance against linear and differential cryptanalysis, which are the most powerful cryptanalytic attacks known to date, it is more robust than the Data Encryption Standard or DES. This property can be attributed to the application of a new round transform in the MISTY cipher, which is obtained by changing the location of the basic roundfunction in a transform used in DES. Cryptographic roles of the transform used in the MISTY cipher are the main focus of this paper. Our research reveals that when used for constructing pseudorandom permutati...
Practical and Provable Security against Differential And Linear Cryptanalysis for SubstitutionPermutation Networks
 ETRI Journal
, 2001
"... this paper, we refer to a permutation layer as a "diffusion layer' for the sake of clarity. Most diffusion layers have appropriate matrix representations, since they are linear transformations over 158 JuSung Kang et aL ETRI Journal, Volume 23, Number 4, December 2001 some finite fields a ..."
Abstract

Cited by 9 (1 self)
 Add to MetaCart
(Show Context)
this paper, we refer to a permutation layer as a "diffusion layer' for the sake of clarity. Most diffusion layers have appropriate matrix representations, since they are linear transformations over 158 JuSung Kang et aL ETRI Journal, Volume 23, Number 4, December 2001 some finite fields and have onetoone correspondence to an appropriate matrix. With these matrix representations, we study the practical and provaNe security against differential and linear cryptanalysis
Exact Maximum Expected Differential and Linear Probability for 2Round Advanced Encryption Standard (AES)
 Standard (AES),” Technical Report, IACR ePrint Archive (http://eprint.iacr.org, Paper
, 2005
"... Provable security of a block cipher against di#erential / linear cryptanalysis is based on the maximum expected di#erential / linear probability (MEDP / MELP) over T 2 core rounds. Over the past few years, several results have provided increasingly tight upper and lower bounds in the case T = ..."
Abstract

Cited by 7 (1 self)
 Add to MetaCart
(Show Context)
Provable security of a block cipher against di#erential / linear cryptanalysis is based on the maximum expected di#erential / linear probability (MEDP / MELP) over T 2 core rounds. Over the past few years, several results have provided increasingly tight upper and lower bounds in the case T = 2 for the Advanced Encryption Standard (AES).
Linear Cryptanalysis of RC5 and RC6
 PROCEEDINGS OF FAST SOFTWARE ENCRYPTION, LECTURE NOTES IN COMPUTER SCIENCE
, 1999
"... In this paper we evaluate the resistance of the block cipher RC5 against linear cryptanalysis. We describe a known plaintext attack that can break RC532 (blocksize 64) with 10 rounds and RC564 (blocksize 128) with 15 rounds. In order to do this we use techniques related to the use of multiple ..."
Abstract

Cited by 7 (1 self)
 Add to MetaCart
(Show Context)
In this paper we evaluate the resistance of the block cipher RC5 against linear cryptanalysis. We describe a known plaintext attack that can break RC532 (blocksize 64) with 10 rounds and RC564 (blocksize 128) with 15 rounds. In order to do this we use techniques related to the use of multiple linear approximations. Furthermore the success of the attack is largely based on the linear hulleffect. To our knowledge, at this moment these are the best known plaintext attacks on RC5, which have negligible storage requirements and do not make any assumption on the plaintext distribution. Furthermore we discuss the impact of our attacking method on the AEScandidate RC6, whose design was based on RC5.
Potential Flaws in the Conjectured Resistance of MARS to Linear Cryptanalysis (Extended Abstract)
 PUBLIC COMMENTS ON AES CANDIDATE ALGORITHMS  ROUND 2, 2000 (AVAILABLE AT HTTP://CSRC. NIST.GOV/ENCRYPTION/AES/ROUND2/PUBCMNTS.HTM) # EMAIL: MARO@ISL.NTT.CO.JP 21264 (500MHZ), 21164 (500MHZ), 21064 (266MHZ), AND 2 PENTIUM II (400MHZ
, 2000
"... In this note we consider the conjectured resistance of MARS to linear cryptanalysis and discover that some of the existing analysis may well be flawed. ..."
Abstract

Cited by 7 (0 self)
 Add to MetaCart
In this note we consider the conjectured resistance of MARS to linear cryptanalysis and discover that some of the existing analysis may well be flawed.