Differential Cryptanalysis of DES-like Cryptosystems
CRYPTO '91, 1991
Cited by 407 (7 self)
Abstract:
The Data Encryption Standard (DES) is the best known and most widely used cryptosystem for civilian applications. It was developed at IBM and adopted by the National Bureau of Standards in the mid 70's, and has successfully withstood all the attacks published so far in the open literature. In this paper we develop a new type of cryptanalytic attack which can break the reduced variant of DES with eight rounds in a few minutes on a PC and can break any reduced variant of DES (with up to 15 rounds) in less than 2^56 operations. The new attack can be applied to a variety of DES-like substitution/permutation cryptosystems, and demonstrates the crucial role of the (unpublished) design rules.
Differential Cryptanalysis of the Full 16-round DES
1993
Cited by 76 (1 self)
Abstract:
In this paper we develop the first known attack which is capable of breaking the full 16 round DES in less than the 2^55 complexity of exhaustive search. The data analysis phase computes the key by analyzing about 2^36 ciphertexts in 2^37 time. The 2^36 usable ciphertexts are obtained during the data collection phase from a larger pool of 2^47 chosen plaintexts by a simple bit repetition criterion which discards more than 99.9% of the ciphertexts as soon as they are generated. While earlier versions of differential attacks were based on huge counter arrays, the new attack requires negligible memory and can be carried out in parallel on up to 2^33 disconnected processors with linear speedup. In addition, the new attack can be carried out even if the analyzed ciphertexts are derived from up to 2^33 different keys due to frequent key changes during the data collection phase. The attack can be carried out incrementally with any number of available ciphertexts, and its probabil...
Weak Keys for IDEA
Advances in Cryptology, CRYPTO 93 Proceedings, 1993
Cited by 28 (2 self)
Abstract:
Large classes of weak keys have been found for the block cipher algorithm IDEA, previously known as IPES [?]. IDEA has a 128-bit key and encrypts blocks of 64 bits. For a class of 2^23 keys IDEA exhibits a linear factor. For a certain class of 2^35 keys the cipher has a global characteristic with probability 1. For another class of 2^51 keys only two encryptions and solving a set of 16 nonlinear boolean equations with 12 variables is sufficient to test if the used key belongs to this class. If it does, its particular value can be calculated efficiently. It is shown that the problem of weak keys can be eliminated by slightly modifying the key schedule of IDEA.

1 Introduction
At Eurocrypt '90 the block cipher proposal PES (Proposed Encryption Standard) was presented [?]. At Eurocrypt '91 the same authors presented a modification of PES, called IPES (Improved PES) [?]. The reason for this modification was new insights based on differential cryptanalysis [?]. IPES has become comme...
Likelihood Estimation For Block Cipher Keys
1994
Cited by 13 (2 self)
Abstract:
In this paper, we give a general framework for the analysis of block ciphers using the statistical technique of likelihood estimation. We show how various recent successful cryptanalyses of block ciphers can be regarded in this framework. By analysing the SAFER block cipher in this framework we expose a cryptographic weakness of that cipher.

Key Words: Statistical Inference, Likelihood Estimation, Block Ciphers, DES, SAFER, Cryptanalysis, Differential Cryptanalysis, Linear Cryptanalysis.

This author acknowledges the support of the Nuffield Foundation.

1 Introduction
In this paper we set up a general framework for analysing block ciphers. In this framework the plaintext and ciphertext spaces are partitioned into a number of classes. We consider the probabilities of a plaintext in a given plaintext class being encrypted to a ciphertext in a given ciphertext class under different keys. For a judicious choice of partitions of plaintext and ciphertext spaces, these probabilities ...
Recent Developments in the Design of Conventional Cryptographic Algorithms
Computer Security and Industrial Cryptography - State of the Art and Evolution, LNCS, 1998
Cited by 10 (2 self)
Abstract:
This paper examines proposals for three cryptographic primitives: block ciphers, stream ciphers, and hash functions. It provides an overview of the design principles of a large number of recent proposals, which includes the global structure, the number of rounds, the way of introducing non-linearity and diffusion, and the key schedule. The software performance of about twenty primitives is compared based on highly optimized implementations for the Pentium. The goal of the paper is to provide a technical perspective on the wide variety of primitives that exist today.
Cryptanalysis of the CFB mode of the DES with a reduced number of rounds
1993
Cited by 7 (1 self)
Abstract:
Three attacks on the DES with a reduced number of rounds in the Cipher Feedback Mode (CFB) are studied, namely a meet in the middle attack, a differential attack, and a linear attack. These attacks are based on the same principles as the corresponding attacks on the ECB mode. They are compared to the three basic attacks on the CFB mode. In 8-bit CFB and with 8 rounds instead of 16, a differential attack with 2 sg'4 chosen ciphertexts can find 3 key bits, and a linear attack with 2 sx known plaintexts can find 7 key bits. This suggests that it is not safe to reduce the number of rounds in order to improve the performance. Moreover, it is shown that the final permutation has some cryptographic significance in the CFB mode.
Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER and Triple-DES
In Advances in Cryptology - CRYPTO '96, 1996
Cited by 4 (0 self)
Abstract:
We present new attacks on key schedules of block ciphers. These attacks are based on the principles of related-key differential cryptanalysis: attacks that allow both keys and plaintexts to be chosen with specific differences. We show how these attacks can be exploited in actual protocols and cryptanalyze the key schedules of a variety of algorithms, including three-key triple-DES.
A New Meet-in-the-Middle Attack on the IDEA Block Cipher
SAC 2003, LNCS, 2004
Cited by 4 (1 self)
Abstract:
In this paper we introduce a novel meet-in-the-middle attack on the IDEA block cipher. The attack consists of a precomputation and an elimination phase. The attack reduces the number of required plaintexts significantly for 4 and 4.5 rounds, and, to the best of our knowledge, it is the first attack on the 5-round IDEA.
A Study on the Construction and Analysis of Substitution Boxes for Symmetric Cryptosystems
1990
Cited by 3 (1 self)
Abstract:
S(ubstitution)-boxes are quite important components of modern symmetric cryptosystems (in particular, block ciphers) in the sense that S-boxes bring nonlinearity to block ciphers and strengthen their cryptographic security. An S-box is said to satisfy the strict avalanche criterion (SAC), if and only if for any single input bit of the S-box, the inversion of it changes each output bit with probability one half. In this thesis, with the concrete proof of cryptographical properties of S-boxes satisfying the SAC, we propose a variety of provable construction methods for S-boxes satisfying the SAC. For Boolean S-boxes satisfying the SAC, we can construct and enlarge them by using concatenation, Kronecker (or direct) product, and dyadic shift. For bijective S-boxes satisfying the SAC, when an n-bit input Boolean function and an n-bit input bijective function satisfying the SAC are given, the combined function is proved to become an (n+1)-bit bijective function satisfying the SAC as well. A...