## A new attack against khazad

### Cached

### Download Links

- [www.iacr.org]
- [www.iacr.org]
- [www.ssi.gouv.fr]
- DBLP

### Other Repositories/Bibliography

Venue: | in Proceedings of ASIACRYPT 2003 |

Citations: | 2 - 0 self |

### BibTeX

@INPROCEEDINGS{Muller_anew,

author = {Frédéric Muller},

title = {A new attack against khazad},

booktitle = {in Proceedings of ASIACRYPT 2003},

year = {},

pages = {347--358}

}

### OpenURL

### Abstract

Abstract. Khazad is a new block cipher initially proposed as a candidate to the NESSIE project. Its design is very similar to Rijndael, although it is a 64-bit block cipher. In this paper, we propose a new attack that can be seen as an extension of the Square attack. It takes advantage of redundancies between the round key derivation and the round function, and also exploits some algebraic observations over a few rounds. As a result, we can break 5 rounds of Khazad faster than exhaustive key search. This is the best known cryptanalytic result against Khazad. 1

### Citations

119 | The block cipher Square
- Daemen, Knudsen, et al.
- 1997
(Show Context)
Citation Context ...known cryptanalytic result against Khazad. 1 Introduction Many recent block ciphers are built using an iterative Substitution Permutation Network (SPN). This includes in particular Shark [14], Square =-=[5]-=-, Rijndael [6], Anubis [1] or Khazad [2]. These ciphers are generally designed to be immune against differential and linear cryptanalysis. However, a new powerful class of attack has emerged recently,... |

110 | Aes proposal: Rijndael
- Daemen, Rijmen
(Show Context)
Citation Context ...lytic result against Khazad. 1 Introduction Many recent block ciphers are built using an iterative Substitution Permutation Network (SPN). This includes in particular Shark [14], Square [5], Rijndael =-=[6]-=-, Anubis [1] or Khazad [2]. These ciphers are generally designed to be immune against differential and linear cryptanalysis. However, a new powerful class of attack has emerged recently, the “Square” ... |

109 | Algebraic cryptanalysis of Hidden Field Equations (HFE) Using Gröbner Bases
- Faugère, Joux
(Show Context)
Citation Context ... or to detect quickly if it has some solutions. Our attack uses thessecond strategy, and requires one application of the gauss algorithm on a 2 11 bits square matrix. In the light of recent progress (=-=[7]-=-, [16]), better techniques to directly solve the system could be considered. However, it seems unlikely the time complexity could be pushed below the length of the outside loop, namely 2 64 . Thus any... |

94 | Cryptanalysis of the HFE Public Key Cryptosystem by R elinearization
- Kipnis, Shamir
(Show Context)
Citation Context ...lytic techniques may be of interest in the future. 5.3 Other algebraic approaches In Section 3.3, we obtained a large multivariate, non linear system over GF(2). We used the relinearization technique =-=[15]-=-, that means replacing all monomials (which happen to be present in reduced number here) by new unknowns and apply usual linear algebra techniques. This technique is not the best method known to solve... |

56 | Improved cryptanalysis of Rijndael
- Ferguson, Kelsey, et al.
- 1978
(Show Context)
Citation Context ...f plaintexts, rather than on statistical properties for a single plaintext (or a pair of plaintexts). Since then, this technique has been successfully applied to many other block ciphers (see [3] and =-=[8]-=-). Currently, one of the best known attacks against Rijndael is Gilbert-Minier’s collision attack on 7-rounds [9] which can also be seen as an extension of the “Square” attack. Besides, a more generic... |

34 | Integral cryptanalysis
- KNUDSEN, WAGNER
(Show Context)
Citation Context ...ollision attack on 7-rounds [9] which can also be seen as an extension of the “Square” attack. Besides, a more generic name for this technique, namely the “integral” attack has been recently proposed =-=[10]-=-. We use this terminology in the present paper. Khazad is a 64-bit SPN block cipher with 8 rounds. It offers several interesting features. First, it achieves full diffusion over one round using an MDS... |

27 |
New European Schemes for Signatures Integrity and Encryption. Portfolio of recommended cryptographic primitives. http://www.nessie.eu.org/index. html 7
- NESSIE
- 1995
(Show Context)
Citation Context ...s are involution, so the only difference between encryption and decryption lies in the key scheduling. Thus the same security is expected in both directions.sKhazad was initially proposed as a NESSIE =-=[11]-=- candidate for 64 bits block cipher. However, it was not selected due to his low security margin [12]. In the Section 2, we provide some background about Khazad. Then, in Section 3 we present new obse... |

25 | The cipher SHARK
- Rijmen, Daemen, et al.
- 1996
(Show Context)
Citation Context ... is the best known cryptanalytic result against Khazad. 1 Introduction Many recent block ciphers are built using an iterative Substitution Permutation Network (SPN). This includes in particular Shark =-=[14]-=-, Square [5], Rijndael [6], Anubis [1] or Khazad [2]. These ciphers are generally designed to be immune against differential and linear cryptanalysis. However, a new powerful class of attack has emerg... |

18 |
The Khazad Legacy-Level Block Cipher
- Barreto, Rijmen
- 2000
(Show Context)
Citation Context ...d. 1 Introduction Many recent block ciphers are built using an iterative Substitution Permutation Network (SPN). This includes in particular Shark [14], Square [5], Rijndael [6], Anubis [1] or Khazad =-=[2]-=-. These ciphers are generally designed to be immune against differential and linear cryptanalysis. However, a new powerful class of attack has emerged recently, the “Square” attack which was initially... |

15 |
The Anubis Block Cipher
- Barreto, Rijmen
- 2000
(Show Context)
Citation Context ... against Khazad. 1 Introduction Many recent block ciphers are built using an iterative Substitution Permutation Network (SPN). This includes in particular Shark [14], Square [5], Rijndael [6], Anubis =-=[1]-=- or Khazad [2]. These ciphers are generally designed to be immune against differential and linear cryptanalysis. However, a new powerful class of attack has emerged recently, the “Square” attack which... |

13 |
A collision attack on seven rounds of Rijndael
- Gilbert, Minier
- 2000
(Show Context)
Citation Context ... this technique has been successfully applied to many other block ciphers (see [3] and [8]). Currently, one of the best known attacks against Rijndael is Gilbert-Minier’s collision attack on 7-rounds =-=[9]-=- which can also be seen as an extension of the “Square” attack. Besides, a more generic name for this technique, namely the “integral” attack has been recently proposed [10]. We use this terminology i... |

8 | Improved Square Attacks against Reduced–Round Hierocrypt
- Barreto, Rijmen, et al.
- 2001
(Show Context)
Citation Context ... We have the following relation P1 ◦ S(Zi ⊕ K ′′ ) = P1(K ′ ) ⊕ wi In addition, if we guess the byte P1(K ′ ), we obtain, for each i, a condition on K ′′ of the form (2) P1 ◦ S(known ⊕ K ′′ ) = known =-=(3)-=- While it is not straightforward to solve such a non linear system, we apparently obtain enough conditions to retrieve the value of K ′′ . Suppose we replace, in relation (3), the S-box by its exact a... |

7 | Analysis of Involutional Ciphers : Khazad and Anubis
- Biryukov
- 2003
(Show Context)
Citation Context ...ed at each round. Besides, Gilbert-Minier’s attack on Rijndael does not apply very well here, since it requires partial collision. New ideas to attack involutional ciphers have been recently proposed =-=[4]-=-. Indeed the cycle structure of 5-rounds Khazad presents some surprising properties. However these observations do not result yet on a concrete attack. Finally, the only cryptanalytic result on 5-roun... |

5 |
The AES block cipher in C
- Barreto
- 2003
(Show Context)
Citation Context ... against Khazad. 1 Introduction Many recent block ciphers are built using an iterative Substitution Permutation Network (SPN). This includes in particular Shark [14], Square [5], Rijndael [6], Anubis =-=[1]-=- or Khazad [2]. These ciphers are generally designed to be immune against differential and linear cryptanalysis. However, a new powerful class of attack has emerged recently, the “Square” attack which... |

1 |
Security Report D20, version 2-0. Available at http://www.cryptonessie.org
- NESSIE
(Show Context)
Citation Context .... Thus the same security is expected in both directions.sKhazad was initially proposed as a NESSIE [11] candidate for 64 bits block cipher. However, it was not selected due to his low security margin =-=[12]-=-. In the Section 2, we provide some background about Khazad. Then, in Section 3 we present new observations about this cipher that we later exploit to mount a 5-round attack. 2 Some background about K... |

1 |
Available at http://www.shoup.net
- library
(Show Context)
Citation Context ...he interpolation matrix M, we can build 2040 − 1976 = 64 linear conditions and thus detect the correct guess for the corresponding 8 bits of K. We programmed this algebraic step using the NTL library =-=[13]-=-. It turns out from our experiment that the kernel of M ′ has always rank 64 (although it would be no problem if its dimension was larger). Thus we obtain easily enough linear conditions to verify the... |