## Integral Cryptanalysis (extended abstract) (2002)

Venue: | Proceedings of Fast Software Encryption – FSE’02, number 2365 in Lecture Notes in Computer Science |

Citations: | 1 - 0 self |

### BibTeX

@INPROCEEDINGS{Knudsen02integralcryptanalysis,

author = {Lars Knudsen and David Wagner},

title = {Integral Cryptanalysis (extended abstract)},

booktitle = {Proceedings of Fast Software Encryption – FSE’02, number 2365 in Lecture Notes in Computer Science},

year = {2002},

pages = {112--127},

publisher = {Springer-Verlag}

}

### OpenURL

### Abstract

This paper considers a cryptanalytic approach called integral cryptanalysis. It can be seen as a dual to differential cryptanalysis and applies to ciphers not vulnerable to differential attacks. The method is particularly applicable to block ciphers which use bijective components only.

### Citations

335 |
Differential Cryptanalysis of the Data Encryption Standard
- Biham, Shamir
- 1993
(Show Context)
Citation Context ...decades have seen considerable progress in understanding the basic operating principles of block ciphers. One of the most signicant advances was the introduction in 1990 of dierential cryptanalysis [3]. In dierential cryptanalysis, one considers the propagation of dierences between (pairs of) values. In this paper, we consider a cryptanalytic technique which considers the propagation of sums of (... |

110 | The block cipher Square
- Daemen, Knudsen, et al.
- 1997
(Show Context)
Citation Context ...subcomponents. In the remainder of this paper we give examples of integrals for a variety of ciphers. 3 Square, Rijndael, and Crypton In FSE'97 an integral attack was given on the block cipher Square =-=[5-=-]. This attack can be applied also to the ciphers Rijndael [7, 9] and Crypton [8]. All three ciphers are 128-bit block ciphers operating on bytes. The sixteen bytes are arranged in a 4 4 matrix. One ... |

107 | A.: Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials
- Biham, Biryukov, et al.
- 1999
(Show Context)
Citation Context ...her concepts First we note that integrals are somewhat similar to truncated dierentials [16, 15, 18]. In the latter, one often is only interested in whether the words in a pair are equal or dierent [2]. Thus integrals restricted to pairs of texts with only the values 0 and A coincide with such truncated dierentials. Integrals, though, can also represent texts with the value S; truncated dierentia... |

100 | AES proposal: Rijndael
- Daemen, Rijmen
- 1998
(Show Context)
Citation Context ...s of integrals for a variety of ciphers. 3 Square, Rijndael, and Crypton In FSE'97 an integral attack was given on the block cipher Square [5]. This attack can be applied also to the ciphers Rijndael =-=[7, 9-=-] and Crypton [8]. All three ciphers are 128-bit block ciphers operating on bytes. The sixteen bytes are arranged in a 4 4 matrix. One round of the ciphers consists of the addition of a subkey, a sub... |

99 | Truncated and higher order differentials
- Knudsen
- 2011
(Show Context)
Citation Context ...However, all integrals for the specific ciphers given in this paper are of probability one. Comparison with other concepts First we note that integrals are somewhat similar to truncated differentials =-=[16, 15, 18]-=-. In the latter, one often is only interested in whether the words in a pair are equal or different [2]. Thus integrals restricted to pairs of texts with only thes118 values 0 and A coincide with such... |

61 | The interpolation attack on block ciphers
- Jakobsen, Knudsen
- 1997
(Show Context)
Citation Context ...y be possible tosnd integrals even on fairly complicated round functions. 7 Integral-interpolation attacks An interesting property of integrals is that they can be combined with interpolation attacks =-=[13]-=-. Consider a cipher whosesrst half may be covered by an integral and whose second half may be approximated using a low-degree polynomial. Suppose that we have a set of chosen plaintext/ciphertext pair... |

61 |
New Block Encryption Algorithm MISTY
- Matsui
- 1997
(Show Context)
Citation Context ...ment is in the key-search part of the attack). Table 3 depicts this four-round fourth-order integral. 4 MISTY Integrals can be used to attack some reduced-round variants of Matsui's MISTY1 and MISTY2 =-=[24-=-]. We refer to the MISTY specications [24] for the description of these ciphers and for the notation used in the following. In earlier work, Sakurai and Zheng noted the following property of the MISTY... |

59 |
Higher order derivatives and differential cryptanalysis
- Lai
- 1994
(Show Context)
Citation Context ...e integrals a more powerful tool in some cases. Also, integrals are somewhat similar to higher-order differentials. Let (G, +) be an Abelian group. For a function f : G → G the first-order derivative =-=[21]-=- at the point a is defined as fa(x) = f(x + a) − f(x). This is the definition of a differential or characteristic that is traditionally used in cryptanalysis. One can extend the definition of differen... |

52 | Improved cryptanalysis of Rijndael
- Ferguson, Kelsey, et al.
- 2001
(Show Context)
Citation Context ...s of integrals for a variety of ciphers. 3 Square, Rijndael, and Crypton In FSE'97 an integral attack was given on the block cipher Square [5]. This attack can be applied also to the ciphers Rijndael =-=[7, 9-=-] and Crypton [8]. All three ciphers are 128-bit block ciphers operating on bytes. The sixteen bytes are arranged in a 4 4 matrix. One round of the ciphers consists of the addition of a subkey, a sub... |

47 | K-64: A Byte-Oriented Block-Ciphering Algorithm
- Massey, SAFER
- 1994
(Show Context)
Citation Context ...d Xiao [12] to describe this general class of attacks. Also, in [6] the attack was described in terms of \lambda-sets" and applied also to reduced-round versions of the ciphers SHARK [27] and SAF=-=ER K [23-=-]. Since their introduction, integrals have been used to cryptanalyse reducedround versions of Square [5], SAFER K [18], SAFER+ [12], Crypton [8], Rijndael [9], Twosh [22], Hierocrypt [1], IDEA [25], ... |

25 | Cryptanalysis of block ciphers with probabilistic non-linear relations of low degree
- Jakobsen
- 1462
(Show Context)
Citation Context ...l be approximately d 2 s chosen texts and d 2 2 s + d 3 work. It is an open question whether these techniques may be eectively extended to apply where we have a probabilistic polynomial relation [14=-=]-=- or rational polynomial relation [13] for the last half of the cipher. Although we do not know of any concrete examples where this combination yields improved attacks, we conjecture that the opportuni... |

22 | The cipher SHARK
- Rijmen, Daemen, et al.
- 1996
(Show Context)
Citation Context ...and Yu, Zhang, and Xiao [12] to describe this general class of attacks. Also, in [6] the attack was described in terms of \lambda-sets" and applied also to reduced-round versions of the ciphers S=-=HARK [27-=-] and SAFER K [23]. Since their introduction, integrals have been used to cryptanalyse reducedround versions of Square [5], SAFER K [18], SAFER+ [12], Crypton [8], Rijndael [9], Twosh [22], Hierocrypt... |

21 | Truncated differentials of SAFER
- Knudsen, Berson
(Show Context)
Citation Context ...However, all integrals for the specific ciphers given in this paper are of probability one. Comparison with other concepts First we note that integrals are somewhat similar to truncated differentials =-=[16, 15, 18]-=-. In the latter, one often is only interested in whether the words in a pair are equal or different [2]. Thus integrals restricted to pairs of texts with only thes118 values 0 and A coincide with such... |

14 | Structural cryptanalysis of SASAS
- Biryukov, Shamir
- 2010
(Show Context)
Citation Context ...this class of techniques seems to be of broad interest. Recently Biryukov and Shamir applied a variant of integral cryptanalysis to an SP-network with secret S-boxes and secret linear transformations =-=[4-=-]. They called their technique the multi-set attack, where one distinguishes between whether all values in a multi-set are equal, are all dierent, all occur an even number of times, and where the excl... |

14 |
Truncated and higher order di erentials
- Knudsen
- 1994
(Show Context)
Citation Context .... However, all integrals for the specic ciphers given in this paper are of probability one. Comparison with other concepts First we note that integrals are somewhat similar to truncated dierentials [1=-=6, 15, 18-=-]. In the latter, one often is only interested in whether the words in a pair are equal or dierent [2]. Thus integrals restricted to pairs of texts with only the values 0 and A coincide with such trun... |

11 |
Generalized Feistel Networks
- Nyberg
- 1996
(Show Context)
Citation Context ...our cryptanalytic results. For MISTY, all results are key-recovery attacks of the full cipher (including the FL functions). \Gen. Feistel" are key-recovery attacks of the generalised Feistel netw=-=orks [26]-=- with 64-bit blocks and bijective 8-bit S-boxes. All attacks use chosen plaintexts. Cipher (rounds) Complexity Comments [Data] [Time] MISTY1 (4) 2 20 2 89 see [19] (previously known) MISTY1 (4) 2 22:2... |

10 | Cryptanalysis of Reduced-Round MISTY
- Kühn
- 2001
(Show Context)
Citation Context ... of the generalised Feistel networks [26] with 64-bit blocks and bijective 8-bit S-boxes. All attacks use chosen plaintexts. Cipher (rounds) Complexity Comments [Data] [Time] MISTY1 (4) 2 20 2 89 see =-=[19]-=- (previously known) MISTY1 (4) 2 22:25 2 45 see [20] (previously known) MISTY1 (4) 2 38 2 62 see [19] (previously known) MISTY1 (4) 25 2 27 integrals (new) MISTY1 (5) 2 34 2 48 integrals (new) MISTY2 ... |

10 | Y.: On Non-Pseudorandomness from Block Ciphers with Provable immunity Against Linear Cryptanalysis
- Sakurai, Zheng
- 1997
(Show Context)
Citation Context ... MISTY specications [24] for the description of these ciphers and for the notation used in the following. In earlier work, Sakurai and Zheng noted the following property of the MISTY2 round function [=-=28]-=-. Let F (x; y) denote the left half of the output of Table 3. A four-round fourth-order integral for Rijndael with 2 32 texts. A 4 0 C C C C A 4 0 C C C C A 4 0 C C C C A 4 0 ! A 4 0 C C C A 4 0 C C C... |

9 |
Higher Order Derivations and Dierential Cryptanalysis," Communications and Cryptography: Two Sides of One Tapestry
- Lai
- 1994
(Show Context)
Citation Context ...make integrals a more powerful tool in some cases. Also, integrals are somewhat similar to higher-order dierentials. Let (G; +) be an Abelian group. For a function f : G ! G thesrst-order derivative [21] at the point a is dened as f a (x) = f(x + a) f(x): This is the denition of a dierential or characteristic that is traditionally used in cryptanalysis. One can extend the denition of dierentials... |

8 |
Attack on six round of Crypton
- D'Halluin, Bijnens, et al.
(Show Context)
Citation Context ...a variety of ciphers. 3 Square, Rijndael, and Crypton In FSE'97 an integral attack was given on the block cipher Square [5]. This attack can be applied also to the ciphers Rijndael [7, 9] and Crypton =-=[8-=-]. All three ciphers are 128-bit block ciphers operating on bytes. The sixteen bytes are arranged in a 4 4 matrix. One round of the ciphers consists of the addition of a subkey, a substitution of eac... |

7 | Improved SQUARE attacks against reduced-round HIEROCRYPT
- Barreto, Rijmen, et al.
- 2001
(Show Context)
Citation Context ...and SAFER K [23]. Since their introduction, integrals have been used to cryptanalyse reducedround versions of Square [5], SAFER K [18], SAFER+ [12], Crypton [8], Rijndael [9], Twosh [22], Hierocrypt [=-=1]-=-, IDEA [25], and Camellia [10]. We have shown here additional examples of applications of integrals. Thus, this class of techniques seems to be of broad interest. Recently Biryukov and Shamir applied ... |

7 |
Linear frameworks for block ciphers
- Daemen, Knudsen, et al.
(Show Context)
Citation Context ...25 2 27 integrals (new) MISTY1 (5) 2 34 2 48 integrals (new) MISTY2 (5) 2 20 2 89 see [19] (previously known) MISTY2 (5) 2 38 2 62 see [19] (previously known) MISTY2 (4) 9 2 55 integrals (new) MISTY2 =-=(6)-=- 2 34 2 71 integrals (new) Gen. Feistel (13) 2 9:6 2 32 basic integral (new) Gen. Feistel (14) 2 10:6 2 56 basic integral (new) Gen. Feistel (14) 2 16 2 24 second-order integral (new) Gen. Feistel (15... |

7 |
Truncated di#erentials of SAFER
- Knudsen, Berson
- 1996
(Show Context)
Citation Context .... However, all integrals for the specic ciphers given in this paper are of probability one. Comparison with other concepts First we note that integrals are somewhat similar to truncated dierentials [1=-=6, 15, 18-=-]. In the latter, one often is only interested in whether the words in a pair are equal or dierent [2]. Thus integrals restricted to pairs of texts with only the values 0 and A coincide with such trun... |

7 |
A Detailed Analysis of SAFER K
- Knudsen
(Show Context)
Citation Context .... However, all integrals for the specic ciphers given in this paper are of probability one. Comparison with other concepts First we note that integrals are somewhat similar to truncated dierentials [1=-=6, 15, 18-=-]. In the latter, one often is only interested in whether the words in a pair are equal or dierent [2]. Thus integrals restricted to pairs of texts with only the values 0 and A coincide with such trun... |

3 |
Square Attack on Reduced Camellia Cipher
- HE, S
(Show Context)
Citation Context ... introduction, integrals have been used to cryptanalyse reducedround versions of Square [5], SAFER K [18], SAFER+ [12], Crypton [8], Rijndael [9], Twosh [22], Hierocrypt [1], IDEA [25], and Camellia [=-=10]-=-. We have shown here additional examples of applications of integrals. Thus, this class of techniques seems to be of broad interest. Recently Biryukov and Shamir applied a variant of integral cryptana... |

2 |
Ciphers: State of the Art”. Copies of transparencies for lecture at
- Knudsen, “Block
- 1997
(Show Context)
Citation Context ... [5], but under a different name: these techniques were previously described as “the Square attack”, instead of “integrals.” The name “integrals” has since been proposed independently by both Knudsen =-=[17]-=- and Yu, Zhang, and Xiao [12] to describe this general class of attacks. Also, in [6] the attack was described in terms of “lambda-sets” and applied also to reduced-round versions of the ciphers SHARK... |

2 |
The Saturation Attack—a Bait for Twofish”, Fast Software Encryption
- Lucks
- 2001
(Show Context)
Citation Context ...hers SHARK [27] and SAFER K [23]. Since their introduction, integrals have been used to cryptanalyse reducedround versions of Square [5], SAFER K [18], SAFER+ [12], Crypton [8], Rijndael [9], Twofish =-=[22]-=-, Hierocrypt [1], IDEA [25], and Camellia [10]. We have shown here additional examples of applications of integrals. Thus, this class of techniques seems to be of broad interest. Recently Biryukov and... |

1 |
Integral cryptanalysis of SAFER
- Hu, Zhang, et al.
- 1999
(Show Context)
Citation Context ...ame: these techniques were previously described as \the Square attack", instead of \integrals." The name \integrals" has since been proposed independently by both Knudsen [17] and Yu, Z=-=hang, and Xiao [12] to d-=-escribe this general class of attacks. Also, in [6] the attack was described in terms of \lambda-sets" and applied also to reduced-round versions of the ciphers SHARK [27] and SAFER K [23]. Since... |

1 |
Ciphers: State of the Art". Copies of transparencies for lecture at
- Knudsen, \Block
- 1997
(Show Context)
Citation Context ...n [5], but under a dierent name: these techniques were previously described as \the Square attack", instead of \integrals." The name \integrals" has since been proposed independently by=-= both Knudsen [17] and -=-Yu, Zhang, and Xiao [12] to describe this general class of attacks. Also, in [6] the attack was described in terms of \lambda-sets" and applied also to reduced-round versions of the ciphers SHARK... |

1 |
Improved Cryptanalysis of MISTY1," These proceedings
- Kuhn
- 1999
(Show Context)
Citation Context ...t blocks and bijective 8-bit S-boxes. All attacks use chosen plaintexts. Cipher (rounds) Complexity Comments [Data] [Time] MISTY1 (4) 2 20 2 89 see [19] (previously known) MISTY1 (4) 2 22:25 2 45 see =-=[20]-=- (previously known) MISTY1 (4) 2 38 2 62 see [19] (previously known) MISTY1 (4) 25 2 27 integrals (new) MISTY1 (5) 2 34 2 48 integrals (new) MISTY2 (5) 2 20 2 89 see [19] (previously known) MISTY2 (5)... |

1 |
The Saturation Attack|a Bait for Two Fast Software Encryption 2001
- Lucks
(Show Context)
Citation Context ...phers SHARK [27] and SAFER K [23]. Since their introduction, integrals have been used to cryptanalyse reducedround versions of Square [5], SAFER K [18], SAFER+ [12], Crypton [8], Rijndael [9], Twosh [=-=22]-=-, Hierocrypt [1], IDEA [25], and Camellia [10]. We have shown here additional examples of applications of integrals. Thus, this class of techniques seems to be of broad interest. Recently Biryukov and... |

1 |
Improved Cryptanalysis of MISTY1,” These proceedings
- Kühn
(Show Context)
Citation Context ...t blocks and bijective 8-bit S-boxes. All attacks use chosen plaintexts. Cipher (rounds) Complexity Comments [Data] [Time] MISTY1 (4) 2 20 2 89 see [19] (previously known) MISTY1 (4) 2 22.25 2 45 see =-=[20]-=- (previously known) MISTY1 (4) 2 38 2 62 see [19] (previously known) MISTY1 (4) 25 2 27 integrals (new) MISTY1 (5) 2 34 2 48 integrals (new) MISTY2 (5) 2 20 2 89 see [19] (previously known) MISTY2 (5)... |