## Multiplicative Differentials

### BibTeX

```bibtex
@MISC{Borisov_multiplicativedifferentials,
    author = {Nikita Borisov and Monica Chew and Rob Johnson and David Wagner},
    title = {Multiplicative Differentials},
    year = {}
}
```

### Abstract

We present a new type of differential that is particularly suited to analyzing ciphers that use modular multiplication as a primitive operation. These differentials are partially inspired by the differential used to break Nimbus, and we generalize that result. We use these differentials to break the MultiSwap cipher that is part of the Microsoft Digital Rights Management subsystem, to derive a complementation property in the xmx cipher using the recommended modulus, and to mount a weak key attack on the xmx cipher for many other moduli. We also present weak key attacks on several variants of IDEA. We conclude that cipher designers may have placed too much faith in multiplication as a mixing operator, and that it should be combined with at least two other incompatible group operations.

### Citations

504 | Differential Cryptanalysis of DES-like Cryptosystems
- Biham, Shamir
- 1991

Citation Context ...iSwap, was designed by Microsoft and subsequently reverse-engineered and published on the Internet under the pseudonym Beale Screamer [12]. Differential cryptanalysis was invented by Biham and Shamir [1]. In the present paper, we apply the ideas of differential cryptanalysis using a non-standard group operation: multiplication modulo n. Daemen, van Linden, Govaerts, and Vandewalle have performed...

432 | Linear cryptanalysis method for DES cipher
- Matsui
- 1993

Citation Context ... In Section 6 we use the multiplicative homomorphism (Z/2^32 Z)^∗ → (Z/2^16 Z)^∗ to recover MultiSwap keys efficiently. This technique is the multiplicative equivalent of Matsui’s linear cryptanalysis [9]. In a similar vein, Harpes, Kramer and Massey applied the quadratic residue multiplicative homomorphism QR: (Z/nZ)^∗ → Z/2Z, for n = 2^16 + 1, to attack IDEA [5]. Kelsey, Schneier and Wagner used the...

114 | Markov ciphers and differential cryptanalysis
- Lai, Massey, et al.
- 1991

Citation Context ... cipher [12], which is used in Microsoft’s Digital Rights Management system, and show that it is extremely vulnerable to multiplicative differential cryptanalysis. In Section 7, we study several IDEA [7] variants obtained by replacing additions with xors and show that these variants are vulnerable to weak key attacks using multiplicative differentials. As an example, we show that IDEA-X, a version of...

45 | A generalisation of linear cryptanalysis and the applicability of Matsui’s piling-up lemma
- Harpes, Kramer, et al.
- 1995

Citation Context ...lent of Matsui’s linear cryptanalysis [9]. In a similar vein, Harpes, Kramer and Massey applied the quadratic residue multiplicative homomorphism QR: (Z/nZ)^∗ → Z/2Z, for n = 2^16 + 1, to attack IDEA [5]. Kelsey, Schneier and Wagner used the reduction map Z/nZ → Z/mZ (a ring homomorphism), for n = 2^ℓ − 1 and m dividing n, in cryptanalysis [6]. 3 Two Examples To illustrate some of the ideas behind our...

31 | Weak Keys for IDEA
- Daemen, Govaerts, et al.
- 1994

Citation Context ...d this to break 2 rounds using differential cryptanalysis [10]. Daemen, Govaerts, and Vandewalle observed that −x mod 2^16 + 1 = x ⊕ 11···101 whenever x_1, the second least significant bit of x, is 1 [2]. They showed that if certain IDEA subkeys are ±1, the algorithm can be broken with differential cryptanalysis. We use the same observation to find weak keys for a variant of IDEA in Section 7. The cla...

24 | Mod n cryptanalysis, with applications against RC5P and M6
- Kelsey, Schneier, et al.
- 1999

Citation Context ...hism QR: (Z/nZ)^∗ → Z/2Z, for n = 2^16 + 1, to attack IDEA [5]. Kelsey, Schneier and Wagner used the reduction map Z/nZ → Z/mZ (a ring homomorphism), for n = 2^ℓ − 1 and m dividing n, in cryptanalysis [6]. 3 Two Examples To illustrate some of the ideas behind our attacks, we give two examples of using multiplicative differentials to cryptanalyze simple ciphers. Throughout the paper, x_i will represent ...

12 | On the security of the IDEA block cipher
- Meier
- 1994

Citation Context ...was first proposed by Lai, Massey and Murphy [7]. Meier observed that part of the IDEA cipher often reduces to an affine transformation, and used this to break 2 rounds using differential cryptanalysis [10]. Daemen, Govaerts, and Vandewalle observed that −x mod 2^16 + 1 = x ⊕ 11···101 whenever x_1, the second least significant bit of x, is 1 [2]. They showed that if certain IDEA subkeys are ±1, the algo...

6 | Microsoft’s digital rights management scheme - technical details
- Screamer

Citation Context ...dulo 2^32. 6 MultiSwap The MultiSwap cipher is used in Microsoft’s Digital Rights Management subsystem and was first described in a report published on the Internet under the pseudonym Beale Screamer [12]. The cipher, shown in Figure 2, operates entirely on 32-bit words, maintains two words of internal state, s_0 and s_1, and uses 12 32-bit subkeys k_0, ..., k_11. The subkeys k_0, ..., k_4, k_6, ...

2 | Propagation properties of multiplication modulo 2
- Daemen, Linden, et al.
- 1992

2 | Differential cryptanalysis of Nimbus
- Furman
- 2001

Citation Context ...fferentials interact with other operations that are normally thought incompatible with multiplication, such as xor and bitwise permutations. Cipher Complexity Comments [Data] [Time] [Keys] all see [4] (previously known) xmx (standard version) 2 CP 2 all mult. complementation property (new) xmx (challenge version) 2^33 CP 2^33 2^−8 multiplicative differentials (new) MultiSwap 2^13 CP 2^25 all multi...

2 | The Nimbus cipher: A proposal for NESSIE
- Machado
- 2000

Citation Context ...sider reduced-round variants. “CP” denotes chosen plaintexts, and “KP” denotes known plaintexts. After reviewing previous work in Section 2, we give two examples using the ciphers xmx [11] and Nimbus [8] to convey the flavor of these attacks in Section 3. In Section 4, we generalize these ideas and catalogue several common cipher primitives that preserve multiplicative differentials. We then focus on ...

2 | XMX: a firmware-oriented block cipher based on modular multiplications
- M’Raihi, Naccache, et al.
- 1997

2 | Propagation properties of multiplication modulo 2^n − 1
- Daemen, Linden, et al.
- 1992

Citation Context ..., Govaerts, and Vandewalle have performed a very thorough analysis of multiplication mod 2^ℓ − 1, how it relates to elementary bit-operations, and its potential for foiling differential cryptanalysis [3]. In Section 6 we use the multiplicative homomorphism (Z/2^32 Z)^∗ → (Z/2^16 Z)^∗ to recover MultiSwap keys efficiently. This technique is the multiplicative equivalent of Matsui’s linear cryptanalysis...

1 | Propagation properties of multiplication modulo
- Daemen, Linden, et al.
- 1992

1 | XMX: a firmware-oriented block cipher based on modular multiplications
- M’Raihi, Naccache, et al.
- 1997

Citation Context ... not need to consider reduced-round variants. “CP” denotes chosen plaintexts, and “KP” denotes known plaintexts. After reviewing previous work in Section 2, we give two examples using the ciphers xmx [11] and Nimbus [8] to convey the flavor of these attacks in Section 3. In Section 4, we generalize these ideas and catalogue several common cipher primitives that preserve multiplicative differentials. We...