## Truncated and Higher Order Differentials (1995)

Venue: | Fast Software Encryption - Second International Workshop, Leuven, Belgium, LNCS 1008 |

Citations: | 101 - 9 self |

### BibTeX

@INPROCEEDINGS{Knudsen95truncatedand,

author = {Lars R. Knudsen},

title = {Truncated and Higher Order Differentials},

booktitle = {Fast Software Encryption - Second International Workshop, Leuven, Belgium, LNCS 1008},

year = {1995},

pages = {196--211},

publisher = {Springer-Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

In [6] higher order derivatives of discrete functions were considered and the concept of higher order differentials was introduced. We introduce the concept of truncated differentials and present attacks on ciphers presumably secure against differential attacks, but vulnerable to attacks using higher order and truncated differentials. Also we give a differential attack using truncated differentials on DES reduced to 6 rounds using only 46 chosen plaintexts with an expected running time of about the time of 3,500 encryptions. Finally it is shown how to find a minimum nonlinear order of a block cipher using higher order differentials.

### Citations

544 | Differential Cryptanalysis of DES-like Cryptosystems
- Biham, Shamir
- 1991
(Show Context)
Citation Context ...ng time of about the time of 3,500 encryptions. Finally it is shown how to find a minimum nonlinear order of a block cipher using higher order differentials. 1 Introduction Differential cryptanalysis =-=[1]-=- was introduced by Biham and Shamir. Lai considered higher order derivatives of discrete functions [6] and the concept of higher order differentials was introduced. As a special case binary functions ... |

356 |
Differential Cryptanalysis of the Data Encryption Standard
- Biham, Shamir
- 1993
(Show Context)
Citation Context ...the outputs from that S-box are always equal, independent of the values of the inputs to other S-boxes. These truncated differentials are used to a wide extent in Biham and Shamirs attacks on the DES =-=[1, 2]-=-. The output of an S-box affects the inputs of at most six S-boxes in the following round, because of the P-permutation, see Table 1. This fact can be used to construct a four round truncated differen... |

144 |
Differentially Uniform Mappings for Cryptography
- Nyberg
- 1994
(Show Context)
Citation Context ...cated differential. More formally, let (a; b) be an i-round differential. If a 0 is a subsequence of a and b 0 is a subsequence of b, then (a 0 ; b 0 ) is called an i round truncated differential. In =-=[7]-=- it is shown that the functions f(x) = x \Gamma1 in GF(2 n ), where f(x) = 0 for x = 0, are differentially 2-uniform for odd n and differentially 4uniform for even n, i.e. the highest probability of a... |

62 |
Higher order derivatives and differential cryptanalysis
- Lai
(Show Context)
Citation Context ...der of a block cipher using higher order differentials. 1 Introduction Differential cryptanalysis [1] was introduced by Biham and Shamir. Lai considered higher order derivatives of discrete functions =-=[6]-=- and the concept of higher order differentials was introduced. As a special case binary functions were considered, which is relevant for cryptanalysis of block ciphers. The cryptographic significance ... |

45 |
Provable security against a differential cryptanalysis
- Nyberg, Knudsen
- 1993
(Show Context)
Citation Context ...ctions were considered, which is relevant for cryptanalysis of block ciphers. The cryptographic significance of higher order differentials was discussed, but no applications given. Knudsen and Nyberg =-=[8]-=- showed that block ciphers exist secure against a differential attack using first order differentials, as proposed by Biham and Shamir. In this paper we introduce the concept of truncated differential... |

38 |
Differential-Linear Cryptanalysis
- Langford, Hellman
- 1994
(Show Context)
Citation Context ...ds on a PC. 2 There are possible variations of the above attack, which are listed in Table 2. It should be noted that the linear attack combined with differential 'techniques' by Hellman and Langford =-=[4]-=- exploits the same phenomenon as in our attack, but the two attacks are different. Finally we note that in [10] Preneel et al. considered, what they call reduced exors, in differential attacks on the ... |

29 |
Block ciphers { analysis, design and applications
- Knudsen
- 1994
(Show Context)
Citation Context ...). Proof: The first statement is proved in [8] and that the second derivative is a constant follows from Prop. 5. The actual constant can be computed in a straightforward way and is omitted here (see =-=[5]-=-). 2 We implemented the attack of Th. 11 counting on both the fourth and fifth round key using second order differentials in a five round Feistel cipher with f(x) of Lemma 12 as round function and wit... |

26 |
Results of an initial attempt to cryptanalyze the NBS Data Encryption Standard
- Hellman, Merkle, et al.
- 1976
(Show Context)
Citation Context .... Set i = 1 2. Compute y1 = \Delta a 1 ;:::;a i EK (x1) and y2 = \Delta a 1 ;:::;a i EK (x2) 3. If y1 = y2 output i and stop 4. If isr output i and stop 5. Set i = i + 1 and go to step (2) If in step =-=(3)-=-, y1 6= y2 then the nonlinear order is greater than i according to Prop. 6. If y1 = y2 then the nonlinear order may be greater than i, because it is possible for other values of x 0 1 and x 0 2 that y... |

3 |
The method of formal coding
- Schaumuller-Bichl
- 1982
(Show Context)
Citation Context ...blance with truncated differentials. No. of chosen plaintexts No. of key bits found 7 8 16 18 31 33 46 45 Table 2. Complexities of our attacks on DES with 6 rounds. 6 Computing the Nonlinear Order In =-=[11]-=- it was considered to cryptanalyse the DES by the method of formal coding. The conclusion was that this is hardly possible. It was shown also that the nonlinear order of any of the 8 S-boxes in the DE... |

1 |
Differential cryptanalysis of the CFB mode
- Preneel, Nuttin, et al.
- 1993
(Show Context)
Citation Context ...ed that the linear attack combined with differential 'techniques' by Hellman and Langford [4] exploits the same phenomenon as in our attack, but the two attacks are different. Finally we note that in =-=[10]-=- Preneel et al. considered, what they call reduced exors, in differential attacks on the DES in CFB mode. The reduced exors have some resemblance with truncated differentials. No. of chosen plaintexts... |