## Analysis of Involutional Ciphers: Khazad And Anubis (2003)

Venue: | FAST SOFTWARE ENCRYPTION – 2003, LECTURES NOTES IN COMPUTER SCIENCE |

Citations: | 6 - 2 self |

### BibTeX

@INPROCEEDINGS{Biryukov03analysisof,

author = {Alex Biryukov},

title = {Analysis of Involutional Ciphers: Khazad And Anubis},

booktitle = {FAST SOFTWARE ENCRYPTION – 2003, LECTURES NOTES IN COMPUTER SCIENCE},

year = {2003},

pages = {4--5},

publisher = {Springer}

}

### OpenURL

### Abstract

In this paper we study structural properties of SPN ciphers in which both the S-boxes and the affine layers are involutions. We apply our observations to the recently designed Rijndael-like ciphers Khazad and Anubis, and show several interesting properties of these ciphers. We also show that 5-round Khazad has 2 weak keys under a "slide-with-a-twist" attack distinguisher. This is the first cryptanalytic result which is better than exhaustive search for 5-round Khazad. Analysis presented in this paper is generic and applies to a large class of ciphers built from involutional components.

### Citations

218 |
The Design of Rijndael
- Daemen, Rijmen
- 2002
(Show Context)
Citation Context ...the European prestandardization project NESSIE [6]. These ciphers are the 64-bit 8-round SPN cipher Khazad [1] and the 128-bit 12-18-round cipher Anubis [2]. Both ciphers have Rijndael-like structure =-=[4]-=-. Khazad uses an MDS di#usion layer which provides complete di#usion after one round (branch number is 9), while Anubis has a slower, Rijndael-like di#usion. In both cases linear transformations of th... |

51 | Wagner: Advanced Slide Attacks
- Biryukov, David
- 2000
(Show Context)
Citation Context ... properties can be exploited in attacks on round-reduced or full Khazad is a matter of further research. Finally, we use involutional structure of Khazad in order to mount sliding-with-a-twist attack =-=[3]-=- on 5-rounds of this cipher, which works for 2 64 out of 2 128 keys. This attack might be of independent interest, since it may be applied to any cipher with the structure P # F # Q , where F is an ar... |

13 |
A collision attack on seven rounds of Rijndael
- Gilbert, Minier
- 2000
(Show Context)
Citation Context ...uare attack on 3-rounds (2 9 chosen plaintexts and 2 16 S-box lookups). Extended by 64-bit subkey guessing one gets an attack on 4-round Khazad (2 80 S-box lookups). Gilbert-Minier's collision attack =-=[5]-=- which worked better than the square attack for Rijndael, will not work for Khazad since it will require full 64-bit block collisions which may happen only for equal inputs (in Rijndael one could prov... |

9 |
The KHAZAD legacy-level block cipher.” Submission to NESSIE
- Barreto, Rijmen
- 2000
(Show Context)
Citation Context ...two ciphers with this new property have been designed by Barreto and Rijmen and submitted to the European prestandardization project NESSIE [6]. These ciphers are the 64-bit 8-round SPN cipher Khazad =-=[1]-=- and the 128-bit 12-18-round cipher Anubis [2]. Both ciphers have Rijndael-like structure [4]. Khazad uses an MDS di#usion layer which provides complete di#usion after one round (branch number is 9), ... |

4 |
The Anubis Block Cipher, Submission to the NESSIE Project
- Rijmen, Barreto
- 2000
(Show Context)
Citation Context ...esigned by Barreto and Rijmen and submitted to the European prestandardization project NESSIE [6]. These ciphers are the 64-bit 8-round SPN cipher Khazad [1] and the 128-bit 12-18-round cipher Anubis =-=[2]-=-. Both ciphers have Rijndael-like structure [4]. Khazad uses an MDS di#usion layer which provides complete di#usion after one round (branch number is 9), while Anubis has a slower, Rijndael-like di#us... |

2 |
Mathematical Solution of the Enigma
- Rejewski
- 1982
(Show Context)
Citation Context ...ns without fixed points (in case S has no fixed points and unless k 1 = k 2 ) it consists of cycles of the same length in even numbers (this fact was central to the cryptanalysis of the Enigma cipher =-=[7]-=-). # The k 1 Sk 2 layer is a parallel application of eight 8-bit permutations, each following the theorem above. Let us denote the number of cycles of the i th permutation by 2n i , then we can write ... |

1 |
European Schemes for Signatures
- NESSIE
(Show Context)
Citation Context ...yer are involutions) were not intensively studied. Recently two ciphers with this new property have been designed by Barreto and Rijmen and submitted to the European prestandardization project NESSIE =-=[6]-=-. These ciphers are the 64-bit 8-round SPN cipher Khazad [1] and the 128-bit 12-18-round cipher Anubis [2]. Both ciphers have Rijndael-like structure [4]. Khazad uses an MDS di#usion layer which provi... |