## Analysis of Involutional Ciphers:

### BibTeX

@MISC{Biryukov_analysisof,

author = {Alex Biryukov},

title = {Analysis of Involutional Ciphers:},

year = {}

}

### OpenURL

### Abstract

Abstract. In this paper we study structural properties of SPN ciphers in which both the S-boxes and the affine layers are involutions. We apply our observations to the recently designed Rijndael-like ciphers Khazad and Anubis, and show several interesting properties of these ciphers. We also show that 5-round Khazad has 2 64 weak keys under a “slide-witha-twist” attack distinguisher. This is the first cryptanalytic result which is better than exhaustive search for 5-round Khazad. Analysis presented in this paper is generic and applies to a large class of ciphers built from involutional components. 1

### Citations

225 |
The Design of Rijndael
- Daemen, Rijmen
- 2004
(Show Context)
Citation Context ...the European prestandardization project NESSIE [6]. These ciphers are the 64-bit 8-round SPN cipher Khazad [1] and the 128-bit 12-18-round cipher Anubis [2]. Both ciphers have Rijndael-like structure =-=[4]-=-. Khazad uses an MDS diffusion layer which provides complete diffusion after one round (branch number is 9), while Anubis has a slower, Rijndael-like diffusion. In both cases linear transformations of... |

52 | Advanced Slide Attacks
- Biryukov, Wagner
- 2000
(Show Context)
Citation Context ... properties can be exploited in attacks on round-reduced or full Khazad is a matter of further research. Finally, we use involutional structure of Khazad in order to mount sliding-with-a-twist attack =-=[3]-=- on 5-rounds of this cipher, which works for 2 64 out of 2 128 keys. This attack might be of independent interest, since it may be applied to any cipher with the structure P ◦ F ◦ Q , where F is an ar... |

27 |
New European Schemes for Signatures Integrity and Encryption. Portfolio of recommended cryptographic primitives. http://www.nessie.eu.org/index. html 7
- NESSIE
- 1995
(Show Context)
Citation Context ...yer are involutions) were not intensively studied. Recently two ciphers with this new property have been designed by Barreto and Rijmen and submitted to the European prestandardization project NESSIE =-=[6]-=-. These ciphers are the 64-bit 8-round SPN cipher Khazad [1] and the 128-bit 12-18-round cipher Anubis [2]. Both ciphers have Rijndael-like structure [4]. Khazad uses an MDS diffusion layer which prov... |

13 |
A collision attack on seven rounds of Rijndael
- Gilbert, Minier
- 2000
(Show Context)
Citation Context ...uare attack on 3-rounds (2 9 chosen plaintexts and 2 16 S-box lookups). Extended by 64-bit subkey guessing one gets an attack on 4-round Khazad (2 80 S-box lookups). Gilbert-Minier’s collision attack =-=[5]-=- which worked better than the square attack for Rijndael, will not work for Khazad since it will require full 64-bit block collisions which may happen only for equal inputs (in Rijndael one could prov... |

9 |
The KHAZAD legacy-level block cipher.” Submission to NESSIE
- Barreto, Rijmen
- 2000
(Show Context)
Citation Context ...two ciphers with this new property have been designed by Barreto and Rijmen and submitted to the European prestandardization project NESSIE [6]. These ciphers are the 64-bit 8-round SPN cipher Khazad =-=[1]-=- and the 128-bit 12-18-round cipher Anubis [2]. Both ciphers have Rijndael-like structure [4]. Khazad uses an MDS diffusion layer which provides complete diffusion after one round (branch number is 9)... |

4 |
The Anubis Block Cipher, Submission to the NESSIE Project
- Rijmen, Barreto
- 2000
(Show Context)
Citation Context ...esigned by Barreto and Rijmen and submitted to the European prestandardization project NESSIE [6]. These ciphers are the 64-bit 8-round SPN cipher Khazad [1] and the 128-bit 12-18-round cipher Anubis =-=[2]-=-. Both ciphers have Rijndael-like structure [4]. Khazad uses an MDS diffusion layer which provides complete diffusion after one round (branch number is 9), while Anubis has a slower, Rijndael-like dif... |

2 |
Mathematical Solution of the Enigma
- Rejewski
- 1982
(Show Context)
Citation Context ...tions without fixed points (in case S has no fixed points and unless k1 = k2) it consists of cycles of the same length in even numbers (this fact was central to the cryptanalysis of the Enigma cipher =-=[7]-=-). � The k1Sk2 layer is a parallel application of eight 8-bit permutations, each following the theorem above. Let us denote the number of cycles of the i th permutation by 2ni, then we can write the f... |