Results 1 - 7 of 7
General Principles of Algebraic Attacks and New Design Criteria for Components of Symmetric Ciphers
in AES 4 Conference, Bonn, May 10-12 2004, LNCS 3373, 2005
Cited by 14 (7 self)
Abstract. This paper is about the design of multivariate public key schemes, as well as block and stream ciphers, in relation to recent attacks that exploit various types of multivariate algebraic relations. We survey these attacks focusing on their common fundamental principles and on how to avoid them. From this we derive new very general design criteria, applicable for very different cryptographic components. These amount to avoiding (if possible) the existence of, in some sense "too simple" algebraic relations. Though many ciphers that do not satisfy this new paradigm probably still remain secure, the design of ciphers will never be the same again.
Key Words: algebraic attacks, polynomial relations, multivariate equations, finite fields, design of cryptographic primitives, generalised linear cryptanalysis, multivariate public key encryption and signature schemes, HFE, Quartz, Sflash, stream ciphers, Boolean functions, combiners with memory, block ciphers, AES, Rijndael, Serpent, elimination methods, Gröbner bases.
The Inverse Sbox, Nonlinear Polynomial Relations and Cryptanalysis of Block Ciphers
in AES 4 Conference, Bonn, May 10-12 2004, LNCS 3373, 2005
Cited by 8 (4 self)
Abstract. This paper is motivated by the design of AES. We consider a broader question of cryptanalysis of block ciphers having very good nonlinearity and diffusion. Can we expect anyway to attack such ciphers, clearly designed to render hopeless the main classical attacks? Recently a lot of attention has been drawn to the existence of multivariate algebraic relations for AES (and other) S-boxes. Then, if the XSL-type algebraic attacks on block ciphers [11] are shown to work well, the answer would be positive. In this paper we show that the answer is certainly positive for many other constructions of ciphers. This is not due to an algebraic attack, but to new types of generalised linear cryptanalysis, highly nonlinear in flavour. We present several constructions of somewhat special practical block ciphers, seemingly satisfying all the design criteria of AES and using similar S-boxes, and yet being extremely weak. They can be generalised, and evolve into general attacks that can be applied potentially to any block cipher.
Key Words: block ciphers, AES, Rijndael, interpolation attack on block ciphers, fractional transformations, homographic functions, multivariate equations,
How Far Can We Go Beyond Linear Cryptanalysis?
in Asiacrypt 2004, LNCS, 2004
Cited by 5 (0 self)
Abstract. Several generalizations of linear cryptanalysis have been proposed in the past, as well as very similar attacks from a statistical point of view. In this paper, we define a rigorous general statistical framework which allows to interpret most of these attacks in a simple and unified way. Then, we explicitly construct optimal distinguishers, we evaluate their performance, and we prove that a block cipher immune to classical linear cryptanalysis possesses some resistance to a wide class of generalized versions, but not all. Finally, we derive tools which are necessary to set up more elaborate extensions of linear cryptanalysis, and to generalize the notions of bias, characteristic, and piling-up lemma.
Keywords: Block ciphers, linear cryptanalysis, statistical cryptanalysis.
1 A Decade of Linear Cryptanalysis
Linear cryptanalysis is a known-plaintext attack proposed in 1993 by Matsui [21, 22] to break DES [26], exploiting specific correlations between the input and the output of a block cipher. Namely, the attack traces the statistical correlation between one bit of information about the plaintext and one bit of information about the ciphertext, both obtained linearly with respect to GF(2)^L (where L is the block size of the cipher), by means of probabilistic linear expressions, a concept previously introduced by Tardy-Corfdir and Gilbert [30]. Soon after, several attempts to generalize linear cryptanalysis are published: Kaliski and Robshaw [13] demonstrate how it is possible to combine several independent linear correlations depending on the same key bits. In [31], Vaudenay defines another kind of attack on DES, called A^2-attack, and shows that one can obtain an attack slightly less powerful than a linear cryptanalysis, but without the need to know precisely what happens in the block cipher.
Harpes, Kramer, and Massey [7] replace the linear expressions with so-called I/O sums, i.e., balanced binary-valued functions; they prove the potential effectiveness of such a generalization by exhibiting a block cipher secure against conventional linear cryptanalysis but vulnerable to their generalization. Practical examples are the attack of Knudsen and Robshaw [15] against
Linear Cryptanalysis of Non Binary Ciphers with an Application to SAFER
Cited by 2 (1 self)
Abstract. In this paper we revisit distinguishing attacks. We show how to generalize the notion of linear distinguisher to arbitrary sets. Our thesis is that our generalization is the most natural one. We compare it with the one by Granboulan et al. from FSE'06 by showing that we can get sharp estimates of the data complexity and cumulate characteristics in linear hulls. As a proof of concept, we propose a better attack on their toy cipher TOY100 than the one that was originally suggested and we propose the best known plaintext attack on SAFER K/SK so far. This provides new directions to block cipher cryptanalysis even in the binary case. On the constructive side, we introduce DEAN18, a toy cipher which encrypts blocks of 18 decimal digits and we study its security.
Related-Key Statistical Cryptanalysis
Abstract. This paper studies the information-theoretic limits of block cipher statistical key-recovery attacks, which typically use several known plaintext/ciphertext (P/C) pairs to determine a single key. In particular, it studies related-key statistical key recovery, where the adversary uses n related keys, generated from k independent ones. Unlike classical related-key attacks such as differential related-key cryptanalysis, this attack does not exploit a special structural weakness in the cipher or key schedule, but amplifies the weakness exploited in single-key recovery. Using classical results from information theory the paper shows that there exists a relationship among the keys for which the number of P/C pairs required per independent key bit is finite, for any probability of key-recovery error. This may be compared to the unbounded number required per bit of the single-key-recovery attack; the adversarial advantage being similar to that of using error-correcting codes instead of repetition codes for channel communication. The paper also provides lower bounds on the number of P/C pairs required per independent key bit. The practical implications of the results are demonstrated through experiments on reduced-round DES.