DOCSLIB.ORG

New Impossible Differential Cryptanalysis of ARIA

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
New Impossible Differential Cryptanalysis of ARIA New Impossible Di®erential Cryptanalysis of ARIA Ruilin Li, Bing Sun, Peng Zhang and Chao Li Department of Mathematics and System Sciences, Science College, National University of Defense Technology, Changsha, 410073, P.R.China, [email protected] fhappy come,[email protected] lichao [email protected] Abstract. This paper studies the security of ARIA against impossible di®erential cryptanalysis. Firstly an algorithm is given to ¯nd many new 4-round impossible di®erentials of ARIA. Followed by such impossible di®erentials, we improve the previous impossible di®erential attack on 5/6-round ARIA. We also point out that the existence of such impossible di®erentials are due to the bad properties of the binary matrix employed in the di®usion layer. Key Words: Block Cipher, Impossible Di®erential, ARIA 1 Introduction ARIA[1] is a 128-bit block cipher designed by a group of Korean experts in 2003 which later was established as a Korean Standard by the Ministry of Commerce, Industry and Energy. ARIA supports key length of 128/192/256 bits, and the most interesting characteristic is its involution based on the special usage of neighbouring confusion layer and involutional di®usion layer[2]. The security of ARIA was initially analyzed by its designers, including dif- ferential cryptanalysis, linear cryptanalysis, truncated di®erential cryptanaly- sis, impossible di®erential cryptanalysis, higher order di®erential cryptanalysis, square attack and interpolation attack[1]. Later Alex Biryukov etc. performed an evaluation of ARIA, but they focused on truncated di®erential cryptanalysis and dedicated linear cryptanalysis[3]. Wu etc. ¯rstly found a non-trivial 4-round impossible di®erential path which led to a 6-round attack of ARIA requiring about 2121 chosen plaintexts and about 2112 encryptions[4]. Impossible di®erential cryptanalysis, independently found by Knudsen[6] and Biham[7], uses one or more di®erentials with probability 0 called impossible dif- ferential. Unlike di®erential cryptanalysis[5] which recoveries the key through the obvious advantage of a high probability di®erential characteristic, impossi- ble di®erential cryptanalysis is a sieving attack which excludes the candidate keys until only one key left using some impossible di®erential path. Since its 2 Ruilin Li, Bing Sun, Peng Zhang and Chao Li emergence, impossible di®erential cryptanalysis has been applied to attack many well-known block ciphers such as AES[9{11], recently a newly designed block ci- pher CLEFIA[12{14] and so on. Impossible di®erential is usually built in a miss-in-the-middle manner[8], i.e. given an input di®erence ®, we can go forward with probabolity 1 to some dif- ference γ, meanwhile from the output di®erence ¯, we can go backward with probability 1 to another di®erence ±, but then we get some contradictions be- tween γ and ±, thus we get an impossible di®erence ® 9 ¯. In [7], some auto- mated technique called Shrinking was introduced as an e±cient algorithm to ¯nd impossible di®erential of a new block cipher, but such method relates to the structure of the block cipher at a large extent and doesn't focus too much on the detail of components in the round function. In this paper we observe that due to some bad properties of the binary matrix used in the di®usion layer, we can ¯nd many new impossible di®erentials of ARIA, and the impossible di®erentials found in [4] are some special cases in ours. Based on such new impossible di®erentials and the Early Abort T echnique introduced in [4, 5, 15], we mount an e±cient attack on 5/6 reduced round of ARIA. Table 4 summaries our main cryptanalytic results compared with the previous impossible di®erential attack on ARIA. The rest of the paper is organized as follows. In section 2 we briefly describe the block cipher ARIA. In section 3 we give some bad properties of the di®usion layer. In section 4, we present an algorithm to ¯nd many new 4-round impossible di®erential. Section 5 is our improved attack on the 5/6-reduced round ARIA. We concludes this paper in Section 6. 2 Preliminaries 2.1 Description of ARIA ARIA is an SPN style block cipher, and the number of the rounds are 12/14/16 corresponding to key of 128/192/256 bit. In this paper the plaintext, as well as the input and output of the round function, the ciphertext are treated as 4 £ 4 matrices over GF (28)4£4 or a 16-byte vectors over GF (28)16 and we call them states. The round function of ARIA constitutes 3 basic operations: the Substitution Layer, the Di®usion Layer and the Round Key Addition. An N round ARIA ¯rstly applies a Round Key Addition, then iterates the round function N ¡ 1 times, the last round is the same but excludes the di®usion layer. The whole structure is depicted in Fig. 1 and the 3 basic operations are as follows: Round Key Addition(RKA): a 128-bit round key is simply XORed to the state. The round key is derived from the cipher key by means of the key schedule. For the detail of the key schedule, we refer to [1]. Substitution Layer(SL): a non-linear byte substitution operates on each byte of the state independently. In ARIA this is implemented by two S-boxes s1 8 and s2 de¯ned by a±ne transformations of the inverse function over GF (2 ). New Impossible Di®erential Cryptanalysis of ARIA 3 Di®usion Layer(DL): a 16£16 involution binary matrix with branch num- ber 8 was selected to improve the di®usion e®ect and increase e±ciency in both hardware and software implementations. plaintext x0 x4 x8 x12 x1 x5 x9 x13 RKA SL DL RKA x2 x6 x10 x14 x3 x7 x11 x15 SL DL RKA 4!! 4!! 4!! 4!! 4!! 4!! SL DL RKA z0 z4 z8 z12 SL RKA z1 z5 z9 z13 z2 z6 z10 z14 z3 z7 z11 z15 ciphertext Fig. 1. Overall Structure of ARIA 2.2 Notions In this paper, we will use the following notations: P or P 0 the 128-bit plaintext C or C0 the 128-bit ciphertext 8 X some 16-byte state denoted by (x0; ¢ ¢ ¢ ; x15) where xi 2 GF (2 ) ¢X the XOR (©) di®erence of X h(X) the number of non-zero byte in X I O Xi (Xi ) the input (resp. output) of round i S D Xi (Xi ) value after application of SL(resp. DL) of round i ¤ ¤ Xi;j the j-th byte of Xi , where ¤ 2 fI; O; S; Dg 4 Ruilin Li, Bing Sun, Peng Zhang and Chao Li 3 Some Observations On the Di®usion Layer of ARIA In [2], the authors presented an excellent algorithm (implementation of A can be performed e±ciently) to construct a binary matrix A satisfying the following conditions: (1) the branch number of A is 8 which is the best when A 2 GF (2)16£16; (2) A is involution, i.e. A2 = I, where I is identical transformation; (3) resistance against truncated di®erential cryptanalysis; (4) resistance against impossible di®erential cryptanalysis. Such binary matrix A was later employed as the di®usion layer in ARIA. In this section, we will use X to denote the input to the DL, and Y to denote the output of the DL. Both X and Y can be treated as 16-byte vectors, then A can be seen as a linear map from GF (28)16 to GF (28)16, we denote such transformation by Y = AX as follow. 0 1 0 1 0 1 y0 0001101011000110 x0 B C B C B C B y1 C B0010010111001001C B x1 C B C B C B C B y2 C B0100101000111001C B x2 C B C B C B C B y3 C B1000010100110110C B x3 C B C B C B C B y4 C B1010010010010011C B x4 C B C B C B C B y5 C B0101100001100011C B x5 C B C B C B C B y6 C B1010000101101100C B x6 C B C B C B C B y7 C B0101001010011100C B x7 C B C = B C £ B C B y8 C B1100100100100101C B x8 C B C B C B C B y9 C B1100011000011010C B x9 C B C B C B C By10C B0011011010000101C Bx10C B C B C B C By11C B0011100101001010C Bx11C B C B C B C By12C B0110001101011000C Bx12C B C B C B C By13C B1001001110100100C Bx13C @y14A @1001110001010010A @x14A y15 0110110010100001 x15 Let ¤i = ftj0 · t · 15;Ai;t = 1g(0 · i · 15). It is obviously that ¤i is a good description of the dependency between output yi and the input byte positions of X. After pondering such ¤i's in table 1 thoroughly, we can get the following propositions: Proposition 1. Let A be de¯ned as above, then, for any 0 · i 6= j · 15, there (i;j) 8 16 (i;j) exits E ½ GF (2 ) such that for any X 2 E , yi = 0 and yj 6= 0. Proof. From table 1, for any 0 · i 6= j · 15, ¤ij , ¤j ¡ ¤i 6= ;. Chose an arbitrary element of ¤ij, say k, then for l = 0; 1; ¢ ¢ ¢ 15, let 8 8 <>® if l = k; where 0 6= ® 2 GF (2 ) xl = 0 if l 2 ¤i [ ¤j; l 6= k :> ¯ others, where ¯ 2 GF (28) : New Impossible Di®erential Cryptanalysis of ARIA 5 Table 1. The dependency between output yi and input byte positions of X ¤0 f3,4,6,8,9,13,14g ¤8 f0,1,4,7,10,13,15g ¤1 f2,5,7,8,9,12,15g ¤9 f0,1,5,6,11,12,14g ¤2 f1,4,6,10,11,12,15g ¤10 f2,3,5,6,8,13,15g ¤3 f0,5,7,10,11,13,14g ¤11 f2,3,4,7,9,12,14g ¤4 f0,2,5,8,11,14,15g ¤12 f1,2,6,7,9,11,12g ¤5 f1,3,4,9,10,14,15g ¤13 f0,3,6,7,8,10,13g ¤6 f0,2,7,9,10,12,13g ¤14 f0,3,4,5,9,11,14g ¤7 f1,3,6,8,11,12,13g ¤15 f1,2,4,5,8,10,15g and let (i;j) Ek = fXjX = (x0; ¢ ¢ ¢ ; x15)g; S then, E(i;j) = E(i;j) satis¯es all the conditions in Proposition 1.
Load more

Recommended publications
  • Report on the AES Candidates
    Rep ort on the AES Candidates 1 2 1 3 Olivier Baudron , Henri Gilb ert , Louis Granb oulan , Helena Handschuh , 4 1 5 1 Antoine Joux , Phong Nguyen ,Fabrice Noilhan ,David Pointcheval , 1 1 1 1 Thomas Pornin , Guillaume Poupard , Jacques Stern , and Serge Vaudenay 1 Ecole Normale Sup erieure { CNRS 2 France Telecom 3 Gemplus { ENST 4 SCSSI 5 Universit e d'Orsay { LRI Contact e-mail: [email protected] Abstract This do cument rep orts the activities of the AES working group organized at the Ecole Normale Sup erieure. Several candidates are evaluated. In particular we outline some weaknesses in the designs of some candidates. We mainly discuss selection criteria b etween the can- didates, and make case-by-case comments. We nally recommend the selection of Mars, RC6, Serp ent, ... and DFC. As the rep ort is b eing nalized, we also added some new preliminary cryptanalysis on RC6 and Crypton in the App endix which are not considered in the main b o dy of the rep ort. Designing the encryption standard of the rst twentyyears of the twenty rst century is a challenging task: we need to predict p ossible future technologies, and wehavetotake unknown future attacks in account. Following the AES pro cess initiated by NIST, we organized an op en working group at the Ecole Normale Sup erieure. This group met two hours a week to review the AES candidates. The present do cument rep orts its results. Another task of this group was to up date the DFC candidate submitted by CNRS [16, 17] and to answer questions which had b een omitted in previous 1 rep orts on DFC.
    [Show full text]
  • New Cryptanalysis of Block Ciphers with Low Algebraic Degree
    New Cryptanalysis of Block Ciphers with Low Algebraic Degree Bing Sun1,LongjiangQu1,andChaoLi1,2 1 Department of Mathematics and System Science, Science College of National University of Defense Technology, Changsha, China, 410073 2 State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, China, 10039 happy [email protected], ljqu [email protected] Abstract. Improved interpolation attack and new integral attack are proposed in this paper, and they can be applied to block ciphers using round functions with low algebraic degree. In the new attacks, we can determine not only the degree of the polynomial, but also coefficients of some special terms. Thus instead of guessing the round keys one by one, we can get the round keys by solving some algebraic equations over finite field. The new methods are applied to PURE block cipher successfully. The improved interpolation attacks can recover the first round key of 8-round PURE in less than a second; r-round PURE with r ≤ 21 is breakable with about 3r−2 chosen plaintexts and the time complexity is 3r−2 encryptions; 22-round PURE is breakable with both data and time complexities being about 3 × 320. The new integral attacks can break PURE with rounds up to 21 with 232 encryptions and 22-round with 3 × 232 encryptions. This means that PURE with up to 22 rounds is breakable on a personal computer. Keywords: block cipher, Feistel cipher, interpolation attack, integral attack. 1 Introduction For some ciphers, the round function can be described either by a low degree polynomial or by a quotient of two low degree polynomials over finite field with characteristic 2.
    [Show full text]
  • ICEBERG : an Involutional Cipher Efficient for Block Encryption in Reconfigurable Hardware
    1 ICEBERG : an Involutional Cipher Efficient for Block Encryption in Reconfigurable Hardware. Francois-Xavier Standaert, Gilles Piret, Gael Rouvroy, Jean-Jacques Quisquater, Jean-Didier Legat UCL Crypto Group Laboratoire de Microelectronique Universite Catholique de Louvain Place du Levant, 3, B-1348 Louvain-La-Neuve, Belgium standaert,piret,rouvroy,quisquater,[email protected] Abstract. We present a fast involutional block cipher optimized for re- configurable hardware implementations. ICEBERG uses 64-bit text blocks and 128-bit keys. All components are involutional and allow very effi- cient combinations of encryption/decryption. Hardware implementations of ICEBERG allow to change the key at every clock cycle without any per- formance loss and its round keys are derived “on-the-fly” in encryption and decryption modes (no storage of round keys is needed). The result- ing design offers better hardware efficiency than other recent 128-key-bit block ciphers. Resistance against side-channel cryptanalysis was also con- sidered as a design criteria for ICEBERG. Keywords: block cipher design, efficient implementations, reconfigurable hardware, side-channel resistance. 1 Introduction In October 2000, NIST (National Institute of Standards and Technology) se- lected Rijndael as the new Advanced Encryption Standard. The selection pro- cess included performance evaluation on both software and hardware platforms. However, as implementation versatility was a criteria for the selection of the AES, it appeared that Rijndael is not optimal for reconfigurable hardware im- plementations. Its highly expensive substitution boxes are a typical bottleneck but the combination of encryption and decryption in hardware is probably as critical. In general, observing the AES candidates [1, 2], one may assess that the cri- teria selected for their evaluation led to highly conservative designs although the context of certain cryptanalysis may be considered as very unlikely (e.g.
    [Show full text]
  • A Brief Outlook at Block Ciphers
    A Brief Outlook at Block Ciphers Pascal Junod Ecole¶ Polytechnique F¶ed¶eralede Lausanne, Suisse CSA'03, Rabat, Maroc, 10-09-2003 Content F Generic Concepts F DES / AES F Cryptanalysis of Block Ciphers F Provable Security CSA'03, 10 septembre 2003, Rabat, Maroc { i { Block Cipher P e d P C K K CSA'03, 10 septembre 2003, Rabat, Maroc { ii { Block Cipher (2) F Deterministic, invertible function: e : {0, 1}n × K → {0, 1}n d : {0, 1}n × K → {0, 1}n F The function is parametered by a key K. F Mapping an n-bit plaintext P to an n-bit ciphertext C: C = eK(P ) F The function must be a bijection for a ¯xed key. CSA'03, 10 septembre 2003, Rabat, Maroc { iii { Product Ciphers and Iterated Block Ciphers F A product cipher combines two or more transformations in a manner intending that the resulting cipher is (hopefully) more secure than the individual components. F An iterated block cipher is a block cipher involving the sequential repeti- tion of an internal function f called a round function. Parameters include the number of rounds r, the block bit size n and the bit size k of the input key K from which r subkeys ki (called round keys) are derived. For invertibility purposes, the round function f is a bijection on the round input for each value ki. CSA'03, 10 septembre 2003, Rabat, Maroc { iv { Product Ciphers and Iterated Block Ciphers (2) P K f k1 f k2 f kr C CSA'03, 10 septembre 2003, Rabat, Maroc { v { Good and Bad Block Ciphers F Flexibility F Throughput F Estimated Security Level CSA'03, 10 septembre 2003, Rabat, Maroc { vi { Data Encryption Standard (DES) F American standard from (1976 - 1998).
    [Show full text]
  • Decorrelation: a Theory for Block Cipher Security
    J. Cryptology (2003) 16: 249–286 DOI: 10.1007/s00145-003-0220-6 © 2003 International Association for Cryptologic Research Decorrelation: A Theory for Block Cipher Security Serge Vaudenay Swiss Federal Institute of Technology (EPFL), CH-1015 Lausanne, Switzerland Serge.Vaudenay@epfl.ch Communicated by Eli Biham Received 30 July 2002 and revised 15 May 2003 Online publication 15 August 2003 Abstract. Pseudorandomness is a classical model for the security of block ciphers. In this paper we propose convenient tools in order to study it in connection with the Shannon Theory, the Carter–Wegman universal hash functions paradigm, and the Luby– Rackoff approach. This enables the construction of new ciphers with security proofs under specific models. We show how to ensure security against basic differential and linear cryptanalysis and even more general attacks. We propose practical construction schemes. Key words. Block ciphers, Cryptanalysis, Pseudorandomness. 1. Introduction Conventional encryption is used in order to enforce confidentiality of communications in a network. Following the Kerckhoffs principles [34], schemes are defined by three public algorithms: a key generation scheme, an encryption scheme, and a decryption scheme. Two parties willing to communicate confidentially can generate a private key which is used as a parameter for encryption and decryption. Here encryption and decryption are formalized as functions C and D, respectively, such that D(C(x)) = x for any message x. In 1949 Shannon formalized the notion of secrecy [59]. He formally proved the uncon- ditional security (in his security model) of the Vernam cipher which had been published in 1926 [71]. Unfortunately, this scheme happens to be quite expensive to implement for networking because the sender and the receiver need to be synchronized, and they need quite cumbersome huge keys.
    [Show full text]
  • SEA a Scalable Encryption Algorithm for Small Embedded Applications
    SEA a Scalable Encryption Algorithm for Small Embedded Applications Fran»cois-Xavier Standaert1;2, Gilles Piret1, Neil Gershenfeld2, Jean-Jacques Quisquater1 1UCL Crypto Group Laboratoire de Micro¶electronique Universit¶eCatholique de Louvain Place du Levant, 3, B-1348 Louvain-La-Neuve, Belgium 2Center for Bits and Atoms Massachusetts Institute of Technology 20 Ames Street, Cambridge, MA 02139, USA fstandaert,piret,[email protected], [email protected] Abstract. Most present symmetric encryption algorithms result from a tradeo® between implementation cost and resulting performances. In ad- dition, they generally aim to be implemented e±ciently on a large variety of platforms. In this paper, we take an opposite approach and consider a context where we have very limited processing resources and throughput requirements. For this purpose, we propose low-cost encryption routines (i.e. with small code size and memory) targeted for processors with a limited instruction set (i.e. AND, OR, XOR gates, word rotation and mod- ular addition). The proposed design is parametric in the text, key and processor size, provably secure against linear/di®erential cryptanalysis, allows e±cient combination of encryption/decryption and “on-the-fly” key derivation. Target applications for such routines include any context requiring low-cost encryption and/or authentication. 1 Introduction Resource constrained encryption does not have a long history in symmetric cryp- tography. Noticeable examples of such ciphers are the Tiny Encryption Algo- rithm TEA [32] or Yuval's proposal [33]. However, both of them are relatively old and do not provide provable security against attacks such as linear and di®eren- tial cryptanalysis.
    [Show full text]
  • Statistical Cryptanalysis of Block Ciphers
    STATISTICAL CRYPTANALYSIS OF BLOCK CIPHERS THÈSE NO 3179 (2005) PRÉSENTÉE À LA FACULTÉ INFORMATIQUE ET COMMUNICATIONS Institut de systèmes de communication SECTION DES SYSTÈMES DE COMMUNICATION ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE POUR L'OBTENTION DU GRADE DE DOCTEUR ÈS SCIENCES PAR Pascal JUNOD ingénieur informaticien dilpômé EPF de nationalité suisse et originaire de Sainte-Croix (VD) acceptée sur proposition du jury: Prof. S. Vaudenay, directeur de thèse Prof. J. Massey, rapporteur Prof. W. Meier, rapporteur Prof. S. Morgenthaler, rapporteur Prof. J. Stern, rapporteur Lausanne, EPFL 2005 to Mimi and Chlo´e Acknowledgments First of all, I would like to warmly thank my supervisor, Prof. Serge Vaude- nay, for having given to me such a wonderful opportunity to perform research in a friendly environment, and for having been the perfect supervisor that every PhD would dream of. I am also very grateful to the president of the jury, Prof. Emre Telatar, and to the reviewers Prof. em. James L. Massey, Prof. Jacques Stern, Prof. Willi Meier, and Prof. Stephan Morgenthaler for having accepted to be part of the jury and for having invested such a lot of time for reviewing this thesis. I would like to express my gratitude to all my (former and current) col- leagues at LASEC for their support and for their friendship: Gildas Avoine, Thomas Baign`eres, Nenad Buncic, Brice Canvel, Martine Corval, Matthieu Finiasz, Yi Lu, Jean Monnerat, Philippe Oechslin, and John Pliam. With- out them, the EPFL (and the crypto) would not be so fun! Without their support, trust and encouragement, the last part of this thesis, FOX, would certainly not be born: I owe to MediaCrypt AG, espe- cially to Ralf Kastmann and Richard Straub many, many, many hours of interesting work.
    [Show full text]
  • Recent Developments in the Design of Conventional Cryptographic Algorithms
    Recent Developments in the Design of Conventional Cryptographic Algorithms Bart Preneel?, Vincent Rijmen??, and Antoon Bosselaers Katholieke Universiteit Leuven, Dept. Electrical Engineering–ESAT Kardinaal Mercierlaan 94, B–3001 Heverlee, Belgium bart.preneel,vincent.rijmen,antoon.bosselaers @esat.kuleuven.ac.be { } Abstract. This paper examines proposals for three cryptographic prim- itives: block ciphers, stream ciphers, and hash functions. It provides an overview of the design principles of a large number of recent proposals, which includes the global structure, the number of rounds, the way of in- troducing non-linearity and diffusion, and the key schedule. The software performance of about twenty primitives is compared based on highly op- timized implementations for the Pentium. The goal of the paper is to provided a technical perspective on the wide variety of primitives that exist today. 1 Introduction An increasing number of applications uses software implementations of crypto- graphic algorithms in order to provide an acceptable security level at a low cost. An important constraint is that the performance of the application should be influenced as little as possible by the introduction of cryptography. The design of secure cryptographic primitives which achieve very high software performance is a challenging problem for the cryptologic research community. This paper intends to report on the state of the art on this problem. The best which can be achieved currently is to design fast primitives with some provable properties, but the general paradigm is still a ‘trial-and-error’ procedure, which consists of the publication of candidate algorithms and an evaluation by cryptanalysts. In this process, the cryptographic community gath- ers knowledge on how to design cryptographic algorithms.
    [Show full text]
  • New Directions in Cryptanalysis of Block Ciphers
    Journal of Computer Science 5 (12): 1091-1094, 2009 ISSN 1549-3636 © 2009 Science Publications New Directions in Cryptanalysis of Block Ciphers Davood RezaeiPour and Mohamad Rushdan Md Said Institute for Mathematical Research, University Putra Malaysia, 43400 UPM Serdang, Selangor Darul Ehsan, Malaysia Abstract: Problem statement: The algebraic expression of the Advanced Encryption Standard (AES) RIJNDAEL S-box involved only 9 terms. The selected mapping for RIJNDAEL S-box has a simple algebraic expression. This enables algebraic manipulations which can be used to mount interpolation attack. Approach: The interpolation attack was introduced as a cryptanalytic attack against block ciphers. This attack is useful for cryptanalysis using simple algebraic functions as S-boxes. Results: In this study, we presented an improved AES S-box with good properties to improve the complexity of AES S-box algebraic expression with terms increasing to 255. Conclusion: The improved S-box is resistant against interpolation attack. We can develop the derivatives of interpolation attack using the estimations of S-box with less nonlinearity. Key words: Block cipher, AES, S-box, interpolation attack, Lagrange interpolation formula INTRODUCTION In this article, we first describe the main parts of AES (RIJNDAEL) which consists of the individual The interpolation attack is a technique for attacking transformations and AES S-box. We will introduce the block ciphers built from simple algebraic functions. A interpolation attack with considering of the points of block cipher algorithm may not include any algebraic weakness and strength in AES S-box. Finally, we will property that can be efficiently distinguishable, since an discuss the manner of doing interpolation attack using the different representations of AES S-box.
    [Show full text]
  • On the Interpolation Attacks on Block Ciphers 111
    On the Interp olation Attacks on Blo ck Ciphers A.M. Youssef and G. Gong Center for Applied Cryptographic Research Department of Combinatorics and Optimization UniversityofWaterlo o, Waterlo o, ON N2L 3G1 fa2youssef, [email protected] o.ca Abstract. The complexityofinterp olation attacks on blo ck ciphers de- p ends on the degree of the p olynomial approximation and/or on the numb er of terms in the p olynomial approximation expression. In some situations, the round function or the S-b oxes of the blo ck cipher are expressed explicitly in terms of algebraic function, yet in many other o ccasions the S-b oxes are expressed in terms of their Bo olean function representation. In this case, the cryptanalyst has to evaluate the algebraic description of the S-b oxes or the round function using the Lagrange in- terp olation formula. A natural question is what is the e ect of the choice of the irreducible p olynomial used to construct the nite eld on the degree of the resulting p olynomial . Another question is whether or not there exists a simple linear transformation on the input or output bits of the S-b oxes (or the round function) such that the resulting p olynomial has a less degree or smaller numb er of non-zero co ecients. In this pap er we give an answer to these questions. We also present an explicit relation between the Lagrange interp olation formula and the Galois Field Fourier Transform. Keywords: Blo ck cipher, cryptanalysis, interp olation attack, nite elds, Ga- lois Field Fourier Transform 1 Intro duction Gong and Golomb[7]intro duced a new criterion for the S-b ox design.
    [Show full text]
  • CRYPTREC Report 2008 暗号技術監視委員会報告書
    CRYPTREC Report 2008 平成21年3月 独立行政法人情報通信研究機構 独立行政法人情報処理推進機構 「暗号技術監視委員会報告」 目次 はじめに ······················································· 1 本報告書の利用にあたって ······································· 2 委員会構成 ····················································· 3 委員名簿 ······················································· 4 第 1 章 活動の目的 ··················································· 7 1.1 電子政府システムの安全性確保 ··································· 7 1.2 暗号技術監視委員会············································· 8 1.3 電子政府推奨暗号リスト········································· 9 1.4 活動の方針····················································· 9 第 2 章 電子政府推奨暗号リスト改訂について ·························· 11 2.1 改訂の背景 ··················································· 11 2.2 改訂の目的 ··················································· 11 2.3 電子政府推奨暗号リストの改訂に関する骨子······················ 11 2.3.1 現リストの構成の見直し ·································· 12 2.3.2 暗号技術公募の基本方針 ·································· 14 2.3.3 2009 年度公募カテゴリ ···································· 14 2.3.4 今後のスケジュール ······································ 15 2.4 電子政府推奨暗号リスト改訂のための暗号技術公募(2009 年度) ····· 15 2.4.1 公募の概要 ·············································· 16 2.4.2 2009 年度公募カテゴリ ···································· 16 2.4.3 提出書類 ················································ 17 2.4.4 評価スケジュール(予定) ·································· 17 2.4.5 評価項目 ················································ 18 2.4.6 応募暗号説明会の開催 ···································· 19 2.4.7 ワークショップの開催 ···································· 19 2.5
    [Show full text]
  • Lecture Notes in Computer Science 2365 Edited by G
    Lecture Notes in Computer Science 2365 Edited by G. Goos, J. Hartmanis, and J. van Leeuwen 3 Berlin Heidelberg New York Barcelona Hong Kong London Milan Paris Tokyo Joan Daemen Vincent Rijmen (Eds.) Fast Software Encryption 9th International Workshop, FSE 2002 Leuven, Belgium, February 4-6, 2002 Revised Papers 13 Series Editors Gerhard Goos, Karlsruhe University, Germany Juris Hartmanis, Cornell University, NY, USA Jan van Leeuwen, Utrecht University, The Netherlands Volume Editors Joan Daemen Proton World Zweefvliegtuigstraat 10 1130 Brussel, Belgium E-mail: [email protected] Vincent Rijmen Cryptomathic Lei 8A 3000 Leuven, Belgium E-mail: [email protected] Cataloging-in-Publication Data applied for Die Deutsche Bibliothek - CIP-Einheitsaufnahme Fast software encryption : 9th international workshop ; revised papers / FSE 2002, Leuven, Belgium, February 2002. Joan Daemen ; Vincent Rijmen (ed.). - Berlin ; Heidelberg ; New York ; Barcelona ; Hong Kong ; London ; Milan ; Paris ; Tokyo : Springer, 2002 (Lecture notes in computer science ; Vol. 2365) ISBN 3-540-44009-7 CR Subject Classication (1998): E.3, F.2.1, E.4, G.4 ISSN 0302-9743 ISBN 3-540-44009-7 Springer-Verlag Berlin Heidelberg New York This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microlms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag.
    [Show full text]