Decorrelation Theory Aslı Bay I&C, EPFL


EDIC RESEARCH PROPOSAL

Abstract—This report is mainly about Decorrelation Theory. The first part presents an overview of Decorrelation Theory, mainly the security of block ciphers against iterated attacks. Then, the second part gives a brief overview of the security results of the block cipher C, which is practically secure. The third part provides the differential-linear attack on full COCONUT98, whose security is proven by Decorrelation Theory. Finally, the last part gives a brief overview of my future research.

Index Terms—Decorrelation Theory, Iterated Attacks, The Block Cipher C, COCONUT98

I. INTRODUCTION

Most modern block ciphers are resistant to many cryptanalytic techniques such as linear cryptanalysis and differential cryptanalysis, as well as their variants such as the boomerang attack, the impossible differential attack, or the rectangle attack. Even if a given cipher is resistant to the existing attacks, there is no guarantee that a new variant would not break the cipher. Therefore, instead of proving the security of the construction against each attack individually, it is reasonable to find a technique which provides a single proof for a whole family of attacks. For this reason, Vaudenay proposed Decorrelation Theory, which provides tools to prove the security of a given block cipher [8], [6], [7], [3].

Decorrelation theory provides tools to quantify the security of block ciphers against some families of attacks. It enables one to compute or bound the advantage of a d-limited distinguisher in the Luby-Rackoff model. Vaudenay also finds a link between d-limited adversaries and differential and linear attacks, and a wider class of attacks called iterated attacks. However, the practicality of the tools in this theory is controversial, since it is hard to compute the exact advantage of an adversary. Therefore, Vaudenay suggested using some algebraic constructions called decorrelation modules and proposed a provably secure block cipher called COCONUT98, which resists 2-limited adversaries [8]. However, the decorrelation results for this cipher do not prove anything more than its resistance to 2-limited adversaries. That is, they give no guarantee of its security against d-limited adversaries for d > 2. Consequently, Wagner's boomerang attack [5], which works on quartets of texts and is therefore a 4-limited attack, breaks COCONUT98 with complexity about 2^38, and Biham et al. [4] break it with complexity about 2^33.7 by a differential-linear attack. However, it is still practical to prove several security results for a practical block cipher if we take advantage of the symmetries within the distribution matrices. For example, for the block cipher C, a practically secure block cipher proposed by Baignères and Finiasz [2], the exact advantage of a 2-limited distinguisher is computed, as well as the advantage of differential and linear attacks.

The structure of this report is as follows: the first section provides a brief overview of Decorrelation Theory and explains the security of block ciphers against iterated attacks. The second section provides the security proofs of the block cipher C. The third section gives the differential-linear attack on full COCONUT98. Finally, the last section gives a brief overview of my future research.

Proposal submitted to committee: September 14th, 2010; Candidacy exam date: September 21st, 2010; Candidacy exam committee: Exam president, thesis director, co-examiner.
This research plan has been approved: Date; Doctoral candidate (name and signature); Thesis director (name and signature); Thesis co-director, if applicable (name and signature); Doct. prog. director (R. Urbanke) (signature). EDIC-ru/05.05.2009

A. Terminology

Definition 1: The perfect cipher C^* denotes a random permutation uniformly distributed among all possible permutations on the given set.

Definition 2: In the Luby-Rackoff model, an adversary is an infinitely powerful algorithm A which has access to an oracle O. The oracle O implements either a cipher C or the perfect cipher C^*. The adversary aims to distinguish the cipher C from C^* by querying the oracle a limited number (d) of times, after which it outputs 1 (accept) or 0 (reject). The advantage of the attacker is $\mathrm{Adv}_A = |p - p^*|$, where p (resp. p^*) is the probability that the adversary accepts when the oracle implements C (resp. C^*).

Definition 3: Let a = (a_1, ..., a_16) be an array of 128 bits where the a_i's are 8-bit strings. The support of a is a four-by-four array with 0's at the positions where the entry of a is equal to 0 and 1's where the entry of a is nonzero. It is denoted by SUPP(a).

Definition 4: A prime p is a strong prime if (p-1)/2 is prime (such a p is usually called a safe prime), and it is a strong-strong prime if p and (p-1)/2 are both strong primes.

The following are some notations used in the report:
⊕: bitwise XOR.
·: dot product.
wt(s): the number of 1's in the bit string s.

II. DECORRELATION THEORY AND RESISTANCE AGAINST ITERATED ATTACKS

In [8], Vaudenay proposed Decorrelation Theory, which provides tools to prove security results in the Luby-Rackoff model. In this model, the attacker (the algorithm) is only limited by the amount of data (plaintext/ciphertext pairs) it may obtain (limited to d queries) and is computationally unbounded. When the d queries are made at once, the adversary is called non-adaptive, and when each query is made according to the outcome of the previous queries, it is called adaptive. A block cipher C is considered as a random permutation on a message-block space M = {0,1}^m, the randomness coming from the choice of the secret key. The following defines the distribution matrix of a random function:

Definition 5: Let F be a random function from a given set M_1 to a given set M_2 and let d be an integer. The d-wise distribution matrix [F]^d of F is defined as an M_1^d × M_2^d matrix whose (x, y)-entry, for the multipoints x = (x_1, ..., x_d) ∈ M_1^d and y = (y_1, ..., y_d) ∈ M_2^d, is the probability that we simultaneously have F(x_i) = y_i for i = 1, ..., d. It is denoted by $[F]^d_{x,y} = \Pr\left[x \xrightarrow{F} y\right]$.

There is no precise definition of decorrelation; however, it can be measured when the distribution matrix of the given function (or cipher) is compared with the distribution matrix of another function (or cipher). When a random function (or cipher) has the same distribution matrix as the perfect function (or the perfect cipher), it has perfect decorrelation. To compare the distribution matrices of two functions (or two ciphers) we need to define the decorrelation distance:

Definition 6: Given two random functions F and G from a given set M_1 to a given set M_2, an integer d and a distance D over the matrix space $\mathbb{R}^{M_1^d \times M_2^d}$, $D([F]^d, [G]^d)$ is called the d-wise decorrelation distance between F and G. If G is the ideal version of F, then $D([F]^d, [G]^d)$ is called the d-wise decorrelation bias of F.

To compute the distance, the following matrix norms are used according to the purpose:

$$|||A|||_\infty = \max_{x} \sum_{y} |A_{x,y}| \qquad (1)$$

$$\|A\|_a = \max_{x_1} \sum_{y_1} \cdots \max_{x_d} \sum_{y_d} |A_{(x_1,\dots,x_d),(y_1,\dots,y_d)}| \qquad (2)$$

The purpose is the adversary's power: the ∞-norm (1) corresponds to non-adaptive d-limited distinguishers and the a-norm (2) to adaptive ones; in [8] the best advantage of a d-limited distinguisher of each kind is half the corresponding norm of [C]^d - [C^*]^d.

As mentioned before, Vaudenay finds a connection between the 2-wise decorrelation bias and the advantage of the linear distinguisher and of the differential distinguisher for a given cipher. Linear cryptanalysis, proposed by Matsui [11], [12], is a statistical attack which is based on the linear distinguisher depicted in Table I.

TABLE I
LINEAR DISTINGUISHER
Parameters: n, a characteristic (a, b), an acceptance set A
Oracle: a permutation c
1. Initialize a counter δ to zero
2. for i = 1 to n
3.   pick X at random and obtain c(X)
4.   if X · a = c(X) · b, increase the counter δ
5. end for
6. if δ ∈ A output 1, otherwise output 0

Since we consider average complexities of the attack without any information on the key, we concentrate on the average value of the linear probability, E(LP^C(a, b)):

$$\mathrm{ELP}^C(a,b) = 2^{-2m} \sum_{x_1,x_2,y_1,y_2} (-1)^{(x_1 \oplus x_2)\cdot a + (y_1 \oplus y_2)\cdot b} \cdot \Pr\left[(x_1,x_2) \xrightarrow{C} (y_1,y_2)\right] \qquad (4)$$

Vaudenay shows the link between the advantage of the linear distinguisher and the 2-wise distribution matrix of C as:

$$\mathrm{Adv}_{\text{Table I}} \le 3\sqrt[3]{\,n \cdot |||[C]^2 - [C^*]^2|||_\infty + \frac{n}{M-1}\,} + 3\sqrt[3]{\frac{n}{M-1}} \qquad (5)$$

where M is the size of the plaintext space and n is the number of iterations.

Differential cryptanalysis was proposed by Biham and Shamir in [14] and depends on the differential distinguisher shown in Table II. The differential probability is defined as

$$\mathrm{DP}^C(a,b) = \Pr_X\left[C(X + a) = C(X) + b\right] \qquad (6)$$

Vaudenay shows that the advantage of the differential distinguisher is:

$$\mathrm{Adv}_{\text{Table II}}(C, C^*) \le \frac{n}{M-1} + \frac{n}{2}\,|||[C]^2 - [C^*]^2|||_\infty \qquad (7)$$

Both bounds (5) and (7) show that a small (negligible) 2-wise decorrelation bias allows one to prove that C is immune against linear and differential cryptanalysis.

TABLE II
DIFFERENTIAL DISTINGUISHER
Parameters: n, a characteristic (a, b)
Oracle: a permutation c
1. for i = 1 to n
2.   pick X at random and obtain c(X) and c(X + a)
3.   if c(X + a) = c(X) + b output 1 and stop
4. end for
5. output 0

Definition 7: A non-adaptive iterated distinguisher of order d and complexity n, which is illustrated in Table III, is defined by
• "a plaintext distribution" D on M^d,
• "a test function" T from M^{2d} to {0, 1},
• "an acceptance function" A from {0, 1}^n to [0, 1].
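The following is a worked example added to this report, not code from the report or from Vaudenay's work. It makes Definitions 5 and 6, the norm (1), the ELP formula (4) and the bound (7) concrete on a cipher small enough that [C]^2 can be enumerated exactly: the 4-bit cipher C_k(x) = S(x ⊕ k1) ⊕ k2 with a 256-key space is an assumption made for illustration (the PRESENT S-box is used only as a convenient fixed 4-bit permutation, and "+" in (6) is read as XOR). It computes the 2-wise distribution matrix, the decorrelation bias in the ∞-norm, ELP(a, b) both by (4) and directly from its definition, and the exact advantage of the Table II distinguisher, which is then checked against (7).

```python
"""Toy worked example for Definitions 5-6, norm (1), eq. (4) and bound (7).

CONSTRUCTED EXAMPLE, not code from the report: the 4-bit cipher below (one
key-whitened S-box layer) is an assumption made for illustration, and the
PRESENT S-box is used only as a convenient fixed 4-bit permutation.
"""
from itertools import product

M = 16                                            # |M| = 2^4 message blocks
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
KEYS = list(product(range(M), repeat=2))          # (k1, k2): 256 equiprobable keys


def toy_cipher(key, x):
    """C_k(x) = S(x xor k1) xor k2: a permutation of M for every key."""
    k1, k2 = key
    return SBOX[x ^ k1] ^ k2


def parity(v):
    """Dot product over GF(2) is the parity of a bitwise AND."""
    return bin(v).count("1") & 1


def dist_matrix_2():
    """[C]^2 (Definition 5, d = 2), stored row by row: rows[(x1, x2)][(y1, y2)]
    = Pr_k[C_k(x1) = y1 and C_k(x2) = y2], computed exactly over all keys."""
    rows = {}
    for key in KEYS:
        img = [toy_cipher(key, x) for x in range(M)]
        for x1 in range(M):
            for x2 in range(M):
                row = rows.setdefault((x1, x2), {})
                y = (img[x1], img[x2])
                row[y] = row.get(y, 0.0) + 1.0 / len(KEYS)
    return rows


def perfect_entry(x, y):
    """[C*]^2 entry for the perfect cipher, a uniformly random permutation."""
    (x1, x2), (y1, y2) = x, y
    if x1 == x2:
        return 1.0 / M if y1 == y2 else 0.0
    return 1.0 / (M * (M - 1)) if y1 != y2 else 0.0


def decorrelation_bias_inf(rows):
    """|||[C]^2 - [C*]^2|||_inf, norm (1): the largest L1 distance over rows."""
    worst = 0.0
    for x in product(range(M), repeat=2):
        dist = sum(abs(rows[x].get(y, 0.0) - perfect_entry(x, y))
                   for y in product(range(M), repeat=2))
        worst = max(worst, dist)
    return worst


def elp_from_matrix(rows, a, b):
    """ELP^C(a, b) by eq. (4): a signed sum over the 2-wise distribution matrix."""
    total = 0.0
    for (x1, x2), row in rows.items():
        for (y1, y2), p in row.items():
            sign = -1.0 if parity((x1 ^ x2) & a) ^ parity((y1 ^ y2) & b) else 1.0
            total += sign * p
    return total / M ** 2


def elp_direct(a, b):
    """E_k[(2 Pr_X[a.X = b.C_k(X)] - 1)^2]: the same quantity from its definition."""
    acc = 0.0
    for key in KEYS:
        hits = sum(parity(a & x) == parity(b & toy_cipher(key, x)) for x in range(M))
        acc += (2.0 * hits / M - 1.0) ** 2
    return acc / len(KEYS)


def dp_per_key(key, a, b):
    """DP^{C_k}(a, b) of eq. (6), with '+' read as xor on 4-bit blocks."""
    return sum(toy_cipher(key, x ^ a) == toy_cipher(key, x) ^ b for x in range(M)) / M


def table2_advantage(a, b, n):
    """Exact advantage of the Table II distinguisher for a, b != 0.
    Each iteration draws a fresh uniform X, so for a fixed oracle
    Pr[output 1] = 1 - (1 - DP)^n; for C* the differential holds with
    probability 1/(M-1) since C*(X+a) is uniform on the M-1 values != C*(X)."""
    p_c = sum(1.0 - (1.0 - dp_per_key(k, a, b)) ** n for k in KEYS) / len(KEYS)
    p_star = 1.0 - (1.0 - 1.0 / (M - 1)) ** n
    return abs(p_c - p_star)


def bound_7(bias, n):
    """Right-hand side of bound (7): n/(M-1) + (n/2) * |||[C]^2 - [C*]^2|||_inf."""
    return n / (M - 1) + (n / 2.0) * bias


if __name__ == "__main__":
    rows = dist_matrix_2()
    bias = decorrelation_bias_inf(rows)
    a, b, n = 0x3, 0x5, 4
    print("2-wise decorrelation bias (inf norm):", bias)
    print("ELP via (4) / via definition:", elp_from_matrix(rows, a, b), elp_direct(a, b))
    print("Table II advantage:", table2_advantage(a, b, n), "<= bound (7):", bound_7(bias, n))
```

Rows of [C]^2 with x_1 = x_2 coincide with those of [C*]^2 for this cipher, so the bias comes entirely from pairs of distinct plaintexts; that is exactly the information a 2-limited distinguisher exploits. The same code is hopeless for a 64- or 128-bit block, where [C]^2 has 2^{2m} rows: this is the practicality problem raised in the introduction, and the reason the decorrelation modules of [8] and the symmetries of the distribution matrices used for the block cipher C [2] matter.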