
Swenson bindex.tex V1 - 01/29/2008 1:28pm Page 229

Index

A

addition, sum of two points, 53–57
AddRoundKey operation, Rijndael encryption algorithm, 123, 127
Adleman, Leonard, 49
Advanced Encryption Standard (AES)/Rijndael, Rijndael encryption algorithm, 123–127
affine equations, 168
algebra, 43–48
    associativity, 45
    finite fields, 45–48
    functions in, 44
    identity elements, 44–45
    inverse elements, 44–45
    operations in, 43–44
algorithm(s), 62–67
    exponential-time, 63, 68
    factorization, categorizing, 68
    linear, 63
    order (Big-Oh), 62–64
    polynomial-time, 63
    running time, 63–64
    and storage complexity, 63
    subexponential, 63
    superpolynomial-time, 63
    writing
        best approach, 64–65
        invented programming language, 64
        programming language, 64
        pseudocode, 64
        in Python, 65–67
alphabets, keyed alphabets, 4–5
AND operator, 93
associativity, algebraic, 45
asymmetric logarithms, defined, 91
attacks
    boomerang attack, 220–222
    brute force attack, 150–151
    chosen-ciphertext attack, 150
    chosen-plaintext attack, 150
    ciphertext-only attack, 149
    collision attack, 162
    Hellman time-space trade-off, 153–154
    interpolation attack, 222–223
    known-plaintext attack, 149
    meet-in-the-middle attack, 151–152
    miss-in-the-middle attack, 217–218
    pre-image attack, 162
    probable plaintext attack, 149–150
    slide attack, 158–162

B

baby-step giant-step algorithm, 82–83
    analysis of, 83
    discrete logarithm, computing, 82–83
bias
    linear cryptanalysis, 169, 175–178
    random number generators, 144
big endian, 92, 94
binary numbers, conversion to hexadecimal (table), 93
binary XOR long division, 125–126
binomial coefficient, 27
birthday paradox
    collision in, 32–33, 162
    as cryptographic tool, 36
    probability, measuring, 32–36
bit mask, 104
bit operations, 94–95
block ciphers
    Advanced Encryption Standard (AES)/Rijndael, 122–129
    block in, 91
    blowfish, 120–122
    cipher block chaining (CBC), 131–132
    cipher feedback mode (CFM), 133
    counter (CTR) mode, 133
    Data Encryption Standard (DES), 110–114
    defined, 2, 91
    electronic codebook (ECB), 129–131
    fast encipherment algorithm (FEAL), 114–119
    Feistel structures, 106–109
    hash algorithms, 138–142
    message digests, 137, 140–141
    one-time pad, 145–146
    output feedback (OFB) mode, 133
    padding, 132–133
    P-boxes, 98–101
    product ciphers, 95–96
    random number generators, 143–145
    shift registers, 100
    Skipjack, 134–136
    stream cipher, 133
    substitution-permutation networks, 100–106
    substitutions, 96–98
block replay, and electronic codebook (ECB), 130–131
Blowfish, 120–122
    compared to DES, 120
    encryption algorithm, 121
    key schedule, 120–121
    P-values, 120–121
    round function, 121–122
    S-boxes, 120–121
Boolean expressions, in Python, 67
boomerang attack, 220–222
brute force algorithms, 68–70
    advantages of, 70
    analysis of, 69–70
    for discrete logarithms, 82
    factoring by, 68–70
    pre-computing, 82
brute force attacks, 150–151
    advantages of, 151
bytes, 92

C

Caesar cipher, 2–3
chain collisions, 155, 157
characteristic
    conditional characteristics, 213–214
    differential cryptanalysis, 196
    iterative, 200, 207
    S-boxes, combining, 200–201
checksums
    functions of, 139
    hashing algorithm, 37–38
chosen-ciphertext attacks, 150
chosen-plaintext attacks, 150, 158, 160
cipher(s)
    keying, 4–6
    monoalphabetic, 2–4
    polyalphabetic, 7–8
    transposition, 9–10
cipher block chaining (CBC), 131–132
    decryption algorithms, 131
    encryption algorithm, 131
cipher feedback mode (CFM), 133
    keystream, 133
ciphertext-only attack, 149
COCONUT98 algorithm, 222
coin flip, probability, 26
collision(s)
    in birthday paradox, 32–33, 162
    chain collision, 155, 157
    defined, 162
    probability of, 32–33
    and rainbow tables, 157
collision attacks
    defined, 162
    types of, 162
columnar transposition ciphers
    breaking
        digraph, 18–20
        sliding window technique, 19–21
        trigraph, 18–20
    elements of, 9–10
commutative group, 45
complementation slide attacks, 161–162
complete set of residues (CSR), 41
complex numbers, defined, 39
conditional characteristics, 213–214
conditionals, in Python, 67
congruence
    congruence class, 41
    defined, 40
    Euler totient, 42–43
    modulus, 40–41
continued fraction factorization, 79–80
    analysis of, 79
    continued fractions, defined, 79
    floor function, 79
    quadratic residues, finding, 79–80
counter (CTR) mode, 133
cryptanalysis
    columnar transposition ciphers, breaking, 18–21
    differential cryptanalysis, 195–226
    double columnar transposition ciphers, breaking, 21–23
    hash functions, 162–163
    linear cryptanalysis, 167–192
    monoalphabetic ciphers, breaking, 11–15
    polyalphabetic ciphers, breaking, 15–18
    random number generators, 163–165
    time-space trade-offs, 151–158
cryptanalysis algorithms, as finite, 39–40
cryptograms, 1
cryptographic hash algorithm
    defined, 38
    digital signatures, 138–139
    one-way hashes, 38
cryptographic hash functions, 138–139
cryptoquips, 1
cyclic redundancy checks (CRC), 139–140

D

Daemen, Joan, 123
Data Encryption Standard (DES), 110–114
    DESX, 113
    differential cryptanalysis, 207–210
    encryption algorithm, 110
    key schedule, 111
    linear cryptanalysis, 181–184
    Randomized DES, 213–214
    round function, 110–112
    successor to. See Advanced Encryption Standard (AES)/Rijndael
    3DES, 112–113, 152, 225–226
decryption algorithms
    cipher block chaining (CBC), 131
    Feistel structures, 109
    Rijndael algorithm, 127–128
    Skipjack, 136
demultiplexing
    fast encipherment algorithm (FEAL), 117–118
    Python code for, 104
dependence
    dependent events, 28
    versus independent events, 28
    probability, measuring, 27–32
dice roll, probability, 27–28
differential cryptanalysis
    advantages of, 210–211
    boomerang attack, 220–222
    characteristic, 213–214
    characteristics in, 196
    Data Encryption Standard (DES), 207–210
    defined, 195
    differential-linear cryptanalysis, 211–212
    differentials in, 196
    Easy1 cipher, 197–198, 201–202, 205
    fast encipherment algorithm (FEAL), 207
    Feistel structures, 206–207
    higher-order differentials, 214–215
    impossible differentials, 217–219
    interpolation attack, 222–223
    key derivative, 202–203
    probability, 196, 210
    in Python, 203–206
    related-key attack, 223–226
    s-box differentials, 197–201
    second-order differentials, 214–215
    truncated differentials, 216–217
Diffie-Hellman Key Exchange Protocol
    as discrete logarithm, 81
    elements of, 51–52
    with elliptical curve, 59
    on finite field, 81
digital signatures, cryptographic hash algorithm, 138–139
digraph, columnar transposition ciphers, breaking, 18–20
discrete logarithm(s), 51–52, 81–86
    baby-step giant-step algorithm, 82–83
    brute force method, 82
    compared to continuous logarithm, 51
    defined, 81
    Diffie-Hellman Key Exchange Protocol, 51–52, 59, 81
    elements of, 51
    index calculus method, 86
    Pollard’s λ logarithm for, 83–85
    Pollard’s rho (ρ) method for, 83–85
distinguished endpoint method, 156
divisibility, prime numbers, 39
double columnar transpositions
    breaking, method of, 21–22
    elements of, 10

E

Easy1 cipher
    differential cryptanalysis, 197–198, 201–202, 205
    linear cryptanalysis, 175–179
    operation of, 102
    in Python, 102–106, 116–117
    substitution-permutation networks, 101–102
electronic codebook (ECB), 129–131
    weaknesses of, 130–131
El Gamal public key encryption, 81
elliptical curve factorization method (ECM), 77–78
    analysis of, 78
    factoring example, 77–78
elliptic curve(s), 52–59
    defined, 52
    Diffie-Hellman Key Exchange Protocol applied to, 59
    infinity, point at, 53–55
    operations, performing, 58
    points, adding, 53–57
    tangent to curve, 55
    Weierstrass form, 53
elliptic curve cryptography, 57–59
    advantages of, 52
    information, representing as points on curve, 57–58
encryption algorithms
    blowfish, 121
    cipher block chaining (CBC), 131
    Data Encryption Standard (DES), 110
    Feistel structures, 107–108
    Rijndael algorithm, 123–127
    Skipjack, 134–135
Euclidean algorithm, 46–48
    defined, 47
    extended Euclidean algorithm, 48
    inverse of finite field, finding, 46–48
Euler totient theorem, 42–43
exponential factoring, 68–70
    brute force, 68–70
    discrete logarithms, 81–86
    elliptical curve factorization method (ECM), 77–78
    Fermat’s difference of squares, 70–72
    Pollard’s p − 1 method, 75–76
    Pollard’s rho (ρ) method, 72–75
    square forms factorization, 76–77
    subexponential factoring, 78–81
exponential time algorithms, defined, 63, 68
extended Euclidean algorithm
    elements of, 48
    with RSA algorithm, 50

F

factorial, of number, defined, 27
factoring-based cryptography, 49–51
    RSA algorithm, 49–51
factorization
    elements of, 61–62
    elliptical curve factorization method (ECM), 77–78
    factoring problem, in cryptography, 49
    exponential factoring methods, 67–78
    index calculus method, 86
    and RSA algorithm, 62
    speed, meaning of, 67–68
    subexponential factoring methods, 78–81
    See also individual methods
fast encipherment algorithm (FEAL),
[head entry missing from the extracted text]
    round function, 106–109
    slide attacks, 160
    unbalanced, 107
Fermat’s difference of squares, 70–72
    analysis of, 72
    factoring with, 70–72
Fermat’s little theorem, and Pollard’s p − 1 method, 75–76
finite fields
    defined, 45
    as Galois fields, 45
    inverses, Euclidean algorithm, 46–48
flipping, and XOR operator, 94
floor function, continued fraction factorization, 79
fraction(s), continued fractions, 79
frequency analysis
    frequency distribution table, producing, 11–13
    monoalphabetic ciphers, breaking, 11–12
functions
    algebraic, 44
    in Python, 67

G

Galois fields, finite fields as, 45
general number field sieve, factoring by, 80–81
German Enigma machine, 217
glue operator, 94
GOST cipher, related-key attack, 224
greatest common divisor (GCD), 39
group(s)
    abelian group, 45
    commutative group, 45

H

hash algorithms
    checksums, 139
    collision attack, 37
    cryptographic hashes, 37–38
Recommended publications
  • Integral Cryptanalysis on Full MISTY1
    Integral Cryptanalysis on Full MISTY1. Yosuke Todo, NTT Secure Platform Laboratories, Tokyo, Japan, [email protected]. Abstract. MISTY1 is a block cipher designed by Matsui in 1997. It was well evaluated and standardized by projects such as CRYPTREC, ISO/IEC, and NESSIE. In this paper, we propose a key recovery attack on the full MISTY1, i.e., we show that 8-round MISTY1 with 5 FL layers does not have 128-bit security. Many attacks against MISTY1 have been proposed, but there is no attack against the full MISTY1. Therefore, our attack is the first cryptanalysis against the full MISTY1. We construct a new integral characteristic by using the propagation characteristic of the division property, which was proposed in 2015. We first improve the division property by optimizing a public S-box and then construct a 6-round integral characteristic on MISTY1. Finally, we recover the secret key of the full MISTY1 with 2^63.58 chosen plaintexts and 2^121 time complexity. Moreover, if we can use 2^63.994 chosen plaintexts, the time complexity for our attack is reduced to 2^107.9. Note that our cryptanalysis is a theoretical attack. Therefore, the practical use of MISTY1 will not be affected by our attack. Keywords: MISTY1, Integral attack, Division property. 1 Introduction. MISTY [Mat97] is a block cipher designed by Matsui in 1997 and is based on the theory of provable security [Nyb94,NK95] against differential attack [BS90] and linear attack [Mat93]. MISTY has a recursive structure, and the component function has a unique structure, the so-called MISTY structure [Mat96].
  • Lecture Note 8: Attacks on Cryptosystems I. Sourav Mukhopadhyay
    Lecture Note 8: Attacks on Cryptosystems I. Sourav Mukhopadhyay. Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010). Attacks on Cryptosystems. • Up to this point, we have mainly seen how ciphers are implemented. • We have seen how symmetric ciphers such as DES and AES use the idea of substitution and permutation to provide security and also how asymmetric systems such as RSA and Diffie Hellman use other methods. • What we haven’t really looked at are attacks on cryptographic systems. • An understanding of certain attacks will help you to understand the reasons behind the structure of certain algorithms (such as Rijndael) as they are designed to thwart known attacks. • Although we are not going to exhaust all possible avenues of attack, we will get an idea of how cryptanalysts go about attacking ciphers. • This section is really split up into two classes of attack: Cryptanalytic attacks and Implementation attacks. • The former tries to attack mathematical weaknesses in the algorithms whereas the latter tries to attack the specific implementation of the cipher (such as a smartcard system). • The following attacks can refer to either of the two classes (all forms of attack assume the attacker knows the encryption algorithm): – Ciphertext-only attack: In this attack the attacker knows only the ciphertext to be decoded. The attacker will try to find the key or decrypt one or more pieces of ciphertext (only relatively weak algorithms fail to withstand a ciphertext-only attack).
  • New Security Proofs for the 3GPP Confidentiality and Integrity Algorithms
    An extended abstract of this paper appears in Fast Software Encryption, FSE 2004, Lecture Notes in Computer Science, W. Meier and B. Roy editors, Springer-Verlag, 2004. This is the full version. New Security Proofs for the 3GPP Confidentiality and Integrity Algorithms. Tetsu Iwata (Dept. of Computer and Information Sciences, Ibaraki University, 4–12–1 Nakanarusawa, Hitachi, Ibaraki 316-8511, Japan) and Tadayoshi Kohno. January 26, 2004. Abstract. This paper analyses the 3GPP confidentiality and integrity schemes adopted by Universal Mobile Telecommunication System, an emerging standard for third generation wireless communications. The schemes, known as f8 and f9, are based on the block cipher KASUMI. Although previous works claim security proofs for f8 and f9', where f9' is a generalized version of f9, it was recently shown that these proofs are incorrect. Moreover, Iwata and Kurosawa (2003) showed that it is impossible to prove f8 and f9' secure under the standard PRP assumption on the underlying block cipher. We address this issue here, showing that it is possible to prove f8' and f9' secure if we make the assumption that the underlying block cipher is a secure PRP-RKA against a certain class of related-key attacks; here f8' is a generalized version of f8. Our results clarify the assumptions necessary in order for f8 and f9 to be secure and, since no related-key attacks are known against the full eight rounds of KASUMI, lead us to believe that the confidentiality and integrity mechanisms used in real 3GPP applications are secure. Keywords: Modes of operation, PRP-RKA, f8, f9, KASUMI, security proofs.
  • Known and Chosen Key Differential Distinguishers for Block Ciphers
    Known and Chosen Key Differential Distinguishers for Block Ciphers. Ivica Nikolić (1), Josef Pieprzyk (2), Przemysław Sokołowski (2,3), Ron Steinfeld (2). 1 University of Luxembourg, Luxembourg; 2 Macquarie University, Australia; 3 Adam Mickiewicz University, Poland. [email protected], [email protected], [email protected], [email protected]. Abstract. In this paper we investigate the differential properties of block ciphers in hash function modes of operation. First we show the impact of differential trails for block ciphers on collision attacks for various hash function constructions based on block ciphers. Further, we prove the lower bound for finding a pair that follows some truncated differential in case of a random permutation. Then we present open-key differential distinguishers for some well known round-reduced block ciphers. Keywords: Block cipher, differential attack, open-key distinguisher, Crypton, Hierocrypt, SAFER++, Square. 1 Introduction. Block ciphers play an important role in symmetric cryptography providing the basic tool for encryption. They are the oldest and most scrutinized cryptographic tool. Consequently, they are the most trusted cryptographic algorithms that are often used as the underlying tool to construct other cryptographic algorithms. One such application of block ciphers is for building compression functions for the hash functions. There are many constructions (also called hash function modes) for turning a block cipher into a compression function. Probably the most popular is the well-known Davies-Meyer mode. Preneel et al. in [27] have considered all possible modes that can be defined for a single application of an n-bit block cipher in order to produce an n-bit compression function.
  • Differential-Linear Cryptanalysis
    Differential-Linear Cryptanalysis. Susan K. Langford and Martin E. Hellman, Department of Electrical Engineering, Stanford University, Stanford, CA 94035-4055. Abstract. This paper introduces a new chosen text attack on iterated cryptosystems, such as the Data Encryption Standard (DES). The attack is very efficient for 8-round DES, recovering 10 bits of key with 80% probability of success using only 512 chosen plaintexts. The probability of success increases to 95% using 768 chosen plaintexts. More key can be recovered with reduced probability of success. The attack takes less than 10 seconds on a SUN-4 workstation. While comparable in speed to existing attacks, this 8-round attack represents an order of magnitude improvement in the amount of required text. 1 Summary. Iterated cryptosystems are encryption algorithms created by repeating a simple encryption function n times. Each iteration, or round, is a function of the previous round’s output and the key. Probably the best known algorithm of this type is the Data Encryption Standard (DES) [6]. Because DES is widely used, it has been the focus of much of the research on the strength of iterated cryptosystems and is the system used as the sole example in this paper. Three major attacks on DES are exhaustive search [2, 7], Biham-Shamir’s differential cryptanalysis [1], and Matsui’s linear cryptanalysis [3, 4, 5]. While exhaustive search is still the most practical attack for full 16 round DES, research interest is focused on the latter analytic attacks, in the hope or fear that improvements will render them practical as well.
  • Report on the AES Candidates
    Report on the AES Candidates. Olivier Baudron (1), Henri Gilbert (2), Louis Granboulan (1), Helena Handschuh (3), Antoine Joux (4), Phong Nguyen (1), Fabrice Noilhan (5), David Pointcheval (1), Thomas Pornin (1), Guillaume Poupard (1), Jacques Stern (1), and Serge Vaudenay (1). 1 Ecole Normale Supérieure – CNRS; 2 France Telecom; 3 Gemplus – ENST; 4 SCSSI; 5 Université d’Orsay – LRI. Contact e-mail: [email protected]. Abstract. This document reports the activities of the AES working group organized at the Ecole Normale Supérieure. Several candidates are evaluated. In particular we outline some weaknesses in the designs of some candidates. We mainly discuss selection criteria between the candidates, and make case-by-case comments. We finally recommend the selection of Mars, RC6, Serpent, ... and DFC. As the report is being finalized, we also added some new preliminary cryptanalysis on RC6 and Crypton in the Appendix which are not considered in the main body of the report. Designing the encryption standard of the first twenty years of the twenty-first century is a challenging task: we need to predict possible future technologies, and we have to take unknown future attacks into account. Following the AES process initiated by NIST, we organized an open working group at the Ecole Normale Supérieure. This group met two hours a week to review the AES candidates. The present document reports its results. Another task of this group was to update the DFC candidate submitted by CNRS [16, 17] and to answer questions which had been omitted in previous reports on DFC.
  • On Quantum Slide Attacks. Xavier Bonnetain, María Naya-Plasencia, André Schrottenloher
    On Quantum Slide Attacks. Xavier Bonnetain (1,2), María Naya-Plasencia (2) and André Schrottenloher (2). 1 Sorbonne Université, Collège Doctoral, F-75005 Paris, France; 2 Inria de Paris, France. Preprint submitted on 6 Dec 2018. HAL Id: hal-01946399, https://hal.inria.fr/hal-01946399. Abstract. At Crypto 2016, Kaplan et al. proposed the first quantum exponential acceleration of a classical symmetric cryptanalysis technique: they showed that, in the superposition query model, Simon’s algorithm could be applied to accelerate the slide attack on the alternate-key cipher. This allows one to recover an n-bit key with O(n) quantum time and queries. In this paper we propose many other types of quantum slide attacks, inspired by classical techniques including sliding with a twist, complementation slide and mirror slidex. These slide attacks on Feistel networks reach up to two round self-similarity with modular additions inside branch or key-addition operations.
  • Optimizations in Algebraic and Differential Cryptanalysis (thesis submitted for the degree of Doctor of Philosophy)
    Optimizations in Algebraic and Differential Cryptanalysis. Theodosis Mourouzis, Department of Computer Science, University College London. A thesis submitted for the degree of Doctor of Philosophy, January 2015. Title of the Thesis: Optimizations in Algebraic and Differential Cryptanalysis. Ph.D. student: Theodosis Mourouzis, Department of Computer Science, University College London, Gower Street, London, WC1E 6BT, [email protected]. Supervisor: Nicolas T. Courtois, Department of Computer Science, University College London, Gower Street, London, WC1E 6BT, [email protected]. Committee Members: 1. Reviewer 1: Professor Kenny Paterson; 2. Reviewer 2: Dr Christophe Petit. Declaration. I herewith declare that I have produced this paper without the prohibited assistance of third parties and without making use of aids other than those specified; notions taken over directly or indirectly from other sources have been identified as such. This paper has not previously been presented in identical or similar form to any other English or foreign examination board. The following thesis work was written by Theodosis Mourouzis under the supervision of Dr Nicolas T. Courtois at University College London. Abstract. In this thesis, we study how to enhance current cryptanalytic techniques, especially in Differential Cryptanalysis (DC) and to some degree in Algebraic Cryptanalysis (AC), by considering and solving some underlying optimization problems based on the general structure of the algorithm. In the first part, we study techniques for optimizing arbitrary algebraic computations in the general non-commutative setting with respect to several metrics [42, 44].
  • Linear-XOR and Additive Checksums Don't Protect Damgård-Merkle Hashes from Generic Attacks
    Linear-XOR and Additive Checksums Don’t Protect Damgård-Merkle Hashes from Generic Attacks. Praveen Gauravaram (1) and John Kelsey (2). 1 Technical University of Denmark (DTU), Denmark, and Queensland University of Technology (QUT), Australia, [email protected]; 2 National Institute of Standards and Technology (NIST), USA, [email protected]. Abstract. We consider the security of Damgård-Merkle variants which compute linear-XOR or additive checksums over message blocks, intermediate hash values, or both, and process these checksums in computing the final hash value. We show that these Damgård-Merkle variants gain almost no security against generic attacks such as the long-message second preimage attacks of [10,21] and the herding attack of [9]. 1 Introduction. The Damgård-Merkle construction [3, 14] (DM construction in the rest of this article) provides a blueprint for building a cryptographic hash function, given a fixed-length input compression function; this blueprint is followed for nearly all widely-used hash functions. However, the past few years have seen two kinds of surprising results on hash functions, that have led to a flurry of research: 1. Generic attacks apply to the DM construction directly, and make few or no assumptions about the compression function. These attacks involve attacking a t-bit hash function with more than 2^(t/2) work, in order to violate some property other than collision resistance. Examples of generic attacks are Joux multicollision [8], long-message second preimage attacks [10,21] and herding attack [9]. 2. Cryptanalytic attacks apply to the compression function of the hash function.
  • Cryptanalysis of GOST in the Multiple-Key Scenario
    DOI: 10.2478/tmmp-2013-0035. Tatra Mt. Math. Publ. 57 (2013), 45–63. Cryptanalysis of GOST in the Multiple-Key Scenario. Nicolas T. Courtois. Abstract. GOST 28147-89 is a well-known 256-bit block cipher. In 2010 GOST was submitted to ISO, to become an international standard. Then many academic attacks which allow one to break full GOST faster than brute force have been found. The fastest known single-key attack on GOST for 2^64 of data is 2^179 of [Courtois, N.: An improved differential attack on full GOST, Cryptology ePrint Archive, Report 2012/138, http://eprint.iacr.org/2012/138] and for 2^32 of data it is 2^191 of [Courtois, N.: Algebraic complexity reduction and cryptanalysis of GOST, Preprint, 2010–13, http://eprint.iacr.org/2011/626]. Other results are slower but require significantly less memory [Courtois, N.: Algebraic complexity reduction and cryptanalysis of GOST, Preprint, 2010–2013, http://eprint.iacr.org/2011/626], [Dinur, I.—Dunkelman, O.—Shamir, A.: Improved attacks on full GOST, in: Fast Software Encryption—FSE ’12, 19th Internat. Workshop, Washington, USA, 2012, Lecture Notes in Comput. Sci., Vol. 7549, Springer, Berlin, 2012, pp. 9–28, http://eprint.iacr.org/2011/558/]. The common stereotype is that these will be “the best” attacks on GOST. However, ciphers are not used in practice with single keys, on the contrary. In this paper we intend to show that there exist attacks on GOST which are more versatile and even somewhat more “practical” than the best single key attack. We argue that multiple random key attacks, not single key attacks, are more practical and more likely to be executed in real life.
  • Miss in the Middle Attacks on IDEA and Khufu
    Miss in the Middle Attacks on IDEA and Khufu. Eli Biham, Alex Biryukov, Adi Shamir. Abstract. In a recent paper we developed a new cryptanalytic technique based on impossible differentials, and used it to attack the Skipjack encryption algorithm reduced from 32 to 31 rounds. In this paper we describe the application of this technique to the block ciphers IDEA and Khufu. In both cases the new attacks cover more rounds than the best currently known attacks. This demonstrates the power of the new cryptanalytic technique, shows that it is applicable to a larger class of cryptosystems, and develops new technical tools for applying it in new situations. 1 Introduction. In [5,17] a new cryptanalytic technique based on impossible differentials was proposed, and its application to Skipjack [28] and DEAL [17] was described. In this paper we apply this technique to the IDEA and Khufu cryptosystems. Our new attacks are much more efficient and cover more rounds than the best previously known attacks on these ciphers. The main idea behind these new attacks is a bit counter-intuitive. Unlike traditional differential and linear cryptanalysis which predict and detect statistical events of highest possible probability, our new approach is to search for events that never happen. Such impossible events are then used to distinguish the cipher from a random permutation, or to perform key elimination (a candidate key is obviously wrong if it leads to an impossible event). The fact that impossible events can be useful in cryptanalysis is an old idea (for example, some of the attacks on Enigma were based on the observation that letters cannot be encrypted to themselves).
  • Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations
    International Journal of Grid and Distributed Computing, Vol. 10, No. 11 (2017), pp. 79-98, http://dx.doi.org/10.14257/ijgdc.2017.10.11.08. Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations. Rahul Saha (1), G. Geetha (2), Gulshan Kumar (3) and Hye-Jim Kim (4). 1,3 School of Computer Science and Engineering, Lovely Professional University, Punjab, India; 2 Division of Research and Development, Lovely Professional University, Punjab, India; 4 Business Administration Research Institute, Sungshin W. University, 2 Bomun-ro 34da gil, Seongbuk-gu, Seoul, Republic of Korea. Abstract. Cryptography has always been a core component of the security domain. Different security services such as confidentiality, integrity, availability, authentication, non-repudiation and access control are provided by a number of cryptographic algorithms including block ciphers, stream ciphers and hash functions. Though the algorithms are public and cryptographic strength depends on the usage of the keys, the ciphertext analysis using different functions and operations used in the algorithms can lead to the path of revealing a key completely or partially. It is hard to find any survey to date which identifies different operations and functions used in cryptography. In this paper, we have categorized our survey of cryptographic functions and operations in the algorithms in three categories: block ciphers, stream ciphers and cryptanalysis attacks which are executable in different parts of the algorithms. This survey will help the budding researchers in the society of crypto in identifying different operations and functions in cryptographic algorithms. Keywords: cryptography; block; stream; cipher; plaintext; ciphertext; functions; research problems. 1. Introduction. Cryptography [1] in the previous time was analogous to encryption, where the main task was to convert the readable message to an unreadable format.