DOCSLIB.ORG

Impossible Differentials in Twofish

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Impossible Differentials in Twofish Twofish Technical Report #5 Impossible differentials in Twofish Niels Ferguson∗ October 19, 1999 Abstract We show how an impossible-differential attack, first applied to DEAL by Knudsen, can be applied to Twofish. This attack breaks six rounds of the 256-bit key version using 2256 steps; it cannot be extended to seven or more Twofish rounds. Keywords: Twofish, cryptography, cryptanalysis, impossible differential, block cipher, AES. Current web site: http://www.counterpane.com/twofish.html 1 Introduction 2.1 Twofish as a pure Feistel cipher Twofish is one of the finalists for the AES [SKW+98, As mentioned in [SKW+98, section 7.9] and SKW+99]. In [Knu98a, Knu98b] Lars Knudsen used [SKW+99, section 7.9.3] we can rewrite Twofish to a 5-round impossible differential to attack DEAL. be a pure Feistel cipher. We will demonstrate how Eli Biham, Alex Biryukov, and Adi Shamir gave the this is done. The main idea is to save up all the ro- technique the name of `impossible differential', and tations until just before the output whitening, and applied it with great success to Skipjack [BBS99]. apply them there. We will use primes to denote the In this report we show how Knudsen's attack can values in our new representation. We start with the be applied to Twofish. We use the notation from round values: [SKW+98] and [SKW+99]; readers not familiar with R0 = ROL(Rr;0; (r + 1)=2 ) the notation should consult one of these references. r;0 b c R0 = ROR(Rr;1; (r + 1)=2 ) r;1 b c R0 = ROL(Rr;2; r=2 ) 2 The attack r;2 b c R0 = ROR(Rr;3; r=2 ) r;3 b c Knudsen's 5-round impossible differential works for To get the same output we update the rule to com- any Feistel cipher where the round function is in- pute the output whitening. vertible. Twofish has some additional rotations in the datapath which make things a bit more compli- C0 = ROR(Rn;2; n=2 ) K4 cated. It turns out that these extra rotations do not b c ⊕ C1 = ROL(Rn;3; n=2 ) K5 complicate the attack, but only its description. To b c ⊕ C2 = ROR(Rn;0; (n + 1)=2 ) K6 avoid these complications we first rewrite Twofish as b c ⊕ a pure Feistel cipher. C3 = ROL(Rn;1; (n + 1)=2 ) K7 b c ⊕ ∗Counterpane Internet Security, Inc. 1 where n is the number of rounds. Of course, n = 16 (0; α). We can draw the following conclusions: the for the full cipher but we will be attacking reduced- difference after round 1 (0; α), the difference after round versions and that would affect the rotation round 4 is (0; α), the difference after round 2 is (β; α) amounts. for some nonzero β, and the difference after round We now have to adjust the round function to the 3 is (γ; α) for some nonzero γ. We trivially get that new representation. The input to the round func- β = γ, but more interesting is the output difference of the round function in the third round. As the tion of round r consists of (Rr;0 0;Rr;0 1). At the be- ginning of the round function we undo the rotates difference in the right half after round 2 is equal to the difference in the right half after round 3, we con- to get the original (Rr;0;Rr;1), and apply the orig- clude that the output difference of the round func- inal F -function to get (Fr;0;Fr;1). We then apply appropriate rotates to the outputs, namely: tion in the third round must be zero. As the input difference to the round function in the third round is nonzero and the round function is bijective, we get Fr;0 0 = ROL(Fr;0; r=2 ) b c a contradiction. We conclude that the differential F 0 = ROR(Fr;1; (r + 2)=2 ) r;1 b c (0; α) (0; α) is a 5-round impossible differential. 7! We can now write the update rule: 2.3 Finding the last round key R0 = ROL(Rr+1;0; (r + 2)=2 ) r+1;0 b c = ROL(ROR(Rr;2 Fr;0; 1); (r + 2)=2 ) To use this impossible differential we search for ⊕ b c plaintext pairs that exhibit a 6-round differential of = ROL(Rr;2; r=2 ) ROL(Fr;0; r=2 ) b c ⊕ b c the form (0; α) (δ; α) for any α = 0. = R0 F 0 7! 6 r;2 ⊕ r;0 Our first task is to find pairs of this form. Fix an Rr0 +1;1 = ROR(Rr+1;1; (r + 2)=2 ) 64 b c 8-byte value A, and let Bi take on all 2 possi- = ROR(ROL(Rr;3; 1) Fr;1; (r + 2)=2 ) ble 8-byte values. Encrypt each of the plaintexts ⊕ b c = R0 ROR(Fr;1; (r + 2)=2 ) (A; Bi) to produce (Ci;Di), and sort them by the r;3 ⊕ b c value Bi Di. Any pair of encryptions that has the = R0 F 0 r;3 ⊕ r;1 same B ⊕ D produces a difference of the correct R = R i i r0 +1;2 r;0 0 form. As⊕ there are 2127 pairs and a 64-bit restric- 63 Rr0 +1;3 = Rr;0 1 tion, we expect to get about 2 pairs with the right form of differential. As we can see from these formulas, the combining If we ignore the output whitening for a moment, function used to mix the output of the round func- we can now try each possible round key for the last tion and the right half is now a simple xor. round with each of the differentials that we found, All in all we can replace the one-bit rotations in and compute what the differential would be after Twofish by round-dependent rotations at the input the fifth round. We know that this cannot be of the and output of the round function, and by some suit- form (0; α), so any key value that produces this dif- able rotations just before the output whitening. ference after five rounds must be wrong. We keep To make it easier to follow the differentials through track of which key values we have determined are the cipher we make one more change. Instead of wrong until the key space is sparse enough to apply having a swap after each round, we apply the round other methods. functions alternating from left to right and from Each 6-round differential of the form (0; α) (δ; α) right to left. This is the representation that we will eliminates about one in 264 of the possible7! keys for use for the rest of this paper. If the number of rounds the last round, so a single structure of 264 plain- is even we need a swap just before the output whiten- texts that generates 263 of these differentials will re- ing, but we will ignore this as it does not affect any duce the key space by about one bit. We can of of the attacks. course generate many more structures to generate more suitable differential pairs. 2.2 The impossible differential 2.4 128-bit keys We will now look at a particular differential for five rounds. The xor input difference (written as two 64- To make this attack work for 128-bit keys we have bit quantities) is of the form (0; α) for some nonzero to arrange these computations in a proper way; oth- α, and the output difference after 5 rounds is also erwise we end up decrypting 264 ciphertexts for one 2 round for each of the 2128 possible keys of the last 2.6 256-bit keys round, which is obviously more work than an ex- haustive search. For 256-bit keys the S-box key is 128 bits long. The basic attack thus has an overall complexity of about The best way we see to arrange this is to guess 2192 steps. the 64-bit S-box key S. For the two ciphertexts Even with the whitening we can perform this attack. of the differential pair we decrypt part of the last All that is required is to guess 64 bits of the post- round, stopping at the point where the round keys whitening key. This brings the attack complexity get added in. We now know that adding the round to 2256 steps, but as we mentioned before each step key to these two outputs is not allowed to produce might very well be faster than a single encryption. a specific xor-differential. We assume that we can generate the set of disallowed round keys very fast We can also push the attack through one more round in constant time (on average). without whitening. In the 7-round cipher we use the 5-round impossible differential (α; 0) (α; 0) All in all we have to compute the F 0-function (i.e. F in the middle five rounds. We look for7! differen- without the key additions) of the last round about tial pairs for the 7-round cipher that have the form 128 2 times, and have to generate the forbidden set (α; ) (α; δ). These can be generated by encrypt- 127 of round keys 2 times to get a 1-bit reduction ing random7! plaintexts, and sorting them by the xor 127 in the key space. The remaining 2 keys can be of the first half of the plaintext with the first half exhaustively searched.
Load more

Recommended publications
  • Blockchain Beyond Cryptocurrency Or Is Private Chain a Hoax Or How I Lose Money in Bitcoin but Still Decide to Get in the Research
    Blockchain Beyond Cryptocurrency Or Is Private Chain a Hoax Or How I Lose Money in Bitcoin but still Decide to Get in the Research Hong Wan Edward P. Fitts Department of Industrial and Systems Engineering Sept 2019 In this talk: • Blockchain and trust • Different kinds of blockchain • Cases and Examples • Discussions First Things First https://images.app.goo.gl/JuNznV8dZKTaHWEf9 Disclaimer Block and Chain https://youtu.be/SSo_EIwHSd4 https://youtu.be/SSo_EIwHSd4 Blockchain Design Questions • Who can access data: Private vs. Public • Who can validate data/add block: Permissioned vs Permissionless • Consensus to be used: Trade-off among security and efficiency. https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&ved=2ahUKEwinjN2s7_DkAhXlmeAKHXxhAIUQjRx6BAgBEAQ&url=ht tps%3A%2F%2F101blockchains.com%2Fconsensus-algorithms-blockchain%2F&psig=AOvVaw23pKh4qS8W_xgyajJ3aFl9&ust=1569669093339830 Bad News First • “Private blockchains are completely uninteresting… -- the only reason to operate one is to ride on the blockchain hype…” Bruce Schneier Tonight we will talk about cryptocurrencies… .everything you don’t understand money combined by everything you don’t understand about computers…. Cryptocurrencies: Last Week Tonight with John Oliver (HBO) https://www.schneier.com/blog/archives/2019/02/blockchain_and_.html http://shorturl.at/ahsRU, shorturl.at/gETV2 https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&ved=2ahUKEwj- https://d279m997dpfwgl.cloudfront.net/wp/2017/11/Trustp72L7vDkAhVjQt8KHU18CjsQjRx6BAgBEAQ&url=https%3A%2F%2Fwww.wbur.org%2Fonpoint%2F2017%2F11%2F20%2Fwho-can-cropped.jpg-you-
    [Show full text]
  • Simple Substitution and Caesar Ciphers
    Spring 2015 Chris Christensen MAT/CSC 483 Simple Substitution Ciphers The art of writing secret messages – intelligible to those who are in possession of the key and unintelligible to all others – has been studied for centuries. The usefulness of such messages, especially in time of war, is obvious; on the other hand, their solution may be a matter of great importance to those from whom the key is concealed. But the romance connected with the subject, the not uncommon desire to discover a secret, and the implied challenge to the ingenuity of all from who it is hidden have attracted to the subject the attention of many to whom its utility is a matter of indifference. Abraham Sinkov In Mathematical Recreations & Essays By W.W. Rouse Ball and H.S.M. Coxeter, c. 1938 We begin our study of cryptology from the romantic point of view – the point of view of someone who has the “not uncommon desire to discover a secret” and someone who takes up the “implied challenged to the ingenuity” that is tossed down by secret writing. We begin with one of the most common classical ciphers: simple substitution. A simple substitution cipher is a method of concealment that replaces each letter of a plaintext message with another letter. Here is the key to a simple substitution cipher: Plaintext letters: abcdefghijklmnopqrstuvwxyz Ciphertext letters: EKMFLGDQVZNTOWYHXUSPAIBRCJ The key gives the correspondence between a plaintext letter and its replacement ciphertext letter. (It is traditional to use small letters for plaintext and capital letters, or small capital letters, for ciphertext. We will not use small capital letters for ciphertext so that plaintext and ciphertext letters will line up vertically.) Using this key, every plaintext letter a would be replaced by ciphertext E, every plaintext letter e by L, etc.
    [Show full text]
  • On the Decorrelated Fast Cipher (DFC) and Its Theory
    On the Decorrelated Fast Cipher (DFC) and Its Theory Lars R. Knudsen and Vincent Rijmen ? Department of Informatics, University of Bergen, N-5020 Bergen Abstract. In the first part of this paper the decorrelation theory of Vaudenay is analysed. It is shown that the theory behind the propo- sed constructions does not guarantee security against state-of-the-art differential attacks. In the second part of this paper the proposed De- correlated Fast Cipher (DFC), a candidate for the Advanced Encryption Standard, is analysed. It is argued that the cipher does not obtain prova- ble security against a differential attack. Also, an attack on DFC reduced to 6 rounds is given. 1 Introduction In [6,7] a new theory for the construction of secret-key block ciphers is given. The notion of decorrelation to the order d is defined. Let C be a block cipher with block size m and C∗ be a randomly chosen permutation in the same message space. If C has a d-wise decorrelation equal to that of C∗, then an attacker who knows at most d − 1 pairs of plaintexts and ciphertexts cannot distinguish between C and C∗. So, the cipher C is “secure if we use it only d−1 times” [7]. It is further noted that a d-wise decorrelated cipher for d = 2 is secure against both a basic linear and a basic differential attack. For the latter, this basic attack is as follows. A priori, two values a and b are fixed. Pick two plaintexts of difference a and get the corresponding ciphertexts.
    [Show full text]
  • Report on the AES Candidates
    Rep ort on the AES Candidates 1 2 1 3 Olivier Baudron , Henri Gilb ert , Louis Granb oulan , Helena Handschuh , 4 1 5 1 Antoine Joux , Phong Nguyen ,Fabrice Noilhan ,David Pointcheval , 1 1 1 1 Thomas Pornin , Guillaume Poupard , Jacques Stern , and Serge Vaudenay 1 Ecole Normale Sup erieure { CNRS 2 France Telecom 3 Gemplus { ENST 4 SCSSI 5 Universit e d'Orsay { LRI Contact e-mail: [email protected] Abstract This do cument rep orts the activities of the AES working group organized at the Ecole Normale Sup erieure. Several candidates are evaluated. In particular we outline some weaknesses in the designs of some candidates. We mainly discuss selection criteria b etween the can- didates, and make case-by-case comments. We nally recommend the selection of Mars, RC6, Serp ent, ... and DFC. As the rep ort is b eing nalized, we also added some new preliminary cryptanalysis on RC6 and Crypton in the App endix which are not considered in the main b o dy of the rep ort. Designing the encryption standard of the rst twentyyears of the twenty rst century is a challenging task: we need to predict p ossible future technologies, and wehavetotake unknown future attacks in account. Following the AES pro cess initiated by NIST, we organized an op en working group at the Ecole Normale Sup erieure. This group met two hours a week to review the AES candidates. The present do cument rep orts its results. Another task of this group was to up date the DFC candidate submitted by CNRS [16, 17] and to answer questions which had b een omitted in previous 1 rep orts on DFC.
    [Show full text]
  • Development of the Advanced Encryption Standard
    Volume 126, Article No. 126024 (2021) https://doi.org/10.6028/jres.126.024 Journal of Research of the National Institute of Standards and Technology Development of the Advanced Encryption Standard Miles E. Smid Formerly: Computer Security Division, National Institute of Standards and Technology, Gaithersburg, MD 20899, USA [email protected] Strong cryptographic algorithms are essential for the protection of stored and transmitted data throughout the world. This publication discusses the development of Federal Information Processing Standards Publication (FIPS) 197, which specifies a cryptographic algorithm known as the Advanced Encryption Standard (AES). The AES was the result of a cooperative multiyear effort involving the U.S. government, industry, and the academic community. Several difficult problems that had to be resolved during the standard’s development are discussed, and the eventual solutions are presented. The author writes from his viewpoint as former leader of the Security Technology Group and later as acting director of the Computer Security Division at the National Institute of Standards and Technology, where he was responsible for the AES development. Key words: Advanced Encryption Standard (AES); consensus process; cryptography; Data Encryption Standard (DES); security requirements, SKIPJACK. Accepted: June 18, 2021 Published: August 16, 2021; Current Version: August 23, 2021 This article was sponsored by James Foti, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology (NIST). The views expressed represent those of the author and not necessarily those of NIST. https://doi.org/10.6028/jres.126.024 1. Introduction In the late 1990s, the National Institute of Standards and Technology (NIST) was about to decide if it was going to specify a new cryptographic algorithm standard for the protection of U.S.
    [Show full text]
  • A Tutorial on the Implementation of Block Ciphers: Software and Hardware Applications
    A Tutorial on the Implementation of Block Ciphers: Software and Hardware Applications Howard M. Heys Memorial University of Newfoundland, St. John's, Canada email: [email protected] Dec. 10, 2020 2 Abstract In this article, we discuss basic strategies that can be used to implement block ciphers in both software and hardware environments. As models for discussion, we use substitution- permutation networks which form the basis for many practical block cipher structures. For software implementation, we discuss approaches such as table lookups and bit-slicing, while for hardware implementation, we examine a broad range of architectures from high speed structures like pipelining, to compact structures based on serialization. To illustrate different implementation concepts, we present example data associated with specific methods and discuss sample designs that can be employed to realize different implementation strategies. We expect that the article will be of particular interest to researchers, scientists, and engineers that are new to the field of cryptographic implementation. 3 4 Terminology and Notation Abbreviation Definition SPN substitution-permutation network IoT Internet of Things AES Advanced Encryption Standard ECB electronic codebook mode CBC cipher block chaining mode CTR counter mode CMOS complementary metal-oxide semiconductor ASIC application-specific integrated circuit FPGA field-programmable gate array Table 1: Abbreviations Used in Article 5 6 Variable Definition B plaintext/ciphertext block size (also, size of cipher state) κ number
    [Show full text]
  • Episode 230: Click Here to Kill Everybody
    Episode 230: Click Here to Kill Everybody Stewart Baker: [00:00:03] Welcome to Episode 230 of The Cyberlaw Podcast brought to you by Steptoe & Johnson. We are back and full of energy. Thank you for joining us. We're lawyers talking about technology, security, privacy, and government. And if you want me to talk about hiking through the rain forest of Costa Rica and just how tough my six-year-old granddaughter is, I'm glad to do that too. But today I'm joined by our guest interviewee Bruce Schneier, an internationally renowned technologist, privacy and security guru, and the author of the new book, Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World. We'll be talking to him shortly. For the News Roundup, we have Jamil Jaffer, who's the founder of the estimable and ever-growing National Security Institute. He's also an adjunct professor at George Mason University. Welcome, Jamil. Jamil Jaffer: [00:00:57] Thanks, Stewart. Good to be here. Stewart Baker: [00:00:58] And David Kris, formerly the assistant attorney general in charge of the Justice Department's National Security Division. David, welcome. David Kris: [00:01:07] Thank, you. Good to be here. Stewart Baker: [00:01:08] And he is with his partner in their latest venture, Nate Jones, veteran of the Justice Department, the National Security Council, and Microsoft where he was an assistant general counsel. Nate, welcome. Nate Jones: [00:01:23] Thank you. Stewart Baker: [00:01:25] I'm Stewart Baker, formerly with the NSA and DHS and the host of today's program.
    [Show full text]
  • The SKINNY Family of Block Ciphers and Its Low-Latency Variant MANTIS (Full Version)
    The SKINNY Family of Block Ciphers and its Low-Latency Variant MANTIS (Full Version) Christof Beierle1, J´er´emy Jean2, Stefan K¨olbl3, Gregor Leander1, Amir Moradi1, Thomas Peyrin2, Yu Sasaki4, Pascal Sasdrich1, and Siang Meng Sim2 1 Horst G¨ortzInstitute for IT Security, Ruhr-Universit¨atBochum, Germany [email protected] 2 School of Physical and Mathematical Sciences Nanyang Technological University, Singapore [email protected], [email protected], [email protected] 3 DTU Compute, Technical University of Denmark, Denmark [email protected] 4 NTT Secure Platform Laboratories, Japan [email protected] Abstract. We present a new tweakable block cipher family SKINNY, whose goal is to compete with NSA recent design SIMON in terms of hardware/software perfor- mances, while proving in addition much stronger security guarantees with regards to differential/linear attacks. In particular, unlike SIMON, we are able to provide strong bounds for all versions, and not only in the single-key model, but also in the related-key or related-tweak model. SKINNY has flexible block/key/tweak sizes and can also benefit from very efficient threshold implementations for side-channel protection. Regarding performances, it outperforms all known ciphers for ASIC round-based implementations, while still reaching an extremely small area for serial implementations and a very good efficiency for software and micro-controllers im- plementations (SKINNY has the smallest total number of AND/OR/XOR gates used for encryption process). Secondly, we present MANTIS, a dedicated variant of SKINNY for low-latency imple- mentations, that constitutes a very efficient solution to the problem of designing a tweakable block cipher for memory encryption.
    [Show full text]
  • The Long Road to the Advanced Encryption Standard
    The Long Road to the Advanced Encryption Standard Jean-Luc Cooke CertainKey Inc. [email protected], http://www.certainkey.com/˜jlcooke Abstract 1 Introduction This paper will start with a brief background of the Advanced Encryption Standard (AES) process, lessons learned from the Data Encryp- tion Standard (DES), other U.S. government Two decades ago the state-of-the-art in cryptographic publications and the fifteen first the private sector cryptography was—we round candidate algorithms. The focus of the know now—far behind the public sector. presentation will lie in presenting the general Don Coppersmith’s knowledge of the Data design of the five final candidate algorithms, Encryption Standard’s (DES) resilience to and the specifics of the AES and how it dif- the then unknown Differential Cryptanaly- fers from the Rijndael design. A presentation sis (DC), the design principles used in the on the AES modes of operation and Secure Secure Hash Algorithm (SHA) in Digital Hash Algorithm (SHA) family of algorithms Signature Standard (DSS) being case and will follow and will include discussion about point[NISTDSS][NISTDES][DC][NISTSHA1]. how it is directly implicated by AES develop- ments. The selection and design of the DES was shrouded in controversy and suspicion. This very controversy has lead to a fantastic acceler- Intended Audience ation in private sector cryptographic advance- ment. So intrigued by the NSA’s modifica- tions to the Lucifer algorithm, researchers— This paper was written as a supplement to a academic and industry alike—powerful tools presentation at the Ottawa International Linux in assessing block cipher strength were devel- Symposium.
    [Show full text]
  • Twofish Algorithm for Encryption and Decryption
    © 2019 JETIR January 2019, Volume 6, Issue 1 www.jetir.org (ISSN-2349-5162) TWOFISH ALGORITHM FOR ENCRYPTION AND DECRYPTION *1 Anil G. Sawant,2 Dr. Vilas N. Nitnaware, 3Pranali Dengale, 4Sayali Garud, 5Akshay Gandewar *1 Research Scholar (Asst. Professor) ,2 Principal, 3Student, 4Student, 5Student *1 JJT University, Rajasthan, India (Trinity College of Engineering and Research, Pune), 2 D. Y. Patil School of Engineering Academy, Pune, India, 3Trinity College of Engineering and Research Pune, 4Trinity College of Engineering and Research, Pune5 Trinity College of Engineering and Research, Pune. Email:* [email protected], [email protected], [email protected], [email protected], [email protected] Abstract - In this paper, a novel VLSI architecture of the TWOFISH block cipher is presented. TWOFISH is one of the most secure cryptographic algorithm. The characteristic features of the TWOFISH Algorithm are good security margin and has fast encryption/decryption in software, moderately fast in hardware and moderate flexibility. Based on the loop-folding technique combined with efficient hardware mapping, the architecture of twofish Algorithm can make data encryption/ decryption more efficient and secure. To demonstrate the correctness of our Algorithm , a prototype chip for the architecture has been implemented. The chip can achieve an encryption rate and low power consumption while operating clock rate. Designed TWOFISH cryptographic algorithm improved the MDS block that improved a process speed, and decreased complexity and power consumption. Therefore, the chip can be applied to encryption in high-speed networking protocols like ATM networks. This paper will be implemented in Xilinx 14.2 in Verilog HDL. Keywords - Verilog , MDS, PHT, DES, Function F and h.
    [Show full text]
  • Integrals Go Statistical: Cryptanalysis of Full Skipjack Variants
    Integrals Go Statistical: Cryptanalysis of Full Skipjack Variants B Meiqin Wang1,2( ), Tingting Cui1, Huaifeng Chen1,LingSun1,LongWen1, and Andrey Bogdanov3 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan 250100, China [email protected] 2 State Key Laboratory of Cryptology, P.O. Box 5159, Beijing 100878, China 3 Technical University of Denmark, Kongens Lyngby, Denmark Abstract. Integral attacks form a powerful class of cryptanalytic tech- niques that have been widely used in the security analysis of block ciphers. The integral distinguishers are based on balanced properties holding with probability one. To obtain a distinguisher covering more rounds, an attacker will normally increase the data complexity by iter- ating through more plaintexts with a given structure under the strict limitation of the full codebook. On the other hand, an integral property can only be deterministically verified if the plaintexts cover all possible values of a bit selection. These circumstances have somehow restrained the applications of integral cryptanalysis. In this paper, we aim to address these limitations and propose a novel statistical integral distinguisher where only a part of value sets for these input bit selections are taken into consideration instead of all possible values. This enables us to achieve significantly lower data complexities for our statistical integral distinguisher as compared to those of tradi- tional integral distinguisher. As an illustration, we successfully attack the full-round Skipjack-BABABABA for the first time, which is the variant of NSA’s Skipjack block cipher. Keywords: Block cipher · Statistical integral · Integral attack · Skipjack-BABABABA 1 Introduction Integral attack is an important cryptanalytic technique for symmetric-key ciphers, which was originally proposed by Knudsen as a dedicated attack against Square cipher [7].
    [Show full text]
  • Bruce Schneier 2
    Committee on Energy and Commerce U.S. House of Representatives Witness Disclosure Requirement - "Truth in Testimony" Required by House Rule XI, Clause 2(g)(5) 1. Your Name: Bruce Schneier 2. Your Title: none 3. The Entity(ies) You are Representing: none 4. Are you testifying on behalf of the Federal, or a State or local Yes No government entity? X 5. Please list any Federal grants or contracts, or contracts or payments originating with a foreign government, that you or the entity(ies) you represent have received on or after January 1, 2015. Only grants, contracts, or payments related to the subject matter of the hearing must be listed. 6. Please attach your curriculum vitae to your completed disclosure form. Signatur Date: 31 October 2017 Bruce Schneier Background Bruce Schneier is an internationally renowned security technologist, called a security guru by the Economist. He is the author of 14 books—including the New York Times best-seller Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World—as well as hundreds of articles, essays, and academic papers. His influential newsletter Crypto-Gram and blog Schneier on Security are read by over 250,000 people. Schneier is a fellow at the Berkman Klein Center for Internet and Society at Harvard University, a Lecturer in Public Policy at the Harvard Kennedy School, a board member of the Electronic Frontier Foundation and the Tor Project, and an advisory board member of EPIC and VerifiedVoting.org. He is also a special advisor to IBM Security and the Chief Technology Officer of IBM Resilient.
    [Show full text]