Related-Key Boomerang and Rectangle Attacks: Theory and Experimental Analysis Jongsung Kim, Seokhie Hong, Bart Preneel, Eli Biham, Orr Dunkelman, and Nathan Keller

IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. ?, NO. ??, SEPTEMBER, 2009

Abstract— The related-key differential attack and the boomerang attack are two of the classical techniques in cryptanalysis of block ciphers. In 2004, we introduced the related-key boomerang and related-key rectangle attacks, which allow to enjoy the benefits of these two techniques simultaneously. The new techniques proved to be very powerful, and were used to devise the best known attacks against numerous block ciphers, culminating with the first attack on the full AES presented in 2009 and a practical-time attack on KASUMI (the cipher used in GSM and 3G telephony) presented in 2010.

While the claimed applications of the related-key boomerang/rectangle technique are significant, most of them have a major drawback: due to the extremely high complexity of the attacks, their validity cannot be verified experimentally. Together with the lack of rigorous justification of the probabilistic assumptions underlying the technique, it was claimed that these assumptions cannot be relied upon, and thus, the attacks using the related-key boomerang/rectangle technique are not legitimate. These claims were formalized in a recent paper by Murphy [32] who presented scenarios in which the probabilistic assumptions fail, and questioned their validity.

In this paper we present a rigorous treatment of the related-key boomerang/rectangle technique. In the first part of the paper, we devise optimal algorithms for the related-key boomerang/rectangle distinguishers using the Logarithmic Likelihood Ratio statistics. We study the exact independence assumptions the attacks rely upon, and compute the success probability of the attacks under these independence assumptions. In the second part of the paper, we address the claims against the validity of the related-key boomerang/rectangle technique by an extensive experimental analysis. We consider a specific case — the block cipher KASUMI — and perform an experimental verification (with more than 2^48 encryptions) of a related-key boomerang distinguisher against it. The analysis shows that in all attacks, the overall probability of the distinguisher (when averaged over different choices of plaintexts and keys) is close to the theoretically predicted probability. However, it seems that the probability depends on the key, such that for some portion of the keys, the distinguisher holds with a higher probability than expected, while for the rest of the keys, the distinguisher fails completely. We conclude that the probability assumptions underlying the technique make sense in real-life ciphers, and thus, related-key boomerang/rectangle attacks on block ciphers are valid in general. On the other hand, due to the dependence of the probabilities on the key, it is important to verify the validity of the attack experimentally whenever possible in order to measure its success probability.

Index Terms— Related-key Boomerang Attack, Related-Key Rectangle Attack, Experimental Analysis, KASUMI.

Manuscript received ?? ?? ??; revised ?? ?? ??. This paper is partially based on the papers [26], [9], [10], [27] which appeared at ACISP 2004, EUROCRYPT 2005, ASIACRYPT 2005 and FSE 2007, respectively.
Jongsung Kim is with the Division of e-Business, Kyungnam University, 449, Wolyoung-dong, Masan, Kyungnam, Korea.
Seokhie Hong is with the Center for Information Security and Technologies (CIST), Korea University, Anam Dong, Sungbuk Gu, Seoul, Korea.
Bart Preneel is with the Department of Electrical Engineering ESAT/SCD-COSIC, Katholieke Universiteit Leuven, Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium.
Eli Biham is with Computer Science Department, Technion, Haifa 32000, Israel.
Orr Dunkelman is with Computer Science Department, University of Haifa, 31905 Haifa, Israel.
Nathan Keller is with Faculty of Mathematics and Computer Science, Weizmann Institute of Science, P.O. Box 26, Rehovot 76100, Israel.

I. INTRODUCTION

The related-key differential attack, introduced by Kelsey et al. [23] in 1996, is an extension of differential cryptanalysis [5] in which it is assumed that the adversary has control over the key difference, along with the control over the plaintext/ciphertext differences. Since its introduction, the related-key differential attack was used to break reduced-round variants of various block ciphers, including a practical-time attack on 10-round AES-256 [15]. Moreover, although an attack model in which the adversary has control over the key difference may seem unrealistic, a related-key differential attack on the block cipher TEA [42] was used to devise a practical attack on Microsoft's Xbox architecture [43].^1

^1 In the Xbox architecture, the block cipher TEA was used in a Davies-Meyer mode as a compression function. In such cases, the key difference in the block cipher is transformed into the message difference of the compression function, which indeed can be controlled by the adversary. In general, almost any related-key attack on a block cipher can be converted into a chosen message attack on a compression function based on it.

The boomerang attack, introduced by Wagner [40] in 1999, is a differential-based attack in which the block cipher E is treated as a cascade: E = E_1 ∘ E_0, and differentials of E_0 and E_1 are combined into a distinguisher for the entire cipher E in an adaptive chosen plaintext and ciphertext process. The boomerang attack shows that bounding (from above) the probability of differential characteristics through E does not assure immunity of E to differential-type attacks, and the boomerang technique was indeed used to devise practical-time attacks against ciphers which are provably immune to conventional differential attacks, e.g., COCONUT98.

The adaptive chosen plaintext/ciphertext nature of the boomerang attack makes it less realistic in practical scenarios. As a partial remedy of this issue, the attack was transformed into a chosen plaintext variant named the amplified boomerang attack [25] and later renamed as the rectangle attack [7]. The transformation is done by a birthday-paradox argument, which leads to an increase in the data complexity of the attack.

In 2004, Kim et al. [26], and independently, Biham et al. [9], introduced the related-key boomerang (RK-boomerang) and related-key rectangle (RK-rectangle) attacks – a combination of the boomerang technique with related-key differentials.^2 It turns out that the combination allows to enjoy the strength of the related-key model twice, by using high-probability related-key differentials in both subciphers, E_0 and E_1. This makes the RK-boomerang/rectangle techniques much more effective than other combined techniques, such as the related-key impossible differential [22] and the related-key differential-linear [11] attacks.

Since its introduction, the RK-boomerang/rectangle technique was used to attack reduced-round variants of various block ciphers (e.g., IDEA, MISTY1, SHACAL-1, SHACAL-2, and XTEA), and even full versions of widely used block ciphers such as AES [14] and KASUMI [19].

In parallel with the increasing popularity of the RK-boomerang/rectangle technique, several researchers raised concerns about its theoretical validity. The main concern is that the technique relies on randomness assumptions which are much stronger than the assumptions relied upon in standard differential attacks (i.e., that the cipher is Markovian, see [6]), and thus they can be inappropriate in real block ciphers. Indeed, while the "Markovity" assumption was treated rigorously and verified experimentally in many practical cases, the exact randomness assumptions underlying the boomerang attack and the RK-boomerang/rectangle attack were never treated rigorously, and in most practical cases, there was no possibility to verify them experimentally, due to the high complexity of the attacks. These concerns are supported by a paper of Wang et al. [41] published in 2008, that showed that all previously published boomerang and related-key boomerang attacks on SHACAL-1 fail, due to a failure of the randomness assumptions in the specific case of SHACAL-1.

A. Our Contributions – Theoretical Results

In the first part of this paper we present the first rigorous treatment of the (related-key) boomerang and rectangle distinguishers. We devise the optimal distinguishing algorithms using the Logarithmic Likelihood Ratio metric, and compute their success rate. We obtain and prove the following theorem:

Theorem 1: Let E = E_1 ∘ E_0 : {0,1}^n → {0,1}^n be a block cipher. Consider encryptions under a secret key K and related keys whose differences are chosen by the adversary. Let

\hat{p} = \max_{\alpha \neq 0,\, \Delta K_0} \sqrt{\sum_{\beta} \Pr_{P}\left[E_{0,K}(P) \oplus E_{0,K \oplus \Delta K_0}(P \oplus \alpha) = \beta\right]^2},

\hat{q} = \max_{\delta \neq 0,\, \Delta K_1} \sqrt{\sum_{\gamma} \Pr_{C}\left[E^{-1}_{1,K}(C) \oplus E^{-1}_{1,K \oplus \Delta K_1}(C \oplus \delta) = \gamma\right]^2}
      = \max_{\delta \neq 0,\, \Delta K_1} \sqrt{\sum_{\gamma} \Pr_{X}\left[E_{1,K}(X) \oplus E_{1,K \oplus \Delta K_1}(X \oplus \gamma) = \delta\right]^2},

where E_{0,K}(P) denotes the partial encryption of P through E_0 under the key K and E^{-1}_{1,K}(C) denotes the partial decryption of C through E_1 under the key K. Let 0 < c < 1. Under certain independence assumptions between the differentials that will be discussed below, given either

• 4c/(\hat{p}\hat{q})^2 unique adaptively chosen plaintexts and ciphertexts, or
• \sqrt{c} \cdot 2^{n/2+2}/(\hat{p}\hat{q}) unique chosen plaintexts,

encrypted under four related keys of the form K, K ⊕ ΔK_0, K ⊕ ΔK_1, K ⊕ ΔK_0 ⊕ ΔK_1,^5 the RK-
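As an added illustration (not code from the paper, and not KASUMI), the following Python script builds a constructed 8-bit toy cipher E = E_1 ∘ E_0 with key (k0, k1, k2), computes p̂ and q̂ exactly as Theorem 1 defines them by exhaustive counting, runs the related-key boomerang quartet under the four keys K, K⊕ΔK_0, K⊕ΔK_1, K⊕ΔK_0⊕ΔK_1, and measures the per-key spread of the distinguisher's probability that the abstract describes. The S-box, the cipher structure, the key split into (k0, k1, k2) and the differences α, δ are all assumptions made for this example.

```python
import math
import random

# Constructed toy cipher for this example (n = 8 bits):
#   E0_{k0}(P)    = S[P ^ k0]
#   E1_{k1,k2}(X) = S[X ^ k1] ^ k2
#   E_K = E1 o E0 with K = (k0, k1, k2); S is a seeded random 8-bit permutation.
_rng = random.Random(2009)
SBOX = list(range(256))
_rng.shuffle(SBOX)
SINV = [0] * 256
for _x, _y in enumerate(SBOX):
    SINV[_y] = _x

def e0(k0, p):
    return SBOX[p ^ k0]

def e0_inv(k0, x):
    return SINV[x] ^ k0

def e1(k1, k2, x):
    return SBOX[x ^ k1] ^ k2

def e1_inv(k1, k2, c):
    return SINV[c ^ k2] ^ k1

def enc(key, p):
    k0, k1, k2 = key
    return e1(k1, k2, e0(k0, p))

def dec(key, c):
    k0, k1, k2 = key
    return e0_inv(k0, e1_inv(k1, k2, c))

def p_hat(k0, alpha, dk0):
    """Theorem 1's p-hat for one (alpha, dK0): sqrt(sum_beta Pr_P[...]^2), Pr over all 256 P."""
    counts = [0] * 256
    for p in range(256):
        counts[e0(k0, p) ^ e0(k0 ^ dk0, p ^ alpha)] += 1
    return math.sqrt(sum((c / 256) ** 2 for c in counts))

def q_hat(k1, k2, delta, dk1, dk2):
    """Theorem 1's q-hat for one (delta, dK1), decryption form: sqrt(sum_gamma Pr_C[...]^2)."""
    counts = [0] * 256
    for c in range(256):
        counts[e1_inv(k1, k2, c) ^ e1_inv(k1 ^ dk1, k2 ^ dk2, c ^ delta)] += 1
    return math.sqrt(sum((c / 256) ** 2 for c in counts))

def rk_boomerang_prob(key, dk0, dK1, alpha, delta):
    """Fraction of P1 for which the related-key boomerang quartet returns (P3 ^ P4 == alpha).

    The four keys are K, K^dK0, K^dK1, K^dK0^dK1 as in Theorem 1; here dK0 = (dk0, 0, 0)
    acts on E0 only and dK1 = (0, dk1, dk2) acts on E1 only.
    """
    k0, k1, k2 = key
    dk1, dk2 = dK1
    ka, kb = (k0, k1, k2), (k0 ^ dk0, k1, k2)
    kc, kd = (k0, k1 ^ dk1, k2 ^ dk2), (k0 ^ dk0, k1 ^ dk1, k2 ^ dk2)
    hits = 0
    for p1 in range(256):
        c1, c2 = enc(ka, p1), enc(kb, p1 ^ alpha)          # forward pair under K, K^dK0
        p3, p4 = dec(kc, c1 ^ delta), dec(kd, c2 ^ delta)  # shift by delta, back under the other two keys
        hits += int(p3 ^ p4 == alpha)
    return hits / 256

def key_dependence(alpha, delta, dk0=0, dK1=(0, 0)):
    """Exhaustive boomerang probability for every middle key k1; returns (mean, min, max).

    k0 and k2 only relabel the quartet (they cancel in the XOR differences), so the
    keys (0, k1, 0) already cover every distinct behaviour of this toy cipher.
    """
    probs = [rk_boomerang_prob((0, k1, 0), dk0, dK1, alpha, delta) for k1 in range(256)]
    return sum(probs) / 256, min(probs), max(probs)

if __name__ == "__main__":
    alpha, delta = 0x5B, 0x7E   # constructed differences
    # Single-key boomerang: (p-hat q-hat)^2 prediction versus the exhaustive per-key spread.
    predicted = (p_hat(0, alpha, 0) * q_hat(0, 0, delta, 0, 0)) ** 2
    mean, lo, hi = key_dependence(alpha, delta)
    print(f"single key: predicted {predicted:.5f}, mean {mean:.5f}, min {lo:.5f}, max {hi:.5f}")
    # Related keys chosen so the key differences cancel alpha in E0 and delta in E1:
    # p-hat = q-hat = 1, and the quartet returns for every plaintext under every key.
    print("related keys (dK0 = alpha, dK1 = (0, delta)):",
          key_dependence(alpha, delta, dk0=alpha, dK1=(0, delta)))
```

The single-key run is where the key dependence shows: the mean over all k1 sits near the (p̂q̂)^2 prediction while individual keys return the quartet far more or far less often, which is the behaviour the paper's KASUMI experiments report.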