A new version of the RC6 algorithm, stronger against χ² cryptanalysis
Routo Terada (1) and Eduardo T. Ueda (2)
(1) Dept. of Computer Science, University of São Paulo, Brazil, rt@ime.usp.br
(2) Dept. of Computer Science, University of São Paulo, Brazil, edutakeo@ime.usp.br

Abstract

We analyze the χ² cryptanalysis, one of the most successful cryptanalysis techniques against the RC6 algorithm. We apply this type of cryptanalysis both as distinction cryptanalysis and as key-recovery cryptanalysis. We present a modified version of RC6 obtained by introducing a very simple data-dependent swapping function in its structure. The conclusion inferred from statistical experiments is that this modified version is stronger against the χ² cryptanalysis technique.

Keywords: Cryptography, Block Cipher, RC6 Algorithm, χ² cryptanalysis

1 Motivations and preliminaries

The RC6 algorithm, a symmetric block cipher, is a strengthened version of RC5 and was submitted to NIST (National Institute of Standards and Technology) as an AES (Advanced Encryption Standard) candidate. Its authors are Ronald L. Rivest, Matthew J. B. Robshaw, Ray Sidney and Yiqun L. Yin (11), researchers at MIT (Massachusetts Institute of Technology) and RSA Labs. The hashing algorithm called MD6, presented by Ron Rivest (Invited Talk, CRYPTO Conference, August 2008), has various basic operations in common with RC6.

The cryptanalysis technique called χ² was originally proposed by Serge Vaudenay (15) to cryptanalyze the DES algorithm. Baudron et al. (1) and Knudsen and Meier (5) were the first to apply the χ² technique to the RC6 algorithm, and their estimate is that RC6 reduced to 15 rounds is vulnerable (weak) against this type of cryptanalysis, with complexity […]. Later, other researchers applied this type of cryptanalysis to RC6 as well: (2)(3)(7)(8)(9)(10)(13). In (3) and (8) variants of RC6 were considered, called RC6W and RC6P, respectively. RC6W means RC6 without pre- or post-whitening and RC6P means RC6 without post-whitening.
Pre-whitening of RC6 is the addition of the subkeys S[0] and S[1] before the main loop, while post-whitening is the addition of the subkeys S[2r+2] and S[2r+3] just after the main loop (r is the number of rounds). Knudsen and Meier stated that applying the χ² cryptanalysis successfully to RC6 with 16 or more rounds is an open problem. But Miyaji and Takano in (9) proved that it is theoretically possible to cryptanalyze RC6 with 16 rounds using […] plaintexts. The χ² cryptanalysis applied to RC6 in (9) is the most effective one so far.

In order to strengthen RC6 against the χ² cryptanalysis, we define a new version called RC6T, obtained by adding a simple data-dependent swapping function, called T(), in each round. This function swaps (exchanges) the two halves of a block (e.g., a 32-bit block) if the Hamming weight of the block is odd, as defined below (where L and R are the left and right halves of the input block):

$$T(L, R) = \begin{cases} (R, L) & \text{if } \mathrm{HWeight}(LR) \text{ is odd} \\ (L, R) & \text{if } \mathrm{HWeight}(LR) \text{ is even} \end{cases}$$

We show that RC6T with 13 rounds is as strong against the χ² cryptanalysis as the original RC6 with 15 rounds. As this paper shows, RC6T with fewer rounds than RC6 is as secure against the χ² cryptanalysis as RC6, so we conjecture that an eventual slowdown caused by implementation details of T() can be compensated by using RC6T with fewer rounds. The first author of this paper introduced the function T() to strengthen RC6 against Differential Cryptanalysis in (14).

Copyright © 2009, Australian Computer Society, Inc. This paper appeared at the Australasian Information Security Conference (AISC2009), Wellington, New Zealand, January 2009. Conferences in Research and Practice in Information Technology (CRPIT), Vol. 98, Ljiljana Brankovic and Willy Susilo, Ed. Reproduction for academic, not-for-profit purposes permitted provided this text is included.
Figure 1: Algorithm RC6T

  Input:  plaintext stored in four w-bit registers A, B, C, D;
          r is the number of rounds;
          2r + 4 w-bit subkeys stored in S[0, ..., 2r + 3]
  Output: ciphertext in A, B, C, D
  Algorithm:
    B = B + S[0]
    D = D + S[1]
    for i = 1 to r do {
      B = T(B)
      D = T(D)
      t = (B × (2B + 1)) <<< lg w
      u = (D × (2D + 1)) <<< lg w
      A = ((A ⊕ t) <<< u) + S[2i]
      C = ((C ⊕ u) <<< t) + S[2i + 1]
      (A, B, C, D) = (B, C, D, A)
    }
    A = A + S[2r + 2]
    C = C + S[2r + 3]

Figure 1 represents the RC6T algorithm with the T() function. The only difference to the original RC6 is the addition of B = T(B) and D = T(D) inside the main loop. From now on we will show that this version of RC6 is stronger against the χ² cryptanalysis than the original RC6 submitted as an AES candidate.

2 Statistical facts

This section explains how to use the χ² statistical technique to distinguish a ciphertext with unknown probability distribution p from another ciphertext with uniform probability distribution π (4)(5)(6). Let $X = X_0, X_1, \ldots, X_{n-1}$ be independent random variables such that $X_i \in \{a_0, a_1, \ldots, a_{m-1}\}$ with unknown probability distribution p, and let $N_{a_j}(X)$ be the number of times X takes the value $a_j$. The χ² statistic of X, which estimates the distance between the observed distribution p and the expected uniform distribution $\pi = (\pi_0, \pi_1, \ldots, \pi_{m-1})$, is defined as:

$$\chi^2 = \sum_{i=0}^{m-1} \frac{\left(N_{a_i}(X) - n\pi_i\right)^2}{n\pi_i}.$$

It is obvious that $\sum_{j=0}^{m-1} N_{a_j}(X) = n$, and since each $\pi_i$ equals $1/m$, as the distribution π is uniform, we can simplify the equation above as follows:

$$\chi^2 = \frac{m}{n} \sum_{i=0}^{m-1} \left(N_{a_i}(X) - \frac{n}{m}\right)^2.$$

In a χ² test, the χ² statistic is compared to $\chi^2_{a,m-1}$, the value for the χ² test with $m-1$ degrees of freedom at significance level a. Thus, after computing the χ² statistic, it is possible to decide the following hypothesis test:

$$\begin{cases} H_0 : p = \pi & \text{(null hypothesis)} \\ H_1 : p \neq \pi & \text{(alternative hypothesis)} \end{cases}$$

Tables 1 and 2 show the threshold values for the χ² distribution with 63, 255 and 1023 degrees of freedom. These values were used by Knudsen and Meier (5); however, we consider only the case with 63 degrees of freedom. For example, for 63 degrees of freedom, (level, χ²) = (0.95, 82) in Table 2 means that the χ² statistic exceeds 82 only 5% of the time if the distribution of the observed X were in fact uniform.
Table 1: χ² distribution with different degrees of freedom (columns: level; 63, 255 and 1023 degrees of freedom; table body not recoverable)

Table 2: χ² distribution with different degrees of freedom (columns: level; 63, 255 and 1023 degrees of freedom; table body not recoverable)

Theorems 2.1 and 2.2 (9)(12), which follow, refer to the χ² statistic and are very important for its use.

Theorem 2.1 When $H_0$ is true, the χ² statistic defined in this section follows the χ² distribution with degree of freedom approximately equal to $m-1$. In addition, the expected value and variance are $E_{H_0}(\chi^2) = m-1$ and $V_{H_0}(\chi^2) = 2(m-1)$, respectively.

Theorem 2.2 When $H_1$ is true, the χ² statistic defined in this section follows the non-central χ² distribution with degree of freedom approximately equal to $m-1$. Additionally, the expected value and variance are $E_{H_1}(\chi^2) = m-1+n\theta$ and $V_{H_1}(\chi^2) = 2(m-1)+4n\theta$, respectively, where $n\theta$ is called the non-central parameter and

$$n\theta = n \sum_{i=0}^{m-1} \frac{\left(\pi_i - P(a_i)\right)^2}{\pi_i},$$

where $P(a_i)$ is the probability that $a_i$ occurs.

3 Measured correlations

Now we investigate the non-randomness of RC6 and RC6T with r rounds. This analysis is based on systematic experiments, considering an increasing number of rounds with 32-bit words (blocks). It is important to notice that the plaintexts and keys used were generated with uniform distribution, using a linear congruential method. Following Knudsen and Meier (5), we used their method to show that non-randomness can be detected and quantified for RC6 and RC6T with up to 5 rounds by software implementation. For this purpose, we used two types of test, described next. For both types, $(A_0, B_0, C_0, D_0)$ is a plaintext, $(A_{r+2}, B_{r+2}, C_{r+2}, D_{r+2})$ is a ciphertext after r rounds, $\mathrm{lsb}_n(X)$ is the least significant n bits of X, and $a \| b$ is the concatenation of a and b.

Test 1: χ² of $\mathrm{lsb}_3(A_{r+1}) \| \mathrm{lsb}_3(C_{r+1})$ in the case $\mathrm{lsb}_5(A_0) = \mathrm{lsb}_5(C_0) = 0$.
Test 2: χ² of $\mathrm{lsb}_3(A_{r+1}) \| \mathrm{lsb}_3(C_{r+1})$ in the case $\mathrm{lsb}_5(B_0) = \mathrm{lsb}_5(D_0) = 0$.

We notice that Test 1 applied to RC6 and RC6T with an EVEN number of rounds yields χ² values greater than those of Test 2 for the same number of rounds. Likewise, Test 2 applied to RC6 and RC6T with an ODD number of rounds yields χ² values greater than those of Test 1 for the same number of rounds. Another point to observe with respect to the two types of test is that the applied method assigns zero to 10 bits of each plaintext, so that the total number of distinct plaintexts that can be generated in the experiments is reduced from $2^{128}$ to $2^{118}$.

Tables 3 and 4 show the measured correlations for RC6 with Test 1 and Test 2, respectively. Notice that for these tests the χ² statistics are computed for the 6-bit integer values $\mathrm{lsb}_3(A_{r+1}) \| \mathrm{lsb}_3(C_{r+1})$, and therefore the expected value of the χ² statistic is 63.

Table 3: Test 1 on RC6-32/r/16 with r = 2, 4 rounds (table body not recoverable)

Table 4: Test 2 on RC6-32/r/16 with r = 3, 5 rounds (table body not recoverable)

Tables 5 and 6 show the measured correlations for RC6T with Test 1 and Test 2, respectively. Again, notice that for these tests the χ² statistics are computed for the 6-bit integer values $\mathrm{lsb}_3(A_{r+1}) \| \mathrm{lsb}_3(C_{r+1})$, and therefore the expected value of the χ² statistic is 63. When RC6T with 4 and 5 rounds is considered, the values of the χ² statistic were computed for just one test, instead of taking the average of 10 tests, since the computational cost became very high, making it infeasible.

Table 5: Test 1 on RC6T-32/r/16 with r = 2, 4 rounds (table body not recoverable)

Table 6: Test 2 on RC6T-32/r/16 with r = 3, 5 rounds (table body not recoverable)

The results in this section show clearly that more plaintexts are required to measure χ² statistics for RC6T equivalent to the values measured for RC6, when the same number of rounds is considered. This implies that RC6T is stronger against the distinction and key-recovery cryptanalysis, as we show in the next sections.

4 Distinction cryptanalysis

In this section we apply the results of the previous section to distinguish the algorithms RC6 and RC6T with a given number of rounds from a random permutation chosen from the set of all permutations. Cryptanalysis of this type is called distinction cryptanalysis, and it is useful and relevant for the construction of key-recovery cryptanalysis, which is relatively more elaborate. Figure 2 shows the distinction cryptanalysis proposed by Knudsen and Meier (5), which we applied to the algorithms RC6 and RC6T. The algorithm shown in Figure 2 analyzes a sequence of n plaintexts, deciding whether these values were ciphered by RC6 (or RC6T) or not. The condition χ² ≥ 82 indicates that the algorithm returns the correct answer with 95% certainty, according to Tables 1 and 2. It is important to emphasize that the choice of the number of plaintexts n depends on the number of rounds considered for each algorithm. Next, we show the distinction cryptanalysis applied to RC6 and RC6T.
Figure 2: Distinction cryptanalysis

  Input:  Algorithm RC6 (RC6T) or a random permutation; number n of texts
  Output: Answers whether the input is RC6 (RC6T) or not
  1. consider n texts (A, B, C, D) ciphered with RC6 (RC6T) or not;
  2. for i = 1 to n do: j = lsb_3(A_i) ‖ lsb_3(C_i); increment array[j];
  3. compute χ² of array;
  4. if (computed χ²) ≥ 82 then return "The input is RC6 (RC6T)";
     else return "The input is a random permutation".

Table 7 lists the results for RC6-32/r/16 with r = 2, 4 rounds considering Test 1. We concluded that $2^{15}$ plaintexts are sufficient to distinguish a ciphered permutation with 2 rounds from a permutation chosen at random in 95% of cases, since with $2^{15}$ plaintexts the measured value of χ², 92, is greater than 82. Considering a factor of […] additional plaintexts for each 2 rounds, we estimate that for RC6 with r rounds similar values are obtainable with $2^{15} \cdot [\ldots]^{(r-2)/2} = 2^{7.85r - 0.7}$ plaintexts, and so $\log_2(\#\text{plaintexts}) = 7.85r - 0.7$.

Table 7: Complexity to distinguish RC6-32/r/16 using Test 1 (table body not recoverable)

The values presented in Table 7 indicate that it is possible to distinguish RC6 with 14 rounds from a random permutation when we consider Test 1. Notice that to cryptanalyze 14 rounds we need […] plaintexts, and for 16 rounds we need much more than $2^{118}$, i.e., the number of available plaintexts.

In Table 8 we have the results for RC6-32/r/16 with r = 3, 5 rounds using Test 2. Observe that $2^{16}$ plaintexts are sufficient to distinguish a ciphered permutation with 3 rounds from a random permutation, since for $2^{16}$ plaintexts the measured value of χ² is greater than 82. Notice also that a factor of $2^{16}$ additional plaintexts is needed to measure equivalent values of χ² for each 2 rounds of RC6; thus we estimate that, with r rounds, similar results are obtainable with $2^{16} \cdot (2^{16})^{(r-3)/2} = 2^{8r - 8}$ plaintexts. Hence, based on runs done with RC6 with 3 and 5 rounds, we have $\log_2(\#\text{plaintexts}) = 8r - 8$ for the case of r rounds.

The results in Table 8 indicate that it is possible to distinguish RC6 with up to 15 rounds from a random permutation when Test 2 is considered. Notice that for 17 rounds the number of required plaintexts is greater than […].
Table 8: Complexity to distinguish RC6-32/r/16 using Test 2 (table body not recoverable)

5 Distinction cryptanalysis of RC6T

Table 9 shows the results for RC6T-32/r/16 with r = 2, 4 rounds, considering Test 1. We have that […] plaintexts are sufficient to distinguish a ciphered permutation with 2 rounds from a randomly chosen permutation in 95% of cases. Observe that a factor of […] additional plaintexts is needed to measure equivalent values of χ² for each 2 rounds of RC6T; thus we estimate that, for RC6T with r rounds, similar values are obtainable with $[\ldots] \cdot [\ldots]^{(r-2)/2} = 2^{8.9r + 0.4}$ plaintexts. Therefore, based on our implementations and the data shown in Table 9, we have $\log_2(\#\text{plaintexts}) = 8.9r + 0.4$ for r rounds.

Table 9: Complexity to distinguish RC6T-32/r/16 using Test 1 (table body not recoverable)

The values shown in Table 9 indicate that it is possible to distinguish RC6T with up to 12 rounds from a random permutation when we consider Test 1. We already know that 14 rounds of RC6 may be cryptanalyzed using Test 1 with […] plaintexts. But to cryptanalyze RC6T with 14 rounds, the number of required plaintexts is greater than […].

In Table 10 we have the results for RC6T-32/r/16 with r = 3, 5 rounds using Test 2. Observe that […] plaintexts is an acceptable value to distinguish a ciphered permutation with 3 rounds from a random permutation. Furthermore, it is also possible to conclude that a factor of […] additional plaintexts is required to measure equivalent values of χ² for each 2 rounds. Thus, we estimate that for RC6T with r rounds similar results are obtainable with $[\ldots] \cdot [\ldots]^{(r-3)/2} = 2^{8.4r - 2.6}$ plaintexts. Therefore, based on the results for RC6T with 3 and 5 rounds, we conclude that $\log_2(\#\text{plaintexts}) = 8.4r - 2.6$ when r rounds are considered. The results in Table 10 indicate that it is possible to distinguish RC6T with up to 13 rounds from a random permutation when we consider Test 2 of Section 3. With this test it is possible to cryptanalyze 15 rounds of RC6 with […] plaintexts, as already discussed.
But for 15 rounds of RC6T the number of required plaintexts is much greater than […].

6 Key-recovery cryptanalysis

This section presents a type of cryptanalysis developed by Isogai, Matsunaka and Miyaji (3) which recovers some bits of the subkeys used in the last round of RC6 or RC6T without post-whitening, denoted RC6P and RC6TP, respectively. This cryptanalysis is based on Test 2: it sets $\mathrm{lsb}_5(B_0)$ and $\mathrm{lsb}_5(D_0)$ to zero and considers $\mathrm{lsb}_3(A_{r+1})$ and $\mathrm{lsb}_3(C_{r+1})$ to compute the χ² statistic. To obtain similar values for a χ² test on r + 2 rounds compared to r rounds, we assume that a factor of around $2^{16}$ additional plaintexts is required. In (8) it is shown that it is unnecessary to consider a level of significance of 0.95, as in (5), in order to recover the correct key. In the case of Test 2 a level of significance greater than 0.57 is sufficient to recover the key. It is evident that far fewer plaintexts are necessary for the cryptanalysis with a level a little greater than 0.57 than with the level of 0.95.

Table 10: Complexity to distinguish RC6T-32/r/16 using Test 2 (table body not recoverable)

Figure 3: Key recovery cryptanalysis

  1. Choose one plaintext (A_0, B_0, C_0, D_0) such that lsb_5(B_0) = lsb_5(D_0) = 0 and cipher it with r rounds.
  2. For each (s_a, s_c), decipher y_b ‖ y_d with the key 0 ‖ s_a, 0 ‖ s_c for 1 round to obtain z_a ‖ z_c, such that z = z_a ‖ z_c is a 6-bit integer.
  3. For each s, x_a, x_c and z, update each vector by incrementing count[s][x_a][x_c][z].
  4. For each s, x_a and x_c, compute χ²[s][x_a][x_c].
  5. Compute the average avg[s] of {χ²[s][x_a][x_c]}_{x_a, x_c} for each s and return the value s with the greatest avg[s] as lsb_2(S[2r]) ‖ lsb_2(S[2r + 1]).

Figure 3 describes the cryptanalysis algorithm to recover the key, applied to RC6P and RC6TP. Intuitively, the algorithm assigns zero to $\mathrm{lsb}_3(B_0)$ and $\mathrm{lsb}_3(D_0)$, computes the χ² statistic for 6-bit integer values obtained by concatenating 3 bits of $A_r$ with 3 bits of $C_r$, and recovers $\mathrm{lsb}_2(S[2r])$ and $\mathrm{lsb}_2(S[2r+1])$ used by the r-th round of RC6P and RC6TP. We use the following notation: $(y_b, y_d) = (\mathrm{lsb}_3(B_{r+1}), \mathrm{lsb}_3(D_{r+1}))$, $(x_a, x_c) = (\mathrm{lsb}_5(F(C_{r+1})), \mathrm{lsb}_5(F(A_{r+1})))$, $(s_a, s_c) = (\mathrm{lsb}_2(S[2r]), \mathrm{lsb}_2(S[2r+1]))$ (where F() is defined below) and $s = s_a \| s_c$, where $x_a$ (respectively $x_c$) is the amount of rotation applied to $A_r$ (respectively $C_r$) in the r-th round of RC6P or RC6TP, and $F(x) = [x(2x+1) \bmod 2^w] \lll \log_2 w$.

The cryptanalysis algorithm of Figure 3 can be generalized to recover e bits of the key, where e is an even integer. In this case, let z = (e + 2); χ² is computed on z bits. The plaintexts for the cryptanalysis algorithm are grouped into $2^{10}$ groups according to the value $\{x_a, x_c\}$, and the average avg[s] is computed over each group. In other words, all the plaintexts are uniformly distributed over the groups, as long as they are generated randomly for the experiments.

To cryptanalyze RC6P, […] plaintexts were required in order to recover the right key with 95% success probability. This fact was confirmed with 100 experiments, in which the cryptanalysis was successful 95% of the time, and the average of the χ² values of the right keys returned by the cryptanalysis algorithm was […], which corresponds to a level of significance of approximately 0.57. Using the results measured in these 100 experiments, and knowing that $2^{16}$ additional plaintexts are necessary to obtain equivalent χ² values for r + 2 rounds compared to r rounds, we conclude that the number of plaintexts required to cryptanalyze RC6P with r rounds, with success probability 95%, is as follows:

$$[\ldots] \cdot (2^{16})^{(r-3)/2} = 2^{8r - 10.2}.$$

Notice that the factor $2^8$ is due to the fact that the cryptanalysis algorithm runs only one deciphering round, which decreases the number of plaintexts. So, with $\log_2(\#\text{texts}) = 8r - 10.2$, the cryptanalysis algorithm recovers the right key with success probability 95%. To analyze the time complexity, i.e., the cost of running the cryptanalysis algorithm, we let one unit of cost be one increment of the vector count[s][x_a][x_c][z]. As we have $2^4$ pairs $(s_a, s_c)$ for each plaintext and each pair corresponds to one increment, the total cost is given by:

$$(\#\text{ of plaintexts}) \cdot 2^4 = 2^{8r - 10.2} \cdot 2^4 = 2^{8r - 6.2}.$$
Then, substituting the number of available plaintexts into this expression, which determines the number of plaintexts required to cryptanalyze RC6P, we conclude that the cryptanalysis is successful for 16 rounds of RC6P using […] plaintexts and […] units of cost.

We apply the same type of attack to the algorithm RC6T without post-whitening, denoted RC6TP. According to the measurements of the χ² tests in Section 3, considering Test 2, approximately $2^{17}$ additional plaintexts are required to obtain equivalent χ² values for r + 2 rounds compared to r rounds. Systematic experiments done as before for RC6P indicate that […] plaintexts are required in each experiment in order to recover the right key of RC6TP with 95% success probability. This fact was verified with 100 experiments, in which the cryptanalysis was successful 95% of the time, and the average of the χ² values of the right keys returned by the cryptanalysis algorithm was […], which corresponds to a level of approximately 0.57. Considering the results obtained with these 100 experiments, and knowing that $2^{17}$ additional plaintexts are required to achieve equivalent χ² values for r + 2 rounds compared to r rounds, the number of plaintexts required to cryptanalyze RC6TP with r rounds and success probability 95% is given by:

$$[\ldots] \cdot (2^{17})^{(r-3)/2} = 2^{8.5r - 6.8}.$$

We notice there is a factor of […] due to the fact that the cryptanalysis algorithm runs only one deciphering round, which decreases the number of plaintexts. Thus, with $\log_2(\#\text{texts}) = 8.5r - 6.8$, the cryptanalysis recovers the right key with success probability 95%. We also analyze the time complexity, i.e., the running cost. For this purpose, one unit of cost is one increment of the vector count[s][x_a][x_c][z]. As we have $2^4$ pairs $(s_a, s_c)$ for each plaintext and each pair corresponds to one increment, the running cost is:

$$(\#\text{ plaintexts}) \cdot 2^4 = 2^{8.5r - 6.8} \cdot 2^4 = 2^{8.5r - 2.8}.$$
Substituting the number of available plaintexts into this expression, which determines the number of plaintexts required to cryptanalyze RC6TP, we conclude that the cryptanalysis is successful for 14 rounds of RC6TP using […] plaintexts and […] units of cost.

From the results obtained in this section, the overall conclusion is that RC6TP is stronger against this type of cryptanalysis than RC6P, since the introduction of the swapping function T() means that 14 rounds is weak (i.e., at least 15 rounds are necessary to counter the attack), instead of 16 rounds for RC6P (i.e., at least 17 rounds are necessary to counter the attack).

7 Conclusions

Based on computational experiments, we estimated that a distinction cryptanalysis is successful against RC6 with up to 15 rounds. For 15 rounds, […] plaintexts are required to cryptanalyze RC6. However, the experiments showed that RC6T with up to 13 rounds can be distinguished from a random permutation. For 13 rounds, […] plaintexts are required to cryptanalyze RC6T.

We implemented the key-recovery cryptanalysis as well, a chosen-plaintext cryptanalysis against RC6 without post-whitening (RC6P) proposed in (3). The analysis of our experimental data for this cryptanalysis showed that 16 rounds of RC6P can be cryptanalyzed using […] plaintexts with probability 95% of successfully recovering the right secret key. We applied the same cryptanalysis against RC6T without post-whitening (i.e., RC6TP) and verified that fewer rounds can be cryptanalyzed, i.e., fewer rounds are required to counter the attack on RC6TP than on RC6P. For RC6TP, the experiments showed that 14 rounds can be cryptanalyzed using […] plaintexts with success probability 95%.

The overall conclusion is that the introduction of the simple data-dependent swapping function T() in the RC6 algorithm strengthens it significantly against the χ² cryptanalysis. With RC6T, a greater number of plaintexts is required to achieve χ² values similar to the ones obtained for the original RC6.
We reached the same conclusion with respect to both the distinction cryptanalysis (distinguishing the output of RC6T from a random permutation) and the key-recovery cryptanalysis (recovering the right key with high probability).

References

[1] Baudron, O., H. Gilbert, L. Granboulan, H. Handschuh, A. Joux, P. Nguyen, F. Noilhan, D. Pointcheval, T. Pornin, G. Poupard, J. Stern, S. Vaudenay (1999), Report on the AES candidates, papers/baudron1.pdf
[2] Gilbert, H., H. Handschuh, A. Joux, S. Vaudenay (2000), A Statistical Attack on RC6, 7th Fast Software Encryption Workshop, B. Schneier, ed., Springer-Verlag, LNCS 1978
[3] Isogai, N., T. Matsunaka, A. Miyaji (2003), Optimized χ²-cryptanalysis against RC6, Applied Cryptography and Network Security
[4] Kelsey, J., B. Schneier, D. Wagner (1999), Mod n Cryptanalysis, with Applications Against RC5P and M6, Lecture Notes in Computer Science, volume 1636, Springer-Verlag, London, UK
[5] Knudsen, L. R., W. Meier (2000), Correlations in RC6 with a Reduced Number of Rounds, Proceedings of the 7th International Workshop on Fast Software Encryption, Springer-Verlag, London, UK
[6] Knuth, D. E. (1981), The Art of Computer Programming, Volume 2, 2nd edition, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA
[7] Miyaji, A., M. Nonaka (2003), Cryptanalysis of Reduced-Round RC6 without Whitening, IEICE Transactions on Fundamentals, Inst. of Electronics, Communications and Computer Sciences, volume E86-A, number 1, pages 19-30
[8] Miyaji, A., M. Nonaka (2002), Cryptanalysis of the Reduced-Round RC6, International Conference on Information and Communications Security
[9] Miyaji, A., T. Takano (2005), On the Success Probability of χ²-cryptanalysis on RC6, Australasian Conference on Information Security and Privacy
[10] Miyaji, A., T. Takano (2007), Evaluation of the security of RC6 against the χ²-attack, IEICE Transactions on Fundamentals, Inst. of Electronics, Communications and Computer Sciences, vol. E90-A, No. 1 (2007)
[11] Rivest, R. L., M. J. B. Robshaw, R. Sidney and Y. L. Yin (1998), The RC6 Block Cipher, Version 1.1
[12] Ryabko, B. (2003), Adaptive Chi-Square Test and Its Application to Some Cryptographic Problems, Cryptology ePrint Archive
[13] Takenaka, M., T. Shimoyama, T. Koshiba (2004), Theoretical Analysis of χ² Attack on RC6, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, volume E87-A, number 1, pages 28-35
[14] Terada, R., I. Corrêa Jr. (2003), A stronger version of RC6 against Differential Cryptanalysis. In: Symposium on Cryptography and Information Security, 2003, Hamamatsu. Proceedings of the Symposium on Cryptography and Information Security, Tokyo, Japan: Inst. of Electronics, Information and Communication Engineers, pages 11D04-11D09
[15] Vaudenay, S. (1996), An Experiment on DES Statistical Cryptanalysis, ACM Conference on Computer and Communications Security
More informationDifferential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy
Differential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium wu.hongjun,bart.preneel@esat.kuleuven.be
More informationCube attack in finite fields of higher order
Cube attack in finite fields of higher order Andrea Agnesse 1 Marco Pedicini 2 1 Dipartimento di Matematica, Università Roma Tre Largo San Leonardo Murialdo 1, Rome, Italy 2 Istituto per le Applicazioni
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationLinear Cryptanalysis Using Multiple Approximations
Linear Cryptanalysis Using Multiple Approximations Burton S. Kaliski Jr. and M.J.B. Robshaw RSA Laboratories 100 Marine Parkway Redwood City, CA 94065, USA Abstract. We present a technique which aids in
More information3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis
3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis TANAKA Hidema, TONOMURA Yuji, and KANEKO Toshinobu A multi rounds elimination method for higher order differential cryptanalysis
More informationEssential Algebraic Structure Within the AES
Essential Algebraic Structure Within the AES Sean Murphy and Matthew J.B. Robshaw Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, U.K. s.murphy@rhul.ac.uk m.robshaw@rhul.ac.uk
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationChapter 1 - Linear cryptanalysis.
Chapter 1 - Linear cryptanalysis. James McLaughlin 1 Introduction. Linear cryptanalysis was first introduced by Mitsuru Matsui in [12]. The cryptanalyst attempts to find a linear equation x 1... x i =
More informationParallel Cube Tester Analysis of the CubeHash One-Way Hash Function
Parallel Cube Tester Analysis of the CubeHash One-Way Hash Function Alan Kaminsky Department of Computer Science B. Thomas Golisano College of Computing and Information Sciences Rochester Institute of
More informationEnhancing the Signal to Noise Ratio
Enhancing the Signal to Noise Ratio in Differential Cryptanalysis, using Algebra Martin Albrecht, Carlos Cid, Thomas Dullien, Jean-Charles Faugère and Ludovic Perret ESC 2010, Remich, 10.01.2010 Outline
More informationOn the Security of NOEKEON against Side Channel Cube Attacks
On the Security of NOEKEON against Side Channel Cube Attacks Shekh Faisal Abdul-Latip 1,2, Mohammad Reza Reyhanitabar 1, Willy Susilo 1, and Jennifer Seberry 1 1 Center for Computer and Information Security
More informationLinear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015
Kaisa Nyberg Department of Computer Science Aalto University School of Science s 2 r t S3, Sackville, August 11, 2015 Outline Linear characteristics and correlations Matsui s algorithms Traditional statistical
More informationVirtual isomorphisms of ciphers: is AES secure against differential / linear attack?
Alexander Rostovtsev alexander. rostovtsev@ibks.ftk.spbstu.ru St. Petersburg State Polytechnic University Virtual isomorphisms of ciphers: is AES secure against differential / linear attack? In [eprint.iacr.org/2009/117]
More informationComputers and Mathematics with Applications
Computers and Mathematics with Applications 61 (2011) 1261 1265 Contents lists available at ScienceDirect Computers and Mathematics with Applications journal homepage: wwwelseviercom/locate/camwa Cryptanalysis
More informationSimple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)
Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Henry Ng Henry.Ng.a@gmail.com Abstract. A new cryptographic pseudorandom number generator Cilia is presented. It hashes
More informationOn the Salsa20 Core Function
On the Salsa20 Core Function Julio Cesar Hernandez-Castro, Juan M. E. Tapiador, and Jean-Jacques Quisquater Crypto Group, DICE, Universite Louvain-la-Neuve Place du Levant, 1 B-1348 Louvain-la-Neuve, Belgium
More informationWays of Doubling Block Size of Feistel Ciphers Used in Some Candidates for the AES
Ways of Doubling Block Size of Feistel Ciphers Used in Some Candidates for the AS Bohuslav Rudolf b.rudolf@nbu.cz National Security Authority P. O. Box 49, 15 6, Prague 56 Abstract We describe and discuss
More informationA Sound Method for Switching between Boolean and Arithmetic Masking
A Sound Method for Switching between Boolean and Arithmetic Masking Louis Goubin CP8 Crypto Lab, SchlumbergerSema 36-38 rue de la Princesse, BP45 78430 Louveciennes Cedex, France Louis.Goubin@louveciennes.tt.slb.com
More informationNew Results on Boomerang and Rectangle Attacks
New Results on Boomerang and Rectangle Attacks Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haia 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationDifferential Cache Trace Attack Against CLEFIA
Differential Cache Trace Attack Against CLEFIA Chester Rebeiro and Debdeep Mukhopadhyay Dept. of Computer Science and Engineering Indian Institute of Technology Kharagpur, India {chester,debdeep}@cse.iitkgp.ernet.in
More informationOn Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds
On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds Taizo Shirai 1, and Bart Preneel 2 1 Sony Corporation, Tokyo, Japan taizo.shirai@jp.sony.com 2 ESAT/SCD-COSIC, Katholieke Universiteit
More informationWeaknesses in the HAS-V Compression Function
Weaknesses in the HAS-V Compression Function Florian Mendel and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010
More informationCryptanalysis of two knapsack public-key cryptosystems
Cryptanalysis of two knapsack public-key cryptosystems Jingguo Bi 1, Xianmeng Meng 2, and Lidong Han 1 {jguobi,hanlidong}@sdu.edu.cn mengxm@sdfi.edu.cn 1 Key Laboratory of Cryptologic Technology and Information
More informationOn the invertibility of the XOR of rotations of a binary word
On the invertibility of the XOR of rotations of a binary word Ronald L. Rivest November 10, 2009 Abstract We prove the following result regarding operations on a binary word whose length is a power of
More informationComplementing Feistel Ciphers
Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,
More informationCryptanalysis of the Stream Cipher DECIM
Cryptanalysis of the Stream Cipher DECIM Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium {wu.hongjun, bart.preneel}@esat.kuleuven.be
More informationOn Correlation Between the Order of S-boxes and the Strength of DES
On Correlation Between the Order of S-boxes and the Strength of DES Mitsuru Matsui Computer & Information Systems Laboratory Mitsubishi Electric Corporation 5-1-1, Ofuna, Kamakura, Kanagawa, 247, Japan
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationCryptanalysis of a Multistage Encryption System
Cryptanalysis of a Multistage Encryption System Chengqing Li, Xinxiao Li, Shujun Li and Guanrong Chen Department of Mathematics, Zhejiang University, Hangzhou, Zhejiang 310027, China Software Engineering
More informationCryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000
Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000 Amr Youssef 1 and Guang Gong 2 1 Center for Applied Cryptographic Research Department of Combinatorics & Optimization 2 Department of Electrical
More informationAn Analysis of the RC4 Family of Stream Ciphers against Algebraic Attacks
Proc 8th Australasian Information Security Conference AISC 010, Brisbane, Australia An Analysis of the RC4 Family of Stream Ciphers against Algebraic Attacks Kenneth Koon-Ho Wong 1 Gary Carter 1 Ed Dawson
More informationExpanding Weak-key Space of RC4
[DOI: 10.2197/ipsjjip.22.357] Recommended Paper Expanding Weak-key Space of RC4 Atsushi agao 1,a) Toshihiro Ohigashi 2 Takanori Isobe 1 Masakatu Morii 1 Received: July 7, 2013, Accepted: ovember 1, 2013
More informationIntegrals go Statistical: Cryptanalysis of Full Skipjack Variants
Integrals go Statistical: Cryptanalysis of ull Skipjack Variants Meiqin Wang mqwang@sdu.edu.cn Joint Work with Tingting Cui, Huaifeng Chen, Ling Sun, Long Wen, Andrey Bogdanov Shandong University, China;
More informationNear Optimal Algorithms for Solving Differential Equations of Addition with Batch Queries
A shortened version of this paper appears under the same title in the proceedings of Indocrypt 2005 (S. Maitra, C.E. Venimadhavan, R. Venkatesan (eds.)), LNCS, Springer-Verlag. Near Optimal Algorithms
More informationSecurity of the AES with a Secret S-box
Security of the AES with a Secret S-box Tyge Tiessen, Lars R Knudsen, Stefan Kölbl, and Martin M Lauridsen {tyti,lrkn,stek,mmeh}@dtudk DTU Compute, Technical University of Denmark, Denmark Abstract How
More informationOn related-key attacks and KASUMI: the case of A5/3
On related-key attacks and KASUMI: the case of A5/3 Phuong Ha Nguyen 1, M.J.B. Robshaw 2, Huaxiong Wang 1 1 Nanyang Technological University, Singapore 2 Applied Cryptography Group, Orange Labs, France
More informationThe Security of Abreast-DM in the Ideal Cipher Model
The Security of breast-dm in the Ideal Cipher Model Jooyoung Lee, Daesung Kwon The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390 jlee05@ensec.re.kr,ds
More informationA (Second) Preimage Attack on the GOST Hash Function
A (Second) Preimage Attack on the GOST Hash Function Florian Mendel, Norbert Pramstaller, and Christian Rechberger Institute for Applied Information Processing and Communications (IAIK), Graz University
More informationLinear Cryptanalysis of Reduced-Round Speck
Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationSome New Weaknesses in the RC4 Stream Cipher
Some ew Weaknesses in the RC4 Stream Cipher Jing Lv (B), Bin Zhang, and Dongdai Lin 2 Laboratory of Trusted Computing and Information Assurance, Institute of Software, Chinese Academy of Sciences, 0090
More informationType 1.x Generalized Feistel Structures
Noname manuscript No. (will be inserted by the editor) Type 1.x Generalized eistel Structures Shingo Yanagihara Tetsu Iwata Received: date / Accepted: date Abstract We formalize the Type 1.x Generalized
More informationXMX: A Firmware-oriented Block Cipher Based on Modular Multiplications
XMX: A Firmware-oriented Block Cipher Based on Modular Multiplications [Published in E. Biham, Ed., Fast Software Encrytion, vol. 1267 of Lecture Notes in Computer Science, pp. 166 171, Springer-Verlag,
More informationImproved Multiple Impossible Differential Cryptanalysis of Midori128
Improved Multiple Impossible Differential Cryptanalysis of Midori128 Mohamed Tolba, Ahmed Abdelkhalek, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University,
More informationRevisit and Cryptanalysis of a CAST Cipher
2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia
More informationThe SHA Family of Hash Functions: Recent Results
The SHA Family of Hash Functions: Recent Results Christian Rechberger Vincent Rijmen {Christian.Rechberger,Vincent.Rijmen}@iaik.tugraz.at Institute for Applied Information Processing and Communications
More informationCRYPTOGRAPHIC PROPERTIES OF ADDITION MODULO 2 n
CRYPTOGRAPHIC PROPERTIES OF ADDITION MODULO 2 n S. M. DEHNAVI, A. MAHMOODI RISHAKANI, M. R. MIRZAEE SHAMSABAD, HAMIDREZA MAIMANI, EINOLLAH PASHA Abstract. The operation of modular addition modulo a power
More informationRelated-key Attacks on the Py-family of Ciphers and an Approach to Repair the Weaknesses
Related-key Attacks on the Py-family of Ciphers and an Approach to Repair the Weaknesses Gautham Sekar, Souradyuti Paul and Bart Preneel Katholieke Universiteit Leuven, Dept. ESAT/COSIC, Kasteelpark Arenberg
More informationImpossible differential and square attacks: Cryptanalytic link and application to Skipjack
UCL Crypto Group Technical Report Series Impossible differential and square attacks: Cryptanalytic link and application to Skipjack Gilles Piret Jean-Jacques Quisquater REGARDS GROUPE http://www.dice.ucl.ac.be/crypto/
More informationImproving the Time Complexity of Matsui s Linear Cryptanalysis
Improving the Time Complexity of Matsui s Linear Cryptanalysis B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group, Université Catholique de Louvain Abstract. This paper reports on an improvement
More informationAn Algebraic Framework for Cipher Embeddings
An Algebraic Framework for Cipher Embeddings C. Cid 1, S. Murphy 1, and M.J.B. Robshaw 2 1 Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, U.K. 2 France Télécom
More informationComputing the biases of parity-check relations
Computing the biases of parity-check relations Anne Canteaut INRIA project-team SECRET B.P. 05 7853 Le Chesnay Cedex, France Email: Anne.Canteaut@inria.fr María Naya-Plasencia INRIA project-team SECRET
More informationThe Indistinguishability of the XOR of k permutations
The Indistinguishability of the XOR of k permutations Benoit Cogliati, Rodolphe Lampe, Jacques Patarin University of Versailles, France Abstract. Given k independent pseudorandom permutations f 1,...,
More informationSecurity of Random Feistel Schemes with 5 or more Rounds
Security of Random Feistel Schemes with 5 or more Rounds Jacques Patarin Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract. We study cryptographic attacks on random
More informationA New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent
A New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent Joo Yeon Cho, Miia Hermelin, and Kaisa Nyberg Helsinki University of Technology, Department of Information
More informationZero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA
Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Andrey Bogdanov, Meiqin Wang Technical University of Denmark, Shandong University, China ESC 2013,
More informationDistinguishing Attack on Common Scrambling Algorithm
410 The International Arab Journal of Information Technology, Vol. 12, No. 4, July 2015 Distinguishing Attack on Common Scrambling Algorithm Kai Zhang and Jie Guan Zhengzhou Information Science and Technology
More informationA New Knapsack Public-Key Cryptosystem Based on Permutation Combination Algorithm
A New Knapsack Public-Key Cryptosystem Based on Permutation Combination Algorithm Min-Shiang Hwang Cheng-Chi Lee Shiang-Feng Tzeng Department of Management Information System National Chung Hsing University
More informationAll-Or-Nothing Transforms Using Quasigroups
All-Or-Nothing Transforms Using Quasigroups Stelios I Marnas, Lefteris Angelis, and George L Bleris Department of Informatics, Aristotle University 54124 Thessaloniki, Greece Email: {marnas,lef,bleris}@csdauthgr
More informationCryptanalysis of PRESENT-like ciphers with secret S-boxes
Cryptanalysis of PRESENT-like ciphers with secret S-boxes Julia Borghoff Lars Knudsen Gregor Leander Søren S. Thomsen DTU, Denmark FSE 2011 Cryptanalysis of Maya Julia Borghoff Lars Knudsen Gregor Leander
More informationFurther progress in hashing cryptanalysis
Further progress in hashing cryptanalysis Arjen K. Lenstra Lucent Technologies, Bell Laboratories February 26, 2005 Abstract Until further notice all new designs should use SHA-256. Existing systems using
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationDK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,
The Interpolation Attack on Block Ciphers? Thomas Jakobsen 1 and Lars R. Knudsen 2 1 Department of Mathematics, Building 303, Technical University of Denmark, DK-2800 Lyngby, Denmark, email:jakobsen@mat.dtu.dk.
More informationBiomedical Security. Overview 9/15/2017. Erwin M. Bakker
Biomedical Security Erwin M. Bakker Overview Cryptography: Algorithms Cryptography: Protocols Pretty Good Privacy (PGP) / B. Schneier Workshop Biomedical Security Biomedical Application Security (guest
More informationDifferential and Rectangle Attacks on Reduced-Round SHACAL-1
Differential and Rectangle Attacks on Reduced-Round SHACAL-1 Jiqiang Lu 1, Jongsung Kim 2,3, Nathan Keller 4, and Orr Dunkelman 5 1 Information Security Group, Royal Holloway, University of London Egham,
More informationDifferential properties of power functions
Differential properties of power functions Céline Blondeau, Anne Canteaut and Pascale Charpin SECRET Project-Team - INRIA Paris-Rocquencourt Domaine de Voluceau - B.P. 105-8153 Le Chesnay Cedex - France
More informationAffine equivalence in the AES round function
Discrete Applied Mathematics 148 (2005) 161 170 www.elsevier.com/locate/dam Affine equivalence in the AES round function A.M. Youssef a, S.E. Tavares b a Concordia Institute for Information Systems Engineering,
More informationGurgen Khachatrian Martun Karapetyan
34 International Journal Information Theories and Applications, Vol. 23, Number 1, (c) 2016 On a public key encryption algorithm based on Permutation Polynomials and performance analyses Gurgen Khachatrian
More informationWeek 7 An Application to Cryptography
SECTION 9. EULER S GENERALIZATION OF FERMAT S THEOREM 55 Week 7 An Application to Cryptography Cryptography the study of the design and analysis of mathematical techniques that ensure secure communications
More informationCryptanalysis of block EnRUPT
Cryptanalysis of block EnRUPT Elias Yarrkov 2010-10-08 (revised 2010-10-12) Abstract EnRUPT is a cryptographic primitive with a variable block and key length. We show several attacks on it that stem from
More informationDeterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA
Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA Noboru Kunihiro 1 and Kaoru Kurosawa 2 1 The University of Electro-Communications, Japan kunihiro@iceuecacjp
More informationCryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages
Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages MEI-NA WANG Institute for Information Industry Networks and Multimedia Institute TAIWAN, R.O.C. myrawang@iii.org.tw SUNG-MING
More information