nach oben

Designs, Codes and Cryptography

Erschienen in:

01.10.2015

A methodology for differential-linear cryptanalysis and its applications

verfasst von: Jiqiang Lu

Erschienen in: Designs, Codes and Cryptography | Ausgabe 1/2015

Einloggen, um Zugang zu erhalten

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Differential and linear cryptanalyses are powerful techniques for analysing the security of a block cipher. In 1994 Langford and Hellman published a combination of differential and linear cryptanalysis under two default independence assumptions, known as differential-linear cryptanalysis, which is based on the use of a differential-linear distinguisher constructed by concatenating a linear approximation with a (truncated) differential with probability 1. In 1995 Langford gave a general version of differential-linear cryptanalysis, so that a differential with a probability smaller than 1 can also be used to construct a differential-linear distinguisher; the general version was published in 2002 by Biham, Dunkelman and Keller with an elaborate explanation using an additional assumption. In this paper, we introduce a new methodology for differential-linear cryptanalysis under the original two assumptions, without using the additional assumption of Biham et al. The new methodology is more reasonable and more general than Langford and Biham et al.’s methodology; and apart from this advantage it can lead to some better cryptanalytic results than Langford and Biham et al.’s methodology and Langford and Hellman’s methodology. As examples, we apply it to 13 rounds of the DES block cipher, 10 rounds of the CTC2 block cipher and 12 rounds of the Serpent block cipher. The new methodology can be used to cryptanalyse other block ciphers, and block cipher designers should pay attention to this new methodology when designing a block cipher.

Vorheriger Artikel A class of six-weight cyclic codes and their weight distribution

Nächster Artikel Tactical decompositions of designs over finite fields

A more general condition is \(\beta \odot \gamma =c\), where \(c \in \{0,1\}\) is a constant. Without loss of generality, we consider the case with \(c=0\) throughout this paper.

We note that Biham et al. used a different assumption when reviewing the enhanced version in a few other papers, [13] say, where they assumed that \(\mathbb {E}_0(P) \odot \gamma = \mathbb {E}_0(P \oplus \alpha ) \odot \gamma \) holds with half a chance for the cases where \(\mathbb {E}_0(P) \oplus \mathbb {E}_0(P \oplus \alpha ) \ne \beta \), yielding the same probability value \(\frac{1}{2} + 2p\epsilon ^2\) as under Assumption 3. We treat this assumption as Assumption 3, though they are different.

Note that here a differential-linear distinguisher is treated as a linear approximation, so that we can use Theorem 1 for a differential-linear attack, but here we can replace \(m+1\) in Theorem 1 with \(m\), (since the term on the XOR of concerned key bits is cancelled in a differential-linear distinguisher). The same statement applies to the subsequent attacks, although we do not make any further explicit statements.

Note that there is a typo in the input mask of Round 7 of the 9-round linear approximation in [9], where the input mask should be \(0x00000010000A00000000000000000000\).

Anderson R., Biham E., Knudsen L.R.: Serpent: a new block cipher proposal. In: FSE 1998. Lecture Notes in Computer Science, vol. 1372, pp. 222–238. Springer, Heidelberg (1998).

Anderson R., Biham E., Knudsen L.R.: Serpent: a proposal for the Advanced Encryption Standard, NISTY AES Proposal (1998).

Biham E.: New types of cryptanalytic attacks using related keys. J. Cryptol. 7(4), 229–246 (1994).

Biham E., Biryukov A.: An improvement of Davies’ attack on DES. J. Cryptol. 10(3), 195–206 (1997).

Biham E., Shamir A.: Differential cryptanalysis of DES-like cryptosystems. In: CRYPTO 1990. Lecture Notes in Computer Science, vol. 537, pp. 2–21. Springer, Heidelberg (1990).

Biham E., Shamir A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991).

Biham E., Shamir A.: Differential cryptanalysis of the full 16-round DES. In: CRYPTO 1992. Lecture Notes in Computer Science, vol. 740, pp. 487–496. Springer, Heidelberg (1993).

Biham E., Dunkelman O., Keller N.: The rectangle attack—rectangling the Serpent. In: EUROCRYPT 2001. Lecture Notes in Computer Science, vol. 2045, pp. 340–357. Springer, Heidelberg (2001).

Biham E., Dunkelman O., Keller N.: Linear cryptanalysis of reduced round Serpent. In: FSE 2001. Lecture Notes in Computer Science, vol. 2355, pp. 16–27. Springer, Heidelberg (2002).

10.

Biham E., Dunkelman O., Keller N.: Enhancing differential-linear cryptanalysis. In: ASIACRYPT 2002. Lecture Notes in Computer Science, vol. 2501, pp. 254–266. Springer, Heidelberg (2002).

11.

Biham E., Dunkelman O., Keller N.: New results on boomerang and rectangle attacks. In: FSE 2002. Lecture Notes in Computer Science, vol. 2365, pp. 1–16. Springer, Heidelberg (2002).

12.

Biham E., Dunkelman O., Keller N.: Differential-linear cryptanalysis of Serpent. In: FSE 2003. Lecture Notes in Computer Science, vol. 2887, pp. 9–21. Springer, Heidelberg (2003).

13.

Biham E., Dunkelman O., Keller N.: New combined attacks on block ciphers. In: FSE 2005. Lecture Notes in Computer Science, vol. 3557, pp. 126–144. Springer, Heidelberg (2005).

14.

Collard B., Standaert F.-X., Quisquater J.-J.: Improved and multiple linear cryptanalysis of reduced round Serpent. In: Inscrypt 2007. Lecture Notes in Computer Science, vol. 4990, pp. 51–65. Springer, Heidelberg (2008).

15.

Collard B., Standaert F.-X., Quisquater J.-J.: Improved and multiple linear cryptanalysis of reduced round Serpent—description of the linear approximations. http://perso.uclouvain.be/fstandae/PUBLIS/47b.

16.

Courtois N.T.: CTC2 and fast algebraic attacks on block ciphers revisited. IACR ePrint report 2007/152 (2007).

17.

Courtois N.T., Pieprzyk J.: Cryptanalysis of block ciphers with overdefined systems of equations. In: ASIACRYPT 2002. Lecture Notes in Computer Science, vol. 2501, pp. 267–287. Springer, Heidelberg (2002).

18.

Daemen J., Rijmen V.: AES proposal: Rijndael. In: Proceedings of the First Advanced Encryption Standard Candidate Conference, NIST, Ventura, CA (1998).

19.

Davies, D.: Investigation of a potential weakness in the DES algorithm (1987) (unpublished manuscript).

20.

Davies D., Murphy S.: Pairs and triplets of DES S-boxes. J. Cryptol. 8(1), 1–25 (1995).

21.

Dunkelman O.: Techniques for cryptanalysis of block ciphers. Ph.D. thesis, Technion-Israel Institute of Technology, Israel (2006).

22.

Dunkelman O., Keller N.: Cryptanalysis of CTC2. In: CT-RSA 2009. Lecture Notes in Computer Science, vol. 5473, pp. 226–239. Springer, Heidelberg (2009).

23.

Dunkelman O., Indesteege S., Keller N.: A differential-linear attack on 12-round Serpent. In: INDOCRYPT 2008. Lecture Notes in Computer Science, vol. 5365, pp. 308–321. Springer, Heidelberg (2008).

24.

GNU Project, http://www.gnupg.org/oids.html.

25.

Handschuh H., Naccache D.: SHACAL. In: Proceedings of the First Open NESSIE Workshop (2000).

26.

Hawkes P.: Differential-linear weak key classes of IDEA. In: EUROCRYPT 1998. Lecture Notes in Computer Science, vol. 1403, pp. 112–126. Springer, Heidelberg (1998).

27.

Kelsey J., Schneier B., Wagner D.: Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In: CRYPTO 1996. Lecture Notes in Computer Science, vol. 1109, pp. 237–251. Springer, Heidelberg (1996).

28.

Kelsey J., Kohno T., Schneier B.: Amplified boomerang attacks against reduced-round MARS and Serpent. In: FSE 2000. Lecture Notes in Computer Science, vol. 1978, pp. 75–93. Springer, Heidelberg (2001).

29.

Kim J.: Combined differential, linear and related-key attacks on block ciphers and MAC algorithms. Ph.D. thesis, Katholieke Universiteit Leuven, Belgium (2006).

30.

Knudsen L.R.: Cryptanalysis of LOKI91. In: ASIACRYPT 1992. Lecture Notes in Computer Science, vol. 718, pp. 196–208. Springer, Heidelberg (1993).

31.

Knudsen L.R.: Trucated and higher order differentials. In: FSE 1994. Lecture Notes in Computer Science, vol. 1008, pp. 196–211. Springer, Heidelberg (1995).

32.

Knudsen L.R., Mathiassen J.E.: A chosen-plaintext linear attack on DES. In: FSE 2000. Lecture Notes in Computer Science, vol. 1978, pp. 262–272. Springer, Heidelberg (2001).

33.

Kohno T., Kelsey J., Schneier B.: Preliminary cryptanalysis of reduced-round Serpent. In: Proceedings of the Third AES Candidate Conference (2000).

34.

Kunz-Jacques S., Muller F.: New improvements of Davies-Murphy cryptanalysis. In: ASIACRYPT 2005. Lecture Notes in Computer Science, vol. 3788, pp. 425–442. Springer, Heidelberg (2005).

35.

Lai X., Massey J.L., Murphy S.: Markov ciphers and differential cryptanalysis. In: EUROCRYPT 1991. Lecture Notes in Computer Science, vol. 547, pp. 17–38. Springer, Heidelberg (1991).

36.

Langford S.K.: Differential-linear cryptanalysis and threshold signatures. Ph.D. thesis, Stanford University, USA (1995).

37.

Langford S.K., Hellman M.E.: Differential-linear cryptanalysis. In: CRYPTO 1994. Lecture Notes in Computer Science, vol. 839, pp. 17–25. Springer, Heidelberg (1994).

38.

Lu J.: Cryptanalysis of block ciphers. Ph.D. thesis, University of London, UK (2008).

39.

Lu J.: New methodologies for differential-linear cryptanalysis and its extensions. Cryptology ePrint Archive, Report 2010/025 (2010). http://eprint.iacr.org/2010/025.

40.

Lu J.: A methodology for differential-linear cryptanalysis and its applications (extended abstract). In: FSE 2012. Lecture Notes in Computer Science, vol. 7549, pp. 69–89. Springer, Heidelberg (2012).

41.

Matsui M.: Linear cryptanalysis method for DES cipher. In: EUROCRYPT 1993. Lecture Notes in Computer Science, vol. 765, pp. 386–397. Springer, Heidelberg (1994).

42.

Matsui M.: The first experimental cryptanalysis of the Data Encryption Standard. In: CRYPTO 1994. Lecture Notes in Computer Science, vol. 839, pp. 1–11. Springer, Heidelberg (1994).

43.

Matsui M., Yamagishi A.: A new method for known plaintext attack of FEAL cipher. In: EUROCRYPT 1992. Lecture Notes in Computer Science, vol. 658, pp. 81–91. Springer, Heidelberg (1993).

44.

National Bureau of Standards (NBS), Data Encryption Standard (DES), FIPS-46 (1977).

45.

National Institute of Standards and Technology (NIST), Advanced Encryption Standard (AES), FIPS-197 (2001).

46.

Selçuk A.A.: On probability of success in linear and differential cryptanalysis. J. Cryptol. 21(1), 131–147 (2008).

47.

Vaudenay S.: Provable security for block ciphers by decorrelation. In: STACS 1998. Lecture Notes in Computer Science, vol. 1373, pp. 249–275. Springer, Heidelberg (1998).

48.

Wagner D.: The boomerang attack. In: FSE 1999. Lecture Notes in Computer Science, vol. 1636, pp. 156–170. Springer, Heidelberg (1999).

49.

Wang X.Y., Hui L.C.K., Chow K.P., Chong C.F., Tsang W.W., Chan H.W.: The differential cryptanalysis of an AES finalist - Serpent. Technical report TR-2000-04, Department of Computer Science and Information Systems, The University of Hong Kong, China (2000). http://www.cs.hku.hk/research/techreps/document/TR-2000-04.

Titel: A methodology for differential-linear cryptanalysis and its applications
verfasst von: Jiqiang Lu
Publikationsdatum: 01.10.2015
Verlag: Springer US
Erschienen in: Designs, Codes and Cryptography / Ausgabe 1/2015
Print ISSN: 0925-1022
Elektronische ISSN: 1573-7586
DOI: https://doi.org/10.1007/s10623-014-9985-x

Springer Professional

A methodology for differential-linear cryptanalysis and its applications

Abstract

Premium Partner

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Weitere Artikel der Ausgabe 1/2015

Bent vectorial functions and linear codes from o-polynomials

Tactical decompositions of designs over finite fields

Minimal logarithmic signatures for the unitary group

Entanglement-assisted quantum codes from arbitrary binary linear codes

Differentially 4-uniform bijections by permuting the inverse function

A class of six-weight cyclic codes and their weight distribution

Premium Partner