Provable security of block ciphers against linear cryptanalysis: a mission impossible?
Related papers
New constructions in linear cryptanalysis of block ciphers
2000
At the beginning of the paper we describe the state of the art in linear cryptanalysis of block ciphers. We present algorithms for finding best linear expressions proposed by Matsui [9] and Ohta. We sketch basic linear cryptanalysis (0R, 1R, 2R attacks) and the known extensions. We explain the advantages and the limitations of applying linear cryptanalysis and its extensions to block ciphers. In the second part of the paper we describe our proposal of a new extension to the linear attack based on the application of a probabilistic counting method. It allows the reduction of two consecutive rounds and forms the basis for mounting e.g. 3R attacks. We present experimental results of the implementation of this attack against the Data Encryption Standard.
Linear frameworks for block ciphers
2001
In this paper we generalize the structure of the ciphers Shark, Square, BKSQ, Crypton and Rijndael. We show that the linear components play an essential role in the effect of the nonlinear S-boxes in providing resistance against differential and linear cryptanalysis and provide upper bounds for the probability of differential characteristics and the correlation of linear approximations for the general structure. We show how good linear components can be constructed efficiently from Maximum-Distance Separable codes. The presented block cipher structure can make optimal use of a wide range of processor word lengths and its parallelism allows very fast dedicated hardware implementations. Ciphers with variable block length can be constructed by varying certain parameters in the presented structure.
Block Ciphers – Focus On The Linear Layer (feat. PRIDE)
The linear layer is a core component in any substitution-permutation network block cipher. Its design significantly influences both the security and the efficiency of the resulting block cipher. Surprisingly, not many general constructions are known that allow one to choose trade-offs between security and efficiency. Especially when compared to S-boxes, it seems that the linear layer is crucially understudied. In this paper, we propose a general methodology to construct good, sometimes optimal, linear layers allowing for a large variety of trade-offs. We give several instances of our construction and on top underline its value by presenting a new block cipher. PRIDE is optimized for 8-bit micro-controllers and significantly outperforms all academic solutions both in terms of code size and cycle count.
On the construction of block ciphers provably secure and not relying on any unproved hypotheses
Advances in Cryptology—CRYPTO'89 …, 1989
Yuliang Zheng, Tsutomu Matsumoto, Hideki Imai. Division of Electrical and Computer Engineering, Yokohama National University, 156 Tokiwadai, Hodogaya, Yokohama, 240 Japan. August 1989.
Abstract: One of the ultimate goals of cryptography researchers is to construct a (secret-key) block cipher which has the following ideal properties: (1) The cipher is provably secure, (2) Security of the cipher does not depend on any unproved hypotheses, (3) The cipher can be easily implemented
A New Type of Attacks on Block Ciphers
Problems of Information Transmission, 2005
A new attack (called "gradient statistical") on block ciphers is suggested and experimentally investigated. We demonstrate the possibility of applying it to ciphers for which no attacks are known except for the exhaustive key search.
Block Ciphers-Focus On The Linear Layer (feat. PRIDE): Full Version
The Key-Dependent Attack on Block Ciphers
Lecture Notes in Computer Science, 2009
In this paper, we formalize an attack scheme using the key-dependent property, called the key-dependent attack. In this attack, the intermediate value, whose distribution is key-dependent, is considered. The attack determines whether a key is right by conducting a statistical hypothesis test on the intermediate value. The time and data complexity of the key-dependent attack is also discussed. We also apply the key-dependent attack to reduced-round IDEA. This attack is based on the key-dependent distribution of certain items in the Biryukov-Demirci Equation. The attack on the 5.5-round variant of IDEA requires 2^21 chosen plaintexts and 2^112.1 encryptions. The attack on the 6-round variant requires 2^49 chosen plaintexts and 2^112.1 encryptions. Compared with the previous attacks, the key-dependent attacks on 5.5-round and 6-round IDEA have the lowest time and data complexity, respectively.
Block ciphers, pseudorandom functions, and Natural Proofs
This paper takes a new step towards closing the troubling gap between pseudorandom functions (PRF) and their popular, bounded-input-length counterpart: block ciphers. This gap is both quantitative, because block ciphers are more efficient than PRF in various ways, and methodological, because block ciphers usually fit in the substitution-permutation network paradigm (SPN) which has no counterpart in PRF. We give several candidate PRF F_i that are inspired by the SPN paradigm. This paradigm involves a "substitution function" (S-box). Our main candidates are: F_1 : {0, 1}^n → {0, 1}^n is an SPN whose S-box is a random function on b = O(lg n) bits, given as part of the seed. We prove unconditionally that F_1 resists attacks that run in time ≤ 2^{εb}. Setting b = ω(lg n) we obtain an inefficient PRF, which however seems to be the first such construction using the SPN paradigm. F_2 : {0, 1}^n → {0, 1}^n is an SPN where the S-box is (patched) field inversion, a common choice in block ciphers. F_2 is computable with Boolean circuits of size n·log^{O(1)} n, and in particular with seed length n·log^{O(1)} n. We prove that this candidate has exponential security 2^{Ω(n)} against linear and differential cryptanalysis. F_3 : {0, 1}^n → {0, 1} is a non-standard variant on the SPN paradigm, where "states" grow in length. F_3 is computable with size n^{1+ε}, for any ε > 0, in the restricted circuit class TC^0 of unbounded fan-in majority circuits of constant depth. We prove that F_3 is almost 3-wise independent. F_4 : {0, 1}^n → {0, 1} uses an extreme setting of the SPN parameters (one round, one S-box, no diffusion matrix). The S-box is again (patched) field inversion. We prove that this candidate is a small-bias generator (for tests of weight up to 2^{0.9n}).
Assuming the security of our candidates, our work also narrows the gap between the "Natural Proofs barrier" [Razborov & Rudich; JCSS '97] and existing lower bounds, in three models: unbounded-depth circuits, TC^0 circuits, and Turing machines. In particular, the efficiency of the circuits computing F_3 is related to a result by Allender and Koucky [JACM '10] who show that a lower bound for such circuits would imply a lower bound for TC^0.
The interpolation attack on block ciphers
Lecture Notes in Computer Science, 1997
In this paper we introduce a new method of attacks on block ciphers, the interpolation attack. This new method is useful for attacking ciphers using simple algebraic functions (in particular quadratic functions) as S-boxes. Also, ciphers of low non-linear order are vulnerable to attacks based on higher order differentials. Recently, Knudsen and Nyberg presented a 6-round prototype cipher which is provably secure against ordinary differential cryptanalysis. We show how to attack the cipher by using higher order differentials and a variant of the cipher by the interpolation attack. It is possible to successfully cryptanalyse up to 32 rounds of the variant using about 2^32 chosen plaintexts with a running time less than 2^64. Using higher order differentials, a new design concept for block ciphers by Kiefer is also shown to be insecure. Rijmen et al. presented a design strategy for block ciphers and the cipher SHARK. We show that there exist ciphers constructed according to this design strategy which can be broken faster than claimed. In particular, we cryptanalyse 5 rounds of a variant of SHARK, which deviates only slightly from the proposed SHARK.
Cryptanalysis of Block Ciphers Using Almost-Impossible Differentials
In this paper, inspired by the notion of impossible differentials, we present a model to use differentials that are less probable than a random permutation. We introduce such a distinguisher for 2 rounds of Crypton, and present an attack on 6 rounds of this predecessor AES candidate. As a special case of this idea, we embed parts of the additional rounds around the impossible differential into the distinguisher to make a probabilistic distinguisher with more rounds. We show that with this change, the data complexity is increased but the time complexity may be reduced or increased. Then we discuss that this change in impossible differential cryptanalysis is commodious and rational when the data complexity is low and the time complexity is marginal.