by John Kelsey, Bruce Schneier, David Wagner
Proceedings 2nd Advanced Encryption Standard Candidate Conference
http://www.counterpane.com/safer.pdf
Abstract:
We analyze the key schedule of the SAFER+ block cipher, focusing on the poor diffusion of key material through the cipher when using SAFER+ with 256-bit keys. We develop a meet-in-the-middle attack on 256-bit SAFER+ requiring 12 × 2^24 bytes of memory, 3 known plaintext/ciphertext pairs, and work approximately equivalent to 2^240 SAFER+ encryptions. We also develop a related-key attack on 256-bit SAFER+ requiring 3 × 2^32 chosen plaintexts under two keys with a chosen xor relationship, and work approximately equivalent to 2^200 SAFER+ encryptions. We consider a number of other key-schedule properties, such as equivalent keys, DES-style weak and semiweak keys, and key-dependent linear and differential characteristics. We fail to find any such properties, and offer some arguments why some of these are unlikely to exist. Finally, we propose an improvement to the SAFER+ key schedule which defends against our attacks, while causing no apparent weakening of the cipher to other attacks.