L.R.Knudsen, "Cryptanalysis of LOKI91," Advances in Cryptology --- AUSCRYPT'92, Lecture Notes in Computer Science 718, pp.196--208, Springer-Verlag, 1993.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....there is no equivalent set of subkeys generated from distinct secret keys. Therefore, we expect that there are no distinct secret keys both of which encrypt each of many plaintexts into the same ciphertext. 5. 9 Slide Attack In [6, 7] the slide attacks were introduced, based on earlier work in [5, 14]. In particular it was shown that iterated ciphers with identical round functions, that is, equal structures and equal subkeys in the round functions, are susceptible to slide attacks. In Camellia, FL and FL 1 functions are inserted between every 6 rounds of a Feistel network to provide ....

L.R.Knudsen, "Cryptanalysis of LOKI91," Advances in Cryptology --- AUSCRYPT'92, Lecture Notes in Computer Science 718, pp.196--208, Springer-Verlag, 1993.

.... [Vau96] IDEA [LMM91] has several classes of keys detectable with just two chosen plaintext encryptions [DGV93] The key schedule in LOKI91 allows two di#erent keys to have several round keys in common; this reduces the e#ective keyspace by almost a factor of four using 2 33 chosen plaintexts [Knu93b]. Due to the weak mixing in its key schedule, RC4 has a class of detectable keys [Roo95] One out of 256 keys are detectable, and a detectable key has about a 13.8 chance of revealing 16 bits of the key in the first output byte. Lucifer has di#erential characteristics which are conditional on the ....

....round [GT78] 4 With hindsight, the ideas used in their known plaintext attack seem similar to the general approach of Biham s related key attacks, though their paper predated Biham s by 16 years. Others have used similar techniques to exploit key schedule weaknesses in chosen plaintext attacks [Knu93b]. Let SK i be the ith round subkey generated from master key K under the key schedule. Biham s attack takes advantage of a related key pair (K, K # ) such that SK i = SK # i 1 for nearly all i, by noting that the action of rounds 1 to r 1 with master key K is equivalent to the action of rounds ....

L.R. Knudsen, "Cryptanalysis of LOKI91," Advances in Cryptology--- AUSCRYPT '92, Springer-Verlag, 1993, pp. 196--208.

....specifies how the key is to be changed; known related key attacks are those where the key di#erence is known, but cannot be chosen by the attacker. We emphasize that the attacker knows or chooses the relationship between keys, not the actual key values. These techniques have been developed in [Knu93b, Bih94, KSW96]. Related key cryptanalysis is a practical attack on key exchange protocols that do not guarantee key integrity an attacker may be able to flip bits in the key without knowing the key and key update protocols that update keys using a known function: e.g. K, K 1, K 2, etc. Related key ....

....incorporated linear key schedules (e.g. DES) designing this type of key schedule appears to be a subtle and di#cult task. Many ciphers linear key schedules have been shown to be quite weak: we have cryptanalyzed TEA, 3 WAY, and GOST [KSW96] and others have cryptanalyzed LOKI [Knu93a] LOKI91 [Knu93b], Lucifer [BB93] and SAFER [Knu95] To protect against the known related key attacks, we propose several attackoriented design goals. To avoid the subkey rotation attacks [Bih94] round subkeys should be generated di#erently, so that each key bit a#ects nearly every round, but not always in ....

L.R. Knudsen, "Cryptanalysis of LOKI91," Advances in Cryptology--- AUSCRYPT '92, Springer-Verlag, 1993, pp. 196--208.

....The advantage of the latter is that the S boxes are more compact, and can be more easily implemented in applications where the ROM or RAM for large tables is not available. Algebraic S boxes can result in S boxes that are vulnerable to di#erential cryptanalysis: Mur90] against FEAL, and [Knu93a, Knu93b] against LOKI. Higher order di#erential cryptanalysis is especially powerful against algorithms with simple algebraic S boxes [Knu95b, JK97, SMK98] Both tabular and algebraic techniques, however, can be used to generate S boxes with given cryptographic properties, simply by testing the results of ....

L.R. Knudsen, "Cryptanalysis of LOKI91," Advances in Cryptology --- AUSCRYPT '92, Springer-Verlag, 1993, pp. 196--208.

....The advantage of the latter is that the S boxes are more compact, and can be more easily implemented in applications where the ROM or RAM for large tables is not available. Algebraic S boxes can result in S boxes that are vulnerable to differential cryptanalysis: Mur90] against FEAL, and [Knu93a, Knu93b] against LOKI. Higher order differential cryptanalysis is especially powerful against algorithms with simple algebraic S boxes [Knu95b, JK97, SMK98] Both tabular and algebraic techniques, however, can be used to generate S boxes with given cryptographic properties, simply by testing the results ....

L.R. Knudsen, "Cryptanalysis of LOKI91," Advances in Cryptology --- AUSCRYPT '92, Springer-Verlag, 1993, pp. 196--208.

.... [Vau96] IDEA [LMM91] has several classes of keys detectable with just two chosen plaintext encryptions [DGV93] The key schedule in LOKI91 allows two different keys to have several round keys in common; this reduces the effective keyspace by almost a factor of four using 2 33 chosen plaintexts [Knu93b]. Due to the weak mixing in its key schedule, RC4 has a class of detectable keys [Roo95] One out of 256 keys are detectable, and a detectable key has about a 13.8 chance of revealing 16 bits of the key in the first output byte. Lucifer has differential characteristics which are conditional on ....

....round [GT78] With hindsight, the ideas used in their known plaintext attack seem similar to the general approach of Biham s related key attacks, though their paper predated Biham s by 16 years. Others have used similar techniques to exploit key schedule weaknesses in chosen plaintext attacks [Knu93b]. Let SK i be the ith round subkey generated from master key K under the key schedule. Biham s attack takes advantage of a related key pair (K; K 0 ) such that SK i = SK 0 i 1 for nearly all i, by noting that the action of rounds 1 to r Gamma 1 with master key K is equivalent to the action ....

L.R. Knudsen, "Cryptanalysis of LOKI91," Advances in Cryptology--- AUSCRYPT '92, Springer-Verlag, 1993, pp. 196--208.

....specifies how the key is to be changed; known related key attacks are those where the key difference is known, but cannot be chosen by the attacker. We emphasize that the attacker knows or chooses the relationship between keys, not the actual key values. These techniques have been developed in [Knu93b, Bih94, KSW96] Related key cryptanalysis is a practical attack on key exchange protocols that do not guarantee key integrity an attacker may be able to flip bits in the key without knowing the key and key update protocols that update keys using a known function: e.g. K, K 1, K 2, etc. ....

....incorporated linear key schedules (e.g. DES) designing this type of key schedule appears to be a subtle and difficult task. Many ciphers linear key schedules have been shown to be quite weak: we have cryptanalyzed TEA, 3 WAY, and GOST [KSW96] and others have cryptanalyzed LOKI [Knu93a] LOKI91 [Knu93b] Lucifer [BB93] and SAFER [Knu95] To protect against the known related key attacks, we propose several attackoriented design goals. To avoid the subkey rotation attacks [Bih94] round subkeys should be generated differently, so that each key bit affects nearly every round, but not always in ....

L.R. Knudsen, "Cryptanalysis of LOKI91," Advances in Cryptology--- AUSCRYPT '92, Springer-Verlag, 1993, pp. 196--208.

....on larger blocks of bits. Because of the strong diffusion over many rounds, we believe that truncated differential attacks are not applicable to Serpent. 5. 8 Related Keys As the key schedule uses rotations and S boxes, it is highly unlikely that keys can be found that allow related key attacks [8, 15, 16]. Moreover, different rounds of Serpent use different S boxes, so even if related keys were found, related key attacks would not be applicable. Serpent has none of the simpler vulnerabilities that can result from exploitable symmetries in the key schedule: there are no weak keys, semi weak keys, ....

LR Knudsen, "Cryptanalysis of LOKI91", in Advances in Cryptology --- Auscrypt'92 Springer LNCS

....diffusion over many rounds, we believe that truncated differential attacks are not applicable to Serpent. 5. 8 Related Keys As the key schedule uses rotations and S boxes, and as we XOR the round number into the prekey, it is highly unlikely that keys can be found that allow related key attacks [9, 20, 21]. Moreover, different rounds of Serpent use different S boxes, so even if related keys were found, related key attacks would not be applicable. Serpent has none of the simpler vulnerabilities that can result from exploitable symmetries in the key schedule: there are no weak keys, semi weak keys, ....

LR Knudsen, "Cryptanalysis of LOKI91", in Advances in Cryptology --- Auscrypt '92 Springer LNCS v 718 pp 196--208

....di#usion over many rounds, we believe that truncated di#erential attacks are not applicable to Serpent. 5. 8 Related Keys As the key schedule uses rotations and S boxes, and as we XOR the round number into the prekey, it is highly unlikely that keys can be found that allow related key attacks [9, 20, 21]. Moreover, di#erent rounds of Serpent use di#erent S boxes, so even if related keys were found, related key attacks would not be applicable. Serpent has none of the simpler vulnerabilities that can result from exploitable symmetries in the key schedule: there are no weak keys, semi weak keys, ....

LR Knudsen, "Cryptanalysis of LOKI91", in Advances in Cryptology --- Auscrypt '92 Springer LNCS v 718 pp 196--208

..... In any case, linear attacks are infeasible. 4. 3 Other Attacks Related Keys: As the key schedule uses rotations and S boxes, with different S boxes in different rounds, and as we XOR the round number into the prekey, it is highly unlikely that keys can be found that allow related key attacks [4, 11, 12]. Serpent has none of the simpler vulnerabilities that can result from exploitable symmetries in the key schedule: there are no weak keys, semi weak keys, equivalent keys, or complementation properties. Higher Order Differential Cryptanalysis: Attacks based on dth order differentials [14, 16] are ....

LR Knudsen, "Cryptanalysis of LOKI91", in Advances in Cryptology --- Auscrypt '92 Springer LNCS v 718 pp 196--208

....becomes key dependent, in our opinion the intention of the design has not been reached. The best 3 round iterative characteristic that can be used in our attack has a probability of 2 Gamma13 , which is higher than the probability of 2 Gamma16 of the best 3 round characteristic for LOKI 91 [6] (a similar block cipher that makes use of four identical 12 to 8 bit S boxes) We have also demonstrated a practical attack on the fast version Thin ICE. In its basic form it finds the secret key in 25 of the cases using 2 23 chosen plaintexts, and in 95 of the cases using 2 27 plaintexts. ....

L. Knudsen, "Cryptanalysis of LOKI'91," Advances in Cryptology -- AusCrypt'92 Proceedings, LNCS 718, J. Seberry and Y. Zheng, Eds., Springer-Verlag, 1993, pp. 196--208.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC