D. Chaum and J.-H. Evertse, "Cryptanalysis of DES With a Reduced Number of Rounds," Advances in Cryptology---CRYPTO '85, Springer-Verlag, 1986, pp. 192-211.
....function in P . One measure of dissimilarity is to interpret an n bit function as a vector with $2^n$ coordinates, and use the Hamming distance metric. Then for example, functions may be chosen so that they achieve a maximum distance from all functions that are affine [14] or have linear structures [4] (defined below). Also we may consider a nonlinearity criterion to be robust if it is invariant under certain simple mappings such as affine transformations. Meier and Staffelbach [14] have shown that the distance to the set of linear functions, and the nonlinear order of a function [26] are both ....
....(that is, in the mapped domain certain key bits are degenerate). If this was the case then the cost of exhaustive search of the keyspace would be reduced. For DES, Reeds and Manferdelli [22] showed that no such factorization of the round mapping exists. Generalizing these ideas, Chaum and Evertse [4] defined linear structures and devised an attack on DES which is less costly than exhaustive search when DES is restricted to fewer than 8 rounds. An n bit function $f : \mathbb{Z}_2^n \to \mathbb{Z}_2$ is said to have a linear structure $b \neq 0 \in \mathbb{Z}_2^n$ if and only if $f(X) \oplus f(X \oplus b)$ is independent of X. Subsequently Lai ....
[Article contains additional citation context not shown here]
D. Chaum and J. H. Evertse. Cryptanalysis of DES with a reduced number of rounds. Advances in Cryptology, CRYPTO 85, H. C. Williams ed., Lecture Notes in Computer Science, vol. 218, Springer-Verlag, pages 192-211, 1986.
....Feedback (CFB) and Output Feedback (OFB). The DES has been the subject of several studies. One of the first properties that was discovered was the complementation property [10] it can be exploited to halve the number of operations for an exhaustive key search. Attacks have been described in [6, 7], but the most successful techniques are differential cryptanalysis introduced by E. Biham and A. Shamir [3] and linear cryptanalysis invented by M. Matsui [13]. The first attack which is faster than exhaustive key search was the differential attack of [5]. Most attacks on the DES are applicable ....
....exhaustive key search attack is that in this case it is not possible to perform the computations in parallel. 4 A meet in the middle attack One of the first attacks on the DES with a reduced number of rounds in ECB mode was the meet in the middle attack proposed by D. Chaum and J. H. Evertse [6]. The attack is faster than exhaustive search for N 6. The basic idea is to look for r data bits in a middle round that depend on a limited number s of key bits. First an exhaustive search is performed for these bits, and subsequently the remaining key bits are determined. In the case of the ....
[Article contains additional citation context not shown here]
D. Chaum and J.-H. Evertse, "Cryptanalysis of DES with a reduced number of rounds," Advances in Cryptology, Proc. Crypto'85, LNCS 218, H.C. Williams, Ed., Springer-Verlag, 1985, pp. 192-211.
....a satisfactory solution to this problem but we will try an empirical approach such that, if the block size of a cryptosystem could be reduced into half sized cryptosystem recursively, some checked properties of the cryptosystem would be invariant. There was a similar approach to cryptanalyze DES [13] by reducing the number of rounds. If this method could be proved to be one solution of this problem, it can be of great use to evaluate the security of a cryptosystem. Putting aside this problem for the moment, we will check the cyclic properties (cycle length, number of disjoint cycles, ....
D. Chaum and J.H. Evertse, "Cryptanalysis of DES with a Reduced Number of Rounds", Advances in Cryptology, Proc. of CRYPTO'85, Springer-Verlag, pp. 192--211, 1986.
....block cipher and two different keys [MH81, OW91, OW95]. 2.2 Linear Factors A linear factor is a fixed set of key bits whose complementation leaves the XOR of a fixed set of ciphertext bits unchanged; this weakness can be used to speed up an exhaustive key search. Six round DES has a linear factor [CE86]. 2.3 Weak Keys A weak key, K, is a key for which encryption is the same function as decryption. A pair of semi weak keys, K and K', are keys for which encryption with K is the same as decryption with K' and vice versa. Both DES and LOKI89 have weak keys [Dav83, Cop86, MS87, Knu93a] 1 If ....
D. Chaum and J.-H. Evertse, "Cryptanalysis of DES With a Reduced Number of Rounds," Advances in Cryptology---CRYPTO '85, Springer-Verlag, 1986, pp. 192--211.
....simple relation, exist, finding collision for a cryptographic hash function based on a symmetric key block cipher becomes easier. 3. A clue to related key cryptanalysis [B94] may be found. All bits of master key equally influence all bits of subkeys A meet in the middle [CE86] attack becomes possible against an iterated cipher if one part of the master key influences a particular subkey. Satisfying this condition also yields immunity to related key cryptanalysis. Deriving subkeys or master key from other subkeys is computationally infeasible Most analytic attacks, ....
D. Chaum and J.-H. Evertse. Cryptanalysis of DES with a Reduced Number of Rounds. In H. C. Williams, editor, Advances in Cryptology --- CRYPTO'85, Volume 218 of Lecture Notes in Computer Science, pp. 192--211. Springer-Verlag, Berlin, Heidelberg, New York, 1986.
....been the subject of several studies. One of the first properties that was discovered was the complementation property [11] it can be exploited to halve the number of operations for an exhaustive key search. Other interesting properties have been identified in [8]. Attacks have been described in [6, 7], but the most successful techniques are differential cryptanalysis introduced by E. Biham and A. Shamir [3] and linear cryptanalysis invented by M. Matsui [15]. The first attack which is faster than exhaustive key search was the differential attack of [5]. Most attacks N.F.W.O. postdoctoral ....
....exhaustive key search attack is that in this case it is not possible to perform the computations in parallel. 4 A meet in the middle attack One of the first attacks on the DES with a reduced number of rounds in ECB mode was the meet in the middle attack proposed by D. Chaum and J. H. Evertse [6]. The attack is faster than exhaustive search for N 6. The basic idea is to look for r data bits in a middle round that depend on a limited number s of key bits. First an exhaustive search is performed for these bits, and subsequently the remaining key bits are determined. In the case of the CFB ....
[Article contains additional citation context not shown here]
D. Chaum and J.-H. Evertse, "Cryptanalysis of DES with a reduced number of rounds," Advances in Cryptology, Proc. Crypto'85, LNCS 218, H.C. Williams, Ed., Springer-Verlag, 1985, pp. 192--211.
....require (at present) too much data to be practical. Other attacks, particularly some of those that were proposed in the 1980s are only effective on reduced round versions because as the number of rounds is increased, they become very unwieldy or even infeasible to mount. Chaum and Evertse [27] considered the use of what they termed sequences of linear factors which would allow a meet in the middle attack to be mounted. Unfortunately it was also shown that their approach, as it stood, would not extend beyond eight rounds. Biham and Shamir [17] report that in 1987 Davies proposed a known ....
D. Chaum and J. Evertse. Cryptanalysis of DES with a reduced number of rounds, sequences of linear factors in block ciphers. In H.C. Williams, editor, Advances in Cryptology --- Crypto '85, volume 218 of Lecture Notes in Computer Science, pages 192--211, New York, 1986. Springer-Verlag.
....block cipher and two different keys [MH81, OW91, OW95]. 2.2 Linear Factors A linear factor is a fixed set of key bits whose complementation leaves the XOR of a fixed set of ciphertext bits unchanged; this weakness can be used to speed up an exhaustive key search. Six round DES has a linear factor [CE86]. 2.3 Weak Keys A weak key, K, is a key for which encryption is the same function as decryption. A pair of semi weak keys, K and K', are keys for which encryption with K is the same as decryption with K' and vice versa. Both DES and LOKI89 have weak keys [Dav83, Cop86, MS87, Knu93a] 1 ....
D. Chaum and J.-H. Evertse, "Cryptanalysis of DES With a Reduced Number of Rounds," Advances in Cryptology---CRYPTO '85, Springer-Verlag, 1986, pp. 192--211.
....simplified ciphers. The cryptographic literature documents a great variety of elementary attacks on DES, so there is no lack of ideas to try. Notably, MacGuffin has no obvious complementation properties to speed up exhaustive search, and is immune from Chaum and Evertse's meet in the middle attack [5] after more than 6 rounds. MacGuffin is about as resistant as DES against most other elementary attacks. Still, two slightly more sophisticated statistical attacks penetrated reduced-round variants of MacGuffin successfully enough to be worrisome. The first uses Table 1. Statistical tests on DES ....
David Chaum and Jan-Hendrik Evertse. Cryptanalysis of DES with a reduced number of rounds. In Advances in Cryptology: CRYPTO '85, pages 192--211. Springer-Verlag, 1986.
....defined as the absence of a dependency between two parameters in a cipher. Degeneracy in the key allows the keyspace to be partitioned into several smaller subspaces that can be searched independently, and hence provides a divide and conquer approach to exhaustive search for the actual key [3][24]. Any encryption function E can be implemented as a circuit, which permits E to be modeled as a system of boolean equations. Let $E : \mathbb{Z}_2^n \times \mathbb{Z}_2^m \to \mathbb{Z}_2^n$ be an encryption function that maps n bit plaintexts to n bit ciphertexts, under the action of an m bit key. Let $E_K(X)$ be the ....
....cipher performs influences the set permutations realized by the cipher. Even and Goldreich [7] have noted that some permutations within S 2 n require at least (log(2 2 n ) n Delta 2 n rounds to be realized by DES like product ciphers. The meet in the middle attack of Chaum and Evertse [3] relies on the observation that a minimum number of rounds are required for a product cipher to establish dependencies between the key, plaintext and ciphertext. One open problem is then to determine the minimum number of rounds required to establish these dependencies, and also guarantee that the ....
D. Chaum and J.-H. Evertse. Cryptanalysis of DES with a reduced number of rounds. Advances in Cryptology, CRYPTO 85, H. C. Williams ed., Lecture Notes in Computer Science, vol. 218, Springer-Verlag, pages 192--211, 1986.
....in P . One measure of dissimilarity is to interpret an n bit function as a vector with $2^n$ coordinates, and use the Hamming distance metric. Then for example, functions may be chosen so that they achieve a maximum distance from all functions that are affine [14] or have linear structures [4] (defined below). Also we may consider a nonlinearity criterion to be robust if it is invariant under certain simple mappings such as affine transformations. Meier and Staffelbach [14] have shown that the distance to the set of linear functions, and the nonlinear order of a function [26] are both ....
....(that is, in the mapped domain certain key bits are degenerate). If this was the case then the cost of exhaustive search of the keyspace would be reduced. For DES, Reeds and Manferdelli [22] showed that no such factorization of the round mapping exists. Generalizing these ideas, Chaum and Evertse [4] defined linear structures and devised an attack on DES which is less costly than exhaustive search when DES is restricted to fewer than 8 rounds. An n bit function $f : \mathbb{Z}_2^n \to \mathbb{Z}_2$ is said to have a linear structure $b \neq 0 \in \mathbb{Z}_2^n$ if and only if $f(X) \oplus f(X \oplus b)$ is independent of X. ....
[Article contains additional citation context not shown here]
D. Chaum and J. H. Evertse. Cryptanalysis of DES with a reduced number of rounds. Advances in Cryptology, CRYPTO 85, H. C. Williams ed., Lecture Notes in Computer Science, vol. 218, Springer-Verlag, pages 192--211, 1986.
....avoids this type of complementation property. In fact, MacGuffin appears to have no obvious complementation properties at all. Thus, brute force key search of MacGuffin probably requires $2^{128}$ trial encryptions a tremendously large figure. 4.2 A meet in the middle attack Chaum and Evertse [24] show that DES 6 is vulnerable to a meet in the middle attack requiring a few known plaintexts and $2^{54}$ trial encryptions. Variants with fewer rounds are even more susceptible to this attack. Their attack searches for a set S of data bits in a middle round and a set T of key bits so that any ....
David Chaum and Jan-Hendrik Evertse. Cryptanalysis of DES with a reduced number of rounds. In Advances in Cryptology: CRYPTO '85, pages 192--211. Springer-Verlag, 1986.
....are particularly applicable to product ciphers. We consider linear relationships between the plaintext and ciphertext bits, using elementary arguments from linear algebra, and then using linear relationships under real number addition based on canonical correlation analysis. Linear structures [4] are also examined, which are a form of linearity that leads to degeneracy in the key, meaning that certain bits do not affect the ciphertext. We show that most functions are not expected to have a linear structure, though even partial linearity in this respect leads to a powerful attack known as ....
....relationships between the plaintext and ciphertext bits, using elementary arguments from linear algebra. We also investigate the application of canonical correlation analysis to cryptanalysis, which examines linear relationships under real number addition. In §3 we consider linear structures [4], a form of linearity that leads to degeneracy in the key (here degeneracy means that when the influence of the key is modelled as a boolean function f, certain key bits do not affect the function). We show that most functions are not expected to have linear structures, though even partial ....
[Article contains additional citation context not shown here]
D. Chaum and J.-H. Evertse. Cryptanalysis of DES with a reduced number of rounds. Advances in Cryptology, CRYPTO 85, H. C. Williams ed., Lecture Notes in Computer Science, vol. 218, Springer-Verlag, pages 192--211, 1986.
....the key was suggested in [9]. The formal manipulations of these expressions may decrease the key search effort. Schaumuller Bichl [16, 17] studied this method and concluded that it requires an enormous amount of computer memory which makes the whole approach impractical. In 1987 Chaum and Evertse [2] showed that a meet in the middle attack can reduce the key search for DES reduced to a small number of rounds by the following factors (Number of Rounds: Reduction Factor): 4: $2^{19}$; 5: $2^{9}$; 6: $2^{2}$; 7: They also showed that a slightly modified version of DES reduced to seven rounds can be solved ....
David Chaum, Jan-Hendrik Evertse, Cryptanalysis of DES with a reduced number of rounds, Sequences of linear factors in block ciphers, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of CRYPTO'85, pp. 192--211, 1985.
....property that halves the number of searched keys) has ever been reported in the open literature. The lack of progress in the cryptanalysis of the full DES led many researchers to analyse simplified variants of DES, and in particular variants of DES with fewer than 16 rounds. Chaum and Evertse [4] described an attack on reduced variants of DES, whose complexity is $2^{54}$ for the six round variant. They showed that their attack is not applicable to variants with eight or more rounds. Davies [5] devised a known plaintext attack whose application to DES reduced to eight rounds analyzes $2^{40}$ ....
David Chaum, Jan-Hendrik Evertse, Cryptanalysis of DES with a reduced number of rounds, Sequences of linear factors in block ciphers, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of CRYPTO'85, pp. 192--211, 1985.
No context found.
D. Chaum and J.-H. Evertse, "Cryptanalysis of DES With a Reduced Number of Rounds," Advances in Cryptology---CRYPTO '85, Springer-Verlag, 1986, pp. 192-211.
No context found.
David Chaum, Jan-Hendrik Evertse, Cryptanalysis of DES with a reduced number of rounds, Sequences of linear factors in block ciphers, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of CRYPTO'85, pp. 192--211, 1985.
No context found.
D. Chaum, J.-H. Evertse, Cryptanalysis of DES with a Reduced Number of Rounds, Sequences of Linear Factors in Block Ciphers, Advances in Cryptology, Proceedings of Crypto 85, pp. 192--211, 1985.
No context found.
David Chaum, Jan-Hendrik Evertse, Cryptanalysis of DES with a reduced number of rounds, Sequences of linear factors in block ciphers, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of CRYPTO'85, pp. 192--211, 1985.