B. S. Kaliski, Y. L. Yin, On Differential and Linear Cryptanalysis of the RC5 Encryption Algorithm, Lecture Notes in Computer Science 963, Advances in Cryptology -- CRYPTO'95, pp.171--184, Springer-Verlag, 1995.


This paper is cited in the following contexts:
From Differential Cryptanalysis to Ciphertext-Only Attacks - Biryukov, Kushilevitz (1998)   (2 citations)

.... our approach with a ciphertext only attack on 4 round RC5 using only $2^{17}$ ciphertexts, and a known plaintext attack on 6 round RC5 (as of today this is the first known plaintext attack on this cipher) with about $2^{18}$ plaintext ciphertext pairs (the previous known plaintext attack on this cipher [10] required $2^{57}$ for 6 round RC5 but it was found erroneous [25]). We show new known plaintext attacks on seven round DES [22] with about $2^{17}$ known plaintexts and on Lucifer [8] with about $2^{13}$ known plaintexts. 1 Finally we show, that our attacks are applicable not only to ECB mode, but ....

....version of RC5 is referred to as: RC5-32/12/16. Another version with 64 bit words and 16 rounds was suggested for future 64 bit architectures (RC5-64/16/16). The main feature of the cipher is intensive use of data dependent rotations. We use a description of RC5 as a so called Feistel cipher from [10]. Denote by $(L_0, R_0)$ the left and right halves of the plaintext, and let $S_i$ be the $i$th subkey from the expanded key table $S$ generated before encryption. The particular expansion algorithm has no influence on our cryptanalysis. As in all previous attacks, we assume that the subkeys produced by ....

[Article contains additional citation context not shown here]

B. S. Kaliski, Y. L. Yin, On Differential and Linear Cryptanalysis of the RC5 Encryption Algorithm, Lecture Notes in Computer Science 963, Advances in Cryptology -- CRYPTO'95, pp.171--184, Springer-Verlag, 1995.


A Timing Attack on RC5 - Handschuh   (7 citations)

....choice of these parameters. Therefore we will focus on the nominal choice for the algorithm which is RC5-32/12/16. The security of RC5 relies on the heavy use of data dependent rotations. Kaliski and Yin analyzed the security of RC5 against differential and linear cryptanalysis at Crypto 95 [3]. Later Knudsen and Meier published improved differential attacks at Crypto 96 [4] and Selcuk showed some new results in linear cryptanalysis of RC5 at Fse 98 [5]. Finally Biryukov and Kushilevitz improved the cryptanalysis of RC5 even further at Eurocrypt 98 [6]. For now RC5 is shown to be ....

B. S. Kaliski and Y. L. Yin. On Differential and Linear Cryptanalysis of the RC5 Encryption Algorithm. In Advances in Cryptology - Crypto'95, LNCS 963, pages 171-184. Springer-Verlag, 1995.


Akelarre: a new Block Cipher Algorithm - Gonzalo Álvarez Dolores

....is one round. Then we face up to the addition rotation structure, which is itself an iteration of a simpler structure, composed of alternated rotations and additions. This structure presents a notable similarity with RC5 encryption algorithm, and can be analysed in the same way. Kaliski and Yin [Kal 95] have found a way to attack to RC5 with differential analysis focusing on characteristics for which the pair of inputs have the same rotations amount, because if a pair of inputs to a half round have different rotation amounts, then the pair of outputs from the half round will differ in many ....

B. S. Kalisky, Y. L. Yin, On Differential and Linear Cryptanalysis of the RC5 Encryption Algorithm. Advances in Cryptology-CRYPTO'95, 171--184, 1995.


CryptoBytes - The Technical Newsletter

....it is unknown whether any such machine has been built, and DES is still very widely used, in part because of its continued resistance to sophisticated cryptanalytic attacks. For those concerned about the length of the keys used in DES there are a variety of options available, such as triple DES [3] or an alternative cipher like IDEA [4], Ron Rivest's DESX [8] or RC5 [7] with which longer keys can be used. However, for certain countries, among them the United States, the export of cryptographic products is a sensitive issue and the cryptographic length of the encryption key may be limited. ....

.... Asiacrypt 94, pages 263-277, Springer Verlag, 1995. [2] J. Cowie, B. Dodson, R.M. Elkenbracht-Huizing, A.K. Lenstra, P.L. Montgomery and J. Zayer. A world wide number field sieve factoring record: On to 512 bits. In Advances in Cryptology Asiacrypt 96, pages 382-394, Springer Verlag, 1996. [3] B.S. Kaliski Jr. and M.J.B. Robshaw. Multiple encryption: weighing up security and performance. Dr. Dobb's Journal, #243, pages 123-127, January 1996. [4] X. Lai, J.L. Massey and S. Murphy. Markov ciphers and differential cryptanalysis. In Advances in Cryptology Eurocrypt 91, pages 17-38, ....

[Article contains additional citation context not shown here]

B.S. Kaliski and Y.L. Yin. On differential and linear cryptanalysis of the RC5 encryption algorithm. In Advances in Cryptology---Crypto `95, pages 171--183, Springer-Verlag, 1995.


CryptoBytes - Cryptographic Laboratories Research

....function or a variant of it may be a suitable pseudorandom function for Bellare et al.'s techniques, something which further research will determine. References [1] M. Bellare, R. Canetti and H. Krawczyk. Keying MD5 Message authentication via iterated pseudorandomness. In preparation. [2] Mihir Bellare, Roch Guérin and Phillip Rogaway. XOR MACs: New methods for message authentication using block ciphers. Accepted to Crypto 95. [3] Mihir Bellare, Joe Kilian and Phillip Rogaway. The security of cipher block chaining. In Yvo G. Desmedt, editor, Advances in Cryptology Crypto 94, ....

....hash function to message authentication, which is a practical solution, since MD5 is already trusted, and software for MD5 is widely available. For the long term, designing a message authentication code from scratch is perhaps a better solution. Mihir Bellare, Roch Guérin and Phillip Rogaway [2] describe techniques for such message authentication that are provably secure, under certain assumptions about the underlying functions. Their techniques are also highly parallelizable, a feature that the iterative approach lacks by definition. Bellare et al.'s techniques assume the existence of ....

[Article contains additional citation context not shown here]

B. S. Kaliski Jr. and Y. L. Yin. On differential and linear cryptanalysis of the RC5 encryption algorithm. Accepted to Crypto '95.


CryptoBytes - Cryptographic Laboratories Research

....savings, and possibly faster implementation. Elliptic curves In 1985, Neal Koblitz and Victor Miller independently proposed using the group of points on an elliptic curve in existing discrete log cryptosystems. For an introduction to this subject, the reader is referred to the books by Koblitz [2] and Stinson [4]. A more complete treatment is given by Menezes [3]. Without going into all the details, an elliptic curve over a finite field F is the set of all solutions (also called points) (x,y) x F, y F, to an equation of a special form. For example, if the finite field is $F = Z_p$, the ....

....beneficial in applications where computational power and integrated circuit space is limited, such as smart cards, PCMCIA cards, and wireless devices. References [1] B. Dodson and A. Lenstra, NFS with four large primes: an explosive experiment, Advances in Cryptology CRYPTO 95, to appear. [2] N. Koblitz, A Course in Number Theory and Cryptography, Springer Verlag, New York, 1994. [3] A. Menezes, Elliptic Curve Public Key Cryptosystems, Kluwer Academic Publishers, Boston, 1993. [4] D. Stinson, Cryptography Theory and Practice, CRC Press, Boca Raton, 1995. the ASIC mentioned above ....

[Article contains additional citation context not shown here]

B.S. Kaliski and Y.L. Yin. On differential and linear cryptanalysis of the RC5 encryption algorithm. To appear at Crypto '95.


A Timing Attack on RC5 - Handschuh, Heys (1999)   (7 citations)

....choice for the algorithm, RC5-32/12/16, which has a 64 bit block size, 12 rounds, and a 128 bit key. The security of RC5 relies on the heavy use of data dependent rotations. The application of the two powerful attacks of differential and linear cryptanalysis to RC5 is considered by Kaliski and Yin [2], who show that the 12 round nominal cipher appears to be secure against both attacks. In [3] Knudsen and Meier extend the analysis of the differential attacks of RC5 and show that, by searching for appropriate plaintexts to use, the complexity of the attack can be reduced by a factor of up to ....

.... but are trivially determined using only a modest number of known plaintexts and ciphertexts: $S_1$ is simply determined using one known plaintext and using the relationship $S_1 = L_2 - R_0$, $S_2$ can be determined with a modest number of known plaintexts using, for example, linear cryptanalysis [2], and $S_0$ can be easily derived once $S_1$ and $S_2$ are determined using $S_0 = [((R_2 - S_2) \ggg L_2) \oplus L_2] - L_0$. 6 Experimental Results In this section we present the experimental results which validate the effectiveness of the attack. Both Methods A and B assume that the values of ....

B. S. Kaliski and Y. L. Yin. On Differential and Linear Cryptanalysis of the RC5 Encryption Algorithm. In Advances in Cryptology - Crypto'95, LNCS 963, pages 171-184. Springer-Verlag, 1995.


A Timing Attack on RC5 - Anonymo Us

....choice of these parameters. Therefore we will focus on the nominal choice for the algorithm which is RC5-32/12/16. The security of RC5 relies on the heavy use of data dependent rotations. Kaliski and Yin analyzed the security of RC5 against differential and linear cryptanalysis at Crypto 95 [3]. Later Knudsen and Meier published improved differential attacks at Crypto 96 [4] and finally Selcuk shows some new results in linear cryptanalysis of RC5 at Fse 98 [5]. For now RC5 is shown to be secure against differential cryptanalysis after 14 rounds, and against linear cryptanalysis after 6 ....

B. S. Kaliski and Y. L. Yin. On Differential and Linear Cryptanalysis of the RC5 Encryption Algorithm. In Advances in Cryptology - Crypto'95, LNCS 963, pages 171-184. Springer-Verlag, 1995.


From Differential Cryptanalysis to Ciphertext-Only Attacks - Biryukov, Kushilevitz (1998)   (2 citations)

.... approach with a ciphertext only attack on 4 round RC5 using only $2^{17}$ ciphertexts, and a known plaintext attack on 6 round RC5 (as of today this is the first known plaintext attack on this cipher) with about $2^{18}$ plaintext ciphertext pairs (the previous known plaintext attack on this cipher [8] required $2^{57}$ for 6 round RC5 but it was found erroneous [22]). We show a new known plaintext attack on seven round DES [19] with about $2^{17}$ known plaintexts. 1 Finally we show, that our attacks are applicable not only to ECB mode, but also to the first block of the CBC (Cipher Block ....

....version of RC5 is referred to as: RC5-32/12/16. Another version with 64 bit words and 16 rounds was suggested for future 64 bit architectures (RC5-64/16/16). The main feature of the cipher is intensive use of data dependent rotations. We use a description of RC5 as a so called Feistel cipher from [8]. Denote by $(L_0, R_0)$ the left and right halves of the plaintext, and let $S_i$ be the $i$th subkey from the expanded key table $S$ generated before encryption. The particular expansion algorithm has no influence on our cryptanalysis. As in all previous attacks, we assume that the subkeys produced by ....

[Article contains additional citation context not shown here]

B. S. Kaliski, Y. L. Yin, On Differential and Linear Cryptanalysis of the RC5 Encryption Algorithm, Lecture Notes in Computer Science 963, Advances in Cryptology -- CRYPTO'95, pp.171--184, Springer-Verlag, 1995.


Block Ciphers - Robshaw (1995)

....of linear cryptanalysis is dependent on the function f that is used at each step of the iterated cipher. Because of its application to DES, much research is being conducted into the design of S boxes; see Section 4.6. There have been various attempts to apply linear cryptanalysis to other ciphers [68, 121, 122, 143, 145]. And while there have also been results which provide a more satisfying theoretical framework for assessing linear cryptanalysis [34] and other results consider its applicability in the average case [119] it is still not clear how to formulate some generic design technique which will protect a ....

....8.2 Status RC5 has only been available for public scrutiny for about six months at the time of writing, and this is not sufficient time to provide anywhere near a reasonable review of the cipher in the public domain. However, some early indications are quite promising. Work by Kaliski and Yin [68] have established the limits of certain differential and linear cryptanalytic attacks on RC5 and the twelve rounds proposed by Rivest do in fact appear to ensure that both attacks are impractical. Interestingly the major primitive used by Rivest, data dependent rotations, appears to be ....

B.S. Kaliski and Y.L. Yin. On differential and linear cryptanalysis of the RC5 encryption algorithm. In Advances in Cryptology --- Crypto '95, Lecture Notes in Computer Science, New York. Springer Verlag. To appear.


Transform Domain Analysis of DES - Gong, Golomb (1998)

....1 RC5, which was invented by Rivest [21] in 1994, is also a block cipher with parameters that can be easily switched into a mode of 64 bit, or 128 bit, or 256 bit data encryption. RC5 is widely used in Internet communications [24]. The security of RC5 was discussed at recent Crypto conferences [10, 12]. Until now, RC5 has been implemented in software. The approach developed in this paper can be applied to RC5, since RC5 has the same NLFSR structure as DES, only differing in their feedback functions. So, RC5 can be easily implemented in hardware in terms of its NLFSR architecture. For RC5, the ....

B.S. Kaliski and Y.L. Yin, On differential and linear cryptanalysis of RC5 encryption algorithm, Advances in Cryptology, Proceedings of Crypt'95, pp. 171-183, Lecture Notes in Computer Science, Springer-Verlag, 1995.


Improved Differential Attacks on RC5 - Knudsen, Meier (1996)   (12 citations)

....bytes key, referred to as RC5-32/12/16. A novel feature of the algorithm is the use of data-dependent rotations. The security of RC5 relies on the rotation operation and the mixed use of xor and addition of words. Kaliski and Yin evaluated RC5 with respect to differential and linear cryptanalysis [2]. It was shown that linear cryptanalysis is applicable only for versions of RC5 with a small number of rounds. Also, it was conjectured that the linear approximations in the analysis were optimal and that the use of 12 rounds for RC5 is sufficient to make both differential and linear cryptanalysis ....

....of RC5 one finds that there exist keys for which the attacks perform even better. This is somewhat surprising since RC5 has a very complex key schedule, but, as we will see, the existence of weak keys is not due to the key schedule itself. In the following we use the description of RC5 from [2]. Let $(L_0, R_0)$ denote the left and right halves of the plaintext, respectively, and let $S_i$ be the $i$th subkey. Then the ciphertext $(L_{2r+1}, R_{2r+1})$ is defined by $L_1 = L_0 + S_0$, $R_1 = R_0 + S_1$, for $i = 2$ to $2r+1$ do $L_i = R_{i-1}$, $R_i = ((L_{i-1} \oplus R_{i-1}) \lll R_{i-1})$ ....

[Article contains additional citation context not shown here]

B. Kaliski and Y.L. Yin. On differential and linear cryptanalysis of the RC5 encryption algorithm. In D. Coppersmith, editor, Advances in Cryptology - CRYPTO'95, LNCS 963, pages 171--184. Springer Verlag, 1995.


Improved Cryptanalysis of RC5 - Biryukov, Kushilevitz (1998)   (15 citations)

....32 bit words, 12 rounds and a 16 byte key. This version of RC5 is referred to as: RC5-32/12/16. Another version with 64 bit words and 16 rounds was suggested for future 64 bit architectures (RC5-64/16/16). The main feature of the cipher is intensive use of data dependent rotations. Kaliski and Yin [3] evaluated the strength of the RC5 algorithm with respect to differential [1] and linear [6] attacks. They found a linear attack on RC5 with 6 rounds that uses $2^{57}$ known plaintexts and whose plaintext requirement is impractical after 6 rounds 1 . Their differential attack on RC5-32/12/16 uses ....

....$2^{63}$ chosen plaintexts. An improvement of this attack by a factor of up to 512 was given by Knudsen and Meier [4]. Their idea was to find plaintexts so that there are no rotations in the first few half rounds. Once these plaintexts have been identified the differential attack of Kaliski and Yin [3] can be performed with differentials of higher probability. The attack in [4] uses $2^{54}$ chosen plaintexts 1 As of today no known plaintext attack on RC5, even with reduced number of rounds exists due to recent result [9] which found gaps in the linear attack on RC5 described in [3] on ....

[Article contains additional citation context not shown here]

B. S. Kaliski, Y. L. Yin, On Differential and Linear Cryptanalysis of the RC5 Encryption Algorithm, Lecture Notes in Computer Science 963, Advances in Cryptology -- CRYPTO'95, pp.171--184, Springer-Verlag, 1995.


On the Design and Security of RC2 - Lars Knudsen (1998)   (3 citations)

....within RC2. The decision to restrict our attention to single bit differences facilitates analysis but is also motivated by a typical assumption that characteristics involving multiple bit differences over integer addition will generally hold with lower probability than single bit characteristics [6]. We note that other more complex techniques [2, 7] might open new avenues for the analysis of RC2. We will use $e_t$ to denote the 16 bit word with a single one bit in position $t$ from the right, all other bits being set to zero. We also view the leftmost bit of a 16 bit word to be the most ....

....user of RC2 there is circumstantial evidence that linear cryptanalysis is unlikely to pose a threat to RC2. Such attacks appear to be ineffective for ciphers that mix integer addition and bitwise operations unless the approximation can be limited to the least significant bits across an addition [6]. Such a restriction appears unlikely as an extension of the current approximation into a third MIXING round illustrates: 4 Note that the whole issue of key dependence in linear cryptanalysis is a complex one that is rarely addressed in detail. step R[0] R[1] R[2] R[3] round 3 e1 Phi e2 ....

B.S. Kaliski and Y.L. Yin. On differential and linear cryptanalysis of the RC5 encryption algorithm. In D. Coppersmith, editor, Advances in Cryptology --- Crypto '95, volume 963 of Lecture Notes in Computer Science, pages 171--184, 1995. Springer Verlag.


Improved Analysis of Some Simplified Variants of RC6 - Contini, Rivest, Robshaw, Yin (1999)   (2 citations)  Self-citation (Yin)

....gives a good illustration of the relative diffusive effect of RC6 and its weakened variants. It also illustrates the role of the quadratic function in the security of RC6. Basic differential style attacks attempt to predict and control the change from one round to the next during encryption [5]. Improved attacks on RC5 [2, 8] do not attempt to predict the difference quite so closely. Instead, they rely on the relatively slow diffusive effect of RC5 to ensure that any change propagating through the cipher remains manageable and to some extent predictable. Even though single bit starting ....

B.S. Kaliski and Y.L. Yin. On differential and linear cryptanalysis of the RC5 encryption algorithm. In D. Coppersmith, editor, Advances in Cryptology --- Crypto '95, volume 963 of Lecture Notes in Computer Science, pages 171--184, 1995. Springer Verlag.


The Security of the RC6 Block Cipher - Contini, Rivest, Robshaw, Yin (1998)   (3 citations)  Self-citation (Yin)

....performance. The inner loop, however, is based around the same half round found in RC5. RC5 was intentionally designed to be extremely simple, to invite analysis shedding light on the security provided by extensive use of data dependent rotations. Since RC5 was proposed in 1994, various studies [2, 4, 8, 9, 14, 31] have provided a greater understanding of how RC5's structure and operations contribute to its security. While no practical attack on RC5 has been found, the studies provide some interesting theoretical attacks, generally based on the fact that the rotation amounts in RC5 do not depend on all of ....

....that the estimates we derive for the full cipher will provide the reader with a reasonably accurate picture of the security provided by RC6. 2.2.1 Differential cryptanalysis of RC5 Since the publication of RC5, there have been several results on the strength of RC5 against differential attacks [2, 8, 14]. Analysis of RC5 [8, 9] has shown that the most advantageous strategy for a cryptanalyst is to use differences that do not affect the rotation amount. In fact, once there is a difference in the rotation amount, a very quick avalanche of change takes place that appears to thwart existing ....

[Article contains additional citation context not shown here]

B.S. Kaliski and Y.L. Yin. On differential and linear cryptanalysis of the RC5 encryption algorithm. In D. Coppersmith, editor, Advances in Cryptology --- Crypto '95, volume 963 of Lecture Notes in Computer Science, pages 171--184, 1995. Springer Verlag.


The RC6 Block Cipher - Rivest, Robshaw, Sidney, Yin (1998)   (28 citations)  Self-citation (Yin)

....performance. The inner loop, however, is based around the same half round found in RC5. RC5 was intentionally designed to be extremely simple, to invite analysis shedding light on the security provided by extensive use of data dependent rotations. Since RC5 was proposed in 1995, various studies [2, 4, 7, 10, 14, 18] have provided a greater understanding of how RC5's structure and operations contribute to its security. While no practical attack on RC5 has been found, the studies provide some interesting theoretical attacks, generally based on the fact that the rotation amounts in RC5 do not depend on all of ....

....interest, particularly when support for 64 bit arithmetic in C improves. However we merely mention this as an aside here. 5.2 Good performance for a given level of security Since the publication of RC5 there have been several notable papers providing substantive progress in the analysis of RC5 [2, 7, 10, 18]. While the latest techniques demonstrate that RC5-32/12/b, i.e. a 12 round version of RC5, might not be suitable for longer term security needs, these attacks currently fall short of providing any real avenue for practical attack against a 16 round version. Most existing cryptanalytic results on ....

B.S. Kaliski and Y.L. Yin. On differential and linear cryptanalysis of the RC5 encryption algorithm. In D. Coppersmith, editor, Advances in Cryptology --- Crypto '95, volume 963 of Lecture Notes in Computer Science, pages 171--184, 1995. Springer Verlag.


CiteSeer.IST - Copyright Penn State and NEC