M. Matsui, A. Yamagishi. A New Method for Known Plaintext Attack of FEAL Cipher, Proceedings of Conference EUROCRYPT'92, pp. 81-91.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....cryptanalysis, both methods will be described, separately. 2 Linear Cryptanalysis Linear cryptanalysis (LC) is a cryptanalytic technique that dates back to the works of Tardy Corfdir and Gilbert on FEAL 4 and FEAL 6 [1] and the attack by Matsui and Yamaguishi against the FEAL block cipher [6], and subsequently improved by Matsui against DES [5] The LC technique explores binary valued linear approximations (also called linear relations) between a subset of the plaintext, ciphertext and (sub)key bits. A linear relation expresses a statistical correlation between input, output and key ....

M. Matsui, A. Yamagishi, \A new method for known plaintext attack on FEAL cipher," Advances in Cryptology, Eurocrypt'92, LNCS 658, R.A. Rueppel, Ed., Springer-Verlag, 1993, pp. 81-91.

....Weight of a vector a is the number of non zero bytes in a The bit Hamming Weight of a vector a is the number of non zero bits in a. 4 Linear Cryptanalysis Linear cryptanalysis is a known plaintext attack due to Matsui and Yamagishi. This technique was used against the FEAL cipher in 1993 (see [11]) and against the DES cipher in 1994 (see [10] Some terminology is needed for the following analysis: De nition 3. nR attack) An nR attack, in the current context, stands for a linear cryptanalytic attack on subkeys embedded in n rounds of an iterated cipher, surrounding a given linear ....

....(3) to hold with the given bias. This key class represents a fraction of 2 of the key space, or a set of size, 2 128 122 (for 128 bit keys, for example) It is estimated that N = 8 (2 known plaintext ciphertext pairs are needed for a high success rate linear attack [10, 11]. Since, in practice the most signi cant bit of the subkey bytes combined via exclusive or, K 6 , are not uniquely determined, the complexity of the attack is 2 12 8 8 partial 3 round SAFER computations. Finally, the following linear relation can be used to attack four rounds of ....

M. Matsui, A. Yamagishi, \A New Method for Known Plaintext Attack on FEAL Cipher," Advances in Cryptology, Proceedings Eurocrypt'92, LNCS 658, R.A. Rueppel, Ed., Springer-Verlag, 1993, pp. 81-91.

....depends on the attacking algorithm that is used. Here # is called the deviation and # = # is called the bias (note that in the literature different names are sometimes used) The technique was used by Matsui in 1993 [82] to analyse DES, after a preliminary version of the attack on FEAL in 1992 [84]. A linear cryptanalysis has complexity approximately the inverse square of the bias of the linear approximation. The concept of linear hulls, extending this technique, was introduced in [90] Mod n cryptanalysis In [64] a generalisation of the linear attacks is considered. This attack is ....

M. Matsui and A. Yamagishi. A new method for known plaintext attack of FEAL cipher. In Advances in Cryptology -- EUROCRYPT '92, LNCS 658, pages 81--91. Springer, 1992.

....cipher, or at least that they may provide some insight in potential weaknesses in the original cipher. 4 Linear Cryptanalysis of SAFER 4. 1 Linear Cryptanalysis Linear cryptanalysis is a statistical, known plaintext attack introduced by Matsui and Yamagishi in 1992 in an attack against FEAL [19]. It was extended to DES in 1993 [18] The attack explores (approximate) linear relations between plaintext, ciphertext and subkey bits. Linear approximations for an iterated cipher are usually made by combining approximations for each round. If X i = x n ; xn 1 ; x 2 ; x 1 ) is an n bit ....

M. Matsui, A. Yamagishi, \A new method for known plaintext attack on FEAL cipher," Advances in Cryptology, Proceedings Eurocrypt'92, LNCS 658, R.A. Rueppel, Ed., Springer-Verlag, 1993, pp. 81-91.

....GF (2 n ) be a function of nonlinear order d. Then any dth order di#erential is a constant. Consequently, any (d 1)st order di#erential is zero. A. 4 Linear cryptanalysis Linear cryptanalysis was proposed by Matsui in 1993 [16] A preliminary version of the attack on FEAL was described in 1992 [18]. Linear cryptanalysis [16] is a known plaintext attack in which the attacker exploits linear approximations of some bits of the plaintext, the ciphertext and the key. In the attack 15 on the DES (or on DES like iterated ciphers) the linear approximations are obtained by combining approximations ....

M. Matsui and A. Yamagishi. A new method for known plaintext attack of FEAL cipher. In R. Rueppel, editor, Advances in Cryptology - EUROCRYPT '92, LNCS 658, pages 81--91. Springer Verlag, 1992.

....enforcement. Since evidence of security of various cryptographic primitives is usually indirect, new discoveries in cryptanalysis often change the conception of security of various security primitives. For example, introduction of differential cryptanalysis (Murphy 1990) and linear cryptanalysis (Matsui Yamagishi 1992) have proven weak presumably strong cryptosystems and hash functions. Yet, well designed cryptosystems, such as DES (1977) remain immune on these attacks 2 . The knowledge of new cryptanalytic techniques is, of course, subsequently translated into the knowledge of proper cipher design but ....

Matsui, M. & Yamagishi, A. (1992) A New Method for Known Plaintext Attack of FEAL Cipher. Advances in Cryptology - Eurocrypt'92, pp.81-91. Springer-Verlag.

....the number of pairs of plaintexts and corresponding ciphertexts, N , and the approximate probability, p # , and 3) an estimation of the memory size and the processing amount of the attack. 2 Linear Cryptanalysis 2. 1 Notations and Preliminaries The modified FEAL and its modified F function [MY92] are analyzed here. The S Boxes, S 0 and S 1 , of FEAL are defined as S i (x, y) ROL2(x y i (mod 256) where ROL2 rotates its input two bits to the left. We use the similar notations and defines the right most bit of each symbol as the 0 th bit, which is the lowest bit, as well as in the ....

M. Matsui and A. Yamagishi, "A New Method for Known Plaintext Attack of FEAL Cipher," EUROCRYPT'92

....key, since E ( Gamma1) s W 8 has constant diagonals. This partition corresponds to the minimal sufficient statistic for estimating s = Phi 8 i=1 k 2i )ae. 5 Linear Cryptanalysis In this Section, we show how the technique of linear cryptanalysis applied by Matsui and Yamagishi to FEAL [17], and by Matsui to DES [15] 16] can be viewed in the likelihood framework. Linear cryptanalysis is very similar to the analysis of S box pairs analysed in the previous Section. Linear cryptanalysis essentially considers projections onto linear (1 dimensional) subspaces, rather than the ....

M. Matsui and A. Yamagishi. A new Method of Known Plaintext Attack of the FEAL cipher. In Advances in Cryptology, Proceedings of EUROCRYPT 92, pages 81--91. Springer--Verlag LNCS 658, 1993.

....attacks of Biham and Shamir. Significantly, however, it differs from these attacks in that it requires only known plaintext rather than chosen plaintext and can, in general, be considered a more practical threat to cryptosystems than differential cryptanalysis. Introduced by Matsui and Yamagishi [95] at Eurocrypt 92, linear cryptanalysis was used against the FEAL cipher [139] This attack was then refined by Matsui and used on DES with very exciting results [92, 91] See Section 4.4 for more details. The aim of a linear cryptanalytic attack on a cipher is to find an effective linear ....

....soon found to be lacking. FEAL s first incarnation was as a four round version, and an immediate attack was provided by den Boer [43] Later Murphy supplied an attack that required only 20 chosen plaintexts [102] The eight round version of FEAL did not fare much better. A wide range of attacks [54, 15, 95, 11, 122, 5, 63] have together shown that the eight round version of FEAL is insecure and they have cast doubts on any of the remaining versions of FEAL that have been proposed. The remaining versions are FEAL N with any even number of rounds and FEAL NX with extended 128 bit keys [99] Unfortunately even these ....

M. Matsui and A. Yamagishi. A new method for known plaintext attack of FEAL cipher. In R.A. Rueppel, editor, Advances in Cryptology --- Eurocrypt '92, volume 658 of Lecture Notes in Computer Science, pages 81--91, Berlin, 1992. Springer-Verlag. 60 Block Ciphers

....of this approach is, that cryptanalysis of the resulting systems is difficult as the internal structure is complicated. Security cannot be guaranteed. Indeed, in the last years new methods like differential or linear cryptanalysis pointed out some block ciphers as insecure, see e.g. 2] and [8]. In this paper, we propose a novel concept for designing secure block ciphers, an improved development of the scheme described in [5] The cryptosystem is not built up from iterated round functions, there is only a simple Author is member of Graduiertenkolleg Effizienz und Komplexitat von ....

M. Matsui, A. Yamagishi. A New Method for Known Plaintext Attack of FEAL Cipher, Proceedings of Conference EUROCRYPT'92, pp. 81-91.

....by exhaustive attack using an appropriate number of ciphertext pairs in the chosen plaintext scenario. DES(8 round) can be broken with 2 15 plaintext pairs, and FEAL8 can be broken with 2 10 plaintext pairs. Some known plaintext attacks on these iterated cryptosystems have also been proposed [CG91, K91, MY92, M93]. In this paper, we analyze the security of MAC schemes from the viewpoint of di#erential attack. Since the left half 32 bits of ciphertext in CBC mode is used as MAC, the following question is important to establishing the security of MAC schemes: Is di#erential attack e#ective against the MAC ....

....of the checking method to break FEAL16 MAC. It is an open problem to estimate the su#cient number of pairs for the counting method. Note that these attacks are applicable to FEAL MAC only in the chosen plaintext attack, though some known plaintext attacks are pointed out to ciphertext case [CG91, MY92, K91]. It is an open problem to break MAC schemes in the known plaintext attack. 5 Experimental Results The purpose of this experiment is to estimate the su#cient number of right pairs to derive the subkey K1. We will describe experimental results on FEAL8 MAC using the attack technique cut o# the ....

[Article contains additional citation context not shown here]

M. Matsui and A. Yamagishi, "A New Method for Known Plaintext Attack of FEAL Cipher," EUROCRYPT'92

No context found.

M. Matsui, A. Yamagishi. A New Method for Known Plaintext Attack of FEAL Cipher, Proceedings of Conference EUROCRYPT'92, pp. 81-91.

No context found.

M. Matsui and A. Yamagishi, "A new method for known plaintext attack of FEAL cipher," in Proceedings of Eurocrypt'92 (R. A. Rueppel, ed.), no. 658 in Lecture Notes in Computer Science, pp. 81--91, Springer-Verlag, 1992.

No context found.

Mitsuru Matsui, Atsuhiro Yamagishi, A New Method for Known Plaintext Attack of FEAL Cipher, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of EUROCRYPT'92, pp. 81--91, 1992.

No context found.

Mitsuru Matsui, Atsuhiro Yamagishi, A New Method for Known Plaintext Attack of FEAL Cipher, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of EUROCRYPT'92, pp. 81--91, 1992.

No context found.

Mitsuru Matsui, Atsuhiro Yamagishi, A New Method for Known Plaintext Attack of FEAL Cipher, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of EUROCRYPT'92, pp. 81--91, 1992.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC