5 citations found.
S. Moriai, K. Aoki, and K. Ohta. Key-dependency of linear probability of RC5. IEICE Trans. Fundamentals, E80-A(1):9--18, 1997.


This paper is cited in the following contexts:
MARS - a candidate cipher for AES - Burwick, Coppersmith, D'Avignon.. (1999)   (54 citations)  (Correct)

....lowest 5 bits of w 2 affect this operation) This operation can be approximated as either a binary or unary operation, depending on whether the rotation amount is included or excluded from the approximation. Approximations of data dependent rotation were investigated by Moriai, Aoki and Ohta in [10], where the following is proven: Theorem 2 ([10]) For two masks X 1 ; X 3 , denote by ae(X 1 ; X 3 ) the number of different rotation amounts n 32 such that X 3 = X 1 n. Then, the approximation (X 1 ffi w 1 ) Phi (X 2 ffi w 2 ) Phi (X 3 ffi w 3 ) has bias of ae(X 1 ; X 2 ) 64 provided ....

....operation can be approximated as either a binary or unary operation, depending on whether the rotation amount is included or excluded from the approximation. Approximations of data dependent rotation were investigated by Moriai, Aoki and Ohta in [10] where the following is proven: Theorem 2 ([10]) For two masks X 1 ; X 3 , denote by ae(X 1 ; X 3 ) the number of different rotation amounts n 32 such that X 3 = X 1 n. Then, the approximation (X 1 ffi w 1 ) Phi (X 2 ffi w 2 ) Phi (X 3 ffi w 3 ) has bias of ae(X 1 ; X 2 ) 64 provided that X 2 32=ae(X 1 ; X 3 ) and it has zero bias ....

S. Moriai, K. Aoki, and K. Ohta. Key-dependency of linear probability of RC5. IEICE Trans. Fundamentals, E80-A(1):9--18, 1997.


The Security of the RC6 Block Cipher - Contini, Rivest, Robshaw, Yin (1998)   (3 citations)  (Correct)

....b in t different ways, then the bias of the approximation is given by ae = t 32 32 Gammat 32 Theta 1 2 . It is possible to use heavier masks Gamma a so that Gamma a can be rotated on to Gamma b in several different ways (t 1) ensuring an increased bias. However, studies on RC5 [24, 9] demonstrate that the more bits there are in Gamma a , the harder it is to use the approximation effectively across the integer addition. With RC6 we have another problem since it is difficult to use such multiple bit approximations across the quadratic function. The best option for the ....

S. Moriai, K. Aoki, and K. Ohta. Key-dependency of linear probability of RC5. March 1996. To appear in IEICE Trans. Fundamentals.


MARS - a candidate cipher for AES - Burwick, al.   (54 citations)  (Correct)

....lowest 5 bits of w 2 affect this operation) This operation can be approximated as either a binary or unary operation, depending on whether the rotation amount is included or excluded from the approximation. Approximations of data dependent rotation were investigated by Moriai, Aoki and Ohta in [10], where the following is proven: Theorem 2 ([10]) For two masks X 1 ;X 3 , denote by ##X 1 ;X 3 # the number of different rotation amounts n#32 such that X 3 = X 1 ##n. 6 Then, the approximation #X 1 # w 1 # # #X 2 # w 2 # # #X 3 # w 3 # has bias of ##X 1 ;X 2 #=64 provided that X 2 # ....

....operation can be approximated as either a binary or unary operation, depending on whether the rotation amount is included or excluded from the approximation. Approximations of data dependent rotation were investigated by Moriai, Aoki and Ohta in [10] where the following is proven: Theorem 2 ([10]) For two masks X 1 ;X 3 , denote by ##X 1 ;X 3 # the number of different rotation amounts n#32 such that X 3 = X 1 ##n. 6 Then, the approximation #X 1 # w 1 # # #X 2 # w 2 # # #X 3 # w 3 # has bias of ##X 1 ;X 2 #=64 provided that X 2 # 32=##X 1 ;X 3 #, and it has zero bias otherwise. 7 ....

S. Moriai, K. Aoki, and K. Ohta. Key-dependency of linear probability of RC5. IEICE Trans. Fundamentals, E80-A(1):9--18, 1997.


CryptoBytes - The Technical Newsletter   (Correct)

....agreed that 56 bit keys, as offered by the DES standard [5] offer marginal protection against a committed adversary. Indeed, theoretical studies have been performed showing that it is possible to build a specialized DES cracker computer that could crack keys in mere hours by exhaustive search [9]. However, it is unknown whether any such machine has been built, and DES is still very widely used, in part because of its continued resistance to sophisticated cryptanalytic attacks. For those concerned about the length of the keys used in DES there are a variety of options available, such as ....

....CryptoBytes, Vol. 1, No. 2, pages 5-12. [7] R. Rivest. The RC5 encryption algorithm. In Proceedings of 2nd Workshop on Fast Software Encryption, pages 86-96, Springer Verlag, 1995. [8] P. Rogaway. The Security of DESX. RSA Laboratories CryptoBytes, Vol. 2, No. 2, Summer 1996, pages 8-11. [9] M.J. Wiener. Efficient DES key search. Technical Report TR 244, School of Computer Science, Carleton University, Ottawa, Canada, May 1994. 2 Among other incentives in a renewed search effort could be the opportunity for material gain if future efforts allow the finder of the correct key to ....

[Article contains additional citation context not shown here]

Moriai, K. Aoki, and K. Ohta. Key-dependency of linear probability of RC5. March 1996. To appear in IEICE Trans. Fundamentals.


The RC6 Block Cipher - Rivest, Robshaw, Sidney, Yin (1998)   (28 citations)  (Correct)

....performance. The inner loop, however, is based around the same half round found in RC5. RC5 was intentionally designed to be extremely simple, to invite analysis shedding light on the security provided by extensive use of data dependent rotations. Since RC5 was proposed in 1995, various studies [2, 4, 7, 10, 14, 18] have provided a greater understanding of how RC5's structure and operations contribute to its security. While no practical attack on RC5 has been found, the studies provide some interesting theoretical attacks, generally based on the fact that the rotation amounts in RC5 do not depend on all of ....

S. Moriai, K. Aoki, and K. Ohta. Key-dependency of linear probability of RC5. March 1996. To appear in IEICE Trans. Fundamentals.
