John Kelsey, Bruce Schneier, and David Wagner. Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and triple-DES. In Neal Koblitz, editor, Advances in Cryptology|CRYPTO '96, volume 1109 of Lecture Notes in Computer Science, pages 237-251. Springer-Verlag, 1996.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....boomerang attack, NESSIE. 1 Introduction The International Data Encryption Algorithm (IDEA) 8 10] is 64 bit block cipher using a 128 bit secret key. IDEA consists of eight rounds followed by an output transformation. In the last decade considerable cryptanalytic e#ort was concentrated on IDEA [1, 3 7, 11], however, despite that e#ort the cryptanalytic progress was very slow. Till now the best attack [1] breaks 4.5 rounds out of 8.5 rounds and it requires the knowledge of all 2 complexity of analysis is 2 . In the same decade some weak key classes for the full 8.5 round IDEA were found. In ....

Kelsey, J., Schneier, B., Wagner, D.: Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER and Triple-DES, Advances in Cryptology, Crypto'96, LNCS 1109, N. Koblitz, Ed., Springer-Verlag, 1996, 237--251.

....four. The concept of a related key attack was introduced by Biham [9] who also introduced the attack scenarios of the second of these variants, where encryptions under several keys are requested. Knudsen later described a related key attack on SAFER K [70] and Kelsey, Schneier, and Wagner [63] applied the related key attacks to a wide range of block ciphers. It may be argued that attacks with a chosen relation between keys are unrealistic. The attacker needs to obtain encryptions under several keys, and in some attacks even with chosen plaintexts. However there exist realistic ....

....unrealistic. The attacker needs to obtain encryptions under several keys, and in some attacks even with chosen plaintexts. However there exist realistic settings, in which an attacker may succeed in obtaining such encryptions. There also exist quite e#cient methods to preclude related key attacks [63, 35]. Interpolation attack In [58] Jakobsen and Knudsen introduced the interpolation attack. In this attack, an attacker constructs polynomials using pairs of plaintexts and ciphertexts. This is particularly easy if the components in the cipher can be expressed as easily described mathematical ....

[Article contains additional citation context not shown here]

J. Kelsey, B. Schneier, and D. Wagner. Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In Advances in Cryptology -- CRYPTO '96, LNCS 1109, pages 237--251. Springer, 1996.

....by giving a chosen plaintext attack of the first kind on LOKI 91 [10] reducing an exhaustive key search by almost a factor of four. Later Biham [2] introduced the second kind of related key attacks. Later Knudsen described a related key attack on SAFER K [12] and Kelsey, Schneier, and Wagner [8] applied the related key attacks to a wide range of block ciphers. It may be argued that the attacks with a chosen relation between the keys are unrealistic. The attacker need to get encryptions under several keys, in some attacks even with chosen plaintexts. However there exist realistic ....

....are unrealistic. The attacker need to get encryptions under several keys, in some attacks even with chosen plaintexts. However there exist realistic settings, in which an attacker may succeed to obtain such encryptions. Also, there exists quite e#cient methods to preclude the related key attacks [8, 6]. 16 A.7 Exhaustive key search This attack needs only a few known plaintext ciphertext pairs. An attacker simply tries all keys, one by one, and checks whether the given plaintext encrypts to the given ciphertext. Also, if the plaintext space is redundant, e.g. consists of Japanese text, the ....

J. Kelsey, B. Schneier, and D. Wagner. Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and triple-DES. In Neal Koblitz, editor, Advances in Cryptology: CRYPTO'96, LNCS 1109, pages 237--251. Springer Verlag, 1996.

....that for most modes of operations for the DES [15] after the Revised May 15, 1998. 1 encryption of 2 33 blocks, equal ciphertext blocks can be expected and information is leaked about the plaintexts [5, 9, 12] Also, triple DES with three independent keys is vulnerable to a related key attack [7] with a running time about the same as the time of an exhaustive search over one DES key. The American National Standards Institute (ANSI) committee X9.F.1 is working on adopting a suite of modes for triple encryption with the DES [20] One of these modes is the Triple DES Cipher Block Chaining ....

J. Kelsey, B. Schneier, and D. Wagner. Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and triple-DES. In Neal Koblitz, editor, Advances in Cryptology: CRYPTO'96, LNCS 1109, pages 237--251. Springer Verlag, 1996.

....time nearly equals 0 Type 2: required time is less than or equal to 3 Type 3: required time is greater than 3 as shown in Table 5. Ciphers classified as Type 1 have, with few exceptions, weakness in key scheduling, for example, DES [HMS 76, K95b] LOKI [K93a, K93b, B94, K95b] IDEA [KSW96] and SAFER K 64 [K95a] It seems di#cult to design secure key scheduling if the time requirement is nearly 0. On the other hand, as far as we know, there are no successful attacks on Type 3 ciphers. However, considering the demand for many small data encryption processes with a di#erent key, ....

....[HMS 76] Simple relation is deeply related to the weak key described in Section 7.3.1.1. We tried to construct a simple relation for E2 , however, we could not. 7.3. 4 Related key attack An attack on LOKI89 91 was presented [B94] Later, many applications were presented, for example in [KSW96] First, the attackers 1. find an iterative pattern of subkeys, or 2. set appropriate relations at certain intermediate rounds by controlling several keys. Since E2 key scheduling satisfies Requirement 5 in Section 6.4, we could not find any iterative pattern of subkeys. Moreover, since E2 ....

J. Kelsey, B. Schneier, and D. Wagner. Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In N. Koblitz, editor, Advances in Cryptology --- CRYPTO'96, Volume 1109 of Lecture Notes in Computer Science, pp. 237--251. Springer-Verlag, Berlin, Heidelberg, New York, 1996.

....[4] on key length requirements, it is suggested that private keys of length between 75 bits to 90 bits be used. Another approach is to use more than one short key, such as in triple DES where three (or two) 56 bit keys are used in the key schedule to give an effective key length of 112 bits [11] at extra computational cost. However, it is not possible to make direct comparisons between different cipher systems, based solely on their effective key lengths (i.e. resistance to a brute force attack) as there could be significant reductions in the effective key length for certain ....

J. Kelsey, B. Schneier, and D. Wagner. Key--Schedule Cryptanalysis of IDEA, G-- DES, GOST, SAFER, and Triple--DES. In N. Koblitz, editor, Proceedings of Advances in Cryptology--CRYPTO '96, number 1109 in LNCS, pages 237--251. Springer, 1996.

....cryptanalysis is another important category of attacks on block ciphers. Typical weaknesses exploited in key schedule cryptanalysis include weak keys or semi weak keys, equivalent keys, related keys and simple relations such as the complemetation property existing in DES (for details, see e.g. [13,14]) These weaknesses can be exploited to speed up an exhaustive key search or to mount related key attacks. Though most of these attacks on key schedules are not practical in normal use, they may be a serious flaw in certain circumstances (e.g. when a block cipher is used as a building block for ....

J.Kelsey, B.Schneier and D.Wagner, Key-schedule cryptanalysis of IDEA, DES, GOST, SAFER, and triple-DES, In Advances in Cryptology-CRYPTO'96, LNCS 1109, Springer-Verlag, 1996, pp.237-252.

....4 expanded keys as fE e [3] E e [2] E e [1] E e [0]g fE e [0] b 6 ; E e [3] b 6 ; E e [2] 16 ; E e [1] 24 g and compute the round keys for round r as K e [4r i] E e [i] Phi C e [r] Phi MC i for 0 i 3. 2 2. for odd rounds, update the second 4 expanded keys as fE e [7]; E e [6] E e [5] E e [4]g fE e [6] 16 ; E e [5] 8 ; E e [4] b 2 ; E e [7] b 2 g and compute the round keys for round r as K e [4r i] E e [i 4] Phi C e [r] Phi MC i for 0 i 3. 2.3.3 Generating decryption round keys For efficient decryption key schedule, we first ....

.... b 6 ; E e [2] 16 ; E e [1] 24 g and compute the round keys for round r as K e [4r i] E e [i] Phi C e [r] Phi MC i for 0 i 3. 2 2. for odd rounds, update the second 4 expanded keys as fE e [7] E e [6] E e [5] E e [4]g fE e [6] 16 ; E e [5] 8 ; E e [4] b 2 ; E e [7] b 2 g and compute the round keys for round r as K e [4r i] E e [i 4] Phi C e [r] Phi MC i for 0 i 3. 2.3.3 Generating decryption round keys For efficient decryption key schedule, we first observe that the transformations OE o = ffi o ffi and OE e = ffi e ffi are ....

[Article contains additional citation context not shown here]

J.Kelsey, B.Schneier and D.Wagner, Key-schedule cryptanalysis of IDEA, DES, GOST, SAFER, and triple-DES, In Advances in Cryptology-CRYPTO'96, LNCS 1109, Springer-Verlag, 1996, pp.237-252.

....into 8 32 bit words U [i] 0 i 7) U [i] k 4i 3 k 4i 2 k 4i 1 k 4i . 3. compute 8 expanded keys E e [i] using the basic transformations described before as follows: V e [3] V e [2] V e [1] V e [0] t = ffi fl o ffi oe P ffi o ) U[6] U [4] U[2] U[0] t ) V e [7] V e [6] V e [5]; V e [4] t = ffi fl e ffi oe Q ffi e ) U [7] U[5] U [3] U[1] t ) T 0 = V e [0] Phi V e [1] Phi V e [2] Phi V e [3] T 1 = V e [4] Phi V e [5] Phi V e [6] Phi V e [7] E e [i] V e [i] Phi T 1 for i = 0; 1; 2; 3; E e [i] V e [i] Phi T 0 for i = 4; 5; 6; 7; where P = ....

....4i 1 k 4i . 3. compute 8 expanded keys E e [i] using the basic transformations described before as follows: V e [3] V e [2] V e [1] V e [0] t = ffi fl o ffi oe P ffi o ) U[6] U [4] U[2] U[0] t ) V e [7] V e [6] V e [5] V e [4] t = ffi fl e ffi oe Q ffi e ) U [7] U[5]; U [3] U[1] t ) T 0 = V e [0] Phi V e [1] Phi V e [2] Phi V e [3] T 1 = V e [4] Phi V e [5] Phi V e [6] Phi V e [7] E e [i] V e [i] Phi T 1 for i = 0; 1; 2; 3; E e [i] V e [i] Phi T 0 for i = 4; 5; 6; 7; where P = P 3 ; P 2 ; P 1 ; P 0 ) t and Q = Q 3 ; Q 2 ; Q 1 ; Q 0 ....

[Article contains additional citation context not shown here]

J.Kelsey, B.Schneier and D.Wagner, Key-schedule cryptanalysis of IDEA, DES, GOST, SAFER, and triple-DES, In Advances in Cryptology-Crypto'96, LNCS 1109, Springer-Verlag, 1996, pp.237-252.

....original state at the end of encryption, since the total number of 5shifts during the 16 rounds is 28. If the faults affect the shifts of these registers, then in the following encryptions the key is changed to a related key. Related key cryptanalysis[3] or differential related key cryptanalysis[7] might be applied with DFA in such cases. We expect that linear cryptanalysis[12] can also be combined with DFA in some cases (in a similar way to differential linear cryptanalysis[10] especially when the identification of the fault position is highly reliable (or when the fault positions might ....

John Kelsey, Bruce Schneier, David Wagner, Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of CRYPTO'96, pp. 237--251, 1996.

No context found.

John Kelsey, Bruce Schneier, and David Wagner. Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and triple-DES. In Neal Koblitz, editor, Advances in Cryptology|CRYPTO '96, volume 1109 of Lecture Notes in Computer Science, pages 237-251. Springer-Verlag, 1996.

No context found.

J. Kelsey, B. Schneier, and D. Wagner, \Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES," Advances in Cryptology|CRYPTO '96, Springer-Verlag, 1996, pp. 237-251.

No context found.

J. Kelsey, B. Schneier, and D. Wagner, \Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES," Advances in Cryptology | CRYPTO '96 Proceedings, Springer-Verlag, 1996, pp. 237-251.

No context found.

J. Kelsey, B. Schneier, and D. Wagner, \Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES," Advances in Cryptology|CRYPTO '96, Springer-Verlag, 1996, pp. 237-251.

....with 192 bit keys would be slower than exhaustive key search without these relations. Our attack in the next section also makes extensive use of the properties of the key schedule. 4 A 9 Round Related Key Attack Related key attacks were rst introduced by Biham in [Bih93] and later extended in [KSW96,KSW97]. We assume that the reader is familiar with the basics of related key cryptanalysis. The submission states that The key schedule of Rijndael, with its high di usion and non linearity, makes it very improbable that [related key attacks] can be successful for Rijndael [DR98, section 8.7] and ....

John Kelsey, Bruce Schneier, and David Wagner. Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and triple-DES. In Neal Koblitz, editor, Advances in Cryptology|CRYPTO '96, volume 1109 of Lecture Notes in Computer Science, pages 237-251. Springer-Verlag, 1996.

No context found.

J. Kelsey, B. Schneier, and D. Wagner, \Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES," Advances in Cryptology | CRYPTO '96 Proceedings, Springer-Verlag, 1996, pp. 237-251.

....card. 6. 2 Conservative Design There has been considerable research in designing ciphers to be resistant to known attacks [Nyb91, Nyb93, OCo94a, OCo94b, OCo94c, Knu94a, Knu94b, Nyb94, DGV94b, Nyb95, NK95, Mat96, Nyb96] such as di erential [BS93] linear [Mat94] and related key cryptanalysis [Bih94, KSW96, KSW97]. This research has culminated in strong cipher designs CAST 128 [Ada97a] and MISTY [Mat97] are probably the most noteworthy as well as some excellent cryptanalytic theory. However, it is dangerous to rely solely on theory when designing ciphers. Ciphers provably secure against di erential ....

.... mechanisms built from DES [Knu95a] and the S 1 [Anon95] cipher was broken due to a bad key schedule design [Wag95a] Even worse, they can make attacks on the cipher easier, and some attacks on the cipher will be focused directly at the key schedule, such as related key di erential attacks [KSW96, KSW97]. These attacks can be especially devastating when the cipher is used in a hash function construction. Key schedules can be divided into several broad categories [CDN98] In some key schedules, knowledge of a round subkey uniquely speci es bits of other round subkeys. In some ciphers the bits are ....

[Article contains additional citation context not shown here]

J. Kelsey, B. Schneier, and D. Wagner, \Key-Schedule Cryptanalysis of IDEA, GDES, GOST, SAFER, and Triple-DES," Advances in Cryptology | CRYPTO '96 Proceedings, Springer-Verlag, 1996, pp. 237-251.

....Analysis of GOST GOST, the Russian encryption standard [19] was published in 1989. 9 Even after considerable amount of time and e ort, no progress in cryptanalysis of the standard was made in the open literature except for a brief overview of a GOST structure in [4] and a related key attack in [9]. In this section we apply slide techniques to GOST and thus are able to produce cryptanalytic results that shed some light on its internal structure. 8 Of course, these attacks will apply with the same complexity to DESX when the DES key k is known somehow. 9 It was translated into English in ....

J. Kelsey, B. Schneier, D. Wagner, Key-Schedule Cryptanalysis of IDEA, GDES, GOST, SAFER, and Triple-DES, proceedings of CRYPTO'96, pp.237-251, Springer Verlag, 1996.

.... Description of TREYFER TREYFER is a 64 bit block cipher MAC, with a 64 bit key, designed for a very constrained architectures (like a 8051 CPU with 1KB flash EPROM, 64 bytes RAM, 128 bytes EPROM and peak 1MHz instruction rate) The algorithm is as follows: for(r=0; r NumRounds; r ) text[8] = text[0] for(i=0; i 8; i ) text[i 1] text[i 1] Sbox[ key[i] text[i] 256] 1; rotate 1 left text[0] text[8] Here text is an eight byte plaintext, key is an eight byte key, S box denotes an 8x8 bit S box chosen at random, and NumRounds stands for 32 rounds. After 32 rounds of ....

.... (like a 8051 CPU with 1KB flash EPROM, 64 bytes RAM, 128 bytes EPROM and peak 1MHz instruction rate) The algorithm is as follows: for(r=0; r NumRounds; r ) text[8] text[0] for(i=0; i 8; i ) text[i 1] text[i 1] Sbox[ key[i] text[i] 256] 1; rotate 1 left text[0] text[8]; Here text is an eight byte plaintext, key is an eight byte key, S box denotes an 8x8 bit S box chosen at random, and NumRounds stands for 32 rounds. After 32 rounds of encryption text contains eight byte ciphertexts. One of the motivations behind the design of this cipher was that in spite of ....

J. Kelsey, B. Schneier, D. Wagner, Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES, CRYPTO'96, pp.237--251, 1996.

No context found.

John Kelsey, Bruce Schneier, and David Wagner. Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In Advances in Cryptology -- CRYPTO '96, volume 1109, pages 237--251, 1996.

No context found.

Kelsey, J., Schneier, B., Wagner, D.: Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. Proceedings of Crypto'96, LNCS 1109, SpringerVerlag (1996) 237--251

No context found.

J. Kelsey, B. Schneier, and D. Wagner. Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and triple-DES. In Neal Koblitz, editor, Advances in Cryptology: CRYPTO'96, LNCS 1109, pages 237--251. Springer Verlag, 1996.

No context found.

J. Kelsey, B. Schneier, and D. Wagner. Key-schedule cryptanalysis of idea, g-des, gost, safer and triple-des. In Advances in Cryptology - CRYPTO '96, page 237. Springer-Verlag, 1996.

No context found.

J. Kelsey, B. Schneier, and D. Wagner. Key-Schedule Cryptanalysis of IDEA, GDES, GOST, SAFER, and Triple-DES. In N. Koblitz, editor, Advances in Cryptology - Proceedings of CRYPTO'96, volume 1109, pages 237--251. Springer, 1996. Lecture Notes in Computer Science.

No context found.

J. Kelsey, B. Schneier and D. Wagner, #Key-schedule cryptanalysis of IDEA, GDES, GOST, SAFER, and Triple-DES," Advances in Cryptology, Proceedings Crypto'96, LNCS 1109, N. Koblitz, Ed., Springer-Verlag, 1996, pp. 237#252.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC