Shoji Miyaguchi, The FEAL cipher family, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of CRYPTO'90, pp. 627--638, 1990.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....the number of rounds was increased to eight, while the F function was not changed. Feal 8 was broken by the differential cryptanalytic chosen plaintext attack described in this paper. As a result, two new versions were added to the family: FealN [6] with any even number N of rounds, and Feal NX[7] with an extended 128 bit key. In addition, The designers proposed a more complex eight round version called N Hash[8] as a cryptographically strong hash function which maps arbitrarily long inputs into 128 bit values. Recently, two chosen plaintext attacks on Feal were published. The one analyses ....

....ciphertexts for this attack. Using 2000 pairs it finds the key with almost 100 success rate. The program uses 280K bytes of memory. 4 Cryptanalysis of Feal N and Feal NX with N 31 rounds Feal N[6] was suggested as an N round extension of Feal 8 after our attack on Feal 8 was announced. Feal NX[7] is similar to Feal N but uses a longer 128 bit key and a different key processing algorithm. Since our attack ignores the key processing algorithm and finds the actual subkeys, we can apply it to both Feal N and Feal NX with identical complexity and performance. The attack on Feal with an ....

Shoji Miyaguchi, The FEAL cipher family, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of CRYPTO'90, pp. 627--638, 1990.

....2000 ciphertexts (1000 pairs) and the Feal 4 cryptosystem can be broken with just eight ciphertexts and one of their plaintexts. As a reaction to our attack on Feal 8, its creators introduced Feal N[11] with any even number of rounds N. They suggest the use of Feal N with 16 and 32 rounds. Feal NX[12] is similar to Feal N with the extension of the key size to 128 bits. Nevertheless, Feal N and Feal NX can be broken for any N 31 rounds faster than exhaustive search. Differential cryptanalytic techniques are applicable to hash functions, in addition to cryptosystems. For example, the following ....

Shoji Miyaguchi, The FEAL cipher family, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of CRYPTO'90, pp. 627-- 638, 1990.

....the number of ciphertexts reduce the average investment in each found key. The last tradeoff is also valid for even m s. Key Theoretic Ciphers Size Strength 56 2 28 DES 40 2 20 US exportable ciphers 64 2 32 LOKI[7,6] Feal N[20] SAFER SK64[15] 80 2 40 Skipjack 128 2 64 Feal NX[19], SAFER SK128[15] IDEA[14] k 2 k=2 Any cipher Table 3. The Complexities of Attacking Ciphers. Scheme Key Theoretic Required Size Strength Ciphertexts Double DES 112 2 56 1 Two key triple DES 112 2 56 2 56 3 MAK DES[9] 112 2 56 2 56 Three key triple DES 168 2 84 2 28 Any scheme ....

....for each found key are valid also in this case. Table 4 summarizes the complexities of attacking many multiple encryption schemes. When modes of operation with random initial values are used, and the keysize is Key Steps Ciphers Size 80 2 72 Skipjack 112 2 88 3 MAK DES 128 2 96 Feal NX[19], SAFER SK128[15] IDEA[14] Table 5. The Complexities of Attacking Modes (such as CBC) with Random Initial Values. larger than the blocksize, the attack has the results described in Table 5. The simplest countermeasure against this attack is to reduce the frequency of key replacement; this ....

Shoji Miyaguchi, The FEAL cipher family, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of CRYPTO'90, pp. 627--638, 1990.

....by triple DES (whose 168 bits of key were assumed to make it practically invulnerable) essentially the same attack can break it with essentially the same number of given ciphertexts. Differential Fault Analysis can break many additional secret key cryptosystems, including IDEA[9] RC5[19] and Feal[21,16,14,15]. Some ciphers, such as Khufu[13] Khafre[13] and Blowfish[20] compute their S boxes from the key material. In such ciphers, it may be even possible to extract the S boxes themselves, and the keys, using the techniques of Differential Fault Analysis. Differential Fault Analysis can also be applied ....

Shoji Miyaguchi, The FEAL cipher family, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of CRYPTO'90, pp. 627--638, 1990.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC