Results 1  10
of
19
On Multiple Linear Approximations
 in the proceedings of Crypto 2004, Lecture Notes in Computer Science, vol 3152
, 2004
"... In this paper we study the long standing problem of information extraction from multiple linear approximations. We develop a formal statistical framework for block cipher attacks based on this technique and derive explicit and compact gain formulas for generalized versions of Matsui's Algori ..."
Abstract

Cited by 31 (0 self)
 Add to MetaCart
(Show Context)
In this paper we study the long standing problem of information extraction from multiple linear approximations. We develop a formal statistical framework for block cipher attacks based on this technique and derive explicit and compact gain formulas for generalized versions of Matsui's Algorithm 1 and Algorithm 2. The theoretical framework allows both approaches to be treated in a unified way, and predicts significantly improved attack complexities compared to current linear attacks using a single approximation. In order to substantiate the theoretical claims, we benchmarked the attacks against reducedround versions of DES and observed a clear reduction of the data and time complexities, in almost perfect correspondence with the predictions. The complexities are reduced by several orders of magnitude for Algorithm 1, and the significant improvement in the case of Algorithm 2 suggests that this approach may outperform the currently best attacks on the full DES algorithm.
On Probability of Success in Linear and Differential Cryptanalysis
"... Despite their widespread usage in block cipher security, linear and differential cryptanalysis still lack a robust treatment of their success probability, and the success chances of these attacks have commonly been estimated in a rather ad hoc fashion. In this paper, we present an analytical calcula ..."
Abstract

Cited by 28 (1 self)
 Add to MetaCart
Despite their widespread usage in block cipher security, linear and differential cryptanalysis still lack a robust treatment of their success probability, and the success chances of these attacks have commonly been estimated in a rather ad hoc fashion. In this paper, we present an analytical calculation of the success probability of linear and differential cryptanalytic attacks. The results apply to an extended sense of the term "success" where the correct key is found not necessarily as the highestranking candidate but within a set of highranking candidates. Experimental results show that the analysis provides accurate results in most cases, especially in linear cryptanalysis. In cases where the results are less accurate, as in certain cases of dierential cryptanalysis, the results are useful to provide approximate estimates of the success probability and the necessary plaintext requirement. The analysis also reveals that the attacked key length in differential cryptanalysis is one of the factors that affect the success probability directly besides the signaltonoise ratio and the available plaintext amount.
Statistical Attack on RC4 Distinguishing WPA
"... Abstract. In this paper we construct several tools for manipulating pools of biases in the analysis of RC4. Then, we show that optimized strategies can break WEP based on 4000 packets by assuming that the first bytes of plaintext are known for each packet. We describe similar attacks for WPA. Firstl ..."
Abstract

Cited by 9 (2 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper we construct several tools for manipulating pools of biases in the analysis of RC4. Then, we show that optimized strategies can break WEP based on 4000 packets by assuming that the first bytes of plaintext are known for each packet. We describe similar attacks for WPA. Firstly, we describe a distinguisher for WPA of complexity 2 43 and advantage 0.5 which uses 2 40 packets. Then, based on several partial temporary key recovery attacks, we recover the full 128bit temporary key by using 2 38 packets. It works within a complexity of 2 96. So far, this is the best attack against WPA. We believe that our analysis brings further insights on the security of RC4. 1
New Features of Latin Dances: Analysis of Salsa, ChaCha, and Rumba
 In the proceedings of Fast Software Encryption FSE 2008, LNCS 5086
, 2008
"... Abstract. The stream cipher Salsa20 was introduced by Bernstein in 2005 as a candidate in the eSTREAM project, accompanied by the reduced versions Salsa20/8 and Salsa20/12. ChaCha is a variant of Salsa20 aiming at bringing better diffusion for similar performance. Variants of Salsa20 with up to 7 ro ..."
Abstract

Cited by 8 (2 self)
 Add to MetaCart
(Show Context)
Abstract. The stream cipher Salsa20 was introduced by Bernstein in 2005 as a candidate in the eSTREAM project, accompanied by the reduced versions Salsa20/8 and Salsa20/12. ChaCha is a variant of Salsa20 aiming at bringing better diffusion for similar performance. Variants of Salsa20 with up to 7 rounds (instead of 20) have been broken by differential cryptanalysis, while ChaCha has not been analyzed yet. We introduce a novel method for differential cryptanalysis of Salsa20 and ChaCha, inspired by correlation attacks and related to the notion of neutral bits. This is the first application of neutral bits in stream cipher cryptanalysis. It allows us to break the 256bit version of Salsa20/8, to bring faster attacks on the 7round variant, and to break 6 and 7round ChaCha. In a second part, we analyze the compression function Rumba, built as the XOR of four Salsa20 instances and returning a 512bit output. We find collision and preimage attacks for two simplified variants, then we discuss differential attacks on the original version, and exploit a highprobability differential to reduce complexity of collision search from 2 256 to 2 79 for 3round Rumba. To prove the correctness of our approach we provide examples of collisions and nearcollisions on simplified versions. 1
Linear cryptanalysis of substitutionpermutation networks
, 2003
"... The subject of this thesis is linear cryptanalysis of substitutionpermutation networks (SPNs). We focus on the rigorous form of linear cryptanalysis, which requires the concept of linear hulls. First, we consider SPNs in which the sboxes are selected independently and uniformly from the set of al ..."
Abstract

Cited by 7 (3 self)
 Add to MetaCart
(Show Context)
The subject of this thesis is linear cryptanalysis of substitutionpermutation networks (SPNs). We focus on the rigorous form of linear cryptanalysis, which requires the concept of linear hulls. First, we consider SPNs in which the sboxes are selected independently and uniformly from the set of all bijective n × n sboxes. We derive an expression for the expected linear probability values of such an SPN, and give evidence that this expression converges to the corresponding value for the true random cipher. This adds quantitative support to the claim that the SPN structure is a good approximation to the true random cipher. We conjecture that this convergence holds for a large class of SPNs. In addition, we derive a lower bound on the probability that an SPN with randomly selected sboxes is practically secure against linear cryptanalysis after a given number of rounds. For common block sizes, experimental evidence indicates that this probability rapidly approaches 1 with an increasing number of rounds.
On the Data Complexity of Statistical Attacks Against Block Ciphers
 In Cryptology ePrint
, 2009
"... Abstract. Many attacks on iterated block ciphers rely on statistical considerations using plaintext/ciphertext pairs to distinguish some part of the cipher from a random permutation. We provide here a simple formula for estimating the amount of plaintext/ciphertext pairs which is needed for such dis ..."
Abstract

Cited by 6 (2 self)
 Add to MetaCart
Abstract. Many attacks on iterated block ciphers rely on statistical considerations using plaintext/ciphertext pairs to distinguish some part of the cipher from a random permutation. We provide here a simple formula for estimating the amount of plaintext/ciphertext pairs which is needed for such distinguishers and which applies to a lot of different scenarios (linear cryptanalysis, differentiallinear cryptanalysis, differential/truncated differential/impossible differential cryptanalysis). The asymptotic data complexities of all these attacks are then derived. Moreover, we give an efficient algorithm for computing the data complexity accurately.
How Far Can We Go Beyond Linear Cryptanalysis?,”Asiacrypt 2004
 of LNCS
, 2004
"... Abstract. Several generalizations of linear cryptanalysis have been proposed in the past, as well as very similar attacks in a statistical point of view. In this paper, we define a rigorous general statistical framework which allows to interpret most of these attacks in a simple and unified way. The ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
Abstract. Several generalizations of linear cryptanalysis have been proposed in the past, as well as very similar attacks in a statistical point of view. In this paper, we define a rigorous general statistical framework which allows to interpret most of these attacks in a simple and unified way. Then, we explicitely construct optimal distinguishers, we evaluate their performance, and we prove that a block cipher immune to classical linear cryptanalysis possesses some resistance to a wide class of generalized versions, but not all. Finally, we derive tools which are necessary to set up more elaborate extensions of linear cryptanalysis, and to generalize the notions of bias, characteristic, and pilingup lemma. Keywords: Block ciphers, linear cryptanalysis, statistical cryptanalysis. 1 A Decade of Linear Cryptanalysis Linear cryptanalysis is a knownplaintext attack proposed in 1993 by Matsui[21, 22] to break DES [26], exploiting specific correlations between the input andthe output of a block cipher. Namely, the attack traces the statistical correlation between one bit of information about the plaintext and one bit of informationabout the ciphertext, both obtained linearly with respect to GF(2) L (where L is the block size of the cipher), by means of probabilistic linear expressions, aconcept previously introduced by TardyCorfdir and Gilbert [30]. Soon after, several attempts to generalize linear cryptanalysis are published:Kaliski and Robshaw [13] demonstrate how it is possible to combine several independent linear correlations depending on the same key bits. In [31], Vaudenaydefines another kind of attack on DES, called A^2attack, and shows that one canobtain an attack slightly less powerful than a linear cryptanalysis, but without the need to know precisely what happens in the block cipher. Harpes, Kramer,and Massey [7] replace the linear expressions with socalled I/O sums, i.e., balanced binaryvalued functions; they prove the potential effectiveness of such ageneralization by exhibiting a block cipher secure against conventional linear cryptanalysis but vulnerable to their generalization. Practical examples are theattack of Knudsen and Robshaw [15] against
Experimenting Linear Cryptanalysis
 Advanced Linear Cryptanalysis of Block and Stream Ciphers, vol, 7 of Cryptology and Information Security Series. IOS
, 2011
"... Since the publication of linear cryptanalysis in the early 1990s, the precise understanding of the statistical properties involved in such attacks has proven to be a challenging and computationally intensive problem. As a consequence, a number of strategies have been developed, in order to design b ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
(Show Context)
Since the publication of linear cryptanalysis in the early 1990s, the precise understanding of the statistical properties involved in such attacks has proven to be a challenging and computationally intensive problem. As a consequence, a number of strategies have been developed, in order to design block ciphers secure against
Linear Cryptanalysis of Non Binary Ciphers with an Application to SAFER
"... Abstract. In this paper we revisit distinguishing attacks. We show how to generalize the notion of linear distinguisher to arbitrary sets. Our thesis is that our generalization is the most natural one. We compare it with the one by Granboulan et al. from FSE’06 by showing that we can get sharp esti ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
Abstract. In this paper we revisit distinguishing attacks. We show how to generalize the notion of linear distinguisher to arbitrary sets. Our thesis is that our generalization is the most natural one. We compare it with the one by Granboulan et al. from FSE’06 by showing that we can get sharp estimates of the data complexity and cumulate characteristics in linear hulls. As a proof of concept, we propose a better attack on their toy cipher TOY100 than the one that was originally suggested and we propose the best known plaintext attack on SAFER K/SK so far. This provides new directions to block cipher cryptanalysis even in the binary case. On the constructive side, we introduce DEAN18, a toy cipher which encrypts blocks of 18 decimal digits and we study its security. 1