scholarly journals Weak Keys of Reduced-Round PRESENT for Linear Cryptanalysis

2009 ◽  
pp. 249-265 ◽  
Author(s):  
Kenji Ohkuma
Keyword(s):  
Linear Cryptanalysis ◽  
Weak Keys

scholarly journals Improved zero-correlation linear cryptanalysis of reduced-round Camellia under weak keys

2016 ◽  
Vol 10 (2) ◽  
pp. 95-103 ◽  
Author(s):  
Zhiqiang Liu ◽  
Dawu Gu ◽  
Bing Sun ◽  
Qingju Wang ◽  
Kerem Varici
Keyword(s):  
Linear Cryptanalysis ◽  
Weak Keys ◽  
Zero Correlation

scholarly journals How Many Weak-Keys Exist in T-310 ?

2019 ◽  
Vol 73 (1) ◽  
pp. 61-82
Author(s):  
Nicolas T. Courtois ◽  
Matteo Scarlata ◽  
Marios Georgiou
Keyword(s):  
Cold War ◽  
Block Cipher ◽  
Internal State ◽  
Differential Cryptanalysis ◽  
Linear Cryptanalysis ◽  
Vast Number ◽  
Weak Keys ◽  
Slide Attacks ◽  
Slide Attack ◽  
Decryption Oracle

Abstract T-310 is an important Cold War cipher. The cipher is extremely complex and it outputs extremely few bits from the internal state. A recent paper [Courtois, N. T.: Decryption oracle slide attacks on T-310, Cryptologia, 42 (2018), no. 3, 191–204] shows an example of a highly anomalous key such that T-310 can be broken by a slide attack with a decryption oracle. In this paper, we show that the same attacks are ALSO possible for regular keys which satisfy all the official KT1 requirements. Two other recent papers [Courtois, N. T.—Georgiou, M.—Scarlata, M.: Slide attacks and LC-weak keys in T-310, Cryptologia 43 (2019), no. 3, 175–189]; [Courtois, N. T.—Oprisanu, M. B.—Schmeh, K.: Linear cryptanalysis and block cipher design in East Germany in the 1970s, Cryptologia (published online), December 5, 2018] show that some of the KT1 keys are very weak w.r.t. Linear Cryptanalysis. In this paper, we show that a vast number of such weak keys exist and study the exact pre-conditions which make them weak. In addition we introduce a new third class of weak keys for RKDC (Related-Key Differential Cryptanalysis). We show that the original designers in the 1970s have ensured that these RKDC properties cannot happen for 4 rounds. We have discovered that these properties can happen for as few as 5 rounds for some keys, and for 10 to 16 rounds they become hard to avoid. The main reason why we study weak keys is to show that none of these properties occur by accident, rather that they are governed by precise pre-conditions which guarantee their existence, and countless other keys with the same properties exist. Eventually, this is how interesting attacks can be found.

Results of Linear Cryptanalysis Using Linear Sieve Methods

2009 ◽  
Vol E92-A (5) ◽  
pp. 1347-1355
Author(s):  
Yukiyasu TSUNOO ◽  
Hiroki NAKASHIMA ◽  
Hiroyasu KUBO ◽  
Teruo SAITO ◽  
Takeshi KAWABATA
Keyword(s):  
Linear Cryptanalysis ◽  
Sieve Methods

Immunity of Lightweight DES Algorithm (DESL) Against Linear Cryptanalysis Attack

2019 ◽  
Vol 28 (1) ◽  
pp. 381-387
Author(s):  
Bassam Aboshsha ◽  
Mohamed Dessouky ◽  
Rabie Ramadan ◽  
Ayman EL-SAYED
Keyword(s):  
Linear Cryptanalysis

Zero-Correlation Linear Cryptanalysis of Reduced-Round SIMON

2015 ◽  
Vol 30 (6) ◽  
pp. 1358-1369 ◽  
Author(s):  
Xiao-Li Yu ◽  
Wen-Ling Wu ◽  
Zhen-Qing Shi ◽  
Jian Zhang ◽  
Lei Zhang ◽  
...  
Keyword(s):  
Linear Cryptanalysis ◽  
Zero Correlation

scholarly journals Crypto-Archaeology: unearthing design methodology of DES s-boxes

2017 ◽  
Author(s):  
Sankhanil Dey ◽  
Ranjan Ghosh
Keyword(s):  
Boolean Function ◽  
Boolean Functions ◽  
Design Methodology ◽  
Block Cipher ◽  
Block Ciphers ◽  
Public Domain ◽  
Differential Cryptanalysis ◽  
Linear Cryptanalysis ◽  
Strict Avalanche Criterion ◽  
Independence Criterion

US defence sponsored the DES program in 1974 and released it in 1977. It remained as a well-known and well accepted block cipher until 1998. Thirty-two 4-bit DES S-Boxes are grouped in eight each with four and are put in public domain without any mention of their design methodology. S-Boxes, 4-bit, 8-bit or 32-bit, find a permanent seat in all future block ciphers. In this paper, while looking into the design methodology of DES S-Boxes, we find that S-Boxes have 128 balanced and non-linear Boolean Functions, of which 102 used once, while 13 used twice and 92 of 102 satisfy the Boolean Function-level Strict Avalanche Criterion. All the S-Boxes satisfy the Bit Independence Criterion. Their Differential Cryptanalysis exhibits better results than the Linear Cryptanalysis. However, no S-Boxes satisfy the S-Box-level SAC analyses. It seems that the designer emphasized satisfaction of Boolean-Function-level SAC and S-Box-level BIC and DC, not the S-Box-level LC and SAC.

scholarly journals Multidimensional linear cryptanalysis with key difference invariant bias for block ciphers

Cybersecurity ◽  
2021 ◽  
Vol 4 (1) ◽  
Author(s):  
Wenqin Cao ◽  
Wentao Zhang
Keyword(s):  
Time Complexity ◽  
Block Ciphers ◽  
Linear Cryptanalysis ◽  
Compression Technique ◽  
Key Recovery ◽  
Linear Approximations ◽  
Theoretical Advantage ◽  
Multidimensional Linear ◽  
Multidimensional Linear Cryptanalysis ◽  
Key Recovery Attacks

AbstractFor block ciphers, Bogdanov et al. found that there are some linear approximations satisfying that their biases are deterministically invariant under key difference. This property is called key difference invariant bias. Based on this property, Bogdanov et al. proposed a related-key statistical distinguisher and turned it into key-recovery attacks on LBlock and TWINE-128. In this paper, we propose a new related-key model by combining multidimensional linear cryptanalysis with key difference invariant bias. The main theoretical advantage is that our new model does not depend on statistical independence of linear approximations. We demonstrate our cryptanalysis technique by performing key recovery attacks on LBlock and TWINE-128. By using the relations of the involved round keys to reduce the number of guessed subkey bits. Moreover, the partial-compression technique is used to reduce the time complexity. We can recover the master key of LBlock up to 25 rounds with about 260.4 distinct known plaintexts, 278.85 time complexity and 261 bytes of memory requirements. Our attack can recover the master key of TWINE-128 up to 28 rounds with about 261.5 distinct known plaintexts, 2126.15 time complexity and 261 bytes of memory requirements. The results are the currently best ones on cryptanalysis of LBlock and TWINE-128.

Sign in / Sign up

Export Citation Format

Share Document