Trawling Twofish (revisited) NES/DOC/UIB/WP3/004/a

Author

  • Lars R. Knudsen

Abstract

Twofish is a 128-bit block cipher submitted as a candidate for the Advanced Encryption Standard (AES). It has a structure related to the Feistel structure and runs in 16 rounds. In this paper we consider mainly differentials of Twofish and show that there are differentials for Twofish for up to 16 rounds, predicting at least 32 bits of nontrivial information in every round. In addition, it holds that for any fixed user-selected key it is possible, at least in theory, to find one good pair of plaintexts following the differential through all 16 rounds. Also, we use these findings to try and distinguish (reduced) Twofish from a randomly chosen permutation.


Similar resources

A Differential Attack on Reduced-Round SC2000 NES/DOC/UIB/WP3/008/1

SC2000 is a 128-bit block cipher with key length of 128, 192 or 256 bits, developed by Fujitsu Laboratories LTD. For 128-bit keys, SC2000 consists of 6.5 rounds, and for 192- and 256-bit keys it consists of 7.5 rounds. In this paper we demonstrate two different 3.5-round differential characteristics that hold with probabilities $2^{-106}$ and $2^{-107}$. These characteristics can be used to extract up to 3...


On Noekeon NES/DOC/UIB/WP3/009/1

In this note we analyse Noekeon, a 128-bit block cipher submitted to the NESSIE project. It is shown that for six of seven S-boxes which satisfy the design criteria of the Noekeon designers the resulting block ciphers are vulnerable to either a differential attack, a linear attack or both. One conclusion is that Noekeon is not designed according to the wide trail strategy. Also, it is shown tha...


Generalised S-Box Nonlinearity NES/DOC/UIB/WP5/020/A Matthew

In this paper the (effective) bias of certain generalised linear approximations to the S-box are considered. Whereas, in the literature, the cryptanalyst typically restricts this search to linear approximations over $\mathbb{Z}_2$, we here consider linear approximations over $\mathbb{Z}_4$ and, more generally still, consider approximations which are linear in the sense that they can be completely factorised into the t...


NESSIE Document NES/DOC/SAG/WP3/018/3 About the NESSIE Submission BMGL: Synchronous Key-stream Generator with Provable Security

• Using a hybrid argument for probability distributions it is shown that given an adversary A who is capable of distinguishing the complete pseudorandom sequence (resulting from λ steps of the BMGL generator) from truly random bits (with advantage at least δ) there must exist a related adversary B and a fixed iteration i (of the one-way function f) such that B can distinguish the result of the ...


Key Separation in Twofish

In [Mur00], Murphy raises questions about key separation in Twofish. We discuss this property of the Twofish key schedule, and compare it with other block ciphers. While every block cipher has this property in some abstract sense, the specific structure of Twofish makes it an interesting property to consider. We explain why we don’t believe this property leads to any interesting attacks on Twof...



Publication date: 2000