Markov Ciphers and Diierential Cryptanalysis
نویسندگان
چکیده
This paper considers the security of iterated block ciphers against the di erential cryptanalysis introduced by Biham and Shamir Di erential cryptanalysis is a chosen plaintext attack on secret key block ciphers that are based on iterating a cryptographically weak function r times e g the round Data Encryption Standard DES It is shown that the success of such attacks on an r round cipher depends on the existence of r round di erentials that have high probabilities where an i round di erential is de ned as a couple such that a pair of distinct plaintexts with di erence can result in a pair of i th round outputs that have di erence for an appropriate notion of di erence The probabilities of such di erentials can be used to determine a lower bound on the complexity of a di erential cryptanalysis attack and to show when an r round cipher is not vulnerable to such attacks The concept of Markov ciphers is introduced for iterated ciphers because of its signi cance in di erential cryptanalysis If an iterated cipher is Markov and its round subkeys are independent then the sequence of di erences at each round output forms a Markov chain It follows from a result of Biham and Shamir that DES is a Markov cipher It is shown that for the appropriate notion of di erence the Proposed Encryption Standard PES of Lai and Massey which is an round iterated cipher is a Markov cipher as are also the mini version of PES with block length and bits It is shown that PES and PES are immune to di erential cryptanalysis after su ciently many rounds A detailed cryptanalysis of the full size PES is given and shows that the very plausibly most probable round di erential has a probability about A di erential cryptanalysis attack of PES based on this di erential is shown to require all possible encryptions This cryptanalysis of PES suggested a new design principle for Markov ciphers viz that their transition probability matrices should not be symmetric A minor modi cation of PES consistent with all the original design principles is proposed that satis es this new design criterion This modi ed cipher called Improved PES IPES is described and shown to be highly resistant to di erential cryptanalysis Introduction Many secret key block ciphers are cryptosystems based on iterating a cryptographically weak function several times Each iteration is called a round The output of each round is a function of the output of the previous round and of a subkey derived from the full secret key by a key schedule algorithm Such a secret key block cipher with r iterations is called an r round iterated cipher For example the well known Data Encryption Standard DES is a round iterated cipher Di erential cryptanalysis introduced by Biham and Shamir in is a chosen plaintext at tack to nd the secret key of an iterated ciphers It analyzes the e ect of the di erence of a pair of plaintexts on the di erence of succeeding round outputs in an r round iterated cipher In Section we describe di erential cryptanalysis of a general r round iterated cipher in terms of r round di erentials instead of in terms of the i round characteristics used in The hypothesis of stochastic equivalence which has been implicitly assumed in di erential crypt analysis is explicitly formulated in Section It is pointed out that one of the two prerequisites for di erential cryptanalysis to succeed on an r round cipher is the existence of an r round di erential with high probability and it is shown that a lower bound on the complexity of di erential cryptanalysis can be obtained from the maximum di erential probability In Section Markov ciphers are de ned as iterated ciphers whose round functions satisfy the condition that the di erential probability is independent of the choice of one of the component plaintexts under an appropriate de nition of di erence It is shown that for a Markov cipher with independent subkeys the sequence of round di erences forms a Markov chain It follows from a result of Biham and Shamir that DES is a Markov cipher The study of di erential cryptanalysis for an r round Markov cipher is reduced to the study of the transition probabilities created by its round function In particular Markov chain techniques can be used to show whether the cipher is secure against di erential cryptanalysis after su ciently many rounds At Eurocrypt a new iterated cipher the Proposed Encryption Standard PES was in troduced by Lai and Massey The PES contains rounds plus an output transformation In Section standard PES with block length bits and mini versions of PES with block length and are considered These are all shown to be Markov ciphers The ciphers PES and PES are shown to be immune to di erential cryptanalysis after su ciently many rounds A detailed cryptanalysis of PES given in the Appendix shows that the very plausibly most likely one round di erential has probability about which leads to a round di erential with probability about Di erential cryptanalysis of PES based on this di erential requires the cryptanalyst to perform all possible encryptions The attacker thus obtains the secret key after encryptions which is much less than the encryptions of an exhaustive key search however the encryptions specify the entire mapping from plaintext to ciphertext
منابع مشابه
Designing product ciphers using Markov Chains
In this paper we consider the design of product ciphers based on Markov chains. We examine two particular chains which are related to the diierential and linear cryptanalysis attacks. Both of these chains approach the uniform distribution which indicates that appropriately designed ciphers are secure against these attacks. The maximum deviation from the uniform distribution can be used as guide...
متن کاملA New Criterion for the Design of 8 8 S-boxes in Private-key Ciphers
In this paper, we examine the security of the class of substitution-permutation private-key block ciphers with respect to linear and diierential crypt-analysis. A new S-box nonlinearity criterion is proposed and it is shown that S-boxes satisfying this criterion and having good diiusion improve remarkably the ability of an SPN to resist linear cryptanalysis and diierential cryptanalysis.
متن کاملResistance Against General Iterated Attacks
In this paper we study the resistance of a block cipher against any general iterated attack. This class of attacks includes diierential and linear cryptanalysis. We prove that we can upper bound the complexity of the attack by using Vaudenay's decorrelation technique. Our main theorem enables to prove the security of some recently proposed block ciphers COCONUT98 and PEANUT98. Since public-key ...
متن کاملDiierential Cryptanalysis of Feistel Ciphers and Diierentially -uniform Mappings
In this paper we study the round permutations (or S-boxes) which provide to Feistel ciphers the best resistance against diierential crypt-analysis. We prove that a Feistel cipher with any round keys and with at least 5 rounds resists any diierential attack if its round permutation is diierentially-uniform for a small. This improves an earlier result due to Nyberg and Knudsen which only held for...
متن کاملImproved Characteristics for Diierential Cryptanalysis of Hash Functions Based on Block Ciphers
In this paper we present an improvement of the diierential attack on hash functions based on block ciphers. By using the speciic properties of the collision attack on hash functions, we can greatly reduce the work factor to nd a pair that follows the characteristic. We propose a new family of diierential characteristics that is especially useful in combination with our improvement. Attacks on a...
متن کامل