Markov Ciphers and Differential Cryptanalysis
Authors
Abstract
This paper considers the security of iterated block ciphers against the differential cryptanalysis introduced by Biham and Shamir. Differential cryptanalysis is a chosen-plaintext attack on secret-key block ciphers that are based on iterating a cryptographically weak function r times (e.g., the 16-round Data Encryption Standard (DES)). It is shown that the success of such attacks on an r-round cipher depends on the existence of (r-1)-round differentials that have high probabilities, where an i-round differential is defined as a couple ( ; ) such that a pair of distinct plaintexts with difference can result in a pair of i-th round outputs that have difference , for an appropriate notion of "difference". The probabilities of such differentials can be used to determine a lower bound on the complexity of a differential cryptanalysis attack and to show when an r-round cipher is not vulnerable to such attacks. The concept of "Markov ciphers" is introduced for iterated ciphers because of its significance in differential cryptanalysis. If an iterated cipher is Markov and its round subkeys are independent, then the sequence of differences at each round output forms a Markov chain. It follows from a result of Biham and Shamir that DES is a Markov cipher. It is shown that, for the appropriate notion of "difference", the Proposed Encryption Standard (PES) of Lai and Massey, which is an 8-round iterated cipher, is a Markov cipher, as are also the mini-version of PES with block length 8, 16 and 32 bits. It is shown that PES(8) and PES(16) are immune to differential cryptanalysis after sufficiently many rounds. A detailed cryptanalysis of the full-size PES is given and shows that the very plausibly most probable 7-round differential has a probability about 2 . A differential cryptanalysis attack of PES(64) based on this differential is shown to
Similar resources
A new method for accelerating impossible differential cryptanalysis and its application on LBlock
Impossible differential cryptanalysis, the extension of differential cryptanalysis, is one of the most efficient attacks against block ciphers. This cryptanalysis method has been applied to most of the block ciphers and has shown significant results. Using structures, key schedule considerations, early abort, and pre-computation are some common methods to reduce complexities of this attack. In ...
Impossible Differential Cryptanalysis of Reduced-Round Midori64 Block Cipher (Extended Version)
Impossible differential attack is a well-known means to examine robustness of block ciphers. Using impossible differential cryptanalysis, we analyze security of a family of lightweight block ciphers, named Midori, that are designed considering low energy consumption. Midori state size can be either 64 bits for Midori64 or 128 bits for Midori128; however, both vers...
Relationships among Differential, Truncated Differential, Impossible Differential Cryptanalyses against Word-Oriented Block Ciphers like RIJNDAEL, E2
We propose a new method for evaluating the security of block ciphers against differential cryptanalysis and propose new structures for block ciphers. To this end, we define the word-wise Markov (Feistel) cipher and random output-differential (Feistel) cipher and clarify the relations among the differential, the truncated differential and the impossible differential cryptanalyses of the random output-...
On the Role of Key Schedules in Attacks on Iterated Ciphers
This paper considers iterated ciphers and their resistance against linear and differential cryptanalysis. In the theory of these attacks one assumes independence of the round keys in the ciphers. Very often though, the round keys are computed in a key schedule algorithm from a short key in a nonrandom fashion. In this paper it is shown by experiments that ciphers with complex key schedules resi...
Statistics of Correlation and Differentials in Block Ciphers
In this paper, we derive the statistical distributions of difference propagation probabilities and input-output correlations for random functions and block ciphers, for most of them for the first time. We show that these parameters have distributions that are well-studied in the field of statistics such as the normal, Poisson, Gamma and extreme value distributions. For Markov ciphers there exis...