On Noekeon NES/DOC/UIB/WP3/009/1

Author

  • Lars R. Knudsen
Abstract

In this note we analyse Noekeon, a 128-bit block cipher submitted to the NESSIE project. It is shown that for six of seven S-boxes which satisfy the design criteria of the Noekeon designers the resulting block ciphers are vulnerable to either a differential attack, a linear attack or both. One conclusion is that Noekeon is not designed according to the wide trail strategy. Also, it is shown that there exist many related keys for which plaintexts of certain differences result in ciphertexts of certain differences with high probabilities. Noekeon has two key-schedules, one for applications where related-key attacks are not considered dangerous and one for applications where related-key attacks can be mounted. In this paper it is shown that for any given user-selected keys there are many related keys independently of which key-schedule is used.


Similar resources

A Differential Attack on Reduced-Round SC2000∗ NES/DOC/UIB/WP3/008/1

SC2000 is a 128-bit block cipher with key length of 128, 192 or 256 bits, developed by Fujitsu Laboratories LTD. For 128-bit keys, SC2000 consists of 6.5 rounds, and for 192- and 256-bit keys it consists of 7.5 rounds. In this paper we demonstrate two different 3.5-round differential characteristics that hold with probabilities $2^{-106}$ and $2^{-107}$. These characteristics can be used to extract up to 3...


Trawling Twofish (revisited) NES/DOC/UIB/WP3/004/a

Twofish is a 128-bit block cipher submitted as a candidate for the Advanced Encryption Standard (AES). It has a structure related to the Feistel structure and runs in 16 rounds. In this paper we consider mainly differentials of Twofish and show that there are differentials for Twofish for up to 16 rounds, predicting at least 32 bits of nontrivial information in every round. In addition, it hold...


Generalised S-Box Nonlinearity NES/DOC/UIB/WP5/020/A Matthew

In this paper the (effective) bias of certain generalised linear approximations to the S-box are considered. Whereas, in the literature, the cryptanalyst typically restricts this search to linear approximations over $Z_2$, we here consider linear approximations over $Z_4$ and, more generally still, consider approximations which are linear in the sense that they can be completely factorised into the t...


NESSIE Document NES/DOC/SAG/WP3/018/3∗† About the NESSIE Submission BMGL: Synchronous Key-stream Generator with Provable Security‡

• Using a hybrid argument for probability distributions it is shown that given an adversary A who is capable of distinguishing the complete pseudorandom sequence (resulting from λ steps of the BMGL generator) from truly random bits (with advantage at least δ) there must exist a related adversary B and a fixed iteration i (of the one-way function f) such that B can distinguish the result of the ...


A Genome-Scale Model of Shewanella piezotolerans Simulates Mechanisms of Metabolic Diversity and Energy Conservation

Shewanella piezotolerans strain WP3 belongs to the group 1 branch of the Shewanella genus and is a piezotolerant and psychrotolerant species isolated from the deep sea. In this study, a genome-scale model was constructed for WP3 using a combination of genome annotation, ortholog mapping, and physiological verification. The metabolic reconstruction contained 806 genes, 653 metabolites, and 922 r...


Publication date: 2001