This paper considers the security of iterated block ciphers against the differential cryptanalysis introduced by Biham and Shamir. Differential cryptanalysis is a chosen-plaintext attack on secret-key block ciphers that are based on iterating a cryptographically weak round function r times (e.g., the 16-round Data Encryption Standard (DES)). It is shown that the success of such attacks on an r-round cipher depends on the existence of (r-1)-round differentials with high probability, where an i-round differential is defined as a couple (a, p) such that a pair of distinct plaintexts with difference a can result in a pair of i-th round outputs with difference p, for an appropriate notion of "difference". The probabilities of such differentials can be used to determine a lower bound on the complexity of a differential cryptanalysis attack and to show when an r-round cipher is not vulnerable to such attacks. The concept of "Markov ciphers" is introduced for iterated ciphers because of its significance in differential cryptanalysis: if an iterated cipher is Markov and its round subkeys are independent, then the sequence of differences at the round outputs forms a Markov chain. It follows from a result of Biham and Shamir that DES is a Markov cipher. It is shown that, for the appropriate notion of "difference", the Proposed Encryption Standard (PES) of Lai and Massey, an 8-round iterated cipher, is a Markov cipher, as are the mini-versions of PES with block lengths 8, 16 and 32 bits. It is shown that PES(8) and PES(16) are immune to differential cryptanalysis after sufficiently many rounds. A detailed cryptanalysis of the full-size PES is given and shows that the most probable 7-round differential very plausibly has probability about 2^-58. A differential cryptanalysis attack of PES (64)
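The Markov-chain view of differentials in the abstract above, worked through on a constructed toy cipher (an added example, not code from the paper and not PES or DES): a 4-bit block, r rounds of y = S(x XOR k_i) with independent uniform round keys, XOR as the difference. Under that assumption the cipher is Markov, so the i-round differential probabilities are the i-th power of the one-round transition matrix built from the S-box's difference distribution table; the example checks that prediction against exhaustive enumeration over all keys and plaintexts, and derives the 1/p data lower bound for an attack on r rounds from the best (r-1)-round differential. The S-box is the PRESENT S-box, used only as a convenient 4-bit bijection.

```python
from fractions import Fraction
from itertools import product

# Constructed toy cipher for illustration (not PES or DES): 4-bit block, r rounds of
# y_i = S(y_{i-1} XOR k_i) with independent, uniformly random round keys k_i.
# With XOR as the "difference" this cipher is Markov: for any fixed input pair the
# uniform key makes the S-box inputs uniform, so the distribution of the output
# difference depends only on the input difference, not on the input value itself.
# The S-box is the PRESENT S-box, chosen only because it is a convenient 4-bit bijection.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def encrypt(sbox, x, keys):
    """Apply one round y = S(x XOR k) per round key."""
    for k in keys:
        x = sbox[x ^ k]
    return x


def ddt(sbox):
    """Difference distribution table: ddt[a][b] = #{x : S(x) XOR S(x XOR a) = b}."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for x in range(n):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


def one_round_matrix(sbox):
    """Transition matrix of the Markov chain of round differences: M[a][b] = ddt[a][b] / 2^4."""
    n = len(sbox)
    return [[Fraction(c, n) for c in row] for row in ddt(sbox)]


def mat_mul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]


def markov_differentials(sbox, rounds):
    """i-round differential probabilities P[a][b] = (M^i)[a][b].

    Exact only under the Markov property with independent round keys; for a
    non-Markov cipher this is just the usual heuristic estimate."""
    M = one_round_matrix(sbox)
    P = M
    for _ in range(rounds - 1):
        P = mat_mul(P, M)
    return P


def exhaustive_differential(sbox, a, b, rounds):
    """Ground truth: fraction of (plaintext, key tuple) choices for which input
    difference a leads to output difference b after `rounds` rounds."""
    n = len(sbox)
    hits = 0
    for keys in product(range(n), repeat=rounds):
        for x in range(n):
            if encrypt(sbox, x, keys) ^ encrypt(sbox, x ^ a, keys) == b:
                hits += 1
    return Fraction(hits, n * n ** rounds)


def best_differential(P):
    """Most probable differential (a, b, p) with a != 0 (a = 0 is the trivial one)."""
    best = (0, 0, Fraction(0))
    for a in range(1, len(P)):
        for b, p in enumerate(P[a]):
            if p > best[2]:
                best = (a, b, p)
    return best


def data_lower_bound(sbox, rounds):
    """An attack on an r-round cipher exploits an (r-1)-round differential of
    probability p and needs on the order of 1/p chosen-plaintext pairs, so 1/p
    for the best (r-1)-round differential is a lower bound on its data complexity."""
    _, _, p = best_differential(markov_differentials(sbox, rounds - 1))
    return 1 / p


if __name__ == "__main__":
    for r in range(1, 5):
        a, b, p = best_differential(markov_differentials(SBOX, r))
        print(f"best {r}-round differential: {a:#x} -> {b:#x} with p = {p}")
    a, b, p = best_differential(markov_differentials(SBOX, 2))
    print("2-round Markov prediction matches exhaustive count:",
          exhaustive_differential(SBOX, a, b, 2) == p)
    print("pairs needed against 3 rounds, at least:", data_lower_bound(SBOX, 3))
```

The exhaustive check is the part worth keeping in mind: it passes here because the key is XORed in before the only nonlinear operation. A round in which the key enters through an operation whose difference behaviour depends on the actual input values (the abstract's "appropriate notion of difference" is exactly what makes PES Markov) would break the matrix-power prediction, and the heuristic probability would then have to be validated experimentally.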
Abstract. MD4 is a hash function developed by Rivest in 1990. It serves as the basis for most of the dedicated hash functions, such as MD5, SHAx, RIPEMD, and HAVAL. In 1996, Dobbertin showed how to find collisions of MD4 with complexity equivalent to 2^20 MD4 hash computations. In this paper, we present a new attack on MD4 which can find a collision with probability 2^-2 to 2^-6, and the complexity of finding a collision does not exceed 2^8 MD4 hash operations. Built upon the collision search attack, we present a chosen-message pre-image attack on MD4 with complexity below 2^8. Furthermore, we show that for a weak message, we can find another message that produces the same hash value. The complexity is only a single MD4 computation, and a random message is a weak message with probability 2^-122. The attack on MD4 can be directly applied to RIPEMD, which has two parallel copies of MD4, and the complexity of finding a collision is about 2^18 RIPEMD hash operations.
A new secret-key block cipher is proposed as a candidate for a new encryption standard. In the proposed cipher, the plaintext and the ciphertext are 64-bit blocks, while the secret key is 128 bits long. The cipher is based on the design concept of "mixing operations from different algebraic groups". The cipher structure was chosen to provide confusion and diffusion and to facilitate both hardware and software implementations.
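The three operations PES mixes on 16-bit words are XOR, addition modulo 2^16 and multiplication modulo 2^16 + 1 (with the all-zero word standing for 2^16, so that all 2^16 words form a multiplicative group because 65537 is prime). The block below is an added example, not code from the paper: it implements the three operations with their inverses and checks that no distributive law relates them, which is what "different algebraic groups" buys the designer. The helper and function names are the example's own.

```python
# Added example: the three group operations on 16-bit words that PES combines.
# None of this is the cipher itself; it only shows the algebra the design relies on.

MASK = (1 << 16) - 1
MOD_MUL = (1 << 16) + 1   # 65537 is prime, so Z_65537^* is a group of order 2^16


def xor(a, b):
    """Bitwise XOR: the group (Z_2)^16, identity 0, every element is its own inverse."""
    return a ^ b


def add(a, b):
    """Addition in Z_{2^16}, identity 0."""
    return (a + b) & MASK


def add_inv(a):
    return (-a) & MASK


def _to_residue(x):
    """Map a 16-bit word to Z_65537^*: the word 0 represents 2^16 (= -1 mod 65537)."""
    return MOD_MUL - 1 if x == 0 else x


def _to_word(r):
    return 0 if r == MOD_MUL - 1 else r


def mul(a, b):
    """Multiplication in Z_65537^* on the 16-bit representation, identity 1."""
    return _to_word((_to_residue(a) * _to_residue(b)) % MOD_MUL)


def mul_inv(a):
    # Fermat: r^(p-2) is the inverse of r modulo the prime p = 65537
    return _to_word(pow(_to_residue(a), MOD_MUL - 2, MOD_MUL))


def inverses_hold(samples):
    """Every sample has an inverse under each operation (each one is a group)."""
    return all(xor(x, x) == 0 and add(x, add_inv(x)) == 0 and mul(x, mul_inv(x)) == 1
               for x in samples)


def distributes(outer, inner, a, b, c):
    """Does outer(a, inner(b, c)) == inner(outer(a, b), outer(a, c))?"""
    return outer(a, inner(b, c)) == inner(outer(a, b), outer(a, c))


if __name__ == "__main__":
    print("0 * 0 =", mul(0, 0), "  0 * 1 =", mul(0, 1), "  inverse of 0 is", mul_inv(0))
    print("inverses hold:", inverses_hold([0, 1, 2, 0x8000, 0xFFFF]))
    print("mul over xor:", distributes(mul, xor, 3, 1, 2))
    print("add over xor:", distributes(add, xor, 1, 1, 1))
    print("mul over add:", distributes(mul, add, 2, 0x8000, 0x8000))
```

The edge case worth remembering when implementing this family of ciphers is the zero word: it is the element 2^16, so 0 * 0 = 1 and 0 * x = -x mod 65537, and an implementation that treats it as the integer 0 silently loses invertibility.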
The white-box attack context is the setting in which the attacker has total access to the software execution and can observe or manipulate the dynamic execution of all or part of the algorithm. In order to protect AES software operating in such a context, Chow et al. designed an obfuscated AES implementation built from a set of key-dependent look-up tables, which was proposed at SAC 2002. However, Billet et al. showed that Chow's strategy was insecure and that the secret key can be extracted with time complexity 2^30. Billet's attack works because ShiftRows has no effect on the tables of Chow's scheme, so the obfuscation of the key can be divided into smaller pieces and removed with the help of specific characteristics of the MixColumns operation in AES. In this paper, we present a secure implementation of white-box AES; the main difference lies in the ShiftRows operation. It is now embedded in the matrix products, and the output encodings have the same size as the output of the MixColumns operation (32 bits). Thus the obfuscation of the key cannot be divided into smaller pieces or removed by Billet's attack technique, and our scheme resists Billet's attack. It is more secure than Chow's.
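The mechanism the abstract refers to, shown as an added example that is not code from Chow et al. or from this paper: a key-dependent table T(x) = S(x XOR k) is shipped wrapped in secret bijective input and output encodings, each table's output encoding is the next table's input encoding so they cancel inside the chain, and only the external encodings remain visible. The encodings here are random bijections on each nibble, an assumption made for brevity (they are the "smaller" encodings that the abstract says Billet's attack splits and strips; the paper's 32-bit encodings are not reproduced here), and the chain of S-box layers stands in for a full AES round. The AES S-box is computed from its FIPS-197 definition rather than embedded; the function names are the example's own.

```python
import random

# Added example of an encoded, key-dependent lookup table (Chow-style T-box).
# Simplifications (assumptions of this example): byte-wide tables only, nibble
# encodings, and a chain of S-box layers instead of a full AES round.


def gf_mul(a, b):
    """Multiplication in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a):
    """Inverse as a^254; 0 maps to 0 as AES specifies."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if a else 0


def aes_sbox():
    """AES S-box: GF(2^8) inverse followed by the FIPS-197 affine map."""
    box = []
    for x in range(256):
        b = gf_inv(x)
        y = b
        for i in range(1, 5):
            y ^= ((b << i) | (b >> (8 - i))) & 0xFF
        box.append(y ^ 0x63)
    return box


def random_nibble_encoding(rng):
    """A secret byte encoding: two independent random bijections on the two nibbles."""
    hi, lo = list(range(16)), list(range(16))
    rng.shuffle(hi)
    rng.shuffle(lo)
    return hi, lo


def invert_encoding(enc):
    inv = []
    for p in enc:
        q = [0] * 16
        for i, v in enumerate(p):
            q[v] = i
        inv.append(q)
    return tuple(inv)


def apply_encoding(x, enc):
    hi, lo = enc
    return (hi[x >> 4] << 4) | lo[x & 0xF]


def build_tbox(sbox, key_byte, in_enc, out_enc):
    """Encoded table T'(x) = out_enc(S(in_enc^-1(x) XOR k)). Only the 256-entry
    list is shipped; k and the encodings stay with the table generator."""
    in_dec = invert_encoding(in_enc)
    return [apply_encoding(sbox[apply_encoding(x, in_dec) ^ key_byte], out_enc)
            for x in range(256)]


def whitebox_chain(sbox, keys, seed=1):
    """One encoded T-box per key byte; table i's output encoding is table i+1's input
    encoding, so encodings cancel between tables. Returns (tables, in_enc, out_enc)."""
    rng = random.Random(seed)  # constructed, deterministic secrets for the example
    encs = [random_nibble_encoding(rng) for _ in range(len(keys) + 1)]
    tables = [build_tbox(sbox, k, encs[i], encs[i + 1]) for i, k in enumerate(keys)]
    return tables, encs[0], encs[-1]


def run_chain(tables, x):
    """What the attacker's copy of the program does: table lookups only."""
    for t in tables:
        x = t[x]
    return x


def reference(sbox, keys, x):
    """Unprotected computation the chain must reproduce."""
    for k in keys:
        x = sbox[x ^ k]
    return x
```

Reading any single table gives the attacker out_enc(S(in_enc^-1(x) XOR k)) for a pair of unknown encodings, not S(x XOR k); the attack the abstract cites does not read the key off a table but exploits how the small encodings interact with the linear layer around them, which is why the paper's fix is about the size of the encodings and where ShiftRows sits rather than about the tables' contents.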