Conditional Differential Cryptanalysis of NLFSR-Based Cryptosystems

Knellwolf, Simon; Meier, Willi; Naya-Plasencia, Maŕıa

doi:10.1007/978-3-642-17373-8_8

Cited by 99 publications

(116 citation statements)

References 16 publications

(28 reference statements)

Supporting

Mentioning

115

Contrasting

Order By: Relevance

“…Another possible approach it to carefully select the cube such that we obtain a practical distinguisher (as in Section 5.1). Then, we can try to apply several techniques that were developed to exploit similar distinguishers for key recovery (such as conditional differential cryptanalysis [19] and dynamic cube attacks [15]). However, these techniques seem to be better suited for stream ciphers built using feedback shift registers, rather than the SP-network design of Keccak.…”

Section: Keystream Prediction For 9-round Keccakmentioning

confidence: 99%

Cube Attacks and Cube-Attack-Like Cryptanalysis on the Round-Reduced Keccak Sponge Function

Dinur

Morawiecki

Pieprzyk

et al. 2015

Advances in Cryptology -- EUROCRYPT 2015

View full text Add to dashboard Cite

Abstract. In this paper, we comprehensively study the resistance of keyed variants of SHA-3 (Keccak) against algebraic attacks. This analysis covers a wide range of key recovery, MAC forgery and other types of attacks, breaking up to 9 rounds (out of the full 24) of the Keccak internal permutation much faster than exhaustive search. Moreover, some of our attacks on the 6-round Keccak are completely practical and were verified on a desktop PC. Our methods combine cube attacks (an algebraic key recovery attack) and related algebraic techniques with structural analysis of the Keccak permutation. These techniques should be useful in future cryptanalysis of Keccak and similar designs. Although our attacks break more rounds than previously published techniques, the security margin of Keccak remains large. For Keyak -a Keccak-based authenticated encryption scheme -the nominal number of rounds is 12 and therefore its security margin is smaller (although still sufficient).

show abstract

Section: Keystream Prediction For 9-round Keccakmentioning

confidence: 99%

Cube Attacks and Cube-Attack-Like Cryptanalysis on the Round-Reduced Keccak Sponge Function

Dinur

Morawiecki

Pieprzyk

et al. 2015

Advances in Cryptology -- EUROCRYPT 2015

View full text Add to dashboard Cite

show abstract

“…For KATAN-32 we present the best known differential attack. 1 In particular, our attack allows us to break 115 rounds of KATAN-32, which is 37 rounds more than previous work [13]. For this, our attack exploits the non-uniformity of the difference distribution after 91 rounds which is 20 rounds more than the previously best known differential characteristic.…”

Section: Our Contributionmentioning

confidence: 99%

“…We refer to [9] for more information. The currently best know differential attack on KATAN-32 is a conditional differential attack that can break up to 78 rounds (see [13]). The best attack overall breaks the full cipher slightly faster than exhaustive key search [12].…”

Section: Application To Katan32mentioning

confidence: 99%

An All-In-One Approach to Differential Cryptanalysis for Small Block Ciphers

Albrecht¹,

Leander²

2013

Selected Areas in Cryptography

View full text Add to dashboard Cite

Abstract. We present a framework that unifies several standard differential techniques. This unified view allows us to consider many, potentially all, output differences for a given input difference and to combine the information derived from them in an optimal way. We then propose a new attack that implicitly mounts several standard, truncated, impossible, improbable and possible future variants of differential attacks in parallel and hence allows to significantly improve upon known differential attacks using the same input difference. To demonstrate the viability of our techniques, we apply them to KATAN-32. In particular, our attack allows us to break 115 rounds of KATAN-32, which is 37 rounds more than previous work. For this, our attack exploits the non-uniformity of the difference distribution after 91 rounds which is 20 rounds more than the previously best known differential characteristic. Since our results still cover less than 1/2 of the cipher, they further strengthen our confidence in KATAN-32's resistance against differential attacks.

show abstract

“…Cryptanalytical results on the KATAN family have been presented in [12,2]. Recall that all three members of the KATAN family (i.e.…”

Section: Introductionmentioning

confidence: 99%

“…KATAN32, KATAN48, and KATAN64) have 254 rounds. Knellwolf et al [12] presented partial key recovery attacks (called "conditional differential cryptanalysis") against 78 rounds of KATAN32, 70 rounds of KATAN48, and 68 rounds of KATAN64 and concluded that the full versions of these ciphers seem to have sufficiently large number of rounds (254 rounds) to provide a confident security margin against their proposed attack. Bard et al [2] presented cube attacks against 60, 40, and 30 rounds, and algebraic attacks against 79, 64, 60 rounds of KATAN32, KATAN48 and KATAN64, respectively.…”

Section: Introductionmentioning

confidence: 99%

Fault Analysis of the KATAN Family of Block Ciphers

Abdul‐Latip

Reyhanitabar

Susilo

et al. 2012

Information Security Practice and Experience

View full text Add to dashboard Cite

Abstract. In this paper, we investigate the security of the KATAN family of block ciphers against differential fault attacks. KATAN consists of three variants with 32, 48 and 64-bit block sizes, called KATAN32, KATAN48 and KATAN64, respectively. All three variants have the same key length of 80 bits. We assume a single-bit fault injection model where the adversary is supposed to be able to corrupt a single random bit of the internal state of the cipher and this fault injection process can be repeated (by resetting the cipher); i.e., the faults are transient rather than permanent. First, we determine suitable rounds for effective fault injections by analyzing distributions of low-degree (mainly, linear and quadratic) polynomial equations obtainable using the cube and extended cube attack techniques. Then, we show how to identify the exact position of faulty bits within the internal state by precomputing difference characteristics for each bit position at a given round and comparing these characteristics with ciphertext differences (XOR of faulty and non-faulty ciphertexts) during the online phase of the attack. The complexity of our attack on KATAN32 is 2 59 computations and about 115 fault injections. For KATAN48 and KATAN64, the attack requires 2 55 computations (for both variants), while the required number of fault injections is 211 and 278, respectively.

show abstract

Conditional Differential Cryptanalysis of NLFSR-Based Cryptosystems

Cited by 99 publications

References 16 publications

Cube Attacks and Cube-Attack-Like Cryptanalysis on the Round-Reduced Keccak Sponge Function

Cube Attacks and Cube-Attack-Like Cryptanalysis on the Round-Reduced Keccak Sponge Function

An All-In-One Approach to Differential Cryptanalysis for Small Block Ciphers

Fault Analysis of the KATAN Family of Block Ciphers

Contact Info

Product

Resources

About