On Differential and Linear Cryptanalysis of the RC5 Encryption Algorithm

Kaliski, Burt; Yin, Yiqun Lisa

doi:10.1007/3-540-44750-4_14

Cited by 50 publications

(61 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Because of the fact that (14) has a bigger bias than (15), 'traditionally' approximations on the LSB have been considered to be most useful for a linear attack (see [KY95,KY98]). Using Approximations (9), (10) and (14) one can derive the following iterative approximation for one round of RC5.…”

Section: Key Dependency and Piling-upmentioning

confidence: 99%

Linear Cryptanalysis of RC5 and RC6

Borst

Preneel

Vandewalle

1999

Fast Software Encryption

View full text Add to dashboard Cite

Abstract. In this paper we evaluate the resistance of the block cipher RC5 against linear cryptanalysis. We describe a known plaintext attack that can break RC5-32 (blocksize 64) with 10 rounds and RC5-64 (blocksize 128) with 15 rounds. In order to do this we use techniques related to the use of multiple linear approximations. Furthermore the success of the attack is largely based on the linear hull-effect. To our knowledge, at this moment these are the best known plaintext attacks on RC5, which have negligible storage requirements and do not make any assumption on the plaintext distribution. Furthermore we discuss the impact of our attacking method on the AES-candidate RC6, whose design was based on RC5.

show abstract

Section: Key Dependency and Piling-upmentioning

confidence: 99%

Linear Cryptanalysis of RC5 and RC6

Borst

Preneel

Vandewalle

1999

Fast Software Encryption

View full text Add to dashboard Cite

show abstract

“…RC5 has been extensively studied from a regular cryptanalysis point of view. See for example [9,8,18].…”

Section: Probing Rc5mentioning

confidence: 99%

Probing Attacks On Tamper-Resistant Devices

Handschuh

Paillier

Stern

1999

Cryptographic Hardware and Embedded Systems

View full text Add to dashboard Cite

Abstract. This paper describes a new type of attack on tamper-resistant cryptographic hardware. We show that by locally observing the value of a few RAM or adress bus bits (possibly a single one) during the execution of a cryptographic algorithm, typically by the mean of a probe (needle), an attacker could easily recover information on the secret key being used; our attacks apply to public-key cryptosystems such as RSA or El Gamal, as well as to secret-key encryption schemes including DES and RC5.

show abstract

“…Furthermore in our analysis we shall be interested in how single-bit differences behave within RC2. The decision to restrict our attention to single-bit differences facilitates analysis but is also motivated by a typical assumption that characteristics involving multiple-bit differences over integer addition will generally hold with lower probability than single-bit characteristics [6]. We note that other more complex techniques [2,7] might open new avenues for the analysis of RC2.…”

Section: Differential Cryptanalysis Of Rc2mentioning

confidence: 99%

“…Such attacks appear to be ineffective for ciphers that mix integer addition and bitwise operations unless the approximation can be limited to the least significant bits across an addition [6]. Such a restriction appears unlikely as an extension of the current approximation into a third MIXING round illustrates: Nevertheless, there are complex interactions between the individual steps of RC2 and these often provide unintuitive results.…”

Section: The Effectiveness Of Linear Cryptanalysismentioning

confidence: 99%