Cryptanalysis

The Experts below are selected from a list of 22674 Experts worldwide ranked by ideXlab platform

David Wagner - One of the best experts on this subject based on the ideXlab platform.

  • Towards a unifying view of block cipher Cryptanalysis
    Fast Software Encryption, 2004
    Co-Authors: David Wagner
    Abstract:

    We introduce commutative diagram cryptanalysis, a framework for expressing certain kinds of attacks on product ciphers. We show that many familiar attacks, including linear cryptanalysis, differential cryptanalysis, differential-linear cryptanalysis, mod n attacks, truncated differential cryptanalysis, impossible differential cryptanalysis, higher-order differential cryptanalysis, and interpolation attacks can be expressed within this framework. Thus, we show that commutative diagram attacks provide a unifying view into the field of block cipher cryptanalysis. Then, we use the language of commutative diagram cryptanalysis to compare the power of many previously known attacks. Finally, we introduce two new attacks, generalized truncated differential cryptanalysis and bivariate interpolation, and we show how these new techniques generalize and unify many previous attack methods.

  • Integral Cryptanalysis
    2002
    Co-Authors: Lars R. Knudsen, David Wagner
    Abstract:

    This paper considers a cryptanalytic approach called integral cryptanalysis. It can be seen as a dual to differential cryptanalysis and applies to ciphers not vulnerable to differential attacks. The method is particularly applicable to block ciphers which use bijective components only.

  • side channel Cryptanalysis of product ciphers
    Journal of Computer Security, 2000
    Co-Authors: John Kelsey, David Wagner, Bruce Schneier, Chris Hall
    Abstract:

    Building on the work of Kocher (1996), Jaffe and Yun (1998), we discuss the notion of side-channel cryptanalysis: cryptanalysis using implementation data. We discuss the notion of side-channel attacks and the vulnerabilities they introduce, demonstrate side-channel attacks against three product ciphers (timing attack against IDEA, processor-flag attack against RC5, and Hamming weight attack against DES) and then generalize our research to other cryptosystems.

Benoît Gérard - One of the best experts on this subject based on the ideXlab platform.

  • Multiple Differential Cryptanalysis: Theory and Practice
    2011
    Co-Authors: Céline Blondeau, Benoît Gérard
    Abstract:

    Differential cryptanalysis is a well-known statistical attack on block ciphers. We present here a generalisation of this attack called multiple differential cryptanalysis. We study the data complexity, the time complexity and the success probability of such an attack and we experimentally validate our formulas on a reduced version of PRESENT. Finally, we propose a multiple differential cryptanalysis on 18-round PRESENT for both 80-bit and 128-bit master keys.

  • Accurate estimates of the data complexity and success probability for various cryptanalyses
    Designs Codes and Cryptography, 2011
    Co-Authors: Céline Blondeau, Benoît Gérard, Jean-pierre Tillich
    Abstract:

    Many attacks on encryption schemes rely on statistical considerations using plaintext/ciphertext pairs to find some information on the key. We provide here simple formulae for estimating the data complexity and the success probability which can be applied to a lot of different scenarios (differential cryptanalysis, linear cryptanalysis, truncated differential cryptanalysis, etc.). Our work does not rely on the Gaussian approximation, which is not valid in every setting, but uses instead a simple and general approximation of the binomial distribution and asymptotic expansions of the beta distribution.

  • On the Data Complexity of Statistical Attacks Against Block Ciphers
    2009
    Co-Authors: Céline Blondeau, Benoît Gérard
    Abstract:

    Many attacks on iterated block ciphers rely on statistical considerations using plaintext/ciphertext pairs to distinguish some part of the cipher from a random permutation. We provide here a simple formula for estimating the amount of plaintext/ciphertext pairs which is needed for such distinguishers and which applies to a lot of different scenarios (linear cryptanalysis, differential-linear cryptanalysis, differential/truncated differential/impossible differential cryptanalysis). The asymptotic data complexities of all these attacks are then derived. Moreover, we give an efficient algorithm for computing the data complexity accurately.

Xiaoyun Wang - One of the best experts on this subject based on the ideXlab platform.

  • FSE - Improved Linear Hull Attack on Round-Reduced Simon with Dynamic Key-Guessing Techniques
    Fast Software Encryption, 2016
    Co-Authors: Huaifeng Chen, Xiaoyun Wang
    Abstract:

    Simon is a lightweight block cipher family proposed by NSA in 2013. It has drawn many cryptanalysts' attention and a variety of cryptanalysis results have been published, including differential, linear, impossible differential, integral cryptanalysis and so on. In this paper, we give improved linear attacks on all reduced versions of Simon with the dynamic key-guessing technique, which was recently proposed to improve the differential attack on Simon. By establishing the Boolean function of the parity bit in the linear hull distinguisher and reducing the function according to the property of the AND operation, we can guess different subkeys or equivalent subkeys for different situations, which decreases the number of key bits involved in the attack and further decreases the time complexity. As a result, 23-round Simon32/64, 24-round Simon48/72, 25-round Simon48/96, 30-round Simon64/96, 31-round Simon64/128, 37-round Simon96/96, 38-round Simon96/144, 49-round Simon128/128, 51-round Simon128/192 and 53-round Simon128/256 can be attacked. As far as we know, our attacks on most reduced versions of Simon are the best compared with the previous cryptanalysis results. However, this does not shake the security of the Simon family with full rounds.

  • Differential-algebraic Cryptanalysis of reduced-round of Serpent-256
    Science China Information Sciences, 2010
    Co-Authors: Meiqin Wang, Xiaoyun Wang, Lucas C. K. Hui
    Abstract:

    Differential cryptanalysis is a general cryptanalytic tool that makes use of differentials over some rounds of a cipher, combined with some key bit guesses of one or two rounds. This paper introduces a new cryptanalysis strategy for block ciphers named differential-algebraic cryptanalysis. The idea of differential-algebraic cryptanalysis is to find a differential with high probability and build the multivariable system of equations for the last few rounds. The subkey values of the last few rounds can be obtained by filtering the solutions of the system of equations instead of guessing all possible subkey values. We use differential-algebraic cryptanalysis to break 8-round Serpent-256. Our attack can recover the 256-bit key with 2^83 chosen plaintexts, 2^180.4 8-round Serpent-256 encryptions and 2^176.7 bytes of memory. Compared with the previous differential cryptanalysis results, both the data complexity and the time complexity are reduced, but the memory requirements are increased. The time complexity and the memory requirements are very close, and a time-memory tradeoff is exploited.

  • Cryptanalysis of self-shrinking generator
    Electronics Letters, 2003
    Co-Authors: Lizhen Yang, Kefei Chen, Xiaoyun Wang
    Abstract:

    A simple cryptanalysis of the self-shrinking generator with very short keystream for the case of unknown connection polynomial is provided. The expected complexity of this cryptanalysis is 2^(1.5L) when the length of the LFSR of the generator is L.

Céline Blondeau - One of the best experts on this subject based on the ideXlab platform.

  • Multiple Differential Cryptanalysis: Theory and Practice
    2011
    Co-Authors: Céline Blondeau, Benoît Gérard
    Abstract:

    Differential cryptanalysis is a well-known statistical attack on block ciphers. We present here a generalisation of this attack called multiple differential cryptanalysis. We study the data complexity, the time complexity and the success probability of such an attack and we experimentally validate our formulas on a reduced version of PRESENT. Finally, we propose a multiple differential cryptanalysis on 18-round PRESENT for both 80-bit and 128-bit master keys.

  • Accurate estimates of the data complexity and success probability for various cryptanalyses
    Designs Codes and Cryptography, 2011
    Co-Authors: Céline Blondeau, Benoît Gérard, Jean-pierre Tillich
    Abstract:

    Many attacks on encryption schemes rely on statistical considerations using plaintext/ciphertext pairs to find some information on the key. We provide here simple formulae for estimating the data complexity and the success probability which can be applied to a lot of different scenarios (differential cryptanalysis, linear cryptanalysis, truncated differential cryptanalysis, etc.). Our work does not rely on the Gaussian approximation, which is not valid in every setting, but uses instead a simple and general approximation of the binomial distribution and asymptotic expansions of the beta distribution.

  • On the Data Complexity of Statistical Attacks Against Block Ciphers
    2009
    Co-Authors: Céline Blondeau, Benoît Gérard
    Abstract:

    Many attacks on iterated block ciphers rely on statistical considerations using plaintext/ciphertext pairs to distinguish some part of the cipher from a random permutation. We provide here a simple formula for estimating the amount of plaintext/ciphertext pairs which is needed for such distinguishers and which applies to a lot of different scenarios (linear cryptanalysis, differential-linear cryptanalysis, differential/truncated differential/impossible differential cryptanalysis). The asymptotic data complexities of all these attacks are then derived. Moreover, we give an efficient algorithm for computing the data complexity accurately.

Jie Sun - One of the best experts on this subject based on the ideXlab platform.

  • Quantum differential Cryptanalysis
    Quantum Information Processing, 2015
    Co-Authors: Qing Zhou, Zhigang Zhang, Jie Sun
    Abstract:

    In this paper, we propose a quantum version of differential cryptanalysis which offers a quadratic speedup over the existing classical one and show the quantum circuit implementing it. The quantum differential cryptanalysis is based on the quantum minimum/maximum-finding algorithm, where the values to be compared and filtered are obtained by calling the quantum counting algorithm. Any cipher which is vulnerable to classical differential cryptanalysis based on counting procedures can be cracked more quickly under this quantum differential attack.