Differential-linear cryptanalysis and threshold signatures
CTC is a toy cipher designed in order to assess the strength of algebraic attacks. While the structure of CTC is deliberately weak with respect to algebraic attacks, it was claimed by the designers that CTC is secure with respect to statistical attacks, such as differential and linear cryptanalysis. After a linear attack on CTC was presented, the cipher's linear transformation was tweaked to offer more diffusion, and specifically to prevent the existence of 1-bit to 1-bit approximations (and differentials) through the linear transformation. The new cipher was named CTC2, and was analyzed by the designers using algebraic techniques. In this paper we analyze the security of CTC2 with respect to differential and differential-linear attacks. The data complexities of our best attacks on 6-round, 7-round, and 8-round variants of CTC2 are 64, $2^{15}$, and $2^{37}$ chosen plaintexts, respectively, and the time complexities are dominated by the time required to encrypt the data. Our findings show that the diffusion of CTC2 is relatively low, and hence variants of the cipher with a small number of rounds are relatively weak, which may explain (to some extent) the success of the algebraic attacks on these variants.