The Twofish encryption algorithm: a 128-bit block cipher
The combination of modular addition (+) and exclusive-or (⊕) is one of the most widely used symmetric-cipher components. This paper investigates the strength of modular addition against differential cryptanalysis (DC) where the differences of inputs and outputs are expressed as XOR. In particular, we solve two very frequently used equations, (1) and (2), known as the differential equations of addition (DEA), with a set of batch queries (all queries are fixed before any answer is seen, as opposed to adaptive queries, where each query may depend on earlier answers). In a companion paper, presented at ACISP'05, we improved the algorithm of Muller (FSE'04) to design optimal algorithms that solve the equations with adaptive queries; a nontrivial solution with batch queries, however, had remained open. The major contributions of this paper are (i) the determination of lower bounds on the number of batch queries required to solve the equations and (ii) the design of two algorithms that solve them with a number of queries close to optimal. Our algorithms require $2^{n-2}$ and 6 queries to solve (1) and (2), where the lower bounds are (theoretically proved) and 4 (based on extensive experiments) respectively (n is the bit-length of x, y, α, β, γ). This exponential lower bound is an important theoretical benchmark which certifies (1) as strong against DC. On the other hand, the constant number of batch queries needed to solve (2) exposes a major weakness of modular addition against DC. Muller, at FSE'04, showed a key-recovery attack on the Helix stream cipher (presented at FSE'03) with $2^{12}$ adaptive chosen plaintexts (ACP). At ACISP 2005, we improved the data complexity of the attack to $2^{10.41}$. However, the complexity of the attack with chosen plaintexts (CP) was unknown. Using our results, we recover the secret key of the Helix cipher with only $2^{35.64}$ chosen plaintexts (CP), which is so far the only CP attack on this cipher (under the same assumption as that of Muller's attack). Considering the abundant use of this component, the results should be useful for evaluating the security of many block ciphers against DC.
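The following Python script is an added illustration of what "solving a DEA with batch queries" means; it is not code from the paper or from its authors. The page cites the two equations only by number, so the script writes them out in the form used in the Paul-Preneel papers: (1) (x+y) ⊕ ((x⊕α)+(y⊕β)) = γ and (2) (x+y) ⊕ (x+(y⊕β)) = γ. Everything else is this example's own choice: the toy word size n = 4, the constructed secret (x, y), and a greedy, exhaustive-search construction of a non-adaptive batch that separates every pair of (x, y) the full query set can separate. That greedy search is not the paper's algorithm and only scales to tiny n, but it makes two points of the abstract concrete: each query of either kind partitions the secret space, a batch is fixed before any answer is seen, and the solution set is never a single pair, because flipping the top bit of x or of y is invisible to both equations.

```python
"""Added example (not code from the paper): solving the differential equations of
addition (DEA) with a batch of queries, by exhaustive search for a tiny word size n.

The page refers to the two equations only by number; written out as in the
Paul-Preneel papers they are

    (1)  (x + y) ^ ((x ^ alpha) + (y ^ beta)) = gamma
    (2)  (x + y) ^ (x + (y ^ beta))           = gamma

where + is addition mod 2^n, x and y are secret, the attacker chooses the input
XOR differences alpha/beta and observes the output XOR difference gamma.
Solving the equation means recovering every (x, y) consistent with the gammas
observed.  The greedy batch construction below is this example's own, not the
paper's algorithm, and only scales to toy n.
"""
from itertools import product


def dea1(x, y, alpha, beta, n):
    """Oracle for equation (1) over n-bit words."""
    mask = (1 << n) - 1
    return ((x + y) & mask) ^ (((x ^ alpha) + (y ^ beta)) & mask)


def dea2(x, y, beta, n):
    """Oracle for equation (2): only y receives a difference."""
    mask = (1 << n) - 1
    return ((x + y) & mask) ^ ((x + (y ^ beta)) & mask)


def all_queries(eqn, n):
    """Every query available to the attacker: (alpha, beta) for (1), (beta,) for (2)."""
    if eqn is dea1:
        return list(product(range(1 << n), repeat=2))
    return [(b,) for b in range(1 << n)]


def answer_table(eqn, n, queries):
    """table[q] = gammas for every (x, y), in the same order as `pairs`."""
    pairs = list(product(range(1 << n), repeat=2))
    return pairs, {q: tuple(eqn(x, y, *q, n) for x, y in pairs) for q in queries}


def class_count(table, batch):
    """How many groups of (x, y) answer the whole batch identically.
    Pairs in one group cannot be told apart by that batch."""
    if not batch:
        return 1
    return len(set(zip(*(table[q] for q in batch))))


def greedy_batch(eqn, n):
    """Build a non-adaptive batch: every query is fixed before any answer is seen.
    Greedily add the query that splits the still-undistinguished pairs into the
    most groups, until the batch separates everything the full query set can.
    Returns the batch and the number of distinguishable groups."""
    universe = all_queries(eqn, n)
    _, table = answer_table(eqn, n, universe)
    goal = class_count(table, universe)
    batch = []
    while class_count(table, batch) < goal:
        batch.append(max(universe, key=lambda q: class_count(table, batch + [q])))
    return batch, goal


def solve(eqn, n, batch, gammas):
    """The solution set: all (x, y) whose answers to `batch` are exactly `gammas`."""
    return {(x, y) for x, y in product(range(1 << n), repeat=2)
            if all(eqn(x, y, *q, n) == g for q, g in zip(batch, gammas))}


def top_bit_twins(x, y, n):
    """Four pairs no query of either kind can separate: flipping the top bit of x
    or of y adds 2^(n-1) mod 2^n to both sums in the equation, and the XOR that
    forms gamma cancels that.  Every solution set is a union of such quadruples."""
    t = 1 << (n - 1)
    return {(x, y), (x ^ t, y), (x, y ^ t), (x ^ t, y ^ t)}


if __name__ == "__main__":
    n = 4
    secret = (0b1011, 0b0110)  # constructed toy secret, not from the paper
    for name, eqn in (("(2)", dea2), ("(1)", dea1)):
        batch, groups = greedy_batch(eqn, n)
        gammas = [eqn(*secret, *q, n) for q in batch]   # the attacker's observations
        sols = solve(eqn, n, batch, gammas)
        print(f"equation {name}, n={n}: a batch of {len(batch)} of "
              f"{len(all_queries(eqn, n))} possible queries already distinguishes "
              f"{groups} groups; {len(sols)} solutions for secret {secret}: {sorted(sols)}")
```

The script brute-forces all $2^{2n}$ pairs, so it says nothing about the paper's $2^{n-2}$ versus 6 query counts for general n; its value is in showing the shape of the problem (oracle, batch, solution set) and the inherent ambiguity that any solver, including the paper's, must return as a set rather than a single (x, y).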