Lecture 16

Modern Methods of Cryptanalysis. AES candidates


1. We have finished slide attacks by showing the complementary slide and sliding with a twist techniques. We have seen slide attacks on 2K- and 4K-Feistel schemes, and on the DESX and Even-Mansour schemes (see references below).

2. We have seen differential-linear cryptanalysis of 8-round DES.
This attack uses a 3-round truncated differential which preserves zero difference in 36 output bits at the input to the 4th round. Among these are the input bits of the best 3-round linear approximation. Thus we cover 8 rounds of DES with a 3-round differential, a 3-round linear approximation, and two rounds of key guessing (the 1st and the last). Since we are working with pairs, the bias of the 3-round approximation is squared (write the 3-round approximation for each of the two plaintexts of a pair and combine them, canceling out the common input terms), and thus the attack works as long as p^{-4} is small. The gain is the 3 differential rounds that we add to the linear pattern.
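The pair-combination step described above, written out as an added worked derivation that is not part of the original lecture notes; the masks $\lambda_X, \lambda_Y, \lambda_K$ are my notation, $X$ and $Y$ denote the input to round 4 and the output of round 6, and the page's $p$ is read as the bias of the 3-round linear approximation:

```latex
% 3-round linear approximation on rounds 4-6, holding with probability 1/2 + p:
\lambda_X \cdot X \oplus \lambda_Y \cdot Y = \lambda_K \cdot K

% For a pair (P, P^*) that follows the 3-round truncated differential, the
% 36 bits of X \oplus X^* are zero and \lambda_X is supported only on those
% bits, so the input terms of the two approximations coincide:
\lambda_X \cdot X = \lambda_X \cdot X^*

% Write the approximation for both texts of the pair and XOR them:
(\lambda_X \cdot X \oplus \lambda_Y \cdot Y) \oplus (\lambda_X \cdot X^* \oplus \lambda_Y \cdot Y^*)
  = \lambda_K \cdot K \oplus \lambda_K \cdot K = 0

% The common input term and the key term cancel, leaving a key-independent
% relation on the output difference of rounds 4-6:
\lambda_Y \cdot (Y \oplus Y^*) = 0

% Each of the two approximations holds with bias p; treating them as
% independent (piling-up lemma), their XOR holds with probability
\tfrac{1}{2} + 2p^2

% so the combined 6-round pattern has bias 2p^2, and the number of pairs
% needed to detect it is proportional to (2p^2)^{-2} = p^{-4}/4, i.e. O(p^{-4}).
```

If the truncated differential held only with probability q < 1 rather than 1, pairs that do not follow it would contribute no bias and the combined bias would drop to about 2 q p^2, which is why a high-probability truncated differential is the attractive front end for the linear part.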

3. We have seen descriptions of RC4, RC5, IDEA, Serpent, and Rijndael.
 

Reading for the lecture

1. A. Biryukov, D. Wagner, Advanced Slide Attacks, Proceedings of Eurocrypt 2000, 2000.
[extension of earlier paper, with complementation and twist ideas. Attacks on various constructions.]

2. S. Even and Y. Mansour, A Construction of a Cipher From a Single Pseudorandom Permutation, Journal of Cryptology 10:151-161 (1997).

[this paper studies Shannon's construction SimpleCipher-FixedMixingTransform-SimpleCipher in order to show that a complex key schedule is not necessary.]

3. J. Kilian and P. Rogaway, How to Protect DES Against Exhaustive Key Search, Advances in Cryptology - CRYPTO '96, Lecture Notes in Computer Science, Vol. 1109, N. Koblitz, ed., Springer-Verlag, 1996, pp. 252-267.

[this paper discusses the security of DESX in a black-box model, and gives security proofs in the style of Even-Mansour]

4. S. K. Langford, M. E. Hellman, Differential-Linear Cryptanalysis. PhD thesis [on-line].
[detailed description of differential, linear and combined differential-linear attacks]