Cryptanalysis of C2

  • Julia Borghoff
  • Lars R. Knudsen
  • Gregor Leander
  • Krystian Matusiewicz
Conference paper

DOI: 10.1007/978-3-642-03356-8_15

Volume 5677 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Borghoff J., Knudsen L.R., Leander G., Matusiewicz K. (2009) Cryptanalysis of C2. In: Halevi S. (eds) Advances in Cryptology - CRYPTO 2009. Lecture Notes in Computer Science, vol 5677. Springer, Berlin, Heidelberg

Abstract

We present several attacks on the block cipher C2, which is used for encrypting DVD Audio discs and Secure Digital cards. C2 has a 56 bit key and a secret 8 to 8 bit S-box. We show that if the attacker is allowed to choose the key, the S-box can be recovered in 224 C2 encryptions. Attacking the 56 bit key for a known S-box can be done in complexity 248. Finally, a C2 implementation with a 8 to 8 bit secret S-box (equivalent to 2048 secret bits) and a 56 bit secret key can be attacked in 253.5 C2 encryptions on average.

Keywords

block cipher S-box recovery key recovery boomerang attack C2 Cryptomeria 
Download to read the full conference paper text

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Julia Borghoff
    • 1
  • Lars R. Knudsen
    • 1
  • Gregor Leander
    • 1
  • Krystian Matusiewicz
    • 1
  1. 1.DTU MathematicsTechnical University of DenmarkDenmark