Journal of Cryptology, Volume 9, Issue 1, pp 21–34

Differential cryptanalysis of Lucifer

  • Ishai Ben-Aroya
  • Eli Biham

Abstract

Differential cryptanalysis was introduced as an approach to analyze the security of DES-like cryptosystems. The first example of a DES-like cryptosystem was Lucifer, the direct predecessor of DES, which is still believed by many people to be much more secure than DES, since it has 128 key bits, and since no attacks against (the full variant of) Lucifer were ever reported in the cryptographic literature. In this paper we introduce a new extension of differential cryptanalysis, devised to extend the class of vulnerable cryptosystems. This new extension suggests key-dependent characteristics, called conditional characteristics, selected to increase the characteristics' probabilities for keys in subsets of the key space. The application of conditional characteristics to Lucifer shows that more than half of the keys of Lucifer are insecure, and the attack requires about 2^36 complexity and chosen plaintexts to find these keys. The same extension can also be used to attack a new variant of DES, called RDES, which was designed to be immune against differential cryptanalysis. These new attacks flash new light on the design of DES, and show that the transition of Lucifer to DES strengthened the later cryptosystem.

Keywords

Differential cryptanalysis, Lucifer, RDES

Copyright information

© International Association for Cryptologic Research 1996

Authors and Affiliations

  • Ishai Ben-Aroya (1)
  • Eli Biham (1)
  1. Computer Science Department, Technion-Israel Institute of Technology, Haifa, Israel
