Journal of Cryptology, Volume 23, Issue 4, pp 505–518

Structural Cryptanalysis of SASAS

  • Alex Biryukov
  • Adi Shamir

Abstract

In this paper we consider the security of block ciphers which contain alternate layers of invertible S-boxes and affine mappings (there are many popular cryptosystems which use this structure, including the winner of the AES competition, Rijndael). We show that a five-layer scheme with 128-bit plaintexts and 8-bit S-boxes is surprisingly weak against what we call a multiset attack, even when all the S-boxes and affine mappings are key dependent (and thus completely unknown to the attacker). We tested the multiset attack with an actual implementation, which required just 2^16 chosen plaintexts and a few seconds on a single PC to find the 2^17 bits of information in all the unknown elements of the scheme.
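The five-layer S A S A S structure and the multiset property the attack rests on, as an added, scaled-down Python example that is not code from the paper: a 16-bit block of four secret 4-bit S-boxes per layer with two secret affine layers (the paper's scheme uses 128-bit blocks and 8-bit S-boxes). It encrypts saturated multisets and records the GF(2) equations an attacker can write on the unknown inverse of the last S-box layer; all function names (`keygen`, `equations`, `inverse_bit_functions`, ...) are mine.

```python
# Toy SASAS: 16-bit block = four 4-bit S-boxes; constructed, scaled-down stand-in
# for the paper's 128-bit block / 8-bit S-box scheme. All five layers are secret.
import random
from functools import reduce
from operator import xor

NB, W = 4, 4                      # S-boxes per layer, bits per S-box
N, MASK = NB * W, (1 << W) - 1    # block bits, S-box mask

def gf2_rank(rows):               # rank over GF(2); rows are int bitmasks
    basis = []                    # echelon basis with distinct leading bits
    for v in rows:
        for b in basis:
            v = min(v, v ^ b)     # clears b's leading bit from v if it is set
        if v: basis.append(v)
    return len(basis)

def keygen(seed):                 # three random S-boxes, two random invertible affine maps
    rng = random.Random(seed)
    sbox = lambda: rng.sample(range(1 << W), 1 << W)
    def affine():                 # (row masks of an invertible GF(2) matrix, constant)
        while True:
            rows = [rng.getrandbits(N) for _ in range(N)]
            if gf2_rank(rows) == N:
                return rows, rng.getrandbits(N)
    return sbox(), affine(), sbox(), affine(), sbox()

def encrypt(x, key):
    s1, a1, s2, a2, s3 = key
    S = lambda x, s: sum(s[(x >> W*i) & MASK] << W*i for i in range(NB))
    A = lambda x, a: sum((bin(r & x).count("1") & 1) << i for i, r in enumerate(a[0])) ^ a[1]
    return S(A(S(A(S(x, s1), a1), s2), a2), s3)

def multiset(pos, const):         # 2^W chosen plaintexts: nibble `pos` saturated, rest fixed
    return [(const & ~(MASK << W*pos)) | (v << W*pos) for v in range(1 << W)]
def equations(key, n_sets, seed=1):
    """Attacker's view: after S1 A1 S2 each nibble is a balanced multiset and A2 keeps
    it so, hence the XOR of S3's inputs is 0 per nibble.  With f = S3^-1 this reads
    XOR over the multiset of f(ciphertext nibble) = 0: one GF(2) equation in the 16
    unknowns f(v), row bit v set iff value v occurs an odd number of times."""
    rng, rows = random.Random(seed), []
    for _ in range(n_sets):
        cts = [encrypt(p, key) for p in multiset(rng.randrange(NB), rng.getrandbits(N))]
        rows += [reduce(xor, (1 << ((c >> W*i) & MASK) for c in cts)) for i in range(NB)]
    return rows

def inverse_bit_functions(key):   # bit j of the secret S3^-1 as a 16-entry truth table
    inv = {y: v for v, y in enumerate(key[4])}
    return [sum(((inv[v] >> j) & 1) << v for v in range(1 << W)) for j in range(W)]
```

Every bit function of the true S3^-1 satisfies every row, and so does any affine image of S3^-1, so at least W+1 = 5 dimensions of freedom remain however many multisets are used; that is why the attack recovers the outer S-box layer only up to affine equivalence, which is enough to strip it.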

Key words

Cryptanalysis, Structural cryptanalysis, Multiset attack, Block ciphers, Substitution permutation networks, Substitution affine networks, Rijndael, AES

Copyright information

© International Association for Cryptologic Research 2010

Authors and Affiliations

  1. University of Luxembourg, FSTC, Luxembourg-Kirchberg, Luxembourg
  2. Computer Science Department, The Weizmann Institute, Rehovot, Israel
