We present a new type of differential that is particularly suited to analyzing ciphers that use modular multiplication as a primitive operation. These differentials are partially inspired by the differential used to break Nimbus, and we generalize that result. We use these differentials to break the MultiSwap cipher that is part of the Microsoft Digital Rights Management subsystem, to derive a complementation property in the xmx cipher using the recommended modulus, and to mount a weak key attack on the xmx cipher for many other moduli. We also present weak key attacks on several variants of IDEA. We conclude that cipher designers may have placed too much faith in multiplication as a mixing operator, and that it should be combined with at least two other incompatible group operations.
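The abstract's thesis can be checked numerically. A multiplicative difference is a pair of inputs (x, δ·x mod n); multiplication by an unknown key k maps it to (kx, δ·kx), so the difference passes with probability 1 for every key and every modulus, while addition and XOR let it through only for particular keys or with a key-dependent probability. The following Python script is an added example (not code from the paper or from any of the ciphers it names) that enumerates every input and key for a toy 8-bit word and the simplest multiplicative difference, negation (δ = −1); the word size, the choice of δ and the function names are assumptions made here for illustration.

```python
"""Exhaustive propagation check for a multiplicative difference (x, delta*x mod n)
through the three keyed primitives used by multiplication-based ciphers.
Added example with a toy 8-bit word size (assumption); real ciphers use 16- to
64-bit words, but the algebra does not depend on the size."""

from typing import Callable, Dict, List

N_BITS = 8
N = 1 << N_BITS


def operations(n: int) -> Dict[str, Callable[[int, int], int]]:
    """The three keyed primitives: multiplication mod n, addition mod n, XOR."""
    return {
        "mul": lambda x, k: (x * k) % n,
        "add": lambda x, k: (x + k) % n,
        "xor": lambda x, k: x ^ k,
    }


def survives(op: Callable[[int, int], int], x: int, k: int, delta: int, n: int) -> bool:
    """True if the pair (x, delta*x) is mapped by op(., k) to a pair that is again
    a multiplicative pair with the same delta, i.e. op(delta*x, k) == delta*op(x, k)."""
    return op((delta * x) % n, k) == (delta * op(x, k)) % n


def survival_counts(n_bits: int, delta: int) -> Dict[str, int]:
    """Number of (x, k) pairs, out of n*n, for which the difference survives each op."""
    n = 1 << n_bits
    delta %= n
    ops = operations(n)
    counts = {name: 0 for name in ops}
    for x in range(n):
        for k in range(n):
            for name, op in ops.items():
                if survives(op, x, k, delta, n):
                    counts[name] += 1
    return counts


def survival_probabilities(n_bits: int, delta: int) -> Dict[str, float]:
    """Fraction of (x, k) pairs for which the difference survives each op."""
    n = 1 << n_bits
    return {name: c / (n * n) for name, c in survival_counts(n_bits, delta).items()}


def weak_keys(n_bits: int, delta: int) -> Dict[str, List[int]]:
    """Keys k for which the difference survives for every input x (probability 1).
    Such keys are what a weak-key attack on an operation exploits."""
    n = 1 << n_bits
    delta %= n
    return {
        name: [k for k in range(n) if all(survives(op, x, k, delta, n) for x in range(n))]
        for name, op in operations(n).items()
    }


if __name__ == "__main__":
    # Negation is the simplest multiplicative difference: delta = -1 mod n.
    for name, p in survival_probabilities(N_BITS, -1).items():
        print(f"{name}: negation difference survives with probability {p:.4f}")
    for name, keys in weak_keys(N_BITS, -1).items():
        shown = keys if len(keys) <= 4 else keys[:4] + ["..."]
        print(f"{name}: {len(keys)} weak keys {shown}")
```

Run stand-alone, the script prints the survival probability of the negation difference for each operation and the keys for which it survives every input. Multiplication never destroys the difference, for any key; addition destroys it for all but two keys (0 and 2^7, since −x + k = −(x + k) requires 2k ≡ 0); XOR lets it through for roughly a third of all (x, k) pairs at this word size and has the same two weak keys. That asymmetry is the reason a design that leans on multiplication for mixing needs companion operations whose group structure does not line up with it.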
Keywords: block cipher, modular multiplication, differential pair, round function, differential attack
- 2. Joan Daemen, Rene Govaerts, and Joos Vandewalle. Weak keys for IDEA. In CRYPTO '93, pages 224–231. Springer-Verlag, 1993.
- 3. Joan Daemen, Luc van Linden, Rene Govaerts, and Joos Vandewalle. Propagation properties of multiplication modulo 2^n − 1. In G. H. L. M. Heideman et al., editors, Thirteenth Symposium on Information Theory in the Benelux, pages 111–118. Werkgemeenschap Informatie- en Communicatietheorie, Enschede (NL), 1992.
- 4. Vladimir Furman. Differential cryptanalysis of Nimbus. In Fast Software Encryption (FSE 2001). Springer-Verlag, 2001.
- 5. Carlo Harpes, Gerhard G. Kramer, and James L. Massey. A generalization of linear cryptanalysis and the applicability of Matsui's piling-up lemma. In EUROCRYPT '95. Springer-Verlag, May 1995.
- 6. John Kelsey, Bruce Schneier, and David Wagner. Mod n cryptanalysis, with applications against RC5P and M6. In Fast Software Encryption (FSE '99), pages 139–155. Springer-Verlag, 1999.
- 7. Xuejia Lai, James L. Massey, and Sean Murphy. Markov ciphers and differential cryptanalysis. In EUROCRYPT '91. Springer-Verlag, 1991.
- 8. Alexis Warner Machado. The Nimbus cipher: A proposal for NESSIE. NESSIE proposal, September 2000.
- 9. Mitsuru Matsui. Linear cryptanalysis method for DES cipher. In T. Helleseth, editor, EUROCRYPT '93, LNCS volume 765, pages 386–397. Springer-Verlag, Berlin, 1994.
- 10. Willi Meier. On the security of the IDEA block cipher. In EUROCRYPT '93, pages 371–385. Springer-Verlag, 1994.
- 11. David M'Raihi, David Naccache, Jacques Stern, and Serge Vaudenay. XMX: a firmware-oriented block cipher based on modular multiplications. In Fast Software Encryption (FSE '97). Springer-Verlag, 1997.
- 12. Beale Screamer. Microsoft's digital rights management scheme: technical details. http://cryptome.org/ms-drm.htm, October 2001.