Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES

  • John Kelsey
  • Bruce Schneier
  • David Wagner
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1109)

Abstract

We present new attacks on key schedules of block ciphers. These attacks are based on the principles of related-key differential cryptanalysis: attacks that allow both keys and plaintexts to be chosen with specific differences. We show how these attacks can be exploited in actual protocols and cryptanalyze the key schedules of a variety of algorithms, including three-key triple-DES.


Copyright information

© Springer-Verlag Berlin Heidelberg 1996

Authors and Affiliations

  • John Kelsey (1)
  • Bruce Schneier (1)
  • David Wagner (2)
  1. Counterpane Systems, Minneapolis
  2. C.S. Div., Soda Hall, U.C. Berkeley, Berkeley
