Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA

  • John Kelsey
  • Bruce Schneier
  • David Wagner
Session 8: Block Ciphers
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1334)


We present new related-key attacks on the block ciphers 3WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. Differential related-key attacks allow both keys and plaintexts to be chosen with specific differences [KSW96]. Our attacks build on the original work, showing how to adapt the general attack to deal with the difficulties of the individual algorithms. We also give specific design principles to protect against these attacks.




  1. [Ada94]
    C. Adams, “Simple and Effective Key Scheduling for Symmetric Ciphers,” Workshop on Selected Areas in Cryptography: SAC '94, 1994, pp 129–133.
  2. [Ada97]
    C. Adams, “Constructing Symmetric Ciphers Using the CAST Design Procedure,” Designs, Codes and Cryptography, v 12, n 3, 1997, to appear.
  3. [BB93]
    I. Ben-Aroya and E. Biham, “Differential Cryptanalysis of Lucifer,” Advances in Cryptology-CRYPTO '93, Springer-Verlag, 1994, pp. 187–199.
  4. [Ber97]
    D. Bernstein, personal communication, 1997.
  5. [Bih94]
    E. Biham, “New Types of Cryptanalytic Attacks Using Related Keys,” Advances in Cryptology-EUROCRYPT '93, Springer-Verlag, 1994, pp. 398–409.
  6. [BB94]
    E. Biham and A. Biryukov, “How to Strengthen DES Using Existing Hardware,” Advances in Cryptology-ASIACRYPT '94, Springer-Verlag, pp. 398–412.
  7. [BS93]
    E. Biham and A. Shamir, “Differential Cryptanalysis of the Full 16-round DES,” Advances in Cryptology-CRYPTO '92, Springer-Verlag 1993, pp. 487–496.
  8. [Dae91]
    J. Daemen, “Limitations of the Even-Mansour Construction,” Advances in Cryptology-ASIACRYPT '91, Springer-Verlag, 1992, pp. 495–498.
  9. [Dae94]
    J. Daemen, “A New Approach to Block Cipher Design,” Fast Software Encryption, Cambridge Security Workshop Proceedings, Springer-Verlag, 1994, pp. 18–32.
  10. [DK96]
    I.B. Damgard and L.R. Knudsen, “Multiple Encryption with Minimum Key,” Cryptography: Policy and Algorithms, Springer-Verlag, 1996, pp. 156–164.
  11. [DH79]
    W. Diffie and M.E. Hellman, “Privacy and Authentication: An Introduction to Cryptography,” Proceedings of the IEEE, vol 67 no 3, March 1979.
  12. [Fle96]
    R. Fleming, “An attack on a weakened version of TEA,” post to the sci.crypt newsgroup, October 1996.
  13. [GOST89]
    GOST, Gosudarstvennyi Standard 28147-89, “Cryptographic Protection for Data Processing Systems,” Government Committee of the USSR for Standards, 1989.
  14. [KSW96]
    J. Kelsey, B. Schneier, and D. Wagner, “Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES,” Advances in Cryptology-CRYPTO '96, Springer-Verlag, 1996, pp. 237–251.
  15. [KPL93]
    K. Kim, S. Park, and S. Lee, “Reconstruction of s²DES S-Boxes and their Immunity to Differential Cryptanalysis,” Proceedings of the 1993 Japan-Korea Workshop on Information Security and Cryptography, Seoul, Korea, 24–26 October 1993, pp. 282–291.
  16. [Knu93a]
    L.R. Knudsen, “Cryptanalysis of LOKI,” Advances in Cryptology-ASIACRYPT '91, Springer-Verlag, 1993, pp. 22–35.
  17. [Knu93b]
    L.R. Knudsen, “Cryptanalysis of LOKI91,” Advances in Cryptology-AUSCRYPT '92, Springer-Verlag, 1993, pp. 196–208.
  18. [Knu94]
    L.R. Knudsen, “Block Ciphers-Analysis, Design, Applications,” Ph.D. dissertation, Aarhus University, Nov 1994.
  19. [Knu95]
    L.R. Knudsen, “A Key-schedule Weakness in SAFER K-64,” Advances in Cryptology-CRYPTO '95, Springer-Verlag, 1995, pp. 274–286.
  20. [KR96]
    J. Kilian and P. Rogaway, “How to protect DES against exhaustive key search,” Advances in Cryptology-CRYPTO '96, Springer-Verlag, 1996, pp. 252–267.
  21. [LMM91]
    X. Lai, J. Massey, and S. Murphy, “Markov Ciphers and Differential Cryptanalysis,” Advances in Cryptology-CRYPTO '91, Springer-Verlag, 1991, pp. 17–38.
  22. [Mas94]
    J.L. Massey, “SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm,” Fast Software Encryption, Cambridge Security Workshop Proceedings, Springer-Verlag, 1994, pp. 1–17.
  23. [PA90a]
    A. Pfitzmann and R. Aßmann, “Efficient Software Implementations of (Generalized) DES,” Proc. SECURICOM '90, Paris, 1990, pp. 139–158.
  24. [PA90b]
    A. Pfitzmann and R. Aßmann, “More Efficient Software Implementations of (Generalized) DES,” Technical Report PfAb90, Interner Bericht 18/90, Fakultät für Informatik, Universität Karlsruhe, 1990. http://∼sirene/lit/abstr90.html#PfAss-90
  25. [RIPE92]
    Research and Development in Advanced Communication Technologies in Europe, RIPE Integrity Primitives: Final Report of RACE Integrity Primitives Evaluation (R1040), RACE, Jun 1992.
  26. [Riv95]
    R. Rivest, personal communication.
  27. [Riv97]
    R. Rivest, “A Description of the RC2(r) Encryption Algorithm,” Internet-Draft, work in progress, June 1997, /draft-rivest-rc2desc-00.txt
  28. [RC94]
    P. Rogaway and D. Coppersmith, “A Software-Optimized Encryption Algorithm,” Fast Software Encryption, Cambridge Security Workshop Proceedings, Springer-Verlag, 1994, pp. 56–63.
  29. [Sch94]
    B. Schneier, “Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish),” Fast Software Encryption, Cambridge Security Workshop Proceedings, Springer-Verlag, 1994, pp. 191–204.
  30. [Sco85]
    R. Scott, “Wide Open Encryption Design Offers Flexible Implementations,” Cryptologia, v. 9, n. 1, Jan 1985, pp. 75–90.
  31. [Sco96]
    R. Scott, “Revision of NewDES,” personal communication, also posted to the sci.crypt newsgroup on the Internet, May 1996.
  32. [WN95]
    D. Wheeler and R. Needham, “TEA, a Tiny Encryption Algorithm,” Fast Software Encryption, Second International Workshop Proceedings, Springer-Verlag, 1995, pp. 97–110.
  33. [Win84]
    R. Winternitz, “Producing One-Way Hash Functions from DES,” Advances in Cryptology: Proceedings of Crypto 83, Plenum Press, 1984, pp. 203–207.
  34. [WH87]
    R. Winternitz and M. Hellman, “Chosen-key Attacks on a Block Cipher,” Cryptologia, v. 11, n. 1, Jan 1987, pp. 16–20.

Copyright information

© Springer-Verlag 1997

Authors and Affiliations

  • John Kelsey (1)
  • Bruce Schneier (1)
  • David Wagner (2)
  1. Counterpane Systems, USA
  2. U. C. Berkeley, USA
