Attack on Six Rounds of CRYPTON
In this paper we present an attack on a reduced round version of Crypton. The attack is based on the dedicated Square attack. We explain why the attack also works on Crypton and prove that the entire 256-bit user key for 6 rounds of Crypton can be recovered with a complexity of 256 encryptions, whereas for Srypton 272 encryptions are required to recover the 128-bit user key.
- 1.J. Borst, “Weak keys of Crypton,” technical comment submitted to NIST.Google Scholar
- 2.J. Daemen, L. Knudsen and V. Rijmen, “The block cipher Square,” Fast Software Encryption, LNCS 1267, E. Biham, Ed., Springer-Verlag, 1997, pp. 149–165.Google Scholar
- 3.Lim, “CRYPTON: A New 128-bit Block Cipher,” available from .Google Scholar
- 4.Lim, “Specification and Analysis of Crypton Version 1.0,” FSE’ 99, these proceedings.Google Scholar
- 6.S. Vaudenay, “Weak keys in Crypton,” announcement on NIST’s electronic AES forum, cf. .Google Scholar