Document information: 256 pages, 1.41 MB.
Analysis of Linear Relationships in Block Ciphers
by Muhammad Reza Z'aba
Bachelor of Science (Computer) (Universiti Teknologi Malaysia), 2004
Thesis submitted in accordance with the regulations for the Degree of Doctor of Philosophy
Information Security Institute, Faculty of Science and Technology, Queensland University of Technology
May 7, 2010

Keywords
Block cipher, stream cipher, symmetric cipher, linear transformation, diffusion, cryptanalysis, fixed points, round function, key scheduling algorithm, integral attack, bit-pattern, algebraic analysis, system of equations, branch number, AES, ARIA, LEX, BES, Noekeon, PRESENT, Serpent, SMS4

Abstract
This thesis is devoted to the study of linear relationships in symmetric block ciphers. A block cipher is designed so that the ciphertext is produced as a nonlinear function of the plaintext and secret master key. However, linear relationships within the cipher can still exist if the texts and components of the cipher are manipulated in a number of ways, as shown in this thesis. There are four main contributions of this thesis.

The first contribution is the extension of the applicability of integral attacks from word-based to bit-based block ciphers. Integral attacks exploit the linear relationship between texts at intermediate stages of encryption. This relationship can be used to recover subkey bits in a key recovery attack. In principle, integral attacks can be applied to bit-based block ciphers. However, specific tools to define the attack on these ciphers are not available. This problem is addressed in this thesis by introducing a refined set of notations to describe the attack. The bit-pattern-based integral attack is successfully demonstrated on reduced-round variants of the block ciphers Noekeon, Present and Serpent.

The second contribution is the discovery of a very small system of equations that describe the LEX-AES stream cipher. LEX-AES is based heavily on the 128-bit-key (16-byte) Advanced Encryption Standard (AES) block cipher. In one instance, the system contains 21 equations and 17 unknown bytes. This is very close to the upper limit for an exhaustive key search, which is 16 bytes. One only needs to acquire 36 bytes of keystream to generate the equations. Therefore, the security of this cipher depends on the difficulty of solving this small system of equations.

The third contribution is the proposal of an alternative method to measure diffusion in the linear transformation of Substitution-Permutation-Network (SPN) block ciphers. Currently, the branch number is widely used for this purpose. It is useful for estimating the possible success of differential and linear attacks on a particular SPN cipher. However, the measure does not give information on the number of input bits that are left unchanged by the transformation when producing the output bits. The new measure introduced in this thesis is intended to complement the current branch number technique. The measure is based on fixed points and simple linear relationships between the input and output words of the linear transformation. The measure represents the average fraction of input words to a linear diffusion transformation that are not effectively changed by the transformation. This measure is applied to the block ciphers AES, ARIA, Serpent and Present. It is shown that, except for Serpent, the linear transformations used in the block ciphers examined do not behave as expected for a random linear transformation.

The fourth contribution is the identification of linear paths in the nonlinear round function of the SMS4 block cipher. The SMS4 block cipher is used as a standard in the Chinese Wireless LAN Wired Authentication and Privacy Infrastructure (WAPI) and hence, the round function should exhibit a high level of nonlinearity. However, the findings in this thesis on the existence of linear relationships show that this is not the case. It is shown that in some exceptional cases, the first four rounds of SMS4 are effectively linear. In these cases, the effective number of rounds for SMS4 is reduced by four, from 32 to 28. The findings raise questions about the security provided by SMS4, and might provide clues on the existence of a flaw in the design of the cipher.

Contents

Front Matter
  Keywords
  Abstract
  Table of Contents
  List of Figures
  List of Tables
  List of Algorithms
  Declaration
  Previously Published Material
  Acknowledgements

1 Introduction
  1.1 Linearity in Block Ciphers
  1.2 Aims and Contributions
  1.3 Outline of Thesis

2 Symmetric Ciphers
  2.1 Overview of Symmetric Ciphers
    2.1.1 Notation
    2.1.2 Block Cipher
      Substitution-Permutation-Network
      Feistel Network
      Modes of Operation
    2.1.3 Stream Cipher
  2.2 Basics of Block Cipher Cryptanalysis
    2.2.1 Threat Model
    2.2.2 Generic Attack Model
      Distinguishing Phase
      Key Recovery Phase
    2.2.3 Attack Complexities
  2.3 Existing Cryptanalysis Techniques
    2.3.1 Linear Cryptanalysis
    2.3.2 Differential Cryptanalysis
    2.3.3 Truncated and Higher-Order Differentials
    2.3.4 Impossible Differentials
    2.3.5 Boomerang and Rectangle Attacks
    2.3.6 Integral Attack
      Integral Properties
      Tracing the Words using Properties
      Distinguishing Phase
      Key Recovery Phase
      Application to the AES
    2.3.7 Slide Attack
    2.3.8 Related-Key Attacks
    2.3.9 Algebraic Cryptanalysis
  2.4 Analyzed Block Ciphers
    2.4.1 AES
      Encryption Algorithm
      Key Scheduling Algorithm
      Previous Cryptanalysis
    2.4.2 ARIA
      Previous Cryptanalysis
    2.4.3 Noekeon
      Previous Cryptanalysis
    2.4.4 Serpent
      Previous Cryptanalysis
    2.4.5 PRESENT
      Previous Cryptanalysis
    2.4.6 SMS4
      Encryption Algorithm
      Key Scheduling Algorithm
      Previous Cryptanalysis
    2.4.7 LEX-AES
      Initialization
      Keystream Generation
      Previous Cryptanalysis
  2.5 Summary and Conclusion

3 Integral Attack on Bit-Based Block Ciphers
  3.1 Bit-Pattern-Based Integral Attack
    3.1.1 The Bit-Pattern-Based Notations
    3.1.2 Tracing the Bit Patterns
      Linear Transformation
      Nonlinear Transformation
    3.1.3 The Generic Attack
      Distinguishing Phase
      Key Recovery Phase
      Attack Extensions
  3.2 Applications
    3.2.1 Noekeon
      3.5-round Distinguisher
      4-round Key Recovery Attack
      5-round Key Recovery Attack
    3.2.2 Serpent
      3.5-round Distinguisher
      4-round Key Recovery Attack
      5-round Key Recovery Attack
      6-round Key Recovery Attack
    3.2.3 PRESENT
      3.5-round Distinguisher
      4-round Key Recovery Attack
      5-round Key Recovery Attack
      6-round Key Recovery Attack
      7-round Key Recovery Attack
  3.3 Experimental Results
    3.3.1 Format of Experiments
    3.3.2 Discussion of Results
  3.4 Discussion
  3.5 Related Work
  3.6 Summary and Conclusion

4 Algebraic Analysis of LEX-AES
  4.1 Preliminaries
  4.2 Forming Equations to Describe LEX-AES
    4.2.1 Keystream Generation Equations
    4.2.2 Key Schedule Equations
    4.2.3 Additional Substitutions
    4.2.4 The Final System of Equations
    4.2.5 Solving the Equations
    4.2.6 Alternative Methods for Obtaining Equations
  4.3 Forming Equations in Small Scale Variants of LEX-BES
    4.3.1 BES
      Encryption Algorithm
      Key Scheduling Algorithm
    4.3.2 LEX-BES
      Initialization
      Keystream Generation
      Equation System for LEX-BES
    4.3.3 Small Scale LEX-BES
      Equation System for Small Scale LEX-BES
    4.3.4 Experimental Results
  4.4 Discussion
  4.5 Summary and Conclusion

5 Diffusion in the Linear Transformations of SPN Block Ciphers
  5.1 Preliminaries
    5.1.1 Fixed Points in Random Permutations
    5.1.2 Fixed Points in Linear Transformations
      Rank of Random Matrices
      Rank of Matrices of the Type A − I
    5.1.3 Linear Diffusion Transformations using Nonsingular Matrices
  5.2 Measure of Diffusion Based on Fixed Points
  5.3 Applications
    5.3.1 AES
of Lecture Notes in Computer Science, pages 15–27 Springer-Verlag, 2007 [187] Wentao Zhang, Lei Zhang, Wenling Wu, and Dengguo Feng RelatedKey Differential-Linear Attacks on Reduced AES-192 In K Srinathan, C Pandu Rangan, and Moti Yung, editors, Progress in Cryptology – INDOCRYPT 2007, 8th International Conference on Cryptology in India, volume 4859 of Lecture Notes in Computer Science, pages 73–85 SpringerVerlag, 2007 ... is to investigate linear relationships in block ciphers The existence of nonlinear components in the round function of block ciphers does not necessarily eliminate the linear relationships in these... thesis investigates linear relationships in block ciphers The investigation includes the analysis of block cipher components used in stream ciphers The output of a block cipher is a nonlinear... certain ways Furthermore, for particular inputs, the nonlinear components will also be shown to exhibit some linear behaviour 1.1 Linearity in Block Ciphers Linearity exists in block ciphers mainly