On the Role of Key Schedules in Attacks on Iterated Ciphers

This paper considers iterated ciphers and their resistance against linear and differential cryptanalysis. The theory of these attacks assumes that the round keys of the cipher are independent. Very often, though, the round keys are computed by a key schedule algorithm from a short key in a nonrandom fashion. In this paper it is shown by experiments that ciphers with complex key schedules resist both attacks better than ciphers with more straightforward key schedules. It is well known that, under the assumption of independent round keys, the probabilities of differentials and linear hulls can be modeled by Markov chains, and that for most such ciphers the distribution of these probabilities converges to the uniform distribution after some number of rounds. The presented experiments illustrate that some iterated ciphers with very simple key schedules never reach this uniform distribution. The experiments also show that ciphers with well-designed, complex key schedules reach the uniform distribution faster (using fewer rounds) than ciphers with poorly designed key schedules. As a side result it was found that there exist ciphers for which the differential of highest probability for one fixed key is also the differential of highest probability for every other key. It is believed that this is the first such example provided in the literature.
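The kind of experiment the abstract describes, as an added example that is not the paper's own cipher or code: a constructed 8-bit toy SPN is run with two key schedules (the master key reused in every round, versus independently drawn round keys), the differential distribution for a fixed input difference is measured over keys and plaintexts, and both are compared with the Markov-chain prediction that the theory derives for independent round keys. The S-box, bit permutation, schedules and the L1 distance to uniform are assumptions made for this illustration.

```python
import random

# Constructed toy SPN: 8-bit block, two 4-bit S-boxes, bit permutation, XOR round keys.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
PERM = [(3 * i) % 8 for i in range(8)]  # bit i is moved to position PERM[i]

def round_fn(x, k):
    x ^= k
    x = (SBOX[x >> 4] << 4) | SBOX[x & 0xF]
    return sum(((x >> i) & 1) << PERM[i] for i in range(8))

def encrypt(x, round_keys):
    for k in round_keys:
        x = round_fn(x, k)
    return x

def key_schedule(schedule, master, rounds, rng):
    """'identical': the 8-bit master key is reused in every round (the simplest
    schedule); 'independent': every round key is drawn uniformly at random."""
    return [master] * rounds if schedule == "identical" else [rng.randrange(256) for _ in range(rounds)]

def differential_dist(alpha, rounds, schedule, keys=range(256), seed=1):
    """Pr[E_K(x) ^ E_K(x ^ alpha) = beta] for every beta, averaged over all 256
    plaintexts and over `keys` (a fresh random sample per key for 'independent')."""
    rng, counts = random.Random(seed), [0] * 256
    for master in keys:
        rks = key_schedule(schedule, master, rounds, rng)
        for x in range(256):
            counts[encrypt(x, rks) ^ encrypt(x ^ alpha, rks)] += 1
    return [c / (256 * len(keys)) for c in counts]

def markov_dist(alpha, rounds):
    """Markov-chain prediction (independent round keys): alpha's row of the r-fold
    product of the one-round matrix; one-round DP is key-independent, so key 0 suffices."""
    m = [differential_dist(a, 1, "identical", keys=[0]) for a in range(256)]
    row = m[alpha]
    for _ in range(rounds - 1):
        row = [sum(row[a] * m[a][b] for a in range(256)) for b in range(256)]
    return row

def l1_to_uniform(dist):
    """L1 distance to the uniform distribution over the 255 nonzero output differences."""
    return sum(abs(p - 1 / 255) for p in dist[1:])

if __name__ == "__main__":  # compare how fast each schedule approaches uniform
    for r in (1, 2, 3, 4):
        dists = (differential_dist(1, r, "identical"), differential_dist(1, r, "independent"),
                 markov_dist(1, r))
        print(r, [round(l1_to_uniform(d), 4) for d in dists])
```

Whether the identical-key schedule stalls away from uniform on this toy, as the paper reports for some ciphers, has to be read off the printed distances for each round count; the example demonstrates the measurement, not a prediction about the toy.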
