On Non-Pseudorandomness from Block Ciphers with Provable Immunity Against Linear Cryptanalysis (Special Section on Cryptography and Information Security)

Abstract: A weakness of a block cipher that has provable immunity against linear cryptanalysis is investigated. To this end, the round transformation used in MISTY, a data encryption algorithm recently proposed by M. Matsui of Mitsubishi Electric Corporation, is compared with the round transformation of DES from the point of view of pseudorandom generation. An important property of the MISTY cipher is that, in terms of theoretically provable resistance against linear and differential cryptanalysis, the most powerful cryptanalytic attacks known to date, it is more robust than the Data Encryption Standard (DES). This property can be attributed to the application of a new round transform in the MISTY cipher, obtained by changing the location of the basic round function in the transform used in DES. The cryptographic roles of the transform used in the MISTY cipher are the main focus of this paper. Our research reveals that, when used for constructing pseudorandom permutations, the transform employed by the MISTY cipher is inferior to the transform in DES, even though the former is superior to the latter in terms of strength against linear and differential attacks. More specifically, we show that a 3-round (respectively, 4-round) concatenation of the transforms used in the MISTY cipher is not a pseudorandom (respectively, super pseudorandom) permutation. For comparison, we note that with three (respectively, four) rounds, the transforms used in DES yield a pseudorandom (respectively, super pseudorandom) permutation. Another contribution of this paper is to show that a 3-round concatenation of the transforms used in (the preliminary version of) the MISTY cipher has an algebraic property that may open the door to various cryptanalytic attacks.
These results clearly indicate that provable immunity against linear and differential cryptanalysis is not adequate for designing a secure block cipher, and the security of the MISTY cipher will remain open until its resistance to cryptanalytic attacks other than the linear and differential attacks has been closely examined.
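The abstract's claim can be checked concretely. The following is an added worked example written by the editor; it is not code from the paper or from Mitsubishi's MISTY implementation. It models a DES-type (Feistel) round as (L, R) -> (R, L ^ f(R)) and a MISTY-type round as (L, R) -> (R, f(L) ^ R), where f must be a permutation for the MISTY round to be invertible, with independent random round functions so that the cascades are the idealised constructions the abstract compares. It then runs a four-query chosen-plaintext test that always succeeds against three MISTY-type rounds, and a chosen-ciphertext test (three encryptions plus one decryption) that always succeeds against four MISTY-type rounds, and shows that both tests fail against the corresponding DES-type cascades and against a truly random permutation. The half-block width N = 16 and the specific chosen-ciphertext test are the editor's assumptions and derivation, not necessarily the paper's own distinguishers.

```python
import random

N = 16                     # half-block width in bits (assumption for the demo)
MASK = (1 << N) - 1

def random_permutation(rng):
    """Constructed random permutation on N bits, returned with its inverse."""
    table = list(range(1 << N))
    rng.shuffle(table)
    inverse = [0] * (1 << N)
    for x, y in enumerate(table):
        inverse[y] = x
    return table.__getitem__, inverse.__getitem__

class Misty:
    """r-round MISTY-type cascade: (L, R) -> (R, f(L) ^ R); f must be bijective."""
    def __init__(self, rounds, rng):
        self.rounds = [random_permutation(rng) for _ in range(rounds)]
    def encrypt(self, L, R):
        for f, _ in self.rounds:
            L, R = R, f(L) ^ R
        return L, R
    def decrypt(self, L, R):
        for _, f_inv in reversed(self.rounds):
            L, R = f_inv(R ^ L), L          # f(L_in) = R_out ^ L_out
        return L, R

class Feistel:
    """r-round DES-type cascade: (L, R) -> (R, L ^ f(R)); any f will do."""
    def __init__(self, rounds, rng):
        self.rounds = [random_permutation(rng)[0] for _ in range(rounds)]
    def encrypt(self, L, R):
        for f in self.rounds:
            L, R = R, L ^ f(R)
        return L, R
    def decrypt(self, L, R):
        for f in reversed(self.rounds):
            L, R = R ^ f(L), L
        return L, R

class RandomPermutation:
    """Lazily sampled random permutation of 2N-bit blocks: the ideal object."""
    def __init__(self, rng):
        self.rng, self.fwd, self.bwd = rng, {}, {}
    def _map(self, src, dst, L, R):
        x = (L << N) | R
        if x not in src:
            y = self.rng.getrandbits(2 * N)
            while y in dst:                 # keep the table a bijection
                y = self.rng.getrandbits(2 * N)
            src[x], dst[y] = y, x
        return src[x] >> N, src[x] & MASK
    def encrypt(self, L, R):
        return self._map(self.fwd, self.bwd, L, R)
    def decrypt(self, L, R):
        return self._map(self.bwd, self.fwd, L, R)

def cpa_distinguish_3_rounds(oracle, rng):
    """Four chosen plaintexts.  After three MISTY rounds the left output half
    is f1(L) ^ f2(R) ^ R, so over the square {L1,L2} x {R1,R2} the four left
    halves XOR to zero; a random permutation manages that w.p. about 2^-N."""
    L1, R1 = rng.getrandbits(N), rng.getrandbits(N)
    L2, R2 = (L1 + 1) & MASK, (R1 + 1) & MASK   # guaranteed distinct
    acc = 0
    for L in (L1, L2):
        for R in (R1, R2):
            acc ^= oracle.encrypt(L, R)[0]
    return acc == 0

def cca_distinguish_4_rounds(oracle, rng):
    """Three encryptions and one decryption (the editor's derivation, not the
    paper's).  Four MISTY rounds give X ^ Y = f4(A), A = f1(L) ^ f2(R) ^ R.
    Decrypting (X ^ d, Y ^ d) preserves A and yields a new plaintext (L', R');
    as A is an L-term XOR an R-term, A(L', R1) == A(L1, R'), so the last two
    encryptions agree on X ^ Y.  A random permutation agrees w.p. about 2^-N."""
    L1, R1 = rng.getrandbits(N), rng.getrandbits(N)
    X1, Y1 = oracle.encrypt(L1, R1)
    Lp, Rp = L1, R1
    while Lp == L1 or Rp == R1:            # skip the rare degenerate d
        d = rng.getrandbits(N) or 1
        Lp, Rp = oracle.decrypt(X1 ^ d, Y1 ^ d)
    X3, Y3 = oracle.encrypt(Lp, R1)
    X4, Y4 = oracle.encrypt(L1, Rp)
    return X3 ^ Y3 == X4 ^ Y4

def run(seed=2024):
    """Run both tests against every oracle; return (cpa verdicts, cca verdicts,
    round-trip check).  True means 'flagged as the MISTY structure'."""
    rng = random.Random(seed)
    oracles = {"misty3": Misty(3, rng), "feistel3": Feistel(3, rng),
               "misty4": Misty(4, rng), "feistel4": Feistel(4, rng),
               "ideal": RandomPermutation(rng)}
    ok = all(o.decrypt(*o.encrypt(7, 11)) == (7, 11) for o in oracles.values())
    cpa = {k: cpa_distinguish_3_rounds(o, rng) for k, o in oracles.items()}
    cca = {k: cca_distinguish_4_rounds(o, rng) for k, o in oracles.items()}
    return cpa, cca, ok

if __name__ == "__main__":
    cpa, cca, ok = run()
    print("round-trips ok:", ok)
    print("3-round CPA test flags:", sorted(k for k, v in cpa.items() if v))
    print("4-round CCA test flags:", sorted(k for k, v in cca.items() if v))
```

The point of the comparison is structural, not statistical: the chosen-plaintext test succeeds with probability 1 against three MISTY-type rounds regardless of how good the round functions are, whereas against three DES-type rounds or a random permutation it succeeds with probability roughly 2^-N, which is exactly the gap a pseudorandomness proof in the Luby-Rackoff sense rules out. The same holds for the chosen-ciphertext test against four MISTY-type rounds, which is what non-super-pseudorandomness means. Note that the MISTY-type cascade is only a permutation because each f is bijective; the Feistel cascade has no such requirement.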
