Differential cryptanalysis of Lucifer

Differential cryptanalysis was introduced as an approach to analyze the security of DES-like cryptosystems. The first example of a DES-like cryptosystem was Lucifer, the direct predecessor of DES, which is still believed by many people to be much more secure than DES, since it has 128 key bits, and since no attacks against (the full variant of) Lucifer were ever reported in the cryptographic literature. In this paper we introduce a new extension of differential cryptanalysis, devised to extend the class of vulnerable cryptosystems. This new extension suggests key-dependent characteristics, called conditional characteristics, selected to increase the characteristics' probabilities for keys in subsets of the key space. The application of conditional characteristics to Lucifer shows that more than half of the keys of Lucifer are insecure, and the attack requires about 2^36 complexity and chosen plaintexts to find these keys. The same extension can also be used to attack a new variant of DES, called RDES, which was designed to be immune against differential cryptanalysis. These new attacks shed new light on the design of DES, and show that the transition of Lucifer to DES strengthened the later cryptosystem.
