Near Optimal Algorithms for Solving Differential Equations of Addition with Batch Queries

The combination of modular addition (+) and exclusive-or (⊕) is one of the most widely used symmetric cipher components. This paper investigates the strength of modular addition against differential cryptanalysis (DC) where the differences of inputs and outputs are expressed as XOR. In particular, we solve two very frequently used equations, (1) and (2), known as the differential equations of addition (DEA), with a set of batch queries. In a companion paper, presented at ACISP’05, we improved the algorithm of Muller (FSE’04) to design optimal algorithms that solve the equations with adaptive queries. However, a nontrivial solution with batch queries had remained open. The major contributions of this paper are (i) the determination of lower bounds on the number of batch queries required to solve the equations and (ii) the design of two algorithms which solve them with a number of queries close to optimal. Our algorithms require 2^{n-2} and 6 queries to solve (1) and (2), where the lower bounds are (theoretically proved) and 4 (based on extensive experiments) respectively (n is the bit-length of x, y, α, β, γ). This exponential lower bound is an important theoretical benchmark which certifies (1) as strong against DC. On the other hand, the constant number of batch queries needed to solve (2) reveals a major weakness of modular addition against DC.

Muller, at FSE’04, showed a key recovery attack on the Helix stream cipher (presented at FSE’03) with 2^{12} adaptive chosen plaintexts (ACP). At ACISP 2005, we improved the data complexity of the attack to 2^{10.41}. However, the complexity of the attack with chosen plaintexts (CP) was unknown. Using our results we recover the secret key of the Helix cipher with only 2^{35.64} chosen plaintexts (CP), which is so far the only CP attack on this cipher (under the same assumption as that of Muller’s attack). Considering the abundant use of this component, the results should be useful in evaluating the security of many block ciphers against DC.
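
As an added example (not code from the paper, and not the authors' algorithms), the following Python models the batch-query setting the abstract describes: the adversary fixes a whole set of input differences in advance, receives all output differences at once, and must then recover the unknown addends (x, y). Since the page does not reproduce equations (1) and (2), their forms here are assumed: (1) as (x+y) ⊕ ((x⊕α)+(y⊕β)) = γ and (2) as the one-sided case (x+y) ⊕ (x+(y⊕β)) = γ. All function names, the secrets and the batches are constructed for the illustration; n is kept small so that exhaustive search serves as the ground truth against which any query-efficient solver can be checked.

```python
"""Differential equations of addition (DEA) in the batch-query model.

Added illustration, not code from the paper. The forms of (1) and (2) below
are ASSUMED (the page does not reproduce them). n is small on purpose:
exhaustive search over (x, y) is the ground truth for any cleverer solver.
"""
from collections import defaultdict
from itertools import product


def dea_two_sided(x, y, alpha, beta, n):
    """Assumed form of (1): (x+y) xor ((x xor alpha) + (y xor beta)), mod 2^n."""
    mask = (1 << n) - 1
    return ((x + y) ^ ((x ^ alpha) + (y ^ beta))) & mask


def dea_one_sided(x, y, beta, n):
    """Assumed form of (2): (x+y) xor (x + (y xor beta)), mod 2^n (alpha = 0)."""
    mask = (1 << n) - 1
    return ((x + y) ^ (x + (y ^ beta))) & mask


def respond(x, y, batch, n):
    """Answer one batch of queries against the secret (x, y).

    A query is (alpha, beta); alpha is None for the one-sided equation.
    The whole batch is fixed before any answer is seen, which is the
    non-adaptive (batch) model, as opposed to adaptive queries."""
    out = []
    for alpha, beta in batch:
        if alpha is None:
            out.append(dea_one_sided(x, y, beta, n))
        else:
            out.append(dea_two_sided(x, y, alpha, beta, n))
    return tuple(out)


def solve_exhaustively(batch, answers, n):
    """Every (x, y) consistent with the batch answers, i.e. the solution set
    a DEA solver must output. Exponential in n; fine for n <= 6."""
    return [(x, y) for x, y in product(range(1 << n), repeat=2)
            if respond(x, y, batch, n) == answers]


def worst_case_ambiguity(batch, n):
    """Size of the largest set of secrets that this batch cannot tell apart.
    Use it to compare candidate batches before trusting a solver's output."""
    classes = defaultdict(int)
    for x, y in product(range(1 << n), repeat=2):
        classes[respond(x, y, batch, n)] += 1
    return max(classes.values())


def single_bit_batch(n, two_sided):
    """Constructed batch: one query per bit position, difference in y only."""
    if two_sided:
        return [(0, 1 << i) for i in range(n)]
    return [(None, 1 << i) for i in range(n)]


def full_batch(n, two_sided):
    """Every possible non-zero query: the most any batch strategy can learn."""
    if two_sided:
        return [(a, b) for a, b in product(range(1 << n), repeat=2)
                if (a, b) != (0, 0)]
    return [(None, b) for b in range(1, 1 << n)]


if __name__ == "__main__":
    n = 5
    x, y = 13, 22  # constructed secret addends
    batch = full_batch(n, two_sided=True)
    sols = solve_exhaustively(batch, respond(x, y, batch, n), n)
    print("two-sided, every query asked, solutions:", sols)
    batch = single_bit_batch(n, two_sided=False)
    zero = solve_exhaustively(batch, respond(0, y, batch, n), n)
    print("one-sided, secret x = 0, consistent (x, y) pairs:", len(zero))
```

Two properties of the assumed forms are worth checking against the exhaustive solver before designing a smarter one. Flipping the top bit of x or of y never changes a response of either equation (the carry out of the top bit is discarded), so every solution set contains at least four pairs and "solving" means recovering that set rather than a single (x, y). For the one-sided equation, a secret x ≡ 0 (mod 2^{n-1}) makes every response equal β, so such an x cannot be separated from any y by any batch; an attacker targeting a construction like the one in the abstract has to account for these inherently ambiguous keys.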

[1] Willi Meier et al. Cryptographic Significance of the Carry for Ciphers Based on Integer Addition, 1990, CRYPTO.

[2] Donald E. Knuth. The Art of Computer Programming, 2001.

[3] Josef Pieprzyk et al. Cryptanalysis of Block Ciphers with Overdefined Systems of Equations, 2002, ASIACRYPT.

[4] Aggelos Kiayias et al. Traceable Signatures, 2004, EUROCRYPT.

[5] Shai Halevi et al. MARS - a candidate cipher for AES, 1999.

[6] Xuejia Lai et al. Markov Ciphers and Differential Cryptanalysis, 1991, EUROCRYPT.

[7] Thomas A. Berson et al. Differential Cryptanalysis Mod 2^32 with Applications to MD5, 1992, EUROCRYPT.

[8] Information Security and Privacy, 1996, Lecture Notes in Computer Science.

[9] Iyad A. Ajwa et al. Gröbner Bases Algorithm, 1995.

[10] Martin E. Hellman et al. A cryptanalytic time-memory trade-off, 1980, IEEE Trans. Inf. Theory.

[11] Alex Biryukov et al. Slide Attacks, 1999, FSE.

[12] Bruce Schneier et al. The Twofish encryption algorithm: a 128-bit block cipher, 1999.

[13] Johan Wallén. Linear Approximations of Addition Modulo 2^n, 2003, FSE.

[14] Gerhard Goos et al. Fast Software Encryption, 2001, Lecture Notes in Computer Science.

[15] Michael Wiener et al. Advances in Cryptology — CRYPTO ’99, 1999.

[16] A. Shamir et al. Cryptanalysis of the HFE Public Key Cryptosystem, 1999.

[17] Adi Shamir et al. Cryptographic Applications of T-Functions, 2003, Selected Areas in Cryptography.

[18] Frédéric Muller. Differential Attacks against the Helix Stream Cipher, 2004, FSE.

[19] Bart Preneel et al. Solving Systems of Differential Equations of Addition, 2005, ACISP.

[20] Bruce Schneier et al. Helix: Fast Encryption and Authentication in a Single Cryptographic Primitive, 2003, FSE.

[21] J. Faugère. A new efficient algorithm for computing Gröbner bases (F4), 1999.

[22] Philippe Dumas et al. On the Additive Differential Probability of Exclusive-Or, 2004, FSE.

[23] Eli Biham et al. Differential cryptanalysis of DES-like cryptosystems, 1990, Journal of Cryptology.

[24] David A. Wagner et al. The Boomerang Attack, 1999, FSE.

[25] Bart Preneel et al. Solving Systems of Differential Equations of Addition (Extended Abstract), 2005.

[26] Shiho Moriai et al. Efficient Algorithms for Computing Differential Properties of Addition, 2001, FSE.

[27] Adi Shamir et al. New Cryptographic Primitives Based on Multiword T-Functions, 2004, FSE.