Related-Key Differential Attacks on Cobra-H64 and Cobra-H128

Cobra-H64 and Cobra-H128, which use data-dependent permutations as a main cryptographic primitive, are 64-bit and 128-bit iterated block ciphers with 128-bit and 256-bit keys, respectively. Since these ciphers use very simple key scheduling and controlled permutation (CP) for fast hardware encryption, they are suitable for wireless communications networks which require high-speed networks. Actually, these ciphers have better hardware performances than other ciphers used in security layers of wireless protocols (Wap, OMA, UMTS, IEEE 802.11 and so on). In this paper, however, we show that Cobra-H64 and Cobra-H128 are vulnerable to related-key differential attacks. We first describe how to construct full-round related-key differential characteristics of Cobra-H64 and Cobra-H128 with high probabilities and then we exploit them to attack full-round Cobra-H64 with a complexity of 215.5 and Cobra-H128 with a complexity of 244.

[1]  Information Security and Privacy , 1996, Lecture Notes in Computer Science.

[2]  Jongsung Kim,et al.  The Related-Key Rectangle Attack - Application to SHACAL-1 , 2004, ACISP.

[3]  Jongsung Kim,et al.  Related-Key Attacks on Reduced Rounds of SHACAL-2 , 2004, INDOCRYPT.

[4]  Sangjin Lee,et al.  A Chosen Plaintext Linear Attack on Block Cipher CIKS-1 , 2002, ICICS.

[5]  Computer Network Security , 2005 .

[6]  Seokhie Hong,et al.  Related-Key Attacks on DDP Based Ciphers: CIKS-128 and CIKS-128H , 2004, INDOCRYPT.

[7]  Eli Biham,et al.  Differential Cryptanalysis of the Data Encryption Standard , 1993, Springer New York.

[8]  Neal Koblitz,et al.  Advances in Cryptology — CRYPTO ’96 , 2001, Lecture Notes in Computer Science.

[9]  Bruce Schneier,et al.  Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA , 1997, ICICS.

[10]  N.D. Goots,et al.  Fast DDP-based ciphers: from hardware to software , 2003, 2003 46th Midwest Symposium on Circuits and Systems.

[11]  Seokhie Hong,et al.  Linear Cryptanalysis of SPECTR-H64 with Higher Order Differential Property , 2003, MMM-ACNS.

[12]  Aggelos Kiayias,et al.  Efficient Secure Group Signatures with Dynamic Joins and Keeping Anonymity Against Group Managers , 2005, Mycrypt.

[13]  Odysseas G. Koufopavlou,et al.  High Speed Networking Security: Design and Implementation of Two New DDP-Based Ciphers , 2005, Mob. Networks Appl..

[14]  Seokhie Hong,et al.  Related Key Differential Cryptanalysis of Full-Round SPECTR-H64 and CIKS-1 , 2004, ACISP.

[15]  Alfred Menezes,et al.  Progress in Cryptology — INDOCRYPT 2002 , 2002, Lecture Notes in Computer Science.

[16]  Anne Canteaut,et al.  Progress in Cryptology - INDOCRYPT 2004, 5th International Conference on Cryptology in India, Chennai, India, December 20-22, 2004, Proceedings , 2004, INDOCRYPT.

[17]  Nikolay A. Moldovyan,et al.  A cipher based on data-dependent permutations , 2001, Journal of Cryptology.

[18]  Victor A. Skormin,et al.  Information Assurance in Computer Networks , 2001, Lecture Notes in Computer Science.

[19]  Selçuk Kavut,et al.  Slide Attack on Spectr-H64 , 2002, INDOCRYPT.

[20]  Nikolay A. Moldovyan,et al.  Fast Ciphers for Cheap Hardware: Differential Analysis of SPECTR-H64 , 2003, MMM-ACNS.

[21]  Raphael C.-W. Phan,et al.  On Related-Key and Collision Attacks: The Case for the IBM 4758 Cryptoprocessor , 2004, ISC.

[22]  Nikolay A. Moldovyan,et al.  Fast Encryption Algorithm Spectr-H64 , 2001, MMM-ACNS.

[23]  Jongsung Kim,et al.  Related-Key Differential Attacks on Cobra-S128, Cobra-F64a, and Cobra-F64b , 2005, Mycrypt.

[24]  Bruce Schneier,et al.  Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES , 1996, CRYPTO.