论文信息 - A Key-schedule Weakness in SAFER K-64

A Key-schedule Weakness in SAFER K-64

In this paper we analyse SAFER K-64 and show a weakness in the key schedule. It has the effect that for almost every key K, there exists at least one different key K*, such that for many plaintexts the outputs after 6 rounds of encryption are equal. The output transformation causes the ciphertexts to differ in one of the 8 bytes. Also, the same types of keys encrypt even more pairs of plaintexts different in one byte to ciphertexts different only in the same byte. This enables us to do a related-key chosen plaintext attack on SAFER K-64, which finds 8 bits of the key requiring from 244 to about 247 chosen plaintexts.While our observations may have no greater impact on the security of SAFER K-64 when used for encryption in practice, it greatly reduces the security of the algorithm when used in hashing modes, which is illustrated. We give collisions for the well-known secure hash modes using a block cipher. Also we give a suggestion of how to improve the key schedule, such that our attacks are no longer possible.

Lars R. Knudsen | L. Knudsen

[1] Serge Vaudenay,et al. On the Need for Multipermutations: Cryptanalysis of MD4 and SAFER , 1994, FSE.

[2] Lars R. Knudsen,et al. Cryptanalysis of LOKI91 , 1992, AUSCRYPT.

[3] Xuejia Lai,et al. On the design and security of block ciphers , 1992 .

[4] James L. Massey,et al. SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm , 1993, FSE.

[5] James L. Massey,et al. SAFER K-64: One Year Later , 1994, FSE.

[6] Lars R. Knudsen,et al. Block Ciphers: Analysis, Design and Applications , 1994 .

[7] Joos Vandewalle,et al. Computer Security and Industrial Cryptography , 1993, Lecture Notes in Computer Science.

[8] Bart Preneel,et al. Cryptographic hash functions , 2010, Eur. Trans. Telecommun..

[9] Joos Vandewalle,et al. Hash Functions Based on Block Ciphers: A Synthetic Approach , 1993, CRYPTO.

[10] Jean-Jacques Quisquater,et al. How Easy is Collision Search? Application to DES (Extended Summary) , 1990, EUROCRYPT.

[11] Carlo Harpes,et al. A Generalization of Linear Cryptanalysis and the Applicability of Matsui's Piling-Up Lemma , 1995, EUROCRYPT.

[12] Jennifer Seberry,et al. Advances in Cryptology — AUSCRYPT '92 , 1992, Lecture Notes in Computer Science.