what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

cryptanalysis.html

cryptanalysis.html
Posted Dec 21, 1999

cryptanalysis.html

tags | java, encryption, steganography
SHA-256 | fca79ebd3e927fef1d40c2de61d99e5b7f5b789b049cbbbfe160ff744243f1ce

cryptanalysis.html

Change Mirror Download
<HTML>
<HEAD> <TITLE> Cryptanalysis of ICE </TITLE> </HEAD>
<BODY BGCOLOR="#d8d8d8" TEXT="#000080" LINK="#0000FF">
<H1> Cryptanalysis of ICE </H1>
<P>
As a new cipher, ICE has not yet undergone rigorous third-party
cryptanalysis. These are the results of the author's own cryptanalysis. </P>

<H3> Weak keys </H3>
<P>
ICE has no weak keys. Weak, or self-decrypting, keys are keys
which, if they are used to encrypt the same data twice, produce the
original unencrypted data. DES has four of them. </P>
<P>
There are no semi-weak keys either. Semi-weak keys come in pairs, where
the second key decrypts the first. DES has 16 of them, including the
four weak keys. </P>
<P>
A weak or semi-weak key occurs if there is another key that generates
an identical key schedule, but in the reverse order. These keys can be
found by setting up a series of linear (under XOR) equations expressing
the fact that the schedule of key 1 is the reverse of the schedule of
key 2, then solving the equations. The number of independent variables
in the solution gives the log base 2 of the number of weak keys. </P>
<P>
For ICE, there were 960 equations (16 rounds, 60 bits per round) and
129 variables (2 x 64-bit keys, plus an inversion bit). The solution
was "1=0", which means that there are no keys that satisfy the equations. </P>

<H3> Key inversion weaknesses </H3>
<P>
ICE has no key-inversion weaknesses. These occur when inverting
certain bits in the key and plaintext simply cause bits to invert
in the ciphertext. DES has one weakness of this sort. </P>
<P>
They are caused in DES by the fact that key bits are only used with
the XOR function. If both key and plaintext bits are inverted, the
inversions are cancelled out by the XOR function, and DES behaves
linearly. However, ICE also uses key bits to permute the outputs
of the E boxes, so if the key is inverted, the S-boxes will receive
totally different inputs. </P>

<H3> Differential cryptanalysis </H3>
<P>
ICE levels 1 and above cannot be broken by differential
cryptanalysis. However, there is a possibility that Thin-ICE
can be broken by a chosen-plaintext attack with roughly 2<SUP>56</SUP>
encryptions. This has been calculated by simply multiplying the
round-by-round probabilities, so it is not yet certain whether
it yields a valid attack. DES can be broken by differential
cryptanalysis with 2<SUP>47</SUP> encryptions. </P>
<P>
The use of keyed permutation after the E boxes means that an attacker
cannot know which S-box will be affected by a particular input bit.
However, since the keyed permutation acts to simply swap bits between
the left and right halves of a 32-bit value, the attacker can use inputs
whose leftmost 16 bits are the same as the rightmost 16 bits. This
enables the attacker to send known differences to the S-boxes, but
it usually also means that twice as many S-boxes have to be attacked
simultaneously, often with low-probability differences. This typically
at least squares the number of pairs required to achieve a result. </P>
<P>
The best input differences for attacking the ICE F-function are
<TT>b2d6b2d6</TT> and <TT>cad6cad6</TT>, both of which produce a
zero output difference with probability 4320/2<SUP>40</SUP>. They can be
combined into 5-round characteristics which have a probability of
2<SUP>-55.85</SUP>, and it is these characteristics that may be able to
break Thin-ICE, which is an 8-round cipher. </P>

<H3> Linear cryptanalysis </H3>
<P>
None of the ICE variants appear to be breakable by linear cryptanalysis.
Even Thin-ICE, the weakest variant, seems to need over 2<SUP>82</SUP>
encryptions to be reliably broken, but since it is only a 64-bit cipher,
there aren't that many plaintexts available. DES can be broken with
approximately 2<SUP>43</SUP> encryptions. </P>
<P>
The resistance of ICE to linear cryptanalysis is due to the larger
S-boxes, and to the keyed permutation, which roughly squares the effort
otherwise required. </P>

<H3> Related-key cryptanalysis </H3>
<P>
This attack relies on simple relations between subkeys in adjacent
rounds. ICE is not susceptible to this attack because it uses an
irregular key rotation schedule, meaning that there is no consistent
relationship between subkeys. DES is also resistant to this attack. </P>

<H3> Meet-in-the-middle attacks </H3>
<P>
If you encrypt data twice, with two different keys, you usually find
yourself susceptible to a meet-in-the-middle attack. That is why
Triple-DES is used instead of double encryption, despite the factor
of three speed penalty. </P>
<P>
ICE avoids this weakness in its extended variants by extending the
key schedule with insertions in the middle of the schedule. Although
ICE-<EM>n</EM> effectively encrypts the data <EM>n</EM> times with
<EM>n</EM> different 64-bit keys, it does this not by encrypting with
one key after another, but by doing half encryptions (i.e. the first
8 rounds) <EM>n</EM> times, then doing the second halves <EM>n</EM>
times. </P>

<H3> Codebook reconstruction attacks </H3>
<P>
It must be remembered that any 64-bit cipher can be broken under a
chosen-plaintext attack in 2<SUP>64</SUP> time and memory by simply
constructing a lookup table of all 2<SUP>64</SUP> possible
plaintext/ciphertext pairs. This is regardless of the key size and
how well the cipher has been designed. </P>
<P>
So it must be remembered that although the strength of ICE-<EM>n</EM>
under ciphertext-only attacks is probably 2<SUP>64<EM>n</EM></SUP>, the
strength of all ICE variants under chosen-plaintext is, at best,
2<SUP>64</SUP>.

</BODY>
</HTML>
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close