COCONUT98

Abstract: Differential cryptanalysis analyzes ciphers by studying the development of differences during encryption. Linear cryptanalysis is similar but is based on studying approximate linear relations. In 1994, Langford and Hellman showed that both kinds of analysis can be combined together by a technique called differential-linear cryptanalysis, in which the differential part creates a linear approximation with probability 1. They applied their technique to 8-round DES. In this paper we present an enhancement of differential-linear cryptanalysis in which the inherited linear probability is smaller than 1. We use this extension to describe a differential-linear distinguisher for a 7-round reducedversion of DES, and to present the best known key-recovery attack on a 9-round reduced-version of DES. We use our enhanced technique to attack COCONUT98 with time complexity 233.7 encryptions and 227.7 chosen plaintexts.

Abstract: Differential cryptanalysis and linear cryptanalysis are the two best-known techniques for cryptanalysis of block ciphers. In 1994, Langford and Hellman introduced the differential-linear (DL) attack based on dividing the attacked cipher E into two subciphers \(E_0\) and \(E_1\) and combining a differential characteristic for \(E_0\) with a linear approximation for \(E_1\) into an attack on the entire cipher E. The DL technique was used to mount the best known attacks against numerous ciphers, including the AES finalist Serpent, ICEPOLE, COCONUT98, Chaskey, CTC2, and 8-round DES.

Abstract: In this paper we study the resistance of a block cipher against a class of general attacks which we call "iterated attacks". This class includes some elementary versions of differential and linear cryptanalysis. We prove that we can upper bound the complexity of the attack by using decorrelation techniques. Our main theorem enables to prove the security against these attacks (in our model) of some recently proposed block ciphers COCONUT98 and PEANUT98, as well as the AES candidate DFC.We outline that decorrelation to the order 2d is required for proving security against iterated attacks of order d.

Abstract: Differential cryptanalysis analyzes ciphers by studying the development of differences during encryption. Linear cryptanalysis is similar but is based on studying approximate linear relations. In 1994, Langford and Hellman showed that both kinds of analysis can be combined together by a technique called differential-linear cryptanalysis, in which the differential part creates a linear approximation with probability 1. They applied their technique to 8-round DES. In this paper we present an enhancement of differential-linear cryptanalysis in which the inherited linear probability is smaller than 1. We use this extension to describe a differential-linear distinguisher for a 7-round reduced-version of DES, and to present the best known key-recovery attack on a 9-round reduced-version of DES. We use our enhanced technique to attack COCONUT98 with time complexity 2 33.7 encryptions and 2 27.7 chosen plaintexts.