Jiqiang Lu (2008) Cryptanalysis of Block Ciphers.
Full text access: Open
The block cipher is one of the most important primitives in modern cryptography, information and network security; one of the primary purposes of such ciphers is to provide confidentiality for data transmitted in insecure communication environments. To ensure that confidentiality is robustly provided, it is essential to investigate the security of a block cipher against a variety of cryptanalytic attacks.

In this thesis, we propose a new extension of differential cryptanalysis, which we call the impossible boomerang attack. We describe the early abort technique for (related-key) impossible differential cryptanalysis and rectangle attacks. Finally, we analyse the security of a number of block ciphers that are currently being widely used or have recently been proposed for use in emerging cryptographic applications; our main cryptanalytic results are as follows.

- An impossible differential attack on 7-round AES when used with 128 or 192 key bits, and an impossible differential attack on 8-round AES when used with 256 key bits.
- An impossible boomerang attack on 6-round AES when used with 128 key bits, and an impossible boomerang attack on 7-round AES when used with 192 or 256 key bits.
- A related-key impossible boomerang attack on 8-round AES when used with 192 key bits, and a related-key impossible boomerang attack on 9-round AES when used with 256 key bits, both using two keys.
- An impossible differential attack on 11-round reduced Camellia when used with 128 key bits, an impossible differential attack on 12-round reduced Camellia when used with 192 key bits, and an impossible differential attack on 13-round reduced Camellia when used with 256 key bits.
- A related-key rectangle attack on the full Cobra-F64a, and a related-key differential attack on the full Cobra-F64b.
- A related-key rectangle attack on 44-round SHACAL-2.
- A related-key rectangle attack on 36-round XTEA.
- An impossible differential attack on 25-round reduced HIGHT, a related-key rectangle attack on 26-round reduced HIGHT, and a related-key impossible differential attack on 28-round reduced HIGHT.

In terms of either the attack complexity or the number of attacked rounds, the attacks presented in the thesis are better than any previously published cryptanalytic results for the block ciphers concerned, except in the case of AES. For AES, the presented impossible differential attacks on 7-round AES used with 128 key bits and 8-round AES used with 256 key bits are the best currently published results on AES in a single-key attack scenario, and the presented related-key impossible boomerang attacks on 8-round AES used with 192 key bits and 9-round AES used with 256 key bits are the best currently published results on AES in a related-key attack scenario involving two keys.
This is a published version. This version's date is 30/07/2008. This item is peer reviewed.
https://repository.royalholloway.ac.uk/items/7f16098c-7cb3-ef1e-fe21-77f65deb222b/1/
Deposited by () on 28-Jun-2010 in Royal Holloway Research Online. Last modified on 13-Dec-2010.
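The abstract names impossible differential cryptanalysis as the technique the thesis extends and applies to AES, Camellia and HIGHT. The program below is an added illustration, not code from the thesis and not a reproduction of any attack in it, of the miss-in-the-middle idea behind every impossible differential attack, run on a toy cipher so that everything can be checked exhaustively: a Feistel network with 4-bit halves whose round function is the PRESENT S-box applied after a subkey XOR, so the round function is a permutation for every subkey. For any Feistel cipher with a bijective round function the 5-round differential (a, 0) -> (0, a) is impossible; the program verifies this over all plaintexts and then uses it to recover the last subkey of a 6-round version by discarding every guess under which some ciphertext pair peels back to the impossible difference. The cipher, the S-box choice and the subkeys used in the demo are assumptions of the example.

```python
"""Impossible differential cryptanalysis on a toy Feistel cipher (added example).

Cipher: Feistel network on an 8-bit block with 4-bit halves; round function
F(x, k) = S[x ^ k] with the PRESENT S-box, so F is a permutation of x for
every subkey k.  For any Feistel cipher with a bijective round function the
5-round differential (a, 0) -> (0, a), written (left diff, right diff) with
no final swap, is impossible.  Miss in the middle: two rounds forward turn
(a, 0) into (a, b) with b = dF(a) != 0; two rounds backward turn (0, a) into
(b', a); round 3 would then need dF(b) = 0, which a permutation cannot give
for b != 0.
"""

NIBBLE = 0xF
# PRESENT S-box, a fixed 4-bit permutation (any bijective S-box would do).
S = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
     0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def F(x, k):
    """Round function: subkey XOR then S-box; a bijection of x for every k."""
    return S[(x ^ k) & NIBBLE]


def encrypt(left, right, subkeys):
    """Feistel rounds (L, R) -> (R, L ^ F(R, k)), one subkey per round, no final swap."""
    for k in subkeys:
        left, right = right, left ^ F(right, k)
    return left, right


def decrypt(left, right, subkeys):
    """Inverse of encrypt: peel the rounds off in reverse order."""
    for k in reversed(subkeys):
        left, right = right ^ F(left, k), left
    return left, right


def count_output_diff(subkeys, in_diff, out_diff):
    """Count, over all 256 plaintexts, the pairs with XOR difference in_diff
    whose ciphertexts differ by out_diff.  An impossible differential gives 0."""
    hits = 0
    for p in range(256):
        l, r = p >> 4, p & NIBBLE
        c1 = encrypt(l, r, subkeys)
        c2 = encrypt(l ^ in_diff[0], r ^ in_diff[1], subkeys)
        if (c1[0] ^ c2[0], c1[1] ^ c2[1]) == out_diff:
            hits += 1
    return hits


def recover_last_subkey(subkeys):
    """Impossible differential attack on 6 rounds.

    For every input difference (a, 0), guess the round-6 subkey k6, undo the
    last round of each ciphertext pair and discard k6 if the pair then shows
    the impossible 5-round difference (0, a).  The true k6 is never discarded
    because under it the peeled-off pair is a genuine 5-round pair.
    Returns the set of surviving guesses.
    """
    assert len(subkeys) == 6
    candidates = set(range(16))
    for a in range(1, 16):
        for p in range(256):
            l, r = p >> 4, p & NIBBLE
            c1 = encrypt(l, r, subkeys)
            c2 = encrypt(l ^ a, r, subkeys)
            # Round 6 maps (L5, R5) to (R5, L5 ^ F(R5, k6)), so a difference
            # (0, a) before round 6 forces the ciphertext left halves to differ
            # by exactly a.  That condition involves no key bits, so pairs
            # failing it are dropped before any guess is made.
            if c1[0] ^ c2[0] != a:
                continue
            for k6 in list(candidates):
                s1 = decrypt(*c1, [k6])
                s2 = decrypt(*c2, [k6])
                # The right halves of s1, s2 are the ciphertext left halves and
                # already differ by a; a zero left difference completes (0, a).
                if s1[0] == s2[0]:
                    candidates.discard(k6)
    return candidates


if __name__ == "__main__":
    key = [3, 14, 7, 9, 0, 11]          # arbitrary subkeys for the demo
    for a in range(1, 16):
        assert count_output_diff(key[:5], (a, 0), (0, a)) == 0
    print("5-round (a, 0) -> (0, a) never observed for any a")
    print("round-6 subkey guesses surviving:", sorted(recover_last_subkey(key)),
          "true k6 =", key[5])
```

The key-independent part of the condition (the ciphertext left halves must differ by a) is checked before any subkey is guessed, so the guessing loop only touches pairs that can possibly exhibit the impossible difference; on a real cipher that filtering is what keeps the data and time complexity manageable. The example does not implement the early abort technique mentioned in the abstract.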