Cryptography Reference
In-Depth Information
5.1
Differential and Linear Attacks on Block Ciphers
We explain our method of evaluating the security against differential cryptanal-
ysis [8]. We can apply a similar method to linear cryptanalysis [35] because of
its duality to differential cryptanalysis [16]. In order to do this, we compute up-
per bounds on the probabilities of differential characteristics with the following
method:
-
Make abstraction of the exact differences used in these characteristics and
then just consider patterns of active S-boxes.
-
Perform experiments with the Viterbi algorithm to compute lower bounds on
the minimum number of the active S-boxes, considering the MDS property.
We can observe that the minimum number of the active S-boxes for 24 rounds
is 24. Therefore the probabilities of differential characteristics of 24 rounds of
Lesamnta-LW are upperbounded by 2
−
144
because the maximum differential
probability of AES S-box is 2
−
6
. As a result, it is very unlikely to apply differ-
ential/linear attacks to the full Lesamnta-LW.
5.2
Collision Attacks Using the Message Modification
Wang et al. [46,47] showed methods for finding collisions for widely used hash
functions such as SHA-1. Their approach is based on the differential cryptanal-
ysis and the message modification technique which can be used to reduce the
attack complexity by using degrees of freedom in the message block space.
In the case of attacks on Lesamnta-LW using the above differential collision
finding methods, the attacker has to use messages of at least two blocks because
the message block is shorter than the chaining variable. Using multiple block
messages, he has some control over 384 bits of the input to the compression
function. However, out of these 384 bits, the only input bits over which he can
have control in a deterministic way are 128 bits, which correspond to the message
block input. He can have control over the remaining 256 bits corresponding to
the chaining variable input only in a probabilistic way. On the other hand, we
can show that the maximum differential characteristic probabilities for 44 rounds
of the mixing function and for 24 rounds of the key scheduling function are less
than 2
−
256
and 2
−
128
in the same way we did in Sect 5.1. Their methods for
finding collisions require a differential characteristic with a large probability and
a large degree of freedom in the message block space. Considering the limited
number of bits he can use in a deterministic way and differential characteristics
he can find which have a very small probability, we expect that it is very unlikely
to apply the differential collision finding methods to Lesamnta-LW.
5.3
Attacks on the Compression Function of Lesamnta
Recently, attacks [13] on the compression function of Lesamnta [25] have been
reported. Their main idea is to find some structure in round constants. More
specifically, the following properties in Lesamnta are exploited:
Search WWH ::
Custom Search