Cryptography Reference
In-Depth Information
G
2
proceed identically. Since at each query there are at most
q
previous
P
(resp.
P
−
1
) output values already defined, we have
q
2
2
n
.
|
Pr(
E
2
)
−
Pr(
E
1
)
|≤
(4)
At this stage we stop building chain of games and we upper bound the probability
Pr(
E
2
) directly. We claim that
q
2
n−
(
c
O
+
c
I
)
.
Pr(
E
2
)
≤
(5)
Let
x
denote the
q
th query of the attacker, define the following variables for
i
=1
,...,N
and
j
=1
,...,M
:
-
a
i
=numberof
P
oracle queries made so far which are in
A
i
,
-
a
i
=numberof
P
−
1
oracle answers given so far which fell in
A
i
,
-
b
j
=numberof
P
−
1
oracle queries made so far which are in
B
j
,
-
b
j
=numberof
P
oracle answers given so far which fell in
B
j
.
Suppose that
x
is a query to
P
and that
x
A
i
for some
i
.Wehavesofar
a
i
+
a
i
points in
A
i
whose
B
j
sets are already defined. Hence the event
E
2
will occur only
if the uniformly random (in
∈
n
)answerof
P
falls in one of those output sets,
so it will happen in this query with probability
{
0
,
1
}
a
i
+
a
i
M
≤
|D
I
|
M
1
≤
=
2
n−
(
c
I
+
c
O
)
,
using
a
i
+
a
i
≤|
D
I
|
(since the game did not stop so far). Similarly, if
x
is
aqueryto
P
−
1
and
x
∈
B
j
for some
j
,then
E
2
will occur in this query with
b
j
+
b
j
N
≤
|D
O
|
N
1
probability
2
n−
(
c
I
+
c
O
)
. It follows that
E
2
occurs among the
first
q
queries with probability bounded by (5), as claimed. This completes the
proofoftheLemma.
≤
=
5
Differential Trails for Specific Block Ciphers
We have searched for differential trails in the following ciphers: Crypton,
Hierocrypt-3, SAFER++, and Square. Specifically, we have tried to build stan-
dard and/or truncated trails, which can be used in a rebound-type attack. For
some of the ciphers, the probabilities for the both standard and truncated dif-
ferential trails were higher than in a random permutation. In this case, only the
trails (which are usually truncated) with higher probability are presented.
The trails for the chosen-key distinguishers were built upon the trails for
the known-key distinguishers by increasing the number of the full active middle
rounds which can be covered for free when a proper subkey is fixed. When
n
-bit
key is used, with an invertible key schedule that produces
s
-bit subkeys, then the
chosen-key distinguisher has
n
s
more rounds then the known-key distinguisher.
Due to space limitation, we will not give a full description of the attacked
ciphers, but rather, introduce them briefly using the original notions and defini-
tions from the source papers.
Search WWH ::
Custom Search