Cipher | EPFL Graph Search

In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment. To encipher or encode is to convert information into cipher or code. In common parlance, "cipher" is synonymous with "code", as they are both a set of steps that encrypt a message; however, the concepts are distinct in cryptography, especially classical cryptography. Codes generally substitute different length strings of characters in the output, while ciphers generally substitute the same number of characters as are input. A code maps one meaning with another. Words and phrases can be coded as letters or numbers. Codes typically have direct meaning from input to key. Codes primarily function to save time. Ciphers are algorithmic. The given input must follow the cipher's process to be solved. Ciphers are commonly used to encrypt written information. Codes operated by s

Cryptanalysis of the full MMB Block Cipher

Jorge Nakahara, Yue Sun

The block cipher MMB was designed by Daemen, Govaerts and Vandewalle, in 1993, as an alternative to the IDEA block cipher. We exploit and describe unusual properties of the modular multiplication in ZZ232 −1 , which lead to a diﬀerential attack on the full 6-round MMB cipher (both versions 1.0 and 2.0). Further contributions of this paper include detailed square and linear cryptanalysis of MMB. Concerning diﬀerential cryptanalysis (DC), we can break the full MMB with 2118 chosen plaintexts, 295.91 6-round MMB encryptions and 264 counters, eﬀectively bypassing the cipher’s countermeasures against DC. For the square attack, we can recover the 128-bit user key for 4-round MMB with 234 chosen plaintexts, 2126.32 4-round encryptions and 264 mem- ory blocks. Concerning linear cryptanalysis, we present a key-recovery attack on 3-round MMB requiring 2114.56 known-plaintexts and 2126 en- cryptions. Moreover, we detail a ciphertext-only attack on 2-round MMB using 293.6 ciphertexts and 293.6 parity computations. These attacks do not depend on weak-key or weak-subkey assumptions, and are thus in- dependent of the key schedule algorithm.

Springer2009

Cryptanalysis of the full MMB block cipher

Jorge Nakahara, Yue Sun

The block cipher MMB was designed by Daemen, Govaerts and Vandewalle, in 1993, as an alternative to the IDEA block cipher. We exploit and describe unusual properties of the modular multiplication in

Z_{2^{32} - 1}

, which lead to a differential attack on the full 6-round MMB cipher (both versions 1.0 and 2.0). Further contributions of this paper include detailed square and linear cryptanalysis of MMB. Concerning differential cryptanalysis (DC), we can break the full MMB with 2^118 chosen plaintexts, 2^95.91 6-round MMB encryptions and 2^64 counters, effectively bypassing the cipher's countermeasures against DC. For the square attack, we can recover the 128-bit user key for 4-round MMB with 2^34 chosen plaintexts, 2^126.32 4-round encryptions and 2^64 memory blocks. Concerning linear cryptanalysis, we present a key-recovery attack on 3-round MMB requiring 2^114.56 known-plaintexts and 2^126 encryptions. Moreover, we detail a ciphertext-only attack on 2-round MMB using 2^93.6 ciphertexts and 2^93.6 parity computations. These attacks do not depend on weak-key or weak-subkey assumptions, and are thus independent of the key schedule algorithm.

2009

Cryptanalysis of Plantlet

Subhadeep Banik, Khashayar Barooti

Plantlet is a lightweight stream cipher designed by Mikhalev, Armknecht and Muller in IACR ToSC 2017. It has a Grain-like structure with two state registers of size 40 and 61 bits. In spite of this, the cipher does not seem to lose in security against generic Time-Memory-Data Tradeoff attacks due to the novelty of its design. The cipher uses a 80-bit secret key and a 90-bit IV. In this paper, we first present a key recovery attack on Plantlet that requires around 2^{76.26} Plantlet encryptions. The attack leverages the fact that two internal states of Plantlet that differ in the 43rd LFSR location are guaranteed to produce keystream that are either equal or unequal in 45 locations with probability 1. Thus an attacker can with some probability guess that when 2 segments of keystream blocks possess the 45 bit difference just mentioned, they have been produced by two internal states that differ only in the 43rd LFSR location. Thereafter by solving a system of polynomial equations representing the keystream bits, the attacker can find the secret key if his guess was indeed correct, or reach some kind of contradiction if his guess was incorrect. In the latter event, he would repeat the procedure for other keystream blocks with the given difference. We show that the process when repeated a finite number of times, does indeed yield the value of the secret key. In the second part of the paper, we observe that the previous attack was limited to internal state differences that occurred at time instances that were congruent to 0 mod 80. We further observe that by generalizing the attack to include internal state differences that are congruent to all equivalence classed modulo 80, we lower the total number of keystream bits required to perform the attack and in the process reduce the attack complexity to 2^{69.98} Plantlet encryptions.

2019

Cryptanalysis of the full MMB block cipher

Jorge Nakahara, Yue Sun

The block cipher MMB was designed by Daemen, Govaerts and Vandewalle, in 1993, as an alternative to the IDEA block cipher. We exploit and describe unusual properties of the modular multiplication in

Z_{2^{32} - 1}

2009