Abstract
In this paper we consider the security of block ciphers which contain alternate layers of invertible S-boxes and affine mappings (there are many popular cryptosystems which use this structure, including the winner of the AES competition, Rijndael). We show that a five-layer scheme with 128-bit plaintexts and 8-bit S-boxes is surprisingly weak against what we call a multiset attack, even when all the S-boxes and affine mappings are key dependent (and thus completely unknown to the attacker). We tested the multiset attack with an actual implementation, which required just 2^16 chosen plaintexts and a few seconds on a single PC to find the 2^17 bits of information in all the unknown elements of the scheme.
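As an added example (not the authors' code or the implementation the abstract refers to), the Python below builds a down-scaled SASAS and runs the multiset attack on its last S-box layer. The assumptions are mine: a 32-bit block of four secret 8-bit S-boxes per layer instead of the paper's 128-bit block with sixteen, affine layers realised as a random invertible GF(2) matrix plus a constant, fixed PRNG seeds so the run is reproducible, and 320 multisets (81920 chosen plaintexts) rather than the paper's 2^16 to leave a margin for the rank computation. The names SASAS, multiset, xor_sum, recover_last_layer and true_solutions are mine. The code first shows the property the attack rests on (a multiset that runs through all 256 values of one byte XORs to zero after S-A-S-A but not after the fifth layer), then recovers each last-layer S-box inverse up to affine equivalence by solving a linear system over GF(2) in the 256 entries of its table.

```python
# Added illustration, not the authors' code: a toy SASAS (NB = 4 secret 8-bit S-boxes per layer,
# 32-bit block; the paper targets 16 S-boxes / 128 bits) and the multiset attack on its last S layer.
import random

NB = 4          # bytes per block (assumed here; the paper uses 16)
N = 8 * NB      # block size in bits

def parity(x):
    return bin(x).count("1") & 1

def gf2_rref(rows):
    """Reduced row-echelon form over GF(2) of int bit-vectors: {pivot_bit: row}."""
    piv = {}
    for v in rows:
        for p, r in piv.items():
            if v >> p & 1: v ^= r
        if v:
            p = (v & -v).bit_length() - 1      # lowest set bit becomes the pivot
            for q in piv:
                if piv[q] >> p & 1: piv[q] ^= v
            piv[p] = v
    return piv

def null_space(rows, n):
    """Basis of {t in GF(2)^n : parity(r & t) == 0 for every r in rows}."""
    piv = gf2_rref(rows)
    basis = []
    for f in range(n):
        if f not in piv:                       # one basis vector per free bit
            t = 1 << f
            for p, r in piv.items():
                if r >> f & 1: t |= 1 << p
            basis.append(t)
    return basis

class SASAS:                                   # S1-A1-S2-A2-S3, every component secret
    def __init__(self, seed=1):
        rng = random.Random(seed)
        self.S = [[rng.sample(range(256), 256) for _ in range(NB)] for _ in range(3)]
        self.A = [self._affine(rng) for _ in range(2)]

    @staticmethod
    def _affine(rng):                          # invertible N x N GF(2) matrix M plus constant c
        while True:
            cols = [rng.getrandbits(N) for _ in range(N)]   # column k = image of unit vector e_k
            if len(gf2_rref(cols)) == N: break
        tab = [[0] * 256 for _ in range(NB)]               # tab[b][v] = M * (v << 8*b)
        for b in range(NB):
            for v in range(256):
                for k in range(8):
                    if v >> k & 1: tab[b][v] ^= cols[8 * b + k]
        return tab, rng.getrandbits(N)

    def encrypt(self, x, layers=5):            # first `layers` layers: 5 = SASAS, 4 = SASA, ...
        for n in range(layers):
            if n % 2 == 0:                                 # S layer: one S-box per byte
                x = sum(self.S[n // 2][b][(x >> 8 * b) & 0xFF] << 8 * b for b in range(NB))
            else:                                          # A layer: y = M x + c
                tab, y = self.A[n // 2]
                for b in range(NB):
                    y ^= tab[b][(x >> 8 * b) & 0xFF]
                x = y
        return x

def multiset(byte, rng=None):                  # `byte` takes all 256 values, rest a random constant
    rng = rng or random.Random(0)
    const = rng.getrandbits(N) & ~(0xFF << 8 * byte)
    return [const | (v << 8 * byte) for v in range(256)]

def xor_sum(cipher, pts, layers):
    acc = 0
    for p in pts: acc ^= cipher.encrypt(p, layers)
    return acc      # 0 after SASA (balanced); nonzero in general once S3 is applied

def recover_last_layer(cipher, n_multisets=320, seed=2):
    """Multiset attack on S3.  Each bit of S3_i^-1 is a 256-bit vector t (bit c = that bit of
    S3_i^-1(c)) with XOR_j t[c_j] = 0 over every multiset, i.e. parity(ind & t) == 0 for the mod-2
    indicator ind of the ciphertext bytes seen.  Returns per byte (null-space basis, rows); the null
    space is 9-dimensional (8 bits of S3_i^-1 plus the constant 1): S3_i^-1 up to affine maps."""
    rng = random.Random(seed)
    inds = [[] for _ in range(NB)]
    for m in range(n_multisets):               # 320 * 256 chosen plaintexts (the paper: 2^16)
        cts = [cipher.encrypt(p) for p in multiset(m % NB, rng)]
        for i in range(NB):
            ind = 0
            for c in cts:
                ind ^= 1 << ((c >> 8 * i) & 0xFF)
            inds[i].append(ind)
    return [(null_space(inds[i], 256), inds[i]) for i in range(NB)]

def true_solutions(cipher, i):                 # the 9 vectors the attack must find for byte i
    inv = {y: x for x, y in enumerate(cipher.S[2][i])}
    return [sum(((inv[c] >> k) & 1) << c for c in range(256)) for k in range(8)] + [(1 << 256) - 1]

if __name__ == "__main__":
    cipher = SASAS()
    print("XOR sum after SASA / SASAS:", [hex(xor_sum(cipher, multiset(0), L)) for L in (4, 5)])
    for i, (basis, inds) in enumerate(recover_last_layer(cipher)):
        ok = all(parity(t & ind) == 0 for t in true_solutions(cipher, i) for ind in inds)
        print(f"byte {i}: null-space dimension {len(basis)}, true S3^-1 bits inside: {ok}")
```

The 9-dimensional null space is exactly what the structure predicts: any affine image of S3_i^-1 also XORs to zero over a balanced multiset, so the attack can only determine each last-layer S-box up to affine equivalence, and that ambiguity is harmless because it can be absorbed into the preceding affine layer A2. Balance holds whatever the secret components are, which is why the attack does not need to know the S-boxes or affine maps in advance.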
Additional information
Communicated by Bart Preneel
During this work, Alex Biryukov was with the Computer Science department of the Weizmann Institute of Science and with ESAT/SCD-COSIC at Katholieke Universiteit Leuven.
Cite this article
Biryukov, A., Shamir, A. Structural Cryptanalysis of SASAS. J Cryptol 23, 505–518 (2010). https://doi.org/10.1007/s00145-010-9062-1