Abstract

In this paper we present a differential attack on the block cipher PP-1, which was designed at Poznan University of Technology. The complexity of the attack is smaller than that of a brute-force attack for every version of the cipher (for every block length). The attack is possible in spite of the fact that the S-box exhibits optimal security against differential cryptanalysis. It is based on the fact that the cipher's S-box and permutation were constructed independently. The permutation operates on individual bits, and in the XOR profile table of the S-box 1-bit to 1-bit transitions are possible. This allows constructing a simple one-round differential characteristic which is almost iterative, with the probability $1.5 \cdot 2^{-6}$. By concatenating the characteristic 9 times and relaxing it in the last round we obtained a 10-round characteristic with the probability $2^{-48.7}$. Using this characteristic with a 1R attack makes differential cryptanalysis of the full 11-round cipher possible with complexity smaller than exhaustive search. By carefully exploiting similar characteristics it is possible to find analogous attacks on different versions of cipher PP-1, with a larger number of rounds.

Highlights

  • Differential cryptanalysis [1] is, next to linear cryptanalysis [2, 3] and algebraic attacks [4], one of three fundamental, general methods of cryptanalysis of block ciphers [5]

  • The aim of the paper is to show that even newly designed block ciphers can be attacked with differential cryptanalysis if they are not carefully constructed

  • Using ciphertexts of plaintext pairs in which the third and the fifth bytes are inactive, and using outputs given by the differential characteristic (Table 14), we look for a candidate for round subkeys (24 bits)


Summary

Introduction

Differential cryptanalysis [1] is, next to linear cryptanalysis [2, 3] and algebraic attacks [4], one of three fundamental, general methods of cryptanalysis of block ciphers [5]. The applied permutation operates on individual bits, but the independently designed involutional S-box shows in its XOR profile that differential transitions from only one active bit on input to one active bit on output are possible. This means that diffusion in the cipher is quite poor. C and extra extension with the last round allows finding a 10-round differential characteristic with the probability $2^{-48.7}$. This characteristic can be used in a 1R attack on the full 11-round version of the cipher with complexity lower than the exhaustive search complexity $2^{64}$.
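The point about the XOR profile can be checked on any 8-bit S-box. The following is an added illustration, not code from the paper: it uses a constructed involutional S-box (inversion in GF(2^8) with the AES polynomial, an assumption standing in for PP-1's S-box, which is not given on this page) and lists the 1-bit to 1-bit transitions that exist even though the largest table entry is the optimal value 4. The helper `characteristic_log2` reproduces the $2^{-48.7}$ figure from nine rounds at $1.5 \cdot 2^{-6}$.

```python
from math import log2

POLY = 0x11B  # AES reduction polynomial (assumption; PP-1's S-box is not on this page)

def gf_mul(a, b):
    """Multiply two elements of GF(2^8) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def gf_inv(x):
    """x^254 = x^-1 in GF(2^8); 0 is mapped to 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, x)
    return r

# Constructed stand-in S-box: field inversion, which is an involution.
SBOX = [gf_inv(x) for x in range(256)]

def xor_profile(sbox):
    """ddt[a][b] = number of inputs x with S(x) ^ S(x ^ a) == b."""
    ddt = [[0] * 256 for _ in range(256)]
    for a in range(256):
        for x in range(256):
            ddt[a][sbox[x] ^ sbox[x ^ a]] += 1
    return ddt

def single_bit_transitions(ddt):
    """(input bit, output bit, count) for each possible 1-bit to 1-bit transition."""
    return [(i, j, ddt[1 << i][1 << j])
            for i in range(8) for j in range(8) if ddt[1 << i][1 << j]]

def characteristic_log2(round_prob, rounds):
    """log2 of the probability of `rounds` concatenated one-round characteristics."""
    return rounds * log2(round_prob)

if __name__ == "__main__":
    ddt = xor_profile(SBOX)
    print("largest entry for a nonzero input difference:", max(max(r) for r in ddt[1:]))
    for i, j, n in single_bit_transitions(ddt):
        print(f"input bit {i} -> output bit {j}: {n}/256")
    print("9 rounds at 1.5*2^-6: 2^%.1f" % characteristic_log2(1.5 * 2**-6, 9))
```

With a bitwise permutation between rounds, each listed transition keeps a single S-box active from one round to the next, which is the diffusion weakness the paper describes.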
