Methods for Linear and Differential Cryptanalysis of Elastic Block Ciphers

Abstract

The elastic block cipher design employs the round function of a given, b-bit block cipher in a black box fashion, embedding it in a network structure to construct a family of ciphers in a uniform manner. The family is parameterized by block size, for any size between band 2b. The design assures that the overall workload for encryption is proportional to the block size. When considering the approach taken in elastic block ciphers, the question arises as to whether cryptanalysis results, including methods of analysis and bounds on security, for the original fixed-sized cipher are lost or, since original components of the cipher are used, whether previous analysis can be applied or reused in some manner. With this question in mind, we analyze elastic block ciphers and consider the security against two basic types of attacks, linear and differential cryptanalysis. We show how they can be related to the corresponding security of the fixed-length version of the cipher. Concretely, we develop techniques that take advantage of relationships between the structure of the elastic network and the original version of the cipher, independently of the cipher. This approach demonstrates how one can build upon existing components to allow cryptanalysis within an extended structure (a topic which may be of general interest outside of elastic block ciphers). We show that any linear attack on an elastic block cipher can be converted efficiently into a linear attack on the fixed-length version of the cipher by converting the equations used to attack the elastic version to equations for the fixed-length version. We extend the result to any algebraic attack. We then define a general method for deriving the differential characteristic bound of an elastic block cipher using the differential bound on a single round of the fixed-length version of the cipher. The structure of elastic block ciphers allows us to use a state transition method to compute differentials for the elastic version from differentials of the round function of the original cipher.