Markov Ciphers and Differential Cryptanalysis
This paper considers the security of iterated block ciphers against the differential cryptanalysis introduced by Biham and Shamir. Differential cryptanalysis is a chosen-plaintext attack on secret-key block ciphers that are based on iterating a cryptographically weak function r times (e.g., the 16-round Data Encryption Standard (DES)). It is shown that the success of such attacks on an r-round cipher depends on the existence of (r-l)-round differentials that have high probabilities, where an i-round differential is defined as a couple (α,β) such that a pair of distinct plaintexts with difference α can result in a pair of i-th round outputs that have difference β, for an appropriate notion of "difference". The probabilities of such differentials can be used to determine a lower bound on the complexity of a differenbtial cryptanalysis attack and to show when an r-round cipher is notvulnerable to such attacks. The concept of "Markov ciphers" is introduced for iterated ciphers because of its significance in differential cryptanalysis. If an iterated cipher is Markov and its round subkeys are independent, then the sequence of differences at each round output forms a Markov chain. It follows from a result of Biham and Shamir that DES is a Markov cipher. It is shown that, for the appropriate notion of "differendce", the Proposed Encryption Standard (PES) of Lai and Massey, which is an 8-round iterated cipher, is a Markov cipher, as are also the mini-version of PES with block length 8, 16 and 32 bits. It is shown that PES (8) and PES (16) are immune to differential cryptanalysis after sufficiently many rounds. A detailed cryptanlaysis of the full-size PES is given and shown that the very plausibly most probable 7-round differential has a probability about 2-58. A differential cryptanalysis attack of PES (64) based on this differential is shown to require all 2 64 possible encryptions. This cryptanalysis of PES suggested a new design principle for Markov ciphers, viz., that their transition probability matrices should not be symmetric. A minor modification of PES, consisten with all the original design principle, is proposed that satisfies this new design criterion. This modified cipher, called Improved PES (IPES), is described and shown to be highly resitant to differential cryptanalysis.
版权说明：以下全部内容由来学嘉上传于 2011年05月11日 10时19分58秒，版权归本人所有。