Financial Information Security

ABSTRACT Normally, it has been believed that the initial values of cryptographic schemes do not need to be managed secretly unlike the secret keys. However, we show that multiple modes of operation of block ciphers can suffer a loss of security by the state of the initial values. We consider several attacks according to the environment of the initial values; known-IV attack, known-in-advance-IV attack, and replayed-and-known-IV attack. Our attacks on cascaded three-key triple modes of operation requires 3-7 blocks of plaintexts (or ciphertexts) and 3 256-9 256 encryptions. We also give the attacks on multiple modes proposed by Biham.

With chosen-IV chosen texts, David Wagner has analyzed the multiple modes of operation proposed by Eli Biham in FSE'98. However, his method is too unrealistic. We use only known-IV chosen texts to attack many triple modes of operation which are combined with cascade operations. 123 triple modes are analyzed with complexities less than E. Biham's results. Our work shows that the securities of many triple modes decrease when the initial values are exposed.

We examine the diffusion layers of some block ciphers referred to as substitution-permutation networks. We investigate the practical and provable security of these diffusion layers against differential and linear cryptanalysis. First, in terms of practical security, we show that the minimum number of differentially active S-boxes and that of linearly active S-boxes are generally not identical and propose some special conditions in which those are identical. We also study the optimal diffusion effect for some diffusion layers according to their constraints. Second, we obtain the results that the consecutive two rounds of SPN structure provide provable security against differential and linear cryptanalysis, i.e., we prove that the probability of each differential (resp. linear hull) of the consecutive two rounds of SPN structure with a maximal diffusion layer is bounded by p n (resp. q n ) and that of each differential (resp. linear hull) of the SDS function with a semi-maximal diffusion layer is bounded by p n-1 (resp. q n-1 ), where p and q are maximum differential and linear probabilities of the substitution layer, respectively.