Different Cryptanalytic Attacks On Block Ciphers Computer Science Essay




Cryptanalysis is the study of methods for recovering the meaning of encrypted information, or the key that protects it, without being given that secret. Because many such methods exist, whoever creates a cipher must take them into account from the start and build in countermeasures adequate to withstand each of them.

Different Cryptanalytic attacks on Block Ciphers

Block ciphers are used to protect messages; cryptanalysis tries to recover those messages, or the key, without knowing the key. When we create a block cipher we therefore need to consider its security against cryptanalysis, since neglecting this leads to flaws that others will turn into attacks. This essay surveys the main cryptanalytic techniques used against block ciphers, describes the attacks they enable, and compares them.

A block cipher is a secret-key encryption algorithm E that, under the control of a k-bit key K, maps an n-bit block of plaintext to an n-bit block of unintelligible ciphertext; for a fixed key, E_K is a permutation of the n-bit blocks. When a block cipher is designed its security is judged against cryptanalysis, which typically means studying how resistant the cipher is to distinguishing attacks and key-recovery attacks. A distinguishing attack allows someone to tell apart a black box containing the cipher E_K from a black box containing a random permutation, using some structural property of the cipher. A key-recovery attack is one in which the cryptanalyst tries to obtain the secret key K itself, after which any ciphertext can be decrypted. Cryptanalysis thus plays an important role in establishing how secure a cipher is, whether its design principles are sound, and whether its structure contains flaws. There are numerous methods of block cipher cryptanalysis, and learning them is hard because there is no single textbook devoted to the subject; the only references suitable for an aspiring cryptanalyst are journal papers and conference proceedings.

Block ciphers such as AES and DES use a shared key to encrypt the required text. Because cryptanalytic attacks on block ciphers are hard to defend against after the fact, various measures and processes are applied during design in order to reduce, or completely eliminate, the risk of such attacks.

Attacks are classified by what information Eve can obtain and how far she can interfere in the communication between Alice and Bob.

1) Ciphertext-only attack: Eve has captured only encrypted blocks. She must work from the ciphertext alone, at most guessing the kind of plaintext it encodes (for example, that it is English text or a known file format).

2) Known-plaintext attack: the intruder has some ciphertext blocks together with the plaintext blocks they encrypt.

3) Chosen-plaintext attack: the cryptanalyst can choose plaintexts of her own and obtain their ciphertexts under the unknown key. Differential cryptanalysis works in this model. In the worst case the attack recovers the secret key, which exposes all other traffic protected by it.

4) Chosen-ciphertext attack: Eve has some control over the ciphertexts that are sent to Bob and is able to observe the plaintexts they decrypt to.

5) Adaptively chosen-plaintext/ciphertext attack: to mount some of the attacks given above, Eve must obtain the encryptions or decryptions of a series of blocks. When the choice of each block may depend on the answers already obtained for the previous blocks, the attack is called adaptive.

Differential Cryptanalysis: Differential cryptanalysis, introduced by Biham and Shamir, is a chosen-plaintext attack. The attacker encrypts pairs of plaintexts that differ by a chosen value (the difference is usually the XOR of the two blocks) and studies how that difference propagates through the rounds; the pair of input difference and resulting output difference is called a differential. Adding a round key does not change an XOR difference, so the propagation is governed entirely by the nonlinear S-boxes, whose behaviour is tabulated in a difference distribution table giving, for each input difference, how often each output difference occurs. The attacker first builds a differential of high probability that covers all but the last round (the number of rounds minus one), then collects a large number of plaintext/ciphertext pairs with the chosen input difference. For each candidate value of the relevant last-round key bits, the attacker partially decrypts the ciphertexts and counts the pairs that show the predicted difference; the correct key is the one whose counter stands out.

For the attack to succeed the input difference must be chosen so that the differential holds with a probability well above what a random permutation would give. Since differential cryptanalysis is known to everyone, any new algorithm must be designed to counter it, for instance by choosing S-boxes with small maximum entries in their difference distribution tables and enough rounds that no high-probability differential survives.
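As an added illustration (not part of the original essay), the following Python computes the difference distribution table of a 4-bit S-box and then carries out a differential key recovery on a toy one-round cipher C = S(P xor K0) xor K1. The S-box is the first row of DES S1; the key values, the chosen plaintexts and the function names are constructed for the example.

```python
# Added example (not from the essay): difference distribution table (DDT) of a
# 4-bit S-box and differential key recovery on a toy cipher C = S(P ^ K0) ^ K1.
# S-box: first row of DES S1. Keys and chosen plaintexts are constructed here.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def ddt(sbox):
    """ddt[dx][dy] = number of inputs x with sbox[x] ^ sbox[x ^ dx] == dy."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for x in range(n):
        for dx in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def best_differential(sbox):
    """Most probable nontrivial differential: (count, dx, dy); probability = count / 2^m."""
    table = ddt(sbox)
    n = len(sbox)
    return max((table[dx][dy], dx, dy) for dx in range(1, n) for dy in range(n))


def encrypt(p, k0, k1):
    """Toy cipher: key whitening, one S-box, key whitening."""
    return SBOX[p ^ k0] ^ k1


def recover_key(pairs):
    """pairs: list of (p, c, p2, c2) with c = encrypt(p, k0, k1) under the unknown key.
    The output whitening k1 cancels in c ^ c2, so each pair constrains k0 through the
    S-box alone: only k0 values with SBOX[p ^ k0] ^ SBOX[p2 ^ k0] == c ^ c2 survive.
    (Discarding keys under which the observed difference is impossible is also the
    sieving idea behind impossible-differential attacks.)"""
    cands = set(range(16))
    for p, c, p2, c2 in pairs:
        cands &= {k for k in range(16) if SBOX[p ^ k] ^ SBOX[p2 ^ k] == c ^ c2}
    keys = []
    for k0 in cands:
        k1 = SBOX[pairs[0][0] ^ k0] ^ pairs[0][1]   # k1 follows from one known pair
        if all(encrypt(p, k0, k1) == c and encrypt(p2, k0, k1) == c2
               for p, c, p2, c2 in pairs):
            keys.append((k0, k1))
    return keys


def demo(k0=0xB, k1=0x6):
    """Chosen-plaintext attack: query pairs under several input differences."""
    pairs = []
    for dx in (0x1, 0x2, 0x4, 0x8):
        for p in (0x0, 0x5, 0xA, 0xF):
            pairs.append((p, encrypt(p, k0, k1), p ^ dx, encrypt(p ^ dx, k0, k1)))
    return recover_key(pairs)


if __name__ == "__main__":
    print("best differential (count, dx, dy):", best_differential(SBOX))
    print("recovered keys:", demo())
```

With a single input difference dx the sieve can never separate K0 from K0 xor dx, because both map a pair to the same two S-box inputs; querying pairs under several input differences, as demo() does, removes that ambiguity, and the final check against the observed ciphertexts resolves anything that remains. Real attacks differ in scale rather than in kind: the differential has to be pushed through many rounds, its probability drops, and the number of pairs needed grows roughly as the inverse of that probability.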

Linear Cryptanalysis: Linear cryptanalysis, introduced by Matsui, is a known-plaintext attack that approximates the action of a cipher by linear equations. It is most often used against block ciphers but also applies to stream ciphers, and new cipher designs are required to provide security against it. The attack consists of two parts. In the first step one finds linear equations relating selected plaintext bits, ciphertext bits and key bits (each equation is just the XOR of some of those bits) that hold with a probability p noticeably different from 1/2; the quantity |p - 1/2| is called the bias, and the approximations for the individual S-boxes are read off a linear approximation table. In the second step the key is derived from these equations together with many known plaintext/ciphertext pairs: counting how often the plaintext and ciphertext side of an equation evaluates to 0 reveals the parity of the key bits on the other side, or, in Matsui's second algorithm, lets the attacker guess last-round key bits and keep the guess whose counter shows the expected bias. For an ideal cipher every such equation would hold with probability exactly 1/2; the attack exploits the deviation from 1/2, and the number of known plaintexts it needs grows as the inverse square of the bias.
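The following Python, added here and not part of the essay, builds the linear approximation table of the same 4-bit S-box (first row of DES S1) and runs Matsui's Algorithm 1 against the toy cipher C = S(P xor K0) xor K1 to recover one bit of key information, the parity a.K0 xor b.K1 for the best input/output masks (a, b). The key values and function names are constructed for the example.

```python
# Added example (not from the essay): linear approximation table (LAT) of a 4-bit
# S-box and Matsui's Algorithm 1 on the toy cipher C = S(P ^ K0) ^ K1.
# S-box: first row of DES S1. Keys are constructed here.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def parity(x):
    """Parity of the bits of x (the value of a . x for a mask already ANDed in)."""
    return bin(x).count("1") & 1


def lat(sbox):
    """lat[a][b] = #{x : a.x ^ b.S(x) == 0} - 2^(m-1); the bias of the
    approximation a.x = b.S(x) is lat[a][b] / 2^m."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            matches = sum(1 for x in range(n)
                          if parity(a & x) ^ parity(b & sbox[x]) == 0)
            table[a][b] = matches - n // 2
    return table


def best_approximation(sbox):
    """Masks (a, b) with the largest |bias| among nontrivial approximations."""
    table = lat(sbox)
    n = len(sbox)
    return max((abs(table[a][b]), a, b) for a in range(1, n) for b in range(1, n))[1:]


def encrypt(p, k0, k1):
    return SBOX[p ^ k0] ^ k1


def algorithm1(a, b, known):
    """Matsui's Algorithm 1. Writing x = P ^ K0, the S-box approximation gives
        a.P ^ b.C = (a.x ^ b.S(x)) ^ (a.K0 ^ b.K1),
    so a.P ^ b.C == 0 with probability 1/2 + bias when the key parity is 0 and
    1/2 - bias when it is 1. Count over the known pairs and decide by which side
    of N/2 the count falls on, taking the sign of the bias into account."""
    bias = lat(SBOX)[a][b]
    count = sum(1 for p, c in known if parity(a & p) ^ parity(b & c) == 0)
    n = len(known)
    if bias > 0:
        return 0 if count > n / 2 else 1
    return 0 if count < n / 2 else 1


def demo(k0=0xB, k1=0x6):
    """Returns (a, b, guessed key parity, true key parity)."""
    a, b = best_approximation(SBOX)
    known = [(p, encrypt(p, k0, k1)) for p in range(16)]  # whole codebook: exact
    return a, b, algorithm1(a, b, known), parity(a & k0) ^ parity(b & k1)


if __name__ == "__main__":
    print("best masks and parities (a, b, guessed, true):", demo())
```

Because demo() uses the entire 16-entry codebook the count is exact and the recovered parity is always right; with a sample of N known plaintexts the decision becomes probabilistic, and N has to be on the order of 1/bias^2 for it to be reliable. Algorithm 2 works the same way but guesses bits of the last-round key, partially decrypts each ciphertext, and keeps the guess whose counter shows the expected bias.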

Higher order Differential Cryptanalysis: Higher-order differential cryptanalysis, due to Lai and Knudsen, is another attack on block ciphers that generalizes differential cryptanalysis. Ordinary differential cryptanalysis looks at the difference between the outputs for two inputs, which is a first-order derivative of the cipher; a higher-order attack instead takes the XOR of the outputs over a whole affine subspace of inputs, a d-th order derivative. A function of algebraic degree d has a constant d-th order derivative and a zero (d+1)-th order derivative, so ciphers whose round functions have low algebraic degree can be broken this way even when no ordinary differential of high probability exists. In that sense the attack is more powerful than differential cryptanalysis, at the cost of needing more chosen plaintexts per structure.
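An added Python illustration (not from the essay) of the derivative view of higher-order differentials, applied to the same 4-bit S-box (first row of DES S1): it computes the algebraic degree of the S-box from its algebraic normal form and shows that the third-order derivative is constant while the fourth-order derivative vanishes, whereas first- and second-order derivatives still depend on the base point. The function names are assumptions of this example.

```python
# Added example (not from the essay): higher-order derivatives of a 4-bit S-box.
# S-box: first row of DES S1.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def sbox(x):
    return SBOX[x]


def derivative(f, x, directions):
    """Higher-order derivative of f at x along the subspace spanned by `directions`:
    the XOR of f over the affine subspace x + span(directions). The order is the
    dimension of the span (dependent directions do not raise it). With one
    direction d this is the ordinary difference f(x) ^ f(x ^ d)."""
    span = {0}
    for d in directions:
        span |= {s ^ d for s in span}
    acc = 0
    for v in span:
        acc ^= f(x ^ v)
    return acc


def algebraic_degree(f, n=4):
    """Algebraic degree of f: the largest monomial degree in the algebraic normal
    form of any output bit, obtained by the Moebius transform of its truth table."""
    deg = 0
    for bit in range(n):
        coeffs = [(f(x) >> bit) & 1 for x in range(1 << n)]
        step = 1
        while step < (1 << n):          # in-place truth table -> ANF butterfly
            for i in range(1 << n):
                if i & step:
                    coeffs[i] ^= coeffs[i ^ step]
            step <<= 1
        for monomial in range(1 << n):
            if coeffs[monomial]:
                deg = max(deg, bin(monomial).count("1"))
    return deg


def derivative_values(directions):
    """Set of distinct derivative values over all 16 base points."""
    return {derivative(sbox, x, directions) for x in range(16)}


if __name__ == "__main__":
    print("algebraic degree:", algebraic_degree(sbox))
    for dirs in ([1], [1, 2], [1, 2, 4], [1, 2, 4, 8]):
        print("order %d derivative values:" % len(dirs), derivative_values(dirs))
```

Any bijective 4-bit S-box has degree at most 3, so the fourth-order derivative over the full space is always zero and the third-order derivative over any 3-dimensional subspace is a constant that does not depend on the base point; an attacker who can choose the 8 plaintexts of such a subspace gets an equation on the last-round key that holds with certainty, which is what a higher-order differential attack exploits.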

Truncated Differential Cryptanalysis: Truncated differential cryptanalysis, also due to Knudsen, is a variant of differential cryptanalysis in which the differences are only partially specified. Instead of predicting the full n-bit difference, the attacker predicts only some bits or some words of it, for example which words of the block have a zero difference and which are nonzero. Such truncated differentials often hold with far higher probability than fully specified ones, and they are used to attack block ciphers in the same way as ordinary differentials.

Impossible Differential Cryptanalysis: Block ciphers are the main target of impossible differential cryptanalysis, which is again a variant of differential cryptanalysis, but one that uses differentials that cannot occur. Whereas original differential cryptanalysis looks for a differential that holds with higher probability than expected, this attack finds, at some intermediate state of the cipher, a pair of input and output differences that can never occur together, typically by a miss-in-the-middle argument that propagates one difference forward and the other backward until they contradict each other. Any candidate key under which an observed pair would produce that impossible difference is discarded, and the process is repeated until only the right key remains.

Multiset attacks: After the discovery of linear and differential cryptanalysis, cryptographers started to design ciphers that minimize both the maximum probability of a differential characteristic and the maximum correlation of a linear characteristic. Square is one such cipher. Its designers increased the number of rounds, and the resulting cipher was published together with a new attack on it, referred to as the "Square attack". The Square attack does not depend on the specific design of the individual components, which are treated as black boxes, but on how those components are interconnected. Another interesting feature of the attack is that it is not probabilistic: the property it exploits holds with certainty.

During the attack, the following kinds of multisets of m-bit intermediate values are tracked through the rounds:

1) Constant multiset: a single value repeated a number of times.

2) Permutation (saturation) multiset: each of the 2^m possible values occurs exactly once.

3) Even multiset: every value that is present occurs an even number of times.

4) Balanced multiset: the XOR of all the values is zero. A constant multiset of even size, a permutation multiset and an even multiset are all balanced. The attack follows these properties through the rounds until only the balanced property is left, then uses it to test guesses of the last round key.

Unknown key-share attack:

An unknown key-share attack is a form of cryptanalysis used against key distribution and authentication protocols rather than against the cipher itself. After the protocol run, one party A correctly believes she shares a session key with B, but B believes he shares that same key with a third party E, the attacker, even though E does not learn the key. Like a man-in-the-middle attack, it is mounted by an attacker who sits between A and B and relays, replaces or modifies the protocol messages, for example by registering A's public value under E's own identity and forwarding A's messages to B as if they were E's; unlike a classic man in the middle, the attacker need not read or alter the protected traffic, but B will attribute to E whatever A later sends under the shared key. The defence is to bind the identities of both parties into the key confirmation or signature, so that the key is only accepted as shared between the parties each side believes it is talking to.

RFID and cryptanalysis of RFID protocols:

Radio-frequency identification (RFID) is a wireless technology that uses radio waves to exchange data between a reader and an electronic tag attached to an object. RFID is mainly used for identification and tracking.

The advantages of RFID are making it a replacement for the bar code in the 21st century. Tags can be read whenever they pass within range of a reader, the reader need not be in line of sight of the tag, and a large number of tags can be read at a time.

RFID tags can be passive, active or battery-assisted passive (BAP). Passive tags have no battery and are powered by the reader's field. Active tags have a battery and broadcast a signal on their own. BAP tags have a small battery but transmit only when activated by a reader.

Applications of RFID:

RFID has applications in many fields: electronic vehicle registration, vehicle tracking and toll payment, public transit, product tracking in major retail stores, patient identification in hospitals, library book tracking, passports, universities and schools, and even the tracking of people.

Security in RFID:

Illicit tracking of RFID tags is the major concern: a tag can be read by anyone with a reader, which poses a great risk to personal location privacy. RFID systems are also susceptible to denial-of-service attacks, which leave the organization unable to provide its services to consumers, and malformed tag contents can even be used in buffer-overflow attacks against the software that processes them.

RFID Protocols:

Many protocols exist for authenticating RFID tags. Here a lightweight RFID authentication protocol, SASI, is described and the cryptanalysis of SASI is explained.

SASI is an ultralightweight RFID authentication protocol that aims to provide strong authentication and strong integrity. RFID authentication protocols are classified according to their computational cost and the operations they require on the tag. The major classes are

Full-fledged class:

This class contains protocols that rely on conventional cryptographic functions on the tag: symmetric encryption, cryptographic one-way functions and even public-key algorithms.

Simple class:

This class requires a random number generator and a one-way hash function on the tag.

Lightweight class:

The lightweight class refers to protocols that need a random number generator and simple functions such as a CRC (cyclic redundancy check), but no hash function.

Ultralightweight class:

These protocols involve only simple bitwise operations such as XOR, AND and OR.

SASI falls into the ultralightweight class because it uses only XOR, AND and OR (together with bit rotation and modular addition) to provide authentication.

Working of SASI protocol:

The SASI protocol has three parties: the tag, the reader and the backend. The backend is a server that shares keys with each and every tag; the communication channel between the reader and the backend is assumed to be secure, so the two can be treated as a single entity. Each tag is identified by a static identifier (ID). Each tag also shares with the backend server a pseudonym (IDS) and a pair of keys (K1/K2). Each of these identifiers is 96 bits long.

Authentication with SASI is done in three phases. They are

Tag identification phase.

Mutual authentication phase.

Updating phase.

Tag identification phase:

The reader sends a hello message and the tag replies with its current pseudonym IDS. The reader looks IDS up in the backend database. If it finds a matching entry it goes on to the authentication phase; otherwise it asks again and the tag replies with its previous pseudonym, which the reader looks up in the same way.

Mutual authentication phase:

The reader generates two random numbers n1 and n2 and uses them, together with IDS, K1 and K2, to compute three messages A, B and C, which it sends to the tag. The tag extracts n1 and n2 from A and B, computes the updated keys (written K1 and K2 with a bar) and checks C; this authenticates the reader. If the verification succeeds the tag computes a response value D and sends it back.

Updating phase:

After receiving D, the reader verifies it against its own local values; this authenticates the tag. The tag and the reader then update their keys and pseudonym, the tag keeping the previous values as well. Thus a secure mutual authentication is achieved.

The main asset of SASI is that the tag keeps the previous values of IDS, K1 and K2 until synchronization with the reader is confirmed. This property makes the protocol hard to break with de-synchronization attacks, in which an attacker blocks the last message so that only one side updates.
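The three phases above and the recovery from a lost final message, as an added Python simulation that is not part of the essay: a Tag and a combined Reader/backend exchange the hello, IDS, A||B||C and D messages and then update, and run_session() shows that when D is dropped the tag's old pseudonym lets the next session resynchronize. The message expressions follow Chien's 2007 SASI paper as reproduced here without the paper at hand (the essay gives only the outline), so treat them as an assumption to check against the paper; the class and function names and the identifiers are constructed for the example.

```python
# Added example (not from the essay): simulation of the SASI exchange with
# recovery from a lost D message. Message expressions are reproduced from memory
# of Chien's 2007 paper and should be checked against it. Identifiers are random
# values constructed for the example.
import secrets

W = 96                       # bit length of ID, IDS, K1 and K2
MASK = (1 << W) - 1


def rot(x, y):
    """Rot(x, y): rotate x left by the Hamming weight of y."""
    r = bin(y).count("1") % W
    return ((x << r) | (x >> (W - r))) & MASK


def add(x, y):
    return (x + y) & MASK    # addition modulo 2^96


class Tag:
    def __init__(self, ident, ids, k1, k2):
        self.id = ident
        self.cur = (ids, k1, k2)    # current (IDS, K1, K2)
        self.old = (ids, k1, k2)    # previous tuple, kept for de-synchronization recovery
        self.using = self.cur

    def hello(self, retry=False):
        """Tag identification phase: answer with the current IDS, or the old one on retry."""
        self.using = self.old if retry else self.cur
        return self.using[0]

    def respond(self, A, B, C):
        """Mutual authentication: extract n1, n2, check C, answer D, then update."""
        ids, k1, k2 = self.using
        n1 = A ^ ids ^ k1
        n2 = (B - (ids | k2)) & MASK
        k1n = rot(k1 ^ n2, k1)
        k2n = rot(k2 ^ n1, k2)
        if add(k1 ^ k2n, k1n ^ k2) != C:
            return None                  # reader not authenticated
        D = add(k2n, self.id) ^ ((k1 ^ k2) | k1n)
        self.old = (ids, k1, k2)         # updating phase: old values are kept
        self.cur = (add(ids, self.id) ^ (n2 ^ k1n), k1n, k2n)
        return D


class Reader:
    """Reader together with the backend database (their channel is assumed secure)."""
    def __init__(self, db):
        self.db = db                     # IDS -> (ID, K1, K2)
        self.pending = None

    def challenge(self, ids):
        if ids not in self.db:
            return None
        ident, k1, k2 = self.db[ids]
        n1, n2 = secrets.randbits(W), secrets.randbits(W)
        A = ids ^ k1 ^ n1
        B = add(ids | k2, n2)
        k1n = rot(k1 ^ n2, k1)
        k2n = rot(k2 ^ n1, k2)
        C = add(k1 ^ k2n, k1n ^ k2)
        self.pending = (ids, ident, k1, k2, k1n, k2n, n2)
        return A, B, C

    def verify(self, D):
        ids, ident, k1, k2, k1n, k2n, n2 = self.pending
        if D != add(k2n, ident) ^ ((k1 ^ k2) | k1n):
            return False                 # tag not authenticated
        del self.db[ids]                 # updating phase
        self.db[add(ids, ident) ^ (n2 ^ k1n)] = (ident, k1n, k2n)
        return True


def run_session(reader, tag, drop_d=False):
    """One protocol run; drop_d simulates the final message D being lost."""
    msg = reader.challenge(tag.hello())
    if msg is None:                      # unknown IDS: ask for the tag's old pseudonym
        msg = reader.challenge(tag.hello(retry=True))
        if msg is None:
            return False
    D = tag.respond(*msg)
    if D is None or drop_d:
        return False
    return reader.verify(D)


def make_pair():
    """A tag and a reader sharing fresh 96-bit identifiers and keys (constructed)."""
    ident, ids, k1, k2 = (secrets.randbits(W) for _ in range(4))
    return Reader({ids: (ident, k1, k2)}), Tag(ident, ids, k1, k2)


def scenario():
    """Two normal sessions, one with D lost, then recovery; returns the outcomes
    and the number of entries left in the backend database."""
    reader, tag = make_pair()
    outcomes = (run_session(reader, tag), run_session(reader, tag),
                run_session(reader, tag, drop_d=True), run_session(reader, tag))
    return outcomes, len(reader.db)


if __name__ == "__main__":
    print(scenario())
```

After the dropped D the tag has already moved to its new tuple while the reader has not, so the tag's new IDS is unknown to the reader; the retry with the old IDS lets both sides finish a session from the old tuple and end up synchronized again, which is the de-synchronization resistance described above.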

Cryptanalysis of the SASI protocol:

Although SASI is immune to some kinds of attacks, it is not totally immune. Cryptanalysis shows that SASI does not satisfy its objective of untraceability: the relationships between the bitwise operators used within SASI can be exploited to break it.

The model used by the authors for breaking SASI is the Juels-Weis untraceability model. The phases of the game in this model are

Phase 1 (learning):

In this phase the adversary A acts as a man in the middle. It issues Execute, Send and Corrupt queries to the tag and the reader, eavesdrops on the messages exchanged between them, and may modify, insert or delete messages.

Phase 2 (challenge):

The adversary selects two tags that it has not corrupted; one of them is chosen at random and the adversary interacts with it, sending identifiers and messages of its choice and observing the replies, trying to learn which of the two tags it is talking to. A correct reader continues with the next phase of SASI authentication as normal, so the interaction itself does not give the choice away.

Phase 3 (guessing):

In the guessing phase the adversary outputs its guess. Its chance of winning the game, beyond what random guessing would give, measures its success in breaking the untraceability of SASI.

Using this model, the authors of the paper showed that the adversary wins the game once in every four tries on average, that is, it breaks untraceability with probability 1/4 per attempt. Hence SASI does not achieve complete untraceability.