Slide attacks and LC-weak keys in T-310

Courtois, Nicolas T.; Georgiou, Marios; Scarlata, Matteo

doi:10.1080/01611194.2018.1548392

Cited by 5 publications

(12 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It follows that the same linear characteristic works for any even number of rounds. It is also easy to see that [2,4,6] → [2,4,6] 2R P = 1.…”

Section: How Many Weak-keys Exist In T-310 ?mentioning

confidence: 99%

“…Here is another more complex result. 1 , f (6) ] → [1,5,15,33] which is true with probability exactly 1.0 for 6 rounds. P r o o f. We will show that the following holds Let X (i) denote values inside round i.…”

Section: A Second Detailed Example For 6 Roundsmentioning

confidence: 99%

“…For a long time an open problem was whether LC-weak keys can be used in cryptanalysis. One solution to this problem is presented in a new paper [6]. Not all key bits can yet be recovered by this method, therefore the question is not completely settled yet.…”

Section: How To Use Lc-weak Keys In Cryptanalysis?mentioning

confidence: 99%

“…Then it does NOT hold for 5 rounds, and we show here some counter-examples. We have found the following KT1 key which we will call 716 and another similar key 722: 716: P = 16,6,33,11,20,24,5,13,9,7,31,19,36,12,21,30,34,25,17,32,23 For these keys there exist differentials on the key only, which can be annihilated leading to no difference on the full 36-bit state of the cipher, this for only 5 rounds. This is closely related to the notion of "missing bits" in T-310, studied in [9].…”

Section: Related Key Collision Attacksmentioning

confidence: 99%

“…LC and RKDC, for example, key 718. 718: P = 3,18,33, 12,36,8,5,27,9,19,14,23,20,16,21,26,7,25,31,28,32,15,4,29,24,22,6. D = 0,4,36,12,24,16,20,8,32.…”

Section: Weak Keys Which Combine Lc-weakness With Rkdcmentioning

confidence: 99%

See 4 more Smart Citations

How Many Weak-Keys Exist in T-310 ?

Courtois

Scarlata

Georgiou³

2019

Tatra Mountains Mathematical Publications

Self Cite

View full text Add to dashboard Cite

T-310 is an important Cold War cipher. The cipher is extremely complex and it outputs extremely few bits from the internal state. A recent paper [Courtois, N. T.: Decryption oracle slide attacks on T-310, Cryptologia, 42 (2018), no. 3, 191–204] shows an example of a highly anomalous key such that T-310 can be broken by a slide attack with a decryption oracle. In this paper, we show that the same attacks are ALSO possible for regular keys which satisfy all the official KT1 requirements. Two other recent papers [Courtois, N. T.—Georgiou, M.—Scarlata, M.: Slide attacks and LC-weak keys in T-310, Cryptologia 43 (2019), no. 3, 175–189]; [Courtois, N. T.—Oprisanu, M. B.—Schmeh, K.: Linear cryptanalysis and block cipher design in East Germany in the 1970s, Cryptologia (published online), December 5, 2018] show that some of the KT1 keys are very weak w.r.t. Linear Cryptanalysis. In this paper, we show that a vast number of such weak keys exist and study the exact pre-conditions which make them weak. In addition we introduce a new third class of weak keys for RKDC (Related-Key Differential Cryptanalysis). We show that the original designers in the 1970s have ensured that these RKDC properties cannot happen for 4 rounds. We have discovered that these properties can happen for as few as 5 rounds for some keys, and for 10 to 16 rounds they become hard to avoid. The main reason why we study weak keys is to show that none of these properties occur by accident, rather that they are governed by precise pre-conditions which guarantee their existence, and countless other keys with the same properties exist. Eventually, this is how interesting attacks can be found.

show abstract

“…It follows that the same linear characteristic works for any even number of rounds. It is also easy to see that [2,4,6] → [2,4,6] 2R P = 1.…”

Section: How Many Weak-keys Exist In T-310 ?mentioning

confidence: 99%

Section: A Second Detailed Example For 6 Roundsmentioning

confidence: 99%

Section: How To Use Lc-weak Keys In Cryptanalysis?mentioning

confidence: 99%

Section: Related Key Collision Attacksmentioning

confidence: 99%

“…LC and RKDC, for example, key 718. 718: P = 3,18,33, 12,36,8,5,27,9,19,14,23,20,16,21,26,7,25,31,28,32,15,4,29,24,22,6. D = 0,4,36,12,24,16,20,8,32.…”

Section: Weak Keys Which Combine Lc-weakness With Rkdcmentioning

confidence: 99%

See 3 more Smart Citations

How Many Weak-Keys Exist in T-310 ?

Courtois

Scarlata

Georgiou³

2019

Tatra Mountains Mathematical Publications

Self Cite

View full text Add to dashboard Cite

show abstract

Construction of a polynomial invariant annihilation attack of degree 7 for T-310

Courtois¹,

Patrick²,

Abbondati³

2020

Cryptologia

Self Cite

View full text Add to dashboard Cite

Cryptographic attacks are typically constructed by blackbox methods and combinations of simpler properties, for example in [Generalised] Linear Cryptanalysis. In this article we work with a more recent white-box algebraic-constructive methodology. Polynomial invariant attacks on a block cipher are constructed explicitly through the study of the space of Boolean polynomials which does not have a unique factorization and solving the so-called Fundamental Equation (FE). Some recent invariant attacks are quite symmetric and exhibit some sort of clear structure, or work only when the Boolean function is degenerate. As a proof of concept we construct an attack where a highly irregular product of 7 polynomials is an invariant for any number of rounds for T-310 under certain conditions on the long term key and for any key and any IV. A key feature of our attack is that it works for any Boolean function which satisfies a specific annihilation property. We evaluate very precisely the probability that our attack works when the Boolean function is chosen uniformly at random.

show abstract

On security aspects of the ciphers T-310 and SKS with approved long-term keys

Killmann¹

2023

Cryptologia

View full text Add to dashboard Cite

Slide attacks and LC-weak keys in T-310

Cited by 5 publications

References 8 publications

How Many Weak-Keys Exist in T-310 ?

How Many Weak-Keys Exist in T-310 ?

Construction of a polynomial invariant annihilation attack of degree 7 for T-310

On security aspects of the ciphers T-310 and SKS with approved long-term keys

Contact Info

Product

Resources

About