213.184.17.126: {{Mvar}}

2024-12-19T17:18:47Z

New page

{{DISPLAYTITLE:Mod {{Mvar|n}} cryptanalysis}}
{{Short description|Attack applicable to block and stream ciphers}}
{{no footnotes|date=August 2017}}
In [[cryptography]], '''mod {{Mvar|n}} cryptanalysis''' is an [[cryptanalysis|attack]] applicable to [[block cipher|block]] and [[stream cipher]]s. It is a form of [[partitioning cryptanalysis]] that exploits unevenness in how the [[cipher]] operates over [[equivalence class]]es (congruence classes) [[modular arithmetic|modulo {{Mvar|n}}]]. The method was first suggested in 1999 by [[John Kelsey (cryptanalyst)|John Kelsey]], [[Bruce Schneier]], and [[David A. Wagner|David Wagner]] and applied to RC5P (a variant of [[RC5]]) and [[M6 (cipher)|M6]] (a family of block ciphers used in the [[FireWire]] standard). These attacks used the properties of binary addition and bit rotation modulo a [[Fermat prime]].

==Mod 3 analysis of RC5P==
For RC5P, analysis was conducted modulo 3. It was observed that the operations in the cipher (rotation and addition, both on 32-bit words) were somewhat biased over congruence classes mod 3. To illustrate the approach, consider left rotation by a single bit:

: <math>X \lll 1=\left\{\begin{matrix} 2X, & \mbox{if } X < 2^{31} \\ 2X + 1 - 2^{32}, & \mbox{if } X \geq 2^{31}\end{matrix}\right.</math>

Then, because

: <math>2^{32} \equiv 1\pmod 3,\,</math>

it follows that

: <math>X \lll 1 \equiv 2X\pmod 3.</math>

Thus left rotation by a single bit has a simple description modulo 3. Analysis of other operations (data dependent rotation and modular addition) reveals similar, notable biases. Although there are some theoretical problems analysing the operations in combination, the bias can be detected experimentally for the entire cipher. In (Kelsey et al., 1999), experiments were conducted up to seven rounds, and based on this they conjecture that as many as 19 or 20 rounds of RC5P can be [[distinguishing attack|distinguished from random]] using this attack. There is also a corresponding method for recovering the secret [[key (cryptography)|key]].

Against M6 there are attacks mod 5 and mod 257 that are even more effective.

==References==
* {{cite conference
| author = [[John Kelsey (cryptanalyst)|John Kelsey]], [[Bruce Schneier]], [[David A. Wagner|David Wagner]]
| title = Mod n Cryptanalysis, with Applications Against RC5P and M6.
| conference = [[Fast Software Encryption]], Sixth International Workshop Proceedings
| pages = 139–155
| publisher = [[Springer-Verlag]]
| date = March 1999
| location = [[Rome]]
| url = http://www.schneier.com/paper-mod3.html
| format = [[PDF]]/[[PostScript]]
| access-date = 2007-02-12 }}
* {{cite journal
| author = [[Vincent Rijmen]]
| title = "mod n" Cryptanalysis of Rabbit
| version = [[White paper]], Version 1.0
| publisher = [[Cryptico]]
| date = 2003-12-01
| url = http://www.cryptico.com/Files/filer/wp_modn_analysis.pdf
| access-date = 2007-02-12 }}
* {{cite journal
|author1=Toshio Tokita |author2=Tsutomu Matsumoto | title = On Applicability of Differential Cryptanalysis, Linear Cryptanalysis and Mod n Cryptanalysis to an Encryption Algorithm [[M8 (cipher)|M8]] (ISO9979-20)
| journal = Ipsj Journal
| volume = 42
| issue = 8 }}

{{Cryptography navbox | block}}

[[Category:Cryptographic attacks]]
[[Category:Modular arithmetic]]

Mod n cryptanalysis - Revision history

213.184.17.126: {{Mvar}}