TY - GEN
T1 - Cryptanalysis of CTC2
AU - Dunkelman, Orr
AU - Keller, Nathan
PY - 2009
Y1 - 2009
N2 - CTC is a toy cipher designed in order to assess the strength of algebraic attacks. While the structure of CTC is deliberately weak with respect to algebraic attacks, it was claimed by the designers that CTC is secure with respect to statistical attacks, such as differential and linear cryptanalysis. After a linear attack on CTC was presented, the cipheŕs linear transformation was tweaked to offer more diffusion, and specifically to prevent the existence of 1-bit to 1-bit approximations (and differentials) through the linear transformation. The new cipher was named CTC2, and was analyzed by the designers using algebraic techniques. In this paper we analyze the security of CTC2 with respect to differential and differential-linear attacks. The data complexities of our best attacks on 6-round, 7-round, and 8-round variants of CTC2 are 64, 215, and 237 chosen plaintexts, respectively, and the time complexities are dominated by the time required to encrypt the data. Our findings show that the diffusion of CTC2 is relatively low, and hence variants of the cipher with a small number of rounds are relatively weak, which may explain (to some extent) the success of the algebraic attacks on these variants.
AB - CTC is a toy cipher designed in order to assess the strength of algebraic attacks. While the structure of CTC is deliberately weak with respect to algebraic attacks, it was claimed by the designers that CTC is secure with respect to statistical attacks, such as differential and linear cryptanalysis. After a linear attack on CTC was presented, the cipheŕs linear transformation was tweaked to offer more diffusion, and specifically to prevent the existence of 1-bit to 1-bit approximations (and differentials) through the linear transformation. The new cipher was named CTC2, and was analyzed by the designers using algebraic techniques. In this paper we analyze the security of CTC2 with respect to differential and differential-linear attacks. The data complexities of our best attacks on 6-round, 7-round, and 8-round variants of CTC2 are 64, 215, and 237 chosen plaintexts, respectively, and the time complexities are dominated by the time required to encrypt the data. Our findings show that the diffusion of CTC2 is relatively low, and hence variants of the cipher with a small number of rounds are relatively weak, which may explain (to some extent) the success of the algebraic attacks on these variants.
UR - http://www.scopus.com/inward/record.url?scp=67650159619&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-00862-7_15
DO - 10.1007/978-3-642-00862-7_15
M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???
AN - SCOPUS:67650159619
SN - 9783642008610
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 226
EP - 239
BT - Topics in Cryptology - CT-RSA 2009 - The Cryptographers' Track at the RSA Conference 2009, Proceedings
T2 - Cryptographers' Track at the RSA Conference, CT-RSA 2009
Y2 - 20 April 2009 through 24 April 2009
ER -