
Page 1: [Communications in Computer and Information Science] Digital Information and Communication Technology and Its Applications Volume 166 || A New Approach of the Cryptographic Attacks

H. Cherifi, J.M. Zain, and E. El-Qawasmeh (Eds.): DICTAP 2011, Part I, CCIS 166, pp. 521–534, 2011. © Springer-Verlag Berlin Heidelberg 2011

A New Approach of the Cryptographic Attacks

Otilia Cangea and Gabriela Moise

Petroleum-Gas University of Ploiesti, 39 Bucuresti Blvd., 100680 Ploiesti, Romania

[email protected], [email protected]

Abstract. This paper presents a taxonomy of the possible attacks on the ciphers of cryptographic systems. The main attack techniques are linear, differential and algebraic cryptanalysis, each of which has particular implications for the design of the algorithms. Cryptographic algorithms have to be designed to resist different kinds of attacks, so the mathematical functions of the encryption algorithms have to satisfy the cryptographic properties defined by Shannon. The paper proposes a new approach to cryptographic attacks using an error regulation-based cryptanalysis.

Keywords: cryptographic attacks, intermediate key, error regulation-based cryptanalysis, fuzzy controller.

1 Introduction

Cryptographic attacks are techniques used to recover a plaintext, or the key itself, without being given the cryptographic key. They are classified according to what the attacker knows and to the analytic technique that is used.

Cryptographic systems are built on Shannon's principles of confusion and diffusion [1]. Confusion means that the relationship between the key and the ciphertext is made as complex as possible, so that a cryptanalyst cannot exploit this relation in order to uncover the cryptographic key. Diffusion means that every bit of the plaintext, and every bit of the cryptographic key, affects many bits of the ciphertext, so that the statistical structure of the plaintext is spread over the whole ciphertext.

In 1883, Kerckhoffs formulated the principle that a cryptosystem should be secure even if everything about the system, except the key, is public knowledge [2]. The principle is known as Kerckhoffs' law; it was later restated by Shannon as "the enemy knows the system being used", known as Shannon's maxim [1].

The schema of a cryptosystem is presented in Fig. 1. There are two main types of cryptosystems: symmetric-key cryptosystems and asymmetric-key cryptosystems. In a symmetric-key cryptosystem, the encryption key and the decryption key are the same or can easily be derived one from the other. In an asymmetric-key cryptosystem, the decryption key cannot be derived from the (public) encryption key in practice: the two keys are mathematically related, but computing one from the other is intended to be infeasible. Depending on how the message is processed, a whole block at a time under the same key or bit by bit under a keystream that changes at every position, ciphers are divided into block ciphers and stream ciphers.

Fig. 1. Schema of a cryptosystem

In the schema above, the attacker, Oscar, intercepts the ciphertext (c) and tries to recover the decryption key or the plaintext (p). Oscar may only read the message, or he may modify it and transmit a corrupted ciphertext to Bob.

In this paper, various types of cryptographic attacks are presented and a new approach using an error regulation-based cryptanalysis is proposed.

The paper is organized as follows:

- the taxonomy of cryptographic attacks, emphasizing the most used techniques, namely linear, differential and algebraic cryptanalysis;
- the proposal of a new model of cryptographic attack, i.e. error regulation-based cryptanalysis. The innovation consists in implementing the cryptographic attack techniques on intermediate keys, on the basis of a feedback-type controller that performs the regulation of the cryptographic key;
- experimental results obtained using the proposed attack technique;
- conclusions that underline the most important contributions of the paper.

2 Taxonomy of the Cryptographic Attacks

There are various cryptographic attacks. The attack that always works is the brute force attack, which tries all possible keys. It is infeasible for the key lengths in use today (at least 128 bits for modern symmetric ciphers, and 1024 bits or more for the moduli of public-key schemes such as RSA), and the complexity of the algorithms further lengthens the response time.

In order to define the taxonomy of cryptographic attacks, one has to consider the information known to the cryptanalyst [3] and, within the classes generated by this criterion, the analytic technique applied to the cryptographic algorithm. The cryptanalyst's known information consists of sets of plaintexts and/or ciphertexts, from which the cryptographic key has to be recovered. In the case of an asymmetric cryptosystem, the cryptanalyst possesses the (public) encryption key and has to find the decryption key.

The taxonomy of the cryptanalysis is presented in Fig. 2.

(Fig. 1 shows: sender Alice → encryption algorithm → ciphertext c over the insecure channel → decryption algorithm → receiver Bob, with the plaintext p at both ends; the attacker Oscar taps the insecure channel.)


Fig. 2. Taxonomy of the cryptanalysis

In a known-plaintext attack, the attacker (Oscar in Fig. 1, for example) possesses a set of pairs of plaintexts and the corresponding ciphertexts obtained with a certain key.

In a chosen-plaintext attack, the attacker is able to choose a set of plaintexts in advance, to have them encrypted and to analyze the results.

An adaptive chosen-plaintext attack is based on the fact that the attacker is able to choose a set of plaintexts in an adaptive (interactive) way and to obtain the corresponding ciphertexts under a fixed key; the cryptanalyst adapts each choice to the results obtained so far.

Types of attacks (Fig. 2):

- Plaintext-based attacks: known plaintext; chosen plaintext; adaptive chosen plaintext.
- Ciphertext-based attacks: ciphertext only / known ciphertext; chosen ciphertext; adaptive chosen ciphertext.
- Encryption key-based attacks.
- By analytic technique: linear attack; differential attack; algebraic attack; correlation attack.


In a ciphertext-only attack, the attacker possesses only a set of ciphertexts (encrypted with the same key).

A chosen-ciphertext attack enables the cryptanalyst to choose a set of ciphertexts in advance, to have them decrypted and to analyze the results.

An adaptive chosen-ciphertext attack allows the choice of a set of ciphertexts in an adaptive (interactive) way and obtaining the corresponding plaintexts (under a fixed key); the cryptanalyst adapts each choice to the results obtained so far.

An encryption key-based attack is defined by the fact that the attacker knows the encryption key and tries to uncover the decryption key.

The cryptanalytic techniques described next are mainly statistical: they exploit the way the cipher deviates from a random mapping, observed over many plaintext-ciphertext pairs.

2.1 Linear Cryptanalysis

Matsui and Yamagishi first devised linear cryptanalysis in an attack on FEAL. It was extended by Matsui to attack DES [9], followed by the first experimental cryptanalysis of DES [4].

Linear cryptanalysis is a known plaintext attack which uses a linear approximation to describe the behavior of the block cipher. Given sufficient pairs of plaintext and corresponding ciphertext, bits of information about the key can be obtained, and increased amounts of data will usually give a higher probability of success.

There have been a variety of enhancements and improvements to the basic attack. Langford and Hellman [5] introduced an attack called differential-linear cryptanalysis that combines elements of differential cryptanalysis with those of linear cryptanalysis. Also, Kaliski and Robshaw [6] showed that a linear cryptanalytic attack using multiple approximations might allow a reduction in the amount of data required for a successful attack. Other issues, such as protecting ciphers against linear cryptanalysis, have also been considered by Nyberg [7] and Knudsen [8].

Initially, Matsui used $2^{47}$ known plaintext-ciphertext pairs [9] and later, in 1994, he refined the algorithm and showed that $2^{43}$ known pairs are enough [4]. He implemented the attack in the C programming language and recovered a DES key experimentally.

The number of known plaintexts needed, and the running time, depend on the number of rounds of the DES cipher. The results obtained by Matsui on a PA-RISC/66 MHz HP9750 computer, published in [9], are:

"8-round DES is breakable with $2^{21}$ known-plaintexts in 40 seconds; 12-round DES is breakable with $2^{33}$ known-plaintexts in 50 hours; 16-round DES is breakable with $2^{47}$ known-plaintexts faster than an exhaustive search for 56 key bits."

The main idea of linear cryptanalysis is to approximate the non-linear cipher by a linear expression over plaintext, ciphertext and key bits:

$$\Big(\bigoplus_{i} P[i]\Big) \oplus \Big(\bigoplus_{j} C[j]\Big) = \bigoplus_{k} K[k], \qquad i \in \{1, \ldots, 64\},\ j \in \{1, \ldots, 64\},\ k \in \{1, \ldots, 56\} \qquad (1)$$

where $P$, $C$, $K$ represent the 64-bit plaintext, the 64-bit ciphertext and the 56-bit key respectively, and $i$, $j$, $k$ range over fixed bit locations (subsets of the positions indicated).


The equation holds with probability $p$ for a random plaintext and its corresponding ciphertext. A probability $p \neq 1/2$ and the bias (magnitude) $|p - 1/2|$ state the effectiveness of the linear approximation: the larger the bias, the fewer known pairs are needed. The algorithms used to determine one bit and multiple bits of information about the key are based on a maximum likelihood method.

Matsui found the following linear approximation to break the DES cipher. For example, in order to break a 16-round DES using $2^{47}$ known plaintext pairs, it is enough to solve the following equation:

$$P_H[7,18,24] \oplus P_L[12,16] \oplus C_H[15] \oplus C_L[7,18,24,29] \oplus F_{16}(C_L, K_{16})[15] = K_1[19,23] \oplus K_3[22] \oplus K_4[44] \oplus K_5[22] \oplus K_7[22] \oplus K_8[44] \oplus K_9[22] \oplus K_{11}[22] \oplus K_{12}[44] \oplus K_{13}[22] \oplus K_{15}[22] \qquad (2)$$

where:

$P_H$ represents the left 32 bits of $P$

$P_L$ represents the right 32 bits of $P$

$C_H$ represents the left 32 bits of $C$

$C_L$ represents the right 32 bits of $C$

$K_i$ represents the intermediate (round) key in the $i$-th round

$F_i$ represents the round function used in the $i$-th round

$A[i]$ means the bit at the $i$-th position of the vector $A$

$A[i_1, i_2, \ldots, i_k] = A[i_1] \oplus A[i_2] \oplus \cdots \oplus A[i_k]$

2.2 Differential Cryptanalysis

Differential cryptanalysis is a chosen plaintext attack: the attacker selects inputs and examines the outputs, trying to find the key. The method was developed by Biham and Shamir and presented in [10]. It is based on the following observation: for a particular input difference $\Delta P = P_i \oplus P_j$, a particular output difference $\Delta C = C_i \oplus C_j$ occurs with high probability, where $(C_i, C_j)$ are the ciphertexts corresponding to the plaintext pair $(P_i, P_j)$. The pair $(\Delta P, \Delta C)$ is called a differential characteristic.

Each S-box has an associated difference distribution table [11], in which each row corresponds to a given input difference and each column to a given output difference. The entries of the table count the occurrences of the output difference $\Delta C$ for the given input difference $\Delta P$.


The input of any DES S-box has 6 bits and the output 4 bits, so there are $64^2$ possible input pairs $(X_1, X_2)$ when observing its differential behaviour. If $S(X_1) = Y_1$, $S(X_2) = Y_2$ and $\Delta X = X_1 \oplus X_2$, then $\Delta Y = Y_1 \oplus Y_2$. $Y_1$, $Y_2$ and $\Delta Y$ can take 16 possible values. The distribution of the output difference $\Delta Y$ is obtained by counting the occurrences of each value of $\Delta Y$ while $(X_1, X_2)$ ranges over the $64^2$ pairs; for a fixed $\Delta X$ there are exactly 64 ordered pairs, so every row of the table sums to 64.

The difference distribution table of S1 is presented in Table 1.

Table 1. The difference distribution table of S1

The differential distribution is highly non-uniform; for example, for $\Delta X = 02$, the values $\Delta Y \in \{0, 1, 2, 4, 8\}$ occur with probability 0 and $\Delta Y \in \{3, A\}$ with probability $8/64$. Table 2 lists the row of Table 1 for $\Delta X = 02$.

Table 2. $\Delta Y$ occurrences for $\Delta X = 02$

ΔY       0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
Occurs   0  0  0  8  0  4  4  4  0  6  8  6 12  6  4  2

$\Delta Y = F$ for $\Delta X = 02$ has 2 occurrences; working through the S-box, the input pairs are

$$X_1 = 000011\ (= 3),\ X_2 = 000001\ (= 1) \quad \text{or} \quad X_1 = 000001\ (= 1),\ X_2 = 000011\ (= 3) \qquad (3)$$

and

$$S_1(1) \oplus S_1(3) = S_1(3) \oplus S_1(1) = 0 \oplus 15 = 15\ (= F). \qquad (4)$$

In order to determine the key, consider two inputs to $S_1$, 0 and 2 (so the input difference is $0 \oplus 2 = 2$), together with the observed output difference $F$, according to the schema presented in Fig. 3. The round key bits are XORed into the S-box input, so the actual S-box inputs are $0 \oplus k$ and $2 \oplus k$.

Table 1 (excerpt). The difference distribution table of $S_1$: rows are the input difference $\Delta X$ (hexadecimal), columns the output difference $\Delta Y$.

ΔX \ ΔY   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00       64  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0
01        0  0  0  6  0  2  4  4  0 10 12  4 10  6  2  4
02        0  0  0  8  0  4  4  4  0  6  8  6 12  6  4  2
03       14  4  2  2 10  6  4  2  6  4  4  0  2  2  2  0
...      (rows 04 to 3D omitted in the original)
3E        4  8  2  2  2  4  4 14  4  2  0  2  0  8  4  4
3F        4  4  4  2  4  0  2  4  4  2  4  8  8  6  2  2


Fig. 3. Key determining schema for a differential cryptanalysis

The corresponding relations are:

$$0 \oplus 1 = 1,\quad 2 \oplus 1 = 3 \quad (k = 1); \qquad 0 \oplus 3 = 3,\quad 2 \oplus 3 = 1 \quad (k = 3) \qquad (5)$$

that is, only the keys 1 and 3 map the inputs 0 and 2 onto the pair $\{1, 3\}$ of (3), so the possible keys are $\{1, 3\}$.

Considering more input and output differences, one obtains more sets of possible keys. Intersecting these sets yields the key used in the first round of the DES algorithm.
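The two S-box computations of Sects. 2.1 and 2.2 carried out in Python, as an added example that is not part of the original paper: the linear approximation table of $S_1$ with Matsui's Algorithm 1 recovering one key-bit parity of a one-round toy cipher $c = S_1(p \oplus k)$ (the one-round instance of eq. (1)), and the difference distribution table of $S_1$ with the key-candidate filtering of Fig. 3 and eq. (5). The $S_1$ table is the standard DES one; the toy cipher, the mask search and the function names are this example's own assumptions.

```python
"""DES S-box S1 worked through both ways: linear approximation table and
Matsui's Algorithm 1 (Sect. 2.1), difference distribution table and
key-candidate filtering (Sect. 2.2). Added example; the toy cipher
c = S1(p XOR k) and all function names are assumptions of this example."""

# Standard DES S1: row = bits b1 b6, column = bits b2 b3 b4 b5 of the 6-bit input.
S1_TABLE = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def s1(x: int) -> int:
    """S1 applied to a 6-bit input x = b1 b2 b3 b4 b5 b6 (b1 most significant)."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    col = (x >> 1) & 0xF
    return S1_TABLE[row][col]


def parity(v: int) -> int:
    """XOR of the bits of v, i.e. the masked bit sum used in eq. (1)."""
    return bin(v).count("1") & 1


# ---- linear cryptanalysis (Sect. 2.1) ------------------------------------

def lat(sbox) -> list:
    """N(a, b) = #{x : a.x XOR b.S(x) = 0}; the bias of masks (a, b) is (N - 32)/64."""
    table = [[0] * 16 for _ in range(64)]
    for a in range(64):
        for b in range(16):
            table[a][b] = sum(1 for x in range(64)
                              if parity(a & x) ^ parity(b & sbox(x)) == 0)
    return table


def best_linear_approximation(sbox):
    """Non-trivial masks (a, b) with the largest |bias|, and that bias."""
    table = lat(sbox)
    a, b = max(((a, b) for a in range(1, 64) for b in range(1, 16)),
               key=lambda ab: abs(table[ab[0]][ab[1]] - 32))
    return a, b, (table[a][b] - 32) / 64


def recover_key_parity(pairs, a, b, bias) -> int:
    """Matsui's Algorithm 1 for the toy cipher c = S1(p XOR k): eq. (1) becomes
    a.p XOR b.c = a.k, true with probability 1/2 + bias. Count the pairs for
    which the left side is 0 and decide the key parity a.k by majority."""
    t = sum(1 for p, c in pairs if parity(a & p) ^ parity(b & c) == 0)
    half = len(pairs) / 2
    if bias > 0:
        return 0 if t > half else 1
    return 1 if t > half else 0


# ---- differential cryptanalysis (Sect. 2.2) ------------------------------

def ddt(sbox) -> list:
    """Difference distribution table: table[dx][dy] counts ordered pairs
    (x1, x2) with x1 XOR x2 = dx and S(x1) XOR S(x2) = dy (rows sum to 64)."""
    table = [[0] * 16 for _ in range(64)]
    for x1 in range(64):
        for x2 in range(64):
            table[x1 ^ x2][sbox(x1) ^ sbox(x2)] += 1
    return table


def key_candidates(sbox, x1: int, x2: int, out_diff: int) -> set:
    """Fig. 3 / eq. (5): keys k for which the S-box inputs x1 XOR k and
    x2 XOR k produce the observed output difference."""
    return {k for k in range(64) if sbox(x1 ^ k) ^ sbox(x2 ^ k) == out_diff}


if __name__ == "__main__":
    a, b, bias = best_linear_approximation(s1)
    print(f"best S1 approximation: a={a:06b} b={b:04b} bias={bias:+.4f}")
    key = 0b101101                                   # assumed secret key
    pairs = [(p, s1(p ^ key)) for p in range(64)]    # known-plaintext set
    print("recovered a.k =", recover_key_parity(pairs, a, b, bias),
          "true a.k =", parity(a & key))
    print("DDT row for dX=02:", ddt(s1)[0x02])       # Table 2 of the paper
    print("keys for inputs 0,2 and dY=F:", key_candidates(s1, 0, 2, 0xF))
```

With all 64 plaintexts of the toy cipher the majority count is exact, so Algorithm 1 returns the key parity for the chosen masks without error; with fewer pairs the success probability falls with the bias, which is why the full-DES attack needs $2^{43}$ to $2^{47}$ pairs. The DDT row for $\Delta X = 02$ reproduces Table 2, and `key_candidates` reproduces the set $\{1, 3\}$ of eq. (5).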

2.3 Algebraic Cryptanalysis

The algebraic attack is faster than the attacks presented above for some ciphers. It was presented by Courtois and Meier in 2003 for stream ciphers [12]. Algebraic cryptanalysis is used against both types of ciphers, stream ciphers and block ciphers, with particular success on stream ciphers (especially LFSR-based keystream generators). The main idea of algebraic attacks consists in finding a system of equations that expresses the dependence between outputs (O) and inputs (I), and in solving this system. A solution of the system gives the secret key.

The possible classes of equations relevant for algebraic cryptanalysis are:

"• Class 1. Low-degree multivariate I/O relations;
• Class 2. I/O equations with a small number of monomials (can be of high or low degree);
• Class 3. Equations of very low degree (between 1 and 2), low non-linearity and extreme sparsity that one can obtain by adding additional variables" [13].

An example of a system of non-linear equations between the initial state $k$ of the LFSR ($l$ bits) and the keystream bits is:

$$f(k) = z_0, \qquad f(L(k)) = z_1, \qquad f(L^2(k)) = z_2, \qquad \ldots \qquad (6)$$

where $L$ is the linear update function of the LFSR, $f$ the filtering (output) function and $z_t$ the $t$-th keystream bit. Techniques to solve the system use linearization algorithms (XL, XSL) or Gröbner bases.

The algebraic attack is a relatively new form of attack that requires many keystream bits and a large amount of memory. In spite of good theoretical results and estimations, for full-round block ciphers the algebraic attack has not yet proved practically feasible.
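Eq. (6) made concrete in Python, as an added example that is not taken from the paper: a symbolic LFSR filter generator whose keystream bits are written as polynomial equations in the initial state over GF(2) and solved by linearization (every monomial treated as an independent unknown, then Gaussian elimination). The generator (a 3-cell LFSR with feedback taps 0 and 1 and the filter $f(s) = s_0 s_1 \oplus s_2$) is deliberately tiny so that one period of 7 keystream bits already gives a full-rank linearized system; all names and parameters are this example's assumptions, not the paper's.

```python
"""Algebraic attack on an LFSR filter generator (Sect. 2.3, eq. (6)):
z_t = f(L^t(k)) as polynomial equations over GF(2) in the initial state k,
solved by linearization. Added example; generator parameters, filter
function and all names are assumptions of this example."""

# A polynomial over GF(2) is a set of terms; a term is a sorted tuple of
# variable indices (the product of those k_i); () is the constant 1.
# Addition is the symmetric difference of the term sets.

def poly_mul(a: set, b: set) -> set:
    """Product of two polynomials, using k_i * k_i = k_i over GF(2)."""
    out = set()
    for x in a:
        for y in b:
            out ^= {tuple(sorted(set(x) | set(y)))}
    return out


def lfsr_states(length: int, taps, steps: int):
    """Symbolic LFSR: the state at t = 0..steps-1 as a list of polynomials
    in k_0..k_{l-1}. Cell 0 is shifted out; the new cell is the XOR of the
    tapped cells, which is the linear update L of eq. (6)."""
    state = [{(i,)} for i in range(length)]
    for _ in range(steps):
        yield list(state)
        new = set()
        for i in taps:
            new ^= state[i]
        state = state[1:] + [new]


def filter_generator(key, taps, filt, n: int) -> list:
    """The actual cipher: n keystream bits from the numeric initial state key.
    filt lists the products of cells making up f, e.g. [(0, 1), (2,)]."""
    state, out = list(key), []
    for _ in range(n):
        z = 0
        for term in filt:
            bit = 1
            for i in term:
                bit &= state[i]
            z ^= bit
        out.append(z)
        new = 0
        for i in taps:
            new ^= state[i]
        state = state[1:] + [new]
    return out


def keystream_equations(length, taps, filt, keystream) -> list:
    """Eq. (6): one equation f(L^t(k)) = z_t per keystream bit, as (lhs, z_t)."""
    eqs = []
    for t, state in enumerate(lfsr_states(length, taps, len(keystream))):
        lhs = set()
        for term in filt:
            prod = {()}
            for i in term:
                prod = poly_mul(prod, state[i])
            lhs ^= prod
        eqs.append((lhs, keystream[t]))
    return eqs


def solve_by_linearization(eqs, n_vars: int):
    """Treat every monomial as its own unknown and eliminate over GF(2).
    Returns the n_vars key bits if the linearized system has a unique
    solution, None if it is inconsistent or rank-deficient (more keystream
    bits, or a Groebner-basis solver, would be needed in that case)."""
    monos = sorted({m for lhs, _ in eqs for m in lhs}, key=lambda m: (len(m), m))
    idx = {m: i for i, m in enumerate(monos)}
    if any((i,) not in idx for i in range(n_vars)):
        return None                  # some key bit never appears: not determined
    pivots = {}                      # column -> (row bitmask, rhs); row's lowest bit is the column
    for lhs, z in eqs:
        r = 0
        for m in lhs:
            r |= 1 << idx[m]
        for col in sorted(pivots):   # reduce by existing pivots, lowest column first
            if r >> col & 1:
                pr, pz = pivots[col]
                r ^= pr
                z ^= pz
        if r == 0:
            if z:
                return None          # 0 = 1: the model does not fit the keystream
            continue
        pivots[(r & -r).bit_length() - 1] = (r, z)
    if len(pivots) != len(monos):
        return None
    values = {}
    for col in sorted(pivots, reverse=True):          # back substitution
        r, z = pivots[col]
        for c in range(col + 1, len(monos)):
            if r >> c & 1:
                z ^= values[c]
        values[col] = z
    return tuple(values[idx[(i,)]] for i in range(n_vars))


def recover_initial_state(length, taps, filt, keystream):
    return solve_by_linearization(keystream_equations(length, taps, filt, keystream), length)


TAPS = (0, 1)                 # assumed feedback: new cell = s_0 XOR s_1
FILT = [(0, 1), (2,)]         # assumed filter f(s) = s_0 s_1 XOR s_2

if __name__ == "__main__":
    secret = (1, 0, 1)                                   # assumed initial state
    z = filter_generator(secret, TAPS, FILT, 7)          # one period of keystream
    print("keystream:", z)
    print("recovered initial state:", recover_initial_state(3, TAPS, FILT, z))
```

The linearized system here has 6 unknowns ($k_0, k_1, k_2, k_0 k_1, k_0 k_2, k_1 k_2$) and 7 equations of full rank, so the initial state is read off directly from the linear monomials. For an $l$-cell LFSR and a degree-$d$ filter the number of monomials grows like $\binom{l}{d}$, which is exactly the keystream and memory requirement the text above refers to; `solve_by_linearization` reports `None` rather than guessing when the equations do not pin the monomials down.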

3 A New Model of a Cryptographic Attack

The authors now propose a Known Plaintext Attack (KPA), using a regulation technique well-known in systems theory, namely a feedback type error regulation.

The controller used in the cryptanalysis can be a fuzzy controller or an unconventional controller. This technique of cryptanalysis is named error regulation-based cryptanalysis and it is exemplified on a simple algorithm.

The encryption function is defined as $e_k(p) = c$ and the decryption function as $d_k(c) = p$. In order to simplify the problem, a symmetric cryptosystem is considered and one assumes that $k_e = k_d = k$.

Let $K_i$ denote a key from the key space of $t$-bit keys, $K_i = (k_i^1, k_i^2, \ldots, k_i^t)$, where each $k_i^j$ is 0 or 1. The set of pairs of plaintexts and ciphertexts is denoted $S = \{(p_i, c_i) \mid c_i = e_k(p_i)\}$, with $\mathrm{Card}(S) = n$.

The objective of the error regulation-based cryptanalysis system is to determine the key k .

An important concept in cryptanalysis terminology is the unicity distance. Shannon [1] defined it as the length of ciphertext needed to break the cipher by reducing the number of possible spurious keys to zero in a brute force attack; that is, after trying every possible key, there should be just one decipherment that makes sense. It is the expected amount of ciphertext needed to completely determine the key, assuming the underlying message has redundancy.

In the same respect, the Hamming distance between two Boolean vectors $x, y$ is the number of positions in which they differ and is denoted $d(x, y)$ [14].

We have to determine the key $k$ such that $e_k(p_i) = c_i$ for all $(p_i, c_i) \in S$.

The schema of the error regulation-based cryptanalysis system is represented in Fig.4.

The cryptanalysis technique consists in performing the following operations:

1. a random key is selected and the cipher $c'$ of a given plaintext $p$ is calculated using this key;
2. the error $\varepsilon$, the Hamming distance between $c$ and $c'$, is calculated;
3. the controller block contains a certain method for key determination, based on an analysis of the error value;
4. the key used for the next encryption of the plaintext is generated;
5. the above steps repeat until the error is minimized, using pairs of plaintexts and ciphertexts from the known information set.

Fig. 4. Schema of the error regulation-based cryptanalysis system

PO represents the performance objectives. These are defined using the set of pairs of known plaintexts and their corresponding ciphertexts:

$$S = \{(p_i, c_i) \mid c_i = e_k(p_i)\}, \qquad p_i = (p_i^1, p_i^2, \ldots, p_i^s),\ c_i = (c_i^1, c_i^2, \ldots, c_i^s),$$

where $i$ takes values from 1 to $n$, and $n$ is greater than the unicity distance. $\varepsilon$ represents the error and is defined as the Hamming distance between two vectors. The block that regulates the cryptographic key contains various cryptographic attacks. The innovation consists in implementing the cryptographic attack techniques on intermediate keys, on the basis of a feedback-type controller that performs the regulation of the cryptographic key. The output $c'$ is the cipher obtained using the key generated by the regulation block.

Possible scenarios that may be implemented are:

• if the obtained error is too big (that is, larger than half of the maximum length of the vectors in $S$), then the intermediate key is changed significantly (none of the bits of the previously found key is preserved);
• if the obtained error is small, a set of possible keys is selected, for which only some of the bits are changed;
• if the obtained error is around the value $n/2$, one can start with a differential cryptanalysis. This type of attack generates a set of possible keys, which are then used in a linear cryptanalysis.

For example, let us consider the pair $p = (0, 0)$ and $c = (1, 1)$. The key is $k = (k_1, k_2)$ and the encryption function is $(p_1 \oplus k_1, p_2 \oplus k_2)$.

(Fig. 4 blocks: the performance objectives PO supply the pairs $(c, c')$; the error $d(c, c')$ feeds the block "Regulation of the cryptographic key", which outputs the key $k$ to the "Encryption process", whose output $c'$ is fed back.)

For example, the intermediate key $k_i = (0, 0)$ is chosen. Applying the given encryption function, the cipher $c_i = (0, 0)$ is obtained, which gives a big error (the number of differing bits is maximal, equal to the length of the cipher). Consequently, none of the bits of the intermediate key $k_i$ is preserved, and a new key with the opposite values is chosen: $k_f = (1, 1)$, which generates the error 0.

A possible controller for error regulation-based cryptanalysis is a fuzzy controller. The fuzzy controller is based on rules. Its command generation strategy is implemented by means of an inference mechanism and uses a more or less natural language. A fuzzy controller may have an associated equivalent controller that uses conventional techniques. The inputs and outputs of a fuzzy controller are crisp or fuzzy.

An architectural model of a fuzzy controller for process control comprises the following components [15]:

• crisp-fuzzy conversion module;
• knowledge base;
• decision making module based on a fuzzy-inference reasoning engine;
• fuzzy-crisp conversion module.

A fuzzy controller diagram for process control is presented in Fig. 5.

Fig. 5. A fuzzy controller diagram

The pre-processing block transforms the measured values from the measurement equipments before introducing them into the crisp-fuzzy conversion module.

The functions that can be performed by the pre-processing block are:

• normalizing or scaling the input domain to a standard domain of values by using a bijective function, defined from the measured data domain to the universe of discourse;
• error reduction or removal;
• combining many measurements in order to obtain key indicators;
• sampling of the universe of discourse into a number of segments; the scaling function can be linear, non-linear or mixed;
• performing approximation operations;
• determining development tendencies.

(Fig. 5 blocks: pre-processing → crisp-fuzzy conversion → inference model, driven by the rules base → fuzzy-crisp conversion → post-processing.)

The crisp-fuzzy conversion block transforms crisp values into fuzzy ones. The aim of this module is to allow the construction of a rules base, a fuzzy partition of the input spaces and of the output spaces respectively, and the determination of the linguistic variables used in formulating the rules of the knowledge base [15]. The linguistic variable in the hypothesis describes an input fuzzy space, and the linguistic variable in the consequence describes an output fuzzy space.

There are seven linguistic terms used in most of the fuzzy control applications, namely:

NB-negative big, NM-negative medium, NS-negative small, ZE-zero, PS-positive small, PM-positive medium, PB-positive big.

The most used membership functions have triangular or trapezium shapes.

The triangular model of the membership function with centre $m$ and half-width $d$ is defined according to formula (7):

$$\varphi(x; m, d) = \begin{cases} 1 - \dfrac{|x - m|}{d}, & m - d \le x \le m + d \\ 0, & \text{otherwise} \end{cases}, \qquad m \in \mathbb{R},\ d > 0 \qquad (7)$$

The trapezium model of the membership function is defined as

$$\varphi(x; a, b, c, d) = \begin{cases} 0, & x < a \ \text{or}\ x > d \\ \dfrac{x - a}{b - a}, & a \le x < b \\ 1, & b \le x \le c \\ \dfrac{d - x}{d - c}, & c < x \le d \end{cases}, \qquad \text{where } a < b < c < d. \qquad (8)$$

The rules base block contains a set of rules. The linguistic controller contains rules of an if-then format.

A fuzzy rule is a construction of an if-then type performed using the fuzzy implication [15].

An example of a fuzzy rule is

If $x_1$ is $A_1$ and $x_2$ is $A_2$, then $y$ is $B$.

In order to define a fuzzy regulation in an error regulation-based cryptanalysis system, the concepts presented below are required.

The measure of nearness between two code words $c$ and $c'$ of length $n$ is defined as

$$\mathrm{nearness}(c, c') = \frac{d(c, c')}{n} \qquad (9)$$

and obviously $0 \le \mathrm{nearness}(c, c') \le 1$ (here $n$ is the length of the code words, denoted $s$ above, not the cardinality of $S$).


The fuzzy membership function for a code word $c'$ to be equal to a given $c$ is defined as

$$\varphi_c(c') = \begin{cases} 1, & 0 \le \mathrm{nearness}(c, c') < z_0 \\ z, & \text{otherwise} \end{cases} \qquad (10)$$

with a threshold $z_0$ and a residual value $z$. Fuzzification is performed by computing the membership functions and defuzzification by the centre of gravity (weight centre) method.

The linguistic variables and the linguistic associated terms are presented in Table 3.

Table 3. Linguistic variables and linguistic associated terms

If ε is ZE (zero), then k is R (right).

If ε is PS (positive small), then k is C (close).

If ε is PM (positive medium), then k is F (far).

If ε is PB (positive big), then k is VF (very far).

The universe for the k variable is given by the keys space with t bits.

The universe for the error is given by the rational numbers from the interval [ ]1,0 .

The proposed model makes it possible to determine the decryption key by approximating it with intermediate keys. At the same time, it offers the opportunity of a fuzzy cryptanalysis, with a more precise quantification of the information-theoretic concepts, in order to build more accurate cryptographic systems and to evaluate their strength or weakness.

4 Experimental Results

The experimental results presented in this section were obtained considering the following plaintext-ciphertext pair: $p = (1, 0, 1, 0, 1, 1)$ and $c = (0, 0, 0, 1, 0, 0)$. A comparison in terms of the number of intermediate keys needed to obtain the correct one was performed between some classic cryptographic attacks and the error regulation-based cryptanalysis technique proposed by the authors.

The body of Table 3 (Sect. 3) is:

Linguistic variable   Variable type   Linguistic terms
Error (ε)             Input           ZE, PS, PM, PB
k                     Output          R, C, F, VF


First, the decryption key was determined by approximating it using the intermediate keys, according to the cryptanalysis technique described in the proposed model.

1. The start key $k_1 = (0, 0, 0, 0, 0, 0)$ is chosen and the ciphertext $c_1 = (1, 0, 1, 0, 1, 1)$ is calculated.
2. The error $\varepsilon_1 = 5/6$ is calculated as the (normalized) Hamming distance between $c$ and $c_1$.
3. Based on the analysis of the error value, according to the fuzzy rules, the obtained cipher determines a big error, of type PB, and the key is VF, which imposes a change of the majority of the key bits. The following operations are performed:

$$k_2 = (0, 0, 1, 1, 1, 1) \rightarrow c_2 = (1, 0, 0, 1, 0, 0) \rightarrow \varepsilon_2 = 1/6,$$

a PS-type error, corresponding to a C key, which leads to the correct key after six more steps, each modifying one bit at a time.
4. The final, correct key is the 8th:

$$k_8 = (1, 0, 1, 1, 1, 1) \rightarrow c_8 = (0, 0, 0, 1, 0, 0) \rightarrow \varepsilon_8 = 0.$$

The conclusion is that, in this case with favourable choices, the encryption key is obtained using 7 intermediate keys.
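The feedback loop of Sect. 3 (steps 1 to 5, the scenarios, and the fuzzy rules of Table 3) run on the paper's toy XOR cipher and on the pair of Sect. 4, as an added example that is not the authors' implementation: the error is the nearness $d(c, c')/n$ of eq. (9), it is fuzzified with the triangular membership functions (7) into ZE/PS/PM/PB, and the rule consequents are made crisp as "PB: keep no bit (complement the key)", "PS/PM: flip one bit at a time and keep the flips that lower the error", "ZE: stop". The membership centres and widths and those crisp actions are assumptions of this example, since the paper does not fix them; as a result the controller takes a different second key from the paper's $k_2$ and reaches $k = (1, 0, 1, 1, 1, 1)$ after evaluating 4 intermediate keys instead of 8. The code also returns `None` when no single-bit flip lowers the error, which is what one should expect from a cipher whose confusion and diffusion (Sect. 1) remove the per-bit relation between key and ciphertext that the XOR toy exposes.

```python
"""Error regulation-based cryptanalysis (Sect. 3) as a feedback loop on the
paper's toy XOR cipher, with the linguistic terms of Table 3. Added example;
membership parameters and crisp rule actions are assumptions of this example."""
from fractions import Fraction


def xor_cipher(p: tuple, k: tuple) -> tuple:
    """The paper's toy cipher: c_j = p_j XOR k_j."""
    return tuple(pj ^ kj for pj, kj in zip(p, k))


def hamming(x: tuple, y: tuple) -> int:
    return sum(a != b for a, b in zip(x, y))


def error(cipher, key: tuple, pairs) -> Fraction:
    """Mean nearness d(c, c')/n of eq. (9) over the known pairs S."""
    total = sum(Fraction(hamming(c, cipher(p, key)), len(c)) for p, c in pairs)
    return total / len(pairs)


def triangular(x, m, d) -> Fraction:
    """Membership function of eq. (7): centre m, half-width d."""
    return max(Fraction(0), 1 - abs(x - m) / d)


# Assumed (centre, half-width) of the four error terms; chosen so that no two
# terms tie on multiples of 1/6 (6-bit code words).
TERMS = {
    "ZE": (Fraction(0), Fraction(1, 6)),
    "PS": (Fraction(1, 6), Fraction(1, 3)),
    "PM": (Fraction(1, 2), Fraction(1, 4)),
    "PB": (Fraction(1), Fraction(2, 3)),
}


def fuzzify(eps: Fraction) -> str:
    """Crisp-to-fuzzy conversion: the linguistic term with the largest membership."""
    return max(TERMS, key=lambda term: triangular(eps, *TERMS[term]))


def regulate(cipher, pairs, start_key: tuple, max_rounds: int = 64):
    """Steps 1-5 of Sect. 3. Returns (key, trace): the key once the error is ZE
    (None if the loop stalls), and every intermediate key with its error."""
    key = tuple(start_key)
    best = error(cipher, key, pairs)
    trace = [(key, best)]
    for _ in range(max_rounds):
        term = fuzzify(best)
        if term == "ZE":                        # rule: eps is ZE -> k is R (right)
            return key, trace
        if term == "PB":                        # rule: eps is PB -> k is VF: keep no bit
            key = tuple(1 - b for b in key)
            best = error(cipher, key, pairs)
            trace.append((key, best))
            continue
        improved = False                        # rules PS/PM -> k is C/F: change some bits
        for j in range(len(key)):
            cand = key[:j] + (1 - key[j],) + key[j + 1:]
            eps = error(cipher, cand, pairs)
            trace.append((cand, eps))
            if eps < best:
                key, best, improved = cand, eps, True
                if best == 0:
                    break
        if not improved:
            return None, trace                  # no single-bit flip helps: stalled
    return None, trace


if __name__ == "__main__":
    P, C = (1, 0, 1, 0, 1, 1), (0, 0, 0, 1, 0, 0)     # the pair of Sect. 4
    found, trace = regulate(xor_cipher, [(P, C)], (0,) * 6)
    for k, eps in trace:
        print("".join(map(str, k)), "error =", eps, "->", fuzzify(eps))
    print("key:", found)
```

On the XOR toy every key bit affects exactly one ciphertext bit, so the error is a sum of independent per-bit terms and the coordinate descent of the PS/PM rule can never get stuck: for any 6-bit key the loop ends after at most one complement and one pass over the bits. That separability is precisely what the confusion and diffusion of a real cipher are designed to remove, so the `None` branch, not the happy path, is the one to plan for when moving beyond the toy.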

Using the brute force attack, which verifies all the possible keys, starting with the same initial key $k_i = (0, 0, 0, 0, 0, 0)$ and then modifying a single bit, then 2 bits and so forth, the paper counts $1 + 6 + 5 \times 6 + 4 \times 5 + 3 \times 4 + 1 = 70$ intermediate keys. (Note that this enumeration counts some keys more than once: a 6-bit key space contains only $2^6 = 64$ keys, so an exhaustive search needs at most 64 trials.) For bigger key lengths (128 to 256 bits for modern symmetric ciphers) the number of intermediate keys grows exponentially and the response time becomes prohibitive. In terms of linear cryptanalysis, bits of the encryption key (or parities of key bits) are obtained by solving approximations of the form (1) over the known pairs, with no intermediate keys needed.

As for differential cryptanalysis, this method requires at least one additional plaintext-ciphertext pair, that is extra information, in order to obtain the differential characteristics and further sets of possible keys.

5 Conclusions

Understanding cryptographic attacks is important to the science of cryptography, as they represent threats to the security of a cryptographic system by finding weaknesses in its structure and thus serve to improve cryptographic algorithms.

Considering the taxonomy of the most used attack techniques on ciphers in cryptographic systems, the paper proposes a new approach to cryptographic attacks by means of an error regulation-based cryptanalysis. By implementing the algorithm defining the proposed model, on the basis of a feedback fuzzy controller that ensures the regulation of the key, advantages in terms of accuracy, efficiency and operating time were observed on the toy example of Sect. 4. The authors consider that the proposed technique may be classified between the linear and the differential cryptanalysis techniques and that it has better performance than the brute force attack.

As future direction, one may consider software implementation of the proposed model on more complex algorithms, in order to simulate and validate it.

References

1. Shannon, C.E.: Communication Theory of Secrecy Systems. Bell System Technical Journal 28(4), 656–715 (1949)

2. Kerckhoffs, A.: La cryptographie militaire. Journal des sciences militaires IX, 5–38 (1883), http://petitcolas.net/fabien/kerckhoffs/

3. Keliher, L.: Linear Cryptanalysis of Substitution-Permutation Networks (2003), http://mathcs.mta.ca/faculty/lkeliher/publications.html

4. Matsui, M.: The First Experimental Cryptanalysis of the Data Encryption Standard. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 1–11. Springer, Heidelberg (1994)

5. Langford, S.K., Hellman, M.E.: Differential-linear cryptanalysis. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 17–25. Springer, Heidelberg (1994)

6. Kaliski Jr., B.S., Robshaw, M.J.B.: Linear cryptanalysis using multiple approximations. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 26–39. Springer, Heidelberg (1994)

7. Nyberg, K.: Linear approximation of block ciphers. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 439–444. Springer, Heidelberg (1995)

8. Knudsen, L.R.: A key-schedule weakness in SAFER K-64. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 274–286. Springer, Heidelberg (1995)

9. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)

10. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1991)

11. Difference Distribution Tables of DES, http://www.cs.technion.ac.il/~cs236506/ddt/DES.html

12. Courtois, N.T., Meier, W.: Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003)

13. Courtois, N.T., Bard, G.V.: Algebraic cryptanalysis of the data encryption standard. In: Galbraith, S.D. (ed.) Cryptography and Coding 2007. LNCS, vol. 4887, pp. 152–169. Springer, Heidelberg (2007)

14. Pless, V.: Introduction to Theory of Error Correcting Codes. Wiley & Sons, New York (1982)

15. Vaduva, I., Albeanu, G.: Introduction in Fuzzy Modeling. University of Bucharest Publishing House (2004)