COCONUT98
In cryptography, COCONUT98 (Cipher Organized with Cute Operations and N-Universal Transformation) is a block cipher designed by Serge Vaudenay in 1998. It was one of the first concrete applications of Vaudenay's decorrelation theory, designed to be provably secure against differential cryptanalysis, linear cryptanalysis, and even certain types of undiscovered cryptanalytic attacks.
The cipher uses a block size of 64 bits and a key size of 256 bits. Its basic structure is an 8-round Feistel network, but with an additional operation after the first 4 rounds, called a decorrelation module. This consists of a key-dependent affine transformation in the finite field GF(2^64), that is, a map of the form x -> a*x XOR b in which the multiplier a and the constant b are derived from the key; the multiplier must be non-zero for the map to be invertible. The round function makes use of modular multiplication and addition, bit rotation, XORs, and a single 8×24-bit S-box. The entries of the S-box are derived using the binary expansion of e as a source of "nothing up my sleeve numbers".
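The following is an added illustration, not code from COCONUT98 or from Vaudenay: a key-dependent affine map over GF(2^64) of the shape described above, together with a check of the property the decorrelation proof rests on. The reduction polynomial (x^64 + x^4 + x^3 + x + 1), the function names and the sample values are assumptions for the example; the page does not give COCONUT98's actual field representation, and the Feistel rounds around the module are not modelled.

```python
"""Key-dependent affine map over GF(2^64), the shape of COCONUT98's
decorrelation module, with a check of its pairwise-independence property.

Assumptions (not taken from COCONUT98's specification): the reduction
polynomial below is x^64 + x^4 + x^3 + x + 1, a standard irreducible
polynomial for GF(2^64); the real cipher may define the field differently,
and the round function around the module is not modelled here.
"""
import secrets

POLY = (1 << 64) | (1 << 4) | (1 << 3) | (1 << 1) | 1   # assumed modulus
MASK = (1 << 64) - 1


def gf_mul(a: int, b: int) -> int:
    """Carry-less (XOR) multiplication of two 64-bit field elements,
    reduced modulo POLY.  Linear over XOR: gf_mul(k, x ^ y) ==
    gf_mul(k, x) ^ gf_mul(k, y)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 64:           # degree reached 64: subtract (XOR) the modulus
            a ^= POLY
    return r & MASK


def gf_inv(a: int) -> int:
    """Multiplicative inverse via Fermat: a^(2^64 - 2) = a^-1 for a != 0."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^64)")
    result, base, e = 1, a, (1 << 64) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def module(x: int, k_mul: int, k_add: int) -> int:
    """Key-dependent affine map M(x) = k_mul * x XOR k_add in GF(2^64).
    It is a bijection exactly when k_mul != 0, so a key schedule feeding
    such a module must never produce k_mul == 0."""
    if k_mul == 0:
        raise ValueError("k_mul must be non-zero for the module to be invertible")
    return gf_mul(k_mul, x) ^ k_add


def module_inv(y: int, k_mul: int, k_add: int) -> int:
    """Inverse map, needed for decryption: x = k_mul^-1 * (y XOR k_add)."""
    return gf_mul(gf_inv(k_mul), y ^ k_add)


def module_output_difference(x: int, dx: int, k_mul: int, k_add: int) -> int:
    """XOR difference after the module for the input pair (x, x ^ dx).
    Because M is affine over XOR, this equals gf_mul(k_mul, dx): it depends
    on the key and dx only, never on x or k_add.  For a uniformly random
    non-zero k_mul every non-zero output difference is equally likely, so a
    fixed differential through the module holds with probability about
    2^-64 averaged over keys."""
    return module(x ^ dx, k_mul, k_add) ^ module(x, k_mul, k_add)


def recover_module_key(x1: int, y1: int, x2: int, y2: int) -> tuple[int, int]:
    """Pairwise independence made explicit: for any two distinct inputs and
    any two distinct outputs there is exactly one key (k_mul, k_add) with
    M(x1) = y1 and M(x2) = y2.  Hence, over a random key, (M(x1), M(x2)) is
    uniform over all pairs of distinct elements: a perfect decorrelation of
    order 2, which is the property Vaudenay's differential/linear bound uses.
    It also shows why the module is only useful sandwiched between Feistel
    rounds: two input/output pairs of the module alone give up its key."""
    if x1 == x2 or y1 == y2:
        raise ValueError("need distinct inputs and distinct outputs")
    k_mul = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    k_add = y1 ^ gf_mul(k_mul, x1)
    return k_mul, k_add


def random_module_key() -> tuple[int, int]:
    """Uniform key with k_mul drawn from the non-zero field elements."""
    return secrets.randbelow(MASK) + 1, secrets.randbits(64)


if __name__ == "__main__":
    k_mul, k_add = random_module_key()
    x, dx = 0x0123456789ABCDEF, 0x8000000000000001      # constructed sample
    y = module(x, k_mul, k_add)
    assert module_inv(y, k_mul, k_add) == x
    assert module_output_difference(x, dx, k_mul, k_add) == gf_mul(k_mul, dx)
    x2 = x ^ dx
    assert recover_module_key(x, y, x2, module(x2, k_mul, k_add)) == (k_mul, k_add)
    print("invertible; output difference is key-only; two pairs fix the key")
```

The point to take from `recover_module_key` is the limit of the guarantee: order-2 decorrelation says nothing about how the module behaves on four related texts at once, which is exactly the quartet structure a boomerang attack uses.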
Despite Vaudenay's proof of COCONUT98's security, in 1999 David Wagner developed the boomerang attack against it. The attack does not contradict the proof: decorrelation theory bounds the cipher's behaviour on pairs of plaintexts (decorrelation of order 2), which is what differential and linear cryptanalysis exploit, whereas a boomerang attack works with quartets of plaintexts and ciphertexts, which that bound does not cover. The attack requires both chosen plaintexts and adaptive chosen ciphertexts, so it is largely theoretical. Then in 2002, Biham et al. applied differential-linear cryptanalysis, a purely chosen-plaintext attack, to break the cipher. The same team has also developed what they call a related-key boomerang attack, which distinguishes COCONUT98 from random using one related-key adaptive chosen plaintext and ciphertext quartet under two keys.