[ISN] Cryptanalysis of Frog, an AES Candidate

From: mea culpa (jerichoat_private)
Date: Tue Aug 18 1998 - 16:13:42 PDT

  • Next message: mea culpa: "[ISN] Utilities worker lands in jail"

    From: schneierat_private (Bruce Schneier)
    Results Announcement:
    D. Wagner, N. Ferguson, and B. Schneier, "Cryptanalysis of Frog,"
    Counterpane Systems Report, Aug 1998.
    We examine some attacks on the FROG cipher.  First we give a differential
    attack which uses about $2^{58}$ chosen plaintexts and very little time
    for the analysis; it works for about $2^{-33.0}$ of the keyspace.  Then we
    describe a linear attack which uses $2^{56}$ known texts and works for
    $2^{-31.8}$ of the keyspace.  The linear attack can also be converted to a
    ciphertext-only attack using $2^{64}$ known ciphertexts.  Also, the
    decryption function of FROG is a lot weaker than the encryption function. 
    We show a differential attack on the decryption function that requires
    $2^{36}$ chosen ciphertexts and works on $2^{-29.3}$ of the keyspace. 
    Using our best attack an attacker with a sufficient number of
    cryptanalytical targets can expect to recover his first key after
    $2^{56.7}$ work.  Taken together, these observations suggest that FROG is
    not a very strong candidate for the AES. 
    This paper is available at http://www.counterpane.com/publish.html, and
    will be made available at the AES Workshop next week. 
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: New Dimensions International [www.newdimensions.net]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:01:28 PDT