Reflection cryptanalysis of some ciphers

Abstract

In this paper, we provide a theoretical infrastructure of the reflection attack. In addition, we mount the reflection attack on some ciphers such as GOST, DEAL and a variant of DES. The attack method exploits certain similarities among round functions which have not been utilized in the previous self-similarity attacks. As an illustration, we introduce a chosen plaintext attack on full-round GOST under the assumption that its S-boxes are bijective. The attack works on approximately 2224 keys and its complexity is 2192 steps with 232 chosen plaintexts. Also, we introduce a known plaintext attack on 30-round GOST, which works for any key. The key is recovered with 2224 steps by using only 232 known plaintexts. As another example, we deduce that the reflection attack works on DEAL for certain keys. For instance, a 192-bit DEAL-key can be identified as a weak key by using approximately 266 known plaintexts. Then, the key can be recovered with 2136 steps. The number of weak keys of 192-bit DEAL is roughly 280. © 2008 Springer Berlin Heidelberg.