Known-key distinguishing attack

In cryptography, a known-key distinguishing attack is an attack model against symmetric ciphers, whereby an attacker who knows the key can find a structural property in cipher, where the transformation from plaintext to ciphertext is not random. There is no common formal definition for what such a transformation may be. The chosen-key distinguishing attack is strongly related, where the attacker can choose a key to introduce such transformations.^[1]

These attacks do not directly compromise the confidentiality of ciphers, because in a classical scenario, the key is unknown to the attacker. Known-/chosen-key distinguishing attacks apply in the "open key model" instead.^[1] They are known to be applicable in some situations where block ciphers are converted to hash functions, leading to practical collision attacks against the hash.^[2]

Known-key distinguishing attacks were first introduced in 2007 by Lars Knudsen and Vincent Rijmen^[1] in a paper that proposed such an attack against 7 out of 10 rounds of the AES cipher and another attack against a generalized Feistel cipher. Their attack finds plaintext/ciphertext pairs for a cipher with a known key, where the input and output have s least significant bits set to zero, in less than 2^s time (where s is fewer than half the block size).^[3]

These attacks have also been applied to reduced-round Threefish (Skein)^[4][5] and Phelix.^[6]

See also

• Distinguishing attack
• Pseudorandom permutation
• Ciphertext indistinguishability

References

Further reading

• Yu Sasaki, Kan Yasuda. "Formalizing Known-Key “Distinguishers” - New Attacks on Feistel Ciphers" (PDF). Slides from CRYPTO 2010 Rump Session. 

Block ciphers (security summary) Common algorithms AES Blowfish DES (Internal Mechanics, Triple DES) Serpent Twofish Less common algorithms Camellia CAST-128 IDEA RC2 RC5 SEED ARIA Skipjack TEA XTEA Other algorithms 3-Way Akelarre Anubis BaseKing BassOmatic BATON BEAR and LION CAST-256 Chiasmus CIKS-1 CIPHERUNICORN-A CIPHERUNICORN-E CLEFIA CMEA Cobra COCONUT98 Crab Cryptomeria/C2 CRYPTON CS-Cipher DEAL DES-X DFC E2 FEAL FEA-M FROG G-DES GOST Grand Cru Hasty Pudding cipher Hierocrypt ICE IDEA NXT Intel Cascade Cipher Iraqi KASUMI KeeLoq KHAZAD Khufu and Khafre KN-Cipher Ladder-DES Libelle LOKI (97, 89/91) Lucifer M6 M8 MacGuffin Madryga MAGENTA MARS Mercy MESH MISTY1 MMB MULTI2 MultiSwap New Data Seal NewDES Nimbus NOEKEON NUSH PRESENT Q RC6 REDOC Red Pike S-1 SAFER SAVILLE SC2000 SHACAL SHARK Simon SMS4 Speck Spectr-H64 Square SXAL/MBAL Threefish Treyfer UES Xenon xmx XXTEA Zodiac Design Feistel network Key schedule Lai-Massey scheme Product cipher S-box P-box SPN Avalanche effect Block size Key size Key whitening (Whitening transformation) Attack (cryptanalysis) Brute-force (EFF DES cracker) MITM (Biclique attack, 3-subset MITM attack) Linear (Piling-up lemma) Differential (Impossible Truncated Higher-order) Differential-linear Distinguishing (Known-key) Integral/Square Boomerang Mod n Related-key Slide Rotational Timing XSL Interpolation Partitioning Davies' Rebound Weak key Tau Chi-square Time/memory/data tradeoff Standardization AES process CRYPTREC NESSIE Utilization Initialization vector Mode of operation Padding Cryptography History of cryptography Cryptanalysis Outline of cryptography Symmetric-key algorithm Block cipher Stream cipher Public-key cryptography Cryptographic hash function Message authentication code Random numbers Steganography Portal