![]() | This article is rated C-class on Wikipedia's
content assessment scale. It is of interest to the following WikiProjects: | |||||||||||||
|
An XXTEA differential attack demonstration
Reference post: http://groups.google.com/group/sci.crypt/browse_thread/thread/5ed40f85e693ef04 Further investigation needs to be done with respect to the viability of this algorithms security.
-Anon. —Preceding unsigned comment added by 78.46.82.176 ( talk) 18:45, 17 December 2008 (UTC)
From the article: "the algorithm was presented in an unpublished technical report in October 1998 (Wheeler and Needham, 1998)."
By "unpublished" do the editors mean an "unpublished work" in the copyright law sense of "author has not distributed copies of the work to the public", or only in the sense of "this article was first published outside of scholarly journals"? -- Damian Yerrick ( talk | stalk) 03:04, 4 October 2007 (UTC)
If I use the code provided in the article, without modification, in my own programs, what license would it be covered under? GFDL seems to be a strange license to release source code under. Is the code in the public domain, or covered by some other license like the GPL? Algebra 00:10, 11 October 2007 (UTC)
If anyone can provide a reference to a cryptologic research paper explaining this simple phenomenon, please do. If not, please write one. Currently I only have a working C source code of a program that quickly finds partial state collisions for 3 full cycles of XXTEA or for 6 full cycles of an XXTEA-like cipher with 16-bit words with a total time*memory complexity naturally equal to 248. It's a simple demonstration of this natural quality of all such incomplete UFN constructions that are meant to support arbitrarily large blocks. A change in any given number of words cannot cover the entire unbounded block after any fixed number of cycles, therefore partial state collisions will always occur. For XXTEA, it is as complex as finding a collision between two 6-word (192-bit) random numbers, iterating the cipher through which the change will be canceled out on every cycle leaving the rest of the block unaffected. This 296 search is easily accellerated by a time-memory trade-off. My guess is that once found, such partial collisions can assist in key recovery with a simple algebraic or guess-and-determine attack. So personally, I would advise to use 8 full cycles for 128-bit security. Ruptor 23:35, 30 October 2007 (UTC)
I think the cryptanalysis be Yarrkov is currently misrepresented, and I'd like to use the talk page in order to avoid an edit war. In particular the author does indeed seem to claim that the attack using 259 chosen messages works against 6 rounds. Since this is too time consuming to verify in experiments, the author did the experiments with reduced round variants that require significantly less chosen messages. 178.195.225.28 ( talk) 13:27, 9 September 2012 (UTC)
The image in the summary does not look accurate, Xr-1 and Xr+1 need to be switched. According to the specification y, which holds the data for the next block, is shifted by 2 and 3; and z, holding the data from the previous block, as being shifted by 5 and 4. The specification also has z XOR the sub-key and y XOR the delta multiple, the image shows the opposite to all these. — Preceding unsigned comment added by Informalmunch ( talk • contribs) 23:06, 22 January 2015 (UTC)
I can go ahead and edit the image, citing the original artist if they arn't around to do it themselves Informalmunch ( talk) 16:33, 18 February 2015 (UTC)
![]() | This article is rated C-class on Wikipedia's
content assessment scale. It is of interest to the following WikiProjects: | |||||||||||||
|
An XXTEA differential attack demonstration
Reference post: http://groups.google.com/group/sci.crypt/browse_thread/thread/5ed40f85e693ef04 Further investigation needs to be done with respect to the viability of this algorithms security.
-Anon. —Preceding unsigned comment added by 78.46.82.176 ( talk) 18:45, 17 December 2008 (UTC)
From the article: "the algorithm was presented in an unpublished technical report in October 1998 (Wheeler and Needham, 1998)."
By "unpublished" do the editors mean an "unpublished work" in the copyright law sense of "author has not distributed copies of the work to the public", or only in the sense of "this article was first published outside of scholarly journals"? -- Damian Yerrick ( talk | stalk) 03:04, 4 October 2007 (UTC)
If I use the code provided in the article, without modification, in my own programs, what license would it be covered under? GFDL seems to be a strange license to release source code under. Is the code in the public domain, or covered by some other license like the GPL? Algebra 00:10, 11 October 2007 (UTC)
If anyone can provide a reference to a cryptologic research paper explaining this simple phenomenon, please do. If not, please write one. Currently I only have a working C source code of a program that quickly finds partial state collisions for 3 full cycles of XXTEA or for 6 full cycles of an XXTEA-like cipher with 16-bit words with a total time*memory complexity naturally equal to 248. It's a simple demonstration of this natural quality of all such incomplete UFN constructions that are meant to support arbitrarily large blocks. A change in any given number of words cannot cover the entire unbounded block after any fixed number of cycles, therefore partial state collisions will always occur. For XXTEA, it is as complex as finding a collision between two 6-word (192-bit) random numbers, iterating the cipher through which the change will be canceled out on every cycle leaving the rest of the block unaffected. This 296 search is easily accellerated by a time-memory trade-off. My guess is that once found, such partial collisions can assist in key recovery with a simple algebraic or guess-and-determine attack. So personally, I would advise to use 8 full cycles for 128-bit security. Ruptor 23:35, 30 October 2007 (UTC)
I think the cryptanalysis be Yarrkov is currently misrepresented, and I'd like to use the talk page in order to avoid an edit war. In particular the author does indeed seem to claim that the attack using 259 chosen messages works against 6 rounds. Since this is too time consuming to verify in experiments, the author did the experiments with reduced round variants that require significantly less chosen messages. 178.195.225.28 ( talk) 13:27, 9 September 2012 (UTC)
The image in the summary does not look accurate, Xr-1 and Xr+1 need to be switched. According to the specification y, which holds the data for the next block, is shifted by 2 and 3; and z, holding the data from the previous block, as being shifted by 5 and 4. The specification also has z XOR the sub-key and y XOR the delta multiple, the image shows the opposite to all these. — Preceding unsigned comment added by Informalmunch ( talk • contribs) 23:06, 22 January 2015 (UTC)
I can go ahead and edit the image, citing the original artist if they arn't around to do it themselves Informalmunch ( talk) 16:33, 18 February 2015 (UTC)