known-key distinguishing attack
{{Short description|Cryptographic attack}}
In cryptography, a known-key distinguishing attack is an attack model against symmetric ciphers, whereby an attacker who knows the key can find a structural property in the cipher, where the transformation from plaintext to ciphertext is not random. There is no common formal definition for what such a transformation may be. The chosen-key distinguishing attack is strongly related, where the attacker can choose a key to introduce such transformations.{{cite conference |url=https://eprint.iacr.org/2015/222 |author=Elena Andreeva |author2=Andrey Bogdanov |author3=Bart Mennink |date=8 July 2014 |title=Towards Understanding the Known-Key Security of Block Ciphers |conference=FSE 2014 }}
These attacks do not directly compromise the confidentiality of ciphers, because in a classical scenario, the key is unknown to the attacker. Known-/chosen-key distinguishing attacks apply in the "open key model" instead. They are known to be applicable in some situations where block ciphers are converted to hash functions, leading to practical collision attacks against the hash.{{cite conference |url=https://www.iacr.org/archive/fse2011/67330405/67330405.pdf |author=Yu Sasaki |author2=Kan Yasuda |date=2011 |title=Known-Key Distinguishers on 11-Round Feistel and Collision Attacks on Its Hashing Modes |conference=FSE 2011 }}
Known-key distinguishing attacks were first introduced in 2007 by Lars Knudsen and Vincent Rijmen in a paper that proposed such an attack against 7 out of 10 rounds of the AES cipher and another attack against a generalized Feistel cipher. Their attack finds plaintext/ciphertext pairs for a cipher with a known key, where the input and output have s least significant bits set to zero, in less than 2<sup>s</sup> time (where s is fewer than half the block size).{{cite conference |url=https://www.iacr.org/archive/asiacrypt2007/48330316/48330316.pdf |author=Lars Knudsen |author2=Vincent Rijmen |date=2007 |title=Known-Key Distinguishers for Some Block Ciphers |conference=Asiacrypt 2007 }}
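
The property described above, shown on a constructed and deliberately weak two-round Feistel toy cipher (an added example, not code from the cited papers and not the Knudsen and Rijmen attack on AES or on their Feistel target). The cipher, the round function `F`, the sample keys and the function names are all assumptions of this example; it contrasts the generic search of about 2<sup>s</sup> encryptions with a pair computed directly once the round keys are known.

```python
import hashlib

HALF = 16                       # half-block width in bits (toy 32-bit block)
MASK = (1 << HALF) - 1

def F(k: bytes, x: int) -> int:
    """Toy round function: SHA-256 of key || half-block, truncated to 16 bits."""
    return int.from_bytes(hashlib.sha256(k + x.to_bytes(2, "big")).digest()[:2], "big")

def encrypt(keys, block: int) -> int:
    """Constructed two-round Feistel cipher, no swap after the last round."""
    L, R = block >> HALF, block & MASK
    L, R = R, L ^ F(keys[0], R)     # round 1, then swap
    L ^= F(keys[1], R)              # round 2, halves left in place
    return (L << HALF) | R

def low_bits_zero(v: int, s: int) -> bool:
    return v & ((1 << s) - 1) == 0

def generic_search(keys, s: int):
    """Baseline: encrypt inputs with s zero low bits until the output also
    qualifies. Each trial succeeds with probability 2**-s, so about 2**s trials."""
    for trials, hi in enumerate(range(1 << (2 * HALF - s)), 1):
        p = hi << s
        if low_bits_zero(encrypt(keys, p), s):
            return p, trials
    raise RuntimeError("no pair found")

def known_key_pair(keys, s: int, r0_hi: int = 1, r1_hi: int = 1) -> int:
    """Known-key shortcut: fix both right halves, then solve round 1 for L0.
    Costs one round-function call regardless of s (s <= HALF)."""
    R0 = (r0_hi << s) & MASK        # input right half, s low bits zero
    R1 = (r1_hi << s) & MASK        # desired output right half, s low bits zero
    L0 = R1 ^ F(keys[0], R0)        # forces L0 ^ F(k1, R0) == R1
    return (L0 << HALF) | R0

if __name__ == "__main__":
    keys, s = (b"round-key-1", b"round-key-2"), 12   # constructed sample key
    p, trials = generic_search(keys, s)
    q = known_key_pair(keys, s)
    print(f"generic: {trials} encryptions -> {p:08x} -> {encrypt(keys, p):08x}")
    print(f"known-key: 1 round call -> {q:08x} -> {encrypt(keys, q):08x}")
```
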
These attacks have also been applied to reduced-round Threefish (Skein){{cite web |url=https://www.schneier.com/blog/archives/2010/09/more_skein_news.html |author=Bruce Schneier |date=1 September 2010 |title=More Skein News |work=Schneier on Security |author-link=Bruce Schneier }}{{cite journal |author1=Dmitry Khovratovich |author2=Ivica Nikolic |author3=Christian Rechberger |date=20 October 2010 |title=Rotational Rebound Attacks on Reduced Skein |journal=Cryptology ePrint Archive |url=https://eprint.iacr.org/2010/538 }} and Phelix.{{cite journal |author=Yaser Esmaeili Salehani |author2=Hadi Ahmadi |date=2006 |title=A Chosen-key Distinguishing Attack on Phelix |citeseerx = 10.1.1.431.3015}}
References
{{Reflist}}
= Further reading =
- {{cite journal |url=http://rump2010.cr.yp.to/e29460260345c462b53eb32c98ce20b6.pdf |author=Yu Sasaki |author2=Kan Yasuda |title=Formalizing Known-Key "Distinguishers" - New Attacks on Feistel Ciphers |journal=Slides from CRYPTO 2010 Rump Session}}