
From Surf Wiki (app.surf) — the open knowledge base

COCONUT98

Block cipher


| Field | Value |
|---|---|
| Name | COCONUT98 |
| Designers | Serge Vaudenay |
| Publish date | 1998 |
| Related to | DFC |
| Key size | 256 bits |
| Block size | 64 bits |
| Structure | Decorrelated Feistel cipher |
| Rounds | 8 |
| Cryptanalysis | Wagner's boomerang attack uses about 2<sup>16</sup> adaptively-chosen plaintexts and ciphertexts, about 2<sup>38</sup> work, and succeeds with probability 99.96%. The differential-linear attack by Biham, et al. uses 2<sup>27.7</sup> chosen plaintexts and about 2<sup>33.7</sup> work, and has a 75.5% success rate. |

In cryptography, COCONUT98 (Cipher Organized with Cute Operations and N-Universal Transformation) is a block cipher designed by Serge Vaudenay in 1998. It was one of the first concrete applications of Vaudenay's decorrelation theory, designed to be provably secure against differential cryptanalysis, linear cryptanalysis, and even certain types of undiscovered cryptanalytic attacks.

The cipher uses a block size of 64 bits and a key size of 256 bits. Its basic structure is an 8-round Feistel network, but with an additional operation after the first 4 rounds, called a decorrelation module. This consists of a key-dependent affine transformation in the finite field GF(2<sup>64</sup>). The round function makes use of modular multiplication and addition, bit rotation, XORs, and a single 8×24-bit S-box. The entries of the S-box are derived using the binary expansion of e as a source of "nothing up my sleeve numbers".
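The decorrelation module described above can be sketched as an affine map over GF(2<sup>64</sup>). This is an added example, not code from the cipher's specification: the reduction polynomial, the generic form a·x + b, and all function names are assumptions made for illustration.

```python
# Assumption: the page does not give the field representation. This example
# uses x^64 + x^4 + x^3 + x + 1 (irreducible; the polynomial CMAC uses for
# 64-bit blocks), which is not necessarily the one in the cipher's spec.
REDUCTION = 0x1B
MASK64 = (1 << 64) - 1

def gf_mul(a, b):
    """Multiply two elements of GF(2^64): shift-and-add with reduction."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        carry = a >> 63
        a = (a << 1) & MASK64
        if carry:
            a ^= REDUCTION
    return result

def gf_inv(a):
    """Inverse via Fermat's little theorem: a^(2^64 - 2)."""
    if a == 0:
        raise ValueError("multiplier must be nonzero to be invertible")
    result, base, exp = 1, a, (1 << 64) - 2
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result

def decorrelate(block, a, b):
    """Key-dependent affine map M(x) = a*x + b ('+' is XOR in GF(2^64))."""
    return gf_mul(a, block) ^ b

def decorrelate_inv(block, a, b):
    """Inverse map needed for decryption: x = a^-1 * (y + b)."""
    return gf_mul(gf_inv(a), block ^ b)

def solve_key(x1, y1, x2, y2):
    """For x1 != x2, exactly one (a, b) sends x1 -> y1 and x2 -> y2.
    This pairwise independence is what decorrelation theory relies on."""
    a = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    return a, y1 ^ gf_mul(a, x1)
```

The map is a bijection only when the multiplier `a` is nonzero, which is why `gf_inv` rejects zero.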

Despite Vaudenay's proof of COCONUT98's security, in 1999 David Wagner developed the boomerang attack against it. This attack, however, requires both chosen plaintexts and adaptive chosen ciphertexts, so is largely theoretical. Then in 2002, Biham, et al. applied differential-linear cryptanalysis, a purely chosen-plaintext attack, to break the cipher. The same team has also developed what they call a related-key boomerang attack, which distinguishes COCONUT98 from random using one related-key adaptive chosen plaintext and ciphertext quartet under two keys.

References

  1. Serge Vaudenay. (February 1998). "Provable Security for Block Ciphers by Decorrelation". Springer-Verlag.
  2. David Wagner. (March 1999). "The Boomerang Attack". Springer-Verlag.
  3. Serge Vaudenay. (September 2003). "Decorrelation: A Theory for Block Cipher Security". Journal of Cryptology.
  4. Eli Biham, Orr Dunkelman, Nathan Keller. (December 2002). "Enhancing Differential-Linear Cryptanalysis". Springer-Verlag.
  5. Biham, Dunkelman, Keller. (July 2017). "Related-Key Boomerang and Rectangle Attacks". Springer-Verlag.

This article was imported from Wikipedia and is available under the Creative Commons Attribution-ShareAlike 4.0 License. Content has been adapted to SurfDoc format. Original contributors can be found on the article history page.
