[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Quick Mode and resistance to related-key cryptanalysis

Certainly one designs keying protocols with the idea that keys should be as independent as
possible, given the amount of effort available.  There are multiple reasons
for this, and related key cryptanalysis of particular ciphers is one of them.


>>> "Marcus Leech" <mleech@nortelnetworks.com> 03/29/99 12:15PM >>> wrote
 that Hilarie Orman wrote:
> What?  In the generic sense, of course you shouldn't be able to relate
> keys.  Is there a specific definition of "related key cryptanalysis"?

Yes, I recall early on a discussion about simple transformations
  of existing keys in Quick Mode exchanges, it is exactly those
  simple, predictable key changes, that makes related-key
  cryptanalysis work.  Granted, for many algorithms, related-key
  cryptanalysis is not particularly feasible, but for others, it's
  a concern.