The Full Wiki

More info on COCONUT98

COCONUT98: Wikis


Note: Many of our articles have direct quotes from sources you can cite, within the Wikipedia article! This article doesn't yet, but we're working on it! See more info or our list of citable articles.


From Wikipedia, the free encyclopedia

Designers Serge Vaudenay
First published 1998
Related to DFC
Cipher detail
Key sizes 256 bits
Block sizes 64 bits
Structure Decorrelated Feistel cipher
Rounds 8
Best public cryptanalysis
Wagner's boomerang attack uses about 216 adaptively-chosen plaintexts and ciphertexts, about 238 work, and succeeds with probability 99.96%.
The differential-linear attack by Biham, et al. uses 227.7 chosen plaintexts and about 233.7 work, and has a 75.5% success rate.

In cryptography, COCONUT98 (Cipher Organized with Cute Operations and N-Universal Transformation) is a block cipher designed by Serge Vaudenay in 1998. It was one of the first concrete applications of Vaudenay's decorrelation theory, designed to be provably secure against differential cryptanalysis, linear cryptanalysis, and even certain types of undiscovered cryptanalytic attacks.

The cipher uses a block size of 64 bits and a key size of 256 bits. Its basic structure is an 8-round Feistel network, but with an additional operation after the first 4 rounds, called a decorrelation module. This consists of a key-dependent affine transformation in the finite field GF(264). The round function makes use of modular multiplication and addition, bit rotation, XORs, and a single 8×24-bit S-box. The entries of the S-box are derived using the binary expansion of e as a source of "nothing up my sleeve numbers".[1]

Despite Vaudenay's proof of COCONUT98's security, in 1999 David Wagner developed the boomerang attack against it.[2] This attack, however, requires both chosen plaintexts and adaptive chosen ciphertexts, so is largely theoretical.[3] Then in 2002, Biham, et al. applied differential-linear cryptanalysis, a purely chosen-plaintext attack, to break the cipher.[4] The same team has also developed what they call a related-key boomerang attack, which distinguishes COCONUT98 from random using one related-key adaptive chosen plaintext and ciphertext quartet under two keys.[5]


  1. ^ Serge Vaudenay (February 1998). "Provable Security for Block Ciphers by Decorrelation" (PostScript). 15th Annual Symposium on Theoretical Aspects of Computer Science (STACS '98). Paris: Springer-Verlag. pp. 249–275. Retrieved 2007-02-26.  
  2. ^ David Wagner (March 1999). "The Boomerang Attack" (PDF/PostScript). 6th International Workshop on Fast Software Encryption (FSE '99). Rome: Springer-Verlag. pp. 156–170. Retrieved 2007-02-05.  
  3. ^ Serge Vaudenay (September 2003). "Decorrelation: A Theory for Block Cipher Security" (PDF). Journal of Cryptology 16 (4): 249–286. doi:10.1007/s00145-003-0220-6. ISSN 0933-2790. Retrieved 2007-02-26.  
  4. ^ Eli Biham, Orr Dunkelman, Nathan Keller (December 2002). "Enhancing Differential-Linear Cryptanalysis" (PDF/PostScript). Advances in Cryptology — Proceedings of ASIACRYPT 2002. Queenstown, New Zealand: Springer-Verlag. pp. 254–266. Retrieved 2007-02-05.  
  5. ^ Biham, Dunkelman, Keller (May 2005). "Related-Key Boomerang and Rectangle Attacks" (PostScript). Advances in Cryptology — Proceedings of EUROCRYPT 2005. Aarhus: Springer-Verlag. pp. 507–525. Retrieved 2007-02-16.  


Got something to say? Make a comment.
Your name
Your email address