Cryptanalysis of FROG
D. Wagner, N. Ferguson, and B. Schneier
Second AES Candiate Conference, April 1999, to appear
ABSTRACT: We examine some attacks on the FROG cipher. First we give a differential attack which uses about 258 chosen plaintexts and very little time for the analysis; it works for about 2-33.0 of the keyspace. Then we describe a linear attack that uses 256 known texts and works for 2-31.8 of the keyspace. The linear attack can also be converted to a ciphertext-only attack using 264 known ciphertexts. Also, the decryption function of FROG is a lot weaker than the encryption function. We show a differential attack on the decryption function that requires 236 chosen ciphertexts and works on 2-29.3 of the keyspace. Using our best attack, an attacker with a sufficient number of cryptanalytical targets can expect to recover his first key after 256.7 work.
Taken together, these observations suggest that FROG is not a very strong candidate for the AES.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.