Cryptanalysis of FROG

D. Wagner, N. Ferguson, and B. Schneier

Second AES Candiate Conference, April 1999, to appear

ABSTRACT: We examine some attacks on the FROG cipher. First we give a differential attack which uses about 258 chosen plaintexts and very little time for the analysis; it works for about 2-33.0 of the keyspace. Then we describe a linear attack that uses 256 known texts and works for 2-31.8 of the keyspace. The linear attack can also be converted to a ciphertext-only attack using 264 known ciphertexts. Also, the decryption function of FROG is a lot weaker than the encryption function. We show a differential attack on the decryption function that requires 236 chosen ciphertexts and works on 2-29.3 of the keyspace. Using our best attack, an attacker with a sufficient number of cryptanalytical targets can expect to recover his first key after 256.7 work.

Taken together, these observations suggest that FROG is not a very strong candidate for the AES.

[full text - PDF (Acrobat)] [full text - Postscript]

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..