From Wikipedia, the free encyclopedia
DesignersSerge Vaudenay
First published1998
Related toDFC
Cipher detail
Key sizes256 bits
Block sizes64 bits
StructureDecorrelated Feistel cipher
Best public cryptanalysis
Wagner's boomerang attack uses about 216 adaptively-chosen plaintexts and ciphertexts, about 238 work, and succeeds with probability 99.96%.[1]
The differential-linear attack by Biham, et al. uses 227.7 chosen plaintexts and about 233.7 work, and has a 75.5% success rate.[2]

In cryptography, COCONUT98 (Cipher Organized with Cute Operations and N-Universal Transformation) is a block cipher designed by Serge Vaudenay in 1998. It was one of the first concrete applications of Vaudenay's decorrelation theory, designed to be provably secure against differential cryptanalysis, linear cryptanalysis, and even certain types of undiscovered cryptanalytic attacks.

The cipher uses a block size of 64 bits and a key size of 256 bits. Its basic structure is an 8-round Feistel network, but with an additional operation after the first 4 rounds, called a decorrelation module. This consists of a key-dependent affine transformation in the finite field GF(264). The round function makes use of modular multiplication and addition, bit rotation, XORs, and a single 8×24-bit S-box. The entries of the S-box are derived using the binary expansion of e as a source of "nothing up my sleeve numbers".[3]

Despite Vaudenay's proof of COCONUT98's security, in 1999 David Wagner developed the boomerang attack against it.[1] This attack, however, requires both chosen plaintexts and adaptive chosen ciphertexts, so is largely theoretical.[4] Then in 2002, Biham, et al. applied differential-linear cryptanalysis, a purely chosen-plaintext attack, to break the cipher.[2] The same team has also developed what they call a related-key boomerang attack, which distinguishes COCONUT98 from random using one related-key adaptive chosen plaintext and ciphertext quartet under two keys.[5]


  1. ^ a b David Wagner (March 1999). The Boomerang Attack (PDF). 6th International Workshop on Fast Software Encryption (FSE '99). Rome: Springer-Verlag. pp. 156–170. doi:10.1007/3-540-48519-8_12. Retrieved 7 October 2023.
  2. ^ a b Eli Biham, Orr Dunkelman, Nathan Keller (December 2002). Enhancing Differential-Linear Cryptanalysis (PDF/PostScript). Advances in Cryptology — Proceedings of ASIACRYPT 2002. Queenstown, New Zealand: Springer-Verlag. pp. 254–266. Retrieved 5 February 2007.{{cite conference}}: CS1 maint: multiple names: authors list (link)
  3. ^ Serge Vaudenay (February 1998). Provable Security for Block Ciphers by Decorrelation. 15th Annual Symposium on Theoretical Aspects of Computer Science (STACS '98). Paris: Springer-Verlag. pp. 249–275. Archived from the original (PostScript) on 23 April 2007. Retrieved 26 February 2007.
  4. ^ Serge Vaudenay (September 2003). "Decorrelation: A Theory for Block Cipher Security" (PDF). Journal of Cryptology. 16 (4): 249–286. doi:10.1007/s00145-003-0220-6. ISSN 0933-2790. S2CID 14252770. Archived from the original (PDF) on 21 February 2007. Retrieved 26 February 2007.
  5. ^ Biham, Dunkelman, Keller (May 2005). Related-Key Boomerang and Rectangle Attacks (PostScript). Advances in Cryptology — Proceedings of EUROCRYPT 2005. Aarhus: Springer-Verlag. pp. 507–525. Retrieved 16 February 2007.{{cite conference}}: CS1 maint: multiple names: authors list (link)[permanent dead link]