Results 1-10 of 21
Tweakable block ciphers
2002
Cited by 113 (4 self)
Abstract. We propose a new cryptographic primitive, the “tweakable block cipher.” Such a cipher has not only the usual inputs—message and cryptographic key—but also a third input, the “tweak.” The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our proposal thus brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher “tweakable” is small, and (3) it is easier to design and prove modes of operation based on tweakable block ciphers.
How to protect DES against exhaustive key search
Journal of Cryptology, 1996
Cited by 93 (12 self)
Abstract. The block cipher DESX is defined by $\mathrm{DESX}_{k:k1:k2}(x) = k2 \oplus \mathrm{DES}_k(k1 \oplus x)$, where $\oplus$ denotes bitwise exclusive-or. This construction was first suggested by Rivest as a computationally cheap way to protect DES against exhaustive key-search attacks. This paper proves, in a formal model, that the DESX construction is sound. We show that, when F is an idealized block cipher, FX
Twofish: A 128-Bit Block Cipher
in First Advanced Encryption Standard (AES) Conference, 1998
Cited by 58 (8 self)
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over $GF(2^8)$, a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with $2^{22.5}$ chosen plaintexts and $2^{51}$ effort.
Mercy: A fast large block cipher for disk sector encryption
Proc. Fast Software Encryption 2000, LNCS 1978, 2000
Cited by 23 (0 self)
Abstract. We discuss the special requirements imposed on the underlying cipher of systems which encrypt each sector of a disk partition independently, and demonstrate a certificational weakness in some existing block ciphers including Bellare and Rogaway’s 1999 proposal, proposing a new quantitative measure of avalanche. To address these needs, we present Mercy, a new block cipher accepting large (4096-bit) blocks, which uses a key-dependent state machine to build a bijective F function for a Feistel cipher. Mercy achieves 9 cycles/byte on a Pentium compatible processor.
Block Ciphers and Stream Ciphers: The State of the Art, Cryptology ePrint Archive, 2004, Report 2004/094. Available at http://eprint.iacr.org/2004/094
Cited by 11 (0 self)
Abstract. In these lecture notes we survey the state of the art in symmetric key encryption, in particular in the block ciphers and stream ciphers area. The area of symmetric key encryption has been very active in the last five years due to growing interest from academic and industry research, standardization efforts like AES, NESSIE and CRYPTREC, as well as due to ease of government control over export of cryptography.
New lightweight crypto algorithms for RFID
In: Proceedings of the 2007 IEEE International Symposium on Circuits and Systems (2007)
Cited by 6 (0 self)
We propose a new block cipher, DESL (DES Lightweight extension), which is strong, compact and efficient. Due to its low area constraints DESL is especially suited for RFID (Radio Frequency Identification) devices. DESL is based on the classical DES (Data Encryption Standard) design; however, unlike DES it uses a single S-box repeated eight times. This approach makes it possible to considerably decrease chip size requirements. The S-box has been highly optimized in such a way that DESL resists common attacks, i.e., linear and differential cryptanalysis, and the Davies-Murphy attack. Therefore DESL achieves a security level which is appropriate for many applications. Furthermore, we propose a lightweight implementation of DESL which requires 45% less chip size and 86% fewer clock cycles than the best AES implementations with regard to RFID applications. Compared to the smallest DES implementation published, our DESL design requires 38% fewer transistors. Our 0.18 µm DESL implementation requires a chip size of 7392 transistors (1848 gate equivalences) and is capable of encrypting a 64-bit plaintext in 144 clock cycles. When clocked at 100 kHz, it draws an average current of only 0.89 µA. These hardware figures are in the range of the best eSTREAM stream-cipher candidates, comprising DESL as a new alternative for ultra-low-cost encryption.
A Better Key Schedule for DES-Like Ciphers
in Advances in Cryptology: Proceedings of Pragocrypt '96, 1996
Cited by 5 (0 self)
Several DES-like ciphers aren’t utilizing their full potential strength, because of the short key and linear or otherwise easily tractable algorithms they use to generate their key schedules. Using DES as example, we show a way to generate round subkeys to increase the cipher strength substantially by making relations between the round subkeys practically intractable.
Securing DES S-boxes against Three Robust Cryptanalysis
Proceedings of the Workshop on Selected Areas in Cryptography (SAC '95), 1995
Cited by 4 (0 self)
In this paper, we propose an expanded set of design criteria for the generation of DES-like S-boxes which enable DES being immunized against three known robust cryptanalysis, i.e., differential, Improved Davies' and linear cryptanalysis and we also suggest a set of new 8 DES-like S-boxes generated by our proposed design criteria in order to replace with the current 8 DES S-boxes. The computer simulation leads us to conclude that the breaking complexity of the strengthened DES (we call $s^5$ DES) by three powerful cryptanalysis is no more efficient than the key-exhaustive search.
1 Introduction
Until now, three powerful cryptanalysis have been published to break DES (Data Encryption Standard) [1] more efficiently than the 56-bit key exhaustive search. One is the DC (Differential Cryptanalysis) proposed by Biham and Shamir [2],[4] in 1990. The DC is a kind of chosen plaintext attack in a sense that an attacker has to choose $2^{47}$ plaintexts and their corresponding ciphertexts to find an...
Cryptanalysis of PRESENT-Like Ciphers with Secret S-Boxes
In FSE 2011, volume 6733 of Lecture Notes in Computer Science, 2011
Cited by 1 (0 self)
Abstract. At Eurocrypt 2001, Biryukov and Shamir investigated the security of AES-like ciphers where the substitutions and affine transformations are all key-dependent and successfully cryptanalysed two and a half rounds. This paper considers PRESENT-like ciphers in a similar manner. We focus on the settings where the S-boxes are key dependent, and repeated for every round. We break one particular variant which was proposed in 2009 with practical complexity in a chosen plaintext/chosen ciphertext scenario. Extrapolating these results suggests that up to 28 rounds of such ciphers can be broken. Furthermore, we outline how our attack strategy can be applied to an extreme case where the S-boxes are chosen uniformly at random for each round and where the bit permutation is secret as well.