Results 1-10 of 32
Parallel Collision Search with Cryptanalytic Applications
Journal of Cryptology, 1996
Abstract

Cited by 145 (3 self)
A simple new technique of parallelizing methods for solving search problems which seek collisions in pseudorandom walks is presented. This technique can be adapted to a wide range of cryptanalytic problems which can be reduced to finding collisions. General constructions are given showing how to adapt the technique to finding discrete logarithms in cyclic groups, finding meaningful collisions in hash functions, and performing meet-in-the-middle attacks such as a known-plaintext attack on double encryption. The new technique greatly extends the reach of practical attacks, providing the most cost-effective means known to date for defeating: the small subgroup used in certain schemes based on discrete logarithms such as Schnorr, DSA, and elliptic curve cryptosystems; hash functions such as MD5, RIPEMD, SHA-1, MDC-2, and MDC-4; and double encryption and three-key triple encryption. The practical significance of the technique is illustrated by giving the design for three $10 million custom machines which could be built with current technology: one finds elliptic curve logarithms in GF(2 ) thereby defeating a proposed elliptic curve cryptosystem in expected time 32 days, the second finds MD5 collisions in expected time 21 days, and the last recovers a double-DES key from 2 known plaintexts in expected time 4 years, which is four orders of magnitude faster than the conventional meet-in-the-middle attack on double-DES. Based on this attack, double-DES offers only 17 more bits of security than single-DES.
Truncated and Higher Order Differentials
Fast Software Encryption, Second International Workshop, Leuven, Belgium, LNCS 1008, 1995
Abstract

Cited by 97 (9 self)
In [6] higher order derivatives of discrete functions were considered and the concept of higher order differentials was introduced. We introduce the concept of truncated differentials and present attacks on ciphers presumably secure against differential attacks, but vulnerable to attacks using higher order and truncated differentials. Also we give a differential attack using truncated differentials on DES reduced to 6 rounds using only 46 chosen plaintexts with an expected running time of about the time of 3,500 encryptions. Finally it is shown how to find a minimum nonlinear order of a block cipher using higher order differentials.
PRESENT: An Ultra-Lightweight Block Cipher
Proceedings of CHES 2007, 2007
Abstract

Cited by 68 (8 self)
With the establishment of the AES the need for new block ciphers has been greatly diminished; for almost all block cipher applications the AES is an excellent and preferred choice. However, despite recent implementation advances, the AES is not suitable for extremely constrained environments such as RFID tags and sensor networks. In this paper we describe an ultra-lightweight block cipher, PRESENT. Both security and hardware efficiency have been equally important during the design of the cipher and at 1570 GE, the hardware requirements for PRESENT are competitive with today's leading compact stream ciphers.
Twofish: A 128-Bit Block Cipher
In First Advanced Encryption Standard (AES) Conference, 1998
Abstract

Cited by 54 (8 self)
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
A Generalization of Linear Cryptanalysis and the Applicability of Matsui's Piling-up Lemma
1995
Abstract

Cited by 44 (5 self)
Matsui's linear cryptanalysis for iterated block ciphers is generalized by replacing his linear expressions with I/O sums. For a single round, an I/O sum is the XOR of a balanced binary-valued function of the round input and a balanced binary-valued function of the round output. The basic attack is described and conditions for it to be successful are given. A procedure for finding effective I/O sums, i.e., I/O sums yielding successful attacks, is given. A cipher contrived to be secure against linear cryptanalysis but vulnerable to this generalization of linear cryptanalysis is given. Finally, it is argued that the ciphers IDEA and SAFER K-64 are secure against this generalization. Keywords. Linear cryptanalysis, differential cryptanalysis, piling-up lemma, IDEA, SAFER. 1 Introduction Linear cryptanalysis, which was introduced by Matsui in [Mat93] to attack DES, is an attack that applies to any iterated block cipher. In this paper, we develop a generalized version of linear cryptanalysis...
Chaos and Cryptography: Block Encryption Ciphers Based on Chaotic Maps
IEEE Transactions on Circuits and Systems-I: Fundamental Theory and Applications, 2001
Abstract

Cited by 35 (0 self)
This paper is devoted to the analysis of the impact of chaos-based techniques on block encryption ciphers. We present several chaos-based ciphers. Using the well-known principles of cryptanalysis we show that these ciphers do not behave worse than the standard ones, opening in this way a novel approach to the design of block encryption ciphers. Index Terms: Block encryption ciphers, chaos, cryptography, S-boxes.
Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent
In the pre-proceedings of the Fast Software Encryption Workshop 2000, 2000
Abstract

Cited by 29 (2 self)
We introduce a new cryptanalytic technique based on Wagner's boomerang and inside-out attacks. We first describe this new attack in terms of the original boomerang attack, and then demonstrate its use on reduced-round variants of the MARS core and Serpent. Our attack breaks eleven rounds of the MARS core with 2^65 chosen plaintexts, 2^70 memory, and 2^229 partial decryptions. Our attack breaks eight rounds of Serpent with 2^114 chosen plaintexts, 2^119 memory, and 2^179 partial decryptions. 1 Introduction MARS [BCD+98] and Serpent [ABK98] are block ciphers that have been proposed as AES candidates [NIST97a,NIST97b]. More recently, both were chosen as AES finalists. We have spent considerable time in the last few months cryptanalyzing both ciphers, with the bulk of our results appearing in [KS00,KKS00]. During our work on MARS, we developed a new class of attack based on David Wagner's boomerang and inside-out attacks [Wag99]. In this paper, we present this new cl...
A Tutorial on Linear and Differential Cryptanalysis
2001
Abstract

Cited by 25 (1 self)
In this paper, we present a detailed tutorial on linear cryptanalysis and differential cryptanalysis, the two most significant attacks applicable to symmetric-key block ciphers. The intent of the paper is to present a lucid explanation of the attacks, detailing the practical application of the attacks to a cipher in a simple, conceptually revealing manner for the novice cryptanalyst. The tutorial is based on the analysis of a simple, yet realistically structured, basic Substitution-Permutation Network cipher. Understanding the attacks as they apply to this structure is useful, as the Rijndael cipher, recently selected for the Advanced Encryption Standard (AES), has been derived from the basic SPN architecture. As well, experimental data from the attacks is presented as confirmation of the applicability of the concepts as outlined.
The Cipher SHARK
Fast Software Encryption, Third International Workshop, 1996
Abstract

Cited by 22 (3 self)
We present the new block cipher SHARK. This cipher combines highly nonlinear substitution boxes and maximum distance separable error correcting codes (MDS codes) to guarantee a good diffusion. The cipher is resistant against differential and linear cryptanalysis after a small number of rounds. The structure of SHARK is such that a fast software implementation is possible, both for the encryption and the decryption. Our C implementation of SHARK runs more than four times faster than SAFER and IDEA on a 64-bit architecture.
Partitioning Cryptanalysis
Fast Software Encryption, 4th International Workshop Proceedings, 1997
Abstract

Cited by 19 (0 self)
Matsui's linear cryptanalysis for iterated block ciphers is generalized to an attack called partitioning cryptanalysis. This attack exploits a weakness that can be described by an effective partition-pair, i.e., a partition of the plaintext set and a partition of the next-to-last-round output set such that, for every key, the next-to-last-round outputs are non-uniformly distributed over the blocks of the second partition when the plaintexts are chosen uniformly at random from a particular block of the first partition. The last-round attack by partitioning cryptanalysis is formalized and requirements for it to be successful are stated. The success probability is approximated and a procedure for finding effective partition-pairs is formulated. The usefulness of partitioning cryptanalysis is demonstrated by applying it successfully to six rounds of the DES. Keywords. Iterated block ciphers, linear cryptanalysis, partitioning cryptanalysis, DES. 1 Introduction In cryptography, frequent use is made of iterated block ciphers in which a keyed function, called the round function, is iterated r ...