Results 1 - 10 of 22
PRESENT: An Ultra-Lightweight Block Cipher
Proceedings of CHES 2007, 2007
Cited by 68 (8 self)
Abstract. With the establishment of the AES the need for new block ciphers has been greatly diminished; for almost all block cipher applications the AES is an excellent and preferred choice. However, despite recent implementation advances, the AES is not suitable for extremely constrained environments such as RFID tags and sensor networks. In this paper we describe an ultra-lightweight block cipher, PRESENT. Both security and hardware efficiency have been equally important during the design of the cipher and at 1570 GE, the hardware requirements for PRESENT are competitive with today's leading compact stream ciphers.
Decorrelation: A Theory for Block Cipher Security
Journal of Cryptology, 2003
Cited by 34 (4 self)
Abstract. Pseudorandomness is a classical model for the security of block ciphers. In this paper we propose convenient tools in order to study it in connection with the Shannon Theory, the Carter-Wegman universal hash functions paradigm, and the Luby-Rackoff approach. This enables the construction of new ciphers with security proofs under specific models. We show how to ensure security against basic differential and linear cryptanalysis and even more general attacks. We propose practical construction schemes.
A Tutorial on Linear and Differential Cryptanalysis
2001
Cited by 25 (1 self)
Abstract. In this paper, we present a detailed tutorial on linear cryptanalysis and differential cryptanalysis, the two most significant attacks applicable to symmetric-key block ciphers. The intent of the paper is to present a lucid explanation of the attacks, detailing the practical application of the attacks to a cipher in a simple, conceptually revealing manner for the novice cryptanalyst. The tutorial is based on the analysis of a simple, yet realistically structured, basic Substitution-Permutation Network cipher. Understanding the attacks as they apply to this structure is useful, as the Rijndael cipher, recently selected for the Advanced Encryption Standard (AES), has been derived from the basic SPN architecture. As well, experimental data from the attacks is presented as confirmation of the applicability of the concepts as outlined.
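Both attacks in this tutorial start from two tables of the cipher's S-box: the difference distribution table (DDT) for differential cryptanalysis and the linear approximation table (LAT) for linear cryptanalysis, with single-S-box linear biases chained across rounds by Matsui's piling-up lemma. The following is an added example, not code from the tutorial or from the PRESENT paper listed above: it computes both tables for a 4-bit S-box, instantiated with the published PRESENT S-box, and applies the piling-up lemma. The function names and the three-bias chain passed to `piling_up` are our own illustration.

```python
# Added example (not from the tutorial above): DDT, LAT and the piling-up lemma
# for a 4-bit S-box, instantiated with the published PRESENT S-box.

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(x):
    """Parity of the bits of x: the dot product used by linear masks."""
    return bin(x).count("1") & 1


def ddt(sbox):
    """Difference distribution table: ddt[din][dout] counts the inputs x with
    S(x) ^ S(x ^ din) == dout.  Row 0 is the trivial 0 -> 0 differential."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for din in range(n):
        for x in range(n):
            table[din][sbox[x] ^ sbox[x ^ din]] += 1
    return table


def lat(sbox):
    """Linear approximation table: lat[a][b] = #{x : a.x == b.S(x)} - n/2.
    The bias of the approximation a.x = b.S(x) is lat[a][b] / n."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            hits = sum(1 for x in range(n) if parity(a & x) == parity(b & sbox[x]))
            table[a][b] = hits - n // 2
    return table


def max_differential_probability(sbox):
    """Largest probability of any differential with a nonzero input difference."""
    n = len(sbox)
    table = ddt(sbox)
    return max(table[d][o] for d in range(1, n) for o in range(n)) / n


def max_linear_bias(sbox):
    """Largest |bias| over approximations with nonzero input and output masks."""
    n = len(sbox)
    table = lat(sbox)
    return max(abs(table[a][b]) for a in range(1, n) for b in range(1, n)) / n


def best_approximations(sbox):
    """All (a, b, bias) triples that attain the maximal absolute bias."""
    n = len(sbox)
    table = lat(sbox)
    peak = max(abs(table[a][b]) for a in range(1, n) for b in range(1, n))
    return [(a, b, table[a][b] / n) for a in range(1, n) for b in range(1, n)
            if abs(table[a][b]) == peak]


def piling_up(biases):
    """Matsui's piling-up lemma: the XOR of k independent approximations with
    biases e_1..e_k has bias 2^(k-1) * e_1 * ... * e_k.  Chaining one active
    S-box per round this way gives the bias of a linear characteristic."""
    result = 2 ** (len(biases) - 1)
    for e in biases:
        result *= e
    return result


if __name__ == "__main__":
    print("max differential probability:", max_differential_probability(PRESENT_SBOX))
    print("max linear bias:", max_linear_bias(PRESENT_SBOX))
    print("best approximations (a, b, bias):", best_approximations(PRESENT_SBOX))
    # Constructed chain: three active S-boxes, each at the best bias of 1/4.
    print("characteristic bias:", piling_up([0.25, 0.25, 0.25]))
```

The DDT rows sum to 16 and the LAT row for mask 0 is zero except at (0, 0), which is the usual sanity check that the tables were built with the right conventions; the PRESENT S-box's best differential probability and best linear bias both come out as 2^-2, the values its designers quote.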
New Method for Upper Bounding the Maximum Average Linear Hull Probability for SPNs
Advances in Cryptology - EUROCRYPT 2001, LNCS 2045, 2001
Cited by 21 (9 self)
Abstract. We present a new algorithm for upper bounding the maximum average linear hull probability for SPNs, a value required to determine provable security against linear cryptanalysis. The best previous result (Hong et al. [9]) applies only when the linear transformation branch number (B) is M or (M + 1) (maximal case), where M is the number of s-boxes per round. In contrast, our upper bound can be computed for any value of B. Moreover, the new upper bound is a function of the number of rounds (other upper bounds known to the authors are not). When B = M, our upper bound is consistently superior to [9]. When B = (M + 1), our upper bound does not appear to improve on [9]. On application to Rijndael (128-bit block size, 10 rounds), we obtain the upper bound UB = 2^-75, corresponding to a lower bound on the data complexity of 8/UB = 2^78 (for a 96.7% success rate). Note that this does not demonstrate the existence of such an attack, but is, to our knowledge, the first such lower bound.
Improving the Upper Bound on the Maximum Average Linear Hull Probability for Rijndael
2001
Cited by 15 (6 self)
In [15], Keliher et al. present a new method for upper bounding the maximum average linear hull probability (MALHP) for SPNs, a value which is required to make claims about provable security against linear cryptanalysis. Application of this method to Rijndael (AES) yields an upper bound of UB = 2^-75 when 7 or more rounds are approximated, corresponding to a lower bound on the data complexity of 32/UB = 2^80 (for a 96.7% success rate). In the current paper, we improve this upper bound for Rijndael by taking into consideration the distribution of linear probability values for the (unique) Rijndael 8 × 8 s-box. Our new upper bound on the MALHP when 9 rounds are approximated is 2^-92, corresponding to a lower bound on the data complexity of 2^97 (again for a 96.7% success rate). [This is after completing 43% of the computation; however, we believe that values have stabilized; see Section 7.]
Keywords: linear cryptanalysis, maximum average linear hull probability, provable security, Rijndael, AES
A Revised Version of CRYPTON - CRYPTON V1.0
Fast Software Encryption - FSE'99, volume 1636 of LNCS, 1999
Cited by 8 (0 self)
Abstract. The block cipher CRYPTON has been proposed as a candidate algorithm for the Advanced Encryption Standard (AES). To fix some minor weaknesses in the key schedule and to remove some undesirable properties in S-boxes, we made some changes to the AES proposal, i.e., in the S-box construction and key scheduling. This paper presents the revised version of CRYPTON and its preliminary analysis.
1 Motivations and Changes
The block cipher CRYPTON has been proposed as a candidate algorithm for the AES [22]. Unfortunately, however, we did not have enough time to refine our algorithm at the time of submission. So we later revised part of the AES proposal. This paper describes this revision and analyzes its security and efficiency. CRYPTON v1.0 differs from the AES proposal (v0.5) only in the S-box construction and key scheduling. As we mentioned at the 1st AES candidate conference, we already had a plan to revise the CRYPTON key schedule. The previous key schedule was in fact expected from ...
Hermes8: A Low-Complexity Low-Power Stream Cipher
2006
Cited by 5 (0 self)
Since stream ciphers have the reputation of being inefficient in software applications, the new stream cipher Hermes8 has been developed. It is based on an 8-bit architecture and an algorithm with low complexity. The two versions presented here are Hermes8-80 with a 23-byte state and 10-byte key, and Hermes8-128 with a 37-byte state and 16-byte key. Both are suited to run efficiently on 8-bit microcomputers and dedicated hardware (e.g. for embedded systems). The estimated performance is up to one encrypted byte per 118 CPU cycles and one encrypted byte per nine cycles in hardware. The clarity and low complexity of the design supports cryptanalytic methods. The 8x8 S-box provides the nonlinear function needed for proper confusion. Hermes8 uses the well-established AES S-box, but also works well with well-designed random S-boxes. Hermes8 has so far withstood several `attacks' by means of statistical tests, e.g. the Strict Avalanche Criterion and FIPS 140-2 are met successfully.
Linear Cryptanalysis of Substitution-Permutation Networks
2003
Cited by 4 (3 self)
The subject of this thesis is linear cryptanalysis of substitution-permutation networks (SPNs). We focus on the rigorous form of linear cryptanalysis, which requires the concept of linear hulls. First, we consider SPNs in which the s-boxes are selected independently and uniformly from the set of all bijective n × n s-boxes. We derive an expression for the expected linear probability values of such an SPN, and give evidence that this expression converges to the corresponding value for the true random cipher. This adds quantitative support to the claim that the SPN structure is a good approximation to the true random cipher. We conjecture that this convergence holds for a large class of SPNs. In addition, we derive a lower bound on the probability that an SPN with randomly selected s-boxes is practically secure against linear cryptanalysis after a given number of rounds. For common block sizes, experimental evidence indicates that this probability rapidly approaches 1 with an increasing number of rounds.
Modeling Linear Characteristics of Substitution-Permutation Networks
Sixth Annual International Workshop on Selected Areas in Cryptography (SAC'99), LNCS 1758, 2000
Cited by 3 (3 self)
In this paper we present a model for the bias values associated with linear characteristics of substitution-permutation networks (SPNs). The first iteration of the model is based on our observation that for sufficiently large s-boxes, the best linear characteristic usually involves one active s-box per round. We obtain a result which allows us to compute an upper bound on the probability that linear cryptanalysis using such a characteristic is feasible, as a function of the number of rounds. We then generalize this result, upper bounding the probability that linear cryptanalysis is feasible when any linear characteristic may be used (no restriction on the number of active s-boxes). The work of this paper indicates that the basic SPN structure provides good security against linear cryptanalysis based on linear characteristics after a reasonably small number of rounds.
Toward the True Random Cipher: On Expected Linear Probability Values for SPNs with Randomly Selected S-boxes
Chapter in Communications, Information and Network, 2003
Cited by 3 (2 self)
A block cipher, which is an important cryptographic primitive, is a bijective mapping from {0, 1}^N to {0, 1}^N (N is called the block size), parameterized by a key. In the true random cipher, each key results in a distinct mapping, and every mapping is realized by some key; this is generally taken to be the ideal cipher model. We consider a fundamental block cipher architecture called a substitution-permutation network (SPN). Specifically, we investigate expected linear probability (ELP) values for SPNs, which are the basis for a powerful attack called linear cryptanalysis. We show that if the substitution components (s-boxes) of an SPN are randomly selected, then the expected value of any ELP entry converges to the corresponding value for the true random cipher, as the number of encryption rounds is increased. This gives quantitative support to the claim that the SPN structure is a practical approximation of the true random cipher.
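The two MALHP abstracts (the EUROCRYPT 2001 method and its Rijndael follow-up), the thesis on linear cryptanalysis of SPNs and this chapter all work with the same object: the expected linear probability ELP(a, b) of a linear hull in a key-alternating SPN. Under the assumption those papers make, that round keys are independent and uniform, ELP(a, b) over R rounds is the sum over every characteristic with outer masks (a, b) of the product of its per-round LP values; the LP of the single best characteristic is the same computation with a maximum in place of the sum; the MALHP is the largest ELP(a, b) over nonzero masks; and for the true random cipher every nonzero ELP(a, b) equals 1/(2^N - 1). The following is an added example, not code from any of the papers: a toy 8-bit SPN of our own construction (two PRESENT S-boxes, a PRESENT-style bit permutation, key XOR every round) small enough to propagate masks exactly. The block size, permutation, mask pair, seed and function names are assumptions chosen for illustration, and the toy's numbers say nothing about Rijndael.

```python
# Added example (not from the papers above): exact expected linear probability
# (ELP) propagation for a toy 8-bit key-alternating SPN of our own construction.
import random

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N_BITS, SBOX_BITS, N_SBOXES = 8, 4, 2
# Assumed PRESENT-style bit permutation: S-box-layer output bit i moves to PERM[i].
PERM = [(2 * i) % (N_BITS - 1) if i < N_BITS - 1 else i for i in range(N_BITS)]
# ELP(a, b) of the true random cipher for nonzero a, b.
TRUE_RANDOM_ELP = 1.0 / ((1 << N_BITS) - 1)


def parity(x):
    return bin(x).count("1") & 1


def sbox_lp_table(sbox):
    """LP(a, b) = (2 * Pr[a.x = b.S(x)] - 1)^2 for every mask pair of one S-box.
    Every value is a dyadic rational, so these floats are exact."""
    n = len(sbox)
    return [[(2 * sum(parity(a & x) == parity(b & sbox[x]) for x in range(n)) / n - 1) ** 2
             for b in range(n)] for a in range(n)]


def unpermute_mask(v):
    """A mask v on the permuted state equals mask w on the S-box outputs with
    w[i] = v[PERM[i]], since v . P(y) = XOR_i v[PERM[i]] * y[i]."""
    return sum(((v >> PERM[i]) & 1) << i for i in range(N_BITS))


def round_lp_rows(sboxes):
    """Sparse one-round LP matrix: rows[u][v] is the LP from input mask u to
    output mask v through the S-box layer and PERM.  The round-key XOR is
    transparent to masks, so the matrix does not depend on the key."""
    tables = [sbox_lp_table(s) for s in sboxes]
    low = (1 << SBOX_BITS) - 1
    rows = []
    for u in range(1 << N_BITS):
        row = {}
        for v in range(1 << N_BITS):
            w, lp = unpermute_mask(v), 1.0
            for j, t in enumerate(tables):
                lp *= t[(u >> (SBOX_BITS * j)) & low][(w >> (SBOX_BITS * j)) & low]
            if lp:
                row[v] = lp
        rows.append(row)
    return rows


def propagate(rows, a, rounds, combine=lambda acc, term: acc + term):
    """Push input mask a through `rounds` rounds.  Summing over paths gives the
    linear hull ELP(a, .) (valid for independent, uniform round keys); taking
    the maximum instead gives the LP of the single best characteristic."""
    vec = {a: 1.0}
    for _ in range(rounds):
        nxt = {}
        for u, p in vec.items():
            for v, lp in rows[u].items():
                nxt[v] = combine(nxt.get(v, 0.0), p * lp)
        vec = nxt
    return vec


def hull_elp(rows, a, b, rounds):
    return propagate(rows, a, rounds).get(b, 0.0)


def best_characteristic_lp(rows, a, b, rounds):
    return propagate(rows, a, rounds, combine=max).get(b, 0.0)


def malhp(rows, rounds):
    """Maximum average linear hull probability: max ELP(a, b) over nonzero a, b."""
    return max(max(propagate(rows, a, rounds).values()) for a in range(1, 1 << N_BITS))


def max_deviation(rows, a, rounds):
    """Distance of the hull row ELP(a, .) from the true random cipher's 1/(2^N - 1)."""
    vec = propagate(rows, a, rounds)
    return max(abs(vec.get(b, 0.0) - TRUE_RANDOM_ELP) for b in range(1, 1 << N_BITS))


def random_sbox_rows(seed):
    """One-round LP matrix for the toy SPN with S-boxes drawn uniformly at random
    from all 4-bit bijections (seeded so the run is reproducible)."""
    rng = random.Random(seed)
    sboxes = []
    for _ in range(N_SBOXES):
        s = list(range(1 << SBOX_BITS))
        rng.shuffle(s)
        sboxes.append(s)
    return round_lp_rows(sboxes)


if __name__ == "__main__":
    rows = round_lp_rows([PRESENT_SBOX] * N_SBOXES)
    a, b = 0x01, 0x10        # constructed mask pair: one input bit, one output bit
    for r in range(1, 6):
        print(r, "hull ELP:", hull_elp(rows, a, b, r),
              "best characteristic:", best_characteristic_lp(rows, a, b, r))
    print("MALHP, 1 round:", malhp(rows, 1), " 2 rounds:", malhp(rows, 2))
    rrows = random_sbox_rows(2001)   # assumed seed; any seed shows the same trend
    print("max |ELP - 1/255| for random S-boxes, rounds 1..6:",
          [round(max_deviation(rrows, a, r), 6) for r in range(1, 7)])
```

Three properties are worth checking on any such implementation: each hull row sums to 1 (the one-round LP matrix of a bijection is doubly stochastic, so every power of it is too), the hull ELP is never below the best characteristic for the same masks (it is a sum that contains that characteristic as one term), and the largest deviation of a hull row from 1/(2^N - 1) never grows as rounds are added, which is the convergence the thesis and chapter describe. With one round there is exactly one path per mask pair, so hull and characteristic coincide and the MALHP is the S-box's own maximal LP of 2^-2.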