Results 1-10 of 33
PRESENT: An Ultra-Lightweight Block Cipher
 The Proceedings of CHES 2007, 2007
Abstract

Cited by 149 (15 self)
With the establishment of the AES the need for new block ciphers has been greatly diminished; for almost all block cipher applications the AES is an excellent and preferred choice. However, despite recent implementation advances, the AES is not suitable for extremely constrained environments such as RFID tags and sensor networks. In this paper we describe an ultra-lightweight block cipher, PRESENT. Both security and hardware efficiency have been equally important during the design of the cipher and at 1570 GE, the hardware requirements for PRESENT are competitive with today's leading compact stream ciphers.
The Interpolation Attack on Block Ciphers
 In Fast Software Encryption, 1997
Abstract

Cited by 71 (5 self)
In this paper we introduce a new method of attacks on block ciphers, the interpolation attack. This new method is useful for attacking ciphers using simple algebraic functions (in particular quadratic functions) as S-boxes. Also, ciphers of low nonlinear order are vulnerable to attacks based on higher order differentials. Recently, Knudsen and Nyberg presented a 6-round prototype cipher which is provably secure against ordinary differential cryptanalysis. We show how to attack the cipher by using higher order differentials and a variant of the cipher by the interpolation attack. It is possible to successfully cryptanalyse up to 32 rounds of the variant using about 2^32 chosen plaintexts with a running time less than 2^64. Using higher order differentials, a new design concept for block ciphers by Kiefer is also shown to be insecure. Rijmen et al. presented a design strategy for block ciphers and the cipher SHARK. We show that there exist ciphers constructed according to this des...
Twofish: A 128-Bit Block Cipher
 In First Advanced Encryption Standard (AES) Conference, 1998
Abstract

Cited by 63 (8 self)
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
Attacks on Block Ciphers of Low Algebraic Degree
 Journal of Cryptology, 2001
Abstract

Cited by 14 (1 self)
In this paper an attack on block ciphers is introduced, the interpolation attack. This method is useful for attacking ciphers that use simple algebraic functions (in particular quadratic functions) as S-boxes. Also, attacks based on higher-order differentials are introduced. They are special and important cases of the interpolation attacks. The attacks are applied to several block ciphers: the 6-round prototype cipher by Knudsen and Nyberg, which is provably secure against ordinary differential cryptanalysis, a modified version of the block cipher SHARK, and a block cipher suggested by Kiefer.
Recent Developments in the Design of Conventional Cryptographic Algorithms
 Computer Security and Industrial Cryptography: State of the Art and Evolution, LNCS, 1998
Abstract

Cited by 12 (3 self)
This paper examines proposals for three cryptographic primitives: block ciphers, stream ciphers, and hash functions. It provides an overview of the design principles of a large number of recent proposals, which includes the global structure, the number of rounds, the way of introducing nonlinearity and diffusion, and the key schedule. The software performance of about twenty primitives is compared based on highly optimized implementations for the Pentium. The goal of the paper is to provide a technical perspective on the wide variety of primitives that exist today.
On the Design of Linear Transformations for Substitution Permutation Encryption Networks
 School of Computer Science, Carleton University, 1997
Abstract

Cited by 12 (0 self)
In this paper we study the security of Substitution Permutation Encryption Networks (SPNs) with randomly selected bijective substitution boxes and a randomly selected invertible linear transformation layer. In particular, our results show that for such a 64-bit SPN using 8 × 8 s-boxes, the number of s-boxes involved in any 2 rounds of a linear approximation or a differential characteristic is equal to 8 with probability exceeding 0.8. For these SPNs the number of plaintext/ciphertext pairs that are required for the basic linear and differential cryptanalysis exceeds 2 within 6 rounds. We also provide two construction methods for involution linear transformations based on Maximum Distance Separable Codes.
On Feistel ciphers using optimal diffusion mappings across multiple rounds
 ASIACRYPT 2004, LNCS 3329, 2004
Abstract

Cited by 10 (2 self)
We study a recently proposed design approach for Feistel ciphers which employs optimal diffusion mappings across multiple rounds. This idea was proposed by Shirai and Shibutani at FSE 2004, and the technique improves the immunity against either differential or linear cryptanalysis (but not both). In this paper, we present a theoretical explanation of why the new design using three different matrices achieves the better immunity. In addition, we are able to prove conditions that improve the immunity against both differential and linear cryptanalysis. As a result, we show that this design approach guarantees at least R(m+1) active S-boxes in 3R consecutive rounds (R ≥ 2), where m is the number of S-boxes in a round. By using the guaranteed number of active S-boxes, we compare this design approach to other well-known designs employed in SHARK, Rijndael, and MDS-Feistel ciphers. Moreover, we show interesting additional properties of the new design approach.
Improved SQUARE Attacks against Reduced-Round HIEROCRYPT
 2001
Abstract

Cited by 9 (3 self)
We present improved SQUARE attacks against the NESSIE candidate block ciphers HIEROCRYPT-3 and HIEROCRYPT-L1, designed by Toshiba. We improve over the previous best known attack on 2.5 rounds of HIEROCRYPT-3 by a factor of 2^28 computational steps with an attack on 3 rounds for 128-bit keys, and extend it to 3.5 rounds for longer keys. For HIEROCRYPT-L1 we are able to attack up to 3.5 out of 6.5 rounds.
Higher-Order Cryptanalysis of Block Ciphers
 1999
Abstract

Cited by 9 (0 self)
The theme in this thesis is design and analysis of block ciphers. Specifically, new attacks are described that successfully break cryptosystems in which the ciphertext is expressible as evaluations of some low-degree polynomial in the plaintext with a low but non-negligible probability. The attacks are particularly efficient against certain ciphers that are provably secure against differential and linear cryptanalysis.
On generalized Feistel structures using the diffusion switching mechanism
 IEICE Trans. Fundamentals, 2008
Abstract

Cited by 8 (1 self)
We study a recently proposed design approach for Feistel structures which employs diffusion matrices in a switching way. At ASIACRYPT 2004, Shirai and Preneel proved that large numbers of S-boxes are guaranteed to be active if the diffusion matrix used in a round function is selected from among multiple matrices. However, the optimality of the matrices required by the proofs sometimes restricts the search for matrices suitable for actual block ciphers. In this paper, we extend their theory by replacing the condition of optimal mappings with general-type mappings; consequently the restriction is eliminated. Moreover, by combining known lower bounds for the usual Feistel structure, we establish a method to estimate the guaranteed number of active S-boxes for arbitrary round numbers. We also demonstrate how the generalization enables us to use a wide variety of diffusion mappings by showing concrete examples.