Results 1-10 of 32
Tweakable block ciphers
2002
Cited by 102 (4 self)
Abstract. We propose a new cryptographic primitive, the "tweakable block cipher." Such a cipher has not only the usual inputs—message and cryptographic key—but also a third input, the "tweak." The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our proposal thus brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher "tweakable" is small, and (3) it is easier to design and prove modes of operation based on tweakable block ciphers.
Twofish: A 128-Bit Block Cipher
First Advanced Encryption Standard (AES) Conference, 1998
Cited by 54 (8 self)
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
Cryptographic Hash Functions: A Survey
1995
Cited by 35 (7 self)
This paper gives a survey on cryptographic hash functions. It gives an overview of all types of hash functions and reviews design principles and possible methods of attacks. It also focuses on keyed hash functions and provides the applications, requirements, and constructions of keyed hash functions.
GAC - the Criterion for Global Avalanche Characteristics of Cryptographic Functions
Journal of Universal Computer Science, 1995
Cited by 34 (3 self)
Abstract: We show that some widely accepted criteria for cryptographic functions, including the strict avalanche criterion (SAC) and the propagation criterion, have various limitations in capturing properties of vital importance to cryptographic algorithms, and propose a new criterion called GAC to measure the global avalanche characteristics of cryptographic functions. We also introduce two indicators related to the new criterion, one forecasts the sum-of-squares while the other the absolute avalanche characteristics of a function. Lower and upper bounds on the two indicators are derived, and two methods are presented to construct cryptographic functions that achieve nearly optimal global avalanche characteristics.
Category: E.3
1 Why the GAC
In 1985, Webster and Tavares introduced the concept of the strict avalanche criterion (SAC) when searching for principles for designing DES-like data encryption algorithms [Web85, WT86]. A function is said to satisfy the SAC if complementing a single bit results in the output of the function being complemented
Cryptanalysis of LOKI 91
Advances in Cryptology, AusCrypt 92, LNCS 718, 1993
Cited by 32 (7 self)
In this paper we examine the redesign of LOKI, LOKI 91, proposed in [5]. First it is shown that there is no characteristic with a probability high enough to do a successful differential attack on LOKI 91. Secondly we show that the size of the image of the F-function in LOKI 91 is 8/13 × 2^32. Finally we introduce a chosen plaintext attack that reduces an exhaustive key search on LOKI 91 by almost a factor 4 using 2^33 + 2 chosen plaintexts.
1 Introduction
In 1990 Brown et al. [4] proposed a new encryption primitive, called LOKI, later renamed LOKI 89, as an alternative to the Data Encryption Standard (DES), with which it is interface compatible. Cryptanalysis showed weaknesses in LOKI 89 [2, 5, 8] and a redesign, LOKI 91, was proposed in [5]. The ciphers from the LOKI family are DES-like iterated block ciphers based on iterating a function, called the F-function, sixteen times. The block and key size is 64 bits. Each iteration is called a round. The input to each round is d...
Practically Secure Feistel Ciphers
Fast Software Encryption, Cambridge Security Workshop Proceedings, 1994
Cited by 27 (0 self)
Abstract. In this paper we give necessary design principles to be used when constructing secure Feistel ciphers. We introduce a new concept, practical security against linear and differential attacks on Feistel ciphers. We give examples of such Feistel ciphers (practically) resistant to differential attacks, linear attacks and other attacks.
On the Distribution of Characteristics in Bijective Mappings
1994
Cited by 24 (4 self)
Differential cryptanalysis is a method of attacking iterated mappings based on differences known as characteristics. The probability of a given characteristic is derived from the XOR tables associated with the iterated mapping. If π is a mapping π : Z_2^m → Z_2^m, then for each ΔX, ΔY ∈ Z_2^m the XOR table for π gives the number of input pairs of difference ΔX = X + X' for which π(X) + π(X') = ΔY. The complexity of a differential attack depends upon two properties of the XOR tables: the density of zero entries in the table, and the size of the largest entry in the table. In this paper we present the first results on the expected values of these properties for a general class of mappings π. We prove that if π : Z_2^m → Z_2^m is a bijective mapping then the expected size of the largest entry in the XOR table for π is bounded by 2m, while the fraction of the XOR table that is zero approaches e^(-1/2) = 0.60653. We are then able to demonstrate tha...
Constructing symmetric ciphers using the CAST design procedure
Designs, Codes, and Cryptography, 1997
Cited by 21 (1 self)
This paper describes the CAST design procedure for constructing a family of DES-like Substitution-Permutation Network (SPN) cryptosystems which appear to have good resistance to differential cryptanalysis, linear cryptanalysis, and related-key cryptanalysis, along with a number of other desirable cryptographic properties. Details of the design choices in the procedure are given, including those regarding the component substitution boxes (s-boxes), the overall framework, the key schedule, and the round function. An example CAST cipher, an output of this design procedure, is presented as an aid to understanding the concepts and to encourage detailed analysis by the cryptologic community.
Systematic generation of cryptographically robust S-boxes
Proceedings of the First ACM Conference on Computer and Communications Security, 1993
Cited by 20 (10 self)
Substitution boxes (S-boxes) are a crucial component of DES-like block ciphers. This research addresses problems with previous approaches towards constructing S-boxes, and proposes a new definition for the robustness of S-boxes to differential cryptanalysis, which is the most powerful cryptanalytic attack known to date. A novel method based on group Hadamard matrices is developed to systematically generate S-boxes that satisfy a number of critical cryptographic properties. Among the properties are the high nonlinearity, the strict avalanche characteristics, the balancedness, the robustness against differential cryptanalysis, and the immunity to linear cryptanalysis. An example is provided to illustrate the S-box generating method.
Non-Linear Approximations in Linear Cryptanalysis
Advances in Cryptology, Proceedings Eurocrypt'96, LNCS 1070, 1996
Cited by 19 (0 self)
Abstract. By considering the role of nonlinear approximations in linear cryptanalysis we obtain a generalization of Matsui's linear cryptanalytic techniques. This approach allows the cryptanalyst greater flexibility in mounting a linear cryptanalytic attack and we demonstrate the effectiveness of our nonlinear techniques with some simple attacks on LOKI91. These attacks potentially allow for the recovery of seven additional bits of key information with less than 1/4 of the plaintext that is required using current linear cryptanalytic methods.