Survey and Benchmark of Block Ciphers for Wireless Sensor Networks
ACM Transactions on Sensor Networks, 2004
Cited by 41 (0 self)
Choosing the most storage- and energy-efficient block cipher specifically for wireless sensor networks (WSNs) is not as straightforward as it seems. To our knowledge so far, there is no systematic evaluation framework for the purpose. In this paper, we have identified the candidates of block ciphers suitable for WSNs based on existing literature.
PRESENT: An Ultra-Lightweight Block Cipher
the proceedings of CHES 2007, 2007
Cited by 33 (6 self)
Abstract. With the establishment of the AES the need for new block ciphers has been greatly diminished; for almost all block cipher applications the AES is an excellent and preferred choice. However, despite recent implementation advances, the AES is not suitable for extremely constrained environments such as RFID tags and sensor networks. In this paper we describe an ultra-lightweight block cipher, PRESENT. Both security and hardware efficiency have been equally important during the design of the cipher and at 1570 GE, the hardware requirements for PRESENT are competitive with today’s leading compact stream ciphers.
On the security of Camellia against the square attack
in Proceedings of Fast Software Encryption – FSE’02, 2002
Cited by 8 (0 self)
Abstract. Camellia is a 128 bit block cipher proposed by NTT and Mitsubishi. We discuss the security of Camellia against the square attack. We find a 4 round distinguisher and construct a basic square attack. We can attack 5 round Camellia by guessing one byte subkey and using $2^{16}$ chosen plaintexts. Considering the key schedule, we may extend this attack up to 9 round Camellia including the first $FL/FL^{-1}$ function layer.
A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms
Proceedings of EUROCRYPT 2003, 2003
Cited by 7 (1 self)
Abstract. This paper presents two algorithms for solving the linear and the affine equivalence problem for arbitrary permutations (S-boxes). For a pair of $n \times n$-bit permutations the complexity of the linear equivalence algorithm (LE) is $O(n^3 2^n)$. The affine equivalence algorithm (AE) has complexity $O(n^3 2^{2n})$. The algorithms are efficient and allow to study linear and affine equivalences for bijective S-boxes of all popular sizes (LE is efficient up to $n \le 32$). Using these tools new equivalent representations are found for a variety of ciphers: Rijndael, DES, Camellia, Serpent, Misty, Kasumi, Khazad, etc. The algorithms are furthermore extended for the case of non-bijective $n$ to $m$-bit S-boxes with a small value of $|n - m|$ and for the case of almost equivalent S-boxes. The algorithms also provide new attacks on a generalized Even-Mansour scheme. Finally, the paper defines a new problem of S-box decomposition in terms of Substitution Permutations Networks (SPN) with layers of smaller S-boxes. Simple information-theoretic bounds are proved for such decompositions. Keywords: Linear, affine equivalence algorithm, S-boxes, Block-ciphers,
Security of Reduced Version of the Block Cipher Camellia against Truncated and Impossible Differential Cryptanalysis
ASIACRYPT 2001, LNCS 2248, Springer-Verlag, 2001
Cited by 6 (0 self)
Abstract. This paper describes truncated and impossible differential cryptanalysis of the 128-bit block cipher Camellia, which was proposed by NTT and Mitsubishi Electric Corporation. Our work improves on the best known truncated and impossible differential cryptanalysis. As a result, we show a nontrivial 9-round byte characteristic, which may lead to a possible attack of reduced-round version of Camellia without input/output whitening, $FL$ or $FL^{-1}$ in a chosen plain text scenario. Previously, only 6-round differentials were known, which may suggest a possible attack of Camellia reduced to 8-rounds. Moreover, we show a nontrivial 7-round impossible differential, whereas only a 5-round impossible differential was previously known. This cryptanalysis is effective against general Feistel structures with round functions composed of S-D (Substitution and Diffusion) transformation.
Hardware Design and Analysis of Block Cipher Components
in Information Security and Cryptology – ICISC 2002, Lecture Notes in Computer Science 2587, 2002
Cited by 4 (3 self)
This paper describes the efficient implementation of Maximum Distance Separable (MDS) mappings and Substitution-boxes (S-boxes) in gate-level hardware for application to Substitution-Permutation Network (SPN) block cipher design. Different implementations of parameterized MDS mappings and S-boxes are evaluated using gate count as the space complexity measure and gate levels traversed as the time complexity measure. On this basis, a method to optimize MDS codes for hardware is introduced by considering the complexity analysis of bit parallel multipliers. We also provide a general architecture to implement any invertible S-box which has low space and time complexities. As an example, two efficient implementations of Rijndael, the Advanced Encryption Standard (AES), are considered to examine the different tradeoffs between speed and time.
Linear cryptanalysis of substitution-permutation networks
2003
Cited by 4 (3 self)
The subject of this thesis is linear cryptanalysis of substitution-permutation networks (SPNs). We focus on the rigorous form of linear cryptanalysis, which requires the concept of linear hulls. First, we consider SPNs in which the s-boxes are selected independently and uniformly from the set of all bijective $n \times n$ s-boxes. We derive an expression for the expected linear probability values of such an SPN, and give evidence that this expression converges to the corresponding value for the true random cipher. This adds quantitative support to the claim that the SPN structure is a good approximation to the true random cipher. We conjecture that this convergence holds for a large class of SPNs. In addition, we derive a lower bound on the probability that an SPN with randomly selected s-boxes is practically secure against linear cryptanalysis after a given number of rounds. For common block sizes, experimental evidence indicates that this probability rapidly approaches 1 with an increasing number of rounds.
Addition of Camellia Cipher Suites to Transport Layer Security (TLS)
Cited by 4 (2 self)
This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at
A Novel Methodology For Analysis Of The Computational Complexity . . .
2004
Cited by 3 (0 self)
The paper presents a methodology for the evaluation of the complexity and computational cost of different block ciphers, in order to be independent from the actual platforms they are implemented on. An analysis of three block ciphers selected by NESSIE (New European Schemes for Signatures, Integrity and Encryption) in 2003 - Rijndael, Camellia and Shacal-2 - is then provided using such methodology. First, the structure of all ciphers is described, so as to emphasize the different kinds of transformations required. Then, the schemes are compared in terms of basic operations (AND, OR, shifts) for each step, in such a way to evaluate their complexity and to provide effective guidelines regarding their implementation. Keywords: block ciphers, cipher complexity, performance evaluation, AES.

