Twofish: A 128-Bit Block Cipher
- First Advanced Encryption Standard (AES) Conference, 1998
Cited by 50 (8 self)
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
The Cipher SHARK
- Fast Software Encryption, Third International Workshop, 1996
Cited by 20 (2 self)
We present the new block cipher SHARK. This cipher combines highly non-linear substitution boxes and maximum distance separable error-correcting codes (MDS codes) to guarantee good diffusion. The cipher is resistant against differential and linear cryptanalysis after a small number of rounds. The structure of SHARK is such that a fast software implementation is possible, both for encryption and for decryption. Our C implementation of SHARK runs more than four times faster than SAFER and IDEA on a 64-bit architecture.
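Both the Twofish and SHARK abstracts rest on the same building block: a linear layer built from a maximum distance separable (MDS) matrix over GF(2^8), which guarantees that a difference in any one input byte spreads to every output byte (branch number 5 for a 4-byte layer). The following is an added example, not code from either paper: it multiplies in GF(2^8), tests whether a 4x4 matrix is MDS by the standard criterion (every square submatrix is nonsingular), and measures the branch number for single-byte differences. The matrix and field polynomial are the ones the Twofish paper specifies for its MDS step; the identity-matrix counterexample, the helper names and the pseudo-Hadamard transform wrapper are illustrative choices made here.

```python
# Added example (not from the Twofish or SHARK papers): verify the MDS
# property of a byte-oriented linear layer over GF(2^8) and show the
# resulting diffusion guarantee. Matrix and polynomial are the Twofish ones.
from itertools import combinations

# Twofish's MDS field: GF(2^8) modulo v(x) = x^8 + x^6 + x^5 + x^3 + 1 (0x169).
MDS_POLY = 0x169

# Twofish's 4x4 MDS matrix, entries written as bytes.
TWOFISH_MDS = [
    [0x01, 0xEF, 0x5B, 0x5B],
    [0x5B, 0xEF, 0xEF, 0x01],
    [0xEF, 0x5B, 0x01, 0xEF],
    [0xEF, 0x01, 0xEF, 0x5B],
]

# A plain byte permutation (identity) is the illustrative non-MDS case.
IDENTITY_4 = [[int(i == j) for j in range(4)] for i in range(4)]


def gf_mul(a, b, poly=MDS_POLY):
    """Multiply two GF(2^8) elements by shift-and-add with reduction."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= poly  # reduce modulo the field polynomial
    return r


def gf_det(m):
    """Determinant over GF(2^8) by Laplace expansion (no signs in characteristic 2)."""
    n = len(m)
    if n == 1:
        return m[0][0]
    d = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        d ^= gf_mul(m[0][j], gf_det(minor))
    return d


def is_mds(m):
    """A square matrix is MDS iff every square submatrix is nonsingular."""
    n = len(m)
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                sub = [[m[r][c] for c in cols] for r in rows]
                if gf_det(sub) == 0:
                    return False
    return True


def mds_multiply(m, x):
    """Apply the matrix to a byte vector: y_i = XOR over j of m[i][j] * x[j]."""
    y = []
    for row in m:
        acc = 0
        for coef, xj in zip(row, x):
            acc ^= gf_mul(coef, xj)
        y.append(acc)
    return y


def single_byte_branch_number(m):
    """Minimum of (active input bytes + active output bytes) over all
    single-byte input differences. The layer is linear, so the output
    difference is just m times the input difference. MDS gives 1 + 4 = 5."""
    n = len(m)
    best = None
    for pos in range(n):
        for delta in range(1, 256):
            diff_in = [0] * n
            diff_in[pos] = delta
            active_out = sum(1 for b in mds_multiply(m, diff_in) if b)
            total = 1 + active_out
            best = total if best is None else min(best, total)
    return best


def pht(a, b, bits=32):
    """Twofish's pseudo-Hadamard transform on two words: (a + b, a + 2b) mod 2^bits."""
    mask = (1 << bits) - 1
    return (a + b) & mask, (a + 2 * b) & mask


if __name__ == "__main__":
    print("Twofish matrix is MDS:", is_mds(TWOFISH_MDS))
    print("identity is MDS:", is_mds(IDENTITY_4))
    print("single-byte branch number:", single_byte_branch_number(TWOFISH_MDS))
    print("PHT(1, 1) =", pht(1, 1))
```

The submatrix test is the property SHARK's "guarantee a good diffusion" claim and Twofish's differential bounds both depend on: with branch number 5, any nonzero difference entering the layer activates at least five S-boxes across the two adjacent rounds, which is what lets the designers bound differential and linear characteristic probabilities after few rounds. The identity matrix fails at the first 1x1 zero entry, so a single-byte difference passes through it touching only one output byte.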
Constructing symmetric ciphers using the CAST design procedure
- Designs, Codes, and Cryptography, 1997
Cited by 19 (1 self)
This paper describes the CAST design procedure for constructing a family of DES-like Substitution-Permutation Network (SPN) cryptosystems which appear to have good resistance to differential cryptanalysis, linear cryptanalysis, and related-key cryptanalysis, along with a number of other desirable cryptographic properties. Details of the design choices in the procedure are given, including those regarding the component substitution boxes (s-boxes), the overall framework, the key schedule, and the round function. An example CAST cipher, an output of this design procedure, is presented as an aid to understanding the concepts and to encourage detailed analysis by the cryptologic community.
Recent Developments in the Design of Conventional Cryptographic Algorithms
- Computer Security and Industrial Cryptography: State of the Art and Evolution, LNCS, 1998
Cited by 10 (2 self)
This paper examines proposals for three cryptographic primitives: block ciphers, stream ciphers, and hash functions. It provides an overview of the design principles of a large number of recent proposals, including the global structure, the number of rounds, the way non-linearity and diffusion are introduced, and the key schedule. The software performance of about twenty primitives is compared based on highly optimized implementations for the Pentium. The goal of the paper is to provide a technical perspective on the wide variety of primitives that exist today.
Cryptanalysis of SPEED
Cited by 5 (4 self)
The cipher family SPEED (and an associated hashing mode) was recently proposed in Financial Cryptography '97. This paper cryptanalyzes that proposal, in two parts: first, we discuss several troubling potential weaknesses in the cipher; next, we show how to efficiently break the SPEED hashing mode using differential related-key techniques, and propose a differential attack on 48-round SPEED. These results raise some significant questions about the security of the SPEED design.
1 Introduction
In Financial Cryptography '97, Zheng proposed a new family of block ciphers, called SPEED [12]. One specifies a particular SPEED cipher by choosing parameters such as the block size and number of rounds; the variations are otherwise alike in their key schedule and round structure. Under the hood, SPEED is built out of an unbalanced Feistel network. Zheng also proposed a hash function based on running a SPEED block cipher in a slightly modified Davies-Meyer mode. One of the main contributions of t...
Higher Order Differential Attack of a CAST Cipher
- Proceedings of the Fifth International Workshop on Fast Software Encryption, 1998
Cited by 4 (1 self)
This paper proposes a new higher order differential attack. The higher order differential attack proposed at FSE'97 by Jakobsen and Knudsen used exhaustive search for recovering the last round key. Our new attack reduces the complexity to the cost of solving a linear system of equations. As an example, we show the higher order differential attack on a CAST cipher with 5 rounds. The required number of chosen plaintexts is 2^17 and the required complexity is less than 2^25 evaluations of the round function. Our experimental results show that the last round key of the 5-round CAST cipher can be recovered in less than 15 seconds on an UltraSPARC workstation.
The MESH Block Ciphers
- 2002
Cited by 2 (1 self)
This paper describes the MESH block ciphers, whose designs are based on the same group operations as the IDEA cipher, but with a number of novel features: flexible block sizes in steps of 32 bits (the block size of IDEA is fixed at 64 bits); larger MA-boxes; distinct key-mixing layers for odd and even rounds; and new key schedule algorithms that achieve fast avalanche and avoid the weak keys of IDEA. The software performance of the MESH ciphers is estimated to be better than or comparable to that of triple-DES. A number of attacks, such as truncated and impossible differentials, linear cryptanalysis and Demirci's attack, show that more resources are required against the MESH ciphers than against IDEA, and indicate that both ciphers seem to have a large margin of security.
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Cited by 1 (0 self)
Recently, a new kind of Generalized Unbalanced Feistel Network, denoted GUFN-n, was proposed by Choy et al. at ACISP 2009. The advantages of this structure are that it allows parallel computation for encryption and that it provides provable security against traditional differential and linear cryptanalysis, given that the round function is bijective. For this structure, the designers also found a (2n − 1)-round impossible differential and a (3n − 1)-round integral distinguisher. In this paper, we study distinguishing attacks on GUFN-n. We find an n^2-round integral distinguisher and show that it can be simply extended to an (n^2 + n − 2)-round higher-order integral distinguisher. Moreover, we point out that the n^2-round integral distinguisher corresponds to an n^2-round truncated differential with probability 1, from which an impossible differential of up to n^2 + n − 2 rounds can be constructed. Finally, we describe a variant structure of GUFN-n, denoted GUFN*-n, where the round function is F(x ⊕ K). For this variant, we present a new kind of n^2-round non-surjective distinguisher and use it to attack GUFN*-n with very low data complexity.
Analysis of Camellia
- 2000
Contents
1 Analysis of Camellia
1.1 Differential and Linear Cryptanalysis
1.2 Truncated Differentials
1.2.1 Distinguishing attacks
1.2.2 The existence of differentials
1.3 The Key-schedule
1.4 The S-boxes
1.5 Other attacks
A Block Ciphers in General
A.1 Differential cryptanalysis
A.2 Truncated differentials
A.3 Higher order differentials
A.4 Linear cryptanalysis
A.5 Mod n cryptanalysis
...
NESSIE D13 - Security Evaluation of NESSIE First Phase
- Commission of the European Communities IST-1999-12324, 2001
A preliminary security assessment of cryptographic primitives submitted to the NESSIE project is given in this deliverable.

