Results 1 - 10 of 13
Side Channel Cryptanalysis of Product Ciphers
- JOURNAL OF COMPUTER SECURITY
, 1998
Cited by 73 (8 self)
Building on the work of Kocher [Koc96], Jaffe, and Yun [KJY98], we discuss the notion of side-channel cryptanalysis: cryptanalysis using implementation data. We discuss the notion of side-channel attacks and the vulnerabilities they introduce, demonstrate side-channel attacks against three product ciphers -- timing attack against IDEA, processor-flag attack against RC5, and Hamming weight attack against DES -- and then generalize our research to other cryptosystems.
Twofish: A 128-Bit Block Cipher
- in First Advanced Encryption Standard (AES) Conference
, 1998
Cited by 50 (8 self)
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
The CAST-256 Encryption Algorithm
Cited by 49 (0 self)
This document contains several sections of the CAST-256 AES Submission Package delivered to NIST on June 9th, 1998. All complete submissions received by NIST will be made public in late August at the First AES Candidate Conference, but the following material is being made available now so that public analysis of the CAST-256 algorithm may begin (see, for example, http://www.ii.uib.no/~larsr/aes.html for the current status of submitted algorithms). Many thanks are due to those who worked with me in the (long, challenging, frustrating, and very enjoyable!) design and analysis phases that ultimately led to the detailed specification given below: Howard Heys (Memorial University); Stafford Tavares (Queen's University); and Michael Wiener (Entrust). As well, many thanks are due to the two who did the various implementations on a variety of platforms (Reference C, Optimized C, Optimized Java, and even M6811 Assembler): Serge Mister and Ian Clysdale (both
Practical S-Box Design
- SELECTED AREAS IN CRYPTOGRAPHY, 1996
, 1996
Cited by 18 (2 self)
Much of the security of a block cipher based on the Feistel network depends on the properties of the substitution boxes (s-boxes) used in the round function. Although many desirable properties have been studied, relatively little work has been done to determine to what degree these properties are achievable in practice. This paper presents one effort to construct large, cryptographically secure s-boxes, contrasting theoretical and practical limitations, and highlighting areas for future research.
Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA
- Proceedings of the 1997 International Conference on Information and Communications Security
, 1997
Cited by 6 (0 self)
We present new related-key attacks on the block ciphers 3WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. Differential related-key attacks allow both keys and plaintexts to be chosen with specific differences [KSW96]. Our attacks build on the original work, showing how to adapt the general attack to deal with the difficulties of the individual algorithms. We also give specific design principles to protect against these attacks.
Generating Large Non-Singular Matrices over an Arbitrary Field with Blocks of Full Rank
, 2002
Cited by 2 (0 self)
This note describes a technique for generating large non-singular matrices with blocks of full rank. While this may be of independent interest, our motivation arises in the white-box implementation of cryptographic algorithms with S-boxes.
Key Schedule Classification of the AES Candidates
, 1999
Cited by 2 (0 self)
An important component of iterative, block ciphers is the key schedule. In most ciphers, a master key of specified length is manipulated to create round subkeys. This manipulation is known as the key schedule. A strong key schedule means a cipher will be more resistant to various forms of attacks, such as differential and linear cryptanalysis. In this paper, the Advanced Encryption Standard (AES) candidates are classified according to their key schedules. 1 The Classification Schedule The most powerful methods of analysis of iterative block ciphers such as the Data Encryption Standard (DES) [4] are attacks which aim to reveal round subkeys. These methods include differential [5] and linear cryptanalysis [9]. In [1], the authors introduced a new classification scheme for iterative block ciphers based on their key schedules. In essence, this scheme creates two categories of ciphers based on whether or not knowledge of a round subkey generated by the key schedule reveals any information about ot...
Expire in six months The resolution of ISAKMP with Oakley
, 1997
"... This document is an Internet Draft. Internet Drafts are working ..."
The MARS Encryption Algorithm
This paper describes and analyzes the MARS symmetric-key encryption algorithm which is a new block cipher submitted to NIST for consideration as the Advanced Encryption Standard (AES). MARS supports 128-bit blocks and a variable key size. It is designed to take advantage of the powerful operations supported in today's computers, resulting in a much improved security/performance tradeoff over existing ciphers. Specifically, in MARS we use a unique combination of S-box lookups, multiplications and data-dependent rotations. MARS has a heterogeneous structure, with cryptographic core rounds that are wrapped by simpler mixing rounds. The cryptographic core rounds provide strong resistance to all known cryptanalytical attacks, while the mixing rounds provide good avalanche and offer very wide security margins to thwart new (yet unknown) attacks. Our C implementation of MARS runs at rates of 85 Mbit/sec on a 200 MHz PowerPC, and 65 Mbit/sec on a 200 MHz Pentium-Pro. The cryptographi...
Network Working Group C. Adams Request for Comments: 2984 Entrust Technologies Category: Standards Track October 2000 Use of the CAST-128 Encryption Algorithm in CMS Status of this Memo
This document specifies how to incorporate CAST-128 (RFC2144) into the S/MIME Cryptographic Message Syntax (CMS) as an additional algorithm for symmetric encryption. The relevant OIDs and processing steps are provided so that CAST-128 may be included in the CMS specification (RFC2630) for symmetric content and key encryption. The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document (in uppercase, as shown) are to be interpreted as described in [RFC2119]. 1. Motivation S/MIME (Secure/Multipurpose Internet Mail Extensions) [SMIME2, SMIME3] is a set of specifications for the secure transport of MIME objects. In the current (S/MIME v3) specifications the mandatory-to-implement symmetric algorithm for content encryption and key encryption is triple-DES (3DES). While this is perfectly acceptable in many cases because the security of 3DES is generally considered to be high, for some environments 3DES may be seen to be too slow...

