Results 1 - 10 of 10
Tweakable block ciphers, 2002
Cited by 86 (3 self)
Abstract. We propose a new cryptographic primitive, the “tweakable block cipher.” Such a cipher has not only the usual inputs—message and cryptographic key—but also a third input, the “tweak.” The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our proposal thus brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher “tweakable” is small, and (3) it is easier to design and prove modes of operation based on tweakable block ciphers.
Pairs and Triplets of DES S-Boxes - Journal of Cryptology, 1995
Cited by 16 (2 self)
This paper describes an investigation of a potential weakness in DES which leads to a statistical property observable in plaintext-ciphertext pairs and dependent on the key. However, the number of encryptions of known plaintext needed to exploit this property is comparable to the number of encryptions of an exhaustive key search, so the “weakness” is mainly of theoretical interest.
Increasing the Lifetime of a Key: A Comparative Analysis of the Security of Re-Keying Techniques - in Advances in Cryptology – Asiacrypt 2000 Proceedings, 2000
Cited by 15 (2 self)
Rather than use a shared key directly to cryptographically process (e.g. encrypt or authenticate) data one can use it as a master key to derive subkeys, and use the subkeys for the actual cryptographic processing. This popular paradigm is called re-keying, and the expectation is that it is good for security. In this paper we provide concrete security analyses of various re-keying mechanisms and their usage. We show that re-keying does indeed “increase” security, effectively extending the lifetime of the master key and bringing significant, provable security gains in practical situations. We quantify the security provided by different re-keying processes as a function of the security of the primitives they use, thereby enabling a user to choose between different re-keying processes given the constraints of some application. 1 Introduction Re-keying (also called key-derivation) is a commonly employed paradigm in computer security systems, about whose security benefits users appe...
Security Amplification by Composition: The case of Doubly-Iterated, Ideal Ciphers, 1998
Cited by 7 (0 self)
We investigate, in the Shannon model, the security of constructions corresponding to double and (two-key) triple DES. That is, we consider F_{k1}(F_{k2}(·)) and F_{k1}(F_{k2}^{-1}(F_{k1}(·))) with the component functions being ideal ciphers. This models the resistance of these constructions to "generic" attacks like meet in the middle attacks. We obtain
Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA - Proceedings of the 1997 International Conference on Information and Communications Security, 1997
Cited by 6 (0 self)
We present new related-key attacks on the block ciphers 3WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. Differential related-key attacks allow both keys and plaintexts to be chosen with specific differences [KSW96]. Our attacks build on the original work, showing how to adapt the general attack to deal with the difficulties of the individual algorithms. We also give specific design principles to protect against these attacks.
Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER and triple-DES - In Advances in Cryptology - CRYPTO '96, 1996
Cited by 4 (0 self)
Abstract. We present new attacks on key schedules of block ciphers. These attacks are based on the principles of related-key differential cryptanalysis: attacks that allow both keys and plaintexts to be chosen with specific differences. We show how these attacks can be exploited in actual protocols and cryptanalyze the key schedules of a variety of algorithms, including three-key triple-DES.
Differential Attack on Message Authentication Codes, 1994
Cited by 4 (0 self)
We discuss the security of Message Authentication Code (MAC) schemes from the viewpoint of differential attack, and propose an attack that is effective against DES-MAC and FEAL-MAC. The attack derives the secret authentication key in the chosen plaintext scenario. For example, DES(8-round)-MAC can be broken with 2^34 pairs of plaintext, while FEAL8-MAC can be broken with 2^22 pairs. The proposed attack is applicable to any MAC scheme, even if the 32 bits are randomly selected from among the 64 bits of ciphertext generated by a cryptosystem vulnerable to differential attack in the chosen plaintext scenario.
Security Amplification by Composition: The case of Doubly-Iterated, Ideal Ciphers
Cited by 1 (0 self)
We investigate, in the Shannon model, the security of constructions corresponding to double and (two-key) triple DES. That is, we consider F_{k1}(F_{k2}(·)) and F_{k1}(F_{k2}^{-1}(F_{k1}(·))) with the component functions being ideal ciphers. This models the resistance of these constructions to "generic" attacks like meet in the middle attacks. We obtain the first proof that composition actually increases the security in some meaningful sense. We compute a bound on the probability of breaking the double cipher as a function of the number of computations of the base cipher made, and the number of examples of the composed cipher seen, and show that the success probability is the square of that for a single key cipher. The same bound holds for the two-key triple cipher. The first bound is tight and shows that meet in the middle is the best possible generic attack against the double cipher. Keywords: Ciphers, cascaded ciphers, Shannon model, information theory, DES, Double DES, meet i...
On Iterative Characteristics of DES-like Cryptosystems, 2001
Differential Cryptanalysis, the main chosen-plaintext attack on DES-like cryptosystems, uses iterative characteristics for cryptanalyzing variants of DES with an arbitrary number of rounds.
On the Order of Round Components in the AES, 2006
This paper analyses all 24 possible round constructions using different combinations of the four round components of the AES cipher: SubBytes, ShiftRows, AddRoundKey and MixColumns. We investigate how the different round orderings affect the security of AES against differential, linear, multiset, impossible differential and boomerang attacks. The cryptographic strength of each cipher variant was measured by the size of each distinguisher, their probability or correlation value and the number of active S-boxes. Our analyses indicate that all these permutations of the AES components have similar cryptographic strength (concerning these five attacks), although there are implementation advantages for certain permutations. Keywords: Active S-box, AES, cryptanalysis

