Twofish: A 128-Bit Block Cipher
in First Advanced Encryption Standard (AES) Conference, 1998
Cited by 54 (8 self)

Abstract
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
Hash Functions Based on Block Ciphers
Proc. of EUROCRYPT 92, 1993
Cited by 53 (7 self)

Abstract
Iterated hash functions based on block ciphers are treated. Five attacks on an iterated hash function and on its round function are formulated. The wisdom of strengthening such hash functions by constraining the last block of the message to be hashed is stressed. Schemes for constructing m-bit and 2m-bit hash round functions from m-bit block ciphers are studied. A principle is formalized for evaluating the strength of hash round functions, viz., that applying computationally simple (in both directions) invertible transformations to the input and output of a hash round function yields a new hash round function with the same security. By applying this principle, four attacks on three previously proposed 2m-bit hash round functions are formulated. Finally, three new hash round functions based on an m-bit block cipher with a 2m-bit key are proposed.

1 Introduction
This paper is intended to provide a rather rounded treatment of hash functions that are obtained by iterati...
Unbalanced Feistel Networks and Block-Cipher Design
Fast Software Encryption, 3rd International Workshop Proceedings, 1996
Cited by 50 (5 self)

Abstract
We examine a generalization of the concept of Feistel networks, which we call Unbalanced Feistel Networks (UFNs). Like conventional Feistel networks, UFNs consist of a series of rounds in which one part of the block operates on the rest of the block. However, in a UFN the two parts need not be of equal size. Removing this limitation on Feistel networks has interesting implications for designing ciphers secure against linear and differential attacks. We describe UFNs and a terminology for discussing their properties, present and analyze some UFN constructions, and make some initial observations about their security. It is notable that almost all the proposed ciphers that are based on Feistel networks follow the same design construction: half the bits operate on the other half. There is no inherent reason that this should be so; as we will demonstrate, it is possible to design Feistel networks across a much wider, richer design space. In this paper, we examine the nature of the...
The Classification of Hash Functions
1993
Cited by 24 (3 self)

Abstract
When we ask what makes a hash function `good', we usually get an answer which includes collision freedom as the main (if not sole) desideratum. However, we show here that given any collision-free function, we can derive others which are also collision-free, but cryptographically useless. This explains why researchers have not managed to find many interesting consequences of this property. We also prove Okamoto's conjecture that correlation freedom is strictly stronger than collision freedom. We go on to show that there are actually rather many properties which hash functions may need. Hash functions for use with RSA must be multiplication free, in the sense that one cannot find X, Y and Z such that h(X)h(Y) = h(Z); and more complex requirements hold for other signature schemes. Universal principles can be proposed from which all the freedom properties follow, but like most theoretical principles, they do not seem to give much value to a designer; at the practical level, the main imp...
Cryptographic Modes of Operation for the Internet
2001
Cited by 15 (0 self)

Abstract
Introduction
Modes that may be appropriate and secure in one application or environment sometimes fail badly in others. This is especially true of stream modes where, e.g., reuse of the same segment of keystream to protect different plaintext renders the cipher insecure. The circumstances that can render a mode insecure are not always obvious, nor are the relevant characteristics of a particular application always apparent. Application and protocol designers, even those with experience and training in cryptography, cannot be expected to always identify accurately the requirements that must be met for a mode to be used securely or the conditions that apply to the application at hand. We strongly urge that, for each adopted mode, the standard include a clear statement of the requirements and assumptions that must be met in order for the mode to be used securely and what security properties the mode can be assumed to have and not have. Furthermore, we urge that detailed examples
Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA
Proceedings of the 1997 International Conference on Information and Communications Security, 1997
Cited by 8 (0 self)

Abstract
We present new related-key attacks on the block ciphers 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. Differential related-key attacks allow both keys and plaintexts to be chosen with specific differences [KSW96]. Our attacks build on the original work, showing how to adapt the general attack to deal with the difficulties of the individual algorithms. We also give specific design principles to protect against these attacks.
Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER and Triple-DES
In Advances in Cryptology - CRYPTO '96, 1996
Cited by 4 (0 self)

Abstract
We present new attacks on key schedules of block ciphers. These attacks are based on the principles of related-key differential cryptanalysis: attacks that allow both keys and plaintexts to be chosen with specific differences. We show how these attacks can be exploited in actual protocols and cryptanalyze the key schedules of a variety of algorithms, including three-key triple-DES.
A Critical Look at Cryptographic Hash Function Literature
ECRYPT Hash Workshop, 2007
Cited by 3 (1 self)

Abstract
The cryptographic hash function literature has numerous hash function definitions and hash function requirements, and many of them disagree. This survey talks about the various definitions, and takes steps towards cleaning up the literature by explaining how the field has evolved and accurately depicting the research aims people have today.
Architectural Techniques for Accelerating Subword Permutations with Repetitions
2003
Cited by 2 (0 self)

Abstract
We propose two new instructions, swperm and sieve, that can be used to efficiently complete an arbitrary bit-level permutation of an n-bit word with or without repetitions. Permutations with repetitions are rearrangements of an ordered set in which elements may replace other elements in the set; such permutations are useful in cryptographic algorithms. On a four-way superscalar processor, we can complete an arbitrary 64-bit permutation with repetitions of 1-bit subwords in 11 instructions and only four cycles using the two proposed instructions. For subwords of size 4 bits or greater, we can perform an arbitrary permutation with repetitions of a 64-bit register in a single cycle using a single swperm instruction. This improves upon previous results by requiring fewer instructions to permute 4-bit or larger subwords packed in a 64-bit register and fewer execution cycles for 1-bit subwords on wide superscalar processors. We also demonstrate that we can accelerate the performance of the popular DES block cipher using the proposed instructions. We obtain a DES performance improvement of at least 55% in constrained embedded environments and an improvement of 71% on a four-way superscalar processor when applying DES as a cryptographic hash function.
Cryptanalysis of TWOPRIME
1998
Cited by 2 (1 self)

Abstract
Ding et al [DNRS97] propose a stream generator based on several layers. We present several attacks. First, we observe that the non-surjectivity of a linear combination step allows us to recover half the key with minimal effort. Next, we show that the various bytes are insufficiently mixed by these layers, enabling an attack similar to those on two-loop Vigenere ciphers to recover the remainder of the key. Combining these techniques lets us recover the entire TWOPRIME key. We require the generator to produce 2 blocks (2 bytes), or 19 hours worth of output, of which we examine about one million blocks (2^23 bytes); the computational workload can be estimated at 2 operations. Another set of attacks trades off texts for time, reducing the amount of known plaintext needed to just eight blocks (64 bytes), while needing 2 time and 2 space. We also show how to break two variants of TWOPRIME presented in the original paper.