Twofish: A 128-Bit Block Cipher
In First Advanced Encryption Standard (AES) Conference, 1998
Cited by 50 (8 self)
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
A High-Performance Flexible Architecture for Cryptography
In Lecture Notes in Computer Science 1717, 1999
Cited by 21 (0 self)
Cryptographic algorithms are more efficiently implemented in custom hardware than in software running on general-purpose processors. However, systems which use hardware implementations have significant drawbacks: they are unable to respond to flaws discovered in the implemented algorithm or to changes in standards. In this paper we show how reconfigurable computing offers high performance yet flexible solutions for cryptographic algorithms. We focus on PipeRench, a reconfigurable fabric that supports implementations which can yield better than custom-hardware performance and yet maintains all the flexibility of software based systems. PipeRench is a pipelined reconfigurable fabric which virtualizes hardware, enabling large circuits to be run on limited physical hardware. We present implementations for Crypton, IDEA, RC6, and Twofish on PipeRench and an extension of PipeRench, PipeRench . We also describe how various proposed AES algorithms could be implemented on PipeRe...
Energy, Performance, Area Versus Security Trade-offs for Stream Ciphers
In The State of the Art of Stream Ciphers, Workshop Record (2004), ECRYPT, 2004
Cited by 9 (0 self)
The goal of this submission is to provide a framework and platform to compare stream ciphers not only on their security level but also based on their energy consumption, performance and area cost. We describe the basic hardware assumptions, give the area, delay and power consumption values of some existing stream ciphers and give guidelines for the designs of future algorithms.
Keywords: E0, A5/1, RC4, hardware implementation, power consumption
Cryptanalysis of SPEED
Cited by 5 (4 self)
The cipher family SPEED (and an associated hashing mode) was recently proposed in Financial Cryptography '97. This paper cryptanalyzes that proposal, in two parts: First, we discuss several troubling potential weaknesses in the cipher. Next, we show how to efficiently break the SPEED hashing mode using differential related-key techniques, and propose a differential attack on 48-round SPEED. These results raise some significant questions about the security of the SPEED design.
1 Introduction
In Financial Cryptography '97, Zheng proposed a new family of block ciphers, called SPEED [12]. One specifies a particular SPEED cipher by choosing parameters such as the block size and number of rounds; the variations are otherwise alike in their key schedule and round structure. Under the hood, SPEED is built out of an unbalanced Feistel network. Zheng also proposed a hash function based on running a SPEED block cipher in a slightly modified Davies-Meyer mode. One of the main contributions of t...
F-HASH: Securing Hash Functions Using Feistel Chaining, Cryptology ePrint Archive
Cited by 1 (0 self)
Abstract. The Feistel structure is well-known as a good structure for building block ciphers, due to its property of invertibility. It can be made non-invertible by fixing the left half of the input to 0, and by discarding the left half of the output bits. It then becomes suitable as a hash function construction. This paper uses the structure to build a hash function called F-Hash, which is immune to recent attack styles. Generally the security of such structures is discussed using Random Oracle Models. In this paper, a more precise evaluation method, based upon conditional probability, is given.
New Integrated proof method on Iterated Hash Structure and New Structures
2006
Cited by 1 (1 self)
A secure hash structure in the Random Oracle Model may not be a secure model in true design. In this paper, we give an integrated proof method on the security proof of iterated hash structures. Based on the proof method, we can distinguish the security of the Merkle-Damgård structure, wide-pipe hash, double-pipe hash and 3c hash, know the requirements of true design on the compression function, and give a new recommended structure. Finally, we give a new hash structure, MAC structure and encryption model which use the same block cipher round function and key schedule algorithm; security proofs for those structures are given.
Improved Collision and Preimage Resistance Bounds on PGV Schemes
Cited by 1 (0 self)
most basic ways to construct a hash function from a block cipher, and regarded 12 of those 64 schemes as secure. Black, Rogaway and Shrimpton [3] (BRS) provided a formal and quantitative treatment of those 64 constructions and proved that, in the black-box model, the 12 schemes (group-1) that PGV singled out as secure really are secure. By stepping outside of the Merkle-Damgård [4] approach to analysis, an additional 8 (group-2) of the 64 schemes are just as collision resistant as the first group of schemes. Tight upper and lower bounds on the collision resistance of those 20 schemes were given. In this paper, those collision resistance and preimage resistance bounds are improved, which shows that, in the black-box model, the collision bounds of those 20 schemes are the same. In group-1 schemes, 8 out of 12 can find a fixed point easily. Bounds on second preimage, multicollisions of Joux [6], fixed-point multicollisions [8] and combinations of the two kinds of multicollisions are also given. From those bounds, group-1 schemes can also be divided into two groups.
Key Words: Hash Function, Block Cipher, M-D Construction

