Results 1 - 10 of 26
Twofish: A 128-Bit Block Cipher
- First Advanced Encryption Standard (AES) Conference, 1998
Abstract - Cited by 50 (8 self)
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^{22.5} chosen plaintexts and 2^{51} effort.
Unbalanced Feistel Networks and Block-Cipher Design
- Fast Software Encryption, 3rd International Workshop Proceedings, 1996
Abstract - Cited by 44 (5 self)
We examine a generalization of the concept of Feistel networks, which we call Unbalanced Feistel Networks (UFNs). Like conventional Feistel networks, UFNs consist of a series of rounds in which one part of the block operates on the rest of the block. However, in a UFN the two parts need not be of equal size. Removing this limitation on Feistel networks has interesting implications for designing ciphers secure against linear and differential attacks. We describe UFNs and a terminology for discussing their properties, present and analyze some UFN constructions, and make some initial observations about their security. It is notable that almost all the proposed ciphers that are based on Feistel networks follow the same design construction: half the bits operate on the other half. There is no inherent reason that this should be so; as we will demonstrate, it is possible to design Feistel networks across a much wider, richer design space. In this paper, we examine the nature of the...
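The two Feistel entries above (Twofish's balanced 16-round network and the unbalanced generalization) share one structural fact worth seeing in running code: decryption never inverts the round function F, it only recomputes it, so F may be arbitrary and non-invertible, and the source and target parts of the block may be of unequal size. The following is an added example written for this listing, not code from either paper; the block size, the (s, t) splits, the sequential round keys and the SHA-256-based toy F are all assumptions of the example and have nothing to do with Twofish's actual round function or key schedule.

```python
import hashlib


def round_function(source: int, source_bits: int, round_key: int, target_bits: int) -> int:
    """Toy round function F (an assumption of this example, not Twofish's F).

    Hashes the source part together with the round key and keeps target_bits
    of the digest, so it is deliberately not invertible: the network below
    only ever recomputes F, it never needs F^-1.
    """
    data = source.to_bytes((source_bits + 7) // 8, "big") + round_key.to_bytes(8, "big")
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest[:8], "big") & ((1 << target_bits) - 1)


class UnbalancedFeistel:
    """(s, t) unbalanced Feistel network on a b-bit block, b = s + t.

    Each round the s-bit source part drives F, F's output is XORed into the
    t-bit target part, and the block is rotated so the old target becomes the
    high bits and the old source the low bits. s == t is the classical
    balanced Feistel network.
    """

    def __init__(self, block_bits: int, source_bits: int, round_keys) -> None:
        if not 0 < source_bits < block_bits:
            raise ValueError("source must be a proper, non-empty part of the block")
        self.b = block_bits
        self.s = source_bits
        self.t = block_bits - source_bits
        self.keys = list(round_keys)

    def _round(self, block: int, key: int) -> int:
        source, target = block >> self.t, block & ((1 << self.t) - 1)
        target ^= round_function(source, self.s, key, self.t)
        return (target << self.s) | source              # rotate: target high, source low

    def _unround(self, block: int, key: int) -> int:
        target, source = block >> self.s, block & ((1 << self.s) - 1)
        target ^= round_function(source, self.s, key, self.t)   # same F, never F^-1
        return (source << self.t) | target

    def encrypt(self, block: int) -> int:
        for key in self.keys:
            block = self._round(block, key)
        return block

    def decrypt(self, block: int) -> int:
        for key in reversed(self.keys):
            block = self._unround(block, key)
        return block


def hamming_distance(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def roundtrip(block_bits: int, source_bits: int, rounds: int, plaintext: int) -> tuple:
    """Encrypt then decrypt one block with constructed round keys 1..rounds;
    returns (ciphertext, decrypt(ciphertext) == plaintext)."""
    cipher = UnbalancedFeistel(block_bits, source_bits, range(1, rounds + 1))
    ciphertext = cipher.encrypt(plaintext)
    return ciphertext, cipher.decrypt(ciphertext) == plaintext


if __name__ == "__main__":
    pt = 0x0123456789ABCDEF                      # constructed sample block
    for s in (32, 48, 16):                       # balanced, source-heavy, target-heavy splits
        ct, ok = roundtrip(64, s, 16, pt)
        print(f"s={s:2d} t={64 - s:2d} ct={ct:016x} roundtrip_ok={ok}")
    cipher = UnbalancedFeistel(64, 48, range(1, 17))
    print("ciphertext bits changed by a 1-bit plaintext change after 16 rounds:",
          hamming_distance(cipher.encrypt(pt), cipher.encrypt(pt ^ 1)))
```

Because a round only touches the t target bits, a target-heavy split mixes more bits per round but feeds fewer into F, while a source-heavy split does the opposite; the class lets you change the split and count rounds yourself rather than take either trade-off on faith.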
Provable Security Against a Differential Attack
- Journal of Cryptology, 1995
Abstract - Cited by 32 (2 self)
The purpose of this paper is to show that there exist DES-like iterated ciphers, which are provably resistant against differential attacks. The main result on the security of a DES-like cipher with independent round keys is Theorem 1, which gives an upper bound to the probability of s-round differentials, as defined in [4], and this upper bound depends only on the round function of the iterated cipher. Moreover, it is shown that there exist functions such that the probabilities of differentials are less than or equal to 2^{3-n}, where n is the length of the plaintext block. We also show a prototype of an iterated block cipher, which is compatible with DES and has proven security against differential attacks. Key words: DES-like ciphers, differential cryptanalysis, almost perfect nonlinear permutations, Markov ciphers. 1 Introduction. A DES-like cipher is a block cipher based on iterating a function, called F, several times. Each iteration is called a round. The input to each rou...
Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis
- Journal of Cryptology, 1996
Abstract - Cited by 29 (10 self)
In this paper we examine a class of product ciphers referred to as substitution-permutation networks. We investigate the resistance of these cryptographic networks to two important attacks: differential cryptanalysis and linear cryptanalysis. In particular, we develop upper bounds on the differential characteristic probability and on the probability of a linear approximation as a function of the number of rounds of substitutions. Further, it is shown that using large S-boxes with good diffusion characteristics and replacing the permutation between rounds by an appropriate linear transformation is effective in improving the cipher security in relation to these two attacks.
GAC - the Criterion for Global Avalanche Characteristics of Cryptographic Functions
- Journal of Universal Computer Science, 1995
Abstract - Cited by 28 (3 self)
Abstract: We show that some widely accepted criteria for cryptographic functions, including the strict avalanche criterion (SAC) and the propagation criterion, have various limitations in capturing properties of vital importance to cryptographic algorithms, and propose a new criterion called GAC to measure the global avalanche characteristics of cryptographic functions. We also introduce two indicators related to the new criterion, one forecasts the sum-of-squares while the other the absolute avalanche characteristics of a function. Lower and upper bounds on the two indicators are derived, and two methods are presented to construct cryptographic functions that achieve nearly optimal global avalanche characteristics. Category: E.3. 1 Why the GAC: In 1985, Webster and Tavares introduced the concept of the strict avalanche criterion (SAC) when searching for principles for designing DES-like data encryption algorithms [Web85, WT86]. A function is said to satisfy the SAC if complementing a single bit results in the output of the function being complemented
An infinite class of quadratic APN functions which are Not Equivalent To power mappings
- Proceedings of the IEEE International Symposium on Information Theory 2006, 2005
Abstract - Cited by 21 (6 self)
We exhibit an infinite class of almost perfect nonlinear quadratic polynomials from F_{2^n} to F_{2^n} (n ≥ 12, n divisible by 3 but not by 9). We prove that these functions are EA-inequivalent to any power function. In the forthcoming version of the present paper we will prove that these functions are CCZ-inequivalent to any Gold function and to any Kasami function; in particular for n = 12, they are therefore CCZ-inequivalent to power functions.
New Classes of Almost Bent and Almost Perfect Nonlinear Functions
- IEEE Trans. Inform. Theory, 2006
Abstract - Cited by 19 (9 self)
We construct infinite classes of almost bent and almost perfect nonlinear polynomials, which are affinely inequivalent to any sum of a power function and an affine function.
Degree of composition of highly nonlinear functions and applications to higher order differential cryptanalysis
- In Advances in Cryptology - EUROCRYPT 2002
Abstract - Cited by 14 (2 self)
Abstract. To improve the security of iterated block ciphers, the resistance against linear cryptanalysis has been formulated in terms of provable security, which suggests the use of highly nonlinear functions as round functions. Here, we show that some properties of such functions enable one to find a new upper bound for the degree of the product of its Boolean components. Such an improvement holds when all values occurring in the Walsh spectrum of the round function are divisible by a high power of 2. This result leads to a higher order differential attack on any 5-round Feistel cipher using an almost bent substitution function. We also show that the use of such a function is precisely the origin of the weakness of a reduced version of MISTY1 reported in [23, 1].
Relationships among nonlinearity criteria
- In Advances in Cryptology - EUROCRYPT'94, volume 950, Lecture Notes in Computer Science, 1995
Abstract - Cited by 13 (6 self)
Abstract. An important question in designing cryptographic functions including substitution boxes (S-boxes) is the relationships among the various nonlinearity criteria, each of which indicates the strength or weakness of a cryptographic function against a particular type of cryptanalytic attack. In this paper we reveal, for the first time, interesting connections among the strict avalanche characteristics, differential characteristics, linear structures and nonlinearity of quadratic S-boxes. In addition, we show that our proof techniques allow us to treat in a unified fashion all quadratic permutations, regardless of the underlying construction methods. This greatly simplifies the proofs for a number of known results on nonlinearity characteristics of quadratic permutations. As a by-product, we obtain a negative answer to an open problem regarding the existence of differentially 2-uniform quadratic permutations on an even dimensional vector space. 1 Nonlinearity Criteria
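Several entries above are about the same handful of measurable S-box properties: the differential probability bound (the provable-security and SPN entries), the Walsh spectrum and nonlinearity (the higher-order-differential and AB/APN entries), the SAC and the two GAC indicators, and the quadratic-permutation question just above. The toolkit below computes all of them by brute force on small S-boxes. It is an added example written for this listing, not code from any of the papers. It evaluates three power mappings that are assumptions of the example: the Gold function x^3 over GF(2^5) (a permutation that is both APN and almost bent), the same function over GF(2^4) (APN but not a permutation, which is exactly the even-dimension situation the last abstract settles for quadratic permutations), and the field inverse over GF(2^8) with the reduction polynomial used by AES (differentially 4-uniform, nonlinearity 112).

```python
def gf2n_mul(a: int, b: int, n: int, poly: int) -> int:
    """Multiply in GF(2^n); poly is the reduction polynomial with bit n set."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= poly
    return r

def gf2n_pow(x: int, e: int, n: int, poly: int) -> int:
    r = 1
    while e:
        if e & 1:
            r = gf2n_mul(r, x, n, poly)
        x = gf2n_mul(x, x, n, poly)
        e >>= 1
    return r

def power_sbox(n: int, poly: int, e: int) -> list:
    """Lookup table of x -> x^e over GF(2^n): e = 3 is the Gold function x^(2+1),
    e = 2^n - 2 is the field inverse with 0 -> 0."""
    return [gf2n_pow(x, e, n, poly) for x in range(1 << n)]

def parity(v: int) -> int:
    return bin(v).count("1") & 1

def is_bijective(S: list) -> bool:
    return len(set(S)) == len(S)

def differential_uniformity(S: list) -> int:
    """Largest difference-distribution-table entry over nonzero input differences a;
    the best one-round differential probability is this / len(S). 2 means APN."""
    size, worst = len(S), 0
    for a in range(1, size):
        counts = [0] * size
        for x in range(size):
            counts[S[x ^ a] ^ S[x]] += 1
        worst = max(worst, max(counts))
    return worst

def is_apn(S: list) -> bool:
    return differential_uniformity(S) == 2

def fwht(vec: list) -> list:
    """Walsh-Hadamard transform of a +-1 vector in O(n 2^n) (butterflies)."""
    vec, h = list(vec), 1
    while h < len(vec):
        for i in range(0, len(vec), 2 * h):
            for j in range(i, i + h):
                x, y = vec[j], vec[j + h]
                vec[j], vec[j + h] = x + y, x - y
        h *= 2
    return vec

def walsh_max(S: list, n: int) -> int:
    """max |W(u,v)| over all input masks u and nonzero output masks v, where
    W(u,v) = sum_x (-1)^(u.x + v.S(x)); the best linear approximation has bias walsh_max/2^(n+1)."""
    best = 0
    for v in range(1, 1 << n):
        signs = [1 - 2 * parity(v & y) for y in S]        # (-1)^(v.S(x)) for every x
        best = max(best, max(abs(w) for w in fwht(signs)))
    return best

def nonlinearity(S: list, n: int) -> int:
    return (1 << (n - 1)) - walsh_max(S, n) // 2

def is_almost_bent(S: list, n: int) -> bool:
    """AB functions exist only for odd n: every nonzero W(u,v) is +-2^((n+1)/2)."""
    return n % 2 == 1 and walsh_max(S, n) == 1 << ((n + 1) // 2)

def sac_counts(S: list, n: int) -> list:
    """counts[i][j] = number of inputs whose output bit j flips when input bit i is
    complemented; the strict avalanche criterion needs every entry to be 2^(n-1)."""
    size = 1 << n
    return [[sum((S[x] ^ S[x ^ (1 << i)]) >> j & 1 for x in range(size)) for j in range(n)]
            for i in range(n)]

def satisfies_sac(S: list, n: int) -> bool:
    return all(c == 1 << (n - 1) for row in sac_counts(S, n) for c in row)

def gac_indicators(S: list, n: int, v: int) -> tuple:
    """The two GAC indicators of the component function f(x) = v.S(x):
    (absolute indicator max_{a!=0} |D(a)|, sum-of-squares sum_a D(a)^2),
    with autocorrelation D(a) = sum_x (-1)^(f(x) + f(x^a))."""
    size = 1 << n
    f = [parity(v & y) for y in S]
    ac = [sum(1 - 2 * (f[x] ^ f[x ^ a]) for x in range(size)) for a in range(size)]
    return max(abs(d) for d in ac[1:]), sum(d * d for d in ac)

if __name__ == "__main__":
    # Reduction polynomials x^5+x^2+1, x^4+x+1, x^8+x^4+x^3+x+1; the criteria below are
    # invariant under the choice of irreducible polynomial (affine equivalence).
    for name, S, n in (("x^3 over GF(2^5)", power_sbox(5, 0b100101, 3), 5),
                       ("x^3 over GF(2^4)", power_sbox(4, 0b10011, 3), 4),
                       ("x^-1 over GF(2^8)", power_sbox(8, 0b100011011, 254), 8)):
        print(name, "| bijective:", is_bijective(S), "| DU:", differential_uniformity(S),
              "| NL:", nonlinearity(S, n), "| AB:", is_almost_bent(S, n),
              "| SAC:", satisfies_sac(S, n), "| GAC(v=1):", gac_indicators(S, n, 1))
```

The numbers tie back to the abstracts: a differential uniformity of 2 on a round function is what the 2^{3-n} bound needs, the Walsh maximum is the quantity whose divisibility by a high power of 2 drives the higher-order differential attack on AB round functions, and the GAC pair shows a quadratic component with a one-dimensional linear structure (absolute indicator 2^n) even though its SAC table may look healthy.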
Cryptographically Resilient Functions
- IEEE Transactions on Information Theory, 1997
Abstract - Cited by 12 (2 self)
This paper studies resilient functions which have applications in fault-tolerant distributed computing, quantum cryptographic key distribution and random sequence generation for stream ciphers. We present a number of methods for synthesizing resilient functions. An interesting aspect of these methods is that they are applicable both to linear and to nonlinear resilient functions. Our second major contribution is to show that every linear resilient function can be transformed into a large number of nonlinear resilient functions with the same parameters. As a result, we obtain resilient functions that are highly nonlinear and have a high algebraic degree. 1 Introduction. An (n, m, t)-resilient function is an n-input m-output function F with the property that it runs through every possible output m-tuple an equal number of times when t arbitrary inputs are fixed and the remaining n − t inputs run through all the 2^{n−t} input tuples once. The concept was introduced by Chor et ...
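The (n, m, t)-resilience definition in the abstract can be checked directly for small n, and doing so makes the linear-to-nonlinear remark concrete. What follows is an added example for this listing, not the paper's code or its constructions: it brute-forces the definition, finds the resilience order of a linear function built from a generator matrix of the [7,4,3] Hamming code (an assumption of the example), and then applies the simplest parameter-preserving transformation there is, composing the output with a 4-bit nonlinear permutation (the PRESENT S-box, used here only as a convenient known permutation). The paper's own transformation methods are richer than this and are not reproduced.

```python
from itertools import combinations, product


def parity(v: int) -> int:
    return bin(v).count("1") & 1


def linear_function(rows: list):
    """F(x) = (<r_0,x>, ..., <r_{m-1},x>): output bit j is the inner product of the
    n-bit input x with the n-bit mask rows[j]."""
    def F(x: int) -> int:
        return sum(parity(r & x) << j for j, r in enumerate(rows))
    return F


def is_t_resilient(F, n: int, m: int, t: int) -> bool:
    """Direct check of the definition: for every choice of t input positions and every
    value on them, the remaining 2^(n-t) inputs must produce every m-bit output exactly
    2^(n-t-m) times."""
    if n - t < m:
        return False
    expected = 1 << (n - t - m)
    for fixed in combinations(range(n), t):
        free = [i for i in range(n) if i not in fixed]
        for vals in product((0, 1), repeat=t):
            base = sum(v << i for v, i in zip(vals, fixed))
            counts = [0] * (1 << m)
            for bits in product((0, 1), repeat=len(free)):
                counts[F(base | sum(b << i for b, i in zip(bits, free)))] += 1
            if any(c != expected for c in counts):
                return False
    return True


def resilience_order(F, n: int, m: int) -> int:
    """Largest t for which F is (n, m, t)-resilient; -1 if F is not even balanced."""
    best = -1
    for t in range(n - m + 1):      # t-resilient implies (t-1)-resilient: stop at first failure
        if not is_t_resilient(F, n, m, t):
            break
        best = t
    return best


def is_affine(F, n: int) -> bool:
    """F is affine iff F(x ^ y) == F(x) ^ F(y) ^ F(0) for all x, y."""
    f0, size = F(0), 1 << n
    return all(F(x ^ y) == F(x) ^ F(y) ^ f0 for x in range(size) for y in range(size))


# Systematic generator matrix of the [7,4,3] Hamming code, one 7-bit mask per row
# (bit i of a mask selects input x_i). Every nonzero sum of rows has weight >= 3, so the
# linear function it defines is 2-resilient and not 3-resilient.
HAMMING_ROWS = [0b0110001, 0b1100010, 0b1110100, 0b1011000]

# PRESENT block cipher S-box: a 4-bit nonlinear permutation, used only to permute outputs.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

LINEAR_F = linear_function(HAMMING_ROWS)


def nonlinear_from_linear(F, perm: list):
    """Compose F with a permutation of its output space. Under any fixing of t inputs the
    outputs were uniformly distributed, and a permutation keeps them uniform, so the
    (n, m, t) parameters are unchanged; because F is linear and onto, each coordinate of
    the result has the algebraic degree of the corresponding coordinate of perm."""
    return lambda x: perm[F(x)]


NONLINEAR_G = nonlinear_from_linear(LINEAR_F, PRESENT_SBOX)


if __name__ == "__main__":
    for label, fn in (("linear F", LINEAR_F), ("G = S(F(x))", NONLINEAR_G)):
        print(label, "| affine:", is_affine(fn, 7),
              "| resilience order:", resilience_order(fn, 7, 4))
```

Both functions report (7, 4, 2); only the composed one is nonlinear. The brute-force checker is exponential in n and is meant for validating small constructions or unit-testing a larger one on a reduced instance, not for production-size parameters.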

