Results 1  10
of
28
Twofish: A 128Bit Block Cipher
 in First Advanced Encryption Standard (AES) Conference
, 1998
"... Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bit ..."
Abstract

Cited by 56 (8 self)
 Add to MetaCart
Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2 22.5 chosen plaintexts and 2 51 effort.
Unbalanced Feistel Networks and BlockCipher Design
 Fast Software Encryption, 3rd International Workshop Proceedings
, 1996
"... We examine a generalization of the concept of Feistel networks, which we call Unbalanced Feistel Networks (UFNs). Like conventional Feistel networks, UFNs consist of a series of rounds in which one part of the block operates on the rest of the block. However, in a UFN the two parts need not be of eq ..."
Abstract

Cited by 52 (5 self)
 Add to MetaCart
We examine a generalization of the concept of Feistel networks, which we call Unbalanced Feistel Networks (UFNs). Like conventional Feistel networks, UFNs consist of a series of rounds in which one part of the block operates on the rest of the block. However, in a UFN the two parts need not be of equal size. Removing this limitation on Feistel networks has interesting implications for designing ciphers secure against linear and differential attacks. We describe UFNs and a terminology for discussing their properties, present and analyze some UFN constructions, and make some initial observations about their security. It is notable that almost all the proposed ciphers that are based on Feistel networks follow the same design construction: half the bits operate on the other half. There is no inherent reason that this should be so; as we will demonstrate, it is possible to design Feistel networks across a much wider, richer design space. In this paper, we examine the nature of the...
GAC  the Criterion for Global Avalanche Characteristics of Cryptographic Functions
 Journal of Universal Computer Science
, 1995
"... Abstract: We show that some widely accepted criteria for cryptographic functions, including the strict avalanche criterion (SAC) and the propagation criterion, have various limitations in capturing properties of vital importance to cryptographic algorithms, and propose a new criterion called GAC tom ..."
Abstract

Cited by 34 (3 self)
 Add to MetaCart
Abstract: We show that some widely accepted criteria for cryptographic functions, including the strict avalanche criterion (SAC) and the propagation criterion, have various limitations in capturing properties of vital importance to cryptographic algorithms, and propose a new criterion called GAC tomeasure the global avalanche characteristics of cryptographic functions. We also introduce two indicators related to the new criterion, one forecasts the sumofsquares while the other the absolute avalanche characteristics of a function. Lower and upper bounds on the two indicators are derived, and two methods are presented to construct cryptographic functions that achieve nearly optimal global avalanche characteristics. Category: E.3 1 Why the GAC In 1985, Webster and Tavares introduced the concept of the strict avalanche criterion (SAC) when searching for principles for designing DESlike data encryption algorithms [Web85, WT86]. A function is said to satisfy the SACif complementing asingle bit results inthe output ofthe function being complemented
Provable Security Against a Differential Attack
 Journal of Cryptology
, 1995
"... . The purpose of this paper is to show that there exist DESlike iterated ciphers, which are provably resistant against differential attacks. The main result on the security of a DESlike cipher with independent round keys is Theorem 1, which gives an upper bound to the probability of sround differe ..."
Abstract

Cited by 33 (2 self)
 Add to MetaCart
. The purpose of this paper is to show that there exist DESlike iterated ciphers, which are provably resistant against differential attacks. The main result on the security of a DESlike cipher with independent round keys is Theorem 1, which gives an upper bound to the probability of sround differentials, as defined in [4] and this upper bound depends only on the round function of the iterated cipher. Moreover, it is shown that there exist functions such that the probabilities of differentials are less than or equal to 2 3\Gamman , where n is the length of the plaintext block. We also show a prototype of an iterated block cipher, which is compatible with DES and has proven security against differential attacks. Key words. DESlike ciphers, Differential cryptanalysis, Almost perfect nonlinear permutations, Markov Ciphers. 1 Introduction A DESlike cipher is a block cipher based on iterating a function, called F, several times. Each iteration is called a round. The input to each rou...
SubstitutionPermutation Networks Resistant to Differential and Linear Cryptanalysis
 JOURNAL OF CRYPTOLOGY
, 1996
"... In this paper we examine a class of product ciphers referred to as substitutionpermutation networks. We investigate the resistance of these cryptographic networks to two important attacks: differential cryptanalysis and linear cryptanalysis. In particular, we develop upper bounds on the differenti ..."
Abstract

Cited by 29 (10 self)
 Add to MetaCart
In this paper we examine a class of product ciphers referred to as substitutionpermutation networks. We investigate the resistance of these cryptographic networks to two important attacks: differential cryptanalysis and linear cryptanalysis. In particular, we develop upper bounds on the differential characteristic probability and on the probability of a linear approximation as a function of the number of rounds of substitutions. Further, it is shown that using large Sboxes with good diffusion characteristics and replacing the permutation between rounds by an appropriate linear transformation is effective in improving the cipher security in relation to these two attacks.
New Classes of Almost Bent and Almost Perfect Nonlinear Functions
 IEEE Trans. Inform. Theory
, 2006
"... We construct infinite classes of almost bent and almost perfect nonlinear polynomials, which are affinely inequivalent to any sum of a power function and an affine function. ..."
Abstract

Cited by 25 (10 self)
 Add to MetaCart
We construct infinite classes of almost bent and almost perfect nonlinear polynomials, which are affinely inequivalent to any sum of a power function and an affine function.
An infinite class of quadratic APN functions which are Not Equivalent To power mappings
 PROCEEDINGS OF THE IEEE INTERNATIONAL SYMPOSIUM ON INFORMATION THEORY 2006
, 2005
"... We exhibit an infinite class of almost perfect nonlinear quadratic polynomials from F 2 n to F 2 n (n 12, n divisible by 3 but not by 9). We prove that these functions are EAinequivalent to any power function. In the forthcoming version of the present paper we will proof that these function ..."
Abstract

Cited by 24 (6 self)
 Add to MetaCart
We exhibit an infinite class of almost perfect nonlinear quadratic polynomials from F 2 n to F 2 n (n 12, n divisible by 3 but not by 9). We prove that these functions are EAinequivalent to any power function. In the forthcoming version of the present paper we will proof that these functions are CCZinequivalent to any Gold function and to any Kasami function, in particular for n = 12, they are therefore CCZinequivalent to power functions.
Degree of composition of highly nonlinear functions and applications to higher order differential cryptanalysis
 EUROCRYPT 2002
, 2002
"... To improve the security of iterated block ciphers, the resistance against linear cryptanalysis has been formulated in terms of provable security which suggests the use of highly nonlinear functions as round functions. Here, we show that some properties of such functions enable to find a new upper bo ..."
Abstract

Cited by 21 (6 self)
 Add to MetaCart
To improve the security of iterated block ciphers, the resistance against linear cryptanalysis has been formulated in terms of provable security which suggests the use of highly nonlinear functions as round functions. Here, we show that some properties of such functions enable to find a new upper bound for the degree of the product of its Boolean components. Such an improvement holds when all values occurring in the Walsh spectrum of the round function are divisible by a high power of 2. This result leads to a higher order differential attack on any 5round Feistel ciphers using an almost bent substitution function. We also show that the use of such a function is precisely the origin of the weakness of a reduced version of MISTY1 reported in [23, 1].
Relationships among nonlinearity criteria
 In Advances in Cryptology  EUROCRYPT'94, volume 950, Lecture Notes in Computer Science
, 1995
"... Abstract. An important question in designing cryptographic functions including substitution boxes (Sboxes) is the relationships among the various nonlinearity criteria each of which indicates the strength or weakness of a cryptographic function against a particular type of cryptanalytic attacks. In ..."
Abstract

Cited by 14 (7 self)
 Add to MetaCart
Abstract. An important question in designing cryptographic functions including substitution boxes (Sboxes) is the relationships among the various nonlinearity criteria each of which indicates the strength or weakness of a cryptographic function against a particular type of cryptanalytic attacks. In this paper we reveal, for the rst time, interesting connections among the strict avalanche characteristics, di erential characteristics, linear structures and nonlinearity of quadratic Sboxes. In addition, we show that our proof techniques allow us to treat in a uni ed fashion all quadratic permutations, regardless of the underlying construction methods. This greatly simpli es the proofs for a number of known results on nonlinearity characteristics of quadratic permutations. As a byproduct, we obtain a negative answer to an open problem regarding the existence of di erentially 2uniform quadratic permutations on an even dimensional vector space. 1 Nonlinearity Criteria
Resistance of Balanced Sboxes to Linear and Differential Cryptanalysis
"... : In this letter, we study the marginal density of the XOR distribution table, and the linear approximation table entries of regular substitution boxes (sboxes). Based on this, we show that the fraction of good sboxes (with regard to immunity against linear and differential cryptanalysis) increas ..."
Abstract

Cited by 12 (3 self)
 Add to MetaCart
: In this letter, we study the marginal density of the XOR distribution table, and the linear approximation table entries of regular substitution boxes (sboxes). Based on this, we show that the fraction of good sboxes (with regard to immunity against linear and differential cryptanalysis) increases dramatically with the number of input variables. Introduction Differential cryptanalysis [1], and linear cryptanalysis [3] are currently the most powerful cryptanalytic attacks on privatekey block ciphers. The complexity of differential cryptanalysis depends on the size of the largest entry in the XOR table, the total number of zeroes in the XOR table, and the number of nonzero entries in the first column in that table [1], [8]. The complexity of linear cryptanalysis depends on the size of the largest entry in the linear approximation table (LAT). One requirement in sbox design is to have a balanced sbox (also known as a regular sbox). This means that each output symbol should app...