On the Design of S-Boxes
, 1986
each of which contains n bits, or avalanche variables. If this procedure is repeated for all i such that 1 < i < m, and one half of the avalanche variables are equal to 1 for each i, then the function f has good avalanche effect. Of course this method can be pursued only if m is fairly small; otherwise, the number of plaintext vectors becomes too large. If that is the case then the best that can be done is to take a random sample of plaintext vectors X, and for each value of i calculate all the avalanche vectors V_i. If approximately one half the resulting avalanche variables are equal to 1 for all values of i, then we can conclude that the function has a good avalanche effect.
THE STRICT AVALANCHE CRITERION AND THE INDEPENDENCE OF AVALANCHE VARIABLES
The concepts of completeness and the avalanche effect can be combined to define a new prope
Truncated and Higher Order Differentials
Fast Software Encryption: Second International Workshop, Leuven, Belgium, LNCS 1008
, 1995
In [6] higher order derivatives of discrete functions were considered and the concept of higher order differentials was introduced. We introduce the concept of truncated differentials and present attacks on ciphers presumably secure against differential attacks, but vulnerable to attacks using higher order and truncated differentials. Also we give a differential attack using truncated differentials on DES reduced to 6 rounds using only 46 chosen plaintexts with an expected running time of about the time of 3,500 encryptions. Finally it is shown how to find a minimum nonlinear order of a block cipher using higher order differentials.
On the Security of Multiple Encryption
 COMMUNICATIONS OF THE ACM
, 1981
Double encryption has been suggested to strengthen the Federal Data Encryption Standard (DES). A recent proposal suggests that using two 56-bit keys but enciphering 3 times (encrypt with a first key, decrypt with a second key, then encrypt with the first key again) increases security over simple double encryption. This paper shows that although either technique significantly improves security over single encryption, the new technique does not significantly increase security over simple double encryption. Cryptanalysis of the 112-bit key requires about 2^56 operations and words of memory, using a chosen plaintext attack. While DES is used as an example, the technique is applicable to any similar cipher.
An Experiment on DES Statistical Cryptanalysis
, 1995
Linear cryptanalysis and differential cryptanalysis are the most important methods of attack against block ciphers. Their efficiency has been demonstrated against several ciphers, including the Data Encryption Standard. We prove that both of them can be considered, improved and joined in a more general statistical framework. We also show that the very same results as those obtained in the case of DES can be found without any linear analysis, and we slightly improve them into an attack with theoretical complexity 2^42.9. We can apply another statistical attack, the χ² cryptanalysis, on the same characteristics without a definite idea of what happens in the encryption process. It appears to be roughly as efficient as both differential and linear cryptanalysis. We propose a new heuristic method to find good characteristics. It has found an attack against DES absolutely equivalent to Matsui's one by following a distinct path.
Cryptographic Hash Functions: A Survey
, 1995
This paper gives a survey on cryptographic hash functions. It gives an overview of all types of hash functions and reviews design principles and possible methods of attack. It also focuses on keyed hash functions and provides the applications, requirements, and constructions of keyed hash functions.
The Use of Bent Sequences to Achieve Higher-Order Strict Avalanche Criterion in S-Box Design
, 1990
Recently, Pieprzyk and Finkelstein described a construction procedure for the substitution boxes (S-boxes) of Substitution-Permutation Network cryptosystems which yielded S-boxes of high nonlinearity. Shortly afterward, in seemingly unrelated work, Yarlagadda and Hershey discussed the analysis and synthesis of binary bent sequences of length 4^k, for k a positive integer. In this paper, we report on work which not only extends the results of both of these papers, but also combines them through the concept of "higher orders" of the Strict Avalanche Criterion for Boolean functions. We discuss the implications for S-box design and the use of such S-boxes in the construction of DES-like cryptosystems.
The authors are with the Department of Electrical Engineering, Queen's University at Kingston, Ontario, K7L 3N6.
1 Introduction
Substitution boxes (S-boxes) are a critical component of ...
A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms
 Proceedings of EUROCRYPT 2003
, 2003
Abstract. This paper presents two algorithms for solving the linear and the affine equivalence problem for arbitrary permutations (S-boxes). For a pair of n × n-bit permutations the complexity of the linear equivalence algorithm (LE) is O(n^3 2^n). The affine equivalence algorithm (AE) has complexity O(n^3 2^{2n}). The algorithms are efficient and allow one to study linear and affine equivalences for bijective S-boxes of all popular sizes (LE is efficient up to n ≤ 32). Using these tools new equivalent representations are found for a variety of ciphers: Rijndael, DES, Camellia, Serpent, Misty, Kasumi, Khazad, etc. The algorithms are furthermore extended for the case of non-bijective n-to-m-bit S-boxes with a small value of n − m, and for the case of almost equivalent S-boxes. The algorithms also provide new attacks on a generalized Even-Mansour scheme. Finally, the paper defines a new problem of S-box decomposition in terms of Substitution Permutation Networks (SPN) with layers of smaller S-boxes. Simple information-theoretic bounds are proved for such decompositions. Keywords: Linear, affine equivalence algorithm, S-boxes, Block ciphers,
The Design of the ICE Encryption Algorithm
 Fast Software Encryption, 4th International Workshop Proceedings
, 1997
This paper describes the design and implementation of the ICE cryptosystem, a 64-bit Feistel block cipher. It describes the design process, with the various aims and tradeoffs involved. It also introduces the concept of keyed permutation to improve resistance to differential and linear cryptanalysis, and the use of an extensible key schedule to achieve an explicit tradeoff between speed and security.
1 Introduction
The Data Encryption Standard (DES) [8] has been widely used as an international standard since its introduction in 1977. However, in the years since its release, a number of vulnerabilities have come to light. These include susceptibility to differential cryptanalysis [2], susceptibility to linear cryptanalysis [7], a key/plaintext complementation weakness [4], four weak and twelve semi-weak keys [4], a fixed 56-bit key size, inefficient software performance, and an absence of public design criteria. While triple-DES [10] provides a larger key size at 112 bits, thi...
Imprimitive permutation groups and trapdoors in iterated block ciphers
 6th International Workshop, FSE’99
, 1999
Abstract. An iterated block cipher can be regarded as a means of producing a set of permutations of a message space. Some properties of the group generated by the round functions of such a cipher are known to be of cryptanalytic interest. It is shown here that if this group acts imprimitively on the message space then there is an exploitable weakness in the cipher. It is demonstrated that a weakness of this type can be used to construct a trapdoor that may be difficult to detect. An example of a DES-like cipher, resistant to both linear and differential cryptanalysis, that generates an imprimitive group and is easily broken, is given. Some implications for block cipher design are noted.
Cryptanalysis of the CFB mode of the DES with a reduced number of rounds
, 1993
Three attacks on the DES with a reduced number of rounds in the Cipher Feedback Mode (CFB) are studied, namely a meet in the middle attack, a differential attack, and a linear attack. These attacks are based on the same principles as the corresponding attacks on the ECB mode. They are compared to the three basic attacks on the CFB mode. In 8-bit CFB and with 8 rounds instead of 16, a differential attack with 2^39.4 chosen ciphertexts can find 3 key bits, and a linear attack with 2^31 known plaintexts can find 7 key bits. This suggests that it is not safe to reduce the number of rounds in order to improve the performance. Moreover, it is shown that the final permutation has some cryptographic significance in the CFB mode.