Results 1  10
of
84
Tweakable block ciphers
, 2002
"... Abstract. We propose a new cryptographic primitive, the “tweakable block cipher. ” Such a cipher has not only the usual inputs—message and cryptographic key—but also a third input, the “tweak. ” The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce do ..."
Abstract

Cited by 102 (4 self)
 Add to MetaCart
Abstract. We propose a new cryptographic primitive, the “tweakable block cipher. ” Such a cipher has not only the usual inputs—message and cryptographic key—but also a third input, the “tweak. ” The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our proposal thus brings this feature down to the primitive blockcipher level, instead of incorporating it only at the higher modesofoperation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher “tweakable ” is small, and (3) it is easier to design and prove modes of operation based on tweakable block ciphers.
Links Between Differential and Linear Cryptanalysis
, 1994
"... Linear cryptanalysis, introduced last year by Matsui, will most certainly openup the way to new attack methods which may be made more efficient when compared or combined with differential cryptanalysis. This report exhibits new relations between linear and differential cryptanalysis and presents ne ..."
Abstract

Cited by 65 (4 self)
 Add to MetaCart
Linear cryptanalysis, introduced last year by Matsui, will most certainly openup the way to new attack methods which may be made more efficient when compared or combined with differential cryptanalysis. This report exhibits new relations between linear and differential cryptanalysis and presents new classes of functions which are optimally resistant to these attacks. In particular, we prove that linearresistant functions, which generally present Bent properties, are differentialresistant as well and thus, present Perfect Nonlinear properties. 1 On leave from D'el'egation G'en'erale de l'Armement Links between differential and linear cryptanalysis 1  I Introduction Matsui has introduced last year a new cryptanalysis method for DESlike cryptosystems [Mat94]. The idea of the method is to approximate the nonlinear Sboxes with linear forms. Beside, the performances of linear cryptanalysis seems next to differential cryptanalysis ones, though a little better. These similitudes s...
The Interpolation Attack on Block Ciphers
 In Fast Software Encryption
, 1997
"... In this paper we introduce a new method of attacks on block ciphers, the interpolation attack. This new method is useful for attacking ciphers using simple algebraic functions (in particular quadratic functions) as Sboxes. Also, ciphers of low nonlinear order are vulnerable to attacks based on hig ..."
Abstract

Cited by 61 (5 self)
 Add to MetaCart
In this paper we introduce a new method of attacks on block ciphers, the interpolation attack. This new method is useful for attacking ciphers using simple algebraic functions (in particular quadratic functions) as Sboxes. Also, ciphers of low nonlinear order are vulnerable to attacks based on higher order differentials. Recently, Knudsen and Nyberg presented a 6round prototype cipher which is provably secure against ordinary differential cryptanalysis. We show how to attack the cipher by using higher order differentials and a variant of the cipher by the interpolation attack. It is possible to successfully cryptanalyse up to 32 rounds of the variant using about 2 32 chosen plaintexts with a running time less than 2 64 . Using higher order differentials, a new design concept for block ciphers by Kiefer is also shown to be insecure. Rijmen et al presented a design strategy for block ciphers and the cipher SHARK. We show that there exist ciphers constructed according to this des...
How far can we go beyond linear cryptanalysis
 Advances in Cryptology  Asiacrypt’04, volume 3329 of LNCS
, 2004
"... Abstract. Several generalizations of linear cryptanalysis have been proposed in the past, as well as very similar attacks in a statistical point of view. In this paper, we define a rigorous general statistical framework which allows to interpret most of these attacks in a simple and unified way. The ..."
Abstract

Cited by 37 (9 self)
 Add to MetaCart
Abstract. Several generalizations of linear cryptanalysis have been proposed in the past, as well as very similar attacks in a statistical point of view. In this paper, we define a rigorous general statistical framework which allows to interpret most of these attacks in a simple and unified way. Then, we explicitely construct optimal distinguishers, we evaluate their performance, and we prove that a block cipher immune to classical linear cryptanalysis possesses some resistance to a wide class of generalized versions, but not all. Finally, we derive tools which are necessary to set up more elaborate extensions of linear cryptanalysis, and to generalize the notions of bias, characteristic, and pilingup lemma.
Independent onetime passwords
 USENIX Journal of Computing Systems
, 1996
"... Existing onetime password (OTP) schemes su er several drawbacks. Tokenbased systems are expensive, while softwarebased schemes rely on onetime passwords that are dependent oneachother. There are disadvantages to authentication schemes that rely on dependent OTP's. It is di cult to replicate the ..."
Abstract

Cited by 29 (2 self)
 Add to MetaCart
Existing onetime password (OTP) schemes su er several drawbacks. Tokenbased systems are expensive, while softwarebased schemes rely on onetime passwords that are dependent oneachother. There are disadvantages to authentication schemes that rely on dependent OTP's. It is di cult to replicate the authentication server without lowering security. Also, current authentication schemes based on dependent OTP's only authenticate the initial connection � the remainder of the session is assumed to be authenticated. Experience shows that connections can be hijacked. A new scheme for generating onetime passwords that are independent is presented. The independence property enables easy replication of the authentication server, and authentication that is persistent for the lifetime of a connection. This mechanism is also ideally suited for smart card applications. Our implementation and several applications are discussed. 1
Logical cryptanalysis as a SATproblem: Encoding and analysis
 In Journal of Automated Reasoning
, 2000
"... Abstract. Cryptographic algorithms play a key role in computer security and the formal analysis of their robustness is of utmost importance. Yet, logic and automated reasoning tools are seldom used in the analysis of a cipher, and thus one cannot often get the desired formal assurance that the ciphe ..."
Abstract

Cited by 22 (2 self)
 Add to MetaCart
Abstract. Cryptographic algorithms play a key role in computer security and the formal analysis of their robustness is of utmost importance. Yet, logic and automated reasoning tools are seldom used in the analysis of a cipher, and thus one cannot often get the desired formal assurance that the cipher is free from unwanted properties that may weaken its strength. In this paper, we claim that one can feasibly encode the lowlevel properties of stateoftheart cryptographic algorithms as SAT problems and then use efficient automated theoremproving systems and SATsolvers for reasoning about them. We call this approach logical cryptanalysis. In this framework, for instance, finding a model for a formula encoding an algorithm is equivalent to finding a key with a cryptanalytic attack. Other important properties, such as cipher integrity or algebraic closure, can also be captured as SAT problems or as quantified boolean formulae. SAT benchmarks based on the encoding of cryptographic algorithms can be used to effectively combine features of “realworld ” problems and randomly generated problems. Here we present a case study on the U.S. Data Encryption Standard (DES) and show how to obtain a manageable encoding of its properties. We have also tested three SAT provers, TABLEAU by Crawford and Auton, SATO by Zhang, and relSAT by Bayardo and Schrag, on the encoding of DES, and we discuss the reasons behind their different performance. A discussion of open problems and future research concludes the paper. Key words: cipher verification, Data Encryption Standard, logical cryptanalysis, propositional satisfiability, quantified boolean formulae, SAT benchmarks.
Propagation Characteristics and CorrelationImmunity of Highly Nonlinear Boolean Functions
 EUROCRYPT 2000, Lecture Notes in Comp. Sci
, 2000
"... Abstract. We investigate the link between the nonlinearity of a Boolean function and its propagation characteristics. We prove that highly nonlinear functions usually have good propagation properties regarding different criteria. Conversely, any Boolean function satisfying the propagation criterion ..."
Abstract

Cited by 22 (7 self)
 Add to MetaCart
Abstract. We investigate the link between the nonlinearity of a Boolean function and its propagation characteristics. We prove that highly nonlinear functions usually have good propagation properties regarding different criteria. Conversely, any Boolean function satisfying the propagation criterion with respect to a linear subspace of codimension 1 or 2 has a high nonlinearity. We also point out that most highly nonlinear functions with a threevalued Walsh spectrum can be transformed into 1resilient functions. 1
Degree of composition of highly nonlinear functions and applications to higher order differential cryptanalysis
 EUROCRYPT 2002
, 2002
"... To improve the security of iterated block ciphers, the resistance against linear cryptanalysis has been formulated in terms of provable security which suggests the use of highly nonlinear functions as round functions. Here, we show that some properties of such functions enable to find a new upper bo ..."
Abstract

Cited by 21 (6 self)
 Add to MetaCart
To improve the security of iterated block ciphers, the resistance against linear cryptanalysis has been formulated in terms of provable security which suggests the use of highly nonlinear functions as round functions. Here, we show that some properties of such functions enable to find a new upper bound for the degree of the product of its Boolean components. Such an improvement holds when all values occurring in the Walsh spectrum of the round function are divisible by a high power of 2. This result leads to a higher order differential attack on any 5round Feistel ciphers using an almost bent substitution function. We also show that the use of such a function is precisely the origin of the weakness of a reduced version of MISTY1 reported in [23, 1].
The wide trail design strategy
 in Proceedings of the 8th IMA International Conference on Cryptography and Coding (IMA ’01
, 2001
"... Abstract. We explain the theoretical background of the wide trail design strategy, which was used to design Rijndael, the Advanced Encryption Standard (AES). In order to facilitate the discussion, we introduce our own notation to describe differential and linear cryptanalysis. We present a block cip ..."
Abstract

Cited by 18 (0 self)
 Add to MetaCart
Abstract. We explain the theoretical background of the wide trail design strategy, which was used to design Rijndael, the Advanced Encryption Standard (AES). In order to facilitate the discussion, we introduce our own notation to describe differential and linear cryptanalysis. We present a block cipher structure and prove bounds on the resistance against differential and linear cryptanalysis. 1
DifferentialLinear Weak Key Classes of IDEA
 Advances in Cryptology  EUROCRYPT '98 Proceedings
, 1998
"... pmhQmaths.uq.edu.au Abstract. Large weak key classes of IDEA are found for which membership is tested with a differentiallinear test while encrypting with a single key. In particular, one in every 2' ' keys for 8.5round IDEA is weak. A relatedkey differentiallinear attack on 4round IDEA is pre ..."
Abstract

Cited by 17 (0 self)
 Add to MetaCart
pmhQmaths.uq.edu.au Abstract. Large weak key classes of IDEA are found for which membership is tested with a differentiallinear test while encrypting with a single key. In particular, one in every 2' ' keys for 8.5round IDEA is weak. A relatedkey differentiallinear attack on 4round IDEA is presented which is successful for all keys. Large weak key classes are found for 4.5 to 6.5round and 8round IDEA for which membership of these classes is tested using similar relatedkey differentiallinear tests.