Results 1 - 10 of 71
Tweakable block ciphers
, 2002
Cited by 86 (3 self)
Abstract. We propose a new cryptographic primitive, the “tweakable block cipher.” Such a cipher has not only the usual inputs—message and cryptographic key—but also a third input, the “tweak.” The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our proposal thus brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher “tweakable” is small, and (3) it is easier to design and prove modes of operation based on tweakable block ciphers.
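The following is an added example, not code from the paper above, showing what the third input buys in practice. It builds a tweakable cipher from an ordinary block cipher with the construction E~_K(T, M) = E_K(T xor E_K(M)) from the paper and then uses a block's position as its public tweak, the way a mode would use an IV or nonce. The underlying 64-bit Feistel cipher is an assumed stand-in (an HMAC-SHA256 round function over the standard library) so the example runs offline; it is a toy, not a cipher anyone should deploy. The key and plaintext values are constructed sample data.

```python
import hmac
import hashlib

# Toy 64-bit Feistel block cipher: an ASSUMED stand-in for a real E_K so the
# example needs only the standard library. Not the paper's cipher, not secure.
BLOCK_BYTES = 8
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed PRF for round i, truncated to one 32-bit half block
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK_BYTES
    left, right = block[:4], block[4:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK_BYTES
    left, right = block[:4], block[4:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, i, left)), left
    return left + right


# Tweakable cipher from the paper's construction  E~_K(T, M) = E_K(T xor E_K(M)).
# T is a public per-block value; only K is secret.
def tweak_encrypt(key: bytes, tweak: bytes, block: bytes) -> bytes:
    return block_encrypt(key, _xor(tweak, block_encrypt(key, block)))


def tweak_decrypt(key: bytes, tweak: bytes, block: bytes) -> bytes:
    return block_decrypt(key, _xor(block_decrypt(key, block), tweak))


def sector_tweak(index: int) -> bytes:
    # The block's position is the tweak: public, never repeats within a device,
    # and needs no per-block secret, exactly the role an IV/nonce plays in a mode.
    return index.to_bytes(BLOCK_BYTES, "big")


def encrypt_sectors(key: bytes, blocks: list) -> list:
    return [tweak_encrypt(key, sector_tweak(i), b) for i, b in enumerate(blocks)]


def decrypt_sectors(key: bytes, blocks: list) -> list:
    return [tweak_decrypt(key, sector_tweak(i), b) for i, b in enumerate(blocks)]


def demo() -> dict:
    key = b"constructed-demo-key"   # constructed sample key
    plaintext = b"SAMEDATA"          # one 8-byte block, stored three times
    sectors = [plaintext] * 3
    ct = encrypt_sectors(key, sectors)
    return {
        # equal plaintext blocks in different positions get different ciphertexts
        "all_distinct": len(set(ct)) == len(ct),
        "roundtrip": decrypt_sectors(key, ct) == sectors,
        # without a tweak (plain ECB) the equal blocks are visible as equal ciphertexts
        "untweaked_equal": len({block_encrypt(key, b) for b in sectors}) == 1,
    }


if __name__ == "__main__":
    print(demo())
```

Because E_K is a permutation, distinct tweaks with the same key and message always give distinct ciphertexts; the demo's "untweaked_equal" flag shows the leak that the tweak removes.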
The Interpolation Attack on Block Ciphers
- In Fast Software Encryption
, 1997
Cited by 58 (5 self)
In this paper we introduce a new method of attacks on block ciphers, the interpolation attack. This new method is useful for attacking ciphers using simple algebraic functions (in particular quadratic functions) as S-boxes. Also, ciphers of low non-linear order are vulnerable to attacks based on higher order differentials. Recently, Knudsen and Nyberg presented a 6-round prototype cipher which is provably secure against ordinary differential cryptanalysis. We show how to attack the cipher by using higher order differentials and a variant of the cipher by the interpolation attack. It is possible to successfully cryptanalyse up to 32 rounds of the variant using about 2^32 chosen plaintexts with a running time less than 2^64. Using higher order differentials, a new design concept for block ciphers by Kiefer is also shown to be insecure. Rijmen et al. presented a design strategy for block ciphers and the cipher SHARK. We show that there exist ciphers constructed according to this des...
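An added example (not the paper's code) of the interpolation attack on a toy cipher whose round function is a cube, the kind of low-degree algebraic S-box the abstract targets. The cipher here is an assumed simplification: r rounds of x -> (x + k_i)^3 with a final key addition over the prime field GF(251) rather than GF(2^n), chosen so the arithmetic needs no extra code (cubing is a permutation of GF(251) because gcd(3, 250) = 1). The whole cipher is then a polynomial of degree 3^r in the plaintext, so 3^r + 1 chosen plaintext/ciphertext pairs let Lagrange interpolation reproduce the encryption function without ever learning the key; with one pair fewer the interpolant agrees with the cipher only at the queried points. Key values are constructed sample data.

```python
P = 251  # prime with gcd(3, P - 1) = 1, so x -> x^3 is a permutation of GF(P)


def encrypt(key: list, x: int, p: int = P) -> int:
    """Toy cipher: r rounds of (x + k_i)^3, then a final key addition."""
    for k in key[:-1]:
        x = pow((x + k) % p, 3, p)
    return (x + key[-1]) % p


def decrypt(key: list, y: int, p: int = P) -> int:
    inv3 = pow(3, -1, p - 1)          # cube-root exponent (Python 3.8+)
    y = (y - key[-1]) % p
    for k in reversed(key[:-1]):
        y = (pow(y, inv3, p) - k) % p
    return y


def lagrange_eval(points: list, x: int, p: int = P) -> int:
    """Evaluate at x the unique polynomial of degree < len(points) through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def interpolation_attack(oracle, rounds: int, p: int = P):
    """Query 3^rounds + 1 chosen plaintexts and return a key-free encryption function."""
    degree = 3 ** rounds
    if degree + 1 > p:
        raise ValueError("degree too high for the field: attack not applicable")
    points = [(x, oracle(x)) for x in range(degree + 1)]
    return (lambda x: lagrange_eval(points, x, p)), degree + 1


def demo() -> dict:
    key = [17, 201, 45, 99]          # constructed secret: 3 round keys + final key
    rounds = len(key) - 1            # cipher polynomial has degree 3^3 = 27
    oracle = lambda x: encrypt(key, x)
    predict, queries = interpolation_attack(oracle, rounds)

    unseen = range(3 ** rounds + 1, P)
    hits = sum(predict(x) == encrypt(key, x) for x in unseen)

    # One pair too few: a degree-26 interpolant differs from the degree-27 cipher
    # at every point it was not built from.
    too_few = [(x, oracle(x)) for x in range(3 ** rounds)]
    misses = sum(lagrange_eval(too_few, x) != encrypt(key, x) for x in unseen)
    return {"queries": queries, "tested": len(unseen),
            "predicted": hits, "underfit_misses": misses}


if __name__ == "__main__":
    print(demo())
```

The cost is set by the degree alone: each extra cube round multiplies the degree by 3, so the data requirement grows as 3^r, which is why such designs need either a higher-degree S-box or many more rounds to push the attack out of reach.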
Links Between Differential and Linear Cryptanalysis
, 1994
Cited by 57 (4 self)
Linear cryptanalysis, introduced last year by Matsui, will most certainly open up the way to new attack methods which may be made more efficient when compared or combined with differential cryptanalysis. This report exhibits new relations between linear and differential cryptanalysis and presents new classes of functions which are optimally resistant to these attacks. In particular, we prove that linear-resistant functions, which generally present bent properties, are differential-resistant as well and thus present perfect nonlinear properties. (Author footnote: on leave from Délégation Générale de l'Armement.) I Introduction. Matsui has introduced last year a new cryptanalysis method for DES-like cryptosystems [Mat94]. The idea of the method is to approximate the non-linear S-boxes with linear forms. Besides, the performance of linear cryptanalysis seems close to that of differential cryptanalysis, though a little better. These similarities s...
How far can we go beyond linear cryptanalysis
- Advances in Cryptology - Asiacrypt’04, volume 3329 of LNCS
, 2004
Cited by 32 (9 self)
Abstract. Several generalizations of linear cryptanalysis have been proposed in the past, as well as very similar attacks from a statistical point of view. In this paper, we define a rigorous general statistical framework which allows one to interpret most of these attacks in a simple and unified way. Then, we explicitly construct optimal distinguishers, we evaluate their performance, and we prove that a block cipher immune to classical linear cryptanalysis possesses some resistance to a wide class of generalized versions, but not all. Finally, we derive tools which are necessary to set up more elaborate extensions of linear cryptanalysis, and to generalize the notions of bias, characteristic, and piling-up lemma.
Independent one-time passwords
- USENIX Journal of Computing Systems
, 1996
Cited by 27 (2 self)
Existing one-time password (OTP) schemes suffer several drawbacks. Token-based systems are expensive, while software-based schemes rely on one-time passwords that are dependent on each other. There are disadvantages to authentication schemes that rely on dependent OTPs. It is difficult to replicate the authentication server without lowering security. Also, current authentication schemes based on dependent OTPs only authenticate the initial connection; the remainder of the session is assumed to be authenticated. Experience shows that connections can be hijacked. A new scheme for generating one-time passwords that are independent is presented. The independence property enables easy replication of the authentication server, and authentication that is persistent for the lifetime of a connection. This mechanism is also ideally suited for smart card applications. Our implementation and several applications are discussed.
Propagation Characteristics and Correlation-Immunity of Highly Nonlinear Boolean Functions
- EUROCRYPT 2000, Lecture Notes in Comp. Sci
, 2000
Cited by 20 (6 self)
Abstract. We investigate the link between the nonlinearity of a Boolean function and its propagation characteristics. We prove that highly nonlinear functions usually have good propagation properties regarding different criteria. Conversely, any Boolean function satisfying the propagation criterion with respect to a linear subspace of codimension 1 or 2 has a high nonlinearity. We also point out that most highly nonlinear functions with a three-valued Walsh spectrum can be transformed into 1-resilient functions.
Logical cryptanalysis as a SAT-problem: Encoding and analysis
- In Journal of Automated Reasoning
, 2000
Cited by 16 (1 self)
Abstract. Cryptographic algorithms play a key role in computer security and the formal analysis of their robustness is of utmost importance. Yet, logic and automated reasoning tools are seldom used in the analysis of a cipher, and thus one cannot often get the desired formal assurance that the cipher is free from unwanted properties that may weaken its strength. In this paper, we claim that one can feasibly encode the low-level properties of state-of-the-art cryptographic algorithms as SAT problems and then use efficient automated theorem-proving systems and SAT-solvers for reasoning about them. We call this approach logical cryptanalysis. In this framework, for instance, finding a model for a formula encoding an algorithm is equivalent to finding a key with a cryptanalytic attack. Other important properties, such as cipher integrity or algebraic closure, can also be captured as SAT problems or as quantified boolean formulae. SAT benchmarks based on the encoding of cryptographic algorithms can be used to effectively combine features of “real-world” problems and randomly generated problems. Here we present a case study on the U.S. Data Encryption Standard (DES) and show how to obtain a manageable encoding of its properties. We have also tested three SAT provers, TABLEAU by Crawford and Auton, SATO by Zhang, and rel-SAT by Bayardo and Schrag, on the encoding of DES, and we discuss the reasons behind their different performance. A discussion of open problems and future research concludes the paper. Key words: cipher verification, Data Encryption Standard, logical cryptanalysis, propositional satisfiability, quantified boolean formulae, SAT benchmarks.
Differential-Linear Weak Key Classes of IDEA
- Advances in Cryptology --- EUROCRYPT '98 Proceedings
, 1998
Cited by 15 (0 self)
Abstract. Large weak key classes of IDEA are found for which membership is tested with a differential-linear test while encrypting with a single key. In particular, one in every 2' ' keys for 8.5-round IDEA is weak. A related-key differential-linear attack on 4-round IDEA is presented which is successful for all keys. Large weak key classes are found for 4.5- to 6.5-round and 8-round IDEA for which membership of these classes is tested using similar related-key differential-linear tests.
Degree of composition of highly nonlinear functions and applications to higher order differential cryptanalysis
- Advances in Cryptology - EUROCRYPT 2002
, 2002
Cited by 14 (2 self)
Abstract. To improve the security of iterated block ciphers, the resistance against linear cryptanalysis has been formulated in terms of provable security, which suggests the use of highly nonlinear functions as round functions. Here, we show that some properties of such functions make it possible to find a new upper bound for the degree of the product of their Boolean components. Such an improvement holds when all values occurring in the Walsh spectrum of the round function are divisible by a high power of 2. This result leads to a higher order differential attack on any 5-round Feistel cipher using an almost bent substitution function. We also show that the use of such a function is precisely the origin of the weakness of a reduced version of MISTY1 reported in [23, 1].
Smart Hill Climbing Finds Better Boolean Functions
- In Workshop on Selected Areas in Cryptology 1997, Workshop Record
, 1997
Cited by 13 (3 self)
Block and stream ciphers are made from Boolean functions that usually require a compromise between several conflicting cryptographic criteria. Although some constructions exist to generate Boolean functions satisfying one or more criteria, such as balance and high nonlinearity, there are often drawbacks to them such as low nonlinear order. In this paper we present a new algorithm for simple modification of a Boolean function truth table to improve both nonlinearity and balance. We also show how to modify a balanced function in two truth table positions so that the nonlinearity is increased and the balance is maintained. When the algorithm fails to find an improvement, one does not exist, and we have then identified a locally maximum function. We present results comparing the probability distributions of random functions with that of locally maximum functions found by our algorithms, and also comment on how the number of steps required to find a local maximum is affected by increasing the number of variables.
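An added example (not the authors' implementation) covering two of the abstracts above: the Walsh spectrum that the EUROCRYPT 2000 entry reasons about, and the two-position truth-table modification that the hill-climbing entry describes. The Walsh-Hadamard transform gives nonlinearity as 2^(n-1) minus half the largest absolute spectral value, and balance as W_f(0) = 0. The climb starts from a constructed random balanced function, flips one 0 and one 1 at a time (so the weight, and hence balance, is preserved) whenever that raises nonlinearity, and stops at a local maximum where no such pair helps. The search order and the stopping rule are assumptions of this example, not a reproduction of the paper's exact algorithm.

```python
import random


def walsh_spectrum(tt: list) -> list:
    """Walsh-Hadamard spectrum W_f(a) = sum_x (-1)^(f(x) xor a.x) of a 2^n-entry truth table."""
    w = [1 - 2 * b for b in tt]          # map bits 0/1 to +1/-1
    h = 1
    while h < len(w):                    # in-place butterfly transform
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w


def nonlinearity(tt: list) -> int:
    """Distance to the nearest affine function: 2^(n-1) - max|W_f| / 2."""
    n = len(tt).bit_length() - 1
    return 2 ** (n - 1) - max(abs(x) for x in walsh_spectrum(tt)) // 2


def is_balanced(tt: list) -> bool:
    return walsh_spectrum(tt)[0] == 0    # W_f(0) = 2^n - 2 * weight(f)


def from_anf(n: int, f) -> list:
    """Truth table of f over inputs 0..2^n-1, bit i of x being variable x_i."""
    return [f(x) for x in range(2 ** n)]


def improving_pair(tt: list):
    """First (i, j) with tt[i] = 0, tt[j] = 1 whose joint flip raises nonlinearity.
    Flipping one of each keeps the function balanced. None at a local maximum."""
    base = nonlinearity(tt)
    zeros = [i for i, b in enumerate(tt) if b == 0]
    ones = [j for j, b in enumerate(tt) if b == 1]
    for i in zeros:
        for j in ones:
            cand = tt[:]
            cand[i], cand[j] = 1, 0
            if nonlinearity(cand) > base:
                return i, j
    return None


def hill_climb(tt: list):
    """Repeat the two-position modification until no pair improves nonlinearity."""
    tt = tt[:]
    steps = 0
    while True:
        pair = improving_pair(tt)
        if pair is None:
            return tt, nonlinearity(tt), steps
        i, j = pair
        tt[i], tt[j] = 1, 0
        steps += 1


def demo(n: int = 6, seed: int = 1) -> dict:
    rng = random.Random(seed)                      # constructed, reproducible start
    tt = [1] * 2 ** (n - 1) + [0] * 2 ** (n - 1)   # balanced by construction
    rng.shuffle(tt)
    start = nonlinearity(tt)
    best, nl, steps = hill_climb(tt)
    return {"start_nl": start, "final_nl": nl, "steps": steps,
            "balanced": is_balanced(best), "local_max": improving_pair(best) is None}


if __name__ == "__main__":
    print(demo())
```

For n = 6 the climb is cheap (32 x 32 candidate pairs per step, each a 64-point transform); the bent function x0x1 xor x2x3 on four variables is a useful sanity check, since its spectrum is flat at |W| = 4, giving nonlinearity 6, and it is not balanced, which is why balanced constructions cannot reach the bent bound.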

