Abstract. Cryptographic hash functions are an important tool in cryptography for applications such as digital fingerprinting of messages, message authentication, and key derivation. During the last five years, several fast software hash functions have been proposed; most of them are based on the design principles of Ron Rivest’s MD4. One such proposal was RIPEMD, which was developed in the framework of the EU project RIPE (Race Integrity Primitives Evaluation). Because of recent progress in the cryptanalysis of these hash functions, we propose a new version of RIPEMD with a 160-bit result, as well as a plug-in substitute for RIPEMD with a 128-bit result. We also compare the software performance of several MD4-based algorithms, which is of independent interest. 1

Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2 8 ), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2 22.5 chosen plaintexts and 2 51 effort.

We study a k-dimensional generalization of the birthday problem: given k lists of n-bit values, and some way to choose one element from each list so that the resulting k values xor to zero. For k = 2, this is just the extremely well-known birthday problem, which has a square-root time algorithm with many applications in cryptography. In this paper, we show new algorithms for the case k > 2: we show a cube-root time algorithm for the case of k = 4 lists, and we give an algorithm with subexponential running time when k is unrestricted.

DES and triple-DES are two well-known and popular encryption algorithms, but they both have the same drawback: their block size is limited to 64 bits. While the cryptographic community is working hard to select and evaluate candidates and finalists for the AES (Advanced Encryption Standard) contest launched by NIST in 1997, it might be of interest to propose a secure and simple double block-length encryption algorithm. More than in terms of key length and block size, our Universal Encryption Standard is a new construction that remains totally compliant with DES and triple-DES specifications as well as with AES requirements.

this article particularly interesting. Perhaps the most remarkable cryptanalytic developments over the last year or two have been the advances made in the analysis of hash functions by Hans Dobbertin. The net result of this work has been a lack of options in the hash functions that are available for long-term use. In Europe, however, RIPEMD-160 has been gaining in popularity and the designers of this algorithm provide us with a summary of its features in this issue of the newsletter. Finally, at the 1997 Crypto conference attendees honored the work of Oded Goldreich. As one of the pioneers in establishing a theoretical framework to today's cryptography Oded's invited lecture was one of the highlights of the conference. In our lead article Oded provides us with his perspective on the foundations of modern cryptography. The future success of CryptoBytes depends on input from all sectors of the cryptographic community, and as usual we would like very much to thank the writers who have contributed to this second issue of the third volume. We encourage any readers with comments, opposite opinions, suggestions or proposals for future issues to contact the CryptoBytes editor at RSA Laboratories or by E-mail to bytes-ed@rsa.com. CRYPTOBYTES T H E T E C H N I C A L N E W S L E T T E R O F R S A L A B O R A T O R I E S --- A U T U M N 1 9 9 7 3

Abstract. Blue Midnight Wish hash function is one of 14 candidate functions that are continuing in the Second Round of the SHA-3 competition. In its design it has several S-boxes (bijective components) that transform 32-bit or 64-bit values. Although they look similar to the S-boxes in SHA-2, they are also different. It is well known fact that the design principles of SHA-2 family of hash functions are still kept as a classified NSA information. However, in the open literature there have been several attempts to analyze those design principles. In this paper first we give an observation on the properties of SHA-2 S-boxes and then we investigate the same properties in Blue Midnight Wish. 1

RIPEMD-160 is a fast cryptographic hash function that is tuned towards software implementations on 32-bit architectures. It has evolved from the 256-bit extension of MD4, which was introduced in 1990 by Ron Rivest [20, 21]. Its main design feature are two different and independent parallel chains, the result of