The Cipher SHARK
FAST SOFTWARE ENCRYPTION, THIRD INTERNATIONAL WORKSHOP, 1996
Cited by 24
We present the new block cipher SHARK. This cipher combines highly nonlinear substitution boxes and maximum distance separable error correcting codes (MDS-codes) to guarantee a good diffusion. The cipher is resistant against differential and linear cryptanalysis after a small number of rounds. The structure of SHARK is such that a fast software implementation is possible, both for the encryption and the decryption. Our C implementation of SHARK runs more than four times faster than SAFER and IDEA on a 64-bit architecture.
Constructing symmetric ciphers using the CAST design procedure
DESIGNS, CODES, AND CRYPTOGRAPHY, 1997
Cited by 21
This paper describes the CAST design procedure for constructing a family of DES-like Substitution-Permutation Network (SPN) cryptosystems which appear to have good resistance to differential cryptanalysis, linear cryptanalysis, and related-key cryptanalysis, along with a number of other desirable cryptographic properties. Details of the design choices in the procedure are given, including those regarding the component substitution boxes (s-boxes), the overall framework, the key schedule, and the round function. An example CAST cipher, an output of this design procedure, is presented as an aid to understanding the concepts and to encourage detailed analysis by the cryptologic community.
Practical S-Box Design
SELECTED AREAS IN CRYPTOGRAPHY, 1996
Cited by 21
Much of the security of a block cipher based on the Feistel network depends on the properties of the substitution boxes (s-boxes) used in the round function. Although many desirable properties have been studied, relatively little work has been done to determine to what degree these properties are achievable in practice. This paper presents one effort to construct large, cryptographically secure s-boxes, contrasting theoretical and practical limitations, and highlighting areas for future research.
New method for upper bounding the maximum average linear hull probability for SPNs
Advances in Cryptology — EUROCRYPT 2001, LNCS 2045, 2001
Cited by 20
We present a new algorithm for upper bounding the maximum average linear hull probability for SPNs, a value required to determine provable security against linear cryptanalysis. The best previous result (Hong et al. [9]) applies only when the linear transformation branch number (B) is M or (M + 1) (maximal case), where M is the number of s-boxes per round. In contrast, our upper bound can be computed for any value of B. Moreover, the new upper bound is a function of the number of rounds (other upper bounds known to the authors are not). When B = M, our upper bound is consistently superior to [9]. When B = (M + 1), our upper bound does not appear to improve on [9]. On application to Rijndael (128-bit block size, 10 rounds), we obtain the upper bound UB = 2^{-75}, corresponding to a lower bound on the data complexity of 8/UB = 2^{78} (for 96.7% success rate). Note that this does not demonstrate the existence of such an attack, but is, to our knowledge, the first such lower bound.
Non-Linear Approximations in Linear Cryptanalysis
Advances in Cryptology, Proceedings Eurocrypt'96, LNCS 1070, 1996
Cited by 19
By considering the role of nonlinear approximations in linear cryptanalysis we obtain a generalization of Matsui's linear cryptanalytic techniques. This approach allows the cryptanalyst greater flexibility in mounting a linear cryptanalytic attack and we demonstrate the effectiveness of our nonlinear techniques with some simple attacks on LOKI91. These attacks potentially allow for the recovery of seven additional bits of key information with less than 1/4 of the plaintext that is required using current linear cryptanalytic methods.
The Use of Bent Sequences to Achieve Higher-Order Strict Avalanche Criterion in S-Box Design
1990
Cited by 18
Recently, Pieprzyk and Finkelstein described a construction procedure for the substitution boxes (s-boxes) of Substitution-Permutation Network cryptosystems which yielded s-boxes of high nonlinearity. Shortly afterward, in seemingly unrelated work, Yarlagadda and Hershey discussed the analysis and synthesis of binary bent sequences of length 4^k, for k a positive integer. In this paper, we report on work which not only extends the results of both of these papers, but also combines them through the concept of "higher orders" of the Strict Avalanche Criterion for Boolean functions. We discuss the implications for s-box design and the use of such s-boxes in the construction of DES-like cryptosystems. The authors are with the Department of Electrical Engineering, Queen's University at Kingston, Ontario, K7L 3N6.
Improving the Upper Bound on the Maximum Average Linear Hull Probability for Rijndael
2001
Cited by 14
In [15], Keliher et al. present a new method for upper bounding the maximum average linear hull probability (MALHP) for SPNs, a value which is required to make claims about provable security against linear cryptanalysis. Application of this method to Rijndael (AES) yields an upper bound of UB = 2^{-75} when 7 or more rounds are approximated, corresponding to a lower bound on the data complexity of 32/UB = 2^{80} (for a 96.7% success rate). In the current paper, we improve this upper bound for Rijndael by taking into consideration the distribution of linear probability values for the (unique) Rijndael 8 × 8 s-box. Our new upper bound on the MALHP when 9 rounds are approximated is 2^{-92}, corresponding to a lower bound on the data complexity of 2^{97} (again for a 96.7% success rate). [This is after completing 43% of the computation; however, we believe that values have stabilized; see Section 7.] Keywords: linear cryptanalysis, maximum average linear hull probability, provable security, Rijndael, AES
An FPGA Implementation and Performance Evaluation of the Serpent Block Cipher
EIGHTH ACM INTERNATIONAL SYMPOSIUM ON FIELD-PROGRAMMABLE GATE ARRAYS, 2000
Cited by 11
With the expiration of the Data Encryption Standard (DES) in 1998, the Advanced Encryption Standard (AES) development process is well underway. It is hoped that the result of the AES process will be the specification of a new non-classified encryption algorithm that will have the global acceptance achieved by DES as well as the capability of long-term protection of sensitive information. The technical analysis used in determining which of the potential AES candidates will be selected as the Advanced Encryption Algorithm includes efficiency testing of both hardware and software implementations of candidate algorithms. Reprogrammable devices such as Field Programmable Gate Arrays (FPGAs) are highly attractive options for hardware implementations of encryption algorithms as they provide cryptographic algorithm agility, physical security, and potentially much higher performance than software solutions. This contribution investigates the significance of an FPGA implementation of Serpent, one of the Advanced Encryption Standard candidate algorithms. Multiple architecture options of the Serpent algorithm will be explored with a strong focus being placed on a high speed implementation within an FPGA in order to support security for current and future high bandwidth applications. One of the main findings is that Serpent can be implemented with encryption rates beyond 4 Gbit/s on current FPGAs.
Correlated-Input Secure Hash Functions
Cited by 11
We undertake a general study of hash functions secure under correlated inputs, meaning that security should be maintained when the adversary sees hash values of many related high-entropy inputs. Such a property is satisfied by a random oracle, and its importance is illustrated by study of the "avalanche effect," a well-known heuristic in cryptographic hash function design. One can interpret "security" in different ways: e.g., asking for one-wayness or that the hash values look uniformly and independently random; the latter case can be seen as a generalization of correlation-robustness introduced by Ishai et al. (CRYPTO 2003). We give specific applications of these notions to password-based login and efficient search on encrypted data. Our main construction achieves them (without random oracles) for inputs related by polynomials over the input space (namely Z_p), based on corresponding variants of the q-Diffie-Hellman Inversion assumption. Additionally, we show relations between correlated-input secure hash functions and cryptographic primitives secure under related-key attacks. Using our techniques, we are also able to obtain a host of new results for such related-key attack secure cryptographic primitives.
Probing Attacks on Tamper-Resistant Devices
1999
Cited by 10
This paper describes a new type of attack on tamper-resistant cryptographic hardware. We show that by locally observing the value of a few RAM or address bus bits (possibly a single one) during the execution of a cryptographic algorithm, typically by means of a probe (needle), an attacker could easily recover information on the secret key being used; our attacks apply to public-key cryptosystems such as RSA or El Gamal, as well as to secret-key encryption schemes including DES and RC5.