Results 1  10
of
70
Camellia: A 128Bit Block Cipher Suitable for Multiple Platforms  Design and Analysis
, 2000
"... We present a new 128bit block cipher called Camellia. Camellia supports 128bit block size and 128, 192, and 256bit keys, i.e. the same interface specifications as the Advanced Encryption Standard (AES). Efficiency on both software and hardware platforms is a remarkable characteristic of Camelli ..."
Abstract

Cited by 88 (4 self)
 Add to MetaCart
We present a new 128bit block cipher called Camellia. Camellia supports 128bit block size and 128, 192, and 256bit keys, i.e. the same interface specifications as the Advanced Encryption Standard (AES). Efficiency on both software and hardware platforms is a remarkable characteristic of Camellia in addition to its high level of security. It is confirmed that Camellia provides strong security against differential and linear cryptanalysis. Compared to the AES finalists, i.e. MARS, RC6, Rijndael, Serpent, and Twofish, Camellia offers at least comparable encryption speed in software and hardware. An optimized implementation of Camellia in assembly language can encrypt on a Pentium III (800MHz) at the rate of more than 276 Mbits per second, which is much faster than the speed of an optimized DES implementation. In addition, a distinguishing feature is its small hardware design. The hardware design, which includes both encryption and decryption, occupies approximately 11K gates, which is the smallest ...
Cube Attacks on Tweakable Black Box Polynomials
"... Abstract. Almost any cryptographic scheme can be described by tweakable polynomials over GF (2), which contain both secret variables (e.g., key bits) and public variables (e.g., plaintext bits or IV bits). The cryptanalyst is allowed to tweak the polynomials by choosing arbitrary values for the publ ..."
Abstract

Cited by 87 (8 self)
 Add to MetaCart
(Show Context)
Abstract. Almost any cryptographic scheme can be described by tweakable polynomials over GF (2), which contain both secret variables (e.g., key bits) and public variables (e.g., plaintext bits or IV bits). The cryptanalyst is allowed to tweak the polynomials by choosing arbitrary values for the public variables, and his goal is to solve the resultant system of polynomial equations in terms of their common secret variables. In this paper we develop a new technique (called a cube attack) for solving such tweakable polynomials, which is a major improvement over several previously published attacks of the same type. For example, on the stream cipher Trivium with a reduced number of initialization rounds, the best previous attack (due to Fischer, Khazaei, and Meier) requires a barely practical complexity of 2 55 to attack 672 initialization rounds, whereas a cube attack can find the complete key of the same variant in 2 19 bit operations (which take less than a second on a single PC). Trivium with 735 initialization rounds (which could not be attacked by any previous technique) can now be broken with 2 30 bit operations, and by extrapolating our experimentally verified complexities for various sizes, we have reasons to believe that cube attacks will remain faster than exhaustive search even for 1024 initialization rounds. Whereas previous attacks were heuristic, had to be adapted to each cryptosystem, had no general complexity bounds,
Essential algebraic structure within the AES
, 2002
"... Abstract. One difficulty in the cryptanalysis of the Advanced Encryption Standard AES is the tension between operations in the two fields GF (2 8) and GF (2). This paper outlines a new approach that avoids this conflict. We define a new block cipher, the BES, that uses only simple algebraic operatio ..."
Abstract

Cited by 72 (7 self)
 Add to MetaCart
(Show Context)
Abstract. One difficulty in the cryptanalysis of the Advanced Encryption Standard AES is the tension between operations in the two fields GF (2 8) and GF (2). This paper outlines a new approach that avoids this conflict. We define a new block cipher, the BES, that uses only simple algebraic operations in GF (2 8). Yet the AES can be regarded as being identical to the BES with a restricted message space and key space, thus enabling the AES to be realised solely using simple algebraic operations in one field GF (2 8). This permits the exploration of the AES within a broad and rich setting. One consequence is that AES encryption can be described by an extremely sparse overdetermined multivariate quadratic system over GF (2 8), whose solution would recover an AES key.
The CAST256 Encryption Algorithm
"... This document contains several sections of the CAST256 AES Submission Package delivered to NIST on June 9 th , 1998. All complete submissions received by NIST will be made public in late August at the First AES Candidate Conference, but the following material is being made available now so that p ..."
Abstract

Cited by 69 (0 self)
 Add to MetaCart
This document contains several sections of the CAST256 AES Submission Package delivered to NIST on June 9 th , 1998. All complete submissions received by NIST will be made public in late August at the First AES Candidate Conference, but the following material is being made available now so that public analysis of the CAST256 algorithm may begin (see, for example, http://www.ii.uib.no/~larsr/aes.html for the current status of submitted algorithms). Many thanks are due to those who worked with me in the (long, challenging, frustrating, and very enjoyable!) design and analysis phases that ultimately led to the detailed specification given below: Howard Heys (Memorial University); Stafford Tavares (Queen's University); and Michael Wiener (Entrust). As well, many thanks are due to the two who did the various implementations on a variety of platforms (Reference C, Optimized C, Optimized Java, and even M6811 Assembler): Serge Mister and Ian Clysdale (both
Twofish: A 128Bit Block Cipher
 in First Advanced Encryption Standard (AES) Conference
, 1998
"... Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bit ..."
Abstract

Cited by 64 (8 self)
 Add to MetaCart
(Show Context)
Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2 22.5 chosen plaintexts and 2 51 effort.
The Whirlpool Hashing Function
 First open NESSIE Workshop
, 2000
"... Abstract. We present Whirlpool, a 512bit hash function operating on messages less than 2256 bits in length. The function structure is designed according to the Wide Trail strategy and permits a wide variety of implementation tradeoffs. (Revised on May 24, 2003) 1 ..."
Abstract

Cited by 56 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We present Whirlpool, a 512bit hash function operating on messages less than 2256 bits in length. The function structure is designed according to the Wide Trail strategy and permits a wide variety of implementation tradeoffs. (Revised on May 24, 2003) 1
Decorrelation: a theory for block cipher security
 Journal of Cryptology
, 2003
"... Abstract. Pseudorandomness is a classical model for the security of block ciphers. In this paper we propose convenient tools in order to study it in connection with the Shannon Theory, the CarterWegman universal hash functions paradigm, and the LubyRackoff approach. This enables the construction o ..."
Abstract

Cited by 46 (2 self)
 Add to MetaCart
(Show Context)
Abstract. Pseudorandomness is a classical model for the security of block ciphers. In this paper we propose convenient tools in order to study it in connection with the Shannon Theory, the CarterWegman universal hash functions paradigm, and the LubyRackoff approach. This enables the construction of new ciphers with security proofs under specific models. We show how to ensure security against basic differential and linear cryptanalysis and even more general attacks. We propose practical construction schemes. 1
Cryptanalysis of Block Ciphers with Probabilistic NonLinear Relations of Low Degree
 CRYPTO 98, LNCS 1462
, 1998
"... Using recent results from coding theory, it is shown how to break block ciphers operating on GF(q) where the ciphertext is expressible as evaluations of an unknown univariate polynomial of low degree m over the plaintext with a typically low but nonnegligible probability µ. The method employed is e ..."
Abstract

Cited by 26 (2 self)
 Add to MetaCart
(Show Context)
Using recent results from coding theory, it is shown how to break block ciphers operating on GF(q) where the ciphertext is expressible as evaluations of an unknown univariate polynomial of low degree m over the plaintext with a typically low but nonnegligible probability µ. The method employed is essentially Sudan’s algorithm for decoding ReedSolomon codes beyond the errorcorrection diameter. The known plaintext attack needs n=2m/µ^2 plaintext/ciphertext pairs and the running time is polynomial in n. Furthermore, it is shown how to discover more general nonlinear relations p(x,y)=0 between plaintext x and ciphertext y that hold with small probability µ. The second attack needs access to n=(2m/µ)^2 plaintext/ciphertext pairs where m =deg(p) and its running time is also polynomial in n. As a demonstration, we break up to 10 rounds of a cipher constructed by Nyberg and Knudsen provably secure against differential and linear cryptanalysis.
Degree of composition of highly nonlinear functions and applications to higher order differential cryptanalysis
 EUROCRYPT 2002
, 2002
"... To improve the security of iterated block ciphers, the resistance against linear cryptanalysis has been formulated in terms of provable security which suggests the use of highly nonlinear functions as round functions. Here, we show that some properties of such functions enable to find a new upper bo ..."
Abstract

Cited by 24 (7 self)
 Add to MetaCart
(Show Context)
To improve the security of iterated block ciphers, the resistance against linear cryptanalysis has been formulated in terms of provable security which suggests the use of highly nonlinear functions as round functions. Here, we show that some properties of such functions enable to find a new upper bound for the degree of the product of its Boolean components. Such an improvement holds when all values occurring in the Walsh spectrum of the round function are divisible by a high power of 2. This result leads to a higher order differential attack on any 5round Feistel ciphers using an almost bent substitution function. We also show that the use of such a function is precisely the origin of the weakness of a reduced version of MISTY1 reported in [23, 1].