Results 1  10
of
64
AES Proposal: Rijndael
, 1998
"... this document we describe the cipher Rijndael. First we present the mathematical basis necessary for understanding the specifications followed by the design rationale and the description itself. Subsequently, the implementation aspects of the cipher and its inverse are treated. This is followed by t ..."
Abstract

Cited by 114 (0 self)
 Add to MetaCart
this document we describe the cipher Rijndael. First we present the mathematical basis necessary for understanding the specifications followed by the design rationale and the description itself. Subsequently, the implementation aspects of the cipher and its inverse are treated. This is followed by the motivations of all design choices and the treatment of the resistance against known types of attacks. We give our security claims and goals, the advantages and limitations of the cipher, ways how it can be extended and how it can be used
Camellia: A 128Bit Block Cipher Suitable for Multiple Platforms  Design and Analysis
, 2000
"... We present a new 128bit block cipher called Camellia. Camellia supports 128bit block size and 128, 192, and 256bit keys, i.e. the same interface specifications as the Advanced Encryption Standard (AES). Efficiency on both software and hardware platforms is a remarkable characteristic of Camelli ..."
Abstract

Cited by 75 (4 self)
 Add to MetaCart
We present a new 128bit block cipher called Camellia. Camellia supports 128bit block size and 128, 192, and 256bit keys, i.e. the same interface specifications as the Advanced Encryption Standard (AES). Efficiency on both software and hardware platforms is a remarkable characteristic of Camellia in addition to its high level of security. It is confirmed that Camellia provides strong security against differential and linear cryptanalysis. Compared to the AES finalists, i.e. MARS, RC6, Rijndael, Serpent, and Twofish, Camellia offers at least comparable encryption speed in software and hardware. An optimized implementation of Camellia in assembly language can encrypt on a Pentium III (800MHz) at the rate of more than 276 Mbits per second, which is much faster than the speed of an optimized DES implementation. In addition, a distinguishing feature is its small hardware design. The hardware design, which includes both encryption and decryption, occupies approximately 11K gates, which is the smallest ...
Essential algebraic structure within the AES
, 2002
"... Abstract. One difficulty in the cryptanalysis of the Advanced Encryption Standard AES is the tension between operations in the two fields GF (2 8) and GF (2). This paper outlines a new approach that avoids this conflict. We define a new block cipher, the BES, that uses only simple algebraic operatio ..."
Abstract

Cited by 72 (7 self)
 Add to MetaCart
Abstract. One difficulty in the cryptanalysis of the Advanced Encryption Standard AES is the tension between operations in the two fields GF (2 8) and GF (2). This paper outlines a new approach that avoids this conflict. We define a new block cipher, the BES, that uses only simple algebraic operations in GF (2 8). Yet the AES can be regarded as being identical to the BES with a restricted message space and key space, thus enabling the AES to be realised solely using simple algebraic operations in one field GF (2 8). This permits the exploration of the AES within a broad and rich setting. One consequence is that AES encryption can be described by an extremely sparse overdetermined multivariate quadratic system over GF (2 8), whose solution would recover an AES key.
The CAST256 Encryption Algorithm
"... This document contains several sections of the CAST256 AES Submission Package delivered to NIST on June 9 th , 1998. All complete submissions received by NIST will be made public in late August at the First AES Candidate Conference, but the following material is being made available now so that p ..."
Abstract

Cited by 64 (0 self)
 Add to MetaCart
This document contains several sections of the CAST256 AES Submission Package delivered to NIST on June 9 th , 1998. All complete submissions received by NIST will be made public in late August at the First AES Candidate Conference, but the following material is being made available now so that public analysis of the CAST256 algorithm may begin (see, for example, http://www.ii.uib.no/~larsr/aes.html for the current status of submitted algorithms). Many thanks are due to those who worked with me in the (long, challenging, frustrating, and very enjoyable!) design and analysis phases that ultimately led to the detailed specification given below: Howard Heys (Memorial University); Stafford Tavares (Queen's University); and Michael Wiener (Entrust). As well, many thanks are due to the two who did the various implementations on a variety of platforms (Reference C, Optimized C, Optimized Java, and even M6811 Assembler): Serge Mister and Ian Clysdale (both
Cube Attacks on Tweakable Black Box Polynomials
"... Abstract. Almost any cryptographic scheme can be described by tweakable polynomials over GF (2), which contain both secret variables (e.g., key bits) and public variables (e.g., plaintext bits or IV bits). The cryptanalyst is allowed to tweak the polynomials by choosing arbitrary values for the publ ..."
Abstract

Cited by 60 (6 self)
 Add to MetaCart
Abstract. Almost any cryptographic scheme can be described by tweakable polynomials over GF (2), which contain both secret variables (e.g., key bits) and public variables (e.g., plaintext bits or IV bits). The cryptanalyst is allowed to tweak the polynomials by choosing arbitrary values for the public variables, and his goal is to solve the resultant system of polynomial equations in terms of their common secret variables. In this paper we develop a new technique (called a cube attack) for solving such tweakable polynomials, which is a major improvement over several previously published attacks of the same type. For example, on the stream cipher Trivium with a reduced number of initialization rounds, the best previous attack (due to Fischer, Khazaei, and Meier) requires a barely practical complexity of 2 55 to attack 672 initialization rounds, whereas a cube attack can find the complete key of the same variant in 2 19 bit operations (which take less than a second on a single PC). Trivium with 735 initialization rounds (which could not be attacked by any previous technique) can now be broken with 2 30 bit operations, and by extrapolating our experimentally verified complexities for various sizes, we have reasons to believe that cube attacks will remain faster than exhaustive search even for 1024 initialization rounds. Whereas previous attacks were heuristic, had to be adapted to each cryptosystem, had no general complexity bounds,
Twofish: A 128Bit Block Cipher
 in First Advanced Encryption Standard (AES) Conference
, 1998
"... Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bit ..."
Abstract

Cited by 58 (8 self)
 Add to MetaCart
Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2 22.5 chosen plaintexts and 2 51 effort.
The Whirlpool Hashing Function
 First open NESSIE Workshop
, 2000
"... Abstract. We present Whirlpool, a 512bit hash function operating on messages less than 2256 bits in length. The function structure is designed according to the Wide Trail strategy and permits a wide variety of implementation tradeoffs. (Revised on May 24, 2003) 1 ..."
Abstract

Cited by 41 (0 self)
 Add to MetaCart
Abstract. We present Whirlpool, a 512bit hash function operating on messages less than 2256 bits in length. The function structure is designed according to the Wide Trail strategy and permits a wide variety of implementation tradeoffs. (Revised on May 24, 2003) 1
Decorrelation: a theory for block cipher security
 Journal of Cryptology
, 2003
"... Abstract. Pseudorandomness is a classical model for the security of block ciphers. In this paper we propose convenient tools in order to study it in connection with the Shannon Theory, the CarterWegman universal hash functions paradigm, and the LubyRackoff approach. This enables the construction o ..."
Abstract

Cited by 37 (4 self)
 Add to MetaCart
Abstract. Pseudorandomness is a classical model for the security of block ciphers. In this paper we propose convenient tools in order to study it in connection with the Shannon Theory, the CarterWegman universal hash functions paradigm, and the LubyRackoff approach. This enables the construction of new ciphers with security proofs under specific models. We show how to ensure security against basic differential and linear cryptanalysis and even more general attacks. We propose practical construction schemes. 1
Cryptanalysis of Block Ciphers with Probabilistic NonLinear Relations of Low Degree
 CRYPTO 98, LNCS 1462
, 1998
"... Using recent results from coding theory, it is shown how to break block ciphers operating on GF(q) where the ciphertext is expressible as evaluations of an unknown univariate polynomial of low degree m over the plaintext with a typically low but nonnegligible probability µ. The method employed is e ..."
Abstract

Cited by 26 (2 self)
 Add to MetaCart
Using recent results from coding theory, it is shown how to break block ciphers operating on GF(q) where the ciphertext is expressible as evaluations of an unknown univariate polynomial of low degree m over the plaintext with a typically low but nonnegligible probability µ. The method employed is essentially Sudan’s algorithm for decoding ReedSolomon codes beyond the errorcorrection diameter. The known plaintext attack needs n=2m/µ^2 plaintext/ciphertext pairs and the running time is polynomial in n. Furthermore, it is shown how to discover more general nonlinear relations p(x,y)=0 between plaintext x and ciphertext y that hold with small probability µ. The second attack needs access to n=(2m/µ)^2 plaintext/ciphertext pairs where m =deg(p) and its running time is also polynomial in n. As a demonstration, we break up to 10 rounds of a cipher constructed by Nyberg and Knudsen provably secure against differential and linear cryptanalysis.
Degree of composition of highly nonlinear functions and applications to higher order differential cryptanalysis
 EUROCRYPT 2002
, 2002
"... To improve the security of iterated block ciphers, the resistance against linear cryptanalysis has been formulated in terms of provable security which suggests the use of highly nonlinear functions as round functions. Here, we show that some properties of such functions enable to find a new upper bo ..."
Abstract

Cited by 21 (6 self)
 Add to MetaCart
To improve the security of iterated block ciphers, the resistance against linear cryptanalysis has been formulated in terms of provable security which suggests the use of highly nonlinear functions as round functions. Here, we show that some properties of such functions enable to find a new upper bound for the degree of the product of its Boolean components. Such an improvement holds when all values occurring in the Walsh spectrum of the round function are divisible by a high power of 2. This result leads to a higher order differential attack on any 5round Feistel ciphers using an almost bent substitution function. We also show that the use of such a function is precisely the origin of the weakness of a reduced version of MISTY1 reported in [23, 1].