Results 1-10 of 48
Twofish: A 128-Bit Block Cipher
In First Advanced Encryption Standard (AES) Conference, 1998
Abstract

Cited by 54 (8 self)
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
Survey and Benchmark of Block Ciphers for Wireless Sensor Networks
ACM Transactions on Sensor Networks, 2004
Abstract

Cited by 46 (0 self)
Choosing the most storage- and energy-efficient block cipher specifically for wireless sensor networks (WSNs) is not as straightforward as it seems. To our knowledge so far, there is no systematic evaluation framework for the purpose. In this paper, we have identified the candidates of block ciphers suitable for WSNs based on existing literature.
A survey of security issues in wireless sensor networks
IEEE Communications Surveys & Tutorials
Abstract

Cited by 44 (3 self)
Advances in wireless communication and electronics have enabled the development of low-cost, low-power, multifunctional sensor nodes. These tiny sensor nodes, consisting of sensing, data processing, and communication components, make it possible to deploy Wireless Sensor Networks (WSNs), which represent a significant improvement over traditional wired sensor networks. WSNs can greatly simplify system design and operation, as the environment being monitored does not require the communication or energy infrastructure associated with wired networks [1]. WSNs are expected to be solutions to many applications, such as detecting and tracking the passage of troops and tanks on a battlefield, monitoring environmental pollutants, measuring traffic flows on roads, and tracking the location of personnel in a building. Many sensor networks have mission-critical tasks and thus require that security be considered [2, 3]. Improper use of information or using forged information may cause unwanted information leakage and provide inaccurate results. While some aspects of WSNs are similar to traditional wireless ad hoc networks, important distinctions exist which greatly affect how security is achieved. The differences
Provable security against differential and linear cryptanalysis for the SPN structure
Fast Software Encryption (FSE 2000), 2000
Abstract

Cited by 23 (1 self)
In the SPN (Substitution-Permutation Network) structure, it is very important to design a diffusion layer to construct a secure block cipher against differential cryptanalysis and linear cryptanalysis. The purpose of this work is to prove that the SPN structure with a maximal diffusion layer provides provable security against differential cryptanalysis and linear cryptanalysis in the sense that the probability of each differential (respectively linear hull) is bounded by p^n (respectively q^n), where p (respectively q) is the maximum differential (respectively linear hull) probability of the n S-boxes used in the substitution layer. We also give a provable security result for the SPN structure with a semi-maximal diffusion layer against differential cryptanalysis and linear cryptanalysis.
Degree of composition of highly nonlinear functions and applications to higher order differential cryptanalysis
EUROCRYPT 2002, 2002
Abstract

Cited by 21 (6 self)
To improve the security of iterated block ciphers, the resistance against linear cryptanalysis has been formulated in terms of provable security, which suggests the use of highly nonlinear functions as round functions. Here, we show that some properties of such functions make it possible to find a new upper bound for the degree of the product of their Boolean components. Such an improvement holds when all values occurring in the Walsh spectrum of the round function are divisible by a high power of 2. This result leads to a higher order differential attack on any 5-round Feistel cipher using an almost bent substitution function. We also show that the use of such a function is precisely the origin of the weakness of a reduced version of MISTY1 reported in [23, 1].
New results on the pseudorandomness of some block-cipher constructions
In Proceedings of Fast Software Encryption (FSE 2001), Lecture Notes in Computer Science, Volume 2355, Pages, 2002
Abstract

Cited by 12 (0 self)
In this paper, we describe new results on the security, in the Luby-Rackoff paradigm, of two modified Feistel constructions, namely the L-scheme, a construction used at various levels of the MISTY block cipher which allows one to derive a 2n-bit permutation from several n-bit permutations, and a slightly different construction named the R-scheme. We obtain pseudorandomness and super-pseudorandomness proofs for L-schemes and R-schemes with a sufficient number of rounds, which extend the pseudorandomness and non-super-pseudorandomness results on the 4-round L-scheme previously established by Sugita [Su96] and Sakurai et al. [Sa97]. In particular, we show that unlike the 3-round L-scheme, the 3-round R-scheme is pseudorandom, and that both the 5-round L-scheme and the 5-round R-scheme are super-pseudorandom (whereas the 4-round versions of both schemes are not super-pseudorandom). The security bounds obtained here are close to those established by Luby and Rackoff for the three-round version of the original Feistel scheme.
Related-key attacks on reduced-round KASUMI
Fast Software Encryption, FSE 2001, 2002
Abstract

Cited by 11 (0 self)
This paper describes related-key attacks on five- and six-round KASUMI. The five-round attack requires the encryption of approximately 2^19 chosen plaintext pairs X and X* under keys K and K* respectively, where K and K* differ in only one bit, and requires a maximum of a little over 2^33 trials to recover the entire key. The six-round attack requires a smaller number of chosen plaintext encryptions than the five-round attack, and recovers the entire key in a maximum of 2^112 trials.
Recent Developments in the Design of Conventional Cryptographic Algorithms
Computer Security and Industrial Cryptography: State of the Art and Evolution, LNCS, 1998
Abstract

Cited by 10 (2 self)
This paper examines proposals for three cryptographic primitives: block ciphers, stream ciphers, and hash functions. It provides an overview of the design principles of a large number of recent proposals, which include the global structure, the number of rounds, the way of introducing nonlinearity and diffusion, and the key schedule. The software performance of about twenty primitives is compared based on highly optimized implementations for the Pentium. The goal of the paper is to provide a technical perspective on the wide variety of primitives that exist today.
A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms
Proceedings of EUROCRYPT 2003, 2003
Abstract

Cited by 10 (1 self)
This paper presents two algorithms for solving the linear and the affine equivalence problem for arbitrary permutations (S-boxes). For a pair of n × n-bit permutations the complexity of the linear equivalence algorithm (LE) is O(n^3 2^n). The affine equivalence algorithm (AE) has complexity O(n^3 2^(2n)). The algorithms are efficient and allow one to study linear and affine equivalences for bijective S-boxes of all popular sizes (LE is efficient up to n ≤ 32). Using these tools new equivalent representations are found for a variety of ciphers: Rijndael, DES, Camellia, Serpent, Misty, Kasumi, Khazad, etc. The algorithms are furthermore extended to the case of non-bijective n-to-m-bit S-boxes with a small value of n − m and to the case of almost equivalent S-boxes. The algorithms also provide new attacks on a generalized Even-Mansour scheme. Finally, the paper defines a new problem of S-box decomposition in terms of Substitution-Permutation Networks (SPN) with layers of smaller S-boxes. Simple information-theoretic bounds are proved for such decompositions. Keywords: Linear, affine equivalence algorithm, S-boxes, Block ciphers,
Cryptanalysis of Reduced-Round MISTY
Advances in Cryptology – EUROCRYPT 2001, 2001
Abstract

Cited by 10 (1 self)
The block ciphers MISTY1 and MISTY2 proposed by Matsui are based on the principle of provable security against differential and linear cryptanalysis. This paper presents attacks on reduced-round variants of both ciphers, without as well as with the key-dependent linear functions FL. The attacks employ collision-searching techniques and impossible differentials. KASUMI, a MISTY variant to be used in next-generation cellular phones, can be attacked with the latter method faster than brute force when reduced to six rounds.