Differential Power Analysis
1999
Cryptosystem designers frequently assume that secrets will be manipulated in closed, reliable computing environments. Unfortunately, actual computers and microchips leak information about the operations they process. This paper examines specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. We also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information.
The RC5 Encryption Algorithm
1995
Abstract. This document describes the RC5 encryption algorithm. RC5 is a fast symmetric block cipher suitable for hardware or software implementations. A novel feature of RC5 is the heavy use of data-dependent rotations. RC5 has a variable word size, a variable number of rounds, and a variable-length secret key. 1 A Parameterized Family of Encryption Algorithms RC5 is word-oriented: all of the primitive operations work on w-bit words as their basic unit of information. Here we assume w = 32, although the formal specification of RC5 admits variants for other word lengths, such as w = 64 bits. RC5 has two-word (64-bit) input (plaintext) and output (ciphertext) block sizes. RC5 uses an "expanded key table," S, derived from the user's supplied secret key. The size t of table S depends on the number r of rounds: S has t = 2(r + 1) words. There are thus several distinct "RC5" algorithms, depending on the choice of parameters w and r. We summarize these parameters below: w This is the word size, in bits; each word contains u = (w/8) 8-bit bytes. The standard value of w is 32 bits; allowable values of w are 16, 32, and 64. RC5 encrypts two-word blocks: plaintext and ciphertext blocks are each 2w bits long. r This is the number of rounds. Also, the expanded key table S contains t = 2(r + 1) words. Allowable values of r are 0, 1, ..., 255. In addition to w and r, RC5 has a variable-length secret cryptographic key, specified by parameters b and K: b The number of bytes in the secret key K. Allowable values of b are 0, 1,
How to protect DES against exhaustive key search
Journal of Cryptology, 1996
Abstract. The block cipher DESX is defined by DESX_{k.k1.k2}(x) = k2 ⊕ DES_k(k1 ⊕ x), where ⊕ denotes bitwise exclusive-or. This construction was first suggested by Rivest as a computationally cheap way to protect DES against exhaustive key-search attacks. This paper proves, in a formal model, that the DESX construction is sound. We show that, when F is an idealized block cipher, FX
Breaking DES Using a Molecular Computer
1995
Recently Adleman [1] has shown that a small traveling salesman problem can be solved by molecular operations. In this paper we show how the same principles can be applied to breaking the Data Encryption Standard (DES). Our method is based on an encoding technique presented in Lipton [8]. We describe in detail a library of operations which are useful when working with a molecular computer. We estimate that given one arbitrary (plaintext, ciphertext) pair, one can recover the DES key in about 4 months of work. Furthermore, if one is given ciphertext, but the plaintext is only known to be one of several candidates, then it is still possible to recover the key in about 4 months of work. Finally, under chosen ciphertext attack it is possible to recover the DES key in one day using some preprocessing. 1 Introduction Due to advances in molecular biology it is nowadays possible to create a soup of roughly 10^18 DNA strands that fits in a small glass of water. Adleman [1] has shown that e...
Linear Cryptanalysis Using Multiple Approximations
Advances in Cryptology - CRYPTO '94 Proceedings, 1994
Abstract. We present a technique which aids in the linear cryptanalysis of a block cipher and allows for a reduction in the amount of data required for a successful attack. We note the limits of this extension when applied to DES, but illustrate that it is generally applicable and might be exceptionally successful when applied to other block ciphers. This forces us to reconsider some of the initial attempts to quantify the resistance of block ciphers to linear cryptanalysis, and by taking account of this new technique we cover several issues which have not yet been considered.
How far can we go beyond linear cryptanalysis
Advances in Cryptology - Asiacrypt '04, volume 3329 of LNCS, 2004
Abstract. Several generalizations of linear cryptanalysis have been proposed in the past, as well as very similar attacks from a statistical point of view. In this paper, we define a rigorous general statistical framework which allows us to interpret most of these attacks in a simple and unified way. Then, we explicitly construct optimal distinguishers, we evaluate their performance, and we prove that a block cipher immune to classical linear cryptanalysis possesses some resistance to a wide class of generalized versions, but not all. Finally, we derive tools which are necessary to set up more elaborate extensions of linear cryptanalysis, and to generalize the notions of bias, characteristic, and piling-up lemma.
An Experiment on DES Statistical Cryptanalysis
1995
Linear cryptanalysis and differential cryptanalysis are the most important methods of attack against block ciphers. Their efficiency has been demonstrated against several ciphers, including the Data Encryption Standard. We prove that both of them can be considered, improved and joined in a more general statistical framework. We also show that the very same results as those obtained in the case of DES can be found without any linear analysis, and we slightly improve them into an attack with theoretical complexity 2^42.9. We can apply another statistical attack, the χ² cryptanalysis, on the same characteristics without a definite idea of what happens in the encryption process. It appears to be roughly as efficient as both differential and linear cryptanalysis. We propose a new heuristic method to find good characteristics. It has found an attack against DES absolutely equivalent to Matsui's by following a distinct path.
On the security of two MAC algorithms
In Advances in Cryptology - EUROCRYPT '96, 1996
We consider the security of two message authentication code (MAC) algorithms: the MD5-based envelope method (RFC 1828), and the banking standard MAA (ISO 8731-2). Customization of a general MAC forgery attack allows improvements in both cases. For the envelope method, the forgery attack is extended to allow key recovery; for example, a 128-bit key can be recovered using 2^67 known text-MAC pairs and time plus 2^13 chosen texts. For MAA, internal collisions are found with fewer and shorter messages than previously by exploiting the algorithm's internal structure; the number of chosen texts (each 256 Kbyte long) for a forgery can be reduced by two orders of magnitude, e.g. from 2^24 to 2^17. Moreover, certain internal collisions allow key recovery, and weak keys for MAA are identified.
Software performance of universal hash functions
In Advances in Cryptology - EUROCRYPT '99, 1999
Abstract. This paper compares the parameter sizes and software performance of several recent constructions for universal hash functions: bucket hashing, polynomial hashing, Toeplitz hashing, division hashing, evaluation hashing, and MMH hashing. An objective comparison between these widely varying approaches is achieved by defining constructions that offer a comparable security level. It is also demonstrated how the security of these constructions compares favorably to existing MAC algorithms, the security of which is less understood.
Weight Divisibility of Cyclic Codes, Highly Nonlinear Functions on F_{2^m}, and Cross-Correlation of Maximum-Length Sequences
2000
We study [2^m − 1, 2m] binary linear codes whose weights lie between w_0 and 2^m − w_0, where w_0 takes the highest possible value. Primitive cyclic codes with two zeros whose dual satisfies this property actually correspond to almost bent power functions and to pairs of maximum-length sequences with preferred cross-correlation. We prove that, for odd m, these codes are completely characterized by their dual distance and by their weight divisibility. Using McEliece's theorem we give some general results on the weight divisibility of duals of cyclic codes with two zeros; specifically, we exhibit some infinite families of pairs of maximum-length sequences which are not preferred.