Cryptosystem designers frequently assume that secrets will be manipulated in closed, reliable computing environments. Unfortunately, actual computers and microchips leak information about the operations they process. This paper examines specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. We also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information.

Abstract. This document describes the RC5 encryption algorithm. RC5 is a fast symmetric block cipher suitable for hardware or software implementations. A novel feature of RC5 is the heavy use of data-dependent rotations. RC5 has a variable word size, a variable number of rounds, and a variable-length secret key. 1 AParameterized Family of Encryption Algorithms RC5 is word-oriented: all of the primitive operations work on w-bit words as their basic unit of information. Here we assume w = 32, although the formal speci cation of RC5 admits variants for other word lengths, such asw = 64 bits. RC5 has two-word (64-bit) input (plaintext) and output (ciphertext) block sizes. RC5 uses an \expanded key table, " S, derived from the user's supplied secret key. The size t of table S depends on the number r of rounds: S has t =2(r +1) words. There are thus several distinct \RC5 " algorithms, depending on the choice of parameters w and r. We summarize these parameters below: w This is the word size, in bits � each word contains u =(w=8) 8-bit bytes. The standard value of w is 32 bits � allowable values of w are 16, 32, and 64. RC5 encrypts two-word blocks: plaintext and ciphertext blocks are each 2w bits long. r This is the number of rounds. Also, the expanded key table S contains t =2(r +1)words. Allowable values of r are 0, 1,..., 255. In addition to w and r, RC5 has a variable-length secret cryptographic key, speci ed parameters b and K: b The number of bytes in the secret key K. Allowable values of b are 0, 1,

Abstract The block cipher DESX is defined by DESX k:k1:k2 (x) = k2 \Phi DES k (k1 \Phi x), where \Phi denotes bitwise exclusive-or. This construction was first suggested by Rivest as a computationallycheap way to protect DES against exhaustive key-search attacks. This paper proves, in a formal model, that the DESX construction is sound. We show that, when F is an idealized block cipher, FX

Recently Adleman [1] has shown that a small traveling salesman problem can be solved by molecular operations. In this paper we show how the same principles can be applied to breaking the Data Encryption Standard (DES). Our method is based on an encoding technique presented in Lipton [8]. We describe in detail a library of operations which are useful when working with a molecular computer. We estimate that given one arbitrary (plain-text, cipher-text) pair, one can recover the DES key in about 4 months of work. Furthermore, if one is given cipher-text, but the plain text is only known to be one of several candidates then it is still possible to recover the key in about 4 months of work. Finally, under chosen cipher-text attack it is possible to recover the DES key in one day using some preprocessing. 1 Introduction Due to advances in molecular biology it is nowadays possible to create a soup of roughly 10 18 DNA strands that fits in a small glass of water. Adleman [1] has shown that e...

Abstract. We present a technique which aids in the linear cryptanalysis of a block cipher and allows for a reduction in the amount of data required for a successful attack. We note the limits of this extension when applied to DES, but illustrate that it is generally applicable and might be exceptionally successful when applied to other block ciphers. This forces us to reconsider some of the initial attempts to quantify the resistance of block ciphers to linear cryptanalysis, and by taking account of this new technique we cover several issues which have not yet been considered. 1

Linear cryptanalysis and differential cryptanalysis are the most important methods of attack against block ciphers. Their efficiency have been demonstrated against several ciphers, including the Data Encryption Standard. We prove that both of them can be considered, improved and joined in a more general statistical framework. We also show that the very same results as those obtained in the case of DES can be found without any linear analysis and we slightly improve them into an attack with theoretical complexity 2 42:9 . We can apply another statistical attack --- the Ø 2 -cryptanalysis --- on the same characteristics without a definite idea of what happens in the encryption process. It appears to be roughly as efficient as both differential and linear cryptanalysis. We propose a new heuristic method to find good characteristics. It has found an attack against DES absolutely equivalent to Matsui's one by following a distinct path.

We consider the security of two message authentication code �MAC � algorithms� the MD5�based envelope method �RFC 1828� � and the banking standard MAA �ISO 8731�2�. Customization of a general MAC forgery attack allows improvements in both cases. For the envelope method � the forgery attack is extended to allow key recovery� for example � a 128�bit key can be recovered using 2 67 known text�MAC pairs and time plus 2 13 chosen texts. For MAA � internal collisions are found with fewer and shorter messages than previously by exploiting the algorithm�s internal structure � the number of chosen texts �each 256 Kbyte long � for a forgery can be reduced by two orders of magnitude � e.g. from 2 24 to 2 17. Moreover � certain internal collisions allow key recovery � and weak keys for MAA are identi�ed. 1

We study [2m −1, 2m]-binary linear codes whose weights lie between w0 and 2m −w0, where w0 takes the highest possible value. Primitive cyclic codes with two zeros whose dual satisfies this property actually correspond to almost bent power functions and to pairs of maximum-length sequences with preferred crosscorrelation. We prove that, for odd m, these codes are completely characterized by their dual distance and by their weight divisibility. Using McEliece’s theorem we give some general results on the weight divisibility of duals of cyclic codes with two zeros; specifically, we exhibit some infinite families of pairs of maximum-length sequences which are not preferred.

Abstract. This paper compares the parameters sizes and software performance of several recent constructions for universal hash functions: bucket hashing, polynomial hashing, Toeplitz hashing, division hashing, evaluation hashing, and MMH hashing. An objective comparison between these widely varying approaches is achieved by defining constructions that offer a comparable security level. It is also demonstrated how the security of these constructions compares favorably to existing MAC algorithms, the security of which is less understood. 1

We argue that the invertibility of a block cipher can reduce the security of schemes that use it, and a better starting point for scheme design is the non-invertible analog of a block cipher, that is, a pseudorandom function (PRF). Since a block cipher may be viewed as a pseudorandom permutation, we are led to investigate the reverse of the problem studied by Luby and Rackoff, and ask: "how can one transform a PRP into a PRF in as security-preserving a way as possible?" The solution we propose is data-dependent re-keying. As an illustrative special case, let E:f0; 1g nf0;1g n!f0;1g n be the block cipher. Then we can construct the PRF F from the PRP E by setting F (k; x) =E(E(k; x);x). We generalize this to allow for arbitrary block and key lengths, and to improve e ciency. We prove strong quantitative bounds on the value of data-dependent re-keying in the Shannon model of an ideal cipher, and take some initial steps towards an analysis in the standard model.