Twofish: A 128-Bit Block Cipher
- in First Advanced Encryption Standard (AES) Conference, 1998
Cited by 50 (8 self)
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
Unbalanced Feistel Networks and Block-Cipher Design
- Fast Software Encryption, 3rd International Workshop Proceedings, 1996
Cited by 44 (5 self)
We examine a generalization of the concept of Feistel networks, which we call Unbalanced Feistel Networks (UFNs). Like conventional Feistel networks, UFNs consist of a series of rounds in which one part of the block operates on the rest of the block. However, in a UFN the two parts need not be of equal size. Removing this limitation on Feistel networks has interesting implications for designing ciphers secure against linear and differential attacks. We describe UFNs and a terminology for discussing their properties, present and analyze some UFN constructions, and make some initial observations about their security. It is notable that almost all the proposed ciphers that are based on Feistel networks follow the same design construction: half the bits operate on the other half. There is no inherent reason that this should be so; as we will demonstrate, it is possible to design Feistel networks across a much wider, richer design space. In this paper, we examine the nature of the...
Substitution-Permutation Network Cryptosystems Using Key-Dependent S-Boxes
- Carleton University, 1997
Cited by 3 (1 self)
Substitution-permutation networks (SPNs) are an important class of private key cryptosystems, having substitution boxes (s-boxes) as a critical internal component. Much of the research into s-boxes has focussed on determining those s-box properties which yield a cryptographically strong SPN. We investigate s-boxes which are generated in a pseudo-random fashion from a key. This approach has the advantage of decreasing the effectiveness of certain attacks. In addition, combinatorial results give evidence that the resulting s-boxes will possess several desirable properties with high probability. We propose a key-dependent s-box generation method and an SPN which incorporates it. The proposed system successfully passes a range of standard statistical tests, as well as two new statistical tests which are designed to detect correlation between s-boxes. Some interesting theoretical results concerning these new tests are proven, and one of the tests is shown to be a generalisation of the exist...
The Inclusion-Exclusion Principle and its Applications to Cryptography
- 1995
Cited by 1 (0 self)
The inclusion-exclusion principle is a combinatorial method for determining the cardinality of a set where each element X ∈ U satisfies a list of properties u_1, u_2, ..., u_n. In this paper we will display the usefulness of the inclusion-exclusion principle by solving 8 problems of interest to cryptography. These problems will concentrate on the enumeration of boolean functions and permutations that have properties which are considered to be necessary for a cryptographic mapping to be secure. In particular we will be concerned with the properties of nonlinearity and nondegeneracy as these properties correspond to Shannon's notions of confusion and diffusion, respectively.
Keywords: probability, enumeration, inclusion-exclusion principle, boolean functions, permutations.
1 Introduction
In cryptography we are often interested in determining the probability that a certain event may occur. For example, what is the probability that a given block C of ciphertext is encoded using a...
A New Substitution-Permutation Network Cipher Using Key-Dependent S-Boxes
- 1997
This paper outlines the ongoing work of the authors' investigation into the design of a new block cipher incorporating key-dependent, pseudo-randomly generated s-boxes. Other systems using key-dependent s-boxes have been proposed in the past, the most well-known being perhaps Blowfish [17] and Khufu [12]. Each of these two systems, however, uses the cryptosystem itself to generate the s-boxes, which renders analysis difficult --- we choose to avoid this approach. Preliminary results indicate that our proposed system has good cryptographic strength, with the added benefit that it is immune to linear and differential cryptanalysis, which require that the s-boxes be known. In addition, the system can easily be extended through the use of larger s-boxes and an increased number of rounds.

