Results 1 
5 of
5
Twofish: A 128Bit Block Cipher
 in First Advanced Encryption Standard (AES) Conference
, 1998
"... Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bit ..."
Abstract

Cited by 54 (8 self)
 Add to MetaCart
Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2 22.5 chosen plaintexts and 2 51 effort.
Unbalanced Feistel Networks and BlockCipher Design
 Fast Software Encryption, 3rd International Workshop Proceedings
, 1996
"... We examine a generalization of the concept of Feistel networks, which we call Unbalanced Feistel Networks (UFNs). Like conventional Feistel networks, UFNs consist of a series of rounds in which one part of the block operates on the rest of the block. However, in a UFN the two parts need not be of eq ..."
Abstract

Cited by 50 (5 self)
 Add to MetaCart
We examine a generalization of the concept of Feistel networks, which we call Unbalanced Feistel Networks (UFNs). Like conventional Feistel networks, UFNs consist of a series of rounds in which one part of the block operates on the rest of the block. However, in a UFN the two parts need not be of equal size. Removing this limitation on Feistel networks has interesting implications for designing ciphers secure against linear and differential attacks. We describe UFNs and a terminology for discussing their properties, present and analyze some UFN constructions, and make some initial observations about their security. It is notable that almost all the proposed ciphers that are based on Feistel networks follow the same design construction: half the bits operate on the other half. There is no inherent reason that this should be so; as we will demonstrate, it is possible to design Feistel networks across a much wider, richer design space. In this paper, we examine the nature of the...
Practically Secure Feistel Ciphers
 Fast Software Encryption, Cambridge Security Workshop Proceedings
, 1994
"... Abstract. In this paper we give necessary design principles to be used, when constructing secure Feistel ciphers. We introduce a new concept, practical security against linear and di erential attacks on Feistel ciphers. We give examples of such Feistel ciphers (practically) resistant to di erential ..."
Abstract

Cited by 27 (0 self)
 Add to MetaCart
Abstract. In this paper we give necessary design principles to be used, when constructing secure Feistel ciphers. We introduce a new concept, practical security against linear and di erential attacks on Feistel ciphers. We give examples of such Feistel ciphers (practically) resistant to di erential attacks, linear attacks and other attacks. 1
Improved Characteristics for Differential Cryptanalysis of Hash Functions Based on Block Ciphers
"... . In this paper we present an improvement of the differential attack on hash functions based on block ciphers. By using the specific properties of the collision attack on hash functions, we can greatly reduce the work factor to find a pair that follows the characteristic. We propose a new family of ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
. In this paper we present an improvement of the differential attack on hash functions based on block ciphers. By using the specific properties of the collision attack on hash functions, we can greatly reduce the work factor to find a pair that follows the characteristic. We propose a new family of differential characteristics that is especially useful in combination with our improvement. Attacks on a hash function based on DES variants reduced to 12, 13 or 15 rounds become faster than brute force collision attacks. 1 Introduction Hash functions are functions that compress inputs of arbitrary length to an output of fixed length n. For cryptographic applications, we impose the following properties: 1. onewayness: given Y , it is difficult to find an X such that h(X) = Y , and given X and h(X), it is difficult to find X 0 6= X such that h(X 0 ) = h(X) 2. collision resistance: it is difficult to find X and X 0 6= X such that h(X) = h(X 0 ). Most hash functions are iterated has...
Reconstruction of s^2DES SBoxes and their Immunity to Differential Cryptanalysis
, 1993
"... At Crypto'92, L.R. Knudsen[7] showed that s 2 DES is insufficient to assure against differential attack. In this paper, we propose a provable design criterion to strengthen s 2 DES against differential attack without disturbing its cryptographic structure. We show that new s 2 DES Sboxes ca ..."
Abstract
 Add to MetaCart
At Crypto'92, L.R. Knudsen[7] showed that s 2 DES is insufficient to assure against differential attack. In this paper, we propose a provable design criterion to strengthen s 2 DES against differential attack without disturbing its cryptographic structure. We show that new s 2 DES Sboxes can be constructed with our new design criteria and suggest new 8 s 2 DES Sboxes for replacing the current DES Sboxes. Simply called this algorithm as s 3 DES, the result of our estimation and Knudsen's recent analysis [9] give us that s 3 DES can resist against differential attack better than DES and s 2 DES, i.e., breaking s 3 DES by differential attack is less efficient than keyexhaustive search. 1. Introduction In 1990, Biham and Shamir [4] proposed one of the remarkable breaking method "differential cryptanalysis 1 " to cryptanalyze any iterated block cipher algorithm (DES [1], FEAL [2], LOKI [3], etc:). To break DES (Data Encryption Standard), they utilized the preco...