Results 1-6 of 6
Twofish: A 128-Bit Block Cipher
in First Advanced Encryption Standard (AES) Conference, 1998
Cited by 58 (8 self)
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
Unbalanced Feistel Networks and Block-Cipher Design
Fast Software Encryption, 3rd International Workshop Proceedings, 1996
Cited by 58 (5 self)
We examine a generalization of the concept of Feistel networks, which we call Unbalanced Feistel Networks (UFNs). Like conventional Feistel networks, UFNs consist of a series of rounds in which one part of the block operates on the rest of the block. However, in a UFN the two parts need not be of equal size. Removing this limitation on Feistel networks has interesting implications for designing ciphers secure against linear and differential attacks. We describe UFNs and a terminology for discussing their properties, present and analyze some UFN constructions, and make some initial observations about their security. It is notable that almost all the proposed ciphers that are based on Feistel networks follow the same design construction: half the bits operate on the other half. There is no inherent reason that this should be so; as we will demonstrate, it is possible to design Feistel networks across a much wider, richer design space. In this paper, we examine the nature of the...
Practically Secure Feistel Ciphers
Fast Software Encryption, Cambridge Security Workshop Proceedings, 1994
Cited by 27 (0 self)
Abstract. In this paper we give necessary design principles to be used, when constructing secure Feistel ciphers. We introduce a new concept, practical security against linear and differential attacks on Feistel ciphers. We give examples of such Feistel ciphers (practically) resistant to differential attacks, linear attacks and other attacks.
Imprimitive permutation groups and trapdoors in iterated block ciphers
in Fast Software Encryption (L.R. Knudsen, ed), Lecture Notes in Computer Science 1636 (Springer–Verlag), 1999
Cited by 9 (1 self)
Keywords: block, cipher, trapdoor, cryptanalysis, linear, differential, permutation, group. An iterated block cipher can be regarded as a means of producing a set of permutations of a message space. Some properties of the group generated by the round functions of such a cipher are known to be of cryptanalytic interest. It is shown here that if this group acts imprimitively on the message space then there is an exploitable weakness in the cipher. It is demonstrated that a weakness of this type can be used to construct a trapdoor that appears to be difficult to detect. An example of a DES-like cipher, resistant to both linear and differential cryptanalysis that generates an imprimitive group and is easily broken, is given. Some implications for block cipher design are noted.
Improved Characteristics for Differential Cryptanalysis of Hash Functions Based on Block Ciphers
Cited by 5 (3 self)
In this paper we present an improvement of the differential attack on hash functions based on block ciphers. By using the specific properties of the collision attack on hash functions, we can greatly reduce the work factor to find a pair that follows the characteristic. We propose a new family of differential characteristics that is especially useful in combination with our improvement. Attacks on a hash function based on DES variants reduced to 12, 13 or 15 rounds become faster than brute force collision attacks.
1 Introduction
Hash functions are functions that compress inputs of arbitrary length to an output of fixed length n. For cryptographic applications, we impose the following properties:
1. one-wayness: given Y, it is difficult to find an X such that h(X) = Y, and given X and h(X), it is difficult to find X' ≠ X such that h(X') = h(X)
2. collision resistance: it is difficult to find X and X' ≠ X such that h(X) = h(X').
Most hash functions are iterated has...
Reconstruction of s²DES S-Boxes and their Immunity to Differential Cryptanalysis
1993
At Crypto'92, L.R. Knudsen [7] showed that s²DES is insufficient to assure against differential attack. In this paper, we propose a provable design criterion to strengthen s²DES against differential attack without disturbing its cryptographic structure. We show that new s²DES S-boxes can be constructed with our new design criteria and suggest new 8 s²DES S-boxes for replacing the current DES S-boxes. Simply called this algorithm as s³DES, the result of our estimation and Knudsen's recent analysis [9] give us that s³DES can resist against differential attack better than DES and s²DES, i.e., breaking s³DES by differential attack is less efficient than key-exhaustive search.