Results 1-10 of 15
Twofish: A 128-Bit Block Cipher
in First Advanced Encryption Standard (AES) Conference, 1998
Cited by 54 (8 self)
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
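Two of the building blocks named in the abstract, the MDS matrix over GF(2^8) and the pseudo-Hadamard transform, are small enough to check directly. The following is an added example, not code from the Twofish paper or the reference implementation: it implements GF(2^8) arithmetic under the field polynomial x^8 + x^6 + x^5 + x^3 + 1 that the Twofish specification uses for its MDS matrix, verifies the MDS property of the matrix given in that specification by testing that every square submatrix is nonsingular, and shows that the PHT is a bijection on pairs of 32-bit words. The function names are this example's own.

```python
from itertools import combinations

# Field polynomial the Twofish specification uses for its MDS matrix:
# x^8 + x^6 + x^5 + x^3 + 1.
MDS_POLY = 0x169
MASK32 = 0xFFFFFFFF

# The 4x4 MDS matrix from the Twofish specification (entries in GF(2^8)).
TWOFISH_MDS = [
    [0x01, 0xEF, 0x5B, 0x5B],
    [0x5B, 0xEF, 0xEF, 0x01],
    [0xEF, 0x5B, 0x01, 0xEF],
    [0xEF, 0x01, 0xEF, 0x5B],
]

def gf_mul(a, b, poly=MDS_POLY):
    """Multiply two GF(2^8) elements, reducing modulo poly (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= poly
        b >>= 1
    return r

def gf_inv(a, poly=MDS_POLY):
    """Inverse of a nonzero element as a^254 (GF(2^8)* has order 255)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base, poly)
        base = gf_mul(base, base, poly)
        e >>= 1
    return r

def gf_det(m, poly=MDS_POLY):
    """Determinant over GF(2^8) by Gaussian elimination.  Row swaps need no
    sign change because -1 == 1 in characteristic 2."""
    m = [row[:] for row in m]
    n = len(m)
    det = 1
    for c in range(n):
        pivot = next((r for r in range(c, n) if m[r][c]), None)
        if pivot is None:
            return 0
        m[c], m[pivot] = m[pivot], m[c]
        det = gf_mul(det, m[c][c], poly)
        inv = gf_inv(m[c][c], poly)
        for r in range(c + 1, n):
            if m[r][c]:
                f = gf_mul(m[r][c], inv, poly)
                m[r] = [x ^ gf_mul(f, y, poly) for x, y in zip(m[r], m[c])]
    return det

def is_mds(m, poly=MDS_POLY):
    """A square matrix over a field is MDS (branch number n+1) iff every
    square submatrix, of every size, is nonsingular."""
    n = len(m)
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                sub = [[m[r][c] for c in cols] for r in rows]
                if gf_det(sub, poly) == 0:
                    return False
    return True

def mds_mul(m, vec, poly=MDS_POLY):
    """Matrix-vector product over GF(2^8): the diffusion step applied to the
    four S-box output bytes in the Twofish round function."""
    out = []
    for row in m:
        acc = 0
        for coef, x in zip(row, vec):
            acc ^= gf_mul(coef, x, poly)
        out.append(acc)
    return out

def pht(a, b):
    """Pseudo-Hadamard transform on 32-bit words: a' = a + b, b' = a + 2b (mod 2^32)."""
    return (a + b) & MASK32, (a + 2 * b) & MASK32

def pht_inverse(a2, b2):
    """Invert the PHT (b = b' - a', a = a' - b mod 2^32), showing it is a bijection."""
    b = (b2 - a2) & MASK32
    a = (a2 - b) & MASK32
    return a, b

if __name__ == "__main__":
    print("Twofish MDS matrix is MDS:", is_mds(TWOFISH_MDS))
    # A single nonzero input byte reaches all four output bytes.
    print("MDS * (01,00,00,00) =", [hex(v) for v in mds_mul(TWOFISH_MDS, [1, 0, 0, 0])])
    print("PHT(1, 2) =", pht(1, 2))
```

The submatrix test is exhaustive for a 4x4 matrix (69 determinants), which is far cheaper than checking all 2^32 input differences for the branch number directly; the same `is_mds` works for any square matrix over GF(2^8) if a different field polynomial is passed.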
Cryptanalysis of stream ciphers with linear masking
Proc. of CRYPTO'02, 2002
Cited by 36 (1 self)
Abstract. We describe a cryptanalytical technique for distinguishing some stream ciphers from a truly random process. Roughly, the ciphers to which this method applies consist of a "nonlinear process" (say, akin to a round function in block ciphers), and a "linear process" such as an LFSR (or even fixed tables). The output of the cipher can be the linear sum of both processes. To attack such ciphers, we look for any property of the "nonlinear process" that can be distinguished from random. In addition, we look for a linear combination of the linear process that vanishes. We then consider the same linear combination applied to the cipher's output, and try to find traces of the distinguishing property. In this report we analyze two specific "distinguishing properties". One is a linear approximation of the nonlinear process, which we demonstrate on the stream cipher SNOW. This attack needs roughly 2^95 words of output, with workload of about 2^100. The other is a "low-diffusion" attack, that we apply to the cipher Scream-0. The latter attack needs only about 2^43 bytes of output, using roughly 2^50 space and 2^80 time.
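The attack model in the abstract (keystream = linear process XOR nonlinear process; find a linear combination that vanishes on the linear process; apply it to the keystream and look for the nonlinear process's bias) can be walked through on a toy instance. The following is an added example, not code from the paper, and the "cipher" in it is constructed for illustration only: the linear process is an 8-bit LFSR, the nonlinear process is a deliberately biased bit source, and the vanishing combination is simply the LFSR's feedback recurrence. Real targets have a far smaller bias and need the 2^43 to 2^95 samples quoted above; the exaggerated bias here keeps the run to a fraction of a second.

```python
import random

# Constructed toy instance of the "linear process XOR nonlinear process" model.
# Nothing here is a real cipher (assumption for illustration only).

# Linear process: an 8-bit Fibonacci LFSR with feedback polynomial
# x^8 + x^4 + x^3 + x^2 + 1, so every output window satisfies
#     s[t] ^ s[t+2] ^ s[t+3] ^ s[t+4] ^ s[t+8] == 0.
# That recurrence is the "linear combination of the linear process that vanishes".
VANISHING_MASK = (0, 2, 3, 4, 8)

def lfsr_stream(seed, n):
    """Return n output bits of the LFSR; seed is a nonzero 8-bit integer."""
    state = [(seed >> i) & 1 for i in range(8)]
    out = []
    for _ in range(n):
        out.append(state[0])
        fb = state[0] ^ state[2] ^ state[3] ^ state[4]
        state = state[1:] + [fb]
    return out

def nonlinear_stream(rng, n):
    """Toy nonlinear process: each bit is the AND of two fresh random bits, so
    Pr[bit = 0] = 3/4, a bias of 1/4 (far larger than any real cipher's)."""
    return [rng.getrandbits(1) & rng.getrandbits(1) for _ in range(n)]

def keystream(lfsr_seed, rng, n):
    """Cipher output = linear process XOR nonlinear process."""
    return [a ^ b for a, b in zip(lfsr_stream(lfsr_seed, n), nonlinear_stream(rng, n))]

def masked_bias(bits, mask):
    """XOR the bits at offsets t+m (m in mask) for every window t and return the
    empirical bias Pr[result = 0] - 1/2.  On a random source this is close to 0."""
    span = max(mask)
    total = len(bits) - span
    zeros = 0
    for t in range(total):
        v = 0
        for m in mask:
            v ^= bits[t + m]
        zeros += v == 0
    return zeros / total - 0.5

def toy_cipher_bias(n=1 << 17, lfsr_seed=0x9D, rng_seed=1):
    """Run the distinguisher on n bits of toy keystream.  The mask cancels the
    LFSR exactly, leaving the XOR of five nonlinear bits, whose bias by the
    piling-up lemma is 2^4 * (1/4)^5 = 1/64, about 0.0156."""
    rng = random.Random(rng_seed)
    return masked_bias(keystream(lfsr_seed, rng, n), VANISHING_MASK)

def distinguish(bits, mask=VANISHING_MASK, threshold=0.005):
    """True if the masked stream is biased beyond threshold, i.e. looks like the
    toy cipher rather than a random source.  With 2^17 bits the standard
    deviation of the estimate is about 0.0015, so 0.005 is a >3 sigma cut."""
    return abs(masked_bias(bits, mask)) > threshold

if __name__ == "__main__":
    n = 1 << 17
    rng = random.Random(1)
    z = keystream(0x9D, rng, n)
    # On the LFSR alone the mask is identically zero, so the "bias" is +0.5.
    print("mask on LFSR alone   :", masked_bias(lfsr_stream(0x9D, n), VANISHING_MASK))
    print("mask on toy keystream:", masked_bias(z, VANISHING_MASK), distinguish(z))
    random_bits = [rng.getrandbits(1) for _ in range(n)]
    print("mask on random source:", masked_bias(random_bits, VANISHING_MASK), distinguish(random_bits))
```

The point the toy makes is the one in the abstract: the attacker never needs to recover the LFSR state, only a combination that the LFSR cannot see, after which the problem reduces to detecting whatever non-randomness the nonlinear part leaks, with the sample count growing as the inverse square of that leaked bias.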
Trivium: A Stream Cipher Construction Inspired by Block Cipher Design Principles
eSTREAM, ECRYPT Stream Cipher, 2005
Cited by 24 (1 self)
Abstract. In this paper, we propose a new stream cipher construction based on block cipher design principles. The main idea is to replace the building blocks used in block ciphers by equivalent stream cipher components. In order to illustrate this approach, we construct a very simple synchronous stream cipher which provides a lot of flexibility for hardware implementations, and seems to have a number of desirable cryptographic properties.
Mercy: A fast large block cipher for disk sector encryption
Proc. Fast Software Encryption 2000, LNCS 1978, 2000
Cited by 21 (0 self)
Abstract. We discuss the special requirements imposed on the underlying cipher of systems which encrypt each sector of a disk partition independently, and demonstrate a certificational weakness in some existing block ciphers including Bellare and Rogaway's 1999 proposal, proposing a new quantitative measure of avalanche. To address these needs, we present Mercy, a new block cipher accepting large (4096-bit) blocks, which uses a key-dependent state machine to build a bijective F function for a Feistel cipher. Mercy achieves 9 cycles/byte on a Pentium-compatible processor.
IDEA: A Cipher for Multimedia Architectures?
In Selected Areas in Cryptography '98, 1998
Cited by 20 (5 self)
MMX is a new technology to accelerate multimedia applications on Pentium processors. We report an implementation of IDEA on a Pentium MMX that is 1.65 times faster than any previously known implementation on the Pentium. By parallelizing four IDEAs we reach an unprecedented 78 Mbits/s throughput per output block on a 166 MHz MMX. In the light of the rapidly increasing popularity of multimedia applications, causing more dedicated hardware to be built, and observing that most of the current block ciphers do not benefit from MMX, we raise the problem of designing block ciphers (and encryption modes) fully utilizing the basic operations of multimedia.
Assche. Sponge functions
2007
Cited by 13 (0 self)
Attack the Dragon
Progress in Cryptology - INDOCRYPT 2005, Lecture Notes in Computer Science, 2005
Cited by 5 (0 self)
Dragon is a word-oriented stream cipher submitted to the ECRYPT project; it operates on key sizes of 128 and 256 bits. The original idea of the design is to use a nonlinear feedback shift register (NLFSR) and a linear part (counter), combined by a filter function to generate a new state of the NLFSR and produce the keystream. The internal state of the cipher is 1088 bits, i.e., time-memory-data (TMD) trade-off attacks of any kind are not applicable. In this paper we present two statistical distinguishers that distinguish Dragon from a random source, both requiring around O(2 ) words of the keystream. In the first scenario the time complexity is around O(2 ) with the memory complexity O(2 ), whereas the second scenario needs only O(2 ) of time, but O(2 ) of memory. The attack is based on a statistical weakness introduced into the keystream by the filter function F. This is the first paper presenting an attack on Dragon, and it shows that the cipher does not provide full security when the key of size 256 bits is used.
Hijibijbij: A New Stream Cipher with Self-Synchronizing and MAC Modes Of Operation
Progress in Cryptology - Indocrypt 2003, LNCS 2904, 2003
Cited by 4 (0 self)
In this paper, we present a new stream cipher called Hijibijbij (HBB). The basic design principle of HBB is to mix a linear and a nonlinear map. Our innovation is in the design of the linear and the nonlinear maps. The linear map is realised using two 256-bit maximal period 90/150 cellular automata.
Why IV Setup for Stream Ciphers is Difficult
2007
Cited by 2 (0 self)
In recent years, the initialization vector (IV) setup has proven to be the most vulnerable point when designing secure stream ciphers. In this paper, we take a look at possible reasons why this is the case, identifying numerous open research problems in cryptography.
Analysis of the Collision Resistance of RadioGatún using Algebraic Techniques
Cited by 2 (0 self)
Abstract. In this paper, we present some preliminary results on the security of the RadioGatún hash function. RadioGatún has an internal state of 58 words, and is parameterized by the word size, from one to 64 bits. We mostly study the one-bit version of RadioGatún since, according to the authors, attacks on this version also affect the reasonably-sized versions. On this toy version, we revisit the claims of the designers and first improve some results. Secondly, given a differential path, we show how to find a message pair colliding more efficiently than the strategy proposed by the authors, using algebraic techniques. We experimented with this strategy on the one-bit version since we can efficiently find differential paths by brute force. Even though the complexity of this collision attack is higher than the general security claim on RadioGatún〈1〉, it is still less than the birthday paradox on the size of the internal state.