Results 1  10
of
13
Twofish: A 128Bit Block Cipher
 in First Advanced Encryption Standard (AES) Conference
, 1998
"... Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bit ..."
Abstract

Cited by 58 (8 self)
 Add to MetaCart
Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2 22.5 chosen plaintexts and 2 51 effort.
Unbalanced Feistel Networks and BlockCipher Design
 Fast Software Encryption, 3rd International Workshop Proceedings
, 1996
"... We examine a generalization of the concept of Feistel networks, which we call Unbalanced Feistel Networks (UFNs). Like conventional Feistel networks, UFNs consist of a series of rounds in which one part of the block operates on the rest of the block. However, in a UFN the two parts need not be of eq ..."
Abstract

Cited by 58 (5 self)
 Add to MetaCart
We examine a generalization of the concept of Feistel networks, which we call Unbalanced Feistel Networks (UFNs). Like conventional Feistel networks, UFNs consist of a series of rounds in which one part of the block operates on the rest of the block. However, in a UFN the two parts need not be of equal size. Removing this limitation on Feistel networks has interesting implications for designing ciphers secure against linear and differential attacks. We describe UFNs and a terminology for discussing their properties, present and analyze some UFN constructions, and make some initial observations about their security. It is notable that almost all the proposed ciphers that are based on Feistel networks follow the same design construction: half the bits operate on the other half. There is no inherent reason that this should be so; as we will demonstrate, it is possible to design Feistel networks across a much wider, richer design space. In this paper, we examine the nature of the...
Practically Secure Feistel Ciphers
 Fast Software Encryption, Cambridge Security Workshop Proceedings
, 1994
"... Abstract. In this paper we give necessary design principles to be used, when constructing secure Feistel ciphers. We introduce a new concept, practical security against linear and di erential attacks on Feistel ciphers. We give examples of such Feistel ciphers (practically) resistant to di erential ..."
Abstract

Cited by 27 (0 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper we give necessary design principles to be used, when constructing secure Feistel ciphers. We introduce a new concept, practical security against linear and di erential attacks on Feistel ciphers. We give examples of such Feistel ciphers (practically) resistant to di erential attacks, linear attacks and other attacks. 1
Scream: a softwareefficient stream cipher
 Fast Software Encryption (FSE) 2002, Lecture Notes in Computer Science
, 2002
"... We report on the design of Scream, a new softwareefficient stream cipher, which was designed to be a "more secure SEAL". Following SEAL, the design of Scream resembles in many ways a blockcipher design. The new cipher is roughly as fast as SEAL, but we believe that it offers a significan ..."
Abstract

Cited by 14 (0 self)
 Add to MetaCart
We report on the design of Scream, a new softwareefficient stream cipher, which was designed to be a "more secure SEAL". Following SEAL, the design of Scream resembles in many ways a blockcipher design. The new cipher is roughly as fast as SEAL, but we believe that it offers a significantly higher security level. In the process of designing this cipher, we revisit the SEAL design paradigm, exhibiting some tradeoffs and limitations.
Relationships among nonlinearity criteria
 In Advances in Cryptology  EUROCRYPT'94, volume 950, Lecture Notes in Computer Science
, 1995
"... Abstract. An important question in designing cryptographic functions including substitution boxes (Sboxes) is the relationships among the various nonlinearity criteria each of which indicates the strength or weakness of a cryptographic function against a particular type of cryptanalytic attacks. In ..."
Abstract

Cited by 14 (7 self)
 Add to MetaCart
(Show Context)
Abstract. An important question in designing cryptographic functions including substitution boxes (Sboxes) is the relationships among the various nonlinearity criteria each of which indicates the strength or weakness of a cryptographic function against a particular type of cryptanalytic attacks. In this paper we reveal, for the rst time, interesting connections among the strict avalanche characteristics, di erential characteristics, linear structures and nonlinearity of quadratic Sboxes. In addition, we show that our proof techniques allow us to treat in a uni ed fashion all quadratic permutations, regardless of the underlying construction methods. This greatly simpli es the proofs for a number of known results on nonlinearity characteristics of quadratic permutations. As a byproduct, we obtain a negative answer to an open problem regarding the existence of di erentially 2uniform quadratic permutations on an even dimensional vector space. 1 Nonlinearity Criteria
Hijibijbij: A New Stream Cipher with SelfSynchronizing and MAC Modes Of Operation
 Progress in Cryptology – Indocrypt 2003, LNCS 2904
, 2003
"... In this paper, we present a new stream cipher called Hijibijbij (HBB). The basic design principle of HBB is to mix a linear and a nonlinear map. Our innovation is in the design of the linear and the nonlinear maps. The linear map is realised using two 256bit maximal period 90/150 cellular autom ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
(Show Context)
In this paper, we present a new stream cipher called Hijibijbij (HBB). The basic design principle of HBB is to mix a linear and a nonlinear map. Our innovation is in the design of the linear and the nonlinear maps. The linear map is realised using two 256bit maximal period 90/150 cellular automata.
1The Cipher SHARK
"... fvincent.rijmen,joan.daemen,bart.preneel,antoon.bosselaers,erik.dewing ..."
(Show Context)
On Linear Redundancy in the AES SBox
, 2002
"... We show the existence of a previously unknown linear redundancy property of the only nonlinear component of the AES block cipher. It is demonstrated that the outputs of the 8*8 Rijndael sbox (based on inversion in a finite field) are all equivalent under affine transformation. ..."
Abstract
 Add to MetaCart
(Show Context)
We show the existence of a previously unknown linear redundancy property of the only nonlinear component of the AES block cipher. It is demonstrated that the outputs of the 8*8 Rijndael sbox (based on inversion in a finite field) are all equivalent under affine transformation.
Sequences with Low Cross Correlation
, 2003
"... We nd several classes of sequences that have low cross correlation with the msequence represented by Tr(x). Firstly, we determine when a linear combination of Goldterms is bent or Goldlike over ) by an ecient polynomial GCD computation. Using this GCD condition, we derive large classes of ..."
Abstract
 Add to MetaCart
We nd several classes of sequences that have low cross correlation with the msequence represented by Tr(x). Firstly, we determine when a linear combination of Goldterms is bent or Goldlike over ) by an ecient polynomial GCD computation. Using this GCD condition, we derive large classes of bent and Goldlike sequences over ), where q is prime. Secondly, we restrict ourselves to the binary case p = 2 and derive three large classes of Goldlike sequences which are certain sum of Gold terms. Thirdly, we generalise the construction of [13] to determine when a sum of cascaded GMW sequences is Goldlike.
On a Structure of Block Ciphers with Provable Security against Differential and Linear Cryptanalysis
, 1999
"... bi#B# yi s low,i t cannot be concluded that the ci#O/W i# strong agai#gO di#i#gO ti#i cryptanalysi#F Meanwhi#O1 Nyberg and Knudsen [6] first showed an example of a blockci#WW# whosemaxi#OF di#i#OF ti#i probabi#Yq yi s low enough; they have called such property "provablesecuri# y"agai#BW di ..."
Abstract
 Add to MetaCart
bi#B# yi s low,i t cannot be concluded that the ci#O/W i# strong agai#gO di#i#gO ti#i cryptanalysi#F Meanwhi#O1 Nyberg and Knudsen [6] first showed an example of a blockci#WW# whosemaxi#OF di#i#OF ti#i probabi#Yq yi s low enough; they have called such property "provablesecuri# y"agai#BW di#i#BW ti#i cryptanalysi #y In li#1#z cryptanalysi#i we can see asi#WB1# si#W uati#B1 The first versi#z ofli#F1Y cryptanalysi# also appli#O "characteri#F#Oi (ofli#OF/ cryptanalysi## to an attack of blockci#F#W#O but Nyberg [5] has recently showed that a collecti#z of characteri#1#Oi# whi# h she called "li#edO hull," must be taken i# toconsi#zO(/FFB forstri#F evaluati#O of the strengthagai#gt li#i#g cryptanalysi #z Si#ly the examplegi# en i# [6] has a low hull probabi#1O y,i# i# also provably secure agai#eO li#i#e Manuscript received March 27, 1998. Manuscript revised July 30, 1998. + The author is with Information Technology R&D Center, Mitsubishi Electric Corporation, Kamakura