Results 1  10
of
99
The Block Cipher SQUARE
 FAST SOFTWARE ENCRYPTION (FSE) 1997
, 1997
"... In this paper we present a new 128bit block cipher called Square. The original design of Square concentrates on the resistance against differential and linear cryptanalysis. However, after the initial design a dedicated attack was mounted that forced us to augment the number of rounds. The goal of ..."
Abstract

Cited by 110 (18 self)
 Add to MetaCart
In this paper we present a new 128bit block cipher called Square. The original design of Square concentrates on the resistance against differential and linear cryptanalysis. However, after the initial design a dedicated attack was mounted that forced us to augment the number of rounds. The goal of this paper is the publication of the resulting cipher for public scrutiny. A C implementation of Square is available that runs at 2.63 MByte/s on a 100 MHz Pentium. Our M68HC05 Smart Card implementation fits in 547 bytes and takes less than 2 msec. (4 MHz Clock). The high degree of parallellism allows hardware implementations in the Gbit/s range today.
AES Proposal: Rijndael
, 1998
"... this document we describe the cipher Rijndael. First we present the mathematical basis necessary for understanding the specifications followed by the design rationale and the description itself. Subsequently, the implementation aspects of the cipher and its inverse are treated. This is followed by t ..."
Abstract

Cited by 100 (0 self)
 Add to MetaCart
this document we describe the cipher Rijndael. First we present the mathematical basis necessary for understanding the specifications followed by the design rationale and the description itself. Subsequently, the implementation aspects of the cipher and its inverse are treated. This is followed by the motivations of all design choices and the treatment of the resistance against known types of attacks. We give our security claims and goals, the advantages and limitations of the cipher, ways how it can be extended and how it can be used
Truncated and Higher Order Differentials
 Fast Software Encryption  Second International Workshop, Leuven, Belgium, LNCS 1008
, 1995
"... In [6] higher order derivatives of discrete functions were considered and the concept of higher order differentials was introduced. We introduce the concept of truncated differentials and present attacks on ciphers presumably secure against differential attacks, but vulnerable to attacks using highe ..."
Abstract

Cited by 97 (9 self)
 Add to MetaCart
In [6] higher order derivatives of discrete functions were considered and the concept of higher order differentials was introduced. We introduce the concept of truncated differentials and present attacks on ciphers presumably secure against differential attacks, but vulnerable to attacks using higher order and truncated differentials. Also we give a differential attack using truncated differentials on DES reduced to 6 rounds using only 46 chosen plaintexts with an expected running time of about the time of 3,500 encryptions. Finally it is shown how to find a minimum nonlinear order of a block cipher using higher order differentials.
Links Between Differential and Linear Cryptanalysis
, 1994
"... Linear cryptanalysis, introduced last year by Matsui, will most certainly openup the way to new attack methods which may be made more efficient when compared or combined with differential cryptanalysis. This report exhibits new relations between linear and differential cryptanalysis and presents ne ..."
Abstract

Cited by 65 (4 self)
 Add to MetaCart
Linear cryptanalysis, introduced last year by Matsui, will most certainly openup the way to new attack methods which may be made more efficient when compared or combined with differential cryptanalysis. This report exhibits new relations between linear and differential cryptanalysis and presents new classes of functions which are optimally resistant to these attacks. In particular, we prove that linearresistant functions, which generally present Bent properties, are differentialresistant as well and thus, present Perfect Nonlinear properties. 1 On leave from D'el'egation G'en'erale de l'Armement Links between differential and linear cryptanalysis 1  I Introduction Matsui has introduced last year a new cryptanalysis method for DESlike cryptosystems [Mat94]. The idea of the method is to approximate the nonlinear Sboxes with linear forms. Beside, the performances of linear cryptanalysis seems next to differential cryptanalysis ones, though a little better. These similitudes s...
The Interpolation Attack on Block Ciphers
 In Fast Software Encryption
, 1997
"... In this paper we introduce a new method of attacks on block ciphers, the interpolation attack. This new method is useful for attacking ciphers using simple algebraic functions (in particular quadratic functions) as Sboxes. Also, ciphers of low nonlinear order are vulnerable to attacks based on hig ..."
Abstract

Cited by 61 (5 self)
 Add to MetaCart
In this paper we introduce a new method of attacks on block ciphers, the interpolation attack. This new method is useful for attacking ciphers using simple algebraic functions (in particular quadratic functions) as Sboxes. Also, ciphers of low nonlinear order are vulnerable to attacks based on higher order differentials. Recently, Knudsen and Nyberg presented a 6round prototype cipher which is provably secure against ordinary differential cryptanalysis. We show how to attack the cipher by using higher order differentials and a variant of the cipher by the interpolation attack. It is possible to successfully cryptanalyse up to 32 rounds of the variant using about 2 32 chosen plaintexts with a running time less than 2 64 . Using higher order differentials, a new design concept for block ciphers by Kiefer is also shown to be insecure. Rijmen et al presented a design strategy for block ciphers and the cipher SHARK. We show that there exist ciphers constructed according to this des...
Twofish: A 128Bit Block Cipher
 in First Advanced Encryption Standard (AES) Conference
, 1998
"... Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bit ..."
Abstract

Cited by 54 (8 self)
 Add to MetaCart
Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2 22.5 chosen plaintexts and 2 51 effort.
Provable Security Against a Differential Attack
 Journal of Cryptology
, 1995
"... . The purpose of this paper is to show that there exist DESlike iterated ciphers, which are provably resistant against differential attacks. The main result on the security of a DESlike cipher with independent round keys is Theorem 1, which gives an upper bound to the probability of sround differe ..."
Abstract

Cited by 33 (2 self)
 Add to MetaCart
. The purpose of this paper is to show that there exist DESlike iterated ciphers, which are provably resistant against differential attacks. The main result on the security of a DESlike cipher with independent round keys is Theorem 1, which gives an upper bound to the probability of sround differentials, as defined in [4] and this upper bound depends only on the round function of the iterated cipher. Moreover, it is shown that there exist functions such that the probabilities of differentials are less than or equal to 2 3\Gamman , where n is the length of the plaintext block. We also show a prototype of an iterated block cipher, which is compatible with DES and has proven security against differential attacks. Key words. DESlike ciphers, Differential cryptanalysis, Almost perfect nonlinear permutations, Markov Ciphers. 1 Introduction A DESlike cipher is a block cipher based on iterating a function, called F, several times. Each iteration is called a round. The input to each rou...
SubstitutionPermutation Networks Resistant to Differential and Linear Cryptanalysis
 JOURNAL OF CRYPTOLOGY
, 1996
"... In this paper we examine a class of product ciphers referred to as substitutionpermutation networks. We investigate the resistance of these cryptographic networks to two important attacks: differential cryptanalysis and linear cryptanalysis. In particular, we develop upper bounds on the differenti ..."
Abstract

Cited by 29 (10 self)
 Add to MetaCart
In this paper we examine a class of product ciphers referred to as substitutionpermutation networks. We investigate the resistance of these cryptographic networks to two important attacks: differential cryptanalysis and linear cryptanalysis. In particular, we develop upper bounds on the differential characteristic probability and on the probability of a linear approximation as a function of the number of rounds of substitutions. Further, it is shown that using large Sboxes with good diffusion characteristics and replacing the permutation between rounds by an appropriate linear transformation is effective in improving the cipher security in relation to these two attacks.
Practically Secure Feistel Ciphers
 Fast Software Encryption, Cambridge Security Workshop Proceedings
, 1994
"... Abstract. In this paper we give necessary design principles to be used, when constructing secure Feistel ciphers. We introduce a new concept, practical security against linear and di erential attacks on Feistel ciphers. We give examples of such Feistel ciphers (practically) resistant to di erential ..."
Abstract

Cited by 27 (0 self)
 Add to MetaCart
Abstract. In this paper we give necessary design principles to be used, when constructing secure Feistel ciphers. We introduce a new concept, practical security against linear and di erential attacks on Feistel ciphers. We give examples of such Feistel ciphers (practically) resistant to di erential attacks, linear attacks and other attacks. 1
A class of quadratic APN binomials inequivalent to power functions
, 2006
"... We exhibit an infinite class of almost perfect nonlinear quadratic binomials from F2n to F2n (n ≥ 12, n divisible by 3 but not by 9). We prove that these functions are EAinequivalent to any power function and that they are CCZinequivalent to any Gold function and to any Kasami function. It means t ..."
Abstract

Cited by 25 (6 self)
 Add to MetaCart
We exhibit an infinite class of almost perfect nonlinear quadratic binomials from F2n to F2n (n ≥ 12, n divisible by 3 but not by 9). We prove that these functions are EAinequivalent to any power function and that they are CCZinequivalent to any Gold function and to any Kasami function. It means that for n even they are CCZinequivalent to any known APN function, and in particular for n = 12,24, they are therefore CCZinequivalent to any power function. It is also proven that, except in particular cases, the Gold mappings are CCZinequivalent to the Kasami and Welch functions.