Results 1-6 of 6
A Meet-in-the-Middle Attack on 8-Round AES
Abstract

Cited by 17 (0 self)
Abstract. We present a 5-round distinguisher for AES. We exploit this distinguisher to develop a meet-in-the-middle attack on 7 rounds of AES-192 and 8 rounds of AES-256. We also give a time-memory tradeoff generalization of the basic attack which gives a better balancing between different costs of the attack. As an additional note, we state a new square-like property of the AES algorithm.
Automatic Search of Truncated Impossible Differentials and Applications
Abstract

Cited by 1 (0 self)
Abstract. Finding the longest impossible differentials is an essential step in carrying out impossible differential cryptanalysis. In this paper, we introduce a novel tool to search for the longest truncated impossible differentials for word-oriented block ciphers with bijective S-boxes. It costs polynomial time to return a flag indicating whether a truncated differential is impossible under several filter conditions. To demonstrate the strength of our tool, we show that it allows one to automatically find the longest truncated impossible differentials for many word-oriented block ciphers. It independently rediscovers all known truncated impossible differentials on nine-round CLEFIA. What's more, it finds new and longest truncated impossible differentials for the AES, ARIA, Camellia without FL and FL^-1 layers, E2, MIBS, LBlock and Piccolo. Finally, we give an impossible differential of 14-round LBlock to illustrate that our tool is more powerful than the U-method and UID-method. We expect that the tool proposed in this paper will be useful for evaluating the security of block ciphers against impossible differentials, especially when one tries to design a word-oriented block cipher with bijective S-boxes. Key words: word-oriented block ciphers, truncated impossible differentials, difference propagation system, U-method, UID-method
A New Involutory MDS Matrix for the AES
, 2006
Abstract

Cited by 1 (0 self)
This paper proposes a new, large diffusion layer for the AES block cipher. This new layer replaces the ShiftRows and MixColumns operations by a new involutory matrix in every round. The objective is to provide complete diffusion in a single round, thus sharply improving the overall cipher security. Moreover, the new matrix elements have low Hamming weight in order to provide equally good performance for both the encryption and decryption operations. We use the Cauchy matrix construction instead of circulant matrices such as in the AES. The reason is that circulant matrices cannot be simultaneously MDS and involutory.
On the Order of Round Components in the AES
, 2006
Abstract
This paper analyses all 24 possible round constructions using different combinations of the four round components of the AES cipher: SubBytes, ShiftRows, AddRoundKey and MixColumns. We investigate how the different round orderings affect the security of AES against differential, linear, multiset, impossible differential and boomerang attacks. The cryptographic strength of each cipher variant was measured by the size of each distinguisher, their probability or correlation value and the number of active S-boxes. Our analyses indicate that all these permutations of the AES components have similar cryptographic strength (concerning these five attacks), although there are implementation advantages for certain permutations. Keywords: Active S-box, AES, cryptanalysis
A time–memory tradeoff approach for the solution of nonlinear equation systems
 TURK J ELEC ENG & COMP SCI (2013) 21: 186 – 197
, 2013
Abstract
We propose a memory-based method for the solution of a specific type of nonlinear equation systems. We observe that when the equations in a system can be separated into 2 parts, where each subset contains fewer parameters than the whole set of equations, the system can be solved faster with a preprocessing phase. We show that reduced rounds of AES produce such a system under a chosen plaintext scenario. This observation enables us to solve that system within a practically applicable complexity of 2^37 operations where a brute force approach requires 2^72 trials. The method can be used for the solution of other equation systems of the same structure. In the optimal case where we can divide the equations into 2, a problem that contains n binary variables can be solved in time O(n^2 · 2^(n/2)) operations and using O(2^(n/2)) units of memory rather than O(2^n) trials of the equation system.