The block cipher SC2000
In Preproceedings of FSE 2001, 2001
Cited by 3 (0 self)
Abstract. In this paper, we propose a new symmetric key block cipher SC2000 with 128-bit block length and 128-, 192-, 256-bit key lengths. The block cipher is constructed by piling two layers: one is a Feistel structure layer and the other is an SPN structure layer. Each operation used in the two layers is an S-box or a logical operation, whose security has been well studied. A strong feature of the cipher is that fast software implementations are available by using the techniques of putting together S-boxes in various ways and of bitslice implementation.
Reducing the Gate Count of Bitslice DES
2000
Cited by 3 (0 self)
This paper describes various techniques to reduce the number ...
Automatic Software Optimization of Block Ciphers using Bitslicing Techniques
Ecole Normale Superieure, 1999
Cited by 2 (1 self)
In order to implement block ciphers efficiently in software, advanced bitslicing techniques (such as those described by Biham [1]) may be used. However, these techniques lead to a slow development process, and the resulting code is hard to maintain. We describe here a compiler that takes a formal description of an algorithm and outputs C code implementing it in an optimized way.
Cache Attacks and Countermeasures: the Case of AES (Extended Version)
Cited by 2 (0 self)
Abstract. We describe several software side-channel attacks based on inter-process leakage through the state of the CPU’s memory cache. This leakage reveals memory access patterns, which can be used for cryptanalysis of cryptographic primitives that employ data-dependent table lookups. The attacks allow an unprivileged process to attack other processes running in parallel on the same processor, despite partitioning methods such as memory protection, sandboxing and virtualization. Some of our methods require only the ability to trigger services that perform encryption or MAC using the unknown key, such as encrypted disk partitions or secure network links. Moreover, we demonstrate an extremely strong type of attack, which requires knowledge of neither the specific plaintexts nor ciphertexts, and works by merely monitoring the effect of the cryptographic process on the cache. We discuss in detail several such attacks on AES, and experimentally demonstrate their applicability to real systems, such as OpenSSL and Linux’s dm-crypt encrypted partitions (in the latter case, the full key can be recovered after just 800 writes to the partition, taking 65 milliseconds). Finally, we describe several countermeasures which can be used to mitigate such attacks.
Secure Internet-based Electronic Commerce: The View from Outside the US
1998
Cited by 1 (0 self)
This paper covers the issues of using weak, US government-approved security as well as problems with flawed security measures, examines some of the measures necessary to provide an adequate level of security, and then suggests several possible solutions. This paper is targeted at people with a responsibility for computer security as well as those currently considering the extent to which their organisation may wish to become involved in Internet commerce, and includes fairly extensive coverage of past and present Internet commerce related security problems in order to give a general idea of areas to look out for. Although little security knowledge is assumed, some sections are intended for more technically-aware readers and may be skipped if desired.

Problems in Internet-Based Electronic Commerce

The creation of a global electronic commerce system will provide an extremely powerful magnet for hackers, criminals, disgruntled employees, and hostile (but also "friendly") governments' intelligence agencies. This problem is magnified by the nature of the Internet, which allows attackers to quickly disseminate technical details on performing attacks and software to exploit vulnerabilities. A single skilled attacker willing to share their knowledge can enable hordes of dilettantes around the world to exploit a security hole in an operating system or application software within a matter of hours [Gordon 1994]. One example of how easy these tools make it for neophytes to attack a system involved someone gaining super-user privileges on a Unix system and then trying to execute DOS commands. The Internet also enables an attacker to perform attacks over long distances with little chance of detection and even less chance of apprehension. The ability to carry this out more or less ...
A Pseudo-Random Encryption Mode
Cited by 1 (0 self)
... e of length-preserving encryption in general) see [3, 5, 9]. This note describes a mode of operation for block ciphers that achieves a strong notion of security: if the original block cipher is a pseudo-random permutation then we get a pseudo-random permutation on the entire message (see a more quantitative statement below). The description is extracted from [9], where a framework for constructing and proving the security of pseudo-random permutations is introduced. In such a construction a pseudo-random permutation $\Pi$ is defined to be the composition of three permutations: $\Pi = h_2 \circ A \circ h_1$. In general, $h_1$ and $h_2$ are "lightweight," and $A$ is where most of the work is done. Intuitively, there are only a few bad inputs for $A$ and the role of $h_1$ and $h_2$ is to "filter" out these inputs.

The Mode

Let $E : \{0,1\}^\ell \to \{0,1\}^\ell$ denote an encryption permutation on $\ell$ bits and let $E^{-1}$ be its inverse permutation. We define an encryption permutation $\Pi : \{0,1\}^{b\ell} \to \{0,1\}^{b\ell}$ on $b$ blocks of $\ell$ bi...
A Brute Force Search of DES Keyspace
1997
Cited by 1 (0 self)
The Data Encryption Standard (DES) has been the workhorse of cryptography for some 20 years. Its wide deployment and now-small key size make it an interesting target for attackers. This paper discusses the first public "crack" of a DES-encrypted message using brute force, and shows how the sort of power necessary to reproduce this can be mustered by individuals and very small organizations with little or no funding.
Serpent and Smartcards
1999
Cited by 1 (0 self)
We proposed a new block cipher, Serpent, as a candidate for the Advanced Encryption Standard. This algorithm uses a new structure that simultaneously allows a more rapid avalanche, a more efficient bitslice implementation, and an easy analysis that enables us to demonstrate its security against all known types of attack. Although designed primarily for efficient implementation on Intel Pentium/MMX platforms, it is also suited for implementation on smartcards and other 8-bit processors. In this note we describe why. We also describe why many other candidates are not suitable.
A Practical Attack on KeeLoq
Abstract. KeeLoq is a lightweight block cipher with a 32-bit block size and a 64-bit key. Despite its short key size, it is widely used in remote keyless entry systems and other wireless authentication applications. For example, authentication protocols based on KeeLoq are supposedly used by various car manufacturers in anti-theft mechanisms. This paper presents a practical key recovery attack against KeeLoq that requires $2^{16}$ known plaintexts and has a time complexity of $2^{44.5}$ KeeLoq encryptions. It is based on the slide attack and a novel approach to meet-in-the-middle attacks. We investigated the way KeeLoq is intended to be used in practice and conclude that our attack can be used to subvert the security of real systems. In some scenarios the attacker may even reveal the master secret used in an entire class of devices from attacking a single device. Our attack has been fully implemented. We have built a device that can obtain the data required for the attack in less than 100 minutes, and our software simulations show that, given the data, the key can be found in 7.8 days of calculations on 64 CPU cores.