Results 1  10
of
20
The Block Cipher SQUARE
 FAST SOFTWARE ENCRYPTION (FSE) 1997
, 1997
"... In this paper we present a new 128bit block cipher called Square. The original design of Square concentrates on the resistance against differential and linear cryptanalysis. However, after the initial design a dedicated attack was mounted that forced us to augment the number of rounds. The goal of ..."
Abstract

Cited by 114 (18 self)
 Add to MetaCart
In this paper we present a new 128bit block cipher called Square. The original design of Square concentrates on the resistance against differential and linear cryptanalysis. However, after the initial design a dedicated attack was mounted that forced us to augment the number of rounds. The goal of this paper is the publication of the resulting cipher for public scrutiny. A C implementation of Square is available that runs at 2.63 MByte/s on a 100 MHz Pentium. Our M68HC05 Smart Card implementation fits in 547 bytes and takes less than 2 msec. (4 MHz Clock). The high degree of parallellism allows hardware implementations in the Gbit/s range today.
AES Proposal: Rijndael
, 1998
"... this document we describe the cipher Rijndael. First we present the mathematical basis necessary for understanding the specifications followed by the design rationale and the description itself. Subsequently, the implementation aspects of the cipher and its inverse are treated. This is followed by t ..."
Abstract

Cited by 105 (0 self)
 Add to MetaCart
this document we describe the cipher Rijndael. First we present the mathematical basis necessary for understanding the specifications followed by the design rationale and the description itself. Subsequently, the implementation aspects of the cipher and its inverse are treated. This is followed by the motivations of all design choices and the treatment of the resistance against known types of attacks. We give our security claims and goals, the advantages and limitations of the cipher, ways how it can be extended and how it can be used
Twofish: A 128Bit Block Cipher
 in First Advanced Encryption Standard (AES) Conference
, 1998
"... Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bit ..."
Abstract

Cited by 56 (8 self)
 Add to MetaCart
Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2 22.5 chosen plaintexts and 2 51 effort.
Truncated Differentials of SAFER
, 1996
"... . In this paper we do differential cryptanalysis of SAFER. We consider "truncated differentials" and apply them in an attack on 5round SAFER, which finds the secret key in time much faster than by exhaustive search. 1 Introduction In [6] a new encryption algorithm, SAFER K64, hereafter d ..."
Abstract

Cited by 21 (9 self)
 Add to MetaCart
. In this paper we do differential cryptanalysis of SAFER. We consider "truncated differentials" and apply them in an attack on 5round SAFER, which finds the secret key in time much faster than by exhaustive search. 1 Introduction In [6] a new encryption algorithm, SAFER K64, hereafter denoted SAFER, was proposed. Both the block and the key size is 64. The algorithm is an iterated cipher, such that encryption is done by iteratively applying the same function to the plaintext in a number of rounds. The suggested number of rounds is minimum 6 and maximum 10 [6, 7]. Finally an output transformation is applied to produce the ciphertext. Strong evidence has been given that the scheme is secure against differential cryptanalysis after 5 rounds [7] and against linear cryptanalysis after 2 rounds [2]. In [9] it was shown that by replacing the Sboxes in SAFER by random permutations, about 6% of the resulting ciphers can be broken faster than by exhaustive search. In [4] a weakness in the key...
Recent Developments in the Design of Conventional Cryptographic Algorithms
 Computer Security and Industrial Cryptography  State of the Art and Evolution, LNCS
, 1998
"... This paper examines proposals for three cryptographic primitives: block ciphers, stream ciphers, and hash functions. It provides an overview of the design principles of a large number of recent proposals, which includes the global structure, the number of rounds, the way of introducing nonlinearity ..."
Abstract

Cited by 10 (2 self)
 Add to MetaCart
This paper examines proposals for three cryptographic primitives: block ciphers, stream ciphers, and hash functions. It provides an overview of the design principles of a large number of recent proposals, which includes the global structure, the number of rounds, the way of introducing nonlinearity and diffusion, and the key schedule. The software performance of about twenty primitives is compared based on highly optimized implementations for the Pentium. The goal of the paper is to provided a technical perspective on the wide variety of primitives that exist today.
Hash Functions Based on Block Ciphers and Quaternary Codes
 Advances in Cryptology ASIACRYPT
, 1996
"... . We consider constructions for cryptographic hash functions based on mbit block ciphers. First we present a new attack on the LOKIDBH mode: the attack finds collisions in 2 3m=4 encryptions, which should be compared to 2 m encryptions for a brute force attack. This attack breaks the last remai ..."
Abstract

Cited by 10 (2 self)
 Add to MetaCart
. We consider constructions for cryptographic hash functions based on mbit block ciphers. First we present a new attack on the LOKIDBH mode: the attack finds collisions in 2 3m=4 encryptions, which should be compared to 2 m encryptions for a brute force attack. This attack breaks the last remaining subclass in a wide class of efficient hash functions which have been proposed in the literature. We then analyze hash functions based on a collision resistant compression function for which finding a collision requires at least 2 m encryptions, providing a lower bound of the complexity of collisions of the hash function. A new class of constructions is proposed, based on error correcting codes over GF(2 2 ) and a proof of security is given, which relates their security to that of single block hash functions. For example, a compression function is presented which requires about 4 encryptions to hash an mbit block, and for which finding a collision requires at least 2 m encryptions...
An Analysis Of Safer
, 1998
"... We investigate some of the algebraic properties of the SAFER block cipher when the message space is considered as a Zmodule. In particular we consider the invariant Zsubmodules of the PHT layer and show how these invariant Zsubmodules give potential cryptographic weaknesses. Key Words. Block ciph ..."
Abstract

Cited by 6 (2 self)
 Add to MetaCart
We investigate some of the algebraic properties of the SAFER block cipher when the message space is considered as a Zmodule. In particular we consider the invariant Zsubmodules of the PHT layer and show how these invariant Zsubmodules give potential cryptographic weaknesses. Key Words. Block cipher, SAFER, Cryptanalysis, Invariant Zsubmodules. The author acknowledges the support of the Nuffield Foundation. 1 1 Introduction SAFER K64 is a block cipher that was introduced by Massey at the 1993 Cambridge Security Workshop on Fast Software Encryption [7]. It operates on 64bit blocks under the control of a 64bit key. It is a "byteoriented" cipher in that all the basic encryption operations are on bytes or pairs of bytes. At the 1994 Leuven Workshop on Cryptographic Algorithms, Massey presented a paper [8] which surveyed the first year's research on SAFER K64 and defined SAFER K128, which is SAFER with a 128bit key. In this paper, we investigate certain algebraic properties o...
Keyschedule cryptanalysis of idea, gdes, gost, safer and tripledes
 In Advances in Cryptology  CRYPTO '96
, 1996
"... Abstract. We present new attacks on key schedules of block ciphers. These attacks are based on the principles of relatedkey di erential cryptanalysis: attacks that allowbothkeys and plaintexts to bechosen with speci c di erences. We show how these attacks can be exploited in actual protocols and cr ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
Abstract. We present new attacks on key schedules of block ciphers. These attacks are based on the principles of relatedkey di erential cryptanalysis: attacks that allowbothkeys and plaintexts to bechosen with speci c di erences. We show how these attacks can be exploited in actual protocols and cryptanalyze the key schedules of a variety of algorithms, including threekey tripleDES. 1
The MESH Block Ciphers
, 2002
"... This paper describes the MESH block ciphers, whose designs are based on the same group operations as the IDEA cipher, but with a number of novel features: flexible block sizes in steps of 32 bits (the block size of IDEA is fixed at 64 bits); larger MAboxes; distinct keymixing layers for odd an ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
This paper describes the MESH block ciphers, whose designs are based on the same group operations as the IDEA cipher, but with a number of novel features: flexible block sizes in steps of 32 bits (the block size of IDEA is fixed at 64 bits); larger MAboxes; distinct keymixing layers for odd and even rounds; and new key schedule algorithms that achieve fast avalanche and avoid the weak keys of IDEA. The software performance of MESH ciphers are estimated to be better or comparable to that of tripleDES. A number of attacks, such as truncated and impossible di#erentials, linear and Demirci's attack, shows that more resources are required on the MESH ciphers than for IDEA, and indicates that both ciphers seem to have a large margin of security.
Key Schedule Weaknesses in SAFER+
, 1999
"... We analyze the key schedule of the SAFER+ block cipher, focusing on the poor diusion of key material through the cipher when using SAFER+ with 256bit keys. We develop a meetinthemiddle attack on 256bit SAFER+ requiring 12 2 24 bytes of memory, 3 known plaintext/ciphertext pairs, and work appro ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
We analyze the key schedule of the SAFER+ block cipher, focusing on the poor diusion of key material through the cipher when using SAFER+ with 256bit keys. We develop a meetinthemiddle attack on 256bit SAFER+ requiring 12 2 24 bytes of memory, 3 known plaintext/ciphertext pairs, and work approximately equivalent to 2 240 SAFER+ encryptions. We also develop a relatedkey attack on 256bit SAFER+ requiring 3 2 32 chosen plaintexts under two keys with a chosen xor relationship, and work approximately equivalent to 2 200 SAFER+ encryptions. We consider a number of other keyschedule properties, such as equivalent keys, DESstyle weak and semiweak keys, and keydependent linear and dierential characteristics. We fail to nd any such properties, and oer some arguments why some of these are unlikely to exist. Finally, we propose an improvement to the SAFER+ key schedule which defends against our attacks, while causing no apparent weakening of the cipher to other at...