Truncated and Higher Order Differentials
Fast Software Encryption, Second International Workshop, Leuven, Belgium, LNCS 1008, 1995
Cited by 122 (9 self)
In [6] higher order derivatives of discrete functions were considered and the concept of higher order differentials was introduced. We introduce the concept of truncated differentials and present attacks on ciphers presumably secure against differential attacks, but vulnerable to attacks using higher order and truncated differentials. Also we give a differential attack using truncated differentials on DES reduced to 6 rounds using only 46 chosen plaintexts with an expected running time of about the time of 3,500 encryptions. Finally it is shown how to find a minimum nonlinear order of a block cipher using higher order differentials.
The Interpolation Attack on Block Ciphers
Fast Software Encryption, 1997
Cited by 70 (5 self)
In this paper we introduce a new method of attacks on block ciphers, the interpolation attack. This new method is useful for attacking ciphers using simple algebraic functions (in particular quadratic functions) as S-boxes. Also, ciphers of low nonlinear order are vulnerable to attacks based on higher order differentials. Recently, Knudsen and Nyberg presented a 6-round prototype cipher which is provably secure against ordinary differential cryptanalysis. We show how to attack the cipher by using higher order differentials and a variant of the cipher by the interpolation attack. It is possible to successfully cryptanalyse up to 32 rounds of the variant using about 2^32 chosen plaintexts with a running time less than 2^64. Using higher order differentials, a new design concept for block ciphers by Kiefer is also shown to be insecure. Rijmen et al. presented a design strategy for block ciphers and the cipher SHARK. We show that there exist ciphers constructed according to this des...
The CAST-256 Encryption Algorithm
Cited by 64 (0 self)
This document contains several sections of the CAST-256 AES Submission Package delivered to NIST on June 9th, 1998. All complete submissions received by NIST will be made public in late August at the First AES Candidate Conference, but the following material is being made available now so that public analysis of the CAST-256 algorithm may begin (see, for example, http://www.ii.uib.no/~larsr/aes.html for the current status of submitted algorithms). Many thanks are due to those who worked with me in the (long, challenging, frustrating, and very enjoyable!) design and analysis phases that ultimately led to the detailed specification given below: Howard Heys (Memorial University); Stafford Tavares (Queen's University); and Michael Wiener (Entrust). As well, many thanks are due to the two who did the various implementations on a variety of platforms (Reference C, Optimized C, Optimized Java, and even M6811 Assembler): Serge Mister and Ian Clysdale (both
Twofish: A 128-Bit Block Cipher
First Advanced Encryption Standard (AES) Conference, 1998
Cited by 58 (8 self)
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
Chaos and Cryptography: Block Encryption Ciphers Based on Chaotic Maps
IEEE Transactions on Circuits and Systems I: Fundamental Theory and Applications, 2001
Cited by 48 (1 self)
This paper is devoted to the analysis of the impact of chaos-based techniques on block encryption ciphers. We present several chaos-based ciphers. Using the well-known principles in the cryptanalysis we show that these ciphers do not behave worse than the standard ones, opening in this way a novel approach to the design of block encryption ciphers. Index Terms: block encryption ciphers, chaos, cryptography, S-boxes.
Integral Cryptanalysis
2001
Cited by 45 (3 self)
This paper considers a cryptanalytic approach called integral cryptanalysis.
DPA Attacks and S-Boxes
Berlin / Heidelberg, 2005
Cited by 28 (0 self)
For the power consumption model called Hamming weight model, we rewrite DPA attacks in terms of correlation coefficients between two Boolean functions. We exhibit properties of S-boxes (also called (n, m)-functions) relied on DPA attacks. We show that these properties are opposite to the nonlinearity criterion and to the propagation criterion. To quantify the resistance of an S-box to DPA attacks, we introduce the notion of transparency order of an S-box and we study this new criterion with respect to the nonlinearity and to the propagation criterion.
Cryptanalysis of Block Ciphers with Probabilistic Non-Linear Relations of Low Degree
CRYPTO 98, LNCS 1462, 1998
Cited by 26 (2 self)
Using recent results from coding theory, it is shown how to break block ciphers operating on GF(q) where the ciphertext is expressible as evaluations of an unknown univariate polynomial of low degree m over the plaintext with a typically low but non-negligible probability µ. The method employed is essentially Sudan's algorithm for decoding Reed-Solomon codes beyond the error-correction diameter. The known plaintext attack needs n = 2m/µ^2 plaintext/ciphertext pairs and the running time is polynomial in n. Furthermore, it is shown how to discover more general nonlinear relations p(x, y) = 0 between plaintext x and ciphertext y that hold with small probability µ. The second attack needs access to n = (2m/µ)^2 plaintext/ciphertext pairs where m = deg(p) and its running time is also polynomial in n. As a demonstration, we break up to 10 rounds of a cipher constructed by Nyberg and Knudsen provably secure against differential and linear cryptanalysis.
Breaking Grain-128 with Dynamic Cube Attacks
Cryptology ePrint Archive, Report 2010/570, 2010
Cited by 25 (3 self)
We present a new variant of cube attacks called a dynamic cube attack. Whereas standard cube attacks [4] find the key by solving a system of linear equations in the key bits, the new attack recovers the secret key by exploiting distinguishers obtained from cube testers. Dynamic cube attacks can create lower degree representations of the given cipher, which makes it possible to attack schemes that resist all previously known attacks. In this paper we concentrate on the well-known stream cipher Grain-128 [6], on which the best known key recovery attack [15] can recover only 2 key bits when the number of initialization rounds is decreased from 256 to 213. Our first attack runs in practical time complexity and recovers the full 128-bit key when the number of initialization rounds in Grain-128 is reduced to 207. Our second attack breaks a Grain-128 variant with 250 initialization rounds and is faster than exhaustive search by a factor of about 2^28. Finally, we present an attack on the full version of Grain-128 which can recover the full key but only when it belongs to a large subset of 2^−10 of the possible keys. This attack is faster than exhaustive search over the 2^118 possible keys by a factor of about 2^15. All of our key recovery attacks are the best known so far, and their correctness was experimentally verified rather than extrapolated from smaller variants of the cipher. This is the first time that a cube attack was shown to be effective against the full version of a well known cipher which resisted all previous attacks.
Degree of composition of highly nonlinear functions and applications to higher order differential cryptanalysis
EUROCRYPT 2002, 2002
Cited by 21 (6 self)
To improve the security of iterated block ciphers, the resistance against linear cryptanalysis has been formulated in terms of provable security, which suggests the use of highly nonlinear functions as round functions. Here, we show that some properties of such functions make it possible to find a new upper bound for the degree of the product of its Boolean components. Such an improvement holds when all values occurring in the Walsh spectrum of the round function are divisible by a high power of 2. This result leads to a higher order differential attack on any 5-round Feistel cipher using an almost bent substitution function. We also show that the use of such a function is precisely the origin of the weakness of a reduced version of MISTY1 reported in [23, 1].