Results 1-10 of 48
Truncated and Higher Order Differentials
Fast Software Encryption - Second International Workshop, Leuven, Belgium, LNCS 1008, 1995
Cited by 99 (9 self)
In [6] higher order derivatives of discrete functions were considered and the concept of higher order differentials was introduced. We introduce the concept of truncated differentials and present attacks on ciphers presumably secure against differential attacks, but vulnerable to attacks using higher order and truncated differentials. Also we give a differential attack using truncated differentials on DES reduced to 6 rounds using only 46 chosen plaintexts with an expected running time of about the time of 3,500 encryptions. Finally it is shown how to find a minimum nonlinear order of a block cipher using higher order differentials.
The CAST-256 Encryption Algorithm
Cited by 62 (0 self)
This document contains several sections of the CAST-256 AES Submission Package delivered to NIST on June 9th, 1998. All complete submissions received by NIST will be made public in late August at the First AES Candidate Conference, but the following material is being made available now so that public analysis of the CAST-256 algorithm may begin (see, for example, http://www.ii.uib.no/~larsr/aes.html for the current status of submitted algorithms). Many thanks are due to those who worked with me in the (long, challenging, frustrating, and very enjoyable!) design and analysis phases that ultimately led to the detailed specification given below: Howard Heys (Memorial University); Stafford Tavares (Queen's University); and Michael Wiener (Entrust). As well, many thanks are due to the two who did the various implementations on a variety of platforms (Reference C, Optimized C, Optimized Java, and even M6811 Assembler): Serge Mister and Ian Clysdale (both
The Interpolation Attack on Block Ciphers
In Fast Software Encryption, 1997
Cited by 61 (5 self)
In this paper we introduce a new method of attacks on block ciphers, the interpolation attack. This new method is useful for attacking ciphers using simple algebraic functions (in particular quadratic functions) as S-boxes. Also, ciphers of low nonlinear order are vulnerable to attacks based on higher order differentials. Recently, Knudsen and Nyberg presented a 6-round prototype cipher which is provably secure against ordinary differential cryptanalysis. We show how to attack the cipher by using higher order differentials and a variant of the cipher by the interpolation attack. It is possible to successfully cryptanalyse up to 32 rounds of the variant using about 2^32 chosen plaintexts with a running time less than 2^64. Using higher order differentials, a new design concept for block ciphers by Kiefer is also shown to be insecure. Rijmen et al. presented a design strategy for block ciphers and the cipher SHARK. We show that there exist ciphers constructed according to this des...
Twofish: A 128-Bit Block Cipher
In First Advanced Encryption Standard (AES) Conference, 1998
Cited by 54 (8 self)
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
Chaos and Cryptography: Block Encryption Ciphers Based on Chaotic Maps
IEEE Transactions on Circuits and Systems I: Fundamental Theory and Applications, 2001
Cited by 35 (0 self)
This paper is devoted to the analysis of the impact of chaos-based techniques on block encryption ciphers. We present several chaos based ciphers. Using the well-known principles in the cryptanalysis we show that these ciphers do not behave worse than the standard ones, opening in this way a novel approach to the design of block encryption ciphers. Index Terms: Block encryption ciphers, chaos, cryptography, S-boxes.
Integral Cryptanalysis
2001
Cited by 32 (3 self)
This paper considers a cryptanalytic approach called integral cryptanalysis.
Cryptanalysis of Block Ciphers with Probabilistic Non-Linear Relations of Low Degree
CRYPTO 98, LNCS 1462, 1998
Cited by 25 (2 self)
Using recent results from coding theory, it is shown how to break block ciphers operating on GF(q) where the ciphertext is expressible as evaluations of an unknown univariate polynomial of low degree m over the plaintext with a typically low but non-negligible probability µ. The method employed is essentially Sudan’s algorithm for decoding Reed-Solomon codes beyond the error-correction diameter. The known plaintext attack needs n = 2m/µ^2 plaintext/ciphertext pairs and the running time is polynomial in n. Furthermore, it is shown how to discover more general nonlinear relations p(x,y) = 0 between plaintext x and ciphertext y that hold with small probability µ. The second attack needs access to n = (2m/µ)^2 plaintext/ciphertext pairs where m = deg(p) and its running time is also polynomial in n. As a demonstration, we break up to 10 rounds of a cipher constructed by Nyberg and Knudsen provably secure against differential and linear cryptanalysis.
Degree of composition of highly nonlinear functions and applications to higher order differential cryptanalysis
EUROCRYPT 2002, 2002
Cited by 21 (6 self)
To improve the security of iterated block ciphers, the resistance against linear cryptanalysis has been formulated in terms of provable security which suggests the use of highly nonlinear functions as round functions. Here, we show that some properties of such functions enable to find a new upper bound for the degree of the product of its Boolean components. Such an improvement holds when all values occurring in the Walsh spectrum of the round function are divisible by a high power of 2. This result leads to a higher order differential attack on any 5-round Feistel ciphers using an almost bent substitution function. We also show that the use of such a function is precisely the origin of the weakness of a reduced version of MISTY1 reported in [23, 1].
Serpent: A Flexible Block Cipher With Maximum Assurance
In The First Advanced Encryption Standard Candidate Conference, 1998
Cited by 15 (0 self)
This paper presents a candidate block cipher for the Advanced Encryption Standard (AES). AES is an intriguing challenge to the designer, because of the great length of time the selected algorithm will have to resist attack.
Probabilistic Higher Order Differential Attack and Higher Order Bent Functions
In Advances in Cryptology - ASIACRYPT 1999, 1999
Cited by 13 (0 self)
We first show that a Feistel type block cipher is broken if the round function is approximated by a low degree vectorial Boolean function. The proposed attack is a generalization of the higher order differential attack to a probabilistic one. We next introduce a notion of higher order bent functions in order to prevent our attack. We then show their explicit constructions.