Abstract. This paper examines the security of AES-192 and AES-256 against a related-key rectangle attack. We find the following new attacks: 8-round reduced AES-192 with 2 related keys, 10-round reduced AES-192 with 64 or 256 related keys and 9-round reduced AES-256 with 4 related keys. Our attacks reduce the complexity of earlier attacks presented at FSE 2005 and Eurocrypt 2005: for reduced AES-192 with 8 rounds, we decrease the required number of related keys from 4 to 2 at the cost of a higher data and time complexity; we present the first shortcut attack on AES-192 reduced to 10 rounds; for reduced AES-256 with 9 rounds, we decrease the required number of related keys from 256 to 4 and both the data and time complexity at the cost of a smaller number of attacked rounds. Furthermore, we point out some flaw in the 9-round AES-192 attack presented at Eurocrypt 2005, show how to fix it and enhance the attack in terms of the number of related keys.

Abstract. An iterated block cipher can be regarded as a means of producing a set of permutations of a message space. Some properties of the group generated by the round functions of such a cipher are known to be of cryptanalytic interest. It is shown here that if this group acts imprimitively on the message space then there is an exploitable weakness in the cipher. It is demonstrated that a weakness of this type can be used to construct a trapdoor that may be difficult to detect. An example of a DES-like cipher, resistant to both linear and differential cryptanalysis that generates an imprimitive group and is easily broken, is given. Some implications for block cipher design are noted. 1

. The block cipher CRYPTON has been proposed as a candidate algorithm for the Advanced Encryption Standard (AES). To fix some minor weakness in the key schedule and to remove some undesirable properties in S-boxes, we made some changes to the AES proposal, i.e., in the S-box construction and key scheduling. This paper presents the revised version of CRYPTON and its preliminary analysis. 1 Motivations and Changes The block cipher CRYPTON has been proposed as a candidate algorithm for the AES [22]. Unfortunately, however, we couldn't have enough time to refine our algorithm at the time of submission. So, we later revised part of the AES proposal. This paper describes this revision and analyzes its security and efficiency. CRYPTON v1.0 is different from the AES proposal (v0.5) only in the S-box construction and key scheduling. As we mentioned at the 1st AES candidate conference, we already had a plan to revise the CRYPTON key schedule. The previous key schedule was in fact expected from ...

Abstract. We describe two new techniques of side-channel cryptanalysis which we call the impossible collision attack and the multiset collision attack. These are inspired by the state-of-the-art cryptanalytic techniques of impossible differential attacks [BBS99] and partial-function collision attacks [GM00] respectively. Using these techniques on an example of the AES we show that one has to mask all the rounds of a 128-bit key AES in order to prevent such attacks. For example these attacks can be used to break a recent proposal by Schramm et al. [SP06] of high order masking for the AES, since it protects only 3 external rounds. 1

This paper is motivated by some results presented by Knudsen, Robshaw and Wagner at Crypto'99 [3], that described many attacks of reduced versions of Skipjack, some of them being erroneous.

In a recent paper we developed a new cryptanalytic technique based on impossible differentials, and used it to attack the Skipjack encryption algorithm reduced from 32 to 31 rounds. In this paper we describe the application of this technique to the block ciphers IDEA, Khufu and Khafre. In the case of IDEA, the new attacks have smaller complexities and cover more rounds than the best currently known attacks. This demonstrates the power of the new cryptanalytic technique, shows that it is applicable to a larger class of cryptosystems, and develops new technical tools for applying it in new situations. 1

In this paper we introduce a novel meet-in-the-middle attack on the IDEA block cipher. The attack consists of a precomputation and an elimination phase. The attack reduces the number of required plaintexts significantly for 4 and 4.5 rounds, and, to the best of our knowledge, it is the first attack on the 5-round IDEA.

We present a critical evaluation of the first known implementation of elliptic curve cryptography over F2p for sensor networks based on the 8-bit, 7.3828-MHz MICA2 mote. We offer, along the way, a primer for those interested in the field of cryptography for sensor networks. We discuss, in particular, the decisions underlying our design and alternatives thereto. And we elaborate on the methodologies underlying our evaluation. Through instrumentation of UC Berkeley’s TinySec module, we argue that, although symmetric cryptography has been tractable in this domain for some time, there has remained a need, unfulfilled until recently, for an efficient, secure mechanism for distribution of secret keys among nodes. Although public-key infrastructure has been thought impractical, we show, through analysis of our original implementation for TinyOS of point multiplication on elliptic curves, that public-key infrastructure is indeed viable for TinySec keys ’ distribution, even on the MICA2. We demonstrate that public keys can be generated within 34 seconds and that shared secrets can be distributed among nodes in a sensor network within the same, using just over 1 kilobyte of SRAM and 34 kilobytes of ROM. We demonstrate that communication costs are minimal, with only 2 packets required for transmission of a public key among nodes. We make available all of our source code for other researchers to download and use. And we discuss recent results based on our work that corroborate and improve upon our conclusions.

Most present symmetric encryption algorithms result from a tradeoff between implementation cost and resulting performances. In addition, they generally aim to be implemented efficiently on a large variety of platforms. In this paper, we take an opposite approach and consider a context where we have very limited processing resources and throughput requirements. For this purpose, we propose low-cost encryption routines (i.e. with small code size and memory) targeted for processors with a limited instruction set (i.e. AND, OR, XOR gates, word rotation and modular addition). The proposed design is parametric in the text, key and processor size, allows efficient combination of encryption/decryption, “on-the-fly” key derivation and its security against a number of recent cryptanalytic techniques is discussed. Target applications for such routines include any context requiring low-cost encryption and/or authentication.

We present a formal view of cryptography that overcomes the usual assumptions of formal models for reasoning about security of computer systems, i.e. perfect cryptography and Dolev-Yao adversary model. In our framework, equivalence among formal cryptographic expressions is parameterized by a computational adversary that may exploit weaknesses of the cryptosystem to cryptanalyze ciphertext with a certain probability of success. To validate our approach, we show that in the restricted setting of ideal cryptosystems, for which the probability of guessing information that the Dolev-Yao adversary cannot derive is negligible, the computational adversary is limited to the allowed behaviors of the Dolev-Yao adversary.