Twofish: A 128-Bit Block Cipher
In First Advanced Encryption Standard (AES) Conference, 1998
Cited by 56 (8 self)
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of trade-offs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
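As an added example (not code from the Twofish paper or its authors), the two linear components the abstract names, the 4-by-4 MDS matrix over GF(2^8) and the pseudo-Hadamard transform, implemented together with an exact MDS check (every square submatrix nonsingular, which is equivalent to branch number 5). The matrix entries and the field polynomial are assumed from the published Twofish specification, not from this page, and the PHT is given in its 32-bit word form.

```python
"""Added example, not code from the Twofish paper: the MDS matrix and the
pseudo-Hadamard transform (PHT) named in the abstract, plus an exact MDS check.
Matrix entries and the field polynomial are assumed from the Twofish
specification; this page does not list them."""

from itertools import combinations

MDS_POLY = 0x169  # x^8 + x^6 + x^5 + x^3 + 1 (assumed from the specification)
MDS = [
    [0x01, 0xEF, 0x5B, 0x5B],
    [0x5B, 0xEF, 0xEF, 0x01],
    [0xEF, 0x5B, 0x01, 0xEF],
    [0xEF, 0x01, 0xEF, 0x5B],
]
MASK32 = 0xFFFFFFFF


def gf_mul(a, b, poly=MDS_POLY):
    """Multiply two elements of GF(2^8), reducing by poly (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= poly
    return r


def gf_inv(a, poly=MDS_POLY):
    """Multiplicative inverse by exhaustive search (only 255 nonzero elements)."""
    for x in range(1, 256):
        if gf_mul(a, x, poly) == 1:
            return x
    raise ZeroDivisionError("no inverse for 0")


def mds_multiply(vec, matrix=MDS):
    """Apply the matrix to a 4-byte column vector over GF(2^8)."""
    out = []
    for row in matrix:
        acc = 0
        for m, v in zip(row, vec):
            acc ^= gf_mul(m, v)
        out.append(acc)
    return out


def gf_nonsingular(m):
    """True if the square matrix m over GF(2^8) has nonzero determinant
    (Gaussian elimination; subtraction is XOR in characteristic 2)."""
    m = [row[:] for row in m]
    n = len(m)
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col]), None)
        if pivot is None:
            return False
        m[col], m[pivot] = m[pivot], m[col]
        inv = gf_inv(m[col][col])
        for r in range(col + 1, n):
            if m[r][col]:
                f = gf_mul(m[r][col], inv)
                m[r] = [x ^ gf_mul(f, y) for x, y in zip(m[r], m[col])]
    return True


def is_mds(matrix):
    """A matrix is MDS exactly when every square submatrix is nonsingular."""
    n = len(matrix)
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                sub = [[matrix[r][c] for c in cols] for r in rows]
                if not gf_nonsingular(sub):
                    return False
    return True


def branch_weight(vec):
    """Nonzero bytes in the input plus nonzero bytes in its MDS image; an MDS
    4x4 matrix guarantees at least 5 for every nonzero input (branch number 5)."""
    out = mds_multiply(vec)
    return sum(1 for v in vec if v) + sum(1 for v in out if v)


def pht(a, b):
    """Pseudo-Hadamard transform on two 32-bit words: (a+b, a+2b) mod 2^32."""
    return (a + b) & MASK32, (a + 2 * b) & MASK32


def pht_inverse(a2, b2):
    """Invert the PHT: b = b' - a', a = a' - b (mod 2^32)."""
    b = (b2 - a2) & MASK32
    return (a2 - b) & MASK32, b


if __name__ == "__main__":
    print("Twofish MDS matrix is MDS:", is_mds(MDS))
    print("branch weight of a single active byte:", branch_weight([1, 0, 0, 0]))
```

The submatrix test is exact but only practical for small matrices; for the 4-by-4 case it examines 69 submatrices. The branch-number view is what matters for differential and linear bounds: one active input byte forces four active output bytes.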
Differential Cryptanalysis of Feal and N-Hash
1991
Cited by 30 (2 self)
In [1,2] we introduced the notion of differential cryptanalysis and described its application to DES [11] and several of its variants. In this paper we show the applicability of differential cryptanalysis to the Feal family of encryption algorithms and to the N-Hash hash function. In addition, we show how to transform differential cryptanalytic chosen plaintext attacks into known plaintext attacks.
1 Introduction
Feal is a family of encryption algorithms, which are designed to have simple and efficient software implementations on eight-bit microprocessors. The original member of this family, called Feal-4 [13], had four rounds. This version was broken by Den Boer [3] using a chosen plaintext attack with 100 to 10000 ciphertexts. The designers of Feal reacted by creating a second version, called Feal-8 [12,9], in which the number of rounds was increased to eight, while the F function was not changed. Feal-8 was broken by the differential cryptanalytic chosen plaintext attack described in thi...
Imprimitive permutation groups and trapdoors in iterated block ciphers
In 6th International Workshop, FSE'99, 1999
Cited by 8 (0 self)
Abstract. An iterated block cipher can be regarded as a means of producing a set of permutations of a message space. Some properties of the group generated by the round functions of such a cipher are known to be of cryptanalytic interest. It is shown here that if this group acts imprimitively on the message space then there is an exploitable weakness in the cipher. It is demonstrated that a weakness of this type can be used to construct a trapdoor that may be difficult to detect. An example of a DES-like cipher, resistant to both linear and differential cryptanalysis, that generates an imprimitive group and is easily broken, is given. Some implications for block cipher design are noted.
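As an added example (not code from Paterson's paper), a concrete imprimitivity check of the kind the abstract describes: the group generated by the round functions x -> S(x) XOR k of a toy 4-bit cipher, one generator per key k, is tested for a nontrivial block system with Atkinson's algorithm. The weak S-box is constructed so that it permutes the cosets of the subspace {0,1,2,3}; the comparison S-box is the PRESENT S-box, used only as a well-studied bijection. Both S-boxes, the 16-element message space and the round keys are assumptions made for this illustration.

```python
"""Added example, not code from Paterson's paper: test whether the group
generated by a toy cipher's round functions acts imprimitively, and show the
block structure surviving the whole cipher. S-boxes, keys and the 16-element
message space are constructed for the illustration."""

N = 16  # 4-bit message space


def finest_block_system(gens, n, a, b):
    """Finest partition of range(n) that every generator maps onto itself and
    that puts a and b in the same block (Atkinson's algorithm, via union-find).
    Whenever x ~ y has been forced, g(x) ~ g(y) is forced for every generator g."""
    parent = list(range(n))

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(x, y):
        rx, ry = find(x), find(y)
        if rx == ry:
            return False
        parent[ry] = rx
        return True

    union(a, b)
    pending = [(a, b)]
    while pending:
        x, y = pending.pop()
        for g in gens:
            if union(g[x], g[y]):
                pending.append((g[x], g[y]))
    blocks = {}
    for x in range(n):
        blocks.setdefault(find(x), []).append(x)
    return sorted(blocks.values())


def nontrivial_block_system(gens, n):
    """A nontrivial block system of the transitive group <gens>, or None if the
    group is primitive. Transitivity holds for the ciphers below because every
    key XOR x -> x ^ k lies in the group (compose S^-1 with S then XOR k)."""
    for b in range(1, n):
        blocks = finest_block_system(gens, n, 0, b)
        if len(blocks) > 1:
            return blocks
    return None


def round_functions(sbox):
    """All round permutations x -> S(x) ^ k of the toy cipher, one per key k."""
    return [[sbox[x] ^ k for x in range(N)] for k in range(N)]


def encrypt(sbox, round_keys, x):
    for k in round_keys:
        x = sbox[x] ^ k
    return x


# Constructed trapdoor S-box: acts on the high two bits and the low two bits
# separately, so it maps every coset of V = {0,1,2,3} onto a coset of V,
# and so does XOR with any key.
HI, LO = [2, 0, 3, 1], [1, 3, 0, 2]
WEAK_SBOX = [(HI[x >> 2] << 2) | LO[x & 3] for x in range(N)]

# Comparison S-box without that structure (PRESENT's S-box, assumed here only
# as a well-studied bijection): its best differential has probability 1/4 and
# its best linear approximation bias 1/4, which rules out any invariant coset
# partition of dimension 1, 2 or 3, so the generated group is primitive.
STRONG_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
               0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def is_imprimitive(sbox):
    return nontrivial_block_system(round_functions(sbox), N) is not None


def block_map(sbox, round_keys, blocks):
    """For each block, the set of blocks its plaintexts encrypt into under the
    full multi-round cipher. One element per block means the partition survives
    every round: one known plaintext/ciphertext pair per block then tells an
    attacker which block any further ciphertext came from, whatever the key."""
    index = {x: i for i, blk in enumerate(blocks) for x in blk}
    result = {}
    for x in range(N):
        result.setdefault(index[x], set()).add(index[encrypt(sbox, round_keys, x)])
    return result


if __name__ == "__main__":
    blocks = nontrivial_block_system(round_functions(WEAK_SBOX), N)
    print("weak cipher block system:", blocks)
    print("weak cipher block map:", block_map(WEAK_SBOX, [3, 7, 9, 14], blocks))
    print("strong cipher imprimitive:", is_imprimitive(STRONG_SBOX))
```

Both S-boxes are bijections and neither has a differential of probability 1, so the trapdoor would not be caught by a plain differential-uniformity check of the weak S-box alone; it is the interaction of the S-box with the key-mixing permutations that the block-system test exposes.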
Linear cryptanalysis of substitution-permutation networks
2003
Cited by 5 (3 self)
The subject of this thesis is linear cryptanalysis of substitution-permutation networks (SPNs). We focus on the rigorous form of linear cryptanalysis, which requires the concept of linear hulls. First, we consider SPNs in which the S-boxes are selected independently and uniformly from the set of all bijective n × n S-boxes. We derive an expression for the expected linear probability values of such an SPN, and give evidence that this expression converges to the corresponding value for the true random cipher. This adds quantitative support to the claim that the SPN structure is a good approximation to the true random cipher. We conjecture that this convergence holds for a large class of SPNs. In addition, we derive a lower bound on the probability that an SPN with randomly selected S-boxes is practically secure against linear cryptanalysis after a given number of rounds. For common block sizes, experimental evidence indicates that this probability rapidly approaches 1 with an increasing number of rounds.
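As an added example serving both the FEAL differential cryptanalysis entry above and this thesis (not code from either paper), the two tables from which characteristic probabilities are assembled: the difference distribution table, whose entries give the probability of an S-box differential, and the linear approximation table, whose entries give the bias and hence the linear probability of an S-box approximation. It is computed for a constructed 4-bit S-box (the PRESENT S-box, used only as a well-studied bijection) and averaged over seeded uniformly random bijective S-boxes, the model the thesis analyses; the S-box choice, seed and trial count are assumptions.

```python
"""Added example, not code from the papers above: the difference distribution
table (DDT) and linear approximation table (LAT) of an S-box, and the maximum
differential and linear probabilities read off them. The 4-bit S-box (PRESENT's,
assumed here only as a well-studied bijection) and the seeded random S-boxes
are constructed for this illustration."""

import random

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def ddt(sbox):
    """ddt[dx][dy] = number of inputs x with S(x) XOR S(x XOR dx) == dy."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def parity(v):
    """Parity of the bits of v, i.e. a dot product over GF(2) after masking."""
    return bin(v).count("1") & 1


def lat(sbox):
    """lat[a][b] = #{x : a.x == b.S(x)} - n/2, the signed bias count of the
    linear approximation a.x XOR b.S(x) = 0."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            agree = sum(1 for x in range(n) if parity(a & x) == parity(b & sbox[x]))
            table[a][b] = agree - n // 2
    return table


def max_differential_probability(sbox):
    """Probability of the best one-S-box differential dx -> dy with dx != 0."""
    n = len(sbox)
    t = ddt(sbox)
    return max(t[dx][dy] for dx in range(1, n) for dy in range(n)) / n


def max_linear_probability(sbox):
    """Best linear probability, the squared correlation (2 * bias)^2, over
    nonzero input and output masks."""
    n = len(sbox)
    t = lat(sbox)
    return max((2 * t[a][b] / n) ** 2 for a in range(1, n) for b in range(1, n))


def random_bijective_sbox(n, rng):
    """Uniform choice from all bijective S-boxes on n elements."""
    return rng.sample(range(n), n)


def random_sbox_profile(n=16, trials=200, seed=1):
    """Average maximum differential and linear probability of uniformly random
    bijective S-boxes (the thesis's model), for comparison with a designed one."""
    rng = random.Random(seed)
    dp = lp = 0.0
    for _ in range(trials):
        s = random_bijective_sbox(n, rng)
        dp += max_differential_probability(s)
        lp += max_linear_probability(s)
    return dp / trials, lp / trials


if __name__ == "__main__":
    print("designed S-box: max DP", max_differential_probability(SBOX),
          "max LP", max_linear_probability(SBOX))
    print("random bijective 4-bit S-boxes, averaged:", random_sbox_profile())
```

A characteristic's probability is the product of the DDT (or LAT-derived) probabilities of its active S-boxes; the linear-hull view the thesis takes sums the linear probabilities of all characteristics with the same input and output masks, which is why it needs the expected value of these table entries rather than a single path.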
From Differential Cryptanalysis to Ciphertext-Only Attacks
In Lecture Notes in Computer Science 1462, Advances in Cryptology, Proceedings of CRYPTO'98, pp. 72-88, 1998
Cited by 3 (1 self)
Abstract. We present a method for efficient conversion of differential (chosen plaintext) attacks into the more practical known plaintext and ciphertext-only attacks. Our observation may save up to a factor of 2^20 in data over the known methods, assuming that plaintext is ASCII-encoded English (or some other type of highly redundant data). We demonstrate the effectiveness of our method by practical attacks on the block cipher Madryga and on round-reduced versions of RC5 and DES.
A New Collision Differential For MD5 With Its Full Differential Path
Cited by 2 (1 self)
Abstract. Since the first collision differential with its full differential path was presented for the MD5 function by Wang et al. in 2004, renewed interest in collision attacks on the MD family of hash functions has surged over the world of cryptology. To date, however, no cryptanalyst can give a second computationally feasible collision differential for MD5 with its full differential path; not even improved differential paths based on Wang's MD5 collision differential have appeared in the literature. Firstly in this paper, a new differential cryptanalysis called signed difference is defined, some principles or recipes for finding collision differentials and designing differential paths are proposed, and the signed difference generation or elimination rules which are implicit in the auxiliary functions are derived. Then, based on these newly found properties and rules, this paper comes up with a new computationally feasible collision differential for MD5 with its full differential path, which is simpler and thus more understandable than Wang's, and a set of sufficient conditions considering carries that guarantees a full collision is derived from the full differential path. Finally, a multi-message-modification-based fast collision attack algorithm for searching collision messages is specialized for the full differential path, resulting in a computational complexity of 2^36 and 2^32 MD5 operations, respectively, for the first and second blocks. As examples, two collision message pairs with different first blocks are obtained. Key Words: MD5, differential cryptanalysis, collision attacks, collision differential, differential path design
Differential and Linear Cryptanalysis of Reduced-Round SC2000
In Proceedings of Second Open NESSIE Workshop, 2002
Cited by 2 (0 self)
Abstract. We analyze the security of the SC2000 block cipher against both differential and linear attacks. SC2000 is a six-and-a-half-round block cipher, which has a unique structure that includes both the Feistel and Substitution-Permutation Network (SPN) structures. Taking the structure of SC2000 into account, we investigate one- and two-round iterative differential and linear characteristics. We present two-round iterative differential characteristics with probability 2^-58 and two-round iterative linear characteristics with probability 2^-56. These characteristics, which we obtained through a search, allowed us to attack four-and-a-half-round SC2000 in the 128-bit user-key case. Our differential attack needs 2^103 pairs of chosen plaintexts and 2^20 memory accesses, and our linear attack needs 2^115.17 known plaintexts and 2^42.32 memory accesses, or 2^104.32 known plaintexts and 2^83.32 memory accesses.
Observations on Information Security Crisis
Cited by 1 (0 self)
Despite a wide body of academic knowledge of secure information systems, application software, communication protocols and cryptographic primitives remain insecure. This is especially alarming in the emergence of application domains and organisational structures that depend heavily on the availability of reliable and secure data communication infrastructure, such as electronic commerce. A survey of recently reported vulnerabilities demonstrates that systems remain susceptible to attacks known for decades. The lack of security awareness among system and protocol designers, and the security problems that result from it, are called the information security crisis. This paper surveys the symptoms and causes of the information security crisis, and sketches an outline of an approach required for tackling the crisis. Keywords: Data security, Computer communication systems
Introduction
Since the information theory based cryptography by Shannon (1949) and the public key cryptography...