Perfect diffusion primitives for block ciphers
In [14], 2004
Abstract. Although linear perfect diffusion primitives, i.e. MDS matrices, are widely used in block ciphers, e.g. AES, very little systematic work has been done on how to find "efficient" ones. In this paper we attempt to do so by considering software implementations on various platforms. These considerations lead to interesting combinatorial problems: how to maximize the number of occurrences of 1 in those matrices, and how to minimize the number of pairwise different entries. We investigate these problems and construct efficient 4×4 and 8×8 MDS matrices to be used e.g. in block ciphers.

1 Introduction

Block ciphers are cascades of diffusion and confusion layers [9]. We usually formalize confusion layers as the application of substitution boxes which are defined by lookup tables. Since those tables must be as small as possible for implementation reasons, confusion layers apply substitution in parallel on pieces of information, e.g. elements whose values lie in a set K of size 256. The goal of diffusion is to mix up those pieces. One possibility for formalizing the notion of perfect diffusion is the concept of multipermutation, which was introduced in [8, 10]. By definition, a diffusion function f from K^p to K^q is a multipermutation if for any x_1, ..., x_p ∈ K and any integer r such that 1 ≤ r ≤ p, the influence of modifying r input values on f(x_1, ..., x_p) is to modify at least q − r + 1 output values. Another way to define it consists of saying that the set of all words consisting of
Linear Cryptanalysis of Non Binary Ciphers with an Application to SAFER
Abstract. In this paper we re-visit distinguishing attacks. We show how to generalize the notion of linear distinguisher to arbitrary sets. Our thesis is that our generalization is the most natural one. We compare it with the one by Granboulan et al. from FSE'06 by showing that we can get sharp estimates of the data complexity and cumulate characteristics in linear hulls. As a proof of concept, we propose a better attack on their toy cipher TOY100 than the one that was originally suggested and we propose the best known plaintext attack on SAFER K/SK so far. This provides new directions to block cipher cryptanalysis even in the binary case. On the constructive side, we introduce DEAN18, a toy cipher which encrypts blocks of 18 decimal digits, and we study its security.
ASIC Hardware Implementation of the IDEA NXT Encryption Algorithm
In IEEE International Symposium on Circuits and Systems
Abstract — Symmetric-key block ciphers are often used to provide data confidentiality with low complexity, especially in the case of dedicated hardware implementations. IDEA NXT is a novel block cipher family, which has many interesting features and is targeted to multimedia streaming encryption. Different values can be assigned to the hardware architecture parameters in order to scale the security and the performance of the cipher. In this paper we implement the IDEA NXT algorithm in custom silicon, using a commercial technology library; different optimizations are applied in order to satisfy different constraints in terms of latency and area occupation, maintaining a high level of security. After giving an overview of the IDEA NXT design, a discussion of the implementation choices and trade-offs is given, highlighting the similarities and the main differences with regard to other block ciphers. To the authors' knowledge this is the first paper describing such work.
New Integrated proof method on Iterated Hash Structure and New Structures
2006
A secure hash structure in the Random Oracle Model may not be a secure model in true design. In this paper, we give an integrated proof method on the security proof of iterated hash structures. Based on the proof method, we can distinguish the security of the Merkle-Damgård structure, wide-pipe hash, double-pipe hash and 3C hash, know the requirement of true design on the compression function, and give a new recommended structure. Finally, we give a new hash structure, MAC structure and encryption model which use the same block cipher round function and key schedule algorithm; the security proofs for those structures are given.
Security Analysis of the GF-NLFSR Structure and Four-Cell Block Cipher
Abstract. The overall structure is one of the most important properties of block ciphers. At present, the most common structures include the Feistel structure, SP structure, MISTY structure, L-M structure and Generalized Feistel structure. In [29], Choy et al. proposed a new structure called GF-NLFSR (Generalized Feistel-NonLinear Feedback Shift Register), and designed a new block cipher called Four-Cell which is based on the 4-cell GF-NLFSR. In this paper, we first study properties of the n-cell GF-NLFSR structure, and prove that for an n-cell GF-NLFSR, there exists an (n^2 + n − 2)-round impossible differential. Then we present an impossible differential attack on the full 25-round Four-Cell using this kind of 18-round impossible differential distinguisher together with the differential cryptanalysis technique. The data complexity of our attack is 2^111.5 and the time complexity is less than 2^123.5 encryptions. In addition, we expect the attack to be more efficient when the relations between different round subkeys can be exploited by taking the key schedule algorithm into consideration.
FOX Algorithm Implementation: a hardware design approach
2005
Encryption algorithms are becoming more necessary to ensure data is securely transmitted over insecure communication channels. FOX is a recently developed algorithm and its structure is based on the already proven IDEA (International Data Encryption Algorithm) cipher.
Pseudorandomness Analysis of the Lai-Massey Scheme
Abstract. At Asiacrypt'99, Vaudenay modified the structure in the IDEA cipher to a new scheme, which they called the Lai-Massey scheme. It is proved that the 3-round Lai-Massey scheme is sufficient for pseudorandomness and the 4-round Lai-Massey scheme is sufficient for strong pseudorandomness. But the author didn't point out whether three rounds and four rounds are necessary for the pseudorandomness and strong pseudorandomness of the Lai-Massey scheme. In this paper we find a two-round pseudorandomness distinguisher and a three-round strong pseudorandomness distinguisher, thus proving that three rounds are necessary for pseudorandomness and four rounds are necessary for strong pseudorandomness.
Unified Impossible Differential Cryptanalysis on Block Cipher Structures
In this paper, we propose a systematic search method for finding the impossible differential characteristic for block cipher structures, better than the U-method introduced by Kim et al. [6]. This method is referred to as unified impossible differential (UID) cryptanalysis. We give practical UID cryptanalysis on some popular block ciphers and give the detailed impossible differential characteristics. On the generalized CAST-256 and generalized MARS block cipher structures, our results are better than the U-method. On Four-Cell and FOX64, our results are the same as the previous best manual works. Thus the UID method can be used as a tool for examining the security of a block cipher structure against impossible differential cryptanalysis.
Impossible Differential Cryptanalysis of FOX
Block ciphers are the very foundation of computer and information security. FOX, also known as IDEA NXT, is a family of block ciphers published in 2004 and is famous for its provable security against cryptanalysis. In this paper, we apply impossible differential cryptanalysis to the FOX cipher. We find a 4-round impossible difference, by using which adversaries can attack 5-, 6- and 7-round FOX64 with 2^71, 2^135 and 2^199 one-round encryptions respectively. Compared to the previous best attack with 2^109.4, 2^173.4 and 2^237.4 full-round encryptions on 5-, 6- and 7-round FOX64, the method in this paper is the best attack on the FOX cipher. This attack can also be applied to 5-round FOX128 with 2^135 one-round encryptions.

Index Terms — Security, cryptography, block cipher, FOX, impossible difference

