Results 1 - 10 of 29
Tweakable block ciphers, 2002
Cited by 105 (4 self)
Abstract. We propose a new cryptographic primitive, the “tweakable block cipher.” Such a cipher has not only the usual inputs—message and cryptographic key—but also a third input, the “tweak.” The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our proposal thus brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher “tweakable” is small, and (3) it is easier to design and prove modes of operation based on tweakable block ciphers.
Twofish: A 128-Bit Block Cipher, in First Advanced Encryption Standard (AES) Conference, 1998
Cited by 56 (8 self)
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
Mod n cryptanalysis, with applications against RC5P and M6, Fast Software Encryption, Sixth International Workshop, 1999
Cited by 24 (2 self)
Abstract. We introduce “mod n cryptanalysis,” a form of partitioning attack that is effective against ciphers which rely on modular addition and bit rotations for their security. We demonstrate this attack with a mod 3 attack against RC5P, an RC5 variant that uses addition instead of xor. We also show mod 5 and mod 257 attacks against some versions of a family of ciphers used in the FireWire standard. We expect mod n cryptanalysis to be applicable to many other ciphers, and that the general attack is extensible to other values of n.
A Timing Attack on RC5, SELECTED AREAS IN CRYPTOGRAPHY, 1999
Cited by 24 (2 self)
This paper describes a timing attack on the RC5 block encryption algorithm. The analysis is motivated by the possibility that some implementations of RC5 could result in the data-dependent rotations taking a time that is a function of the data. Assuming that encryption timing measurements can be made which enable the cryptanalyst to deduce the total amount of rotations carried out during an encryption, it is shown that, for the nominal version of RC5, only a few thousand ciphertexts are required to determine 5 bits of the last half-round subkey with high probability. Further, it is shown that it is practical to determine the whole secret key with about 2 encryption timings with a time complexity that can be as low as 2 .
Improved Differential Attacks on RC5, 1996
Cited by 22 (3 self)
In this paper we investigate the strength of the secret-key algorithm RC5 newly proposed by Ron Rivest. The target version of RC5 works on words of 32 bits, has 12 rounds and a user-selected key of 128 bits. At Crypto'95 Kaliski and Yin estimated the strength of RC5 by differential and linear cryptanalysis. They conjectured that their linear analysis is optimal and that the use of 12 rounds for RC5 is sufficient to make both differential and linear cryptanalysis impractical. In this paper we show that the differential analysis made by Kaliski and Yin is not optimal. We give differential attacks better by up to a factor of 512. Also we show that RC5 has many weak keys with respect to differential attacks. This weakness relies on the structure of the cipher and not on the key schedule. Keywords. Cryptanalysis. Block Cipher. Differential cryptanalysis. Weak keys. 1 Introduction RC5 is a secret-key block cipher proposed by Ron Rivest [5]. RC5 has a variable word size, a variable number ...
Transform Domain Analysis of DES, 1998
Cited by 15 (5 self)
DES can be regarded as a nonlinear feedback shift register (NLFSR) with input. From this point of view, the tools for pseudorandom sequence analysis are applied to the S-boxes in DES. The properties of the S-boxes of DES under Fourier transform, Hadamard transform, extended Hadamard transform and Avalanche transform are investigated. Two important results about the S-boxes of DES are found. The first result is that nearly two-thirds of the total 32 functions from GF(2^6) to GF(2) which are associated with the 8 S-boxes of DES have the maximal linear span 63, and the other one-third have linear span greater than or equal to 57. The second result is that for all S-boxes, the distances of the S-boxes approximated by monomial functions has the same distribution as for the S-boxes approximated by linear functions. Some new criteria for the design of permutation functions for use in block cipher algorithms are discussed. Index Terms DES, nonlinear feedback shift register, transform do...
On the Security of the RC5 Encryption Algorithm, 1998
Cited by 12 (1 self)
this report, we will focus our discussions on the security of RC5 against differential and linear cryptanalysis, but we will also give a brief summary of other known cryptanalytic results on RC5.
Probing Attacks on Tamper-Resistant Devices, 1999
Cited by 10 (0 self)
This paper describes a new type of attack on tamper-resistant cryptographic hardware. We show that by locally observing the value of a few RAM or address bus bits (possibly a single one) during the execution of a cryptographic algorithm, typically by means of a probe (needle), an attacker could easily recover information on the secret key being used; our attacks apply to public-key cryptosystems such as RSA or El Gamal, as well as to secret-key encryption schemes including DES and RC5.