: We present a number of attacks, some new, on public key protocols. We also advance a number of principles which may help designers avoid many of the pitfalls, and help attackers spot errors which can be exploited. 1 Introduction Cryptographic protocols are typically used to identify a user to a computer system, to authenticate a transaction, or to set up a key. They typically involve the exchange of about 2--5 messages, and they are very easy to get wrong: bugs have been found in well known protocols years after they were first published. This is quite remarkable; after all, a protocol is a kind of program, and one would expect to get any other program of this size right by staring at it for a while. A number of remedies have been proposed. One approach is formal mathematical proof, and can range from systematic protocol verification techniques such as the BAN logic [BAN89] to the case-by-case reduction of security claims to the intractability of some problem such as factoring. Anot...

. We consider the security of message authentication code (MAC) algorithms, and the construction of MACs from fast hash functions. A new forgery attack applicable to all iterated MAC algorithms is described, the first known such attack requiring fewer operations than exhaustive key search. Existing methods for constructing MACs from hash functions, including the secret prefix, secret suffix, and envelope methods, are shown to be unsatisfactory. Motivated by the absence of a secure, fast MAC algorithm not based on encryption, a new generic construction (MDx-MAC) is proposed for transforming any secure hash function of the MD4-family into a secure MAC of equal or smaller bitlength and comparable speed. 1 Introduction Hash functions play a fundamental role in modern cryptography. One main application is their use in conjunction with digital signature schemes; another is in conventional techniques for message authentication. In the latter, it is preferable that a hash function take as a d...

Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2 8 ), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2 22.5 chosen plaintexts and 2 51 effort.

Abstract. We present a technique which aids in the linear cryptanalysis of a block cipher and allows for a reduction in the amount of data required for a successful attack. We note the limits of this extension when applied to DES, but illustrate that it is generally applicable and might be exceptionally successful when applied to other block ciphers. This forces us to reconsider some of the initial attempts to quantify the resistance of block ciphers to linear cryptanalysis, and by taking account of this new technique we cover several issues which have not yet been considered. 1

This paper gives a survey on cryptographic hash functions. It gives an overview of all types of hash functions and reviews design principals and possible methods of attacks. It also focuses on keyed hash functions and provides the applications, requirements, and constructions of keyed hash functions.

. In this paper we do differential cryptanalysis of SAFER. We consider "truncated differentials" and apply them in an attack on 5round SAFER, which finds the secret key in time much faster than by exhaustive search. 1 Introduction In [6] a new encryption algorithm, SAFER K-64, hereafter denoted SAFER, was proposed. Both the block and the key size is 64. The algorithm is an iterated cipher, such that encryption is done by iteratively applying the same function to the plaintext in a number of rounds. The suggested number of rounds is minimum 6 and maximum 10 [6, 7]. Finally an output transformation is applied to produce the ciphertext. Strong evidence has been given that the scheme is secure against differential cryptanalysis after 5 rounds [7] and against linear cryptanalysis after 2 rounds [2]. In [9] it was shown that by replacing the S-boxes in SAFER by random permutations, about 6% of the resulting ciphers can be broken faster than by exhaustive search. In [4] a weakness in the key...

. In this paper we analyse SAFER K-64 and show a weakness in the key schedule. It has the effect that for almost every key K, there exists at least one different key K , such that for many plaintexts the outputs after 6 rounds of encryption are equal. The output transformation causes the ciphertexts to differ in one of the 8 bytes. Also, the same types of keys encrypt even more pairs of plaintexts different in one byte to ciphertexts different only in the same byte. This enables us to do a related-key chosen plaintext attack on SAFER K-64, which finds 8 bits of the key requiring from 2 44 to about 2 47 chosen plaintexts. While our observations may have no greater impact on the security of SAFER K-64 when used for encryption in practice, it greatly reduces the security of the algorithm when used in hashing modes, which is illustrated. We give collisions for the well-known secure hash modes using a block cipher. Also we give a suggestion of how to improve the key schedule, such th...

Until now in cryptography the term collision was mainly associated with the surjective mapping of different inputs to an equal output of a hash function. Previous collision attacks were only able to detect collisions at the output of a particular function. In this publication we introduce a new class of attacks which uses side channel analysis to detect internal collisions. We applied our attack against the widely used Data Encryption Standard (DES). We show that internal collisions can be caused in the S-Boxes of DES in order to gain information about the secret key-bits. As result, we were able to exploit an internal collision with a minimum of 140 encryptions yielding 10.2 key-bits. Moreover, we successfully applied the attack to a smart card processor.

. Recent cryptanalytic results on the properties of three popular hash functions have raised questions about their security. This note summarizes these results, gives our assessment of their implications and offers our recommendations for product planners and developers who may be using these algorithms. 1. Introduction A hash function (or more accurately a cryptographic hash function or message-digest algorithm) operates on an input string of arbitrary length and generates an output string of fixed length. This output is commonly called a hash value or a message digest. While much of the motivation for the design of a hash function comes from its usefulness in optimizing the process of digitally signing some document, hash functions can be used for a wide range of purposes. MD2 [13], MD4 [20] and MD5 [21] are hash functions that were developed by Ron Rivest at MIT for RSA Data Security. A description of these hash functions can be found in RSA Laboratories Technical Report TR-101 [...

Abstract. MD4 is a hash function introduced by Rivest in 1990. It is still used in some contexts, and the most commonly used hash function (MD5, SHA-1, SHA-2) are based on the design principles of MD4. MD4 has been extensively studied and very efficient collision attacks are known, but it is still believed to be a one-way function. In this paper we show a partial pseudo-preimage attack on the compression function of MD4, using some ideas from previous cryptanalysis of MD4. We can choose 64 bits of the output for the cost of 2 32 compression function computations (the remaining bits are randomly chosen by the preimage algorithm). This gives a preimage attack on the compression function of MD4 with complexity 2 96, and we extend it to an attack on the full MD4 with complexity 2 102. As far as we know this is the first preimage attack on a member of the MD4 family.