Results 1  10
of
25
Robustness Principles for Public Key Protocols
, 1995
"... : We present a number of attacks, some new, on public key protocols. We also advance a number of principles which may help designers avoid many of the pitfalls, and help attackers spot errors which can be exploited. 1 Introduction Cryptographic protocols are typically used to identify a user to a co ..."
Abstract

Cited by 116 (9 self)
 Add to MetaCart
: We present a number of attacks, some new, on public key protocols. We also advance a number of principles which may help designers avoid many of the pitfalls, and help attackers spot errors which can be exploited. 1 Introduction Cryptographic protocols are typically used to identify a user to a computer system, to authenticate a transaction, or to set up a key. They typically involve the exchange of about 25 messages, and they are very easy to get wrong: bugs have been found in well known protocols years after they were first published. This is quite remarkable; after all, a protocol is a kind of program, and one would expect to get any other program of this size right by staring at it for a while. A number of remedies have been proposed. One approach is formal mathematical proof, and can range from systematic protocol verification techniques such as the BAN logic [BAN89] to the casebycase reduction of security claims to the intractability of some problem such as factoring. Anot...
MDxMAC and Building Fast MACs from Hash Functions
 In Crypto 95
, 1995
"... . We consider the security of message authentication code (MAC) algorithms, and the construction of MACs from fast hash functions. A new forgery attack applicable to all iterated MAC algorithms is described, the first known such attack requiring fewer operations than exhaustive key search. Existing ..."
Abstract

Cited by 78 (6 self)
 Add to MetaCart
. We consider the security of message authentication code (MAC) algorithms, and the construction of MACs from fast hash functions. A new forgery attack applicable to all iterated MAC algorithms is described, the first known such attack requiring fewer operations than exhaustive key search. Existing methods for constructing MACs from hash functions, including the secret prefix, secret suffix, and envelope methods, are shown to be unsatisfactory. Motivated by the absence of a secure, fast MAC algorithm not based on encryption, a new generic construction (MDxMAC) is proposed for transforming any secure hash function of the MD4family into a secure MAC of equal or smaller bitlength and comparable speed. 1 Introduction Hash functions play a fundamental role in modern cryptography. One main application is their use in conjunction with digital signature schemes; another is in conventional techniques for message authentication. In the latter, it is preferable that a hash function take as a d...
Twofish: A 128Bit Block Cipher
 in First Advanced Encryption Standard (AES) Conference
, 1998
"... Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bit ..."
Abstract

Cited by 54 (8 self)
 Add to MetaCart
Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2 22.5 chosen plaintexts and 2 51 effort.
Linear Cryptanalysis Using Multiple Approximations
 Advances in Cryptology  CRYPTO '94 Proceedings
, 1994
"... Abstract. We present a technique which aids in the linear cryptanalysis of a block cipher and allows for a reduction in the amount of data required for a successful attack. We note the limits of this extension when applied to DES, but illustrate that it is generally applicable and might be exception ..."
Abstract

Cited by 50 (2 self)
 Add to MetaCart
Abstract. We present a technique which aids in the linear cryptanalysis of a block cipher and allows for a reduction in the amount of data required for a successful attack. We note the limits of this extension when applied to DES, but illustrate that it is generally applicable and might be exceptionally successful when applied to other block ciphers. This forces us to reconsider some of the initial attempts to quantify the resistance of block ciphers to linear cryptanalysis, and by taking account of this new technique we cover several issues which have not yet been considered. 1
Cryptographic Hash Functions: A Survey
, 1995
"... This paper gives a survey on cryptographic hash functions. It gives an overview of all types of hash functions and reviews design principals and possible methods of attacks. It also focuses on keyed hash functions and provides the applications, requirements, and constructions of keyed hash functions ..."
Abstract

Cited by 35 (7 self)
 Add to MetaCart
This paper gives a survey on cryptographic hash functions. It gives an overview of all types of hash functions and reviews design principals and possible methods of attacks. It also focuses on keyed hash functions and provides the applications, requirements, and constructions of keyed hash functions.
Truncated Differentials of SAFER
, 1996
"... . In this paper we do differential cryptanalysis of SAFER. We consider "truncated differentials" and apply them in an attack on 5round SAFER, which finds the secret key in time much faster than by exhaustive search. 1 Introduction In [6] a new encryption algorithm, SAFER K64, hereafter denoted SAF ..."
Abstract

Cited by 21 (9 self)
 Add to MetaCart
. In this paper we do differential cryptanalysis of SAFER. We consider "truncated differentials" and apply them in an attack on 5round SAFER, which finds the secret key in time much faster than by exhaustive search. 1 Introduction In [6] a new encryption algorithm, SAFER K64, hereafter denoted SAFER, was proposed. Both the block and the key size is 64. The algorithm is an iterated cipher, such that encryption is done by iteratively applying the same function to the plaintext in a number of rounds. The suggested number of rounds is minimum 6 and maximum 10 [6, 7]. Finally an output transformation is applied to produce the ciphertext. Strong evidence has been given that the scheme is secure against differential cryptanalysis after 5 rounds [7] and against linear cryptanalysis after 2 rounds [2]. In [9] it was shown that by replacing the Sboxes in SAFER by random permutations, about 6% of the resulting ciphers can be broken faster than by exhaustive search. In [4] a weakness in the key...
A Keyschedule Weakness in SAFER K64
 Advances in Cryptology, Proceedings Crypto'95, LNCS 963
, 1995
"... . In this paper we analyse SAFER K64 and show a weakness in the key schedule. It has the effect that for almost every key K, there exists at least one different key K , such that for many plaintexts the outputs after 6 rounds of encryption are equal. The output transformation causes the cipherte ..."
Abstract

Cited by 19 (8 self)
 Add to MetaCart
. In this paper we analyse SAFER K64 and show a weakness in the key schedule. It has the effect that for almost every key K, there exists at least one different key K , such that for many plaintexts the outputs after 6 rounds of encryption are equal. The output transformation causes the ciphertexts to differ in one of the 8 bytes. Also, the same types of keys encrypt even more pairs of plaintexts different in one byte to ciphertexts different only in the same byte. This enables us to do a relatedkey chosen plaintext attack on SAFER K64, which finds 8 bits of the key requiring from 2 44 to about 2 47 chosen plaintexts. While our observations may have no greater impact on the security of SAFER K64 when used for encryption in practice, it greatly reduces the security of the algorithm when used in hashing modes, which is illustrated. We give collisions for the wellknown secure hash modes using a block cipher. Also we give a suggestion of how to improve the key schedule, such th...
A New Class of Collision Attacks and its Application to DES
, 2003
"... Until now in cryptography the term collision was mainly associated with the surjective mapping of different inputs to an equal output of a hash function. Previous collision attacks were only able to detect collisions at the output of a particular function. In this publication we introduce a new clas ..."
Abstract

Cited by 18 (3 self)
 Add to MetaCart
Until now in cryptography the term collision was mainly associated with the surjective mapping of different inputs to an equal output of a hash function. Previous collision attacks were only able to detect collisions at the output of a particular function. In this publication we introduce a new class of attacks which uses side channel analysis to detect internal collisions. We applied our attack against the widely used Data Encryption Standard (DES). We show that internal collisions can be caused in the SBoxes of DES in order to gain information about the secret keybits. As result, we were able to exploit an internal collision with a minimum of 140 encryptions yielding 10.2 keybits. Moreover, we successfully applied the attack to a smart card processor.
MD4 is Not OneWay
"... Abstract. MD4 is a hash function introduced by Rivest in 1990. It is still used in some contexts, and the most commonly used hash function (MD5, SHA1, SHA2) are based on the design principles of MD4. MD4 has been extensively studied and very efficient collision attacks are known, but it is still b ..."
Abstract

Cited by 12 (1 self)
 Add to MetaCart
Abstract. MD4 is a hash function introduced by Rivest in 1990. It is still used in some contexts, and the most commonly used hash function (MD5, SHA1, SHA2) are based on the design principles of MD4. MD4 has been extensively studied and very efficient collision attacks are known, but it is still believed to be a oneway function. In this paper we show a partial pseudopreimage attack on the compression function of MD4, using some ideas from previous cryptanalysis of MD4. We can choose 64 bits of the output for the cost of 2 32 compression function computations (the remaining bits are randomly chosen by the preimage algorithm). This gives a preimage attack on the compression function of MD4 with complexity 2 96, and we extend it to an attack on the full MD4 with complexity 2 102. As far as we know this is the first preimage attack on a member of the MD4 family.
On Recent Results for MD2, MD4 and MD5
 RSA Laboratories’ Bulletin
, 1996
"... . Recent cryptanalytic results on the properties of three popular hash functions have raised questions about their security. This note summarizes these results, gives our assessment of their implications and offers our recommendations for product planners and developers who may be using these algori ..."
Abstract

Cited by 11 (0 self)
 Add to MetaCart
. Recent cryptanalytic results on the properties of three popular hash functions have raised questions about their security. This note summarizes these results, gives our assessment of their implications and offers our recommendations for product planners and developers who may be using these algorithms. 1. Introduction A hash function (or more accurately a cryptographic hash function or messagedigest algorithm) operates on an input string of arbitrary length and generates an output string of fixed length. This output is commonly called a hash value or a message digest. While much of the motivation for the design of a hash function comes from its usefulness in optimizing the process of digitally signing some document, hash functions can be used for a wide range of purposes. MD2 [13], MD4 [20] and MD5 [21] are hash functions that were developed by Ron Rivest at MIT for RSA Data Security. A description of these hash functions can be found in RSA Laboratories Technical Report TR101 [...