Results 1  10
of
59
Cryptanalysis of block ciphers with overdefined systems of equations
, 2002
"... Abstract. Several recently proposed ciphers, for example Rijndael and Serpent, are built with layers of small Sboxes interconnected by linear keydependent layers. Their security relies on the fact, that the classical methods of cryptanalysis (e.g. linear or differential attacks) are based on proba ..."
Abstract

Cited by 251 (22 self)
 Add to MetaCart
Abstract. Several recently proposed ciphers, for example Rijndael and Serpent, are built with layers of small Sboxes interconnected by linear keydependent layers. Their security relies on the fact, that the classical methods of cryptanalysis (e.g. linear or differential attacks) are based on probabilistic characteristics, which makes their security grow exponentially with the number of rounds Nr. In this paper we study the security of such ciphers under an additional hypothesis: the Sbox can be described by an overdefined system of algebraic equations (true with probability 1). We show that this is true for both Serpent (due to a small size of Sboxes) and Rijndael (due to unexpected algebraic properties). We study general methods known for solving overdefined systems of equations, such as XL from Eurocrypt’00, and show their inefficiency. Then we introduce a new method called XSL that uses the sparsity of the equations and their specific structure. The XSL attack uses only relations true with probability 1, and thus the security does not have to grow exponentially in the number of rounds. XSL has a parameter P, and from our estimations is seems that P should be a constant or grow very slowly with the number of rounds. The XSL attack would then be polynomial (or subexponential) in Nr, with a huge constant that is doubleexponential in the size of the Sbox. The exact complexity of such attacks is not known due to the redundant equations. Though the presented version of the XSL attack always gives always more than the exhaustive search for Rijndael, it seems to (marginally) break 256bit Serpent. We suggest a new criterion for design of Sboxes in block ciphers: they should not be describable by a system of polynomial equations that is too small or too overdefined.
Nonlinearity and Propagation Characteristics of Balanced Boolean Functions
, 1993
"... Three important criteria for cryptographically strong Boolean functions are balance, nonlinearity and the propagation criterion. The main contribution of this paper is to reveal a number of interesting properties of balance and nonlinearity, and to study systematic methods for constructing Boolean f ..."
Abstract

Cited by 32 (18 self)
 Add to MetaCart
Three important criteria for cryptographically strong Boolean functions are balance, nonlinearity and the propagation criterion. The main contribution of this paper is to reveal a number of interesting properties of balance and nonlinearity, and to study systematic methods for constructing Boolean functions that satisfy some or all of the three criteria. We show that concatenating, splitting, modifying and multiplying (in the sense of Kronecker) sequences can yield balanced Boolean functions with a very high nonlinearity. In particular, we show that balanced Boolean functions obtained by modifying and multiplying sequences achieve a nonlinearity higher than that attainable by any previously known construction method. We also present methods for constructing balanced Boolean functions that are highly nonlinear and satisfy the strict avalanche criterion (SAC). Furthermore we present methods for constructing highly nonlinear balanced Boolean functions satisfying the propagation criterion with respect to all but one or three vectors. A technique is developed to transform the vectors where the propagation criterion is not satisfied in such a way that the functions constructed satisfy the propagation criterion of high degree while preserving the balance and nonlinearity of the functions. The algebraic degrees of functions constructed are also discussed.
SubstitutionPermutation Networks Resistant to Differential and Linear Cryptanalysis
 JOURNAL OF CRYPTOLOGY
, 1996
"... In this paper we examine a class of product ciphers referred to as substitutionpermutation networks. We investigate the resistance of these cryptographic networks to two important attacks: differential cryptanalysis and linear cryptanalysis. In particular, we develop upper bounds on the differenti ..."
Abstract

Cited by 32 (11 self)
 Add to MetaCart
(Show Context)
In this paper we examine a class of product ciphers referred to as substitutionpermutation networks. We investigate the resistance of these cryptographic networks to two important attacks: differential cryptanalysis and linear cryptanalysis. In particular, we develop upper bounds on the differential characteristic probability and on the probability of a linear approximation as a function of the number of rounds of substitutions. Further, it is shown that using large Sboxes with good diffusion characteristics and replacing the permutation between rounds by an appropriate linear transformation is effective in improving the cipher security in relation to these two attacks.
Designing SBoxes For Ciphers Resistant To Differential Cryptanalysis
 PROCEEDINGS OF THE 3RD SYMPOSIUM ON STATE AND PROGRESS OF RESEARCH IN CRYPTOGRAPHY
, 1993
"... This paper examines recent work in the area of bentfunctionbased substitution boxes in order to refine the relationship between sbox construction and immunity to the differential cryptanalysis attack described by Biham and Shamir. It is concluded that mxn sboxes, m<n, which are partially bent ..."
Abstract

Cited by 29 (1 self)
 Add to MetaCart
(Show Context)
This paper examines recent work in the area of bentfunctionbased substitution boxes in order to refine the relationship between sbox construction and immunity to the differential cryptanalysis attack described by Biham and Shamir. It is concluded that mxn sboxes, m<n, which are partially bentfunctionbased are the most appropriate choice for privatekey cryptosystems constructed as substitutionpermutation networks (SPNs). Since sboxes of this dimension and with this property have received little attention in the open literature, this paper provides a description of their construction and shows how they can be incorporated in a design procedure for a family of SPN cryptosystems with desirable cryptographic properties.
Constructing symmetric ciphers using the CAST design procedure
 DESIGNS, CODES, AND CRYPTOGRAPHY
, 1997
"... This paper describes the CAST design procedure for constructing a family of DESlike SubstitutionPermutation Network (SPN) cryptosystems which appear to have good resistance to differential cryptanalysis, linear cryptanalysis, and relatedkey cryptanalysis, along with a number of other desirable ..."
Abstract

Cited by 27 (1 self)
 Add to MetaCart
This paper describes the CAST design procedure for constructing a family of DESlike SubstitutionPermutation Network (SPN) cryptosystems which appear to have good resistance to differential cryptanalysis, linear cryptanalysis, and relatedkey cryptanalysis, along with a number of other desirable cryptographic properties. Details of the design choices in the procedure are given, including those regarding the component substitution boxes (sboxes), the overall framework, the key schedule, and the round function. An example CAST cipher, an output of this design procedure, is presented as an aid to understanding the concepts and to encourage detailed analysis by the cryptologic community.
The Use of Bent Sequences to Achieve HigherOrder Strict Avalanche Criterion in SBox Design
, 1990
"... : Recently, Pieprzyk and Finkelstein described a construction procedure for the substitution boxes (sboxes) of SubstitutionPermutation Network cryptosystems which yielded sboxes of high nonlinearity. Shortly afterward, in seemingly unrelated work, Yarlagadda and Hershey discussed the analysis and ..."
Abstract

Cited by 18 (3 self)
 Add to MetaCart
: Recently, Pieprzyk and Finkelstein described a construction procedure for the substitution boxes (sboxes) of SubstitutionPermutation Network cryptosystems which yielded sboxes of high nonlinearity. Shortly afterward, in seemingly unrelated work, Yarlagadda and Hershey discussed the analysis and synthesis of binary bent sequences of length 4 k , for k a positive integer. In this paper, we report on work which not only extends the results of both of these papers, but also combines them through the concept of "higher orders" of the Strict Avalanche Criterion for Boolean functions. We discuss the implications for sbox design and the use of such sboxes in the construction of DESlike cryptosystems. 1 The authors are with the Department of Electrical Engineering, Queen's University at Kingston, Ontario, K7L 3N6 2 The Use of Bent Sequences to Achieve HigherOrder Strict Avalanche Criterion in SBox Design 1 Introduction Substitution boxes (sboxes) are a critical component of ...
Dragon: A fast word based stream cipher
 Proc. ICISC 2004, volume 3506 of LNCS
, 2005
"... This is the author’s version of a work that was submitted/accepted for publication in the following source: ..."
Abstract

Cited by 13 (1 self)
 Add to MetaCart
This is the author’s version of a work that was submitted/accepted for publication in the following source:
A Proposed Design For An Extended DES
, 1999
"... The Data Encryption standard (DES) has achieved wide utilization, especially in the financial industry. Whilst DES is a standard, the design criteria used in its development have been classified by the US government. This paper reviews what is known about the design criteria for the Sboxes, Pboxes ..."
Abstract

Cited by 10 (6 self)
 Add to MetaCart
The Data Encryption standard (DES) has achieved wide utilization, especially in the financial industry. Whilst DES is a standard, the design criteria used in its development have been classified by the US government. This paper reviews what is known about the design criteria for the Sboxes, Pboxes, and key scheduling in the current DES. It then indicates how this information could be used to design an extended scheme with a double length key. There are two main objectives indoing this. One is because of increasing doubts about the ability of DES to withstand an attack based on exhaustive keyspace searches, using specialized hardware. The other is to develop an encryption scheme for which the design rules used are known, and hence open to analysis and criticism. 1.
Imprimitive permutation groups and trapdoors in iterated block ciphers
 in Fast Software Encryption (L.R. Knudsen, ed), Lecture Notes in Computer Science 1636 (Springer–Verlag
, 1999
"... block, cipher, trapdoor, cryptanalysis, linear, differential, permutation, group An iterated block cipher can be regarded as a means of producing a set of permutations of a message space. Some properties of the group generated by the round functions of such a cipher are known to be of cryptanalytic ..."
Abstract

Cited by 9 (1 self)
 Add to MetaCart
(Show Context)
block, cipher, trapdoor, cryptanalysis, linear, differential, permutation, group An iterated block cipher can be regarded as a means of producing a set of permutations of a message space. Some properties of the group generated by the round functions of such a cipher are known to be of cryptanalytic interest. It is shown here that if this group acts imprimitively on the message space then there is an exploitable weakness in the cipher. It is demonstrated that a weakness of this type can be used to construct a trapdoor that appears to be difficult to detect. An example of a DESlike cipher, resistant to both linear and differential cryptanalysis that generates an imprimitive group and is easily broken, is given. Some implications for block cipher design are noted.