Perfect diffusion primitives for block ciphers
In [14], 2004
Cited by 9 (1 self)
Abstract. Although linear perfect diffusion primitives, i.e. MDS matrices, are widely used in block ciphers, e.g. AES, very little systematic work has been done on how to find "efficient" ones. In this paper we attempt to do so by considering software implementations on various platforms. These considerations lead to interesting combinatorial problems: how to maximize the number of occurrences of 1 in those matrices, and how to minimize the number of pairwise different entries. We investigate these problems and construct efficient 4×4 and 8×8 MDS matrices to be used e.g. in block ciphers.

1 Introduction
Block ciphers are cascades of diffusion and confusion layers [9]. We usually formalize confusion layers as application of substitution boxes which are defined by lookup tables. Since those tables must be as small as possible for implementation reasons, confusion layers apply substitution in parallel on pieces of information, e.g. elements whose values lie in a set K of size 256. The goal of diffusion is to mix up those pieces. One possibility for formalizing the notion of perfect diffusion is the concept of multipermutation which was introduced in [8, 10]. By definition, a diffusion function f from K^p to K^q is a multipermutation if for any x1, ..., xp ∈ K and any integer r such that 1 ≤ r ≤ p, the influence of modifying r input values on f(x1, ..., xp) is to modify at least q − r + 1 output values. Another way to define it consists of saying that the set of all words consisting of
Security Analysis of the GFNLFSR Structure and FourCell Block Cipher
Cited by 2 (0 self)
Abstract. The overall structure is one of the most important properties of block ciphers. At present, the most common structures include Feistel structure, SP structure, MISTY structure, LM structure and Generalized Feistel structure. In [29], Choy et al. proposed a new structure called GFNLFSR (Generalized Feistel-NonLinear Feedback Shift Register), and designed a new block cipher called FourCell which is based on the 4-cell GFNLFSR. In this paper, we first study properties of the n-cell GFNLFSR structure, and prove that for an n-cell GFNLFSR, there exists an (n^2 + n − 2)-round impossible differential. Then we present an impossible differential attack on the full 25-round FourCell using this kind of 18-round impossible differential distinguisher together with differential cryptanalysis technique. The data complexity of our attack is 2^111.5 and the time complexity is less than 2^123.5 encryptions. In addition, we expect the attack to be more efficient when the relations between different round subkeys can be exploited by taking the key schedule algorithm into consideration.
Linear Cryptanalysis of Non Binary Ciphers with an Application to SAFER
Cited by 2 (1 self)
Abstract. In this paper we revisit distinguishing attacks. We show how to generalize the notion of linear distinguisher to arbitrary sets. Our thesis is that our generalization is the most natural one. We compare it with the one by Granboulan et al. from FSE'06 by showing that we can get sharp estimates of the data complexity and cumulate characteristics in linear hulls. As a proof of concept, we propose a better attack on their toy cipher TOY100 than the one that was originally suggested and we propose the best known plaintext attack on SAFER K/SK so far. This provides new directions to block cipher cryptanalysis even in the binary case. On the constructive side, we introduce DEAN18, a toy cipher which encrypts blocks of 18 decimal digits and we study its security.
New Integrated proof method on Iterated Hash Structure and New Structures
2006
Cited by 2 (1 self)
A secure hash structure in the Random Oracle Model may not be a secure model in true design. In this paper, we give an integrated proof method on security proof of iterated hash structure. Based on the proof method, we can distinguish the security of the Merkle-Damgård structure, wide-pipe hash, double-pipe hash and 3c hash and know the requirement of true design on the compression function, and give a new recommended structure. At last, we give a new hash structure, MAC structure and encryption model, which use the same block cipher round function and key schedule algorithm; the security proofs on those structures are given.
Unified Impossible Differential Cryptanalysis on Block Cipher Structures
Cited by 1 (0 self)
In this paper, we propose a systematic search method for finding the impossible differential characteristic for block cipher structures, better than the U-method introduced by Kim et al. [6]. This method is referred to as unified impossible differential (UID) cryptanalysis. We give practical UID cryptanalysis on some popular block ciphers and give the detailed impossible differential characteristics. On the generalized CAST-256 and generalized MARS block cipher structures, our results are better than the U-method. On FourCell and FOX64, our results are the same as the previous best manual works. Thus the UID method can be used as a tool for examining the security of a block cipher structure against impossible differential cryptanalysis.
ASIC hardware implementation of the IDEA NXT encryption algorithm
In IEEE International Symposium on Circuits and Systems
Direct Construction of Recursive MDS Diffusion Layers using Shortened BCH Codes
In: FSE. Lecture Notes in Computer Science, 2014
Cited by 1 (0 self)
Abstract. MDS matrices allow one to build optimal linear diffusion layers in block ciphers. However, MDS matrices cannot be sparse and usually have a large description, inducing costly software/hardware implementations. Recursive MDS matrices allow one to solve this problem by focusing on MDS matrices that can be computed as a power of a simple companion matrix, thus having a compact description suitable even for constrained environments. However, up to now, finding recursive MDS matrices required performing an exhaustive search on families of companion matrices, thus limiting the size of MDS matrices one could look for. In this article we propose a new direct construction based on shortened BCH codes, allowing us to efficiently construct such matrices for any parameters. Unfortunately, not all recursive MDS matrices can be obtained from BCH codes, and our algorithm is not always guaranteed to find the best matrices for a given set of parameters.
Keywords: Linear diffusion, recursive MDS matrices, BCH codes.
Provably Secure S-Box Implementation Based on Fourier Transform
Cited by 1 (0 self)
Abstract. Cryptographic algorithms implemented in embedded devices must withstand Side Channel Attacks such as Differential Power Analysis (DPA). A common method of protecting symmetric cryptographic implementations against DPA is to use masking techniques. However, clever masking of nonlinear parts such as S-Boxes is difficult and has been the flaw of many countermeasures. In this article, we take advantage of some remarkable properties of the Fourier Transform to propose a new method to thwart DPA on the implementation of every S-Box. After introducing criteria so that an implementation is qualified as DPA-resistant, we prove the security of our scheme. Finally, we apply the method to the FOX and AES S-Boxes and we show in the latter case that the resulting implementation is one of the most efficient.
Constrained Search for a Class of Good S-Boxes with Improved DPA Resistivity
Abstract. In FSE 2005, transparency order was proposed as a parameter for the robustness of S-boxes to Differential Power Analysis (DPA): lower transparency order implying more resistance. However, most cryptographically strong Boolean functions have been found to have high transparency order. Also, it is a difficult problem to search for Boolean functions which are cryptographically strong, and yet have low transparency order, the total search space for (n, n)-bit Boolean functions being as large as 2^(n·2^n). In this paper we characterize transparency order for various classes of Boolean functions by computing the upper and lower bounds of transparency order for both even and odd numbers of variables. The transparency order is defined in terms of diffusion properties of the structures of Boolean functions, namely the number of bit flips in the output of the functions corresponding to the number of bit flips at the input of the function. The calculated bounds depend on the number of vectors flipping the input of the S-box for which the bias of probability of the S-box output bit deviates from the value of 0.5. The transparency order is found to be high in the class of those Boolean functions which have larger cardinality of input differences for which the probability of output bit flip is 0.5. Also we find that instead of propagation characteristics, the autocorrelation spectrum of the S-box function F is a more qualifying candidate in deciding the characteristics of transparency order. The relations developed to characterize transparency order aid in our constrained random generation and search of a class of balanced 8 × 8 S-boxes with transparency order upper bounded by 7.8, nonlinearity in range (104, 110) and absolute indicator values of GAC in range (48, 88).