Results 1-10 of 71
Security analysis of a cryptographically-enabled RFID device
In 14th USENIX Security Symposium, 2005
Cited by 79 (9 self)
We describe our success in defeating the security of an RFID device known as a Digital Signature Transponder (DST). Manufactured by Texas Instruments, DST (and variant) devices help secure millions of SpeedPass™ payment transponders and automobile ignition keys. Our analysis of the DST involved three phases: 1. Reverse engineering: Starting from a rough published schematic, we determined the complete functional details of the cipher underpinning the challenge-response protocol in the DST. We accomplished this with only “oracle” or “black-box” access to an ordinary DST, that is, by experimental observation of responses output by the device. 2. Key cracking: The key length for the DST is only 40 bits. With an array of sixteen FPGAs operating in parallel, we can recover a DST key in under an hour using two responses to arbitrary challenges. 3. Simulation: Given the key (and serial number) of a DST, we are able to simulate its RF output so as to spoof a reader. As validation of our results, we purchased gasoline at a service station and started an automobile using simulated DST devices. We accomplished all of these steps using inexpensive off-the-shelf equipment, and with minimal RF expertise. This suggests that an attacker with modest resources can emulate a target DST after brief short-range scanning or long-range eavesdropping across several authentication sessions. We conclude that the cryptographic protection afforded by the DST device is relatively weak.
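The key-cracking phase above, as an added example that is not the paper's code and does not contain the DST cipher (which the authors recovered by reverse engineering and which is not reproduced on this page). A keyed hash stands in for the transponder's challenge-response function and the key is scaled from 40 to 20 bits so the exhaustive search runs in seconds. The property the example keeps is that the response is shorter than the key (12 bits here; the DST's response is 24 bits against its 40-bit key), so the first challenge/response pair leaves a crowd of false candidates and the second pair is what pins the key down, which is why the paper needs two responses to arbitrary challenges. Key, challenges and the hash-based stand-in are all constructed for the demo.

```python
import hashlib

# Added example: NOT the DST40 cipher. A keyed hash stands in for the
# transponder's challenge-response function, and the key is scaled from
# 40 to 20 bits so the exhaustive search finishes in seconds.
KEY_BITS = 20     # DST: 40
RESP_BITS = 12    # DST: 24; what matters is that it is shorter than the key


def respond(key: int, challenge: int) -> int:
    """Stand-in transponder: a keyed hash truncated to RESP_BITS."""
    data = key.to_bytes(5, "big") + challenge.to_bytes(5, "big")
    digest = hashlib.blake2b(data, digest_size=8).digest()
    return int.from_bytes(digest, "big") & ((1 << RESP_BITS) - 1)


def crack(pairs):
    """Exhaustive search over the key space, one challenge/response pair at a time.

    Returns the surviving keys and how many candidates survived each pair.
    With a 40-bit key and 24-bit responses, pair one leaves about 2^16 false
    keys; here (20-bit key, 12-bit response) it leaves about 2^8, and pair
    two removes almost all of them.
    """
    candidates = range(1 << KEY_BITS)
    survivors = []
    for challenge, response in pairs:
        candidates = [k for k in candidates if respond(k, challenge) == response]
        survivors.append(len(candidates))
    return candidates, survivors


def demo():
    """Constructed scenario: two eavesdropped sessions of a tag with a secret key."""
    secret = 0x9A5E7                     # constructed 20-bit key
    sessions = [0x1234, 0xABCD]          # two arbitrary challenges seen on the air
    pairs = [(c, respond(secret, c)) for c in sessions]
    keys, survivors = crack(pairs)
    return secret, keys, survivors


if __name__ == "__main__":
    secret, keys, survivors = demo()
    print(f"secret={secret:#x} survivors per pair={survivors} "
          f"recovered={[hex(k) for k in keys]}")
```

Scaling this back up is only a matter of throughput: 2^40 evaluations of the real cipher is what the sixteen parallel FPGAs in the paper buy, and the second pair is applied only to the handful of candidates the first pair leaves, so it costs nothing extra.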
Twofish: A 128-Bit Block Cipher
In First Advanced Encryption Standard (AES) Conference, 1998
Cited by 66 (8 self)
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent
In the preproceedings of the Fast Software Encryption Workshop 2000, 2000
Cited by 44 (2 self)
We introduce a new cryptanalytic technique based on Wagner's boomerang and inside-out attacks. We first describe this new attack in terms of the original boomerang attack, and then demonstrate its use on reduced-round variants of the MARS core and Serpent. Our attack breaks eleven rounds of the MARS core with 2^65 chosen plaintexts, 2^70 memory, and 2^229 partial decryptions. Our attack breaks eight rounds of Serpent with 2^114 chosen plaintexts, 2^119 memory, and 2^179 partial decryptions.
1 Introduction
MARS [BCD+98] and Serpent [ABK98] are block ciphers that have been proposed as AES candidates [NIST97a,NIST97b]. More recently, both were chosen as AES finalists. We have spent considerable time in the last few months cryptanalyzing both ciphers, with the bulk of our results appearing in [KS00,KKS00]. During our work on MARS, we developed a new class of attack based on David Wagner's boomerang and inside-out attacks [Wag99]. In this paper, we present this new cl...
The Cipher SHARK
In Fast Software Encryption, Third International Workshop, 1996
Cited by 33 (5 self)
We present the new block cipher SHARK. This cipher combines highly nonlinear substitution boxes and maximum distance separable error correcting codes (MDS codes) to guarantee a good diffusion. The cipher is resistant against differential and linear cryptanalysis after a small number of rounds. The structure of SHARK is such that a fast software implementation is possible, both for the encryption and the decryption. Our C implementation of SHARK runs more than four times faster than SAFER and IDEA on a 64-bit architecture.
Format-Preserving Encryption
Cited by 33 (8 self)
Format-preserving encryption (FPE) encrypts a plaintext of some specified format into a ciphertext of identical format, for example, encrypting a valid credit-card number into a valid credit-card number. The problem has been known for some time, but it has lacked a fully general and rigorous treatment. We provide one, starting off by formally defining FPE and security goals for it. We investigate the natural approach for achieving FPE on complex domains, the “rank-then-encipher” approach, and explore what it can and cannot do. We describe two flavors of unbalanced Feistel networks that can be used for achieving FPE, and we prove new security results for each. We revisit the cycle-walking approach for enciphering on a non-sparse subset of an encipherable domain, showing that the timing information that may be divulged by cycle walking is not a damaging thing to leak.
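The rank-then-encipher approach and cycle walking described in the abstract above, as an added example that is not the paper's construction or code. The domain is 16-digit card numbers, whose rank is simply the number itself; a toy unbalanced Feistel network with HMAC-SHA256 as round function enciphers that integer, and cycle walking restricts the output to the Luhn-valid subset, a non-sparse one tenth of the domain. The split, round count and round function are illustrative choices (not the paper's two analysed Feistel flavors, and not a security claim), and the key and test PAN are constructed for the demo. The function returns the number of permutation calls so the reader can see the quantity a timing observer would learn.

```python
import hashlib
import hmac

# Added example, not the paper's construction: rank-then-encipher FPE on
# 16-digit numbers with cycle walking onto the Luhn-valid subset.
DIGITS = 16
SPLIT = 6                           # left part 6 digits, right part 10 digits (unbalanced)
ROUNDS = 10                         # assumption for the demo, not a security claim
LEFT_MOD = 10 ** SPLIT
RIGHT_MOD = 10 ** (DIGITS - SPLIT)


def luhn_valid(n: int) -> bool:
    """Luhn checksum over the 16-digit representation of n (leading zeros allowed)."""
    total = 0
    for i, ch in enumerate(reversed(str(n).zfill(DIGITS))):
        d = int(ch)
        if i % 2 == 1:                          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def round_fn(key: bytes, rnd: int, x: int, modulus: int) -> int:
    """Keyed round function F_rnd mapping an integer into Z_modulus (HMAC-SHA256)."""
    tag = hmac.new(key, bytes([rnd]) + x.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "big") % modulus


def feistel(key: bytes, x: int, decrypt: bool = False) -> int:
    """Unbalanced Feistel permutation on 0..10^16-1; modular addition makes each round invertible."""
    left, right = divmod(x, RIGHT_MOD)
    order = reversed(range(ROUNDS)) if decrypt else range(ROUNDS)
    sign = -1 if decrypt else 1
    for rnd in order:
        if rnd % 2 == 0:
            left = (left + sign * round_fn(key, rnd, right, LEFT_MOD)) % LEFT_MOD
        else:
            right = (right + sign * round_fn(key, rnd, left, RIGHT_MOD)) % RIGHT_MOD
    return left * RIGHT_MOD + right


def cycle_walk(key: bytes, pan: str, decrypt: bool = False) -> tuple[str, int]:
    """Encipher (or decipher) a Luhn-valid PAN onto another Luhn-valid PAN.

    Applies the Feistel permutation until the result lands back in the subset.
    Every intermediate point is outside the subset, so walking the inverse
    permutation from the ciphertext stops exactly at the original plaintext.
    Returns the result and the number of permutation calls, which is the
    quantity a timing observer could learn.
    """
    x = int(pan)
    if len(pan) != DIGITS or not luhn_valid(x):
        raise ValueError("input must be a 16-digit Luhn-valid number")
    calls = 0
    while True:
        x = feistel(key, x, decrypt)
        calls += 1
        if luhn_valid(x):
            return str(x).zfill(DIGITS), calls


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-use"   # constructed key
    pan = "4111111111111111"                    # constructed Luhn-valid test PAN
    ct, n_enc = cycle_walk(key, pan)
    pt, n_dec = cycle_walk(key, ct, decrypt=True)
    print(pan, "->", ct, f"({n_enc} walks)", "->", pt, f"({n_dec} walks)")
```

Because the Luhn-valid numbers are one tenth of the domain, the walk takes about ten permutation calls on average, and the call count depends only on the key and the plaintext's position on its cycle; what that count reveals is exactly the question the paper analyses.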
An FPGA Implementation and Performance Evaluation of the Serpent Block Cipher
In Eighth ACM International Symposium on Field-Programmable Gate Arrays, 2000
Cited by 15 (3 self)
With the expiration of the Data Encryption Standard (DES) in 1998, the Advanced Encryption Standard (AES) development process is well underway. It is hoped that the result of the AES process will be the specification of a new non-classified encryption algorithm that will have the global acceptance achieved by DES as well as the capability of long-term protection of sensitive information. The technical analysis used in determining which of the potential AES candidates will be selected as the Advanced Encryption Algorithm includes efficiency testing of both hardware and software implementations of candidate algorithms. Reprogrammable devices such as Field Programmable Gate Arrays (FPGAs) are highly attractive options for hardware implementations of encryption algorithms as they provide cryptographic algorithm agility, physical security, and potentially much higher performance than software solutions. This contribution investigates the significance of an FPGA implementation of Serpent, one of the Advanced Encryption Standard candidate algorithms. Multiple architecture options of the Serpent algorithm will be explored with a strong focus being placed on a high speed implementation within an FPGA in order to support security for current and future high bandwidth applications. One of the main findings is that Serpent can be implemented with encryption rates beyond 4 Gbit/s on current FPGAs.
Recent Developments in the Design of Conventional Cryptographic Algorithms
In Computer Security and Industrial Cryptography: State of the Art and Evolution, LNCS, 1998
Cited by 13 (3 self)
This paper examines proposals for three cryptographic primitives: block ciphers, stream ciphers, and hash functions. It provides an overview of the design principles of a large number of recent proposals, which includes the global structure, the number of rounds, the way of introducing nonlinearity and diffusion, and the key schedule. The software performance of about twenty primitives is compared based on highly optimized implementations for the Pentium. The goal of the paper is to provide a technical perspective on the wide variety of primitives that exist today.
How to Enrich the Message Space of a Cipher
In Fast Software Encryption – FSE ’07, LNCS, 2007
Cited by 11 (3 self)
Given (deterministic) ciphers E and E′ that can encipher messages of l and n bits, respectively, we construct a cipher E* = XLS[E, E′] that can encipher messages of l + s bits for any s < n. Enciphering such a string will take one call to E and two calls to E′. We prove that E* is a strong pseudorandom permutation as long as E and E′ are. Our construction works even in the tweakable and VIL (variable-input-length) settings. It makes use of a multipermutation (a pair of orthogonal Latin squares), a combinatorial object not previously used to get a provable-security result.
On Feistel ciphers using optimal diffusion mappings across multiple rounds
In ASIACRYPT 2004, LNCS 3329, 2004
Cited by 10 (2 self)
We study a recently proposed design approach of Feistel ciphers which employs optimal diffusion mappings across multiple rounds. This idea was proposed by Shirai and Shibutani at FSE 2004, and the technique enables one to improve the immunity against either differential or linear cryptanalysis (but not both). In this paper, we present a theoretical explanation why the new design using three different matrices achieves the better immunity. In addition, we are able to prove conditions to improve the immunity against both differential and linear cryptanalysis. As a result, we show that this design approach guarantees at least R(m+1) active S-boxes in 3R consecutive rounds (R ≥ 2) where m is the number of S-boxes in a round. By using the guaranteed number of active S-boxes, we compare this design approach to other well-known designs employed in SHARK, Rijndael, and MDS-Feistel ciphers. Moreover, we show interesting additional properties of the new design approach.
A new keystream generator MUGI
In Fast Software Encryption 2002, volume 2365 of Lecture Notes in Computer Science, 2002
Cited by 9 (0 self)
We present a new keystream generator (KSG) MUGI, which is a variant of Panama proposed at FSE ’98. MUGI has a 128-bit secret key and a 128-bit initial vector as parameters and generates a 64-bit string per round. The design is particularly suited for efficient hardware implementations, but the software performance of MUGI is excellent as well. A speed-optimized implementation in hardware achieves about 3 Gbps with 26 Kgates, which is several times faster than AES. On the other hand the security was evaluated according to resynchronization attack, related-key attack, and linear correlation of an output sequence. Our analysis confirms that MUGI is a secure KSG. Keywords: Keystream generator, Block cipher, Panama, Resynchronization attack, Related-key attack.