Results 1  10
of
88
AES Proposal: Rijndael
, 1998
"... this document we describe the cipher Rijndael. First we present the mathematical basis necessary for understanding the specifications followed by the design rationale and the description itself. Subsequently, the implementation aspects of the cipher and its inverse are treated. This is followed by t ..."
Abstract

Cited by 100 (0 self)
 Add to MetaCart
this document we describe the cipher Rijndael. First we present the mathematical basis necessary for understanding the specifications followed by the design rationale and the description itself. Subsequently, the implementation aspects of the cipher and its inverse are treated. This is followed by the motivations of all design choices and the treatment of the resistance against known types of attacks. We give our security claims and goals, the advantages and limitations of the cipher, ways how it can be extended and how it can be used
PRESENT: An UltraLightweight Block Cipher
 the proceedings of CHES 2007
, 2007
"... Abstract. With the establishment of the AES the need for new block ciphers has been greatly diminished; for almost all block cipher applications the AES is an excellent and preferred choice. However, despite recent implementation advances, the AES is not suitable for extremely constrained environmen ..."
Abstract

Cited by 68 (8 self)
 Add to MetaCart
Abstract. With the establishment of the AES the need for new block ciphers has been greatly diminished; for almost all block cipher applications the AES is an excellent and preferred choice. However, despite recent implementation advances, the AES is not suitable for extremely constrained environments such as RFID tags and sensor networks. In this paper we describe an ultralightweight block cipher, present. Both security and hardware efficiency have been equally important during the design of the cipher and at 1570 GE, the hardware requirements for present are competitive with today’s leading compact stream ciphers. 1
Camellia: A 128Bit Block Cipher Suitable for Multiple Platforms  Design and Analysis
, 2000
"... We present a new 128bit block cipher called Camellia. Camellia supports 128bit block size and 128, 192, and 256bit keys, i.e. the same interface specifications as the Advanced Encryption Standard (AES). Efficiency on both software and hardware platforms is a remarkable characteristic of Camelli ..."
Abstract

Cited by 63 (3 self)
 Add to MetaCart
We present a new 128bit block cipher called Camellia. Camellia supports 128bit block size and 128, 192, and 256bit keys, i.e. the same interface specifications as the Advanced Encryption Standard (AES). Efficiency on both software and hardware platforms is a remarkable characteristic of Camellia in addition to its high level of security. It is confirmed that Camellia provides strong security against differential and linear cryptanalysis. Compared to the AES finalists, i.e. MARS, RC6, Rijndael, Serpent, and Twofish, Camellia offers at least comparable encryption speed in software and hardware. An optimized implementation of Camellia in assembly language can encrypt on a Pentium III (800MHz) at the rate of more than 276 Mbits per second, which is much faster than the speed of an optimized DES implementation. In addition, a distinguishing feature is its small hardware design. The hardware design, which includes both encryption and decryption, occupies approximately 11K gates, which is the smallest ...
Twofish: A 128Bit Block Cipher
 in First Advanced Encryption Standard (AES) Conference
, 1998
"... Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bit ..."
Abstract

Cited by 54 (8 self)
 Add to MetaCart
Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2 22.5 chosen plaintexts and 2 51 effort.
Improved Cryptanalysis of Rijndael
, 2000
"... We improve the best attack on Rijndael reduced to 6 rounds from complexity 2^72 to 2^44 . We also present the first known attacks on 7 and 8round Rijndael. The attacks on 8round Rijndael work for 192bit and 256bit keys. Finally, we discuss the key schedule of Rijndael and describe a relatedkey ..."
Abstract

Cited by 52 (3 self)
 Add to MetaCart
We improve the best attack on Rijndael reduced to 6 rounds from complexity 2^72 to 2^44 . We also present the first known attacks on 7 and 8round Rijndael. The attacks on 8round Rijndael work for 192bit and 256bit keys. Finally, we discuss the key schedule of Rijndael and describe a relatedkey attack that can break 9round Rijndael with 256bit keys. 1 Introduction Rijndael is one of the five AES candidate ciphers that made it to the second round [DR98]. Rijndael has 10, 12, or 14 rounds, depending on the key size. Previously it was known how to break up to 6 rounds of Rijndael [DR98]. Independently from our work, Gilbert and Minier [GM00] presented an attack on 7 rounds of Rijndael. In section 2, we describe a new partial sum technique that can dramatically reduce the complexity of the 6round attacks. We also show how to use these ideas to attack 7 and 8 rounds of Rijndael, in some cases using additional known texts (where available) to reduce the workfactor. The attacks ag...
Cube Attacks on Tweakable Black Box Polynomials
"... Abstract. Almost any cryptographic scheme can be described by tweakable polynomials over GF (2), which contain both secret variables (e.g., key bits) and public variables (e.g., plaintext bits or IV bits). The cryptanalyst is allowed to tweak the polynomials by choosing arbitrary values for the publ ..."
Abstract

Cited by 46 (4 self)
 Add to MetaCart
Abstract. Almost any cryptographic scheme can be described by tweakable polynomials over GF (2), which contain both secret variables (e.g., key bits) and public variables (e.g., plaintext bits or IV bits). The cryptanalyst is allowed to tweak the polynomials by choosing arbitrary values for the public variables, and his goal is to solve the resultant system of polynomial equations in terms of their common secret variables. In this paper we develop a new technique (called a cube attack) for solving such tweakable polynomials, which is a major improvement over several previously published attacks of the same type. For example, on the stream cipher Trivium with a reduced number of initialization rounds, the best previous attack (due to Fischer, Khazaei, and Meier) requires a barely practical complexity of 2 55 to attack 672 initialization rounds, whereas a cube attack can find the complete key of the same variant in 2 19 bit operations (which take less than a second on a single PC). Trivium with 735 initialization rounds (which could not be attacked by any previous technique) can now be broken with 2 30 bit operations, and by extrapolating our experimentally verified complexities for various sizes, we have reasons to believe that cube attacks will remain faster than exhaustive search even for 1024 initialization rounds. Whereas previous attacks were heuristic, had to be adapted to each cryptosystem, had no general complexity bounds,
Survey and Benchmark of Block Ciphers for Wireless Sensor Networks
 ACM Transactions on Sensor Networks
, 2004
"... Choosing the most storage and energye#cient block cipher specifically for wireless sensor networks (WSNs) is not as straightforward as it seems. To our knowledge so far, there is no systematic evaluation framework for the purpose. In this paper, we have identified the candidates of block ciphe ..."
Abstract

Cited by 45 (0 self)
 Add to MetaCart
Choosing the most storage and energye#cient block cipher specifically for wireless sensor networks (WSNs) is not as straightforward as it seems. To our knowledge so far, there is no systematic evaluation framework for the purpose. In this paper, we have identified the candidates of block ciphers suitable for WSNs based on existing literature.
Attacking Seven Rounds of Rijndael under 192bit and 256bit Keys
, 2000
"... . The authors of Rijndael [3] describe the \Square attack" as the best known attack against the block cipher Rijndael. If the key size is 128 bit, the attack is faster than exhaustive search for up to six rounds. We extend the Square attack on Rijndael variants with larger keys of 192 bit and 256 bi ..."
Abstract

Cited by 28 (0 self)
 Add to MetaCart
. The authors of Rijndael [3] describe the \Square attack" as the best known attack against the block cipher Rijndael. If the key size is 128 bit, the attack is faster than exhaustive search for up to six rounds. We extend the Square attack on Rijndael variants with larger keys of 192 bit and 256 bit. Our attacks exploit minor weaknesses of the Rijndael key schedule and are faster than exhaustive search for up to seven rounds of Rijndael. 1 Introduction The block cipher Rijndael [3] has been proposed as an AES candidate and was selected for the secound round. It is a member of a fastgrowing family of Squarelike ciphers [26]. Rijndael allows both a variable block length of M 32 bit with M 2 f4; 6; 8g and a variable key length of N 32 bit, N an integer. In the context of this paper we concentrate on M = 4, i.e., on a block length of 128 bit, and on N 2 f4; 6; 8g, i.e., on key sizes of 128, 192, and 256 bit. We abridge these variants by RD128, RD192 and RD256. The number R of ...
IDEA: A Cipher for Multimedia Architectures?
 In Selected Areas in Cryptography ’98
, 1998
"... MMX is a new technology to accelerate multimedia applications on Pentium processors. We report an implementation of IDEA on a Pentium MMX that is $1.65$ times faster than any previously known implementation on the Pentium. By parallelizing four IDEA's we reach an unprecedented $78$ Mbits/s throughpu ..."
Abstract

Cited by 20 (5 self)
 Add to MetaCart
MMX is a new technology to accelerate multimedia applications on Pentium processors. We report an implementation of IDEA on a Pentium MMX that is $1.65$ times faster than any previously known implementation on the Pentium. By parallelizing four IDEA's we reach an unprecedented $78$ Mbits/s throughput per output block on a 166MHz MMX. In the light of rapidly increasing popularity of multimedia applications, causing more dedicated hardware to be built, and observing that most of the current block ciphers do not benefit from MMX, we raise the problem of designing block ciphers (and encryption modes) fully utilizing the basic operations of multimedia.
A Statistical Saturation Attack against the Block Cipher PRESENT
 IN PROCEEDINGS OF CTRSA 2009
, 2009
"... In this paper, we present a statistical saturation attack that combines previously introduced cryptanalysis techniques against block ciphers. As the name suggests, the attack is statistical and can be seen as a particular example of partitioning cryptanalysis. It extracts information about the key ..."
Abstract

Cited by 19 (0 self)
 Add to MetaCart
In this paper, we present a statistical saturation attack that combines previously introduced cryptanalysis techniques against block ciphers. As the name suggests, the attack is statistical and can be seen as a particular example of partitioning cryptanalysis. It extracts information about the key by observing nonuniform distributions in the ciphertexts. It can also be seen as a dual to saturation (aka square, integral) attacks in the sense that it exploits the diffusion properties in block ciphers and a combination of active and passive multisets of bits in the plaintexts. The attack is chosenplaintext in its basic version but can be easily extended to a knownplaintext scenario. As an illustration, it is applied to the block cipher PRESENT proposed by Bogdanov et al. at CHES 2007. We provide theoretical arguments to predict the attack efficiency and show that it improves previous (linear, differential) cryptanalysis results. We also provide experimental evidence that we can break up to 15 rounds of PRESENT with 2 35.6 plaintextciphertext pairs. Eventually, we discuss the attack specificities and possible countermeasures. Although dedicated to PRESENT, it is an open question to determine if this technique improves the best known cryptanalysis for other ciphers.