Side Channel Cryptanalysis of Product Ciphers
Journal of Computer Security, 1998
Cited by 92 (7 self)
Building on the work of Kocher [Koc96], Jaffe, and Yun [KJY98], we discuss the notion of side-channel cryptanalysis: cryptanalysis using implementation data. We discuss the notion of side-channel attacks and the vulnerabilities they introduce, demonstrate side-channel attacks against three product ciphers (a timing attack against IDEA, a processor-flag attack against RC5, and a Hamming-weight attack against DES), and then generalize our research to other cryptosystems.
Twofish: A 128-Bit Block Cipher
In First Advanced Encryption Standard (AES) Conference, 1998
Cited by 58 (8 self)
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
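Two of the round-function components the abstract names, the fixed 4-by-4 MDS matrix over GF(2^8) and the pseudo-Hadamard transform, as an added Python example. This is not code from the Twofish paper or its reference implementation; the matrix entries and the field polynomial x^8 + x^6 + x^5 + x^3 + 1 are taken from the Twofish specification, and the MDS check enumerates every square submatrix and confirms it is nonsingular, which is what "maximum distance separable" means for a matrix over a field. The key-dependent S-boxes and the key schedule are not included.

```python
# Added example, not code from the Twofish paper: GF(2^8) arithmetic, the
# Twofish MDS matrix, an exact MDS check, and the pseudo-Hadamard transform.
from itertools import combinations

# Twofish field polynomial for the MDS matrix: x^8 + x^6 + x^5 + x^3 + 1.
MDS_POLY = 0x169

# Twofish MDS matrix (row-major), as given in the Twofish specification.
MDS = [
    [0x01, 0xEF, 0x5B, 0x5B],
    [0x5B, 0xEF, 0xEF, 0x01],
    [0xEF, 0x5B, 0x01, 0xEF],
    [0xEF, 0x01, 0xEF, 0x5B],
]


def gf_mul(a, b, poly=MDS_POLY):
    """Multiply two GF(2^8) elements, reducing by the given polynomial."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:          # degree-8 overflow: subtract (xor) the modulus
            a ^= poly
    return r & 0xFF


def mds_multiply(col, mat=MDS):
    """Multiply a 4-byte column vector by the MDS matrix over GF(2^8)."""
    out = []
    for row in mat:
        acc = 0
        for m, x in zip(row, col):
            acc ^= gf_mul(m, x)
        out.append(acc)
    return out


def gf_det(mat):
    """Determinant over GF(2^8) by cofactor expansion (fine for n <= 4).
    In characteristic 2 the alternating signs vanish, so terms are xored."""
    n = len(mat)
    if n == 1:
        return mat[0][0]
    det = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in mat[1:]]
        det ^= gf_mul(mat[0][j], gf_det(minor))
    return det


def is_mds(mat):
    """A square matrix over a field is MDS iff every square submatrix
    (all sizes, all row/column selections) is nonsingular."""
    n = len(mat)
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                sub = [[mat[r][c] for c in cols] for r in rows]
                if gf_det(sub) == 0:
                    return False
    return True


def pht(a, b):
    """Pseudo-Hadamard transform on two 32-bit words: (a + b, a + 2b) mod 2^32."""
    return (a + b) & 0xFFFFFFFF, (a + 2 * b) & 0xFFFFFFFF


def pht_inverse(a2, b2):
    """Invert the PHT: b = b2 - a2, a = a2 - b (mod 2^32)."""
    b = (b2 - a2) & 0xFFFFFFFF
    a = (a2 - b) & 0xFFFFFFFF
    return a, b


if __name__ == "__main__":
    print("Twofish MDS matrix is MDS:", is_mds(MDS))
    print("MDS * [01,00,00,00] =", [hex(v) for v in mds_multiply([1, 0, 0, 0])])
    print("PHT(1, 2) =", pht(1, 2))
```

The submatrix enumeration is the property that gives the matrix its diffusion guarantee: any nonzero input column and its output column together have at least five nonzero bytes. The identity matrix fails the check (it has zero entries), which is a quick sanity test that `is_mds` is not vacuous.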
How far can we go beyond linear cryptanalysis?
Advances in Cryptology, Asiacrypt'04, volume 3329 of LNCS, 2004
Cited by 38 (10 self)
Several generalizations of linear cryptanalysis have been proposed in the past, as well as very similar attacks from a statistical point of view. In this paper, we define a rigorous general statistical framework which allows us to interpret most of these attacks in a simple and unified way. Then, we explicitly construct optimal distinguishers, we evaluate their performance, and we prove that a block cipher immune to classical linear cryptanalysis possesses some resistance to a wide class of generalized versions, but not all. Finally, we derive tools which are necessary to set up more elaborate extensions of linear cryptanalysis, and to generalize the notions of bias, characteristic, and piling-up lemma.
Mod n cryptanalysis, with applications against RC5P and M6
Fast Software Encryption, Sixth International Workshop, 1999
Cited by 25 (2 self)
We introduce "mod n cryptanalysis," a form of partitioning attack that is effective against ciphers which rely on modular addition and bit rotations for their security. We demonstrate this attack with a mod 3 attack against RC5P, an RC5 variant that uses addition instead of XOR. We also show mod 5 and mod 257 attacks against some versions of a family of ciphers used in the FireWire standard. We expect mod n cryptanalysis to be applicable to many other ciphers, and that the general attack is extensible to other values of n.
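The two algebraic facts a mod 3 attack on an add/rotate cipher rests on, as an added Python example; this is not code from the paper and not an attack on RC5P itself. Rotating a w-bit word left by k positions is multiplication by 2^k modulo 2^w - 1, and 3 divides 2^w - 1 whenever w is even, so rotation merely multiplies the residue mod 3. Addition mod 2^w equals x + y - carry * 2^w, and 2^w is 1 mod 3, so the only information lost mod 3 is the carry. The histogram functions run on constructed inputs restricted to multiples of 3 and contrast addition (RC5P-style) with XOR (RC5-style): after addition and rotation one residue class is never reached, while XOR scatters the residues.

```python
# Added example, not code from the mod n cryptanalysis paper: the rotation and
# addition identities mod 3, checked exhaustively on small words and by
# sampling on 32-bit words, plus an addition-vs-XOR residue histogram.
import random


def rotl(x, k, w=32):
    """Rotate the w-bit word x left by k positions."""
    k %= w
    mask = (1 << w) - 1
    return ((x << k) | (x >> (w - k))) & mask


def rotation_identity_holds(w):
    """rotl(x, k) == 2^k * x  (mod 2^w - 1) for every x, k.  For even w,
    3 | 2^w - 1, so the residue mod 3 is simply multiplied by 2^k mod 3.
    Checked exhaustively; keep w small (<= 12) for this one."""
    return all(rotl(x, k, w) % 3 == (pow(2, k, 3) * x) % 3
               for x in range(1 << w) for k in range(w))


def rotation_identity_sampled(w=32, samples=10_000, seed=1):
    """The same identity spot-checked on random w-bit words (seeded)."""
    rng = random.Random(seed)
    pairs = ((rng.getrandbits(w), rng.randrange(w)) for _ in range(samples))
    return all(rotl(x, k, w) % 3 == (pow(2, k, 3) * x) % 3 for x, k in pairs)


def add_mod3(x, y, w=32):
    """(x + y) mod 2^w = x + y - carry * 2^w, and 2^w = 1 (mod 3) for even w,
    so mod 3 the sum loses only the carry-out bit.
    Returns (actual residue, residue predicted from x, y and the carry)."""
    s = x + y
    carry = s >> w
    actual = (s & ((1 << w) - 1)) % 3
    predicted = (x + y - carry * pow(2, w, 3)) % 3
    return actual, predicted


def _pairs_of_multiples_of_3(w):
    """Constructed input set: every pair (x, y) of w-bit multiples of 3."""
    for x in range(0, 1 << w, 3):
        for y in range(0, 1 << w, 3):
            yield x, y


def add_rotate_histogram(w=8, k=3):
    """Residues mod 3 of rotl((x + y) mod 2^w, k) over the constructed pairs.
    With x = y = 0 (mod 3) the residue before rotation is -carry, so only two
    of the three classes can occur: a non-uniformity a mod 3 attack detects."""
    hist = [0, 0, 0]
    mask = (1 << w) - 1
    for x, y in _pairs_of_multiples_of_3(w):
        hist[rotl((x + y) & mask, k, w) % 3] += 1
    return hist


def xor_rotate_histogram(w=8, k=3):
    """Same experiment with XOR in place of addition: XOR does not respect
    residues mod 3, so all three classes appear."""
    hist = [0, 0, 0]
    for x, y in _pairs_of_multiples_of_3(w):
        hist[rotl(x ^ y, k, w) % 3] += 1
    return hist


if __name__ == "__main__":
    print("rotation identity, w=8 exhaustive:", rotation_identity_holds(8))
    print("rotation identity, w=32 sampled:  ", rotation_identity_sampled())
    print("add then rotate, residues mod 3:", add_rotate_histogram())
    print("xor then rotate, residues mod 3:", xor_rotate_histogram())
```

The histogram from `add_rotate_histogram` always has a zero entry; which class is empty depends on the rotation amount, because 2^k mod 3 alternates between 1 and 2, but the gap itself survives every rotation. That is the property the paper exploits: the residue distribution can be tracked through rounds built from addition and rotation, whereas XOR destroys it.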
A Statistical Saturation Attack against the Block Cipher PRESENT
In Proceedings of CT-RSA 2009, 2009
Cited by 22 (0 self)
In this paper, we present a statistical saturation attack that combines previously introduced cryptanalysis techniques against block ciphers. As the name suggests, the attack is statistical and can be seen as a particular example of partitioning cryptanalysis. It extracts information about the key by observing non-uniform distributions in the ciphertexts. It can also be seen as a dual to saturation (aka square, integral) attacks in the sense that it exploits the diffusion properties in block ciphers and a combination of active and passive multisets of bits in the plaintexts. The attack is chosen-plaintext in its basic version but can be easily extended to a known-plaintext scenario. As an illustration, it is applied to the block cipher PRESENT proposed by Bogdanov et al. at CHES 2007. We provide theoretical arguments to predict the attack efficiency and show that it improves previous (linear, differential) cryptanalysis results. We also provide experimental evidence that we can break up to 15 rounds of PRESENT with 2^35.6 plaintext-ciphertext pairs. Finally, we discuss the attack specificities and possible countermeasures. Although dedicated to PRESENT, it is an open question whether this technique improves the best known cryptanalysis for other ciphers.
FOX: a New Family of Block Ciphers
Selected Areas in Cryptography, SAC 2004, LNCS 2595, 2004
Cited by 21 (3 self)
In this paper, we describe the design of a new family of block ciphers, named FOX and designed upon the request of MediaCrypt AG [23]. The main features of this design, besides a very high security level, are a large flexibility in terms of use
Concurrent error detection schemes for fault-based side-channel cryptanalysis of symmetric block ciphers
IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2002
Cited by 19 (3 self)
Fault-based side-channel cryptanalysis is very effective against symmetric and asymmetric encryption algorithms. Although straightforward hardware and time redundancy-based concurrent error detection (CED) architectures can be used to thwart such attacks, they entail significant overheads (either area or performance). The authors investigate systematic approaches to low-cost, low-latency CED techniques for symmetric encryption algorithms based on inverse relationships that exist between encryption and decryption at algorithm level, round level, and operation level, and develop CED architectures that explore tradeoffs among area overhead, performance penalty, and fault detection latency. The proposed techniques have been validated on FPGA implementations of Advanced Encryption Standard (AES) finalist 128-bit symmetric encryption algorithms.
Index Terms: AES, CED, cryptanalysis, cryptography, fault-based, RC6, Rijndael, Serpent, side channel, symmetric encryption, Twofish.
Serpent: A Flexible Block Cipher With Maximum Assurance
In The First Advanced Encryption Standard Candidate Conference, 1998
Cited by 16 (0 self)
This paper presents a candidate block cipher for the Advanced Encryption Standard (AES). AES is an intriguing challenge to the designer, because of the great length of time the selected algorithm will have to resist attack.
Towards a Unifying View of Block Cipher Cryptanalysis
2004
Cited by 10 (0 self)
We introduce commutative diagram cryptanalysis, a framework for expressing certain kinds of attacks on product ciphers. We show that many familiar attacks, including linear cryptanalysis, differential cryptanalysis, differential-linear cryptanalysis, mod n attacks, truncated differential cryptanalysis, impossible differential cryptanalysis, higher-order differential cryptanalysis, and interpolation attacks can be expressed within this framework. Thus, we show that commutative diagram attacks provide a unifying view into the field of block cipher cryptanalysis.
A Revised Version of CRYPTON: CRYPTON V1.0
Fast Software Encryption, FSE'99, volume 1636 of LNCS, 1999
Cited by 9 (0 self)
The block cipher CRYPTON has been proposed as a candidate algorithm for the Advanced Encryption Standard (AES). To fix some minor weaknesses in the key schedule and to remove some undesirable properties in the S-boxes, we made some changes to the AES proposal, i.e., in the S-box construction and key scheduling. This paper presents the revised version of CRYPTON and its preliminary analysis.
1 Motivations and Changes
The block cipher CRYPTON has been proposed as a candidate algorithm for the AES [22]. Unfortunately, however, we did not have enough time to refine our algorithm at the time of submission, so we later revised part of the AES proposal. This paper describes this revision and analyzes its security and efficiency. CRYPTON v1.0 differs from the AES proposal (v0.5) only in the S-box construction and key scheduling. As we mentioned at the 1st AES candidate conference, we already had a plan to revise the CRYPTON key schedule. The previous key schedule was in fact expected from ...