Results 1-10 of 16
Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms - Design and Analysis
, 2000
Cited by 75 (4 self)
We present a new 128-bit block cipher called Camellia. Camellia supports 128-bit block size and 128-, 192-, and 256-bit keys, i.e. the same interface specifications as the Advanced Encryption Standard (AES). Efficiency on both software and hardware platforms is a remarkable characteristic of Camellia in addition to its high level of security. It is confirmed that Camellia provides strong security against differential and linear cryptanalysis. Compared to the AES finalists, i.e. MARS, RC6, Rijndael, Serpent, and Twofish, Camellia offers at least comparable encryption speed in software and hardware. An optimized implementation of Camellia in assembly language can encrypt on a Pentium III (800MHz) at the rate of more than 276 Mbits per second, which is much faster than the speed of an optimized DES implementation. In addition, a distinguishing feature is its small hardware design. The hardware design, which includes both encryption and decryption, occupies approximately 11K gates, which is the smallest ...
SEA: A Scalable Encryption Algorithm for Small Embedded Applications
 SMART CARD RESEARCH AND APPLICATIONS, PROCEEDINGS OF CARDIS 2006, LNCS
, 2006
Cited by 20 (0 self)
Most present symmetric encryption algorithms result from a tradeoff between implementation cost and resulting performances. In addition, they generally aim to be implemented efficiently on a large variety of platforms. In this paper, we take an opposite approach and consider a context where we have very limited processing resources and throughput requirements. For this purpose, we propose low-cost encryption routines (i.e. with small code size and memory) targeted for processors with a limited instruction set (i.e. AND, OR, XOR gates, word rotation and modular addition). The proposed design is parametric in the text, key and processor size, allows efficient combination of encryption/decryption, “on-the-fly” key derivation and its security against a number of recent cryptanalytic techniques is discussed. Target applications for such routines include any context requiring low-cost encryption and/or authentication.
Improved Higher-order Side-Channel Attacks with FPGA Experiments
 in Cryptographic Hardware and Embedded Systems – CHES 2005, ser. Lecture Notes in Computer Science
, 2005
Cited by 6 (1 self)
Abstract. We demonstrate that masking a block cipher implementation does not sufficiently improve its security against side-channel attacks. Under exactly the same hypotheses as in a Differential Power Analysis (DPA), we describe an improvement of the previously introduced higher-order techniques allowing us to defeat masked implementations in a low (i.e. practically tractable) number of measurements. The proposed technique is based on the efficient use of the statistical distributions of the power consumption in an actual design. It is confirmed both by theoretical predictions and practical experiments against FPGA devices.
Linear cryptanalysis of substitution-permutation networks
, 2003
Cited by 6 (3 self)
The subject of this thesis is linear cryptanalysis of substitution-permutation networks (SPNs). We focus on the rigorous form of linear cryptanalysis, which requires the concept of linear hulls. First, we consider SPNs in which the s-boxes are selected independently and uniformly from the set of all bijective n × n s-boxes. We derive an expression for the expected linear probability values of such an SPN, and give evidence that this expression converges to the corresponding value for the true random cipher. This adds quantitative support to the claim that the SPN structure is a good approximation to the true random cipher. We conjecture that this convergence holds for a large class of SPNs. In addition, we derive a lower bound on the probability that an SPN with randomly selected s-boxes is practically secure against linear cryptanalysis after a given number of rounds. For common block sizes, experimental evidence indicates that this probability rapidly approaches 1 with an increasing number of rounds.
Report on the AES Candidates
, 1999
Cited by 4 (1 self)
This document reports the activities of the AES working group organized at the Ecole Normale Superieure. Several candidates are evaluated. In particular we outline some weaknesses in the designs of some candidates. We mainly discuss selection criteria between the candidates, and make case-by-case comments. We finally recommend the selection of Mars, RC6, Serpent, ... and DFC. As the report is being finalized, we also added some new preliminary cryptanalysis on RC6 and Crypton in the Appendix which are not considered in the main body of the report.
High Probability Linear Hulls in Q
, 2001
Cited by 4 (1 self)
In this paper, we demonstrate that the linear hull effect is significant for the Q cipher. The designer of Q performs preliminary linear cryptanalysis by discussing linear characteristics involving only a single active bit at each stage [13]. We present a simple algorithm which combines all such linear characteristics with identical first and last masks into a linear hull. The expected linear probability of the best such linear hull over 7.5 rounds (8 full rounds minus the first S substitution) is $2^{-90.1}$. In contrast, the best known expected differential probability over the same rounds is $2^{-110.5}$ [2]. Choosing a sequence of linear hulls, we get a straightforward attack which can recover a 128-bit key with success rate 98.4%, using $2^{97}$ known $\langle$plaintext, ciphertext$\rangle$ pairs and no trial encryptions.
QUAD: Overview and recent developments
 Symmetric Cryptography, volume 07021 of Dagstuhl Seminar Proceedings. Internationales Begegnungs- und Forschungszentrum für Informatik (IBFI), Schloss Dagstuhl
, 2007
Cited by 3 (0 self)
Abstract. We give an outline of the specification and provable security features of the QUAD stream cipher proposed at Eurocrypt 2006 [6]. The cipher relies on the iteration of a multivariate quadratic function over a finite field, typically GF(2) or a small extension. In the binary case, the security of the keystream generation can be related, in the concrete security model, to the conjectured intractability of the MQ problem of solving a random system of m equations in n unknowns. We show that this security reduction can be extended to incorporate the key and IV setup and provide a security argument related to the whole cipher. We also briefly address software and hardware performance issues and show that if one is willing to pseudorandomly generate the systems of quadratic polynomials underlying the cipher, this leads to surprisingly inexpensive hardware implementations of QUAD. Key words: MQ problem, stream cipher, provable security, Gröbner basis computation
Fast software implementations of SC2000
 In Information Security Conference 2002
, 2002
Cited by 3 (0 self)
Abstract. The block cipher SC2000 was recently proposed by a research group of Fujitsu Laboratories as a candidate cipher for the CRYPTREC and NESSIE projects. The cipher was designed so that it would be highly flexible and fast on many platforms. In this paper we show that the cipher is really fast on the Pentium III and AMD platforms: Our C implementation of SC2000 on Pentium III is only second to the best C implementations of RC6 on the same platform, and faster than for example the world fastest implementation of Twofish in assembly. In particular, we improve the bulk encryption and decryption times by almost times as compared to the previous best implementation by Fujitsu. Finally, we report new Rijndael and RC6 implementation results that are slightly better than these of Aoki and Lipmaa. Keywords: block cipher design, fast implementation, large S-boxes, SC2000.
Modeling Linear Characteristics of Substitution-Permutation Networks
 Sixth Annual International Workshop on Selected Areas in Cryptography (SAC’99), LNCS 1758
, 2000
Cited by 3 (3 self)
In this paper we present a model for the bias values associated with linear characteristics of substitution-permutation networks (SPN's). The first iteration of the model is based on our observation that for sufficiently large s-boxes, the best linear characteristic usually involves one active s-box per round. We obtain a result which allows us to compute an upper bound on the probability that linear cryptanalysis using such a characteristic is feasible, as a function of the number of rounds. We then generalize this result, upper bounding the probability that linear cryptanalysis is feasible when any linear characteristic may be used (no restriction on the number of active s-boxes). The work of this paper indicates that the basic SPN structure provides good security against linear cryptanalysis based on linear characteristics after a reasonably small number of rounds.