Results 1  10
of
10
Camellia: A 128Bit Block Cipher Suitable for Multiple Platforms  Design and Analysis
, 2000
"... We present a new 128bit block cipher called Camellia. Camellia supports 128bit block size and 128, 192, and 256bit keys, i.e. the same interface specifications as the Advanced Encryption Standard (AES). Efficiency on both software and hardware platforms is a remarkable characteristic of Camelli ..."
Abstract

Cited by 66 (3 self)
 Add to MetaCart
We present a new 128bit block cipher called Camellia. Camellia supports 128bit block size and 128, 192, and 256bit keys, i.e. the same interface specifications as the Advanced Encryption Standard (AES). Efficiency on both software and hardware platforms is a remarkable characteristic of Camellia in addition to its high level of security. It is confirmed that Camellia provides strong security against differential and linear cryptanalysis. Compared to the AES finalists, i.e. MARS, RC6, Rijndael, Serpent, and Twofish, Camellia offers at least comparable encryption speed in software and hardware. An optimized implementation of Camellia in assembly language can encrypt on a Pentium III (800MHz) at the rate of more than 276 Mbits per second, which is much faster than the speed of an optimized DES implementation. In addition, a distinguishing feature is its small hardware design. The hardware design, which includes both encryption and decryption, occupies approximately 11K gates, which is the smallest ...
SEA: A Scalable Encryption Algorithm for Small Embedded Applications
 SMART CARD RESEARCH AND APPLICATIONS, PROCEEDINGS OF CARDIS 2006, LNCS
, 2006
"... Most present symmetric encryption algorithms result from a tradeoff between implementation cost and resulting performances. In addition, they generally aim to be implemented efficiently on a large variety of platforms. In this paper, we take an opposite approach and consider a context where we have ..."
Abstract

Cited by 14 (0 self)
 Add to MetaCart
Most present symmetric encryption algorithms result from a tradeoff between implementation cost and resulting performances. In addition, they generally aim to be implemented efficiently on a large variety of platforms. In this paper, we take an opposite approach and consider a context where we have very limited processing resources and throughput requirements. For this purpose, we propose lowcost encryption routines (i.e. with small code size and memory) targeted for processors with a limited instruction set (i.e. AND, OR, XOR gates, word rotation and modular addition). The proposed design is parametric in the text, key and processor size, allows efficient combination of encryption/decryption, “onthefly” key derivation and its security against a number of recent cryptanalytic techniques is discussed. Target applications for such routines include any context requiring lowcost encryption and/or authentication.
Improved Higherorder SideChannel Attacks with FPGA Experiments
 in Cryptographic Hardware and Embedded Systems – CHES 2005, ser. Lecture Notes in Computer Science
, 2005
"... Abstract. We demonstrate that masking a block cipher implementation does not sufficiently improve its security against sidechannel attacks. Under exactly the same hypotheses as in a Differential Power Analysis (DPA), we describe an improvement of the previously introduced higherorder techniques all ..."
Abstract

Cited by 6 (1 self)
 Add to MetaCart
Abstract. We demonstrate that masking a block cipher implementation does not sufficiently improve its security against sidechannel attacks. Under exactly the same hypotheses as in a Differential Power Analysis (DPA), we describe an improvement of the previously introduced higherorder techniques allowing us to defeat masked implementations in a low (i.e. practically tractable) number of measurements. The proposed technique is based on the efficient use of the statistical distributions of the power consumption in an actual design. It is confirmed both by theoretical predictions and practical experiments against FPGA devices.
Linear cryptanalysis of substitutionpermutation networks
, 2003
"... The subject of this thesis is linear cryptanalysis of substitutionpermutation networks (SPNs). We focus on the rigorous form of linear cryptanalysis, which requires the concept of linear hulls. First, we consider SPNs in which the sboxes are selected independently and uniformly from the set of al ..."
Abstract

Cited by 5 (3 self)
 Add to MetaCart
The subject of this thesis is linear cryptanalysis of substitutionpermutation networks (SPNs). We focus on the rigorous form of linear cryptanalysis, which requires the concept of linear hulls. First, we consider SPNs in which the sboxes are selected independently and uniformly from the set of all bijective n × n sboxes. We derive an expression for the expected linear probability values of such an SPN, and give evidence that this expression converges to the corresponding value for the true random cipher. This adds quantitative support to the claim that the SPN structure is a good approximation to the true random cipher. We conjecture that this convergence holds for a large class of SPNs. In addition, we derive a lower bound on the probability that an SPN with randomly selected sboxes is practically secure against linear cryptanalysis after a given number of rounds. For common block sizes, experimental evidence indicates that this probability rapidly approaches 1 with an increasing number of rounds.
High Probability Linear Hulls in Q
, 2001
"... In this paper, we demonstrate that the linear hull effect is significant for the Q cipher. The designer of Q performs preliminary linear cryptanalysis by discussing linear characteristics involving only a single active bit at each stage [13]. We present a simple algorithm which combines all such lin ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
In this paper, we demonstrate that the linear hull effect is significant for the Q cipher. The designer of Q performs preliminary linear cryptanalysis by discussing linear characteristics involving only a single active bit at each stage [13]. We present a simple algorithm which combines all such linear characteristics with identical first and last masks into a linear hull. The expected linear probability of the best such linear hull over 7.5 rounds (8 full rounds minus the first S substitution) is 2 \Gamma90:1 . In contrast, the best known expected differential probability over the same rounds is 2 \Gamma110:5 [2]. Choosing a sequence of linear hulls, we get a straightforward attack which can recover a 128bit key with success rate 98.4%, using 2 97 known hplaintext; ciphertexti pairs and no trial encryptions.
Modeling Linear Characteristics of SubstitutionPermutation Networks
 Sixth Annual International Workshop on Selected Areas in Cryptography (SAC’99), LNCS 1758
, 2000
"... In this paper we present a model for the bias values associated with linear characteristics of substitutionpermutation networks (SPN's). The first iteration of the model is based on our observation that for sufficiently large sboxes, the best linear characteristic usually involves one active sbox ..."
Abstract

Cited by 3 (3 self)
 Add to MetaCart
In this paper we present a model for the bias values associated with linear characteristics of substitutionpermutation networks (SPN's). The first iteration of the model is based on our observation that for sufficiently large sboxes, the best linear characteristic usually involves one active sbox per round. We obtain a result which allows us to compute an upper bound on the probability that linear cryptanalysis using such a characteristic is feasible, as a function of the number of rounds. We then generalize this result, upper bounding the probability that linear cryptanalysis is feasible when any linear characteristic may be used (no restriction on the number of active sboxes). The work of this paper indicates that the basic SPN structure provides good security against linear cryptanalysis based on linear characteristics after a reasonably small number of rounds. 1
Fast software implementations of SC2000
 In Information Security Conference 2002
, 2002
"... Abstract. The block cipher SC2000 was recently proposed by a research group of Fujitsu Laboratories as a candidate cipher for the CRYPTREC and NESSIE projects. The cipher was designed so that it would be highly flexible and fast on many platforms. In this paper we show that the cipher is really fast ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
Abstract. The block cipher SC2000 was recently proposed by a research group of Fujitsu Laboratories as a candidate cipher for the CRYPTREC and NESSIE projects. The cipher was designed so that it would be highly flexible and fast on many platforms. In this paper we show that the cipher is really fast on the Pentium III and AMD platforms: Our C implementation of SC2000 on Pentium III is only second to the best C implementations of RC6 on the same platform, and faster than for example the world fastest implementation of Twofish in assembly. In particular, we improve the bulk encryption and decryption times by almost times as compared to the previous best implementation by Fujitsu. Finally, we report new Rijndael and RC6 implementation results that are slightly better than these of Aoki and Lipmaa. Keywords: block cipher design, fast implementation, large Sboxes, SC2000. 1
Fast Implementations of AES Candidates
 In The Third Advanced Encryption Standard Candidate Conference
, 2000
"... Of the five AES finalists fourMARS, RC6, Rijndael, Twofish have not only (expected) good security but also exceptional performance on the PC platforms, especially on those featuring the Pentium Pro, the NIST AES analysis platform. In the current paper we present new performance numbers of ..."
Abstract
 Add to MetaCart
Of the five AES finalists fourMARS, RC6, Rijndael, Twofish have not only (expected) good security but also exceptional performance on the PC platforms, especially on those featuring the Pentium Pro, the NIST AES analysis platform. In the current paper we present new performance numbers of the mentioned four ciphers resulting from our carefully optimized assemblylanguage implementations on the Pentium II, the successor of the Pentium Pro.
New Results on Cryptanalysis of Stream Ciphers
, 2007
"... Stream ciphers are cryptographic primitives that ensure the confidentiality of communications. In this thesis, we study several attacks on stream ciphers. For practical applications, the candidates of stream ciphers of NESSIE and eSTREAM projects are scrutinized. Firstly,
the algebraic attacks on SO ..."
Abstract
 Add to MetaCart
Stream ciphers are cryptographic primitives that ensure the confidentiality of communications. In this thesis, we study several attacks on stream ciphers. For practical applications, the candidates of stream ciphers of NESSIE and eSTREAM projects are scrutinized. Firstly,
the algebraic attacks on SOBERt32 and SOBERt16 stream ciphers are performed under the assumption that the stuttering phases are not considered. In particular, our attack demonstrates that the fast algebraic attack can improve the efficiency of the algebraic attack significantly by reducing the degree of nonlinear algebraic equations with annihilators. Next, a linear distinguishing attack is presented against SOBER128 which is a strengthened version of SOBERt32. We observe that there is a highly biased approximation in the filter function which can be combined with the linearity of the shift register. In addition, we show that it is possible to improve the complexity of the attack by using a quadratic equation. Following this, a new type of linear distinguishing attack is applied to the NLS stream cipher. This attack demonstrates that a linear attack can be extended to stream
ciphers based on a nonlinear shift register and a nonlinear filter function. The attack on NLS is extended to NLSv2 which is a tweaked version of NLS. In this attack, we show that certain combinations of multiple modular additions retain highly biased linear approximations. Finally, a distinguishing attack on the Dragon stream cipher is presented. Though this attack is far away from being practical, our attack shows that basic components of
Dragon are not correlation immune.