Side Channel Cryptanalysis of Product Ciphers
JOURNAL OF COMPUTER SECURITY, 1998
Building on the work of Kocher [Koc96], Jaffe, and Yun [KJY98], we discuss the notion of side-channel cryptanalysis: cryptanalysis using implementation data. We discuss the notion of side-channel attacks and the vulnerabilities they introduce, demonstrate side-channel attacks against three product ciphers (timing attack against IDEA, processor-flag attack against RC5, and Hamming weight attack against DES) and then generalize our research to other cryptosystems.
Twofish: A 128-Bit Block Cipher
in First Advanced Encryption Standard (AES) Conference, 1998
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.
Concurrent error detection schemes for fault-based side-channel cryptanalysis of symmetric block ciphers
IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2002
Abstract. Fault-based side-channel cryptanalysis is very effective against symmetric and asymmetric encryption algorithms. Although straightforward hardware and time redundancy-based concurrent error detection (CED) architectures can be used to thwart such attacks, they entail significant overheads (either area or performance). The authors investigate systematic approaches to low-cost, low-latency CED techniques for symmetric encryption algorithms based on inverse relationships that exist between encryption and decryption at algorithm level, round level, and operation level, and develop CED architectures that explore tradeoffs among area overhead, performance penalty, and fault detection latency. The proposed techniques have been validated on FPGA implementations of Advanced Encryption Standard (AES) finalist 128-bit symmetric encryption algorithms. Index Terms: AES, CED, cryptanalysis, cryptography, fault based, RC6, Rijndael, Serpent, side channel, symmetric encryption, Twofish.
Faster Correlation Attack on Bluetooth Keystream Generator E0
Advances in Cryptology - CRYPTO 2004, Lecture Notes in Computer Science, 2004
Abstract. We study both distinguishing and key-recovery attacks against E0, the keystream generator used in Bluetooth, by means of correlation. First, a powerful computation method of correlations is formulated by a recursive expression, which makes it easier to calculate correlations of the finite state machine output sequences up to 26 bits for E0 and allows us to verify the two known correlations to be the largest for the first time. Second, we apply the concept of convolution to the analysis of the distinguisher based on all correlations, and propose an efficient distinguisher due to the linear dependency of the largest correlations. Last, we propose a novel maximum likelihood decoding algorithm based on the fast Walsh transform to recover the closest codeword for any linear code of dimension L and length n. It requires time O(n + L · 2^L) and memory min(n, 2^L). This can speed up many attacks such as fast correlation attacks. We apply it to E0, and our best key-recovery attack works in 2^39 time given 2^39 consecutive bits after O(2^37) precomputation. This is the best known attack against E0 so far.
Optimal key ranking procedures in a statistical cryptanalysis
Advances in Cryptology - Eurocrypt'03, volume 2656 of LNCS, 2003
Abstract. Hypothesis tests have been used in the past as a tool in a cryptanalytic context. In this paper, we propose to use this paradigm and define a precise and sound statistical framework in order to optimally mix information on independent attacked subkey bits obtained from any kind of statistical cryptanalysis. In the context of linear cryptanalysis, we prove that the best mixing paradigm consists of sorting key candidates by decreasing weighted Euclidean norm of the bias vector. Keywords: Key ranking, statistical cryptanalysis, Neyman-Pearson lemma, linear cryptanalysis
Serpent: A Flexible Block Cipher With Maximum Assurance
In The First Advanced Encryption Standard Candidate Conference, 1998
This paper presents a candidate block cipher for the Advanced Encryption Standard (AES). AES is an intriguing challenge to the designer, because of the great length of time the selected algorithm will have to resist attack.
On the complexity of Matsui’s attack
in Selected Areas in Cryptography, SAC 2001, 2001
Abstract. Linear cryptanalysis remains the most powerful attack against DES at this time. Given 2^43 known plaintext-ciphertext pairs, Matsui expected a complexity of less than 2^43 DES evaluations in 85% of the cases for recovering the key. In this paper, we present a theoretical and experimental complexity analysis of this attack, which has been simulated 21 times using the idle time of several computers. The experimental results suggest a complexity upper-bounded by 2^41 DES evaluations in 85% of the cases, while more than half of the experiments needed less than 2^39 DES evaluations. In addition, we give a detailed theoretical analysis of the attack complexity.
Towards a Unifying View of Block Cipher Cryptanalysis
2004
We introduce commutative diagram cryptanalysis, a framework for expressing certain kinds of attacks on product ciphers. We show that many familiar attacks, including linear cryptanalysis, differential cryptanalysis, differential-linear cryptanalysis, mod n attacks, truncated differential cryptanalysis, impossible differential cryptanalysis, higher-order differential cryptanalysis, and interpolation attacks can be expressed within this framework. Thus, we show that commutative diagram attacks provide a unifying view into the field of block cipher cryptanalysis.
Resistance Against General Iterated Attacks
In Advances in Cryptology - EUROCRYPT'99, Prague, Czech Republic, Lecture Notes in Computer Science 1592, 1998
In this paper we study the resistance of a block cipher against any general iterated attack. This class of attacks includes differential and linear cryptanalysis. We prove that we can upper bound the complexity of the attack by using Vaudenay's decorrelation technique. Our main theorem enables us to prove the security of some recently proposed block ciphers, COCONUT98 and PEANUT98. Since public-key cryptography was discovered in the late 70s, proving the security of cryptographic protocols has been a challenging problem. Recently, the random oracle model and the generic algorithm techniques have introduced new tools for validating cryptographic algorithms. Although much older, the area of symmetric cryptography did not get so many tools. In the early 90s, Biham and Shamir [2] introduced the notion of differential cryptanalysis and Matsui [7, 8] introduced the notion of linear cryptanalysis, which was a quite general model of attack. Since then many authors tried to formalize these a...
Linear Cryptanalysis of RC5 and RC6
PROCEEDINGS OF FAST SOFTWARE ENCRYPTION, LECTURE NOTES IN COMPUTER SCIENCE, 1999
In this paper we evaluate the resistance of the block cipher RC5 against linear cryptanalysis. We describe a known plaintext attack that can break RC5-32 (block size 64) with 10 rounds and RC5-64 (block size 128) with 15 rounds. In order to do this we use techniques related to the use of multiple linear approximations. Furthermore, the success of the attack is largely based on the linear hull effect. To our knowledge, at this moment these are the best known plaintext attacks on RC5 which have negligible storage requirements and do not make any assumption on the plaintext distribution. Furthermore, we discuss the impact of our attacking method on the AES candidate RC6, whose design was based on RC5.