## The MESH Block Ciphers (2002)

### Cached

### Download Links

- [www.esat.kuleuven.ac.be]
- [ftp.esat.kuleuven.ac.be]
- DBLP

### Other Repositories/Bibliography

Citations: | 2 - 1 self |

### BibTeX

@TECHREPORT{Nakahara02themesh,

author = {Jorge Nakahara and Vincent Rijmen and Bart Preneel and Joos Vandewalle},

title = {The MESH Block Ciphers},

institution = {},

year = {2002}

}

### OpenURL

### Abstract

This paper describes the MESH block ciphers, whose designs are based on the same group operations as the IDEA cipher, but with a number of novel features: flexible block sizes in steps of 32 bits (the block size of IDEA is fixed at 64 bits); larger MA-boxes; distinct key-mixing layers for odd and even rounds; and new key schedule algorithms that achieve fast avalanche and avoid the weak keys of IDEA. The software performance of MESH ciphers are estimated to be better or comparable to that of triple-DES. A number of attacks, such as truncated and impossible di#erentials, linear and Demirci's attack, shows that more resources are required on the MESH ciphers than for IDEA, and indicates that both ciphers seem to have a large margin of security.

### Citations

2681 | Handbook of Applied Cryptography
- Menezes, Oorschot, et al.
- 1997
(Show Context)
Citation Context ... · 3 · 2 16 · 1 13 ≈ 2109 3.5-round MESH-96 encryptions, 2 96 chosen plaintexts, and 2 64 96-bit blocks of memory. There are two additional truncated differentials with the same probability, (11)=-= and (12)-=-, listed in the Appendix, that allows to recover Z (1) 3 , Z(1) 6 , Z(4) 3 , Z(4) 4 , Z(4) 1 , and Z (4) 2 . An attack on 4-round MESH-96 can guess subkeys Z (4) 7 , Z(4) 8 , Z(4) 9 , and apply the pr... |

2067 | The Theory of Error-Correcting Codes - MacWilliams, Sloane - 1977 |

544 | Differential Cryptanalysis of DES-like Cryptosystems - Biham, Shamir - 1991 |

453 | Linear Cryptanalysis Method for DES Cipher,” Eurocrypt - Matsui - 1993 |

254 |
The Design of Rijndael: AES — The Advanced Encryption Standard (Information Security and Cryptography
- Daemen, Rijmen
- 2002
(Show Context)
Citation Context ...operation is used twice in succession in any part of these ciphers; (iii) neither cipher uses explicit S-boxes, nor depend on particular properties of Boolean functions such as in Camellia [1] or AES =-=[8]-=-. Three designs will be described: MESH-64, MESH-96 and MESH-128, where the suffix denotes the block size. 3 The MESH-64 Block Cipher MESH-64 is a 64-bit block cipher with a 128-bit key and 8.5 rounds... |

209 | A Course in Number Theory and Cryptography - Koblitz - 1994 |

144 | Differentially Uniform Mappings for Cryptography - Nyberg - 1994 |

115 | Markov ciphers and differential cryptanalysis
- Lai, Massey, et al.
- 1991
(Show Context)
Citation Context ...k ciphers, design and cryptanalysis, IDEA, MA-boxes. 1 Introduction This paper presents the MESH block ciphers, whose designs are based on the same group operations on 16-bit words as the IDEA cipher =-=[11], name-=-ly, bitwise exclusive-or, denoted ⊕, addition in Z 2 16, denoted ⊞, and multiplication in GF(2 16 + 1), denoted ⊙, with the value 0 denoting 2 16 . The MESH designs are built on the strength of ... |

101 | Truncated and higher order differentials - Knudsen - 1995 |

74 | Camellia – a 128-bit block cipher suitable for multiple platforms (Extended abstract
- Aoki, Ichikawa, et al.
(Show Context)
Citation Context ...d; (ii) no operation is used twice in succession in any part of these ciphers; (iii) neither cipher uses explicit S-boxes, nor depend on particular properties of Boolean functions such as in Camellia =-=[1]-=- or AES [8]. Three designs will be described: MESH-64, MESH-96 and MESH-128, where the suffix denotes the block size. 3 The MESH-64 Block Cipher MESH-64 is a 64-bit block cipher with a 128-bit key and... |

60 |
Cipher and hash function design strategies based on linear and differential cryptanalysis
- Daemen
- 1995
(Show Context)
Citation Context ...n-linear operator in the cipher, the key schedule needs to be designed to avoid weak subkeys for any choice of the user key, otherwise, all multiplications could, in principle, be manipulated (Daemen =-=[5]).-=- The following design principles were used in the key schedule of MESH ciphers to avoid weak keys: – fast key avalanche: each subkey generated from the user key quickly depends, non-linearly, upon a... |

44 | Key-schedule Cryptanalysis of - Kelsey, Schneier, et al. - 1996 |

26 | On the distribution of characteristics in bijective mappings - O'Connor - 1994 |

22 |
The block cipher
- Daemen, Knudsen, et al.
- 1997
(Show Context)
Citation Context ... 12 Time complexity increases to 2 128+64 = 2 192 steps. 9 Demirci’s Attack This section follows the work of Demirci in [9]. 9.1 Demirci’s Attack on MESH-64 Demirci’s attack using 1st-order inte=-=grals [10, 7]-=- can be adapted to MESH-64 starting from the 2nd round, or any other even round. The integral operator is 12sexclusive-or. Consider a multiset of the form (P P P A), namely, with the first three words... |

21 | Truncated differentials of SAFER - Knudsen, Berson |

20 | A key-schedule weakness in SAFER-K64 - Knudsen - 1995 |

16 |
On weaknesses of non-surjective round functions
- Rijmen, Preneel, et al.
- 1997
(Show Context)
Citation Context ...ely avoid many one-round linear relations and one-round characteristics (to be discussed further). All the new MA-boxes are bijective mappings (permutations), in order to avoid non-surjective attacks =-=[13]-=-). Another feature of the MESH ciphers is the key schedule algorithm. Note that in IDEA all multiplications involve a subkey as an operand. Since the modular multiplication is the main non-linear oper... |

9 |
Two attacks on reduced IDEA
- Borst, Knudsen, et al.
- 1997
(Show Context)
Citation Context ... 48 42 42 18 MESH-96 96 192 10.5 73 90 83 53 43 MESH-128 128 256 12.5 148 144 148 100 52 6 Truncated Differential Analysis Differential analysis of MESH ciphers followed the framework of Borst et al. =-=[4]. -=-The difference operator is bitwise exclusive-or. 6.1 Truncated Differential Attack on MESH-64 The truncated differential (4), with A, B, C, D, E, F, G, H ∈ Z 16 2 , is used in an attack on 3.5-round... |

3 |
Miss-in-the-Middle Attacks on IDEA, Khufu and Khafre
- Biham, Biryukov, et al.
- 1999
(Show Context)
Citation Context ...layer, leading to a complexity of 2 69+128 = 2 197 parity computations. 8 Impossible Differential Attacks Impossible differential (ID) attacks on MESH ciphers follow a similar setting of Biham et al. =-=[2]. 8.1 -=-Impossible Differential Attack of MESH-64 A key-recovery ID attack on 3.5-round MESH-64 uses the 2.5-round impossible differential (a, 0, a, 0) �→ (b, b, 0, 0), with a, b �= 0, starting after th... |

2 | Self-reciprocal cipher structures," COSIC internal report - Daemen, Rijmen - 1996 |

2 | The interpolation attack on block ciphers," these proceedings - Jakobsen, Knudsen |

2 | Daemen et al., "The cipher SHARK - Rijmen, J - 1996 |

1 |
Slide Attacks, In: Knudsen,L.R. (ed
- Biryukov, Wagner
- 1999
(Show Context)
Citation Context ...ESH-96, and 5536 cycles/key-setup for MESH-128. . larger MA-boxes designed to better resist differential and linear attacks. . distinct key-mixing layers, originally designed to counter slide attacks =-=[3], bu-=-t also proved useful against Demirci’s attack [9]. The design of the MESH ciphers incorporates measures to counter a number of modern cryptanalytic attacks developed along the past 12 years [2–4, ... |