## Self Evaluation: Hierocrypt–L1 (2000)

### BibTeX

@MISC{Corporation00selfevaluation:,

author = {Toshiba Corporation},

title = { Self Evaluation: Hierocrypt–L1 },

year = {2000}

}

### OpenURL

### Abstract

### Citations

550 | Di®erential Cryptanalysis of DES-like Cryptosystems
- Biham, Shamir
- 1991
(Show Context)
Citation Context ...ainst differential and linear cryptanalysis The differential and linear cryptanalysis are effective against general symmetric block cryptosystems, the former of which was proposed by Biham and Shamir =-=[1]-=- and the latter proposed by Matsui [6]. The most important security measure is the number of plaintext-ciphertext pairs need for the cryptanalysis. The number of pairs is known to be the same order of... |

459 |
Linear cryptanalysis method for DES cipher
- Matsui
- 1994
(Show Context)
Citation Context ...lysis The differential and linear cryptanalysis are effective against general symmetric block cryptosystems, the former of which was proposed by Biham and Shamir [1] and the latter proposed by Matsui =-=[6]-=-. The most important security measure is the number of plaintext-ciphertext pairs need for the cryptanalysis. The number of pairs is known to be the same order of the inverse of the maximum differenti... |

124 | The Block Cipher Square
- Daemen, Knudsen, et al.
- 1997
(Show Context)
Citation Context ...k is a chosen-plaintext attack, which is applied to the SQUAREcipher and other SQUARE-like ciphers. The basic attack and its extensions of applicable round numbers by key estimation have been proposed=-=[2]-=-. The manner of counting rounds in Hierocrypt–L1 is different from that of the SQUAREcipher. To avoid confusion, we introduce a definition of a number of layers instead of the number of rounds. The nu... |

67 |
New block encryption algorithm MISTY
- Matsui
- 1997
(Show Context)
Citation Context ... in ten trials to carry out 1,000,000 block encryptions of Hierocrypt–3 in ECB mode for each key length. The round structure is implemented by iterated loop. The performance of MISTY-I is referred to =-=[14]-=-. The decryption process with ∗ needs calculation nearly twice as much as the encryption, because the extended key for encryption is used. If a key scheduling for decryption is used, the decryption ca... |

32 | Attacking Seven Rounds of Rijndael under 192-bit and 256-bit
- Lucks
- 2000
(Show Context)
Citation Context ...er, a layer corresponds to a round. The SQUAREattack is effective up to 6 layers for 128-bit key SQUAREcipher and Rijndael cipher[2], and up to 7 layers for 192-bit key and 256-bit key Rijndael cipher=-=[5]-=-. However, we confirmed that it is effective just up to 5 layers for Hierocrypt–L1. Because the Hierocrypt–L1 is designed as 12 layers, it has enough security against the SQUARE attack. 2.2.1 Definiti... |

24 | Provable security against differential and linear cryptanalysis for the spn structure
- Hong, Lee, et al.
- 1978
(Show Context)
Citation Context ...nded) by the minimum number of active S-boxes, as the cipher consists of the nested SPN structure. Furthermore, we found that the provable security for a two-round SPN structure proven by Hong et al. =-=[3, 12]-=- is applicable to two consecutive rounds of Hierocrypt–3. The provable security leads to the rigid upper bound of the maximum differential and linear probabilities. We will show the result of evaluati... |

21 | Truncated differentials of SAFER
- Knudsen, Berson
(Show Context)
Citation Context ...ential attack is an algebraic attack, where some extended key bits are obtained by solving the equation, which is derived by the following properties for the Boule function whose algebraic order is d =-=[4]-=-. • All (d + 1)-th order differentials are 0 • all d-th order differentials are constants. The security against the higher-order differential attack is assured by showing that there is no efficient se... |

12 | Cryptanalysis of a reduced version of the block cipher E2,” Fast Software Encryption Workshop
- Matsui, okita
(Show Context)
Citation Context ... differential probabilities. [MDSH-function] The MDSH-function consists only of byte-wise exclusive or’s. Approximate values (powers of 2) of truncated differential are obtained by Matsui’s algorithm =-=[7]-=-. 2.3.3 Evaluation for multiple rounds MDSH-functions and the MDSL-functions are put in alternate layers in Hierocrypt–L1 except for the S-boxes and the key additions. As previously stated, the trunca... |

12 |
The block cipher Hierocrypt
- Ohkuma, Muratani, et al.
- 2001
(Show Context)
Citation Context ... is a family of block ciphers whose data randomizing parts consist of the nested SPN structure, which is a hierarchical SPN structure where a higher-level S-box consists of the lower-level SP network =-=[11, 10, 9, 8]-=-. It is easy for the nested SPN structure to achieve a sufficient security level against the differential/linear cryptanalysis, as the number of active S-boxes in each level can be assured hierarchica... |

11 |
Speech Communication
- Heracleous, Shimizu
- 2005
(Show Context)
Citation Context ...nded) by the minimum number of active S-boxes, as the cipher consists of the nested SPN structure. Furthermore, we found that the provable security for a two-round SPN structure proven by Hong et al. =-=[3, 12]-=- is applicable to two consecutive rounds of Hierocrypt–3. The provable security leads to the rigid upper bound of the maximum differential and linear probabilities. We will show the result of evaluati... |

4 |
Proposition of a 64-bit version of Hierocrypt
- Muratani, Ohkuma, et al.
(Show Context)
Citation Context ... is a family of block ciphers whose data randomizing parts consist of the nested SPN structure, which is a hierarchical SPN structure where a higher-level S-box consists of the lower-level SP network =-=[11, 10, 9, 8]-=-. It is easy for the nested SPN structure to achieve a sufficient security level against the differential/linear cryptanalysis, as the number of active S-boxes in each level can be assured hierarchica... |

4 |
Specification and assessment of the cipher Hierocrypt
- Ohkuma, Muratani, et al.
- 2000
(Show Context)
Citation Context ... is a family of block ciphers whose data randomizing parts consist of the nested SPN structure, which is a hierarchical SPN structure where a higher-level S-box consists of the lower-level SP network =-=[11, 10, 9, 8]-=-. It is easy for the nested SPN structure to achieve a sufficient security level against the differential/linear cryptanalysis, as the number of active S-boxes in each level can be assured hierarchica... |

3 |
A revised nested SPN cipher
- Ohkuma, Muratani, et al.
(Show Context)
Citation Context |

3 | Relationships among differential, truncated differential, impossible differential cryptanalyses against word-oriented block ciphers like Rijndael, E2. Presented at AES3. A An equivalent representation of the DES that appears to have unusual properties We
- Sugita, Kobara, et al.
- 2000
(Show Context)
Citation Context ...el 8-bit words. This property uniquely determines the truncated differential probability of mdsL-function, and leads to the fact that truncated Hamming differential is equal to truncated differential =-=[13]-=-. Figure 4 shows approximate values (powers of 2) for the truncated differential probabilities. [MDSH-function] The MDSH-function consists only of byte-wise exclusive or’s. Approximate values (powers ... |

2 |
Performance Evaluation of
- Sano, Koike, et al.
- 2000
(Show Context)
Citation Context ... reference table is used which is the most efficient. Thus, source code is rather large, and it can be decreased. The performance for MISTY-I, a 64-bit block cipher with 128-bit key, is referred from =-=[16]-=-. Table 10: Speed and Memory on smartcard key length ROM RAM encryption algorithm (bits) (bytes) (bytes) (states) (ms @5MHz) Hierocrypt-L1 128 26 2, 447 19, 399 3.88 MISTY-I 128 44 1, 598 25, 486 5.10... |