## The Block Cipher: SEA2 With Provable Resistance Against DC and LC Attacks (1999)

### BibTeX

@MISC{Chang99theblock,
    author = {Shih-hsu Chang and Fang-hsuan Cheng and Wen-hsing Hsu},
    title = {The Block Cipher: SEA2 With Provable Resistance Against DC and LC Attacks},
    year = {1999}
}

### Abstract

This paper describes the block cipher SEA2. SEA2 is an evolutionary improvement of SEA. Modifications were made to increase the diffusion achieved per round, thus allowing for greater security and fewer rounds. Like SEA, SEA2 makes essential use of key-dependent permutations and substitutions to provide protection against differential cryptanalysis (DC) and linear cryptanalysis (LC). Our analysis shows that attacks based on DC and LC do not offer any significant improvement over a brute force attack for 4-round SEA2. The C language implementation of 4-round SEA2 could achieve a speed of about 2.9 Mbytes/sec on a 200 MHz Pentium PC running Windows 95.

Keywords: DES, encryption algorithm, block cipher, S-box, Feistel structure, security

### Citations

1021 |
Applied Cryptography
- Schneier
- 1996
Citation Context ...permutations are key-dependent so that it can avoid linking of plaintexts to inputs to the first F-function and ciphertexts to inputs to the last F-function. This is similar to the Whitening technique[18], which XORs subkeys into the input to the first and last rounds’ F functions to add strength against cryptanalytic attack. Let $KP_{i,1} = (m_1, m_2, m_3, m_4)$ and $KP_{i,2}$ = (n ... |

803 |
Communication theory of secrecy systems
- Shannon
- 1949
Citation Context ...y is the art or science of keeping messages secret. It has become one of the main tools for privacy, trust, access control, electronic payments, corporate security, and countless other fields. Shannon[1]’s principles of confusion and diffusion remain the cornerstone of good block cipher design. The best known and most used block cipher today is DES[2]. The DES-like structure is the “Feistel structure... |

502 | Differential Cryptanalysis of DES-like Cryptosystems
- Biham, Shamir
- 1990
Citation Context ...alyze the security of SEA2 against differential and linear cryptanalysis attacks. 3.1 Differential Cryptanalysis Differential cryptanalysis is a chosen plaintext attack introduced by Biham and Shamir [20]. DC relies on the existence of highly probable characteristics/differentials. The probability of any characteristic is completely determined by the number of active S-boxes and their characteristic p... |

432 |
Linear cryptanalysis method for DES cipher
- Matsui
- 1993
Citation Context ...keys. This fact shows that key-dependent permutations and substitutions could provide high security. 3.2 Linear Cryptanalysis Linear cryptanalysis (LC) is a known plaintext attack introduced by Matsui [22]. It reconstructs the key based on affine linear approximations of the relationships among plaintext bits, ciphertext bits, and key bits. If this linear approximation holds with some probability biase... |

139 |
Cryptography and computer privacy
- Feistel
- 1973
Citation Context ...s principles of confusion and diffusion remain the cornerstone of good block cipher design. The best known and most used block cipher today is DES[2]. The DES-like structure is the “Feistel structure”[3]. It is the basis of most of the block ciphers which have been published since then, including FEAL[4], CAST[5], LOKI97[6], DEAL[7], MAGENTA [8], Blowfish[9], Twofish[10], and DFC[11]. It has the good ... |

111 | The Block Cipher Square
- Daemen, Knudsen, et al.
- 1997
Citation Context ...form non-linearity such that the number of rounds can be reduced; nevertheless, compared with a Feistel cipher, the amount of work per round is increased. SAFER[13], CRYPTON[14], SHARK[15], and SQUARE[16] are some examples of block ciphers based on the SPN architecture. SEA2 adopts the SPN structure in F-function. The design of SEA2 began with a consideration of SEA [17]. Modifications were then made t... |

58 |
The solitaire encryption algorithm
- Schneier
- 1999
Citation Context ...ES-like structure is the “Feistel structure”[3]. It is the basis of most of the block ciphers which have been published since then, including FEAL[4], CAST[5], LOKI97[6], DEAL[7], MAGENTA [8], Blowfish[9], Twofish[10], and DFC[11]. It has the good feature that it is guaranteed to be reversible for all choices of the F-function. SEA2 adopts this structure. ... |

48 | SAFER K-64: A byte-oriented block-ciphering algorithm
- Massey
- 1995
Citation Context ...d input. It has strong diffusion and uniform non-linearity such that the number of rounds can be reduced; nevertheless, compared with a Feistel cipher, the amount of work per round is increased. SAFER[13], CRYPTON[14], SHARK[15], and SQUARE[16] are some examples of block ciphers based on the SPN architecture. SEA2 adopts the SPN structure in F-function. The design of SEA2 began with a consideration of ... |

43 |
Some cryptographic Techniques for Machine-to-Machine Data
- Feistel, Notz, et al.
- 1975
Citation Context ...o be reversible for all choices of the F-function. SEA2 adopts this structure. Another structure is the substitution-permutation network (SPN)[12], which incorporates layers of substitution and permutation. Each round transforms the whole round input. It has strong diffusion and uniform non-linearity such that the number of rounds can be reduce... |

40 |
New structure of block ciphers with provable security against differential and linear cryptanalysis
- Matsui
- 1996
Citation Context ...is the number computed by Eqs. (8) and (10). The differential probability $p_d$ is 0.039062 ($2^{-5}$). The linear probability $p_l$ is 0.041260 ($2^{-4.6}$). The $p_d$ and $p_l$, respectively, are defined as follows [17, 23]: $\alpha = \#\{x \in GF(2^8) \mid S(x) \oplus S(x \oplus \Delta x) = \Delta y\}$, (8) $N_d = \max_{\Delta x \neq 0,\, \Delta y} \alpha$, $p_d(S) = N_d / 2^8$, (9) $\beta = |\#\{x \in GF(2^8) \mid x \cdot \Gamma x = S(x) \cdot \Gamma y\} - 128|$, (10) $N_l = \max_{\Gamma x,\, \Gamma y \neq 0} \beta$, $p_l(S) = (N_l / 128)^2$, (11) ... |

29 | Substitution-permutation networks resistant to differential and linear cryptanalysis
- Heyes, Tavares
Citation Context ...n the existence of highly probable characteristics/differentials. The probability of any characteristic is completely determined by the number of active S-boxes and their characteristic probabilities [24]. In SEA2, changing one bit input to F-function could affect nine active S-boxes (one in S-layer 1 and eight in S-layer 2), and the best characteristic probability $p_d$ of S-boxes is $2^{-5}$. Under the ass... |

27 |
Cryptography: A
- Konheim
- 1981
Citation Context ...” so that bits are in different positions and have equal effects on the product. Changing one input bit could affect one s-box in S-layer 1 and eight s-boxes in S-layer 2. Hence, the avalanche effect [19] of F-function occurs when changing one input bit could affect all output 64 bits. Each output bit is affected by all input 64 bits. The key features in the F-function are: • The design philosophy is ... |

27 | Practically secure feistel ciphers
- Knudsen
- 1993
Citation Context ...eristic probability $p_d$ of S-boxes is $2^{-5}$. Under the assumption of independent and uniform distribution for plaintexts and round keys, the probability $p_{c,r}$ for the r-round characteristic is given by [25] $p_{c,r} = (p_d^{9})^{[r/2]}$, (12) $p_{c,4} = 2^{-90}$, (13) $p_{c,6} = 2^{-135}$. (14) Equation (14) shows that 6-round iterations of F-function have no efficient differential characteristics. ... |

23 | Deal — A 128-bit Block Cipher
- Knudsen
- 1998
Citation Context ...her today is DES[2]. The DES-like structure is the “Feistel structure”[3]. It is the basis of most of the block ciphers which have been published since then, including FEAL[4], CAST[5], LOKI97[6], DEAL[7], MAGENTA [8], Blowfish[9], Twofish[10], and DFC[11]. It has the good feature that it is guaranteed to be reversible for all choices of the F-function. SEA2 adopts this structure. ... |

21 | Constructing symmetric ciphers using the CAST design procedure
- Adams
- 1997
Citation Context ... most used block cipher today is DES[2]. The DES-like structure is the “Feistel structure”[3]. It is the basis of most of the block ciphers which have been published since then, including FEAL[4], CAST[5], LOKI97[6], DEAL[7], MAGENTA [8], Blowfish[9], Twofish[10], and DFC[11]. It has the good feature that it is guaranteed to be reversible for all choices of the F-function. SEA2 adopts this structure. ... |

19 |
V.: The Block Cipher
- Daeman, Knudsen, et al.
- 1997
Citation Context ...iffusion and uniform non-linearity such that the number of rounds can be reduced; nevertheless, compared with a Feistel cipher, the amount of work per round is increased. SAFER[13], CRYPTON[14], SHARK[15], and SQUARE[16] are some examples of block ciphers based on the SPN architecture. SEA2 adopts the SPN structure in F-function. The design of SEA2 began with a consideration of SEA [17]. Modifications ... |

8 |
Differential Cryptanalysis of Lucifer
- Ben-Aroya, Biham
- 1994
Citation Context ...e (15) $p_1^P = p^P(\Delta u \to (\Delta x \mid 0))$, (16) $p_1^F = p^F(0 \to 0) = 1$, (17) $p_2^F = p^F(\Delta x \to \Delta_1)$, (18) $p_3^F = p^F(\Delta_1 \to \Delta_2)$, $\Delta_3 = \Delta x \oplus \Delta_2$, (19) $p_4^F = p^F(\Delta_3 \to \Delta_4)$, $\Delta_5 = \Delta_1 \oplus \Delta_4$, (20) $p_2^P = p^P((\Delta_5 \mid \Delta_3) \leftarrow \Delta v)$. (21) $p^F(\Delta x \to \Delta y)$ denotes the probability that the expected input difference to the function F is $\Delta x$, and that the expected output difference is $\Delta y$. We note that $p^F(\Delta x \to \Delta_1) = 0$ when $\Delta x \neq 0$ and $\Delta_1 = 0$. p... |

5 |
Key-dependency of linear probability of RC5
- Moriai, Aoki, et al.
- 1996
Citation Context ...( 2bi ). 2 i= 1 Below, we briefly discuss the linear approximations of P-function and F-function. The linear approximation to the key-dependent rotation operation $a = b \lll k$ (or $a = b \ggg k$) has bias [26] $b_{rot} = 2^{-6}$, (33) where k is zero everywhere except in the lowest 5 bits. In P-function, each input word through P-function can affect all output words. Each output word is affected by all input fou... |

2 |
The Magenta Block Cipher Algorithm, Presented at the first Advanced Encryption Standard Candidate Conference
- Jacobson, Huber
- 1998
Citation Context ...DES[2]. The DES-like structure is the “Feistel structure”[3]. It is the basis of most of the block ciphers which have been published since then, including FEAL[4], CAST[5], LOKI97[6], DEAL[7], MAGENTA [8], Blowfish[9], Twofish[10], and DFC[11]. It has the good feature that it is guaranteed to be reversible for all choices of the F-function. SEA2 adopts this structure. ... |

1 |
Fast data encipherment algorithm FEAL,” D. Chaum and
- Shimizu, Miyaguchi
- 1988
Citation Context ...known and most used block cipher today is DES[2]. The DES-like structure is the “Feistel structure”[3]. It is the basis of most of the block ciphers which have been published since then, including FEAL[4], CAST[5], LOKI97[6], DEAL[7], MAGENTA [8], Blowfish[9], Twofish[10], and DFC[11]. It has the good feature that it is guaranteed to be reversible for all choices of the F-function. SEA2 adopts this st... |

1 |
Introducing the new LOKI97 block cipher,” Presented at (42
- Brown, Pieprzyk
- 1998
Citation Context ...block cipher today is DES[2]. The DES-like structure is the “Feistel structure”[3]. It is the basis of most of the block ciphers which have been published since then, including FEAL[4], CAST[5], LOKI97[6], DEAL[7], MAGENTA [8], Blowfish[9], Twofish[10], and DFC[11]. It has the good feature that it is guaranteed to be reversible for all choices of the F-function. SEA2 adopts this structure. ... |

1 |
Decorrelated fast cipher,” Presented at the First Advanced Encryption Standard Candidate Conference
- Vaudenay
- 1998
Citation Context ...“Feistel structure”[3]. It is the basis of most of the block ciphers which have been published since then, including FEAL[4], CAST[5], LOKI97[6], DEAL[7], MAGENTA [8], Blowfish[9], Twofish[10], and DFC[11]. It has the good feature that it is guaranteed to be reversible for all choices of the F-function. SEA2 adopts this structure. Another struc... |

1 |
CRYPTON: A new 128-bit block cipher,” Presented at the First Advanced Encryption Standard Candidate Conference
- Lim
- 1998
Citation Context ...as strong diffusion and uniform non-linearity such that the number of rounds can be reduced; nevertheless, compared with a Feistel cipher, the amount of work per round is increased. SAFER[13], CRYPTON[14], SHARK[15], and SQUARE[16] are some examples of block ciphers based on the SPN architecture. SEA2 adopts the SPN structure in F-function. The design of SEA2 began with a consideration of SEA [17]. Mod... |

1 |
The SEA block cipher algorithm
- Chang, Cheng, et al.
Citation Context ...YPTON[14], SHARK[15], and SQUARE[16] are some examples of block ciphers based on the SPN architecture. SEA2 adopts the SPN structure in F-function. The design of SEA2 began with a consideration of SEA [17]. Modifications were then made to increase security and to improve performance. As a result, the new SEA2 has much faster diffusion than SEA. This also allows SEA2 to run with fewer rounds with increa... |

1 |
The RC6 block cipher,” Presented at the First Advanced Encryption Standard Candidate Conference. Available from http://www.nist.gov/aes.
- Rivest, Robshaw, et al.
Citation Context ...e of SEA2 on an 8-bit processor, e.g., Intel’s MCS 51 Microcontroller family [27]. The basic operations can be implemented on an 8-bit processor in the following way (ignoring addressing instructions) [28]: 1. XOR: A 32-bit exclusive-or can be computed using four 8-bit exclusive-ors (XRL). 2. Addition: A 32-bit addition can be computed using four 8-bit additions with carry (ADDC). 3. Multiplication: A 32-bi... |
