Results 1 - 10 of 166

PRESENT: An Ultra-Lightweight Block Cipher
THE PROCEEDINGS OF CHES 2007, 2007
Cited by 167 (19 self)
With the establishment of the AES the need for new block ciphers has been greatly diminished; for almost all block cipher applications the AES is an excellent and preferred choice. However, despite recent implementation advances, the AES is not suitable for extremely constrained environments such as RFID tags and sensor networks. In this paper we describe an ultra-lightweight block cipher, PRESENT. Both security and hardware efficiency have been equally important during the design of the cipher and at 1570 GE, the hardware requirements for PRESENT are competitive with today’s leading compact stream ciphers.

Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms - Design and Analysis
2000
Cited by 94 (4 self)
We present a new 128-bit block cipher called Camellia. Camellia supports 128-bit block size and 128-, 192-, and 256-bit keys, i.e. the same interface specifications as the Advanced Encryption Standard (AES). Efficiency on both software and hardware platforms is a remarkable characteristic of Camellia in addition to its high level of security. It is confirmed that Camellia provides strong security against differential and linear cryptanalysis. Compared to the AES finalists, i.e. MARS, RC6, Rijndael, Serpent, and Twofish, Camellia offers at least comparable encryption speed in software and hardware. An optimized implementation of Camellia in assembly language can encrypt on a Pentium III (800MHz) at the rate of more than 276 Mbits per second, which is much faster than the speed of an optimized DES implementation. In addition, a distinguishing feature is its small hardware design. The hardware design, which includes both encryption and decryption, occupies approximately 11K gates, which is the smallest ...

Cube Attacks on Tweakable Black Box Polynomials
in Proceedings of the 28th Annual International Conference on Advances in Cryptology: The Theory and Applications of Cryptographic Techniques, LNCS 5479, 2009
Cited by 91 (8 self)
Abstract. Almost any cryptographic scheme can be described by tweakable polynomials over GF(2), which contain both secret variables (e.g., key bits) and public variables (e.g., plaintext bits or IV bits). The cryptanalyst is allowed to tweak the polynomials by choosing arbitrary values for the public variables, and his goal is to solve the resultant system of polynomial equations in terms of their common secret variables. In this paper we develop a new technique (called a cube attack) for solving such tweakable polynomials, which is a major improvement over several previously published attacks of the same type. For example, on the stream cipher Trivium with a reduced number of initialization rounds, the best previous attack (due to Fischer, Khazaei, and Meier) requires a barely practical complexity of 2^55 to attack 672 initialization rounds, whereas a cube attack can find the complete key of the same variant in 2^19 bit operations (which take less than a second on a single PC). Trivium with 735 initialization rounds (which could not be attacked by any previous technique) can now be broken with 2^30 bit operations. Trivium with 767 initialization rounds can now be broken with 2^45 bit operations, and the complexity of the attack can almost certainly be further reduced to about 2^36 bit operations. Whereas previous attacks were heuristic, had to be adapted to each cryptosystem, had no general complexity bounds, and were not expected to succeed on random looking polynomials, cube attacks are provably successful when applied to random polynomials of degree d over n secret variables whenever the number m of public variables exceeds d + log_d n. Their complexity is 2^(d−1) n + n^2 bit operations, which is polynomial in n and amazingly low when d is small.
Cube attacks can be applied to any block cipher, stream cipher, or MAC which is provided as a black box (even when nothing is known about its internal structure) as long as at least one output bit can be represented by (an unknown) polynomial of relatively low degree in the secret and public variables.

Survey and Benchmark of Block Ciphers for Wireless Sensor Networks
ACM Transactions on Sensor Networks, 2004
Cited by 89 (1 self)
Choosing the most storage- and energy-efficient block cipher specifically for wireless sensor networks (WSNs) is not as straightforward as it seems. To our knowledge so far, there is no systematic evaluation framework for the purpose. In this paper, we have identified the candidates of block ciphers suitable for WSNs based on existing literature.

The LED Block Cipher
Cryptographic Hardware and Embedded Systems - CHES 2011, volume 6917 of LNCS, 2011
Cited by 71 (7 self)
Abstract. We present a new block cipher LED. While dedicated to compact hardware implementation, and offering the smallest silicon footprint among comparable block ciphers, the cipher has been designed to simultaneously tackle three additional goals. First, we explore the role of an ultra-light (in fact non-existent) key schedule. Second, we consider the resistance of ciphers, and LED in particular, to related-key attacks: we are able to derive simple yet interesting AES-like security proofs for LED regarding related- or single-key attacks. And third, while we provide a block cipher that is very compact in hardware, we aim to maintain a reasonable performance profile for software implementation. Key words: lightweight, block cipher, RFID tag, AES.

Improved Cryptanalysis of Rijndael
2000
Cited by 70 (3 self)
We improve the best attack on Rijndael reduced to 6 rounds from complexity 2^72 to 2^44. We also present the first known attacks on 7- and 8-round Rijndael. The attacks on 8-round Rijndael work for 192-bit and 256-bit keys. Finally, we discuss the key schedule of Rijndael and describe a related-key attack that can break 9-round Rijndael with 256-bit keys.
1 Introduction
Rijndael is one of the five AES candidate ciphers that made it to the second round [DR98]. Rijndael has 10, 12, or 14 rounds, depending on the key size. Previously it was known how to break up to 6 rounds of Rijndael [DR98]. Independently from our work, Gilbert and Minier [GM00] presented an attack on 7 rounds of Rijndael. In section 2, we describe a new partial sum technique that can dramatically reduce the complexity of the 6-round attacks. We also show how to use these ideas to attack 7 and 8 rounds of Rijndael, in some cases using additional known texts (where available) to reduce the workfactor. The attacks ag...

Twofish: A 128-Bit Block Cipher
in First Advanced Encryption Standard (AES) Conference, 1998
Cited by 66 (8 self)
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2^22.5 chosen plaintexts and 2^51 effort.

Biclique Cryptanalysis of the Full AES
In ASIACRYPT 2011, volume 7073 of LNCS, 2011
Cited by 45 (8 self)
Abstract. Since Rijndael was chosen as the Advanced Encryption Standard (AES), improving upon 7-round attacks on the 128-bit key variant (out of 10 rounds) or upon 8-round attacks on the 192/256-bit key variants (out of 12/14 rounds) has been one of the most difficult challenges in the cryptanalysis of block ciphers for more than a decade. In this paper, we present the novel technique of block cipher cryptanalysis with bicliques, which leads to the following results:
- The first key recovery method for the full AES-128 with computational complexity 2^126.1.
- The first key recovery method for the full AES-192 with computational complexity 2^189.7.
- The first key recovery method for the full AES-256 with computational complexity 2^254.4.
- Key recovery methods with lower complexity for the reduced-round versions of AES not considered before, including cryptanalysis of 8-round AES-128 with complexity 2^124.9.
- Preimage search for compression functions based on the full AES versions faster than brute force.
In contrast to most shortcut attacks on AES variants, we do not need to assume related-keys. Most of our techniques only need a very small part of the codebook and have low memory requirements, and are practically verified to a large extent. As our cryptanalysis is of high computational complexity, it does not threaten the practical use of AES in any way.

Attacking Seven Rounds of Rijndael under 192-bit and 256-bit Keys
2000
Cited by 41 (0 self)
The authors of Rijndael [3] describe the "Square attack" as the best known attack against the block cipher Rijndael. If the key size is 128 bit, the attack is faster than exhaustive search for up to six rounds. We extend the Square attack on Rijndael variants with larger keys of 192 bit and 256 bit. Our attacks exploit minor weaknesses of the Rijndael key schedule and are faster than exhaustive search for up to seven rounds of Rijndael.
1 Introduction
The block cipher Rijndael [3] has been proposed as an AES candidate and was selected for the second round. It is a member of a fast-growing family of Square-like ciphers [26]. Rijndael allows both a variable block length of M·32 bit with M ∈ {4, 6, 8} and a variable key length of N·32 bit, N an integer. In the context of this paper we concentrate on M = 4, i.e., on a block length of 128 bit, and on N ∈ {4, 6, 8}, i.e., on key sizes of 128, 192, and 256 bit. We abridge these variants by RD128, RD192 and RD256. The number R of ...