Results 1 - 10 of 79
How to protect DES against exhaustive key search
Journal of Cryptology, 1996
Cited by 101 (12 self)
Abstract. The block cipher DESX is defined by $\mathrm{DESX}_{k:k1:k2}(x) = k2 \oplus \mathrm{DES}_k(k1 \oplus x)$, where $\oplus$ denotes bitwise exclusive-or. This construction was first suggested by Rivest as a computationally-cheap way to protect DES against exhaustive key-search attacks. This paper proves, in a formal model, that the DESX construction is sound. We show that, when F is an idealized block cipher, FX
MDx-MAC and Building Fast MACs from Hash Functions
1995
Cited by 93 (10 self)
We consider the security of message authentication code (MAC) algorithms, and the construction of MACs from fast hash functions. A new forgery attack applicable to all iterated MAC algorithms is described, the first known such attack requiring fewer operations than exhaustive key search. Existing methods for constructing MACs from hash functions, including the secret prefix, secret suffix, and envelope methods, are shown to be unsatisfactory. Motivated by the absence of a secure, fast MAC algorithm not based on encryption, a new generic construction (MDx-MAC) is proposed for transforming any secure hash function of the MD4-family into a secure MAC of equal or smaller bitlength and comparable speed.
Breaking DES Using a Molecular Computer
1995
Cited by 70 (4 self)
Recently Adleman [1] has shown that a small traveling salesman problem can be solved by molecular operations. In this paper we show how the same principles can be applied to breaking the Data Encryption Standard (DES). Our method is based on an encoding technique presented in Lipton [8]. We describe in detail a library of operations which are useful when working with a molecular computer. We estimate that given one arbitrary (plaintext, ciphertext) pair, one can recover the DES key in about 4 months of work. Furthermore, if one is given ciphertext, but the plain text is only known to be one of several candidates then it is still possible to recover the key in about 4 months of work. Finally, under chosen ciphertext attack it is possible to recover the DES key in one day using some preprocessing. 1 Introduction Due to advances in molecular biology it is nowadays possible to create a soup of roughly $10^{18}$ DNA strands that fits in a small glass of water. Adleman [1] has shown that e...
Twofish: A 128-Bit Block Cipher
in First Advanced Encryption Standard (AES) Conference, 1998
Cited by 66 (8 self)
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over $\mathrm{GF}(2^8)$, a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with $2^{22.5}$ chosen plaintexts and $2^{51}$ effort.
The ESP DES-CBC Cipher Algorithm With Explicit IV, RFC 2405
1998
Cited by 61 (1 self)
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (1998). All Rights Reserved. This document describes the use of the DES Cipher algorithm in Cipher Block Chaining Mode, with an explicit IV, as a confidentiality mechanism within the context of the IPSec Encapsulating Security Payload (ESP). 1.
On Applying Molecular Computation To The Data Encryption Standard
Cited by 53 (2 self)
this paper we consider the so called plaintext-ciphertext attack. Here the cryptanalyst obtains a plaintext and its corresponding ciphertext and wishes to determine the key used to perform the encryption. The most naive approach to this problem is to try all 2
Breaking Ciphers with COPACOBANA - A Cost-Optimized Parallel Code Breaker
IN WORKSHOP ON CRYPTOGRAPHIC HARDWARE AND EMBEDDED SYSTEMS — CHES 2006, YOKOHAMA, 2006
Cited by 42 (14 self)
Cryptanalysis of symmetric and asymmetric ciphers is computationally extremely demanding. Since the security parameters (in particular the key length) of almost all practical crypto algorithms are chosen such that attacks with conventional computers are computationally infeasible, the only promising way to tackle existing ciphers (assuming no mathematical breakthrough) is to build special-purpose hardware. Dedicating those machines to the task of cryptanalysis holds the promise of a dramatically improved cost-performance ratio so that breaking of commercial ciphers comes within reach. This contribution presents the design and realization of the COPACOBANA (Cost-Optimized Parallel Code Breaker) machine, which is optimized for running cryptanalytical algorithms and can be realized for less than US $10,000. It will be shown that, depending on the actual algorithm, the architecture can outperform conventional computers by several orders in magnitude. COPACOBANA hosts 120 low-cost FPGAs and is able to, e.g., perform an exhaustive key search of the Data Encryption Standard (DES) in less than nine days on average. As a real-world application, our architecture can be used to attack machine readable travel documents (ePass). COPACOBANA is intended, but not necessarily restricted to solving problems related to cryptanalysis. The hardware architecture is suitable for computational problems which are parallelizable and have low communication requirements. The hardware can be used, e.g., to attack elliptic curve cryptosystems and to factor numbers. Even though breaking full-size RSA (1024 bit or more) or elliptic curves (ECC with 160 bit or more) is out of reach with COPACOBANA, it can be used to analyze cryptosystems with a (deliberately chosen) small bitlength to provide reliable security estimates of RSA and ECC by extrapolation.
Fast DES Implementations for FPGAs and its Application to a Universal Key-Search Machine
Queen's University
Cited by 36 (5 self)
Most modern security protocols and security applications are defined to be algorithm independent, that is, they allow a choice from a set of cryptographic algorithms for the same function. Therefore a key-search machine which is also defined to be algorithm independent might be interesting. We researched the feasibility of a universal key-search machine using the Data Encryption Standard (DES) as an example algorithm. Field Programmable Gate Arrays (FPGA) provide an ideal match for an algorithm independent cracker as they can switch algorithms on-the-fly and run much faster than software. We designed, implemented and compared various architecture options of DES with strong emphasis on high-speed performance. Techniques like pipelining and loop unrolling were used and their effectiveness for DES on FPGAs investigated. The most interesting result is that we could achieve data rates of up to 403 Mbit/s using a standard Xilinx FPGA. This result is by a factor 31 faster than software imp...
Secure Applications of Low-Entropy Keys
LECTURE NOTES IN COMPUTER SCIENCE, 1998
Cited by 34 (2 self)
We introduce the notion of key stretching, a mechanism to convert short s-bit keys into longer keys, such that the complexity required to brute-force search a s + t-bit keyspace is the same as the time required to brute-force search a s-bit key stretched by t bits.
DEAL - A 128-bit Block Cipher
NIST AES Proposal, 1998
Cited by 31 (0 self)
We propose a new block cipher, DEAL, based on the DES (DEA). DEAL has a block size of 128 bits and allows for three key sizes of 128, 192, and 256 bits respectively. Our proposal has several advantages to other schemes: because of the large blocks, the problem of the "matching ciphertext attacks" is made small, and the encryption rate is similar to that of triple-DES. We conjecture that the most realistic (or the least unrealistic) attack on all versions of DEAL is an exhaustive search for the keys. We have suggested ANSI to include DEAL in the ANSI standard X9.52. We also suggest DEAL as a candidate for the NIST AES standard. 1 Introduction The DES (or DEA) [14] is a 64-bit block cipher taking a 64-bit key, of which 56 bits are effective. It is an iterated 16-round cipher, where the ciphertext is processed by applying a round function iteratively to the plaintext. The DES has a so-called Feistel structure: in each round one half of the ciphertext is fed through a nonlinear f...