Results 1  10
of
27
KLEIN: A New Family of Lightweight Block Ciphers
"... Resourceefficient cryptographic primitives become fundamental for realizing both security and efficiency in embedded systems like RFID tags and sensor nodes. Among those primitives, lightweight block cipher plays a major role as a building block for security protocols. In this paper, we describe a ..."
Abstract

Cited by 52 (4 self)
 Add to MetaCart
(Show Context)
Resourceefficient cryptographic primitives become fundamental for realizing both security and efficiency in embedded systems like RFID tags and sensor nodes. Among those primitives, lightweight block cipher plays a major role as a building block for security protocols. In this paper, we describe a new family of lightweight block ciphers named KLEIN, which is designed for resourceconstrained devices such as wireless sensors and RFID tags. Compared to the related proposals, KLEIN has advantage in the software performance on legacy sensor platforms, while its hardware implementation can be compact as well.
Quark: A lightweight hash
 in Mangard and Standaert [21
"... The need for lightweight (that is, compact, lowpower, lowenergy) cryptographic hash functions has been repeatedly expressed by professionals, notably to implement cryptographic protocols in RFID technology. At the time of writing, however, no algorithm exists that provides satisfactory security an ..."
Abstract

Cited by 40 (0 self)
 Add to MetaCart
(Show Context)
The need for lightweight (that is, compact, lowpower, lowenergy) cryptographic hash functions has been repeatedly expressed by professionals, notably to implement cryptographic protocols in RFID technology. At the time of writing, however, no algorithm exists that provides satisfactory security and performance. The ongoing SHA3 Competition will not help, as it concerns generalpurpose designs and focuses on software performance. This paper thus proposes a novel design philosophy for lightweight hash functions, based on the sponge construction in order to minimize memory requirements. Inspired by the stream cipher Grain and by the block cipher KATAN (amongst the lightest secure ciphers), we present the hash function family Quark, composed of three instances: uQuark, dQuark, and sQuark. As a sponge construction, Quark can be used for message authentication, stream encryption, or authenticated encryption. Our hardware evaluation shows that Quark compares well to previous tentative lightweight hash functions. For example, our lightest instance uQuark conjecturally provides at least 64bit security against all attacks (collisions, multicollisions, distinguishers, etc.), fits in 1379 gateequivalents, and consumes in average 2.44 µW at 100 kHz in 0.18 µm ASIC. For 112bit security, we propose sQuark, which can be implemented with 2296 gateequivalents with a power consumption of 4.35 µW.
Multiple differential cryptanalysis: Theory and practice
 In Joux [12
"... Abstract. Differential cryptanalysis is a wellknown statistical attack on block ciphers. We present here a generalisation of this attack called multiple differential cryptanalysis. We study the data complexity, the time complexity and the success probability of such an attack and we experimentally ..."
Abstract

Cited by 14 (0 self)
 Add to MetaCart
(Show Context)
Abstract. Differential cryptanalysis is a wellknown statistical attack on block ciphers. We present here a generalisation of this attack called multiple differential cryptanalysis. We study the data complexity, the time complexity and the success probability of such an attack and we experimentally validate our formulas on a reduced version of PRESENT. Finally, we propose a multiple differential cryptanalysis on 18round PRESENT for both 80bit and 128bit master keys.
Spongent: The design space of lightweight cryptographic hashing. IACR Cryptology ePrint Archive
, 2011
"... Abstract. The design of secure yet efficiently implementable cryptographic algorithms is a fundamental problem of cryptography. Lately, lightweight cryptography – optimizing the algorithms to fit the most constrained environments – has received a great deal of attention, the recent research being ma ..."
Abstract

Cited by 9 (0 self)
 Add to MetaCart
(Show Context)
Abstract. The design of secure yet efficiently implementable cryptographic algorithms is a fundamental problem of cryptography. Lately, lightweight cryptography – optimizing the algorithms to fit the most constrained environments – has received a great deal of attention, the recent research being mainly focused on building block ciphers. As opposed to that, the design of lightweight hash functions is still far from being wellinvestigated with only few proposals in the public domain. In this article, we aim to address this gap by exploring the design space of lightweight hash functions based on the sponge construction instantiated with presenttype permutations. The resulting family of hash functions is called spongent. We propose 13 spongent variants – for different levels of collision and (second) preimage resistance as well as for various implementation constraints. For each of them we provide several ASIC hardware implementations ranging from the lowest area to the highest throughput. We make efforts to address the fairness of comparison with other designs in the field by providing an exhaustive hardware evaluation on various technologies, including an open core library. We also prove essential differential properties of spongent permutations, give a security analysis in terms of collision and preimage resistance, as well as study in detail dedicated linear distinguishers.
K.: Links Between Truncated Differential and Multidimensional Linear Properties of Block Ciphers and Underlying Attack Complexities
, 2014
"... Abstract. The mere number of various apparently different statistical attacks on block ciphers has raised the question about their relationships which would allow to classify them and determine those that give essentially complementary information about the security of block ciphers. While mathema ..."
Abstract

Cited by 7 (2 self)
 Add to MetaCart
(Show Context)
Abstract. The mere number of various apparently different statistical attacks on block ciphers has raised the question about their relationships which would allow to classify them and determine those that give essentially complementary information about the security of block ciphers. While mathematical links between some statistical attacks have been derived in the last couple of years, the important link between general truncated differential and multidimensional linear attacks has been missing. In this work we close this gap. The new link is then exploited to relate the complexities of chosenplaintext and knownplaintext distinguishing attacks of differential and linear types, and further, to explore the relations between the keyrecovery attacks. Our analysis shows that a statistical saturation attack is the same as a truncated differential attack, which allows us, for the first time, to provide a justifiable analysis of the complexity of the statistical saturation attack and discuss its validity on 24 rounds of the PRESENT block cipher. By studying the data, time and memory complexities of a multidimensional linear keyrecovery attack and its relation with a truncated differential one, we also show that in most cases a knownplaintext attack can be transformed into a less costly chosenplaintext attack. In particular, we show that there is a differential attack in the chosenplaintext model on 26 rounds of PRESENT with less memory complexity than the best previous attack, which assumes known plaintext. The links between the statistical attacks discussed in this paper give further examples of attacks where the method used to sample the data required by the statistical test is more differentiating than the method used for finding the distinguishing property.
New Links between Differential and Linear Cryptanalysis
 In EUROCRYPT’13, LNCS 7881
, 2013
"... Abstract. Recently, a number of relations have been established among previously known statistical attacks on block ciphers. Leander showed in 2011 that statistical saturation distinguishers are on average equivalent to multidimensional linear distinguishers. Further relations between these two typ ..."
Abstract

Cited by 7 (1 self)
 Add to MetaCart
(Show Context)
Abstract. Recently, a number of relations have been established among previously known statistical attacks on block ciphers. Leander showed in 2011 that statistical saturation distinguishers are on average equivalent to multidimensional linear distinguishers. Further relations between these two types of distinguishers and the integral and zerocorrelation distinguishers were established by Bogdanov et al. [6]. Knowledge about such relations is useful for classification of statistical attacks in order to determine those that give essentially complementary information about the security of block ciphers. The purpose of the work presented in this paper is to explore relations between differential and linear attacks. The mathematical link between linear and differential attacks was discovered by Chabaud and Vaudenay already in 1994, but it has never been used in practice. We will show how to use it for computing accurate estimates of truncated differential probabilities from accurate estimates of correlations of linear approximations. We demonstrate this method in practice and give the first instantiation of multiple differential cryptanalysis using the LLR statistical test on PRESENT. On a more theoretical side, we establish equivalence between a multidimensional linear distinguisher and a truncated differential distinguisher, and show that certain zerocorrelation linear distinguishers exist if and only if certain impossible differentials exist.
On the Distribution of Linear Biases: Three Instructive Examples
 In R. SafaviNaini, R. Canetti (Eds.) CRYPTO 2012, LNCS 7417
"... Abstract. Despite the fact that we evidently have very good block ciphers at hand today, some fundamental questions on their security are still unsolved. One such fundamental problem is to precisely assess the security of a given block cipher with respect to linear cryptanalysis. In by far most of t ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
(Show Context)
Abstract. Despite the fact that we evidently have very good block ciphers at hand today, some fundamental questions on their security are still unsolved. One such fundamental problem is to precisely assess the security of a given block cipher with respect to linear cryptanalysis. In by far most of the cases we have to make (clearly wrong) assumptions, e.g., assume independent roundkeys. Besides being unsatisfactory from a scientific perspective, the lack of fundamental understanding might have an impact on the performance of the ciphers we use. As we do not understand the security sufficiently enough, we often tend to embed a security margin – from an efficiency perspective nothing else than wasted performance. The aim of this paper is to stimulate research on these foundations of block ciphers. We do this by presenting three examples of ciphers that behave differently to what is normally assumed. Thus, on the one hand these examples serve as counter examples to common beliefs and on the other hand serve as a guideline for future work. 1
The Resistance of PRESENT80 Against RelatedKey Differential Attacks
"... Abstract. We examine the security of the 64bit lightweight block cipher PRESENT80 against relatedkey differential attacks. With a computer search we are able to prove that no relatedkey differential characteristic exists with probability higher than 2 −64 for the fullround PRESENT80. To overco ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We examine the security of the 64bit lightweight block cipher PRESENT80 against relatedkey differential attacks. With a computer search we are able to prove that no relatedkey differential characteristic exists with probability higher than 2 −64 for the fullround PRESENT80. To overcome the exponential (in the state and key sizes) computational complexity we use truncated differences, however as the key schedule is not nibble oriented, we switch to actual differences and apply early abort techniques to prune the treebased search. With a new method called extended split approach we are able to make the whole search feasible and we implement and run it in real time. Our approach targets the PRESENT80 cipher however, with small modifications can be reused for other lightweight ciphers as well. 1
RECTANGLE: A Bitslice UltraLightweight Block Cipher Suitable for Multiple Platforms
"... Abstract. In this paper, we propose a new lightweight block cipher named RECTANGLE. The main idea of the design of RECTANGLE is to allow lightweight and fast implementations using bitslice techniques. RECTANGLE uses an SPnetwork. The substitution layer consists of 16 4 × 4 Sboxes in parallel. The ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper, we propose a new lightweight block cipher named RECTANGLE. The main idea of the design of RECTANGLE is to allow lightweight and fast implementations using bitslice techniques. RECTANGLE uses an SPnetwork. The substitution layer consists of 16 4 × 4 Sboxes in parallel. The permutation layer is composed of 3 rotations. As shown in this paper, RECTANGLE offers great performance in both hardware and software environment, which proves enough flexibility for different application scenario. The following are 3 main advantages of RECTANGLE. First, RECTANGLE is extremely hardwarefriendly. For the 80bit key version, a onecycleperround parallel implementation only needs 1467 gates for a throughput of 246 Kbits/sec at 100KHz clock and an energy efficiency of 1.11 pJ/bit. Second, RECTANGLE achieves a very competitive software speed among the existing lightweight block ciphers due to its bitslice style. Using 128bit SSE instructions, a bitslice implementation of RECTANGLE reaches an average encryption speed of about 5.38 cycles/byte for messages around 1000 bytes. Last but not least. We propose new design criteria for 4×4 Sboxes. RECTANGLE uses such a new type of Sbox. Due to our careful selection of the Sbox and the asymmetric design of the permutation layer, RECTANGLE achieves a very good securityperformance tradeoff. Our extensive and deep security analysis finds distinguishers for up to 14 rounds only, and the highest number of rounds that we can attack, is 18 (out of 25).
Improved Linear Cryptanalysis of Round Reduced SIMON
"... Abstract. SIMON is a family of ten lightweight block ciphers published by Beaulieu et al. from U.S. National Security Agency (NSA). A cipher in this family with Kbit key and Nbit block is called SIMON N/K. In this paper we investigate the security of SIMON against different variants of linear cryp ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
(Show Context)
Abstract. SIMON is a family of ten lightweight block ciphers published by Beaulieu et al. from U.S. National Security Agency (NSA). A cipher in this family with Kbit key and Nbit block is called SIMON N/K. In this paper we investigate the security of SIMON against different variants of linear cryptanalysis, i.e., classic linear, multiple linear and linear hull attacks. We present a connection between linear characteristic and differential characteristic, multiple linear and differential and linear hull and differential, and employ it to adapt the current known results on differential cryptanalysis of SIMON to linear cryptanalysis of this block cipher. Our best linear cryptanalysis covers SIMON 32/64 reduced to 20 rounds out of 32 rounds with the data complexity 231.69 and time complexity 259.69. We have implemented our attacks for small scale variants of SIMON and our experiments confirm the theoretical bias presented in this work. So far, our results are the best known with respect to linear cryptanalysis for any variant of SIMON.