Results 1 - 10 of 32
Tweakable block ciphers, 2002
Abstract

Cited by 153 (4 self)
Abstract. We propose a new cryptographic primitive, the “tweakable block cipher.” Such a cipher has not only the usual inputs—message and cryptographic key—but also a third input, the “tweak.” The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our proposal thus brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher “tweakable” is small, and (3) it is easier to design and prove modes of operation based on tweakable block ciphers.
Advanced Slide Attacks, 2000
Abstract

Cited by 69 (6 self)
Abstract. Recently a powerful cryptanalytic tool—the slide attack—was introduced [3]. Slide attacks are very successful in breaking iterative ciphers with a high degree of self-similarity and even more surprisingly are independent of the number of rounds of a cipher. In this paper we extend the applicability of slide attacks to a larger class of ciphers. We find very efficient known- and chosen-text attacks on generic Feistel ciphers with a periodic key-schedule with four independent subkeys, and consequently we are able to break a DES variant proposed in [2] using just 128 chosen texts and negligible time for the analysis (for one out of every 2^16 keys). We also describe known-plaintext attacks on DESX and Even-Mansour schemes with the same complexity as the best previously known chosen-plaintext attacks on these ciphers. Finally, we provide new insight into the design of GOST by successfully analyzing a 20-round variant (GOST⊕) and demonstrating weak key classes for all 32 rounds.
A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms
Proceedings of EUROCRYPT 2003, 2003
Abstract

Cited by 21 (2 self)
This paper presents two algorithms for solving the linear and the affine equivalence problem for arbitrary permutations (S-boxes). For a pair of n × n-bit permutations the complexity of the linear equivalence algorithm (LE) is O(n^3 2^n). The affine equivalence algorithm (AE) has complexity O(n^3 2^{2n}). The algorithms are efficient and allow the study of linear and affine equivalences for bijective S-boxes of all popular sizes (LE is efficient up to n ≤ 32). Using these tools new equivalent representations are found for a variety of ciphers: Rijndael, DES, Camellia, Serpent, Misty, Kasumi, Khazad, etc. The algorithms are furthermore extended to the case of non-bijective n-to-m-bit S-boxes with a small value of n − m, and to the case of almost equivalent S-boxes. The algorithms also provide new attacks on a generalized Even-Mansour scheme. Finally, the paper defines a new problem of S-box decomposition in terms of Substitution-Permutation Networks (SPN) with layers of smaller S-boxes. Simple information-theoretic bounds are proved for such decompositions.
Tight Security Bounds for Key-Alternating Ciphers
Abstract

Cited by 19 (1 self)
A t-round key-alternating cipher (also called iterated Even-Mansour cipher) can be viewed as an abstraction of AES. It defines a cipher E from t fixed public permutations P_1, ..., P_t: {0,1}^n → {0,1}^n and a key k = k_0 ‖ ··· ‖ k_t ∈ {0,1}^{n(t+1)} by setting E_k(x) = k_t ⊕ P_t(k_{t−1} ⊕ P_{t−1}(··· k_1 ⊕ P_1(k_0 ⊕ x) ···)). The indistinguishability of E_k from a truly random permutation by an adversary who also has oracle access to the (public) random permutations P_1, ..., P_t was investigated in 1997 by Even and Mansour for t = 1 and for higher values of t in a series of recent papers. For t = 1, Even and Mansour proved indistinguishability security up to 2^{n/2} queries, which is tight. Much later Bogdanov et al. (2011) conjectured that security should be 2^{tn/(t+1)} queries for general t, which matches an easy distinguishing attack (so security cannot be more). A number of partial results have been obtained supporting this conjecture, besides Even and Mansour’s original result for t = 1: Bogdanov et al. proved security of 2^{2n/3} for t ≥ 2, Steinberger (2012) proved security of 2^{3n/4} for t ≥ 3, and Lampe, Patarin and Seurin (2012) proved security of 2^{tn/(t+2)} for all even values of t, thus “barely” falling short of the desired 2^{tn/(t+1)}. Our contribution in this work is to prove the long-sought-for security bound of 2^{tn/(t+1)}, up to a constant multiplicative factor depending on t. Our method is essentially an application of Patarin’s H-coefficient technique. The proof contains some coupling-like and inclusion-exclusion ideas, but the main trick that pushes the computations through is to stick with the combinatorics and to refrain from rounding any quantities too early. For the reader’s interest, we include a self-contained tutorial on the H-coefficient technique.
An Asymptotically Tight Security Analysis of the Iterated Even-Mansour Cipher
In Advances in Cryptology - ASIACRYPT 2012, 18th International Conference on the Theory and Application of Cryptology and Information Security
Abstract

Cited by 14 (2 self)
Abstract. We analyze the security of the iterated Even-Mansour cipher (a.k.a. key-alternating cipher), a very simple and natural construction of a block cipher in the random permutation model. This construction, first considered by Even and Mansour (J. Cryptology, 1997) with a single permutation, was recently generalized to use t permutations in the work of Bogdanov et al. (EUROCRYPT 2012). They proved that the construction is secure up to O(N^{2/3}) queries (where N is the domain size of the permutations), as soon as the number t of rounds is 2 or more. This is tight for t = 2; however, in the general case the best known attack requires Ω(N^{t/(t+1)}) queries. In this paper, we give asymptotically tight security proofs for two types of adversaries: 1. for non-adaptive chosen-plaintext adversaries, we prove that the construction achieves an optimal security bound of O(N^{t/(t+1)}) queries; 2. for adaptive chosen-plaintext and ciphertext adversaries, we prove that the construction achieves security up to O(N^{t/(t+2)}) queries (for t even). This improves previous results for t ≥ 6. Our proof crucially relies on the use of a coupling to upper-bound the statistical distance of the outputs of the iterated Even-Mansour cipher to the uniform distribution.
Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA
Proceedings of the 1997 International Conference on Information and Communications Security, 1997
Abstract

Cited by 10 (0 self)
We present new related-key attacks on the block ciphers 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. Differential related-key attacks allow both keys and plaintexts to be chosen with specific differences [KSW96]. Our attacks build on the original work, showing how to adapt the general attack to deal with the difficulties of the individual algorithms. We also give specific design principles to protect against these attacks.
Cryptanalysis of Round-Reduced LED
In: Fast Software Encryption, FSE 2013, LNCS, 2013
Abstract

Cited by 7 (0 self)
Abstract. In this paper we present known-plaintext single-key and chosen-key attacks on round-reduced LED-64 and LED-128. We show that with an application of the recently proposed slidex attacks [7], one immediately improves the complexity of the previous single-key 4-step attack on LED-128. Further, we explore the possibility of multicollisions and show single-key attacks on 6 steps of LED-128. A generalization of our multicollision attack leads to the statement that no 6-round cipher with two subkeys that alternate, or 2-round cipher with linearly dependent subkeys, is secure in the single-key model. Next, we exploit the possibility of finding pairs of inputs that follow a certain differential rather than a differential characteristic, and obtain chosen-key differential distinguishers for 5-step LED-64, as well as 8-step and 9-step LED-128. We provide examples of inputs that follow the 8-step differential, i.e. we are able to practically confirm our results on 2/3 of the steps of LED-128. We introduce a new type of chosen-key differential distinguisher, called random-difference distinguisher, and successfully penetrate 10 of the total 12 steps of LED-128. We show that this type of attack is generic in the chosen-key model, and can be applied to any 10-round cipher with two alternating subkeys.
LS-designs: Bitslice encryption for efficient masked software implementations. To appear in the proceedings of FSE 2014, available at http://www.uclouvain.be/crypto/people/show/382
Vincent Grosso, Gaëtan Leurent, François-Xavier Standaert, Kerem Varici, François Durvaux, Lubos
2014
Abstract

Cited by 7 (0 self)
Abstract. Side-channel analysis is an important issue for the security of embedded cryptographic devices, and masking is one of the most investigated solutions to mitigate such attacks. In this context, efficient masking has recently been considered as a possible criterion for new block cipher designs. Previous proposals in this direction were applicable to different types of masking schemes (e.g. Boolean and polynomial). In this paper, we study possible optimizations when specializing the designs to Boolean masking. For this purpose, we first observe that bitslice ciphers have interesting properties for improving both the efficiency and the regularity of masked software implementations. Next we specify a family of block ciphers (denoted as LS-designs) that can systematically take advantage of bitslicing in a principled manner. Eventually, we evaluate both the security and performance of such designs and two of their instances, confirming excellent properties for physically secure applications.
Eliminating Random Permutation Oracles in the Even-Mansour Cipher
Abstract

Cited by 4 (0 self)
Abstract. Even and Mansour [EM97] proposed a block cipher construction that takes a publicly computable random permutation oracle P and XORs different keys prior to and after applying P: C = k_2 ⊕ P(M ⊕ k_1). They did not, however, describe how one could instantiate such a permutation securely. It is a fundamental open problem whether their construction could be proved secure outside the random permutation oracle model. We resolve this question in the affirmative by showing that the construction can be proved secure in the random function oracle model. In particular, we show that the random permutation oracle in their scheme can be replaced by a construction that utilizes a four-round Feistel network (where each round function is a random function oracle publicly computable by all parties including the adversary). Further, we prove that the resulting cipher is super pseudorandom – the adversary’s distinguishing advantage is at most 2q^2/2^n if he makes q total queries to the cipher, its inverse, as well as any random oracles. Even and Mansour, on the other hand, only showed security against inversion and forgery. One noteworthy aspect of this result is that the cipher remains secure even though the adversary is permitted separate oracle access to all of the round functions. One can achieve a twofold and fourfold reduction respectively in the amount of key material by a closer inspection of the proof and by instantiating the scheme using group operations other than exclusive-OR. On the negative side, a straightforward adaption of an advanced slide attack recovers the 4n-bit key with approximately √2 · 2^n work using roughly √2 · 2^n known plaintexts. Finally, if only three Feistel rounds are used, the resulting cipher is pseudorandom, but not super pseudorandom.
Related-Key Attacks on Triple-DES and DESX Variants
In Topics in Cryptology - The Cryptographer’s Track at RSA Conference (CT-RSA ’04) (2004), T. Okamoto, Ed., LNCS 2964
Abstract

Cited by 3 (1 self)
Abstract. In this paper, we present related-key slide attacks on 2-key and 3-key triple-DES, and related-key differential and slide attacks on two variants of DESX. First, we show that 2-key and 3-key triple-DES are susceptible to related-key slide attacks. The only previously known such attacks are related-key differential attacks on 3-key triple-DES. Second, we present a related-key differential attack on DESX+, a variant of DESX with its pre- and post-whitening XOR operations replaced with addition modulo 2^64. Our attack shows a counter-intuitive result, that DESX+ is weaker than DESX against a related-key attack. Third, we present the first known attacks on DES-EXE, another variant of DESX where the XOR operations and DES encryptions are interchanged. Further, our attacks show that DES-EXE is also weaker than DESX against a related-key attack. This work suggests that extreme care has to be taken when proposing variants of popular block ciphers, that it is not always newer variants that are more resistant to attacks.