The Block Cipher SQUARE
FAST SOFTWARE ENCRYPTION (FSE) 1997
, 1997
In this paper we present a new 128-bit block cipher called Square. The original design of Square concentrates on resistance against differential and linear cryptanalysis. However, after the initial design a dedicated attack was mounted that forced us to augment the number of rounds. The goal of this paper is the publication of the resulting cipher for public scrutiny. A C implementation of Square is available that runs at 2.63 MByte/s on a 100 MHz Pentium. Our M68HC05 Smart Card implementation fits in 547 bytes and takes less than 2 msec. (4 MHz clock). The high degree of parallelism allows hardware implementations in the Gbit/s range today.
Tweakable block ciphers
, 2002
Abstract. We propose a new cryptographic primitive, the “tweakable block cipher.” Such a cipher has not only the usual inputs—message and cryptographic key—but also a third input, the “tweak.” The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our proposal thus brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation level. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher “tweakable” is small, and (3) it is easier to design and prove modes of operation based on tweakable block ciphers.
Truncated and Higher Order Differentials
Fast Software Encryption: Second International Workshop, Leuven, Belgium, LNCS 1008
, 1995
In [6] higher order derivatives of discrete functions were considered and the concept of higher order differentials was introduced. We introduce the concept of truncated differentials and present attacks on ciphers presumably secure against differential attacks, but vulnerable to attacks using higher order and truncated differentials. We also give a differential attack using truncated differentials on DES reduced to 6 rounds using only 46 chosen plaintexts with an expected running time of about the time of 3,500 encryptions. Finally, it is shown how to find a minimum nonlinear order of a block cipher using higher order differentials.
Markov Ciphers and Differential Cryptanalysis
Advances in Cryptology: CRYPTO '91
, 1991
This paper considers the security of iterated block ciphers against the differential cryptanalysis introduced by Biham and Shamir. Differential cryptanalysis is a chosen-plaintext attack on secret-key block ciphers that are based on iterating a cryptographically weak function r times (e.g., the 16-round Data Encryption Standard (DES)). It is shown that the success of such attacks on an r-round cipher depends on the existence of (r-1)-round differentials that have high probabilities, where an i-round differential is defined as a couple ##; # # such that a pair of distinct plaintexts with difference # can result in a pair of ith round outputs that have difference #, for an appropriate notion of "difference". The probabilities of such differentials can be used to determine a lower bound on the complexity of a differential cryptanalysis attack and to show when an r-round cipher is not vulnerable to such attacks. The concept of "Markov ciphers" is introduced for iterated ciphers because of its significance in differential cryptanalysis. If an iterated cipher is Markov and its round subkeys are independent, then the sequence of differences at each round output forms a Markov chain. It follows from a result of Biham and Shamir that DES is a Markov cipher. It is shown that, for the appropriate notion of "difference", the Proposed Encryption Standard (PES) of Lai and Massey, which is an 8-round iterated cipher, is a Markov cipher, as are the mini-versions of PES with block lengths 8, 16 and 32 bits. It is shown that PES(8) and PES(16) are immune to differential cryptanalysis after sufficiently many rounds. A detailed cryptanalysis of the full-size PES is given and shows that the very plausibly most probable 7-round differential has a probability about 2
Side Channel Cryptanalysis of Product Ciphers
JOURNAL OF COMPUTER SECURITY
, 1998
Building on the work of Kocher [Koc96], and of Kelsey, Schneier, Wagner and Hall [KSWH98], we discuss the notion of side-channel cryptanalysis: cryptanalysis using implementation data. We discuss the notion of side-channel attacks and the vulnerabilities they introduce, demonstrate side-channel attacks against three product ciphers (a timing attack against IDEA, a processor-flag attack against RC5, and a Hamming weight attack against DES), and then generalize our research to other cryptosystems.
Codes, bent functions and permutations suitable for DES-like cryptosystems
, 1998
Almost bent functions offer optimum resistance to linear and differential cryptanalysis. We present basic properties of almost bent functions; in particular we give an upper bound on the degree. We develop the “coding theory” point of view for studying the existence of almost bent functions, showing explicitly the links with cyclic codes. We also give new characterizations of almost bent functions by means of associated Boolean functions.