Author

Doug Whiting

Bio: Doug Whiting is an academic researcher from Hifn. The author has contributed to research in topics: Twofish & Block cipher. The author has an h-index of 13, and has co-authored 17 publications receiving 1649 citations.

Papers
Book Chapter
10 Apr 2000
TL;DR: The best attack on Rijndael reduced to 6 rounds is improved from complexity 2^72 to 2^44, and a related-key attack that can break 9-round Rijndael with 256-bit keys is described.
Abstract: We improve the best attack on Rijndael reduced to 6 rounds from complexity 2^72 to 2^44. We also present the first known attacks on 7- and 8-round Rijndael. The attacks on 8-round Rijndael work for 192-bit and 256-bit keys. Finally, we discuss the key schedule of Rijndael and describe a related-key attack that can break 9-round Rijndael with 256-bit keys.

478 citations

Book
23 Apr 1999
TL;DR: Twofish Design Goals, Performance of Twofish, Cryptanalysis of Twofish, and Conclusions and Further Work.
Abstract: Twofish Design Goals. Twofish Building Blocks. Twofish. Performance of Twofish. Twofish Design Philosophy. The Design of Twofish. Design of the Twofish Key Schedule. Cryptanalysis of Twofish. Using Twofish. Historical Remarks. Conclusions and Further Work. References. Index.

223 citations

Book Chapter
24 Feb 2003
TL;DR: Helix is a high-speed stream cipher with a built-in MAC functionality that with some pre-computation can effectively switch keys on a per-message basis without additional overhead.
Abstract: Helix is a high-speed stream cipher with a built-in MAC functionality. On a Pentium II CPU it is about twice as fast as Rijndael or Twofish, and comparable in speed to RC4. The overhead per encrypted/authenticated message is low, making it suitable for small messages. It is efficient in both hardware and software, and with some pre-computation can effectively switch keys on a per-message basis without additional overhead.

166 citations

Book Chapter
16 Aug 2001
TL;DR: It is shown that there is a very straightforward closed algebraic formula for the Rijndael block cipher, which is highly structured and far simpler than algebraic formulations of any other block cipher the authors know.
Abstract: We show that there is a very straightforward closed algebraic formula for the Rijndael block cipher. This formula is highly structured and far simpler than algebraic formulations of any other block cipher we know. The security of Rijndael depends on a new and untested hardness assumption: it is computationally infeasible to solve equations of this type. The lack of research on this new assumption raises concerns over the wisdom of using Rijndael for security-critical applications.

157 citations

Journal Article
TL;DR: Helix, as discussed by the authors, is a high-speed stream cipher with a built-in MAC functionality; on a Pentium II CPU it is about twice as fast as Rijndael or Twofish, and comparable in speed to RC4.
Abstract: Helix is a high-speed stream cipher with a built-in MAC functionality. On a Pentium II CPU it is about twice as fast as Rijndael or Twofish, and comparable in speed to RC4. The overhead per encrypted/authenticated message is low, making it suitable for small messages. It is efficient in both hardware and software, and with some pre-computation can effectively switch keys on a per-message basis without additional overhead.

142 citations


Cited by
Book
14 Feb 2002
TL;DR: The underlying mathematics and the wide trail strategy as the basic design idea are explained in detail and the basics of differential and linear cryptanalysis are reworked.
Abstract: 1. The Advanced Encryption Standard Process.- 2. Preliminaries.- 3. Specification of Rijndael.- 4. Implementation Aspects.- 5. Design Philosophy.- 6. The Data Encryption Standard.- 7. Correlation Matrices.- 8. Difference Propagation.- 9. The Wide Trail Strategy.- 10. Cryptanalysis.- 11. Related Block Ciphers.- Appendices.- A. Propagation Analysis in Galois Fields.- A.1.1 Difference Propagation.- A.1.2 Correlation.- A.1.4 Functions that are Linear over GF(2).- A.2.1 Difference Propagation.- A.2.2 Correlation.- A.2.4 Functions that are Linear over GF(2).- A.3.3 Dual Bases.- A.4.2 Relationship Between Trace Patterns and Selection Patterns.- A.4.4 Illustration.- A.5 Rijndael-GF.- B. Trail Clustering.- B.1 Transformations with Maximum Branch Number.- B.2 Bounds for Two Rounds.- B.2.1 Difference Propagation.- B.2.2 Correlation.- B.3 Bounds for Four Rounds.- B.4 Two Case Studies.- B.4.1 Differential Trails.- B.4.2 Linear Trails.- C. Substitution Tables.- C.1 SRD.- C.2 Other Tables.- C.2.1 xtime.- C.2.2 Round Constants.- D. Test Vectors.- D.1 KeyExpansion.- D.2 Rijndael(128,128).- D.3 Other Block Lengths and Key Lengths.- E. Reference Code.

3,444 citations

Book Chapter
01 Dec 2002
TL;DR: In this article, the security of S-boxes in block ciphers was studied under an additional hypothesis that the S-box can be described by an overdefined system of algebraic equations.
Abstract: Several recently proposed ciphers, for example Rijndael and Serpent, are built with layers of small S-boxes interconnected by linear key-dependent layers. Their security relies on the fact that the classical methods of cryptanalysis (e.g. linear or differential attacks) are based on probabilistic characteristics, which makes their security grow exponentially with the number of rounds Nr. In this paper we study the security of such ciphers under an additional hypothesis: the S-box can be described by an overdefined system of algebraic equations (true with probability 1). We show that this is true for both Serpent (due to a small size of S-boxes) and Rijndael (due to unexpected algebraic properties). We study general methods known for solving overdefined systems of equations, such as XL from Eurocrypt'00, and show their inefficiency. Then we introduce a new method called XSL that uses the sparsity of the equations and their specific structure. The XSL attack uses only relations true with probability 1, and thus the security does not have to grow exponentially in the number of rounds. XSL has a parameter P, and from our estimations it seems that P should be a constant or grow very slowly with the number of rounds. The XSL attack would then be polynomial (or subexponential) in Nr, with a huge constant that is double-exponential in the size of the S-box. The exact complexity of such attacks is not known due to the redundant equations. Though the presented version of the XSL attack always gives more than the exhaustive search for Rijndael, it seems to (marginally) break 256-bit Serpent. We suggest a new criterion for design of S-boxes in block ciphers: they should not be describable by a system of polynomial equations that is too small or too overdefined.

844 citations

Posted Content
TL;DR: This work considers two possible notions of authenticity for authenticated encryption schemes, namely integrity of plaintexts and integrity of ciphertexts, and relates them to the standard notions of privacy IND-CCA and NM-CPA by presenting implications and separations between all notions considered.
Abstract: An authenticated encryption scheme is a symmetric encryption scheme whose goal is to provide both privacy and integrity. We consider two possible notions of authenticity for such schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them (when coupled with IND-CPA) to the standard notions of privacy (IND-CCA,NM-CPA) by presenting implications and separations between all notions considered. We then analyze the security of authenticated encryption schemes designed by “generic composition,” meaning making blackbox use of a given symmetric encryption scheme and a given MAC. Three composition methods are considered, namely Encrypt-and-MAC, MAC-then-encrypt, and Encrypt-then-MAC. For each of these, and for each notion of security, we indicate whether or not the resulting scheme meets the notion in question assuming the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack. We provide proofs for the cases where the answer is “yes” and counter-examples for the cases where the answer is “no.”

774 citations

01 Jan 2000
TL;DR: This document describes the sensor network constraints and key management approaches research for FY 2000, and examines both existing and NAI Labs-developed keying protocols for their suitability at satisfying identified requirements while overcoming battlefield energy constraints.
Abstract: Executive Summary Confidentiality, integrity, and authentication services are critical to preventing an adversary from compromising the security of a distributed sensor network. Key management is likewise critical to establishing the keys necessary to provide this protection. However, providing key management is difficult due to the ad hoc nature, intermittent connectivity, and resource limitations of the sensor network environment. As part of the SensIT program, NAI Labs is addressing this problem by identifying and developing cryptographic protocols and mechanisms that efficiently provide key management security support services. This document describes our sensor network constraints and key management approaches research for FY 2000. As a first step, NAI Labs has researched battlefield sensor and sensor network technology and the unique communications environment in which it will be deployed. We have identified the requirements specific to our problem of providing key management for confidentiality and group-level authentication. We have also identified constraints, particularly energy consumption, that render this problem difficult. NAI Labs has developed novel key management protocols specifically designed for the distributed sensor network environment, including Identity-Based Symmetric Keying and Rich Uncle. We have analyzed both existing and NAI Labs-developed keying protocols for their suitability at satisfying identified requirements while overcoming battlefield energy constraints. Our research has focused heavily on key management energy consumption, evaluating protocols based on total system, average sensor node, and individual sensor node energy consumption. We examined a number of secret-key-based protocols, determining some to be suitable for sensor networks but all of the protocols have flexibility limitations. 
Secret-key-based protocols are generally energy-efficient, using encryption and hashing algorithms that consume relatively little energy. Security of secret-key-based protocols is generally determined by the granularity of established keys, which varies widely for the protocols described herein. During our examination of these protocols we noted that some of these protocols are not sufficiently flexible for use in battlefield sensor networks, since they cannot efficiently handle unanticipated additions of sensor nodes to the network. Our Identity-Based Symmetric Keying protocol and the less efficient Symmetric Key Certificate Based Protocol are well suited for certain sensor networks, establishing granular keys while consuming relatively little energy. However, all of the secure secret-key-based protocols use special nodes that operate as Key Distribution Centers (or Translators). The sensor nodes communicate with these centers, exchanging information as part of the key establishment process. Since these special nodes are expected to make up less than 1% of the sensor …

743 citations

Proceedings Article
09 May 2004
TL;DR: This paper presents an implementation of SWATT in off-the-shelf sensor network devices, which enables us to verify the contents of the program memory even while the sensor node is running.
Abstract: We expect a future where we are surrounded by embedded devices, ranging from Java-enabled cell phones to sensor networks and smart appliances. An adversary can compromise our privacy and safety by maliciously modifying the memory contents of these embedded devices. In this paper, we propose a softWare-based attestation technique (SWATT) to verify the memory contents of embedded devices and establish the absence of malicious changes to the memory contents. SWATT does not need physical access to the device's memory, yet provides memory content attestation similar to TCG or NGSCB without requiring secure hardware. SWATT can detect any change in memory contents with high probability, thus detecting viruses, unexpected configuration settings, and Trojan Horses. To circumvent SWATT, we expect that an attacker needs to change the hardware to hide memory content changes. We present an implementation of SWATT in off-the-shelf sensor network devices, which enables us to verify the contents of the program memory even while the sensor node is running.

704 citations