Xuejia Lai

Bio: Xuejia Lai is an academic researcher from Shanghai Jiao Tong University. The author has contributed to research in topics: Block cipher & Higher-order differential cryptanalysis. The author has an hindex of 23, co-authored 112 publications receiving 4816 citations. Previous affiliations of Xuejia Lai include École Polytechnique Fédérale de Lausanne & ETH Zurich.

A proposal for a new block encryption standard

Abstract: A new secret-key block cipher is proposed as a candidate for a new encryption standard. In the proposed cipher, the plaintext and the ciphertext are 64 bit blocks, while the secret key is 128 bit long. The cipher is based on the design concept of "mixing operations from different algebraic groups". The cipher structure was chosen to provide confusion and diffusion and to facilitate both hardware and software implementations.

Markov ciphers and differential cryptanalysis

Abstract: This paper considers the security of iterated block ciphers against the differential cryptanalysis introduced by Biham and Shamir. Differential cryptanalysis is a chosen-plaintext attack on secret-key block ciphers that are based on iterating a cryptographically weak function r times (e.g., the 16-round Data Encryption Standard (DES)). It is shown that the success of such attacks on an r-round cipher depends on the existence of (r-1)-round differentials that have high probabilities, where an i-round differential is defined as a couple (α, β) such that a pair of distinct plaintexts with difference α can result in a pair of i-th round outputs that have difference β, for an appropriate notion of "difference". The probabilities of such differentials can be used to determine a lower bound on the complexity of a differential cryptanalysis attack and to show when an r-round cipher is not vulnerable to such attacks. The concept of "Markov ciphers" is introduced for iterated ciphers because of its significance in differential cryptanalysis. If an iterated cipher is Markov and its round subkeys are independent, then the sequence of differences at each round output forms a Markov chain. It follows from a result of Biham and Shamir that DES is a Markov cipher. It is shown that, for the appropriate notion of "difference", the Proposed Encryption Standard (PES) of Lai and Massey, which is an 8-round iterated cipher, is a Markov cipher, as are also the mini-version of PES with block length 8, 16 and 32 bits. It is shown that PES(8) and PES(16) are immune to differential cryptanalysis after sufficiently many rounds. A detailed cryptanalysis of the full-size PES is given and shows that the very plausibly most probable 7-round differential has a probability about 2-58. A differential cryptanalysis attack of PES(64) based on this differential is shown to require all 264 possible encryptions. This cryptanalysis of PES suggested a new design principle for Markov ciphers, viz., that their transition probability matrices should not be symmetric. A minor modification of PES, consistent with all the original design principles, is proposed that satisfies this new design criterion. This modified cipher, called Improved PES (IPES), is described and shown to be highly resistant to differential cryptanalysis.

Cryptanalysis of the hash functions MD4 and RIPEMD

Abstract: MD4 is a hash function developed by Rivest in 1990 It serves as the basis for most of the dedicated hash functions such as MD5, SHAx, RIPEMD, and HAVAL In 1996, Dobbertin showed how to find collisions of MD4 with complexity equivalent to 220 MD4 hash computations In this paper, we present a new attack on MD4 which can find a collision with probability 2−2 to 2−6, and the complexity of finding a collision doesn't exceed 28 MD4 hash operations Built upon the collision search attack, we present a chosen-message pre-image attack on MD4 with complexity below 28 Furthermore, we show that for a weak message, we can find another message that produces the same hash value The complexity is only a single MD4 computation, and a random message is a weak message with probability 2−122 The attack on MD4 can be directly applied to RIPEMD which has two parallel copies of MD4, and the complexity of finding a collision is about 218 RIPEMD hash operations

Higher Order Derivatives and Differential Cryptanalysis

Abstract: High-order derivatives of multi-variable functions are studied in this paper as a natural generalization of the basic concept used in differential cryptanalysis. Possible applications of such derivatives in cryptology are discussed.

Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD

Abstract: MD5 is the hash function designed by Ron Rivest [9] as a strengthened version of MD4[8]. In 1993 Bert den Boer and Antoon Bosselaers [1] found pseudo-collision for MD5 which is made of the same message with two different sets of initial value. H. Dobbertin[3] found another kind of collision which consists of two different 512-bit messages with a chosen initial value I

Handbook of Applied Cryptography

Abstract: From the Publisher: A valuable reference for the novice as well as for the expert who needs a wider scope of coverage within the area of cryptography, this book provides easy and rapid access of information and includes more than 200 algorithms and protocols; more than 200 tables and figures; more than 1,000 numbered definitions, facts, examples, notes, and remarks; and over 1,250 significant references, including brief comments on each paper.

Differential Power Analysis

Abstract: Cryptosystem designers frequently assume that secrets will be manipulated in closed, reliable computing environments. Unfortunately, actual computers and microchips leak information about the operations they process. This paper examines specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. We also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information.

Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems

Abstract: By carefully measuring the amount of time required tm perform private key operalions, attackers may be able to find fixed Diffie-Hellman exponents, factor RSA keys, and break other cryptosystems. Against, a valnerable system, the attack is computationally inexpensive and often requires only known ciphertext. Actual systems are potentially at risk, including cryptographic tokens, network-based cryptosystems, and other applications where attackers can make reasonably accurate timing measurements. Techniques for preventing the attack for RSA and Diffie-Hellman are presented. Some cryptosystems will need to be revised to protect against the attack, and new protocols and algorithms may need to incorporate measures to prevenl timing attacks.

The Design of Rijndael: AES - The Advanced Encryption Standard

Abstract: 1. The Advanced Encryption Standard Process.- 2. Preliminaries.- 3. Specification of Rijndael.- 4. Implementation Aspects.- 5. Design Philosophy.- 6. The Data Encryption Standard.- 7. Correlation Matrices.- 8. Difference Propagation.- 9. The Wide Trail Strategy.- 10. Cryptanalysis.- 11. Related Block Ciphers.- Appendices.- A. Propagation Analysis in Galois Fields.- A.1.1 Difference Propagation.- A.l.2 Correlation.- A. 1.4 Functions that are Linear over GF(2).- A.2.1 Difference Propagation.- A.2.2 Correlation.- A.2.4 Functions that are Linear over GF(2).- A.3.3 Dual Bases.- A.4.2 Relationship Between Trace Patterns and Selection Patterns.- A.4.4 Illustration.- A.5 Rijndael-GF.- B. Trail Clustering.- B.1 Transformations with Maximum Branch Number.- B.2 Bounds for Two Rounds.- B.2.1 Difference Propagation.- B.2.2 Correlation.- B.3 Bounds for Four Rounds.- B.4 Two Case Studies.- B.4.1 Differential Trails.- B.4.2 Linear Trails.- C. Substitution Tables.- C.1 SRD.- C.2 Other Tables.- C.2.1 xtime.- C.2.2 Round Constants.- D. Test Vectors.- D.1 KeyExpansion.- D.2 Rijndael(128,128).- D.3 Other Block Lengths and Key Lengths.- E. Reference Code.