Showing papers on "Block cipher" published in 1996


Book ChapterDOI
18 Aug 1996
TL;DR: It is shown that computing the most significant bits of the secret key in a Diffie-Hellman key-exchange protocol from the public keys of the participants is as hard as computing the secret key itself.
Abstract: We show that computing the most significant bits of the secret key in a Diffie-Hellman key-exchange protocol from the public keys of the participants is as hard as computing the secret key itself. This is done by studying the following hidden number problem: Given an oracle O_α(x) that on input x computes the k most significant bits of α · g^x mod p, find α modulo p. Our solution can be used to show the hardness of MSBs in other schemes such as ElGamal's public key system, Shamir's message passing scheme and Okamoto's conference key sharing scheme. Our results lead us to suggest a new variant of Diffie-Hellman key exchange (and other systems), for which we prove the most significant bit is hard to compute.

310 citations


Book ChapterDOI
18 Aug 1996
TL;DR: New attacks based on the principles of related-key differential cryptanalysis are presented, which can be exploited in actual protocols and cryptanalyze the key schedules of a variety of algorithms, including three-key triple-DES.
Abstract: We present new attacks on key schedules of block ciphers. These attacks are based on the principles of related-key differential cryptanalysis: attacks that allow both keys and plaintexts to be chosen with specific differences. We show how these attacks can be exploited in actual protocols and cryptanalyze the key schedules of a variety of algorithms, including three-key triple-DES.

276 citations


Book ChapterDOI
18 Aug 1996
TL;DR: This paper proves, in a formal model, that the DESX construction is sound, and shows that, when F is an idealized block cipher, FX_{k.k1.k2} is substantially more resistant to key search than is F, and has an effective key length of at least ϰ+n - 1 - lg m bits.
Abstract: The block cipher DESX is defined by DESX_{k.k1.k2}(x) = k2 ⊕ DES_k(k1 ⊕ x), where ⊕ denotes bitwise exclusive-or. This construction was first suggested by Ron Rivest as a computationally-cheap way to protect DES against exhaustive key-search attacks. This paper proves, in a formal model, that the DESX construction is sound. We show that, when F is an idealized block cipher, FX_{k.k1.k2}(x) = k2 ⊕ F_k(k1 ⊕ x) is substantially more resistant to key search than is F. In fact, our analysis says that FX has an effective key length of at least ϰ+n - 1 - lg m bits, where ϰ is the key length of F, n is the block length, and m bounds the number of (x, FX_k(x)) pairs the adversary can obtain.

257 citations


Book ChapterDOI
21 Feb 1996
TL;DR: This work describes UFNs and a terminology for discussing their properties, presents and analyze some UFN constructions, and makes some initial observations about their security.
Abstract: We examine a generalization of the concept of Feistel networks, which we call Unbalanced Feistel Networks (UFNs). Like conventional Feistel networks, UFNs consist of a series of rounds in which one part of the block operates on the rest of the block. However, in a UFN the two parts need not be of equal size. Removing this limitation on Feistel networks has interesting implications for designing ciphers secure against linear and differential attacks. We describe UFNs and a terminology for discussing their properties, present and analyze some UFN constructions, and make some initial observations about their security.

249 citations


Book ChapterDOI
21 Feb 1996
TL;DR: Shark as discussed by the authors combines highly nonlinear substitution boxes and maximum distance separable error correcting codes (MDS-codes) to guarantee a good diffusion and is resistant against differential and linear cryptanalysis after a small number of rounds.
Abstract: We present the new block cipher SHARK. This cipher combines highly non-linear substitution boxes and maximum distance separable error correcting codes (MDS-codes) to guarantee a good diffusion. The cipher is resistant against differential and linear cryptanalysis after a small number of rounds. The structure of SHARK is such that a fast software implementation is possible, both for the encryption and the decryption. Our C-implementation of SHARK runs more than four times faster than SAFER and IDEA on a 64-bit architecture.

220 citations


Book ChapterDOI
21 Feb 1996
TL;DR: Two new provably secure block ciphers are suggested, called BEAR and LION, which both have large block sizes, and are based on the Luby-Rackoff construction.
Abstract: In this paper we suggest two new provably secure block ciphers, called BEAR and LION. They both have large block sizes, and are based on the Luby-Rackoff construction. Their underlying components are a hash function and a stream cipher, and they are provably secure in the sense that attacks which find their keys would yield attacks on one or both of the underlying components. They also have the potential to be much faster than existing block ciphers in many applications.

148 citations


Book ChapterDOI
12 May 1996
TL;DR: By considering the role of non-linear approximations in linear cryptanalysis, a generalization of Matsui's linear cryptanalytic techniques is obtained, allowing for the recovery of seven additional bits of key information with less than 1/4 of the plaintext that is required using current linear cryptanalytic methods.
Abstract: By considering the role of non-linear approximations in linear cryptanalysis we obtain a generalization of Matsui's linear cryptanalytic techniques. This approach allows the cryptanalyst greater flexibility in mounting a linear cryptanalytic attack and we demonstrate the effectiveness of our non-linear techniques with some simple attacks on LOKI91. These attacks potentially allow for the recovery of seven additional bits of key information with less than 1/4 of the plaintext that is required using current linear cryptanalytic methods.

129 citations


Book ChapterDOI
03 Nov 1996
TL;DR: A simple network of small s-boxes can be proven secure against differential and linear cryptanalysis.
Abstract: A simple network of small s-boxes can be proven secure against differential and linear cryptanalysis. Upper bounds of the differential probabilities and the linear correlations are derived for a generalized Feistel network having 1, 2, 3 or 4 s-boxes in parallel per round. It is conjectured that the results hold in general.

126 citations


Proceedings Article
21 Feb 1996
TL;DR: In this article, the authors introduce a methodology for designing block ciphers with provable security against differential and linear cryptanalysis, based on three new principles: change of the location of round functions, round functions with recursive structure, and substitution boxes of different sizes.
Abstract: We introduce a methodology for designing block ciphers with provable security against differential and linear cryptanalysis. It is based on three new principles: change of the location of round functions, round functions with recursive structure, and substitution boxes of different sizes. The first realizes parallel computation of the round functions without losing provable security, and the second reduces the size of substitution boxes; moreover, the last is expected to make algebraic attacks difficult. We also give specific examples of practical block ciphers that are provably secure under an independent subkey assumption and are reasonably fast in hardware as well as in software implementation.

115 citations


Proceedings ArticleDOI
01 Jan 1996
TL;DR: A new heuristic method has found an attack against DES absolutely equivalent to M. Matsui's (1994) one by following a distinct path and appears to be roughly as efficient as both differential and linear cryptanalysis.
Abstract: Linear cryptanalysis and differential cryptanalysis are the most important methods of attack against block ciphers. Their efficiency has been demonstrated against several ciphers, including the Data Encryption Standard. We prove that both of them can be considered, improved and joined in a more general statistical framework. We also show that the very same results as those obtained in the case of DES can be found without any linear analysis and we slightly improve them into an attack with theoretical complexity 2^42.9. We can apply another statistical attack, the χ² cryptanalysis, on the same characteristics without a definite idea of what happens in the encryption process. It appears to be roughly as efficient as both differential and linear cryptanalysis. We propose a new heuristic method to find good characteristics. It has found an attack against DES absolutely equivalent to M. Matsui's (1994) one by following a distinct path.

114 citations


Journal ArticleDOI
TL;DR: It is shown that using large S-boxes with good diffusion characteristics and replacing the permutation between rounds by an appropriate linear transformation is effective in improving the cipher security in relation to these two attacks.
Abstract: In this paper we examine a class of product ciphers referred to as substitution-permutation networks. We investigate the resistance of these cryptographic networks to two important attacks: differential cryptanalysis and linear cryptanalysis. In particular, we develop upper bounds on the differential characteristic probability and on the probability of a linear approximation as a function of the number of rounds of substitutions. Further, it is shown that using large S-boxes with good diffusion characteristics and replacing the permutation between rounds by an appropriate linear transformation is effective in improving the cipher security in relation to these two attacks.

Journal ArticleDOI
TL;DR: A new mode of multiple encryption—triple-DES external feedback cipher block chaining with output feedback masking is proposed to provide increased protection against certain attacks (dictionary attacks and matching ciphertext attacks) which exploit the short message-block size of DES.
Abstract: We propose a new mode of multiple encryption—triple-DES external feedback cipher block chaining with output feedback masking. The aim is to provide increased protection against certain attacks (dictionary attacks and matching ciphertext attacks) which exploit the short message-block size of DES. The new mode obtains this protection through the introduction of secret masking values that are exclusive-ORed with the intermediate outputs of each triple-DES encryption operation. The secret mask value is derived from a fourth encryption operation per message block, in addition to the three used in previous modes. The new mode is part of a suite of encryption modes proposed in the ANSI X9.F.1 triple-DES draft standard (X9.52).

Book ChapterDOI
Matt Blaze
21 Feb 1996
TL;DR: RKEP works with any conventional block cipher and requires only standard ECB mode block cipher operations on the smartcard, permitting its implementation with off-the-shelf components and there is no storage overhead.
Abstract: This paper describes a simple protocol, the Remotely Keyed Encryption Protocol (RKEP), that enables a secure, but bandwidth-limited, cryptographic smartcard to function as a high-bandwidth secret-key encryption and decryption engine for an insecure, but fast, host processor. The host processor assumes most of the computational and bandwidth burden of each cryptographic operation without ever learning the secret key stored on the card. By varying the parameters of the protocol, arbitrary size blocks can be processed by the host with only a single small message exchange with the card and minimal card computation. RKEP works with any conventional block cipher and requires only standard ECB mode block cipher operations on the smartcard, permitting its implementation with off-the-shelf components. There is no storage overhead. Computational overhead is minimal, and includes the calculation of a cryptographic hash function as well as a conventional cipher function on the host processor.

Patent
23 Sep 1996
TL;DR: In this article, a method of encrypting clear payload data to form encrypted payload data uses a block cipher, the block cipher being characterized by a predetermined block length, the residual block length being less than the block length.
Abstract: A method of encrypting clear payload data to form encrypted payload data uses a block cipher, the block cipher being characterized by a predetermined block length. The method includes a step of parsing and first and second steps of encrypting. The step of parsing parses the clear payload data into at least one full clear block and a residual block, the at least one full clear block including a last full clear block. Each full clear block is characterized by the predetermined block length. The residual block is characterized by a residual block length, the residual block length being less than the predetermined block length. The step of parsing further parses the last full clear block into a first part and a second part, the second part being characterized by a length equaling a difference between the predetermined block length and the residual block length. The first step of encrypting encrypts a combination of the second part and the residual block to form a first encrypted block, the first encrypted block having a third part and a fourth part. The third part is characterized by a length equaling the second part length. The second step of encrypting encrypts a combination of the first part and the third part to form a second encrypted block, and it is the combination of the second encrypted block and the fourth part that forms the encrypted payload data.

Proceedings ArticleDOI
22 Sep 1996
TL;DR: The Improved-DES is a new algorithm that is stronger than the DES against differential cryptanalysis for cryptographic security, and the analysis will show that the unicity distance in the Improved-DES is increased more than the DES's UD.
Abstract: The cryptosystem which is most used throughout the world for protecting information is the Data Encryption Standard (DES) which was announced by the National Bureau of Standards (NBS). The DES must be stronger than the other cryptosystems in its security. But, because the process time required for cryptanalysis has lessened, and because hardware technique has developed rapidly, the DES may be attacked by various kinds of cryptanalysis using parallel process. It may be especially vulnerable to attack by differential cryptanalysis. Therefore, the DES will require strengthening to ensure cryptographic security in the days to come. This paper proposes design of a DES-like cryptosystem called the Improved-DES. The Improved-DES is a new algorithm. We show that the Improved-DES is stronger than the DES against differential cryptanalysis for cryptographic security. We will divide one data block (96 bits) into 3 sub-blocks of 32 bits and then perform different f functions on each of the 3 sub-blocks, and then increase the S_1–S_8 of the S-boxes to S_1–S_16, satisfying the strict avalanche criterion (SAC: p_{i,j}) and the correlation coefficient (p_{i,j}). Finally we will increase the key length to 112 bits. The analysis will show that the unicity distance (UD) in the Improved-DES is increased more than the DES's UD.

Book ChapterDOI
18 Aug 1996
TL;DR: The differential analysis made by Kaliski and Yin is not optimal and is shown to give differential attacks better by up to a factor of 512 and to show that RC5 has many weak keys with respect to differential attacks.
Abstract: In this paper we investigate the strength of the secret-key algorithm RC5 newly proposed by Ron Rivest. The target version of RC5 works on words of 32 bits, has 12 rounds and a user-selected key of 128 bits. At Crypto'95 Kaliski and Yin estimated the strength of RC5 by differential and linear cryptanalysis. They conjectured that their linear analysis is optimal and that the use of 12 rounds for RC5 is sufficient to make both differential and linear cryptanalysis impractical. In this paper we show that the differential analysis made by Kaliski and Yin is not optimal. We give differential attacks better by up to a factor of 512. Also we show that RC5 has many weak keys with respect to differential attacks. This weakness relies on the structure of the cipher and not on the key schedule.

Patent
28 Jun 1996
TL;DR: In this article, a system for generating variable substitution boxes from arbitrary keys for use in a block cipher system utilizes an initial set of linearly independent numbers to generate substitution tables, modulated with the bits of an arbitrary key through operations that result in final sets of linearly independent numbers.
Abstract: A system for generating variable substitution boxes from arbitrary keys for use in a block cipher system utilizes an initial set of linearly independent numbers to generate substitution tables. The initial set of linearly independent numbers is modulated with the bits of an arbitrary key through operations that result in final sets of linearly independent numbers to form the substitution tables. The system also includes an implementation which allows for rapid key changes for the crypto system by only generating portions of the substitution tables as needed for specific blocks of input data to be encrypted or decrypted.

Book ChapterDOI
12 May 1996
TL;DR: A fast and efficient procedure for finding low order approximations to large boolean functions, if such approximations exist, is developed and is based on representing low order boolean functions by appropriate linear recurring sequences generated by binary filter generators.
Abstract: A fast and efficient procedure for finding low order approximations to large boolean functions, if such approximations exist, is developed. The procedure uses iterative error-correction algorithms for fast correlation attacks on certain stream ciphers and is based on representing low order boolean functions by appropriate linear recurring sequences generated by binary filter generators. Applications and significance of the proposed method in the analysis and design of block and stream ciphers are also discussed.


Proceedings Article
01 Jan 1996
TL;DR: BEAST is a Luby-Rackoff cipher and fast when the blocks are large, and it is provably secure if these building blocks are secure.
Abstract: This paper describes BEAST, a new block cipher for arbitrary size blocks. It is a Luby-Rackoff cipher and fast when the blocks are large. BEAST is assembled from cryptographic hash functions and stream ciphers. It is provably secure if these building blocks are secure.

Journal Article
TL;DR: In this paper, a new attack on the LOKIDBH mode was presented, which breaks the last remaining subclass in a wide class of efficient hash functions which have been proposed in the literature.
Abstract: We consider constructions for cryptographic hash functions based on m-bit block ciphers. First we present a new attack on the LOKIDBH mode: the attack finds collisions in 2^(3m/4) encryptions, which should be compared to 2^m encryptions for a brute force attack. This attack breaks the last remaining subclass in a wide class of efficient hash functions which have been proposed in the literature. We then analyze hash functions based on a collision resistant compression function for which finding a collision requires at least 2^m encryptions, providing a lower bound of the complexity of collisions of the hash function. A new class of constructions is proposed, based on error correcting codes over GF(2^2), and a proof of security is given, which relates their security to that of single block hash functions. For example, a compression function is presented which requires about 4 encryptions to hash an m-bit block, and for which finding a collision requires at least 2^m encryptions. This scheme has the same hash rate as MDC-4, but better security against collision attacks. Our method can be used to construct compression functions with even higher levels of security at the cost of more internal memory.

Book ChapterDOI
03 Nov 1996
TL;DR: It is proved that any linear approximation of IDEA with extended subkeys, generalized to R rounds, requires at least R+[R/3] approximations to the multiply operation.
Abstract: Linear cryptanalysis is a well-known attack based on linear approximations, and is said to be feasible for an n-bit block cipher if the data complexity is at most 2^n. In this paper we consider IDEA with independent and uniformly distributed subkeys, referred to as IDEA with extended subkeys. We prove that any linear approximation of IDEA with extended subkeys, generalized to R rounds, requires at least R+[R/3] approximations to the multiply operation. We argue that the best approximations are based on approximating least significant bits in the round operations and show that the probability of selecting a key for which such a linear cryptanalysis is feasible on IDEA is approximately 2^(-100).

DissertationDOI
01 Jan 1996
TL;DR: It is argued that the ciphers IDEA and SAFER are secure against this generalization of linear cryptanalysis, and the last-round attack by partitioning cryptanalysis is described and requirements for this attack are formalized.
Abstract: Matsui's linear cryptanalysis for iterated block ciphers is first generalized by replacing his linear expressions with I/O sums. For a single round, an I/O sum is the XOR of a balanced binary-valued function of the round input and a balanced binary-valued function of the round output. A last-round attack is described and conditions for it to be successful are given. A procedure for finding effective "homomorphic" I/O sums to be used in an attack is given. A cipher contrived to be secure against linear cryptanalysis but vulnerable to this generalization of linear cryptanalysis is given. It is argued that the ciphers IDEA and SAFER are secure against this generalization of linear cryptanalysis. Statistical evidence is provided for the hypotheses of fixed-key equivalence and of fixed-key randomization, on which the success of the attack relies. A second generalization of linear cryptanalysis is obtained by replacing an I/O sum with the m-ary group difference of a function of the round input and a function of the round output. A corresponding attack on an iterative cipher is developed. Several different measures for the effectiveness of m-ary group differences are defined and analyzed. The previous attacks are generalized to an attack called partitioning cryptanalysis. This attack exploits a weakness that can be described by an effective partition-pair, i.e., a partition of the plaintext set and a partition of the next-to-last-round output set such that, for every key, the next-to-last-round outputs are non-uniformly distributed over the blocks of the second partition when the plaintexts are chosen uniformly from a particular block of the first partition. The last-round attack by partitioning cryptanalysis is formalized and requirements for

Book
01 Jan 1996
TL;DR: A new structure of block ciphers with provable security against differential and linear cryptanalysis is presented, with a comparison of fast correlation attacks.
Abstract: Attacks on the HKM / HFX cryptosystem.- Truncated differentials of SAFER.- On the weak keys of blowfish.- High-bandwidth encryption with low-bandwidth smartcards.- ISAAC.- A note on the hash function of Tillich and zemor.- Cryptanalysis of MD4.- RIPEMD-160: A strengthened version of RIPEMD.- Fast accumulated hashing.- Tiger: A fast new hash function.- The cipher SHARK.- Two practical and provably secure block ciphers: BEAR and LION.- Unbalanced Feistel networks and block cipher design.- A comparison of fast correlation attacks.- Correlation attacks on stream ciphers: Computing low-weight parity checks based on error-correcting codes.- On the security of nonlinear filter generators.- Faster Luby-Rackoff ciphers.- New structure of block ciphers with provable security against differential and linear cryptanalysis.

Book ChapterDOI
Xun Yi
02 Dec 1996
TL;DR: The results show the mini cipher with 8-bit blocks is resistant to differential attack, and some cryptographic properties of the cipher are discussed.
Abstract: In this paper a new secret-key block cipher based on mixing operations of different algebraic groups is proposed. Some cryptographic properties of the cipher are discussed. Differential cryptanalysis of the cipher structure is treated. The results show the mini cipher with 8-bit blocks is resistant to differential attack.

Patent
14 Jun 1996
TL;DR: In this article, an IC card is provided with a non-volatile memory 16 which can be rewritten, a read-only memory 12 storing a first cipher processing program ciphering information and CPU 18 ciphering by using the first cipherprocessing program.
Abstract: PROBLEM TO BE SOLVED: To provide an IC card which can speedily and inexpensively change a cipher processing program. SOLUTION: The IC card is provided with a non-volatile memory 16 which can be rewritten, a read-only memory 12 storing a first cipher processing program ciphering information and CPU 18 ciphering information by using the first cipher processing program. The non-volatile memory has a cipher processing program area which can store a second cipher processing program different from the first cipher processing program. Then, CPU 18 ciphers information by using the second cipher processing program instead of the first cipher processing program when the second cipher processing program is stored in the cipher processing program area.

Proceedings Article
01 Jan 1996
TL;DR: At Eurocrypt'93 Park, Itoh and Kurosawa presented a voting scheme based on an efficient concrete mix-net that is vulnerable to active and passive attacks, and Pfitzmann pointed out that the anonymity of the votes can't be guaranteed.
Abstract: At Eurocrypt'93 Park, Itoh and Kurosawa presented a voting scheme based on an efficient concrete mix-net. However, Pfitzmann pointed out that the concrete mix-net used is vulnerable to active and passive attacks. Therefore, the anonymity of the votes can't be guaranteed. Furthermore, Pfitzmann discussed some countermeasures against the attacks and how far they help.

Journal ArticleDOI
TL;DR: A novel cryptanalysis of Substitution-Permutation Networks using a chosen plaintext approach based on the highly probable occurrence of key-dependent degeneracies within the network and is applicable regardless of the method of S-box keying.
Abstract: This paper presents a novel cryptanalysis of Substitution-Permutation Networks using a chosen plaintext approach. The attack is based on the highly probable occurrence of key-dependent degeneracies within the network and is applicable regardless of the method of S-box keying. It is shown that a large number of rounds is required before a network is resistant to the attack. Experimental results have found 64-bit networks to be cryptanalyzable for as many as 8 to 12 rounds depending on the S-box properties.

Journal ArticleDOI
TL;DR: The cryptanalysis of a recently proposed public-key cipher is presented and it is shown that the cipher is broken simply by multiplying the ciphertext by a matrix which is the multiplicative inverse of a matrix formed with the public information available.
Abstract: The cryptanalysis of a recently proposed public-key cipher is presented. The mathematical structure of the cipher is based on linear complementary subspaces over a finite field. The cipher is broken simply by multiplying the ciphertext by a matrix which is the multiplicative inverse of a matrix formed with the public information available.

Book
01 Jan 1996
TL;DR: A message recovery signature scheme equivalent to DSA over elliptic curves based on real-quadratic A-fields (extended abstract) and a fast software implementation for arithmetic operations in GF(2n).
Abstract: A message recovery signature scheme equivalent to DSA over elliptic curves.- Cryptographic protocols based on real-quadratic A-fields (extended abstract).- Minding your p's and q's.- Authenticated multi-party key agreement.- Cryptography and the internet: Lessons and challenges.- Generating standard DSA signatures without long inversion.- A fast software implementation for arithmetic operations in GF(2^n).- Hash functions based on block ciphers and quaternary codes.- Generalized Feistel networks.- On applying linear cryptanalysis to IDEA.- A multi-recastable ticket scheme for electronic elections.- Some remarks on a receipt-free and universally verifiable Mix-type voting scheme.- Observations on non-repudiation.- On the efficiency of one-time digital signatures.- A hidden cryptographic assumption in no-transferable identification schemes.- Electronic money and key management from global and regional points of view.- Limiting the visible space visual secret sharing schemes and their application to human identification.- Towards characterizing when information-theoretic secret key agreement is possible.- Key sharing based on the wire-tap channel type II concept with noisy main channel.- Generalization of higher order SAC to vector output Boolean functions.- On the correlation immune functions and their nonlinearity.- How to date blind signatures.- Provably secure blind signature schemes.- Cost-effective payment schemes with privacy regulation.- Mis-representation of identities in e-cash schemes and how to prevent it.- "Indirect discourse proofs": Achieving efficient Fair Off-Line e-cash.- The validation of cryptographic algorithms.- Convertible group signatures.- How to utilize the transformability of digital signatures for solving the oracle problem.- On the risk of disruption in several multiparty signature schemes.- Correlation attacks on cascades of clock controlled shift registers.- Conditional correlation attack on nonlinear filter generators.- The cryptographic security of the syndrome decoding problem for rank distance codes.- A World Wide Number Field Sieve factoring record: On to 512 bits.