
Showing papers on "Block cipher published in 1998"


01 Jan 1998
TL;DR: The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory.
Abstract: Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2^8), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8-bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2 chosen plaintexts and 2 effort.

403 citations


Journal Article
TL;DR: In this paper, the authors presented a method for finding collisions in SHA-0 which is related to differential cryptanalysis of block ciphers and obtained a theoretical attack on the compression function SHA-0 with complexity 2^61, which is thus better than the birthday paradox attack.
Abstract: In this paper we present a method for finding collisions in SHA-0 which is related to differential cryptanalysis of block ciphers. Using this method, we obtain a theoretical attack on the compression function SHA-0 with complexity 2^61, which is thus better than the birthday paradox attack. In the case of SHA-1, this method is unable to find collisions faster than the birthday paradox. This is a strong evidence that the transition to version 1 indeed raised the level of security of SHA.

267 citations


Book ChapterDOI
23 Mar 1998
TL;DR: In this paper, the DES S-boxes are used in a new structure that simultaneously allows a more rapid avalanche, a more efficient bitslice implementation, and an easy analysis that enables them to demonstrate its security against all known types of attack.
Abstract: We propose a new block cipher as a candidate for the Advanced Encryption Standard. Its design is highly conservative, yet still allows a very efficient implementation. It uses the well-understood DES S-boxes in a new structure that simultaneously allows a more rapid avalanche, a more efficient bitslice implementation, and an easy analysis that enables us to demonstrate its security against all known types of attack. With a 128-bit block size and a 256-bit key, it is almost as fast as DES on a wide range of platforms, yet conjectured to be at least as secure as three-key triple-DES.

255 citations


Book ChapterDOI
16 Sep 1998
TL;DR: The notion of side-channel cryptanalysis (cryptanalysis using implementation data) is introduced; side-channel attacks against three product ciphers are demonstrated and then generalized to other cryptosystems.
Abstract: Building on the work of Kocher [Koc96], we introduce the notion of side-channel cryptanalysis: cryptanalysis using implementation data. We discuss the notion of side-channel attacks and the vulnerabilities they introduce, demonstrate side-channel attacks against three product ciphers (a timing attack against IDEA, a processor-flag attack against RC5, and a Hamming weight attack against DES), and then generalize our research to other cryptosystems.

254 citations
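As an added illustration of what "cryptanalysis using implementation data" means, and not the paper's own code or its exact leakage model, the block below simulates a device that leaks the Hamming weight of one DES S-box output (S1) plus Gaussian noise, and recovers the 6-bit subkey feeding that S-box by correlating the observed leak with the leak predicted under each of the 64 subkey guesses. The leakage model, the noise level and the trace counts are assumptions; the S1 table is the standard DES one.

```python
import random

# Standard DES S-box S1: the outer input bits pick the row, the inner four the column.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox1(x: int) -> int:
    """DES S1 on a 6-bit input, returning a 4-bit output."""
    row = ((x >> 5) & 1) * 2 + (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def simulate_leak(inputs, subkey: int, noise_sd: float, rng: random.Random):
    """Constructed traces: HW(S1(x xor k)) plus Gaussian noise (assumed leakage model)."""
    return [hamming_weight(sbox1(x ^ subkey)) + rng.gauss(0.0, noise_sd) for x in inputs]


def pearson(xs, ys) -> float:
    """Sample Pearson correlation between two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0


def recover_subkey(inputs, traces):
    """Score all 64 subkey guesses by correlating predicted and observed leakage."""
    scores = {
        k: pearson([hamming_weight(sbox1(x ^ k)) for x in inputs], traces) for k in range(64)
    }
    return max(scores, key=scores.get), scores


def equivalent_subkeys(k: int):
    """Guesses whose predicted leak matches k's on every input; the leak cannot separate them."""
    profile = [hamming_weight(sbox1(x ^ k)) for x in range(64)]
    return {g for g in range(64) if [hamming_weight(sbox1(x ^ g)) for x in range(64)] == profile}


def demo(seed: int = 2024, noise_sd: float = 0.5, n_traces: int = 3000, true_subkey: int = 0b101101):
    """Run the simulated attack; returns (true subkey, recovered guess, correlation of the guess)."""
    rng = random.Random(seed)
    inputs = [rng.randrange(64) for _ in range(n_traces)]      # random 6-bit S-box inputs
    traces = simulate_leak(inputs, true_subkey, noise_sd, rng)  # what the "device" leaks
    guess, scores = recover_subkey(inputs, traces)
    return true_subkey, guess, scores[guess]


if __name__ == "__main__":
    k, guess, corr = demo()
    print(f"true subkey {k:06b}, recovered {guess:06b}, correlation {corr:.3f}")
```

With noise of the same order as the signal (the 4-bit output's Hamming weight has unit variance), a few thousand traces are enough because the correlation of the correct guess approaches 1/sqrt(1 + noise variance), while wrong guesses correlate weakly thanks to the S-box's nonlinearity.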


Book ChapterDOI
23 Mar 1998
TL;DR: It is argued that PRNGs are their own unique type of cryptographic primitive and should be analyzed as such; a model for PRNGs is proposed, and possible attacks against this model are discussed.
Abstract: In this paper we discuss PRNGs: the mechanisms used by real-world secure systems to generate cryptographic keys, initialization vectors, "random" nonces, and other values assumed to be random. We argue that PRNGs are their own unique type of cryptographic primitive, and should be analyzed as such. We propose a model for PRNGs, discuss possible attacks against this model, and demonstrate the applicability of the model (and our attacks) to four real-world PRNGs. We close with a discussion of lessons learned about PRNG design and use, and a few open questions.

226 citations


Book ChapterDOI
23 Aug 1998
TL;DR: A theoretical attack on the compression function SHA-0 with complexity 2^61 is obtained, which is thus better than the birthday paradox attack and is strong evidence that the transition to version 1 indeed raised the level of security of SHA.
Abstract: In this paper we present a method for finding collisions in SHA-0 which is related to differential cryptanalysis of block ciphers. Using this method, we obtain a theoretical attack on the compression function SHA-0 with complexity 2^61, which is thus better than the birthday paradox attack. In the case of SHA-1, this method is unable to find collisions faster than the birthday paradox. This is a strong evidence that the transition to version 1 indeed raised the level of security of SHA.

185 citations


Book ChapterDOI
25 Feb 1998
TL;DR: A new way of protecting block ciphers against classes of attacks (including differential and linear cryptanalysis) is investigated, based on the notion of decorrelation, which is closely connected to Carter-Wegman's notion of universal functions.
Abstract: In this presentation we investigate a new way of protecting block ciphers against classes of attacks (including differential and linear cryptanalysis) which is based on the notion of decorrelation, which is closely connected to Carter-Wegman's notion of universal functions. This defines a simple and friendly combinatorial measurement which makes it possible to quantify the security. We show that we can mix provable protections and heuristic protections. We finally propose two new block cipher families, which we call COCONUT and PEANUT, that implement these ideas and achieve quite reasonable performance for real-life applications.

119 citations


Book ChapterDOI
17 Aug 1998
TL;DR: This analysis shows that, although the full-size RC4 remains secure against known attacks, keystreams are distinguishable from randomly generated bit streams, and the RC4 key can be recovered if a significant fraction of the full cycle of keystream bits is generated.
Abstract: RC4, a stream cipher designed by Rivest for RSA Data Security Inc., has found several commercial applications, but little public analysis has been done to date. In this paper, alleged RC4 (hereafter called RC4) is described and existing analysis outlined. The properties of RC4, and in particular its cycle structure, are discussed. Several variants of a basic "tracking" attack are described, and we provide experimental results on their success for scaled-down versions of RC4. This analysis shows that, although the full-size RC4 remains secure against known attacks, keystreams are distinguishable from randomly generated bit streams, and the RC4 key can be recovered if a significant fraction of the full cycle of keystream bits is generated (while recognizing that for a full-size system, the cycle length is too large for this to be practical). The tracking attacks discussed provide a significant improvement over the exhaustive search of the full RC4 keyspace. For example, the state of a 5-bit RC4-like cipher can be obtained from a portion of the keystream using 2^42 steps, while the nominal keyspace of the system is 2^160. More work is necessary to improve these attacks in the case where a reduced keyspace is used.

101 citations
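The scaled-down RC4 variants the paper experiments with are easy to reproduce: the algorithm is parameterised by the word size n, with N = 2^n state entries, and full RC4 is n = 8. The following is an added example, not the paper's code, that implements RC4-n and measures the cycle length of the (S, i, j) state for small n, which is the cycle structure the paper discusses. Because the PRGA step is a bijection on states, every state lies on a pure cycle and the start state must recur. Reducing key bytes modulo N in the key schedule for n < 8 is an assumption about how to scale the KSA down.

```python
"""RC4 generalised to n-bit words (RC4-n); full RC4 is n = 8.

Added example, not code from the paper.  Key bytes are reduced mod N in the
key schedule for n < 8 (an assumption about how to scale the KSA down).
"""


def rc4_ksa(key: bytes, n: int = 8) -> list:
    """Key-scheduling algorithm over N = 2**n words."""
    N = 1 << n
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S


def rc4_step(S: list, i: int, j: int, n: int):
    """One PRGA step: updates S in place and returns (i, j, keystream word)."""
    N = 1 << n
    i = (i + 1) % N
    j = (j + S[i]) % N
    S[i], S[j] = S[j], S[i]
    return i, j, S[(S[i] + S[j]) % N]


def rc4_keystream(key: bytes, length: int, n: int = 8) -> bytes:
    """First `length` keystream words (each fits in a byte for n <= 8)."""
    S = rc4_ksa(key, n)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i, j, z = rc4_step(S, i, j, n)
        out.append(z)
    return bytes(out)


def rc4_state_cycle_length(key: bytes, n: int, max_steps: int = None):
    """PRGA steps until the (S, i, j) state first returns to its initial value.

    The PRGA step is invertible (i := i - 1, swap back, j := j - S[i]), so the
    state space splits into pure cycles and the start state always recurs.
    Returns None if max_steps is exceeded first.
    """
    S = rc4_ksa(key, n)
    start = (tuple(S), 0, 0)
    i = j = 0
    steps = 0
    while True:
        i, j, _ = rc4_step(S, i, j, n)
        steps += 1
        if (tuple(S), i, j) == start:
            return steps
        if max_steps is not None and steps >= max_steps:
            return None


if __name__ == "__main__":
    print(rc4_keystream(b"Key", 10).hex())  # full RC4, key "Key": eb9f7781b734ca72a719
    for n in (2, 3):
        bound = 1
        for k in range(2, (1 << n) + 1):
            bound *= k                       # N! permutations ...
        bound *= (1 << n) ** 2               # ... times N*N choices of (i, j)
        print(n, rc4_state_cycle_length(b"Key", n), "of at most", bound, "states")
```

The keystream period divides the state cycle length, so the period can be checked directly for n = 2 or 3; for n = 8 the state space (256! * 2^16) is why the paper notes that exploiting the full cycle is impractical.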


01 Nov 1998
TL;DR: This document describes the use of the DES Cipher algorithm in Cipher Block Chaining Mode, with an explicit IV, as a confidentiality mechanism within the context of the IPSec Encapsulating Security Payload (ESP).
Abstract: This document describes the use of the DES Cipher algorithm in Cipher Block Chaining Mode, with an explicit IV, as a confidentiality mechanism within the context of the IPSec Encapsulating Security Payload (ESP).

99 citations


Book ChapterDOI
31 May 1998
TL;DR: This paper shows a drastic improvement of the results of several previous attempts at cryptanalysis of RC5 due to a novel partial differential approach and shows that the 64-bit word version of this cipher is also much weaker than expected.
Abstract: RC5 is a fast block cipher designed by Ron Rivest in 1994. Since then several attempts at cryptanalysis of this cipher have been published. The best previously known attack requires 2^54 chosen plaintexts in order to derive the full set of 25 subkeys for the 12-round RC5 with 32-bit words. In this paper we show a drastic improvement of these results due to a novel partial differential approach. Our attack requires 2^44 chosen plaintexts. We show that the 64-bit word version of RC5 is also much weaker than it was expected.

98 citations


Patent
Simon Bewick
03 Mar 1998
TL;DR: In this patent, the Digital Video Broadcasting descrambling algorithm is implemented for MPEG compressed data streams containing interleaved sections of scrambled and unscrambled data, at a data rate of 60 Mbit/s with a clock of 2.7 MHz, by a stream cipher whose output feeds a block cipher.
Abstract: In order to implement the Digital Video Broadcasting descrambling algorithm in the context of MPEG compressed data streams containing interleaved sections of scrambled and unscrambled data, at a data rate of 60 MBits/sec with a clock of 2.7 MHz, a stream cipher has an input to receive scrambled video data, and an output coupled to a block cipher for providing descrambled data, the stream cipher comprises shift register means for holding input data coupled to a first mapping logic mechanism comprising at least a first logic means and a second logic means coupled in sequence and arranged to carry out similar logical steps, and the block cipher means comprising shift register means for holding the output of the stream cipher means and a second logic mapping mechanism, comprising at least a first logic means, a second logic means, a third logic means and a fourth logic means coupled in sequence being arranged to carry out similar logical steps.

Patent
25 Jun 1998
TL;DR: In this patent, a cryptosystem which performs encryption/decryption of communication text using k bits of cryptographically secure pseudo-random numbers as the block cipher key is presented.
Abstract: In a cryptosystem which performs encryption/deciphering of communication text using k bits of cryptographically secure pseudo-random numbers as the block cipher key thereof, the block cipher key is updated each time j=k/m bits of new pseudo-random numbers are generated, with the j·m=k bits of pseudo-random numbers created by combining the j·(m−1) bits within the k bits of the present key and the newly generated j bits serving as a new key, thereby shortening the updating cycle and improving the safety. Also, by sending the number of times of generation of pseudo-random numbers along with the encrypted communication text from the sending side, and by the receiving side using, from the sequentially generated pseudo-random numbers, the pseudo-random numbers generated after the received number of times of generation as the new key, deciphering can be performed regardless of the order of reception, in the event that a plurality of cipher texts are sequentially sent while updating the encryption key.

Patent
07 Oct 1998
TL;DR: In this paper, the authors proposed a new cryptographic method which is fast and ideally suited for secure, high volume data communication and storage, where the data is encrypted at the source using a private key and then transmitted to a destination over a secure or insecure channel.
Abstract: The disclosed invention is a new cryptographic method which is fast and ideally suited for secure, high volume data communication and storage. The data is encrypted at the source using a private key and then transmitted to a destination over a secure or insecure channel. The destination can either be a local storage device or a non-local station. At the destination the data is decrypted using the same private key. The disclosed invention is a new method and apparatus for data encryption. The mathematical robustness and simplicity of this method brings a great improvement in security and speed as compared to previous block ciphers. The data block length or the key length can also be changed very easily and such changes do not require any significant redesigns in the components of the cipher. This is a significant advantage over previous block ciphers, where extensive modifications are needed if the key or the data block length is to be altered, if this is even feasible.

Book ChapterDOI
23 Mar 1998
TL;DR: In this article, the authors studied the strong pseudorandomness of the Luby-Rackoff construction when the number of rounds is increased, showing that with 6 or more rounds the distinguisher's success probability drops to O(m^4/2^(3n) + m^2/2^(2n)).
Abstract: This paper is a continuation of the work initiated in [2] by M. Luby and C. Rackoff on Feistel schemes used as pseudorandom permutation generators. The aim of this paper is to study the qualitative improvements of "strong pseudorandomness" of the Luby-Rackoff construction when the number of rounds increases. We prove that for 6 rounds (or more), the success probability of the distinguisher is reduced from O(m^2/2^n) (for 3 or 4 rounds) to at most O(m^4/2^(3n) + m^2/2^(2n)). (Here m denotes the number of cleartext or ciphertext queries obtained by the enemy in a dynamic way, and 2n denotes the number of bits of the cleartexts and ciphertexts.) We then introduce two new concepts that are stronger than strong pseudorandomness: "very strong pseudorandomness" and "homogeneous permutations". We explain why we think that those concepts are natural, and we study the values k for which the Luby-Rackoff construction with k rounds satisfies these notions.
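The Luby-Rackoff construction discussed above, as an added example that is not from the paper: a k-round Feistel permutation on 2n-bit blocks whose round functions are independent keyed PRFs (here HMAC-SHA256 under per-round derived keys, an assumption standing in for the paper's abstract pseudorandom functions), together with the classic chosen-ciphertext distinguisher that separates the 3-round scheme from a random permutation and fails against 4 or more rounds, which is the "strong pseudorandomness" gap the paper's round counts are about. The same permutation also serves as the block cipher in a CBC mode with an explicit, transmitted IV, the arrangement the DES-CBC ESP document listed earlier describes; the framing here is illustrative and not the RFC's packet format.

```python
import hashlib
import hmac
import os


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class LubyRackoff:
    """k-round Feistel permutation on 2n-byte blocks.

    Round i uses f_i(x) = HMAC-SHA256(K_i, x) truncated to n bytes, with K_i
    derived from the master key; this stands in for the paper's ideal PRFs.
    """

    def __init__(self, key: bytes, rounds: int, half_bytes: int = 8):
        self.n = half_bytes
        self.rounds = rounds
        self.round_keys = [
            hmac.new(key, b"round-%d" % i, hashlib.sha256).digest() for i in range(rounds)
        ]

    def f(self, i: int, x: bytes) -> bytes:
        return hmac.new(self.round_keys[i], x, hashlib.sha256).digest()[: self.n]

    def encrypt(self, block: bytes) -> bytes:
        L, R = block[: self.n], block[self.n :]
        for i in range(self.rounds):
            L, R = R, xor(L, self.f(i, R))  # (L, R) -> (R, L xor f_i(R))
        return L + R

    def decrypt(self, block: bytes) -> bytes:
        L, R = block[: self.n], block[self.n :]
        for i in reversed(range(self.rounds)):
            L, R = xor(R, self.f(i, L)), L  # undo one round
        return L + R


def three_round_cca_distinguisher(cipher: LubyRackoff) -> bool:
    """Two encryption queries and one decryption query against a Feistel scheme.

    With E(L, R) = (S, T) and E(L xor d, R) = (S', T'), decrypting
    (S', T' xor d) under a 3-round Feistel yields a plaintext whose right half
    is R xor S xor S'.  A random permutation satisfies this with probability
    2^(-8n), so True identifies the 3-round scheme; 4+ rounds return False.
    """
    n = cipher.n
    L, R = bytes(range(n)), bytes(range(n, 2 * n))  # constructed query values
    d = b"\x01" + bytes(n - 1)
    ST = cipher.encrypt(L + R)
    S2T2 = cipher.encrypt(xor(L, d) + R)
    S, S2, T2 = ST[:n], S2T2[:n], S2T2[n:]
    P = cipher.decrypt(S2 + xor(T2, d))
    return P[n:] == xor(xor(R, S), S2)


def cbc_encrypt(cipher: LubyRackoff, iv: bytes, data: bytes) -> bytes:
    """CBC with an explicit IV: the IV travels in clear ahead of the ciphertext."""
    bs = 2 * cipher.n
    assert len(iv) == bs and len(data) % bs == 0, "caller pads to the block size"
    out, prev = bytearray(iv), iv
    for off in range(0, len(data), bs):
        prev = cipher.encrypt(xor(data[off : off + bs], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(cipher: LubyRackoff, payload: bytes) -> bytes:
    """Inverse of cbc_encrypt: the leading block is the IV."""
    bs = 2 * cipher.n
    iv, ct = payload[:bs], payload[bs:]
    out, prev = bytearray(), iv
    for off in range(0, len(ct), bs):
        block = ct[off : off + bs]
        out += xor(cipher.decrypt(block), prev)
        prev = block
    return bytes(out)


if __name__ == "__main__":
    key = os.urandom(32)
    for rounds in (3, 4, 6):
        c = LubyRackoff(key, rounds)
        print(rounds, "rounds: 3-round distinguisher fires =", three_round_cca_distinguisher(c))
    c = LubyRackoff(key, 4)
    msg = b"sixteen byte msg" * 2
    wire = cbc_encrypt(c, os.urandom(16), msg)  # fresh random IV per message
    assert cbc_decrypt(c, wire) == msg
```

The distinguisher needs a decryption oracle, which is exactly the difference between pseudorandomness (chosen-plaintext, where 3 rounds suffice) and strong pseudorandomness (chosen-plaintext and chosen-ciphertext, where 4 rounds are needed); the paper's O(m^2/2^n) bound for 3 or 4 rounds and the sharper bound for 6 or more are statements about how many such queries an adversary needs.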

Book ChapterDOI
17 Aug 1998
TL;DR: A timing attack on the RC5 block encryption algorithm is described, showing that, for the nominal version of RC5, only a few thousand ciphertexts are required to determine 5 bits of the last half-round subkey with high probability.
Abstract: This paper describes a timing attack on the RC5 block encryption algorithm. The analysis is motivated by the possibility that some implementations of RC5 could result in the data-dependent rotations taking a time that is a function of the data. Assuming that encryption timing measurements can be made which enable the cryptanalyst to deduce the total amount of rotations carried out during an encryption, it is shown that, for the nominal version of RC5, only a few thousand ciphertexts are required to determine 5 bits of the last half-round subkey with high probability. Further, it is shown that it is practical to determine the whole secret key with about 2^20 encryption timings with a time complexity that can be as low as 2^28.

Dissertation
01 Jan 1998
TL;DR: Various optimisation heuristics were found to provide a successful method of automated cryptanalysis of a variety of the classical ciphers and to enhance existing fast correlation attacks on certain stream ciphers.
Abstract: The aim of the research presented in this thesis is to investigate the use of various optimisation heuristics in the fields of automated cryptanalysis and automated cryptographic function generation. These techniques were found to provide a successful method of automated cryptanalysis of a variety of the classical ciphers. Also, they were found to enhance existing fast correlation attacks on certain stream ciphers. A previously proposed attack on the knapsack cipher is shown to be flawed due to the absence of a suitable solution evaluation mechanism. Finally, a new approach for finding highly nonlinear Boolean functions is introduced.

Patent
04 Feb 1998
TL;DR: In this article, a method and apparatus for an advanced symmetric key cipher for encryption and decryption, using a block cipher algorithm, is presented, where different block sizes and key sizes are supported, and a different sub-key is used in each round.
Abstract: A method and apparatus for an advanced symmetric key cipher for encryption and decryption, using a block cipher algorithm. Different block sizes and key sizes are supported, and a different sub-key is used in each round. Encryption is computed using a variable number of rounds of mixing, permutation, and key-dependent substitution. Decryption uses a variable number of rounds of key-dependent inverse substitution, inverse permutation and inverse mixing. The variable length sub-keys are data-independent, and can be precomputed.

Book ChapterDOI
23 Mar 1998
TL;DR: The block cipher RC2 was designed in 1989 by Ron Rivest for RSA Data Security Inc.; this paper describes the cipher and preliminary attempts to apply both differential and linear cryptanalysis to it.
Abstract: The block cipher RC2 was designed in 1989 by Ron Rivest for RSA Data Security Inc. In this paper we describe both the cipher and preliminary attempts to apply both differential and linear cryptanalysis.

Book ChapterDOI
17 Aug 1998
TL;DR: This work reports an implementation of IDEA on a Pentium MMX that is 1.65 times faster than any previously known implementation on the Pentium, and reaches an unprecedented 78 Mbits/s throughput per output block on a 166 MHz MMX.
Abstract: MMX is a new technology to accelerate multimedia applications on Pentium processors. We report an implementation of IDEA on a Pentium MMX that is 1.65 times faster than any previously known implementation on the Pentium. By parallelizing four IDEA instances we reach an unprecedented 78 Mbits/s throughput per output block on a 166 MHz MMX. In the light of the rapidly increasing popularity of multimedia applications, causing more dedicated hardware to be built, and observing that most of the current block ciphers do not benefit from MMX, we raise the problem of designing block ciphers (and encryption modes) that fully utilize the basic operations of multimedia.

Patent
23 Feb 1998
TL;DR: In this patent, a symmetric key block cipher with variable block sizes and key sizes is presented, as well as a variable number of rounds; subkeys are used in some but not all stages, and the variable-length keys can be precomputed.
Abstract: The present invention provides a technique, system, and computer program for a symmetric key block cipher. Variable block sizes and key sizes are supported, as well as a variable number of rounds. The cipher uses multiple stages of processing, where the stages have different structures and different subround functions, to provide excellent resistance to both linear and differential attacks. Feistel Type-1 and Type-3 are both used, each during different stages. The number of rounds may vary among stages. Subkeys are used in some, but not all, stages. The variable-length keys can be precomputed. A novel manner of using data-dependent rotation in a cipher is defined.

Patent
Charles M. Doland
01 Dec 1998
TL;DR: In this paper, a pseudo-random sequence of integers is generated by selecting the least significant bit from each integer value and then used to encrypt a message using a selected encryption algorithm such as the XOR algorithm.
Abstract: A method is provided for generating a pseudo-random sequence of integers, and the method is applied to the encryption of messages. The method uses a key K and a pair of prime numbers p and q, where q=2p+1. According to one aspect of the invention, a sequence of integers is formed. A sequence of bits is then formed from the sequence of integers, e.g., by selecting the least significant bit from each integer value. The sequence of bits is then used to encrypt a message using a selected encryption algorithm such as the XOR algorithm. Since prime numbers p and q can be selected to be larger than key K, the repeating period of the sequence of integers is larger than that permitted by the bit length of K.

Journal Article
TL;DR: In this paper, the authors provide an overview of the design principles of a large number of recent cryptographic primitives, covering the global structure, the number of rounds, the way of introducing nonlinearity and diffusion, and the key schedule.
Abstract: This paper examines proposals for three cryptographic primitives: block ciphers, stream ciphers, and hash functions. It provides an overview of the design principles of a large number of recent proposals, which includes the global structure, the number of rounds, the way of introducing non-linearity and diffusion, and the key schedule. The software performance of about twenty primitives is compared based on highly optimized implementations for the Pentium. The goal of the paper is to provide a technical perspective on the wide variety of primitives that exist today.

Book ChapterDOI
23 Aug 1998
TL;DR: In this article, the authors present a method for efficient conversion of chosen plaintext attacks into the more practical known plaintext and ciphertext-only attacks, and demonstrate the effectiveness of their method by practical attacks on the block cipher Madryga and on round-reduced versions of RC5 and DES.
Abstract: We present a method for efficient conversion of differential (chosen plaintext) attacks into the more practical known plaintext and ciphertext-only attacks. Our observation may save up to a factor of 2^20 in data over the known methods, assuming that plaintext is ASCII encoded English (or some other types of highly redundant data). We demonstrate the effectiveness of our method by practical attacks on the block cipher Madryga and on round-reduced versions of RC5 and DES.

Patent
23 Feb 1998
TL;DR: In this paper, a symmetric key block cipher with variable block sizes and key sizes is presented, as well as a variable number of rounds, where variable-length keys can be precomputed in some but not all stages.
Abstract: The present invention provides a technique, system, and computer program for a symmetric key block cipher. Variable block sizes and key sizes are supported, as well as a variable number of rounds. The cipher uses multiple stages of processing, where the stages have different structures and different subround functions, to provide excellent resistance to both linear and differential attacks. Feistel Type-3 networks are used, with different networks during different stages. The number of rounds may vary among stages. Subkeys are used in some, but not all, stages. The variable-length keys can be precomputed. A novel manner of using multiplication in a cipher is defined.

Patent
04 Feb 1998
TL;DR: In this paper, a byte-oriented symmetric key cipher for encryption and decryption is proposed, where different block sizes and key sizes are supported, and a different sub-key is used in each round.
Abstract: A method and apparatus for an advanced byte-oriented symmetric key cipher for encryption and decryption, using a block cipher algorithm. Different block sizes and key sizes are supported, and a different sub-key is used in each round. Encryption is computed using a variable number of rounds of mixing, permutation, and key-dependent substitution. Decryption uses a variable number of rounds of key-dependent inverse substitution, inverse permutation, and inverse mixing. The variable length sub-keys are data-independent, and can be precomputed.

Patent
Chang-Hyi Lee, Cha Young-Tae
11 Jun 1998
TL;DR: In this patent, the authors propose a block cipher algorithm based on the prior Feistel type block cipher (DES-like) algorithm, in which the round input data block is divided into 8-bit sub-blocks and each sub-block except the first is fed, combined with the output of the previous S-box, into a 256×8 S-box.
Abstract: The present invention relates to a block cipher algorithm based on the prior Feistel type block cipher algorithm (or similar to the DES algorithm). Usually the security of a Feistel type block cipher algorithm depends on the structure of its round function. More specifically, the present invention relates to the round function structure of the Feistel type block cipher algorithm, in the instance that the round input data block is divided into 8-bit blocks and the divided sub-blocks are fed, with the combined output data of the previous S-box, into a 256×8 S-box, except for the first input sub-data block. The first sub-data block is fed directly into the first S-box. The total output data block, after these steps, is rotated by 8 bits and this rotated result is the output of the current round function.

01 Jan 1998
TL;DR: The proposed candidate, called DFC for "Decorrelated Fast Cipher", is based on the recent decorrelation technique and provides provable security against several classes of attacks, which include differential cryptanalysis and linear cryptanalysis.
Abstract: This report presents a response to the call for candidates issued by the National Institute of Standards and Technology (the Advanced Encryption Standard project). The proposed candidate, called DFC for "Decorrelated Fast Cipher", is based on the recent decorrelation technique. This provides provable security against several classes of attacks which include Differential Cryptanalysis and Linear Cryptanalysis.

Book ChapterDOI
05 Feb 1998
TL;DR: The aim of this paper is to propose a novel one-way hash function based on cellular automata whose cryptographic properties have been extensively studied over the past decade or so and which is especially suitable for compact and fast implementation in hardware.
Abstract: One-way hash functions are an important tool in achieving authentication and data integrity. The aim of this paper is to propose a novel one-way hash function based on cellular automata, whose cryptographic properties have been extensively studied over the past decade or so. Furthermore, the security of the proposed one-way hash function is analyzed by the use of very recently published results on applications of cellular automata in cryptography. The analysis indicates that the one-way hash function is secure against all known attacks. An important feature of the proposed one-way hash function is that it is especially suitable for compact and fast implementation in hardware, which is particularly attractive to emerging security applications that employ smart cards, such as digital identification cards and electronic cash payment protocols.

01 Jan 1998
TL;DR: This paper describes LOKI97, a new private key block cipher with 128-bit data and a 256-bit key schedule, which can be initialised by 128, 192, or 256- bit keys.
Abstract: This paper describes LOKI97, a new private key block cipher with 128-bit data and a 256-bit key schedule, which can be initialised by 128-, 192-, or 256-bit keys. The data computation uses 16 rounds of a balanced Feistel network with a complex function f which incorporates two S-P layers. The 256-bit key schedule uses 48 rounds of an unbalanced Feistel network using the same complex function f to generate the subkeys. The cipher specification is given, followed by some background and design considerations, and a preliminary analysis.

Proceedings Article
23 Mar 1998
TL;DR: In this paper, the authors presented a new block cipher which offers good encryption rate on any platform and is particularly optimized for hardware implementation where the expected rate is several Gbps on a small dedicated chip working at 30MHz.
Abstract: This paper presents a new block cipher which offers a good encryption rate on any platform. It is particularly optimized for hardware implementation, where the expected rate is several Gbps on a small dedicated chip working at 30 MHz. Its design combines up-to-date, state-of-the-art concepts in order to make it (hopefully) secure: a diffusion network based on the Fast Fourier Transform, multipermutations, and highly nonlinear confusion boxes.