Showing papers on "Block cipher", published in 1999
••
[...]
TL;DR: This paper disproves the oft-repeated claim that eliminating all high-probability differentials for the whole cipher is sufficient to guarantee security against differential attacks, and shows how to break COCONUT98, a cipher designed using decorrelation techniques to ensure provable security against differential attacks.
Abstract: This paper describes a new differential-style attack, which we call the boomerang attack. This attack has several interesting applications. First, we disprove the oft-repeated claim that eliminating all high-probability differentials for the whole cipher is sufficient to guarantee security against differential attacks. Second, we show how to break COCONUT98, a cipher designed using decorrelation techniques to ensure provable security against differential attacks, with an advanced differential-style attack that needs just 2^16 adaptively chosen texts. Also, to illustrate the power of boomerang techniques, we give new attacks on Khufu-16, FEAL-6, and 16 rounds of CAST-256.
611 citations
01 Jan 1999
TL;DR: MARS is designed to take advantage of the powerful operations supported in today’s computers, resulting in a much improved security/performance tradeoff over existing ciphers, and offers better security than triple DES while running significantly faster than single DES.
Abstract: We describe MARS, a shared-key (symmetric) block cipher supporting 128-bit blocks and variable key size. MARS is designed to take advantage of the powerful operations supported in today's computers, resulting in a much improved security/performance tradeoff over existing ciphers. As a result, MARS offers better security than triple DES while running significantly faster than single DES. The current C implementation runs at rates of about 65 Mbit/sec on a 200 MHz Pentium Pro, and 85 Mbit/sec on a 200 MHz PowerPC. In hardware, MARS can achieve a 10x speedup factor. Still, both hardware and software implementations of MARS are remarkably compact, and easily fit on a smartcard and in other limited-resource environments. The combination of high security, high speed, and flexibility makes MARS an excellent choice for the encryption needs of the information world well into the next century. MARS: IBM submission to AES.
217 citations
••
24 Mar 1999
TL;DR: The application of a new cryptanalytic technique based on impossible differentials to the block ciphers IDEA and Khufu shows that it is applicable to a larger class of cryptosystems, and develops new technical tools for applying it in new situations.
Abstract: In a recent paper we developed a new cryptanalytic technique based on impossible differentials, and used it to attack the Skipjack encryption algorithm reduced from 32 to 31 rounds. In this paper we describe the application of this technique to the block ciphers IDEA and Khufu. In both cases the new attacks cover more rounds than the best currently known attacks. This demonstrates the power of the new cryptanalytic technique, shows that it is applicable to a larger class of cryptosystems, and develops new technical tools for applying it in new situations.
168 citations
••
15 Aug 1999
TL;DR: It is proved that Optimal Asymmetric Encryption Padding (OAEP) satisfies these definitions (in the random oracle model) and is the first construction of an AONT that has been proven secure in the strong sense.
Abstract: This paper studies All-or-Nothing Transforms (AONTs), which have been proposed by Rivest as a mode of operation for block ciphers. An AONT is an unkeyed, invertible, randomized transformation, with the property that it is hard to invert unless all of the output is known. Applications of AONTs include improving the security and speed of encryption. We give several formal definitions of security for AONTs that are stronger and more suited to practical applications than the original definitions. We then prove that Optimal Asymmetric Encryption Padding (OAEP) satisfies these definitions (in the random oracle model). This is the first construction of an AONT that has been proven secure in the strong sense. Our bound on the adversary's advantage is nearly optimal, in the sense that no adversary can do substantially better against the OAEP than by exhaustive search. We also show that no AONT can achieve substantially better security than OAEP.
100 citations
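The abstract above defines an AONT as an unkeyed, randomized, invertible transform that cannot be inverted unless all of the output is known, and states that OAEP is one. The following is an added illustration of that construction, not code from the paper: a two-round OAEP over arbitrary-length input, with SHAKE256 standing in for the random oracles G and H (an assumed instantiation) and a 32-byte seed r (an assumed parameter). The function bits_disturbed_by_one_output_bit shows the all-or-nothing behaviour in the small: changing a single bit of either half of the output scrambles essentially every bit of the recovered input, so an attacker missing even one output bit learns nothing about the input without guessing that bit.

```python
import hashlib
import secrets
from typing import Optional

R_LEN = 32  # byte length of the random seed r (assumed parameter, not from the paper)


def G(r: bytes, n: int) -> bytes:
    """Mask generator G: expands the seed r to n bytes. SHAKE256 stands in for the random oracle."""
    return hashlib.shake_256(b"OAEP-G" + r).digest(n)


def H(s: bytes) -> bytes:
    """Mask generator H: hashes the masked data s down to R_LEN bytes (second random oracle)."""
    return hashlib.shake_256(b"OAEP-H" + s).digest(R_LEN)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def oaep_transform(x: bytes, r: Optional[bytes] = None) -> bytes:
    """Unkeyed, randomized, invertible: y = s || t with s = x XOR G(r) and t = r XOR H(s)."""
    r = secrets.token_bytes(R_LEN) if r is None else r
    if len(r) != R_LEN:
        raise ValueError("seed must be R_LEN bytes")
    s = xor(x, G(r, len(x)))
    t = xor(r, H(s))
    return s + t


def oaep_invert(y: bytes) -> bytes:
    """Inversion needs the whole output: r is only recoverable from t together with all of s."""
    if len(y) < R_LEN:
        raise ValueError("output too short to contain the seed block")
    s, t = y[:-R_LEN], y[-R_LEN:]
    r = xor(t, H(s))
    return xor(s, G(r, len(s)))


def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(p ^ q).count("1") for p, q in zip(a, b))


def bits_disturbed_by_one_output_bit(x: bytes, r: bytes, bit_index: int) -> int:
    """Flip one bit of y = OAEP(x; r) and count how many bits of the recovered input change.
    A bit in s changes r (via H) and hence all of G(r); a bit in t changes r directly.
    Either way roughly half of the recovered bits flip, i.e. partial output gives no foothold."""
    y = bytearray(oaep_transform(x, r))
    y[bit_index // 8] ^= 1 << (bit_index % 8)
    return hamming(x, oaep_invert(bytes(y)))


if __name__ == "__main__":
    x = bytes(range(64))       # constructed 64-byte sample input
    r = bytes(range(R_LEN))    # fixed seed so the run is reproducible
    assert oaep_invert(oaep_transform(x, r)) == x
    for bit in (0, 8 * 37, 8 * len(x) + 3):   # two bits inside s, one inside t
        print(f"flip bit {bit}: {bits_disturbed_by_one_output_bit(x, r, bit)} of {8 * len(x)} input bits change")
```

With a real seed, oaep_transform must be called with r=None so that a fresh seed is drawn per message; the fixed seed in the demonstration only exists to make the run reproducible.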
••
14 Nov 1999
TL;DR: This paper investigates the Lai-Massey scheme used in IDEA, shows that it cannot be used as is to obtain results like the Luby-Rackoff theorem, and proposes a block cipher family called Walnut.
Abstract: Constructing a block cipher requires defining a random permutation, which is usually done with the Feistel scheme and its variants. In this paper we investigate the Lai-Massey scheme which was used in IDEA. We show that we cannot use it "as is" in order to obtain results like the Luby-Rackoff theorem. This can however be done by introducing a simple function which has an orthomorphism property. We also show that this design offers nice decorrelation properties, and we propose a block cipher family called Walnut.
99 citations
••
04 Mar 1999
Abstract: We uncover a new class of attacks that can potentially affect any cryptographic protocol. The attack is performed by an adversary that at some point has access to the physical memory of a participant, including all its previous states.
In order to protect protocols from such attacks, we introduce a cryptographic primitive that we call erasable memory. Using this primitive, it is possible to implement the essential cryptographic action of forgetting a secret. We show how to use a small erasable memory in order to transform a large non-erasable memory into a large and erasable memory. In practice, this shows how to turn any type of storage device into a storage device that can selectively forget. Moreover, the transformation can be performed using the minimal assumption of the existence of any one-way function, and can be implemented using any block cipher, in which case it is quite efficient. We conclude by suggesting some concrete implementations of small amounts of erasable memory.
98 citations
••
24 Mar 1999
TL;DR: It is demonstrated that a weakness of this type can be used to construct a trapdoor that may be difficult to detect, and some implications for block cipher design are noted.
Abstract: An iterated block cipher can be regarded as a means of producing a set of permutations of a message space. Some properties of the group generated by the round functions of such a cipher are known to be of cryptanalytic interest. It is shown here that if this group acts imprimitively on the message space then there is an exploitable weakness in the cipher. It is demonstrated that a weakness of this type can be used to construct a trapdoor that may be difficult to detect. An example of a DES-like cipher, resistant to both linear and differential cryptanalysis that generates an imprimitive group and is easily broken, is given. Some implications for block cipher design are noted.
80 citations
••
15 Aug 1999
TL;DR: This paper considers the design of iterated MACs under the (minimal) assumption that the given FIL primitive is itself a MAC, looks at three popular transforms, namely CBC, Feistel and the Merkle-Damgård method, and shows that only the third preserves unforgeability.
Abstract: Practical MACs are typically designed by iterating applications of some fixed-input-length (FIL) primitive, namely one like a block cipher or compression function that only applies to data of a fixed length. Existing security analyses of these constructions either require a stronger security property from the FIL primitive (e.g. pseudorandomness) than the unforgeability required of the final MAC, or, as in the case of HMAC, make assumptions about the iterated function itself. In this paper we consider the design of iterated MACs under the (minimal) assumption that the given FIL primitive is itself a MAC. We look at three popular transforms, namely CBC, Feistel and the Merkle-Damgård method, and ask for each whether it preserves unforgeability. We show that the answer is no in the first two cases and yes in the third. The last yields an alternative cryptographic hash function based MAC which is secure under weaker assumptions than existing ones, although at a slight increase in cost.
80 citations
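The abstract states that the CBC transform does not preserve unforgeability. The paper's own separating construction is not reproduced on this page; the following added example instead shows the textbook reason CBC iteration of a FIL MAC is not, by itself, a variable-input-length MAC: with two one-block queries an adversary with no key produces a valid tag on a two-block message it never asked about. The FIL primitive is instantiated here as HMAC-SHA256 truncated to 16 bytes and the block size is 16 bytes; both are assumptions for the demonstration, not choices from the paper.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # byte length of the FIL primitive's input and of its tag (assumed)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def fil_mac(key: bytes, block: bytes) -> bytes:
    """Fixed-input-length MAC: exactly BLOCK bytes in, BLOCK bytes of tag out.
    HMAC-SHA256 truncated to BLOCK bytes stands in for the FIL primitive (assumed instantiation)."""
    if len(block) != BLOCK:
        raise ValueError("FIL primitive only accepts exactly one block")
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """CBC iteration of fil_mac: zero IV, each block XORed into the running tag, last tag returned."""
    if not msg or len(msg) % BLOCK:
        raise ValueError("message must be a non-empty multiple of BLOCK bytes")
    t = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        t = fil_mac(key, xor(t, msg[i:i + BLOCK]))
    return t


def forge(tag_oracle, m1: bytes, m2: bytes):
    """Existential forgery using two one-block tagging queries and no key material.
    The second block of the forged message cancels the chaining value:
    tag(m1 || (m2 XOR t1)) = f(k, m2 XOR t1 XOR t1) = f(k, m2) = t2."""
    t1 = tag_oracle(m1)
    t2 = tag_oracle(m2)
    forged_msg = m1 + xor(m2, t1)
    return forged_msg, t2


def forgery_succeeds(key: bytes, m1: bytes, m2: bytes) -> bool:
    """Run the forgery against a tagging oracle and verify the forged pair is fresh and valid."""
    queried = set()

    def oracle(m: bytes) -> bytes:
        queried.add(m)
        return cbc_mac(key, m)

    forged_msg, forged_tag = forge(oracle, m1, m2)
    return forged_msg not in queried and cbc_mac(key, forged_msg) == forged_tag


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # the forger never sees this
    # constructed sample messages, one block each
    print(forgery_succeeds(key, b"block one of msg", b"block two of msg"))
```

The forgery works for any FIL primitive, which is why raw CBC-MAC is only ever used on messages of one fixed number of blocks; a construction for arbitrary lengths needs extra structure, and the paper's point is that the Merkle-Damgård iteration provides it while assuming nothing more than unforgeability of the FIL primitive.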
••
TL;DR: A secure communication architecture for the GSM network is proposed that uses public-key cryptography for user authentication and a stream cipher for message encryption and decryption; an authentication protocol and a key generation method are presented.
Abstract: With the advance of wireless communications technology, mobile communication has become more convenient than ever. However, because of the openness of wireless communications, the protection of the privacy between communicating parties is becoming a very important issue. We focus on the security of the Global System for Mobile communication (GSM) networks. A secure communication architecture for the GSM network is proposed. In the proposed architecture, we use public-key cryptography for user authentication and a stream cipher for message encryption and decryption. An authentication protocol and a key generation method are presented in conjunction with the proposed architecture. Cryptanalysis and operational analysis show that the authentication protocol is secure and efficient. Simulation results indicate that the key generation method can always produce key strings of evenly distributed 0s and 1s and with infinite period.
79 citations
••
24 Mar 1999
TL;DR: The revised version of CRYPTON is presented, with minor weaknesses in the key schedule fixed and undesirable properties of the S-boxes removed, together with its preliminary analysis.
Abstract: The block cipher CRYPTON has been proposed as a candidate algorithm for the Advanced Encryption Standard (AES). To fix some minor weaknesses in the key schedule and to remove some undesirable properties in the S-boxes, we made some changes to the AES proposal, namely in the S-box construction and key scheduling. This paper presents the revised version of CRYPTON and its preliminary analysis.
••
24 Mar 1999
TL;DR: The VIL mode of operation makes a variable-input-length cipher from any block cipher, and is demonstrably secure in the provable-security sense of modern cryptography: a quantitative security analysis relates the difficulty of breaking the constructed (variable-input-length) cipher to the difficulty of breaking the underlying block cipher.
Abstract: Whereas a block cipher enciphers messages of some one particular length (the blocklength), a variable-input-length cipher takes messages of varying (and preferably arbitrary) lengths. Still, the length of the ciphertext must equal the length of the plaintext. This paper introduces the problem of constructing such objects, and provides a practical solution. Our VIL mode of operation makes a variable-input-length cipher from any block cipher. The method is demonstrably secure in the provable-security sense of modern cryptography: we give a quantitative security analysis relating the difficulty of breaking the constructed (variable-input-length) cipher to the difficulty of breaking the underlying block cipher.
•
22 Jun 1999
TL;DR: In this article, a mixing function is used to combine a pseudo-random number generator with a plaintext message to produce a block-by-block ciphertext, which preserves the advantages of a block cipher in terms of data confidentiality and data integrity, as well as benefiting from the speed advantage of a stream cipher.
Abstract: An encryption system comprises a pseudo-random number generator (KS) for generating a long pseudo-random sequence (S) from a shorter encryption key (K) and, if necessary, a nonce value (N), and a mixing function (MX) for combining the sequence with a plaintext message (P) on a block-by-block basis, where successive blocks (S(i)) of 128 bits of the sequence are combined with successive 64-bit blocks of plaintext (P(i)) to produce successive 64-bit blocks of ciphertext. The blockwise use of a long pseudo-random sequence preserves the advantages of a block cipher in terms of data confidentiality and data integrity, as well as benefiting from the speed advantages of a stream cipher.
••
01 Jan 1999
TL;DR: This work provides a formal framework in which to study the security of RKESs and gives an RKES that satisfies the formal security requirements and is efficient in that the amount of communication and computation required of the smart-card is independent of the input size.
Abstract: Remotely keyed encryption schemes (RKESs), introduced by Blaze [6], support high-bandwidth cryptographic applications (such as encrypted video conferences) in which long-lived secrets (such as users' private keys) never leave lower-bandwidth environments such as secure smart-cards. We provide a formal framework in which to study the security of RKESs and give an RKES that satisfies our formal security requirements. Our RKES is efficient in that the amount of communication and computation required of the smart-card is independent of the input size. Our proof of security uses the pseudorandom permutation framework of Naor and Reingold [14] in an essential way.
••
24 Mar 1999
TL;DR: Mod n cryptanalysis is a form of partitioning attack that is effective against ciphers which rely on modular addition and bit rotations for their security, and the general attack is extensible to other values of n.
Abstract: We introduce "mod n cryptanalysis," a form of partitioning attack that is effective against ciphers which rely on modular addition and bit rotations for their security. We demonstrate this attack with a mod 3 attack against RC5P, an RC5 variant that uses addition instead of XOR. We also show mod 5 and mod 257 attacks against some versions of a family of ciphers used in the FireWire standard. We expect mod n cryptanalysis to be applicable to many other ciphers, and that the general attack is extensible to other values of n.
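The abstract says that rotation and modular addition leak information modulo n; it does not show why. The following added example (not from the paper) makes the two observations behind the attack concrete for an 8-bit word, chosen so that every table can be enumerated exactly. Because 2^W - 1 is a multiple of n for suitable n (255 = 3 * 5 * 17 here, and 2^32 - 1 is divisible by 3, 5 and 257, which is where the page's mod 3, mod 5 and mod 257 attacks come from), a rotation by r bits is exactly multiplication by 2^r mod n, and addition mod 2^W is addition mod n up to the single carry-out bit, so the residue of a sum is confined to two of the n possible values. The functions generalise over n rather than fixing n = 3; the word size W and the exhaustive enumeration are assumptions of the demonstration.

```python
W = 8          # word size in bits (assumed small so the tables below can be enumerated exactly)
MOD = 1 << W   # 2^W; 2^W - 1 = 255 = 3 * 5 * 17, so n in {3, 5, 17} satisfies 2^W ≡ 1 (mod n)


def rotl(x: int, r: int) -> int:
    """Left rotation of a W-bit word."""
    r %= W
    return ((x << r) | (x >> (W - r))) & (MOD - 1)


def rotation_rule_holds(n: int, r: int) -> bool:
    """rot_r(x) = 2^r * x mod (2^W - 1), hence for n | 2^W - 1: rot_r(x) ≡ 2^r * x (mod n).
    Checked exhaustively over all W-bit words, so the rotation leaks the residue exactly."""
    if (MOD - 1) % n:
        raise ValueError("n must divide 2^W - 1")
    return all(rotl(x, r) % n == (pow(2, r, n) * x) % n for x in range(MOD))


def add_residue_counts(n: int):
    """Exact joint table: for each (a mod n, b mod n), how often (a + b) mod 2^W lands on each residue mod n."""
    counts = {}
    for a in range(MOD):
        for b in range(MOD):
            row = counts.setdefault((a % n, b % n), [0] * n)
            row[((a + b) % MOD) % n] += 1
    return counts


def impossible_residues(n: int):
    """Residues of (a + b) mod 2^W that never occur for a given (a mod n, b mod n).
    (a + b) mod 2^W = a + b - c * 2^W with carry-out c in {0, 1}, and 2^W ≡ 1 (mod n),
    so the sum is ≡ a + b - c (mod n): only two residues are reachable, the other n - 2 never appear."""
    return {key: [s for s, c in enumerate(row) if c == 0]
            for key, row in add_residue_counts(n).items()}


def max_bias(n: int) -> float:
    """Largest deviation from the uniform 1/n over all conditional rows.
    Anything above 0 is a partition an attacker can distinguish given enough texts."""
    best = 0.0
    for row in add_residue_counts(n).values():
        best = max(best, max(row) / sum(row) - 1.0 / n)
    return best


if __name__ == "__main__":
    for n in (3, 5, 17):
        print(f"n={n}: rotation rule holds for all r: "
              f"{all(rotation_rule_holds(n, r) for r in range(1, W))}, "
              f"max bias of a+b mod {n}: {max_bias(n):.3f}")
    print("mod 3, (a,b) ≡ (1,1): impossible sum residues", impossible_residues(3)[(1, 1)])
```

The bias is what the attack exploits: rotation and addition keyed by unknown words still map the residue of the input to a predictable, non-uniform distribution over the residue of the output, and XOR, which does not respect residues, is exactly what RC5P removed.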
••
12 Aug 1999
TL;DR: By locally observing the value of a few RAM or address bus bits during the execution of a cryptographic algorithm, an attacker could easily recover information on the secret key being used.
Abstract: This paper describes a new type of attack on tamper-resistant cryptographic hardware. We show that by locally observing the value of a few RAM or address bus bits (possibly a single one) during the execution of a cryptographic algorithm, typically by means of a probe (needle), an attacker could easily recover information on the secret key being used; our attacks apply to public-key cryptosystems such as RSA or El Gamal, as well as to secret-key encryption schemes including DES and RC5.
14 Jul 1999
TL;DR: In this article, the authors describe an algorithm called Arcfour that is believed to be fully interoperable with the RC4 algorithm, which will allow for a smoother transition to protocols that have been developed through the IETF standards process.
Abstract: This document describes an algorithm here called Arcfour that is believed to be fully interoperable with the RC4 algorithm. RC4 is a trademark of RSA Data Security, Inc. There is a need in the Internet community for an encryption algorithm that provides interoperable operation with existing deployed commercial cryptographic applications. This interoperability will allow for a smoother transition to protocols that have been developed through the IETF standards process.
01 Jan 1999
TL;DR: The proposed attack is a generalization of the higher order differential attack to a probabilistic one and introduces a notion of higher order bent functions in order to prevent the attack.
Abstract: We first show that a Feistel type block cipher is broken if the round function is approximated by a low degree vectorial Boolean function. The proposed attack is a generalization of the higher order differential attack to a probabilistic one. We next introduce a notion of higher order bent functions in order to prevent our attack. We then show their explicit constructions.
••
24 Mar 1999
TL;DR: A known plaintext attack is described that can break RC5-32 (block size 64) with 10 rounds and RC5-64 (block size 128) with 15 rounds; these are the best known plaintext attacks on RC5, have negligible storage requirements and make no assumption on the plaintext distribution.
Abstract: In this paper we evaluate the resistance of the block cipher RC5 against linear cryptanalysis. We describe a known plaintext attack that can break RC5-32 (block size 64) with 10 rounds and RC5-64 (block size 128) with 15 rounds. In order to do this we use techniques related to the use of multiple linear approximations. Furthermore the success of the attack is largely based on the linear hull effect. To our knowledge, at this moment these are the best known plaintext attacks on RC5, which have negligible storage requirements and do not make any assumption on the plaintext distribution. Furthermore we discuss the impact of our attacking method on the AES candidate RC6, whose design was based on RC5.
••
24 Mar 1999
TL;DR: A new design tool for "block encryption", allowing the en/decryption of arbitrarily long messages but performing en/decryption on only a single block, where the rest of the message is only processed by a good scrambling function.
Abstract: In this paper, we propose a new design tool for "block encryption", allowing the en/decryption of arbitrarily long messages, but performing en/decryption on only a single block (e.g., a 128-bit block), where the rest of the message is only processed by a good scrambling function (e.g., one based on an ideal hash function). The design can be a component in constructing various schemes where the above properties give an advantage. A quite natural use of our scheme is for remotely keyed encryption. We actually solve an open problem (at least in the relaxed ideal hash model and where hosts are allowed to add randomness and integrity checks, thus giving a length-increasing function); namely, we show the existence of a secure remotely keyed encryption scheme which performs only one interaction with the smart-card device.
••
20 Sep 1999
TL;DR: The WAP WTLS protocol was designed to provide privacy, data integrity, and authentication for wireless terminals and will be contained in millions of devices in a few years.
Abstract: The WAP WTLS protocol was designed to provide privacy, data integrity, and authentication for wireless terminals. The protocol is currently being fielded, and it is expected that the protocol will be contained in millions of devices in a few years.
••
24 Mar 1999
TL;DR: The paper provides new constructions for Luby-Rackoff block ciphers which are efficient in terms of computations and key material used, and shows that some security guarantees can be made under much weaker and more practical assumptions about the underlying function.
Abstract: We provide new constructions for Luby-Rackoff block ciphers which are efficient in terms of computations and key material used. Next, we show that we can make some security guarantees for Luby-Rackoff block ciphers under much weaker and more practical assumptions about the underlying function; namely, that the underlying function is a secure Message Authentication Code. Finally, we provide a SHA-1 based example block cipher called Sha-zam.
01 Jan 1999
TL;DR: The AES candidate block ciphers Crypton, Mars, RC6, Rijndael, and Serpent were implemented on the Motorola 6805 series 8-bit architecture and their performance, including ROM and RAM sizes and time to encrypt a single block was measured in simulation.
Abstract: The AES candidate block ciphers Crypton, Mars, RC6, Rijndael, and Serpent were implemented on the Motorola 6805 series 8-bit architecture. Their performance, including ROM and RAM sizes and time to encrypt a single block, was measured in simulation, and the results presented and compared with results for the other NIST cryptography algorithms SHA and DEA and previously published results for AES candidate Twofish. Rijndael was found to be the clear "winner", but the ciphers Crypton, Serpent, and Twofish also performed acceptably.
The NIST is currently evaluating block cipher algorithms as part of its Advanced Encryption Standard development effort. Among the requirements for the AES is that it should be efficient on small 8-bit processors as found in smart cards. Unfortunately, although most of the AES submissions presented performance estimates (sometimes even timings of actual implementations) for some kind of 8-bit processor, there were almost as many 8-bit processors used as there were submissions. In this paper, we hope to rectify this by implementing the most likely AES candidates for a single 8-bit platform, the Motorola 6805 series [3], and measuring their performance in simulation. The candidates chosen were Crypton, Mars, RC6, Rijndael, and Serpent. The authors of the Twofish AES submission [8] have already implemented Twofish on a 6805 CPU, so we simply quote their results below. These include the fastest five algorithms on the reference platform. There is some discussion below of the next two fastest candidates, CAST and E2.
1 The 6805 processors
The processor family we chose is based around the Motorola HC05 core. There are a large number of variants, all of which use the same instruction set and tim
Table 1: 68HC05-series processors. Columns: Part, RAM (bytes), EEPROM (bytes), ROM (bytes), typical package, price (USD). Only the first row survives: MC68HC705KJ1, 64 bytes RAM.
••
24 Mar 1999
TL;DR: This paper deals with truncated differential cryptanalysis of the 128-bit block cipher E2, an AES candidate designed and submitted by NTT, and shows a non-trivial seven-round byte characteristic which leads to a possible chosen-plaintext attack on E2 reduced to eight rounds without IT and FT.
Abstract: This paper deals with truncated differential cryptanalysis of the 128-bit block cipher E2, which is an AES candidate designed and submitted by NTT. Our analysis is based on byte characteristics, where a difference of two bytes is simply encoded into one bit of information, "0" (the same) or "1" (not the same). Since E2 is a strongly byte-oriented algorithm, this bytewise treatment of characteristics greatly simplifies a description of its probabilistic behavior and enables an analysis independent of the structure of its (unique) lookup table. As a result, we show a non-trivial seven-round byte characteristic, which leads to a possible attack on E2 reduced to eight rounds without IT and FT in a chosen plaintext scenario. We also show that by a minor modification of the byte order of the output of the round function, which neither reduces the complexity of the algorithm nor violates its design criteria, a non-trivial nine-round byte characteristic can be established, which results in a possible attack on the modified E2 reduced to ten rounds without IT and FT, and reduced to nine rounds with IT and FT. Our analysis does not have a serious impact on the full E2, since it has twelve rounds with IT and FT; however, our results show that the security level of the modified version against differential cryptanalysis is lower than the designers' estimation.
••
24 Mar 1999
TL;DR: This paper provides a formal treatment for differential, linear and truncated differential cryptanalysis, and applies it to CS-Cipher in order to prove that there exists no good characteristic for these attacks.
Abstract: CS-Cipher is a block cipher which was proposed at FSE 1998. It is a Markov cipher in which diffusion is performed by multipermutations. In this paper we first provide a formal treatment for differential, linear and truncated differential cryptanalysis, and we apply it to CS-Cipher in order to prove that there exists no good characteristic for these attacks. This holds under the approximation that all round keys of CS-Cipher are uniformly distributed and independent. For this we introduce a new technique for counting active S-boxes in computational networks by the Floyd-Warshall algorithm.
••
24 Mar 1999
TL;DR: It is shown that the theory behind the proposed constructions does not guarantee security against state-of-the-art differential attacks, and it is argued that the cipher does not obtain provable security against a differential attack.
Abstract: In the first part of this paper the decorrelation theory of Vaudenay is analysed. It is shown that the theory behind the proposed constructions does not guarantee security against state-of-the-art differential attacks. In the second part of this paper the proposed Decorrelated Fast Cipher (DFC), a candidate for the Advanced Encryption Standard, is analysed. It is argued that the cipher does not obtain provable security against a differential attack. Also, an attack on DFC reduced to 6 rounds is given.
25 Jan 1999
TL;DR: In this article, the authors analyze the security of rate-1 iterated hash functions whose round function uses a block cipher with an m-bit input (output) and a 2m-bit key, and show that a wide class of them is less secure than MDC-2.
Abstract: We analyze the security of iterated hash functions with rate 1 of the following form: the round function of the hash function uses a block cipher with an m-bit input (output) and a 2m-bit key, and the output of the hash function is 2m bits long. We first show a preimage attack with O(2^m) complexity on Yi and Lam's hash function of this type. This means that their claim is wrong and it is less secure than MDC-2. Next, it is shown that a very wide class of such functions is less secure than MDC-2. More precisely, we prove that there exist a preimage attack and a 2nd preimage attack with O(2^m) complexity and a collision attack with O(2^{3m/4}) complexity, respectively. Finally, we suggest a class of double block length hash functions which seem to be as secure as MDC-2. Key words: cryptanalysis, hash function, block cipher, meet-in-the-middle attack, birthday attack
••
02 May 1999
TL;DR: The main theorem makes it possible to prove security against iterated attacks of order d for the recently proposed block ciphers COCONUT98 and PEANUT98, as well as the AES candidate DFC.
Abstract: In this paper we study the resistance of a block cipher against a class of general attacks which we call "iterated attacks". This class includes some elementary versions of differential and linear cryptanalysis. We prove that we can upper bound the complexity of the attack by using decorrelation techniques. Our main theorem makes it possible to prove the security against these attacks (in our model) of some recently proposed block ciphers, COCONUT98 and PEANUT98, as well as the AES candidate DFC. We point out that decorrelation to the order 2d is required for proving security against iterated attacks of order d.