
Showing papers on "Block cipher published in 2011"


Book ChapterDOI
04 Dec 2011
TL;DR: This paper presents the novel technique of block cipher cryptanalysis with bicliques, which leads to the following results: the first key recovery method for the full AES-128 with computational complexity 2^126.1, and key recovery methods with lower complexity for the reduced-round versions of AES not considered before.
Abstract: Since Rijndael was chosen as the Advanced Encryption Standard (AES), improving upon 7-round attacks on the 128-bit key variant (out of 10 rounds) or upon 8-round attacks on the 192/256-bit key variants (out of 12/14 rounds) has been one of the most difficult challenges in the cryptanalysis of block ciphers for more than a decade. In this paper, we present the novel technique of block cipher cryptanalysis with bicliques, which leads to the following results: The first key recovery method for the full AES-128 with computational complexity 2^126.1. The first key recovery method for the full AES-192 with computational complexity 2^189.7. The first key recovery method for the full AES-256 with computational complexity 2^254.4. Key recovery methods with lower complexity for the reduced-round versions of AES not considered before, including cryptanalysis of 8-round AES-128 with complexity 2^124.9. Preimage search for compression functions based on the full AES versions faster than brute force. In contrast to most shortcut attacks on AES variants, we do not need to assume related keys. Most of our techniques only need a very small part of the codebook and have low memory requirements, and are practically verified to a large extent. As our cryptanalysis is of high computational complexity, it does not threaten the practical use of AES in any way.

543 citations


Proceedings ArticleDOI
22 May 2011
TL;DR: This paper considers the AES block cipher and presents an attack which is capable of recovering the full secret key in almost real time for AES-128, requiring only a very limited number of observed encryptions, and is the first working attack on AES implementations using compressed tables.
Abstract: Side channel attacks on cryptographic systems exploit information gained from physical implementations rather than theoretical weaknesses of a scheme. In recent years, major achievements were made for the class of so-called access-driven cache attacks. Such attacks exploit the leakage of the memory locations accessed by a victim process. In this paper we consider the AES block cipher and present an attack which is capable of recovering the full secret key in almost real time for AES-128, requiring only a very limited number of observed encryptions. Unlike previous attacks, we do not require any information about the plaintext (such as its distribution, etc.). Moreover, for the first time, we also show how the plaintext can be recovered without having access to the ciphertext at all. It is the first working attack on AES implementations using compressed tables. There, no efficient techniques to identify the beginning of AES rounds are known, which is the fundamental assumption underlying previous attacks. We have a fully working implementation of our attack which is able to recover AES keys after observing as little as 100 encryptions. It works against the OpenSSL 0.9.8n implementation of AES on Linux systems. Our spy process does not require any special privileges beyond those of a standard Linux user. A contribution of probably independent interest is a denial of service attack on the task scheduler of current Linux systems (CFS), which allows one to observe (on average) every single memory access of a victim process.

481 citations


Book ChapterDOI
07 Jun 2011
TL;DR: In this paper, the authors proposed a new lightweight block cipher called LBlock, which can achieve enough security margin against known attacks, such as differential cryptanalysis, linear cryptanalysis and related-key attacks.
Abstract: In this paper, we propose a new lightweight block cipher called LBlock. Similar to many other lightweight block ciphers, the block size of LBlock is 64-bit and the key size is 80-bit. Our security evaluation shows that LBlock can achieve enough security margin against known attacks, such as differential cryptanalysis, linear cryptanalysis, impossible differential cryptanalysis and related-key attacks etc. Furthermore, LBlock can be implemented efficiently not only in hardware environments but also in software platforms such as 8-bit microcontroller. Our hardware implementation of LBlock requires about 1320 GE on 0.18 µm technology with a throughput of 200 Kbps at 100 KHz. The software implementation of LBlock on 8-bit microcontroller requires about 3955 clock cycles to encrypt a plaintext block.

446 citations


Posted Content
TL;DR: The security evaluation shows that LBlock can achieve enough security margin against known attacks, such as differential crypt analysis, linear cryptanalysis, impossible differential cryptanalysis and related-key attacks etc.
Abstract: In this paper, we propose a new lightweight block cipher called LBlock. Similar to many other lightweight block ciphers, the block size of LBlock is 64-bit and the key size is 80-bit. Our security evaluation shows that LBlock can achieve enough security margin against known attacks, such as differential cryptanalysis, linear cryptanalysis, impossible differential cryptanalysis and related-key attacks etc. Furthermore, LBlock can be implemented efficiently not only in hardware environments but also in software platforms such as 8-bit microcontroller. Our hardware implementation of LBlock requires about 1320 GE on 0.18 µm technology with a throughput of 200 Kbps at 100 KHz. The software implementation of LBlock on 8-bit microcontroller requires about 3955 clock cycles to encrypt a plaintext block.

348 citations


Book ChapterDOI
28 Sep 2011
TL;DR: Spongent is a family of lightweight hash functions with hash sizes of 88, 128, 160, 224, and 256 bits based on a sponge construction instantiated with a present-type permutation, following the hermetic sponge strategy.
Abstract: This paper proposes spongent - a family of lightweight hash functions with hash sizes of 88 (for preimage resistance only), 128, 160, 224, and 256 bits based on a sponge construction instantiated with a present-type permutation, following the hermetic sponge strategy. Its smallest implementations in ASIC require 738, 1060, 1329, 1728, and 1950 GE, respectively. To our best knowledge, at all security levels attained, it is the hash function with the smallest footprint in hardware published so far, the parameter being highly technology dependent. spongent offers a lot of flexibility in terms of serialization degree and speed. We explore some of its numerous implementation trade-offs. We furthermore present a security analysis of spongent. Basing the design on a present-type primitive provides confidence in its security with respect to the most important attacks. Several dedicated attack approaches are also investigated.

345 citations


Book ChapterDOI
11 Aug 2011
TL;DR: In this paper, the authors proposed a duplex construction, which is closely related to the sponge construction, that accepts message blocks to be hashed and provides digests on the input blocks received so far.
Abstract: This paper proposes a novel construction, called duplex, closely related to the sponge construction, that accepts message blocks to be hashed and---at no extra cost---provides digests on the input blocks received so far. It can be proven equivalent to a cascade of sponge functions and hence inherits its security against single-stage generic attacks. The main application proposed here is an authenticated encryption mode based on the duplex construction. This mode is efficient, namely, enciphering and authenticating together require only a single call to the underlying permutation per block, and is readily usable in, e.g., key wrapping. Furthermore, it is the first mode of this kind to be directly based on a permutation instead of a block cipher and to natively support intermediate tags. The duplex construction can be used to efficiently realize other modes, such as reseedable pseudo-random bit sequence generators and a sponge variant that overwrites part of the state with the input block rather than XORing it in.

313 citations


Book ChapterDOI
26 Jun 2011
TL;DR: A new family of lightweight block ciphers named KLEIN is described, which is designed for resource-constrained devices such as wireless sensors and RFID tags, and has an advantage in software performance on legacy sensor platforms, while its hardware implementation can be compact as well.
Abstract: Resource-efficient cryptographic primitives are essential for realizing both security and efficiency in embedded systems like RFID tags and sensor nodes. Among those primitives, lightweight block ciphers play a major role as building blocks for security protocols. In this paper, we describe a new family of lightweight block ciphers named KLEIN, which is designed for resource-constrained devices such as wireless sensors and RFID tags. Compared to related proposals, KLEIN has an advantage in software performance on legacy sensor platforms, while its hardware implementation can be compact as well.

313 citations


Journal ArticleDOI
TL;DR: A recently introduced masking method which is based on secret sharing and multi-party computation methods is discussed, which results in implementations that are provably resistant against a wide range of attacks, while making only minimal assumptions on the hardware.
Abstract: Hardware implementations of cryptographic algorithms are vulnerable to side-channel attacks. Side-channel attacks that are based on multiple measurements of the same operation can be countered by employing masking techniques. Many protection measures depart from an idealized hardware model that is very expensive to meet with real hardware. In particular, the presence of glitches causes many masking techniques to leak information during the computation of nonlinear functions. We discuss a recently introduced masking method which is based on secret sharing and multi-party computation methods. The approach results in implementations that are provably resistant against a wide range of attacks, while making only minimal assumptions on the hardware. We show how to use this method to derive secure implementations of some nonlinear building blocks for cryptographic algorithms. Finally, we provide a provable secure implementation of the block cipher Noekeon and verify the results by means of low-level simulations.

311 citations


Book ChapterDOI
30 Nov 2011
TL;DR: In this paper, the authors used mixed-integer linear programming (MILP) to prove security bounds against both differential and linear cryptanalysis for Enocoro-128v2.
Abstract: Differential and linear cryptanalysis are two of the most powerful techniques to analyze symmetric-key primitives. For modern ciphers, resistance against these attacks is therefore a mandatory design criterion. In this paper, we propose a novel technique to prove security bounds against both differential and linear cryptanalysis. We use mixed-integer linear programming (MILP), a method that is frequently used in business and economics to solve optimization problems. Our technique significantly reduces the workload of designers and cryptanalysts, because it only involves writing out simple equations that are input into an MILP solver. As very little programming is required, both the time spent on cryptanalysis and the possibility of human errors are greatly reduced. Our method is used to analyze Enocoro-128v2, a stream cipher that consists of 96 rounds. We prove that 38 rounds are sufficient for security against differential cryptanalysis, and 61 rounds for security against linear cryptanalysis. We also illustrate our technique by calculating the number of active S-boxes for AES.

243 citations


BookDOI
01 Jan 2011
TL;DR: In this paper, the authors presented a performance evaluation of Chaotic and Conventional Encryption on Portable and Mobile Platforms and showed that the implementation of chaos-based ciphers can improve the security of optical communication systems.
Abstract: 1. Introduction to Chaos .- 2. Chaos-based Cryptography .- 3. Digitized Chaos for Pseudo-Random Number Generation in Cryptography .- 4. Formation of High-Dimensional Chaotic Maps and Their Uses in Cryptography .- 5. Chaos based hash function .- 6. Chaos-Based Video Encryption Algorithms .- 7. Cryptanalysis of chaotic ciphers .- 8. Lessons learnt from the cryptanalysis of chaos-based ciphers .- 9. Hardware Implementation of chaos based cipher: Design of embedded systems for security applications .- 10. Hardware implementation of chaos-secured optical communication systems .- 11. Performance Evaluation of Chaotic and Conventional Encryption on Portable and Mobile Platforms.

217 citations


Journal ArticleDOI
TL;DR: Results suggest that the proposed image encryption technique is robust and secure and can be used for the secure image and video communication applications.

Book ChapterDOI
13 Feb 2011
TL;DR: This is the first time that a cube attack was shown to be effective against the full version of a well known cipher which resisted all previous attacks.
Abstract: We present a new variant of cube attacks called a dynamic cube attack. Whereas standard cube attacks [4] find the key by solving a system of linear equations in the key bits, the new attack recovers the secret key by exploiting distinguishers obtained from cube testers. Dynamic cube attacks can create lower degree representations of the given cipher, which makes it possible to attack schemes that resist all previously known attacks. In this paper we concentrate on the well-known stream cipher Grain-128 [6], on which the best known key recovery attack [15] can recover only 2 key bits when the number of initialization rounds is decreased from 256 to 213. Our first attack runs in practical time complexity and recovers the full 128-bit key when the number of initialization rounds in Grain-128 is reduced to 207. Our second attack breaks a Grain-128 variant with 250 initialization rounds and is faster than exhaustive search by a factor of about 2^28. Finally, we present an attack on the full version of Grain-128 which can recover the full key but only when it belongs to a large subset of 2^-10 of the possible keys. This attack is faster than exhaustive search over the 2^118 possible keys by a factor of about 2^15. All of our key recovery attacks are the best known so far, and their correctness was experimentally verified rather than extrapolated from smaller variants of the cipher. This is the first time that a cube attack was shown to be effective against the full version of a well known cipher which resisted all previous attacks.

Book ChapterDOI
04 Dec 2011
TL;DR: In this paper, the authors derived preimage security bounds for block cipher based double-block-length, double-call hash functions, such as Abreast-DM, Tandem-DM and Hirose's scheme.
Abstract: We present new techniques for deriving preimage resistance bounds for block cipher based double-block-length, double-call hash functions. We give improved bounds on the preimage security of the three "classical" double-block-length, double-call, block cipher-based compression functions, these being Abreast-DM, Tandem-DM and Hirose's scheme. For Hirose's scheme, we show that an adversary must make at least 2^(2n-5) block cipher queries to achieve chance 0.5 of inverting a randomly chosen point in the range. For Abreast-DM and Tandem-DM we show that at least 2^(2n-10) queries are necessary. These bounds improve upon the previous best bounds of Ω(2^n) queries, and are optimal up to a constant factor since the compression functions in question have range of size 2^(2n).

Book ChapterDOI
28 Sep 2011
TL;DR: In this paper, a circuit model that encompasses sufficient conditions to resist glitch effects is introduced, which allows the first countermeasure thwarting both glitches and HO-SCA attacks.
Abstract: Higher-order side channel attacks (HO-SCA) is a powerful technique against cryptographic implementations and the design of appropriate countermeasures is nowadays an important topic. In parallel, another class of attacks, called glitches attacks, have been investigated which exploit the hardware glitches phenomena occurring during the physical execution of algorithms. We introduce in this paper a circuit model that encompasses sufficient conditions to resist glitches effects. This allows us to construct the first countermeasure thwarting both glitches and HO-SCA attacks. Our new construction requires Secure Multi-Party Computation protocols and we propose to apply the one introduced by Ben'Or et al. at STOC in 1988. The adaptation of the latter protocol to the context of side channel analysis results in a completely new higher-order masking scheme, particularly interesting when addressing resistance in the presence of glitches. An application of our scheme to the AES block cipher is detailed.

Book ChapterDOI
14 Aug 2011
TL;DR: In this paper, the authors describe versatile and powerful algorithms for searching guess-and-determine and meet-in-the-middle attacks on byte-oriented symmetric primitives.
Abstract: In this paper, we describe versatile and powerful algorithms for searching guess-and-determine and meet-in-the-middle attacks on byte-oriented symmetric primitives. To demonstrate the strength of these tools, we show that they allow to automatically discover new attacks on round-reduced AES with very low data complexity, and to find improved attacks on the AES-based MACs Alpha-MAC and Pelican-MAC, and also on the AES-based stream cipher LEX. Finally, the tools can be used in the context of fault attacks. These algorithms exploit the algebraically simple byte-oriented structure of the AES. When the attacks found by the tool are practical, they have been implemented and validated.

Journal ArticleDOI
TL;DR: A new encryption algorithm is proposed, which encrypts the plaintext based on alternant of the stream cipher and block cipher based on pseudo-random number, which can resist differential attacks.
Abstract: In recent years, a growing number of discrete chaotic cryptographic algorithms have been proposed. However, most of them encounter some problems such as the lack of robustness and security. In this paper, a new encryption algorithm is proposed, which encrypts the plaintext based on alternant of the stream cipher and block cipher. A pseudo-random number is used to control which encryption mode is chosen. Using this algorithm, multiple kinds of files (such as TXT, DOC, WMA, and JPEG) are encrypted and decrypted, and the security of the proposed cryptosystem is analyzed. The results show that the security of the cryptosystem is intensified and the proposed algorithm can resist differential attacks.

Book ChapterDOI
13 Feb 2011
TL;DR: This work proposes a multiple differential cryptanalysis on 18-round PRESENT for both 80-bit and 128-bit master keys and studies the data complexity, the time complexity and the success probability of such an attack.
Abstract: Differential cryptanalysis is a well-known statistical attack on block ciphers. We present here a generalisation of this attack called multiple differential cryptanalysis. We study the data complexity, the time complexity and the success probability of such an attack and we experimentally validate our formulas on a reduced version of PRESENT. Finally, we propose a multiple differential cryptanalysis on 18-round PRESENT for both 80-bit and 128-bit master keys.

Book ChapterDOI
11 Aug 2011
TL;DR: The concept of conditional differential cryptanalysis, applied to NLFSR-based cryptosystems at ASIACRYPT 2010, is improved by using automatic tools to find and analyze the involved conditions, and new cryptanalytic results are obtained.
Abstract: The concept of conditional differential cryptanalysis has been applied to NLFSR-based cryptosystems at ASIACRYPT 2010. We improve the technique by using automatic tools to find and analyze the involved conditions. Using these improvements we cryptanalyze the stream cipher Trivium and the KATAN family of lightweight block ciphers. For both ciphers we obtain new cryptanalytic results. For reduced variants of Trivium we obtain a class of weak keys that can be practically distinguished up to 961 of 1152 rounds. For the KATAN family we focus on its security in the related-key scenario and obtain practical key-recovery attacks for 120, 103 and 90 of 254 rounds of KATAN32, KATAN48 and KATAN64, respectively.

Proceedings ArticleDOI
10 Nov 2011
TL;DR: The results of a binary firefly algorithm are compared with those of a Genetic Algorithm (GA) for discovering the plaintext from the ciphertext, and experimental results show that the binary firefly algorithm is capable of finding correct results more efficiently than GA.
Abstract: This paper presents a binary Firefly Algorithm (FA), for cryptanalysis of knapsack cipher algorithm so as to deduce the meaning of an encrypted message (i.e. to determine a plaintext from the cipher text). The implemented algorithm has been characterized, in this paper, by a number of properties and operations that build up and evolve the fireflies' positions. These include light intensity, distances, attractiveness, and position updating, fitness evaluation. The results of the Firefly algorithm are compared with the results shown by Genetic Algorithm (GA), to discover the plaintext from the cipher text. Experimental results show that binary firefly algorithm is capable of finding correct results more efficiently than GA.

Book
16 Nov 2011
TL;DR: This book provides a comparative study of RC4 with other stream ciphers and explains how to reconstruct the secret key from known state information and analyzes the RC4 PRGA in detail, including a sketch of state recovery attacks.
Abstract: RC4 Stream Cipher and Its Variants is the first book to fully cover the popular software stream cipher RC4. With extensive expertise in stream cipher cryptanalysis and RC4 research, the authors focus on the analysis and design issues of RC4. They also explore variants of RC4 and the eSTREAM finalist HC-128. After an introduction to the vast field of cryptology, the book reviews hardware and software stream ciphers and describes RC4. It presents a theoretical analysis of RC4 KSA, discussing biases of the permutation bytes toward secret key bytes and absolute values. The text explains how to reconstruct the secret key from known state information and analyzes the RC4 PRGA in detail, including a sketch of state recovery attacks. The book then describes three popular attacks on RC4: distinguishing attacks, Wired Equivalent Privacy (WEP) protocol attacks, and fault attacks. The authors also compare the advantages and disadvantages of several variants of RC4 and examine stream cipher HC-128, which is the next level of evolution after RC4 in the software stream cipher paradigm. The final chapter emphasizes the safe use of RC4. With open research problems in each chapter, this book offers a complete account of the most current research on RC4. It not only covers the basics of cryptography, but also provides a comparative study of RC4 with other stream ciphers.

Book ChapterDOI
15 May 2011
TL;DR: Why it is often more appropriate to examine the median of the complexity than the average value and how statistical saturation attacks and multi dimensional linear attacks are almost identical are discussed.
Abstract: We discuss complexities of advanced linear attacks. In particular, we argue why it is often more appropriate to examine the median of the complexity than the average value. Moreover, we apply our methods to the block ciphers PUFFIN and PRESENT. For PUFFIN, a 128 bit key cipher, we present an attack which breaks the cipher for at least a quarter of the keys with a complexity less than 2^58. In the case of PRESENT we show that the design is sound. The design criteria are sufficient to ensure the resistance against linear attacks, taking into account the notion of linear hulls. Finally, we show that statistical saturation attacks and multi dimensional linear attacks are almost identical.

Posted Content
TL;DR: This short paper considers the concept of Multiplicative Complexity, a new important notion of complexity introduced in 2008 by Boyar and Peralta and applied to interesting optimizations for the S-box of the AES cipher, and reports on results on PRESENT and GOST, two block ciphers known for their exceptionally low hardware cost.
Abstract: One of the hardest problems in computer science is the problem of gate-efficient implementation. Such optimizations are particularly important in industrial hardware implementations of standard cryptographic algorithms. In this paper we focus on optimizing some small circuits such as S-boxes in cryptographic algorithms. We consider the notion of Multiplicative Complexity, a new important notion of complexity introduced in 2008 by Boyar and Peralta and applied to find interesting optimizations for the S-box of the AES cipher (13,16,15). We applied this methodology to produce a compact implementation of several ciphers. In this short paper we report our results on PRESENT and GOST, two block ciphers known for their exceptionally low hardware cost. This kind of representation seems to be very promising in implementations aiming at preventing side channel attacks on cryptographic chips such as DPA. More importantly, we postulate that this kind of minimality is also an important and interesting tool in cryptanalysis.

Book ChapterDOI
10 Dec 2011
TL;DR: The proposed cipher would be the most efficient at EPC encryption, since for other ciphers such as AES and PRESENT, it is necessary to encrypt 128-bit blocks (which results in a 33% overhead being incurred); the efficiency of the proposal leads to huge market implications.
Abstract: In this paper, we present EPCBC, a lightweight cipher that has 96-bit key size and 48-bit/96-bit block size. This is suitable for Electronic Product Code (EPC) encryption, which uses low-cost passive RFID-tags and exactly 96 bits as a unique identifier on the item level. EPCBC is based on a generalized PRESENT with block size 48 and 96 bits for the main cipher structure and customized key schedule design which provides strong protection against related-key differential attacks, a recent class of powerful attacks on AES. Related-key attacks are especially relevant when a block cipher is used as a hash function. In the course of proving the security of EPCBC, we could leverage on the extensive security analyses of PRESENT, but we also obtain new results on the differential and linear cryptanalysis bounds for the generalized PRESENT when the block size is less than 64 bits, and much tighter bounds otherwise. Further, we analyze the resistance of EPCBC against integral cryptanalysis, statistical saturation attack, slide attack, algebraic attack and the latest higher-order differential cryptanalysis from FSE 2011 [11]. Our proposed cipher would be the most efficient at EPC encryption, since for other ciphers such as AES and PRESENT, it is necessary to encrypt 128-bit blocks (which results in a 33% overhead being incurred). The efficiency of our proposal therefore leads to huge market implications. Another contribution is an optimized implementation of PRESENT that is smaller and faster than previously published results.

Journal ArticleDOI
TL;DR: This paper proposes a criterion to analyze the prevailing S-boxes and study their strengths and weaknesses in order to determine their suitability in image encryption applications and uses the results from correlation analysis, entropy analysis, contrast analysis, homogeneity analysis, energy analysis, and mean of absolute deviation analysis.
Abstract: The S-box is used in various block ciphers and the complexity of encryption essentially depends on the strength of S-box. The strength of an S-box can be measured by analyzing its statistical and algebraic properties. The S-box is the only non-linear component in various block ciphers capable of creating confusion. Many S-boxes have been proposed with similar algebraic and statistical properties. Therefore, it is sometimes difficult to choose an S-box for a particular application. The performances of these S-boxes vary and depend on the nature of data and their application. In this paper, we propose a criterion to analyze the prevailing S-boxes and study their strengths and weaknesses in order to determine their suitability in image encryption applications. The proposed criterion uses the results from correlation analysis, entropy analysis, contrast analysis, homogeneity analysis, energy analysis, and mean of absolute deviation analysis. These analyses are applied to advanced encryption standard (AES), affine-power-affine (APA), gray, Lui J, residue prime, S 8 AES, SKIPJACK, and Xyi Sboxes. The results of these analyses are further examined and a majority logic criterion is used to determine the appropriateness of an S-box to image encryption applications.

Book ChapterDOI
11 Aug 2011
TL;DR: A natural, but non-tight, reductionist security proof for deterministic message authentication code (MAC) schemes in the multi-user setting is examined, finding deficiencies in the security assurances provided by non-tight proofs including ones for network authentication and aggregate MACs.
Abstract: We examine a natural, but non-tight, reductionist security proof for deterministic message authentication code (MAC) schemes in the multi-user setting. If security parameters for the MAC scheme are selected without accounting for the non-tightness in the reduction, then the MAC scheme is shown to provide a level of security that is less than desirable in the multi-user setting. We find similar deficiencies in the security assurances provided by non-tight proofs when we analyze some protocols in the literature including ones for network authentication and aggregate MACs. Our observations call into question the practical value of non-tight reductionist security proofs. We also exhibit attacks on authenticated encryption schemes, disk encryption schemes, and stream ciphers in the multi-user setting.

Journal ArticleDOI
Sean Murphy
TL;DR: The boomerang analysis can commonly give probability values that are highly inaccurate, so any complexity estimates for the security of a block cipher based on the boomerang or rectangle analysis must be viewed extremely sceptically.
Abstract: The boomerang analysis, together with its offspring the amplified boomerang analysis and the rectangle analysis, are techniques that are widely used in the analysis of block ciphers. Realistic examples are given which demonstrate that the boomerang analysis can commonly give probability values that are highly inaccurate. Thus, any complexity estimates for the security of a block cipher based on the boomerang or rectangle analysis must be viewed extremely sceptically.

Book ChapterDOI
04 Dec 2011
TL;DR: This work introduces a new non-random property for hash/compression functions using the theory of higher order differentials and shows a second-order differential collision for the compression function of SHA-256 reduced to 47 out of 64 steps with practical complexity.
Abstract: In this work, we introduce a new non-random property for hash/compression functions using the theory of higher order differentials. Based on this, we show a second-order differential collision for the compression function of SHA-256 reduced to 47 out of 64 steps with practical complexity. We have implemented the attack and provide an example. Our results suggest that the security margin of SHA-256 is much lower than the security margin of most of the SHA-3 finalists in this setting. The techniques employed in this attack are based on a rectangle/boomerang approach and cover advanced search algorithms for good characteristics and message modification techniques. Our analysis also exposes flaws in all of the previously published related-key rectangle attacks on the SHACAL-2 block cipher, which is based on SHA-256. We provide valid rectangles for 48 steps of SHACAL-2.

Book ChapterDOI
11 Jul 2011
TL;DR: In this paper, the authors present an extension of the meet-in-the-middle (MITM) attack on block ciphers and further improve the time complexity of previous attacks.
Abstract: This paper presents ongoing work towards extensions of meet-in-the-middle (MITM) attacks on block ciphers, exploring developments in MITM attacks in hash analysis such as: (i) the splice-and-cut technique; (ii) the indirect-partial-matching technique. Our first contribution is that we show corrections to previous cryptanalysis and point out that the key schedule is more vulnerable to MITM attacks than previously reported. Secondly, we further improve the time complexities of previous attacks with (i) and (ii); now the 80-bit secret key of the full-round KTANTAN-{32,48,64} can be recovered at time complexity of 2^72.9, 2^73.8 and 2^74.4 respectively, each requiring 4 chosen plaintexts.

Posted Content
TL;DR: A new fixed point property is introduced and a better way to attack 8-round GOST in order to find improved attacks on full GOST, which can be reduced from an impractical 2^64 to a practical 2^36 without changing the 2^224 time complexity.
Abstract: GOST is a well known block cipher which was developed in the Soviet Union during the 1970s as an alternative to the US-developed DES. In spite of considerable cryptanalytic effort, until very recently there were no published single key attacks against its full 32-round version which were faster than the 2 time complexity of exhaustive search. In February 2011, Isobe used in a novel way the previously discovered reflection property in order to develop the first such attack, which requires 2 data, 2 memory and 2 time. Shortly afterwards, Courtois and Misztal used a different technique to attack the full GOST using 2 data, 2 memory and 2 time. In this paper we introduce a new fixed point property and a better way to attack 8-round GOST in order to find improved attacks on full GOST: Given 2 data we can reduce the memory complexity from an impractical 2 to a practical 2 without changing the 2 time complexity, and given 2 data we can simultaneously reduce the time complexity to 2 and the memory complexity to 2.

01 Apr 2011
TL;DR: This document specifies a set of cipher suites for the Transport Layer Security (TLS) protocol to support the ARIA encryption algorithm as a block cipher.
Abstract: This document specifies a set of cipher suites for the Transport Layer Security (TLS) protocol to support the ARIA encryption algorithm as a block cipher. This document is not an Internet Standards Track specification; it is published for informational purposes.