Round function

About: Round function is a research topic. Over the lifetime, 203 publications have been published within this topic receiving 2794 citations.


Papers
Journal Article
TL;DR: This paper considers the security of Feistel networks where the round functions are chosen at random from a family of 2^k randomly chosen functions for any k, and finds that some constructions which have been proved super pseudorandom in the model of Luby and Rackoff do not seem to offer more security in this model than constructions which are not super pseudorandom.
Abstract: This paper considers the security of Feistel networks where the round functions are chosen at random from a family of 2^k randomly chosen functions for any k. Also considered are the networks where the round functions are themselves permutations, since these have applications in practice. The constructions are attacked under the assumption that a key-recovery attack on one round function itself requires an exhaustive search over all 2^k possible functions. Attacks are given on all three-, four-, five-, and six-round Feistel constructions and interesting bounds on their security level are obtained. In a chosen text scenario the key recovery attacks on the four-round constructions, the analogue to the super pseudorandom permutations in the Luby and Rackoff model, take roughly only the time of an exhaustive search for the key of one round. A side result of the presented attacks is that some constructions, which have been proved super pseudorandom in the model of Luby and Rackoff, do not seem to offer more security in our model than constructions which are not super pseudorandom.

41 citations

Book Chapter
23 Mar 1998
TL;DR: This paper proposes a new higher order differential attack that replaces the exhaustive search for the last round key used by Jakobsen and Knudsen at FSE'97 with the solution of a linear system of equations, and demonstrates it on a CAST cipher reduced to 5 rounds.
Abstract: This paper proposes a new higher order differential attack. The higher order differential attack proposed at FSE'97 by Jakobsen and Knudsen used exhaustive search for recovering the last round key. Our new attack improves the complexity to the cost of solving a linear system of equations. As an example we show the higher order differential attack of a CAST cipher with 5 rounds. The required number of chosen plaintexts is 2^17 and the required complexity is less than 2^25 times the computation of the round function. Our experimental results show that the last round key of the CAST cipher with 5 rounds can be recovered in less than 15 seconds on an UltraSPARC station.

39 citations

Book Chapter
14 Aug 2016
TL;DR: It is proved that 5 rounds of AES-like SPN ciphers can always be distinguished from random permutations even when the difference of the sub-keys is unknown, and it is shown that, in the chosen-ciphertext mode, there exist some nontrivial distinguishers for 5-round AES.
Abstract: It has been proved at Eurocrypt 2016 by Sun et al. that if the details of the S-boxes are not exploited, an impossible differential and a zero-correlation linear hull can extend over at most 4 rounds of the AES. This paper concentrates on distinguishing properties of AES-like SPN ciphers by investigating the details of both the underlying S-boxes and the MDS matrices, and illustrates some new insights on the security of these schemes. Firstly, we construct several types of 5-round zero-correlation linear hulls for AES-like ciphers that adopt identical S-boxes to construct the round function and that have two identical elements in a column of the inverse of their MDS matrices. We then use these linear hulls to construct 5-round integrals provided that the difference of two sub-key bytes is known. Furthermore, we prove that we can always distinguish 5 rounds of such ciphers from random permutations even when the difference of the sub-keys is unknown. Secondly, the constraints for the S-boxes and special property of the MDS matrices can be removed if the cipher is used as a building block of the Miyaguchi-Preneel hash function. As an example, we construct two types of 5-round distinguishers for the hash function Whirlpool. Finally, we show that, in the chosen-ciphertext mode, there exist some nontrivial distinguishers for 5-round AES. To the best of our knowledge, this is the longest distinguisher for the round-reduced AES in the secret-key setting. Since the 5-round distinguisher for the AES can only be constructed in the chosen-ciphertext mode, the security margin for the round-reduced AES under the chosen-plaintext attack may be different from that under the chosen-ciphertext attack.

39 citations

Journal Article
TL;DR: In this article, the cycle length of the AES S-box combined with the ShiftRow and MixColumn transformation is shown to be at least 10^205, even though the cycle lengths of the individual components of the round function are very small.
Abstract: While it is known previously that the cycle lengths of individual components of the AES round function are very small, we demonstrate here that the cycle length of the S-box combined with the ShiftRow and MixColumn transformation is at least 10^205. This result is obtained by providing new invariances of the complete AES round function without the key addition. Furthermore, we consider self-duality properties of the AES round function and derive a property analogous to the complementation property of the DES round function. These results confirm the assessments given in other publications that the AES components have several unexpected structural properties.

35 citations

Book Chapter
24 Mar 1999
TL;DR: This paper deals with truncated differential cryptanalysis of the 128-bit block cipher E2, which is an AES candidate designed and submitted by NTT and shows a non-trivial seven round byte characteristic, which leads to a possible attack of E2 reduced to eight rounds without IT and FT by a chosen plaintext scenario.
Abstract: This paper deals with truncated differential cryptanalysis of the 128-bit block cipher E2, which is an AES candidate designed and submitted by NTT. Our analysis is based on byte characteristics, where a difference of two bytes is simply encoded into one bit of information, "0" (the same) or "1" (not the same). Since E2 is a strongly byte-oriented algorithm, this bytewise treatment of characteristics greatly simplifies a description of its probabilistic behavior and enables an analysis independent of the structure of its (unique) lookup table. As a result, we show a non-trivial seven round byte characteristic, which leads to a possible attack of E2 reduced to eight rounds without IT and FT in a chosen plaintext scenario. We also show that by a minor modification of the byte order of the output of the round function, which neither reduces the complexity of the algorithm nor violates its design criteria at all, a non-trivial nine round byte characteristic can be established, which results in a possible attack of the modified E2 reduced to ten rounds without IT and FT, and reduced to nine rounds with IT and FT. Our analysis does not have a serious impact on the full E2, since it has twelve rounds with IT and FT; however, our results show that the security level of the modified version against differential cryptanalysis is lower than the designers' estimation.

35 citations

Network Information
Related Topics (5)
Cryptography: 37.3K papers, 854.5K citations, 87% related
Public-key cryptography: 27.2K papers, 547.7K citations, 87% related
Cryptographic protocol: 11.7K papers, 268.8K citations, 84% related
Encryption: 98.3K papers, 1.4M citations, 83% related
Hash function: 31.5K papers, 538.5K citations, 81% related
Performance metrics
No. of papers in the topic in previous years
Year   Papers
2021   6
2020   15
2019   11
2018   16
2017   8
2016   14