Scispace (Formerly Typeset)
Showing papers presented at "Fast Software Encryption in 1993"
Book Chapter•10.1007/3-540-58108-1_24•
Description of a New Variable-Length Key, 64-bit Block Cipher (Blowfish)

[...]

Bruce Schneier
9 Dec 1993
TL;DR: Blowfish, a new secret-key block cipher, is proposed, a Feistel network, iterating a simple encryption function 16 times, which is very efficient on large microprocessors.
Abstract: Blowfish, a new secret-key block cipher, is proposed. It is a Feistel network, iterating a simple encryption function 16 times. The block size is 64 bits, and the key can be any length up to 448 bits. Although there is a complex initialization phase required before any encryption can take place, the actual encryption of data is very efficient on large microprocessors.

984 citations

Book Chapter•10.1007/3-540-58108-1_1•
SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm

[...]

James L. Massey1•
École Polytechnique Fédérale de Lausanne1
9 Dec 1993
TL;DR: A new non-proprietary secret-key block-enciphering algorithm, SAFER K-64 (for Secure And Fast Encryption Routine with a Key of length 64 bits) is described, which uses an unorthodox linear transform to achieve the desired “diffusion” of small changes in the plaintext or the key over the resulting ciphertext.
Abstract: A new non-proprietary secret-key block-enciphering algorithm, SAFER K-64 (for Secure And Fast Encryption Routine with a Key of length 64 bits) is described. The blocklength is 64 bits (8 bytes) and only byte operations are used in the processes of encryption and decryption. New cryptographic features in SAFER K-64 include the use of an unorthodox linear transform, called the Pseudo-Hadamard Transform, to achieve the desired “diffusion” of small changes in the plaintext or the key over the resulting ciphertext and the use of additive key biases to eliminate the possibility of “weak keys”. The design principles of K-64 are explained and a program is given, together with examples, to define the encryption algorithm precisely.

210 citations

Book Chapter•10.1007/3-540-58108-1_21•
2-Adic Shift Registers

[...]

Andrew Klapper1, Mark Goresky2•
University of Kentucky1, Northeastern University2
9 Dec 1993
TL;DR: An algebraic framework is described, based on algebra over the 2-adic numbers, in which the sequences generated by FCSRs can be analyzed, in much the same way that algebra over finite fields can be used to analyze LFSR sequences.
Abstract: Pseudorandom sequences, with a variety of statistical properties (such as high linear span, low autocorrelation and pairwise cross-correlation values, and high pairwise Hamming distance) are important in many areas of communications and computing (such as cryptography, spread spectrum communications, error correcting codes, and Monte Carlo integration). Binary sequences, such as m-sequences, more general nonlinear feedback shift register sequences, and summation combiner sequences, have been widely studied by many researchers. Linear feedback shift register hardware can be used to relate certain of these sequences (such as m-sequences) to error correcting codes (such as first order Reed-Muller codes). In this paper a new type of feedback register, feedback with carry shift registers (or FCSRs), will be presented. These relatively simple devices can be used to relate summation combiner sequences, arithmetic codes, and 1/q sequences. We describe an algebraic framework, based on algebra over the 2-adic numbers, in which the sequences generated by FCSRs can be analyzed, in much the same way that algebra over finite fields can be used to analyze LFSR sequences. As a consequence of this analysis, we present a method for cracking the summation combiner [9] which has been suggested for generating cryptographically secure binary sequences. In general, one must consider this "2-adic span" as a measure of security along with ordinary linear span. At the same time, FCSRs are a new, general, and therefore exciting, mechanism for generating sequences with enough structure for analysis. Many of the methods of nonlinearization that have been applied to linear feedback shift registers (LFSRs) can be applied to FCSRs, and some of these possibilities are described here. Hopefully, they will result in sequences with greater cryptologic security. The many threads that are brought together by our analysis have analogues in the theory of LFSRs.
In an LFSR, certain register cells are "tapped", their contents are added modulo 2 (using exclusive OR gates) and the sum is returned to the first cell of the shift register. Any periodic binary sequence may be realized as the output sequence from some LFSR with appropriate taps. Recall some of the well known concepts and consequences which are derived from this point of view.

151 citations

Book Chapter•10.1007/3-540-58108-1_8•
A software-optimized encryption algorithm

[...]

Phillip Rogaway1, Don Coppersmith1•
IBM1
9 Dec 1993
TL;DR: In this article, the authors describe a fast, software-oriented, encryption algorithm that uses pseudorandom functions under control of a key (first pre-processed into an internal table) and can be used as a one-time pad.
Abstract: We describe a fast, software-oriented, encryption algorithm. Computational cost on a 32-bit processor is about 5 elementary machine instructions per byte of text. The cipher is a pseudorandom function; under control of a key (first pre-processed into an internal table) it stretches a short index into a much longer pseudorandom string. This string can be used as a one-time pad.

95 citations

Book Chapter•10.1007/3-540-58108-1_26•
Practically Secure Feistel Cyphers

[...]

Lars R. Knudsen
9 Dec 1993
TL;DR: This paper introduces a new concept, practical security against linear and differential attacks on Feistel ciphers, and gives examples of such Feistels resistant to differential attacks, linear attacks and other attacks.
Abstract: In this paper we give necessary design principles to be used when constructing secure Feistel ciphers. We introduce a new concept, practical security against linear and differential attacks on Feistel ciphers. We give examples of such Feistel ciphers (practically) resistant to differential attacks, linear attacks and other attacks.

91 citations

Book Chapter•10.1007/3-540-58108-1_2•
A New Approach to Block Cipher Design

[...]

Joan Daemen1, René Govaerts1, Joos Vandewalle1•
Katholieke Universiteit Leuven1
9 Dec 1993
TL;DR: The cryptographic finite state machine approach as introduced in [1] to the design of symmetric key block ciphers is applied and 3-Way is shown to be surprisingly strong with respect to both linear and differential cryptanalysis.
Abstract: In this paper we apply the cryptographic finite state machine approach as introduced in [1] to the design of symmetric key block ciphers. Key words in the design approach are simplicity, uniformity, parallelism, distributed nonlinearity and high diffusion. 3-Way is a block cipher with a block and key length of 96 bits. Key components in the construction of 3-Way are a 3-bit nonlinear S-box and a linear mapping that can be described by modular polynomial multiplication in ℤ_2^12. The arrangement of the components allows software implementations in the range of 10 Mbit/s on a modern PC and dedicated hardware implementations above 1 Gbit/s using standard technology (1.2μ CMOS). The cipher structure of 3-Way is shown to be surprisingly strong with respect to both linear and differential cryptanalysis.

77 citations

Book Chapter•10.1007/3-540-58108-1_16•
A Bulk Data Encription Algorithm

[...]

David Wheeler1•
University of Cambridge1
9 Dec 1993
TL;DR: A fast software encryption algorithm is described, which is a word based algorithm with a running key, although a key dependent table has to be constructed for each new key.
Abstract: A fast software encryption algorithm is described. The computation cost is about 20 simple machine code instructions per word, although a key dependent table has to be constructed for each new key. Table construction time is some hundreds of word encryption times. It is a word based algorithm with a running key.

57 citations

Proceedings Article•
A Software-Optimised Encryption Algorithm

[...]

Phillip Rogaway, Don Coppersmith
9 Dec 1993
TL;DR: A fast, software-oriented, encryption algorithm that stretches a short index into a much longer pseudorandom string that can be used as a one-time pad.
Abstract: We describe a fast, software-oriented, encryption algorithm. Computational cost on a 32-bit processor is about 5 elementary machine instructions per byte of text. The cipher is a pseudorandom function; under control of a key (first pre-processed into an internal table) it stretches a short index into a much longer pseudorandom string. This string can be used as a one-time pad.

48 citations

Book Chapter•10.1007/3-540-58108-1_12•
On the Security of Shift Register Based Keystream Generators

[...]

Jovan Dj. Golic1,2•
University of Belgrade1, Queensland University of Technology2
9 Dec 1993
TL;DR: Security against divide and conquer correlation attacks of binary keystream generators based on regularly or irregularly clocked shift registers combined by a function with or without memory is discussed.
Abstract: Security against divide and conquer correlation attacks of binary keystream generators based on regularly or irregularly clocked shift registers combined by a function with or without memory is discussed. A comprehensive survey of the results published in the literature is presented, some new concepts are introduced, and many open problems are pointed out.

43 citations

Book Chapter•10.1007/3-540-58108-1_13•
The Differential Cryptanalysis and Design of Natural Stream Ciphers

[...]

Cunsheng Ding
9 Dec 1993
TL;DR: The differential cryptanalysis of additive stream ciphers, which are nonlinear filtered sequences driven by a counter rather than by a shift register, is introduced and its theoretical basis is developed.
Abstract: This paper introduces the differential cryptanalysis of additive stream ciphers, and develops its theoretical basis. The relationships between differential and other types of stream cipher analysis are presented. The conservation laws of patterns and of mutual information are derived. The cryptographic significance of pattern distribution of keystream sequences is shown. The cryptographic transformation densities are introduced, and their relations with other cryptographic factors are summarized. This work is illustrated by reference to the design and security of additive natural stream ciphers, which are nonlinear filtered sequences driven by a counter rather than by a shift register.

42 citations

Book Chapter•10.1007/3-540-58108-1_18•
Parallel FFT-Hashing

[...]

Claus-Peter Schnorr, Serge Vaudenay1•
École Normale Supérieure1
9 Dec 1993
TL;DR: Two families of scalable hash functions for collision-resistant hashing that are highly parallel and based on the generalized fast Fourier transform (FFT) are proposed.
Abstract: We propose two families of scalable hash functions for collision-resistant hashing that are highly parallel and based on the generalized fast Fourier transform (FFT). FFT-hashing is based on multipermutations. This is a basic cryptographic primitive for perfect generation of diffusion and confusion which generalizes the boxes of the classic FFT. The slower FFT-hash functions iterate a compression function. For the faster FFT-hash functions all rounds are alike with the same number of message words entering each round.
Book Chapter•10.1007/3-540-58108-1_11•
Performance of Symmetric Ciphers and One-Way Hash Functions

[...]

Michael Roe1•
University of Cambridge1
9 Dec 1993
TL;DR: The objective of this paper is to provide some concrete information on performance in order that an algorithm with a suitable combination of both security and performance may be chosen.
Abstract: An alarmingly large number of different cryptosystems have been proposed for use with Internet Privacy Enhanced Mail [1]. These include the hash functions MD-n (for various values of n) and a combinatorial explosion of new DES modes. The criteria for choosing which algorithm is most suitable for a particular application include vulnerability to attacks, performance, and availability of hardware implementations. There is already extensive literature on vulnerabilities. The objective of this paper is to provide some concrete information on performance, in order that an algorithm with a suitable combination of both security and performance may be chosen.
Book Chapter•10.1007/3-540-58108-1_5•
The Shrinking Generator: Some Practical Considerations

[...]

Hugo Krawczyk1•
IBM1
9 Dec 1993
TL;DR: The Shrinking Generator, presented at Crypto'93, is a LFSR-based pseudorandom generator suitable for the implementation of additive stream ciphers and has attractive security properties.
Abstract: The Shrinking Generator, presented at Crypto'93, is a LFSR-based pseudorandom generator suitable for the implementation of additive stream ciphers. It is particularly simple and has attractive security properties. (The reader is referred to [1] for the definition of the generator and its properties). Although the algorithm was originally intended for hardware implementation, here we will focus on some initial results of an experimental software implementation and other practical considerations.
Book Chapter•10.1007/3-540-58108-1_4•
Fish: A Fast Software Stream Cipher

[...]

Uwe Blöcher1, Markus Dichtl1•
Siemens1
9 Dec 1993
TL;DR: A fast software stream cipher called Fish based on the shrinking principle applied to the lagged Fibonacci generator (Fish — fibonacci shrinking) is described, designed to make full use of the 32 bit word length of popular processors.
Abstract: This paper describes a fast software stream cipher called Fish based on the shrinking principle applied to the lagged Fibonacci generator (Fish — Fibonacci shrinking). It is designed to make full use of the 32 bit word length of popular processors. On an Intel 486 clocked with 33 MHz a data rate of 15 Mbit/s is achieved with a C implementation.
Book Chapter•10.1007/3-540-58108-1_22•
New Bent Mappings Suitable for Fast Implementation

[...]

Kaisa Nyberg
9 Dec 1993
TL;DR: The purpose of the present work is to give nontrivial examples of Carlet's bent functions and construct new perfect nonlinear mappings admitting fast implementation.
Abstract: The perfect nonlinear mappings and their implementations studied in [4] were based on the Maiorana-McFarland construction of bent functions. Recently Carlet [1] presented two modifications of the Maiorana-McFarland construction and obtained two new classes of bent functions. The purpose of the present work is to give nontrivial examples of Carlet's bent functions and construct new perfect nonlinear mappings admitting fast implementation.
Book Chapter•10.1007/3-540-58108-1_3•
Fast Block Cipher Proposal

[...]

Burton S. Kaliski, Matthew John Barton Robshaw
9 Dec 1993
Book Chapter•10.1007/3-540-58108-1_10•
Design Principles for Dedicated Hash Functions

[...]

Bart Preneel1•
Katholieke Universiteit Leuven1
9 Dec 1993
TL;DR: The design principles of dedicated hash functions, a practical alternative for hash functions based on another cryptographic primitive like a block cipher or modular squaring, are discussed.
Abstract: Dedicated hash functions are cryptographically secure compression functions which are designed specifically for hashing. They intend to form a practical alternative for hash functions based on another cryptographic primitive like a block cipher or modular squaring. About a dozen of dedicated hash functions have been proposed in the literature. This paper discusses the design principles on which these hash functions are based.
Book Chapter•10.1007/3-540-58108-1_25•
VINO: A Block Cipher Including Variable Permutations

[...]

Adina di Porto1, William Wolfowicz1•
Fondazione Ugo Bordoni1
9 Dec 1993
Book Chapter•10.1007/3-540-58108-1_23•
Cryptographic Pseudorandom Numbers in Simulation

[...]

Nick Maclaren1•
University of Cambridge1
9 Dec 1993
TL;DR: This paper will describe some of the requirements for a good generator for statistical simulations, and attempt to put them into cryptological terms.
Abstract: A fruitful source of confusion on the Internet is that both cryptologists and statisticians use pseudo-random numbers, but their objectives and constraints are subtly different. This paper will describe some of the requirements for a good generator for statistical simulations, and attempt to put them into cryptological terms.
Book Chapter•10.1007/3-540-58108-1_7•
Two Stream Ciphers

[...]

William G. Chambers1•
King's College London1
9 Dec 1993
Book Chapter•10.1007/3-540-58108-1_17•
On Finite Automaton One-Key Cryptosystems

[...]

Ren-ji Tao1•
Academia Sinica1
9 Dec 1993
TL;DR: This paper reviews some works on finite automaton one-key cryptosystems and related topics such as autonomous finite automata and Latin arrays.
Abstract: This paper reviews some works on finite automaton one-key cryptosystems and related topics such as autonomous finite automata and Latin arrays.
Book Chapter•10.1007/3-540-58108-1_19•
Attacks on Double Block Length Hash Functions

[...]

Xuejia Lai, Lars R. Knudsen1•
Aarhus University1
9 Dec 1993
TL;DR: A general free-start attack, in which the attacker is free to choose the initial value, and a real attack on a large class of hash functions, both of which are presented.
Abstract: Attacks on double block length hash functions using a block cipher are considered in this paper. We present a general free-start attack, in which the attacker is free to choose the initial value, and a real attack on a large class of hash functions. Recent results on the complexities of attacks on double block hash functions are summarized.
Book Chapter•10.1007/3-540-58108-1_15•
Cryptanalysis of Clock Controlled Shift Registers

[...]

Dieter Gollmann1•
University of London1
9 Dec 1993
TL;DR: This contribution attempts to give a survey of the techniques published so far for 'practical' cryptanalysis and to put forward open questions and challenges for further work in this area.
Abstract: Clock control is one of the mechanisms employed to introduce non-linearity into key stream generators built from linear feedback shift registers. The earliest devices were built from stop-and-go registers while the most recent example, the Shrinking Generator proposed in [2], has an irregular clocking scheme where the number of steps between successive outputs is linked to the length of zero-runs in the clocking sequence. Clock controlled shift registers can also be regarded as generalized rotor machines. Thus cascades of clock controlled shift registers can be viewed as the successors of mechanical rotor machines. There is a sufficient body of knowledge to derive analytical results on the period, linear complexity, and statistical properties of such devices [4]. In comparison, little has been published on algorithms for 'practical' cryptanalysis. This contribution attempts to give a survey of the techniques published so far and to put forward open questions and challenges for further work in this area. The presentation will try to convey the main features of the different techniques without going into too much technical detail. The reader will find more information in the references quoted but will notice a general lack of empirical data on the practical efficiency of these methods.
Book Chapter•10.1007/3-540-58108-1_6•
A Modern Rotor Machine

[...]

Ross Anderson1•
University of Cambridge1
9 Dec 1993
TL;DR: This article proposes a different combination, which appears to be the simplest yet; it consists of an Enigma-type rotor machine, in which three wired rotors which each implement a random permutation on 256 symbols are turned by a linear feedback shift register.
Abstract: The cryptologic literature contains a lot of material on both shift register and rotor machine systems. It is natural to wonder whether these two types of mechanism can be combined in one robust design. During the 1980's, research in clock-controlled shift registers was inspired by rotor machines of the Hagelin type [G1], and a t-shirt appeared at a Crypto conference with a design consisting of a shift register and five rotors [D]. More recently, one writer proposed to filter three linear generators A, B, and C with two permutations σ and ρ in order to get a keystream K = A + σ(B + ρC) [F]; and a rump session paper at Eurocrypt this year showed that if a shift register sequence is filtered through a permutation which acts on m-bit symbols, then a correlation attack will need m times as many bits as before [B1]. In this article, we propose a different combination, which appears to be the simplest yet; it consists of an Enigma-type rotor machine (without the Umkehrwalze), in which three wired rotors which each implement a random permutation on 256 symbols are turned by a linear feedback shift register. It is straightforward to implement and fairly fast; yet, provided the rotors are kept secret, and the shift register is too long for its state to be guessed, it appears to resist all known attacks.
Book Chapter•10.1007/3-540-58108-1_9•
Encrypting Network Traffic

[...]

T. Mark A. Lomas1•
University of Cambridge1
9 Dec 1993
TL;DR: This document explains why most of the computers in use within the Computer Laboratory here in Cambridge transmit users' passwords unencrypted so that they may be read by anybody who cares to monitor network transmissions.
Abstract: There are several possible explanations. Many people are unaware of the potential benefits of encrypting messages before transmission. Alternatively they may not be aware how insecure their computers are; for example most of the computers in use within the Computer Laboratory here in Cambridge transmit users' passwords unencrypted so that they may be read by anybody who cares to monitor network transmissions; this is typical of many if not most computer networks. Another possibility is that the cost of encrypting network traffic is considered too high for the potential benefits.
Book Chapter•10.1007/3-540-58108-1_14•
On Modes of Operation

[...]

Eli Biham1•
Technion – Israel Institute of Technology1
9 Dec 1993
TL;DR: This study shows that attempts to complicate the modes of operation weaken the resultant modes, and concludes that operation modes should be designed around the underlying cryptosystem without any attempt to use intermediate data as feedback, or to mix the feedback into an intermediate round.
Abstract: In this paper we study the modes of operation in which a cryptosystem, and in particular DES, can be used. This study shows that attempts to complicate the modes of operation weaken (in many cases) the resultant modes. We conclude that operation modes should be designed around the underlying cryptosystem without any attempt to use intermediate data as feedback, or to mix the feedback into an intermediate round. Thus, in particular, triple-DES used in CBC mode is more secure than a single-DES used in triple-CBC mode. Alternatively, if several encryptions are applied to each block, the best choice is to concatenate them to one long encryption, and build the mode of operation around it.