TL;DR: A new 128-bit block cipher called Square, designed for resistance against differential and linear cryptanalysis, is published for public scrutiny.
Abstract: In this paper we present a new 128-bit block cipher called Square. The original design of Square concentrates on the resistance against differential and linear cryptanalysis. However, after the initial design a dedicated attack was mounted that forced us to augment the number of rounds. The goal of this paper is the publication of the resulting cipher for public scrutiny. A C implementation of Square is available that runs at 2.63 MByte/s on a 100 MHz Pentium. Our M68HC05 Smart Card implementation fits in 547 bytes and takes less than 2 msec. (4 MHz Clock). The high degree of parallelism allows hardware implementations in the Gbit/s range today.
TL;DR: This work presents a new mode of encryption for block ciphers that has the interesting defining property that one must decrypt the entire ciphertext before one can determine even one message block, which means that brute-force searches against all-or-nothing encryption are slowed down by a factor equal to the number of blocks in the ciphertext.
Abstract: We present a new mode of encryption for block ciphers, which we call all-or-nothing encryption. This mode has the interesting defining property that one must decrypt the entire ciphertext before one can determine even one message block. This means that brute-force searches against all-or-nothing encryption are slowed down by a factor equal to the number of blocks in the ciphertext. We give a specific way of implementing all-or-nothing encryption using a “package transform” as a pre-processing step to an ordinary encryption mode. A package transform followed by ordinary codebook encryption also has the interesting property that it is very efficiently implemented in parallel. All-or-nothing encryption can also provide protection against chosen-plaintext and related-message attacks.
TL;DR: The software implementation of MISTY1 with eight rounds can encrypt a data stream in CBC mode at a speed of 20Mbps and 40Mbps on Pentium/100MHz and PA-7200/120MHz, respectively.
Abstract: We propose secret-key cryptosystems MISTY1 and MISTY2, which are block ciphers with a 128-bit key, a 64-bit block and a variable number of rounds. MISTY is a generic name for MISTY1 and MISTY2. They are designed on the basis of the theory of provable security against differential and linear cryptanalysis, and moreover they realize high speed encryption on hardware platforms as well as on software environments. Our software implementation shows that MISTY1 with eight rounds can encrypt a data stream in CBC mode at a speed of 20Mbps and 40Mbps on Pentium/100MHz and PA-7200/120MHz, respectively. For its hardware performance, we have produced a prototype LSI by a process of 0.5μ CMOS gate-array and confirmed a speed of 450Mbps. In this paper, we describe the detailed specifications and design principles of MISTY1 and MISTY2.
TL;DR: A new optimized standard implementation of DES on 64-bit processors is described, which is about twice as fast as the fastest known standard DES implementation on the same processor.
Abstract: In this paper we describe a fast new DES implementation. This implementation is about five times faster than the fastest known DES implementation on a (64-bit) Alpha computer, and about three times faster than our new optimized DES implementation on 64-bit computers. This implementation uses a non-standard representation, and views the processor as a SIMD computer, i.e., as 64 parallel one-bit processors computing the same instruction. We also discuss the application of this implementation to other ciphers. We describe a new optimized standard implementation of DES on 64-bit processors, which is about twice as fast as the fastest known standard DES implementation on the same processor. Our implementations can also be used for fast exhaustive search in software, which can find a key in only a few days or a few weeks on existing parallel computers and computer networks.
TL;DR: This paper cryptanalyses 5 rounds of a variant of SHARK, which deviates only slightly from the proposed SHARK, and shows that there exist ciphers constructed according to this design strategy which can be broken faster than claimed.
Abstract: In this paper we introduce a new method of attacks on block ciphers, the interpolation attack. This new method is useful for attacking ciphers using simple algebraic functions (in particular quadratic functions) as S-boxes. Also, ciphers of low non-linear order are vulnerable to attacks based on higher order differentials. Recently, Knudsen and Nyberg presented a 6-round prototype cipher which is provably secure against ordinary differential cryptanalysis. We show how to attack the cipher by using higher order differentials and a variant of the cipher by the interpolation attack. It is possible to successfully cryptanalyse up to 32 rounds of the variant using about 2^32 chosen plaintexts with a running time less than 2^64. Using higher order differentials, a new design concept for block ciphers by Kiefer is also shown to be insecure. Rijmen et al. presented a design strategy for block ciphers and the cipher SHARK. We show that there exist ciphers constructed according to this design strategy which can be broken faster than claimed. In particular, we cryptanalyse 5 rounds of a variant of SHARK, which deviates only slightly from the proposed SHARK.
TL;DR: General optimization principles algorithm designers should keep in mind when designing algorithms are discussed, and the performance of RC4, SEAL, RC5, Blowfish, and Khufu/Khafre on the Intel Pentium with respect to those principles is analyzed.
Abstract: Most encryption algorithms are designed without regard to their performance on top-of-the-line microprocessors. This paper discusses general optimization principles algorithm designers should keep in mind when designing algorithms, and analyzes the performance of RC4, SEAL, RC5, Blowfish, and Khufu/Khafre on the Intel Pentium with respect to those principles. Finally, we suggest directions for algorithm design, and give example algorithms, that take performance into account.
TL;DR: Smartcard holders can be considered mobile users as they access the network at various points; such mobile processing can be employed in large scale census applications in statistics gathering, in surveys and tallying, in reading and collecting local control information, etc.
Abstract: The technology of mobile agents, where software pieces of active control and storage (called mobile agents) travel the network and perform tasks distributively, is of growing interest as an Internet technology. Similarly, smartcard holders can be considered mobile users as they access the network at various points. Such mobile processing can be employed in large scale census applications in statistics gathering, in surveys and tallying, in reading and collecting local control information, etc.
TL;DR: It is demonstrated that for certain block ciphers, trapdoors can be built-in that make the cipher susceptible to linear cryptanalysis; however, finding these trapdoors can be made very hard, even if one knows the general form of the trapdoor.
Abstract: This paper presents several methods to construct trapdoor block ciphers. A trapdoor cipher contains some hidden structure; knowledge of this structure allows an attacker to obtain information on the key or to decrypt certain ciphertexts. Without this trapdoor information the block cipher seems to be secure. It is demonstrated that for certain block ciphers, trapdoors can be built-in that make the cipher susceptible to linear cryptanalysis; however, finding these trapdoors can be made very hard, even if one knows the general form of the trapdoor. In principle such a trapdoor can be used to design a public key encryption scheme based on a conventional block cipher.
TL;DR: This paper describes an attack of a simplified version of SEAL, which provides large parts of the secret tables from approximately 2^24 algorithm computations, and constructs a test capable of distinguishing SEAL from a random function using approximately 2^30 computations.
Abstract: SEAL was first introduced in [1] by Rogaway and Coppersmith as a fast software-oriented encryption algorithm. It is a pseudorandom function which stretches a short index into a much longer pseudorandom string under control of a secret key pre-processed into internal tables. In this paper we first describe an attack of a simplified version of SEAL, which provides large parts of the secret tables from approximately 2^24 algorithm computations. As far as the original algorithm is concerned, we construct a test capable of distinguishing SEAL from a random function using approximately 2^30 computations. Moreover, we describe how to derive some bits of information about the secret tables. These results were confirmed by computer experiments.
TL;DR: By using a large number of rounds, this work hopes to be able to scrounge an Sbox out of nowhere, in an environment for which even TEA and the SAFERs are gross overdesign.
Abstract: By using a large number of rounds, we hope to be able to scrounge an Sbox out of nowhere, in an environment for which even TEA and the SAFERs are gross overdesign.
TL;DR: The search algorithm for the best differential characteristic (best linear expression) was already presented by Matsui, and improvements on this algorithm were presented by Moriai et al.; this paper further improves the speed of the search algorithm.
Abstract: This paper presents the results of the best differential characteristic search of FEAL. The search algorithm for the best differential characteristic (best linear expression) was already presented by Matsui, and improvements on this algorithm were presented by Moriai et al. We further improve the speed of the search algorithm. For example, the search time for the 7-round best differential characteristic of FEAL is reduced to about 10 minutes (Pentium/166 MHz), which is about 2^12.6 times faster than Matsui's algorithm. Moreover, we determine all the best differential characteristics of FEAL for up to 32 rounds assuming all S-boxes are independent. As a result, we confirm that the N-round (7 < N < 32) best differential characteristic probability of FEAL is 2^-2N, which was found by Biham. For N = 6, we find 6-round differential characteristics with a greater probability, 2^-11, than that previously discovered, 2^-12.
TL;DR: The concept of keyed permutation to improve resistance to differential and linear cryptanalysis, and the use of an extensible key schedule to achieve an explicit tradeoff between speed and security are introduced.
Abstract: This paper describes the design and implementation of the ICE cryptosystem, a 64-bit Feistel block cipher. It describes the design process, with the various aims and tradeoffs involved. It also introduces the concept of keyed permutation to improve resistance to differential and linear cryptanalysis, and the use of an extensible key schedule to achieve an explicit tradeoff between speed and security.
TL;DR: A low complexity software polynomial evaluation procedure is described that, for large message sizes, gives a MAC that has about the same low software complexity as for bucket hashing but requires only small keys and has better security characteristics.
Abstract: Message authentication codes (MACs) using polynomial evaluation have the advantage of requiring a very short key even for very large messages. We describe a low complexity software polynomial evaluation procedure that, for large message sizes, gives a MAC that has about the same low software complexity as for bucket hashing but requires only small keys and has better security characteristics.
TL;DR: This is the minute of a discussion held at the Fourth Fast Software Encryption Workshop, Haifa, Israel, on Monday January 20, 1997 from 15.30 to 16.30 on the NIST call for comments on the Advanced Encryption Standard proposal.
Abstract: This is the minute of a discussion held at the Fourth Fast Software Encryption Workshop, Haifa, Israel, on Monday January 20, 1997 from 15.30 to 16.30 on the NIST call for comments on the Advanced Encryption Standard proposal. The discussion was held in the presence of over 50 workshop participants from all over the world. These comments were collected during the discussion by Ross Anderson (the discussion chair), Bart Preneel, and Eli Biham, and then circulated by email to the participants who submitted a few further comments. The final draft was prepared by Ross Anderson.
TL;DR: Feistel ciphers are very common and very important in the design and analysis of blockciphers, especially due to four reasons: (1) many (DES-like) ciphers are based on Feistel’s construction, and (2) Luby and Rackoff proved the security of a four-round Feistel construction when the round functions are random.
Abstract: Feistel ciphers are very common and very important in the design and analysis of blockciphers, especially due to four reasons: (1) Many (DES-like) ciphers are based on Feistel’s construction. (2) Luby and Rackoff proved the security of a four-round Feistel construction when the round functions are random. (3) Recently several provably secure ciphers were suggested, which use other (assumed secure) ciphers as the round function. (4) Other such ciphers use this construction as attempts to improve the security of other ciphers (e.g., to improve the security of DES).
TL;DR: In this paper the bits in a linear feedback shift register are treated as if they were independent random variables and a necessary condition for filter functions which result in independent random output bits is given.
Abstract: In this paper the bits in a linear feedback shift register are treated as if they were independent random variables. A necessary condition for filter functions which result in independent random output bits is given. An example shows that the sufficient condition given by Golic in [2] is not necessary.
TL;DR: The mismatch between traditional cipher designs and efficient operation on modern Very Long Instruction Word, Single Instruction Multiple Data, superscalar, and deeply pipelined processors is explored.
Abstract: The mismatch between traditional cipher designs and efficient operation on modern Very Long Instruction Word, Single Instruction Multiple Data, superscalar, and deeply pipelined processors is explored. Guidelines are developed for efficiently exploiting the instruction-level parallelism of these processor architectures.
TL;DR: This work improves linear cryptanalysis by introducing a technique of probabilistic counting into the maximum likelihood stage and shows good results in both the deterministic and the LaSalle-inspired cases.
Abstract: We improve linear cryptanalysis by introducing a technique of probabilistic counting into the maximum likelihood stage.
TL;DR: xmx, as discussed by the authors, is a new symmetric block cipher optimized for public-key libraries and micro-controllers with arithmetic co-processors; xmx has no S-boxes and uses only modular multiplications and xors.
Abstract: This paper presents xmx, a new symmetric block cipher optimized for public-key libraries and microcontrollers with arithmetic co-processors. xmx has no S-boxes and uses only modular multiplications and xors. The complete scheme can be described by a couple of compact formulae that offer several interesting time-space trade-offs (number of rounds/key-size for constant security).
TL;DR: An additive stream ciphering algorithm called “TWOPRIME” is described; it is designed for 32-bit computers, and the key has 128 bits.
Abstract: In this paper, we describe an additive stream ciphering algorithm, called “TWOPRIME”. It is designed for 32-bit computers, and the key has 128 bits. It is fast in software and analytical in the sense that some security aspects of the algorithm can be controlled. A faster version of TWOPRIME is also presented. We also describe a variant of TWOPRIME, called ONEPRIME, which is for 64-bit machines.
TL;DR: This paper shows how to endow any stream cipher with this potentially useful property of traitor tracing, and presents a simple traitor tracing scheme based on random coding with which it can be used.
Abstract: Stream cipher systems are used to protect intellectual property in pay-TV and a number of other applications. In some of these, it would be convenient if a single ciphertext could be broadcast, and subscribers given slightly different deciphering keys that had the effect of producing slightly different plaintexts. In this way, a subscriber who illegally resold material licensed to him could be traced. Previously, such tracing could be done using a one-time pad, or with complicated key management schemes. In this paper we show how to endow any stream cipher with this potentially useful property. We also present a simple traitor tracing scheme based on random coding with which it can be used.
TL;DR: This paper deals with how to define the security of remotely keyed encryption schemes, since the attacker can take over the slow device and actually take part in the encryption process.
Abstract: The purpose of remotely keyed encryption is to efficiently realize a secret-key block cipher by sharing the computational burden between a fast untrusted device and a slow device trusted with the key. This paper deals with how to define the security of remotely keyed encryption schemes. Since the attacker can take over the slow device and actually take part in the encryption process, common definitions of the security of block ciphers have to be reconsidered.
TL;DR: The last-round attack by Matsui's linear cryptanalysis for iterated block ciphers is formalized and requirements for it to be successful are stated.
Abstract: Matsui's linear cryptanalysis for iterated block ciphers is generalized to an attack called . This attack exploits a weakness that can be described by an effective partition-pair, i.e., a partition of the plaintext set and a partition of the next-to-last-round output set such that, for every key, the next-to-last-round outputs are non-uniformly distributed over the blocks of the second partition when the plaintexts are chosen uniformly at random from a particular block of the first partition. The last-round attack by is formalized and requirements for it to be successful are stated. The success probability is approximated and a procedure for finding effective partition-pairs is formulated. The usefulness of is demonstrated by applying it successfully to six rounds of the DES.
TL;DR: This work describes a construction of almost universal hash functions suitable for very fast software implementation and applicable to the hashing of variable size data and fast cryptographic message authentication.
Abstract: We describe a construction of almost universal hash functions suitable for very fast software implementation and applicable to the hashing of variable size data and fast cryptographic message authentication. Our construction uses fast single precision arithmetic which is increasingly supported by modern processors due to the growing needs for fast arithmetic posed by multimedia applications.