TL;DR: This paper disproves the oft-repeated claim that eliminating all high-probability differentials for the whole cipher is sufficient to guarantee security against differential attacks, and shows how to break COCONUT98, a cipher designed using decorrelation techniques to ensure provable security against differential attacks.
Abstract: This paper describes a new differential-style attack, which we call the boomerang attack. This attack has several interesting applications. First, we disprove the oft-repeated claim that eliminating all high-probability differentials for the whole cipher is sufficient to guarantee security against differential attacks. Second, we show how to break COCONUT98, a cipher designed using decorrelation techniques to ensure provable security against differential attacks, with an advanced differential-style attack that needs just 2^16 adaptively chosen texts. Also, to illustrate the power of boomerang techniques, we give new attacks on Khufu-16, FEAL-6, and 16 rounds of CAST-256.
TL;DR: The slide attack as mentioned in this paper is a known- (or sometimes chosen-) plaintext attack on product ciphers, which in many cases is independent of the number of rounds of a cipher and can be applied to DES and Blowfish.
Abstract: It is a general belief among the designers of block-ciphers that even a relatively weak cipher may become very strong if its number of rounds is made very large. In this paper we describe a new generic known- (or sometimes chosen-) plaintext attack on product ciphers, which we call the slide attack and which in many cases is independent of the number of rounds of a cipher. We illustrate the power of this new tool by giving practical attacks on several recently designed ciphers: TREYFER, WAKE-ROFB, and variants of DES and Blowfish.
TL;DR: The application of a new cryptanalytic technique based on impossible differentials to the block ciphers IDEA and Khufu shows that it is applicable to a larger class of cryptosystems, and develops new technical tools for applying it in new situations.
Abstract: In a recent paper we developed a new cryptanalytic technique based on impossible differentials, and used it to attack the Skipjack encryption algorithm reduced from 32 to 31 rounds. In this paper we describe the application of this technique to the block ciphers IDEA and Khufu. In both cases the new attacks cover more rounds than the best currently known attacks. This demonstrates the power of the new cryptanalytic technique, shows that it is applicable to a larger class of cryptosystems, and develops new technical tools for applying it in new situations.
TL;DR: The revised version of CRYPTON is presented, and its preliminary analysis shows that some minor weaknesses in the key schedule and some undesirable properties in the S-boxes have been removed.
Abstract: The block cipher CRYPTON has been proposed as a candidate algorithm for the Advanced Encryption Standard (AES). To fix some minor weakness in the key schedule and to remove some undesirable properties in S-boxes, we made some changes to the AES proposal, i.e., in the S-box construction and key scheduling. This paper presents the revised version of CRYPTON and its preliminary analysis.
TL;DR: A known plaintext attack that can break RC5-32 (block size 64) with 10 rounds and RC5-64 (block size 128) with 15 rounds is described; these are the best known plaintext attacks on RC5, have negligible storage requirements, and do not make any assumption on the plaintext distribution.
Abstract: In this paper we evaluate the resistance of the block cipher RC5 against linear cryptanalysis. We describe a known plaintext attack that can break RC5-32 (block size 64) with 10 rounds and RC5-64 (block size 128) with 15 rounds. In order to do this we use techniques related to the use of multiple linear approximations. Furthermore the success of the attack is largely based on the linear hull-effect. To our knowledge, at this moment these are the best known plaintext attacks on RC5, which have negligible storage requirements and do not make any assumption on the plaintext distribution. Furthermore we discuss the impact of our attacking method on the AES-candidate RC6, whose design was based on RC5.
TL;DR: A new design tool for "block encryption", allowing the en/decryption of arbitrarily long messages, but performing en-decryption on only a single block, where the rest of the message is only processed by a good scrambling function.
Abstract: In this paper, we propose a new design tool for "block encryption", allowing the en/decryption of arbitrarily long messages, but performing en/decryption on only a single block (e.g., 128 bit block), where the rest of the message is only processed by a good scrambling function (e.g., one based on an ideal hash function). The design can be a component in constructing various schemes where the above properties give an advantage. A quite natural use of our scheme is for remotely keyed encryption. We actually solve an open problem (at least in the relaxed ideal hash model and where hosts are allowed to add randomness and integrity checks, thus giving a length increasing function); namely, we show the existence of a secure remotely keyed encryption scheme which performs only one interaction with the smart-card device.
TL;DR: The paper provides new constructions for Luby-Rackoff block ciphers which are efficient in terms of computations and key material used and shows that some security guarantees can be made under much weaker and more practical assumptions about the underlying function.
Abstract: We provide new constructions for Luby-Rackoff block ciphers which are efficient in terms of computations and key material used. Next, we show that we can make some security guarantees for Luby-Rackoff block ciphers under much weaker and more practical assumptions about the underlying function; namely, that the underlying function is a secure Message Authentication Code. Finally, we provide a SHA-1 based example block cipher called Sha-zam.
TL;DR: It is proved that the entire 256-bit user key for 6 rounds of Crypton can be recovered with a complexity of 2^56 encryptions, whereas for SQUARE 2^72 encryptions are required to recover the 128-bit user key.
Abstract: In this paper we present an attack on a reduced round version of Crypton. The attack is based on the dedicated Square attack. We explain why the attack also works on Crypton and prove that the entire 256-bit user key for 6 rounds of Crypton can be recovered with a complexity of 2^56 encryptions, whereas for SQUARE 2^72 encryptions are required to recover the 128-bit user key.
TL;DR: This paper deals with truncated differential cryptanalysis of the 128-bit block cipher E2, which is an AES candidate designed and submitted by NTT and shows a non-trivial seven round byte characteristic, which leads to a possible attack of E2 reduced to eight rounds without IT and FT by a chosen plaintext scenario.
Abstract: This paper deals with truncated differential cryptanalysis of the 128-bit block cipher E2, which is an AES candidate designed and submitted by NTT. Our analysis is based on byte characteristics, where a difference of two bytes is simply encoded into one bit of information, "0" (the same) or "1" (not the same). Since E2 is a strongly byte-oriented algorithm, this bytewise treatment of characteristics greatly simplifies a description of its probabilistic behavior and notably enables an analysis independent of the structure of its (unique) lookup table. As a result, we show a non-trivial seven round byte characteristic, which leads to a possible attack of E2 reduced to eight rounds without IT and FT by a chosen plaintext scenario. We also show that by a minor modification of the byte order of output of the round function -- which does not reduce the complexity of the algorithm nor violate its design criteria at all -- a non-trivial nine round byte characteristic can be established, which results in a possible attack of the modified E2 reduced to ten rounds without IT and FT, and reduced to nine rounds with IT and FT. Our analysis does not have a serious impact on the full E2, since it has twelve rounds with IT and FT; however, our results show that the security level of the modified version against differential cryptanalysis is lower than the designers' estimation.
TL;DR: This paper provides a formal treatment for differential, linear and truncated differential cryptanalysis, and applies it to CS-Cipher in order to prove that there exists no good characteristic for these attacks.
Abstract: CS-Cipher is a block cipher which has been proposed at FSE 1998. It is a Markov cipher in which diffusion is performed by multipermutations. In this paper we first provide a formal treatment for differential, linear and truncated differential cryptanalysis, and we apply it to CS-Cipher in order to prove that there exists no good characteristic for these attacks. This holds under the approximation that all round keys of CS-Cipher are uniformly distributed and independent. For this we introduce a new technique for counting active S-boxes in computational networks by the Floyd-Warshall algorithm.
TL;DR: It is shown that the theory behind the proposed constructions does not guarantee security against state-of-the-art differential attacks and it is argued that the cipher does not obtain provable security against a differential attack.
Abstract: In the first part of this paper the decorrelation theory of Vaudenay is analysed. It is shown that the theory behind the proposed constructions does not guarantee security against state-of-the-art differential attacks. In the second part of this paper the proposed Decorrelated Fast Cipher (DFC), a candidate for the Advanced Encryption Standard, is analysed. It is argued that the cipher does not obtain provable security against a differential attack. Also, an attack on DFC reduced to 6 rounds is given.
TL;DR: Simplified variants that omit a quadratic function and a fixed rotation in RC6 are examined to clarify their essential contribution to the overall security of RC6.
Abstract: RC6 has been submitted as a candidate for the Advanced Encryption Standard (AES). Two important features of RC6 that were absent from its predecessor RC5 are a quadratic function and a fixed rotation. By examining simplified variants that omit these features we clarify their essential contribution to the overall security of RC6.
TL;DR: This work gives a necessary and sufficient condition for an almost perfect nonlinear function to be almost bent, which notably enables us to exhibit some infinite families of power functions which are not almost bent.
Abstract: We study the functions from F_{2^m} into F_{2^m} for odd m which oppose an optimal resistance to linear cryptanalysis. These functions are called almost bent. It is known that almost bent functions are also almost perfect nonlinear, i.e. they also ensure an optimal resistance to differential cryptanalysis, but the converse is not true. We here give a necessary and sufficient condition for an almost perfect nonlinear function to be almost bent. This notably enables us to exhibit some infinite families of power functions which are not almost bent.
TL;DR: A certificational attack on DEAL-192, the DEAL variant with a 192-bit key, which allows a trade-off between the number of plaintext/ciphertext pairs and the time for the attacker's computations.
Abstract: DEAL is a DES-based block cipher proposed by Knudsen. The block size of DEAL is 128 bits, twice as much as the DES block size. The main result of the current paper is a certificational attack on DEAL-192, the DEAL variant with a 192-bit key. The attack allows a trade-off between the number of plaintext/ciphertext pairs and the time for the attacker's computations. Nevertheless, the DEAL design principle seems to be a useful way of doubling the block size of a given block cipher.
TL;DR: This paper presents an efficient interpolation attack using a computer algebra system that is effective for attacking ciphers that use simple algebraic functions and applies it to the block cipher SNAKE proposed by Lee and Cha at JW-ISC'97.
Abstract: This paper presents an efficient interpolation attack using a computer algebra system. The interpolation attack proposed by Jakobsen and Knudsen was shown to be effective for attacking ciphers that use simple algebraic functions. However, there was a problem that the complexity and the number of pairs of plaintexts and ciphertexts required for the attack can be overestimated. We solve this problem by first, finding the actual number of coefficients in the polynomial (or rational expression) used in the attack by using a computer algebra system, and second, by finding the polynomial (or rational expression) with fewest coefficients by choosing the plaintexts. We apply this interpolation attack to the block cipher SNAKE proposed by Lee and Cha at JW-ISC'97. In the SNAKE family there are two types of Feistel ciphers, SNAKE(1) and SNAKE(2), with different round functions. Both of them use the inverse function in the Galois Field GF(2^m) as S-box. We show that when the block size is 64 bits and m = 8, all round keys are recovered for SNAKE(1) and SNAKE(2) with up to 11 rounds. Moreover, when the block size is 128 bits and m = 16, all round keys are recovered for SNAKE(1) with up to 15 rounds and SNAKE(2) with up to 16 rounds.
TL;DR: These are constructions for a family of pseudorandom generators that are very fast in practice, yet possess provable strong cryptographic and statistical unpredictability properties, and have much smaller memory requirements.
Abstract: We present constructions for a family of pseudorandom generators that are very fast in practice, yet possess provable strong cryptographic and statistical unpredictability properties. While such constructions were previously known, our constructions here have much smaller memory requirements, e.g., small enough for smart cards, etc. Our memory improvements are achieved by using variants of pseudorandom functions. The security requirements of this primitive are a weakening of the security requirements of a pseudorandom function. We instantiate this primitive by a keyed secure hash function. A sample construction based on DES and MD5 was found to run at about 20 megabits per second on a Pentium II.
TL;DR: In this article, the authors extend the analysis by considering some more realistic attack models and present an improved attack on multiple modes that contain an OFB mode and discuss practical solutions that take into account realistic constraints.
Abstract: The DES has reached the end of its lifetime due to its too short key length and block length (56 and 64 bits respectively). As we are awaiting the new AES, triple (and double) encryption are the common solution. However, several authors have shown that these multiple modes are much less secure than anticipated. The general belief is that these schemes should not be used, as they are not resistant against attacks requiring 2^64 chosen plaintexts. This paper extends the analysis by considering some more realistic attack models. It also presents an improved attack on multiple modes that contain an OFB mode and discusses practical solutions that take into account realistic constraints.
TL;DR: In the case where an attacker can analyze key streams generated for consecutive frames with the same key, the authors present an attack that, in their implementation, requires less than one minute on a 200 MHz Pentium.
Abstract: SOBER is a new stream cipher that has recently been developed by Greg Rose for possible applications in wireless telephony [3]. In this paper we analyze SOBER and point out different weaknesses. In the case where an attacker can analyze key streams generated for consecutive frames with the same key, we present an attack that, in our implementation, requires less than one minute on a 200 MHz Pentium.
TL;DR: It is demonstrated that a weakness of this type can be used to construct a trapdoor that may be difficult to detect and some implications for block cipher design are noted.
Abstract: An iterated block cipher can be regarded as a means of producing a set of permutations of a message space. Some properties of the group generated by the round functions of such a cipher are known to be of cryptanalytic interest. It is shown here that if this group acts imprimitively on the message space then there is an exploitable weakness in the cipher. It is demonstrated that a weakness of this type can be used to construct a trapdoor that may be difficult to detect. An example of a DES-like cipher, resistant to both linear and differential cryptanalysis that generates an imprimitive group and is easily broken, is given. Some implications for block cipher design are noted.
TL;DR: A form of partitioning attack that is effective against ciphers which rely on modular addition and bit rotations for their security is introduced; the general attack is expected to be extensible to other values of n.
Abstract: We introduce "mod n cryptanalysis," a form of partitioning attack that is effective against ciphers which rely on modular addition and bit rotations for their security. We demonstrate this attack with a mod 3 attack against RC5P, an RC5 variant that uses addition instead of xor. We also show mod 5 and mod 257 attacks against some versions of a family of ciphers used in the FireWire standard. We expect mod n cryptanalysis to be applicable to many other ciphers, and that the general attack is extensible to other values of n.
TL;DR: Remotely keyed encryption schemes (RKESs) support fast encryption and decryption using low-bandwidth devices, such as secure smartcards, while most of the encryption is done on a fast untrusted device, such as the smartcard's host.
Abstract: Remotely keyed encryption schemes (RKESs) support fast encryption and decryption using low-bandwidth devices, such as secure smartcards. The long-lived secret keys never leave the smartcard, but most of the encryption is done on a fast untrusted device, such as the smartcard’s host.
TL;DR: The VIL mode of operation makes a variable-input-length cipher from any block cipher, and is demonstrably secure in the provable-security sense of modern cryptography: it is given a quantitative security analysis relating the difficulty of breaking the constructed (variable-input-length) cipher to the difficulty of breaking the underlying block cipher.
Abstract: Whereas a block cipher enciphers messages of some one particular length (the blocklength), a variable-input-length cipher takes messages of varying (and preferably arbitrary) lengths. Still, the length of the ciphertext must equal the length of the plaintext. This paper introduces the problem of constructing such objects, and provides a practical solution. Our VIL mode of operation makes a variable-input-length cipher from any block cipher. The method is demonstrably secure in the provable-security sense of modern cryptography: we give a quantitative security analysis relating the difficulty of breaking the constructed (variable-input-length) cipher to the difficulty of breaking the underlying block cipher.