Scispace (Formerly Typeset)
Showing papers presented at "Fast Software Encryption in 2002"
Proceedings Article•
Integral Cryptanalysis

[...]

Lars R. Knudsen, David Wagner
4 Feb 2002
TL;DR: This paper considers a cryptanalytic approach called integral cryptanalysis, which can be seen as a dual to differential cryptanalysis and applies to ciphers not vulnerable to differential attacks.
Abstract: This paper considers a cryptanalytic approach called integral cryptanalysis. It can be seen as a dual to differential cryptanalysis and applies to ciphers not vulnerable to differential attacks. The method is particularly applicable to block ciphers which use bijective components only.

511 citations

Book Chapter•10.1007/3-540-45661-9_1•
New Results on Boomerang and Rectangle Attacks

[...]

Eli Biham, Orr Dunkelman, Nathan Keller
Technion – Israel Institute of Technology
4 Feb 2002
TL;DR: This paper presents a new algorithm which improves the results of the rectangle attack, and presents a method for using a boomerang distinguisher, which enables retrieving subkey bits on both sides of the boomerang distinguisher.
Abstract: The boomerang attack is a new and very powerful cryptanalytic technique. However, due to the adaptive chosen plaintext and ciphertext nature of the attack, boomerang key recovery attacks that retrieve key material on both sides of the boomerang distinguisher are hard to mount. We also present a method for using a boomerang distinguisher, which enables retrieving subkey bits on both sides of the boomerang distinguisher. The rectangle attack evolved from the boomerang attack. In this paper we present a new algorithm which improves the results of the rectangle attack. Using these improvements we can attack 3.5-round SC2000 with 2^67 adaptive chosen plaintexts and ciphertexts, and 10-round Serpent with time complexity of 2^173.8 memory accesses (which are equivalent to 2^165.3 Serpent encryptions) with data complexity of 2^126.3 chosen plaintexts.

130 citations

Book Chapter•10.1007/3-540-45661-9_19•
On the Security of Randomized CBC-MAC Beyond the Birthday Paradox Limit: A New Construction

[...]

Éliane Jaulmes, Antoine Joux, Frédéric Valette
4 Feb 2002
TL;DR: In this article, the authors studied the security of randomized CBC-MACs and proposed a new construction that resists birthday paradox attacks and provably reaches full security, and gave a full standard proof of their construction using one pass of a block-cipher with 2n-bit keys.
Abstract: In this paper, we study the security of randomized CBC-MACs and propose a new construction that resists birthday paradox attacks and provably reaches full security. The size of the MAC tags in this construction is optimal, i.e., exactly twice the size of the block cipher. Up to a constant, the security of the proposed randomized CBC-MAC using an n-bit block cipher is the same as the security of the usual encrypted CBC-MAC using a 2n-bit block cipher. Moreover, this construction adds a negligible computational overhead compared to the cost of a plain, non-randomized CBC-MAC. We give a full standard proof of our construction using one pass of a block-cipher with 2n-bit keys but there also is a proof for n-bit keys block-ciphers in the random oracle model.

89 citations

Proceedings Article•
Multiplicative Differentials

[...]

Nikita Borisov, Monica Chew, Rob Johnson, David Wagner
4 Feb 2002
TL;DR: It is concluded that cipher designers may have placed too much faith in multiplication as a mixing operator, and that it should be combined with at least two other incompatible group operations.
Abstract: We present a new type of differential that is particularly suited to analyzing ciphers that use modular multiplication as a primitive operation. These differentials are partially inspired by the differential used to break Nimbus, and we generalize that result. We use these differentials to break the MultiSwap cipher that is part of the Microsoft Digital Rights Management subsystem, to derive a complementation property in the xmx cipher using the recommended modulus, and to mount a weak key attack on the xmx cipher for many other moduli. We also present weak key attacks on several variants of IDEA. We conclude that cipher designers may have placed too much faith in multiplication as a mixing operator, and that it should be combined with at least two other incompatible group operations.

70 citations

Book Chapter•10.1007/3-540-45661-9_4•
Impossible Differential Cryptanalysis of Reduced Round XTEA and TEA

[...]

Dukjae Moon, Kyungdeok Hwang, Wonil Lee, Sangjin Lee, Jongin Lim
Korea University
4 Feb 2002
TL;DR: The impossible differential cryptanalysis of reduced-round versions of XTEA and TEA is presented, and it is shown how to construct a 12-round impossible characteristic of XTEA and how to derive the 128-bit user key of the 11-round TEA.
Abstract: We present the impossible differential cryptanalysis of the block ciphers XTEA [7] and TEA [6]. The core of the design principle of these block ciphers is an easy implementation and simplicity. But this simplicity does not offer a large diffusion property. Our impossible differential cryptanalysis of reduced-round versions of XTEA and TEA is based on this fact. We will show how to construct a 12-round impossible characteristic of XTEA. We can then derive the 128-bit user key of the 14-round XTEA with 2^62.5 chosen plaintexts and 2^85 encryption times using the 12-round impossible characteristic. In addition, we will show how to construct a 10-round impossible characteristic of TEA. Then we can derive the 128-bit user key of the 11-round TEA with 2^52.5 chosen plaintexts and 2^84 encryption times using the 10-round impossible characteristic.

59 citations

Book Chapter•10.1007/3-540-45661-9_15•
Scream: A Software-Efficient Stream Cipher

[...]

Shai Halevi, Don Coppersmith, Charanjit S. Jutla
IBM
4 Feb 2002
TL;DR: Scream as mentioned in this paper is a new software-efficient stream cipher, which was designed to be a more secure version of the SEAL cipher and is roughly as fast as SEAL, but offers a significantly higher security level.
Abstract: We report on the design of Scream, a new software-efficient stream cipher, which was designed to be a "more secure SEAL". Following SEAL, the design of Scream resembles in many ways a block-cipher design. The new cipher is roughly as fast as SEAL, but we believe that it offers a significantly higher security level. In the process of designing this cipher, we re-visit the SEAL design paradigm, exhibiting some tradeoffs and limitations.

55 citations

Book Chapter•10.1007/3-540-45661-9_5•
Improved Cryptanalysis of MISTY1

[...]

Ulrich Kühn
4 Feb 2002
TL;DR: A new attack is presented - the Slicing Attack - on the 4-round version of the block cipher MISTY1, which makes use of the special structure and position of these key-dependent linear FL functions.
Abstract: The block cipher MISTY1 [9] proposed for the NESSIE project [11] is a Feistel network augmented with key-dependent linear FL functions. The proposal allows a variable number of rounds provided that it is a multiple of four. Here we present a new attack - the Slicing Attack - on the 4-round version, which makes use of the special structure and position of these key-dependent linear FL functions. While the FL functions were introduced to make attacks harder, they also present a subtle weakness in the 4-round version of the cipher.

51 citations

Book Chapter•10.1007/3-540-45661-9_16•
Distinguishing Attacks on SOBER-t16 and t32

[...]

Patrik Ekdahl, Thomas Johansson
Lund University
4 Feb 2002
TL;DR: In this article, two ways of mounting distinguishing attacks on two stream ciphers, SOBER-t16 and SOBER-t32, have been proposed, which result in distinguishing attacks faster than exhaustive key search.
Abstract: Two ways of mounting distinguishing attacks on two similar stream ciphers, SOBER-t16 and SOBER-t32, are proposed. It results in distinguishing attacks faster than exhaustive key search on full SOBER-t16 and on SOBER-t32 without stuttering.

48 citations

Book Chapter•10.1007/3-540-45661-9_18•
A Time-Memory Tradeoff Attack Against LILI-128

[...]

Markku-Juhani O. Saarinen
Helsinki University of Technology
4 Feb 2002
TL;DR: In this article, a simple time-memory tradeoff attack against the stream cipher LILI-128 was proposed, which defeats the security advantage of having an irregular stepping function and requires 2^46 bits of keystream, a lookup table of 2^45 89-bit words and computational effort which is roughly equivalent to 2^48 DES operations.
Abstract: In this note we discuss a novel and simple time-memory tradeoff attack against the stream cipher LILI-128. The attack defeats the security advantage of having an irregular stepping function. The attack requires 2^46 bits of keystream, a lookup table of 2^45 89-bit words and computational effort which is roughly equivalent to 2^48 DES operations.

38 citations

Book Chapter•10.1007/3-540-45661-9_7•
On the Security of CAMELLIA against the Square Attack

[...]

Yongjin Yeom, Sangwoo Park, Iljun Kim
4 Feb 2002
TL;DR: In this article, the authors discuss the security of Camellia against the square attack, propose a 4-round distinguisher and construct a basic square attack including the first FL/FL^-1 function layer.
Abstract: Camellia is a 128-bit block cipher proposed by NTT and Mitsubishi. We discuss the security of Camellia against the square attack. We find a 4-round distinguisher and construct a basic square attack. We can attack 5-round Camellia by guessing one byte of subkey and using 2^16 chosen plaintexts. Considering the key schedule, we may extend this attack up to 9-round Camellia including the first FL/FL^-1 function layer.

31 citations

Book Chapter•10.1007/3-540-45661-9_10•
Improved Upper Bounds of Differential and Linear Characteristic Probability for Camellia

[...]

Taizo Shirai, Shoji Kanamaru, George Abe
Sony Broadcast & Professional Research Laboratories
4 Feb 2002
TL;DR: In this paper, the security of the block cipher Camellia against differential attack and linear attack has been evaluated by upper bounds of maximum differential characteristic probability and maximum linear characteristic probability calculated by the least number of active S-boxes which are found by a search method.
Abstract: We discuss the security of the block cipher Camellia against differential attack and linear attack. The security of Camellia against these attacks has been evaluated by upper bounds of maximum differential characteristic probability (MDCP) and maximum linear characteristic probability (MLCP) calculated by the least numbers of active S-boxes which are found by a search method [2]. However, we found that some truncated differential paths generated by the method have wrong properties. We show a new evaluation method for truncated differential and linear paths to discard such wrong paths by using systems of linear equations and sets of nonzero conditions. By applying this technique to Camellia, we found tighter upper bounds of MDCP and MLCP for reduced-round Camellia. As a result, 10-round Camellia without FL/FL^-1 has no differential and linear characteristic with probability higher than 2^-128.
Book Chapter•10.1007/3-540-45661-9_6•
Multiple Linear Cryptanalysis of a Reduced Round RC6

[...]

Takeshi Shimoyama, Masahiko Takenaka, Takeshi Koshiba
Fujitsu
4 Feb 2002
TL;DR: In this paper, the authors apply multiple linear cryptanalysis to a reduced round RC6 block cipher and show that 18-round RC6 with weak key is breakable by using the multiple linear attack.
Abstract: In this paper, we apply multiple linear cryptanalysis to a reduced round RC6 block cipher. We show that 18-round RC6 with weak key is breakable by using the multiple linear attack.
Book Chapter•10.1007/3-540-45661-9_13•
BeepBeep: Embedded Real-Time Encryption

[...]

Kevin R. Driscoll
Honeywell
4 Feb 2002
TL;DR: The BeepBeep algorithm is designed to supply secrecy and integrity for embedded real-time systems that must achieve their required timing performance under all conditions, while operating in a multi-tasking environment with tightly constrained CPU, memory and bandwidth resources.
Abstract: The BeepBeep algorithm is designed to supply secrecy and integrity for embedded real-time systems. These systems must achieve their required timing performance under all conditions, while operating in a multi-tasking environment with tightly constrained CPU, memory, and bandwidth resources. BeepBeep was designed to be implemented as software on the processors most commonly used for embedded controllers. It uses little program memory, no data memory (its state fits into most processors' register sets), and no inherent message padding (ciphertext is a 1:1 replacement for plaintext). It is significantly faster than existing algorithms (e.g. AES) in this environment and includes mechanisms to support integrity as part of its basic secrecy operation.
Book Chapter•10.1007/3-540-45661-9_3•
Differential and Linear Cryptanalysis of a Reduced-Round SC2000

[...]

Hitoshi Yanami (Fujitsu), Takeshi Shimoyama (Fujitsu), Orr Dunkelman (Technion – Israel Institute of Technology)
4 Feb 2002
TL;DR: In this paper, the security of the SC2000 block cipher against both differential and linear attacks was analyzed, and two-round iterative differential characteristics with probability 2^-58 and two-round iterative linear characteristics were obtained through a search.
Abstract: We analyze the security of the SC2000 block cipher against both differential and linear attacks. SC2000 is a six-and-a-half-round block cipher, which has a unique structure that includes both the Feistel and Substitution-Permutation Network (SPN) structures. Taking the structure of SC2000 into account, we investigate one- and two-round iterative differential and linear characteristics. We present two-round iterative differential characteristics with probability 2^-58 and two-round iterative linear characteristics with probability 2^-56. These characteristics, which we obtained through a search, allowed us to attack four-and-a-half-round SC2000 in the 128-bit user-key case. Our differential attack needs 2^103 pairs of chosen plaintexts and 2^20 memory accesses, and our linear attack needs 2^115.17 known plaintexts and 2^42.32 memory accesses, or 2^104.32 known plaintexts and 2^83.32 memory accesses.
Book Chapter•10.1007/3-540-45661-9_20•
Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98

[...]

Daewan Han, Sangwoo Park, Seongtaek Chee
4 Feb 2002
TL;DR: This paper proposes a method for finding collisions of the modified Shin's hash function and shows that it can find collisions with probability 2^-30, based on an analysis of the Boolean functions, the message expansion, and the data-dependent rotations of the hash function.
Abstract: In the conference PKC'98, Shin et al. proposed a dedicated hash function of the MD family. In this paper, we study the security of Shin's hash function. We analyze the properties of the Boolean functions, the message expansion, and the data-dependent rotations of the hash function. We propose a method for finding collisions of the modified Shin's hash function and show that we can find collisions with probability 2^-30.
Book Chapter•10.1007/3-540-45661-9_12•
Non-cryptographic Primitive for Pseudorandom Permutation

[...]

Tetsu Iwata (Tokyo Institute of Technology), Tomonobu Yoshino (Tokyo Institute of Technology), Kaoru Kurosawa (Ibaraki University)
4 Feb 2002
TL;DR: This paper shows that the second round permutation g in five round MISTY type permutation need not be cryptographic at all, i.e., no randomness nor secrecy is required.
Abstract: A four-round Feistel permutation (like DES) is super-pseudorandom if each round function is random or a secret universal hash function. A similar result is known for the five-round MISTY type permutation. It seems that each round function must be at least either random or secret in both cases. In this paper, however, we show that the second round permutation g in the five-round MISTY type permutation need not be cryptographic at all, i.e., no randomness nor secrecy is required. g has only to satisfy that g(x) ⊕ x ≠ g(x') ⊕ x' for any x ≠ x'. This is the first example in which a non-cryptographic primitive is substituted to construct the minimum-round super-pseudorandom permutation. Further, we show efficient constructions of super-pseudorandom permutations by using the above-mentioned g.
Book Chapter•10.1007/3-540-45661-9_17•
Linearity Properties of the SOBER-t32 Key Loading

[...]

Markus Dichtl, Marcus Schafheutle
4 Feb 2002
TL;DR: It is shown that the required condition for the frame keys is met very naturally when using counters as frame keys and the linearity properties of the SOBER-t32 key loading are caused by non-optimal diffusion of the non-linear filter function of the cipher.
Abstract: In the course of the evaluation of the stream cipher SOBER-t32 submitted to NESSIE, a correlation between initial states has been found for related keys. With high probability some sums of bits of the initial state after key loading do not change their value when a bit of the key is inverted. This holds also for the loading of frame keys. It is shown that the required condition for the frame keys is met very naturally when using counters as frame keys. The linearity properties of the SOBER-t32 key loading are caused by non-optimal diffusion of the non-linear filter function of the cipher.
Book Chapter•10.1007/3-540-45661-9_8•
Saturation Attacks on Reduced Round Skipjack

[...]

Kyungdeok Hwang (Korea University), Wonil Lee (Korea University), Sungjae Lee (KISA), Sangjin Lee (Korea University), Jongin Lim (Korea University)
4 Feb 2002
TL;DR: Saturation attacks on reduced-round versions of Skipjack have been studied in this article, where a 16-round distinguisher is used to distinguish Skipjack from a random permutation.
Abstract: This paper describes saturation attacks on reduced-round versions of Skipjack. To begin with, we will show how to construct a 16-round distinguisher which distinguishes 16 rounds of Skipjack from a random permutation. The distinguisher is used to attack 18 (rounds 5~22) and 23 (rounds 5~27) rounds of Skipjack. We can also construct a 20-round distinguisher based on the 16-round distinguisher. This distinguisher is used to attack 22 (rounds 1~22) and 27 (rounds 1~27) rounds of Skipjack. The 80-bit user key of 27 rounds of Skipjack can be recovered with 2^50 chosen plaintexts and 3 · 2^75 encryption times.
Book Chapter•10.1007/3-540-45661-9_11•
The Round Functions of RIJNDAEL Generate the Alternating Group

[...]

Ralph Wernsdorf
4 Feb 2002
TL;DR: For the block cipher RIJNDAEL with a block length of 128 bits group theoretic properties of the round functions are derived and it is shown that these round functions generate the alternating group.
Abstract: For the block cipher RIJNDAEL with a block length of 128 bits group theoretic properties of the round functions are derived. Especially it is shown that these round functions generate the alternating group.
Book Chapter•10.1007/3-540-45661-9_21•
Compression and Information Leakage of Plaintext

[...]

John Kelsey
4 Feb 2002
TL;DR: In this paper, the authors describe a side-channel provided by data compression algorithms, yielding information about their inputs by the size of their outputs, and discuss ways to use this apparently very small leak of information in surprisingly powerful ways.
Abstract: Cryptosystems like AES and triple-DES are designed to encrypt a sequence of input bytes (the plaintext) into a sequence of output bytes (the ciphertext) in such a way that the output carries no information about that plaintext except its length. In recent years, concerns have been raised about "side-channel" attacks on various cryptosystems—attacks that make use of some kind of leaked information about the cryptographic operations (e.g., power consumption or timing) to defeat them. In this paper, we describe a somewhat different kind of side-channel provided by data compression algorithms, yielding information about their inputs by the size of their outputs. The existence of some information about a compressor's input in the size of its output is obvious; here, we discuss ways to use this apparently very small leak of information in surprisingly powerful ways.
Book Chapter•10.1007/3-540-45661-9_14•
A New Keystream Generator MUGI

[...]

Dai Watanabe (Hitachi), Soichi Furuya (Hitachi), Hirotaka Yoshida (Hitachi), Kazuo Takaragi (Hitachi), Bart Preneel (Katholieke Universiteit Leuven)
4 Feb 2002
TL;DR: MUGI as mentioned in this paper is a secure key stream generator with a 128-bit secret key and a 32-bit initial vector, which achieves 3 Gbps with 26 Kgates, which is several times faster than AES.
Abstract: We present a new keystream generator (KSG) MUGI, which is a variant of Panama proposed at FSE '98. MUGI has a 128-bit secret key and a 128-bit initial vector as parameters and generates a 64-bit string per round. The design is particularly suited for efficient hardware implementations, but the software performance of MUGI is excellent as well. A speed optimized implementation in hardware achieves about 3 Gbps with 26 Kgates, which is several times faster than AES. On the other hand the security was evaluated according to re-synchronization attack, related-key attack, and linear correlation of an output sequence. Our analysis confirms that MUGI is a secure KSG.
