Index

A
Advanced Encryption Standard  see AES
AES  35–64
  AES process and finalists  196
  algebraic attack  60
  bottleneck attack  58
  key schedule  45, 178
  related-key attack  62
  s-box  44, 50, 191
  side-channel cryptanalysis  63
  square attack  55
algebraic attack  see AES
amplified boomerang attack  see differential cryptanalysis
authenticated encryption  82–85
  CCM  83
  EAX  84

B
block cipher
  3-way  195
  Akelarre  195
  Anubis  191, 198
  BaseKing  195
  BEAR  195
  Blowfish  195
  Camellia  198
  CAST-128 and CAST-256  195, 196
  CIPHERUNICORN-A  198
  CIPHERUNICORN-E  198
  Clefia  200
  Crypton  196
  CS-Cipher  198
  DEAL  179, 196
  DES-based variants  see DES
  DFC and DFC v2  196, 199
  E2  196
  FEAL and FEAL-NX  194, 198, 202–203
  FOX  199
  FROG  196
  GOST  194
  Grand Cru  198
  Hasty Pudding Cipher  196
  Hierocrypt-L1 and Hierocrypt-3  198
  Hight  200
  ICE  195
  IDEA  194, 198, 205–207
  KASUMI  178, 185, 207–212
  KFC  199
  Khazad  198
  Khufu and Khafre  194
  LION and LIONESS  195
  LOKI, LOKI91, and LOKI97  194, 196
  Lucifer  13, 194
  Madryga  194
  Magenta  196
  MARS  196, 198
  mCrypton  200
  Mercy  199
  MISTY  185, 191, 195, 198, 207
  MULTI2  194
  Nimbus  198
  Noekeon  198
  NUSH  198
  PES and IPES  194
  PRESENT  191, 200, 217–218
  Q  198
  RC2  194
  RC5  179, 195, 212–214
  RC6  196, 198
  REDOC II  194
  Rijndael  see AES, 195
  SAFER and variants  195, 196, 198
  SC2000  198
  SEA  200
  Serpent  178, 196, 197
  SHACAL  93, 198
  SHARK  195
  Skipjack  214–216
  SMS4  199
  SPEED  195
  SQUARE  195
  TEA and XTEA  195, 200
  Twofish  191, 196, 197
  UES  195
  Wake  195
  XMX  195
block cipher topology  181
boomerang attack  see differential cryptanalysis
bottleneck attack  see AES
branch number  52
brute force attack
  DES  14, 95
  generic  95–108
  true cost  95

C
central limit theorem  170
ciphertext stealing  see modes of operation
confusion  5
cryptanalysis
  data type  8
  resources  9
CRYPTREC  198

D
Data Encryption Standard  see DES
DES  13–34, 193
  brute force attack  14, 95
  complementation property  27
  DESX  32
  DESXL  200
  differential cryptanalysis of  14
  GDES  194
  hardware implementation  200
  key schedule  18, 178
  linear cryptanalysis of  14
  RDES  194
  s-boxes  22–23
  triple-DES  30–32
  weak and semi-weak keys  28
differential cryptanalysis  109–126, 145–165
  amplified boomerang attack  164
  boomerang attack  162
  countermeasures  184
  definition of difference  145
  difference distribution table  115
  differential characteristics  116, 146
  differentials  122, 147
  filtering  124, 149
  higher-order differentials  162
  hypothesis of stochastic equivalence  148
  impossible differentials  152, 159–160
  miss-in-the-middle  159
  rectangle attack  165
  right and wrong pairs  148
  signal-to-noise ratio  151
  structures of texts  153
  truncated differentials  154
  wrong-key randomisation  150
differential-linear cryptanalysis  174–175
diffusion  5
distinguished points  see time–memory trade-off

E
exhaustive search  see brute force attack

F
Feistel cipher  14
field arithmetic  37

H
hash function  3, 86–93
  compression function  87
  Davies-Meyer  87
  double block length  90
  Hirose  92
  Matyas-Meyer-Oseas  87
  MDC-2 and MDC-4  90
  Miyaguchi-Preneel  87
  rate  89
  SHA-3  92
  single block length  87
higher-order differentials  see differential cryptanalysis
hypothesis of stochastic equivalence
  differential cryptanalysis  148
  linear cryptanalysis  168

I
impossible differentials  see differential cryptanalysis
initial value  see modes of operation
initialisation value  see modes of operation
initialisation vector  see modes of operation
interpolation attack  177
irreducible polynomial  37

K
Kerckhoffs’ principle  8
key schedule  7, 178–180

L
lightweight block ciphers  199
linear cryptanalysis  127–144, 165–174
  bilinear cryptanalysis  174
  complexity of attacks  169
  correlation  143
  countermeasures  184
  hypothesis of stochastic equivalence  168
  iterative characteristic  167
  linear approximation table  133
  linear characteristic  167
  linear hulls  141, 142, 168
  multiple approximations  172
  non-linear approximations  174
  piling-up lemma  133, 139, 140, 143, 166
  squared correlation  143, 144
linear hulls  see linear cryptanalysis
Luby-Rackoff  181

M
Markov cipher
  differential cryptanalysis  147
  linear cryptanalysis  168
MDS matrix  52, 53
meet-in-the-middle attack  103–108
  double encryption  103
  three-key triple encryption  107
  two-key triple encryption  105
message authentication codes  3, 77–82
  CBC-MAC  78
  OMAC  80
message-digest algorithm  see hash function
modes of operation  65
  cipher block chaining  65, 67
  cipher feedback  65, 69
  ciphertext stealing  76
  counter mode  65, 73
  electronic code book  65, 66
  initial value  74
  nonce  75, 84
  output feedback  65, 70
  padding  75
modulo n cryptanalysis  174
Moore’s law  95
multiple encryption
  double  103
  triple  105

N
NESSIE  197
nonce  see modes of operation

P
partitioning cryptanalysis  173
permutation
  as a component  7
  block cipher  4, 5
  pseudorandom  181
  super pseudorandom  182, 183
piling-up lemma  see linear cryptanalysis

R
rectangle attack  see differential cryptanalysis
redundancy  5
related-key attack  180
  AES  62
  KASUMI  208
  triple-DES  180

S
S-boxes  186–191
  algebraic degree  188
  algebraic normal form  188
  IO degree  188, 190
  non-linear degree  188, 189
  power mappings  187, 191
  strict avalanche criterion  187
signal-to-noise ratio  see differential cryptanalysis
slide attack  180
SP-network  7
square attack  see AES
stream cipher  3, 69–73
substitution  6

T
time–memory trade-off  96–103
  distinguished points  100
  Hellman  96
  Oechslin  101
  rainbow tables  101
triple-DES  see DES
truncated differentials  see differential cryptanalysis

L.R. Knudsen and M.J.B. Robshaw, The Block Cipher Companion, Information Security and Cryptography, DOI 10.1007/978-3-642-17342-4, © Springer-Verlag Berlin Heidelberg 2011