Fast software encryption : 14th International Workshop, FSE 2007, Luxembourg, Luxembourg, March 26-28, 2007 : revised selected papers
This book contains the thoroughly refereed post-proceedings of the 14th International Workshop on Fast Software Encryption, FSE 2007, held in Luxembourg, Luxembourg, March 2007. It addresses all current aspects of fast and secure primitives for symmetric cryptology, covering hash function cryptanaly...
| Format | eBook, Book |
|---|---|
| Language | English |
| Published | Berlin: Springer, 2007 (Springer Berlin / Heidelberg) |
| Edition | 1 |
| Series | Lecture Notes in Computer Science |
| ISBN | 9783540746171; 354074617X |
                Table of Contents: 
            
- Front matter: Intro -- Preface -- FSE 2007 -- Table of Contents
- Producing Collisions for Panama, Instantaneously
- Cryptanalysis of FORK-256
- The Grindahl Hash Functions
- Overtaking VEST
- Cryptanalysis of Achterbahn-128/80
- Differential-Linear Attacks Against the Stream Cipher Phelix
- How to Enrich the Message Space of a Cipher
- Security Analysis of Constructions Combining FIL Random Oracles
- Bad and Good Ways of Post-processing Biased Physical Random Numbers
- Improved Slide Attacks
- A New Class of Weak Keys for Blowfish
- The 128-Bit Blockcipher CLEFIA (Extended Abstract)
- New Lightweight DES Variants
- A New Attack on 6-Round IDEA
- Related-Key Rectangle Attacks on Reduced AES-192 and AES-256
- An Analysis of XSL Applied to BES
- On the Security of IV Dependent Stream Ciphers
- Two General Attacks on Pomaranch-Like Keystream Generators
- Analysis of QUAD
- Message Freedom in MD4 and MD5 Collisions: Application to APOP
- New Message Difference for MD4
- Algebraic Cryptanalysis of 58-Round SHA-1
- Algebraic Immunity of S-Boxes and Augmented Functions
- Generalized Correlation Analysis of Vectorial Boolean Functions
- An Analytical Model for Time-Driven Cache Attacks
- Improving the Security of MACs Via Randomized Message Preprocessing
- New Bounds for PMAC, TMAC, and XCBC
- Perfect Block Ciphers with Small Blocks
- Author Index
Section outline by paper:

- Front matter: Intro -- Title Page -- Preface -- FSE 2007 -- Table of Contents
- Producing Collisions for Panama, Instantaneously: Introduction -- Description of Panama -- Structure of the Attack -- Collision in the Buffer -- Collision in the State -- Difference Propagation Through γ -- Specifying the Trail -- Symmetric Patterns -- Techniques for Equation Transfer -- Immediate Satisfaction in W -- Bridge from W to T -- Side Bridge -- Dependency Removal -- The Conditions Due to Differential (dT, dU) -- Solving the Equations by Correction -- The Chosen Trail -- Equation Transfer in the Chosen Trail -- Subcollisions I and V -- Subcollision II -- Subcollision III -- Subcollision IV -- Example of Collision and Workload -- References
- Cryptanalysis of FORK-256: Introduction -- Description of FORK-256 -- Preliminary Observations on FORK-256 -- Micro-collisions in Q_L and Q_R -- Necessary and Sufficient Condition for Micro-collisions -- A First Attempt with a Simple Differential Path -- Near-Collision at the Seventh Round -- Choosing the Difference -- Near-Collisions for FORK-256's Compression Function -- Finding High-Level Differential Paths in FORK-256 -- More General Variant of Path Finding -- Collisions for the Full Compression Function -- Finding Collisions with Low Memory Requirements -- Finding Collisions Faster with Precomputed Tables -- Compression Function's Collisions Turned into Hash Ones -- References
- The Grindahl Hash Functions: Introduction -- The Grindahl Design -- General Strategy -- Invertibility -- Design Approach for the Permutation -- Birthday Attacks -- Design Parameters for the Permutation -- Design Parameters for the Output Transformation -- Proposals for Hash Functions -- Grindahl-256 -- Grindahl-512 -- Padding Rule -- Security Analysis -- Designing Secure Compression Functions -- Implementation -- Software Performance -- On Hardware Implementations -- On Hashing Small Messages -- Memory Requirements -- Conclusion -- References
- Overtaking VEST: Introduction -- Description of VEST -- Counter -- Linear Counter Diffusor -- Accumulator -- Output Combiner -- Key Setup Mode -- IV Setup Mode -- Basic Weaknesses of VEST Components -- Differential Characteristics of the Registers -- Collision in the Counter Diffusor -- Partial Keyed State Recovery -- Attack with Long IVs -- Attack with Short IVs -- Key Recovery -- Backtracking the Key Setup Second Phase -- Meet-in-the-Middle Attack -- Key Recovery Through Related-Key Attack -- Security Discussion -- Existential Forgeries for VEST Hash MAC Mode -- Conclusion -- References
- Cryptanalysis of Achterbahn-128/80: Introduction -- Main Specifications of Achterbahn-128/80 -- Main Specifications of Achterbahn-128 -- Main Specifications of Achterbahn-80 -- The Key-Loading Algorithm -- Attack Against Achterbahn Version 2 in 2^{53} -- Principle of Hell and Johansson Attack -- Complexity -- Example with Achterbahn Version 2 -- Improvement of the Attack Against Achterbahn Version 2 -- Distinguishing Attacks Against Achterbahn-128/80 -- Distinguishing Attack Against Achterbahn-80 -- Distinguishing Attack Against Achterbahn-128 -- Attack with a New Keystream Limitation -- Recovering the Key -- References
- Differential-Linear Attacks Against the Stream Cipher Phelix: Introduction -- The Stream Cipher Phelix -- The Differential Propagation of Addition -- A Basic Key Recovery Attack on Phelix -- The Bias in the Differential Distribution of the Keystream -- Recovering the Key -- Improving the Attack on Phelix -- Recovering Z^{(i)} -- Recovering X_{i+1,0} -- An Approach to Strengthen Helix and Phelix -- Conclusion -- References
- How to Enrich the Message Space of a Cipher: Introduction -- Preliminaries -- The XLS Construction -- The Mixing Function -- The Bit Flips -- Security of XLS -- Supporting Tweaks -- XLS with Ordinary PRPs -- References
- Security Analysis of Constructions Combining FIL Random Oracles: Introduction -- Definitions and Notations -- Security Analysis for Preimage Resistance -- Security Analysis for Collision Resistance -- Application to Previously Proposed Schemes -- Concluding Remarks -- References
- Bad and Good Ways of Post-processing Biased Physical Random Numbers: Introduction -- An Ineffective Post-processing Method for Biased Random Numbers -- The E-Transform -- True and Claimed Properties of the E-Transform -- What Is Really Going on in the E-Transform -- Attacking the Post-processed Output of the E-Transform -- Attacking Unknown Quasigroups and Leaders -- Two Classes of Random Number Post-processing Functions -- Improved Random Number Post-processing Functions with a Fixed Number of Input Bits -- The Concrete Problem Considered -- A Solution for Low Area Hardware Implementation -- Analysis of H -- Improving -- An Even Better Solution -- What About Going Further? -- The Entropy of S -- On the Implementation of S -- Conclusion and Further Research Topics -- References
- Improved Slide Attacks: Introduction -- Related-Key Attacks and Slide Attacks -- Related-Key Attacks -- Slide Attacks -- Our New Technique -- Studying the Cycle Structure -- Using the Cycles in the Slide Attack -- Several Attacks on Reduced Round GOST -- A Short Description of GOST -- Description of the Attack -- Analysis of the Attack -- Other Results on GOST -- Summary and Conclusions -- References
- A New Class of Weak Keys for Blowfish: Introduction -- Our Contributions and Organization of the Paper -- Notation -- High Level Descriptions of Blowfish -- New Models for Description -- Reflection Properties of Blowfish -- Two Reflection Attacks -- First Attack -- Second Attack -- Improvement of Vaudenay's Cryptanalysis on a Subset of Keys -- Discussion of Attacks -- References
- The 128-Bit Blockcipher CLEFIA (Extended Abstract): Introduction -- Notations -- Specification -- Definition of GFN_{d,r} -- Data Processing Part -- Key Scheduling Part -- F-Functions -- Constant Values -- Design Rationale -- Evaluations -- Security -- Performance -- Conclusion -- References
- New Lightweight DES Variants: Introduction -- Design Considerations for Lightweight Block Ciphers -- DESL and DESXL: Design Ideas and Security Consideration -- Design Criteria of DESL -- Improved Resistance Against Differential Cryptanalysis and Davies-Murphy Attack -- Improved Resistance Against Linear Cryptanalysis -- 4R Iterative Linear Approximation -- 5R Iterative Linear Approximation -- nR Iterative Linear Approximation -- Resistance Against Algebraic Attacks -- Improved S-Box -- Lightweight Implementation of DESL -- Results and Conclusion -- References
- A New Attack on 6-Round IDEA: Introduction -- Description of IDEA and the Notations Used in the Paper -- A New Attack on 5.5-Round IDEA -- The First Component - A Linear Equation Involving the LSBs of the Intermediate Encryption Values -- The Second Component - A Square-Like Structure -- The Third Component - Exploiting the Weak Key Schedule -- Analysis and Improvement of the Basic Attack -- The 6-Round Attack -- An Improved 5-Round Attack -- A 5-Round Attack Using Only 16 Known Plaintexts -- Summary and Conclusions -- References
- Related-Key Rectangle Attacks on Reduced AES-192 and AES-256: Introduction -- Description of AES -- The Related-Key Rectangle Attack -- Related-Key Rectangle Attack on 10-Round AES-192 -- 8-Round Related-Key Rectangle Distinguisher -- Key Recovery Attack on 10-Round AES-192 with 256 Related Keys -- Reducing the Number of Related Keys from 256 to 64 -- Related-Key Rectangle Attacks on 8-Round AES-192 and 9-Round AES-256 -- Comments on the 9-Round AES-192 Attack Presented at Eurocrypt 2005 -- Conclusion -- References
- An Analysis of XSL Applied to BES: Introduction -- The XSL Attack on BES -- A Summary of the XSL Attack -- A Summary of the BES Cipher -- An Analysis of This Attack -- Analysing the Extended S-Box Equations -- Adding the Extended Linear Equations -- Further Analysis -- Conclusion -- References
- On the Security of IV Dependent Stream Ciphers: Introduction -- Outline of Our Results -- Security Model -- Basic Security Notions -- Security Requirements for an IV-Dependent Stream Cipher -- Security of the Generic Construction -- A Simple Composition Theorem -- A Tree Based Stream Cipher Construction -- The Tree Based Construction -- Resulting Stream Cipher Construction -- Efficiency Considerations -- Application to the QUAD Stream Cipher -- Conclusion -- References
- Two General Attacks on Pomaranch-Like Keystream Generators: Introduction -- Description of Pomaranch -- Pomaranch Version 1 -- Pomaranch Version 2 -- Pomaranch Version 3 -- Previous Attacks on the Pomaranch Stream Ciphers -- Distinguishing Attacks on Pomaranch-Like Ciphers -- Period of Registers -- Filter Function -- Linear Approximations of Jump Registers -- Attacking Different Versions of Pomaranch -- Attack Complexities for the Existing Versions of the Pomaranch Family -- Square Root IV Attack -- Attack Complexities on Pomaranch -- Conclusions -- References
- Analysis of QUAD: Introduction -- Questions -- Conclusions -- Previous Work -- Future Work -- The QUAD Family of Stream Ciphers -- Definition of QUAD -- Parameter Restrictions -- Example: QUAD(256, 20, 20) -- Nonces -- How to Solve Multivariate Systems -- History of Lazard-Faugère Solvers: F_4, F_5, XL, XL2, FXL