Variants of the AES Key Schedule for Better Truncated Differential Bounds
[chapter]
2019
Lecture Notes in Computer Science
Our target is AES, and along with a few generic results about the best reachable bounds, we found a permutation to replace the original key schedule that reaches a minimal number of active S-boxes of 20 ...
Finally, we give several pairs $(P_s, P_k)$, replacing respectively the ShiftRows operation and the key schedule of the AES, reaching a minimum of 21 active S-boxes over 6 rounds, while again, there is no ...
We also went further and modified both the key schedule and one step of the AES round function (namely, ShiftRows) to see whether we can achieve better bounds. ...
doi:10.1007/978-3-030-10970-7_2
fatcat:d5ovruudojbdlgv4uybskj667i
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-Round AES-128
[chapter]
2013
Lecture Notes in Computer Science
Provable security against differential and linear cryptanalysis in the related-key scenario is an important step towards a better understanding of its construction. ...
We use a variant of Dijkstra's algorithm to efficiently find the most efficient related-key attacks on SPN ciphers with an algorithm linear in the number of rounds. ...
We would like to thank Martijn Stam, Christian Rechberger and the anonymous referees for their valuable comments on our paper. ...
doi:10.1007/978-3-642-40041-4_11
fatcat:4c33qsv6sjfipcnz644mswmkuy
Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia, Khazad and Others
[chapter]
2010
Lecture Notes in Computer Science
While differential behavior of modern ciphers in a single secret key scenario is relatively well understood, and simple techniques for computation of security lower bounds are readily available, the security ...
We use this tool to search for the best possible (in terms of the number of rounds) related-key differential characteristics in AES, byte-Camellia, Khazad, FOX, and Anubis. ...
bounds for the security of block-ciphers (hash functions) against differential related-key (open-key or chosen message) attacks. ...
doi:10.1007/978-3-642-13190-5_17
fatcat:iz6eqelxtbbmtg25pjrprvprkq
Results of Ukrainian national public cryptographic competition
2010
Tatra Mountains Mathematical Publications
Developers used different methods for achieving security and performance of the algorithms. ...
An overview of proposed symmetric block ciphers and results of their security analysis is given in this paper. ...
Key schedule of "ADE" is equal to such operation in AES/Rijndael. ...
doi:10.2478/v10127-010-0033-6
fatcat:fzqket2qzjft5jue6climua7uy
The LED Block Cipher
[chapter]
2011
Lecture Notes in Computer Science
First, we explore the role of an ultra-light (in fact non-existent) key schedule. ...
Second, we consider the resistance of ciphers, and LED in particular, to related-key attacks: we are able to derive simple yet interesting AES-like security proofs for LED regarding related- or single-key ...
Note that the bounds on the number of active Sboxes are tight as we know differential paths meeting them (for example the truncated differential path for each active big step can simply be any of the 4 ...
doi:10.1007/978-3-642-23951-9_22
fatcat:57im5gmpnvcbnp4cemm23xanha
Key Recovery Attacks of Practical Complexity on AES-256 Variants with up to 10 Rounds
[chapter]
2010
Lecture Notes in Computer Science
One of our attacks uses only two related keys and $2^{39}$ time to recover the complete 256-bit key of a 9-round version of AES-256 (the best previous attack on this variant required 4 related keys and $2^{120}$ ...
Another attack can break a 10-round version of AES-256 in $2^{45}$ time, but it uses a stronger type of related subkey attack (the best previous attack on this variant required 64 related keys and $2^{172}$ time ...
The probability of this truncated differential is $2^{-24}$. 4. Differential for the 8-Round Attack. ...
doi:10.1007/978-3-642-13190-5_15
fatcat:imjhqrpk6zb6dgsjzgcmtdwfyq
A Revised Version of CRYPTON: CRYPTON V1.0
[chapter]
1999
Lecture Notes in Computer Science
To fix some minor weakness in the key schedule and to remove some undesirable properties in S-boxes, we made some changes to the AES proposal, i.e., in the S-box construction and key scheduling. ...
Key Xoring σ For a round key Round Transformation ρ One round of CRYPTON consists of applying γ, π, τ and σ in sequence to the 4 × 4 data array. ...
Acknowledgement The author is very grateful to those people who helped him during the development of CRYPTON. ...
doi:10.1007/3-540-48519-8_3
fatcat:qjczznjjsfe3pnrqnheynm26mq
EPCBC - A Block Cipher Suitable for Electronic Product Code Encryption
[chapter]
2011
Lecture Notes in Computer Science
In the course of proving the security of EPCBC, we could leverage on the extensive security analyses of PRESENT, but we also obtain new results on the differential and linear cryptanalysis bounds for the ...
EPCBC is based on a generalized PRESENT with block size 48 and 96 bits for the main cipher structure and customized key schedule design which provides strong protection against related-key differential ...
It is noteworthy to stress that EPCBC's key schedule (as opposed to PRESENT) is optimized against related key differential attacks, which allows a secure usage of EPCBC in such scenarios. ...
doi:10.1007/978-3-642-25513-7_7
fatcat:gksee7g27zgzhc53pkzsxhix2y
The Boomerang Attack
[chapter]
1999
Lecture Notes in Computer Science
First, we disprove the oft-repeated claim that eliminating all high-probability differentials for the whole cipher is sufficient to guarantee security against differential attacks. ...
s impossible differentials [BBS98,BBS99] also disprove the folk theorem. They show that if one can find a differential of sufficiently low probability, the cipher can be broken. ...
The algorithm designer obtains somehow an upper bound p on the probability of any differential characteristic for the cipher. ...
doi:10.1007/3-540-48519-8_12
fatcat:hnavmghotnem7i5nqeoazbp4r4
Related-Key Differential Cryptanalysis of 192-bit Key AES Variants
[chapter]
2004
Lecture Notes in Computer Science
A related-key differential cryptanalysis is applied to the 192-bit key variant of AES. ...
The attack can be improved using truncated differentials. In this case, the number of required plaintext/ciphertext pairs is $2^{81}$ and the complexity is about $2^{86}$. ...
Conclusion We applied the related-key differential cryptanalysis to the 192-bit key variant of AES. ...
doi:10.1007/978-3-540-24654-1_15
fatcat:uwxcheok5rajhj66hb2qsdy5qe
Piccolo: An Ultra-Lightweight Blockcipher
[chapter]
2011
Lecture Notes in Computer Science
In our smallest implementation, the hardware requirements for the 80 and the 128-bit key mode are only 683 and 758 gate equivalents, respectively. ...
Thus, Piccolo is one of the competitive ultra-lightweight blockciphers which are suitable for extremely constrained environments such as RFID tags and sensor nodes. ...
The authors would like to thank the anonymous reviewers for their helpful comments. ...
doi:10.1007/978-3-642-23951-9_23
fatcat:xsgxzecnrzfpbfdwzslrc4n4aq
The Rebound Attack and Subspace Distinguishers: Application to Whirlpool
2013
Journal of Cryptology
We introduce the rebound attack as a variant of differential cryptanalysis on hash functions and apply it to the hash function Whirlpool, standardized by ISO/IEC. ...
We give attacks on reduced variants of the Whirlpool hash function and the Whirlpool compression function. Next, we introduce the subspace problems as generalizations of near-collision resistance. ...
Acknowledgements The work in this paper has been supported in part by the Secure Information ...
doi:10.1007/s00145-013-9166-5
fatcat:zci3752qhzgejfujmis3jekof4
Subspace Trail Cryptanalysis and its Applications to AES
2017
IACR Transactions on Symmetric Cryptology
This approach allows to use e.g. truncated differential, impossible differential and integral attacks to find the secret key. ...
Finally, we show that our impossible differential attack on 5 rounds of AES with secret S-Box can be turned into a distinguisher for AES in the same setting as the one recently proposed by Sun, Liu, Guo ...
We also thank Charles Bouillaguet for helping us with the tool described in [BDF11] to find attacks that better match the settings we consider. ...
doi:10.13154/tosc.v2016.i2.192-225
dblp:journals/tosc/GrassiRR16
fatcat:rm7yye34gvg3dc7s6jpo3hv72e
Subspace Trail Cryptanalysis and its Applications to AES
2017
IACR Transactions on Symmetric Cryptology
This approach allows to use e.g. truncated differential, impossible differential and integral attacks to find the secret key. ...
Finally, we show that our impossible differential attack on 5 rounds of AES with secret S-Box can be turned into a distinguisher for AES in the same setting as the one recently proposed by Sun, Liu, Guo ...
We also thank Charles Bouillaguet for helping us with the tool described in [BDF11] to find attacks that better match the settings we consider. ...
doi:10.46586/tosc.v2016.i2.192-225
fatcat:7xxvgajoyfhc3cdalrzfxm7j3i
Optimal PRFs from Blockcipher Designs
2017
IACR Transactions on Symmetric Cryptology
We conjecture that our main proposal AES-PRF, AES with a feed-forward of the middle state, achieves close to optimal security. ...
In support of its security, we give the rationale of relying on the EDMD function (as opposed to alternatives), and present analysis of simplified versions of our conversion method applied to the AES. ...
The authors are thankful to the anonymous reviewers of FSE 2018 for their useful technical comments, to Pierre Karpman and Atul Luykx for preliminary discussions, to Tetsu Iwata and Yannick Seurin for ...
doi:10.13154/tosc.v2017.i3.228-252
dblp:journals/tosc/MenninkN17
fatcat:2xfj5naymrhypmfisq3tk7l4xu