
## Tweakable block ciphers (2002)


Citations: | 151 - 4 self |

### Citations

3251 | Handbook of Applied Cryptography - Menezes, Oorschot, et al. - 1997 |

672 | Differential Cryptanalysis of DES-like Cryptosystems - Biham, Shamir - 1991 |

640 | Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems - Kocher - 1996 |

415 | Differential Cryptanalysis of the Data Encryption Standard - Biham, Shamir - 1993 |

348 | The RC5 encryption algorithm - Rivest - 1995 |

240 | The Security of the Cipher Block Chaining Message Authentication Code - Bellare, Kilian, et al. |

199 | New types of cryptanalytic attacks using related keys - Biham - 1994

Citation Context: ...ring the tweak into the key: e EK (T ; M) = EKT (M) need not yield secure tweakable block ciphers, since a block cipher need not depend on every bit of its key. (Biham's related-key attacks of Biham [2] would be relevant to this sort of design.) The following theorem gives a construction that works. Theorem 1. Let e EK (T ; M) = EK (T EK (M)): e E is a secure tweakable block cipher. More precisely,... |

149 | Truncated and higher order differentials - Knudsen - 1994 |

146 | UMAC: Fast and secure message authentication - Black, Halevi, et al. - 1999

Citation Context: ...reover, we expect that our construction will be reasonably fast. For instance, for t = n = 128, a generalized division hash runs in something like 300 cycles [15], UMAC/UHASH runs in about 200 cycles [5], hash127 runs in about 150 cycles [2] and a DFC-style decorrelation module should run in about 200 cycles [9] (all speeds on a Pentium II class machine, and are rough estimates). If we compare to AES... |

132 | Markov Ciphers and Differential Cryptanalysis - Lai, Massey, et al. - 1991 |

131 | cryptanalysis method for des cipher - Linear - 1994 |

103 | Differential cryptanalysis of the full 16–round DES - Biham, Shamir - 1993 |

92 | Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C - Schneier - 1996

Citation Context: ...de for a tweakable block cipher. Each ciphertext becomes the tweak for the next encryption. To handle messages whose length is greater than n but not a multiple of n, a variant of ciphertext-stealing [8] can be used; see Figure 5. [Fig. 5. Ciphertext stealing for tweak block chaining handles messages whose length is at least n bits long but not a multip...] |

88 | between differential and linear cryptanalysis, in - Chabaud, Vaudenay, et al. - 1995 |

80 | Linear approximation of block ciphers - Nyberg - 1995 |

80 | CBC MACs for arbitrary-length messages: The three-key constructions - BLACK, ROGAWAY - 2000 |

75 | A construction of a cipher from a single pseudorandom permutation - Even, Mansour - 1997

Citation Context: ...ed." In a similar vein, Biham and Biryukov [1] suggest strengthening DES against exhaustive search by (among other things) applying a DESX-like construction to each of DES's S-boxes. Even and Mansour [4] have also investigated a similar construction (see Figure 2(b)) where the inner encryption operator is fixed and public. They show (see also Daemen [3]) that the effective key length here is n lg l lg m ... |

70 | A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications - Bellare, Kohno - 2003 |

65 | LOKI--a cryptographic primitive for authentication and secrecy applications - Brown, Pieprzyk, et al. - 1990 |

47 | On Matsui’s Linear Cryptanalysis - Biham - 1994 |

43 | Improving Resistance to Differential Crypt Analysis and the - BROWN, KWAN, et al. - 1993 |

38 | Markov ciphers and differential cryptanalysis - Lai, Massey, et al. - 1991 |

36 | On Differential and Linear Crypt analysis of RC5 Encryption Algorithm, proc - KALISKI, YIN - 1995 |

35 | Fast Implementations of AES candidates - Aoki, Lipmaa

Citation Context: ...] and a DFC-style decorrelation module should run in about 200 cycles [9] (all speeds on a Pentium II class machine, and are rough estimates). If we compare to AES, which runs in about 230-300 cycles [1], we expect that a version of AES tweaked in this way will run about 50-80% slower than the plain AES. Though this is likely to be faster than the previous construction, it does require a longer key. ... |

34 | Cipher Systems - Beker, Piper - 1982 |

33 | Differential cryptanalysis of FEAL and N-hash - Biham, Shamir - 1991 |

32 | On the impossibility of highly-efficient blockcipher-based hash functions - Black, Cochran, et al. - 2005 |

30 | Limitations of the Even-Mansour construction - Daemen - 1991

Citation Context: ...ruction to each of DES's S-boxes. Even and Mansour [4] have also investigated a similar construction (see Figure 2(b)) where the inner encryption operator is fixed and public. They show (see also Daemen [3]) that the effective key length here is n lg l lg m where the adversary is allowed to make l calls to the encryption/decryption oracles and m calls to an F=F 1 oracle. 1.2 Outline of this paper In Sect... |

29 | Floating-point arithmetic and message authentication, Unpublished manuscript. Available at http://cr.yp.to/papers.html#hash127 - Bernstein

Citation Context: ...n will be reasonably fast. For instance, for t = n = 128, a generalized division hash runs in something like 300 cycles [15], UMAC/UHASH runs in about 200 cycles [5], hash127 runs in about 150 cycles [2] and a DFC-style decorrelation module should run in about 200 cycles [9] (all speeds on a Pentium II class machine, and are rough estimates). If we compare to AES, which runs in about 230-300 cycles [... |

29 | Designing S-boxes for ciphers resistant to differential cryptanalysis - Adams, Tavares - 1993 |

29 | Cryptanalysis of multiple modes of operation - Biham - 1995 |

28 | A fast large block cipher for disk sector encryption - Mercy - 2000

Citation Context: ...nst exhaustive search by (among other things) applying a DESX-like construction to each of DES's S-boxes. Finally, two block cipher proposals, the Hasty Pudding Cipher (HPC) [14] and the Mercy cipher [6] include an extra input for variability, called in their design specifications a "spice," a "randomiser," or a "diversification parameter." These proposals include a basic notion of what kind of securit... |

28 | Differential cryptanalysis of Snefru - Biham, Shamir - 1991 |

27 | New results in Linear Cryptanalysis of RC5 - Selcuk - 1998 |

23 | Improved differential attacks on RC5 - Knudsen, Meier - 1996 |

22 | Biryukov, An Improvement of Davies’ Attack on DES - Biham, Alex - 1997 |

21 | Differential Cryptanalysis of Lucifer - Ben-Aroya - 1994 |

19 | How to strengthen DES using existing hardware - Biham, Biryukov - 1994

Citation Context: ...r example, the discussion by Rogaway et al. [12] explaining the design rationale for the OCB mode of operation, which uses the same cryptographic key throughout. In a similar vein, Biham and Biryukov [4] suggest strengthening DES against exhaustive search by (among other things) applying a DESX-like construction to each of DES's S-boxes. Finally, two block cipher proposals, the Hasty Pudding Cipher (... |

19 | Timing Attacks on Implementations of Diffie-Hellman - Kocher - 1996 |

19 | Differential cryptanalysis of the full 16-round DES - Biham, Shamir - 1991 |

18 | Truncated and higher order differentials - Knudsen - 1995 |

17 | A general construction of tweakable block ciphers and different modes of operations - Chakraborty, Sarkar - 2006 |

15 | On the Security of the RC5 Encryption Algorithm - S, Yin - 1998 |

14 | OCB: A block-cipher mode of operation for efficient authenticated encryption - Rogaway, Bellare, et al.

Citation Context: ...relatively expensive to change the key, these modes of operation are relatively inefficient compared to similar modes that use the same key throughout. See, for example, the discussion by Rogaway et al. [7] explaining the design rationale for the OCB mode of operation, which uses the same cryptographic key throughout. A tweakable block cipher should also be secure. In order to deal with the issue of sec... |

12 | Improved Differential Attacks on RC5 - Knudsen, Meier - 1996 |

11 | On Immunity against Biham and Shamir's "Differential Cryptanalysis - Adams - 1992 |

10 | On modes of operation - Biham |

10 | Differential Cryptanalysis of Lucifer - Ben-Aroya, Biham - 1993 |

10 | Differential Cryptanalysis of Snefru, Khafre - Biham, Shamir - 1992 |

9 | Linearly weak keys of RC5 - Heys - 1997 |

8 | Modern Cryptology. Volume 325 - Brassard - 1988 |

8 | Proof that DES Is Not a Group - Campbell, Wiener - 1993 |

8 | Designing S-boxes for ciphers resistant to differential cryptanalysis - Adams, Tavares - 1993 |

6 | Report of the workshop on cryptography in support of computer security - Gait, Katzke |

5 | How to Strengthen DES Using Existing Hardware - 1994

Citation Context: ...are the secret key parameters. and post-whitening operations are essentially there to provide distinct families of encryption operators, i.e. they are "tweaked." In a similar vein, Biham and Biryukov [1] suggest strengthening DES against exhaustive search by (among other things) applying a DESX-like construction to each of DES's S-boxes. Even and Mansour [4] have also investigated a similar construct... |

5 | Structure in the S-Boxes of the DES - Brickell, Moore, et al. - 1987 |

5 | Key-dependency of linear probability of RC5 - Moriai, Aoki, et al. - 1996 |

3 | Key-dependency of linear probability of RC5 - Moriai, Aoki, et al. - 1996 |

2 | Linear cryptanalysis of FEAL-8 (experimentation report - Aoki, Ohta, et al. - 1994 |

2 | Strategy description, May 22 - Packard - 1997 |

2 | The Next Generation of Microprocessor Architecture - Corporation |

1 | How to protect DES against exhaustive search (an analysis of DESX - Kilian, Rogaway - 1996

Citation Context: ...duced by Rivest (unpublished). See Figure 2(a). The reason for introducing DESX was to cheaply provide additional key information for DES. The security of DESX has been analyzed by Kilian and Rogaway [5]; they show that DESX with n-bit inputs (and tweaks) and k-bit keys has an effective key-length of k +n 1 lg m where the adversary is limited to m oracle calls. Similarly, if one looks at the internals... |

1 | A Formal and Practical Design for Substitution - Permutation Network Cryptosystems - Adams - 1990 |

1 | Improved cryptanalysis of RC5. To appear - Biryukov, Kushilevitz - 1998 |

1 | A Formal and Practical Design for Substitution-Permutation Network Cryptosystems - Adams - 1990 |

1 | On Immunity against Biham and - Adams - 1992 |

1 | Linear cryptanalysis of FEAL-8 (experimentation report - Araki, Matsui - 1994 |

1 | Differential cryptanalysis of FEAL - Biham, Shamir - 1991 |

1 | Modern Cryptology, volume 325 of Lecture Notes in Computer Science - Brassard - 1988 |

1 | Structure in the S-boxes of the DES - Purtill - 1987 |

1 | LOKI--A cryptographic primitive for authentication and secrecy applications - Pieprzyk, Seberry - 1990 |

1 | Also available at: citeseer.nj.nec.com/daemen92limitation.html. 8. Shimon Even and Yishay Mansour. A construction of a cipher from a single pseudorandom permutation. Journal of Cryptology, 10(3):151-161, Summer 1997. Also available at: citeseer.nj.nec.com/even91construction.html. - In Proceedings ASIACRYPT '91, volume 739 of Lecture Notes in Computer Science, et al. |