Learn More
We improve the best attack on Rijndael reduced to 6 rounds from complexity 2 to 2. We also present the first known attacks on 7and 8-round Rijndael. The attacks on 8-round Rijndael work for 192bit and 256-bit keys. Finally, we discuss the key schedule of Rijndael and describe a related-key attack that can break 9-round Rijndael with 256-bit keys.
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit S-boxes, a fixed 4-by-4 maximum distance separable matrix over GF(2), a pseudo-Hadamard transform, bitwise rotations, and a carefully designed key schedule. A fully(More)
In many real-world applications, sensitive information must be kept it log files on an untrusted machine. In the event that an attacker captures this machine, we would like to guarantee that he will gain little or no information from the log files and to limit his ability to corrupt the log files. We describe a computationally cheap method for making all(More)
In many real-world applications, sensitive information must be kept in log files on an untrusted machine. In the event that an attacker captures this machine, we would like to guarantee that he will gain little or no information from the log files and to limit his ability to corrupt the log files. We describe a computationally cheap method for making all(More)
We provide a second preimage attack on all n-bit iterated hash functions with Damgard-Merkle strengthening and n-bit intermediate states, allowing a second preimage to be found for a 2-messageblock message with about k× 2 + 2n−k+1 work. Using SHA1 as an example, our attack can find a second preimage for a 2 byte message in 2 work, rather than the previously(More)
In this paper, we develop a new attack on Damg̊ard-Merkle hash functions, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later “herd” any given starting part of a message to that hash value by the choice of an appropriate suffix. We introduce a new(More)
Helix is a high-speed stream cipher with a built-in MAC functionality. On a Pentium II CPU it is about twice as fast as Rijndael or Twofish, and comparable in speed to RC4. The overhead per encrypted/authenticated message is low, making it suitable for small messages. It is efficient in both hardware and software, and with some pre-computation can(More)
We expand a previous result of Dean [Dea99] to provide a second preimage attack on all n-bit iterated hash functions with Damg̊ardMerkle strengthening and n-bit intermediate states, allowing a second preimage to be found for a 2-message-block message with about k × 2n/2+1+2n−k+1 work. Using RIPEMD-160 as an example, our attack can find a second preimage for(More)
We present new attacks on key schedules of block ciphers. These attacks are based on the principles of related-key differential cryptanalysis: attacks that allow both keys and plaintexts to be chosen with specific differences. We show how these attacks can be exploited in actual protocols and cryptanalyze the key schedules of a variety of algorithms,(More)
Building on the work of Kocher [Koc96], we introduce the notion of side-channel cryptanalysis: cryptanalysis using implementation data. We discuss the notion of side-channel attacks and the vulnerabilities they introduce, demonstrate side-channel attacks against three product ciphers—timing attack against IDEA, processor-flag attack against RC5, and Hamming(More)