The existence of Almost Perfect Non-linear (APN) permutations operating on an even number of bits has been a long-standing open question until Dillon et al., who work for the NSA, provided an example on 6 bits in 2009. In this paper, we apply methods intended to reverse-engineer S-Boxes with unknown structure to this permutation and find a simple…
NXP Semiconductors and its academic partners challenged the cryptographic community with finding practical attacks on the block cipher they designed, PRINCE. Instead of trying to attack as many rounds as possible using attacks which are usually impractical despite being faster than brute-force, the challenge invites cryptographers to find practical attacks and…
In this paper we introduce an open framework for the benchmarking of lightweight block ciphers on a multitude of embedded platforms. Our framework is able to evaluate execution time, RAM footprint, as well as (binary) code size, and allows a user to define a custom "figure of merit" according to which all evaluated candidates can be ranked. We used the…
S-Boxes are the key components of many cryptographic primitives and designing them to improve resilience to attacks such as linear or differential cryptanalysis is well understood. In this paper, we investigate techniques that can be used to reverse-engineer S-box design and illustrate those by studying the S-Box F of the Skipjack block cipher whose design…
TWINE is a recent lightweight block cipher based on a Feistel structure. We first present two new attacks on TWINE-128 reduced to 25 rounds that have a slightly higher overall complexity than the 25-round attack presented by Wang and Wu at ACISP 2014, but a lower data complexity. Then, we introduce alternative representations of both the round function of…
In this paper we introduce FELICS, a free and open-source benchmarking framework designed for fair and consistent evaluation of software implementations of lightweight cryptographic primitives for embedded devices. The framework is very flexible thanks to its modular structure, which allows for an easy integration of new metrics, target devices and…
Paper presented at WCC 2013, including some corrections. Abstract. We provide the differential spectra of differentially 6-uniform functions among the family of power functions $x \mapsto x^{2^t-1}$ defined in $\mathbb{F}_{2^n}$. We show that the functions $x \mapsto x^{2^t-1}$ when $t = \frac{n-1}{2}, \frac{n+3}{2}$ with odd $n$ and when $t = \frac{kn+1}{3}, \frac{(3-k)n+2}{3}$ with $kn \equiv 2 \bmod 3$ have differential spectra…
In this paper, we investigate the properties of iterative non-injective functions and the security of primitives where they are used. First, we introduce the Collision Probability Spectrum (CPS) parameter to quantify how far from a permutation a function is. In particular, we show that the output size decreases linearly with the number of iterations whereas…
The last hash function and block cipher standardized by the Russian standardization body (GOST) both use the same S-Box. It is also used by an independent CAESAR candidate. This transformation is only specified as a look up table and the reason behind its choice is unknown. We managed to reverse-engineer this S-Box and describe its unpublished structure.
Generic distinguishers against Feistel Network with up to 5 rounds exist in the regular setting and up to 6 rounds in a multi-key setting. We present new cryptanalyses against Feistel Networks with 5, 6 and 7 rounds which are not simply distinguishers but actually recover completely the unknown Feistel functions. When an exclusive-or is used to combine the…