Lars R. Knudsen
Technical University of Denmark
Publication
Featured research published by Lars R. Knudsen.
fast software encryption | 1997
Joan Daemen; Lars R. Knudsen; Vincent Rijmen
In this paper we present a new 128-bit block cipher called Square. The original design of Square concentrates on the resistance against differential and linear cryptanalysis. However, after the initial design a dedicated attack was mounted that forced us to augment the number of rounds. The goal of this paper is the publication of the resulting cipher for public scrutiny. A C implementation of Square is available that runs at 2.63 MByte/s on a 100 MHz Pentium. Our M68HC05 Smart Card implementation fits in 547 bytes and takes less than 2 msec. (4 MHz Clock). The high degree of parallelism allows hardware implementations in the Gbit/s range today.
fast software encryption | 1994
Lars R. Knudsen
In [6] higher order derivatives of discrete functions were considered and the concept of higher order differentials was introduced. We introduce the concept of truncated differentials and present attacks on ciphers presumably secure against differential attacks, but vulnerable to attacks using higher order and truncated differentials. Also we give a differential attack using truncated differentials on DES reduced to 6 rounds using only 46 chosen plaintexts with an expected running time of about the time of 3,500 encryptions. Finally it is shown how to find a minimum nonlinear order of a block cipher using higher order differentials.
international conference on the theory and application of cryptology and information security | 2012
Julia Borghoff; Anne Canteaut; Tim Güneysu; Elif Bilge Kavun; Miroslav Knezevic; Lars R. Knudsen; Gregor Leander; Ventzislav Nikov; Christof Paar; Christian Rechberger; Peter Maria Franciscus Rombouts; Søren S. Thomsen; Tolga Yalcin
This paper presents a block cipher that is optimized with respect to latency when implemented in hardware. Such ciphers are desirable for many future pervasive applications with real-time security needs. Our cipher, named PRINCE, allows encryption of data within one clock cycle with a very competitive chip area compared to known solutions. The fully unrolled fashion in which such algorithms need to be implemented calls for innovative design choices. The number of rounds must be moderate and rounds must have short delays in hardware. At the same time, the traditional need that a cipher has to be iterative with very similar round functions disappears, an observation that increases the design space for the algorithm. An important further requirement is that realizing decryption and encryption results in minimum additional costs. PRINCE is designed in such a way that the overhead for decryption on top of encryption is negligible. More precisely for our cipher it holds that decryption for one key corresponds to encryption with a related key. This property we refer to as α-reflection is of independent interest and we prove its soundness against generic attacks.
fast software encryption | 1997
Thomas Jakobsen; Lars R. Knudsen
In this paper we introduce a new method of attacks on block ciphers, the interpolation attack. This new method is useful for attacking ciphers using simple algebraic functions (in particular quadratic functions) as S-boxes. Also, ciphers of low non-linear order are vulnerable to attacks based on higher order differentials. Recently, Knudsen and Nyberg presented a 6-round prototype cipher which is provably secure against ordinary differential cryptanalysis. We show how to attack the cipher by using higher order differentials and a variant of the cipher by the interpolation attack. It is possible to successfully cryptanalyse up to 32 rounds of the variant using about $2^{32}$ chosen plaintexts with a running time less than $2^{64}$. Using higher order differentials, a new design concept for block ciphers by Kiefer is also shown to be insecure. Rijmen et al. presented a design strategy for block ciphers and the cipher SHARK. We show that there exist ciphers constructed according to this design strategy which can be broken faster than claimed. In particular, we cryptanalyse 5 rounds of a variant of SHARK, which deviates only slightly from the proposed SHARK.
cryptographic hardware and embedded systems | 2010
Lars R. Knudsen; Gregor Leander; Axel Poschmann; Matthew J. B. Robshaw
In this paper we consider some cryptographic implications of integrated circuit (IC) printing. While still in its infancy, IC-printing allows the production and personalisation of circuits at very low cost. In this paper we present two block ciphers PRINTcipher-48 and PRINTcipher-96 that are designed to exploit the properties of IC-printing technology and we further extend recent advances in lightweight block cipher design.
Journal of Cryptology | 1995
Kaisa Nyberg; Lars R. Knudsen
The purpose of this paper is to show that DES-like iterated ciphers that are provably resistant against differential attacks exist. The main result on the security of a DES-like cipher with independent round keys is Theorem 1, which gives an upper bound to the probability of s-round differentials, as defined in [4], and this upper bound depends only on the round function of the iterated cipher. Moreover, it is shown that functions exist such that the probabilities of differentials are less than or equal to $2^{3-n}$, where n is the length of the plaintext block. We also show a prototype of an iterated block cipher, which is compatible with DES and has proven security against differential attack.
international cryptology conference | 1992
Kaisa Nyberg; Lars R. Knudsen
The purpose of this paper is to show that there exist DES-like iterated ciphers, which are provably resistant against differential attacks. The main result on the security of a DES-like cipher with independent round keys is Theorem 1, which gives an upper bound to the probability of r-round differentials, as defined in [3] and this upper bound depends only on the round function of the iterated cipher. Moreover, it is shown that there exist functions such that the probabilities of differentials are less than or equal to $2^{2-n}$ where n is the length of the plaintext block. We also show a prototype of an iterated block cipher, which is compatible with DES and has proven security against differential attacks.
theory and application of cryptographic techniques | 1996
Lars R. Knudsen; Matthew J. B. Robshaw
By considering the role of non-linear approximations in linear cryptanalysis we obtain a generalization of Matsui's linear cryptanalytic techniques. This approach allows the cryptanalyst greater flexibility in mounting a linear cryptanalytic attack and we demonstrate the effectiveness of our non-linear techniques with some simple attacks on LOKI91. These attacks potentially allow for the recovery of seven additional bits of key information with less than 1/4 of the plaintext that is required using current linear cryptanalytic methods.
European Journal of Cardio-Thoracic Surgery | 1997
Hasenkam Jm; Hans Henrik Kimose; Lars R. Knudsen; H. Grønnesby; J. Halborg; Thomas Decker Christensen; Jørn Attermann; Hans K. Pilegaard
OBJECTIVE: Patients with mechanical heart valves require lifelong oral anticoagulant treatment which entails frequent blood sampling and dosage adjustment. The purpose of this study was to investigate the feasibility of letting heart valve operated patients manage blood specimen analysis and dosage adjustment themselves. METHODS: A total of 21 patients were enrolled in the study and followed for at least 9 months postoperatively. Immediately after the heart valve operation they were trained in operating a CoaguChek international normal ratio (INR) monitor to analyze capillary whole blood samples. Subsequently training in dosage adjustment was accomplished and all patients were considered fully capable of self management after 30 weeks. In the training period, parallel laboratory INR measurements were made at 3-4 week intervals for reference. A control group of 20 patients was matched, respectively, to the study group. The INR target range was 2.0-3.0. RESULTS: Out of the 21 study patients 19 continued self management beyond 9 months. The median INR value obtained with the monitor was within therapeutic target range for all study patients and only 15 out of 20 control patients were within this range. The mean systematic deviation between laboratory and CoaguChek INR was 7.8% but each patient had a constant characteristic deviation from -11 to +21%. The study patients were within therapeutic target range 77% of the time compared with 53% for the control patients. CONCLUSIONS: Self management of oral anticoagulation is feasible for selected patients and constitutes a significant service improvement compared with conventional management. The CoaguChek monitor seems sufficiently accurate and reliable for self testing and the treatment quality is comparable or even better than conventional management. Assessment of the rate of bleeding and thrombo-embolic events shall be settled in studies comprising larger number of patients.
international cryptology conference | 2001
Mihir Bellare; Alexandra Boldyreva; Lars R. Knudsen; Chanathip Namprempre
We initiate a study of on-line ciphers. These are ciphers that can take input plaintexts of large and varying lengths and will output the ith block of the ciphertext after having processed only the first i blocks of the plaintext. Such ciphers permit length-preserving encryption of a data stream with only a single pass through the data. We provide security definitions for this primitive and study its basic properties. We then provide attacks on some possible candidates, including CBC with fixed IV. Finally we provide a construction called HCBC which is based on a given block cipher E and a family of AXU functions. HCBC is proven secure against chosen-plaintext attacks assuming that E is a PRP secure against chosen-plaintext attacks.