Publication


Featured research published by Vincent Rijmen.


Archive | 2002

The Design of Rijndael

Joan Daemen; Vincent Rijmen

From the Publisher: In October 2000, the US National Institute of Standards and Technology selected the block cipher Rijndael as the Advanced Encryption Standard (AES). AES is expected to gradually replace the present Data Encryption Standard (DES) as the most widely applied data encryption technology.

This book by the designers of the block cipher presents Rijndael from scratch. The underlying mathematics and the wide trail strategy as the basic design idea are explained in detail and the basics of differential and linear cryptanalysis are reworked. Subsequent chapters review all known attacks against the Rijndael structure and deal with implementation and optimization issues. Finally, other ciphers related to Rijndael are presented.

This volume is THE authoritative guide to the Rijndael algorithm and AES. Professionals, researchers, and students active or interested in data encryption will find it a valuable source of information and reference.


fast software encryption | 1997

The Block Cipher Square

Joan Daemen; Lars R. Knudsen; Vincent Rijmen

In this paper we present a new 128-bit block cipher called Square. The original design of Square concentrates on the resistance against differential and linear cryptanalysis. However, after the initial design a dedicated attack was mounted that forced us to augment the number of rounds. The goal of this paper is the publication of the resulting cipher for public scrutiny. A C implementation of Square is available that runs at 2.63 MByte/s on a 100 MHz Pentium. Our M68HC05 Smart Card implementation fits in 547 bytes and takes less than 2 msec. (4 MHz Clock). The high degree of parallelism allows hardware implementations in the Gbit/s range today.


smart card research and advanced application conference | 1998

The Block Cipher Rijndael

Joan Daemen; Vincent Rijmen

In this paper we present the block cipher Rijndael, which is one of the fifteen candidate algorithms for the Advanced Encryption Standard (AES). We show that the cipher can be implemented very efficiently on Smart Cards.


fast software encryption | 2005

A side-channel analysis resistant description of the AES s-box

Elisabeth Oswald; Stefan Mangard; Norbert Pramstaller; Vincent Rijmen

So far, efficient algorithmic countermeasures to secure the AES algorithm against (first-order) differential side-channel attacks have been very expensive to implement. In this article, we introduce a new masking countermeasure which is not only secure against first-order side-channel attacks, but which also leads to relatively small implementations compared to other masking schemes implemented in dedicated hardware. Our approach is based on shifting the computation of the finite field inversion in the AES S-box down to GF(4). In this field, the inversion is a linear operation and therefore it is easy to mask. Summarizing, the new masking scheme combines the concepts of multiplicative and additive masking in such a way that security against first-order side-channel attacks is maintained, and that small implementations in dedicated hardware can be achieved.


Archive | 2008

Progress in Cryptology - INDOCRYPT 2008

Dipanwita Roy Chowdhury; Vincent Rijmen; Abhijit Das

Stream Ciphers.- Slid Pairs in Salsa20 and Trivium.- New Directions in Cryptanalysis of Self-Synchronizing Stream Ciphers.- Analysis of RC4 and Proposal of Additional Layers for Better Security Margin.- New Results on the Key Scheduling Algorithm of RC4.- Cryptographic Hash Functions.- Two Attacks on RadioGatun.- Faster Multicollisions.- A New Type of 2-Block Collisions in MD5.- New Collision Attacks against Up to 24-Step SHA-2.- Public-Key Cryptography - I.- Secure Hierarchical Identity Based Encryption Scheme in the Standard Model.- A Fuzzy ID-Based Encryption Efficient When Error Rate Is Low.- Type-Based Proxy Re-encryption and Its Construction.- Toward a Generic Construction of Universally Convertible Undeniable Signatures from Pairing-Based Signatures.- Security Protocols.- Concrete Security for Entity Recognition: The Jane Doe Protocol.- Efficient and Strongly Secure Password-Based Server Aided Key Exchange (Extended Abstract).- Round Efficient Unconditionally Secure Multiparty Computation Protocol.- A New Anonymous Password-Based Authenticated Key Exchange Protocol.- Group Key Management: From a Non-hierarchical to a Hierarchical Structure.- Hardware Attacks.- Scan Based Side Channel Attacks on Stream Ciphers and Their Counter-Measures.- Floating Fault Analysis of Trivium.- Algebraic Methods in Side-Channel Collision Attacks and Practical Collision Detection.- Block Ciphers.- New Related-Key Boomerang Attacks on AES.- New Impossible Differential Attacks on AES.- Reflection Cryptanalysis of Some Ciphers.- A Differential-Linear Attack on 12-Round Serpent.- New AES Software Speed Records.- Public-Key Cryptography - II.- A New Class of Weak Encryption Exponents in RSA.- Two New Efficient CCA-Secure Online Ciphers: MHCBC and MCBC.- Cryptographic Hardware.- Chai-Tea, Cryptographic Hardware Implementations of xTEA.- High Speed Compact Elliptic Curve Cryptoprocessor for FPGA Platforms.- Elliptic Curve Cryptography.- More Discriminants with the Brezing-Weng Method.- 
Another Approach to Pairing Computation in Edwards Coordinates.- Threshold Cryptography.- A Verifiable Secret Sharing Scheme Based on the Chinese Remainder Theorem.- Secure Threshold Multi Authority Attribute Based Encryption without a Central Authority.


Journal of Cryptology | 2011

Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches

Svetla Nikova; Vincent Rijmen; Martin Schläffer

Hardware implementations of cryptographic algorithms are vulnerable to side-channel attacks. Side-channel attacks that are based on multiple measurements of the same operation can be countered by employing masking techniques. Many protection measures depart from an idealized hardware model that is very expensive to meet with real hardware. In particular, the presence of glitches causes many masking techniques to leak information during the computation of nonlinear functions. We discuss a recently introduced masking method which is based on secret sharing and multi-party computation methods. The approach results in implementations that are provably resistant against a wide range of attacks, while making only minimal assumptions on the hardware. We show how to use this method to derive secure implementations of some nonlinear building blocks for cryptographic algorithms. Finally, we provide a provable secure implementation of the block cipher Noekeon and verify the results by means of low-level simulations.


the cryptographers track at the rsa conference | 2005

Update on SHA-1

Vincent Rijmen; Elisabeth Oswald

We report on the experiments we performed in order to assess the security of SHA-1 against the attack by Chabaud and Joux [5]. We present some ideas for optimizations of the attack and some properties of the message expansion routine. Finally, we show that for a reduced version of SHA-1, with 53 rounds instead of 80, it is possible to find collisions in less than 2^80 operations.


Lecture Notes in Computer Science | 2001

The Wide Trail Design Strategy

Joan Daemen; Vincent Rijmen

We explain the theoretical background of the wide trail design strategy, which was used to design Rijndael, the Advanced Encryption Standard (AES). In order to facilitate the discussion, we introduce our own notation to describe differential and linear cryptanalysis. We present a block cipher structure and prove bounds on the resistance against differential and linear cryptanalysis.


Science in China Series F: Information Sciences | 2015

RECTANGLE: a bit-slice lightweight block cipher suitable for multiple platforms

Wentao Zhang; Zhenzhen Bao; Dongdai Lin; Vincent Rijmen; Bohan Yang; Ingrid Verbauwhede

In this paper, we propose a new lightweight block cipher named RECTANGLE. The main idea of the design of RECTANGLE is to allow lightweight and fast implementations using bit-slice techniques. RECTANGLE uses an SP-network. The substitution layer consists of 16 4×4 S-boxes in parallel. The permutation layer is composed of 3 rotations. As shown in this paper, RECTANGLE offers great performance in both hardware and software environment, which provides enough flexibility for different application scenario. The following are 3 main advantages of RECTANGLE. First, RECTANGLE is extremely hardware-friendly. For the 80-bit key version, a one-cycle-per-round parallel implementation only needs 1600 gates for a throughput of 246 Kbits/s at 100 kHz clock and an energy efficiency of 3.0 pJ/bit. Second, RECTANGLE achieves a very competitive software speed among the existing lightweight block ciphers due to its bit-slice style. Using 128-bit SSE instructions, a bit-slice implementation of RECTANGLE reaches an average encryption speed of about 3.9 cycles/byte for messages around 3000 bytes. Last but not least, we propose new design criteria for the RECTANGLE S-box. Due to our careful selection of the S-box and the asymmetric design of the permutation layer, RECTANGLE achieves a very good security-performance tradeoff. Our extensive and deep security analysis shows that the highest number of rounds that we can attack, is 18 (out of 25).

Summary of innovations: This paper proposes a new lightweight block cipher, RECTANGLE. RECTANGLE has the following 4 characteristics: (1) it has a good security margin against mathematical attacks; (2) it is easy to protect against side-channel attacks; (3) its design is based on bit-slice techniques and has good hardware and software implementations; (4) we make the design criteria of RECTANGLE public. For the selection of the RECTANGLE S-box, we propose new design criteria; the design of the RECTANGLE P permutation is also critical: it consists of only 3 rotations and is suitable for both hardware and software implementation; the combination of the RECTANGLE S-box and P permutation gives the overall cipher very weak clustering of differential/linear trails, so that RECTANGLE achieves a good tradeoff between security and implementation efficiency.


international conference on the theory and application of cryptology and information security | 2014

Higher-Order Threshold Implementations

Begül Bilgin; Benedikt Gierlichs; Svetla Nikova; Ventzislav Nikov; Vincent Rijmen

Higher-order differential power analysis attacks are a serious threat for cryptographic hardware implementations. In particular, glitches in the circuit make it hard to protect the implementation with masking. The existing higher-order masking countermeasures that guarantee security in the presence of glitches use multi-party computation techniques and require a lot of resources in terms of circuit area and randomness. The Threshold Implementation method is also based on multi-party computation but it is more area and randomness efficient. Moreover, it typically requires less clock-cycles since all parties can operate simultaneously. However, so far it is only provable secure against 1st-order DPA. We address this gap and extend the Threshold Implementation technique to higher orders. We define generic constructions and prove their security. To illustrate the approach, we provide 1st, 2nd and 3rd-order DPA-resistant implementations of the block cipher KATAN-32. Our analysis of 300 million power traces measured from an FPGA implementation supports the security proofs.

Collaboration


Dive into Vincent Rijmen's collaboration.

Top Co-Authors

Bart Preneel

Katholieke Universiteit Leuven

Svetla Nikova

Katholieke Universiteit Leuven

Florian Mendel

Graz University of Technology

Christian Rechberger

Graz University of Technology

Norbert Pramstaller

Graz University of Technology

Lars R. Knudsen

Technical University of Denmark

Begül Bilgin

Katholieke Universiteit Leuven

Kerem Varici

Katholieke Universiteit Leuven
