Fast Software Encryption

TheFastSoftwareEncryptionWorkshop1999isthesixthinaseriesofworkshops startinginCambridgeinDecember1993. TheworkshopwasorganizedbyGeneralChairWilliamWolfowicz,Fon- zioneU. Bordoni,andProgrammeChairLarsKnudsen,UniversityofBergen, Norway,incooperationwithSecurteam,asfaraslocalarrangementswerec- cerned. TheworkshopwasheldMarch24-26,1999inRome,Italy. Theworkshopconcentratedonallaspectsoffastsecretkeyciphers,inc- dingthedesignandcryptanalysisofblockandstreamciphers,aswellashash functions. Therewere51submissions,allofthemsubmittedelectronically. Ones- missionwaslaterwithdrawnbytheauthors,and22paperswereselectedfor presentation. Allsubmissionswerecarefullyreviewedbyatleast4committee members. Attheworkshop,preliminaryversionsofall22papersweredistri- tedtoallattendees. Aftertheworkshoptherewasa nalreviewingprocesswith additionalcommentstotheauthors. Ithasbeenachallengeformetochairthecommitteeofthisworkshop,andit isapleasuretothankallthemembersoftheprogrammecommitteefortheirhard work. Thecommitteethisyearconsistedof,inalphabeticorder,RossAnd- son(Cambridge,UK),EliBiham(Technion,Israel),DonCoppersmith(IBM, USA), Cunsheng Ding (Singapore), Dieter Gollmann (Microsoft, UK), James Massey (Denmark), Mitsuru Matsui (Mitsubishi, Japan), Bart Preneel (K. U. Leuven, Belgium), Bruce Schneier (Counterpane, USA), and Serge Vaudenay (ENS,France). ItisagreatpleasuretothankWilliamWolfowiczfororganisingtheworkshop. Also,itisapleasuretothankSecurteamforthelogisticsandTelsyandSunfor supportingtheconference. Finally,abigthankyoutoallsubmittingauthorsfor theircontributions,andtoallattendees(approximately165)oftheworkshop. Finally, I would like to thank Vincent Rijmen for his technical assistance in preparingtheseproceedings. April1999 LarsKnudsen TableofContents AdvancedEncryptionStandard ImprovedAnalysisofSomeSimpli edVariantsofRC6 . . . . . . . . . . . . . . . . . . . . . . . 1 S. Contini,R. L. Rivest,M. J. B. Robshaw,andY. L. Yin LinearCryptanalysisofRC5andRC6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 J. Borst,B. Preneel,andJ. Vandewalle ARevisedVersionofCRYPTON:CRYPTONV1. 0. . . . . . . . . . . . . . . . . . . . . . . . . 31 C. H. Lim AttackonSixRoundsofCRYPTON. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 C. D’Halluin,G. Bijnens,V. Rijmen,andB. Preneel OntheSecurityofthe128-bitBlockCipherDEAL. . . . . . . . . . . . . . . . . . . . . . . . . 60 S. Lucks CryptanalysisofaReducedVersionoftheBlockCipherE2. . . . . . . . . . . . . . . . . 71 M. MatsuiandT. Tokita OntheDecorrelatedFastCipher(DFC)andItsTheory. . . . . . . . . . . . . . . . . . . . 81 L. R. KnudsenandV. Rijmen RemotelyKeyedEncryption ScrambleAll,EncryptSmall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 M. Jakobsson,J. P. Stern,andM. Yung AcceleratedRemotelyKeyedEncryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 S. Lucks AnalysisofBlockCiphersI MissintheMiddleAttacksonIDEAandKhufu. . . . . . . . . . . . . . . . . . . . . . . . . . . 124 E. Biham,A. Biryukov,andA. Shamir ModnCryptanalysis,withApplicationsagainstRC5PandM6. . . . . . . . . . . . 139 J. Kelsey,B. Schneier,andD. Wagner TheBoomerangAttack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 D. Wagner Miscellaneous TowardsMakingLuby-Racko CiphersOptimalandPractical . . . . . . . . . . . . . 171 S. Patel,Z. Ramzan,andG. S. Sundaram ANewCharacterizationofAlmostBentFunctions. . . . . . . . . . . . . . . . . . . . . . . . . 186 A. Canteaut,P. Charpin,andH. Dobbertin ImprimitivePermutationGroupsandTrapdoorsinIteratedBlockCiphers. 201 K. G. Paterson VIII TableofContents ModesofOperation OntheSecurityofDoubleand2-KeyTripleModesofOperation. . . . . . . . . . . 215 H. HandschuhandB. Preneel OntheConstructionofVariable-Input-LengthCiphers. . . . . . . . . . . . . . . . . . . . 231 M. BellareandP. Rogaway AnalysisofBlockCiphersII SlideAttacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245 A. BiryukovandD. Wagner OntheSecurityofCS-Cipher. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 S. Vaudenay InterpolationAttacksoftheBlockCipher:SNAKE. . . . . . . . . . . . . . . . . . . . . . . . 275 S. Moriai,T. Shimoyama,andT. Kaneko StreamCiphers High-SpeedPseudorandomNumberGenerationwithSmallMemory. . . . . . . 290 W. Aiello,S. Rajagopalan,andR. Venkatesan SOBERCryptanalysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 D. BleichenbacherandS. Patel AuthorIndex. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317 ImprovedAnalysisof SomeSimpli edVariantsofRC6 1 2 1 1 ScottContini ,RonaldL. Rivest ,M. J. B. Robshaw ,andYiqunLisaYin 1 RSALaboratories,2955CampusDrive SanMateo,CA94403,USA fscontini,matt,yiqung@rsa. com 2 M. I. T. LaboratoryforComputerScience,545TechnologySquare Cambridge,MA02139,USA rivest@theory. lcs. mit.