In this paper, we consider how an unknown constant within a state update function or output function a ects biases of linear approximations. This allows us to obtain information from an unknown constant within a T-function. We use this knowledge for mounting an attack against stream cipher SOBER-128 where we gain information from the key dependent secret constant using multiple linear approxima...

In late 2012 and early 2013 the discrete logarithm problem (DLP) in finite fields of small characteristic underwent a dramatic series of breakthroughs, culminating in a heuristic quasipolynomial time algorithm, due to Barbulescu, Gaudry, Joux and Thomé. Using these developments, Adj, Menezes, Oliveira and Rodŕıguez-Henŕıquez analysed the concrete security of the DLP, as it arises from pairings ...

Status of this Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. The IP, UDP, and TCP MIB modules currentl...

This paper investigates pairs of AES-128 cipher keys and plaintexts which result in being “quiet” in the final round, i.e., whose 128-bit State holds the same bit pattern before and after Round 10. We show that the number of such quiet plaintexts (resulting in Hamming distance 0) for any cipher key is at most 5,914,624, and that there exist exactly 729 cipher keys having such a maximum number. ...

In this letter we demonstrate a fast correlation attack on the recently proposed stream cipher LILI-128. The attack has complexity around 2 bit operations assuming a received sequence of length around 2 bits and a precomputation phase of complexity 2 table lookups. This complexity is significantly lower than 2, which was conjectured by the inventors of LILI-128 to be a lower bound on the comple...

The Chaskey MAC algorithm was presented by Mouha et al. at SAC 2014. It is designed for real-world applications where 128-bit keys are required, but standard cryptographic algorithms cannot be implemented because of stringent requirements on speed, energy consumption, or code size. Shortly after its publication, Chaskey was considered for standardization by ISO/IEC JTC 1/SC 27/WG 2. At the Octo...

CCM is a conventional authenticated-encryption scheme obtained from a 128-bit block cipher. The mechanism has been adopted as the mandatory encryption algorithm in an IEEE 802.11 draft stan­ dard [15], and its use has been proposed more broadly [16, 17]. In this note we point out a number of limitations of CCM. A related note provides an alternative to CCM [5].

Status of this Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. The IP, UDP, and TCP MIB modules currentl...

In this paper, we demonstrate that the linear hull eeect is signiicant for the Q cipher. The designer of Q performs preliminary linear cryptanalysis by discussing linear characteristics involving only a single active bit at each stage 13]. We present a simple algorithm which combines all such linear characteristics with identical rst and last masks into a linear hull. The expected linear probab...