Fast Software Encryption

TheFastSoftwareEncryptionWorkshop1999isthesixthinaseriesofworkshops startinginCambridgeinDecember1993. TheworkshopwasorganizedbyGeneralChairWilliamWolfowicz,Fon- zioneU. Bordoni,andProgrammeChairLarsKnudsen,UniversityofBergen, Norway,incooperationwithSecurteam,asfaraslocalarrangementswerec- cerned. TheworkshopwasheldMarch24-26,1999inRome,Italy. Theworkshopconcentratedonallaspectsoffastsecretkeyciphers,inc- dingthedesignandcryptanalysisofblockandstreamciphers,aswellashash functions. Therewere51submissions,allofthemsubmittedelectronically. Ones- missionwaslaterwithdrawnbytheauthors,and22paperswereselectedfor presentation. Allsubmissionswerecarefullyreviewedbyatleast4committee members. Attheworkshop,preliminaryversionsofall22papersweredistri- tedtoallattendees. Aftertheworkshoptherewasa nalreviewingprocesswith additionalcommentstotheauthors. Ithasbeenachallengeformetochairthecommitteeofthisworkshop,andit isapleasuretothankallthemembersoftheprogrammecommitteefortheirhard work. Thecommitteethisyearconsistedof,inalphabeticorder,RossAnd- son(Cambridge,UK),EliBiham(Technion,Israel),DonCoppersmith(IBM, USA), Cunsheng Ding (Singapore), Dieter Gollmann (Microsoft, UK), James Massey (Denmark), Mitsuru Matsui (Mitsubishi, Japan), Bart Preneel (K. U. Leuven, Belgium), Bruce Schneier (Counterpane, USA), and Serge Vaudenay (ENS,France). ItisagreatpleasuretothankWilliamWolfowiczfororganisingtheworkshop. Also,itisapleasuretothankSecurteamforthelogisticsandTelsyandSunfor supportingtheconference. Finally,abigthankyoutoallsubmittingauthorsfor theircontributions,andtoallattendees(approximately165)oftheworkshop. Finally, I would like to thank Vincent Rijmen for his technical assistance in preparingtheseproceedings. April1999 LarsKnudsen TableofContents AdvancedEncryptionStandard ImprovedAnalysisofSomeSimpli edVariantsofRC6 . . . . . . . . . . . . . . . . . . . . . . . 1 S. Contini,R. L. Rivest,M. J. B. Robshaw,andY. L. Yin LinearCryptanalysisofRC5andRC6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 J. Borst,B. Preneel,andJ. Vandewalle ARevisedVersionofCRYPTON:CRYPTONV1. 0. . . . . . . . . . . . . . . . . . . . . . . . . 31 C. H. Lim AttackonSixRoundsofCRYPTON. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 C. D Halluin,G. Bijnens,V. Rijmen,andB. Preneel OntheSecurityofthe128-bitBlockCipherDEAL. . . . . . . . . . . . . . . . . . . . . . . . . 60 S. Lucks CryptanalysisofaReducedVersionoftheBlockCipherE2. . . . . . . . . . . . . . . . . 71 M. MatsuiandT. Tokita OntheDecorrelatedFastCipher(DFC)andItsTheory. . . . . . . . . . . . . . . . . . . . 81 L. R. KnudsenandV. Rijmen RemotelyKeyedEncryption ScrambleAll,EncryptSmall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 M. Jakobsson,J. P. Stern,andM. Yung AcceleratedRemotelyKeyedEncryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 S. Lucks AnalysisofBlockCiphersI MissintheMiddleAttacksonIDEAandKhufu. . . . . . . . . . . . . . . . . . . . . . . . . . . 124 E. Biham,A. Biryukov,andA. Shamir ModnCryptanalysis,withApplicationsagainstRC5PandM6. . . . . . . . . . . . 139 J. Kelsey,B. Schneier,andD. Wagner TheBoomerangAttack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 D. Wagner Miscellaneous TowardsMakingLuby-Racko CiphersOptimalandPractical . . . . . . . . . . . . . 171 S. Patel,Z. Ramzan,andG. S. Sundaram ANewCharacterizationofAlmostBentFunctions. . . . . . . . . . . . . . . . . . . . . . . . . 186 A. Canteaut,P. Charpin,andH. Dobbertin ImprimitivePermutationGroupsandTrapdoorsinIteratedBlockCiphers. 201 K. G. Paterson VIII TableofContents ModesofOperation OntheSecurityofDoubleand2-KeyTripleModesofOperation. . . . . . . . . . . 215 H. HandschuhandB. Preneel OntheConstructionofVariable-Input-LengthCiphers. . . . . . . . . . . . . . . . . . . . 231 M. BellareandP. Rogaway AnalysisofBlockCiphersII SlideAttacks.