Stafford E Tavares
- Ph.D., McGill University
- Professor Emeritus at Queen's University
About
- Publications: 106
- Reads: 21,608
- Citations: 3,179
Introduction
Current institution
Additional affiliations
September 1964 - September 1970
September 2000 - December 2020
September 1970 - June 2000

Independent Researcher
Position
- Professor (Full)
Education
September 1966 - October 1968
September 1963 - June 1964
September 1958 - May 1962
Publications (106)
Several recently proposed block ciphers such as AES, Camellia, Shark, Square and Hierocrypt use s-boxes that are based on the inversion mapping over GF(2^n). In order to hide the simple algebraic structure in this mapping, an affine transformation over F_2 is usually used after the output of the s-box. In some ciphers, an additional affine transforma...
It is argued that a boolean function f: Z_2^n → Z_2^m is resistant to statistical analysis if there is no significant static and dynamic leakage between its inputs and outputs. In this paper, we derive expressions for the expected value of the information leakage of randomly selected boolean functions and for the interesting cases of randomly selecte...
In this paper, we present a Petri net based methodology for the formal modelling and analysis of cryptographic protocols. We set up modelling rules that represent the protocols in terms of Petri nets. The modelling produces formal descriptions for the protocols with good visibility and layered abstraction. In particular, the descriptions clearly vi...
Most stream ciphers in the literature have been designed based on linear feedback shift registers, but most of these have been attacked. This paper examines the security of a family of stream ciphers called cascade stream ciphers (CSCs) and proposes two improved versions. A cascade stream cipher consists of a number of small RC4 cells that are casc...
In this paper, we show that all the coordinate functions of the advanced encryption standard (AES) round function are equivalent under an affine transformation of the input. We also show that such affine relations will always exist if the AES S-box is replaced by any bijective monomial over GF(2^8).
In this paper, we investigate the use of decision trees as a measure of the cryptographic strength of Boolean functions. In particular, we consider the univariate decision trees and the multivariate linear decision trees. Trees with bounded errors are also considered. We also introduce the concept of the entropy profile of Boolean functions. Experi...
This report presents the results from the completed computation of an algorithm introduced by the authors in (11) for evaluating the provable security of the AES (Rijndael) against linear cryptanalysis. This algorithm, later named KMT2, can in fact be applied to any SPN (8). Preliminary results in (11) were based on 43% of total computation,...
In this paper, cryptanalysis is performed on the GST stream cipher, a cipher which uses cascaded 2-bit s-boxes. The results indicate that the output probabilities for single outputs, digraphs, and trigraphs asymptotically approach those of a random sequence generator. The cipher output was also subjected to a number of statistical tests for random...
We show that the Fast Encryption Algorithm for Multimedia (FEA-M) proposed by Yi et al. (IEEE Trans. Consumer Electronics, vol.47, no.1, p.101-7, 2001) is insecure. In particular, we present a simple attack that reduces the complexity of obtaining both the session key and the master key to solving a set of linear equations. The low complexity of th...
A block cipher, which is an important cryptographic primitive, is a bijective mapping from {0,1}^N to {0,1}^N (N is called the block size), parameterized by a key. In the true random cipher, each key results in a distinct mapping, and every mapping is realized by some key; this is generally taken to be the ideal cipher model. This chapter considers a...
In this paper, we show that all the coordinate functions of the Advanced Encryption Standard (AES) round function are equivalent under an affine transformation of the input to the round function. In other words, let f_i and f_j be any two distinct output coordinates of the AES round function, then there exists a nonsingular matrix A_ji over GF(2) s...
In [15], Keliher et al. present a new method for upper bounding the maximum average linear hull probability (MALHP) for SPNs, a value which is required to make claims about provable security against linear cryptanalysis. Application of this method to Rijndael (AES) yields an upper bound of UB = 2^-75 when 7 or more rounds are approximated, correspon...
In this paper, we demonstrate that the linear hull effect is significant for the Q cipher. The designer of Q performs preliminary linear cryptanalysis by discussing linear characteristics involving only a single active bit at each stage [13]. We present a simple algorithm which combines all such linear characteristics with identical first and last...
In this paper we present a model for the bias values associated with linear characteristics of substitution-permutation networks (SPN's). The first iteration of the model is based on our observation that for sufficiently large s-boxes, the best linear characteristic usually involves one active s-box per round. We obtain a result which allows us to...
We present a new algorithm for upper bounding the maximum average linear hull probability for SPNs, a value required to determine provable security against linear cryptanalysis. The best previous result (Hong et al. [9]) applies only when the linear transformation branch number (B) is M or (M + 1) (maximal case), where M is the number of s-boxes pe...
Many stream cipher designs based on linear feedback shift registers (LFSRs) with non-linear combining functions are susceptible to various versions of the correlation attack. In this paper we propose a new model for stream ciphers which does not make use of LFSRs. Instead, our stream ciphers are based on a cascade of small substitution boxes (s-box...
Block ciphers are an important class of cryptographic algorithms, often used for the efficient encryption of large volumes of information. They can serve as cryptographic primitives in larger security frameworks, for example, the systems used to conduct secure e-commerce over the Internet. A block cipher is a bijective mapping from N bits to N bits...
In this paper we present a model for the bias values associated with linear characteristics of substitution-permutation networks (SPN's). The first iteration of the model is based on our observation that for sufficiently large s-boxes, the best linear characteristic usually involves one active s-box per round. We obtain a result which allows us to...
We examine the cryptographic security of the CAST-256 symmetric block encryption algorithm. The CAST-256 cipher has been proposed as a candidate for the Advanced Encryption Standard currently under consideration by the U.S. National Institute of Standards and Technology (NIST). It has been designed for a 128-bit block size and variable key sizes of...
This paper investigates some security properties of basic substitution-permutation encryption networks (SPNs) by studying the nonlinearity distribution and the XOR table distribution. Based on the idea that mixing small weak transformations results in a large strong cipher, we provide some evidence which shows that a basic SPN converges to a random...
This paper investigates some security properties of basic substitution-permutation encryption networks (SPNs) by studying the nonlinearity distribution and the XOR table distribution. Based on the idea that mixing small weak transformations results in a large strong cipher, we provide some evidence which shows that a basic SPN converges to a random...
RC4, a stream cipher designed by Rivest for RSA Data Security Inc., has found several commercial applications, but little public analysis has been done to date. In this paper, alleged RC4 (hereafter called RC4) is described and existing analysis outlined. The properties of RC4, and in particular its cycle structure, are discussed. Several variants...
We introduce a practical differential-like attack on a class of substitution-permutation networks (SPN). Our attack is effective regardless of the key-scheduling algorithm and more efficient than classical differential cryptanalysis. In addition, it is shown that 64-bit SPNs with 8×8 s-boxes are resistant to our attack after 12 rounds.
The authors show that breaking the key agreement scheme proposed by Dawson and Wu [1997] is equivalent to solving a set of linear equations, hence it is insecure.
Linear cryptanalysis and differential cryptanalysis are two recently introduced, powerful methodologies for attacking private-key block ciphers. In this paper, we examine the application of these two cryptanalysis techniques to a CAST-like encryption algorithm. It is shown that, when randomly generated substitution boxes (s-boxes) are used in a CAS...
In this paper we study the security of Substitution Permutation Encryption Networks (SPNs) with randomly selected bijective substitution boxes and a randomly selected invertible linear transformation layer. In particular, our results show that for such a 64-bit SPN using 8×8 s-boxes, the number of s-boxes involved in any 2 rounds of a linear app...
We present two methods for constructing highly nonlinear injective S-boxes. Both of these methods, which are based on exponential sums, outperform previously proposed methods. In particular, we are able to obtain injective 8×32 S-boxes with nonlinearity equal to 80 and maximum XOR table entry of 2. We also reevaluate the resistance of the CAST like...
We present a novel method to analyze cryptographic protocols using coloured Petri nets. This method employs the matrix description for coloured Petri nets. We use this method to analyze a wireless protocol proposed by A. Aziz and W. Diffie (1994), and identify an ambiguity that should be resolved.
Koyama and Terada (1991) proposed a family of cryptographic functions for application to symmetric block ciphers. The authors show that this family of circuits is affine over GF(2). More explicitly, for any specific key K, the ciphertext Y is related to the plaintext X by the simple affine relation Y = M_K X ⊕ d_K where M_K...
In this paper we present asymptotic expressions for the number of functions satisfying the Strict Avalanche Criterion (SAC) with respect to one and two variables, previously developed by O'Connor. Cusick recently gave a conjecture for a lower bound on the number of functions satisfying the SAC. Here, we give a constructive proof for this conjectu...
The Strict Avalanche Criterion (SAC) was introduced by Webster and Tavares (1995) in a study of design criteria for certain cryptographic functions. O'Connor (1994) gave an upper bound for the number of functions satisfying the SAC. Cusick (1996) gave a lower bound for the number of functions satisfying the SAC. He also gave a conjecture that provi...
We study slotted ALOHA multiple access when a satellite contains an on-board antenna array to attenuate interference. This leads to a capture phenomenon in slotted ALOHA that is provided by the adaptive array. As expected, and as earlier reported in the literature, the adaptive array can improve system throughput. We find that it also improves syst...
This paper presents a novel cryptanalysis of Substitution-Permutation Networks using a chosen plaintext approach. The attack is based on the highly probable occurrence of key-dependent degeneracies within the network and is applicable regardless of the method of S-box keying. It is shown that a large number of rounds is required before a network is...
Nonlinearity is a crucial requirement for the substitution boxes in secure block ciphers. The authors derive an estimate for the expected nonlinearity of a randomly selected injective substitution box.
In this letter, we study the marginal density of the XOR distribution table, and the linear approximation table entries of regular substitution boxes (s-boxes). Based on this, we show that the fraction of good s-boxes (with regard to immunity against linear and differential cryptanalysis) increases dramatically with the number of input variables....
This paper develops analytical models for the avalanche characteristics of a class of block ciphers usually referred to as substitution-permutation encryption networks or SPNs. An SPN is considered to display good avalanche characteristics if a one bit change in the plaintext input is expected to result in close to half the ciphertext output bits c...
The cryptanalysis of a class of block ciphers referred to as substitution-permutation networks (SPNs) is examined. Specifically, a novel attack applicable to tree-structured SPNs is presented. Since it uses a known plaintext approach, the attack is preferable to previously outlined chosen plaintext attacks. It is also shown that the attack is appli...
We describe an efficient design methodology for the s-boxes of DES-like cryptosystems. Our design guarantees that the resulting s-boxes will be bijective and nonlinear and will exhibit the strict avalanche criterion and the output bit independence criterion.
The security of DES-like cryptosystems depends heavily on the strength of the Substitution boxes (S-boxes) used. The design of new S-boxes is therefore an important concern in the creation of new and more secure cryptosystems. The full set of design criteria for the S-boxes of DES has never been released and a complete set has yet to be proposed in...
The cryptographic strength of an SP network depends crucially on the strength of its substitution boxes (S-boxes). In this paper we use the concept of information leakage to evaluate the strength of S-boxes and SP networks. We define an equivalence class on n × n S-boxes that is invariant in information leakage. Simulation results for a 16 × 16 SP...
This paper describes some recently successful results in the CMOS VLSI implementation of public-key data encryption algorithms. Architectural details, circuits, and prototype test results are presented for RSA encryption and multiplication in the finite field GF(2^m). These designs emphasize high throughput and modularity. An asynchronous modulo mul...
In this paper, we extend the concept of information leakage in Forre (1990) and Zhang et al. (1994) to the case of multi-output Boolean functions. A spectral characterization of multi-output boolean function is given. This result is used to express different forms of information leakage of multi-output Boolean function in terms of the Walsh transfo...
We examine a new private key encryption algorithm referred to as CAST. Specifically, we investigate the security of the cipher with respect to linear cryptanalysis. From our analysis we conclude that it is easy to select S-boxes so that an efficient implementation of the CAST algorithm is demonstrably resistant to linear cryptanalysis.
In this paper, decomposition techniques are used to simplify the analysis of cryptographic protocols using coloured Petri nets to locate security flaws and weaknesses. These techniques exploit the inherent modularity of the Petri net model which is composed of distinct protocol entities, distinct protocol stages, and an explicit intruder model. The...
This paper presents some results on the cryptographic strength of Boolean functions from the information theoretic point of view. It is argued that a Boolean function is resistant to statistical analysis if there is no significant static and dynamic information leakage between its inputs and its output(s). In particular we relate information leakag...
In this paper we examine a class of product ciphers referred to as substitution-permutation networks. We investigate the resistance of these cryptographic networks to two important attacks: differential cryptanalysis and linear cryptanalysis. In particular, we develop upper bounds on the differential characteristic probability and on the probabilit...
In this paper, we examine a class of block ciphers referred to as substitution-permutation networks or SPNs. We assert that the basic SPN architecture can be used to provide an efficient implementation of a secure block cipher if the system S-boxes are carefully selected and connected with an appropriate linear transformation. Specifically, it i...
We present a new serial-parallel concurrent modular-multiplication algorithm and architecture suitable for standard RSA encryption. In the new scheme, multiplication is performed modulo a multiple of the RSA modulus n, which has a diminished-radix form 2^k - v, where k and v are positive integers and v < n. This design is the first concurrent modular...
This paper examines recent work in the area of bent-function-based substitution boxes in order to refine the relationship between s-box construction and immunity to the differential cryptanalysis attack described by Biham and Shamir. It is concluded that m × n s-boxes, m < n, which are partially bent-function-based are the most appropriate choi...
While there is evidence that large substitution boxes (S-boxes) have better cryptographic properties than small S-boxes, they are much harder to design. The difficulty arises from the relative scarcity of suitable boolean functions as the size of the S-box increases. We describe the construction of cryptographically strong 5×5 S-boxes using near-be...
Previously proposed error detection algorithms for the residue number system require a complete recombination. A weighted approximation via the Chinese remainder theorem is shown to be sufficient to detect 100% of single errors. This makes real-time single-error diagnosis possible, which involves up to N + 2 iterations of detection (N is the number...
We introduce two general classes of bent sequences, “bent-based” and “linear-based”, and conjecture that all bent sequences fall into these classes. This gives us a framework for discussing the construction and cardinality of the set of bent sequences of any given order.
Research in neural networks has reached an intense state of activity with growing interest in practical and commercial applications. Neural networks provide a solution for tasks which require a huge processing capacity, by using a large number of simple elements operating in parallel. One such task is pattern classification. This Letter discusses P...
QUISC3 is a distributed processing silicon compiler, operating under the ELECTRIC Layout Tool. This new version of QUISC is designed to perform distributed processing on a LAN of workstations. It exploits the inherent hierarchy of VHDL to create macrocells on remote network servers, thereby improving both user response time and the allowable design...
The cryptographic strength of an SP network depends crucially on the strength of its substitution boxes (S-boxes). In this paper we use the concept of information leakage to evaluate the strength of S-boxes and SP networks. We define an equivalence class on n×n S-boxes that is invariant in information leakage. Simulation results for a 16×16 SP netw...
The security of DES-like cryptosystems depends heavily on the strength of the substitution boxes (S-boxes) used. The design of new S-boxes is therefore an important concern in the creation of new and more secure cryptosystems. The full set of design criteria for the S-boxes of DES has never been released and a complete set has yet to be proposed in...
Two general classes of binary bent sequences, bent-based and linear-based, are introduced. Algorithms that allow easy generation of bent sequences from either class are given. Based on some simple computation and a computer search, the authors conjecture a lower bound on the total number of binary bent sequences of a given order. This lower bound i...
We describe a design procedure for the s-boxes of private key cryptosystems constructed as substitution-permutation networks (DES-like cryptosystems). Our procedure is proven to construct s-boxes which are bijective, are highly nonlinear, possess the strict avalanche criterion, and have output bits which act (virtually) independently when any single...
We show how to create a master key scheme for controlling access to a set of services. Each master key is a concise representation for a list of service keys, such that only service keys in this list can be computed easily from the master key. Our scheme is more flexible than others, permitting hierarchical organization and expansion of the set of...
Three existing protocol modeling techniques have been combined into a design methodology for communication protocols: Petri nets, formal grammars, and programming languages. The steps involved in the structured design of a protocol are presented, and the role of models in the design process is discussed. The three protocol modeling methods are eval...
Several VLSI architectures for performing exponentiation in GF(2^m) are presented. Two approaches to the architecture design are taken. In the first, all intermediate products of the exponentiation are computed in a sequential fashion to minimize the silicon area. In the second approach, all values of raised to the 2^{ei} power,...
Multiplication in the finite field GF(2^m) has particular computational advantages in data encryption systems. This paper presents a new algorithm for performing fast multiplication in GF(2^m), which is O(m) in computation time and implementation area. The bit-slice architecture of a serial-in-serial-out modulo multiplier is described and the...
This paper presents a layered approach to the design of private key cryptographic algorithms based on a few strategically chosen layers. Each layer is a conceptually simple invertible transformation that may be weak in isolation, but makes a necessary contribution to the security of the algorithm. This is in contrast to algorithms such as DES which...
The complexity of a finite sequence as defined by Lempel and Ziv is advocated as the basis of a test for cryptographic algorithms. Assuming binary data and block enciphering, it is claimed that the difference (exclusive OR sum) between the plaintext vector and the corresponding ciphertext vector should have high complexity, with very high probabili...
A new type of cryptosystem with applications in broadcast communications and database systems is described. The scheme combines various elements of both SP-networks and Hill broadcast encryption systems. The theoretical basis for the encryption technique is described in a series of equations and the results of a preliminary production process compl...
Multiplication in the finite field GF(2^m) has particular computational advantages in data encryption systems. A new algorithm is presented for performing fast multiplication in GF(2^m) which is O(m) in computation time and implementation area. The bit-slice architecture of a serial-in-serial-out modulo multiplier is described and the circuit d...
A new type of cryptosystem is presented that may find application in broadcast communication networks and database systems. To date, all proposals for such systems have either been shown to be weak under cryptanalytic attack or to possess undesirable characteristics such as data expansion. The new scheme is a layered system that is a concatenation...
Computational efficiency is of prime importance to any micro-processor based cryptosystem. A technique is presented here which permits a reduction in the enciphering complexity of private key schemes without a loss in security. The net result can be a simplification of the system’s implementation, a reduction in cryptographic overhead and the poten...
For p a prime of the form 8m ± 3, Karlin and MacWilliams (1972) have constructed some (2p + 2, p + 1) codes which are the binary images of the (p + 1, (p + 1)/2) extended quadratic residue codes over GF(4). For p a prime of the form 8m + 3, the (2p + 2, p + 1) codes are equivalent to the codes proposed by Bhargava et al. (1974). In the related (2p,...
A computer search has been made to determine the true minimum distance d for all binary cyclic codes having odd lengths n in the range 69 ≤ n ≤ 99. Using an algorithm originally developed by C. L. Chen, the generator matrix G of each (n,k) binary cyclic code was put in systematic form. All possible codewords obtained from sums of i rows of G, f...
The weight distribution of some "best" (3m,2m) rate 2/3 binary quasi-cyclic codes of length up to 54 is discussed. The approach taken was to compute the weight distribution of the corresponding (3m,m) rate 1/3 dual code, and then take advantage of the MacWilliams' identities to derive the weight distribution of the (3m,2m) code.
For every twin prime and prime power p where p ≡ 3 (mod 4) we define a (2p + 2, p + 1) binary code by a generator matrix of the form G = [I, S_p], where S_p is given in terms of the incidence matrix of a difference set of the Hadamard type. For p ≡ 3 (mod 8) these codes are shown to be self-dual with weights divisible by four. For p = 7, 15, 23, 27, 31 and 35 t...
Some optimal rate-1/2 quasi-cyclic codes found by Chen et al. [3] are grouped into a small set of equivalence classes with the assistance of a computer. The weight distribution of a selection of these rate-1/2 codes is tabulated. In addition, a list of new optimal rate-2/3 quasi-cyclic codes of lengths up to 54 is presented.
Let V' be a binary (n,k) majority-logic decodable code with g'(X) as its generator polynomial and odd minimum distance d. Let V be the (n, k - 1) subset code generated by g'(X)(1 + X). This correspondence shows that V is majority-logic decodable with d + 1 orthogonal estimates. This fact is useful in the simultaneous correction of r...
The problem of finding the cycle representatives of a cyclic code is considered. In a recent paper, Tavares, Allard and Shiva, provided a solution to this problem for all cyclic codes having a parity check polynomial which satisfies either of the following conditions: (i) h(x) consists entirely of factors having exponent n, (ii) the exponents of th...
The problem of finding the cycle representatives of a cyclic code is examined. For an (n, k) cyclic code whose parity check polynomial h(x) consists entirely of factors with exponent n, a complete set of representatives is obtained. Further, if the exponents of the factors of h(x) are relatively prime to each other, a complete set can also be gener...
Stone^1 found that multiple-error-correcting codes inherently have the ability to correct multiple bursts. Using his methods, somewhat stronger theorems are derived here, and a decoding procedure is given.
This paper presents a new class of synchronizable error-correcting codes which are derivable from cyclic codes by restraining some of their information symbols. They are called subset codes because each code constitutes a subset of code words in the parent cyclic code. The ability of the subset codes to detect and correct loss of synchronism, or sl...
It is shown that certain coset codes derived from binary cyclic codes can determine the magnitude of a synchronization error, as well as its direction by examining only the syndrome of the received n tuple. For such coset codes, therefore, the need for a search procedure to recover synchronism is eliminated. In addition, the range of slip that can...
The ideas of completeness and the avalanche effect were first introduced by Kam and Davida [1] and Feistel [2], respectively. If a cryptographic transformation is complete, then each ciphertext bit must depend on all of the plaintext bits. Thus, if it were possible to find the simplest Boolean expression for each ciphertext bit in terms of the plai...
Recently, Pieprzyk and Finkelstein described a construction procedure for the substitution boxes (s-boxes) of Substitution-Permutation Network cryptosystems which yielded s-boxes of high nonlinearity. Shortly afterward, in seemingly unrelated work, Yarlagadda and Hershey discussed the analysis and synthesis of binary bent sequences of length 4 k...
In this paper we examine the key clustering characteristics of a class of block cryptosystems referred to as substitution-permutation networks or SPNs. Specifically, we investigate the relationship between the property of key avalanche and the success of a key clustering attack. Further, we develop an analytical model of the key avalanche property...