Chapter 1: Foundations. 1.1 Terminology; 1.4 Simple XOR (2008)
Bruce Schneier (foreword by Whitfield Diffie), Wiley Computer Publishing (John Wiley)
About me: Erik Poll, Security of Systems group (SoS) (2008)
Erik Poll, Bruce Schneier, Ross Anderson
• Understand how the OS interacts with hardware
• esp. Java software, for smartcards, MIDP mobile phones, and OS software
– Identity-centric Security & Privacy, e.g. electronic voting, biometric passports, RFID, protocols for privacy...
Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA (2008)
John Kelsey, Bruce Schneier, David Wagner
We present new related-key attacks on the block ciphers 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. Differential related-key attacks allow both keys and plaintexts to be chosen with specific...
The history of cryptography (2008)
David Kahn, The Codebreakers; Simon Singh, The Code Book; Niels Ferguson, Bruce Schneier, ...
Second preimages on n-bit hash functions for much less than 2 n work (2008)
We expand a previous result of Dean [Dea99] to provide a second preimage attack on all n-bit iterated hash functions with Damgård-Merkle strengthening and n-bit intermediate states,...
Tenets of Information Assurance and their security mechanisms (2008)
Keyed hash function: absolute verification that data has not been modified (detection of a single bit change)
Encryption: preventing disclosure; privacy
Verification of originator (signature on check): ...
Abstract Cryptographic Support for Secure Logs on Untrusted Machines (2008)
In many real-world applications, sensitive information must be kept in log files on an untrusted machine. In the event that an attacker captures this machine, we would like to guarantee that he will...
David Wagner, Niels Ferguson, Bruce Schneier
We examine some attacks on the FROG cipher. First we give a differential attack which uses about 2^58 chosen plaintexts and very little time for the analysis; it works for about 2^-33.0 of the...
MARS Attacks! Preliminary Cryptanalysis of Reduced-Round MARS (2008)
In this paper, we discuss ways to attack various reduced-round variants of MARS. We consider cryptanalysis of two reduced-round variants of MARS: MARS with the full mixing layers but fewer...
Abstract Secure Audit Logs to Support Computer Forensics (2008)
In many real-world applications, sensitive information must be kept in log files on an untrusted machine. In the event that an attacker captures this machine, we would like to guarantee that he will...
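The forward-secure logging idea behind the two log entries above (Cryptographic Support for Secure Logs on Untrusted Machines and Secure Audit Logs to Support Computer Forensics), shown as an added, simplified example; this is not the papers' own code or their exact construction. It assumes a 32-byte key A_0 shared in advance between the untrusted logger U and a trusted verifier T, uses SHA-256 for the hash chain and HMAC-SHA256 for the per-entry MAC, and leaves out the papers' per-entry encryption and permission masks. The point it shows: U derives A_{j+1} = H(A_j) and erases A_j, so an attacker who captures U after n entries holds only A_n and cannot re-MAC any earlier entry; T, which still knows A_0, replays both chains and reports the first entry whose hash link or MAC fails.

```python
import hashlib
import hmac

CHAIN_START = b"\x00" * 32  # Y_{-1}: fixed public start of the hash chain (constructed)


def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so (a, b) and (a + b, b"") hash differently."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def next_key(key: bytes) -> bytes:
    """A_{j+1} = H("increment", A_j). One-way: A_j cannot be recovered from A_{j+1}."""
    return H(b"increment", key)


class UntrustedLogger:
    """The logging machine U: holds only the current key A_j and erases it after each entry."""

    def __init__(self, a0: bytes):
        self.key = a0
        self.chain = CHAIN_START
        self.entries = []  # (D_j, Y_j, Z_j) triples

    def append(self, data: bytes) -> None:
        y = H(self.chain, data)        # Y_j = H(Y_{j-1}, D_j): hash chain over the entries
        z = mac(self.key, y)           # Z_j = MAC_{A_j}(Y_j): binds entry j to the key of epoch j
        self.entries.append((data, y, z))
        self.chain = y
        self.key = next_key(self.key)  # A_j is now gone from U


def verify(a0: bytes, entries) -> int:
    """The trusted machine T, which still knows A_0, replays the key and hash chains.
    Returns the index of the first entry that fails, or len(entries) if every entry verifies."""
    key, chain = a0, CHAIN_START
    for i, (data, y, z) in enumerate(entries):
        if H(chain, data) != y or not hmac.compare_digest(mac(key, y), z):
            return i
        chain, key = y, next_key(key)
    return len(entries)


# Constructed sample log lines and a constructed pre-shared key.
SAMPLE = [b"login alice", b"sudo -s", b"rm -rf /var/log"]
A0 = hashlib.sha256(b"secret shared by U and T before deployment (constructed)").digest()


def make_log(a0: bytes = A0) -> UntrustedLogger:
    log = UntrustedLogger(a0)
    for line in SAMPLE:
        log.append(line)
    return log


def tamper(log: UntrustedLogger, index: int, new_data: bytes):
    """An attacker who captures U after the log is written: knows every entry and the
    current key A_n, but no earlier key. Rewrites entry `index`, rebuilds the hash chain
    from there on, and MACs with the only key available, which is the wrong epoch's key."""
    entries = list(log.entries)
    datas = [d for d, _, _ in entries]
    datas[index] = new_data
    chain = CHAIN_START if index == 0 else entries[index - 1][1]
    for j in range(index, len(entries)):
        chain = H(chain, datas[j])
        entries[j] = (datas[j], chain, mac(log.key, chain))
    return entries


def demo():
    """Returns (entries verified on the honest log, index of first failure after tampering)."""
    log = make_log()
    honest = verify(A0, log.entries)               # 3: the whole log verifies
    tampered = verify(A0, tamper(log, 1, b"ls"))   # 1: T stops at the rewritten entry
    return honest, tampered


if __name__ == "__main__":
    print(demo())
```

Truncating the log by deleting its newest entries is not detected by this fragment, since nothing is chained after them; the papers address that with an explicit closing record.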
Abstract Analysis of the SSL 3.0 protocol (2008)
David Wagner, Bruce Schneier (Counterpane Systems)
The SSL protocol is intended to provide a practical, application-layer, widely applicable connection-oriented mechanism for Internet client/server communications security. This note gives a detailed...
Security Weaknesses in Maurer-Like Randomized Stream Ciphers (2007)
Niels Ferguson, Bruce Schneier, David Wagner
TriStrata appears to have implemented a variation of Maurer's randomised cipher. We define a variation of Maurer's cipher that appears to be similar to the TriStrata version, and show...
Bruce Schneier, John Kelsey, Jay Walker
We develop a protocol for “distributed proctoring” which allows a network of graders to grade individual problems solved by a network of test takers. The mutual anonymity of the test...
Extended abstract. Chris Hall, John Kelsey, Bruce Schneier (Counterpane Systems, 101 E. Minnehaha Pkwy, Minneapolis, MN 55419), David Wagner (U.C. ...)
Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson, Tadayoshi Kohno
The street performer protocol and digital copyrights (2007)
We introduce the Street Performer Protocol, an electronic-commerce mechanism to facilitate the private financing of public works. Using this protocol, people would place donations in escrow, to be...
and Trusted Third-Party Encryption. A Report by an Ad Hoc Group of Cryptographers (2003)
Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Whitfield Diffie, ... (prepared by Erik Wilde)
Helix: Fast encryption and authentication in a single cryptographic primitive (2003)
Niels Ferguson, Doug Whiting, Bruce Schneier, John Kelsey, Tadayoshi Kohno
Abstract. Helix is a high-speed stream cipher with a built-in MAC functionality. On a Pentium II CPU it is about twice as fast as Rijndael or Twofish, and comparable in speed to RC4. The overhead per...
Phelix: Fast Encryption and Authentication in a Single Cryptographic Primitive (2003)
Doug Whiting, Bruce Schneier, Stefan Lucks, Frédéric Muller
Phelix is a high-speed stream cipher with a built-in MAC functionality. It is efficient in both hardware and software. On current Pentium CPUs, Phelix has a per-packet overhead of less...
Implementation of chosen-ciphertext attacks against PGP and GnuPG (2002)
Kahil Jallad, Jonathan Katz, Bruce Schneier
Abstract. We recently noted [6] that PGP and other e-mail encryption protocols are, in theory, highly vulnerable to chosen-ciphertext attacks in which the recipient of the e-mail acts as an unwitting...
A Chosen Ciphertext Attack against Several E-Mail Encryption Protocols (2000)
Several security protocols (PGP, PEM, MOSS, S/MIME, PKCS#7, CMS, etc.) have been developed to provide confidentiality and authentication of electronic mail. These protocols are widely used and...
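What the two chosen-ciphertext entries above (A Chosen Ciphertext Attack against Several E-Mail Encryption Protocols, and its implementation against PGP and GnuPG) exploit is the malleability of CFB mode: each plaintext block depends only on the two ciphertext blocks around it, P_i = E_K(C_{i-1}) XOR C_i. The following added example illustrates that property and the oracle use of it; it is not the papers' code or their exact procedure, and OpenPGP's CFB variant differs in detail from the textbook CFB used here. Assumptions: a 16-byte block, and HMAC-SHA256 truncated to 16 bytes standing in for a block cipher's encryption direction (CFB never needs the decryption direction, so any keyed function serves the demonstration). The recipient is modelled as a function that decrypts whatever it is sent and returns the result, as a user who replies quoting an unreadable message would.

```python
import hashlib
import hmac
import os

BLOCK = 16


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for a 128-bit block cipher's encryption direction (assumption: not a real cipher).
    CFB mode only ever applies E, so a keyed one-way function suffices for the illustration."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Full-block CFB: C_i = E(C_{i-1}) XOR P_i with C_0 = IV."""
    out, prev = [], iv
    for p in blocks(plaintext):
        c = xor(E(key, prev), p)
        out.append(c)
        prev = c
    return b"".join(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P_i = E(C_{i-1}) XOR C_i: block i of the plaintext depends only on C_{i-1} and C_i."""
    out, prev = [], iv
    for c in blocks(ciphertext):
        out.append(xor(E(key, prev), c))
        prev = c
    return b"".join(out)


def splice(iv: bytes, ciphertext: bytes, targets):
    """Attacker (no key): build a new message that keeps each pair (C_{i-1}, C_i) adjacent,
    preceded by a random block so the whole decryption reads as garbage to the recipient.
    Every third decrypted block is then exactly P_i. Returns (new IV, new body)."""
    c = [iv] + blocks(ciphertext)            # c[0] = IV = C_0, c[i] = C_i
    body = b""
    for i in targets:                        # 1-based plaintext block indices
        body += os.urandom(BLOCK) + c[i - 1] + c[i]
    return os.urandom(BLOCK), body


def recover(oracle_output: bytes) -> bytes:
    """Attacker reads the target plaintext blocks out of the recipient's reply."""
    return b"".join(b for k, b in enumerate(blocks(oracle_output)) if k % 3 == 2)


# Constructed sample: a 48-byte message (three blocks) and a key the attacker never learns.
PLAINTEXT = b"TOP SECRET: rendezvous at dock 7 at 21:00 sharp."
KEY = hashlib.sha256(b"key known only to sender and recipient (constructed)").digest()


def demo():
    """Returns (plaintext the attacker recovers, what the recipient saw and sent back)."""
    iv = os.urandom(BLOCK)
    ciphertext = cfb_encrypt(KEY, iv, PLAINTEXT)     # what the attacker intercepts

    # Attacker forges a message from the intercepted blocks ...
    iv2, forged = splice(iv, ciphertext, targets=[1, 2, 3])
    # ... the recipient decrypts it, sees nonsense, and sends the result back ...
    reply = cfb_decrypt(KEY, iv2, forged)
    # ... from which the attacker reads the original plaintext.
    return recover(reply), reply


if __name__ == "__main__":
    recovered, reply = demo()
    print(recovered)
    print(reply)
```

The defence the later paper discusses is the one the construction itself suggests: authenticate the ciphertext (a MAC or an integrity-protected packet format) so that a spliced message is rejected before anything is decrypted and shown to the user.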
AES Key Agility Issues in High-Speed IPsec Implementations (2000)
Doug Whiting, Bruce Schneier, Steve Bellovin
Some high-speed IPsec hardware systems need to support many thousands of security associations. The cost of switching among different encryption keys can dramatically affect throughput, particularly...
The Twofish Team's Final Comments on AES Selection (2000)
Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson, ...
In 1996, the National Institute of Standards and Technology initiated a program to choose an Advanced Encryption Standard (AES) to replace DES [NIST97a]. In 1997, after soliciting public...
Improved Cryptanalysis of Rijndael (2000)
Niels Ferguson, John Kelsey, Stefan Lucks, Bruce Schneier, Mike Stay, David Wagner, ...
We improve the best attack on Rijndael reduced to 6 rounds from complexity 2^72 to 2^44 . We also present the first known attacks on 7- and 8-round Rijndael. The attacks on 8-round Rijndael work for...
Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent (2000)
John Kelsey, Tadayoshi Kohno, Bruce Schneier
We introduce a new cryptanalytic technique based on Wagner's boomerang and inside-out attacks. We first describe this new attack in terms of the original boomerang attack, and then...
A Twofish Retreat: Related-Key Attacks Against Reduced-Round Twofish (2000)
Niels Ferguson, John Kelsey, Bruce Schneier, Doug Whiting
The Twofish AES submission document contains a partial chosen-key and a related-key attack against ten rounds of Twofish without whitening, using 256-bit keys. This attack does not work; it makes use...
Cryptanalytic Progress: Lessons for AES (2000)
John Kelsey, Niels Ferguson, Bruce Schneier, Mike Stay
In this paper, we review cryptanalytic progress against three well-regarded block ciphers and discuss the development of new cryptanalytic tools against these ciphers over time. This review illustrates...
Key-Schedule Cryptanalysis of DEAL (2000)
John Kelsey, Bruce Schneier
Abstract. DEAL is a six- or eight-round Luby-Rackoff cipher that uses DES as its round function, with allowed key lengths of 128, 192, and 256 bits. In this paper, we discuss two new results on the...
John Kelsey, Bruce Schneier, Niels Ferguson
Abstract. We describe the design of Yarrow, a family of cryptographic pseudo-random number generators (PRNG). We describe the concept of a PRNG as a separate cryptographic primitive, and the design...
Minimizing bandwidth for remote access to cryptographically protected audit logs (1999)
Abstract. Tamperproof audit logs are an essential tool for computer forensics. Building on the work in [SK98,SK99], we show how to build a tamperproof audit log where the amount of information...
Mod n cryptanalysis, with applications against RC5P and M6 (1999)
John Kelsey, Bruce Schneier, David Wagner
We introduce “mod n cryptanalysis,” a form of partitioning attack that is effective against ciphers which rely on modular addition and bit rotations for their security. We demonstrate...
Performance Comparison of the AES Submissions (1999)
Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson
The principal goal guiding the design of any encryption algorithm must be security. In the real world, however, performance and implementation cost are always of concern. Making the assumption that...
Authenticating Secure Tokens Using Slow Memory Access (1999)
John Kelsey, Bruce Schneier
We present an authentication protocol that allows a token, such as a smart card, to authenticate itself to a back-end trusted computer system through an untrusted reader. This protocol relies on the...
Key Schedule Weaknesses in SAFER+ (1999)
John Kelsey, Bruce Schneier, David Wagner
We analyze the key schedule of the SAFER+ block cipher, focusing on the poor diffusion of key material through the cipher when using SAFER+ with 256-bit keys. We develop a meet-in-the-middle attack...
Further Observations on the Key Schedule of Twofish (1999)
Doug Whiting, John Kelsey, Bruce Schneier, David Wagner, Niels Ferguson, Chris Hall
Twofish is a 128-bit block cipher submitted as an AES candidate [SKW+98]. Mirza and Murphy [MM99] recently noted two interesting properties in the Twofish key schedule for 128-bit keys: there is a...
New Results on the Twofish Encryption Algorithm (1999)
Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson
Twofish is a 128-bit block cipher submitted as an AES candidate. We provide several new results, continuing the research in [SKW+98a, SKW+99b]. 1) We provide new performance numbers, including:...
Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2) (1999)
Bruce Schneier, Mudge, David Wagner
The Point-to-Point Tunneling Protocol (PPTP) is used to secure PPP connections over TCP/IP links. In response to [SM98], Microsoft released extensions to the PPTP authentication mechanism (MS-CHAP),...
Protecting Secret Keys with Personal Entropy (1999)
Carl Ellison, Chris Hall, Randy Milbert, Bruce Schneier
Conventional encryption technology often requires users to protect a secret key by selecting a password or passphrase. While a good passphrase will only be known to the user, it also has the flaw...
Breaking up is hard to do: Modeling security threats for smart cards (1999)
Bruce Schneier (Counterpane Systems), Adam Shostack (Netect Inc)
Smart card systems differ from conventional computer systems in that different aspects of the system are not under a single trust boundary. The processor, I/O, data, programs, and network may be...
Reaction Attacks against Several Public-Key Cryptosystems (1999)
Chris Hall, Ian Goldberg, Bruce Schneier
We present attacks against the McEliece Public-Key Cryptosystem, the Ajtai-Dwork Public-Key Cryptosystem, and variants of those systems. Most of these systems base their security on the...
Matt Blaze, Whitfield Diffie, Ronald L. Rivest, Bruce Schneier, Tsutomu Shimomura
Encryption plays an essential role in protecting the privacy of electronic information against threats from a variety of potential attackers. In so doing, modern cryptography employs a combination of...
Environmental Key Generation Towards Clueless Agents (1998)
Abstract. In this paper, we introduce a collection of cryptographic key constructions built from environmental data that are resistant to adversarial analysis and deceit. We expound upon their...
Cryptanalytic attacks on pseudorandom number generators (1998)
John Kelsey, Bruce Schneier, David Wagner, Chris Hall
In this paper we discuss PRNGs: the mechanisms used by real-world secure systems to generate cryptographic keys, initialization vectors, “random” nonces, and other values assumed...
Side Channel Cryptanalysis of Product Ciphers (1998)
John Kelsey, Bruce Schneier, David Wagner, Chris Hall
Building on the work of Kocher [Koc96], Jaffe, and Yun [KJY98], we discuss the notion of side-channel cryptanalysis: cryptanalysis using implementation data. We discuss the notion of...
A certified e-mail protocol (1998)
Protocols to facilitate secure electronic delivery are necessary if the Internet is to achieve its true potential as a business communications tool. We present a protocol for secure e-mail that...
Secure Applications of Low-Entropy Keys (1998)
John Kelsey, Bruce Schneier, Chris Hall, David Wagner
Abstract. We introduce the notion of key stretching, a mechanism to convert short s-bit keys into longer keys, such that the complexity required to brute-force search a s + t-bit keyspace is the same...
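An added example of the key-stretching idea in the abstract above (not the paper's own code): the short key is hashed 2^t times in sequence together with a salt, so every guess in a brute-force search costs 2^t hash evaluations, and exhausting an s-bit keyspace costs 2^(s+t) evaluations, the same as exhausting an (s+t)-bit keyspace of unstretched keys. The legitimate user pays the 2^t cost once per use. Assumptions: SHA-256 as the hash, a fixed public salt, and tiny parameters (s = 8, t = 6) so the full search runs in well under a second; the hash-call counter exists only to make the work factor measurable rather than asserted.

```python
import hashlib


class HashCounter:
    """Counts hash evaluations so the attacker's work factor can be measured, not just claimed."""
    calls = 0

    @classmethod
    def h(cls, data: bytes) -> bytes:
        cls.calls += 1
        return hashlib.sha256(data).digest()


def stretch(key: bytes, salt: bytes, t: int) -> bytes:
    """Iterated-hash key stretching: 2^t sequential SHA-256 evaluations over (key || salt).
    The sequential dependence is the point: the work cannot be skipped, and the salt stops
    a single precomputed table from serving every target."""
    x = HashCounter.h(key + salt)
    for _ in range(2 ** t - 1):
        x = HashCounter.h(x)
    return x


def exhaustive_search(target: bytes, salt: bytes, t: int, s_bits: int):
    """Try every s-bit key against the stretched target. Scans the whole keyspace (no early
    exit) so the cost reported is the worst case. Returns (matching key or None, hash calls used)."""
    start = HashCounter.calls
    found = None
    width = (s_bits + 7) // 8
    for n in range(2 ** s_bits):
        guess = n.to_bytes(width, "big")
        if stretch(guess, salt, t) == target:
            found = guess
    return found, HashCounter.calls - start


# Constructed parameters: an 8-bit "password" and a fixed public salt.
SALT = b"example-salt"
S_BITS = 8
SECRET = bytes([0xA7])


def work_factor(t: int):
    """Returns (search recovered the secret, hash calls for the full 2^s search)."""
    derived = stretch(SECRET, SALT, t)
    found, calls = exhaustive_search(derived, SALT, t, S_BITS)
    return found == SECRET, calls


if __name__ == "__main__":
    for t in (0, 6):
        ok, calls = work_factor(t)
        print(f"t={t}: recovered={ok}, hash evaluations={calls} (2^{S_BITS + t} = {2 ** (S_BITS + t)})")
```

With t = 0 the search costs 2^8 evaluations; with t = 6 it costs 2^14, the cost of searching a 14-bit key directly. Stretching buys t bits of work factor, not t bits of entropy: a key that is guessable from a short list stays guessable, only 2^t times more slowly.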
On the Twofish Key Schedule (1998)
Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson
Twofish is a new block cipher with a 128 bit block, and a key length of 128, 192, or 256 bits, which has been submitted as an AES candidate. In this paper, we briefly review the structure...
Twofish: A 128-Bit Block Cipher (1998)
Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson
Twofish is a 128-bit block cipher that accepts a variable-length key up to 256 bits. The cipher is a 16-round Feistel network with a bijective F function made up of four key-dependent 8-by-8-bit...
Building PRFs from PRPs (1998)
Chris Hall, David Wagner, John Kelsey, Bruce Schneier
We evaluate constructions for building pseudo-random functions (PRFs) from pseudo-random permutations (PRPs). We present two constructions: a slower construction which preserves the security of the...
Cryptanalysis of Microsoft's Point-to-Point Tunneling Protocol (PPTP) (1998)
Bruce Schneier, Mudge
The Point-to-Point Tunneling Protocol (PPTP) is used to secure PPP connections over TCP/IP links. In this paper we analyze Microsoft's Windows NT implementation of PPTP. We show how to break...
Electronic Commerce and the Street Performer Protocol (1998)
John Kelsey, Bruce Schneier
We introduce the Street Performer Protocol, an electronic-commerce mechanism to facilitate the private financing of public works. Using this protocol, people would place donations in escrow, to be...
Cryptanalysis of TWOPRIME (1998)
Don Coppersmith, David Wagner, Bruce Schneier, John Kelsey
Ding et al. [DNRS97] propose a stream generator based on several layers. We present several attacks. First, we observe that the non-surjectivity of a linear combination step allows us to recover...
Cryptanalysis of Magenta (1998)
Eli Biham, Alex Biryukov, Niels Ferguson, Lars R. Knudsen, Bruce Schneier, Adi Shamir
Magenta [1] is an encryption algorithm submitted for AES by Deutsche Telekom AG. ... the top half of the data, and X_B^i is the bottom half. We first present a chosen plaintext attack using 2^64 chosen plaintexts and requiring 2^64 steps of analysis. 1. Choose an arbitrary plaintext X...
Cryptographic Design Vulnerabilities (1998)
This article conveys some of the lessons we've learned.
Side Channel Cryptanalysis of Product Ciphers (1998)
John Kelsey, Bruce Schneier, David Wagner, Chris Hall
. Building on the work of Kocher [Koc96], we introduce the notion of side-channel cryptanalysis: cryptanalysis using implementation data. We discuss the notion of side-channel attacks and the...
Secure Applications of Low-Entropy Keys (1998)
John Kelsey, Bruce Schneier, Chris Hall, David Wagner
. We introduce the notion of key stretching, a mechanism to convert short s-bit keys into longer keys, such that the complexity required to brute-force search a s + t-bit keyspace is the same as the...
Building PRFs from PRPs (1998)
Chris Hall, David Wagner, John Kelsey, Bruce Schneier
. We evaluate constructions for building pseudo-random functions (PRFs) from pseudo-random permutations (PRPs). We present two constructions: a slower construction which preserves the security of the...
Cryptanalysis of Magenta (1998)
Eli Biham, Alex Biryukov, Niels Ferguson, Lars R. Knudsen, Bruce Schneier, Adi Shamir
Magenta [1] is an encryption algorithm submitted for AES by Deutsche Telekom AG, and presented...
Electronic Commerce and the Street Performer Protocol (1998)
John Kelsey, Bruce Schneier
We introduce the Street Performer Protocol, an electronic-commerce mechanism to facilitate the private financing of public works. Using this protocol, people would place donations in escrow, to be...
Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA (1997)
John Kelsey, Bruce Schneier, David Wagner
We present new related-key attacks on the block ciphers 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. Differential related-key attacks allow both keys and plaintexts to be chosen with...
Fast Software Encryption: Designing Encryption Algorithms for Optimal Speed on (1997)
Most encryption algorithms are designed without regard to their performance on top-of-the-line microprocessors. This paper discusses general optimization principles algorithms designers...
Cryptanalysis of the Cellular Message Encryption Algorithm (1997)
David Wagner, Bruce Schneier, John Kelsey
This paper analyzes the Telecommunications Industry Association's Cellular Message Encryption Algorithm (CMEA), which is used for confidentiality of the control channel in the most...
Automatic Event-Stream Notarization Using Digital Signatures (1997)
Some digital signature algorithms (such as RSA) require messages to be padded before they are signed. Secure tokens can use these padding bits as a subliminal channel to embed auditing information...
Protocol Interactions and the Chosen Protocol Attack (1997)
John Kelsey, Bruce Schneier, David Wagner
There are many cases in the literature in which reuse of the same key material for different functions can open up security holes. In this paper, we discuss such interactions between protocols, and...
Analysis of the SSL 3.0 protocol (1997)
The SSL protocol is intended to provide a practical, application-layer, widely applicable connection-oriented mechanism for Internet client/server communications security. This note gives a detailed...
Remote Auditing of Software Outputs Using a Trusted Coprocessor (1997)
A cryptographic coprocessor is described for certifying outcomes of software programs. The system for certifying and authenticating outputs allows a third party who trusts the secure components of...
David Wagner, L. Simpson, E. Dawson, John Kelsey, W. Millan, Bruce Schneier
We present an attack on the ORYX stream cipher that requires only 25--27 bytes of known plaintext and has time complexity of 2^16. This attack directly recovers the full 96 bit internal state of...
Remote Electronic Gambling (1997)
We examine the problem of putting a casino on the Internet. We discuss fairly generating random bits and permutations for use in casino games, protecting against player/player and player/dealer...
Cryptanalysis of Akelarre (1997)
Niels Ferguson, Bruce Schneier
We show two practical attacks against the Akelarre block cipher. The best attack retrieves the 128-bit key using less than 100 chosen plaintexts and 2^42 off-line trial encryptions. Our attacks use a...
Reaction Attacks Against Several Public-Key Cryptosystem (1997)
Chris Hall, Ian Goldberg, Bruce Schneier
We present attacks against the McEliece Public-Key Cryptosystem, the Atjai-Dwork Public-Key Cryptosystem, and variants of those systems. Most of these systems base their security on the apparent...
Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES (1996)
John Kelsey, Bruce Schneier, David Wagner
We present new attacks on key schedules of block ciphers. These attacks are based on the principles of related-key differential cryptanalysis: attacks that allow both keys and plaintexts to...
An authenticated camera (1996)
John Kelsey, Bruce Schneier, Chris Hall
We develop protocols for an authenticated camera that allows people to verify that a given digital image was taken by a specific camera at a specific time and specific place. These protocols require...
Reaction Attacks Against Several Public-Key Cryptosystems (1996)
Chris Hall, Ian Goldberg, Bruce Schneier
We present attacks against the McEliece Public-Key Cryptosystem, the Atjai-Dwork Public-Key Cryptosystem, and variants of those systems. Most of these systems base their security on the apparent...
Analysis of the SSL 3.0 protocol (1996)
David Wagner, Bruce Schneier
The SSL protocol is intended to provide a practical, application-layer, widely applicable connection-oriented mechanism for Internet client/server communications security. This note gives a detailed...
Unbalanced Feistel Networks and Block-Cipher Design (1996)
We examine a generalization of the concept of Feistel networks, which we call Unbalanced Feistel Networks (UFNs). Like conventional Feistel networks, UFNs consist of a series of rounds in which one...
Authenticating Outputs of Computer Software Using a Cryptographic Coprocessor (1996)
John Kelsey, Bruce Schneier
A cryptographic coprocessor is described for certifying outcomes of software programs. The system for certifying and authenticating outputs allows a third party who trusts the secure components of...
A Peer-to-Peer Software Metering System (1996)
John Kelsey, Bruce Schneier
We present two software-network payment systems, designed so that every user is capable of both buying and selling. One system uses online clearing; the other uses offline clearing.
The MacGuffin Block Cipher Algorithm (1995)
This paper introduces MacGuffin, a 64 bit "codebook" block cipher. Many of its characteristics (block size, application domain, performance and implementation structure) are similar to...
Cryptanalytic Attacks on Pseudorandom Number Generators (1988)
John Kelsey, Bruce Schneier, David Wagner, Chris Hall
In this paper we discuss PRNGs: the mechanisms used by real-world secure systems to generate cryptographic keys, initialization vectors, "random" nonces, and other values assumed to be...
Insurance and the Computer Industry (0000)
The article envisions the future in which the computer security industry will be run by the insurance industry. In the real world businesses get security through insurance. They take the risk they...
The Uses and Abuses of Biometrics (0000)
The article focuses on uses and abuses of biometrics. Biometrics are seductive. They are the oldest form of identification. In order to be useful, biometrics must be stored in a database. There is a...
Cryptography, Security, and the Future (0000)
From email to cellular communications, from secure Web access to digital cash, cryptography is an essential part of today's information systems. Cryptography helps provide accountability, fairness,...
Chris Hall, John Kelsey, Vincent Rijmen, Bruce Schneier, David Wagner
The cipher family SPEED (and an associated hashing mode) was recently proposed in Financial Cryptography '97. This paper cryptanalyzes that proposal, in two parts: First, we discuss several...
Environmental Key Generation towards Clueless Agents
In this paper, we introduce a collection of cryptographic key constructions built from environmental data that are resistant to adversarial analysis and deceit. We expound upon their properties and...
Preliminary Cryptanalysis of Reduced-Round Serpent
Tadayoshi Kohno, John Kelsey, Bruce Schneier
Serpent is a 32-round AES block cipher finalist. In this paper we present several attacks on reduced-round variants of Serpent that require less work than exhaustive search. We attack six-round...
Performance Comparison of the AES Submissions
Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall
The principal goal guiding the design of any encryption algorithm must be security. In the real world, however, performance and implementation cost are always of concern. Making the assumption that...