Hartung-Gorre Verlag

Proprietor: Dr. Renate Gorre

D-78465 Konstanz

Phone: +49 (0)7533 97227

Fax: +49 (0)7533 97228



New publication 1992/1995

ETH Series in Information Processing Vol. 1

Editor: James L. Massey






Xuejia Lai


On the Design and Security of Block Ciphers


2nd Edition 1995. XII, 108 pages. EUR 34,80.

ISBN 3-89191-573-X


Secret-key block ciphers are the subject of this work. The design and security of block ciphers, together with their application in hashing techniques, are considered. In particular, iterated block ciphers that are based on iterating a weak round function several times are considered. Four basic constructions for the round function of an iterated cipher are studied.


The iterated block cipher IDEA is proposed. This cipher is based on the new design concept of mixing different group operations on 16-bit subblocks. Using operations on subblocks facilitates the software implementation of the cipher. The regular structure of the cipher facilitates hardware implementation. The interaction of the three chosen "incompatible" group operations provides the necessary "confusion", and the chosen cipher structure causes the required "diffusion".


The security of iterated ciphers against Biham and Shamir's differential cryptanalysis is discussed. Differential cryptanalysis is described in terms of an i-round "differential", which is defined as a couple (α,β) such that a pair of distinct plaintexts with difference α can result in a pair of i-th round outputs having difference β. It is shown that the maximum probability of such a differential can be used to determine a lower bound on the complexity of a differential cryptanalysis attack. The concept of "Markov ciphers" is introduced because of its significance in differential cryptanalysis. It is shown that the security of a Markov cipher against differential cryptanalysis is determined by the transition probability matrix created by the round function. A design principle for Markov ciphers is formulated, viz., that its transition matrix should be non-symmetric. Differential cryptanalysis of the IDEA cipher is performed partly by theoretical analysis of the relationship between the three chosen group operations and the properties of the MA-structure within the cipher, and partly by numerical experiments on "mini versions" of the cipher. The results suggest that the IDEA cipher is secure against differential cryptanalysis attack after only four of its eight rounds.


The application of block ciphers in constructing hash functions is also considered. Five different attacks on hash functions obtained by iterating a hash round function are formulated and examined. Relations between the security of such an iterated hash function and the strength of its round function are derived. Schemes for constructing hash round functions by using block ciphers are discussed and new hashing schemes using the IDEA cipher are proposed. In particular, the problem of constructing 2m-bit hash round functions from available m-bit block ciphers is considered and two new constructions are proposed. Four attacks on three known hash schemes are presented by applying a new principle for evaluating the security of a hash round function.




Book orders: through your bookshop, at www.amazon.de,

or directly from:


Hartung-Gorre Verlag / D-78465 Konstanz

Telephone: +49 (0) 7533 97227  Fax: +49 (0) 7533 97228

http://www.hartung-gorre.de   eMail: verlag@hartung-gorre.de