************************************************************************* This is a temporary e-mail address; I am in Cambridge until 12 March. Continue to send mail to schneier@counterpane.com; it forwards by itself. ************************************************************************* Report on the Third International Workshop on FAST SOFTWARE ENCRYPTION, Cambridge University, UK, Feb 96 The conference was held at the Isaac Newton Institute for Mathemtical Science, and was attended by about 45 people. What follows is a short description of some, but not all, of the talks. There were two papers analyzing safer: "Truncated Differentials of SAFER" by Knudsen and Berson, and "The PHT of SAFER" by Murphy. Unfortunately, only the first paper appears in the proceedings. The attacks work on SAFER with 5 rounds or less, and not on SAFER with the new key schedule suggested at Crypto '95. Vaudenay presented his attack on Blowfish, which expoloits weak keys that result in two S-box entries being identical. In a weak Blowfish variant where the S-boxes are known, his attack can break 8-round Blowfish efficiently but does not work against the full 16-round version. If the S-boxes are secret, as they are in Blowfish, his attack can detect these weak keys in the 8-round variant but not in the 16-round variant. Blaze presented a really clever protocol for encrypting with a low-bandwidth smartcard. The idea is that the host computer is trusted with the plaintext but not the key, and the secure smartcard is too slow to do bulk encryption. He presents a protocol where the host does all the work but does not learn the key. Dobbertin presented a beautiful paper where he cryptanalyzed MD4, extending the work he did cryptanalyzing RIPE-MD. Attendees took bets on when MD5 will fall to this sort of attack. There were several new algorithms presented. RIPEMD-160 is a strengthened version of RIPE-MD, designed by Dobbertin, Bosselaers, and Preneel. ISAAC is a steam cipher by Bob Jenkins. Tiger is a one-way hash function by Anderson and Biham designed to work efficently on 64-bit computers. Shark is a block cipher, similar in design to SAFER, by Rijmen, Daemen, Preneel, Bosselaers, and De Win. And there were two Luby-Rackoff-like constructions that make block ciphers of arbitrary block size out of stream ciphers and one-way hash functions by Anderson and Biham, called Bear and Lion. Another paper by Lucks showed how to spead up Luby-Rackoff's block cipher. Matsui presented some work on block cipher designs provably secure against differential and linear cryptanalysis, but not the specific construction that is the MISTY algorithm. Kelsey and Schneier presented a paper on unbalanced Feistel networks. Called UFNs, these are Feistel networks where the two sides are of unequal size. Examples of this construction includes MD4, RC2, MacGuffin, S1, and REDOC III. We gave some general analysis of different constructions. There were two papers on correlation attacks on stream ciphers, and one paper by Golic on nonlinear filter generators. The proceedings have been published by Springer-Verlag in their Lecture Notes in Computer Science series, #1039. The editor of the volume is Dieter Gollmann, and the ISBN is 3-540-60865-6.