A tool for automating differential cryptanalysis for cryptographic primitives.


A short-input hash function optimized for high performance on platforms supporting [AES-NI]( Used in [SPHINCS+]( and [Gravity-SPHINCS](


A cipher designed for efficient software implementations with strong side-channel protections submitted to the [NIST Lightweight Project](


A lightweight tweakable block cipher with strong security guarantees. Submitted to the [NIST Lightweight Project](

Mind the Gap - A Closer Look at the Security of Block Ciphers against Differential Cryptanalysis

Resistance against differential cryptanalysis is an important design criteria for any modern block cipher and most designs rely on finding some upper bound on probability of single differential characteristics. However, already at EUROCRYPT'91, Lai …

Tools for Cryptanalysis

A Brief Comparison of Simon and Simeck

Simeck is a new lightweight block cipher design based on combining the design principles of the Simon and Speck block cipher. While the design allows a smaller and more efficient hardware implementation, its security margins are not well understood. …

State-recovery analysis of Spritz

RC4 suffered from a range of plaintext-recovery attacks using statistical biases, which use substantial, albeit close-to-practical, amounts of known keystream in applications such as TLS or WEP/WPA. Spritz was recently proposed at the rump session of …

Observations on the SIMON block cipher family

In this paper we analyse the general class of functions underlying the Simon block cipher. In particular, we derive efficiently computable and easily implementable expressions for the exact differential and linear behaviour of Simon-like round …

Security of AES with a Secret S-box

How does the security of the AES change when the S-box is replaced by a secret S-box, about which the adversary has no knowledge? Would it be safe to reduce the number of encryption rounds? In this paper, we demonstrate attacks based on integral …