In this paper we look at the security of two block ciphers which were both claimed in the published literature to be secure
against differential cryptanalysis (DC). However, a more careful examination shows that neither of these ciphers is very secure
against... differential cryptanalysis, in particular if we consider attacks with sets of differentials. For both these ciphers
we report new perfectly periodic (iterative) aggregated differential attacks which propagate with quite high probabilities.
The first cipher we look at is GOST, a well-known Russian government encryption standard. The second cipher we look at is
PP-1, a very recent Polish block cipher. Both ciphers were designed to withstand linear and differential cryptanalysis. Unhappily,
both ciphers are shown to be much weaker than expected against advanced differential attacks. For GOST, we report better and
stronger sets of differentials than the best currently known attacks presented at SAC 2000 and propose the first attack
ever able to distinguish 16 rounds of GOST from a random permutation. For PP-1 we show that, in spite of the fact that its S-box
has an optimal theoretical security level against differential cryptanalysis, our differentials are strong enough
to break all the known versions of the PP-1 cipher.
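
The gap between single differentials and sets of differentials can be measured directly on a small S-box. The following is an added example, not code from the paper: it builds the difference distribution table of the public 4-bit PRESENT S-box (a constructed stand-in, not a GOST or PP-1 S-box) and compares the best single iterative differential with the best iterative set of at most three differences; all function names are assumptions of this example.

```python
from itertools import combinations

# Constructed toy input: the public 4-bit PRESENT S-box, used only as a small
# S-box with optimal differential uniformity. It is not a GOST or PP-1 S-box.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def ddt(sbox):
    """table[dx][dy] = number of inputs x with S(x) ^ S(x ^ dx) == dy."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table

def uniformity(table):
    """Largest entry over non-zero input differences (single differentials)."""
    return max(max(row) for row in table[1:])

def set_probability(table, a, b):
    """P[output difference in b | input difference uniform in a, x uniform]."""
    n = len(table)
    return sum(table[dx][dy] for dx in a for dy in b) / (n * len(a))

def best_iterative_set(table, max_size):
    """Search sets A of non-zero differences, |A| <= max_size, maximising P[A -> A]."""
    diffs = range(1, len(table))
    candidates = (c for k in range(1, max_size + 1) for c in combinations(diffs, k))
    best = max(candidates, key=lambda a: set_probability(table, a, a))
    return best, set_probability(table, best, best)

def best_iterative_single(table):
    """Best single differential of the form dx -> dx."""
    n = len(table)
    return max(table[d][d] for d in range(1, n)) / n

if __name__ == "__main__":
    t = ddt(SBOX)
    a, p = best_iterative_set(t, 3)
    print("uniformity:", uniformity(t))
    print("best single iterative:", best_iterative_single(t))
    print("best iterative set:", [hex(d) for d in a], "p =", p,
          "random baseline =", len(a) / 15)
```

The set probability should be read against the random baseline |A|/15, since a larger set is hit more often by chance.
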
Multiplicative complexity is the minimum number of AND-gates required to implement a given Boolean function in (AND, XOR) algebra. It is a good measure of the hardware complexity of an S-box, but an S-box cannot have too low a multiplicative complexity due to security constraints. In this article we focus on generic constructions that can be used to find good n × n S-boxes with low multiplicative complexity. We tested these constructions in the specific case when n = 8. We were able to find 8 × 8 S-boxes with multiplicative complexity at most 16 (which is half of the known bound on multiplicative complexity of the AES S-box), while providing a reasonable resistance against linear and differential cryptanalysis.