On the Security of RC4 in TLS
|
|
- Pierce Bailey
- 5 years ago
- Views:
Transcription
1 On the Security of RC4 in TLS Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering, Jacob Schuldt Royal Holloway, University of London University of Illinois at Chicago
2 TLS Record Protocol CBC-mode (AES, 3DES) RC4 2
3 TLS Record Protocol CBC-mode (AES, 3DES) RC4 BEAST attack 2
4 TLS Record Protocol CBC-mode (AES, 3DES) 13 RC4 BEAST attack Lucky 13 2
5 TLS Record Protocol CBC-mode (AES, 3DES) 13 RC4 Switch to RC4? BEAST attack Lucky 13 2
6 TLS Record Protocol CBC-mode (AES, 3DES) 13 RC4 Switch to RC4? BEAST attack Lucky 13 Recommended! 2
7 Usage of RC4 in Practice ICSI Certificate Notary Recent survey of 16 billion TLS connections: Approx. 50% protected via RC4 ciphersuites 3
8 Usage of RC4 in Practice ICSI Certificate Notary Recent survey of 16 billion TLS connections: Approx. 50% protected via RC4 ciphersuites How secure is TLS + RC4? 3
9 RC4 Keystream Distribution Random RC4 keys Keystream bytes 4
10 Keystream Distribution at Position Ciphertext distribution at position 1 Probability Byte value [ ] Byte value
11 Keystream Distribution at Position Ciphertext distribution at position 2 Probability Byte value [ ] Byte value
12 Keystream Distribution at Position Ciphertext distribution at position 3 Probability Byte value [ ] Byte value
13 Keystream Distribution at Position Ciphertext distribution at position 4 Probability Byte value [ ] Byte value
14 Keystream Distribution at Position Ciphertext distribution at position 5 Probability Byte value [ ] Byte value
15 Keystream Distribution at Position Ciphertext distribution at position 6 Probability Byte value [ ] Byte value
16 Keystream Distribution at Position Ciphertext distribution at position 7 Probability Byte value [ ] Byte value
17 Keystream Distribution at Position Ciphertext distribution at position 8 Probability Byte value [ ] Byte value
18 Keystream Distribution at Position Ciphertext distribution at position 9 Probability Byte value [ ] Byte value
19 Keystream Distribution at Position Ciphertext distribution at position 10 Probability Byte value [ ] Byte value
20 Keystream Distribution at Position Ciphertext distribution at position 11 Probability Byte value [ ] Byte value
21 Keystream Distribution at Position Ciphertext distribution at position 12 Probability Byte value [ ] Byte value
22 Keystream Distribution at Position Ciphertext distribution at position 13 Probability Byte value [ ] Byte value
23 Keystream Distribution at Position Ciphertext distribution at position 14 Probability Byte value [ ] Byte value
24 Keystream Distribution at Position Ciphertext distribution at position 15 Probability Byte value [ ] Byte value
25 Keystream Distribution at Position Ciphertext distribution at position 16 Probability Byte value [ ] Byte value
26 Plaintext Recovery Attack Ciphertext distribution at position 1 Ciphertext distribution at position 2 Probability Ciphertext distribution at position Byte value [ ] Probability + Probability Byte value [ ] Byte value [ ] TLS plaintext recovery (initial bytes) 21
27 Success Probability 2 20 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 22
28 Success Probability 2 21 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 23
29 Success Probability 2 22 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 24
30 Success Probability 2 23 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 25
31 Success Probability 2 24 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 26
32 Success Probability 2 25 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 27
33 Success Probability 2 26 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 28
34 Success Probability 2 27 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 29
35 Success Probability 2 28 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 30
36 Success Probability 2 29 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 31
37 Success Probability 2 30 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 32
38 Success Probability 2 31 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 33
39 Success Probability 2 32 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 34
40 Second Attack Double-byte long term biases + TLS plaintext recovery (any bytes) 35
41 Second Attack Beyond byte position 256? Double-byte long term biases + TLS plaintext recovery (any bytes) 35
42 Second Attack Beyond byte position 256? Double-byte long term biases + TLS plaintext recovery (any bytes) Interested? TLS + RHUL 35
43 Second Attack Beyond byte position 256? Double-byte long term biases + TLS plaintext recovery (any bytes) Interested? TLS + RHUL Thank You! 35
state-recovery analysis of spritz
state-recovery analysis of spritz Ralph Ankele 1 Stefan Kölbl 2 Christian Rechberger 2 August 25, 2015 1 RHUL, Royal Holloway University of London, United Kingdom 2 DTU Compute, Technical University of
More informationDependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA
Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Sourav Sen Gupta 1 Subhamoy Maitra 1 Willi Meier 2 Goutam Paul 1 Santanu Sarkar 3 Indian Statistical Institute, India FHNW, Windisch,
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 37 Outline 1 Pseudo-Random Generators and Stream Ciphers 2 More Security Definitions: CPA and CCA 3 Pseudo-Random Functions/Permutations
More informationRevisiting Roos Bias in RC4 Key Scheduling Algorithm
Revisiting Roos Bias in RC4 Key Scheduling Algorithm Santanu Sarkar, Ayineedi Venkateswarlu To cite this version: Santanu Sarkar, Ayineedi Venkateswarlu. Revisiting Roos Bias in RC4 Key Scheduling Algorithm.
More informationStatistical Attacks on Cookie Masking for RC4
Statistical Attacks on Cookie Masking for RC4 Kenneth G. Paterson 1 and Jacob C.N. Schuldt 2 1 Royal Holloway, University of London, UK 2 AIST, Japan Abstract. Levillain et al. (AsiaCCS 2015) proposed
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under
More informationA Practical Attack Against the Use of RC4 in the HIVE Hidden Volume Encryption System
A Practical Attack Against the Use of RC4 in the HIVE Hidden Volume Encryption System Kenneth G. Paterson 1 and Mario Strefler 2 1 Information Security Group, Royal Holloway, University of London Kenny.Paterson@rhul.ac.uk
More informationAnalysing and Exploiting the Mantin Biases in RC4
Analysing and Exploiting the Mantin Biases in RC4 Remi Bricout 1, Sean Murphy 2, Kenneth G. Paterson 2, and Thyla van der Merwe 2 1 ENS, Paris 2 Royal Holloway, University of London Abstract. We explore
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES
CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.
More informationSome New Weaknesses in the RC4 Stream Cipher
Some ew Weaknesses in the RC4 Stream Cipher Jing Lv (B), Bin Zhang, and Dongdai Lin 2 Laboratory of Trusted Computing and Information Assurance, Institute of Software, Chinese Academy of Sciences, 0090
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationRecent Cryptanalysis of RC4 Stream Cipher
28 August, 2013 ASK 2013 @ Weihai, China Recent Cryptanalysis of RC4 Stream Cipher Takanori Isobe Kobe University Joint work with Toshihiro Ohigashi, Yuhei Watanabe, and Maskatu Morii Agenda This talk
More informationIntroduction to Symmetric Cryptography
Introduction to Symmetric Cryptography COST Training School on Symmetric Cryptography and Blockchain Stefan Kölbl February 19th, 2018 DTU Compute, Technical University of Denmark Practical Information
More informationCryptanalysis of the Full Spritz Stream Cipher
Cryptanalysis of the Full Spritz Stream Cipher Subhadeep Banik 1,2 and Takanori Isobe 3 1 School of Physical and Mathematical Sciences, NTU 2 DTU Compute, Technical University of Denmark, Lungby 3 Sony
More informationAlternative Approaches: Bounded Storage Model
Alternative Approaches: Bounded Storage Model A. Würfl 17th April 2005 1 Motivation Description of the Randomized Cipher 2 Motivation Motivation Description of the Randomized Cipher Common practice in
More informationAttack on Broadcast RC4
Attack on Broadcast RC4 Revisited S. Maitra 1 G. Paul 2 S. Sen Gupta 1 1 Indian Statistical Institute, Kolkata 2 Jadavpur University, Kolkata FSE 2011, Lyngby, Denmark 15 February 2011 Outline of the Talk
More informationA Weak Cipher that Generates the Symmetric Group
A Weak Cipher that Generates the Symmetric Group Sean Murphy Kenneth Paterson Peter Wild Information Security Group, Royal Holloway and Bedford New College, University of London, Egham, Surrey TW20 0EX,
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers
More informationORYX. ORYX not an acronym, but upper case Designed for use with cell phones. Standard developed by. Cipher design process not open
ORYX ORYX 1 ORYX ORYX not an acronym, but upper case Designed for use with cell phones o To protect confidentiality of voice/data o For data channel, not control channel o Control channel encrypted with
More informationDistinct difference configurations and Wireless Sensor Networks
Distinct difference configurations and Wireless Sensor Networks Simon R. Blackburn Joint work with: Tuvi Etzion, Keith M. Martin, Maura B. Paterson Royal Holloway, University of London 12th May 2009 S.R.
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationFORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol
FORGERY ON STATELESS CMCC WITH A SINGLE QUERY Guy Barwell guy.barwell@bristol.ac.uk University of Bristol Abstract. We present attacks against CMCC that invalidate the claimed security of integrity protection
More informationSimple, Efficient and Strongly KI-Secure Hierarchical Key Assignment Schemes
Simple, Efficient and Strongly KI-Secure Hierarchical Key Assignment Schemes Eduarda S. V. Freire and Bertram Poettering and Kenny G. Paterson Information Security Group Royal Holloway, University of London
More informationA Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones
A Low Data Complexity Attack on the GMR-2 Cipher Used in the atellite Phones Ruilin Li, Heng Li, Chao Li, Bing un National University of Defense Technology, Changsha, China FE 2013, ingapore 11 th ~13
More informationCryptanalysis of the Algebraic Eraser
Cryptanalysis of the Algebraic Eraser Simon R. Blackburn Royal Holloway University of London 9th June 2016 Simon R. Blackburn (RHUL) The Algebraic Eraser 1 / 14 Diffie-Hellman key exchange Alice and Bob
More informationImpact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers
Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers Goutam Paul and Shashwat Raizada Jadavpur University, Kolkata and Indian Statistical Institute,
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationThe HMAC brawl. Daniel J. Bernstein University of Illinois at Chicago
The HMAC brawl Daniel J. Bernstein University of Illinois at Chicago 2012.02.19 Koblitz Menezes Another look at HMAC : : : : Third, we describe a fundamental flaw in Bellare s 2006 security proof for HMAC,
More informationSecret Key: stream ciphers & block ciphers
Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad define a secret key ( seed ) Using the seed generates a byte stream (Keystream): i-th byte is function only
More informationBlock ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit
Block ciphers Block ciphers Myrto Arapinis School o Inormatics University o Edinburgh January 22, 2015 A block cipher with parameters k and l is a pair o deterministic algorithms (E, D) such that Encryption
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More informationAnalysis and Implementation of RC4 Stream Cipher
Analysis and Implementation of RC4 Stream Cipher A thesis presented to Indian Statistical Institute in fulfillment of the thesis requirement for the degree of Doctor of Philosophy in Computer Science by
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More information(Non-)Random Sequences from (Non-)Random Permutations - Analysis of RC4 stream cipher
(on-)random Sequences from (on-)random Permutations - Analysis of RC4 stream cipher Sourav Sen Gupta, Subhamoy Maitra, Goutam Paul 2, and Santanu Sarkar Applied Statistics Unit, Indian Statistical Institute,
More informationFirst-Order DPA Attack Against AES in Counter Mode w/ Unknown Counter. DPA Attack, typical structure
Josh Jaffe CHES 2007 Cryptography Research, Inc. www.cryptography.com 575 Market St., 21 st Floor, San Francisco, CA 94105 1998-2007 Cryptography Research, Inc. Protected under issued and/or pending US
More informationSymmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway
Symmetric Cryptanalytic Techniques Sean Murphy ショーン マーフィー Royal Holloway Block Ciphers Encrypt blocks of data using a key Iterative process ( rounds ) Modified by Modes of Operation Data Encryption Standard
More informationProblem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed
Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical
More informationSymmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)
Symmetric Ciphers Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5) Symmetric Cryptography C = E(P,K) P = D(C,K) Requirements Given C, the only way to obtain P should be with the knowledge of K Any
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More information(Non-)Random Sequences from (Non-)Random Permutations Analysis of RC4 Stream Cipher
J. Cryptol. (2014) 27: 67 108 DOI: 10.1007/s00145-012-9138-1 (on-)random Sequences from (on-)random Permutations Analysis of RC4 Stream Cipher Sourav Sen Gupta and Subhamoy Maitra Applied Statistics Unit,
More informationA block cipher enciphers each block with the same key.
Ciphers are classified as block or stream ciphers. All ciphers split long messages into blocks and encipher each block separately. Block sizes range from one bit to thousands of bits per block. A block
More informationPractice Assignment 2 Discussion 24/02/ /02/2018
German University in Cairo Faculty of MET (CSEN 1001 Computer and Network Security Course) Dr. Amr El Mougy 1 RSA 1.1 RSA Encryption Practice Assignment 2 Discussion 24/02/2018-29/02/2018 Perform encryption
More informationCellular Automata in Cryptography" Information Security Group,Royal Holloway, Abstract The cipher systems based on Cellular Automata proposed by Nandi
Comments on \Theory and Applications of Cellular Automata in Cryptography" S.R. Blackburn, S. Murphy y and K.G. Paterson z Information Security Group,Royal Holloway, University of London, Surrey TW20 0EX,
More informationDistinguishing Attack on Common Scrambling Algorithm
410 The International Arab Journal of Information Technology, Vol. 12, No. 4, July 2015 Distinguishing Attack on Common Scrambling Algorithm Kai Zhang and Jie Guan Zhengzhou Information Science and Technology
More informationInformation Security Theory vs. Reality
Information Security Theory vs. Reality 0368-4474, Winter 2015-2016 Lecture 3: Power analysis, correlation power analysis Lecturer: Eran Tromer 1 Power Analysis Simple Power Analysis Correlation Power
More informationDifferential Fault Analysis of Trivium
Differential Fault Analysis of Trivium Michal Hojsík 1,2 and Bohuslav Rudolf 2,3 1 Department of Informatics, University of Bergen, N-5020 Bergen, Norway 2 Department of Algebra, Charles University in
More informationBias in the LEVIATHAN Stream Cipher
Bias in the LEVIATHAN tream ipher Paul rowley 1 and tefan Lucks 2 1 cryptolabs Amsterdam paul@cryptolabs.org 2 University of Mannheim lucks@weisskugel.informatik.uni-mannheim.de Abstract. We show two methods
More informationAnalysis of Message Injection in Stream Cipher-based Hash Functions
Analysis o Message Injection in Stream Cipher-based Hash Functions Yuto Nakano 1, Carlos Cid 2, Kazuhide Fukushima 1, and Shinsaku Kiyomoto 1 1 KDDI R&D Laboratories Inc. 2 Royal Holloway, University o
More informationCPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions
CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos
More informationSymmetric Encryption. Adam O Neill based on
Symmetric Encryption Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Syntax Eat $ 1 k7 - draw } randomised t ~ m T# c- Do m or Hateful distinguishes from ywckcipter - Correctness Pr [ NCK,
More informationSubspace Trail Cryptanalysis and its Applications to AES
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and Sondre Rønjom March, 2017 1 / 28 Introduction In the case of AES, several alternative representations (algebraic
More informationExpanding Weak-key Space of RC4
[DOI: 10.2197/ipsjjip.22.357] Recommended Paper Expanding Weak-key Space of RC4 Atsushi agao 1,a) Toshihiro Ohigashi 2 Takanori Isobe 1 Masakatu Morii 1 Received: July 7, 2013, Accepted: ovember 1, 2013
More informationInnovations in permutation-based crypto
Innovations in permutation-based crypto Joan Daemen 1,2 based on joint work with Guido Bertoni 3, Seth Hoert, Michaël Peeters 1, Gilles Van Assche 1 and Ronny Van Keer 1 Cryptacus Training School, Azores,
More informationAkelarre. Akelarre 1
Akelarre Akelarre 1 Akelarre Block cipher Combines features of 2 strong ciphers o IDEA mixed mode arithmetic o RC5 keyed rotations Goal is a more efficient strong cipher Proposed in 1996, broken within
More informationAES side channel attacks protection using random isomorphisms
Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random
More informationKey Recovery Attack against 2.5-round π-cipher
Key Recovery Attack against 2.5-round -Cipher Christina Boura 1, Avik Chakraborti 2, Gaëtan Leurent 3, Goutam Paul 2, Dhiman Saha 4, Hadi Soleimany 5,6 and Valentin Suder 7 1 University of Versailles,
More informationAttack on Broadcast RC4 Revisited
Attack on Broadcast RC4 Revisited Subhamoy Maitra, Goutam Paul 2, and Sourav Sen Gupta Applied Statistics Unit, Indian Statistical Institute, Kolkata 700 08, India {subho,souravsg r}@isical.ac.in 2 Department
More informationHow to Find Short RC4 Colliding Key.
JAIST Reposi https://dspace.j Title How to Find Short RC4 Colliding Key Author(s)Chen, Jiageng; Miyaji, Atsuko Citation Lecture Notes in Computer Science, 7 46 Issue Date 2011-10-12 Type Journal Article
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University
More informationGurgen Khachatrian Martun Karapetyan
34 International Journal Information Theories and Applications, Vol. 23, Number 1, (c) 2016 On a public key encryption algorithm based on Permutation Polynomials and performance analyses Gurgen Khachatrian
More informationPrivate-key Systems. Block ciphers. Stream ciphers
Chapter 2 Stream Ciphers Further Reading: [Sim92, Chapter 2] 21 Introduction Remember classication: Private-key Systems Block ciphers Stream ciphers Figure 21: Private-key cipher classication Block Cipher:
More informationBernoulli variables. Let X be a random variable such that. 1 with probability p X = 0 with probability q = 1 p
Unit 20 February 25, 2011 1 Bernoulli variables Let X be a random variable such that { 1 with probability p X = 0 with probability q = 1 p Such an X is called a Bernoulli random variable Unit 20 February
More informationDM49-2. Obligatoriske Opgave
DM49-2. Obligatoriske Opgave Jacob Christiansen, moffe42, 130282 Thomas Nordahl Pedersen, nordahl, 270282 1/4-05 Indhold 1 Opgave 1 - Public Exponent 2 1.1 a.................................. 2 1.2 b..................................
More informationDifferential Fault Analysis on DES Middle Rounds
Differential Fault Analysis on DES Middle Rounds Matthieu Rivain Speaker: Christophe Giraud Oberthur Technologies Agenda 1 Introduction Data Encryption Standard DFA on DES Last & Middle Rounds 2 Our Attack
More informationLinear Approximations for 2-round Trivium
Linear Approximations for 2-round Trivium Meltem Sönmez Turan 1, Orhun Kara 2 1 Institute of Applied Mathematics, Middle East Technical University Ankara, Turkey msonmez@metu.edu.tr 2 TUBITAK-UEKAE, Gebze,
More informationOn Permissions, Inheritance and Role Hierarchies
On Permissions, Inheritance and Role Hierarchies Information Security Group Royal Holloway, University of London Introduction The role hierarchy is central to most RBAC models Modelled as a partially ordered
More informationCube Attacks on Stream Ciphers Based on Division Property
Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23 Plan 1 Cube Attack:
More informationCryptanalysis of the Stream Cipher DECIM
Cryptanalysis of the Stream Cipher DECIM Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium {wu.hongjun, bart.preneel}@esat.kuleuven.be
More informationCold Boot Attacks in the Discrete Logarithm Setting
Cold Boot Attacks in the Discrete Logarithm Setting B. Poettering 1 & D. L. Sibborn 2 1 Ruhr University of Bochum 2 Royal Holloway, University of London October, 2015 Outline of the talk 1 Introduction
More informationDistinct Difference Configurations
Distinct Difference Configurations Simon R. Blackburn Joint work with: Tuvi Etzion, Keith M. Martin, Maura B. Paterson Royal Holloway, University of London 16th July 009 S.R. Blackburn (RHUL) Distinct
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationPseudo-Random Number Generators
Unit 41 April 18, 2011 1 Pseudo-Random Number Generators Recall the one-time pad: k = k 1, k 2, k 3... a random bit-string p = p 1, p 2, p 3,... plaintext bits E(p) = p k. We desire long sequences of numbers
More informationCSc 466/566. Computer Security. 5 : Cryptography Basics
1/84 CSc 466/566 Computer Security 5 : Cryptography Basics Version: 2012/03/03 10:44:26 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian Collberg Christian
More informationTHEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER. A. A. Zadeh and Howard M. Heys
THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER A. A. Zadeh and Howard M. Heys Electrical and Computer Engineering Faculty of Engineering and Applied Science Memorial University of Newfoundland
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang
More informationTable Of Contents. ! 1. Introduction to AES
1 Table Of Contents! 1. Introduction to AES! 2. Design Principles behind AES Linear Cryptanalysis Differential Cryptanalysis Square Attack Biclique Attack! 3. Quantum Cryptanalysis of AES Applying Grover
More informationACORN: A Lightweight Authenticated Cipher (v3)
ACORN: A Lightweight Authenticated Cipher (v3) Designer and Submitter: Hongjun Wu Division of Mathematical Sciences Nanyang Technological University wuhongjun@gmail.com 2016.09.15 Contents 1 Specification
More informationImpossible Differential Cryptanalysis of Mini-AES
Impossible Differential Cryptanalysis of Mini-AES Raphael Chung-Wei Phan ADDRESS: Swinburne Sarawak Institute of Technology, 1 st Floor, State Complex, 93576 Kuching, Sarawak, Malaysia. rphan@swinburne.edu.my
More informationOn the Design of Trivium
On the Design of Trivium Yun Tian, Gongliang Chen, Jianhua Li School of Information Security Engineering, Shanghai Jiaotong University, China ruth tian@sjtu.edu.cn, chengl@sjtu.edu.cn, lijh888@sjtu.edu.cn
More informationOn Data Complexity of Distinguishing Attacks vs. Message Recovery Attacks on Stream Ciphers
On Data Complexity of Distinguishing Attacks vs. Message Recovery Attacks on Stream Ciphers Goutam Paul Souvik Ray Abstract We revisit the different approaches used in the literature to estimate the data
More informationMessage Authentication (MAC) Algorithm For The VMPC-R (RC4-like) Stream Cipher
Message Authentication (MAC) Algorithm For The VMPC-R (RC4-like) Stream Cipher Bartosz Zoltak www.vmpcfunction.com bzoltak@vmpcfunction.com Abstract. We propose an authenticated encryption scheme for the
More informationA Practical Attack on Bluetooth Encryption
The : A Practical Yi Lu EPFL Willi Meier FH Aargau Serge Vaudenay EPFL CRYPTO 05, Santa Barbara Yi Lu, Willi Meier and Serge Vaudenay - p. 1/21 CRYPTO 05, Santa Barbara Yi Lu, Willi Meier and Serge Vaudenay
More informationDan Boneh. Stream ciphers. The One Time Pad
Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.
More informationStronger Security Variants of GCM-SIV
Stronger Security Variants of GCM-SIV Tetsu Iwata 1 Kazuhiko Minematsu 2 FSE 2017 Tokyo, Japan March 8 2017 Nagoya University, Japan NEC Corporation, Japan Supported in part by JSPS KAKENHI, Grant-in-Aid
More informationStream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden
Dept. of EIT, Lund University, P.O. Box 118, 221 00 Lund, Sweden thomas@eit.lth.se May 16, 2011 Outline: Introduction to stream ciphers Distinguishers Basic constructions of distinguishers Various types
More informationPicnic Post-Quantum Signatures from Zero Knowledge Proofs
Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM DAVID DERLER STEVEN GOLDFEDER JONATHAN KATZ VLAD KOLESNIKOV CLAUDIO ORLANDI SEBASTIAN RAMACHER CHRISTIAN RECHBERGER
More informationAlgebraic Aspects of Symmetric-key Cryptography
Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques
More informationAn Improved Estimate of the Correlation of Distinguisher for Dragon
An Improved Estimate of the Correlation of Distinguisher for Dragon Joo Yeon Cho Helsinki University of Technology, Laboratory for Theoretical Computer Science, P.O. Box 5400, FI-02015 TKK, Finland joo.cho@tkk.fi
More informationRC4 State Information at Any Stage Reveals the Secret Key
RC4 State Information at Any Stage Reveals the Secret Key Goutam Paul Department of Computer Science and Engineering, Jadavpur University, Kolkata 700 032, India, Email: goutam paul@cse.jdvu.ac.in Subhamoy
More informationCold Boot Key Recovery by Solving Polynomial Systems with Noise
Cold Boot Key Recovery by Solving Polynomial Systems with Noise Martin R. Albrecht 1 & Carlos Cid 2 Team Salsa, LIP6, UPMC Information Security Group, Royal Holloway, University of London DTU, 04. April
More informationLow Complexity Differential Cryptanalysis and Fault Analysis of AES
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low
More informationLecture Notes. Advanced Discrete Structures COT S
Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-22 Recap Two methods for attacking the Vigenère cipher Frequency analysis Dot Product Playfair Cipher Classical Cryptosystems - Section
More informationA Pseudo-Random Encryption Mode
A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More informationKlein s and PTW Attacks on WEP
TTM4137 Wireless Security Klein s and PTW Attacks on WEP Anton Stolbunov NTNU, Department of Telematics version 1, September 7, 2009 Abstract These notes should help for an in-depth understanding of the
More informationFundamentals of Modern Cryptography
Fundamentals of Modern Cryptography BRUCE MOMJIAN This presentation explains the fundamentals of modern cryptographic methods. Creative Commons Attribution License http://momjian.us/presentations Last
More informationSecurity Evaluation of Stream Cipher Enocoro-128v2
Security Evaluation of Stream Cipher Enocoro-128v2 Hell, Martin; Johansson, Thomas 2010 Link to publication Citation for published version (APA): Hell, M., & Johansson, T. (2010). Security Evaluation of
More informationKey reconstruction from the inner state of RC4
BACHELOR THESIS Lukáš Sladký Key reconstruction from the inner state of RC4 Department of Algebra Supervisor of the bachelor thesis: Study programme: Study branch: Mgr. Milan Boháček Mathematics Mathematical
More information