Public-key Cryptography: Theory and Practice
|
|
- Gervase Evans
- 5 years ago
- Views:
Transcription
1 Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques
2 Block Ciphers A block cipher f of block-size n and key-size r is a function f : Z n 2 Zr 2 Zn 2 that maps (M, K) to C = f(m, K). For each key K, the map f K : Z n 2 Zn 2 taking a plaintext message M to the ciphertext message C = f K (M) = f(m, K) should be bijective (invertible). n and r should be large enough to preclude successful exhaustive search. Each f K should be a sufficiently random permutation.
3 Block Ciphers: Examples Name n, r (Data Encryption Standard) 64, 56 FEAL (Fast Data Encipherment Algorithm) 64, 64 SAFER (Secure And Fast Encryption Routine) 64, 64 IDEA (International Data Encryption Algorithm) 64, 128 Blowfish 64, 448 The Finalists Rijndael (Rijmen and Daemen) 128, 128/192/256 Serpent (Anderson, Biham and Knudsen) 128, 128/192/256 Twofish (Schneier and others) 128, 256 RC6 (Rivest and others) 128, 128/192/256 MARS (Coppersmith and others) 128, (multiple of 32) Old standard: New standard: (adaptation of the Rijndael cipher)
4 Block Ciphers: Security Requirements Introduced by Shannon in Confusion The relation between key and ciphertext must be very complex. Changing a single key bit should affect every ciphertext bit pseudorandomly. Ideally, for a change in each key bit, each ciphertext bit should change with probability 1/2. Confusion is meant to make the guess of the key difficult. Diffusion The relation between plaintext and ciphertext must be very complex. Changing a single plaintext bit should affect every ciphertext bit pseudorandomly. Ideally, for a change in each plaintext bit, each ciphertext bit should change with probability 1/2. Diffusion is meant to dissipate plaintext redundancy.
5 Iterated Block Cipher Block Ciphers M K C K Round 1 e K 1 Round l e 1 K r Round 2 e... K 2 Key Schedule Round l 1 e 1K r 1... Key Schedule Round l e K r K 1 Round 1 e 1 C M (a) Encryption (b) Decryption
6 Substitution-Permutation Network (SPN) Block from round i 1 Substitution Box (S Box) e Permutation Box (P Box) Round key K i Block to round i+1
7 Feistel Cipher Block Ciphers Li 1 Ri 1 R i L i e K i e K i Li (a) Encryption Ri R i 1 L i 1 (b) Decryption L i = R i 1 R i 1 = L i R i = L i 1 e(r i 1, K i ) L i 1 = R i e(l i, K i )
8 (Data Encryption Standard) Proposed as a US standard in supports blocks of length n = 64 bits. supports keys K = k 1 k 2...k 64 of length r = 64 bits, but the bits k 8, k 16,...,k 64 are used as parity-check bits. So the effective key size is 56 bits. is a Feistel cipher. The number of rounds in is l = 16.
9 Key Schedule Block Ciphers Input: A key K = k 1 k 2...k 64. Output: Sixteen 48-bit round keys K 1, K 2,...,K 16. Generate 56-bit permuted key U 0 = PC1(K) = k 57 k 49 k k 12 k 4. Break U 0 in two 28-bit parts: U 0 = C 0 D 0. for i = 1, 2,..., 16, repeat the following steps: { 1 if i = 1, 2, 9, 16, Take s := 2 otherwise. Cyclically left shift C i 1 by s bits to get C i. Cyclically left shift D i 1 by s bits to get D i. Let U i := C i D i = u 1 u 2... u 56. Compute 48-bit round key K i = PC2(U i ) = u 14 u 17 u u 29 u 32.
10 Key Schedule (contd) PC1 PC
11 Encryption Block Ciphers Input: Plaintext block M = m 1 m 2...m 64 and round keys K 1, K 2,..., K 16. Output: The ciphertext block C. Apply initial permutation: V = IP(M) = m 58 m 50 m m 15 m 7. Break V in two 32-bit parts: V = L 0 R 0. For i = 1, 2,..., 16, repeat the following steps: L i := R i 1. R i := L i 1 e(r i 1, K i ). Let W = R 16 L 16 = w 1 w 2... w 64. Apply inverse of IP: C = IP 1 (W) = w 40 w 8 w w 57 w 25.
12 Encryption (contd) IP IP 1
13 Encryption (contd) Encryption primitive e(x, J) = P(S(E(X) J)), where X is a 32-bit message block, and J is a 48-bit round key. Apply 32-to-48 bit expansion: X = E(X) = x 32 x 1 x 2... x 32 x 1. XOR with the round key: Y = X J. Break Y in eight 6-bit parts: Y = Y 1 Y 2 Y 8. For j = 1, 2,...,8, do the following: Write Y j = y 1 y 2 y 3 y 4 y 5 y 6. Consider the integers µ = (y 1 y 6 ) 2 and ν = (y 2 y 3 y 4 y 5 ) 2. Let Z j = (z 1 z 2 z 3 z 4 ) 2 = S j (µ, ν). Concatenate the Z j s to the 32-bit value: Z = Z 1 Z 2 Z 8 = z 1 z 2... z 32. Apply permutation function: e(x, J) = P(Z) = z 16 z 7 z 20...z 4 z 25.
14 Encryption (contd) E P
15 Encryption: S-Boxes S S S
16 Encryption: S-Boxes (contd) S S S
17 Encryption: S-Boxes (contd) S S
18 Decryption Block Ciphers Input: Ciphertext block C = c 1 c 2...c 64 and round keys K 1, K 2,..., K 16. Output: The plaintext block M. Apply initial permutation: V = IP(C) = c 58 c 50 c c 15 c 7. Break V in two 32-bit parts: V = R 16 L 16. For i = 16, 15,..., 1, repeat the following steps: R i 1 = L i. L i 1 = R i e(l i, K i ). Let W = L 0 R 0 = w 1 w 2... w 64. Apply inverse of IP: M = IP 1 (W) = w 40 w 8 w w 57 w 25. Note: decryption is the same as encryption, with the key schedule reversed.
19 (Advanced Encryption Standard) is an adaptation of the Rijndael cipher designed by J. Daemen and V. Rijmen. Since supports short keys (56 bits) vulnerable even to brute-force search, the new standard is adopted in is a substitution-permutation cipher. is not a Feistel cipher. The block size for is n = 128 bits. Number of rounds for is l = 10, 12, or 14 for key sizes r = 128, 192, or 256 bits. key schedule: From K, generate 32-bit round keys K 0, K 1,...,K 4l+3. Four round keys are used in a round.
20 (contd) Block Ciphers State: represents a 128-bit message block as a 4 4 array of octets: µ 0 µ 1...µ 15 µ 0 µ 4 µ 8 µ 12 µ 1 µ 5 µ 9 µ 13 µ 2 µ 6 µ 10 µ 14 µ 3 µ 7 µ 11 µ 15 Each octet A = a 7 a 6...a 1 a 0 in the state is identified with the element a 7 α 7 + a 6 α a 1 α + a 0 of F 2 8 = F 2 (α), where α 8 + α 4 + α 3 + α + 1 = 0. Each column A 3 A 2 A 1 A 0 in the state is identified with the element A 3 y 3 + A 2 y 2 + A 1 y + A 0 of F 2 8[y] modulo the (reducible polynomial) y
21 Encryption Block Ciphers Generate key schedule K 0, K 1,..., K 4l+3 from the key K. Convert the plaintext block M to a state S. S = AddKey(S, K 0, K 1, K 2, K 3 ). [bitwise XOR] for i = 1, 2,...,l do the following: S = SubState(S). [non-linear, involves inverses in F 2 8] S = ShiftRows(S). [cyclic shift of octets in each row] If i l, S = MixCols(S). [operation in F 2 8[y] mod y 4 + 1] S = AddKey(S, K 4i, K 4i+1, K 4i+2, K 4i+3 ). [bitwise XOR] Convert the state S to the ciphertext block C.
22 Decryption Block Ciphers Generate key schedule K 0, K 1,..., K 4l+3 from the key K. Convert the ciphertext block C to a state S. S = AddKey(S, K 4l, K 4l+1, K 4l+2, K 4l+3 ). for i = l 1, l 2,...,1, 0 do the following: S = ShiftRows 1 (S). S = SubState 1 (S). S = AddKey(S, K 4i, K 4i+1, K 4i+2, K 4i+3 ). If i 0, S = MixCols 1 (S). Convert the state S to the plaintext block M.
23 : The AddKey Primitive Let S = (σ uv ) = σ 00 σ 01 σ 02 σ 03 σ 10 σ 20 σ 11 σ 21 σ 12 σ 22 σ 13 σ 23 be a state of. σ 30 σ 31 σ 32 σ 33 Let the four 32-bit round keys be L 0, L 1, L 2, L 3 with the octet representation L u = λ u0 λ u1 λ u2 λ u3. The u-th key L u is XORed with the u-th column of the state S.. σ 33 λ 33 S maps to AddKey(S, L 0, L 1, L 2, L 3 ) = σ 00 λ 00 σ 01 λ 10 σ 02 λ 20 σ 03 λ 30 σ 10 λ 01 σ 20 λ 02 σ 11 λ 11 σ 21 λ 12 σ 12 λ 21 σ 22 λ 22 σ 13 λ 31 σ 23 λ 32 σ 30 λ 03 σ 31 λ 13 σ 32 λ 23
24 : The SubState Primitive Let A = a 0 a 1... a 6 a 7 be an octet (an element of F 2 8). Let B = b 0 b 1... b 6 b 7 = A 1 in F 2 8 (with 0 1 = 0). Let D = d 0 d 1... d 6 d 7 = 63 = SubOctet(A) = C = c 0 c 1... c 6 c 7, where c i = b i b (i+1)rem8 b (i+2)rem8 b (i+3)rem8 b (i+4)rem8 d i. Let S = σ 00 σ 01 σ 02 σ 03 σ 10 σ 20 σ 11 σ 21 σ 12 σ 22 σ 13 σ 23 be a state. σ 30 σ 31 σ 32 σ 33 SubState(S) = σ 00 σ 01 σ 02 σ 03 σ 10 σ 11 σ 12 σ 13 σ 20 σ 21 σ 22 σ 23 σ 30 σ 31 σ 32 σ 33, where σ uv = SubOctet(σ uv).
25 : The ShiftRows Primitive Cyclically left rotate the r-th row by r bytes: σ 00 σ 01 σ 02 σ 03 σ 10 σ 20 σ 11 σ 21 σ 12 σ 22 σ 13 σ 23 maps to σ 30 σ 31 σ 32 σ 33. σ 32 σ 00 σ 01 σ 02 σ 03 σ 11 σ 22 σ 12 σ 23 σ 13 σ 20 σ 10 σ 21 σ 33 σ 30 σ 31
26 : The MixCols Primitive Let S = σ 00 σ 01 σ 02 σ 03 σ 10 σ 20 σ 11 σ 21 σ 12 σ 22 σ 13 σ 23 be a state. σ 30 σ 31 σ 32 σ 33 Each column of S is identified with an element of F 2 8[y], and is multiplied by the constant polynomial [03]y 3 + [01]y 2 + [01]y + [02] modulo y The v-th column σ 0v σ 1v σ 2v maps to σ 3v where is the multiplication of F 2 8. σ 0v σ 1v σ 2v σ 3v,
27 Inverses of Encryption Primitives AddKey is the inverse of itself. SubState 1 is the octet-by-octet inverse of SubOctet. SubOctet 1 involves an affine transformation followed by taking inverse in F 2 8. ShiftRows 1 cyclically right rotates the r-th row by r bytes. MixCols 1 multiplies each column by the polynomial [0b]y 3 + [0d]y 2 + [09]y + [0e] modulo y 4 + 1, with the coefficient arithmetic being that of F 2 8.
28 Key Schedule Block Ciphers Let t be the key size in words (t = 4, 6, 8 for r = 128, 192, 256). The respective numbers of rounds are l = 10, 12, 14. key schedule generates 4(l + 1) 32-bit keys K 0, K 1,...,K 4Nr+3 from the secret key K. Initially, K = K 0 K 1... K t 1. For i = t, t + 1,..., 4l + 3, generate K i as follows: Let K i 1 = τ 0 τ 1 τ 2 τ 3 (each τ j an octet). Let τ j = SubOctet(τ j ). If (i 0 (mod t)), then set T = (τ 1 τ 2 τ 3 τ 0 ) [α(i/t) ], else if (t > 6) and (i 4 (mod t)), then set T = τ 0 τ 1 τ 2 τ 3. Generate the 32-bit key K i = K i t T.
29 Multiple Encryption Block Ciphers K 1 K 2 m x g 1 g 2 c (a) Double encryption K 1 K 2 K 3 m x y h 1 h 2 h 3 c (b) Triple encryption
30 Modes of Operation: Encryption Break the message M = M 1 M 2... M l into blocks of bit length n n. To generate the ciphertext C = C 1 C 2... C l. ECB (Electronic Code-Book) mode: Here n = n. C i = f K (M i ). CBC (Cipher-Block Chaining) mode: Here n = n. Set C 0 = IV. C i = f K (M i C i 1 ). CFB (Cipher FeedBack) Mode: Here n n. Set k 0 = IV. C i = M i msb n (f K (k i 1 )). [Mask key and plaintext] k i = lsb n n (k i 1 ) C i. [Generate next key] OFB (Output FeedBack) Mode: Here n n. Set k 0 = IV. k i = f K (k i 1 ). [Generate next key] C i = M i msb n (k i ). [Mask plaintext block] CFB and OFB modes act like stream ciphers
31 Modes of Operation: Decryption ECB (Electronic Code-Book) mode: M i = f 1 K (C i). CBC (Cipher-Block Chaining) mode: Set C 0 = IV. M i = f 1 K (C i) C i 1. CFB (Cipher FeedBack) Mode: Set k 0 = IV. M i = C i msb n (f K (k i 1 )). [Remove mask from ciphertext] k i = lsb n n (k i 1 ) C i. [Generate next key] OFB (Output FeedBack) Mode: Set k 0 = IV. k i = f K (k i 1 ). [Generate next key] M i = C i msb n (k i ). [Remove mask from ciphertext]
32 Attacks on Block Ciphers Exhaustive key search If the key space is small, all possibilities for an unknown key can be matched against known plaintext-ciphertext pairs. Many challenges are cracked by exhaustive key search. has a small key-size (56 bits). Only two plaintext-ciphertext pairs usually suffice to determine a key uniquely. Exhaustive key search on block ciphers (like ) with key sizes 128 is infeasible. Linear and differential cryptanalysis By far the most sophisticated attacks on block ciphers. Impractical if sufficiently many rounds are used. is robust against these attacks.
33 Attacks on Block Ciphers (contd) Specific attacks on Square attack Collision attack Algebraic attacks (like XSL) Meet-in-the-middle attack Applies to multiple encryption schemes. For m stages, we get security of m/2 keys only.
34 Block Ciphers Linear Feedback Shift Register (LFSR) Berlekamp-Massey Attack Stream ciphers encrypt bit-by-bit. Plaintext stream: M = m 1 m 2...m l. Key stream: K = k 1 k 2...k l. Ciphertext stream: C = c 1 c 2... c l. Encryption: c i = m i k i. Decryption: m i = c i k i. Source of security: unpredictability in the key-stream. Vernam s one-time pad: For a truly random key stream, Pr(c i = 0) = Pr(c i = 1) = 1 2 for each i, irrespective of the probabilities of the values assumed by m i. This leads to unconditional security, that is, the knowledge of any number of plaintext-ciphertext bit pairs, does not help in decrypting a new ciphertext bit.
35 : Drawbacks Linear Feedback Shift Register (LFSR) Berlekamp-Massey Attack Key stream should be as long as the message stream. Management of long key streams is difficult. It is difficult to generate truly random (and reproducible) key streams. Pseudorandom bit streams provide practical solution, but do not guarantee unconditional security. Pseudorandom bit generators are vulnerable to compromise of seeds. Repeated use of the same key stream degrades security.
36 Linear Feedback Shift Register (LFSR) Berlekamp-Massey Attack Linear Feedback Shift Register (LFSR) feedback s d Dd 1 Dd 2 D2 D1 D0 d 1 s d d 1 d 2 a a s s s s 0 a a 2 1 a 0 output
37 LFSR: Example Block Ciphers Linear Feedback Shift Register (LFSR) Berlekamp-Massey Attack D D 2 D 1 D 0 3 output Time D 3 D 2 D 1 D
38 LFSR: State Transition Linear Feedback Shift Register (LFSR) Berlekamp-Massey Attack Control bits: a 0, a 1,...,a d 1. State: s = (s 0, s 1,..., s d 1 ). Each clock pulse changes the state as follows: t 0 = s 1 t 1 = s 2. t d 2 = s d 1 t d 1 a 0 s 0 + a 1 s 1 + a 2 s a d 1 s d 1 (mod 2).
39 LFSR: State Transition (contd) Linear Feedback Shift Register (LFSR) Berlekamp-Massey Attack In the matrix notation t L s (mod 2), where the transition matrix is L = a 0 a 1 a 2 a d 2 a d 1
40 LFSR (contd) Block Ciphers Linear Feedback Shift Register (LFSR) Berlekamp-Massey Attack The output bit-stream behaves like a pseudorandom sequence. The output stream must be periodic. The period should be large. Maximum period of a non-zero bit-stream = 2 d 1. Maximum-length LFSR has the maximum period. Connection polynomial C L (x) = 1+a d 1 x + a d 2 x 2 + +a 1 x d 1 + a 0 x d F 2 [X]. L is a maximum-length LFSR if and only if C L (x) is a primitive polynomial of F 2 [x].
41 An Attack on LFSR Block Ciphers Linear Feedback Shift Register (LFSR) Berlekamp-Massey Attack The linear relation of the feedback bit as a function of the current state in LFSRs invites attacks. Berlekamp-Massey attack Suppose that the bits m i and c i for 2d consecutive values of i (say, 1, 2,...,2d) are known to an attacker. Then k i = m i c i are also known for these values of i. Define the states S i = (k i, k i+1,...,k i+d 1 ) of the LFSR. Then, S i+1 L S i (mod 2) for i = 1, 2,...,d. Treat each S i as a column vector. Then, ( S2 S 3 S d+1 ) L ( S1 S 2 S d ) (mod 2) This reveals L, that is, the secret a 0, a 1,...,a d 1. Remedy: Introduce non-linearity to the LFSR output.
42 Nonlinear Combination Generator Linear Feedback Shift Register (LFSR) Berlekamp-Massey Attack LFSR 1 u 1 LFSR.. LFSR 2 k u u 2 k f Nonlinear function u
43 The Geffe Generator Block Ciphers Linear Feedback Shift Register (LFSR) Berlekamp-Massey Attack LFSR LFSR 1 2 u u 1 2 k LFSR 3 u 3 f
44 Nonlinear Filter Generator Linear Feedback Shift Register (LFSR) Berlekamp-Massey Attack Feedback Feedback function... Nonlinear filter function Output
45 Block Ciphers Properties Merkle s Meta Method SHA-1 Used to convert strings of any length to strings of a fixed length. Used for the generation of (short) representatives of messages. Unkeyed hash functions ensure data integrity. Keyed hash functions authenticate source of messages. Symmetric techniques are typically used for designing hash functions. A collision for a hash function H is a pair of two distinct strings x, y with H(x) = H(y). Since hash functions map an infinite domain to finite sets, collisions must exist for any hash function.
46 Properties Merkle s Meta Method SHA-1 : Desirable Properties Easy to compute First pre-image resistance (Difficult to invert): For most hash values y, it should be difficult to find a string x with H(x) = y. Second pre-image resistance: Given a string x, it should be difficult to find a different string x with H(x ) = H(x). Collision resistance: It should be difficult to find two distinct strings x, x with H(x) = H(x ).
47 Properties Merkle s Meta Method SHA-1 : Properties (contd) Collision resistance implies second pre-image resistance. Second pre-image resistance does not imply collision resistance: Let S be a finite set of size 2 and H a cryptographic hash function. Then { H 0 n+1 if x S, (x) = 1 H(x) otherwise, is second pre-image resistant but not collision resistant.
48 Properties Merkle s Meta Method SHA-1 : Properties (contd) Collision resistance does not imply first pre-image resistance: Let H be an n-bit cryptographic hash function. Then { H 0 x if x = n, (x) = 1 H(x) otherwise. is collision resistant (so second pre-image resistant), but not first pre-image resistant. First pre-image resistance does not imply second pre-image resistance: Let m be a product of two unknown big primes. Define H (x) = (1 x) 2 (mod m). H is first pre-image resistant, but not second pre-image resistant.
49 : Construction Properties Merkle s Meta Method SHA-1 Compression function: A function F : Z m 2 Zn 2, where m = n + r. Merkle-Damgård s meta method Break the input x = x 1 x 2... x l to blocks each of bit-length r. Initialize h 0 = 0 r. For i = 1, 2,..., l use compression h i = F(h i 1 x i ). Output H(x) = h l as the hash value. x1 x2 x3... xl h0 h 1 h 2 h 3 hl 1 h l F F F... F
50 Properties Merkle s Meta Method SHA-1 : Construction (contd) Properties If F is first pre-image resistant, then H is also first pre-image resistant. If F is collision resistant, then H is also collision resistant. A concrete realization Let f is a block cipher of block-size n and key-size r. Take: F(M K) = f K (M). Keyed hash function HMAC(M) = H(K P H(K Q M)), where H is an unkeyed hash function, K is a key and P, Q are short padding strings.
51 Properties Merkle s Meta Method SHA-1 Custom-Designed The SHA (Secure Hash Algorithm) family: SHA-1 (160-bit), SHA-256 (256-bit), SHA-384 (384-bit), SHA-512 (512-bit). The MD family: MD2 (128-bit), MD5 (128-bit). The RIPEMD family: RIPEMD-128 (128-bit), RIPEMD-160 (160-bit).
52 SHA-1: Message Padding Properties Merkle s Meta Method SHA-1 To compute SHA-1(M) for a message M of bit-length λ. Pad M to generate M = M 1 0 k Λ, where Λ is the 64-bit representation of λ, and k is the smallest integer 0 for which M = λ k + 64 is a multiple of 512. Break M into 512-bit blocks M (1), M (2),..., M (l). Break each M (i) = M (i) 0 M (i) 1 M (i) 15 into sixteen 32-bit words M (i) j.
53 Properties Merkle s Meta Method SHA-1 SHA-1: Iterated Hash Construction The idea is similar to the Merkle-Damgård construction. Start with the initial hash value H (0) = 0x efcdab89 98badcfe c3d2e1f0. For i = 1, 2,...,l, consume the message block M (i) to convert H (i 1) to H (i). Return H (l) as SHA-1(M). Each H (i) is a 160-bit value. Write H (i) = H (i) 0 H (i) 1 H (i) 2 H (i) is a 32-bit word. H (i) j 3 H (i) 4, where each
54 SHA-1: Compression Function Properties Merkle s Meta Method SHA-1 Compute the message schedule W j, 0 j 79: For j = 0, 1,..., 15, set W j := M (i) j. For j = 16, 17,..., 79, set W j := LR 1 (W j 3 W j 8 W j 14 W j 16 ). For j = 0, 1, 2, 3, 4, store H (i 1) j in t j. For j = 0, 1,...,79, do the following: ) Set T = (LR 5 (t 0 ) + f j (t 1, t 2, t 3 ) + t 4 + K j + W j rem t 4 = t 3, t 3 = t 2, t 2 = RR 2 (t 1 ), t 1 = t 0, t 0 = T. ( ) For j = 0, 1, 2, 3, 4, update H (i) j := t j + H (i 1) j rem 2 32.
55 Properties Merkle s Meta Method SHA-1 SHA-1: Compression Function (contd) xy xz if 0 j 19 x y z if 20 j 39 f j (x, y, z) = xy xz yz if 40 j 59 x y z if 60 j 79 0x5a if 0 j 19 0x6ed9eba1 if 20 j 39 K j = 0x8f1bbcdc if 40 j 59 0xca62c1d6 if 60 j 79 LR k and RR k mean left and right rotate by k bits.
56 Attacks on Properties Merkle s Meta Method SHA-1 The birthday attack is based on the birthday paradox. For an n-bit hash function, one needs to compute on an average 2 n/2 hash values in order to detect (with high probability) a collision for the hash function. For cryptographic applications one requires n 128 (n 160 is preferable). Algebraic attacks may make hash functions vulnerable. Some other attacks: Pseudo-collision attacks Chaining attacks Attacks on the underlying cipher Exhaustive key search for keyed hash functions Long message attacks
57 The Birthday Paradox Block Ciphers Properties Merkle s Meta Method SHA-1 Let S be a set finite size N. k elements are drawn at random from S (with replacement). The probability that all these k elements are distinct is p k = N(N 1) (N k + 1) N k = k 1 i=1 ( 1 i N p k 1/2 for k N ln N. p k for k 2 N. ) e k(k 1) 2N. Examples There is a chance of 50% that at least two of 23 (randomly chosen) persons have the same birthday. A collision of an n-bit hash function can be found with high probability from O(2 n/2 ) random hash calculations.
Symmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationSymmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)
Symmetric Ciphers Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5) Symmetric Cryptography C = E(P,K) P = D(C,K) Requirements Given C, the only way to obtain P should be with the knowledge of K Any
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES
CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.
More informationPseudo-Random Number Generators
Unit 41 April 18, 2011 1 Pseudo-Random Number Generators Recall the one-time pad: k = k 1, k 2, k 3... a random bit-string p = p 1, p 2, p 3,... plaintext bits E(p) = p k. We desire long sequences of numbers
More informationA block cipher enciphers each block with the same key.
Ciphers are classified as block or stream ciphers. All ciphers split long messages into blocks and encipher each block separately. Block sizes range from one bit to thousands of bits per block. A block
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More informationCSc 466/566. Computer Security. 5 : Cryptography Basics
1/84 CSc 466/566 Computer Security 5 : Cryptography Basics Version: 2012/03/03 10:44:26 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian Collberg Christian
More informationCRC Press has granted the following specific permissions for the electronic version of this book:
This is a Chapter from the Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996. For further information, see www.cacr.math.uwaterloo.ca/hac CRC Press has
More informationBlock Cipher Cryptanalysis: An Overview
0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution
More informationSTREAM CIPHER. Chapter - 3
STREAM CIPHER Chapter - 3 S t r e a m C i p h e r P a g e 38 S t r e a m C i p h e r P a g e 39 STREAM CIPHERS Stream cipher is a class of symmetric key algorithm that operates on individual bits or bytes.
More informationHash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.
Hash Functions 1 Hash Functions A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length. 0 1 1 0 1 0 0 1 Long Message Hash Function 1 1 1
More informationTHE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018
THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 CPSC 418/MATH 318 L01 October 17, 2018 Time: 50 minutes
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationProblem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed
Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical
More informationLecture 4: DES and block ciphers
Lecture 4: DES and block ciphers Johan Håstad, transcribed by Ernir Erlingsson 2006-01-25 1 DES DES is a 64 bit block cipher with a 56 bit key. It selects a 64 bit block and modifies it depending on the
More informationModule 2 Advanced Symmetric Ciphers
Module 2 Advanced Symmetric Ciphers Dr. Natarajan Meghanathan Professor of Computer Science Jackson State University E-mail: natarajan.meghanathan@jsums.edu Data Encryption Standard (DES) The DES algorithm
More informationSecret Key: stream ciphers & block ciphers
Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad define a secret key ( seed ) Using the seed generates a byte stream (Keystream): i-th byte is function only
More informationOutline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael
Outline CPSC 418/MATH 318 Introduction to Cryptography Advanced Encryption Standard Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in
More informationSMASH - A Cryptographic Hash Function
SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the
More informationBiomedical Security. Overview 9/15/2017. Erwin M. Bakker
Biomedical Security Erwin M. Bakker Overview Cryptography: Algorithms Cryptography: Protocols Pretty Good Privacy (PGP) / B. Schneier Workshop Biomedical Security Biomedical Application Security (guest
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 20, 2014 CPSC 467, Lecture 15 1/37 Common Hash Functions SHA-2 MD5 Birthday Attack on Hash Functions Constructing New
More informationLecture Notes. Advanced Discrete Structures COT S
Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-27 Recap ADFGX Cipher Block Cipher Modes of Operation Hill Cipher Inverting a Matrix (mod n) Encryption: Hill Cipher Example Multiple
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More informationSpecification on a Block Cipher : Hierocrypt L1
Specification on a Block Cipher : Hierocrypt L1 Toshiba Corporation September 2001 Contents 1 Design principle 3 1.1 Data randomizing part........................ 3 1.1.1 Nested SPN structure....................
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationChapter 2 Symmetric Encryption Algorithms
Chapter 2 Symmetric Encryption Algorithms February 15, 2010 2 The term symmetric means that the same key used to encrypt is used decrypt. In the widest sense all pre-pkc encryption algorithms are symmetric,
More informationPrivate-key Systems. Block ciphers. Stream ciphers
Chapter 2 Stream Ciphers Further Reading: [Sim92, Chapter 2] 21 Introduction Remember classication: Private-key Systems Block ciphers Stream ciphers Figure 21: Private-key cipher classication Block Cipher:
More informationStructural Evaluation by Generalized Integral Property
Structural Evaluation by Generalized Integral Property Yosue Todo NTT Secure Platform Laboratories, Toyo, Japan todo.yosue@lab.ntt.co.jp Abstract. In this paper, we show structural cryptanalyses against
More informationWeek 12: Hash Functions and MAC
Week 12: Hash Functions and MAC 1. Introduction Hash Functions vs. MAC 2 Hash Functions Any Message M Hash Function Generate a fixed length Fingerprint for an arbitrary length message. No Key involved.
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationHashes and Message Digests Alex X. Liu & Haipeng Dai
Hashes and Message Digests Alex X. Liu & Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University Integrity vs. Secrecy Integrity: attacker cannot
More informationAnalysis of SHA-1 in Encryption Mode
Analysis of SHA- in Encryption Mode [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 00, vol. 00 of Lecture Notes in Computer Science, pp. 70 83, Springer-Verlag, 00.] Helena Handschuh, Lars
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among
More informationAnalysis of Modern Stream Ciphers
Analysis of Modern Stream Ciphers Josef Pieprzyk Centre for Advanced Computing Algorithms and Cryptography, Macquarie University, Australia CANS - Singapore - December 2007 estream Outline 1. estream Project
More informationIntroduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication
Common Usage of MACs for message authentication Introduction to Cryptography k Alice α m, MAC k (m) Isα= MAC k (m)? Bob k Lecture 5 Benny Pinkas k Alice m, MAC k (m) m,α Got you! α MAC k (m )! Bob k Eve
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 08 Shannon s Theory (Contd.)
More informationStructural Cryptanalysis of SASAS
tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationBlock ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit
Block ciphers Block ciphers Myrto Arapinis School o Inormatics University o Edinburgh January 22, 2015 A block cipher with parameters k and l is a pair o deterministic algorithms (E, D) such that Encryption
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationCryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationSMASH - A Cryptographic Hash Function
SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the
More informationCryptography Lecture 4 Block ciphers, DES, breaking DES
Cryptography Lecture 4 Block ciphers, DES, breaking DES Breaking a cipher Eavesdropper recieves n cryptograms created from n plaintexts in sequence, using the same key Redundancy exists in the messages
More informationPractical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function
Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function Itai Dinur 1, Pawe l Morawiecki 2,3, Josef Pieprzyk 4 Marian Srebrny 2,3, and Micha l Straus 3 1 Computer Science Department, École
More informationIntroduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES
CSC/ECE 574 Computer and Network Security Topic 3.1 Secret Key Cryptography Algorithms CSC/ECE 574 Dr. Peng Ning 1 Outline Introductory Remarks Feistel Cipher DES AES CSC/ECE 574 Dr. Peng Ning 2 Introduction
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i s from any key k K. A block
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationNetwork Security: Hashes
1 Network Security: Hashes Henning Schulzrinne Columbia University, New York schulzrinne@cs.columbia.edu Columbia University, Fall 2000 cfl1999-2000, Henning Schulzrinne Last modified October 5, 2000 2
More informationA Pseudo-Random Encryption Mode
A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of
More informationThe Security of Abreast-DM in the Ideal Cipher Model
The Security of breast-dm in the Ideal Cipher Model Jooyoung Lee, Daesung Kwon The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390 jlee05@ensec.re.kr,ds
More informationPseudo-random Number Generation. Qiuliang Tang
Pseudo-random Number Generation Qiuliang Tang Random Numbers in Cryptography The keystream in the one-time pad The secret key in the DES encryption The prime numbers p, q in the RSA encryption The private
More informationIntroduction to Information Security
Introduction to Information Security Lecture 4: Hash Functions and MAC 2007. 6. Prof. Byoungcheon Lee sultan (at) joongbu. ac. kr Information and Communications University Contents 1. Introduction - Hash
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationSimple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)
Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Henry Ng Henry.Ng.a@gmail.com Abstract. A new cryptographic pseudorandom number generator Cilia is presented. It hashes
More informationAlgebraic attack on stream ciphers Master s Thesis
Comenius University Faculty of Mathematics, Physics and Informatics Department of Computer Science Algebraic attack on stream ciphers Master s Thesis Martin Vörös Bratislava, 2007 Comenius University Faculty
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationBenes and Butterfly schemes revisited
Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationCryptographic Hash Functions Part II
Cryptographic Hash Functions Part II Cryptography 1 Andreas Hülsing, TU/e Some slides by Sebastiaan de Hoogh, TU/e Hash function design Create fixed input size building block Use building block to build
More informationThe Advanced Encryption Standard
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 48 The Advanced Encryption Standard Successor of DES DES considered insecure; 3DES considered too slow. NIST competition in 1997 15
More informationHenning Schulzrinne Columbia University, New York Columbia University, Fall 2000
1 Network Security: Hashes Henning Schulzrinne Columbia University, New York schulzrinne@cs.columbia.edu Columbia University, Fall 2000 cfl1999-2000, Henning Schulzrinne Last modified October 5, 2000 Slide
More informationChair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 2 Basics
Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle Network Security Chapter 2 Basics 2.4 Random Number Generation for Cryptographic Protocols Motivation It is
More informationAffine equivalence in the AES round function
Discrete Applied Mathematics 148 (2005) 161 170 www.elsevier.com/locate/dam Affine equivalence in the AES round function A.M. Youssef a, S.E. Tavares b a Concordia Institute for Information Systems Engineering,
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More informationIntroduction to Modern Cryptography Lecture 4
Introduction to Modern Cryptography Lecture 4 November 22, 2016 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationComputer Science A Cryptography and Data Security. Claude Crépeau
Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)
More informationAn introduction to Hash functions
An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27
More informationSecret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:
Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design: Secret Key Systems Encrypting a small block of text (say 64 bits) General considerations
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Davies-Meyer Hashes in Practice Hash
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationIntroduction Description of MD5. Message Modification Generate Messages Summary
How to Break MD5 and other hash functions Xiaoyun Wang and Hongbo Yu (China) Presented by: Saar Benodiz May 2012 Outline Introduction Description of MD5 Differential Attack for Hash Functions Message Modification
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationAlgebraic Attacks and Stream Ciphers
November 25 th, 24 Algebraic Attacks and Stream Ciphers Helsinki University of Technology mkivihar@cc.hut.fi Overview Stream ciphers and the most common attacks Algebraic attacks (on LSFR-based ciphers)
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationCrypto Engineering (GBX9SY03) Hash functions
Crypto Engineering (GBX9SY03) Hash functions Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2017 10 18 Hash functions 2017 10 18 1/32 First
More informationCIS 6930/4930 Computer and Network Security. Topic 4. Cryptographic Hash Functions
CIS 6930/4930 Computer and Network Security Topic 4. Cryptographic Hash Functions 1 The SHA-1 Hash Function 2 Secure Hash Algorithm (SHA) Developed by NIST, specified in the Secure Hash Standard, 1993
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions
ENEE 457: Computer Systems Security 09/19/16 Lecture 6 Message Authentication Codes and Hash Functions Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationUnbalanced Feistel Networks and Block-Cipher Design
Unbalanced Feistel Networks and Block-Cipher Design Bruce Schneier and John Kelsey Counterpane Systems, 101 East Minnehaha Parkway, Minneapolis, MN 55419 {schneier,kelsey}@counterpane.com Abstract. We
More informationb = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.
INTRODUCTION TO CRYPTOGRAPHY 5. Discrete Logarithms Recall the classical logarithm for real numbers: If we write b = 10 a, then a = log 10 b is the logarithm of b to the base 10. Changing the base to e
More informationImproved Cascaded Stream Ciphers Using Feedback
Improved Cascaded Stream Ciphers Using Feedback Lu Xiao 1, Stafford Tavares 1, Amr Youssef 2, and Guang Gong 3 1 Department of Electrical and Computer Engineering, Queen s University, {xiaolu, tavares}@ee.queensu.ca
More informationStream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida
Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits
More informationON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD
ON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD Paul D. Yacoumis Supervisor: Dr. Robert Clarke November 2005 Thesis submitted for the degree of Honours in Pure Mathematics Contents 1 Introduction
More informationCHAPTER 6: OTHER CRYPTOSYSTEMS, PSEUDO-RANDOM NUMBER GENERATORS and HASH FUNCTIONS. Part VI
CHAPTER 6: OTHER CRYPTOSYSTEMS, PSEUDO-RANDOM NUMER GENERATORS and HASH FUNCTIONS Part VI Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions A large number of interesting
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationBlock Ciphers and Systems of Quadratic Equations
Block Ciphers and Systems of Quadratic Equations Alex Biryukov and Christophe De Cannière Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee, Belgium
More informationIntroduction to Cryptography Lecture 4
Data Integrity, Message Authentication Introduction to Cryptography Lecture 4 Message authentication Hash functions Benny Pinas Ris: an active adversary might change messages exchanged between and M M
More information7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks
More informationhas the solution where M = Since c = w 2 mod n we have c w 2 (mod p) and c w 2 (mod q);
CHAPTER 6: OTHER CRYPTOSYSTEMS and ASIC CRYPTOGRAPHY PRIMITIVES A large number of interesting and important cryptosystems have already been designed. In this chapter we present several other of them in
More informationHow Fast can be Algebraic Attacks on Block Ciphers?
How Fast can be Algebraic Attacks on Block Ciphers? Nicolas T. Courtois Axalto mart Cards, 36-38 rue de la Princesse BP 45, 78430 Louveciennes Cedex, France http://www.nicolascourtois.net courtois@minrank.org
More information