Division Property: a New Attack Against Block Ciphers
|
|
- Louisa Flynn
- 5 years ago
- Views:
Transcription
1 Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, / 50
2 Symmetric-key encryption Alice and Bob exchange the secret key through a secure channel. Encryption Decryption 2 / 50
3 Symmetric-key encryption Alice and Bob exchange the secret key through a secure channel. Encryption Decryption Key-exchange problem birth of the public-key cryptography. 2 / 50
4 Public-key encryption Encryption %gti2z* Decryption 3 / 50
5 Advantages and disadvantages of each system Advantages Disadvantages Secret-key Public-key Fast systems Relatively short-keys No key-exchange needed n users: 2n keys Need secure key-exchange n users: n 2 keys Slow systems Relatively long-keys 4 / 50
6 Hybrid encryption Idea: Use a combination of asymmetric and symmetric encryption to benefit from the strengths of every system. Encryption Decryption Encryption Decryption 5 / 50
7 Hybrid encryption Use a public-key cryptosystem to exchange a key (session key). Use the exchanged key to encrypt data by using a symmetric-key cryptosystem. Advantages: Slow public-cryptosystem is used to encrypt a short string only. Fast symmetric-key cryptosystem is used to encrypt the longer communication session. Used for example in the SSL protocol. 6 / 50
8 Block ciphers Outline 1 Block ciphers 2 Division property 3 Propagation through an Sbox 4 Extending the division property 5 Understanding D n k for some specific values of k 7 / 50
9 Block ciphers Block ciphers Encrypt a block of message m into a block of ciphertext c under the action of the key k. ENC : {0,1} n {0,1} κ {0,1} n (m,k) ENC(m,k) = c k m ENC c Given k, it must be easy to compute c from m. Given m,c it must be hard to compute k such that ENC(m,k) = c. 8 / 50
10 Block ciphers Two important parameters: block size, n key size, κ A block cipher generates a family of permutations indexed by a key k. (2 n )! permutations subset 2 κ Ideal design: 2 κ permutations chosen uniformly at random from all 2 n! 2 (n 1)2n permutations. 9 / 50
11 Block ciphers Iterated block ciphers Idea: Iterate a round function f several times. The function f r is waited to be strong for large r. Advantages: Compact implementation. Easier analysis. master key k Key schedule k 1 k 2 k r m f f f c Use a key schedule to extend the user-supplied (or master) key to a sequence of r subkeys. 10 / 50
12 Block ciphers How to build the round function? Two major approaches: Feistel network. Substitution-Permutation Network (SPN). 11 / 50
13 Block ciphers How to build the round function? Two major approaches: Feistel network. Substitution-Permutation Network (SPN). 11 / 50
14 Block ciphers Substitution Permutation Network (SPN) m k1 Substitution Permutation k2 Substitution Permutation k3 Substitution Permutation k4 Substitution Permutation k5 c 12 / 50
15 Block ciphers Substitution Permutation Network (SPN) m k1 S S S S k2 S S S S k3 S S S S k4 S S S S k5 c 12 / 50
16 Block ciphers Cryptanalysis of block ciphers Problem: Design block ciphers that are fast and secure at the same time. In symmetric key cryptography, security proofs are partial and insufficient. Only mean of proving that a design is secure: cryptanalysis. An algorithm is secure as long there is no attack against it. The more an algorithm is analysed without being broken, the more reliable it is. 13 / 50
17 Block ciphers What does "broken" mean? No attack faster than exhaustive search should exist. If a block cipher encrypts messages with a k-bit key, no attack with time complexity less than 2 k should be known. Otherwise, the cipher is considered as broken (even if the complexity of the attack is not practical). 14 / 50
18 Division property Outline 1 Block ciphers 2 Division property 3 Propagation through an Sbox 4 Extending the division property 5 Understanding D n k for some specific values of k 15 / 50
19 Division property A new property for block ciphers In Eurocrypt 2015, Yosuke Todo introduces a new property, called the division property. Combination (in some sense) of higher-order differential and saturation attacks. Construction of more powerful generic distinguishers for both SPN and Feistel constructions. Use of this new property for breaking full MISTY-1 (best paper award at CRYPTO 2015). 16 / 50
20 Division property Notation If x,u F n 2, we denote x u = n i=1 x u i i Example: (n = 4) x = (x 1,x 2,x 3,x 4 ) = (1,1,0,1), u = (u 1,u 2,u 3,u 4 ) = (1,0,1,0) x u = x 1 u 1 x 2 u 2 x 3 u 3 x 4 u 4 = = / 50
21 Division property Division property Let X be a multiset of elements in F n 2. For 0 k n, we say that X has the division property Dk n if x u = 0, x X for all u F n 2 such that wt(u) < k. 18 / 50
22 Division property Division property - Example X = {0x0,0x3,0x3,0x3,0x5,0x6,0x8,0xB,0xD,0xE}. Compute x Xx u for all u F 4 2. x u = 1, x X for u = 1011, u = 1101 and u = So, x Xx u = 0 for all u with wt(u) < 3. X has the division property D / 50
23 Division property Using the division property in practice Prepare a set of plaintexts and evaluate its division property. Propagate the input texts and evaluate the division property of the output set after one round. Use rules to propagate the property through the different cipher components (Sboxes, XOR, etc..) Repeat the procedure and compute the division property of the set of texts after several rounds. If after several rounds some exploitable information is found, then we get a distinguisher. 20 / 50
24 Division property Distinguisher and key recovery attack Distinguisher: A property that permits to distinguish the target block cipher from an ideal permutation. Division property: E K (y) has the division property Dk n y Y for k 1. Key recovery: Exploit this property to recover the key by targeting first the subkey of the last round. 21 / 50
25 Propagation through an Sbox Outline 1 Block ciphers 2 Division property 3 Propagation through an Sbox 4 Extending the division property 5 Understanding D n k for some specific values of k 22 / 50
26 Propagation through an Sbox What is an Sbox? Main component for providing non-linearity. Can be seen as a vectorial Boolean function S : F n 2 Fm 2 (usually m = n). Algebraic Normal Form (ANF) of an Sbox y 0 = x 0 x 2 +x 1 +x 2 +x 3 y 1 = x 0 x 1 x 2 +x 0 x 1 x 3 +x 0 x 2 x 3 +x 1 x 2 +x 0 x 3 +x 2 x 3 +x 0 +x 2 y 2 = x 0 x 1 x 3 +x 0 x 2 x 3 +x 1 x 2 +x 1 x 3 +x 2 x 3 +x 0 +x 1 +x 3 y 3 = x 0 x 1 x 2 +x 1 x 3 +x 0 +x 1 +x / 50
27 Propagation through an Sbox Algebraic degree of an Sbox (y 0,y 1,y 2,y 3 ) = S(x 0,x 1,x 2,x 3 ) y 0 = x 0 x 2 +x 1 +x 2 +x 3 y 1 = x 0 x 1 x 2 +x 0 x 1 x 3 +x 0 x 2 x 3 +x 1 x 2 +x 0 x 3 +x 2 x 3 +x 0 +x 2 y 2 = x 0 x 1 x 3 +x 0 x 2 x 3 +x 1 x 2 +x 1 x 3 +x 2 x 3 +x 0 +x 1 +x 3 y 3 = x 0 x 1 x 2 +x 1 x 3 +x 0 +x 1 +x The algebraic degree of S is / 50
28 Propagation through an Sbox Propagation of the division property through an Sbox Let S be a permutation of F n 2 of algebraic degree d. Let X be a multiset having the division property D n k. Question: What is the division property of Y = S(X)? If k = n, then Y has the division property D n n. Proposition (Todo): Y has the division property D n k d. 25 / 50
29 Propagation through an Sbox Example - MISTY S 7 MISTY s Sbox S 7 is a 7-bit Sbox of degree 3. The input set X has the property D 7 k. The output set Y has the property D 7 k, with k = k 3. k k / 50
30 Propagation through an Sbox Proof Sketch Let the input set X have the division property Dk n. Then, x u = 0, for all u F n 2 with wt(u) < k. x X Goal: Evaluate for which v F n 2, x XS(x) v vanishes. If deg(s v ) < k then x XS(x) v = 0. If deg(s v ) k, x XS(x) v is undetermined. Obviously, deg(s v ) wt(v) d, so the sum becomes unknown if wt(v) d k. 27 / 50
31 Propagation through an Sbox An improvement idea In the previous proof, the degree was bounded by deg(s v ) wt(v) d This bound is not tight! 28 / 50
32 Propagation through an Sbox The inverse permutation influences the degree Let S be a permutation on F n 2. Denote by δ k (S) the max. degree of the product of k coordinates of S. Theorem [B. Canteaut 2013]. For any k and l, δ l (S) < n k if and only if δ k (S 1 ) < n l. 29 / 50
33 Propagation through an Sbox Getting a tighter result Use the previous theorem to better estimate deg(s v ): deg(s v ) δ wt(v) (S). Then, δ wt(v) (S) < k iff δ n k (S 1 ) < n wt(v). By re-writing the second inequality we get δ wt(v) (S) < k iff wt(v) < n δ n k (S 1 ). The quantity x X (Sv )(x) becomes unknown when wt(v) n δ n k (S 1 ). So Y has the division property Dn δ n n k (S 1 ). 30 / 50
34 Propagation through an Sbox Example - Back to MISTY S 7 MISTY s inverse Sbox S 1 7 is a 7-bit Sbox of degree 3. k δ k (S 1 7 ) The input set X has the property Dk 7. The output set Y has the property Dk 7, with k = k 3 (Todo s estimation) k = 7 δ 7 k (S7 1 ) (our estimation) k k (Todo s) k (our) For k = 6: k = 7 δ 7 6 (S 1 7 ) = 7 3 = 4 31 / 50
35 Extending the division property Outline 1 Block ciphers 2 Division property 3 Propagation through an Sbox 4 Extending the division property 5 Understanding D n k for some specific values of k 32 / 50
36 Extending the division property Reduced set of a multiset Let X be a multiset of elements in F n 2. The corresponding reduced set X is the set composed of all elements in X having an odd multiplicity. Example: If X = {0x0,0x3,0x3,0x3,0x5,0x7,0x7,0xB,0xC} then X = {0x0,0x3,0x5,0xB,0xC}. A multiset X fulfills D n k if and only if X fulfills D n k. 33 / 50
37 Extending the division property Parity set of a multiset Let X be a multiset of elements in F n 2. The set U(X) is the subset of Fn 2 defined by U(X) = {u F n 2 : x Xx u = 1}, is called the parity set of X. Obviously U(X) = U( X). The parity set provides a complete characterization of the reduced set of a multiset. 34 / 50
38 Extending the division property Incidence vector of U(X) Lemma. Let G be the 2 n 2 n binary matrix whose entries are indexed by n-bit vectors and defined by G u,a = a u, a,u F n 2. For any subset X of F n 2, the incidence vector of U(X) is equal to the product of G by the incidence vector of X. 35 / 50
39 Extending the division property An example (n = 3) G = / 50
40 Extending the division property An example (n = 3) G = / 50
41 Extending the division property An example (n = 3) X = {1,3,4} U(X) = = U(X) = {0,2,3,4}. 37 / 50
42 Extending the division property Reed-Muller codes F m 2 = {z 0,...,z 2 m 1}. Let f : F m 2 F 2. We define c f = (f(z 0 ),...,f(z 2 m 1)). The Reed-Muller code RM(d,m) of order d and length 2 m is defined as RM(d,m) := {c f : deg(f) d}. 38 / 50
43 Extending the division property Correspondance of X and U(X) Corollary. For any subset U of F n 2, there exists a unique setx Fn 2 such that U(X) = U. Proof. The matrix G is a generator matrix of the Reed-Muller code of length 2 n and order n. Dimension of the code : 2 n G is invertible. The mapping matching the incidence vector of a set X, v X to the incidence vector of U(X) is an isomorphism of the set of 2 n vectors. 39 / 50
44 Extending the division property Parity set and the division property Let E k be a keyed permutation. The division property is a distinguishing property of the multiset E k (X) for a given choice of the input multiset X. We can now reformulate the division property Dk n of E k(x) by a simple property of U(E k (X)). Indeed, Dk n characterizes a multiset X by a lower bound on the weight of all elements in U(X). 40 / 50
45 Extending the division property Proposition. Let X be a multiset of elements in F n 2 and k be an integer 0 k n. Then,the following assertions are equivalent: (i) X fulfills the division property D n k. (ii) U(X) {u F n 2 : wt(u) k}. (iii) The incidence vector of the corresponding reduced set X belongs to the Reed-Muller code of length 2 n and order (n k). 41 / 50
46 Understanding Dk n for some specific values of k Outline 1 Block ciphers 2 Division property 3 Propagation through an Sbox 4 Extending the division property 5 Understanding D n k for some specific values of k 42 / 50
47 Understanding Dk n for some specific values of k Some specific values of k Question: What can be said about a multiset X that verifies a property Dk n, for some value of k? The cases D1 n, Dn 2, Dn n, have been characterized. [Todo 2015], [Sun et al. 2015] The cases Dk n, for k {1,2,n} had not been exploited before. We provide some insight on these cases here by using the above introduced new vision and some well known properties of Reed-Muller codes. 43 / 50
48 Understanding Dk n for some specific values of k The property D n 1 Let X be a multiset of elements in F n 2. X fulfills D n 1 if and only if its cardinality is even. Indeed, X has the property D1 n: For u = (0,...,0) : x X xu = 0 x x 0 n = = #X mod 2 = 0 x X x X1 The inverse can be easily deduced. 44 / 50
49 Understanding Dk n for some specific values of k The property D n 2 Let X be a multiset of elements in F n 2. X fulfills D n 2 if and only if its cardinality is even and it has the Balance property. Balance property: For any i, 1 i n x Xx i = 0. Indeed, if X has the property D n 2 : x X x0 1...x0 n = 0 X has even cardinality. For all u with wt(u) = 1: x X xu = x X x0 1...x0 i 1 x1 i...x0 n = x X x i = 0 X has the Balance property. The inverse is proven easily. 45 / 50
50 Understanding Dk n for some specific values of k The property D n n Let X be a multiset of elements in F n 2. X fulfills D n n if and only if its reduced set X is either empty or equal to F n 2. Let v be the incidence vector of X. Proof. X satisfies Dn n iff v R(0,n). Thus, either v is the all-zero vector, i.e., X is empty or v is the all-one vector i.e. X = F n / 50
51 Understanding Dk n for some specific values of k The property D n n 1 Let X be a multiset of elements in F n 2. Proposition. X satisfies D n n 1 if and only if X is an (affine) subspace of dimension (n 1). Proof. X satisfies Dn 1 n iff v R(1,n). R(1,n) consists of the incidence vectors of all (affine) hyperplanes of F 2. Then, this equivalently means that X is an (affine) hyperplane. 47 / 50
52 Understanding Dk n for some specific values of k Example [Todo, Eurocrypt 2015] For the multiset of elements of F 4 2 X = {0x0,0x3,0x3,0x3,0x5,0x6,0x8,0xB,0xD,0xE}, the corresponding reduced set X = {0x0,0x3,0x5,0x6,0x8,0xB,0xD,0xE} is a linear subspace of dimension 3 spanned by {0x3,0x5,0x8}. So, it can be directly deduced (without computation) that X has the property D / 50
53 Understanding Dk n for some specific values of k The property D n k Proposition. Let X be a multiset of elements in F n 2 satisfying Dn k such that X is not empty. Then X 2 k, and equality holds iff X is an affine subspace of dimension k. Proof. X satisfies D n k iff v X belongs to R(n k,n). The minimum distance of R(n k,n) is 2 k and that the minimum-weight codewords in this code are the incidence vectors of the affine subspaces of dimension k. 49 / 50
54 Understanding Dk n for some specific values of k Conclusion We have reformulated the division property to captivate more information. Complete characterisation of the property Dk n for different values of k. More powerful distinguishers for a high number of block ciphers. Work in progress / 50
55 Understanding Dk n for some specific values of k Conclusion We have reformulated the division property to captivate more information. Complete characterisation of the property Dk n for different values of k. More powerful distinguishers for a high number of block ciphers. Work in progress... Thanks for your attention! 50 / 50
Another view of the division property
Another view of the division property Christina Boura and Anne Canteaut Université de Versailles-St Quentin, France Inria Paris, France Dagstuhl seminar, January 2016 Motivation E K : block cipher with
More informationSome attacks against block ciphers
Some attacks against block ciphers hristina Boura École de printemps en codage et cryptographie May 19, 2016 1 / 59 Last-round attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationStructural Evaluation by Generalized Integral Property
Structural Evaluation by Generalized Integral Property Yosue Todo NTT Secure Platform Laboratories, Toyo, Japan todo.yosue@lab.ntt.co.jp Abstract. In this paper, we show structural cryptanalyses against
More informationBlock Cipher Cryptanalysis: An Overview
0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution
More informationIntroduction to symmetric cryptography
Introduction to symmetric cryptography hristina Boura École de printemps en codage et cryptographie May 17, 2016 1 / 48 Overview Introduction to symmetric-key cryptography Block ciphers Boolean functions
More informationOptimized Interpolation Attacks on LowMC
Optimized Interpolation Attacks on LowMC Itai Dinur 1, Yunwen Liu 2, Willi Meier 3, and Qingju Wang 2,4 1 Département d Informatique, École Normale Supérieure, Paris, France 2 Dept. Electrical Engineering
More informationBlock Ciphers and Feistel cipher
introduction Lecture (07) Block Ciphers and cipher Dr. Ahmed M. ElShafee Modern block ciphers are widely used to provide encryption of quantities of information, and/or a cryptographic checksum to ensure
More informationTowards Provable Security of Substitution-Permutation Encryption Networks
Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i
More informationMILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers
MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers Ling Sun 1, Wei Wang 1, Meiqin Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security,
More informationClassical Cryptography
Classical Cryptography CSG 252 Fall 2006 Riccardo Pucella Goals of Cryptography Alice wants to send message X to Bob Oscar is on the wire, listening to communications Alice and Bob share a key K Alice
More informationInvariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs
Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs Jian Guo 1, Jeremy Jean 2, Ivica Nikolić 1, Kexin Qiao 3, Yu Sasaki 4, and Siang Meng Sim 1 1. Nanyang Technological
More informationRevisit and Cryptanalysis of a CAST Cipher
2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia
More informationLecture Notes on Cryptographic Boolean Functions
Lecture Notes on Cryptographic Boolean Functions Anne Canteaut Inria, Paris, France Anne.Canteaut@inria.fr https://www.rocq.inria.fr/secret/anne.canteaut/ version: March 10, 016 Contents 1 Boolean functions
More informationCube Attacks on Stream Ciphers Based on Division Property
Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23 Plan 1 Cube Attack:
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationNotes on Alekhnovich s cryptosystems
Notes on Alekhnovich s cryptosystems Gilles Zémor November 2016 Decisional Decoding Hypothesis with parameter t. Let 0 < R 1 < R 2 < 1. There is no polynomial-time decoding algorithm A such that: Given
More information7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationFinal Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.
Final Exam Math 10: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 0 April 2002 :0 11:00 a.m. Instructions: Please be as neat as possible (use a pencil), and show
More informationMultiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs
Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs Alex Biryukov 1,2, Dmitry Khovratovich 2, Léo Perrin 2 1 CSC, University of Luxembourg 2 SnT, University of Luxembourg https://www.cryptolux.org
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationNotes 10: Public-key cryptography
MTH6115 Cryptography Notes 10: Public-key cryptography In this section we look at two other schemes that have been proposed for publickey ciphers. The first is interesting because it was the earliest such
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationLinks Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT
Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT Céline Blondeau, Benoît Gérard SECRET-Project-Team, INRIA, France TOOLS for Cryptanalysis - 23th June 2010 C.Blondeau
More informationAn Improved Affine Equivalence Algorithm for Random Permutations
An Improved Affine Equivalence Algorithm for Random Permutations Itai Dinur Department of Computer Science, Ben-Gurion University, Israel Abstract. In this paper we study the affine equivalence problem,
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationStream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida
Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits
More informationCook-Levin Theorem. SAT is NP-complete
Cook-Levin Theorem SAT is NP-complete In other words SAT NP A NP A P SAT 1 Consider any A NP NTM N that decides A in polytime n k For any input w Σ * valid tableau of configurations 2 Properties of an
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationCryptography Lecture 4 Block ciphers, DES, breaking DES
Cryptography Lecture 4 Block ciphers, DES, breaking DES Breaking a cipher Eavesdropper recieves n cryptograms created from n plaintexts in sequence, using the same key Redundancy exists in the messages
More informationCryptanalysis of SP Networks with Partial Non-Linear Layers
Cryptanalysis of SP Networks with Partial Non-Linear Layers Achiya Bar-On 1, Itai Dinur 2, Orr Dunkelman 3, Nathan Keller 1, Virginie Lallemand 4, and Boaz Tsaban 1 1 Bar-Ilan University, Israel 2 École
More informationAlgebraic properties of SHA-3 and notable cryptanalysis results
Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =
More informationMATH3302 Cryptography Problem Set 2
MATH3302 Cryptography Problem Set 2 These questions are based on the material in Section 4: Shannon s Theory, Section 5: Modern Cryptography, Section 6: The Data Encryption Standard, Section 7: International
More informationAn average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and
An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationModule 2 Advanced Symmetric Ciphers
Module 2 Advanced Symmetric Ciphers Dr. Natarajan Meghanathan Professor of Computer Science Jackson State University E-mail: natarajan.meghanathan@jsums.edu Data Encryption Standard (DES) The DES algorithm
More informationStructural Cryptanalysis of SASAS
tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which
More informationPublic Key Encryption
Public Key Encryption KG October 17, 2017 Contents 1 Introduction 1 2 Public Key Encryption 2 3 Schemes Based on Diffie-Hellman 3 3.1 ElGamal.................................... 5 4 RSA 7 4.1 Preliminaries.................................
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1 and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105-78153 Le Chesnay Cedex
More informationChoosing Round Constants in Lightweight Block Ciphers and Cryptographic Permutations
Choosing Round Constants in Lightweight Block Ciphers and Cryptographic Permutations Christof Beierle SnT, University of Luxembourg, Luxembourg (joint work with Anne Canteaut, Gregor Leander, and Yann
More informationSolution to Midterm Examination
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Handout #13 Xueyuan Su November 4, 2008 Instructions: Solution to Midterm Examination This is a closed book
More informationMILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers
MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers Ling Sun 1, Wei Wang 1, Meiqin Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security,
More informationLS-Designs. Bitslice Encryption for Efficient Masked Software Implementations
Bitslice Encryption for Efficient Masked Software Implementations Vincent Grosso 1 Gaëtan Leurent 1,2 François Xavier Standert 1 Kerem Varici 1 1 UCL, Belgium 2 Inria, France FSE 2014 G Leurent (UCL,Inria)
More informationZero-Sum Partitions of PHOTON Permutations
Zero-Sum Partitions of PHOTON Permutations Qingju Wang 1, Lorenzo Grassi 2, Christian Rechberger 1,2 1 Technical University of Denmark, Denmark, 2 IAIK, Graz University of Technology, Austria quwg@dtu.dk,
More informationImproved Zero-sum Distinguisher for Full Round Keccak-f Permutation
Improved Zero-sum Distinguisher for Full Round Keccak-f Permutation Ming Duan 12 and Xuejia Lai 1 1 Department of Computer Science and Engineering, Shanghai Jiao Tong University, China. 2 Basic Courses
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationConstruction of Lightweight S-Boxes using Feistel and MISTY structures (Full Version )
Construction of Lightweight S-Boxes using Feistel and MISTY structures (Full Version ) Anne Canteaut, Sébastien Duval, and Gaëtan Leurent Inria, project-team SECRET, France {Anne.Canteaut, Sebastien.Duval,
More informationWinter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2
0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li, Bing Sun, Chao Li, Longjiang Qu National University of Defense Technology, Changsha, China ACISP 2010, Sydney, Australia 5
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation
More informationGENERALIZED NONLINEARITY OF S-BOXES. Sugata Gangopadhyay
Volume X, No. 0X, 0xx, X XX doi:0.3934/amc.xx.xx.xx GENERALIZED NONLINEARITY OF -BOXE ugata Gangopadhyay Department of Computer cience and Engineering, Indian Institute of Technology Roorkee, Roorkee 47667,
More informationTutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction
Tutorial on Quantum Computing Vwani P. Roychowdhury Lecture 1: Introduction 1 & ) &! # Fundamentals Qubits A single qubit is a two state system, such as a two level atom we denote two orthogonal states
More informationProduct Systems, Substitution-Permutation Networks, and Linear and Differential Analysis
Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis Cryptology, lecture 3 Stinson, Section 2.7 3.4 Tuesday, February 12th, 2008 1 Composition Product 2 Substitution-Permutation
More informationMILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher
MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher Raghvendra Rohit, Riham AlTawy, & Guang Gong Department of Electrical and Computer Engineering, University of Waterloo Waterloo,
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationAkelarre. Akelarre 1
Akelarre Akelarre 1 Akelarre Block cipher Combines features of 2 strong ciphers o IDEA mixed mode arithmetic o RC5 keyed rotations Goal is a more efficient strong cipher Proposed in 1996, broken within
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More informationBISON Instantiating the Whitened Swap-Or-Not Construction November 14th, 2018
BION Instantiating the Whitened wap-or-not Construction November 14th, 2018 FluxFingers Workgroup ymmetric Cryptography, Ruhr University Bochum Virginie Lallemand, Gregor Leander, Patrick Neumann, and
More informationIntroduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES
CSC/ECE 574 Computer and Network Security Topic 3.1 Secret Key Cryptography Algorithms CSC/ECE 574 Dr. Peng Ning 1 Outline Introductory Remarks Feistel Cipher DES AES CSC/ECE 574 Dr. Peng Ning 2 Introduction
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationCube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version)
Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) Yosuke Todo 1, Takanori Isobe 2, Yonglin Hao 3, and Willi Meier 4 1 NTT Secure Platform Laboratories, Tokyo 180-8585,
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1, and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105 78153 Le Chesnay
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationhold or a eistel cipher. We nevertheless prove that the bound given by Nyberg and Knudsen still holds or any round keys. This stronger result implies
Dierential cryptanalysis o eistel ciphers and dierentially uniorm mappings Anne Canteaut INRIA Projet codes Domaine de Voluceau BP 105 78153 Le Chesnay Cedex rance Abstract In this paper we study the round
More informationU.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6
U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom
More informationProvable Security Against Differential and Linear Cryptanalysis
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University Introduction CRADIC Linear Hull SPN and Two Strategies Highly
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationRelated-Key Statistical Cryptanalysis
Related-Key Statistical Cryptanalysis Darakhshan J. Mir Department of Computer Science, Rutgers, The State University of New Jersey Poorvi L. Vora Department of Computer Science, George Washington University
More informationA Weak Cipher that Generates the Symmetric Group
A Weak Cipher that Generates the Symmetric Group Sean Murphy Kenneth Paterson Peter Wild Information Security Group, Royal Holloway and Bedford New College, University of London, Egham, Surrey TW20 0EX,
More informationCPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems
CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory
More informationSieve-in-the-Middle: Improved MITM Attacks (Full Version )
Sieve-in-the-Middle: Improved MITM Attacks (Full Version ) Anne Canteaut 1, María Naya-Plasencia 1, and Bastien Vayssière 2 1 Inria Paris-Rocquencourt, project-team SECRET B.P. 105, 78153 Le Chesnay cedex,
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura, Anne Canteaut, Christophe De Cannière To cite this version: Christina Boura, Anne Canteaut, Christophe De Cannière. Higher-order
More informationBLOCK CIPHERS KEY-RECOVERY SECURITY
BLOCK CIPHERS and KEY-RECOVERY SECURITY Mihir Bellare UCSD 1 Notation Mihir Bellare UCSD 2 Notation {0, 1} n is the set of n-bit strings and {0, 1} is the set of all strings of finite length. By ε we denote
More informationDifferential properties of power functions
Differential properties of power functions Céline Blondeau, Anne Canteaut and Pascale Charpin SECRET Project-Team - INRIA Paris-Rocquencourt Domaine de Voluceau - B.P. 105-8153 Le Chesnay Cedex - France
More informationAES side channel attacks protection using random isomorphisms
Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random
More informationDK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,
The Interpolation Attack on Block Ciphers? Thomas Jakobsen 1 and Lars R. Knudsen 2 1 Department of Mathematics, Building 303, Technical University of Denmark, DK-2800 Lyngby, Denmark, email:jakobsen@mat.dtu.dk.
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know
More informationPublic Key Cryptography
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Public Key Cryptography EECE 412 1 What is it? Two keys Sender uses recipient s public key to encrypt Receiver uses his private key to decrypt
More informationCryptography CS 555. Topic 2: Evolution of Classical Cryptography CS555. Topic 2 1
Cryptography CS 555 Topic 2: Evolution of Classical Cryptography Topic 2 1 Lecture Outline Basics of probability Vigenere cipher. Attacks on Vigenere: Kasisky Test and Index of Coincidence Cipher machines:
More informationIng. Amilcare Francesco Santamaria, Ph.D. DIMES Dpt. University of Calabria
DES Algorithm works on bit or binary number, this mean that if we have to face with an HEX number such as 1 it needs to be converted in a binary number: 1 hex = 0001 (4 bits 1 nibble) 9 hex = 1001 A hex
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationTHE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018
THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 CPSC 418/MATH 318 L01 October 17, 2018 Time: 50 minutes
More informationDecomposing Bent Functions
2004 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 49, NO. 8, AUGUST 2003 Decomposing Bent Functions Anne Canteaut and Pascale Charpin Abstract In a recent paper [1], it is shown that the restrictions
More informationFFT-Based Key Recovery for the Integral Attack
FFT-Based Key Recovery for the Integral Attack Yosuke Todo NTT Secure Platform Laboratories Abstract. The integral attack is one of the most powerful attack against block ciphers. In this paper, we propose
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationCryptography and Security Midterm Exam
Cryptography and Security Midterm Exam Serge Vaudenay 23.11.2017 duration: 1h45 no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationCourse 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography
Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2006 Contents 9 Introduction to Number Theory and Cryptography 1 9.1 Subgroups
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationStatistical and Algebraic Properties of DES
Statistical and Algebraic Properties of DES Stian Fauskanger 1 and Igor Semaev 2 1 Norwegian Defence Research Establishment (FFI), PB 25, 2027 Kjeller, Norway 2 Department of Informatics, University of
More informationNumber theory (Chapter 4)
EECS 203 Spring 2016 Lecture 12 Page 1 of 8 Number theory (Chapter 4) Review Compute 6 11 mod 13 in an efficient way What is the prime factorization of 100? 138? What is gcd(100, 138)? What is lcm(100,138)?
More information