Ways of Doubling Block Size of Feistel Ciphers Used in Some Candidates for the AES
Bohuslav Rudolf
National Security Authority, P. O. Box 49, 150 06 Prague 56

Abstract

We describe and discuss the rounds of four (former) candidates in the AES process (DEAL, CAST-256, Twofish and RC6). Each of them represents its own way from a Feistel network to a cipher with double block size. We try to sketch these ways and to compare them.

Keywords: Feistel network, AES, block size, DEAL, CAST, Twofish, RC6.

1 Introduction

Most block ciphers in use today have a block size of 64 bits. For these ciphers some variants of the birthday attack require the storage/collection of 2^32 ciphertext blocks for a success probability of about one half [4]. With the rapid increase in computing power and available storage media it can be expected that in a few years this attack will be very realistic. Hence in the near future we shall use block ciphers with a 128-bit block size for higher security levels. This has also been taken into consideration in the AES and NESSIE projects.

Many block algorithms are Feistel networks. They are iterated block ciphers: a simple round function is taken and iterated multiple times. The basic building block of the round is a non-linear function usually called the F function or round function.

When we try to design a Feistel cipher with a 128-bit block size, we can choose one of the two following possibilities. The first is to develop our own design. The second is to try to double the 64-bit block size of some common Feistel cipher. In this contribution we describe and discuss the rounds of four candidates in the AES process. Each of them represents its own way from a (perhaps slightly modified) Feistel network to a cipher with double block size.

The simplest (and most straightforward) approach to this problem is to use the encryption function of a chosen 64-bit block cipher as the F function of a new cipher. In the end we obtain a pure Feistel network with a 128-bit block size. This is an instance of the cipher DEAL (with DES encryption as the building block). A little less straightforward, but still very simple, is to take the F function of the original cipher and use it in a generalized (unbalanced) Feistel network. This way led, for instance, from the cipher CAST-128 to CAST-256. Both of these examples are very simple, but neither of them (DEAL and CAST-256) became an AES finalist.

Both of the two remaining candidates discussed here, Twofish and RC6, were among the five finalists of the AES process. The Twofish F function design is based on a nontrivial modification and doubling of the Blowfish F function. In this contribution we try to sketch a probable way from Blowfish to the Twofish design. The last example is the design of RC6. It is the result of a careful modification of two parallel copies of RC5. Both of them are connected with the Feistel structure, but both differ essentially from the traditional Feistel network. It is interesting for us that the authors of RC6 described their way from RC5 to RC6 [7].

The way all computation lines are mixed during encryption is important for the quality of a new cipher. If this mixing is too slow we should not expect high performance and high security of the cipher simultaneously. In the former paper [1] we studied and used the DEM (diffusion evaluation matrix). It is a simple tool for an elementary estimation of cipher diffusion. It is based on old ideas of using matrices for diffusion evaluation (see for instance [2]), completed by the theorem about the DEM of a composed mapping and the exploitation of matrix calculus. Usually we use it to estimate the smallest number of encryption rounds potentially providing full diffusion. We speak about potentiality only because we are not sure that different ways of dependency transfer do not mutually cancel. In the paper [1] we illustrated DEM estimation with the following examples: the Twofish F function, a traditional Feistel network and the unbalanced Feistel network used in CAST-256. The DEM estimation of RC6 is done in the Appendix of this contribution.

Security and Protection of Information 2003
Of course, block cipher security estimation is a sophisticated problem. It has many important aspects. Usually the cipher's resistance against known attacks is examined (differential, linear and other kinds of cryptanalysis, detectable key classes and so on) and attacks against simplified variants of the algorithm are designed. For the AES finalists we know the corresponding security levels assigned to them by NIST.

2 DEAL - a cipher design using DES encryption as the F function

Introductory remarks: In [5] Knudsen proposed the r-round Feistel cipher DEAL with a block size of 128 bits. DEAL is a simple way of constructing a new block cipher based on another block cipher, doubling the block size. It uses DES in the round function. One could as well view DEAL as a mode of operation of the underlying block cipher (here DES), instead of a block cipher in its own right. The name DEAL means Data Encryption Algorithm with Larger blocks.

DEAL round: A 128-bit plaintext is split into two halves. A round takes the 128-bit block (L, R) and the round key K as input and computes the output block (L_new, R_new) by:

$$L_{new} = R, \qquad R_{new} = L \oplus E(R, K)$$

where $\oplus$ denotes XOR, $E$ is the DES encryption function, K is the DES key, and L, R, L_new and R_new are 64-bit words.

The Knudsen attack: Knudsen's paper [5] contains the following proposition: There is an attack on six-round DEAL with independent round keys, which requires about 2^70 chosen plaintexts and a correspondingly large number of DES encryptions.

Diffusion: The DEAL F function is the DES encryption function. Hence it has potentially full diffusion, and in accordance with our results in [1] three DEAL rounds have potentially full diffusion.

Number of rounds and speed of encryption: According to the attack on 6 rounds, Knudsen recommended using DEAL with at least 6 rounds. DEAL accepts three different key sizes, namely 128 bits (DEAL-128), 192 bits (DEAL-192) and 256 bits (DEAL-256). For the first two sizes the author recommends 6 rounds; for 256-bit keys it should be 8. DEAL with 6 rounds is as fast as triple DES. Hence it provides a worst-case performance benchmark for the AES [10]. Let us note that Knudsen also participated in the proposal of Serpent (one of the AES finalists).

3 CAST-256 - a cipher with a generalized Feistel network

The CAST-256 encryption algorithm is an extension of the CAST-128 cipher and has been submitted as a candidate for NIST's AES effort [3].

The main idea of the block size doubling: The mechanism for expanding a 64-bit block size to a larger block size in the CAST-256 design is based on the following idea. In a traditional Feistel network (64-bit block size) it is possible to interpret the exchange of the left and right halves in each round as a circular right shift by 32 bits. Let us consider a generalization of this structure to a cipher with a block size of 4 x 32 bits. In this case we consider a round as a structure consisting of 2 steps. In the first, the F function is used for a nontrivial change of the value of one 32-bit word. Then the 128-bit data block is circularly shifted by 32 bits (one word) to the right.

Round equations: Accordingly, the round of this cipher contains a circular right shift by 32 bits and has the form:

$$C^* = C \oplus f(D, k), \qquad (A_{new}, B_{new}, C_{new}, D_{new}) = (D, A, B, C^*)$$

where f denotes the F function, k is a round subkey and (A, B, C, D) is a 128-bit block whose words A, B, C, D are each 32 bits in length.

A cycle and a quad-round of the cipher: In accordance with [11], a cycle is the number of rounds necessary for a (non-trivial) modification of each bit in the block. The cycle of a traditional Feistel network contains 2 rounds; for instance the DES cipher has 8 cycles. The CAST-256 algorithm with the block size 128 = 4 x 32 requires 4 rounds (instead of 2) to input all bits of the block into the round function. Thus its cycle contains 4 rounds and is called a quad-round.

Two representations of a cycle (see for instance [12], twisted ladder and untwisted ladder): The first representation of a cycle is straightforward: we write the round equation four times. We obtain the second representation of a cycle by the following modification: instead of the rotations in the cycle rounds we change only the notation of the words in these rounds.
Encryption and decryption: A consequence of the CAST-256 cipher structure is that it requires a separate structure for decryption. If the right circular shift is used in encryption, decryption needs a left circular shift. Accordingly, in this case we have to consider 2 types of quad-rounds: the forward one for encryption and the reverse one for decryption. If there are r rounds in the full cipher, the first r/2 rounds use right shifting and the last r/2 rounds use left shifting. In this way decryption is identical to encryption, requiring only a reversal of the round keys.

Form of the quad-rounds: Here we use the second type of representation of the Feistel cycle. The forward quad-round has the form:

$$C_{new} = C \oplus f_1(D, k_0^{(j)}), \quad B_{new} = B \oplus f_2(C_{new}, k_1^{(j)}), \quad A_{new} = A \oplus f_3(B_{new}, k_2^{(j)}), \quad D_{new} = D \oplus f_1(A_{new}, k_3^{(j)})$$

The reverse quad-round has the form:

$$D_{new} = D \oplus f_1(A, k_3^{(j)}), \quad A_{new} = A \oplus f_3(B, k_2^{(j)}), \quad B_{new} = B \oplus f_2(C, k_1^{(j)}), \quad C_{new} = C \oplus f_1(D_{new}, k_0^{(j)})$$

where f_1, f_2, f_3 are functions defined as for CAST-128, (A, B, C, D) denotes a 128-bit block where A, B, C, D are each 32 bits in length, and (k_0^(j), k_1^(j), k_2^(j), k_3^(j)) is the set of keys for the j-th quad-round.

Choice of the Feistel function: CAST-256 uses the same Feistel functions as CAST-128.

Cipher diffusion: In [1] we have seen that this kind of unbalanced Feistel network needs at least 7 rounds to reach full diffusion.

Number of rounds and speed of encryption: The security analysis in [3] suggests using CAST-256 with 12 quad-rounds, i.e. 48 rounds. Owing to the large number of required rounds, it is considerably slower than the fastest AES candidates [10].

4 A possible way from Blowfish to Twofish

Introductory remarks: Twofish is a block cipher designed by the Counterpane Systems group [9] as a candidate for the Advanced Encryption Standard selection process, and was accepted as one of the five finalists.
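Before going on to Twofish, the CAST-256 quad-round wiring of the previous section as an added example (not code from the paper or the CAST-256 submission): forward quad-rounds for the first half of the cipher, reverse quad-rounds for the second half, so that decryption is the same procedure with the quad-round keys reversed, while an all-forward structure would need a separate decryption routine. The functions f1, f2, f3 and the key schedule are constructed stand-ins, not those of CAST-128/256.

```python
"""CAST-256-style quad-round structure (added example; f1/f2/f3 and the key
schedule are constructed stand-ins, not the CAST-128/256 definitions)."""

MASK32 = 0xFFFFFFFF


def rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


# Hypothetical stand-ins for the CAST-128 round functions.  Any deterministic
# 32-bit functions keep the quad-round inverse property, because every step
# XORs one word with a function of another word.
def f1(x, k):
    return rotl((x + k) & MASK32, 7) ^ ((k * 0x9E3779B1) & MASK32)


def f2(x, k):
    return (rotl(x ^ k, 11) + ((x * 0x85EBCA6B) & MASK32)) & MASK32


def f3(x, k):
    return rotl((x - k) & MASK32, 13) ^ (x & k)


def forward_quad_round(block, keys):
    """C, B, A, D are modified in this order (the 'right shift' form)."""
    a, b, c, d = block
    k0, k1, k2, k3 = keys
    c ^= f1(d, k0)
    b ^= f2(c, k1)
    a ^= f3(b, k2)
    d ^= f1(a, k3)
    return (a, b, c, d)


def reverse_quad_round(block, keys):
    """Same steps in the opposite order (the 'left shift' form); it inverts
    forward_quad_round under the same keys."""
    a, b, c, d = block
    k0, k1, k2, k3 = keys
    d ^= f1(a, k3)
    a ^= f3(b, k2)
    b ^= f2(c, k1)
    c ^= f1(d, k0)
    return (a, b, c, d)


def cast256_like(block, quad_keys):
    """First half of the quad-rounds forward, second half reverse."""
    half = len(quad_keys) // 2
    for keys in quad_keys[:half]:
        block = forward_quad_round(block, keys)
    for keys in quad_keys[half:]:
        block = reverse_quad_round(block, keys)
    return block


def encrypt(block, quad_keys):
    return cast256_like(block, quad_keys)


def decrypt(block, quad_keys):
    # Decryption is encryption with the quad-round keys in reverse order.
    return cast256_like(block, quad_keys[::-1])


def all_forward(block, quad_keys):
    """The naive generalized Feistel: every quad-round 'right shifts'.
    Reversing the key order does NOT decrypt this structure."""
    for keys in quad_keys:
        block = forward_quad_round(block, keys)
    return block


def make_quad_keys(seed, quad_rounds=12):
    """Constructed key schedule (not CAST-256's): 4 subkeys per quad-round."""
    return [tuple(((seed + 4 * j + i) * 0x9E3779B1) & MASK32 for i in range(4))
            for j in range(quad_rounds)]


SAMPLE_BLOCK = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)  # constructed
SAMPLE_KEYS = make_quad_keys(0xC0FFEE)


def roundtrip_ok():
    """Forward/reverse structure: reversed keys decrypt."""
    return decrypt(encrypt(SAMPLE_BLOCK, SAMPLE_KEYS), SAMPLE_KEYS) == SAMPLE_BLOCK


def naive_roundtrip_ok():
    """All-forward structure: reversed keys do not decrypt."""
    ct = all_forward(SAMPLE_BLOCK, SAMPLE_KEYS)
    return all_forward(ct, SAMPLE_KEYS[::-1]) == SAMPLE_BLOCK


if __name__ == "__main__":
    print("forward/reverse quad-rounds, reversed keys decrypt:", roundtrip_ok())
    print("all-forward quad-rounds, reversed keys decrypt:", naive_roundtrip_ok())
```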
It is a 128-bit block cipher that accepts a variable-length key of up to 256 bits. It uses a 16-round (8-cycle) Feistel-like structure with additional whitening of the input and output. (The only non-Feistel elements are the 1-bit rotations.) It originated from an attempt to take the original Blowfish design and modify it for a 128-bit block [8]. We do not know the exact way of the Twofish team from Blowfish to the Twofish design, but we can try to reconstruct its main probable line.

The Blowfish F function: Blowfish is a traditional Feistel network with a 64-bit block size. Let us describe its F function now.
1. First the 32-bit input data X is XORed with the corresponding subkey K: $X^* = X \oplus K$.
2. The result X* is split into 4 bytes (x*_3, x*_2, x*_1, x*_0), creating four 8-bit inputs to the four key-dependent S-boxes. Their outputs are four 32-bit words [Y_3, Y_2, Y_1, Y_0]. Hence $Y_j = s_j(x^*_j)$.
3. The results are combined (mixed) in the following way: $Y = [(Y_0 + Y_1) \oplus Y_2] + Y_3$, where + denotes addition modulo 2^32.
Figure 1: Blowfish F function B (input X, subkey K, four 8 x 32 S-boxes s_0 to s_3, output Y).

First probable step on the way to Twofish - replacement of the function B: The Twofish function G is a successor of the Blowfish F function B. It uses 4 bijective 8 x 8 key-dependent S-boxes instead of Blowfish's large 8 x 32 boxes. The dependence of the G function on the key is provided by the S-boxes only. As the mixing (diffusion) layer, the MDS matrix (connected with a sophisticated theoretical background) is used.

Figure 2: Twofish function G (input X split into bytes x_0 to x_3, four S-boxes, MDS layer, output Y).

Second probable step - a predecessor of the Twofish F function: Let us take two parallel versions of the function G. In the next steps we need above all to add some diffusion layer to mix the outputs (or inputs) of these two versions of G. It also seems reasonable to break in some way the symmetry connected with the use of two identical functions.

Third probable step - adding a mixing layer: To mix the computations of both G function instances, they use the so-called Pseudo-Hadamard transform (PHT for short) on pairs of 32-bit variables: $(X^*, Y^*) = T_{PH}(X, Y)$, where

$$X^* = X + Y, \qquad Y^* = X + 2Y = X^* + Y.$$

It is applied to the outputs of both functions G.

Fourth probable step - first asymmetry installation: The input of the second instance of G is first rotated by one byte. It is an easy way to make from G a different function G*: $G^*(X) = G(X \lll 8)$. It is a different but closely related function to G. It contains the same boxes (but in a different order) and, in some sense, a different MDS transformation, but one simply related to the original. The cryptographic properties of both functions are the same.

Fifth probable step - standard key-dependence insertion: Of course, the outputs of the functions G and G* are key-dependent. But we need some standard key-dependence, too. Thus we take a different part of the Twofish key and add it modulo 2^32 to both parts of the PHT output.

Relationship between the F function and the function G (summary): The F function contains the function G twice. The input to the second instance of G is first rotated by one byte (to obtain the function G*). The outputs of the functions G and G* are combined by the Pseudo-Hadamard transform. The standard key-dependence is provided by adding subkeys to both parts of the output.

The mixing layer of the Twofish F function: The mixing layer of the Twofish F function is composed of two parts: the first contains the MDS transformations of both instances of the function G, and the second is the Pseudo-Hadamard transformation realised by two additions.

The Twofish F function: Let us summarize the result of the former five steps. The F function is defined by the function G in the following form:

$$A^* = G(A) + G(B \lll 8) + K_A, \qquad B^* = G(A) + 2\,G(B \lll 8) + K_B,$$

where + denotes addition modulo 2^32, A, B (A*, B*) are the 32-bit halves of the input (output), and K_A, K_B are 32-bit subkeys.

Figure 3: Twofish F function (inputs A, B; G and G* with the rotation <<< 8; PHT; subkeys K_A, K_B; outputs A*, B*).

Sixth step - second asymmetry installation (one-bit rotations in the Feistel structure): The majority of the Twofish Feistel function building blocks are byte-oriented (namely the S-boxes and the MDS transformation). The one-bit rotations were included to help break this structure. Let us denote the round input as (A, B, C, D), its output as (A_new, B_new, C_new, D_new) and the two halves of the F function output as (A*, B*). Then:

$$A_{new} = (A^* \oplus C) \ggg 1, \qquad B_{new} = B^* \oplus (D \lll 1),$$

where X >>> 1 (or X <<< 1) denotes the right (or left) one-bit rotation of the word X. Of course, (C_new, D_new) = (A, B).

Remark about decryption: The different order of the XOR and the rotation in the C line and the D line helps to provide symmetry for decryption. The Twofish encryption and decryption functions are slightly different, but are built from the same blocks.
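The F function, the round and its inverse as an added example (not the Twofish reference code): G is a constructed stand-in (four key-derived byte permutations and a toy mixing step instead of Twofish's S-boxes and MDS matrix), so only the wiring, the PHT, G*(X) = G(X <<< 8), the subkey additions and the one-bit rotations follow the text; round keys and the block are constructed sample values, and whitening is omitted.

```python
"""Twofish-style F function and round structure (added example; G, the round
keys and the block are constructed stand-ins, not Twofish's own)."""

MASK32 = 0xFFFFFFFF


def rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def rotr(x, n):
    return rotl(x, 32 - (n % 32))


def make_g(key_bytes):
    """Constructed stand-in for G: four bijective 8x8 'S-boxes' derived from
    key bytes (odd multiplier => permutation), then a toy mixing step where
    Twofish applies the MDS matrix."""
    sboxes = [[((i * 0x9D) + kb) & 0xFF for i in range(256)] for kb in key_bytes]

    def g(x):
        bs = [sboxes[j][(x >> (8 * j)) & 0xFF] for j in range(4)]
        y = sum(b << (8 * j) for j, b in enumerate(bs))
        return (y + rotl(y, 8) + rotl(y, 16)) & MASK32   # toy mixing, not MDS
    return g


def pht(x, y):
    """Pseudo-Hadamard transform on 32-bit words: (X + Y, X + 2Y) mod 2^32."""
    x_star = (x + y) & MASK32
    return x_star, (x_star + y) & MASK32


def pht_inverse(x_star, y_star):
    """Inverse PHT: Y = Y* - X*, X = X* - Y (mod 2^32)."""
    y = (y_star - x_star) & MASK32
    return (x_star - y) & MASK32, y


def f_function(g, a, b, ka, kb):
    """A* = G(A) + G(B<<<8) + K_A,  B* = G(A) + 2*G(B<<<8) + K_B."""
    ga, gb = g(a), g(rotl(b, 8))          # gb = G*(B) = G(B <<< 8)
    a_star, b_star = pht(ga, gb)
    return (a_star + ka) & MASK32, (b_star + kb) & MASK32


def round_encrypt(g, block, ka, kb):
    a, b, c, d = block
    a_star, b_star = f_function(g, a, b, ka, kb)
    a_new = rotr(a_star ^ c, 1)           # C line: XOR first, then rotate right
    b_new = b_star ^ rotl(d, 1)           # D line: rotate left first, then XOR
    return (a_new, b_new, a, b)


def round_decrypt(g, block, ka, kb):
    """Undo round_encrypt.  C and D come back as A, B, so F can be recomputed
    (F need not be invertible); the rotations are undone on the other side of
    the XOR, which is what the different order in the two lines buys."""
    a_new, b_new, a, b = block
    a_star, b_star = f_function(g, a, b, ka, kb)
    c = rotl(a_new, 1) ^ a_star
    d = rotr(b_new ^ b_star, 1)
    return (a, b, c, d)


def encrypt(g, block, round_keys):
    for ka, kb in round_keys:
        block = round_encrypt(g, block, ka, kb)
    return block


def decrypt(g, block, round_keys):
    for ka, kb in reversed(round_keys):
        block = round_decrypt(g, block, ka, kb)
    return block


# Constructed sample key material and block (16 rounds = 8 cycles).
G = make_g([0x3A, 0x5C, 0x7E, 0x91])
ROUND_KEYS = [((0x9E3779B1 * (2 * r + 1)) & MASK32,
               (0x9E3779B1 * (2 * r + 2)) & MASK32) for r in range(16)]
SAMPLE_BLOCK = (0x00112233, 0x44556677, 0x8899AABB, 0xCCDDEEFF)


def roundtrip_ok():
    return decrypt(G, encrypt(G, SAMPLE_BLOCK, ROUND_KEYS), ROUND_KEYS) == SAMPLE_BLOCK


if __name__ == "__main__":
    print("16 rounds encrypt/decrypt round trip:", roundtrip_ok())
```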
Figure 4: The round structure of Twofish (inputs A, B, C, D; F with subkeys K_A, K_B giving A*, B*; rotations >>> 1 and <<< 1; outputs A_new, B_new, C_new, D_new).

Diffusion: In paper [1] we have seen that the Twofish F function has potentially full diffusion.

Number of rounds, security and speed of encryption: Twofish with 16 rounds (8 cycles) appears to have a high security level in the sense of NIST's comparison of the security of the AES finalists. (Of course, this is probably mainly connected with the use of key-dependent boxes.) Twofish was ranked among the fastest AES candidates.

5 The way from RC5 to RC6

Introductory remarks: The iterated block cipher RC5 was introduced by Rivest in [6]. It has a variable number of rounds, denoted r, and a key size of b bytes. The design is word-oriented for word sizes w = 32, 64 and the block size is 2w. The choice of parameters is usually denoted RC5-w/r/b. In what follows we take w = 32 only. A novel feature of the RC5 algorithm is the use of data-dependent rotations. RC5 is not exactly a Feistel cipher but it has a very similar structure. The RC6 block cipher is an evolutionary improvement of RC5, designed to meet the requirements of the AES. The authors of RC6 (Rivest, Robshaw, Sidney and Yin) described the way from RC5 to RC6 in their AES proposal [7].

A round of RC5 encryption: The formulas for one (half) round of RC5 encryption have the form:

$$A^* = [(A \oplus B) \lll B] + K, \qquad (A_{new}, B_{new}) = (B, A^*)$$

where A, B, K, A*, A_new, B_new are w-bit words (here we suppose w = 32), A_new, B_new denote the new values (after the round) of the words A, B, and K is a round subkey. A <<< B rotates the w-bit word A to the left by the amount given by the least significant lg w bits of B (here lg w = 5). We see that the data entering the round is split into two halves: a left word A and a right word B. The value of the word B does not change and it is transferred into the new value of the word A.

The unkeyed part of the F function analogy: The function f(X, Y) = X <<< Y appears as the unkeyed part of the F function analogy. It has two input words X and Y. The inputs play very different roles. We can interpret it so that the input word Y controls the computation of a new value of the input word X. This function is highly nonlinear with respect to the input word Y (in reality its 5 least significant bits only). (RC5 security is based on data-dependent rotations.)

A way from the RC5 round to the RC6 round: The authors of RC6 described their way from RC5 to RC6 roughly in the following form:
First step - an improvement of the RC5 round: The rotation provided by the function f depends on the 5 least significant bits of the word B only. Accordingly RC5 has been strengthened to have rotation amounts depending on all the bits of B. Instead of using B in a straightforward manner as above, they use a transformed version of this register, for a suitable transformation. The particular choice of this transformation for RC6 is:

$$g(x) = [x \cdot (2x + 1)] \lll 5.$$

Note that g(x) is one-to-one modulo 2^32, and that the bits of g(x) which determine the rotation amount depend heavily on all the bits of x. Then the strengthened form of the RC5 round is:

$$T = g(B), \qquad A^* = [(A \oplus T) \lll T] + K, \qquad (A_{new}, B_{new}) = (B, A^*)$$

Figure 5: The strengthened version of the RC5 round (inputs A, B; T = g(B); f; subkey K; outputs A_new, B_new).

Second step - doubling the block size: Run two copies of strengthened RC5 in parallel:

$$T = g(B), \quad U = g(D), \quad A^* = [(A \oplus T) \lll T] + K_L, \quad C^* = [(C \oplus U) \lll U] + K_R,$$
$$(A_{new}, B_{new}) = (B, A^*), \quad (C_{new}, D_{new}) = (D, C^*)$$

Third step: Mix the A, B computation with the C, D computation. Instead of swapping A with B and C with D, permute the registers A, B, C, D. Switch where the rotation amounts come from between the two computations:

$$T = g(B), \quad U = g(D), \quad A^* = [(A \oplus T) \lll U] + K_L, \quad C^* = [(C \oplus U) \lll T] + K_R,$$
$$(A_{new}, B_{new}, C_{new}, D_{new}) = (B, C^*, D, A^*)$$
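The three steps above as working 32-bit round functions, added here as an example (not the RC6 reference code): the RC5 half-round, the strengthened round with g, the RC6 round with the swapped rotation amounts and the (B, C*, D, A*) permutation, and the RC6 round inverse; a small sensitivity count shows why g was introduced. Round keys and the block are constructed sample values (the real RC6 key schedule is not reproduced).

```python
"""From the RC5 round to the RC6 round (added example; keys and block are
constructed values, not from the RC6 specification)."""

MASK32 = 0xFFFFFFFF
LG_W = 5                        # lg w for w = 32: a rotation amount has 5 bits


def rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def rotr(x, n):
    return rotl(x, 32 - (n % 32))


def rc5_half_round(a, b, k):
    """A* = [(A xor B) <<< B] + K; (A_new, B_new) = (B, A*).
    The rotation amount is the 5 least significant bits of B only."""
    a_star = (rotl(a ^ b, b & (2 ** LG_W - 1)) + k) & MASK32
    return b, a_star


def g(x):
    """g(x) = [x(2x+1)] <<< 5: one-to-one mod 2^32; its low 5 bits (the
    rotation amount) are the top 5 bits of the product."""
    return rotl((x * (2 * x + 1)) & MASK32, 5)


def strengthened_rc5_round(a, b, k):
    """First step: the rotation amount is taken from T = g(B)."""
    t = g(b)
    a_star = (rotl(a ^ t, t & 31) + k) & MASK32
    return b, a_star


def rc6_round(a, b, c, d, k_l, k_r):
    """Second and third steps: two strengthened copies, rotation amounts
    swapped between them, and the register permutation (B, C*, D, A*)."""
    t, u = g(b), g(d)
    a_star = (rotl(a ^ t, u & 31) + k_l) & MASK32
    c_star = (rotl(c ^ u, t & 31) + k_r) & MASK32
    return b, c_star, d, a_star


def rc6_round_inverse(a, b, c, d, k_l, k_r):
    """Undo rc6_round: B and D pass through unchanged, so T and U can be
    recomputed; then subtract the subkey, rotate right and XOR."""
    b_in, c_star, d_in, a_star = a, b, c, d
    t, u = g(b_in), g(d_in)
    a_in = rotr((a_star - k_l) & MASK32, u & 31) ^ t
    c_in = rotr((c_star - k_r) & MASK32, t & 31) ^ u
    return a_in, b_in, c_in, d_in


def rc6_rounds(block, round_keys):
    for k_l, k_r in round_keys:
        block = rc6_round(*block, k_l, k_r)
    return block


def rc6_rounds_inverse(block, round_keys):
    for k_l, k_r in reversed(round_keys):
        block = rc6_round_inverse(*block, k_l, k_r)
    return block


def rotation_sensitivity(b):
    """How many of the 32 single-bit flips of B change the rotation amount:
    exactly 5 with plain B (RC5), far more once g is applied (RC6)."""
    plain = sum(((b ^ (1 << i)) & 31) != (b & 31) for i in range(32))
    with_g = sum((g(b ^ (1 << i)) & 31) != (g(b) & 31) for i in range(32))
    return plain, with_g


# Constructed sample subkeys for 20 rounds and a constructed block.
ROUND_KEYS = [((0xB7E15163 + (2 * i) * 0x9E3779B9) & MASK32,
               (0xB7E15163 + (2 * i + 1) * 0x9E3779B9) & MASK32) for i in range(20)]
SAMPLE_BLOCK = (0x02132435, 0x46576879, 0x8A9BACBD, 0xCEDFE0F1)


def roundtrip_ok():
    ct = rc6_rounds(SAMPLE_BLOCK, ROUND_KEYS)
    return rc6_rounds_inverse(ct, ROUND_KEYS) == SAMPLE_BLOCK


if __name__ == "__main__":
    print("20 RC6 rounds and their inverse:", roundtrip_ok())
    print("bit flips of B changing the rotation (RC5, RC6):",
          rotation_sensitivity(0x12345678))
```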
Figure 6: One round of RC6 (inputs A, B, D, C; T = g(B), U = g(D); two instances of f; subkeys K_L, K_R; outputs A_new, B_new, D_new, C_new).

Remark about the change of order of the words (A, B, C, D) in Figure 6: Both copies of RC5 are used in a symmetric way. To preserve this symmetry in our figure we changed the order of the words C and D. Hence instead of a rotation of the outgoing 4 words we can see two kinds of mixing of the computation lines: the first provides mixing inside a (strengthened) RC5 instance only and is represented by the transpositions A_new = B, C_new = D; the second mixes the lines of both instances as well: B_new = C*, D_new = A*.

Diffusion: In the Appendix, the DEM estimation of RC6 is computed with the following result: full diffusion is potentially provided by 3 rounds of RC6.

Number of rounds, security and speed of encryption: RC6 with 20 rounds appears to have an adequate security margin and a reasonable speed of encryption. But both of these characteristics are closely connected with the use of data-dependent rotations.

6 Conclusion

We described 4 ways of doubling the block length of a Feistel network connected with 4 former candidates for the AES.

The simplest of them is connected with the cipher DEAL. In this case the whole encryption function of the original cipher (here DES) is used as the F function of the new cipher. However, the resulting cipher is very slow in comparison with other AES candidates.

The second approach is based on inserting the F function of the original cipher into an unbalanced Feistel network. A cycle of this cipher consists of 4 rounds (a quad-round). Full mixing is potentially reached after 7 rounds. For reasonable security a huge number of rounds is needed; the CAST-256 proposal requires 12 quad-rounds, i.e. 48 rounds. Thus the speed of encryption is also considerably low.

The third approach is based on doubling the F function. The original (Blowfish) F function has been essentially modified into the function G and doubled. Mixing of the computation lines connected with these two instances of the function G is provided by the PHT transform. In this way the Twofish F function is obtained. The number of rounds of the resulting cipher needed for full mixing is the same as for a standard Feistel network: in the case of optimal mixing in the F function, three rounds are needed. Twofish is a secure and simultaneously fast cipher.

The last approach is based on doubling and mixing of a modified Feistel network. Two parallel running copies of the original cipher (RC5) round are strengthened and their computations are mixed. RC6 potentially reaches full diffusion after 3 rounds. The security of RC5 and RC6 is influenced heavily by the use of data-dependent rotations.
References

[1] Rudolf B.: Diffusion Evaluation Matrix Applied to (Generalized) Feistel Networks (corrected version), Mikulášská kryptobesídka 2002, sborník přednášek, ECOM-MONITOR.COM.
[2] Meyer C.: Cryptography: A New Dimension in Computer Data Security, John Wiley & Sons, 1982.
[3] Adams C.: The CAST-256 Encryption Algorithm, AES proposal.
[4] Knudsen L.: Contemporary Block Ciphers, Lectures on Data Security, LNCS.
[5] Knudsen L.: DEAL - a 128-bit Block Cipher.
[6] Rivest R. L.: The RC5 Encryption Algorithm, Fast Software Encryption '95, LNCS 1008.
[7] Rivest R. L., Robshaw M. J. B., Yin Y. L.: The RC6 Block Cipher, v.1.1, AES proposal.
[8] Schneier B.: The Twofish Encryption Algorithm: A 128-bit Block Cipher, Dr. Dobb's Journal, December.
[9] Schneier, Kelsey, Whiting, Wagner, Ferguson: Twofish: A 128-bit Block Cipher, AES proposal.
[10] Schneier, Kelsey, Whiting, Wagner, Hall: Performance Comparison of the AES Submissions.
[11] Schneier, Kelsey: Unbalanced Feistel Networks and Block Cipher Design, Fast Software Encryption '96, LNCS 1039.
[12] van Oorschot, Vanstone, Menezes: Handbook of Applied Cryptography, CRC Press, 1996.

Information about the author

RNDr. Bohuslav Rudolf
Studies: Faculty of Mathematics and Physics of Charles University (Mathematical Physics)
1986: Doctor degree (RNDr.) in the subject Interdisciplinary Physics
Research: Faculty of Mechanical Engineering of the Czech Technical University; research project Stochastic Models in Statistical and Quantum Physics; CTU grant Nonlinear Models in Quantum Physics
Shanghai University of Science and Technology (quasi-classical approximation in quantum chaos)
Military Technical Institute of Electronics (risk analysis, public-key cryptography)
2000 - National Security Authority (block cipher analysis)
Appendix - DEM estimation of RC6 rounds

Preliminary information

Definitions of the DEM (D1), output-input component dependence (D2) and σ-reduction (D3)

D1: Let us consider a function ϕ: Y = ϕ(X) working with n-bit variables X and Y. Now we regard the n-bit variables X and Y as m-dimensional vectors. Usually we consider the case m = n/8 (the vector components are bytes). The j-th component of the vector X (or Y) we denote x_j (or y_j). We assign to this function the corresponding diffusion evaluation matrix (DEM), which we denote M(ϕ). Its matrix element m_jk(ϕ) (in the j-th row and k-th column) is by definition equal to 1 if and only if the j-th component y_j of the variable Y depends on the k-th component x_k of the variable X. Otherwise we put m_jk(ϕ) = 0.

D2: For a function ϕ: Y = ϕ(X) and variables X, Y as above, the statement that the j-th component y_j of Y depends on the k-th component x_k of X means the following: there is at least one pair of values (X, X*) of the variable X such that x*_k ≠ x_k, x*_r = x_r for r ≠ k, and y*_j ≠ y_j, where Y = ϕ(X), Y* = ϕ(X*).

D3: Let us consider a real matrix M. Then the σ-reduced matrix σ(M) corresponding to M has the elements σ(m_jk), where σ(m_jk) = 1 if m_jk ≠ 0 and σ(m_jk) = 0 if m_jk = 0 (m_jk is the corresponding element of M).

Theorem about the DEM estimation of a composed mapping: Let the functions ϕ, χ and ψ work with n-bit variables so that ψ = ϕ ∘ χ. Let us regard the n-bit inputs and n-bit outputs of these functions as m-dimensional vectors. Then for the DEMs of these functions the following inequality holds:

$$M(\psi) = M(\phi \circ \chi) \le \sigma[M(\phi) \cdot M(\chi)],$$

where · denotes standard matrix multiplication and the inequality M ≤ N of matrices means that m_jk ≤ n_jk for every pair of indices (j, k).

Full diffusion and the matrix E: We say that a function ϕ has full diffusion iff every component of its output Y depends on all components of its input X. The corresponding diffusion evaluation matrix contains only 1s as its elements. This kind of matrix we call the full diffusion matrix and denote it E.

Potentially full diffusion: Usually we are interested in the lowest number of rounds needed for full diffusion. But we compute a DEM estimation only (and not the DEM value). This follows from our use of the inequality for the DEM of a composed function. Accordingly we obtain the results of the estimation in the form: the n-round DEM of the considered function is less than or equal to E. However, in many cases this simply means that this DEM is equal to E. For this reason we speak about potentially full diffusion in these cases.

Identity matrix I: We also use the identity matrix, which we denote I. It has non-zero elements on its diagonal only; they are all equal to 1.

Work with the matrices E and I: To make σ-reduced multiplications of matrices M and N (containing E and I as submatrices) we can use the following equations: σ( ) = σ( ) = σ() = , σ( ) = , σ( ) = σ() = , σ( ) = σ( ) = σ( ) = , σ( ) = .

Rotational matrices: The left circular shift of a bit string by α bits we express by a (rotational) matrix M_α. Let us notice that the DEM of this mapping is simply equal to this matrix: M(M_α) = M_α. In the following computation we do not need an explicit form of this matrix.
Work with rotational matrices: It is evident that the following equations hold: σ( α ) = σ( α ) = σ( α ) = α, σ( α β ) = σ( α β ) = α β, σ( α ) = σ( α ) = σ() = , σ( α ) = σ( α ) = . If we need to express σ( α ), σ( α β ) we have to use an explicit form of a rotational matrix. It is not so complicated, but in the following computation we do not need it.

Calculations

To be closer to the figure we change the notation of the words in the following way: (A, B, C, D) → (α, β, γ, δ) = (A, B, D, C). Then the round equations become:

$$\alpha^* = \{[\alpha \oplus g(\beta)] \lll g(\gamma)\} + K_L, \qquad \delta^* = \{[\delta \oplus g(\gamma)] \lll g(\beta)\} + K_R,$$
$$(\alpha_{new}, \beta_{new}, \gamma_{new}, \delta_{new}) = (\beta, \delta^*, \alpha^*, \gamma)$$

The round mapping R we regard as a composed mapping R = q_4 ∘ q_3 ∘ q_2 ∘ q_1, where (α*, β*, γ*, δ*) = q_i(α, β, γ, δ) with:

$$q_1:\ \alpha^* = \alpha \oplus g(\beta),\ \beta^* = \beta,\ \gamma^* = \gamma,\ \delta^* = \delta \oplus g(\gamma)$$
$$q_2:\ \alpha^* = \alpha \lll g(\gamma),\ \beta^* = \beta,\ \gamma^* = \gamma,\ \delta^* = \delta \lll g(\beta)$$
$$q_3:\ \alpha^* = \alpha + K_L,\ \beta^* = \beta,\ \gamma^* = \gamma,\ \delta^* = \delta + K_R$$
$$q_4:\ (\alpha^*, \beta^*, \gamma^*, \delta^*) = (\beta, \delta, \alpha, \gamma)$$

DEM of the function g: It is equal to E: M(g) = E. Every bit of a modular product depends on all bits of its factors.

DEM of subkey adding: It depends on the value of the subkey. Hence we consider the worst diffusion case only. It is connected with the particular subkey value K_L = K_R = 0. Then M(q_3,worst) = I.

Accordingly we obtain the corresponding formulas for the DEMs M(q_1), M(q_2), M(q_3,worst) = I and M(q_4) of the mappings q_j. Here the symbols M_γ and M_α denote the rotational matrices for the left circular shifts by the 5 least significant bits of the words g(γ) and g(α), respectively.

The DEM estimation of a round then has the form:

$$M(R) \le \sigma[M(q_4) \cdot M(q_{3,worst}) \cdot M(q_2) \cdot M(q_1)].$$

Now we need to distinguish the rotational matrices connected with different rounds. The matrices M_α, M_β connected with the j-th round we denote M_α(j), M_β(j). The DEM estimation of two rounds (for instance rounds 1 and 2) we obtain by the σ-reduced multiplication of the two one-round estimations:

$$M(2R) \le \sigma[M(R_2) \cdot M(R_1)].$$

It is evident that the DEM estimation of 3 rounds gives M(3R) ≤ E. Hence 3 rounds of RC6 provide potentially full diffusion.
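The DEM machinery of this Appendix and the RC6 diffusion claim of Section 5 as an added example (not the paper's code): σ-reduced products, the composition theorem applied to R = q_4 ∘ q_3 ∘ q_2 ∘ q_1, and the smallest round count whose estimate is E. Simplifying assumption: each 32-bit word is one vector component, so g and the data-dependent rotation are taken to have full diffusion on the word they act on and the key addition in its worst case (I); this replaces the rotational matrices by E and can only over-estimate, which is consistent with an estimation.

```python
"""Diffusion evaluation matrix (DEM) estimation for the RC6 round (added
example; word-level simplification, see the comments)."""


def sigma_product(m, n):
    """sigma(M * N): entry (j, i) is 1 iff some k has m[j][k] = n[k][i] = 1."""
    size = len(m)
    return [[int(any(m[j][k] and n[k][i] for k in range(size)))
             for i in range(size)] for j in range(size)]


def compose(*dems):
    """Estimate for phi_1 o phi_2 o ... (rightmost applied first):
    sigma[M(phi_1) * sigma[M(phi_2) * ...]]."""
    acc = dems[-1]
    for m in reversed(dems[:-1]):
        acc = sigma_product(m, acc)
    return acc


def is_full(m):
    """True iff m is the full diffusion matrix E."""
    return all(all(e == 1 for e in row) for row in m)


def rounds_to_full_diffusion(round_dem, max_rounds=64):
    """Smallest r such that the r-round estimate equals E (potentially full)."""
    acc = round_dem
    for r in range(1, max_rounds + 1):
        if is_full(acc):
            return r
        acc = sigma_product(round_dem, acc)
    return None


def dem(names, deps):
    """Build a 0/1 DEM from {output word: set of input words it depends on};
    rows are outputs, columns are inputs."""
    idx = {n: i for i, n in enumerate(names)}
    m = [[0] * len(names) for _ in names]
    for out, ins in deps.items():
        for inp in ins:
            m[idx[out]][idx[inp]] = 1
    return m


WORDS = ["alpha", "beta", "gamma", "delta"]   # (A, B, D, C) as in the Appendix

# Direct word-level DEM of one RC6 round:
#   alpha* = {[alpha ^ g(beta)] <<< g(gamma)} + K_L  -> depends on alpha, beta, gamma
#   delta* = {[delta ^ g(gamma)] <<< g(beta)} + K_R  -> depends on delta, gamma, beta
#   (alpha, beta, gamma, delta)_new = (beta, delta*, alpha*, gamma)
RC6_ROUND = dem(WORDS, {"alpha": {"beta"},
                        "beta": {"beta", "gamma", "delta"},
                        "gamma": {"alpha", "beta", "gamma"},
                        "delta": {"gamma"}})

# The same round as the composition R = q4 o q3 o q2 o q1 (word level, so the
# rotational matrices of q2 are replaced by E and g by E).
Q1 = dem(WORDS, {"alpha": {"alpha", "beta"}, "beta": {"beta"},
                 "gamma": {"gamma"}, "delta": {"delta", "gamma"}})   # XOR with g(.)
Q2 = dem(WORDS, {"alpha": {"alpha", "gamma"}, "beta": {"beta"},
                 "gamma": {"gamma"}, "delta": {"delta", "beta"}})    # data-dependent rotations
Q3 = dem(WORDS, {w: {w} for w in WORDS})                             # worst-case subkey add = I
Q4 = dem(WORDS, {"alpha": {"beta"}, "beta": {"delta"},
                 "gamma": {"alpha"}, "delta": {"gamma"}})            # word permutation


def composition_matches_direct():
    """The composed estimate equals the direct one-round DEM."""
    return compose(Q4, Q3, Q2, Q1) == RC6_ROUND


if __name__ == "__main__":
    print("composition q4.q3.q2.q1 matches direct DEM:", composition_matches_direct())
    print("rounds of RC6 for potentially full diffusion:",
          rounds_to_full_diffusion(RC6_ROUND))
```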
More informationSOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies
SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li 1, Bing Sun 1, Chao Li 1,2, and Longjiang Qu 1,3 1 Department of Mathematics and System Science, Science College, National
More informationCryptanalysis of Akelarre Niels Ferguson Bruce Schneier DigiCash bv Counterpane Systems Kruislaan E Minnehaha Parkway 1098 VA Amsterdam, Nethe
Cryptanalysis of Akelarre Niels Ferguson Bruce Schneier DigiCash bv Counterpane Systems Kruislaan 9 0 E Minnehaha Parkway 098 VA Amsterdam, Netherlands Minneapolis, MN 559, USA niels@digicash.com schneier@counterpane.com
More informationComplementing Feistel Ciphers
Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,
More informationAnalysis of SHA-1 in Encryption Mode
Analysis of SHA- in Encryption Mode [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 00, vol. 00 of Lecture Notes in Computer Science, pp. 70 83, Springer-Verlag, 00.] Helena Handschuh, Lars
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationAES side channel attacks protection using random isomorphisms
Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random
More informationImpossible Differential Attacks on 13-Round CLEFIA-128
Mala H, Dakhilalian M, Shakiba M. Impossible differential attacks on 13-round CLEFIA-128. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 26(4): 744 750 July 2011. DOI 10.1007/s11390-011-1173-0 Impossible Differential
More informationTruncated differential cryptanalysis of five rounds of Salsa20
Truncated differential cryptanalysis of five rounds of Salsa20 Paul Crowley 17th October 2005 Abstract We present an attack on Salsa20 reduced to five of its twenty rounds. This attack uses many clusters
More informationBlock Ciphers and Feistel cipher
introduction Lecture (07) Block Ciphers and cipher Dr. Ahmed M. ElShafee Modern block ciphers are widely used to provide encryption of quantities of information, and/or a cryptographic checksum to ensure
More informationBlock Cipher Cryptanalysis: An Overview
0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution
More informationOn Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds
On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds Taizo Shirai 1, and Bart Preneel 2 1 Sony Corporation, Tokyo, Japan taizo.shirai@jp.sony.com 2 ESAT/SCD-COSIC, Katholieke Universiteit
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers
More informationImproved Cascaded Stream Ciphers Using Feedback
Improved Cascaded Stream Ciphers Using Feedback Lu Xiao 1, Stafford Tavares 1, Amr Youssef 2, and Guang Gong 3 1 Department of Electrical and Computer Engineering, Queen s University, {xiaolu, tavares}@ee.queensu.ca
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More informationFFT-Based Key Recovery for the Integral Attack
FFT-Based Key Recovery for the Integral Attack Yosuke Todo NTT Secure Platform Laboratories Abstract. The integral attack is one of the most powerful attack against block ciphers. In this paper, we propose
More informationThe Advanced Encryption Standard
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 48 The Advanced Encryption Standard Successor of DES DES considered insecure; 3DES considered too slow. NIST competition in 1997 15
More informationStructural Evaluation by Generalized Integral Property
Structural Evaluation by Generalized Integral Property Yosue Todo NTT Secure Platform Laboratories, Toyo, Japan todo.yosue@lab.ntt.co.jp Abstract. In this paper, we show structural cryptanalyses against
More informationA new version of the RC6 algorithm, stronger against χ 2 cryptanalysis
A new version of the RC6 algorithm, stronger against χ 2 cryptanalysis Routo Terada 1 Eduardo T. Ueda 2 1 Dept. of Computer Science University of São Paulo, Brazil Email: rt@ime.usp.br 2 Dept. of Computer
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under
More informationRevisit and Cryptanalysis of a CAST Cipher
2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia
More informationCryptanalysis of EnRUPT
Cryptanalysis of EnRUPT Dmitry Khovratovich and Ivica Nikolić University of Luxembourg Abstract. In this paper we present a preimage attack on EnRUPT- 512. We exploit the fact that the internal state is
More informationStream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida
Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits
More informationCryptanalysis of a Multistage Encryption System
Cryptanalysis of a Multistage Encryption System Chengqing Li, Xinxiao Li, Shujun Li and Guanrong Chen Department of Mathematics, Zhejiang University, Hangzhou, Zhejiang 310027, China Software Engineering
More informationStatistical Analysis of chi-square A. Author(s)ISOGAI, Norihisa; MIYAJI, Atsuko; NO
JAIST Reposi https://dspace.j Title Statistical Analysis of chi-square A Author(s)ISOGAI, Norihisa; MIYAJI, Atsuko; NO Citation IEICE TRANSACTIONS on Fundamentals o Electronics, Communications and Comp
More informationLinear Approximations for 2-round Trivium
Linear Approximations for 2-round Trivium Meltem Sönmez Turan 1, Orhun Kara 2 1 Institute of Applied Mathematics, Middle East Technical University Ankara, Turkey msonmez@metu.edu.tr 2 TUBITAK-UEKAE, Gebze,
More informationOptimized Interpolation Attacks on LowMC
Optimized Interpolation Attacks on LowMC Itai Dinur 1, Yunwen Liu 2, Willi Meier 3, and Qingju Wang 2,4 1 Département d Informatique, École Normale Supérieure, Paris, France 2 Dept. Electrical Engineering
More informationThe Artin-Feistel Symmetric Cipher
The Artin-Feistel Symmetric Cipher May 23, 2012 I. Anshel, D. Goldfeld. Introduction. The Feistel cipher and the Braid Group The main aim of this paper is to introduce a new symmetric cipher, which we
More informationAutomatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)
Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version) Shengbao Wu 1,2, Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190,
More informationCryptanalysis of the SIMON Family of Block Ciphers
Cryptanalysis of the SIMON Family of Block Ciphers Hoda A. Alkhzaimi and Martin M. Lauridsen DTU Compute Section for Cryptology Department of Applied Mathematics and Computer Science Matematiktorvet, building
More information18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh
18733: Applied Cryptography Anupam Datta (CMU) Block ciphers Online Cryptography Course What is a block cipher? Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical
More informationIntroduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES
CSC/ECE 574 Computer and Network Security Topic 3.1 Secret Key Cryptography Algorithms CSC/ECE 574 Dr. Peng Ning 1 Outline Introductory Remarks Feistel Cipher DES AES CSC/ECE 574 Dr. Peng Ning 2 Introduction
More informationFurther improving security of Vector Stream Cipher
NOLTA, IEICE Paper Further improving security of Vector Stream Cipher Atsushi Iwasaki 1a) and Ken Umeno 2 1 Fukuoka Institute of Technology Wajiro-higashi, Higashiku, Fukuoka 811-0295, Japan 2 Graduate
More informationEfficient Cryptanalysis of Homophonic Substitution Ciphers
Efficient Cryptanalysis of Homophonic Substitution Ciphers Amrapali Dhavare Richard M. Low Mark Stamp Abstract Substitution ciphers are among the earliest methods of encryption. Examples of classic substitution
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationLinear Cryptanalysis Using Multiple Approximations
Linear Cryptanalysis Using Multiple Approximations Burton S. Kaliski Jr. and M.J.B. Robshaw RSA Laboratories 100 Marine Parkway Redwood City, CA 94065, USA Abstract. We present a technique which aids in
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationProduct Systems, Substitution-Permutation Networks, and Linear and Differential Analysis
Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis Cryptology, lecture 3 Stinson, Section 2.7 3.4 Tuesday, February 12th, 2008 1 Composition Product 2 Substitution-Permutation
More informationSecurity of Random Feistel Schemes with 5 or more Rounds
Security of Random Feistel Schemes with 5 or more Rounds Jacques Patarin Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract. We study cryptographic attacks on random
More informationTHE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018
THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 CPSC 418/MATH 318 L01 October 17, 2018 Time: 50 minutes
More informationSimple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)
Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Henry Ng Henry.Ng.a@gmail.com Abstract. A new cryptographic pseudorandom number generator Cilia is presented. It hashes
More informationA Unified Method for Finding Impossible Differentials of Block Cipher Structures
A Unified Method for inding Impossible Differentials of Block Cipher Structures Yiyuan Luo 1,2, Zhongming Wu 1, Xuejia Lai 1 and Guang Gong 2 1 Department of Computer Science and Engineering, Shanghai
More informationRelated-Key Rectangle Attack on Round-reduced Khudra Block Cipher
Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy
More information18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh
18733: Applied Cryptography Anupam Datta (CMU) Block ciphers Online Cryptography Course What is a block cipher? Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical
More informationCryptanalysis of Hiji-bij-bij (HBB)
Cryptanalysis of Hiji-bij-bij (HBB) Vlastimil Klíma LEC s.r.o., Národní 9, Prague, Czech Republic v.klima@volny.cz Abstract. In this paper, we show several known-plaintext attacks on the stream cipher
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationStructural Cryptanalysis of SASAS
tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which
More informationAnalysis of Some Quasigroup Transformations as Boolean Functions
M a t h e m a t i c a B a l k a n i c a New Series Vol. 26, 202, Fasc. 3 4 Analysis of Some Quasigroup Transformations as Boolean Functions Aleksandra Mileva Presented at MASSEE International Conference
More informationNew Results in the Linear Cryptanalysis of DES
New Results in the Linear Cryptanalysis of DES Igor Semaev Department of Informatics University of Bergen, Norway e-mail: igor@ii.uib.no phone: (+47)55584279 fax: (+47)55584199 May 23, 2014 Abstract Two
More informationLinear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015
Kaisa Nyberg Department of Computer Science Aalto University School of Science s 2 r t S3, Sackville, August 11, 2015 Outline Linear characteristics and correlations Matsui s algorithms Traditional statistical
More informationOn the Salsa20 Core Function
On the Salsa20 Core Function Julio Cesar Hernandez-Castro, Juan M. E. Tapiador, and Jean-Jacques Quisquater Crypto Group, DICE, Universite Louvain-la-Neuve Place du Levant, 1 B-1348 Louvain-la-Neuve, Belgium
More informationOutline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael
Outline CPSC 418/MATH 318 Introduction to Cryptography Advanced Encryption Standard Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in
More informationAlgebraic properties of SHA-3 and notable cryptanalysis results
Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =
More informationMod n Cryptanalysis, with Applications Against RC5P and M6
Mod n Cryptanalysis, with Applications Against RC5P and M6 John Kelsey, Bruce Schneier, and David Wagner Abstract. We introduce mod n cryptanalysis, a form of partitioning attack that is effective against
More informationBit-Pattern Based Integral Attack
Bit-Pattern Based Integral Attack Muhammad Reza Z aba 1,Håvard Raddum 2,,MattHenricksen 3, and Ed Dawson 1 1 Information Security Institute, Queensland University of Technology, GPO Box 2434, Brisbane,
More informationMILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers
MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers Ling Sun 1, Wei Wang 1, Meiqin Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security,
More informationEssential Algebraic Structure Within the AES
Essential Algebraic Structure Within the AES Sean Murphy and Matthew J.B. Robshaw Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, U.K. s.murphy@rhul.ac.uk m.robshaw@rhul.ac.uk
More informationDivision Property: a New Attack Against Block Ciphers
Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption
More informationAll-Or-Nothing Transforms Using Quasigroups
All-Or-Nothing Transforms Using Quasigroups Stelios I Marnas, Lefteris Angelis, and George L Bleris Department of Informatics, Aristotle University 54124 Thessaloniki, Greece Email: {marnas,lef,bleris}@csdauthgr
More informationBeyond the MD5 Collisions
Beyond the MD5 Collisions Daniel Joščák Daniel.Joscak@i.cz S.ICZ a.s. Hvězdova 1689/2a, 140 00 Prague 4; Faculty of Mathematics and Physics, Charles University, Prague Abstract We summarize results and
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 08 Shannon s Theory (Contd.)
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationModified Hill Cipher for a Large Block of Plaintext with Interlacing and Iteration
Journal of Computer Science 4 (1): 15-20, 2008 ISSN 1549-3636 2008 Science Publications Modified Hill Cipher for a Large Block of Plaintext with Interlacing and Iteration V.U.K. Sastry and N. Ravi Shankar
More informationBiomedical Security. Overview 9/15/2017. Erwin M. Bakker
Biomedical Security Erwin M. Bakker Overview Cryptography: Algorithms Cryptography: Protocols Pretty Good Privacy (PGP) / B. Schneier Workshop Biomedical Security Biomedical Application Security (guest
More informationOn Correlation Between the Order of S-boxes and the Strength of DES
On Correlation Between the Order of S-boxes and the Strength of DES Mitsuru Matsui Computer & Information Systems Laboratory Mitsubishi Electric Corporation 5-1-1, Ofuna, Kamakura, Kanagawa, 247, Japan
More informationMATH3302 Cryptography Problem Set 2
MATH3302 Cryptography Problem Set 2 These questions are based on the material in Section 4: Shannon s Theory, Section 5: Modern Cryptography, Section 6: The Data Encryption Standard, Section 7: International
More informationA Sound Method for Switching between Boolean and Arithmetic Masking
A Sound Method for Switching between Boolean and Arithmetic Masking Louis Goubin CP8 Crypto Lab, SchlumbergerSema 36-38 rue de la Princesse, BP45 78430 Louveciennes Cedex, France Louis.Goubin@louveciennes.tt.slb.com
More informationSymmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway
Symmetric Cryptanalytic Techniques Sean Murphy ショーン マーフィー Royal Holloway Block Ciphers Encrypt blocks of data using a key Iterative process ( rounds ) Modified by Modes of Operation Data Encryption Standard
More informationThesis Research Notes
Thesis Research Notes Week 26-2012 Christopher Wood June 29, 2012 Abstract This week was devoted to reviewing some classical literature on the subject of Boolean functions and their application to cryptography.
More informationNew Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia
New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya iu 1, eibo i 2,3, Dawu Gu 1, Xiaoyun Wang 2,3,4, Zhiqiang iu 1, Jiazhe Chen 2,3, Wei i 5,6 1 Department of Computer
More informationK Anup Kumar et al,int.j.comp.tech.appl,vol 3 (1), 23-31
K Anup Kumar et al,int.j.comp.tech.appl,vol 3 (1), 23-31 A Modified Feistel Cipher involving a key as a multiplicant on both the sides of the Plaintext matrix and supplemented with Mixing Permutation and
More informationImpossible differential and square attacks: Cryptanalytic link and application to Skipjack
UCL Crypto Group Technical Report Series Impossible differential and square attacks: Cryptanalytic link and application to Skipjack Gilles Piret Jean-Jacques Quisquater REGARDS GROUPE http://www.dice.ucl.ac.be/crypto/
More informationAn Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations
An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations J.H. Silverman 1, N.P. Smart 2, and F. Vercauteren 2 1 Mathematics Department, Box 1917, Brown
More informationPerfect Diffusion Primitives for Block Ciphers
Perfect Diffusion Primitives for Block Ciphers Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay École Polytechnique Fédérale de Lausanne (Switzerland) {pascaljunod, sergevaudenay}@epflch
More informationWeaknesses in the HAS-V Compression Function
Weaknesses in the HAS-V Compression Function Florian Mendel and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010
More informationThe Improved 96th-Order Differential Attack on 11 Rounds of the Block Cipher CLEFIA
he Improved 96th-Order Differential Attack on 11 Rounds of the Block Cipher CLEFIA Yasutaka Igarashi, Seiji Fukushima, and omohiro Hachino Kagoshima University, Kagoshima, Japan Email: {igarashi, fukushima,
More informationCHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT
82 CHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT 83 5.1 Introduction In a pioneering paper, Hill [5] developed a block cipher by using the modular arithmetic inverse
More informationMasterMath Cryptology /2 - Cryptanalysis
MasterMath Cryptology 2015 2/2 Cryptanalysis Wednesday, 8 April, 2015 10:38 9. Differential cryptanalysis (v2) 9.1. Differential cryptanalysis In differential analysis we simultaneously consider two encryptions
More information