hold or a eistel cipher. We nevertheless prove that the bound given by Nyberg and Knudsen still holds or any round keys. This stronger result implies
|
|
- Justin White
- 5 years ago
- Views:
Transcription
1 Dierential cryptanalysis o eistel ciphers and dierentially uniorm mappings Anne Canteaut INRIA Projet codes Domaine de Voluceau BP Le Chesnay Cedex rance Abstract In this paper we study the round permutations (or Sboxes) which provide to eistel ciphers the best resistance against dierential cryptanalysis. We prove that a eistel cipher with any round keys and with at least 5 rounds resists any dierential attack i its round permutation is dierentially uniorm or a small. This improves an earlier result due to Nyberg and Knudsen which only held or independent and uniormly random round keys. We also give some necessary conditions or a mapping to be almost perect nonlinear (i.e. dierentially 2uniorm). 1 Introduction The underlying motivation o this work is the design o a eistel cipher which resists all classical attacks. The DES cipher seems to have this property since no cryptanalysis is really more ecient than an exhaustive search or the key. But it would be very important to nd a new secure DESlike cipher because the size o the secretkey used in DES makes a bruteorce attack easible. The main problem is thereore to replace the Sboxes used in DES with another unction which resists both dierential and linear cryptanalysis. In this paper we study the round permutations (which play the same role as the Sboxes) which ensure that the corresponding eistel cipher is secure against dierential cryptanalysis. In [NK93] Nyberg and Knudsen gave a condition under which a eistel cipher resists dierential cryptanalysis \in average". They actually gave an upper bound on the probability o any rround dierential o a eistel cipher, or r 3, but this bound only holds when the round keys are independent and uniormly random. This result does thereore not rule out the existence o some weak round keys or which a dierential attack would be easible. A lower bound on the complexity o a practical dierential attack can then only be deduced i it is additionally assumed that the hypothesis o stochastic equivalence [LMM91] is satised, i.e. i the dierentials have roughly the same probabilities or all round keys. But we here show that this urther assumption does usually not On leave at Institute or Signal and Inormation Processing, ETH Zurich, Switzerland 1
2 hold or a eistel cipher. We nevertheless prove that the bound given by Nyberg and Knudsen still holds or any round keys. This stronger result implies that a eistel cipher resists any dierential attack i the round permutation is dierentially uniorm or a small. The resistance o a eistel cipher against dierential cryptanalysis does thereore not require any urther assumption on the round keys or on the key scheduling algorithm. We rst briey recall in Section 2 how dierential cryptanalysis works. Section 3 is then devoted to the complexity o a dierential attack o a eistel cipher: we show why NybergKnudsen's result does not suce to ensure that some eistel ciphers are practically secure against dierential cryptanalysis. We aterwards improve this result since we show that a eistel cipher with any round keys resists dierential cryptanalysis as ar as its round permutation is dierentially uniorm or a small. Section 4 gives some general properties o dierentially uniorm mappings and some necessary conditions or a permutation to be almost perect nonlinear (APN), i.e. dierentially 2uniorm. ollowing a result due to Carlet, Charpin and Zinoviev [CCZ97] we also prove that the smallest value o or which a power polynomial is dierentially uniorm is strongly related to the number o codewords o Hamming weight 3 and 4 in some binary cyclic codes with 2 zeroes. 2 Dierential cryptanalysis o iterated ciphers In an iterated block cipher with r rounds the ciphertext is obtained by iterating r times an invertible unction, called the round unction, depending on a secret parameter K called the round key. The r round keys are usually obtained rom a unique secret key by a key scheduling algorithm. A dierential attack [BS91] o such an iterated cipher consists in encrypting some plaintexts which only dier rom a xed value. The dierence between two plaintexts X and X 0 is here dened by a group operation on the set o plaintexts: X = X X 0?1 where X 0?1 denotes the inverse o X 0 with respect to the group operation. This attack exploits the act that the round unction o an iterated cipher is usually cryptographically weak. This means that the value o the round key K can usually be determined rom the knowledge o the dierence between the inputs o the unction, X, and rom both outputs Y and Y 0. The basic idea o a dierential attack thereore consists in submitting two dierent plaintexts X and X 0 = X or encryption and in estimating the value o the input dierence o the last round Y (r? 1) (see igure 1). I the round unction is cryptographically weak, it is then possible to recover the value o the lastround key K r. Dierential cryptanalysis will then be successul i there exists an (r? 1) round dierential (; ) such that P = P [Y (r? 1) = jy (0) = ; K 1 = k 1 ; : : : ; K r?1 = k r?1 ] (1)
3 Y (0) = m 6 Y (1). Y (r? 1) 6 Y (r) = c Y (0) = K 1 = k 1 K 2 = k 2 Y (r? 1) = K r = k r? Y 0 (0) = m 0 Y 0 (1).? Y 0 (r? 1) Y 0 (r) = c 0 igure 1: Dierential cryptanalysis o an iterated cipher is high. As soon as such an (r? 1)round dierential is known, the attack consists in iterating the ollowing procedure: Choose a plaintext m uniormly at random and submit m and m or encryption. Suppose that Y (r? 1) = and determine all corresponding possible values or K r. Ater many steps one value or K r will occur signicantly more oten than the other ones. The number o such iterations required or recovering the value o the lastround key is then at least [LMM91] 1 P? 1 2 n?1 where P is given by Equation (1) and n is the plaintext size.. An iterated cipher then resists dierential cryptanalysis i, or a xed plaintext dierence, the probability distribution o the output dierence at the lastbutone round is close to the uniorm distribution. The main problem in this attack is to estimate the probability o a dierential as expressed in Equation (1) since the rst (r? 1) round keys are unknown. In most cases we are actually only able to compute the probability o a dierential when the round keys are independent and uniormly random, i.e. P [Y (r? 1) = jy (0) = ]. I we want to deduce rom this probability whether a dierential attack is easible, we have to assume that the probability o a dierential is roughly the same or almost all round keys. This additional condition called the hypothesis o stochastic equivalence was pointed out by Lai, Massey and Murphy [LMM91]. Denition 1 (Hypothesis o stochastic equivalence) or an (r?1)round dierential (; ), P [Y (r? 1) = jy (0) = ; K 1 = k 1 ; : : : ; K r?1 = k r?1 ] ' P [Y (r? 1) = jy (0) = ] or almost all round keys k 1 ; : : : k r?1.
4 I this hypothesis is not satised, a dierential may have a low probability in average but its probability may nevertheless be high or some particular round keys. This would mean that some round keys would be weak in the sense that the corresponding cipher would not resist dierential cryptanalysis. 3 Resistance o eistel ciphers against dierential cryptanalysis We are now interested in the complexity o a dierential attack o a eistel cipher when the dierence is dened by the bitwise XOR denoted by An upper bound on the average probability o any dierential We here only consider eistel ciphers with block size 2n without expansion. In this case, the round permutation is designed as ollows: : n 2 n 2! n 2 n 2 (L; R) 7! (R; L + (R + K i )) where + denotes the exclusiveor operation, K i 2 n 2 is the ith round key and is a permutation over n 2, called the round permutation. Using the particular structure o this round unction Nyberg and Knudsen [NK93] gave an upper bound on the probability o any rround dierential or r 3 when the round keys are independent and uniormly random. They actually proved the ollowing result: Proposition 1 [NK93] or a eistel cipher with block size 2n, with round permutation and with independent uniormly random round keys, the probability o any rround dierential (; ), 6= 0, or r 3 satises where = max P [Y (r) = jy (0) = ] 2 max jx 2 n 2 ; (X + ) + (X) = gj 6=0 This proposition then implies that any eistel cipher with at least 5 rounds resists dierential cryptanalysis i the round permutation is such that is small and i the hypothesis o stochastic equivalence is satised. In order to use this theoretical result in practice, Knudsen [Knu94] called a eistel cipher a practically secure eistel cipher i it resists dierential cryptanalysis under the assumption o independent uniormly random round keys. But it unortunately seems that the hypothesis o stochastic equivalence does not hold in general or a eistel cipher.
5 3.2 Hypothesis o stochastic equivalence or eistel ciphers As an example we here show that the hypothesis o stochastic equivalence is not satised or a small eistel cipher with block size 8. The round permutation o this cipher is dened by : 2 4! 2 4 x 7! x 7 where the vector space 4 2 is identied with the nite eld with 16 elements. or this small eistel cipher, we give the probabilities o two dierent 3round dierentials (; ) = and = When the round keys are independent and uniormly random, we obtain P [Y (3) = jy (0) = ] = 9:8 10?3 But when the rst 3 round keys are xed, we get P [Y (3) = jy (0) = ; K 1 = k 1 ; K 2 = k 2 ; K 3 = k 3 ] = 0 or 50 % o the keys = 7:8 10?3 or 25 % o the keys = 3:12 10?2 or 25 % o the keys = and = When the round keys are independent and uniormly random, this 3round dierential has probability P [Y (3) = jy (0) = ] = 1:56 10?2 But or xed round keys this probability actually equals P [Y (3) = jy (0) = ; K 1 = k 1 ; K 2 = k 2 ; K 3 = k 3 ] = 0 or 75 % o the keys = 6:25 10?2 or 25 % o the keys It then turns out that or this particular eistel cipher the hypothesis o stochastic equivalence does not hold. urthermore the computation o the probability o some 3round dierentials or many dierent small eistel ciphers leads to similar results. This then implies that the result given by Nyberg and Knudsen does not allow to deduce i a dierential attack o a eistel cipher is easible in practice. 3.3 A practical result on the resistance o eistel ciphers against dierential cryptanalysis The hypothesis o stochastic equivalence is nevertheless satised or any eistel cipher in some particular cases. We here denote by (; ) the number o solutions X 2 n 2 o the equation (X + ) + (X) =
6 Proposition 2 or any eistel cipher with block size 2n, the hypothesis o stochastic equivalence exactly holds or any 2round dierential (; ). Moreover we have or any L ; R ; L ; R 2 n 2 and or any round keys k 1 and k 2, P [Y (2) = ( L ; R )jy (0) = ( L ; R ); K 1 = k 1 ; K 2 = k 2 ] = P [Y (2) = ( L ; R )jy (0) = ( L ; R )] = ( R ; L + L ) ( L ; R + R ) Proo. We denote by R(i) the right hal o the input o the (i + 1)th round. SimilarlyZ(i) = (R(i)+K i+1 ). When the round keys are xed, the probability o a 2round dierential can be decomposed as ollows: P = P [Y (2) = ( L ; R )jy (0) = ; K 1 = k 1 ; K 2 = k 2 ] = P [Z(1) = R + R jr(1) = L ; Y (0) = ( L ; R ); K 1 = k 1 ; K 2 = k 2 ] P [Z(0) = L + L jy (0) = ( L ; R ); K 1 = k 1 ] Since R(0) is uniormly random, we obviously have that P [Z(0) = L + L jy (0) = ( L ; R ); K 1 = k 1 ] = ( R ; L + L ) 2 n On the other hand, we have X P [Z(1) = R + R jr(1) = L ; Y (0) = ( L ; R ); K 1 = k 1 ; K 2 = k 2 ] =? P [Z(1) = R + R jr(1) = L ; R(1) + k 2 = r] r P [R(1) + k 2 = rjr(1) = L ; Y (0) = ( L ; R ); K 1 = k 1 ] Since R(1) = (R(0) + k 1 ) + L(0) and since L(0) is uniormly distributed, the random variable R(1) is uniormly distributed even i R(1) and Y (0) are xed. We then obtain that P [Z(1) = R + R jr(1) = L ; Y (0) = ( L ; R ); K 1 = k 1 ; K 2 = k 2 ] = P [Z(1) = R + R jr(1) = L ] = ( L ; R + R ) 2 n 2 The hypothesis o stochastic equivalence is also satised or some 3round dierentials as asserted in the ollowing proposition. Proposition 3 or any eistel cipher with block size 2n, the hypothesis o stochastic equivalence exactly holds or any 3round dierential (( L ; R ); ( L ; R )) such that R = 0 or L = R. We additionally have that or any round keys k 1 ; k 2 and k 3, P [Y (3) = ( L ; R )jy (0) = ( L ; 0); (K 1 ; K 2 ; K 3 ) = (k 1 ; k 2 ; k 3 )] = ( L ; L ) ( L ; R + L ) P [Y (3) = ( R ; R )jy (0) = ( L ; R ); (K 1 ; K 2 ; K 3 ) = (k 1 ; k 2 ; k 3 )] = ( R ; L ) ( R ; R )
7 Proo. R = 0. In this case, the rst round o the cipher is a trivial round. Thus R(1) = L with probability 1. The random variable R(1) is then uniormly distributed when L(0) and R(0) are uniormly random. We then obtain P [Y (3) = ( L ; R )jy (0) = ( L ; 0); (K 1 ; K 2 ; K 3 ) = (k 1 ; k 2 ; k 3 )] = P [Y (3) = ( L ; R )jy (1) = ( R ; L ); (K 2 ; K 3 ) = (k 2 ; k 3 )] = ( L ; L ) ( L ; R + L ) where the last equality is deduced rom Proposition 2. L = R In this case Z(1) = 0. Since is a permutation, this can only occur when R(1) = 0. This implies that the second round o the cipher is here a trivial round. We then have P [Y (3) = ( R ; R )jy (0) = ( L ; R ); K 1 = k 1 ; K 2 = k 2 ; K 3 = k 3 ] = ( R ; L ) 2 n P [Z(2) = R jr(2) = R ; Y (0) = ( L ; R ); K 1 = k 1 ; K 2 = k 2 ; K 3 = k 3 ] On the other hand the random variable R(2) is uniormly distributed in this case even i the dierences R(2), Y (0) and the rst two round keys are xed. This implies that P [Z(2) = R jr(2) = R ; Y (0) = ( L ; R ); K 1 = k 1 ; K 2 = k 2 ; K 3 = k 3 ] = and we thereore conclude that P [Z(2) = R jr(2) = R ] P [Y (3) = ( R ; R )jy (0) = ( L ; R ); (K 1 ; K 2 ; K 3 ) = (k 1 ; k 2 ; k 3 )] = ( R ; L ) ( R ; R ) 2 Using that the hypothesis is always satised in these both cases, we now prove that the upper bound on the probability o a dierential given by Nyberg and Knudsen still holds or any round keys. Theorem 1 or a eistel cipher with block size 2n, with round permutation and with any round keys k 1 ; : : : ; k r, the probability o any rround dierential (; ), 6= 0, or r 3, satises P [Y (r) = jy (0) = ; K 1 = k 1 ; : : : ; K r = k r ] 2 where = max max jx 2 2 n; (X + ) + (X) = gj 6=0
8 Proo. We rst prove this result or any 3round dierential (( L ; R ); ( L ; R )) with ( L ; R ) 6= (0; 0). The probability o any 3round dierential (; ) can be decomposed as ollows: P = P X [Y (3) = ( L ; R )jy (0) = ( L ; R ); K 1 = k 1 ; K 2 = k 2 ; K 3 = k 3 ] = P [Z(2) = R + djr(2) = L ; Y (0) = ( L ; R ); K 1 = k 1 ; K 2 = k 2 ; K 3 = k 3 ] d ( R ; d + L ) (d; L + R ) I R 6= L, R(1) cannot be zero. I R 6= 0, we conclude that P [Y (3) = ( L ; R )jy (0) = ( L ; R ); K 1 = k 1 ; K 2 = k 2 ; K 3 = k 3 ] 2 2 X d6=0 P [Z(2) = R + djr(2) = L ; Y (0) = ( L ; R ); K 1 = k 1 ; K 2 = k 2 ; K 3 = k 3 ] I R = 0, the previous proposition gives P [Y (3) = ( L ; R )jy (0) = ( L ; 0); K 1 = k 1 ; K 2 = k 2 ; K 3 = k 3 ] = 2 ( L ; L ) ( L ; R + L ) since L = 0 would imply that L = 0 and hence that = 0. I R = L, the previous proposition gives P [Y (3) = ( R ; R )jy (0) = ( L ; R ); K 1 = k 1 ; K 2 = k 2 ; K 3 = k 3 ] = since R = 0 would imply that L = 0. 2 ( R ; L ) ( R ; R ) We now obtain the same upper bound or any rround dierential or r > 3 by induction on r. 2 This new theorem implies that a eistel cipher with any round keys is secure against dierential cryptanalysis as ar as the round permutation is such that is small. This only depends on the ollowing property o the round permutation dened by Nyberg and Knudsen [NK93]: Denition 2 A unction over n 2 n 2, 6= 0, and or all 2 n 2, is dierentially uniorm i, or all 2 jx 2 n 2 ; (X + ) + (X) = gj
9 Using [LMM91, Theorem 1] we obtain a lower bound on the complexity o a dierential attack o a eistel cipher, i.e. the number o encryptions it requires. Corollary 1 Let us consider a eistel cipher with block size 2n, with at least 5 rounds and with a dierentially uniorm round permutation. The complexity o a dierential attack against this cipher is at least 2(22n?1) 2?1. 4 Dierentially uniorm permutations The number o solutions o (X + ) + (X) = is obviously even. This implies that the smallest possible value such that a permutation is dierentially uniorm is = 2. Dierentially 2uniorm permutations are also called almost perect nonlinear (APN) permutations. They correspond to the round permutations which provide the best resistance against dierential cryptanalysis. 4.1 APN permutations over 2 n or even n rom now on we identiy the vectorspace n 2 with the nite eld 2n. Any permutation o 2 n can be expressed as a unique polynomial o 2 n[x] o degree at most 2 n? 1. We rst give a necessary condition or a polynomial to be APN when n is even. P 2 Proposition 4 Let n be an even integer. The mapping : x 7! n?1 i=0 a i X i is not APN over 2 n i 2 n?1 3X j=1 a 3j = 0 Proo. We rst notice that 0 and 1 are two solutions o Equation (X + 1) + (X) = X 2 n?1 i=0 a i (2) Let now x = u where is a primitive element in 2 n and u = 2n?1. Since 3 x 4 = x, x is in P 4 and x 62 0; 1g. It then satises x 2 + x + 1 = 0. We then 2 n?1 3 obtain that i j=1 a 3j = 0, x = u is another solution o Equation 2. 2 This result notably implies that no power polynomial permutation, i.e. (x) = x t with gcd(t; 2 n? 1) = 1, is APN when n is even. 4.2 Dierentially uniorm power polynomials and cyclic codes with two zeroes We now only consider the mappings on 2 n which can be expressed as a power polynomial X t. In this case we only have to examine or t a representative o each cyclotomic coset modulo 2 n? 1. When is a power polynomial, the dierentially uniorm property can be characterized as ollows:
10 Proposition 5 The power polynomial mapping : x 7! x t is dierentially uniorm i and only i or all c 2 2 n, c 6= 0, the equation (X + 1) t + X t = c has at most solutions in 2 n. In [CCZ97] it is proved that the power polynomial unction x 7! x t is APN over 2 n i and only i the cyclic code C 1;t o length 2 n? 1 with dening set 1; tg has minimum distance 5. The link between dierentially uniorm power polynomials and cyclic codes is still tighter since the number o solutions o the equations (X + 1) t + X t = c is related to the number o codewords o weight 3 and 4 in C 1;t. Proposition 6 Let C 1;t denote the cyclic code o length 2 n? 1 with dening set 1; tg and let c be the number o roots in 2 n o polynomial P c (X) = (X + 1) t + X t + c. The number A 3 (resp. A 4 ) o codewords with Hamming weight 3 (resp. 4) in C 1;t is given by A 3 = (2n? 1) 6 A 4 = (2n? 1) 24 ( 1? 2) X c2 2 n 2 c? 2 n+1? 4( 1? 2) Proo. A binary vector x = (x 0 ; : : : ; x 2?2) belongs to C n 1;t i and only i its syndrome is zero. The word with support i 1 ; i 2 ; i 3 ; i 4 g then lies in C 1;t i and only i, or x j = i j, there exists (a; b) 2 2 n 2 n, a 6= 0 such that (x 1 + a) t + x t 1 = b = (x 3 + a) t + x t 3 i.e. x 1 a?1 ; x 1 a?1 + 1; x 3 a?1 ; x 3 a?1 + 1 are 4 distinct roots o P c with c = b. a t Since 0 is a root o P c i and only i c = 1, we obtain that the codewords o Hamming weight 3 o C 1;t exactly correspond to the 3tuples (x; y; x + y) with nonzero distinct coordinates such that x(x + y)?1 and x(x + y)?1 + 1 are nonzero roots o P 1. Similarly the codewords o weight 4 in C 1;t exactly correspond to the 4tuples (x; y; z; x + y + z) with nonzero distinct coordinates such that x(x + y)?1, x(x + y)?1 + 1, z(x + y)?1 and z(x + y)?1 + 1 are 4 distinct roots o P c. 2 Note that i n is odd and i the minimum distance o C 1;t is 3, the smallest possible value or such that x 7! x t is dierentially uniorm is 8 since 1 2 mod 6. Some cyclic codes with 2 zeroes and with minimum distance 3 were examined in [CTZ97]. 4.3 Some APN power polynomials Table 1 lists all known exponents t (up to equivalence) such that x 7! x t is APN. But the only APN power polynomials X t amongst these 4 amilies which can be used as a round permutation o a eistel cipher are those corresponding to t 2 K i with i 6. It was actually proved that the mapping x 7! x t with t 2 I is not secure against linear cryptanalysis [LW90, CV95]. The power polynomials corresponding to t 2 Q i or t 2 W can neither be used since a dierential 1 A
11 exponent smallest value o such that notation or the corresponding re. is dierentially uniorm cyclotomic coset 2 i gcd(n;i) Q i [Nyb93] 2 n? 2 i? 1 2 i n is odd I [Nyb93, BD93] 4 i n is even 2 2i? 2 i i n is odd and gcd(n; i) = 1 K i [Kas71] 2 n? i n is odd W [Dob] Table 1: Minimum value o or some power polynomials on 2 n. attack using higher order dierentials is easible when the Hamming weight o t is small [JK97]. This attack exploits the act that any ciphertext bit can be expressed as a polynomial in all plaintext bits o degree at most d = w(t) r?3 where r denotes the number o rounds 4.4 A lower bound on the degree o APN power polynomials over 2 n Janwa, McGuire and Wilson [JW93, JMW95] proved that or most values o t, the code C 1;t o length 2 n? 1 does not have minimum distance 5 or innitely many values o n. Their proo relies on Weil's theorem which gives a lower bound on the number o rational points on an absolutely irreducible curve over 2 n. We here use a similar argument or proving that or a xed n the mapping x 7! x t is not APN as ar as t exceeds a certain value. Theorem 2 Suppose that the curve g t (X; Y ) = X t + Y t + (X + Y + 1) t (X + Y )(X + 1)(Y + 1) is absolutely irreducible over 2. The mapping x 7! x t is not APN over 2 n, n 5, i t 2 n 4 + 4:5 Janwa, McGuire and Wilson [JMW95] proved that g t (X; Y ) is absolutely irreducible or any t 3 mod 4, t > 3 and or some values such that t 1 mod 4. They actually conjectured that this curve is absolutely irreducible or all values o t except those lying in the cyclotomic cosets Q i and K i (see Table 1). This statement also holds or any t < 100. We thereore give in Table 2 some values o t or which x 7! x t is not APN. 5 Concluding remarks We here proved that a eistel cipher without expansion with any round keys resists dierential cryptanalysis i its round permutation is dierentially uniorm
12 n t min Table 2: Bound t min such that x 7! x t is not APN over 2 n or all t t min, t 62 Q i [ K i or a small. But the only (up to equivalence) known APN permutation which can be used in a eistel cipher is the power polynomial unction over 2 n de ned by x 7! x 22i?2 i +1 where n is odd and gcd(n; i) = 1. It nevertheless appears that any new result concerning either the number o roots o polynomials over a nite eld or the weight distribution o some cyclic codes would have some important consequences or the design o new provably secure eistel ciphers. It is however important to note that the resistance o eistel ciphers against a dierential attack is still an open problem when the dierence is not dened by the bitwise exclusiveor but by another group operation on the set o plaintexts. Reerences [BD93] [BS91] [CCZ97] [CTZ97] T. Beth and C. Ding. On almost perect nonlinear permutations. In Advances in Cryptology EUROCRYPT'93, number 765 in Lecture Notes in Computer Science, pages 65{76. SpringerVerlag, E. Biham and A. Shamir. Dierential cryptanalysis o DESlike cryptosystems. Journal o Cryptology, 4(1):3{72, C. Carlet, P. Charpin, and V. Zinoviev. Cyclic codes and permutations suitable or DESlike cryptosystems. In 1997 IEEE Inormation Theory Workshop, Norway, July To be presented. P. Charpin, A. Tietavainen, and V. Zinoviev. On binary cyclic codes with d = 3. Problems o Inormation Transmission, To appear. [CV95]. Chabaud and S. Vaudenay. Links between dierential and linear cryptanalysis. In Advances in Cryptology EUROCRYPT'94, number 950 in Lecture Notes in Computer Science, pages 356{365. SpringerVerlag, [Dob] [JK97] H. Dobbertin. Private Communication. T. Jakobsen and L.R. Knudsen. The interpolation attack on block ciphers. In ast Sotware Encryption 97, January [JMW95] H. Janwa, G. McGuire, and R.M. Wilson. Doubleerror correcting cyclic codes and absolutely irreducible polynomials over G(2). Journal o Algebra, (178):665{676, [JW93] H. Janwa and R.M. Wilson. Hyperplane sections o ermat varieties in P 3 in char. 2 and some applications to cyclic codes. In Applied
13 Algebra, Algebraic Algorithms and Errorcorrecting Codes Proceedings AAECC10, number 673 in Lecture Notes in Computer Science, pages 180{194. SpringerVerlag, [Kas71] [Knu94] T. Kasami. The weight enumerators or several classes o subcodes o the second order binary ReedMuller codes. Inormation and Control, (18):369{394, L.R. Knudsen. Practically secure eistel ciphers. In ast Sotware Encryption 93, number 809 in Lecture Notes in Computer Science, pages 211{221. SpringerVerlag, [LMM91] X. Lai, J.L. Massey, and S. Murphy. Markov ciphers and dierential cryptanalysis. In Advances in Cryptology EUROCRYPT'91, number 547 in Lecture Notes in Computer Science, pages 17{38. Springer Verlag, [LW90] G. Lachaud and J. Wolmann. The weights o the orthogonal o the extended quadratic binary Goppa codes. IEEE Transactions on Inormation Theory, 36(3):686{692, [NK93] K. Nyberg and L.R. Knudsen. Provable security against dierential cryptanalysis. In Advances in Cryptology CRYPTO'92, number 740 in Lecture Notes in Computer Science, pages 566{574. Springer Verlag, [Nyb93] K. Nyberg. Dierentially uniorm mappings or cryptography. In Advances in Cryptology EUROCRYPT'93, number 765 in Lecture Notes in Computer Science, pages 55{64. SpringerVerlag, 1993.
Differential properties of power functions
Differential properties of power functions Céline Blondeau, Anne Canteaut and Pascale Charpin SECRET Project-Team - INRIA Paris-Rocquencourt Domaine de Voluceau - B.P. 105-8153 Le Chesnay Cedex - France
More informationCéline Blondeau, Anne Canteaut and Pascale Charpin*
Int. J. Information and Coding Theory, Vol. 1, No. 2, 2010 149 Differential properties of power functions Céline Blondeau, Anne Canteaut and Pascale Charpin* INRIA Paris-Rocquencourt, Project-Team SECRET,
More informationDecomposing Bent Functions
2004 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 49, NO. 8, AUGUST 2003 Decomposing Bent Functions Anne Canteaut and Pascale Charpin Abstract In a recent paper [1], it is shown that the restrictions
More informationDIFFERENTIAL cryptanalysis is the first statistical attack
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL 57, NO 12, DECEMBER 2011 8127 Differential Properties of x x 2t 1 Céline Blondeau, Anne Canteaut, Pascale Charpin Abstract We provide an extensive study of
More informationTransform Domain Analysis of DES. Guang Gong and Solomon W. Golomb. University of Southern California. Tels and
Transform Domain Analysis of DES Guang Gong and Solomon W. Golomb Communication Sciences Institute University of Southern California Electrical Engineering-Systems, EEB # 500 Los Angeles, California 90089-2565
More informationDK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,
The Interpolation Attack on Block Ciphers? Thomas Jakobsen 1 and Lars R. Knudsen 2 1 Department of Mathematics, Building 303, Technical University of Denmark, DK-2800 Lyngby, Denmark, email:jakobsen@mat.dtu.dk.
More informationMitsuru Matsui , Ofuna, Kamakura, Kanagawa, 247, Japan. which are block ciphers with a 128-bit key, a 64-bit block and a variable
New Block Encryption Algorithm MISTY Mitsuru Matsui Inormation Technology R&D Center Mitsubishi Electric Corporation 5-1-1, Ouna, Kamakura, Kanagawa, 247, Japan matsui@iss.isl.melco.co.jp Abstract. We
More informationA class of quadratic APN binomials inequivalent to power functions
A class of quadratic APN binomials inequivalent to power functions Lilya Budaghyan, Claude Carlet, Gregor Leander November 30, 2006 Abstract We exhibit an infinite class of almost perfect nonlinear quadratic
More informationAn average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and
An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract
More informationOn Cryptographic Properties of the Cosets of R(1;m)
1494 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 47, NO. 4, MAY 2001 On Cryptographic Properties of the Cosets of R(1;m) Anne Canteaut, Claude Carlet, Pascale Charpin, and Caroline Fontaine Abstract
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More informationConstructions of Quadratic Bent Functions in Polynomial Forms
1 Constructions of Quadratic Bent Functions in Polynomial Forms Nam Yul Yu and Guang Gong Member IEEE Department of Electrical and Computer Engineering University of Waterloo CANADA Abstract In this correspondence
More informationVectorial Boolean Functions for Cryptography
Vectorial Boolean Functions for Cryptography Claude Carlet June 1, 008 To appear as a chapter of the volume Boolean Methods and Models, published by Cambridge University Press, Eds Yves Crama and Peter
More informationQuadratic Equations from APN Power Functions
IEICE TRANS. FUNDAMENTALS, VOL.E89 A, NO.1 JANUARY 2006 1 PAPER Special Section on Cryptography and Information Security Quadratic Equations from APN Power Functions Jung Hee CHEON, Member and Dong Hoon
More informationTwo Notions of Differential Equivalence on Sboxes
Two Notions of Differential Equivalence on Sboxes Christina Boura, Anne Canteaut, Jérémy Jean, Valentin Suder To cite this version: Christina Boura, Anne Canteaut, Jérémy Jean, Valentin Suder. Two Notions
More informationDivision Property: a New Attack Against Block Ciphers
Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption
More informationConstructing new APN functions from known ones
Constructing new APN functions from known ones Lilya Budaghyan a, Claude Carlet b, and Gregor Leander c a Department of Mathematics University of Trento ITALY b Department of Mathematics University of
More informationQuadratic Almost Perfect Nonlinear Functions With Many Terms
Quadratic Almost Perfect Nonlinear Functions With Many Terms Carl Bracken 1 Eimear Byrne 2 Nadya Markin 3 Gary McGuire 2 School of Mathematical Sciences University College Dublin Ireland Abstract We introduce
More informationOpen problems related to algebraic attacks on stream ciphers
Open problems related to algebraic attacks on stream ciphers Anne Canteaut INRIA - projet CODES B.P. 105 78153 Le Chesnay cedex - France e-mail: Anne.Canteaut@inria.fr Abstract The recently developed algebraic
More informationTowards Provable Security of Substitution-Permutation Encryption Networks
Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,
More informationImproved Fast Correlation Attacks Using Parity-Check Equations of Weight 4 and 5
Improved Fast Correlation Attacks Using Parity-Check Equations of Weight 4 and 5 Anne Canteaut 1 and Michaël Trabbia 1,2 1 INRIA projet CODES B.P. 105 78153 Le Chesnay Cedex - France Anne.Canteaut@inria.fr
More informationWell known bent functions satisfy both SAC and PC(l) for all l n, b not necessarily SAC(k) nor PC(l) of order k for k 1. On the other hand, balancedne
Design of SAC/PC(l) of order k Boolean functions and three other cryptographic criteria Kaoru Kurosawa 1 and Takashi Satoh?2 1 Dept. of Comper Science, Graduate School of Information Science and Engineering,
More informationThe simplest method for constructing APN polynomials EA-inequivalent to power functions
The siplest ethod for constructing APN polynoials EA-inequivalent to power functions Lilya Budaghyan Abstract The first APN polynoials EA-inequivalent to power functions have been constructed in [7, 8]
More informationComputing the biases of parity-check relations
Computing the biases of parity-check relations Anne Canteaut INRIA project-team SECRET B.P. 05 7853 Le Chesnay Cedex, France Email: Anne.Canteaut@inria.fr María Naya-Plasencia INRIA project-team SECRET
More informationConstructing differential 4-uniform permutations from know ones
Noname manuscript No. (will be inserted by the editor) Constructing differential 4-uniform permutations from know ones Yuyin Yu Mingsheng Wang Yongqiang Li Received: date / Accepted: date Abstract It is
More informationSome Results on the Known Classes of Quadratic APN Functions
Some Results on the Known Classes of Quadratic APN Functions Lilya Budaghyan, Tor Helleseth, Nian Li, and Bo Sun Department of Informatics, University of Bergen Postboks 7803, N-5020, Bergen, Norway {Lilya.Budaghyan,Tor.Helleseth,Nian.Li,Bo.Sun}@uib.no
More informationAPN Power Functions Over GF(2 n ) for Infinitely Many n
APN Power Functions Over GF( n ) for Infinitely Many n David Jedlicka University of Texas at Austin Department of Mathematics Austin, TX 7871 USA jedlicka@math.utexas.edu July 11, 005 Abstract I present
More informationHyperbent functions, Kloosterman sums and Dickson polynomials
Hyperbent functions, Kloosterman sums and Dickson polynomials Pascale Charpin INRIA, Codes Domaine de Voluceau-Rocquencourt BP 105-78153, Le Chesnay France Email: pascale.charpin@inria.fr Guang Gong Department
More informationProvable Security Against Differential and Linear Cryptanalysis
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University Introduction CRADIC Linear Hull SPN and Two Strategies Highly
More informationCorrelation Attack to the Block Cipher RC5. and the Simplied Variants of RC6. 3 Fujitsu Laboratories LTD.
Correlation Attack to the Block Cipher RC5 and the Simplied Variants of RC6 Takeshi Shimoyama 3, Kiyofumi Takeuchi y, Juri Hayakawa y 3 Fujitsu Laboratories LTD. 4-1-1 Kamikodanaka, Nakahara-ku, Kawasaki
More informationAnalysis of SHA-1 in Encryption Mode
Analysis of SHA- in Encryption Mode [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 00, vol. 00 of Lecture Notes in Computer Science, pp. 70 83, Springer-Verlag, 00.] Helena Handschuh, Lars
More informationProvable Security Against a Dierential Attack? Aarhus University, DK-8000 Aarhus C.
Provable Security Against a Dierential Attack Kaisa Nyberg and Lars Ramkilde Knudsen Aarus University, DK-8000 Aarus C. Abstract. Te purpose of tis paper is to sow tat tere exist DESlike iterated cipers,
More informationType 1.x Generalized Feistel Structures
Noname manuscript No. (will be inserted by the editor) Type 1.x Generalized eistel Structures Shingo Yanagihara Tetsu Iwata Received: date / Accepted: date Abstract We formalize the Type 1.x Generalized
More informationCharacterizations of the differential uniformity of vectorial functions by the Walsh transform
Characterizations of the differential uniformity of vectorial functions by the Walsh transform Claude Carlet LAGA, Department of Mathematics, University of Paris 8 (and Paris 13 and CNRS), Saint Denis
More informationOn High-Rate Cryptographic Compression Functions
On High-Rate Cryptographic Compression Functions Richard Ostertág and Martin Stanek Department o Computer Science Faculty o Mathematics, Physics and Inormatics Comenius University Mlynská dolina, 842 48
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationOn Binary Cyclic Codes with Codewords of Weight Three and Binary Sequences with the Trinomial Property
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 47, NO. 1, JANUARY 2001 421 [4] A. A. Davydov, Constructions and families of covering codes and saturated sets of points in projective geometry, IEEE Trans.
More informationMaximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers
Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers Muxiang Zhang 1 and Agnes Chan 2 1 GTE Laboratories Inc., 40 Sylvan Road LA0MS59, Waltham, MA 02451 mzhang@gte.com 2 College of Computer
More informationAffine equivalence in the AES round function
Discrete Applied Mathematics 148 (2005) 161 170 www.elsevier.com/locate/dam Affine equivalence in the AES round function A.M. Youssef a, S.E. Tavares b a Concordia Institute for Information Systems Engineering,
More informationFourier Spectra of Binomial APN Functions
Fourier Spectra of Binomial APN Functions arxiv:0803.3781v1 [cs.dm] 26 Mar 2008 Carl Bracken Eimear Byrne Nadya Markin Gary McGuire March 26, 2008 Abstract In this paper we compute the Fourier spectra
More informationDifferentially uniform mappings for cryptography
Differentially uniform mappings for cryptography KAISA NYBERG* Institute of Computer Technology, Vienna Technical University Abstract. This work is motivated by the observation that in DES-like ciphexs
More informationA Unified Method for Finding Impossible Differentials of Block Cipher Structures
A Unified Method for inding Impossible Differentials of Block Cipher Structures Yiyuan Luo 1,2, Zhongming Wu 1, Xuejia Lai 1 and Guang Gong 2 1 Department of Computer Science and Engineering, Shanghai
More informationVirtual isomorphisms of ciphers: is AES secure against differential / linear attack?
Alexander Rostovtsev alexander. rostovtsev@ibks.ftk.spbstu.ru St. Petersburg State Polytechnic University Virtual isomorphisms of ciphers: is AES secure against differential / linear attack? In [eprint.iacr.org/2009/117]
More informationCCZ-equivalence and Boolean functions
CCZ-equivalence and Boolean functions Lilya Budaghyan and Claude Carlet Abstract We study further CCZ-equivalence of (n, m)-functions. We prove that for Boolean functions (that is, for m = 1), CCZ-equivalence
More informationjorge 2 LSI-TEC, PKI Certification department
Linear Analysis of reduced-round CAST-28 and CAST-256 Jorge Nakahara Jr, Mads Rasmussen 2 UNISANTOS, Brazil jorge nakahara@yahoo.com.br 2 LSI-TEC, PKI Certification department mads@lsitec.org.br Abstract.
More informationIf a Generalised Butterfly is APN then it Operates on 6 Bits
If a Generalised Butterfly is APN then it Operates on 6 Bits Anne Canteaut 1, Léo Perrin 1, Shizhu Tian 1,2,3 1 Inria, Paris, France. 2 State Key Laboratory of Information Security, Institute of Information
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationImproved characteristics for differential cryptanalysis of hash functions based on block ciphers
1 Improved characteristics for differential cryptanalysis of hash functions based on block ciphers Vincent Rijmen Bart Preneel Katholieke Universiteit Leuven ESAT-COSIC K. Mercierlaan 94, B-3001 Heverlee,
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1, and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105 78153 Le Chesnay
More informationStatistical and Linear Independence of Binary Random Variables
Statistical and Linear Independence of Binary Random Variables Kaisa Nyberg Department of Computer Science, Aalto University School of Science, Finland kaisa.nyberg@aalto.fi October 10, 2017 Abstract.
More informationLECTURE NOTES IN CRYPTOGRAPHY
1 LECTURE NOTES IN CRYPTOGRAPHY Thomas Johansson 2005/2006 c Thomas Johansson 2006 2 Chapter 1 Abstract algebra and Number theory Before we start the treatment of cryptography we need to review some basic
More informationOptimized Interpolation Attacks on LowMC
Optimized Interpolation Attacks on LowMC Itai Dinur 1, Yunwen Liu 2, Willi Meier 3, and Qingju Wang 2,4 1 Département d Informatique, École Normale Supérieure, Paris, France 2 Dept. Electrical Engineering
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1 and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105-78153 Le Chesnay Cedex
More informationSOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies
SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by
More informationCryptanalysis of Akelarre Niels Ferguson Bruce Schneier DigiCash bv Counterpane Systems Kruislaan E Minnehaha Parkway 1098 VA Amsterdam, Nethe
Cryptanalysis of Akelarre Niels Ferguson Bruce Schneier DigiCash bv Counterpane Systems Kruislaan 9 0 E Minnehaha Parkway 098 VA Amsterdam, Netherlands Minneapolis, MN 559, USA niels@digicash.com schneier@counterpane.com
More informationAnalysis of Some Quasigroup Transformations as Boolean Functions
M a t h e m a t i c a B a l k a n i c a New Series Vol. 26, 202, Fasc. 3 4 Analysis of Some Quasigroup Transformations as Boolean Functions Aleksandra Mileva Presented at MASSEE International Conference
More informationImproved Zero-sum Distinguisher for Full Round Keccak-f Permutation
Improved Zero-sum Distinguisher for Full Round Keccak-f Permutation Ming Duan 12 and Xuejia Lai 1 1 Department of Computer Science and Engineering, Shanghai Jiao Tong University, China. 2 Basic Courses
More informationOpen problems on cyclic codes
Open problems on cyclic codes Pascale Charpin Contents 1 Introduction 3 2 Different kinds of cyclic codes. 4 2.1 Notation.............................. 5 2.2 Definitions............................. 6
More informationTwo Notions of Differential Equivalence on Sboxes
Two Notions of Differential Equivalence on Sboxes Christina Boura 1,2, Anne Canteaut 2, Jérémy Jean 3, and Valentin Suder 1 1 University of Versailles, France Christina.Boura@uvsq.fr, Valentin.Suder@uvsq.fr
More informationDES S-box Generator. 2 EPFL, Switzerland
DES S-box Generator Lauren De Meyer 1 and Serge Vaudenay 2 lauren.demeyer@student.kuleuven.be serge.vaudenay@epfl.ch 1 KU Leuven, Belgium 2 EPFL, Switzerland Abstract. The Data Encryption Standard (DES)
More informationNew Results on Boomerang and Rectangle Attacks
New Results on Boomerang and Rectangle Attacks Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haia 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationRevisit and Cryptanalysis of a CAST Cipher
2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia
More informationDickson Polynomials that are Involutions
Dickson Polynomials that are Involutions Pascale Charpin Sihem Mesnager Sumanta Sarkar May 6, 2015 Abstract Dickson polynomials which are permutations are interesting combinatorial objects and well studied.
More informationThird-order nonlinearities of some biquadratic monomial Boolean functions
Noname manuscript No. (will be inserted by the editor) Third-order nonlinearities of some biquadratic monomial Boolean functions Brajesh Kumar Singh Received: April 01 / Accepted: date Abstract In this
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos
More informationProvably Secure Double-Block-Length Hash Functions in a Black-Box Model
Provably Secure Double-Block-ength Hash Functions in a Black-Box Model Shoichi Hirose Graduate School o Inormatics, Kyoto niversity, Kyoto 606-8501 Japan hirose@i.kyoto-u.ac.jp Abstract. In CRYPTO 89,
More informationMiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity
MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity. Arnab Roy 1 (joint work with Martin Albrecht 2, Lorenzo Grassi 3, Christian Rechberger 1,3 and Tyge Tiessen
More informationStrengthening McEliece Cryptosystem
Strengthening McEliece Cryptosystem Pierre Loidreau Project CODES, INRIA Rocquencourt Research Unit - B.P. 105-78153 Le Chesnay Cedex France Pierre.Loidreau@inria.fr Abstract. McEliece cryptosystem is
More informationA Weak Cipher that Generates the Symmetric Group
A Weak Cipher that Generates the Symmetric Group Sean Murphy Kenneth Paterson Peter Wild Information Security Group, Royal Holloway and Bedford New College, University of London, Egham, Surrey TW20 0EX,
More informationAES side channel attacks protection using random isomorphisms
Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random
More informationCryptanalysis of the Full DES and the Full 3DES Using a New Linear Property
Cryptanalysis of the ull DES and the ull 3DES Using a New Linear Property Tomer Ashur 1 and Raluca Posteuca 1 imec-cosic, KU Leuven, Leuven, Belgium [tomer.ashur, raluca.posteuca]@esat.kuleuven.be Abstract.
More informationPolynomials on F 2. cryptanalysis. Y. Aubry 1 G. McGuire 2 F. Rodier 1. m with good resistance to. 1 IML Marseille 2 University College Dublin
Polynomials on F 2 m with good resistance to cryptanalysis Y Aubry 1 G McGuire 2 F Rodier 1 1 IML Marseille 2 University College Dublin Outline APN functions A lower bound for the degree of an APN polynomial
More informationHow Biased Are Linear Biases
How Biased Are Linear Biases Adnan Baysal and Orhun Kara TÜBİTAK BİLGEM UEKAE Gebze, 41470 Kocaeli Turkey. E-mails: {abaysal,orhun}@uekae.tubitak.gov.tr Abstract In this paper we re-visit the Matsui s
More informationrecover the secret key [14]. More recently, the resistance of smart-card implementations of the AES candidates against monitoring power consumption wa
Resistance against Dierential Power Analysis for Elliptic Curve Cryptosystems Jean-Sebastien Coron Ecole Normale Superieure Gemplus Card International 45 rue d'ulm 34 rue Guynemer Paris, F-75230, France
More informationIntroduction. Outline. CSC/ECE 574 Computer and Network Security. Secret Keys or Secret Algorithms? Secrets? (Cont d) Secret Key Cryptography
Outline CSC/ECE 574 Computer and Network Security Introductory Remarks Feistel Cipher DES AES Topic 3.1 Secret Key Cryptography Algorithms CSC/ECE 574 Dr. Peng Ning 1 CSC/ECE 574 Dr. Peng Ning 2 Secret
More informationIN this paper, we exploit the information given by the generalized
4496 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 52, NO. 10, OCTOBER 2006 A New Upper Bound on the Block Error Probability After Decoding Over the Erasure Channel Frédéric Didier Abstract Motivated by
More informationarxiv: v1 [cs.it] 31 May 2013
Noname manuscript No. (will be inserted by the editor) A Note on Cyclic Codes from APN Functions Chunming Tang Yanfeng Qi Maozhi Xu arxiv:1305.7294v1 [cs.it] 31 May 2013 Received: date / Accepted: date
More informationOn Pseudo Randomness from Block Ciphers
SCIS96 The 1996 Symposium on Cryptography and Information Security Komuro, Japan, January 29-31, 1996 The Institute of Electronics, Information and Communication Engineers SCIS96-11C On Pseudo Randomness
More informationG-Perfect Nonlinear Functions
University of Richmond UR Scholarship Repository Math and Computer Science Faculty Publications Math and Computer Science 1-2008 G-Perfect Nonlinear Functions James A. Davis University of Richmond, jdavis@richmond.edu
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationCryptanalysis of the Original McEliece Cryptosystem
Cryptanalysis of the Original McEliece Cryptosystem Anne Canteaut and Nicolas Sendrier INRIA - projet CODES BP 105 78153 Le Chesnay, France Abstract. The class of public-ey cryptosystems based on error-correcting
More informationTechnion - Computer Science Department - Technical Report CS0816.revised
How to Strengthen DES Using Existing Hardware Eli Biham? Alex Biryukov?? Abstract Dierential, linear and improved Davies' attacks are capable of breaking DES faster than exhaustive search, but are usually
More informationCellular Automata in Cryptography" Information Security Group,Royal Holloway, Abstract The cipher systems based on Cellular Automata proposed by Nandi
Comments on \Theory and Applications of Cellular Automata in Cryptography" S.R. Blackburn, S. Murphy y and K.G. Paterson z Information Security Group,Royal Holloway, University of London, Surrey TW20 0EX,
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura, Anne Canteaut, Christophe De Cannière To cite this version: Christina Boura, Anne Canteaut, Christophe De Cannière. Higher-order
More informationFinding good differential patterns for attacks on SHA-1
Finding good differential patterns for attacks on SHA-1 Krystian Matusiewicz and Josef Pieprzyk Centre for Advanced Computing - Algorithms and Cryptography, Department of Computing, Macquarie University,
More informationDetection and Exploitation of Small Correlations in Stream Ciphers
Detection and Exploitation of Small Correlations in Stream Ciphers Masterthesis conducted under the guidance of Prof. Dr. Joachim Rosenthal and Dr. Gérard Maze Institute of Mathematics, University of Zurich
More information7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks
More informationSecurity of Random Feistel Schemes with 5 or more Rounds
Security of Random Feistel Schemes with 5 or more Rounds Jacques Patarin Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract. We study cryptographic attacks on random
More informationLinear Cryptanalysis
Linear Cryptanalysis Linear cryptanalysis is a powerful method of cryptanalysis introduced by Matsui in 1993 [11]. It is a known plaintext attack in which the attacker studies the linear approximations
More informationFast Signature Generation with a. Fiat Shamir { Like Scheme. Fachbereich Mathematik / Informatik. Abstract
Fast Signature Generation with a Fiat Shamir { Like Scheme H. Ong Deutsche Bank AG Stuttgarter Str. 16{24 D { 6236 Eschborn C.P. Schnorr Fachbereich Mathematik / Informatik Universitat Frankfurt Postfach
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 13 (rev. 2) Professor M. J. Fischer October 22, 2008 53 Chinese Remainder Theorem Lecture Notes 13 We
More information17 Galois Fields Introduction Primitive Elements Roots of Polynomials... 8
Contents 17 Galois Fields 2 17.1 Introduction............................... 2 17.2 Irreducible Polynomials, Construction of GF(q m )... 3 17.3 Primitive Elements... 6 17.4 Roots of Polynomials..........................
More informationThe Impact of Carries on the Complexity of Collision Attacks on SHA-1
The Impact o Carries on the Complexity o Collision Attacks on SHA-1 Florian Mendel, Norbert Pramstaller, Christian Rechberger and Vincent Rijmen Norbert.Pramstaller@iaik.tugraz.at Institute or Applied
More informationHyper-bent Functions
Hyper-bent Functions Amr M. Youssef 1 and Guang Gong 2 1 Center for Applied Cryptographic Research Department of Combinatorics & Optimization University of Waterloo, Waterloo, Ontario N2L3G1, CANADA a2youssef@cacr.math.uwaterloo.ca
More informationProvable Security Against Differential and Linear Cryptanalysis
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Aalto University School of Science and Nokia, Finland kaisa.nyberg@aalto.fi Abstract. In this invited talk, a brief survey on
More informationLinear Cryptanalysis of Reduced-Round Speck
Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be
More informationImproved Analysis of Some Simplified Variants of RC6
Improved Analysis of Some Simplified Variants of RC6 Scott Contini 1, Ronald L. Rivest 2, M.J.B. Robshaw 1, and Yiqun Lisa Yin 1 1 RSA Laboratories, 2955 Campus Drive San Mateo, CA 94403, USA {scontini,matt,yiqun}@rsa.com
More informationRoyal Holloway University of London
Projective Aspects of the AES Inversion Wen-Ai Jackson and Sean Murphy Technical Report RHUL MA 2006 4 25 November 2005 Royal Holloway University of London Department of Mathematics Royal Holloway, University
More informationElementary 2-Group Character Codes. Abstract. In this correspondence we describe a class of codes over GF (q),
Elementary 2-Group Character Codes Cunsheng Ding 1, David Kohel 2, and San Ling Abstract In this correspondence we describe a class of codes over GF (q), where q is a power of an odd prime. These codes
More informationOn values of vectorial Boolean functions and related problems in APN functions
On values of vectorial Boolean functions and related problems in APN functions George Shushuev Sobolev Institute of Mathematics, Novosibirsk, Russia Novosibirsk State University, Novosibirsk, Russia E-mail:
More information