Analysis of cryptographic hash functions
1 Analysis of cryptographic hash functions. Christina Boura, SECRET Project-Team, INRIA Paris-Rocquencourt, and Gemalto, France. Ph.D. Defense, December 7. 1 / 43
2 Symmetric key cryptography. Alice and Bob share the same secret key. Plaintext → Encryption (Key) → Ciphertext → Decryption (Key) → Plaintext. Families of primitives: stream ciphers, block ciphers, hash functions.
3 Cryptographic hash functions. $H : \{0,1\}^* \to \{0,1\}^n$. Security properties: preimage resistance (complexity of the generic attack: $2^n$); second-preimage resistance (complexity of the generic attack: $2^n$); collision resistance (complexity of the generic attack: $2^{n/2}$). Applications: password protection, digital signatures, key derivation, random number generation, ...
4 The NIST SHA-3 competition. Devastating attacks against MD5, SHA-1, ... Lack of confidence in SHA-2 (the standard). NIST launched in 2008 a public competition for defining a new standard: 64 submissions (October 2008); 51 first-round candidates; 14 second-round candidates (July 2009); 5 finalists (December 2010). Winner of the competition: Keccak.
5 Design of symmetric primitives. Block ciphers and hash functions use similar building blocks: an iterated structure $F = R_r \circ \cdots \circ R_1$. Every round follows the principles announced by Claude Shannon: a nonlinear part providing confusion and a linear part providing diffusion.
6-7 Outline. 1. Zero-sum distinguishers: a bound on the degree of SPN-type iterated permutations; a bound implying the degree of the inverse permutation; the notion of (v,w)-linearity. 2. Side-channel analysis of some SHA-3 candidates.
8 Vectorial functions. Cryptographic primitives are seen as vectorial Boolean functions $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$. These functions should behave like random functions. Approach: study the properties of the inner Boolean functions to detect a non-random behaviour, then find a way to exploit the detected non-random behaviour.
9 Algebraic degree. $F : \mathbb{F}_2^4 \to \mathbb{F}_2^3$, $F(x_0,x_1,x_2,x_3) := (x_0x_1 + x_3,\ x_0x_2x_3 + x_1x_2,\ x_0 + x_1 + x_2)$, so $\deg(F) = 3$. A low algebraic degree is exploited in algebraic attacks, higher-order differential attacks, cube attacks, ... Higher-order differential attacks [Lai 94, Knudsen 94]: for every subspace $V$ with $\dim V > \deg F$, $D_V F(x) = \sum_{v \in V} F(x+v) = 0$ for every $x \in \mathbb{F}_2^n$.
10 Algebraic degree of iterated constructions. $P = P_r \circ \cdots \circ P_1$. Question: how to estimate the algebraic degree of an iterated construction? Trivial bound: $\deg(G \circ F) \le \deg G \cdot \deg F$.
11 The SHA-3 case. Keccak [Bertoni-Daemen-Peeters-Van Assche 08], winner of the SHA-3 competition. Sponge construction. Keccak-f permutation: 1600-bit state, seen as a 3-dimensional matrix; 24 rounds of $R = \iota \circ \chi \circ \pi \circ \rho \circ \theta$. Nonlinear layer: 320 parallel applications of a $5 \times 5$ S-box $\chi$, with $\deg \chi = 2$ and $\deg \chi^{-1} = 3$.
12 The algebraic degree of the Keccak-f permutation. Algebraic degree of the round permutation: $\deg(R) = 2$. After $r$ rounds (trivial bound): $\deg(R^r) \le 2 \deg(R^{r-1})$. For $r = 24$ this bound exceeds 1600, so it gives no relevant information.
13 Zero-sum distinguishers: zero-sums. For block ciphers (known-key model) [Knudsen-Rijmen 07]; for hash functions [Aumasson-Meier 09]. Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$. A zero-sum of size $k$ for $F$ is a subset $\{x_1, \ldots, x_k\}$ such that $\sum_{i=1}^k x_i = \sum_{i=1}^k F(x_i) = 0$.
14 Zero-sum distinguishers: minimal size of a zero-sum [SAC 10]. Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$ and let $C_F$ be the linear code of length $2^n$ and dimension $2n$ generated by $G_F = \begin{pmatrix} x_0 & x_1 & x_2 & x_3 & \cdots & x_{2^n-1} \\ F(x_0) & F(x_1) & F(x_2) & F(x_3) & \cdots & F(x_{2^n-1}) \end{pmatrix}$. Proposition. $\{x_{i_1}, \ldots, x_{i_k}\} \subset \mathbb{F}_2^n$ is a zero-sum for $F$ if and only if the codeword with support $\{i_1, \ldots, i_k\}$ belongs to the dual code $C_F^\perp$. Most notably, there exists at least one zero-sum of size 5 for $F$, and $F$ has no zero-sum of size less than or equal to 4 if and only if $F$ is an APN function.
15 Zero-sum distinguishers: zero-sum partitions. Let $P$ be a permutation of $\mathbb{F}_2^n$. A zero-sum partition for $P$ of size $K = 2^k$ is a collection of $2^{n-k}$ disjoint zero-sums. Complexity of the best-known generic algorithm for finding zero-sum partitions: $2^n - 2^k + (2n)^3 (2^{n-k} - 1)$. Finding zero-sum partitions for an iterated permutation: exploit the non-linear part, or exploit the linear part.
16 Zero-sum distinguishers: exploiting the non-linear part [Aumasson-Meier 09]. Take advantage of a low algebraic degree after several rounds. $P = R_r \circ \cdots \circ R_1$. Let $F_{r-t} = R_r \circ \cdots \circ R_{t+1}$ and $G_t = R_1^{-1} \circ \cdots \circ R_t^{-1}$, so that $P = F_{r-t} \circ G_t^{-1}$. Let $V \subset \mathbb{F}_2^n$ with $\dim V > \max(\deg F_{r-t}, \deg G_t)$, and let $W$ be such that $V \oplus W = \mathbb{F}_2^n$. Then (diagram: $X_a \xrightarrow{G_t^{-1}} V + a \xrightarrow{F_{r-t}} P(X_a)$) the sets $X_a = \{G_t(a+z),\ z \in V\}$, $a \in W$, form a zero-sum partition of $\mathbb{F}_2^n$ of size $2^{\dim V}$ for $P$.
17 Zero-sum distinguishers: using the principle of higher-order differentials. $\sum_{x \in X_a} x = \sum_{z \in V} G_t(z+a) = D_V G_t(a) = 0$ and $\sum_{x \in X_a} P(x) = \sum_{z \in V} F_{r-t}(z+a) = D_V F_{r-t}(a) = 0$.
18 Zero-sum distinguishers: exploiting the structure of the diffusion part. Round function $R = L \circ S$, where $S$ is composed of several small S-boxes $S_0$ defined over $\mathbb{F}_2^{n_0}$. Let $B_i = \{x \in \mathbb{F}_2^n : \mathrm{supp}(x) \subseteq \text{word } i\}$. Choose $V$ such that $B = \bigoplus_{i \in I} B_i \subseteq V$ and $B' = \bigoplus_{j \in J} B_j \subseteq L(V)$, with $\dim B > \deg G_t$ and $\dim B' > \deg F_{r-t}$ (diagram: the middle state $b + V$ is mapped backwards through $S^{-1}$, $L^{-1}$ and $G_t$, and forwards through $L$, $S$ and $F_{r-t}$, with the cosets $b + B$ and $b' + B'$ marked).
19 Zero-sum distinguishers: application to Keccak-f. We have shown, using a result of [Canteaut and Videau 02], a bound on $\deg(R^7)$ (value not legible in the transcription), which yields many zero-sum partitions for Keccak-f (number of rounds and size not legible). By exploiting the linear structure: 19 rounds, a zero-sum partition for Keccak-f; 20 rounds, a zero-sum partition for Keccak-f (sizes not legible in the transcription).
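The higher-order differential property and the zero-sum partition construction of the slides above, as an added worked example (not code from the thesis): part 1 evaluates the 4-bit function $F$ from the "Algebraic degree" slide and checks that $D_V F$ vanishes exactly when $\dim V$ exceeds $\deg F = 3$; part 2 applies the construction $X_a = \{G_t(a+z), z \in V\}$ to a toy two-round permutation $P = \chi \circ \chi$ on one 5-bit Keccak row, which is my own construction (no linear layer), using $\deg \chi = 2$ and $\deg \chi^{-1} = 3$ from the Keccak slide. Bit $i$ of an integer holds $x_i$ throughout.

```python
from itertools import combinations

# ---- Part 1: the 4-bit example F from the slides (deg F = 3) ----
def F4(x):
    """F(x0,x1,x2,x3) = (x0x1 + x3, x0x2x3 + x1x2, x0 + x1 + x2) over F_2.
    x is a 4-bit int with bit i = x_i; the result is a 3-bit int (bit j = y_j)."""
    x0, x1, x2, x3 = ((x >> i) & 1 for i in range(4))
    y0 = (x0 & x1) ^ x3
    y1 = (x0 & x2 & x3) ^ (x1 & x2)
    y2 = x0 ^ x1 ^ x2
    return y0 | (y1 << 1) | (y2 << 2)

def span(basis):
    """Elements of the subspace of F_2^n spanned by the given vectors (ints)."""
    elems = {0}
    for b in basis:
        elems |= {e ^ b for e in elems}
    return sorted(elems)

def higher_order_derivative(f, V, x):
    """D_V f(x) = sum over v in V of f(x + v), the sum being XOR."""
    acc = 0
    for v in V:
        acc ^= f(x ^ v)
    return acc

def derivative_vanishes(f, V, n):
    """True iff D_V f(x) = 0 for every x in F_2^n (guaranteed when dim V > deg f)."""
    return all(higher_order_derivative(f, V, x) == 0 for x in range(1 << n))

# ---- Part 2: zero-sum partition for a toy 2-round permutation built from chi ----
N = 5
def chi(x):
    """Keccak chi on one 5-bit row: y_i = x_i + (x_{i+1} + 1) x_{i+2}; deg chi = 2."""
    b = [(x >> i) & 1 for i in range(N)]
    return sum((b[i] ^ ((b[(i + 1) % N] ^ 1) & b[(i + 2) % N])) << i for i in range(N))

CHI_INV = {chi(x): x for x in range(1 << N)}     # chi is a permutation; deg chi^{-1} = 3
def chi_inv(y):
    return CHI_INV[y]

def P(x):
    """Toy iterated permutation (constructed here): P = R_2 o R_1 with R_1 = R_2 = chi."""
    return chi(chi(x))

def zero_sum_partition(G_t, V, W):
    """X_a = {G_t(a + z) : z in V} for a in W, the construction of the slide
    'Exploiting the non-linear part', here with t = 1: G_1 = chi^{-1} (degree 3)
    and F_{r-t} = chi (degree 2), so dim V must exceed 3."""
    return [[G_t(a ^ z) for z in V] for a in W]

def is_zero_sum(perm, X):
    """Both the inputs and the outputs of the set X sum (XOR) to zero."""
    sx = sp = 0
    for x in X:
        sx ^= x
        sp ^= perm(x)
    return sx == 0 and sp == 0

def is_zero_sum_partition(perm, parts, n):
    """Every part is a zero-sum for perm and the parts partition F_2^n."""
    flat = sorted(x for X in parts for x in X)
    return all(is_zero_sum(perm, X) for X in parts) and flat == list(range(1 << n))

def some_3dim_coordinate_subspace_fails():
    """With dim V = 3 = deg chi^{-1} the guarantee is lost: for some coordinate
    subspace V' the set X_0 = chi^{-1}(V') is no longer a zero-sum for P."""
    for idx in combinations(range(N), 3):
        Vp = span([1 << i for i in idx])
        if not is_zero_sum(P, [chi_inv(z) for z in Vp]):
            return True
    return False

if __name__ == "__main__":
    print("D_V F4 == 0 for V = F_2^4:", derivative_vanishes(F4, span([1, 2, 4, 8]), 4))
    V, W = span([1, 2, 4, 8]), [0, 16]           # V = {x : x_4 = 0}, W a complement of V
    parts = zero_sum_partition(chi_inv, V, W)
    print("zero-sum partition of size 16 for P:", is_zero_sum_partition(P, parts, N))
    print("a 3-dimensional V already fails:", some_3dim_coordinate_subspace_fails())
```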
20 A bound on the degree of SPN-type iterated permutations: substitution permutation networks. Alternating layers: a row of S-boxes, a linear layer, a row of S-boxes, a linear layer, ... How to estimate the evolution of the degree of such constructions?
21 (slides 23-26) An S-box with inputs $x_0, x_1, x_2, x_3$ and outputs $y_0, y_1, y_2, y_3$, $\deg S = 3$. Question: if $S$ is a permutation, find $\delta_k$, the maximum degree of the product of $k$ coordinates of $S$. Table of $k$ against $\delta_k$: $\delta_1 = 3$ (the remaining entries are not legible in the transcription). For a permutation $F$ of $\mathbb{F}_2^n$: $\delta_k = n$ iff $k = n$.
22 The new bound [FSE 11]. Theorem. Let $F$ be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$ corresponding to the parallel application of an S-box $S$ defined over $\mathbb{F}_2^{n_0}$. Then, for any $G$ from $\mathbb{F}_2^n$ into $\mathbb{F}_2^l$, $\deg(G \circ F) \le n - \frac{n - \deg G}{\gamma}$, where $\gamma = \max_{1 \le i \le n_0 - 1} \frac{n_0 - i}{n_0 - \delta_i}$.
23 (slides 28-32) Four S-boxes $S_1, S_2, S_3, S_4$. Find the maximal degree of the product $\pi$ of $d$ outputs. Let $x_i$ be the number of S-boxes for which exactly $i$ coordinates are involved in $\pi$. Example ($d = 13$): $x_4 = 1, x_3 = 3$ gives $\deg(\pi) \le \delta_3 x_3 + \delta_4 x_4$; $x_4 = 2, x_3 = 1, x_2 = 1$ gives $\deg(\pi) \le \delta_2 x_2 + \delta_3 x_3 + \delta_4 x_4$; $x_4 = 3, x_1 = 1$ gives $\deg(\pi) \le \delta_1 x_1 + \delta_4 x_4$ (the numerical values are not legible in the transcription). In general, $\deg(\pi) \le \max_{(x_1,x_2,x_3,x_4)} (\delta_1 x_1 + \delta_2 x_2 + \delta_3 x_3 + \delta_4 x_4)$ subject to $x_1 + 2x_2 + 3x_3 + 4x_4 = d$.
24 (slides 33-34) Table with columns $d$, $x_4$, $x_3$, $x_2$, $x_1$, $\deg(\pi)$ and the bound $\deg(\pi) \le 16 - \frac{16 - d}{3}$ (entries not legible in the transcription).
25 Application to Keccak-f: $\deg(F \circ R) \le 1600 - \frac{1600 - \deg(F)}{3}$ and $\deg(F \circ R^{-1}) \le 1600 - \frac{1600 - \deg(F)}{2}$. Zero-sum partitions for 24 rounds of Keccak-f (size not legible in the transcription). Table of $r$ against $\deg(R^r)$ and $\deg(R^{-r})$ (entries not legible).
26 A bound implying the degree of the inverse permutation: influence of the inverse [IEEE Trans. IT 12]. Observation of [Duan-Lai 11] for Keccak-f: when multiplying two coordinates of $\chi^{-1}$ the degree is at most 3, i.e. $\delta_2(\chi^{-1}) = 3$. Theorem. Let $F$ be a permutation on $\mathbb{F}_2^n$. Then, for any $k$ and $l$, $\delta_l(F) < n - k$ if and only if $\delta_k(F^{-1}) < n - l$. Case of Keccak: for $F = \chi^{-1}$, $k = 1$ and $l = 2$, $\delta_2(\chi^{-1}) < 5 - 1$ iff $\deg(\chi) < 5 - 2$.
27 (slides 37-38) A new bound on the degree. Corollary. Let $F$ be a permutation of $\mathbb{F}_2^n$ and let $G$ be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$. Then $\deg(G \circ F) < n - \frac{n - 1 - \deg G}{\deg(F^{-1})}$. This improves the bound for SPN constructions.
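The quantities $\delta_k$, $\gamma$ and the inverse theorem from the slides above, as an added worked example (not code from the thesis), computed for the Keccak S-box $\chi$ and its inverse: the algebraic degree is read off the ANF obtained by a Möbius transform, $\delta_k$ is the maximum over all products of $k$ coordinates, $\gamma$ follows the FSE 2011 formula, and the theorem $\delta_l(F) < n-k \iff \delta_k(F^{-1}) < n-l$ is checked for every $k, l$. The divisors 3 and 2 on the Keccak-f slide are exactly $\gamma(\chi)$ and $\gamma(\chi^{-1})$. Bit $i$ of an integer holds $x_i$.

```python
from fractions import Fraction
from itertools import combinations

N = 5
def chi(x):
    """Keccak chi on one 5-bit row: y_i = x_i + (x_{i+1} + 1) x_{i+2}."""
    b = [(x >> i) & 1 for i in range(N)]
    return sum((b[i] ^ ((b[(i + 1) % N] ^ 1) & b[(i + 2) % N])) << i for i in range(N))

CHI = [chi(x) for x in range(1 << N)]          # lookup table of chi
CHI_INV = [0] * (1 << N)                       # lookup table of chi^{-1}
for x, y in enumerate(CHI):
    CHI_INV[y] = x

def anf(truth_table):
    """Moebius transform: truth table indexed by x -> ANF coefficients indexed by the
    monomial mask u (coefficient 1 means the monomial prod_{i in u} x_i is present)."""
    a = list(truth_table)
    n = len(a).bit_length() - 1
    for i in range(n):
        for u in range(len(a)):
            if u & (1 << i):
                a[u] ^= a[u ^ (1 << i)]
    return a

def degree(truth_table):
    """Algebraic degree of a Boolean function given by its truth table (-1 for f = 0)."""
    return max((bin(u).count("1") for u, c in enumerate(anf(truth_table)) if c), default=-1)

def delta(sbox, n, k):
    """delta_k: maximum degree of the product of k coordinates of the S-box."""
    best = -1
    for coords in combinations(range(n), k):
        tt = [int(all((sbox[x] >> i) & 1 for i in coords)) for x in range(1 << n)]
        best = max(best, degree(tt))
    return best

def gamma(sbox, n0):
    """gamma = max over 1 <= i <= n0-1 of (n0 - i)/(n0 - delta_i) (FSE 2011 theorem).
    For a permutation delta_i < n0 when i < n0, so no denominator is zero."""
    return max(Fraction(n0 - i, n0 - delta(sbox, n0, i)) for i in range(1, n0))

def degree_bound(n, deg_g, gam):
    """deg(G o F) <= n - (n - deg G)/gamma, F being the parallel application of the S-box."""
    return n - Fraction(n - deg_g) / gam

def inverse_theorem_holds(sbox, inv, n):
    """delta_l(F) < n - k  iff  delta_k(F^{-1}) < n - l, checked for all 1 <= k, l < n."""
    d = {k: delta(sbox, n, k) for k in range(1, n)}
    di = {k: delta(inv, n, k) for k in range(1, n)}
    return all((d[l] < n - k) == (di[k] < n - l) for k in range(1, n) for l in range(1, n))

if __name__ == "__main__":
    print("delta_k(chi)    for k=1..4:", [delta(CHI, N, k) for k in range(1, N)])
    print("delta_k(chi^-1) for k=1..4:", [delta(CHI_INV, N, k) for k in range(1, N)])
    print("gamma(chi) =", gamma(CHI, N), " gamma(chi^-1) =", gamma(CHI_INV, N))
    # Keccak-f: n = 1600, so deg(F o R) <= 1600 - (1600 - deg F)/gamma(chi)
    print("bound on deg(F o R) for deg F = 1500:", degree_bound(1600, 1500, gamma(CHI, N)))
    print("inverse theorem holds for chi:", inverse_theorem_holds(CHI, CHI_INV, N))
```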
28 A bound implying the degree of the inverse permutation: other applications. Variant of KN (diagram: $x_{i-1}$, $y_{i-1}$ and the round key $k_i$ pass through $T$, $S$ and $E$ to give $x_i$, $y_i$). Improvement of the known bounds on the degree for block ciphers (Rijndael-256, AES, LBlock, Piccolo) and hash functions (Hamsi, Luffa, JH, ECHO, Grøstl, Photon).
29 (slides 40-43) The notion of (v,w)-linearity: a different algebraic property. ANF of the Hamsi S-box: $y_0 = x_0x_2 + x_1 + x_2 + x_3$; $y_1 = x_0x_1x_2 + x_0x_1x_3 + x_0x_2x_3 + x_1x_2 + x_0x_3 + x_2x_3 + x_0 + x_1 + x_2$; $y_2 = x_0x_1x_3 + x_0x_2x_3 + x_1x_2 + x_1x_3 + x_2x_3 + x_0 + x_1 + x_3$; $y_3 = x_0x_1x_2 + x_1x_3 + x_0 + x_1 + x_{?}$ (the index of the last term is not legible in the transcription). If we fix all but one variable to a constant value, then all the coordinates of the S-box are affine with respect to the remaining input variable. If we fix two variables to a constant value, then two coordinates of the S-box are affine with respect to the input variables. If we fix one variable to a constant value, then one coordinate of the S-box is affine with respect to the input variables.
30 The notion of (v,w)-linearity. Study of the propagation of affine relations through an S-box. Definition. Let $S$ be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$. Then $S$ is $(v,w)$-linear if there exist two linear subspaces $V \subset \mathbb{F}_2^n$ and $W \subset \mathbb{F}_2^m$ with $\dim V = v$ and $\dim W = w$ such that, for all $\lambda \in W$, the component $S_\lambda : x \mapsto \lambda \cdot S(x)$ has degree at most 1 on all cosets of $V$.
31 Link with the Maiorana-McFarland construction. Proposition. $S$ is $(v,w)$-linear w.r.t. $(V,W)$ if and only if its components $S_\lambda$, $\lambda \in W$, can be written as $S_W : U \times V \to \mathbb{F}_2^w$, $(u, v) \mapsto M(u)\,v + G(u)$, where $M(u)$ is a $w \times v$ binary matrix. Equivalently, all second-order derivatives $D_\alpha D_\beta S_W$ with $\alpha, \beta \in V$ vanish.
32 General properties. Proposition. If $S$ is $(v,w)$-linear w.r.t. $(V,W)$, then all its components $S_\lambda$, $\lambda \in W$, have degree at most $n + 1 - v$, and $\mathcal{L}(S) \ge 2^v$. Equivalence holds for $v = n - 1$ and $w = 1$.
33 Analysis of 4-bit optimal S-boxes [Leander-Poschmann 07]. Number of $V$ such that $S$ is $(v,w)$-linear w.r.t. $(V,W)$ for some $W$. Columns: $Q$ and $(v,w) \in \{(2,1), (2,2), (2,3), (2,4), (3,1), (3,2), (3,3), (3,4)\}$; one row per S-box $G_0, \ldots, G_{15}$ (table entries not legible in the transcription).
34 Second-preimage attack for Hamsi-256 [Fuhr 10]. Compression function of Hamsi [Küçük 08]: 3 SPN rounds based on a 4-bit S-box. Idea of the attack: find affine relations between some input bits and some output bits of the compression function when the other input bits are fixed to a well-chosen value; this gives preimages for the compression function, and then second-preimages for the hash function.
35 (slides 49-51) Finding affine relations. Choose the variables to go linearly through the first round. For the second and the third round, with the ANF of the S-box as above: $y_0$ is of degree at most 1 if $x_0x_2$ is of degree at most 1; $y_3$ is of degree at most 1 if $x_1x_3$ and $x_0x_1x_2$ are of degree at most 1. In other words, $y_0$ is $(3,1)$-linear for three hyperplanes, and $y_3$ is $(2,1)$-linear for three 2-dimensional subspaces $V$.
36 Automatic search for affine relations. Results: there are 23 subspaces $V$ with $\dim V = 2$ for which the S-box of Hamsi is $(2,2)$-linear, and 3 subspaces $V$ with $\dim V = 2$ for which it is $(2,3)$-linear. Exploit this to propagate more relations through the second and the third round: $N_{var} = 9$ gives 13 affine relations (two more than in [Fuhr 10]); $N_{var} = 10$ gives 11 affine relations (two more than in [Fuhr 10]). Replace the Hamsi S-box by some other well-chosen S-box: the attack does not work anymore!
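An automatic search for $(v,w)$-linearity of the kind the slides above describe, as an added worked example (not code from the thesis): it implements the second-order derivative characterisation of the Maiorana-McFarland slide and enumerates all subspace pairs $(V, W)$ of given dimensions. It is run on the Keccak S-box $\chi$ (whose full ANF is on the Keccak slide) rather than on the Hamsi S-box; the sufficiency of testing only basis vectors of $W$ and pairs of basis vectors of $V$ follows from the condition being linear in $\lambda$ and in $(\alpha,\beta)$. Bit $i$ of an integer holds $x_i$.

```python
from itertools import combinations

N = 5
def chi(x):
    """Keccak chi on one 5-bit row: y_i = x_i + (x_{i+1} + 1) x_{i+2}."""
    b = [(x >> i) & 1 for i in range(N)]
    return sum((b[i] ^ ((b[(i + 1) % N] ^ 1) & b[(i + 2) % N])) << i for i in range(N))

S = [chi(x) for x in range(1 << N)]            # lookup table of the S-box under study

def component(sbox, lam):
    """Truth table of S_lambda(x) = lambda . S(x) (inner product over F_2)."""
    return [bin(sbox[x] & lam).count("1") & 1 for x in range(len(sbox))]

def second_derivative_vanishes(tt, a, b):
    """D_a D_b f = 0 everywhere: f(x) + f(x+a) + f(x+b) + f(x+a+b) = 0 for all x."""
    return all((tt[x] ^ tt[x ^ a] ^ tt[x ^ b] ^ tt[x ^ a ^ b]) == 0 for x in range(len(tt)))

def subspaces(n, dim):
    """One basis (a tuple of ints) for every dim-dimensional subspace of F_2^n."""
    found = {}
    for basis in combinations(range(1, 1 << n), dim):
        sp = {0}
        for b in basis:
            sp |= {e ^ b for e in sp}
        if len(sp) == 1 << dim:                # keep linearly independent bases only
            found.setdefault(frozenset(sp), basis)
    return list(found.values())

def is_vw_linear_wrt(sbox, V_basis, W_basis):
    """S is (v,w)-linear w.r.t. (V,W): every S_lambda, lambda in W, has degree <= 1 on
    all cosets of V, i.e. D_alpha D_beta S_lambda = 0 for all alpha, beta in V.
    A basis of W and pairs of basis vectors of V suffice (linearity in lambda and
    in (alpha, beta); a restriction has degree <= 1 iff no monomial holds two variables)."""
    for lam in W_basis:
        tt = component(sbox, lam)
        for a, b in combinations(V_basis, 2):
            if not second_derivative_vanishes(tt, a, b):
                return False
    return True

def vw_linear_pairs(sbox, n, m, v, w):
    """All pairs (V, W) of dimensions (v, w) for which S is (v,w)-linear w.r.t. (V, W)."""
    Vs, Ws = subspaces(n, v), subspaces(m, w)
    return [(V, W) for V in Vs for W in Ws if is_vw_linear_wrt(sbox, V, W)]

if __name__ == "__main__":
    pairs = vw_linear_pairs(S, N, N, 4, 1)
    print("(4,1)-linear pairs (V,W) for chi:", len(pairs))
    # y_0 = x_0 + x_2 + x_1 x_2 is affine once x_1 is fixed: V = {x : x_1 = 0}, W = <e_0>
    print("hyperplane x_1 = 0 with lambda = e_0:", is_vw_linear_wrt(S, (1, 4, 8, 16), (1,)))
    # lambda = e_0 + e_2 gives x_1 x_2 + x_3 x_4, whose bilinear form has rank 4: no hyperplane
    print("hyperplanes for lambda = e_0 + e_2:", [V for V, W in pairs if W == (5,)])
```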
37 Side-channel analysis of some SHA-3 candidates: outline. 1. Zero-sum distinguishers (a bound on the degree of SPN-type iterated permutations; a bound implying the degree of the inverse permutation; the notion of (v,w)-linearity). 2. Side-channel analysis of some SHA-3 candidates.
38 Side-channel analysis of some SHA-3 candidates: statistical power analysis. Attacks against a physical implementation of the primitive. Side-channel attacks: observe physical leakages while the algorithm is running on some platform (time, power consumption, electromagnetic radiation, ...). Statistical power analysis: keep power traces for many computations; partition the traces using a (partial) key hypothesis; detect the correct key by using statistical methods. Hash functions used in MACs are concerned by these attacks.
39 Countermeasures for Grøstl [Gauravaram et al.]. Protect the initial XOR between $h$ and $m$. Protect the rest of the computation in the same way as for AES: generate a Boolean mask $R$ of 512 bits; mask the S-boxes, i.e. generate once $u, v \in \mathbb{F}_2^8$ and compute $S'(x+u) = S(x)+v$ for every $x \in \mathbb{F}_2^8$.
40 CPA on HMAC-Grøstl (figures: the non-protected algorithm, and after the application of the countermeasures).
41 Countermeasures for Skein [Ferguson et al.]. Protect the modular addition between the message and the key: use Goubin's algorithm for converting Boolean masks to arithmetic masks and vice versa, and minimize the number of arithmetic-to-Boolean transformations.
42 Comparison of the two candidates [TrustED 12]: 32-bit ARM-based smart card running at 8 MHz.
Algorithm | Timing at 8 MHz, reference code | Timing at 8 MHz, secured code | Extra RAM, static | Extra RAM, stack | Extra code
HMAC-Grøstl | 453 ms | 486 ms (+7.2%) | +325 bytes | (not legible) bytes | (not legible)
HMAC-Skein | 77.7 ms | 155 ms (+100%) | (not legible) bytes | (not legible) bytes | (not legible)
43 Related open questions. Are there any other algebraic biases that can be exploited? Does the role of the inverse permutation have any other consequences on the overall construction, apart from the influence on the degree? Study the notion of (v,w)-linearity for other primitives. Applications for block ciphers? Try to exploit some of the algebraic biases studied for certain lightweight block ciphers.
More informationCryptographically Robust Large Boolean Functions. Debdeep Mukhopadhyay CSE, IIT Kharagpur
Cryptographically Robust Large Boolean Functions Debdeep Mukhopadhyay CSE, IIT Kharagpur Outline of the Talk Importance of Boolean functions in Cryptography Important Cryptographic properties Proposed
More information7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks
More informationHASH FUNCTIONS. Mihir Bellare UCSD 1
HASH FUNCTIONS Mihir Bellare UCSD 1 Hashing Hash functions like MD5, SHA1, SHA256, SHA512, SHA3,... are amongst the most widely-used cryptographic primitives. Their primary purpose is collision-resistant
More informationParallel Cube Tester Analysis of the CubeHash One-Way Hash Function
Parallel Cube Tester Analysis of the CubeHash One-Way Hash Function Alan Kaminsky Department of Computer Science B. Thomas Golisano College of Computing and Information Sciences Rochester Institute of
More informationTowards Provable Security of Substitution-Permutation Encryption Networks
Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,
More informationThesis Research Notes
Thesis Research Notes Week 26-2012 Christopher Wood June 29, 2012 Abstract This week was devoted to reviewing some classical literature on the subject of Boolean functions and their application to cryptography.
More informationLinear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015
Kaisa Nyberg Department of Computer Science Aalto University School of Science s 2 r t S3, Sackville, August 11, 2015 Outline Linear characteristics and correlations Matsui s algorithms Traditional statistical
More informationComputing the biases of parity-check relations
Computing the biases of parity-check relations Anne Canteaut INRIA project-team SECRET B.P. 05 7853 Le Chesnay Cedex, France Email: Anne.Canteaut@inria.fr María Naya-Plasencia INRIA project-team SECRET
More informationBash-f: another LRX sponge function
Bash-f: another LRX sponge function S. Agievich, V. Marchuk, A. Maslau, V. Semenov Research Institute for Applied Problems of Mathematics and Informatics Belarusian State University Abstract. We present
More informationStream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden
Dept. of EIT, Lund University, P.O. Box 118, 221 00 Lund, Sweden thomas@eit.lth.se May 16, 2011 Outline: Introduction to stream ciphers Distinguishers Basic constructions of distinguishers Various types
More informationProving Resistance against Invariant Attacks: How to Choose the Round Constants
Proving Resistance against Invariant Attacks: How to Choose the Round Constants Christof Beierle 1, Anne Canteaut 2, Gregor Leander 1, and Yann Rotella 2 1 Horst Görtz Institute for IT Security, Ruhr-Universität
More informationOn Cryptographic Properties of the Cosets of R(1;m)
1494 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 47, NO. 4, MAY 2001 On Cryptographic Properties of the Cosets of R(1;m) Anne Canteaut, Claude Carlet, Pascale Charpin, and Caroline Fontaine Abstract
More informationCryptanalysis of Lightweight Cryptographic Algorithms
Cryptanalysis of Lightweight Cryptographic Algorithms By Mohammad Ali Orumiehchiha A thesis submitted to Macquarie University for the degree of Doctor of Philosophy Department of Computing July 2014 ii
More informationHASH FUNCTIONS 1 /62
HASH FUNCTIONS 1 /62 What is a hash function? By a hash function we usually mean a map h : D {0,1} n that is compressing, meaning D > 2 n. E.g. D = {0,1} 264 is the set of all strings of length at most
More informationAutomatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)
Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version) Shengbao Wu 1,2, Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190,
More informationBlock Ciphers and Feistel cipher
introduction Lecture (07) Block Ciphers and cipher Dr. Ahmed M. ElShafee Modern block ciphers are widely used to provide encryption of quantities of information, and/or a cryptographic checksum to ensure
More informationFunctions on Finite Fields, Boolean Functions, and S-Boxes
Functions on Finite Fields, Boolean Functions, and S-Boxes Claude Shannon Institute www.shannoninstitute.ie and School of Mathematical Sciences University College Dublin Ireland 1 July, 2013 Boolean Function
More informationVectorial Boolean Functions for Cryptography
Vectorial Boolean Functions for Cryptography Claude Carlet June 1, 008 To appear as a chapter of the volume Boolean Methods and Models, published by Cambridge University Press, Eds Yves Crama and Peter
More informationInvariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs
Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs Jian Guo 1, Jeremy Jean 2, Ivica Nikolić 1, Kexin Qiao 3, Yu Sasaki 4, and Siang Meng Sim 1 1. Nanyang Technological
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationCryptanalysis of 1-Round KECCAK
Cryptanalysis of 1-Round KECCAK Rajendra Kumar 1,Mahesh Sreekumar Rajasree 1 and Hoda AlKhzaimi 2 1 Center for Cybersecurity, Indian Institute of Technology Kanpur, India rjndr@iitk.ac.in, mahesr@iitk.ac.in
More informationFFT-Based Key Recovery for the Integral Attack
FFT-Based Key Recovery for the Integral Attack Yosuke Todo NTT Secure Platform Laboratories Abstract. The integral attack is one of the most powerful attack against block ciphers. In this paper, we propose
More informationHash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34
Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:
More informationRevisit and Cryptanalysis of a CAST Cipher
2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia
More informationComplementing Feistel Ciphers
Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,
More informationImproved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning
Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gaëtan Leurent Inria, France Abstract. In this work we study the security of Chaskey, a recent lightweight MAC designed by
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationOptimized Interpolation Attacks on LowMC
Optimized Interpolation Attacks on LowMC Itai Dinur 1, Yunwen Liu 2, Willi Meier 3, and Qingju Wang 2,4 1 Département d Informatique, École Normale Supérieure, Paris, France 2 Dept. Electrical Engineering
More informationBlock Cipher Cryptanalysis: An Overview
0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution
More informationA Polynomial Description of the Rijndael Advanced Encryption Standard
A Polynomial Description of the Rijndael Advanced Encryption Standard arxiv:cs/0205002v1 [cs.cr] 2 May 2002 Joachim Rosenthal Department of Mathematics University of Notre Dame Notre Dame, Indiana 46556,
More informationCryptanalysis of Luffa v2 Components
Cryptanalysis of Luffa v2 Components Dmitry Khovratovich 1, María Naya-Plasencia 2, Andrea Röck 3, and Martin Schläffer 4 1 University of Luxembourg, Luxembourg 2 FHNW, Windisch, Switzerland 3 Aalto University
More informationAnalysis of SHA-1 in Encryption Mode
Analysis of SHA- in Encryption Mode [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 00, vol. 00 of Lecture Notes in Computer Science, pp. 70 83, Springer-Verlag, 00.] Helena Handschuh, Lars
More informationLinear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers
Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers Kaisa Nyberg Aalto University School of Science kaisa.nyberg@aalto.fi Luxemburg January 2017 Outline Introduction
More informationLecture Notes. Advanced Discrete Structures COT S
Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-27 Recap ADFGX Cipher Block Cipher Modes of Operation Hill Cipher Inverting a Matrix (mod n) Encryption: Hill Cipher Example Multiple
More informationHashes and Message Digests Alex X. Liu & Haipeng Dai
Hashes and Message Digests Alex X. Liu & Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University Integrity vs. Secrecy Integrity: attacker cannot
More informationNonlinear Invariant Attack
Nonlinear Invariant Attack Practical Attack on Full SCREAM, iscream, and Midori64 Yosuke Todo 13, Gregor Leander 2, and Yu Sasaki 1 1 NTT Secure Platform Laboratories, Tokyo, Japan todo.yosuke@lab.ntt.co.jp,
More informationImproved Multiple Impossible Differential Cryptanalysis of Midori128
Improved Multiple Impossible Differential Cryptanalysis of Midori128 Mohamed Tolba, Ahmed Abdelkhalek, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University,
More informationLinear Analysis of Reduced-Round CubeHash
Linear Analysis of Reduced-Round CubeHash Tomer Ashur and Orr Dunkelman, Faculty of Mathematics and Computer Science Weizmann Institute of Science P.O. Box, Rehovot 00, Israel tomerashur@gmail.com Computer
More informationA NEW ALGORITHM TO CONSTRUCT S-BOXES WITH HIGH DIFFUSION
A NEW ALGORITHM TO CONSTRUCT S-BOXES WITH HIGH DIFFUSION Claudia Peerez Ruisanchez Universidad Autonoma del Estado de Morelos ABSTRACT In this paper is proposed a new algorithm to construct S-Boxes over
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More informationDifferential and Correlation Power Analysis Attacks on HMAC-Whirlpool
2011 Eighth International Conference on Information Technology: New Generations Differential and Correlation Power Analysis Attacks on HMAC-Whirlpool Fan Zhang and Zhijie Jerry Shi Department of Computer
More informationSide-channel analysis in code-based cryptography
1 Side-channel analysis in code-based cryptography Tania RICHMOND IMATH Laboratory University of Toulon SoSySec Seminar Rennes, April 5, 2017 Outline McEliece cryptosystem Timing Attack Power consumption
More information