Lecture 4: DES and block ciphers
Johan Håstad, transcribed by Ernir Erlingsson

DES

DES is a 64-bit block cipher with a 56-bit key. It takes a 64-bit block and modifies it depending on the key, i.e. $E_k : \{0,1\}^{64} \to \{0,1\}^{64}$.

General properties of DES

The cryptographer's favorite operation, xor, is present in most cryptosystems. It is easily invertible, but at the same time gives immense security, since if either input is unknown so is the output. In other words, if we have an equation of the form $c = a \oplus b$, then it is quite hard to discern $c$ if we only know $a$. If we know both inputs we of course know the output, but that is true for any function.

Breaking a cryptosystem based solely on xor is, however, pretty straightforward. Breaking it is equivalent to solving a linear system of equations mod 2, and this can be done quite efficiently; one common method that applies is Gaussian elimination. To prevent this, traditionally a non-linear table $\{0,1\}^a \to \{0,1\}^b$ is employed to obfuscate the data. In DES this is done by eight fixed substitution boxes, a.k.a. S-boxes.
[Figure 1: Single round of the DES algorithm (encryption). Labels: L, R (32 bits each), f, 48-bit subkey k, xor.]

The figure above shows a simplified illustration of a single iteration of the DES algorithm, which is used when encrypting data. The figure below shows its inverse, which is used when decrypting data. Both are performed 16 times in a single encryption/decryption.

[Figure 2: Single inverse round of the DES algorithm (decryption). Labels: L, R (32 bits each), f, 48-bit subkey k, xor.]

In cryptographic terms the figures above are commonly known as Feistel networks [1]. Next we need to specify the function f. Note that the ability to decrypt is independent of f, and hence the only interesting property is to provide security. The function f consists of the following steps.

1. Expand R to 48 bits.
2. Apply xor with 48 bits from the key, which are selected depending on the current iteration number.
3. Divide the 48-bit result into eight parts of 6 bits each and, through the use of the eight respective S-boxes, project each part into a part of only four bits, $\{0,1\}^6 \to \{0,1\}^4$.
4. Permute the resulting bits.

Consult the figure below for an illustration of the four steps.

[Figure 3: Subcomponents of f. R (32 bits) -> E -> R (48 bits), xor K (48 bits), eight 6-bit parts into S1 ... S8, eight 4-bit outputs, P -> R (32 bits).]

[1] See tables 3.2 and 3.4 and figure 3.8 in Cryptography and Network Security, Stallings.
The input R is expanded to 48 bits by duplicating 16 bits from it, while the 48 key bits are selected from among the 56 possible through the use of two 28-bit registers.

As previously mentioned and seen above, DES has eight different S-boxes. Certain conspiracy theories exist which state that these are deliberately flawed by the National Security Agency in the US, to allow the agency to exploit these flaws to facilitate cracking data encrypted with DES. To this day, however, no proof has been found to back these theories, even after excruciating cryptanalysis by hundreds of well-respected scientists. Still, conspiracy theories are alive and well, but most of them point to the suspicious DES key length of 56 bits.

A perceptive student might have noticed that DES permutes the bits on two different occasions, E and P (in the figure above), and this might at first seem redundant. But E is in fact not much of a permutation; it permutes the data very little. To see the need for some permutation, consider the situation where we have no expansion E, the S-boxes map 4 bits to 4 bits, and we have no permutation P. In this situation the four least significant bits of all quantities would live their own life and not be influenced by the other bits. The effective block size would be 8 bits, as 4 bits of each of L and R would mix, and we would not have a good block cipher.

The role of P is thus to spread changes within the block, and there is one design criterion of the S-boxes with a similar aim. It was required that two blocks which differ only in a single bit should produce very different outputs. In particular, it was required that for any two inputs $x$ and $x'$ which differ only in a single bit, $S(x)$ and $S(x')$ should differ in at least 2 bits. It is interesting to note that this is a severe restriction, and in fact few functions satisfy this property.
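The Feistel structure of Figures 1 and 2 and the S-box criterion just stated, as an added worked example that is not part of the lecture notes: a generic Feistel network whose round function f is built in the shape of Figure 3 from DES S-box S1, plus a check that S1 meets the single-bit criterion. The 8-bit half-blocks, the expansion and the permutation are constructed stand-ins for this example, not the DES tables, and the 12-bit round subkeys are constructed values.

```python
from typing import Callable, List

# DES S-box S1 from FIPS 46 (four rows of sixteen 4-bit outputs).
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

HALF_BITS = 8                     # toy half-block size (DES uses 32); assumption of this example
HALF_MASK = (1 << HALF_BITS) - 1


def sbox_lookup(sbox: List[List[int]], six_bits: int) -> int:
    """DES convention: the two outer input bits pick the row, the middle four the column."""
    row = (((six_bits >> 5) & 1) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return sbox[row][col]


def single_bit_output_distance(sbox: List[List[int]]) -> int:
    """Smallest Hamming distance between S(x) and S(x') over all x, x' that differ in
    exactly one of the six input bits.  The design criterion quoted above demands >= 2."""
    worst = 4
    for x in range(64):
        for bit in range(6):
            diff = sbox_lookup(sbox, x) ^ sbox_lookup(sbox, x ^ (1 << bit))
            worst = min(worst, bin(diff).count("1"))
    return worst


def expand(r: int) -> int:
    """Constructed stand-in for E: 8 -> 12 bits by repeating the low nibble (DES repeats 16 of 32)."""
    return (r << 4) | (r & 0xF)


def permute(v: int) -> int:
    """Constructed stand-in for P: rotate the 8 S-box output bits by three positions."""
    return ((v << 3) | (v >> 5)) & 0xFF


def round_function(r: int, subkey: int) -> int:
    """f as in Figure 3: expand, xor the subkey, S-box lookups, permute.  Two copies of
    S1 stand in for S1..S8.  Nothing here needs to be invertible."""
    x = expand(r) ^ (subkey & 0xFFF)
    return permute((sbox_lookup(DES_S1, (x >> 6) & 0x3F) << 4) | sbox_lookup(DES_S1, x & 0x3F))


def feistel_encrypt(block: int, subkeys: List[int], f: Callable[[int, int], int] = round_function) -> int:
    """Figure 1 once per subkey.  The halves are swapped back at the end, as DES does."""
    left, right = (block >> HALF_BITS) & HALF_MASK, block & HALF_MASK
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    return (right << HALF_BITS) | left


def feistel_decrypt(block: int, subkeys: List[int], f: Callable[[int, int], int] = round_function) -> int:
    """Figure 2: the same network with the subkeys in reverse order.  f itself is never
    inverted, which is why decryption does not depend on what f is."""
    return feistel_encrypt(block, list(reversed(subkeys)), f)


def lossy_round_function(r: int, subkey: int) -> int:
    """A deliberately many-to-one f, to show that decryption still works."""
    return (r & subkey) & HALF_MASK


if __name__ == "__main__":
    keys = [0x123, 0xABC, 0x555, 0xF0F]          # constructed 12-bit round subkeys
    c = feistel_encrypt(0xBEEF, keys)
    print(f"S1(011011) = {sbox_lookup(DES_S1, 0b011011)}")
    print(f"min single-bit output distance of S1: {single_bit_output_distance(DES_S1)}")
    print(f"0xBEEF -> {c:#06x} -> {feistel_decrypt(c, keys):#06x}")
    c2 = feistel_encrypt(0xBEEF, keys, lossy_round_function)
    print(f"lossy f: 0xBEEF -> {c2:#06x} -> {feistel_decrypt(c2, keys, lossy_round_function):#06x}")
```

Running it prints the FIPS worked value S1(011011) = 5, confirms that the minimum output distance for a single-bit input change is exactly 2 for S1, and shows the same plaintext coming back through `feistel_decrypt` whether f is the S-box-based round function or the many-to-one `lossy_round_function`, which is the point the notes make about decryption being independent of f.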
2 Modes

Modes refers to how block ciphers are used in a broader perspective, i.e. in different encryption modes, given a plaintext message with blocks $M_1, M_2, \ldots$. The following subsections contain brief descriptions of some of the available modes. Note, however, that the list presented here is far from exhaustive.

2.1 ECB (Electronic Code Book)

ECB is the simplest encryption mode; it simply encrypts each message block independently. This method's main advantage is that it is very easy to implement.

$$C_i = E_k(M_i)$$

The equation above can be described in layman's terms as: ciphertext block $C_i$ is equal to the plaintext block $M_i$ encrypted by a block cipher $E$ with key $k$. The main disadvantage of this method is that identical plaintext blocks are encrypted to identical ciphertext blocks.

2.2 CBC (Cipher Block Chaining)

In CBC mode, each block of plaintext is xored with the previous ciphertext block before being encrypted. Thus an arbitrary ciphertext block is dependent on all plaintext blocks up to that point.

$$C_i = E_k(M_i \oplus C_{i-1})$$

We set $C_0 = N$, which is a random initialization vector and is transmitted with the other ciphertext blocks.

[Figure 4: CBC encryption chain. Labels: M1, M2, M3 (plaintext blocks), N (initialization vector), C1, C2, C3 (ciphertext blocks).]

CBC is designed to make the ciphertext blocks appear randomized, thus making it impossible to notice repeats in the plaintext, and also to make it impossible to change the order of the blocks. The main drawback of this method is that it cannot be parallelized, since it is sequential. A possible solution is the use of counter mode (CTR), which is presented briefly in the next subsection.
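ECB and CBC as defined above, together with the counter mode the notes turn to next, written out over an abstract block cipher $E_k$, as an added example that is not part of the lecture notes. The block cipher driving it is a constructed toy: a keyed permutation of the 256 one-byte blocks (in other words, the "permutation picked uniformly at random" that an ideal block cipher is compared against), so what the output shows is the behaviour of the modes, not of any real cipher. The key, IV, counter and message are constructed values.

```python
import random
from typing import Callable, List, Tuple

Cipher = Callable[[int], int]


def toy_cipher(key: int) -> Tuple[Cipher, Cipher]:
    """Return (E_k, E_k^{-1}) over one-byte blocks: a permutation of 0..255 fixed by the key.
    Constructed for this example; the keyed shuffle is the whole 'cipher'."""
    table = list(range(256))
    random.Random(key).shuffle(table)
    inverse = [0] * 256
    for x, y in enumerate(table):
        inverse[y] = x
    return table.__getitem__, inverse.__getitem__


def ecb_encrypt(enc: Cipher, blocks: List[int]) -> List[int]:
    """C_i = E_k(M_i): every block on its own, so equal plaintext blocks give equal ciphertext blocks."""
    return [enc(m) for m in blocks]


def ecb_decrypt(dec: Cipher, blocks: List[int]) -> List[int]:
    """M_i = E_k^{-1}(C_i)."""
    return [dec(c) for c in blocks]


def cbc_encrypt(enc: Cipher, iv: int, blocks: List[int]) -> List[int]:
    """C_i = E_k(M_i xor C_{i-1}) with C_0 = N, the initialization vector."""
    out, prev = [], iv
    for m in blocks:
        prev = enc(m ^ prev)
        out.append(prev)
    return out


def cbc_decrypt(dec: Cipher, iv: int, blocks: List[int]) -> List[int]:
    """M_i = E_k^{-1}(C_i) xor C_{i-1}: decryption needs only the previous ciphertext block."""
    out, prev = [], iv
    for c in blocks:
        out.append(dec(c) ^ prev)
        prev = c
    return out


def ctr_crypt(enc: Cipher, ctr: int, blocks: List[int]) -> List[int]:
    """C_i = E_k(CTR + i) xor M_i for i = 1, 2, ...  Only E_k is used, each keystream block
    is independent of the others, and the same call decrypts.  The counter wraps at the
    toy block size, which is exactly where a keystream block would start to repeat."""
    return [enc((ctr + i) % 256) ^ m for i, m in enumerate(blocks, start=1)]


def has_repeated_blocks(blocks: List[int]) -> bool:
    """The symptom ECB shows and CBC/CTR are designed to hide."""
    return len(set(blocks)) < len(blocks)


if __name__ == "__main__":
    enc, dec = toy_cipher(key=7)                       # constructed key
    msg = [0x41] * 4 + [0x42] * 4                      # constructed: two runs of identical blocks
    iv, ctr = 0x99, 0x10                               # constructed N and initial counter
    print("ECB:", [f"{c:02x}" for c in ecb_encrypt(enc, msg)])
    print("CBC:", [f"{c:02x}" for c in cbc_encrypt(enc, iv, msg)])
    print("CTR:", [f"{c:02x}" for c in ctr_crypt(enc, ctr, msg)])
    # Malleability: flipping one ciphertext bit in CTR flips the same plaintext bit.
    c = ctr_crypt(enc, ctr, msg)
    tampered = [c[0] ^ 0x01] + c[1:]
    print("CTR first block after a bit flip:", f"{ctr_crypt(enc, ctr, tampered)[0]:02x}")
```

The ECB line visibly repeats its byte four times for each run of identical plaintext blocks; the CBC and CTR lines do not, which is the repeat-hiding property described above. The last line demonstrates the malleability the notes mention for counter mode: the tampered first block decrypts to 0x40, the original 0x41 with its low bit flipped, and nothing in the mode detects it.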
2.3 CTR (Counter mode)

This mode turns a block cipher into a stream cipher. It generates the next key stream block by encrypting successive values of a "counter", which is sent as part of the message.

$$C_0 = \mathrm{CTR}, \qquad C_i = E_k(\mathrm{CTR} + i) \oplus M_i$$

This has the same problems as a one-time tape with regard to malleability and resending of messages.

3 DES security

One important (and often missed) security aspect is that of repeating blocks. If we have $T$ possible blocks, then if the blocks are uniformly distributed the first repeat is expected to occur after about $\sqrt{T}$ sent blocks. As uniform distribution is rare, in practice it would happen much sooner.

3.1 Is DES secure?

The answer to this question is "not really". Since the creation of DES, technology has advanced at a fast pace, giving even today's supercomputers the ability to brute force an arbitrary DES key in a reasonable amount of time (days or weeks), not to mention specially built machines to break DES, which are constantly getting cheaper and better. This is of course all due to the DES algorithm's short key length of 56 bits, giving $2^{56}$ possible keys.

3.2 Is DES employed in conjunction with CBC secure?

The security of DES, or of any other block cipher, is essentially a matter of faith. The only hard evidence that it is indeed secure lies in the fact that nobody knows how to break it. When analyzing modes one can use a different approach: one assumes that the block cipher is secure and then proves that the mode has a certain property. In such cases one usually works with a very strong notion of security. Consider the following game. You are given a black box and you are told that the box, given $x$, either computes $E_k(x)$ for a fixed randomly chosen key $k$, or it gives $F(x)$ for a permutation $F$ picked uniformly at random from all permutations. Your task is to tell which of the two is the case. If your probability of being correct is essentially 1/2, the block cipher is secure. One can prove that CBC used with a block cipher with such security properties has nice provable properties, but we do not discuss the details here.

4 Triple DES

This is a well-known variant of DES and is very easy to implement given an implementation of DES. Its strength lies in the new key length of 168 bits, which addresses the biggest weakness of standard DES, albeit with an unorthodox key length like standard DES. Triple DES works by splitting the key into three parts and, as the name implies, applying the standard algorithm three times, i.e. $E_{k_1}(E^{-1}_{k_2}(E_{k_3}(M)))$. This solution is actually better than applying $E_{k_1}(E_{k_2}(E_{k_3}(M)))$, because it enables us to choose the $k$'s in such a way that two cancel each other out: e.g. with $k_1 = k_2$, the result is simply $E_{k_3}(M)$, which is just the standard DES algorithm. Thus it can be used in a network that also uses standard DES.

But if Triple DES is a good idea, then surely Double DES is as well? Unfortunately, Double DES can be broken with the same time complexity as standard DES. This is due to Double DES's susceptibility to a "meet in the middle" attack, which operates by finding possible keys from each end of the algorithm and then searching those sets for matches. The following subsection gives an example and (hopefully) clarifies the issue.

4.1 "Meet in the middle" example

Let us assume that we are given a message $M$, its encryption $C$, and that Double DES was employed, i.e. $C = E_{k_1}(E_{k_2}(M))$. One calculates $E_{k_2}(M)$ for all $k_2$ and stores these values in a hash table. One then computes $E^{-1}_{k_1}(C)$ for all $k_1$ and looks for collisions in the hash table, which can be investigated further. This approach uses time at most $2^{57}$, so it is only marginally more expensive than single DES. On a more pessimistic note, the procedure also uses $2^{56}$ memory, and that might be harder to come by.
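The meet-in-the-middle procedure of Section 4.1 carried out in full, as an added example that is not part of the lecture notes. Because the attack is what matters and not the cipher, it runs against a constructed toy cipher with a 12-bit key and a 16-bit block, so the whole search finishes in a fraction of a second; the cipher, its constants, the key and block sizes and the secret keys are all assumptions of this example and have nothing to do with DES. With a single known pair the table lookup still returns about $2^{12+12-16}$ chance collisions, which is why the code filters them with the remaining pairs, exactly the "investigated further" step of the text.

```python
from typing import Dict, List, Tuple

KEY_BITS = 12                          # toy key size (DES: 56); assumption of this example
BLOCK_MASK = 0xFFFF                    # toy block size 16 bits (DES: 64); assumption
MULT = 0x9E37                          # odd constant, so multiplication mod 2^16 is a bijection
MULT_INV = pow(MULT, -1, 1 << 16)      # its inverse mod 2^16 (Python 3.8+)


def rotl16(x: int, n: int) -> int:
    return ((x << n) | (x >> (16 - n))) & BLOCK_MASK


def rotr16(x: int, n: int) -> int:
    return ((x >> n) | (x << (16 - n))) & BLOCK_MASK


def toy_encrypt(key: int, x: int) -> int:
    """E_k: three rounds of key xor, rotate, multiply.  Every step is invertible."""
    for _ in range(3):
        x = (rotl16(x ^ key, 5) * MULT) & BLOCK_MASK
    return x


def toy_decrypt(key: int, y: int) -> int:
    """E_k^{-1}: undo the three rounds in reverse order."""
    for _ in range(3):
        y = rotr16((y * MULT_INV) & BLOCK_MASK, 5) ^ key
    return y


def double_encrypt(k1: int, k2: int, m: int) -> int:
    """Double encryption as in the notes: C = E_k1(E_k2(M))."""
    return toy_encrypt(k1, toy_encrypt(k2, m))


def meet_in_the_middle(pairs: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Recover (k1, k2) from known (M, C) pairs.  Tabulate E_k2(M) for every k2, then look
    each E_k1^{-1}(C) up in that table; the first pair yields candidates, the remaining
    pairs weed out the chance collisions."""
    m0, c0 = pairs[0]
    table: Dict[int, List[int]] = {}
    for k2 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(k2, m0), []).append(k2)
    candidates = [(k1, k2) for k1 in range(1 << KEY_BITS)
                  for k2 in table.get(toy_decrypt(k1, c0), [])]
    return [(k1, k2) for k1, k2 in candidates
            if all(double_encrypt(k1, k2, m) == c for m, c in pairs[1:])]


def work_factor() -> Tuple[int, int]:
    """(naive search over both keys, meet-in-the-middle), counted in cipher calls.
    With DES-sized keys the same two numbers are 2^112 and 2^57."""
    return 1 << (2 * KEY_BITS), 1 << (KEY_BITS + 1)


if __name__ == "__main__":
    k1, k2 = 0xABC, 0x123                                      # constructed secret keys
    pairs = [(m, double_encrypt(k1, k2, m)) for m in (0x0000, 0x5A5A, 0x1234)]
    print("recovered:", [(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
    print("naive vs meet-in-the-middle cipher calls:", work_factor())
    print("table entries held in memory:", 1 << KEY_BITS)
```

The memory cost the notes warn about is the `table` dictionary: one entry per inner key, $2^{12}$ here and $2^{56}$ for DES, and that, not the running time, is what keeps the attack expensive in practice.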
5 Breaking DES

Given a set of known plaintexts and ciphertexts, it is possible to analyze the pairs and reduce the number of keys it is necessary to check. Examples of such an approach are:

1. Differential cryptanalysis [2]
2. Linear cryptanalysis [3]

The former algorithm can successfully cryptanalyze DES by seeing $2^{47}$ chosen plaintexts; the latter algorithm, however, requires $2^{43}$ message blocks, which is $2^{46}$ bytes, or 64 terabytes. An examination of the former algorithm is beyond the scope of this lecture, but the latter is presented, very briefly, in the following subsection.

[2] Biham and Shamir
[3] Matsui

5.1 Linear cryptanalysis

Linear cryptanalysis is the method of combining linear equations which often apply. Although the S-boxes are not linear, they can often be approximated linearly with good results. For example, we could perhaps have that outbit[3] = inbit[2] + inbit[5] with a probability of 75%, where the probability is taken over the other inputs. Similar relations might hold for other bits. Using such relations we can create a chain of equations, where each equation applies with 75% probability, and at the end relates the input data to the output data.

Let us be more concrete with a toy example. Suppose we only have two iterations of a cipher, where the input to the first round, $in_1$, equals the message bits $M$; the output of the first round, $out_1$, equals the input to the second round, $in_2$; and the output of the second round, $out_2$, equals the ciphertext bits $C$. The key bits on the two rounds are $k_1$ and $k_2$ respectively. Suppose that, because of an S-box used in the first round, we have

$$out_1[3] = in_1[2] + in_1[3] + k_1[2] + k_1[3]$$

holding with probability 0.75. Assume for the second round we also have

$$out_2[2] + out_2[4] = in_2[3] + k_2[3]$$

with probability 0.75. Now the input of the first round is the cleartext, the output of the second round is the ciphertext, and the input to the second round is the output of the first round. The last fact implies that $out_1[3] = in_2[3]$. Combining the equations we hence get the equation

$$in_1[2] + in_1[3] + out_2[2] + out_2[4] = k_1[2] + k_1[3] + k_2[3],$$

which is correct with probability $(3/4)^2 + (1/4)^2 = 5/8$, where the first term comes from both equations being correct and the second from both being incorrect. This implies that by sampling many times, and each time looking at

$$in_1[2] + in_1[3] + out_2[2] + out_2[4] = M[2] + M[3] + C[2] + C[4],$$

we get a bit that with probability 5/8 equals $k_1[2] + k_1[3] + k_2[3]$, and thus, given enough pairs of cleartext and ciphertext, we will eventually learn this bit of the key.

As a general rule for combining equations we have the following fact. Its proof is by a calculation that we omit. For bits: if $A = B$ with probability $\frac{1+p_1}{2}$ and $B = C$ with probability $\frac{1+p_2}{2}$, then $A = C$ with probability $\frac{1+p_1 p_2}{2}$.

Through tedious equation puzzling, the Japanese cryptanalyst Matsui found a relationship between the input, output and key bits for full DES which is correct with probability $\frac{1}{2} + p$ for a very small bias $p$. As we see below, this will enable us to extract useful information after roughly $2^{44}$ observed blocks of cleartext and ciphertext.
5.2 Fact from probability theory

Suppose we are given a guess of a bit $b$ which is correct with probability $\frac{1}{2} + p$. How many independent guesses do we need until we are pretty sure to know the value of $b$? If we see $N$ guesses, the expected number of correct guesses is $\frac{N}{2} + Np$. The standard deviation of this number is roughly $\sqrt{N}$. We can view the expected advantage, $Np$, as a signal and the standard deviation, $\sqrt{N}$, as noise. When the signal is stronger than the noise, we should be able to do something useful. In our case this would mean

$$Np > \sqrt{N},$$

which is equivalent to $N > p^{-2}$. This can be made rigorous, and we leave the details to the interested reader.
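Sections 5.1 and 5.2 turned into code, as an added example that is not part of the lecture notes: the probability with which a linear relation between input and output bits holds for an S-box (the "75%" kind of statement), the rule for combining two such relations (which reproduces the 5/8 of the toy example), and the $N > p^{-2}$ estimate checked by simulation. The 3-bit S-box, the bit masks and the seed are constructed for this example; none of it is a DES S-box or Matsui's equation. Masks are read with bit $i$ selecting bit $i$ of the value, and "+" in the notes' equations is the xor that `parity` computes.

```python
import math
import random
from typing import List, Tuple

TOY_SBOX = [6, 4, 0, 5, 3, 7, 1, 2]       # constructed 3-bit permutation, not a DES S-box


def parity(v: int) -> int:
    """xor of the bits of v (the '+' in the equations above is addition mod 2)."""
    return bin(v).count("1") & 1


def linear_probability(sbox: List[int], in_mask: int, out_mask: int) -> float:
    """Probability, over all inputs x, that the xor of the input bits selected by in_mask
    equals the xor of the output bits selected by out_mask."""
    hits = sum(parity(x & in_mask) == parity(sbox[x] & out_mask) for x in range(len(sbox)))
    return hits / len(sbox)


def best_approximation(sbox: List[int]) -> Tuple[int, int, float]:
    """The nonzero mask pair whose probability is furthest from 1/2.  A probability below
    1/2 is just as useful: the complemented relation then holds with probability above 1/2."""
    n = len(sbox)
    table = [(a, b, linear_probability(sbox, a, b)) for a in range(1, n) for b in range(1, n)]
    return max(table, key=lambda entry: abs(entry[2] - 0.5))


def combine(prob_ab: float, prob_bc: float) -> float:
    """The combining rule: A = B with probability (1+p1)/2 and B = C with probability (1+p2)/2
    give A = C with probability (1+p1*p2)/2, i.e. both right or both wrong."""
    p1, p2 = 2 * prob_ab - 1, 2 * prob_bc - 1
    return (1 + p1 * p2) / 2


def samples_needed(p: float) -> int:
    """Section 5.2: the signal Np must beat the noise sqrt(N), so N > 1/p^2."""
    return math.ceil(1 / (p * p))


def majority_guess(true_bit: int, p: float, n: int, seed: int = 1) -> int:
    """Simulate n independent guesses of a key bit, each right with probability 1/2 + p,
    and return the majority.  Seeded so the run is reproducible."""
    rng = random.Random(seed)
    correct = sum(rng.random() < 0.5 + p for _ in range(n))
    return true_bit if correct > n - correct else 1 - true_bit


if __name__ == "__main__":
    print("P[in bit 2 = out bit 1] =", linear_probability(TOY_SBOX, 0b100, 0b010))
    print("best approximation (in_mask, out_mask, prob):", best_approximation(TOY_SBOX))
    print("two 3/4 equations chained:", combine(0.75, 0.75))          # the 5/8 of the text
    p = 1 / 8                                                           # bias of a 5/8 bit
    n = samples_needed(p)
    for trials in (n // 4, n, 16 * n):
        print(f"N = {trials:5d}: majority says {majority_guess(1, p, trials)} (true bit 1)")
```

For the constructed S-box the relation "input bit 2 = output bit 1" holds for 6 of the 8 inputs, the 75% situation the notes describe, and chaining two such relations gives 5/8 as in the toy example. With the resulting bias $p = 1/8$ the rule gives $N = 64$ samples; the final loop shows the majority vote becoming reliable around that point and certain well above it, while a quarter of that many samples is often wrong, which is the signal-versus-noise argument of Section 5.2 in action.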
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More informationAES side channel attacks protection using random isomorphisms
Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationLecture 5: Pseudorandom functions from pseudorandom generators
Lecture 5: Pseudorandom functions from pseudorandom generators Boaz Barak We have seen that PRF s (pseudorandom functions) are extremely useful, and we ll see some more applications of them later on. But
More informationLecture Notes. Advanced Discrete Structures COT S
Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-27 Recap ADFGX Cipher Block Cipher Modes of Operation Hill Cipher Inverting a Matrix (mod n) Encryption: Hill Cipher Example Multiple
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 20, 2014 CPSC 467, Lecture 15 1/37 Common Hash Functions SHA-2 MD5 Birthday Attack on Hash Functions Constructing New
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationLecture 7: ElGamal and Discrete Logarithms
Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 2006-02-07 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that
More informationChapter 2. A Look Back. 2.1 Substitution ciphers
Chapter 2 A Look Back In this chapter we take a quick look at some classical encryption techniques, illustrating their weakness and using these examples to initiate questions about how to define privacy.
More information8.1 Principles of Public-Key Cryptosystems
Public-key cryptography is a radical departure from all that has gone before. Right up to modern times all cryptographic systems have been based on the elementary tools of substitution and permutation.
More informationModule 2 Advanced Symmetric Ciphers
Module 2 Advanced Symmetric Ciphers Dr. Natarajan Meghanathan Professor of Computer Science Jackson State University E-mail: natarajan.meghanathan@jsums.edu Data Encryption Standard (DES) The DES algorithm
More informationDivision Property: a New Attack Against Block Ciphers
Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationJay Daigle Occidental College Math 401: Cryptology
3 Block Ciphers Every encryption method we ve studied so far has been a substitution cipher: that is, each letter is replaced by exactly one other letter. In fact, we ve studied stream ciphers, which produce
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More informationCryptanalysis of the SIMON Family of Block Ciphers
Cryptanalysis of the SIMON Family of Block Ciphers Hoda A. Alkhzaimi and Martin M. Lauridsen DTU Compute Section for Cryptology Department of Applied Mathematics and Computer Science Matematiktorvet, building
More informationConcurrent Error Detection in S-boxes 1
International Journal of Computer Science & Applications Vol. 4, No. 1, pp. 27 32 2007 Technomathematics Research Foundation Concurrent Error Detection in S-boxes 1 Ewa Idzikowska, Krzysztof Bucholc Poznan
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationEfficient FPGA Implementations and Cryptanalysis of Automata-based Dynamic Convolutional Cryptosystems
Efficient FPGA Implementations and Cryptanalysis of Automata-based Dynamic Convolutional Cryptosystems Dragoş Trincă Department of Computer Science and Engineering University of Connecticut Storrs CT 06269
More informationKlein s and PTW Attacks on WEP
TTM4137 Wireless Security Klein s and PTW Attacks on WEP Anton Stolbunov NTNU, Department of Telematics version 1, September 7, 2009 Abstract These notes should help for an in-depth understanding of the
More informationInformation Security
SE 4472 / ECE 9064 Information Security Week 12: Random Number Generators and Picking Appropriate Key Lengths Fall 2015 Prof. Aleksander Essex Random Number Generation Where do keys come from? So far we
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More informationHow Fast can be Algebraic Attacks on Block Ciphers?
How Fast can be Algebraic Attacks on Block Ciphers? Nicolas T. Courtois Axalto mart Cards, 36-38 rue de la Princesse BP 45, 78430 Louveciennes Cedex, France http://www.nicolascourtois.net courtois@minrank.org
More informationCryptography 2017 Lecture 2
Cryptography 2017 Lecture 2 One Time Pad - Perfect Secrecy Stream Ciphers November 3, 2017 1 / 39 What have seen? What are we discussing today? Lecture 1 Course Intro Historical Ciphers Lecture 2 One Time
More informationTruncated differential cryptanalysis of five rounds of Salsa20
Truncated differential cryptanalysis of five rounds of Salsa20 Paul Crowley 17th October 2005 Abstract We present an attack on Salsa20 reduced to five of its twenty rounds. This attack uses many clusters
More information