Part (02) Modern Encryption Techniques
Dr. Ahmed M. ElShafee
2 Block Ciphers and the Feistel Cipher
3 Introduction. Modern block ciphers are widely used to provide encryption of quantities of information, and/or a cryptographic checksum to ensure the contents have not been altered. A block cipher works on one block (word) at a time, a block being some fixed number of bits; all of those bits must be available before the block can be processed. A stream cipher works on one bit or byte of the message at a time, hence processes it as a stream. Block ciphers are currently better analysed and seem to have a broader range of applications, hence the focus on them here.
4 Block cipher principles. An arbitrary reversible substitution cipher for a large block size is not practical from an implementation and performance point of view. In general, an n-bit general substitution block cipher needs a substitution box with 2^n entries. For a 64-bit block (8 bytes), a pure substitution cipher is a huge table of 2^64 entries, each 64 bits long, so the size of the S-box is 64 x 2^64 = 2^70 bits = 1.18 E21 bits = 1.34 E8 terabytes. In general, for an n-bit general substitution block cipher the key (the table itself) is n x 2^n bits.
5 Block length   S-box size
  8 bits         8 x 2^8   = 2048 bits      = 256 bytes
  16 bits        16 x 2^16 = 1.05 E6 bits   = 128 kbytes
  32 bits        32 x 2^32 = 1.37 E11 bits  = 16 Gbytes
  64 bits        64 x 2^64 = 2^70 = 1.18 E21 bits = 1.34 E8 terabytes
6 Claude Shannon and Substitution-Permutation Ciphers. Claude Shannon's 1949 paper has the key ideas that led to the development of modern block ciphers. Critically, it was the technique of layering groups of S-boxes separated by a larger P-box to form the S-P network, a complex form of product cipher. He also introduced the ideas of confusion and diffusion, notionally provided by S-boxes and by P-boxes (in conjunction with S-boxes) respectively. Every block cipher involves a transformation of a block of plaintext into a block of ciphertext, where the transformation depends on the key.
8 Diffusion seeks to make the statistical relationship between the plaintext and the ciphertext as complex as possible, in order to thwart attempts to deduce the key. Confusion seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, again to thwart attempts to discover the key. So successful are diffusion and confusion in capturing the essence of the desired attributes of a block cipher that they have become the cornerstone of modern block cipher design.
9 Block cipher design rules. Applying what Shannon said, a cryptosystem designer should follow these rules:
  - instead of building one huge substitution table, build the cipher from smaller building blocks using the idea of a product cipher (an SP network)
  - the block cipher transforms a plaintext block into a ciphertext block under the user's key
  - the block cipher is invertible: for each key it is a one-to-one (bijective) function of the block
10 Feistel Cipher. Horst Feistel, working at the IBM Thomas J. Watson Research Labs, devised a suitable invertible cipher structure in the early 70's. One of Feistel's main contributions was the invention of a structure which adapted Shannon's S-P network into an easily inverted form.
11 It partitions the input block into two halves which are processed through multiple rounds; each round performs a substitution on the left data half, based on a round function of the right half and the subkey, and then a permutation that swaps the halves. Essentially the same hardware or software is used for both encryption and decryption, with just a slight change in how the subkeys are used. One layer of S-boxes and the following P-box form the round function.
12 Feistel cipher as an ideal substitution box. Feistel refers to an n-bit general substitution as an ideal block cipher: it allows the maximum number of possible encryption mappings from plaintext block to ciphertext block.
13 Example: a 4-bit input produces one of 16 possible input states, which is mapped by the substitution cipher to a unique one of 16 possible output states, each represented by 4 ciphertext bits. The encryption and decryption mappings can be defined by a tabulation.
14 Feistel Cipher Design Elements. The exact realization of a Feistel network depends on the choice of the following parameters and design features:
  - block size: increasing the size improves security, but slows the cipher
  - key size: increasing the size improves security and makes exhaustive key search harder, but may slow the cipher
  - number of rounds: increasing the number improves security, but slows the cipher
  - subkey generation algorithm: greater complexity can make analysis harder, but slows the cipher
  - round function: greater complexity can make analysis harder, but slows the cipher
  - fast software encryption/decryption: a more recent concern for practical use
  - ease of analysis: for easier validation and testing of strength
15 Feistel cipher decryption. The process of decryption with a Feistel cipher is essentially the same as the encryption process. The rule is as follows: use the ciphertext as input to the algorithm, but use the subkeys K_i in reverse order.
16 That is, use K_n in the first round, K_{n-1} in the second round, and so on until K_1 is used in the last round. This is a nice feature because it means we need not implement two different algorithms, one for encryption and one for decryption.
18 Proof that Feistel decryption undoes Feistel encryption (one round, no swap; note that F(R, K) need not be invertible).
Encryption:
  $R_2 = R_1$ (1)
  $L_2 = L_1 \oplus F(R_1, K)$ (2)
Decryption (the same round applied to $(L_2, R_2)$):
  $R_3 = R_2$ (3)
  $L_3 = L_2 \oplus F(R_2, K)$ (4)
From (3) and (1): $R_3 = R_1$.
From (2) and (4): $L_3 = L_1 \oplus F(R_1, K) \oplus F(R_2, K)$; since $R_2 = R_1$ the two F terms cancel, so $L_3 = L_1$.
19 Two-round version with the swap. Encryption:
  $L_2 = R_1$ (1)
  $R_2 = L_1 \oplus F(R_1, K_1)$ (2)
  $L_3 = R_2$ (3)
  $R_3 = L_2 \oplus F(R_2, K_2)$ (4)
20 Decryption, starting from $(L_3, R_3)$ with the subkeys in reverse order:
  $L_4 = L_3$ (5)
  $R_4 = R_3 \oplus F(L_3, K_2)$ (6)
  $L_5 = L_4 \oplus F(R_4, K_1)$ (7)
  $R_5 = R_4$ (8)
21 From (4), (1) and (3): $R_3 = R_1 \oplus F(L_3, K_2)$ (9)
From (3) and (2): $L_3 = L_1 \oplus F(R_1, K_1)$ (10)
From (6) and (8): $R_5 = R_3 \oplus F(L_3, K_2)$ (11)
From (5), (7) and (8): $L_5 = L_3 \oplus F(R_5, K_1)$ (12)
Substituting (9) into (11): $R_5 = R_1 \oplus F(L_3, K_2) \oplus F(L_3, K_2) = R_1$.
Substituting (10) into (12): $L_5 = L_1 \oplus F(R_1, K_1) \oplus F(R_5, K_1)$, and because $R_5 = R_1$ the two F terms cancel, so $L_5 = L_1$. The original $(L_1, R_1)$ is recovered.
The cancellation relies on $\oplus$ being its own inverse. The letter examples that follow use addition mod 26 instead of XOR, so their decryption must subtract F rather than add it.
22 Thanks... See you next week (ISA)
23 Feistel Cipher Example: simplified, 2 rounds, operating on the 26-character English plaintext alphabet.
24 [Diagram: 8-character block split into two 4-character halves. Encryption: (L1, R1) with K1 -> (L2, R2) with K2 -> (L3, R3). Decryption: (L3, R3) with K2 -> (L4, R4) with K1 -> (L5, R5), with '-' in place of '+'.]
25 The Feistel function is an SP network: the right half R is combined with the round key K (letter-wise addition mod 26, written '+'), the result goes through a simple substitution (4 S-boxes, one per character), followed by a simple permutation (1 P-box). [Diagram: R0,0 .. R0,3 + K0,0 .. K0,3 -> S1 S2 S3 S4 -> Permutation.]
26 Key schedule: as used in the examples that follow, K1 is the 4-character key and K2 is the key rotated left by one character (scrt -> crts).
27 Example 1. Use the Feistel cipher above to encrypt the message "supplies" with the key "scrt", using
  S1 = pdqjkfvobwselcmtirhgnyxazu
  S2 = gcobidpjmywurtzqefkxnlhsav
  S3 = musxelogkrqpzbatifjycdnvhw
  S4 = ycsjndegatipzwhrokfqvxlubm
  P = dacb
(S_i(c) is the character at position c of the S_i string, a = 1st, b = 2nd, ...; P = dacb means output position 1 takes input position d, position 2 takes input position a, and so on.) Subkeys: K1 = scrt, K2 = crts.
28 [Diagram: (L1, R1) + SPN(R1, K1) -> (L2, R2) + SPN(R2, K2) -> (L3, R3).]
29 Round 1: L1 = supp, R1 = lies
  R1 + K1 = lies + scrt = dkvl (S-box input)
  S-boxes: S1(d) = j, S2(k) = w, S3(v) = d, S4(l) = p -> jwdp
  P-box: jwdp -> pjdw = F(R1, K1)
  L2 = R1 = lies; R2 = L1 + F(R1, K1) = supp + pjdw = hdsl
Round 2: R2 + K2 = hdsl + crts = juld
  S-boxes: wnpj; P-box: jwpn = F(R2, K2)
  L3 = R2 = hdsl; R3 = L2 + F(R2, K2) = lies + jwpn = uetf
Ciphertext = L3 R3 = hdsluetf
30-33 [S-box worksheets for the two rounds: inputs dkvl and juld, S-box outputs jwdp and wnpj, P-box outputs pjdw and jwpn.]
34 Example 2. Use the same Feistel cipher (S1..S4 and P = dacb as in Example 1) to encrypt the message "ten fifty" with the key "scrt". The space is dropped, giving the 8-character block tenfifty.
35 [Diagram: L1 = tenf, R1 = ifty; + SPN with K1 = scrt -> (L2, R2); + SPN with K2 = crts -> (L3, R3).]
36 Round 1: L1 = tenf, R1 = ifty
  R1 + K1 = ifty + scrt = ahkr
  S-boxes: S1(a) = p, S2(h) = j, S3(k) = q, S4(r) = k -> pjqk
  P-box: pjqk -> kpqj = F(R1, K1)
  L2 = R1 = ifty; R2 = L1 + F(R1, K1) = tenf + kpqj = dtdo
Round 2: R2 + K2 = dtdo + crts = fkwg
  S-boxes: fwne; P-box: efnw = F(R2, K2)
  L3 = R2 = dtdo; R3 = L2 + F(R2, K2) = ifty + efnw = mkgu
Ciphertext = dtdomkgu
37-40 [S-box worksheets: inputs ahkr and fkwg, S-box outputs pjqk and fwne, P-box outputs kpqj and efnw.]
41 Example 3. Use the same Feistel cipher to decrypt the message "qdkcdyjk" with the key "scrt". Decryption runs the rounds with the subkeys in reverse order (K2 = crts first, then K1 = scrt) and subtracts F instead of adding it.
42 [Diagram: (L3, R3) with K2 -> (L4, R4) with K1 -> (L5, R5).]
43 Round 1 (K2): L3 = qdkc, R3 = dyjk
  L3 + K2 = qdkc + crts = sudu
  S-boxes: S1(s) = h, S2(u) = n, S3(d) = x, S4(u) = v -> hnxv
  P-box: hnxv -> vhxn = F(L3, K2)
  L4 = L3 = qdkc; R4 = R3 - F(L3, K2) = dyjk - vhxn = irmx
Round 2 (K1): R4 + K1 = irmx + scrt = atdq
  S-boxes: pxxo; P-box: opxx = F(R4, K1)
  L5 = L4 - F(R4, K1) = qdkc - opxx = conf; R5 = R4 = irmx
Plaintext = confirmx
44-47 [S-box worksheets: inputs sudu and atdq, S-box outputs hnxv and pxxo, P-box outputs vhxn and opxx.]
48 Example 4. Use the same Feistel cipher to decrypt the message "hvxswxwk" with the key "scrt".
49 [Diagram: L3 = hvxs, R3 = wxwk; - SPN with K2 = crts -> (L4, R4); - SPN with K1 = scrt -> (L5, R5).]
50 Round 1 (K2): L3 = hvxs, R3 = wxwk
  L3 + K2 = hvxs + crts = jmqk
  S-boxes: S1(j) = w, S2(m) = r, S3(q) = i, S4(k) = i -> wrii
  P-box: wrii -> iwir = F(L3, K2)
  L4 = L3 = hvxs; R4 = R3 - F(L3, K2) = wxwk - iwir = obot
Round 2 (K1): R4 + K1 = obot + scrt = gdfm
  S-boxes: vblz; P-box: zvlb = F(R4, K1)
  L5 = L4 - F(R4, K1) = hvxs - zvlb = iamr; R5 = R4 = obot
Plaintext = iamrobot
51-54 [S-box worksheets: inputs jmqk and gdfm, S-box outputs wrii and vblz, P-box outputs iwir and zvlb.]
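The four worked examples above (slides 27 to 54) and the SPN round function of slide 25 can be checked with the following Python implementation of the lecture's toy cipher. This is an added example, not code from the slides. It encodes conventions that the slides use but do not state explicitly, all read from the worked examples: '+' is letter-wise addition mod 26 (a = 0, ..., z = 25) and '-' the matching subtraction, a P-box string such as dacb means output position 1 takes input position d (the 4th), position 2 takes a, and so on, and the key schedule is K1 = key, K2 = key rotated left by one letter (scrt -> crts). Function names are mine.

```python
# Two-round toy Feistel cipher from the lecture examples (added example, not lecture code).
# Letters are arithmetic mod 26: the slides' "xor" is addition, so decryption uses subtraction.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
S_BOXES = ["pdqjkfvobwselcmtirhgnyxazu",   # S1..S4 from the slides: S_i(c) = S_BOXES[i][index(c)]
           "gcobidpjmywurtzqefkxnlhsav",
           "musxelogkrqpzbatifjycdnvhw",
           "ycsjndegatipzwhrokfqvxlubm"]
P_BOX = "dacb"   # output position i takes input position P_BOX[i] (a = 1st, b = 2nd, ...)


def add(a, b):
    """Letter-wise addition mod 26 (the slides' '+')."""
    return "".join(ALPHABET[(ALPHABET.index(x) + ALPHABET.index(y)) % 26] for x, y in zip(a, b))


def sub(a, b):
    """Letter-wise subtraction mod 26 (the slides' '-'), the inverse of add()."""
    return "".join(ALPHABET[(ALPHABET.index(x) - ALPHABET.index(y)) % 26] for x, y in zip(a, b))


def permute(block, pbox):
    """Position-letter permutation: 'dacb' -> block[3], block[0], block[2], block[1]."""
    return "".join(block[ALPHABET.index(p)] for p in pbox)


def round_function(right, subkey):
    """F(R, K): add the subkey, one S-box per letter, then the P-box (an SP network)."""
    mixed = add(right, subkey)
    substituted = "".join(S_BOXES[i][ALPHABET.index(c)] for i, c in enumerate(mixed))
    return permute(substituted, P_BOX)


def subkeys(key):
    """Key schedule as read from the examples (assumption): K1 = key, K2 = key rotated left by one."""
    return [key, key[1:] + key[:1]]


def encrypt(plaintext, key):
    text = plaintext.replace(" ", "")      # the slides drop the space in "ten fifty"
    left, right = text[:4], text[4:8]
    for k in subkeys(key):                 # L_{i+1} = R_i, R_{i+1} = L_i + F(R_i, K_i)
        left, right = right, add(left, round_function(right, k))
    return left + right


def decrypt(ciphertext, key):
    left, right = ciphertext[:4], ciphertext[4:8]
    for k in reversed(subkeys(key)):       # K2 first, then K1
        # undo one round: R_i = L_{i+1}, L_i = R_{i+1} - F(L_{i+1}, K_i)
        left, right = sub(right, round_function(left, k)), left
    return left + right


if __name__ == "__main__":
    print(encrypt("supplies", "scrt"), decrypt("qdkcdyjk", "scrt"))
```

Because F is applied to the half that is passed through unchanged, it is never inverted: decrypt() only needs to recompute F on the same input and subtract it, which is why an arbitrary (non-invertible) SP network can serve as the round function.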
55 Data Encryption Standard
56 Data Encryption Standard (DES). The most widely used symmetric (private-key) block cipher has been the Data Encryption Standard (DES). It was adopted in 1977 by the National Bureau of Standards, now NIST, as Federal Information Processing Standard 46 (FIPS PUB 46). DES encrypts data in 64-bit blocks using a 56-bit key. DES enjoyed widespread use, and has also been the subject of much controversy over its security.
57 DES history. In the late 1960s, IBM set up a research project in computer cryptography led by Horst Feistel. The project concluded in 1971 with the development of the LUCIFER algorithm. LUCIFER is a Feistel block cipher that operates on 64-bit blocks using a 128-bit key. Because of the promising results produced by the LUCIFER project, IBM embarked on an effort, headed by Walter Tuchman and Carl Meyer, to develop a marketable commercial encryption product that ideally could be implemented on a single chip.
58 It involved not only IBM researchers but also outside consultants and technical advice from the NSA. The outcome of this effort was a refined version of LUCIFER that was more resistant to cryptanalysis but had a reduced key size of 56 bits, to fit on a single chip. In 1973 the National Bureau of Standards (NBS) issued a request for proposals for a national cipher standard. IBM submitted the modified LUCIFER. It was by far the best algorithm proposed and was adopted in 1977 as the Data Encryption Standard.
59 DES Design Controversy. Although the DES standard is public, before its adoption DES faced considerable controversy over its design: the choice of a 56-bit key (versus LUCIFER's 128 bits) and the fact that the design criteria were classified. Subsequent events and public analysis showed that the design was in fact appropriate, and the use of DES flourished, especially in financial applications. DES is theoretically broken by differential or linear cryptanalysis, but in practice those attacks need far more plaintext than an attacker is likely to obtain.
60 Rapid advances in computing speed, however, have rendered the 56-bit key susceptible to exhaustive key search, as predicted by Diffie and Hellman. At the time of these slides DES remained standardized for legacy systems, with AES or triple DES for new applications; since then NIST has withdrawn FIPS 46-3 (2005) and deprecated triple DES as well (SP 800-131A), so AES is the choice for anything new.
61 DES overall structure. DES takes a 64-bit data block and a 64-bit key as input. Enciphering a 64-bit data block consists of:
  1. an initial permutation (IP) which shuffles the 64-bit input block
62   2. 16 rounds of a complex key-dependent round function involving substitutions and permutations
  3. a final permutation, the inverse of IP
63 Handling of the 56-bit key consists of:
  1. an initial permutation of the key (PC1) which selects 56 of the 64 input bits, as two 28-bit halves
  2. 16 stages that each generate a 48-bit subkey, using a left circular shift of the two 28-bit halves followed by a permutation (PC2)
64 1. Initial Permutation (IP). The initial permutation and its inverse are defined by tables (next slide). The input to a table consists of 64 bits numbered left to right from 1 to 64. The 64 entries of the permutation table are a permutation of the numbers 1 to 64: entry j names the input bit that becomes output bit j (the first entry of IP is 58, so output bit 1 is input bit 58), the output also consisting of 64 bits.
67 Note that the bit numbering for DES reflects IBM mainframe practice and is the opposite of what we now mostly use, so be careful: bits are numbered from bit 1 (leftmost, most significant) to bit 32/48/64 (rightmost, least significant). Examples are specified in hexadecimal. Here the 64-bit plaintext value 675a6967 5e5a6b5a (written as left and right halves) becomes ffb2194d 004df6fb after permuting with IP: IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb).
68 DES Round Structure
69 The function F takes the R half and the subkey and processes them through E, subkey addition, S and P. This follows the classic structure of a Feistel cipher, using two 32-bit halves L and R; as for any Feistel cipher, a round can be described as:
  $L_i = R_{i-1}$
  $R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$
70 F takes the 32-bit R half and a 48-bit subkey: it expands R to 48 bits using the expansion permutation E, adds the subkey using XOR, passes the result through the 8 S-boxes to get a 32-bit result, and finally permutes it using the 32-bit permutation P. Note that the S-boxes provide the confusion of data and key values; the permutation P then spreads this as widely as possible, so that each S-box output affects as many S-box inputs in the next round as possible, giving diffusion.
73 The R input is first expanded to 48 bits using the expansion table E, which defines a permutation plus an expansion that duplicates 16 of the 32 R bits. The resulting 48 bits are XORed with K_i. This 48-bit result passes through a substitution function comprising 8 S-boxes, each of which maps 6 input bits to 4 output bits, producing a 32-bit output which is then permuted by the permutation P.
74 Substitution Boxes S. There are eight S-boxes, each mapping 6 bits to 4. Each S-box is actually 4 little 4-bit boxes: the outer bits 1 and 6 (row bits) select one of the 4 rows, and the inner bits 2-5 (column bits) are substituted using that row. The result is 8 lots of 4 bits, i.e. 32 bits. Row selection depends on both data and key, a feature known as autoclaving (autokeying). Example: S(18 09 12 3d ...) = 5fd25e03.
77 For example, in S1, for input 011001 the row is 01 (row 1) and the column is 1100 (column 12). The value in row 1, column 12 is 9, so the output is 1001. The example lists eight 6-bit values (18 hex is 011000 in binary, 09 hex is 001001, 12 hex is 010010, 3d hex is 111101, etc.), each of which is replaced following the process detailed above using the appropriate S-box:
  S1(011000): look up row 00, column 1100 in S1 to get 5
  S2(001001): look up row 01, column 0100 in S2 to get 15 = f in hex
  S3(010010): look up row 00, column 1001 in S3 to get 13 = d in hex
  S4(111101): look up row 11, column 1110 in S4 to get 2
  etc.
79 DES Key Schedule. The DES key schedule generates the subkeys needed for each data encryption round. The 64-bit key input is first processed by Permuted Choice One (PC1). The resulting 56-bit key is then treated as two 28-bit quantities C and D. In each round these are separately processed through a circular left shift (rotation) of 1 or 2 bits.
80 These shifted values serve as input to the next round of the key schedule. They also serve as input to Permuted Choice Two (PC2), which produces the 48-bit output that serves as input to the round function F. The 56-bit key size came from security considerations as understood at the time: it was big enough that an exhaustive key search was about as hard as the best direct attack.
81 The extra 8 bits were then used as parity (error-detecting) bits, which makes sense given the original design use for hardware communication links. However, this creates an incompatibility with naive software implementations: the top bit in each byte of an ASCII key is 0 (since ASCII only uses 7 bits), while the DES key schedule throws away the bottom bit (the parity bit) of each byte, so such a key carries only 6 unknown bits per byte, 48 in all. A good implementation needs to be cleverer.
85 DES Decryption. As with any Feistel cipher, DES decryption uses the same algorithm as encryption except that the subkeys are used in reverse order, SK16 ... SK1. If you trace through the DES overview diagram you can see how each decryption step, moving top to bottom with reversed subkeys, undoes the equivalent encryption step moving from bottom to top.
86 Avalanche Effect. A desirable property of any encryption algorithm is that a small change in either the plaintext or the key should produce a significant change in the ciphertext. In particular, a change in one bit of the plaintext or one bit of the key should produce a change in many bits of the ciphertext. If the change were small, this might provide a way to reduce the size of the plaintext or key space to be searched. DES exhibits a strong avalanche effect.
89 Strength of DES: Key Size. With a key length of 56 bits there are 2^56 possible keys, approximately 7.2 x 10^16, so a brute-force attack appeared impractical. In July 1998 the Electronic Frontier Foundation (EFF) announced that it had broken a DES encryption using a special-purpose "DES cracker" machine built for less than $250,000; the attack took less than three days. The EFF has published a detailed description of the machine, enabling others to build their own cracker [EFF98].
90 There have been other demonstrated breaks of DES using both large networks of computers and dedicated hardware, including:
  - 1997: a large network of computers, in a few months
  - 1998: dedicated hardware (EFF), in a few days
  - 1999: the two combined, in 22 hours
It is important to note that there is more to a key-search attack than simply running through all possible keys: unless known plaintext is provided, the analyst must be able to recognize plaintext as plaintext. Clearly alternatives to DES must now be considered, the most important of which are AES and triple DES.
91 Strength of DES: Analytic Attacks. Another concern is the possibility of cryptanalysis that exploits the characteristics of the DES algorithm. The focus of concern has been on the eight substitution tables, or S-boxes, used in each iteration. These techniques utilise some deep structure of the cipher, gathering information about encryptions so that eventually some or all of the subkey bits can be recovered, with the rest found by exhaustive search if necessary. Generally these are statistical attacks whose likelihood of success depends on the amount of information gathered. Attacks of this form include differential cryptanalysis, linear cryptanalysis and related-key attacks.
92 Strength of DES: Timing Attacks. Timing attacks were first described against public-key algorithms, but the issue is also relevant for symmetric ciphers. A timing attack is one in which information about the key or the plaintext is obtained by observing how long a given implementation takes to perform decryptions on various ciphertexts; it exploits the fact that an encryption or decryption algorithm often takes slightly different amounts of time on different inputs. The DES algorithm itself appears fairly resistant to a successful timing attack, though a table-driven software implementation of any cipher can still leak key-dependent information through cache timing.
93 Differential Cryptanalysis. Biham and Shamir showed that differential cryptanalysis can be used to cryptanalyse DES with an effort on the order of 2^47 encryptions, requiring 2^47 chosen plaintexts. They also demonstrated this form of attack on a variety of encryption algorithms and hash functions. Differential cryptanalysis was known to the IBM DES design team as early as 1974 (as the "T attack"), and influenced the design of the S-boxes and the permutation P to improve resistance to it. Compare DES's security with the cryptanalysis of an eight-round LUCIFER, which requires only 256 chosen plaintexts, versus an attack on an eight-round version of DES, which requires 2^14 chosen plaintexts.
94 The differential cryptanalysis attack is complex. The rationale behind it is to observe the behaviour of pairs of text blocks evolving along each round of the cipher, instead of observing the evolution of a single text block. Each round of DES maps the right-hand input into the left-hand output and sets the right-hand output to be a function of the left-hand input and the subkey for that round, which means you cannot trace values back through the cipher without knowing the value of the key. Differential cryptanalysis instead compares pairs of encryptions whose plaintexts have a known difference,
95 looking for a known difference in the output when the same subkeys are used; given a sufficiently large number of suitable pairs, this leaks information about the key.
96 The AES evaluation process also highlighted timing (side-channel) attacks as a concern, particularly for smartcard implementations.
97 Linear Cryptanalysis. A more recent development is linear cryptanalysis. This attack is based on finding linear approximations to describe the transformations performed in DES. It can find a DES key given 2^43 known plaintexts, compared with 2^47 chosen plaintexts for differential cryptanalysis. Although this is only a minor improvement, known plaintext is easier to acquire than chosen plaintext; it still leaves linear cryptanalysis infeasible as a practical attack on DES.
98 The objective of linear cryptanalysis is to find an effective linear equation relating some plaintext, ciphertext and key bits that holds with probability $p \neq 0.5$:
  $P[i_1, i_2, \dots, i_a] \oplus C[j_1, j_2, \dots, j_b] = K[k_1, k_2, \dots, k_c]$
where $P[i_1, \dots, i_a]$ denotes the XOR of plaintext bits $i_1, \dots, i_a$, and likewise for the ciphertext bits $j_1, \dots, j_b$ and key bits $k_1, \dots, k_c$. Once a proposed relation is determined, the procedure is to compute the left-hand side of the equation for a large number of plaintext-ciphertext pairs in order to determine whether the XOR of the key bits is 0 or 1 (the majority value if $p > 0.5$, the opposite if $p < 0.5$), thus giving one bit of information about them.
99 This is repeated for other equations and many pairs to derive some of the key bit values. Because we are dealing with linear equations, the problem can be approached one round of the cipher at a time, with the results combined.
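Both attacks above start from a table of how a single S-box behaves: differential cryptanalysis uses the difference distribution table (how often an input XOR difference produces each output XOR difference) and linear cryptanalysis the linear approximation table (how often an XOR of chosen input bits equals an XOR of chosen output bits). The following Python, an added example rather than lecture material, builds both tables for DES S-box S5 (the table is transcribed from FIPS 46-3; the rest is mine) and picks out the strongest entries. The best linear approximation of S5, input bit 2 against the XOR of all four output bits, holds for only 12 of the 64 inputs, the largest bias in any DES S-box and the starting point of Matsui's attack.

```python
# Differential and linear profiles of DES S-box S5 (added example, not lecture code).
# S5 is transcribed from FIPS 46-3; the table-building code is mine.
S5 = [[2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
      [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
      [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
      [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3]]


def s5(x):
    """DES S-box lookup on a 6-bit value: outer bits (1 and 6) pick the row, inner four the column."""
    row = ((x >> 5) << 1) | (x & 1)
    return S5[row][(x >> 1) & 0xF]


def parity(v):
    return bin(v).count("1") & 1


def difference_table(sbox):
    """ddt[din][dout] = number of 6-bit inputs x with sbox(x) ^ sbox(x ^ din) == dout.
    Differential cryptanalysis looks for large entries off the trivial din = 0 row."""
    ddt = [[0] * 16 for _ in range(64)]
    for din in range(64):
        for x in range(64):
            ddt[din][sbox(x) ^ sbox(x ^ din)] += 1
    return ddt


def linear_table(sbox):
    """lat[a][b] = number of x with parity(a & x) == parity(b & sbox(x)), a an input mask and b an
    output mask. 32 means the relation holds with probability 1/2 (useless); the bias is |lat - 32| / 64."""
    lat = [[0] * 16 for _ in range(64)]
    for a in range(64):
        for b in range(16):
            lat[a][b] = sum(parity(a & x) == parity(b & sbox(x)) for x in range(64))
    return lat


def best_differential(ddt):
    """(din, dout, count) with the highest count for din != 0; the differential holds with probability count / 64."""
    return max(((din, dout, ddt[din][dout]) for din in range(1, 64) for dout in range(16)),
               key=lambda t: t[2])


def best_linear(lat):
    """(a, b, count) with the largest bias |count - 32| over non-trivial masks."""
    return max(((a, b, lat[a][b]) for a in range(1, 64) for b in range(1, 16)),
               key=lambda t: abs(t[2] - 32))


if __name__ == "__main__":
    print(best_differential(difference_table(s5)), best_linear(linear_table(s5)))
```

The DES design criteria cap every non-trivial entry of the difference table at 16 of 64 (no input difference sends more than a quarter of the pairs to one output difference), which is what the counts show; a freshly generated random S-box will usually violate that bound, which is one concrete reason the S-box selection process mattered so much.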
100 What is good in the DES design
  - 8 S-boxes: provide non-linearity and resistance to differential cryptanalysis (good confusion)
  - permutation P: provides increased diffusion
  - number of rounds: more is better; with 16 rounds, exhaustive search is the best attack
  - function F: provides confusion, is non-linear, gives avalanche; the open question is how the S-boxes were selected
  - key schedule: complex subkey creation, key avalanche
101 Feistel cipher design aspects. The cryptographic strength of a Feistel cipher derives from three aspects of the design: the number of rounds, the function F, and the key schedule algorithm. Number of rounds: the greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a relatively weak F. In general, the criterion should be that the number of rounds is chosen so that known cryptanalytic efforts require greater effort than a simple brute-force key search. This criterion is attractive because it makes it easy to judge the strength of an algorithm and to compare different algorithms.
102 The function F: F provides the element of confusion in a Feistel cipher, so we want it to be difficult to unscramble the substitution performed by F. One obvious criterion is that F be non-linear; the more non-linear F is, the more difficult any type of cryptanalysis will be. We would like it to have good avalanche properties, or even the strict avalanche criterion (SAC): every output bit should change with probability 1/2 whenever any single input bit is complemented. Another criterion is the bit independence criterion (BIC): output bits should change independently of each other when a single input bit is complemented. One of the most intense areas of research in symmetric block ciphers is S-box design. We would like any change to the input vector of an S-box to result in random-looking changes to the output; the relationship should be non-linear and difficult to approximate with linear functions.
103 The key schedule algorithm: with any Feistel block cipher, the key schedule is used to generate a subkey for each round. We would like to select subkeys to maximize the difficulty of deducing individual subkeys and the difficulty of working back to the main key. The key schedule should guarantee the key/ciphertext Strict Avalanche Criterion and Bit Independence Criterion.
104 Data Encryption Standard summary
105 [Diagram: DES overview: initial permutation; rounds 1 to 16, each fed by a round-key generation step; inverse initial permutation.]
108 [Diagram: one DES round with its key schedule step: 64-bit plain block; L(i-1), R(i-1); expansion permutation (E); XOR with the round key produced by Permuted Choice 1 -> left circular shift -> Permuted Choice 2; substitution/choice (S-boxes); permutation (P); L(i), R(i); 64-bit ciphered block.]
118 DES Cipher Example: simplified, 2 rounds, operating on the 26-character English plaintext alphabet.
121 [Diagram: 8-character plain block -> IP -> (L1, R1); two rounds each of EP, + round key, CP, P; swap; IP^-1 -> 8-character cipher block. Key: 8 characters -> PC1 -> left shift -> PC2 (K1); left shift -> PC2 (K2). Decryption runs the same diagram with K2 then K1 and '-' in place of '+'.]
122 Example 1. Encrypt the message "supplies" using the simplified 2-round DES cipher on the 26-character English alphabet, with key "secretky" and
  PC1 = beagdfc   PC2 = befcda   IP = bheagdfc   EP = dacbad   CP = bdca   P = dacb
(Each table lists, for output positions 1, 2, ..., the input position it takes: a = 1st, b = 2nd, and so on. '+' is letter-wise addition mod 26.)
123-124 Key generation:
  key = secretky
  PC1 (beagdfc): eeskrtc
  left shift: eskrtce; PC2 (befcda): K1 = stckre
  left shift: skrtcee; PC2 (befcda): K2 = kcerts
125-126 Encryption round 1:
  IP (bheagdfc): supplies -> uslsepip, so L1 = usls, R1 = epip
  EP (dacbad): epip -> peipep
  + K1: peipep + stckre = hxkzvt
  CP (bdca): hxkzvt -> xzkh
  P (dacb): xzkh -> hxkz
  L2 = R1 = epip; R2 = L1 + hxkz = usls + hxkz = bpvr
127-128 Encryption round 2:
  EP: bpvr -> rbvpbr
  + K2: rbvpbr + kcerts = bdzguj
  CP: bdzguj -> dgzb
  P: dgzb -> bdzg
  L3 = R2 = bpvr; R3 = L2 + bdzg = epip + bdzg = fshv
  swap: fshv bpvr
  IP^-1: fshvbpvr -> vfrphvbs
Ciphertext = vfrphvbs
129 Example 3. Decrypt the message "qkqhnbyt" using the simplified 2-round DES cipher on the 26-character English alphabet, with key "secretky" and the same tables (PC1 = beagdfc, PC2 = befcda, IP = bheagdfc, EP = dacbad, CP = bdca, P = dacb). Decryption uses the round keys in reverse order (K2 then K1) and subtracts ('-', mod 26) instead of adding.
130-131 Key generation (as in Example 1): PC1: eeskrtc; K1 = stckre; K2 = kcerts.
132-133 Decryption round 1 (K2):
  IP: qkqhnbyt -> ktnqyhbq, so L3 = ktnq, R3 = yhbq
  EP: yhbq -> qybhyq
  + K2: qybhyq + kcerts = aafyri
  CP: aafyri -> ayfa
  P: ayfa -> aafy
  L2 = R3 = yhbq; R2 = L3 - aafy = ktnq - aafy = ktis
134-135 Decryption round 2 (K1):
  EP: ktis -> skitks
  + K1: skitks + stckre = kdkdbw
  CP: kdkdbw -> ddkk
  P: ddkk -> kdkd
  L1 = R2 = ktis; R1 = L2 - kdkd = yhbq - kdkd = oern
  swap: oern ktis
  IP^-1: oernktis -> nostrike
Plaintext = nostrike
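The two worked examples above (slides 122 to 135) can be checked with the following Python version of the simplified cipher. This is an added example, not lecture code; it encodes the conventions the slides use but do not spell out, all read from the worked examples: each table lists, per output position, the input position it takes (a = 1st, b = 2nd, ...), '+' and '-' are letter-wise addition and subtraction mod 26, the left shift rotates the whole 7-letter PC1 output by one position, and the two rounds are followed by a swap and IP^-1 exactly as in real DES. Function names are mine.

```python
# Simplified two-round "DES" on 8 lowercase letters (added example, not lecture code).
# Tables are the slides' position letters: a = 1st input position, b = 2nd, and so on.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
IP = "bheagdfc"    # initial permutation of the 8-letter block
EP = "dacbad"      # expansion 4 -> 6 letters (the role of the DES E table)
CP = "bdca"        # compression 6 -> 4 letters (stands in for the S-boxes)
P = "dacb"         # permutation P
PC1 = "beagdfc"    # permuted choice 1: keeps 7 of the 8 key letters (the DES parity drop)
PC2 = "befcda"     # permuted choice 2: 6 of the 7 -> round key


def permute(block, table):
    """Output position i takes input position table[i]."""
    return "".join(block[ALPHABET.index(p)] for p in table)


def inverse_permute(block, table):
    """Undo permute(): output position i came from input position table[i]."""
    out = [""] * len(table)
    for i, p in enumerate(table):
        out[ALPHABET.index(p)] = block[i]
    return "".join(out)


def add(a, b):
    """Letter-wise addition mod 26 (the slides' '+')."""
    return "".join(ALPHABET[(ALPHABET.index(x) + ALPHABET.index(y)) % 26] for x, y in zip(a, b))


def sub(a, b):
    """Letter-wise subtraction mod 26 (the slides' '-')."""
    return "".join(ALPHABET[(ALPHABET.index(x) - ALPHABET.index(y)) % 26] for x, y in zip(a, b))


def key_schedule(key):
    """PC1, then for each round a left circular shift of the whole 7-letter register followed by PC2."""
    state = permute(key, PC1)
    round_keys = []
    for _ in range(2):
        state = state[1:] + state[:1]
        round_keys.append(permute(state, PC2))
    return round_keys


def f(right, subkey):
    """Round function: expand, add the subkey, compress (S-box stand-in), permute."""
    return permute(permute(add(permute(right, EP), subkey), CP), P)


def _rounds(block, round_keys, combine):
    bits = permute(block, IP)
    left, right = bits[:4], bits[4:]
    for k in round_keys:                       # L_{i+1} = R_i, R_{i+1} = L_i (+/-) f(R_i, K_i)
        left, right = right, combine(left, f(right, k))
    return inverse_permute(right + left, IP)   # final swap, then IP^-1


def encrypt(plaintext, key):
    return _rounds(plaintext, key_schedule(key), add)


def decrypt(ciphertext, key):
    # Same structure with the round keys reversed; subtraction undoes the mod-26 addition.
    return _rounds(ciphertext, key_schedule(key)[::-1], sub)


if __name__ == "__main__":
    print(encrypt("supplies", "secretky"), decrypt("qkqhnbyt", "secretky"))
```

The decryption path is the encryption path with the key list reversed and '-' for '+'; with XOR in place of mod-26 addition the two paths would be literally the same function, which is the DES property of slide 85.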
136-141 Empty Forms: blank worksheets for key generation (PC1 = beagdfc, PC2 = befcda), two encryption rounds and two decryption rounds (IP = bheagdfc, EP = dacbad, CP = bdca, P = dacb), with the same layout as the worked examples above.
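The simplified 2-round DES of Examples 2 and 3 above, as an added Python implementation (it is not the lecture's own code). The tables are the lecture's; the mod-26 add (encryption) and subtract (decryption), the left rotation in the key schedule and the final swap before IP^-1 are read off the worked values on the slides.

```python
"""Simplified two-round 'letter DES' from the lecture's worked Examples 2 and 3.

Added example, not the lecture's own code. Letters a-z stand for 0-25 and every
table is written the lecture's way: a string whose letters name source positions
(a = 1st letter of the input, b = 2nd, ...). The mod-26 add/subtract is read off
the worked values on the slides (encryption adds, decryption subtracts).
"""

ALPHA = "abcdefghijklmnopqrstuvwxyz"

# Tables exactly as given in the lecture examples
PC1 = "beagdfc"   # 8-letter key  -> 7 letters
PC2 = "befcda"    # 7 letters     -> 6-letter round key
IP = "bheagdfc"   # initial permutation of the 8-letter block
EP = "dacbad"     # expand the 4-letter right half to 6 letters
CP = "bdca"       # compress the 6-letter sum back to 4 letters
P = "dacb"        # straight permutation of the 4-letter result


def permute(table, block):
    """Output position i takes the input letter at the position named by table[i]."""
    return "".join(block[ALPHA.index(pos)] for pos in table)


def inverse_permute(table, block):
    """Undo permute() for a true permutation such as IP (this gives IP^-1)."""
    out = [""] * len(table)
    for i, pos in enumerate(table):
        out[ALPHA.index(pos)] = block[i]
    return "".join(out)


def add_mod26(x, y, sign=1):
    """Letter-wise (x + y) mod 26; with sign=-1 it is (x - y) mod 26."""
    return "".join(ALPHA[(ALPHA.index(a) + sign * ALPHA.index(b)) % 26]
                   for a, b in zip(x, y))


def round_keys(key, rounds=2):
    """Key schedule: PC1 once, then per round a left rotation by one and PC2."""
    k = permute(PC1, key)
    keys = []
    for _ in range(rounds):
        k = k[1:] + k[0]
        keys.append(permute(PC2, k))
    return keys


def f(right, rkey):
    """Round function: P(CP(EP(R) + K mod 26))."""
    return permute(P, permute(CP, add_mod26(permute(EP, right), rkey)))


def feistel(block, keys, sign):
    """IP, the Feistel rounds, swap of the halves, then IP^-1.

    sign=+1 gives R_{i+1} = L_i + f(R_i, K_i) (encryption);
    sign=-1 gives R' = L - f(R, K) (decryption, keys in reverse order).
    """
    block = permute(IP, block)
    left, right = block[:4], block[4:]
    for rkey in keys:
        left, right = right, add_mod26(left, f(right, rkey), sign)
    return inverse_permute(IP, right + left)


def encrypt(plain, key):
    return feistel(plain, round_keys(key), +1)


def decrypt(cipher, key):
    return feistel(cipher, round_keys(key)[::-1], -1)


if __name__ == "__main__":
    print(round_keys("secretky"))            # ['stckre', 'kcerts']
    print(encrypt("supplies", "secretky"))   # vfrphvbs  (Example 2)
    print(decrypt("qkqhnbyt", "secretky"))   # nostrike  (Example 3)
```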
142 Advanced Encryption Standard Dr. Ahmed M. ElShafee 142
143 Introduction The Advanced Encryption Standard (AES) was published by NIST (National Institute of Standards and Technology). AES is a symmetric block cipher that is intended to replace DES as the approved standard for a wide range of applications. The AES cipher (and the other candidates) form the latest generation of block ciphers, and with them we see a significant increase in block size, from the old standard of 64 bits up to 128 bits, and keys from 128 to 256 bits. Whilst triple-DES is regarded as secure and well understood, it is slow, especially in software.
144 In a first round of evaluation, 15 proposed algorithms were accepted. A second round narrowed the field to 5 algorithms. NIST completed its evaluation process and published a final standard (FIPS PUB 197) in November. NIST selected Rijndael as the proposed AES algorithm. The two researchers who developed and submitted Rijndael for the AES are both cryptographers from Belgium: Dr. Joan Daemen and Dr. Vincent Rijmen.
145 AES selection, the competition
- private key symmetric block cipher
- 128-bit data, 128/192/256-bit keys
- stronger & faster than Triple-DES
- active life of years (+ archival use)
- provide full specification & design details
- both C & Java implementations
NIST SuiteB suggests AES128 for secret data and AES256 for top secret data.
146 AES Evaluation Criteria When NIST issued its original request for candidate algorithm nominations in 1997, the request stated that candidate algorithms would be compared based on the factors shown in Stallings Table 5.1, which were used to evaluate the field of 15 candidates and select a shortlist of 5. Initial criteria:
- security
- effort for practical cryptanalysis
- cost in terms of computational efficiency
- algorithm & implementation characteristics
147 The final criteria evolved during the evaluation process and were used to select Rijndael from that shortlist:
- general security
- ease of software & hardware implementation
- implementation attacks
- flexibility (in en/decrypt, keying, other factors)
148 AES Shortlist After testing and evaluation, the shortlist in Aug-99:
- MARS (IBM) - complex, fast, high security margin
- RC6 (USA) - v. simple, v. fast, low security margin
- Rijndael (Belgium) - clean, fast, good security margin
- Serpent (Euro) - slow, clean, v. high security margin
- Twofish (USA) - complex, v. fast, high security margin
Notice the mix of commercial (MARS, RC6, Twofish) versus academic (Rijndael, Serpent) proposals, sourced from various countries. All were thought to be good; it came down to the best balance of attributes to meet the criteria, in particular the balance between speed, security & flexibility.
149 The AES Cipher - Rijndael In Rijndael the block length and the key length can be independently specified to be 128, 192 or 256 bits, while the AES specification uses the same three key size alternatives but limits the block length to 128 bits. Rijndael is an academic submission, based on the earlier Square cipher, from the Belgian academics Dr Joan Daemen and Dr Vincent Rijmen. It is an iterative cipher (operates on the entire data block in every round) rather than a Feistel cipher (which operates on halves at a time).
150 It was designed to have the following characteristics: resistance against all known attacks; speed and code compactness on a wide range of platforms; and design simplicity.
151 RIJNDAEL, the AES structure Block length / key length: a multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits. Block length = 128, 192 or 256 bits. Key length = 128, 192 or 256 bits. Due to the fixed block length of 128 bits = 16 bytes, Rijndael uses a 4 x 4 matrix called the state. Rijndael versions with a larger key length add columns to the state.
152 Overall structure 152
153 The state, the cipher key and the number of rounds
The block is mapped to an array of 4 rows x Nb columns; the key is mapped to an array of 4 rows x Nk columns.
Example of state (Nb = 6) and cipher key (Nk = 4) layout:
State                              Cipher key
A0,0 A0,1 A0,2 A0,3 A0,4 A0,5      K0,0 K0,1 K0,2 K0,3
A1,0 A1,1 A1,2 A1,3 A1,4 A1,5      K1,0 K1,1 K1,2 K1,3
A2,0 A2,1 A2,2 A2,3 A2,4 A2,5      K2,0 K2,1 K2,2 K2,3
A3,0 A3,1 A3,2 A3,3 A3,4 A3,5      K3,0 K3,1 K3,2 K3,3
The state may be considered as 4-byte vectors (a, b, c, d).
154 Rijndael input/output
Input is an array of bytes indexed from 0 to (4 Nb) - 1; the output has the same length as the input.
Rijndael rounds (Nr): table of Nr for Nb = 4, 6, 8 against the three Nk values (the table entries did not survive transcription).
155 The round transformation
All rounds:
Round (State, RoundKey)
{
    ByteSub (State);
    ShiftRow (State);
    MixColumn (State);
    AddRoundKey (State, RoundKey);
}
156 Last round:
FinalRound (State, RoundKey)
{
    ByteSub (State);
    ShiftRow (State);
    AddRoundKey (State, RoundKey);
}
157 The ByteSub transformation
- a simple substitution of each byte
- uses one table of 16 x 16 bytes containing a permutation of all 8-bit values
- each byte of the state is replaced by the byte indexed by row (left 4 bits) & column (right 4 bits)
- the S-box may be constructed using a defined transformation of values in GF(2^8)
- designed to be resistant to all known attacks
158 Affine transformation (matrix figure): the output bits b0..b7 are an affine function of the input bits a0..a7; 00 is mapped to itself.
161 The ShiftRow Transformation: table of the row shift offsets C1, C2, C3 for each block length Nb (the table entries did not survive transcription).
162 The MixColumn Transformation
Each column $(a_0, a_1, a_2, a_3)$ of the state is multiplied by the fixed polynomial
$c(x) = \text{'03'}\,x^3 + \text{'01'}\,x^2 + \text{'01'}\,x + \text{'02'}$, i.e. $b(x) = c(x) \otimes a(x)$,
which in matrix form is
$\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix} = \begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \begin{pmatrix} a_0 \\ a_1 \\ a_2 \\ a_3 \end{pmatrix}$.
The inverse transformation multiplies by $d(x) = \text{'0B'}\,x^3 + \text{'0D'}\,x^2 + \text{'09'}\,x + \text{'0E'}$.
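The MixColumn multiplication by c(x), and its undoing by d(x), as an added Python example (not from the lecture): bytes are multiplied in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1, and column polynomials are reduced modulo x^4 + 1, so the product is a cyclic convolution of the coefficients. The sample column d4 bf 5d 30 is the first MixColumns input column of the FIPS-197 Appendix B example.

```python
"""Real AES MixColumn in GF(2^8): b(x) = c(x) (x) a(x) with
c(x) = '03'x^3 + '01'x^2 + '01'x + '02' and inverse d(x) = '0B'x^3 + '0D'x^2 + '09'x + '0E'.
Added example, not the lecture's code. Bytes are multiplied modulo the AES polynomial
x^8 + x^4 + x^3 + x + 1 (0x11B); column polynomials are reduced modulo x^4 + 1.
"""


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) (shift-and-add, reducing by 0x11B)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B                 # x^8 = x^4 + x^3 + x + 1
        b >>= 1
    return r


# Coefficients listed from x^0 up to x^3
C = (0x02, 0x01, 0x01, 0x03)          # c(x) for MixColumn
D = (0x0E, 0x09, 0x0D, 0x0B)          # d(x) = c(x)^-1 for the inverse MixColumn


def poly_mul_mod_x4_1(p, q):
    """Product of two degree-3 polynomials over GF(2^8), reduced by x^4 + 1."""
    out = [0, 0, 0, 0]
    for i in range(4):
        for j in range(4):
            out[(i + j) % 4] ^= gf_mul(p[i], q[j])   # x^4 == 1 wraps the exponent
    return out


def mix_column(col, inverse=False):
    """One state column (a0, a1, a2, a3) times c(x), or times d(x) for the inverse.

    Row 0 of the result is 02*a0 ^ 03*a1 ^ 01*a2 ^ 01*a3, the first row of the
    MixColumn matrix above.
    """
    return poly_mul_mod_x4_1(list(col), D if inverse else C)


def mix_columns(state, inverse=False):
    """Apply MixColumn to every column of a 4x4 state given column by column."""
    return [mix_column(col, inverse) for col in state]


if __name__ == "__main__":
    col = [0xD4, 0xBF, 0x5D, 0x30]           # FIPS-197 Appendix B, round 1, column 0
    mixed = mix_column(col)                  # [0x04, 0x66, 0x81, 0xE5]
    print([hex(v) for v in mixed], mix_column(mixed, inverse=True) == col)
    print(poly_mul_mod_x4_1(C, D))           # [1, 0, 0, 0]: d(x) really inverts c(x)
```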
163 The Round Key Addition Regardless of the user key length, each (generated) round key has the block length, i.e. Nb columns.
166 Key Schedule 3 simple rules:
1. expanded key length (bits) = block length x (number of rounds + 1)
2. the user (cipher) key is expanded to the expanded key
3. the expanded key is divided into the Nr round keys in ascending order
Generated as W[Nb (Nr + 1)], where each W is a 4-byte word.
167 Round Key Selection Key expansion and round key selection for N b = 6 and N k = 4 167
168-169 Key expansion (figures): the function g applied to the last word of the previous key block is ShiftRow (rotation), ByteSub and XOR with the round constant Rcon; g1 and g2 are its first two applications, and words W8, W9 are shown for the second block.
170 Key expansion for Nk < 6 (figure).
171 Key expansion for Nk >= 6 (figure).
172 AES Decryption
The Cipher
RIJNDAEL (State, CipherKey)
{
    KeyExpansion (CipherKey, ExpandedKey);
    AddRoundKey (State, ExpandedKey);                      // round key 0 = first Nb words
    For (i = 1; i < Nr; i++) Round (State, ExpandedKey + Nb * i);   // Nr - 1 full rounds
    FinalRound (State, ExpandedKey + Nb * Nr);
}
173 The Inverse Cipher
InverseRIJNDAEL (State, CipherKey)
{
    KeyExpansion (CipherKey, ExpandedKey);
    InverseFinalRound (State, ExpandedKey + Nb * Nr);
    For (i = Nr - 1; i > 0; i--) InverseRound (State, ExpandedKey + Nb * i);   // round keys in reverse order
    AddRoundKey (State, ExpandedKey);
}
174 Implementation Aspects
Can be efficiently implemented on an 8-bit CPU:
- byte substitution works on bytes using a table of 256 entries
- shift rows is a simple byte shift
- add round key works on byte XORs
- mix columns requires a matrix multiply in GF(2^8), which works on byte values and can be simplified to use table lookups & byte XORs
175 Can be efficiently implemented on a 32-bit CPU:
- redefine the steps to use 32-bit words
- precompute 4 tables of 256 words
- then each column in each round can be computed using 4 table lookups + 4 XORs
- at a cost of 4 KB to store the tables
The designers believe this very efficient implementation was a key factor in its selection as the AES cipher.
176 RIJNDAEL cryptanalysis
Brute Force Attack: table of key length (128 bits and the larger key sizes) against the number of trials (the entries did not survive transcription).
177 Linear Cryptanalysis: by 2006, table of key length, number of rounds and number of broken rounds (the entries did not survive transcription).
RIJNDAEL Algebraic Description Concerns: Rijndael has a neat algebraic description. This has not yet led to any attacks; some cryptanalysts believe that a complicated algebraic description is required.
178 XSL Attack, announced by Nicolas Courtois and Josef Pieprzyk. Some famous cryptographers found problems in the underlying mathematics of the proposed attack, so they think the authors may have made mistakes in some estimates; it remains an open question. Side Channel Attacks: side channel attacks do not attack the underlying cipher, but attack implementations of the cipher on systems which inadvertently leak data.
179 In April 2005, D. J. Bernstein announced a cache timing attack that he used to break a custom server that used OpenSSL's AES encryption. The custom server was designed to give out as much timing information as possible, and the attack required over 200 million chosen plaintexts. Some say the attack is not practical over the internet with a distance of one or more hops; Bruce Schneier called the research a "nice timing attack". In October 2005, Dag Arne Osvik, Adi Shamir and Eran Tromer presented a paper demonstrating several cache timing attacks against AES. One attack was able to obtain an entire AES key after only 800 writes.
180 Simplified AES example Dr. Ahmed M. ElShafee 180
181 Example 01: Encrypt the following message, tomorrow never die, using the simplified AES that operates on the 26 English plaintext characters, with the key simpler than des. Sbox: pdqjkfvobwselcmtirhgnyxazu
182-183 Key generation (key simpler than des, padded with x to 16 characters)
k1 = simplerthandesxx; K2 = hpbqeizskkxabtqn
184-185 Encryption 1st round
PlainState: tomo / rrow / neve / rdie
ByteSub (Sbox pdqjkfvobwselcmtirhgnyxazu): gmlm / rrmx / ckyk / rjbk
ShiftRow (rows shifted by 0, 1, 2, 3): gmlm / xrrm / ykck / jbkr
MixColumn, + K1: lvkm / xghe / tadl / gwut
186-187 Encryption 2nd round
ByteSub: eysl / avok / gpje / vxng
ShiftRow: eysl / kavo / jegp / xngv
MixColumn, + K2: mauq / jvnp / fotj / zlhf = Cipher mauqjvnpfotjzlhf
188 Example 02: Decrypt the following message, uhqhhiogepdtoaja, using the simplified AES that operates on the 26 English plaintext characters, with the key simpler than des. Sbox: pdqjkfvobwselcmtirhgnyxazu
189-190 Decryption 1st round
CipherState: uhqh / hiog / epdt / oaja
- K2, inverse MixColumn: ebea / lstq / ohwf / dbrf
inverse ShiftRow: ebea / stql / wfoh / fdbr
inverse ByteSub (Sbox pdqjkfvobwselcmtirhgnyxazu): lilx / kpcm / jfhs / fbir
191-192 Decryption 2nd round
- K1, inverse MixColumn: hmbg / rbhd / spkp / ekad
inverse ShiftRow: hmbg / bhdr / kpsp / deka
inverse ByteSub: soit / isbr / eaka / blex = plain "so it is breakable x"
193 Example 03: Encrypt the following message, play hide and seek, using the simplified AES that operates on the 26 English plaintext characters, with the key my hidden secret key. Sbox: pdqjkfvobwselcmtirhgnyxazu
194-195 Key generation (key my hidden secret key, first 16 characters)
k1 = myhiddensecretke; K2 = uszhqtxkjnpgiblp
196-197 Encryption 1st round
PlainState (play hide and seek, padded with x): play / hide / ands / eekx
ByteSub (Sbox pdqjkfvobwselcmtirhgnyxazu): tepz / objk / pcjh / kksa
ShiftRow (rows shifted by 0, 1, 2, 3): tepz / kobj / jhpc / ksak
MixColumn, + K1: ozpw / ntpg / mkme / urga
198-199 Encryption 2nd round
ByteSub: mutx / cgtv / lslk / nrvp
ShiftRow: mutx / vcgt / lkls / rvpn
MixColumn, + K2: wgcm / thdl / crss / nseu = Cipher wgcmthdlcrssnseu
200 Example 04: Decrypt the following message, ltnyobbbswbgrmxj, using the simplified AES that operates on the 26 English plaintext characters, with the key my hidden secret key. Sbox: pdqjkfvobwselcmtirhgnyxazu
201-202 Decryption 1st round
CipherState: ltny / obbb / swbg / rmxj
- K2, inverse MixColumn: girc / lxvm / hnek / dfcq
inverse ShiftRow: girc / xvml / ekhn / qdfc
inverse ByteSub (Sbox pdqjkfvobwselcmtirhgnyxazu): tqrn / wgom / lesu / cbfn
203-204 Decryption 2nd round
- K1, inverse MixColumn: dkob / ccjk / zekl / ckhb
inverse ShiftRow: dkob / cjkc / klze / bckh
inverse ByteSub: behi / nden / emyl / ines = plain "behind enemy lines"
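The simplified AES of Examples 01 to 04, as an added Python implementation (not part of the lecture). It assumes what the worked values on the slides show: ShiftRow rotates row i to the right by i places, MixColumn multiplies the state (rows as printed) on the right by the AES matrix [2 3 1 1; 1 2 3 1; 1 1 2 3; 3 1 1 2] mod 26 (whose inverse mod 26 is the circulant with first row 14 9 19 25), and AddRoundKey adds letters mod 26; the key schedule is not shown, so both round keys are passed in as the slides print them.

```python
"""Simplified two-round 'letter AES' from the lecture's Examples 01-04.

Added example, not the lecture's own code. The state is 4 rows of 4 letters
(a-z = 0-25) and all arithmetic is mod 26. Assumptions read off the slide values:
  - ByteSub uses the lecture's 26-letter S-box,
  - ShiftRow rotates row i to the right by i positions,
  - MixColumn multiplies the state (rows as printed) on the right by the AES
    matrix [2 3 1 1; 1 2 3 1; 1 1 2 3; 3 1 1 2] mod 26,
  - AddRoundKey adds the round key letter-wise mod 26.
The key schedule is not shown on the slides, so both round keys are passed in.
"""

ALPHA = "abcdefghijklmnopqrstuvwxyz"
SBOX = "pdqjkfvobwselcmtirhgnyxazu"                      # a->p, b->d, ..., z->u
INV_SBOX = "".join(ALPHA[SBOX.index(c)] for c in ALPHA)  # p->a, d->b, ...

MIX = [[2, 3, 1, 1],
       [1, 2, 3, 1],
       [1, 1, 2, 3],
       [3, 1, 1, 2]]
# Inverse of MIX modulo 26 (det = -35, invertible because gcd(35, 26) = 1):
# the circulant matrix with first row 14 9 19 25.
INV_MIX = [[14, 9, 19, 25],
           [25, 14, 9, 19],
           [19, 25, 14, 9],
           [9, 19, 25, 14]]


def to_state(text):
    """16 letters -> 4 rows of 4 numbers, filled row by row as on the slides."""
    return [[ALPHA.index(c) for c in text[r * 4:r * 4 + 4]] for r in range(4)]


def from_state(state):
    return "".join(ALPHA[v] for row in state for v in row)


def byte_sub(state, inverse=False):
    box = INV_SBOX if inverse else SBOX
    return [[ALPHA.index(box[v]) for v in row] for row in state]


def shift_row(state, inverse=False):
    out = []
    for i, row in enumerate(state):
        k = (-i if inverse else i) % 4      # rotate right by i, or left by i to undo
        out.append(row[-k:] + row[:-k] if k else list(row))
    return out


def mix_column(state, inverse=False):
    m = INV_MIX if inverse else MIX
    return [[sum(row[k] * m[k][j] for k in range(4)) % 26 for j in range(4)]
            for row in state]


def add_round_key(state, key, sign=1):
    k = to_state(key)
    return [[(state[i][j] + sign * k[i][j]) % 26 for j in range(4)] for i in range(4)]


def encrypt(plain, k1, k2):
    """Round = ByteSub, ShiftRow, MixColumn, AddRoundKey (both rounds identical)."""
    state = to_state(plain)
    for key in (k1, k2):
        state = add_round_key(mix_column(shift_row(byte_sub(state))), key)
    return from_state(state)


def decrypt(cipher, k1, k2):
    """Inverse round = subtract key, inverse MixColumn, inverse ShiftRow, inverse ByteSub."""
    state = to_state(cipher)
    for key in (k2, k1):
        state = add_round_key(state, key, -1)
        state = byte_sub(shift_row(mix_column(state, True), True), True)
    return from_state(state)


if __name__ == "__main__":
    K1, K2 = "simplerthandesxx", "hpbqeizskkxabtqn"     # round keys from Example 01
    print(encrypt("tomorrowneverdie", K1, K2))            # mauqjvnpfotjzlhf
    print(decrypt("uhqhhiogepdtoaja", K1, K2))            # soitisbreakablex
```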
205 Thanks, see you next week (ISA).
206-210 Empty forms: blank worksheets for key generation (k1, K2), two encryption rounds and two decryption rounds of the simplified AES (Sbox pdqjkfvobwselcmtirhgnyxazu), with the same layout as the worked examples above.
More informationChapter 2 Symmetric Encryption Algorithms
Chapter 2 Symmetric Encryption Algorithms February 15, 2010 2 The term symmetric means that the same key used to encrypt is used decrypt. In the widest sense all pre-pkc encryption algorithms are symmetric,
More informationDifferential Cache Trace Attack Against CLEFIA
Differential Cache Trace Attack Against CLEFIA Chester Rebeiro and Debdeep Mukhopadhyay Dept. of Computer Science and Engineering Indian Institute of Technology Kharagpur, India {chester,debdeep}@cse.iitkgp.ernet.in
More informationStructural Evaluation by Generalized Integral Property
Structural Evaluation by Generalized Integral Property Yosue Todo NTT Secure Platform Laboratories, Toyo, Japan todo.yosue@lab.ntt.co.jp Abstract. In this paper, we show structural cryptanalyses against
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 08 Shannon s Theory (Contd.)
More informationSubstitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis
J. Cryptology (1996) 9: 1 19 1996 International Association for Cryptologic Research Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis Howard M. Heys and Stafford E.
More informationA Block Cipher using an Iterative Method involving a Permutation
Journal of Discrete Mathematical Sciences & Cryptography Vol. 18 (015), No. 3, pp. 75 9 DOI : 10.1080/097059.014.96853 A Block Cipher using an Iterative Method involving a Permutation Lakshmi Bhavani Madhuri
More informationSpecification on a Block Cipher : Hierocrypt L1
Specification on a Block Cipher : Hierocrypt L1 Toshiba Corporation September 2001 Contents 1 Design principle 3 1.1 Data randomizing part........................ 3 1.1.1 Nested SPN structure....................
More informationOnline Cryptography Course. Block ciphers. What is a block cipher? Dan Boneh
Online Cryptography Course Block ciphers What is a block cipher? Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical examples: 1. 3DES: n= 64 bits, k = 168 bits 2.
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 20, 2014 CPSC 467, Lecture 15 1/37 Common Hash Functions SHA-2 MD5 Birthday Attack on Hash Functions Constructing New
More informationStream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden
Dept. of EIT, Lund University, P.O. Box 118, 221 00 Lund, Sweden thomas@eit.lth.se May 16, 2011 Outline: Introduction to stream ciphers Distinguishers Basic constructions of distinguishers Various types
More informationA Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix
A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix S. Udaya Kumar V. U. K. Sastry A. Vinaya babu Abstract In this paper, we have developed a block cipher
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationarxiv: v1 [cs.cr] 13 Sep 2016
Hacking of the AES with Boolean Functions Michel Dubois Operational Cryptology and Virology Laboratory Éric Filiol Operational Cryptology and Virology Laboratory September 14, 2016 arxiv:1609.03734v1 [cs.cr]
More informationMATH3302 Cryptography Problem Set 2
MATH3302 Cryptography Problem Set 2 These questions are based on the material in Section 4: Shannon s Theory, Section 5: Modern Cryptography, Section 6: The Data Encryption Standard, Section 7: International
More informationSieve-in-the-Middle: Improved MITM Attacks (Full Version )
Sieve-in-the-Middle: Improved MITM Attacks (Full Version ) Anne Canteaut 1, María Naya-Plasencia 1, and Bastien Vayssière 2 1 Inria Paris-Rocquencourt, project-team SECRET B.P. 105, 78153 Le Chesnay cedex,
More informationLOOKING INSIDE AES AND BES
23 LOOKING INSIDE AES AND BES Ilia Toli, Alberto Zanoni Università degli Studi di Pisa Dipartimento di Matematica Leonida Tonelli Via F. Buonarroti 2, 56127 Pisa, Italy {toli, zanoni}@posso.dm.unipi.it
More informationLinear Cryptanalysis
Linear Cryptanalysis Linear cryptanalysis is a powerful method of cryptanalysis introduced by Matsui in 1993 [11]. It is a known plaintext attack in which the attacker studies the linear approximations
More informationClassical Cryptography
Classical Cryptography CSG 252 Fall 2006 Riccardo Pucella Goals of Cryptography Alice wants to send message X to Bob Oscar is on the wire, listening to communications Alice and Bob share a key K Alice
More informationSecurity of the AES with a Secret S-box
Security of the AES with a Secret S-box Tyge Tiessen, Lars R Knudsen, Stefan Kölbl, and Martin M Lauridsen {tyti,lrkn,stek,mmeh}@dtudk DTU Compute, Technical University of Denmark, Denmark Abstract How
More informationTechnion - Computer Science Department - Technical Report CS0816.revised
How to Strengthen DES Using Existing Hardware Eli Biham? Alex Biryukov?? Abstract Dierential, linear and improved Davies' attacks are capable of breaking DES faster than exhaustive search, but are usually
More informationDifferential Attack on Five Rounds of the SC2000 Block Cipher
Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com
More informationModified Hill Cipher for a Large Block of Plaintext with Interlacing and Iteration
Journal of Computer Science 4 (1): 15-20, 2008 ISSN 1549-3636 2008 Science Publications Modified Hill Cipher for a Large Block of Plaintext with Interlacing and Iteration V.U.K. Sastry and N. Ravi Shankar
More informationAttacking AES via SAT
Computer Science Department Swansea University BCTCS Warwick, April 7, 2009 Introduction In the following talk, a general translation framework, based around SAT, is considered, with the aim of providing
More informationSimple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)
Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Henry Ng Henry.Ng.a@gmail.com Abstract. A new cryptographic pseudorandom number generator Cilia is presented. It hashes
More informationSymmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)
Symmetric Ciphers Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5) Symmetric Cryptography C = E(P,K) P = D(C,K) Requirements Given C, the only way to obtain P should be with the knowledge of K Any
More information3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis
3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis TANAKA Hidema, TONOMURA Yuji, and KANEKO Toshinobu A multi rounds elimination method for higher order differential cryptanalysis
More informationComplementing Feistel Ciphers
Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,
More informationSTREAM CIPHER. Chapter - 3
STREAM CIPHER Chapter - 3 S t r e a m C i p h e r P a g e 38 S t r e a m C i p h e r P a g e 39 STREAM CIPHERS Stream cipher is a class of symmetric key algorithm that operates on individual bits or bytes.
More informationMulti-Map Orbit Hopping Chaotic Stream Cipher
Multi-Map Orbit Hopping Chaotic Stream Cipher Xiaowen Zhang 1, Li Shu 2, Ke Tang 1 Abstract In this paper we propose a multi-map orbit hopping chaotic stream cipher that utilizes the idea of spread spectrum
More informationMATH 509 Differential Cryptanalysis on DES
MATH 509 on DES Department of Mathematics, Boise State University Spring 2012 MATH 509 on DES MATH 509 on DES Feistel Round Function for DES MATH 509 on DES 1977: DES is approved as a standard. 1 1 Designers:
More information