Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis

Size: px
Start display at page:

Download "Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis"

Transcription

1 Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis Cryptology, lecture 3 Stinson, Section Tuesday, February 12th, 2008

2 1 Composition Product 2 Substitution-Permutation Networks Feistel Networks Exclusive Or 3 The Bias of a Random Variable Linear Approximation Linear Attack 4 Differential Approximation Differential Attack

3 1 Composition Product 2 Substitution-Permutation Networks Feistel Networks Exclusive Or 3 The Bias of a Random Variable Linear Approximation Linear Attack 4 Differential Approximation Differential Attack

4 1 Composition Product 2 Substitution-Permutation Networks Feistel Networks Exclusive Or 3 The Bias of a Random Variable Linear Approximation Linear Attack 4 Differential Approximation Differential Attack

5 1 Composition Product 2 Substitution-Permutation Networks Feistel Networks Exclusive Or 3 The Bias of a Random Variable Linear Approximation Linear Attack 4 Differential Approximation Differential Attack

6 Product Given S 1 = (P 1, M, K 1, E 1, D 1, Pr 1 ) S 2 = (M, C 2, K 2, E 2, D 2, Pr 2 ) (Note: C 1 = P 2 = M) We write e(x, K ) also as e K (x). Define S 1 S 2 = (P 1, C 2, K 1 K 2, E, D, Pr) e (K1,K 2 ) = e K1 ; e K2 = e K2 e K1 d (K1,K 2 ) = d K2 ; d K1 = d K1 d K2 Pr[(K 1, K 2 )] = Pr 1 (K 1 ) Pr 2 (K 2 ) Amounting to serial composition x e K1 (x) S 1 S 2 e K2 (e K1 (x)) K 1 K 2

7 Product Given S 1 = (P 1, M, K 1, E 1, D 1, Pr 1 ) S 2 = (M, C 2, K 2, E 2, D 2, Pr 2 ) (Note: C 1 = P 2 = M) We write e(x, K ) also as e K (x). Define S 1 S 2 = (P 1, C 2, K 1 K 2, E, D, Pr) e (K1,K 2 ) = e K1 ; e K2 = e K2 e K1 d (K1,K 2 ) = d K2 ; d K1 = d K1 d K2 Pr[(K 1, K 2 )] = Pr 1 (K 1 ) Pr 2 (K 2 ) Amounting to serial composition x e K1 (x) S 1 S 2 e K2 (e K1 (x)) K 1 K 2

8 Product Properties Multiplication of ciphers is associative, S 1 (S 2 S 3 = (S 1 S 2 ) S 3 ) is not (necessarily) commutative, S 2 S 1 >< S 1 S 2 is endomorphic, if P = C (assume S endomorphic) is idempotent, if S S = S 2 = S Examples The Shift, Substitution, Multiplicative, Affine, Hill, Vigenère (cf. Exercise 2.20) and Permutation Ciphers are all idempotent.

9 Substitution-Permutation Networks Feistel Networks Exclusive Or For a non-idempotent cipher S we might hope for the iterated cipher S }. {{.. S } = S n to be safer than just S by itself. n Proof. If S and T are both idempotent and commute, then S T is also idempotent. (S T) (S T) = S (T S) T = S (S T) T = (S S) (T T) = S T Can you think of a non-idempotent cipher?

10 Substitution-Permutation Networks Feistel Networks Exclusive Or For a non-idempotent cipher S we might hope for the iterated cipher S }. {{.. S } = S n to be safer than just S by itself. n Proof. If S and T are both idempotent and commute, then S T is also idempotent. (S T) (S T) = S (T S) T = S (S T) T = (S S) (T T) = S T Can you think of a non-idempotent cipher?

11 Substitution-Permutation Networks Feistel Networks Exclusive Or For a non-idempotent cipher S we might hope for the iterated cipher S }. {{.. S } = S n to be safer than just S by itself. n Proof. If S and T are both idempotent and commute, then S T is also idempotent. (S T) (S T) = S (T S) T = S (S T) T = (S S) (T T) = S T Can you think of a non-idempotent cipher?

12 Substitution-Permutation Networks Feistel Networks Exclusive Or For a non-idempotent cipher S we might hope for the iterated cipher S }. {{.. S } = S n to be safer than just S by itself. n Proof. If S and T are both idempotent and commute, then S T is also idempotent. (S T) (S T) = S (T S) T = S (S T) T = (S S) (T T) = S T Can you think of a non-idempotent cipher?

13 Substitution-Permutation Networks Feistel Networks Exclusive Or Setting up an Iterated Cipher P = C are the states. The number of rounds Nr N 1. A key schedule K (K 1,..., K Nr ) assigning subkeys K i (or round keys) to a given key K. (Note: superscript-indexing.) A round function g : P K P posessing an inverse g 1, i.e. g 1 (g(w, k), k) = w for each state w and subkey k. Encryption w 0 x w i g(w i 1, K i ) i = 1,..., Nr y w Nr Decryption w Nr y w i 1 g 1 (w i, K i ) i = Nr,..., 1 x w 0

14 Substitution-Permutation Networks Feistel Networks Exclusive Or Setting up a Substitution-Permutation Network For l, m N 1, an lm-bit word x = (x 1,..., x ml ) is split into m l-bit blocks (note the use of base 1 numbering): x = x 1 x m x i = (x (i 1)l+1,..., x il ) An l-bit block is permuted by ( substitution ) π S : {0, 1} l {0, 1} l A complete lm-bit word is permuted by π P : {1,..., lm} {1,..., lm} The key schedule maps K into ({0, 1} lm ) Nr+1

15 Substitution-Permutation Networks Feistel Networks Exclusive Or Employing an SPN The first Nr 1 rounds consist a subkey addition, m substitutions (in parallel) and a permutation. The Nr-th round has subkey addition and substitution only, and finally K Nr+1 is added. Encryption x for r to Nr 1 do u r w r 1 K r for i to m do v i r π S (u i r ) od w r (vπ r P (1),..., v π r P (lm) ) od u Nr w Nr 1 K Nr for i to m do v i Nr π S (u i Nr) od y v Nr K Nr+1 w 0 Decryption Solve Exercise 3.1.

16 Substitution-Permutation Networks Feistel Networks Exclusive Or Example 3.1 All of the Sj i use π S : z π S (z) E 4 D 1 2 F B 8 z 8 9 A B C D E F π S (z) 3 A 6 C z π P (z) z π P (z)

17 Substitution-Permutation Networks Feistel Networks Exclusive Or Example 3.1 K 1 = K 2 = K 3 = K 4 = K 5 = For the homework, please use π P : z π P (z) z π P (z)

18 Substitution-Permutation Networks Feistel Networks Exclusive Or Special case: a Feistel Cipher Suggested 1973 by Horst Feistel for IBM s Lucipher : Each state w i is split into a left and a right half, w i = L i R i. For some f (satisfying no special requirements!) each round encrypts by L i = R i 1 R i = L i 1 f (R i 1, K i ) Decryption Solve Exercise 3.2.

19 Substitution-Permutation Networks Feistel Networks Exclusive Or Binary (Boolean) algebra 0 = False, 1 = True. Inclusive disjunction (either this or that or both, (Lat.:) vel... vel... ) = = Conjunction (this as well as that, (Lat.:)... et... ) = = & = Exclusive disjunction (either this or that, but not both, (Lat.:) aut... aut... ) = non-equivalence ( ) = sum modulo 2 = Facts a (b c) = (a b) c b a = a b a 0 = 0 a = a a a = 0 a (b c) = (a b) (a c) a a = 1 a 1 = 1 a = a a = b c a b c = 0 a b = (a b) ( a b) = (a b) ( a b)

20 The Bias of a Random Variable Linear Approximation Linear Attack Binary Random Variable A binary random variable X assumes two values only, which we shall denote 0 and 1. It thus only distinguishes two probabilities, Pr[X = 0] = p and Pr[X = 1] = 1 p. Bias The bias of X is defined to be Bi[X] = p 1 2. X is fair if Bi[X] = 0. Facts Pr[X = 0] = Bi[X] Pr[X = 1] = 1 2 Bi[X] 1 2 Bi[X] 1 2 Bi[X 1] = Bi[X]

21 The Bias of a Random Variable Linear Approximation Linear Attack Lemma (Piling-up Lemma) For k mutually independent random variables X 1,..., X k, Bi[X 1... X k ] = 2 k 1 k i=1 Bi[X i]. Proof. By induction over k; obvious for k = 1. Let Y denote k 1 i=1 X i, and assume validity for k 1: Bi[Y ] = 2 k 2 k 1 i 1 Bi[X i]. Pr[ k i=1 X i = 0] = Pr[Y = 0]Pr[X k = 0] + Pr[Y = 1]Pr[X k = 1] = ( Bi[Y ])( Bi[X k]) + ( 1 2 Bi[Y ])( 1 2 Bi[X k]) = Bi[Y ]Bi[X k], so Bi[ k i=1 X i] = 2 k 1 k i 1 Bi[X i] Corollary X 1... X k is fair if and only if one of the terms X i is fair.

22 The Bias of a Random Variable Linear Approximation Linear Attack Lemma (Piling-up Lemma) For k mutually independent random variables X 1,..., X k, Bi[X 1... X k ] = 2 k 1 k i=1 Bi[X i]. Proof. By induction over k; obvious for k = 1. Let Y denote k 1 i=1 X i, and assume validity for k 1: Bi[Y ] = 2 k 2 k 1 i 1 Bi[X i]. Pr[ k i=1 X i = 0] = Pr[Y = 0]Pr[X k = 0] + Pr[Y = 1]Pr[X k = 1] = ( Bi[Y ])( Bi[X k]) + ( 1 2 Bi[Y ])( 1 2 Bi[X k]) = Bi[Y ]Bi[X k], so Bi[ k i=1 X i] = 2 k 1 k i 1 Bi[X i] Corollary X 1... X k is fair if and only if one of the terms X i is fair.

23 The Bias of a Random Variable Linear Approximation Linear Attack Linear Approximation of an S-box For π S : {0, 1} m {0, 1} n, try to find relations like Y 2 X 1 X 3 X 4 ; equivalently: a biased random variable Z (a1,...,a m),(b 1,...,b n)(x, Y) = ( m i=1 a ix i ) ( n i=1 b iy i ), Y = π S (X). Linear Approximation Table For each a = (a 1,..., a m ), b = (b 1,..., b n ), N L (a, b) is the number of x such that Z a,b (x, y) = 0, y = π S (x). Bi[Z a,b ] = 2 m N L (a, b) 1 2. Solve Exercise 3.12.

24 The Bias of a Random Variable Linear Approximation Linear Attack Linear Attack Assume available a large number of corresponding plaintext-ciphertext pairs for the same unknown key. (Known-plaintext attack.) To find subkey K Nr+1, combine biased variables like X 1 X 3 X 4 Y 2 and X 2 Y 2 Y 4 into a biased sum of plaintext bits, subkey bits and bits from u Nr. In Example 3.1, use T 1 = U5 1 U1 7 U1 8 V 6 1 Bi[T 1 ] = 1 4 T 2 = U6 2 V 6 2 V 8 2 Bi[T 2 ] = 1 4 T 3 = U6 3 V 6 3 V 8 3 Bi[T 3 ] = 1. 4 T 4 = U14 3 V 14 3 V 16 3 Bi[T 4 ] = 1 4

25 The Bias of a Random Variable Linear Approximation Linear Attack Linear Attack Assuming (which is false!) linear independence among T 1, T 2, T 3, T 4, by the piling-up lemma on T = T 1 T 2 T 3 T 4 we obtain Bi[T ] = 2 3 ( 1 4 )( 1 4 )3 = Insertion gives T = X 5 X 7 X 8 U6 4 U4 8 U4 14 U4 16 L where L = K5 1 K 7 1 K 8 1 K 6 2 K6 3 K 14 3 K 6 4 K 8 4 K 14 4 K Since L is constant (0 or 1), we find Bi[X 5 X 7 X 8 U6 4 U4 8 U4 14 U4 16 ] = ± 1 32

26 The Bias of a Random Variable Linear Approximation Linear Attack The final biased random variable only involves bits from the plaintext and from u Nr. These bits ui Nr participate in certain S-box inputs u j Nr, with outputs v Nr j to be x-ored with M subkey bits K Nr+1 j. (In our example: the 8 subkey bits K 2 5 and K 4 5.) Note that tracing the network backwards, u Nr can be obtained from y and K Nr+1. For each of the 2 M subkey bit possibilities, count the number of cases in the test sample of N plaintext-ciphertext pairs where the biased variable is 0. Hopefully, for most of the subkey bit possibilities, this number will be close to N/2, and for sufficiently large N (inversely proportional to the square of the bias), the correct subkey bits stand out.

27 Differential Approximation Differential Attack Definition For an input x-or x = x x and an S-box π S : {0, 1} m {0, 1} n, the output x-or is y = π S (x) π S (x ). Differential Approximation Table Definition (x ) = {(x, x ) x x = x } N D (x, y ) = {(x, x ) (x ) π S (x) π S (x ) = y }. R D (x, y ) = 2 m N D (x, y ) approximates the probability of output x-or y given input x-or x.

28 Differential Approximation Differential Attack Differential Attack Combine large propagation ratios into a differential trail through the network, arranging for the output x-or from each round to be the input x-or of the next round. The full trail leads from a particular input x-or x to a particular state x-or (u Nr ). Assuming (which may not be mathematically valid) independence among the layers of the network, the propagation ratio ε of the full differential trail may be computed by multiplication, and this will also be larger than for a random distribution.

29 Differential Approximation Differential Attack Example 3.1 In S2 1, use R P(1011, 0010) = 1 2. In S3 2, use R P(0100, 0110) = 3 8. In S2 3, use R P(0010, 0101) = 3 8. In S3 3, use R P(0010, 0101) = 3 8. Giving 1 2 ( 3 8 )3 = as propagation ratio for the full differential trail.

30 Differential Approximation Differential Attack Those positions of u Nr where the corresponding position of (u Nr ) is 1, depend on M particular bits of K Nr+1. Assume a large collection of corresponding values (x, x, y, y ) have been obtained. (I.e.: ciphertexts y and y correspond to x and x, respectively, all encodings employ the same (unknown) key, and each quadruple has the input x-or x x = x of the full differential trail.) (Chosen-plaintext attack.) For each of the 2 M possibilities for the subkey bits in question, the following is done: The collection is run through; from y and y and the suggested subkey bits, u Nr and (u Nr ) are reconstructed, and the percentage with the correct sum (u Nr ) is computed. If the collection is sufficiently large (inversely proportional to propagation ratio ε), the M correct subkey bits will stand out.

Cryptography - Session 2

Cryptography - Session 2 Cryptography - Session 2 O. Geil, Aalborg University November 18, 2010 Random variables Discrete random variable X: 1. Probability distribution on finite set X. 2. For x X write Pr(x) = Pr(X = x). X and

More information

Block Cipher Cryptanalysis: An Overview

Block Cipher Cryptanalysis: An Overview 0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution

More information

DD2448 Foundations of Cryptography Lecture 3

DD2448 Foundations of Cryptography Lecture 3 DD2448 Foundations of Cryptography Lecture 3 Douglas Wikström KTH Royal Institute of Technology dog@kth.se February 3, 2016 Linear Cryptanalysis of the SPN Basic Idea Linearize Find an expression of the

More information

Lecture 12: Block ciphers

Lecture 12: Block ciphers Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is

More information

Thesis Research Notes

Thesis Research Notes Thesis Research Notes Week 26-2012 Christopher Wood June 29, 2012 Abstract This week was devoted to reviewing some classical literature on the subject of Boolean functions and their application to cryptography.

More information

Sol: First, calculate the number of integers which are relative prime with = (1 1 7 ) (1 1 3 ) = = 2268

Sol: First, calculate the number of integers which are relative prime with = (1 1 7 ) (1 1 3 ) = = 2268 ò{çd@àt ø 2005.0.3. Suppose the plaintext alphabets include a z, A Z, 0 9, and the space character, therefore, we work on 63 instead of 26 for an affine cipher. How many keys are possible? What if we add

More information

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128 Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com

More information

MasterMath Cryptology /2 - Cryptanalysis

MasterMath Cryptology /2 - Cryptanalysis MasterMath Cryptology 2015 2/2 Cryptanalysis Wednesday, 8 April, 2015 10:38 9. Differential cryptanalysis (v2) 9.1. Differential cryptanalysis In differential analysis we simultaneously consider two encryptions

More information

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 CPSC 418/MATH 318 L01 October 17, 2018 Time: 50 minutes

More information

A Weak Cipher that Generates the Symmetric Group

A Weak Cipher that Generates the Symmetric Group A Weak Cipher that Generates the Symmetric Group Sean Murphy Kenneth Paterson Peter Wild Information Security Group, Royal Holloway and Bedford New College, University of London, Egham, Surrey TW20 0EX,

More information

Algebraic Techniques in Differential Cryptanalysis

Algebraic Techniques in Differential Cryptanalysis Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos

More information

Module 2 Advanced Symmetric Ciphers

Module 2 Advanced Symmetric Ciphers Module 2 Advanced Symmetric Ciphers Dr. Natarajan Meghanathan Professor of Computer Science Jackson State University E-mail: natarajan.meghanathan@jsums.edu Data Encryption Standard (DES) The DES algorithm

More information

Chapter 1 - Linear cryptanalysis.

Chapter 1 - Linear cryptanalysis. Chapter 1 - Linear cryptanalysis. James McLaughlin 1 Introduction. Linear cryptanalysis was first introduced by Mitsuru Matsui in [12]. The cryptanalyst attempts to find a linear equation x 1... x i =

More information

Block Ciphers and Feistel cipher

Block Ciphers and Feistel cipher introduction Lecture (07) Block Ciphers and cipher Dr. Ahmed M. ElShafee Modern block ciphers are widely used to provide encryption of quantities of information, and/or a cryptographic checksum to ensure

More information

Division Property: a New Attack Against Block Ciphers

Division Property: a New Attack Against Block Ciphers Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption

More information

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 08 Shannon s Theory (Contd.)

More information

Akelarre. Akelarre 1

Akelarre. Akelarre 1 Akelarre Akelarre 1 Akelarre Block cipher Combines features of 2 strong ciphers o IDEA mixed mode arithmetic o RC5 keyed rotations Goal is a more efficient strong cipher Proposed in 1996, broken within

More information

MATH3302 Cryptography Problem Set 2

MATH3302 Cryptography Problem Set 2 MATH3302 Cryptography Problem Set 2 These questions are based on the material in Section 4: Shannon s Theory, Section 5: Modern Cryptography, Section 6: The Data Encryption Standard, Section 7: International

More information

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m. Final Exam Math 10: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 0 April 2002 :0 11:00 a.m. Instructions: Please be as neat as possible (use a pencil), and show

More information

GENERALIZED NONLINEARITY OF S-BOXES. Sugata Gangopadhyay

GENERALIZED NONLINEARITY OF S-BOXES. Sugata Gangopadhyay Volume X, No. 0X, 0xx, X XX doi:0.3934/amc.xx.xx.xx GENERALIZED NONLINEARITY OF -BOXE ugata Gangopadhyay Department of Computer cience and Engineering, Indian Institute of Technology Roorkee, Roorkee 47667,

More information

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL

More information

Statistical and Linear Independence of Binary Random Variables

Statistical and Linear Independence of Binary Random Variables Statistical and Linear Independence of Binary Random Variables Kaisa Nyberg Department of Computer Science, Aalto University School of Science, Finland kaisa.nyberg@aalto.fi October 10, 2017 Abstract.

More information

Bernoulli variables. Let X be a random variable such that. 1 with probability p X = 0 with probability q = 1 p

Bernoulli variables. Let X be a random variable such that. 1 with probability p X = 0 with probability q = 1 p Unit 20 February 25, 2011 1 Bernoulli variables Let X be a random variable such that { 1 with probability p X = 0 with probability q = 1 p Such an X is called a Bernoulli random variable Unit 20 February

More information

Towards Provable Security of Substitution-Permutation Encryption Networks

Towards Provable Security of Substitution-Permutation Encryption Networks Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,

More information

Differential Attack on Five Rounds of the SC2000 Block Cipher

Differential Attack on Five Rounds of the SC2000 Block Cipher Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com

More information

Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT

Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT Céline Blondeau, Benoît Gérard SECRET-Project-Team, INRIA, France TOOLS for Cryptanalysis - 23th June 2010 C.Blondeau

More information

Cryptography CS 555. Topic 2: Evolution of Classical Cryptography CS555. Topic 2 1

Cryptography CS 555. Topic 2: Evolution of Classical Cryptography CS555. Topic 2 1 Cryptography CS 555 Topic 2: Evolution of Classical Cryptography Topic 2 1 Lecture Outline Basics of probability Vigenere cipher. Attacks on Vigenere: Kasisky Test and Index of Coincidence Cipher machines:

More information

Linear Cryptanalysis of Reduced-Round Speck

Linear Cryptanalysis of Reduced-Round Speck Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be

More information

Logic and Boolean algebra

Logic and Boolean algebra Computer Mathematics Week 7 Logic and Boolean algebra College of Information Science and Engineering Ritsumeikan University last week coding theory channel coding information theory concept Hamming distance

More information

Block Ciphers. Chester Rebeiro IIT Madras. STINSON : chapters 3

Block Ciphers. Chester Rebeiro IIT Madras. STINSON : chapters 3 Block Ciphers Chester Rebeiro IIT Madras STINSON : chapters 3 Block Cipher K E K D Alice untrusted communication link E #%AR3Xf34^$ message encryption (ciphertext) Attack at Dawn!! D decryption Bob Attack

More information

Classical Cryptography

Classical Cryptography Classical Cryptography CSG 252 Fall 2006 Riccardo Pucella Goals of Cryptography Alice wants to send message X to Bob Oscar is on the wire, listening to communications Alice and Bob share a key K Alice

More information

Lecture Notes. Advanced Discrete Structures COT S

Lecture Notes. Advanced Discrete Structures COT S Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-22 Recap Two methods for attacking the Vigenère cipher Frequency analysis Dot Product Playfair Cipher Classical Cryptosystems - Section

More information

Extended Criterion for Absence of Fixed Points

Extended Criterion for Absence of Fixed Points Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper

More information

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks

More information

Solution to Problem Set 3

Solution to Problem Set 3 YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Handout #11 (rev. 2) Xueyuan Su October 27, 2008 Solution to Problem Set 3 Due on Wednesday, October 22, 2008.

More information

Security of Random Feistel Schemes with 5 or more Rounds

Security of Random Feistel Schemes with 5 or more Rounds Security of Random Feistel Schemes with 5 or more Rounds Jacques Patarin Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract. We study cryptographic attacks on random

More information

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Solutions for week 1, Cryptography Course - TDA 352/DIT 250 Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.

More information

A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix

A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix S. Udaya Kumar V. U. K. Sastry A. Vinaya babu Abstract In this paper, we have developed a block cipher

More information

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen. Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography

More information

On Correlation Between the Order of S-boxes and the Strength of DES

On Correlation Between the Order of S-boxes and the Strength of DES On Correlation Between the Order of S-boxes and the Strength of DES Mitsuru Matsui Computer & Information Systems Laboratory Mitsubishi Electric Corporation 5-1-1, Ofuna, Kamakura, Kanagawa, 247, Japan

More information

Cryptanalysis of the SIMON Family of Block Ciphers

Cryptanalysis of the SIMON Family of Block Ciphers Cryptanalysis of the SIMON Family of Block Ciphers Hoda A. Alkhzaimi and Martin M. Lauridsen DTU Compute Section for Cryptology Department of Applied Mathematics and Computer Science Matematiktorvet, building

More information

X = X X n, + X 2

X = X X n, + X 2 CS 70 Discrete Mathematics for CS Fall 2003 Wagner Lecture 22 Variance Question: At each time step, I flip a fair coin. If it comes up Heads, I walk one step to the right; if it comes up Tails, I walk

More information

Written examination. Tuesday, August 18, 2015, 08:30 a.m.

Written examination. Tuesday, August 18, 2015, 08:30 a.m. Advanced Methods of Cryptography Univ.-Prof. Dr. rer. nat. Rudolf Mathar 1 2 3 4 19 20 11 20 70 Written examination Tuesday, August 18, 2015, 08:30 a.m. Name: Matr.-No.: Field of study: Please pay attention

More information

Differential-Linear Cryptanalysis of Serpent

Differential-Linear Cryptanalysis of Serpent Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,

More information

Linear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015

Linear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015 Kaisa Nyberg Department of Computer Science Aalto University School of Science s 2 r t S3, Sackville, August 11, 2015 Outline Linear characteristics and correlations Matsui s algorithms Traditional statistical

More information

New Combined Attacks on Block Ciphers

New Combined Attacks on Block Ciphers New Combined Attacks on Block Ciphers Eli Biham 1, Orr Dunkelman 1,, and Nathan Keller 2 1 Computer Science Department, Technion, Haifa 32000, Israel {biham, orrd}@cs.technion.ac.il 2 Einstein Institute

More information

Linear Cryptanalysis

Linear Cryptanalysis Linear Cryptanalysis Linear cryptanalysis is a powerful method of cryptanalysis introduced by Matsui in 1993 [11]. It is a known plaintext attack in which the attacker studies the linear approximations

More information

Symmetric key cryptography over non-binary algebraic structures

Symmetric key cryptography over non-binary algebraic structures Symmetric key cryptography over non-binary algebraic structures Kameryn J Williams Boise State University 26 June 2012 AAAS Pacific Conference 24-27 June 2012 Acknowledgments These results are due to collaboration

More information

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract

More information

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

REU 2015: Complexity Across Disciplines. Introduction to Cryptography REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i

More information

Differential Fault Analysis on DES Middle Rounds

Differential Fault Analysis on DES Middle Rounds Differential Fault Analysis on DES Middle Rounds Matthieu Rivain Speaker: Christophe Giraud Oberthur Technologies Agenda 1 Introduction Data Encryption Standard DFA on DES Last & Middle Rounds 2 Our Attack

More information

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang

More information

CONVERGENCE OF CYCLIC RANDOM WALKS WITH AN APPLICATION TO CRYPTANALYSIS

CONVERGENCE OF CYCLIC RANDOM WALKS WITH AN APPLICATION TO CRYPTANALYSIS CONVERGENCE OF CYCLIC RANDOM WALKS WITH AN APPLICATION TO CRYPTANALYSIS CLIFFORD BERGMAN 1 AND SUNDER SETHURAMAN 2 Imagine that you and some friends are playing a version of roulette. The wheel is divided

More information

Ciphertext-only Cryptanalysis of a Substitution Permutation Network

Ciphertext-only Cryptanalysis of a Substitution Permutation Network Ciphertext-only Cryptanalysis of a Substitution Permutation Network No Author Given No Institute Given Abstract. We present the first ciphertext-only cryptanalytic attack against a substitution permutation

More information

ECS 189A Final Cryptography Spring 2011

ECS 189A Final Cryptography Spring 2011 ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I

More information

Chosen Plaintext Attacks (CPA)

Chosen Plaintext Attacks (CPA) Chosen Plaintext Attacks (CPA) Goals New Attacks! Chosen Plaintext Attacks (often CPA) is when Eve can choose to see some messages encoded. Formally she has Black Box for ENC k. We will: 1. Define Chosen

More information

A Block Cipher using an Iterative Method involving a Permutation

A Block Cipher using an Iterative Method involving a Permutation Journal of Discrete Mathematical Sciences & Cryptography Vol. 18 (015), No. 3, pp. 75 9 DOI : 10.1080/097059.014.96853 A Block Cipher using an Iterative Method involving a Permutation Lakshmi Bhavani Madhuri

More information

Breaking One.Fivium by AIDA an Algebraic IV Differential Attack

Breaking One.Fivium by AIDA an Algebraic IV Differential Attack Breaking One.Fivium by an Michael Vielhaber, Instituto de Matemáticas, Universidad Austral de Chile Casilla 567, Valdivia, Chile, vielhaber@gmail.com October 28, 2007 Abstract We show, how to break Trivium

More information

How Biased Are Linear Biases

How Biased Are Linear Biases How Biased Are Linear Biases Adnan Baysal and Orhun Kara TÜBİTAK BİLGEM UEKAE Gebze, 41470 Kocaeli Turkey. E-mails: {abaysal,orhun}@uekae.tubitak.gov.tr Abstract In this paper we re-visit the Matsui s

More information

A block cipher enciphers each block with the same key.

A block cipher enciphers each block with the same key. Ciphers are classified as block or stream ciphers. All ciphers split long messages into blocks and encipher each block separately. Block sizes range from one bit to thousands of bits per block. A block

More information

Chapter 2 - Differential cryptanalysis.

Chapter 2 - Differential cryptanalysis. Chapter 2 - Differential cryptanalysis. James McLaughlin 1 Introduction. Differential cryptanalysis, published in 1990 by Biham and Shamir [5, 6], was the first notable cryptanalysis technique to be discovered

More information

Linear and Statistical Independence of Linear Approximations and their Correlations

Linear and Statistical Independence of Linear Approximations and their Correlations Linear and Statistical Independence of Linear Approximations and their Correlations Kaisa Nyberg Aalto University School of Science kaisa.nyberg@aalto.fi Boolean Functions and their Applications Os, Norway,

More information

Introduction to Cryptology. Lecture 2

Introduction to Cryptology. Lecture 2 Introduction to Cryptology Lecture 2 Announcements 2 nd vs. 1 st edition of textbook HW1 due Tuesday 2/9 Readings/quizzes (on Canvas) due Friday 2/12 Agenda Last time Historical ciphers and their cryptanalysis

More information

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers Muxiang Zhang 1 and Agnes Chan 2 1 GTE Laboratories Inc., 40 Sylvan Road LA0MS59, Waltham, MA 02451 mzhang@gte.com 2 College of Computer

More information

Klein s and PTW Attacks on WEP

Klein s and PTW Attacks on WEP TTM4137 Wireless Security Klein s and PTW Attacks on WEP Anton Stolbunov NTNU, Department of Telematics version 1, September 7, 2009 Abstract These notes should help for an in-depth understanding of the

More information

Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA

Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Andrey Bogdanov, Meiqin Wang Technical University of Denmark, Shandong University, China ESC 2013,

More information

Symmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway

Symmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway Symmetric Cryptanalytic Techniques Sean Murphy ショーン マーフィー Royal Holloway Block Ciphers Encrypt blocks of data using a key Iterative process ( rounds ) Modified by Modes of Operation Data Encryption Standard

More information

The Vigenère cipher is a stronger version of the Caesar cipher The encryption key is a word/sentence/random text ( and )

The Vigenère cipher is a stronger version of the Caesar cipher The encryption key is a word/sentence/random text ( and ) A Better Cipher The Vigenère cipher is a stronger version of the Caesar cipher The encryption key is a word/sentence/random text ( and ) To the first letter, add 1 To the second letter, add 14 To the third

More information

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from

More information

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits

More information

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy

More information

Structural Evaluation by Generalized Integral Property

Structural Evaluation by Generalized Integral Property Structural Evaluation by Generalized Integral Property Yosue Todo NTT Secure Platform Laboratories, Toyo, Japan todo.yosue@lab.ntt.co.jp Abstract. In this paper, we show structural cryptanalyses against

More information

Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis

Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis J. Cryptology (1996) 9: 1 19 1996 International Association for Cryptologic Research Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis Howard M. Heys and Stafford E.

More information

Modified Hill Cipher for a Large Block of Plaintext with Interlacing and Iteration

Modified Hill Cipher for a Large Block of Plaintext with Interlacing and Iteration Journal of Computer Science 4 (1): 15-20, 2008 ISSN 1549-3636 2008 Science Publications Modified Hill Cipher for a Large Block of Plaintext with Interlacing and Iteration V.U.K. Sastry and N. Ravi Shankar

More information

The Pseudorandomness of Elastic Block Ciphers

The Pseudorandomness of Elastic Block Ciphers The Pseudorandomness of Elastic Block Ciphers Debra L. Cook and Moti Yung and Angelos Keromytis Department of Computer Science, Columbia University {dcook,moti,angelos}@cs.columbia.edu September 28, 2005

More information

Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)

Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version) Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version) Shengbao Wu 1,2, Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190,

More information

Linear Cryptanalysis Using Multiple Approximations

Linear Cryptanalysis Using Multiple Approximations Linear Cryptanalysis Using Multiple Approximations Burton S. Kaliski Jr. and M.J.B. Robshaw RSA Laboratories 100 Marine Parkway Redwood City, CA 94065, USA Abstract. We present a technique which aids in

More information

Some attacks against block ciphers

Some attacks against block ciphers Some attacks against block ciphers hristina Boura École de printemps en codage et cryptographie May 19, 2016 1 / 59 Last-round attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3

More information

Solution of Exercise Sheet 7

Solution of Exercise Sheet 7 saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,

More information

The Artin-Feistel Symmetric Cipher

The Artin-Feistel Symmetric Cipher The Artin-Feistel Symmetric Cipher May 23, 2012 I. Anshel, D. Goldfeld. Introduction. The Feistel cipher and the Braid Group The main aim of this paper is to introduce a new symmetric cipher, which we

More information

Structural Cryptanalysis of SASAS

Structural Cryptanalysis of SASAS tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which

More information

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3 Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y

More information

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit Block ciphers Block ciphers Myrto Arapinis School o Inormatics University o Edinburgh January 22, 2015 A block cipher with parameters k and l is a pair o deterministic algorithms (E, D) such that Encryption

More information

Benes and Butterfly schemes revisited

Benes and Butterfly schemes revisited Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have

More information

Data and information security: 2. Classical cryptography

Data and information security: 2. Classical cryptography ICS 423: s Data and information security: 2. Classical cryptography UHM ICS 423 Fall 2014 Outline ICS 423: s s and crypto systems ciphers ciphers Breaking ciphers What did we learn? Outline ICS 423: s

More information

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Mohamed Ahmed Abdelraheem, Julia Borghoff, Erik Zenner Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark {M.A.Abdelraheem,J.Borghoff,E.Zenner}@mat.dtu.dk

More information

Improved Analysis of Some Simplified Variants of RC6

Improved Analysis of Some Simplified Variants of RC6 Improved Analysis of Some Simplified Variants of RC6 Scott Contini 1, Ronald L. Rivest 2, M.J.B. Robshaw 1, and Yiqun Lisa Yin 1 1 RSA Laboratories, 2955 Campus Drive San Mateo, CA 94403, USA {scontini,matt,yiqun}@rsa.com

More information

3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis

3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis 3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis TANAKA Hidema, TONOMURA Yuji, and KANEKO Toshinobu A multi rounds elimination method for higher order differential cryptanalysis

More information

Practically Secure against Differential Cryptanalysis for Block Cipher SMS4

Practically Secure against Differential Cryptanalysis for Block Cipher SMS4 Practically Secure against Differential Cryptanalysis for Block Cipher SMS4 Zhang MeiLing 1, Liu YuanHua 1, Liu JingMei 2,3, Min XiangShen 1 1. School of communication and information engineering, Xi an

More information

(Solution to Odd-Numbered Problems) Number of rounds. rounds

(Solution to Odd-Numbered Problems) Number of rounds. rounds CHAPTER 7 AES (Solution to Odd-Numbered Problems) Review Questions. The criteria defined by NIST for selecting AES fall into three areas: security, cost, and implementation. 3. The number of round keys

More information

CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER

CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER 177 CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER 178 12.1 Introduction The study of cryptography of gray level images [110, 112, 118] by using block ciphers has gained considerable

More information

Linear Approximations for 2-round Trivium

Linear Approximations for 2-round Trivium Linear Approximations for 2-round Trivium Meltem Sönmez Turan 1, Orhun Kara 2 1 Institute of Applied Mathematics, Middle East Technical University Ankara, Turkey msonmez@metu.edu.tr 2 TUBITAK-UEKAE, Gebze,

More information

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design: Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design: Secret Key Systems Encrypting a small block of text (say 64 bits) General considerations

More information

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment. CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES A selection of the following questions will be chosen by the lecturer to form the Cryptology Assignment. The Cryptology Assignment is due by 5pm Sunday 1

More information

BISON Instantiating the Whitened Swap-Or-Not Construction November 14th, 2018

BISON Instantiating the Whitened Swap-Or-Not Construction November 14th, 2018 BION Instantiating the Whitened wap-or-not Construction November 14th, 2018 FluxFingers Workgroup ymmetric Cryptography, Ruhr University Bochum Virginie Lallemand, Gregor Leander, Patrick Neumann, and

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 3 January 22, 2013 CPSC 467b, Lecture 3 1/35 Perfect secrecy Caesar cipher Loss of perfection Classical ciphers One-time pad Affine

More information

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian

More information

Stream Ciphers: Cryptanalytic Techniques

Stream Ciphers: Cryptanalytic Techniques Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and Information Technology. Lund University, Sweden ECRYPT Summer school 2007 (Lund University) Stream Ciphers: Cryptanalytic

More information

Symmetric Crypto Systems

Symmetric Crypto Systems T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers

More information