Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis
|
|
- Allan Hancock
- 6 years ago
- Views:
Transcription
1 Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis Cryptology, lecture 3 Stinson, Section Tuesday, February 12th, 2008
2 1 Composition Product 2 Substitution-Permutation Networks Feistel Networks Exclusive Or 3 The Bias of a Random Variable Linear Approximation Linear Attack 4 Differential Approximation Differential Attack
3 1 Composition Product 2 Substitution-Permutation Networks Feistel Networks Exclusive Or 3 The Bias of a Random Variable Linear Approximation Linear Attack 4 Differential Approximation Differential Attack
4 1 Composition Product 2 Substitution-Permutation Networks Feistel Networks Exclusive Or 3 The Bias of a Random Variable Linear Approximation Linear Attack 4 Differential Approximation Differential Attack
5 1 Composition Product 2 Substitution-Permutation Networks Feistel Networks Exclusive Or 3 The Bias of a Random Variable Linear Approximation Linear Attack 4 Differential Approximation Differential Attack
6 Product Given S 1 = (P 1, M, K 1, E 1, D 1, Pr 1 ) S 2 = (M, C 2, K 2, E 2, D 2, Pr 2 ) (Note: C 1 = P 2 = M) We write e(x, K ) also as e K (x). Define S 1 S 2 = (P 1, C 2, K 1 K 2, E, D, Pr) e (K1,K 2 ) = e K1 ; e K2 = e K2 e K1 d (K1,K 2 ) = d K2 ; d K1 = d K1 d K2 Pr[(K 1, K 2 )] = Pr 1 (K 1 ) Pr 2 (K 2 ) Amounting to serial composition x e K1 (x) S 1 S 2 e K2 (e K1 (x)) K 1 K 2
7 Product Given S 1 = (P 1, M, K 1, E 1, D 1, Pr 1 ) S 2 = (M, C 2, K 2, E 2, D 2, Pr 2 ) (Note: C 1 = P 2 = M) We write e(x, K ) also as e K (x). Define S 1 S 2 = (P 1, C 2, K 1 K 2, E, D, Pr) e (K1,K 2 ) = e K1 ; e K2 = e K2 e K1 d (K1,K 2 ) = d K2 ; d K1 = d K1 d K2 Pr[(K 1, K 2 )] = Pr 1 (K 1 ) Pr 2 (K 2 ) Amounting to serial composition x e K1 (x) S 1 S 2 e K2 (e K1 (x)) K 1 K 2
8 Product Properties Multiplication of ciphers is associative, S 1 (S 2 S 3 = (S 1 S 2 ) S 3 ) is not (necessarily) commutative, S 2 S 1 >< S 1 S 2 is endomorphic, if P = C (assume S endomorphic) is idempotent, if S S = S 2 = S Examples The Shift, Substitution, Multiplicative, Affine, Hill, Vigenère (cf. Exercise 2.20) and Permutation Ciphers are all idempotent.
9 Substitution-Permutation Networks Feistel Networks Exclusive Or For a non-idempotent cipher S we might hope for the iterated cipher S }. {{.. S } = S n to be safer than just S by itself. n Proof. If S and T are both idempotent and commute, then S T is also idempotent. (S T) (S T) = S (T S) T = S (S T) T = (S S) (T T) = S T Can you think of a non-idempotent cipher?
10 Substitution-Permutation Networks Feistel Networks Exclusive Or For a non-idempotent cipher S we might hope for the iterated cipher S }. {{.. S } = S n to be safer than just S by itself. n Proof. If S and T are both idempotent and commute, then S T is also idempotent. (S T) (S T) = S (T S) T = S (S T) T = (S S) (T T) = S T Can you think of a non-idempotent cipher?
11 Substitution-Permutation Networks Feistel Networks Exclusive Or For a non-idempotent cipher S we might hope for the iterated cipher S }. {{.. S } = S n to be safer than just S by itself. n Proof. If S and T are both idempotent and commute, then S T is also idempotent. (S T) (S T) = S (T S) T = S (S T) T = (S S) (T T) = S T Can you think of a non-idempotent cipher?
12 Substitution-Permutation Networks Feistel Networks Exclusive Or For a non-idempotent cipher S we might hope for the iterated cipher S }. {{.. S } = S n to be safer than just S by itself. n Proof. If S and T are both idempotent and commute, then S T is also idempotent. (S T) (S T) = S (T S) T = S (S T) T = (S S) (T T) = S T Can you think of a non-idempotent cipher?
13 Substitution-Permutation Networks Feistel Networks Exclusive Or Setting up an Iterated Cipher P = C are the states. The number of rounds Nr N 1. A key schedule K (K 1,..., K Nr ) assigning subkeys K i (or round keys) to a given key K. (Note: superscript-indexing.) A round function g : P K P posessing an inverse g 1, i.e. g 1 (g(w, k), k) = w for each state w and subkey k. Encryption w 0 x w i g(w i 1, K i ) i = 1,..., Nr y w Nr Decryption w Nr y w i 1 g 1 (w i, K i ) i = Nr,..., 1 x w 0
14 Substitution-Permutation Networks Feistel Networks Exclusive Or Setting up a Substitution-Permutation Network For l, m N 1, an lm-bit word x = (x 1,..., x ml ) is split into m l-bit blocks (note the use of base 1 numbering): x = x 1 x m x i = (x (i 1)l+1,..., x il ) An l-bit block is permuted by ( substitution ) π S : {0, 1} l {0, 1} l A complete lm-bit word is permuted by π P : {1,..., lm} {1,..., lm} The key schedule maps K into ({0, 1} lm ) Nr+1
15 Substitution-Permutation Networks Feistel Networks Exclusive Or Employing an SPN The first Nr 1 rounds consist a subkey addition, m substitutions (in parallel) and a permutation. The Nr-th round has subkey addition and substitution only, and finally K Nr+1 is added. Encryption x for r to Nr 1 do u r w r 1 K r for i to m do v i r π S (u i r ) od w r (vπ r P (1),..., v π r P (lm) ) od u Nr w Nr 1 K Nr for i to m do v i Nr π S (u i Nr) od y v Nr K Nr+1 w 0 Decryption Solve Exercise 3.1.
16 Substitution-Permutation Networks Feistel Networks Exclusive Or Example 3.1 All of the Sj i use π S : z π S (z) E 4 D 1 2 F B 8 z 8 9 A B C D E F π S (z) 3 A 6 C z π P (z) z π P (z)
17 Substitution-Permutation Networks Feistel Networks Exclusive Or Example 3.1 K 1 = K 2 = K 3 = K 4 = K 5 = For the homework, please use π P : z π P (z) z π P (z)
18 Substitution-Permutation Networks Feistel Networks Exclusive Or Special case: a Feistel Cipher Suggested 1973 by Horst Feistel for IBM s Lucipher : Each state w i is split into a left and a right half, w i = L i R i. For some f (satisfying no special requirements!) each round encrypts by L i = R i 1 R i = L i 1 f (R i 1, K i ) Decryption Solve Exercise 3.2.
19 Substitution-Permutation Networks Feistel Networks Exclusive Or Binary (Boolean) algebra 0 = False, 1 = True. Inclusive disjunction (either this or that or both, (Lat.:) vel... vel... ) = = Conjunction (this as well as that, (Lat.:)... et... ) = = & = Exclusive disjunction (either this or that, but not both, (Lat.:) aut... aut... ) = non-equivalence ( ) = sum modulo 2 = Facts a (b c) = (a b) c b a = a b a 0 = 0 a = a a a = 0 a (b c) = (a b) (a c) a a = 1 a 1 = 1 a = a a = b c a b c = 0 a b = (a b) ( a b) = (a b) ( a b)
20 The Bias of a Random Variable Linear Approximation Linear Attack Binary Random Variable A binary random variable X assumes two values only, which we shall denote 0 and 1. It thus only distinguishes two probabilities, Pr[X = 0] = p and Pr[X = 1] = 1 p. Bias The bias of X is defined to be Bi[X] = p 1 2. X is fair if Bi[X] = 0. Facts Pr[X = 0] = Bi[X] Pr[X = 1] = 1 2 Bi[X] 1 2 Bi[X] 1 2 Bi[X 1] = Bi[X]
21 The Bias of a Random Variable Linear Approximation Linear Attack Lemma (Piling-up Lemma) For k mutually independent random variables X 1,..., X k, Bi[X 1... X k ] = 2 k 1 k i=1 Bi[X i]. Proof. By induction over k; obvious for k = 1. Let Y denote k 1 i=1 X i, and assume validity for k 1: Bi[Y ] = 2 k 2 k 1 i 1 Bi[X i]. Pr[ k i=1 X i = 0] = Pr[Y = 0]Pr[X k = 0] + Pr[Y = 1]Pr[X k = 1] = ( Bi[Y ])( Bi[X k]) + ( 1 2 Bi[Y ])( 1 2 Bi[X k]) = Bi[Y ]Bi[X k], so Bi[ k i=1 X i] = 2 k 1 k i 1 Bi[X i] Corollary X 1... X k is fair if and only if one of the terms X i is fair.
22 The Bias of a Random Variable Linear Approximation Linear Attack Lemma (Piling-up Lemma) For k mutually independent random variables X 1,..., X k, Bi[X 1... X k ] = 2 k 1 k i=1 Bi[X i]. Proof. By induction over k; obvious for k = 1. Let Y denote k 1 i=1 X i, and assume validity for k 1: Bi[Y ] = 2 k 2 k 1 i 1 Bi[X i]. Pr[ k i=1 X i = 0] = Pr[Y = 0]Pr[X k = 0] + Pr[Y = 1]Pr[X k = 1] = ( Bi[Y ])( Bi[X k]) + ( 1 2 Bi[Y ])( 1 2 Bi[X k]) = Bi[Y ]Bi[X k], so Bi[ k i=1 X i] = 2 k 1 k i 1 Bi[X i] Corollary X 1... X k is fair if and only if one of the terms X i is fair.
23 The Bias of a Random Variable Linear Approximation Linear Attack Linear Approximation of an S-box For π S : {0, 1} m {0, 1} n, try to find relations like Y 2 X 1 X 3 X 4 ; equivalently: a biased random variable Z (a1,...,a m),(b 1,...,b n)(x, Y) = ( m i=1 a ix i ) ( n i=1 b iy i ), Y = π S (X). Linear Approximation Table For each a = (a 1,..., a m ), b = (b 1,..., b n ), N L (a, b) is the number of x such that Z a,b (x, y) = 0, y = π S (x). Bi[Z a,b ] = 2 m N L (a, b) 1 2. Solve Exercise 3.12.
24 The Bias of a Random Variable Linear Approximation Linear Attack Linear Attack Assume available a large number of corresponding plaintext-ciphertext pairs for the same unknown key. (Known-plaintext attack.) To find subkey K Nr+1, combine biased variables like X 1 X 3 X 4 Y 2 and X 2 Y 2 Y 4 into a biased sum of plaintext bits, subkey bits and bits from u Nr. In Example 3.1, use T 1 = U5 1 U1 7 U1 8 V 6 1 Bi[T 1 ] = 1 4 T 2 = U6 2 V 6 2 V 8 2 Bi[T 2 ] = 1 4 T 3 = U6 3 V 6 3 V 8 3 Bi[T 3 ] = 1. 4 T 4 = U14 3 V 14 3 V 16 3 Bi[T 4 ] = 1 4
25 The Bias of a Random Variable Linear Approximation Linear Attack Linear Attack Assuming (which is false!) linear independence among T 1, T 2, T 3, T 4, by the piling-up lemma on T = T 1 T 2 T 3 T 4 we obtain Bi[T ] = 2 3 ( 1 4 )( 1 4 )3 = Insertion gives T = X 5 X 7 X 8 U6 4 U4 8 U4 14 U4 16 L where L = K5 1 K 7 1 K 8 1 K 6 2 K6 3 K 14 3 K 6 4 K 8 4 K 14 4 K Since L is constant (0 or 1), we find Bi[X 5 X 7 X 8 U6 4 U4 8 U4 14 U4 16 ] = ± 1 32
26 The Bias of a Random Variable Linear Approximation Linear Attack The final biased random variable only involves bits from the plaintext and from u Nr. These bits ui Nr participate in certain S-box inputs u j Nr, with outputs v Nr j to be x-ored with M subkey bits K Nr+1 j. (In our example: the 8 subkey bits K 2 5 and K 4 5.) Note that tracing the network backwards, u Nr can be obtained from y and K Nr+1. For each of the 2 M subkey bit possibilities, count the number of cases in the test sample of N plaintext-ciphertext pairs where the biased variable is 0. Hopefully, for most of the subkey bit possibilities, this number will be close to N/2, and for sufficiently large N (inversely proportional to the square of the bias), the correct subkey bits stand out.
27 Differential Approximation Differential Attack Definition For an input x-or x = x x and an S-box π S : {0, 1} m {0, 1} n, the output x-or is y = π S (x) π S (x ). Differential Approximation Table Definition (x ) = {(x, x ) x x = x } N D (x, y ) = {(x, x ) (x ) π S (x) π S (x ) = y }. R D (x, y ) = 2 m N D (x, y ) approximates the probability of output x-or y given input x-or x.
28 Differential Approximation Differential Attack Differential Attack Combine large propagation ratios into a differential trail through the network, arranging for the output x-or from each round to be the input x-or of the next round. The full trail leads from a particular input x-or x to a particular state x-or (u Nr ). Assuming (which may not be mathematically valid) independence among the layers of the network, the propagation ratio ε of the full differential trail may be computed by multiplication, and this will also be larger than for a random distribution.
29 Differential Approximation Differential Attack Example 3.1 In S2 1, use R P(1011, 0010) = 1 2. In S3 2, use R P(0100, 0110) = 3 8. In S2 3, use R P(0010, 0101) = 3 8. In S3 3, use R P(0010, 0101) = 3 8. Giving 1 2 ( 3 8 )3 = as propagation ratio for the full differential trail.
30 Differential Approximation Differential Attack Those positions of u Nr where the corresponding position of (u Nr ) is 1, depend on M particular bits of K Nr+1. Assume a large collection of corresponding values (x, x, y, y ) have been obtained. (I.e.: ciphertexts y and y correspond to x and x, respectively, all encodings employ the same (unknown) key, and each quadruple has the input x-or x x = x of the full differential trail.) (Chosen-plaintext attack.) For each of the 2 M possibilities for the subkey bits in question, the following is done: The collection is run through; from y and y and the suggested subkey bits, u Nr and (u Nr ) are reconstructed, and the percentage with the correct sum (u Nr ) is computed. If the collection is sufficiently large (inversely proportional to propagation ratio ε), the M correct subkey bits will stand out.
Cryptography - Session 2
Cryptography - Session 2 O. Geil, Aalborg University November 18, 2010 Random variables Discrete random variable X: 1. Probability distribution on finite set X. 2. For x X write Pr(x) = Pr(X = x). X and
More informationBlock Cipher Cryptanalysis: An Overview
0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution
More informationDD2448 Foundations of Cryptography Lecture 3
DD2448 Foundations of Cryptography Lecture 3 Douglas Wikström KTH Royal Institute of Technology dog@kth.se February 3, 2016 Linear Cryptanalysis of the SPN Basic Idea Linearize Find an expression of the
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationThesis Research Notes
Thesis Research Notes Week 26-2012 Christopher Wood June 29, 2012 Abstract This week was devoted to reviewing some classical literature on the subject of Boolean functions and their application to cryptography.
More informationSol: First, calculate the number of integers which are relative prime with = (1 1 7 ) (1 1 3 ) = = 2268
ò{çd@àt ø 2005.0.3. Suppose the plaintext alphabets include a z, A Z, 0 9, and the space character, therefore, we work on 63 instead of 26 for an affine cipher. How many keys are possible? What if we add
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationMasterMath Cryptology /2 - Cryptanalysis
MasterMath Cryptology 2015 2/2 Cryptanalysis Wednesday, 8 April, 2015 10:38 9. Differential cryptanalysis (v2) 9.1. Differential cryptanalysis In differential analysis we simultaneously consider two encryptions
More informationTHE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018
THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 CPSC 418/MATH 318 L01 October 17, 2018 Time: 50 minutes
More informationA Weak Cipher that Generates the Symmetric Group
A Weak Cipher that Generates the Symmetric Group Sean Murphy Kenneth Paterson Peter Wild Information Security Group, Royal Holloway and Bedford New College, University of London, Egham, Surrey TW20 0EX,
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos
More informationModule 2 Advanced Symmetric Ciphers
Module 2 Advanced Symmetric Ciphers Dr. Natarajan Meghanathan Professor of Computer Science Jackson State University E-mail: natarajan.meghanathan@jsums.edu Data Encryption Standard (DES) The DES algorithm
More informationChapter 1 - Linear cryptanalysis.
Chapter 1 - Linear cryptanalysis. James McLaughlin 1 Introduction. Linear cryptanalysis was first introduced by Mitsuru Matsui in [12]. The cryptanalyst attempts to find a linear equation x 1... x i =
More informationBlock Ciphers and Feistel cipher
introduction Lecture (07) Block Ciphers and cipher Dr. Ahmed M. ElShafee Modern block ciphers are widely used to provide encryption of quantities of information, and/or a cryptographic checksum to ensure
More informationDivision Property: a New Attack Against Block Ciphers
Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 08 Shannon s Theory (Contd.)
More informationAkelarre. Akelarre 1
Akelarre Akelarre 1 Akelarre Block cipher Combines features of 2 strong ciphers o IDEA mixed mode arithmetic o RC5 keyed rotations Goal is a more efficient strong cipher Proposed in 1996, broken within
More informationMATH3302 Cryptography Problem Set 2
MATH3302 Cryptography Problem Set 2 These questions are based on the material in Section 4: Shannon s Theory, Section 5: Modern Cryptography, Section 6: The Data Encryption Standard, Section 7: International
More informationFinal Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.
Final Exam Math 10: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 0 April 2002 :0 11:00 a.m. Instructions: Please be as neat as possible (use a pencil), and show
More informationGENERALIZED NONLINEARITY OF S-BOXES. Sugata Gangopadhyay
Volume X, No. 0X, 0xx, X XX doi:0.3934/amc.xx.xx.xx GENERALIZED NONLINEARITY OF -BOXE ugata Gangopadhyay Department of Computer cience and Engineering, Indian Institute of Technology Roorkee, Roorkee 47667,
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationStatistical and Linear Independence of Binary Random Variables
Statistical and Linear Independence of Binary Random Variables Kaisa Nyberg Department of Computer Science, Aalto University School of Science, Finland kaisa.nyberg@aalto.fi October 10, 2017 Abstract.
More informationBernoulli variables. Let X be a random variable such that. 1 with probability p X = 0 with probability q = 1 p
Unit 20 February 25, 2011 1 Bernoulli variables Let X be a random variable such that { 1 with probability p X = 0 with probability q = 1 p Such an X is called a Bernoulli random variable Unit 20 February
More informationTowards Provable Security of Substitution-Permutation Encryption Networks
Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,
More informationDifferential Attack on Five Rounds of the SC2000 Block Cipher
Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com
More informationLinks Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT
Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT Céline Blondeau, Benoît Gérard SECRET-Project-Team, INRIA, France TOOLS for Cryptanalysis - 23th June 2010 C.Blondeau
More informationCryptography CS 555. Topic 2: Evolution of Classical Cryptography CS555. Topic 2 1
Cryptography CS 555 Topic 2: Evolution of Classical Cryptography Topic 2 1 Lecture Outline Basics of probability Vigenere cipher. Attacks on Vigenere: Kasisky Test and Index of Coincidence Cipher machines:
More informationLinear Cryptanalysis of Reduced-Round Speck
Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be
More informationLogic and Boolean algebra
Computer Mathematics Week 7 Logic and Boolean algebra College of Information Science and Engineering Ritsumeikan University last week coding theory channel coding information theory concept Hamming distance
More informationBlock Ciphers. Chester Rebeiro IIT Madras. STINSON : chapters 3
Block Ciphers Chester Rebeiro IIT Madras STINSON : chapters 3 Block Cipher K E K D Alice untrusted communication link E #%AR3Xf34^$ message encryption (ciphertext) Attack at Dawn!! D decryption Bob Attack
More informationClassical Cryptography
Classical Cryptography CSG 252 Fall 2006 Riccardo Pucella Goals of Cryptography Alice wants to send message X to Bob Oscar is on the wire, listening to communications Alice and Bob share a key K Alice
More informationLecture Notes. Advanced Discrete Structures COT S
Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-22 Recap Two methods for attacking the Vigenère cipher Frequency analysis Dot Product Playfair Cipher Classical Cryptosystems - Section
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More information7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks
More informationSolution to Problem Set 3
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Handout #11 (rev. 2) Xueyuan Su October 27, 2008 Solution to Problem Set 3 Due on Wednesday, October 22, 2008.
More informationSecurity of Random Feistel Schemes with 5 or more Rounds
Security of Random Feistel Schemes with 5 or more Rounds Jacques Patarin Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract. We study cryptographic attacks on random
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More informationA Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix
A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix S. Udaya Kumar V. U. K. Sastry A. Vinaya babu Abstract In this paper, we have developed a block cipher
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More informationOn Correlation Between the Order of S-boxes and the Strength of DES
On Correlation Between the Order of S-boxes and the Strength of DES Mitsuru Matsui Computer & Information Systems Laboratory Mitsubishi Electric Corporation 5-1-1, Ofuna, Kamakura, Kanagawa, 247, Japan
More informationCryptanalysis of the SIMON Family of Block Ciphers
Cryptanalysis of the SIMON Family of Block Ciphers Hoda A. Alkhzaimi and Martin M. Lauridsen DTU Compute Section for Cryptology Department of Applied Mathematics and Computer Science Matematiktorvet, building
More informationX = X X n, + X 2
CS 70 Discrete Mathematics for CS Fall 2003 Wagner Lecture 22 Variance Question: At each time step, I flip a fair coin. If it comes up Heads, I walk one step to the right; if it comes up Tails, I walk
More informationWritten examination. Tuesday, August 18, 2015, 08:30 a.m.
Advanced Methods of Cryptography Univ.-Prof. Dr. rer. nat. Rudolf Mathar 1 2 3 4 19 20 11 20 70 Written examination Tuesday, August 18, 2015, 08:30 a.m. Name: Matr.-No.: Field of study: Please pay attention
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationLinear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015
Kaisa Nyberg Department of Computer Science Aalto University School of Science s 2 r t S3, Sackville, August 11, 2015 Outline Linear characteristics and correlations Matsui s algorithms Traditional statistical
More informationNew Combined Attacks on Block Ciphers
New Combined Attacks on Block Ciphers Eli Biham 1, Orr Dunkelman 1,, and Nathan Keller 2 1 Computer Science Department, Technion, Haifa 32000, Israel {biham, orrd}@cs.technion.ac.il 2 Einstein Institute
More informationLinear Cryptanalysis
Linear Cryptanalysis Linear cryptanalysis is a powerful method of cryptanalysis introduced by Matsui in 1993 [11]. It is a known plaintext attack in which the attacker studies the linear approximations
More informationSymmetric key cryptography over non-binary algebraic structures
Symmetric key cryptography over non-binary algebraic structures Kameryn J Williams Boise State University 26 June 2012 AAAS Pacific Conference 24-27 June 2012 Acknowledgments These results are due to collaboration
More informationAn average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and
An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i
More informationDifferential Fault Analysis on DES Middle Rounds
Differential Fault Analysis on DES Middle Rounds Matthieu Rivain Speaker: Christophe Giraud Oberthur Technologies Agenda 1 Introduction Data Encryption Standard DFA on DES Last & Middle Rounds 2 Our Attack
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang
More informationCONVERGENCE OF CYCLIC RANDOM WALKS WITH AN APPLICATION TO CRYPTANALYSIS
CONVERGENCE OF CYCLIC RANDOM WALKS WITH AN APPLICATION TO CRYPTANALYSIS CLIFFORD BERGMAN 1 AND SUNDER SETHURAMAN 2 Imagine that you and some friends are playing a version of roulette. The wheel is divided
More informationCiphertext-only Cryptanalysis of a Substitution Permutation Network
Ciphertext-only Cryptanalysis of a Substitution Permutation Network No Author Given No Institute Given Abstract. We present the first ciphertext-only cryptanalytic attack against a substitution permutation
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationChosen Plaintext Attacks (CPA)
Chosen Plaintext Attacks (CPA) Goals New Attacks! Chosen Plaintext Attacks (often CPA) is when Eve can choose to see some messages encoded. Formally she has Black Box for ENC k. We will: 1. Define Chosen
More informationA Block Cipher using an Iterative Method involving a Permutation
Journal of Discrete Mathematical Sciences & Cryptography Vol. 18 (015), No. 3, pp. 75 9 DOI : 10.1080/097059.014.96853 A Block Cipher using an Iterative Method involving a Permutation Lakshmi Bhavani Madhuri
More informationBreaking One.Fivium by AIDA an Algebraic IV Differential Attack
Breaking One.Fivium by an Michael Vielhaber, Instituto de Matemáticas, Universidad Austral de Chile Casilla 567, Valdivia, Chile, vielhaber@gmail.com October 28, 2007 Abstract We show, how to break Trivium
More informationHow Biased Are Linear Biases
How Biased Are Linear Biases Adnan Baysal and Orhun Kara TÜBİTAK BİLGEM UEKAE Gebze, 41470 Kocaeli Turkey. E-mails: {abaysal,orhun}@uekae.tubitak.gov.tr Abstract In this paper we re-visit the Matsui s
More informationA block cipher enciphers each block with the same key.
Ciphers are classified as block or stream ciphers. All ciphers split long messages into blocks and encipher each block separately. Block sizes range from one bit to thousands of bits per block. A block
More informationChapter 2 - Differential cryptanalysis.
Chapter 2 - Differential cryptanalysis. James McLaughlin 1 Introduction. Differential cryptanalysis, published in 1990 by Biham and Shamir [5, 6], was the first notable cryptanalysis technique to be discovered
More informationLinear and Statistical Independence of Linear Approximations and their Correlations
Linear and Statistical Independence of Linear Approximations and their Correlations Kaisa Nyberg Aalto University School of Science kaisa.nyberg@aalto.fi Boolean Functions and their Applications Os, Norway,
More informationIntroduction to Cryptology. Lecture 2
Introduction to Cryptology Lecture 2 Announcements 2 nd vs. 1 st edition of textbook HW1 due Tuesday 2/9 Readings/quizzes (on Canvas) due Friday 2/12 Agenda Last time Historical ciphers and their cryptanalysis
More informationMaximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers
Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers Muxiang Zhang 1 and Agnes Chan 2 1 GTE Laboratories Inc., 40 Sylvan Road LA0MS59, Waltham, MA 02451 mzhang@gte.com 2 College of Computer
More informationKlein s and PTW Attacks on WEP
TTM4137 Wireless Security Klein s and PTW Attacks on WEP Anton Stolbunov NTNU, Department of Telematics version 1, September 7, 2009 Abstract These notes should help for an in-depth understanding of the
More informationZero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA
Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Andrey Bogdanov, Meiqin Wang Technical University of Denmark, Shandong University, China ESC 2013,
More informationSymmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway
Symmetric Cryptanalytic Techniques Sean Murphy ショーン マーフィー Royal Holloway Block Ciphers Encrypt blocks of data using a key Iterative process ( rounds ) Modified by Modes of Operation Data Encryption Standard
More informationThe Vigenère cipher is a stronger version of the Caesar cipher The encryption key is a word/sentence/random text ( and )
A Better Cipher The Vigenère cipher is a stronger version of the Caesar cipher The encryption key is a word/sentence/random text ( and ) To the first letter, add 1 To the second letter, add 14 To the third
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationStream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida
Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits
More informationRelated-Key Rectangle Attack on Round-reduced Khudra Block Cipher
Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy
More informationStructural Evaluation by Generalized Integral Property
Structural Evaluation by Generalized Integral Property Yosue Todo NTT Secure Platform Laboratories, Toyo, Japan todo.yosue@lab.ntt.co.jp Abstract. In this paper, we show structural cryptanalyses against
More informationSubstitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis
J. Cryptology (1996) 9: 1 19 1996 International Association for Cryptologic Research Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis Howard M. Heys and Stafford E.
More informationModified Hill Cipher for a Large Block of Plaintext with Interlacing and Iteration
Journal of Computer Science 4 (1): 15-20, 2008 ISSN 1549-3636 2008 Science Publications Modified Hill Cipher for a Large Block of Plaintext with Interlacing and Iteration V.U.K. Sastry and N. Ravi Shankar
More informationThe Pseudorandomness of Elastic Block Ciphers
The Pseudorandomness of Elastic Block Ciphers Debra L. Cook and Moti Yung and Angelos Keromytis Department of Computer Science, Columbia University {dcook,moti,angelos}@cs.columbia.edu September 28, 2005
More informationAutomatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)
Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version) Shengbao Wu 1,2, Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190,
More informationLinear Cryptanalysis Using Multiple Approximations
Linear Cryptanalysis Using Multiple Approximations Burton S. Kaliski Jr. and M.J.B. Robshaw RSA Laboratories 100 Marine Parkway Redwood City, CA 94065, USA Abstract. We present a technique which aids in
More informationSome attacks against block ciphers
Some attacks against block ciphers hristina Boura École de printemps en codage et cryptographie May 19, 2016 1 / 59 Last-round attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationThe Artin-Feistel Symmetric Cipher
The Artin-Feistel Symmetric Cipher May 23, 2012 I. Anshel, D. Goldfeld. Introduction. The Feistel cipher and the Braid Group The main aim of this paper is to introduce a new symmetric cipher, which we
More informationStructural Cryptanalysis of SASAS
tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which
More informationShift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3
Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y
More informationBlock ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit
Block ciphers Block ciphers Myrto Arapinis School o Inormatics University o Edinburgh January 22, 2015 A block cipher with parameters k and l is a pair o deterministic algorithms (E, D) such that Encryption
More informationBenes and Butterfly schemes revisited
Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have
More informationData and information security: 2. Classical cryptography
ICS 423: s Data and information security: 2. Classical cryptography UHM ICS 423 Fall 2014 Outline ICS 423: s s and crypto systems ciphers ciphers Breaking ciphers What did we learn? Outline ICS 423: s
More informationCryptanalysis of the Light-Weight Cipher A2U2 First Draft version
Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Mohamed Ahmed Abdelraheem, Julia Borghoff, Erik Zenner Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark {M.A.Abdelraheem,J.Borghoff,E.Zenner}@mat.dtu.dk
More informationImproved Analysis of Some Simplified Variants of RC6
Improved Analysis of Some Simplified Variants of RC6 Scott Contini 1, Ronald L. Rivest 2, M.J.B. Robshaw 1, and Yiqun Lisa Yin 1 1 RSA Laboratories, 2955 Campus Drive San Mateo, CA 94403, USA {scontini,matt,yiqun}@rsa.com
More information3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis
3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis TANAKA Hidema, TONOMURA Yuji, and KANEKO Toshinobu A multi rounds elimination method for higher order differential cryptanalysis
More informationPractically Secure against Differential Cryptanalysis for Block Cipher SMS4
Practically Secure against Differential Cryptanalysis for Block Cipher SMS4 Zhang MeiLing 1, Liu YuanHua 1, Liu JingMei 2,3, Min XiangShen 1 1. School of communication and information engineering, Xi an
More information(Solution to Odd-Numbered Problems) Number of rounds. rounds
CHAPTER 7 AES (Solution to Odd-Numbered Problems) Review Questions. The criteria defined by NIST for selecting AES fall into three areas: security, cost, and implementation. 3. The number of round keys
More informationCHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER
177 CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER 178 12.1 Introduction The study of cryptography of gray level images [110, 112, 118] by using block ciphers has gained considerable
More informationLinear Approximations for 2-round Trivium
Linear Approximations for 2-round Trivium Meltem Sönmez Turan 1, Orhun Kara 2 1 Institute of Applied Mathematics, Middle East Technical University Ankara, Turkey msonmez@metu.edu.tr 2 TUBITAK-UEKAE, Gebze,
More informationSecret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:
Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design: Secret Key Systems Encrypting a small block of text (say 64 bits) General considerations
More informationCODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.
CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES A selection of the following questions will be chosen by the lecturer to form the Cryptology Assignment. The Cryptology Assignment is due by 5pm Sunday 1
More informationBISON Instantiating the Whitened Swap-Or-Not Construction November 14th, 2018
BION Instantiating the Whitened wap-or-not Construction November 14th, 2018 FluxFingers Workgroup ymmetric Cryptography, Ruhr University Bochum Virginie Lallemand, Gregor Leander, Patrick Neumann, and
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 3 January 22, 2013 CPSC 467b, Lecture 3 1/35 Perfect secrecy Caesar cipher Loss of perfection Classical ciphers One-time pad Affine
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationStream Ciphers: Cryptanalytic Techniques
Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and Information Technology. Lund University, Sweden ECRYPT Summer school 2007 (Lund University) Stream Ciphers: Cryptanalytic
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers
More information