Breaking the FF3 Format Preserving Encryption
1 Breaking the FF3 Format Preserving Encryption. Betül Durak and Serge Vaudenay, ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE. SV 2017, breaking FF3, ESC 17, 1 / 23
2 Outline
1 Format Preserving Encryption
2 Round Function Recovery on 4-Round Feistel Schemes
3 Attack on FF3
3 Part 1: Format Preserving Encryption
4 An Evolution of Encryption
block cipher: the encryption of a 128-bit block is a 128-bit block; in a mode of operation, the encryption of a 128k-bit string is a 128k-bit string
length-preserving encryption mode: the encryption of an l-bit string is an l-bit string
format-preserving encryption: the encryption of a credit card number is a credit card number, the encryption of a phone number is a phone number, the encryption of a zip code is a zip code
5 Why Format Preserving Encryption?
companies use expensive software with databases
they want to encrypt data without rewriting the software
simple approach: assume an easy 1-to-1 mapping from the plaintext domain to $\mathbb{Z}_N^2$
so we need to encrypt on $\mathbb{Z}_N^2$
6 Wanted
deterministic encryption from $\mathbb{Z}_N^2$ to itself
$N^2$ may be really small
could add a tweak for more security
input: plaintext $\in \mathbb{Z}_N^2$ and key + tweak; output: ciphertext $\in \mathbb{Z}_N^2$
the tweak can be controlled by the adversary
7 NIST Standard
NIST SP 800-38G (2016): FF1 and FF3
tweakable Feistel schemes with modular addition
balanced, with two branches
r = 10 rounds for FF1 and r = 8 rounds for FF3
security: with $q = rN/2$ known pt we already have enough information to reconstruct the round functions
trivial codebook attack with $q = N^2$ pt and one tweak
(Patarin 2010) r = 4 secure with $q \ll N$ known pt
(Patarin 2010) r = 5 secure with $q \ll N$ chosen pt
(Patarin 2010) r = 6 secure with $q \ll N$ chosen pt/ct
(Bellare-Hoang-Tessaro 2016) attack with $q > N^2$ (many tweaks)
8 Part 2: Round Function Recovery on 4-Round Feistel Schemes
9 Round Function Recovery
r   mode          time             data      ref
3   known pt      N                N         our 3R attack
4   chosen pt/ct  N^{3/2}          N^{3/2}   Biryukov-Leurent-Perrin
4   known pt      N^4              N^{3/2}   our 4R attack
5   chosen pt/ct  N^{N^{3/4}}      N^2       Biryukov-Leurent-Perrin
5   chosen pt     N^{O(N^{1/2})}   N^{3/2}   our 4R attack extended
6   chosen pt     N^{(r-5)N}       N^{3/2}   our 4R attack extended (general r)
10 3R Attack
[figure: 3-round Feistel scheme with plaintext (x, y), intermediate value $c = x + F_0(y)$, then $t = y + F_1(c)$ and $z = c + F_2(t)$, ciphertext (z, t)]
input: a set S of tuples (x, y, z, t) of size $\theta N$
1: take $S_1 \subseteq S$ with y constant (size $\theta$)
2: fix $F_0(y) = 0$ arbitrarily and make a 2R attack on the $\theta$ tuples (c, y, z, t); collect $\theta$ equations $F_2(t) = z - c$
3: take $S_2 \subseteq S$ with t in $S_1$ (size $\theta^2$)
4: using what is known about $F_2$, make a 2R attack on the $\theta^2$ tuples (x, y, c, t); collect $\theta^2$ equations $F_0(y) = c - x$
5: take $S_3 \subseteq S$ with y in $S_2$ (size $\theta^3$)
6: using what is known about $F_0$, make a 2R attack on the $\theta^3$ tuples (c, y, z, t); collect $\theta^3$ equations $F_2(t) = z - c$
7: play yoyo until nothing new
output: (partial) tables for $F_0, F_1, F_2$
S defines a random bipartite graph between the N values of y and the N values of t; the algorithm explores the connected component of an arbitrary y: the graph is fully connected if $\theta = \ln N$, and has a giant component if $\theta = 1$
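The 3R attack above, worked in code. This is an added Python example, not the authors' implementation: N = 64, the choice $\theta = \ln N$, the random seed and the name of every function are choices made here. The round convention is the one on the slide ($c = x + F_0(y)$, $t = y + F_1(c)$, $z = c + F_2(t)$, all mod N), the attacker sees only $\theta N$ random known plaintext/ciphertext tuples, and the secret tables are used afterwards only to check the answer.

```python
"""3R attack: recover the round functions of a 3-round Feistel scheme over
Z_N x Z_N from theta*N known plaintexts (added example, not the authors' code).

Conventions follow the slides: plaintext (x, y), c = x + F0(y), t = y + F1(c),
z = c + F2(t), ciphertext (z, t), all mod N. The known tuples (x, y, z, t)
define a bipartite graph between y-values and t-values; fixing F0(y0) = 0 for
one y0 and walking that graph (the "yoyo") recovers F0 and F2 on its connected
component and F1 on every c value met along the way.
"""
import math
import random

N = 64  # branch size: N**2 = 4096 plaintexts, "really small" as in the slides


def feistel3(F, x, y):
    """3-round Feistel with round tables F = (F0, F1, F2); lists or dicts."""
    c = (x + F[0][y]) % N
    t = (y + F[1][c]) % N
    z = (c + F[2][t]) % N
    return z, t


def recover_3r(samples, y0):
    """Return partial tables (F0, F1, F2) as dicts, with F0(y0) fixed to 0.

    Step 2 of the slide: for every tuple whose y has a known F0, c = x + F0(y)
    gives F2(t) = z - c and F1(c) = t - y.  Step 4: for every tuple whose t
    has a known F2, c = z - F2(t) gives F0(y) = c - x and F1(c) = t - y.
    Steps 5-7 alternate the two until nothing new is learned.
    """
    by_y, by_t = {}, {}
    for s in samples:
        by_y.setdefault(s[1], []).append(s)
        by_t.setdefault(s[3], []).append(s)
    F0, F1, F2 = {y0: 0}, {}, {}
    new_y, new_t = [y0], []
    while new_y or new_t:
        for y in new_y:                      # 2R attack on tuples (c, y, z, t)
            for x, _, z, t in by_y.get(y, []):
                c = (x + F0[y]) % N
                F1[c] = (t - y) % N
                if t not in F2:
                    F2[t] = (z - c) % N
                    new_t.append(t)
        new_y = []
        for t in new_t:                      # 2R attack on tuples (x, y, c, t)
            for x, y, z, _ in by_t.get(t, []):
                c = (z - F2[t]) % N
                F1[c] = (t - y) % N
                if y not in F0:
                    F0[y] = (c - x) % N
                    new_y.append(y)
        new_t = []
    return F0, F1, F2


def demo(seed=1, theta=math.log(N)):
    """Run the attack against a random secret scheme with theta*N known pt."""
    rng = random.Random(seed)
    F = [[rng.randrange(N) for _ in range(N)] for _ in range(3)]  # secret tables
    q = int(theta * N)
    samples = []
    for p in rng.sample(range(N * N), q):    # q distinct random plaintexts
        x, y = divmod(p, N)
        samples.append((x, y) + feistel3(F, x, y))
    y0 = samples[0][1]
    R = recover_3r(samples, y0)
    # Fixing F0(y0) = 0 instead of its true value delta is harmless: the
    # recovered tables are F0 - delta, F1(. + delta), F2 + delta, which encrypt
    # exactly like the secret ones.  Check this against the secret tables.
    delta = F[0][y0]
    equivalent = (all((R[0][y] + delta) % N == F[0][y] for y in R[0])
                  and all(R[1][c] == F[1][(c + delta) % N] for c in R[1])
                  and all((R[2][t] - delta) % N == F[2][t] for t in R[2]))
    covered = [s for s in samples if s[1] in R[0]]
    reproduces = all(feistel3(R, s[0], s[1]) == s[2:] for s in covered)
    return {"y_recovered": len(R[0]), "t_recovered": len(R[2]),
            "equivalent": equivalent, "reproduces": reproduces,
            "covered": len(covered), "samples": q}
```

`demo()` reports how many y and t values were reached from $y_0$ (with $\theta = \ln N$ that is most of them; pass `theta=1.0` to see only a giant component), checks that the recovered tables are the secret ones up to the free constant $F_0(y_0)$, and that they re-encrypt every known tuple whose y was reached.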
11 4R Attack i
$V = \{(xyzt, x'y'z't') : z = z',\ t - y = t' - y',\ xy \ne x'y'\}$
$V_{good} = \{(xyzt, x'y'z't') : z = z',\ c = c',\ xy \ne x'y'\}$
[figure: two 4-round Feistel evaluations side by side, on (x, y) and (x', y'), with intermediates $c = x + F_0(y)$, $d = y + F_1(c)$, $z = c + F_2(d)$, $t = d + F_3(z)$ and likewise $c', d', z', t'$]
Property: if $(xyzt, x'y'z't') \in V_{good}$, then $x - x' = F_0(y') - F_0(y)$ (since $c = c'$ gives $x = c - F_0(y)$ and $x' = c - F_0(y')$)
define $\mathrm{label}(xyzt, x'y'z't') = x - x'$
12 4R Attack ii
define a graph $G = (V, E)$ with $E = \{(x_1y_1z_1t_1x_1'y_1'z_1't_1',\ x_2y_2z_2t_2x_2'y_2'z_2't_2') : y_1' = y_2\}$
[figure: two vertices chained through $y_2 = y_1'$; within each vertex $z_1 = z_1'$, $y_1' = y_1 + \delta_1$, $t_1' = t_1 + \delta_1$, and $z_2 = z_2'$, $y_2' = y_2 + \delta_2$, $t_2' = t_2 + \delta_2$]
Property: if $v_1 v_2 \cdots v_L$ is a cycle with all $v_i \in V_{good}$, then $\sum_{i=1}^{L} \mathrm{label}(v_i) = 0$ (the differences $F_0(y_i') - F_0(y_i)$ telescope around the cycle)
13 4R Attack iii
Lemma: $E\left(\frac{\#V_{good}}{\#V}\right) = \frac{1 - \frac{1}{N}}{2 - \frac{1}{N}} \approx \frac{1}{2}$
Lemma: $\Pr[v_1, v_2 \in V_{good} \mid v_1 v_2 \text{ non-trivial cycle},\ \sum_{i=1}^{2} \mathrm{label}(v_i) = 0]$ is close to 1 (the slide's exact expression is garbled in the transcript)
(trivial cycle: $v_1$ and $v_2$ are permutations of each other)
Conjecture: $\Pr[v_1, \ldots, v_L \in V_{good} \mid v_1 \cdots v_L \text{ acceptable cycle},\ \sum_{i=1}^{L} \mathrm{label}(v_i) = 0] \approx 1$
(acceptable: with 2L non-repeating plaintexts)
14 4R Attack iv
input: M tuples (x, y, z, t)
1: create $G = (V, E)$
2: collect non-trivial cycles of length L with zero label sum
3: deduce about $M^{2L}/N^{3L}$ relations $\mathrm{label}(v_i) = F_0(y') - F_0(y)$
4: create the graph $G'$ of all y values connected by these relations
5: find a big connected component C in $G'$ {works when there are about N relations, i.e. $M \approx N^{3/2}(N/2)^{1/(2L)}$}
6: assign $F_0(y)$ arbitrarily for one $y \in C$, deduce $F_0$ on C
7: we now have $(M/N) \cdot \#C$ tuples with known $F_0(y)$
8: do a 3R attack on all tuples with known $F_0(y)$ {works since $(M/N) \cdot \#C > N$}
9: do a yoyo game on 4 rounds with the results from the 3R attack
output: (partial) tables for $F_0, \ldots, F_3$
15 Results
results with L = 3 (and $M \approx N^{3/2}(N/2)^{1/(2L)}$)
table columns: N, M, #trials, Pr[success] (Pr[$S_2$]); only the Pr[$S_2$] column is legible in the transcript, row by row: 88.69%, 78.62%, 73.27%, 71.79%, 77.14%, 83.83%, 89.38%, 92.45%
$S_2$: no bad vertices have been collected
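The objects of slides 11 to 14 built on an actual 4-round Feistel instance, as an added Python example (not the authors' code): the vertex set V, the good vertices, the label, the good/bad ratio of the first lemma, and the zero-label-sum 3-cycles from which step 3 of the algorithm reads off relations $F_0(y') - F_0(y)$. N = 32, L = 3, M from the formula on the results slide, the seed and all function names are choices made here; the component search over y values, the 3R stage and the final yoyo (steps 4 to 9) are not included. The secret intermediate value c is exposed by the toy cipher only so that the demo can classify vertices and grade the deduced relations.

```python
"""Vertices, labels and zero-label-sum cycles of the 4R attack (added example,
not the authors' code).  Conventions as on the slides: plaintext (x, y),
c = x + F0(y), d = y + F1(c), z = c + F2(d), t = d + F3(z), ciphertext (z, t),
all mod N.  The attack itself only uses (x, y, z, t); c is returned by
feistel4 purely for checking.
"""
import random

N = 32
L = 3   # cycle length, as in the slides' experiments


def feistel4(F, x, y):
    c = (x + F[0][y]) % N
    d = (y + F[1][c]) % N
    z = (c + F[2][d]) % N
    t = (d + F[3][z]) % N
    return z, t, c


def build_vertices(samples):
    """V: ordered pairs (i, j) of distinct tuples with z = z' and t - y = t' - y'."""
    groups = {}
    for i, (x, y, z, t) in enumerate(samples):
        groups.setdefault((z, (t - y) % N), []).append(i)
    return [(i, j) for g in groups.values() for i in g for j in g if i != j]


def find_zero_sum_3cycles(V, samples, label):
    """Cycles v1 v2 v3 of G = (V, E), E = {(v, w): y'_v = y_w}, using 2L = 6
    distinct plaintexts ("acceptable", hence non-trivial) and whose labels sum
    to 0 mod N.  Each cycle is returned once, as a frozenset of its vertices."""
    y = lambda i: samples[i][1]
    by_first_y = {}
    for v in V:
        by_first_y.setdefault(y(v[0]), []).append(v)
    found = set()
    for v1 in V:
        for v2 in by_first_y.get(y(v1[1]), []):
            for v3 in by_first_y.get(y(v2[1]), []):
                if y(v3[1]) != y(v1[0]) or len({*v1, *v2, *v3}) != 2 * L:
                    continue
                if (label(v1) + label(v2) + label(v3)) % N == 0:
                    found.add(frozenset((v1, v2, v3)))
    return found


def demo(seed=7):
    rng = random.Random(seed)
    F = [[rng.randrange(N) for _ in range(N)] for _ in range(4)]   # secret
    M = int(N ** 1.5 * (N / 2) ** (1 / (2 * L)))   # slide 15: M ~ N^{3/2} (N/2)^{1/(2L)}
    samples, secret_c = [], []
    for p in rng.sample(range(N * N), M):          # M distinct known plaintexts
        x, y = divmod(p, N)
        z, t, c = feistel4(F, x, y)
        samples.append((x, y, z, t))
        secret_c.append(c)
    V = build_vertices(samples)
    label = lambda v: (samples[v[0]][0] - samples[v[1]][0]) % N      # x - x'
    good = lambda v: secret_c[v[0]] == secret_c[v[1]]                 # c = c'
    # the relation a vertex is claimed to reveal: F0(y') - F0(y) = label(v)
    true_rel = lambda v: label(v) == (F[0][samples[v[1]][1]] - F[0][samples[v[0]][1]]) % N
    cycles = find_zero_sum_3cycles(V, samples, label)
    all_good = [cyc for cyc in cycles if all(map(good, cyc))]
    return {
        "vertices": len(V),
        "good_fraction": sum(map(good, V)) / max(len(V), 1),   # lemma: about 1/2
        "property_holds_on_good": all(true_rel(v) for v in V if good(v)),
        "cycles": len(cycles),
        "all_good_cycles": len(all_good),
        "relations_from_all_good_correct": all(true_rel(v) for cyc in all_good for v in cyc),
        "correct_relations": sum(true_rel(v) for cyc in cycles for v in cyc),
        "relations": L * len(cycles),
    }
```

`demo()` reports the fraction of good vertices (close to 1/2, as the lemma predicts), confirms the label property on every good vertex and that every all-good cycle yields only correct relations, and counts how many of the relations read off all zero-sum cycles are correct; the wrong ones come from cycles through a bad vertex, which the conjecture says are rare.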
16 Part 3: Attack on FF3
17 FF3 (BPS by Brier-Peyrin-Stern)
[figure: 8-round Feistel scheme from $(L_0, R_0)$ to $(L_8, R_8)$; round i is keyed by a tweak half XORed with the round counter, $T_R$ for even i and $T_L$ for odd i: $T_R \oplus 0$, $T_L \oplus 1$, $T_R \oplus 2$, $T_L \oplus 3$, $T_R \oplus 4$, $T_L \oplus 5$, $T_R \oplus 6$, $T_L \oplus 7$]
18 XORing 4 to $T_L$ and $T_R$
[figure: left, $\mathrm{Enc}_T$: rounds 0 to 3 use $T_R \oplus 0, T_L \oplus 1, T_R \oplus 2, T_L \oplus 3$ (these four rounds are G) and rounds 4 to 7 use $T_R \oplus 4, T_L \oplus 5, T_R \oplus 6, T_L \oplus 7$ (these are H); right, $\mathrm{Enc}_{T \oplus (4,4)}$: since $(T \oplus 4) \oplus i = T \oplus (i \oplus 4)$, rounds 0 to 3 now use $T_R \oplus 4, T_L \oplus 5, T_R \oplus 6, T_L \oplus 7$ (H) and rounds 4 to 7 use $T_R \oplus 0, T_L \oplus 1, T_R \oplus 2, T_L \oplus 3$ (G)]
19 Consequence
given a tweak T, for any key: $\mathrm{Enc}_T = H \circ G$ and $\mathrm{Enc}_{T \oplus (4,4)} = G \circ H$, where both G and H are 4-round Feistel schemes defined by T
if we collect chains x and x' such that $x_{i+1} = \mathrm{Enc}_T(x_i)$ and $x'_{i+1} = \mathrm{Enc}_{T \oplus (4,4)}(x'_i)$, and if we guess that $G(x_i) = x'_j$, then $G(x_{i+k}) = x'_{j+k}$ for all k (because $x_{i+1} = H(G(x_i)) = H(x'_j)$, so $G(x_{i+1}) = G(H(x'_j)) = x'_{j+1}$, and so on), so all $(x_{i+k}, x'_{j+k})$ are pt/ct pairs for G
20 Chosen Plaintext Attack on BPS
[figure: $N^\alpha$ chains $x_{i0} \to x_{i1} \to x_{i2} \to \cdots \to x_{iB}$ under $\mathrm{Enc}_T = H \circ G$ and $N^\alpha$ chains $x'_{i0} \to x'_{i1} \to \cdots \to x'_{iB}$ under $\mathrm{Enc}_{T'} = G \circ H$; a guess $G(x_{ij}) = x'_{i'0}$ aligns the two chains, G mapping $x_{ij}, x_{i(j+1)}, x_{i(j+2)}, x_{i(j+3)}, \ldots$ onto $x'_{i'0}, x'_{i'1}, x'_{i'2}, \ldots$ and H mapping them back]
21 Chosen Plaintext Attack on BPS
input: T
1: $T' = T \oplus (4,4)$
2: for i = 1 to $N^\alpha$ do
3:   pick $x_{i0}$ and set $x_{ij} = \mathrm{Enc}_T(x_{i(j-1)})$ for $j = 1, \ldots, N^\beta$
4:   pick $x'_{i0}$ and set $x'_{ij} = \mathrm{Enc}_{T'}(x'_{i(j-1)})$ for $j = 1, \ldots, N^\beta$
5: end for
6: for $i, i' = 1, \ldots, N^\alpha$ do
7:   for j = 0 to $N^\beta - M - 1$ do
8:     assume $G(x_{ij}) = x'_{i'0}$:
9:     run the 4R attack on G with $G(x_{i(j+k)}) = x'_{i'k}$ for $k = 0, \ldots, N^\beta - j$
10:    if successful, do the same with H and conclude
11:  end for
12:  for j = 0 to $N^\beta - M - 1$ do
13:    assume $G(x_{i0}) = x'_{i'j}$:
14:    ...(same)...
15:  end for
16: end for
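The tweak trick of slides 18, 19 and 21 on a runnable model, as an added Python example (not the authors' code and not an implementation of the standard). The model keeps exactly what the argument relies on: an 8-round balanced Feistel over $\mathbb{Z}_N^2$ whose round i is keyed by the tweak half $T_R$ (even i) or $T_L$ (odd i) XORed with the round counter, as in FF3. The AES-based round function of FF3 is replaced by HMAC-SHA256 reduced mod N, a stand-in chosen here, and N = 100, the key, the tweak and all function names are constructed for the example. It checks that $\mathrm{Enc}_T = H \circ G$ turns into $\mathrm{Enc}_{T \oplus (4,4)} = G \circ H$, and that a correct guess $G(x_0) = x'_0$ turns two chains into a full list of pt/ct pairs for the 4-round scheme G, while a wrong guess yields none.

```python
"""FF3-style tweak schedule and the T xor (4,4) trick (added example, not the
authors' code).  Round i is keyed only by (tweak half) xor i, as in FF3; the
round function itself is an HMAC stand-in, not FF3's AES-based one.
"""
import hashlib
import hmac

N = 100      # two decimal digits per branch: the domain is Z_100 x Z_100
KEY = b"constructed demo key, not a real one"
TWEAK = (0x12345678, 0x9ABCDEF0)      # (T_L, T_R), constructed


def round_function(key, w, i, v):
    """Round function of round i under tweak half w: only w xor i matters."""
    msg = (w ^ i).to_bytes(4, "big") + v.to_bytes(2, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big") % N


def rounds(key, tweak, first, last, x, y):
    """Apply rounds first, ..., last-1 of the FF3-style Feistel to (x, y)."""
    t_l, t_r = tweak
    for i in range(first, last):
        w = t_r if i % 2 == 0 else t_l      # T_R for even rounds, T_L for odd
        x, y = y, (x + round_function(key, w, i, y)) % N
    return x, y


def enc(key, tweak, pt):
    return rounds(key, tweak, 0, 8, *pt)


def G(key, tweak, pt):            # rounds 0-3 of Enc_T
    return rounds(key, tweak, 0, 4, *pt)


def H(key, tweak, pt):            # rounds 4-7 of Enc_T
    return rounds(key, tweak, 4, 8, *pt)


def flip(tweak):
    """T xor (4, 4): XORing 4 into both halves turns round i into round i xor 4,
    so rounds 0-3 of Enc_{T'} are H and rounds 4-7 are G."""
    return (tweak[0] ^ 4, tweak[1] ^ 4)


def swap_property(key, tweak, pt):
    """Enc_T = H o G and Enc_{T xor (4,4)} = G o H (slide 19)."""
    return (enc(key, tweak, pt) == H(key, tweak, G(key, tweak, pt))
            and enc(key, flip(tweak), pt) == G(key, tweak, H(key, tweak, pt)))


def chain(key, tweak, pt, length):
    """x_0 = pt, x_{i+1} = Enc_T(x_i)."""
    xs = [pt]
    for _ in range(length):
        xs.append(enc(key, tweak, xs[-1]))
    return xs


def aligned_pairs(key, tweak, x0, guess, length):
    """Under the guess G(x_0) = x'_0, the chain of x_0 under T and the chain of
    the guess under T xor (4,4) give candidate pt/ct pairs (x_k, x'_k) for G.
    Returns how many of them really are pairs of G: all length+1 of them for a
    right guess, none for a wrong one (G o H is a permutation, so the chains
    never meet once they differ at k = 0)."""
    xs = chain(key, tweak, x0, length)
    xps = chain(key, flip(tweak), guess, length)
    return sum(G(key, tweak, xs[k]) == xps[k] for k in range(length + 1))
```

With the right guess, `aligned_pairs(KEY, TWEAK, (12, 34), G(KEY, TWEAK, (12, 34)), 50)` returns 51 known pt/ct pairs for the 4-round scheme G, which is what the 4R attack of step 9 consumes; a wrong guess returns 0, which is how the loop over j on the slide rejects it. Outside the slides: NIST's 2019 revision (SP 800-38G Rev. 1, FF3-1) removes this freedom by shortening the tweak to 56 bits and fixing to zero the low bits of each half that get XORed with the round counter.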
22 Results
results with L = 3 (and $M \approx N^{3/2}(N/2)^{1/(2L)}$)
table columns: N, M, $N^\alpha$, $N^\beta$, #run, Pr[success]; the nine rows of figures are not legible in the transcript
23 Conclusion
Feistel schemes over small domains are not well understood yet
bad domain separation in FF3 (easy to fix)