Klein's and PTW Attacks on WEP


TTM4137 Wireless Security

Anton Stolbunov
NTNU, Department of Telematics
version 1, September 7, 2009

Abstract. These notes should help for an in-depth understanding of the paper [1] by Klein and the paper [2] by Tews, Weinmann and Pyshkin.

1 Notation

$n$: 256;
$S$: array containing the numbers $\{0, \ldots, n-1\}$ in some order. Each number is present only once. $S$ is also called a permutation;
$S_i$: RC4 internal permutation $S$ after the $i$-th RC4 round. $1 \le i \le n$ corresponds to the key setup algorithm, while $i > n$ is the key stream generation algorithm;
$j_i$: RC4 internal variable $j$ after the $i$-th RC4 round;
$K$: RC4 key;
$l$: length of $K$ in bytes. Equals 16 for the 104-bit Wired Equivalent Privacy (WEP);
$X$: RC4 key stream;
$Rk$: WEP root key. 13 bytes for the 104-bit WEP;
$IV$: WEP per-packet initialization vector. 3 bytes;
$\leftarrow$: assignment;
$\leftrightarrow$: swap;
$\oplus$: bitwise XOR;
$\forall$: for all;
iff: if and only if;
$\|$: concatenation.

Indexing in arrays starts from 0, i.e. the first element of $S$ is $S[0]$. All formulas are implicitly written modulo $n$, except for the values of probabilities. In Sections 4 and 5 we present attacks on the 104-bit WEP, i.e. $l = 16$.

2 RC4 Stream Cipher

Figure 1: RC4 stream cipher (the key $K$ enters RC4, which outputs the key stream $X$; the ciphertext is the message XORed with $X$).

Fig. 1 and Algorithms 1 and 2 illustrate the RC4 encryption.

Algorithm 1 RC4 key setup
1: $S \leftarrow (0, 1, \ldots, 255)$
2: $j \leftarrow 0$
3: for $i \leftarrow 0$ to $255$ do
4:   $j \leftarrow j + S[i] + K[i \bmod l]$
5:   $S[i] \leftrightarrow S[j]$
6: end for
7: $i \leftarrow 0$
8: $j \leftarrow 0$

Algorithm 2 RC4 key stream generation
1: $i \leftarrow i + 1$
2: $j \leftarrow j + S[i]$
3: $S[i] \leftrightarrow S[j]$
4: return $S[S[i] + S[j]]$

3 Klein's Correlation in RC4

Throughout this section $i$ is a positive integer less than $n$.

3.1 Klein's Theorem

We present a simplified version of [1, Theorem 1]. The theorem is relevant not only to RC4, as it applies to permutations in general.

Theorem 1. Let $S$ be a random permutation¹ of the numbers $\{0, \ldots, n-1\}$. Then for all integers $i, x, c \in \{0, \ldots, n-1\}$ the following holds:

$\Pr\big(S[S[i] + x] + x = i\big) = \dfrac{2}{n},$ (1)

$\Pr\big(S[S[i] + x] + x = c\big) = \dfrac{n-2}{n(n-1)},\quad \text{where } c \ne i.$ (2)

¹ $S$ is random means that it is picked from the $n!$ possible permutations such that the probability of picking each one is $1/n!$.

Proof. To show (1) we count the total number of different permutations $S$ that satisfy the condition under the $\Pr$ sign. Consider the following two disjoint cases.

Case 1: $S[i] = i - x$. (3)

It follows that $i = S[i] + x$ and, substituting the index $i$ in (3), we get $S[S[i] + x] = i - x$. This is equivalent to the condition in (1), so we are left with only one condition. (3) puts a restriction on one element $S[i]$. The remaining $n-1$ elements can take any of the remaining $n-1$ values. Thus the total number of permutations satisfying (3) is $(n-1)!$.

Case 2: $S[i] \ne i - x$. (4)

We now have two conditions that must be met simultaneously. Condition (1) leaves only one possibility for the element $S[S[i] + x]$, leaving the remaining elements unrestricted. Because of (4) we have $S[i] + x \ne i$, so conditions (1) and (4) apply to elements with different indices. Condition (4) leaves $n-1$ possibilities for the value of $S[i]$. The remaining $n-2$ elements of $S$ can take any of the remaining $n-2$ unused values. Thus Case 2 comprises a total of $(n-1)(n-2)! = (n-1)!$ permutations.

We have shown that Cases 1 and 2 allow a total of $2(n-1)!$ different permutations. Since $S$ is picked at random from $n!$ possibilities, the probability that we hit either of the two cases is $2(n-1)!/n! = 2/n$, which proves (1).

To show (2) we again count permutations. We first show that (5) holds. Suppose the opposite is true: $S[i] = i - x$. Then $S[i] + x = i$ and, substituting this index in (2), we get $S[i] + x = c$, i.e. $i = c$. But $c \ne i$, which contradicts our assumption. Thus

$S[i] \ne i - x.$ (5)

Since $S[i] + x \ne i$, conditions (2) and (5) apply to elements with different indices in $S$. Condition (2) leaves one possibility for the value of the element $S[S[i] + x]$. This value is $c - x$, and it is different from $i - x$ because $c \ne i$. So the element $S[i]$ cannot take the value $c - x$, because it is already used, and cannot take the value $i - x$ because of condition (5). The element $S[i]$ is left with only $n-2$ possibilities. The remaining $n-2$ elements can take any of the remaining $n-2$ values. Thus the total number of permutations satisfying (2) is $(n-2)(n-2)!$. This gives the probability $(n-2)(n-2)!/n! = (n-2)/(n(n-1))$. □

3.2 Equation (10)

Observe that in Lines 4 and 5 of Algorithm 1 the current round number is $i+1$. Thus we can write

$j_{i+1} = j_i + S_i[i] + K[i \bmod l],$ (6)

$S_{i+1}[i] = S_i[j_{i+1}].$ (7)

After substituting $j_{i+1}$ in (7) with the value from (6) we get

$\underbrace{S_{i+1}[i]}_{h} = S_i\big[\underbrace{j_i + S_i[i] + K[i \bmod l]}_{g}\big].$ (8)

Now denote $g$ and $h$ as pictured in (8). Since permutations are invertible, we have that

$S[g] = h \ \text{ iff }\ S^{-1}[h] = g,$ (9)

so we can rewrite (8) as

$S_i^{-1}\big[S_{i+1}[i]\big] = j_i + S_i[i] + K[i \bmod l],$

or

$K[i \bmod l] = S_i^{-1}\big[S_{i+1}[i]\big] - \big(j_i + S_i[i]\big).$ (10)

3.3 Equation (13)

Observe from Line 4 of Algorithm 2 that after round number $i+n$ the following holds:

$S_{i+n}\big[S_{i+n}[i] + S_{i+n}[j_{i+n}]\big] = X[i-1].$ (11)

In (1) choose $S$ to be $S_{i+n}$ and $x$ to be $S_{i+n}[j_{i+n}]$. Theorem 1 implies

$\Pr\big(S_{i+n}[S_{i+n}[i] + S_{i+n}[j_{i+n}]] + S_{i+n}[j_{i+n}] = i\big) = \dfrac{2}{n}.$ (12)

Combining (11) and (12) we get

$\Pr\big(\underbrace{S_{i+n}[j_{i+n}]}_{\beta} = \underbrace{i - X[i-1]}_{\gamma}\big) = \dfrac{2}{n}.$ (13)
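The counting argument in the proof of Theorem 1 (Section 3.1) can be checked exactly for a small $n$ by enumerating all $n!$ permutations. The following Python program is an added example, not code from the notes or from [1]; the values of $n$, $i$, $x$ and $c$ in it are arbitrary choices for the demonstration. It returns the raw counts, which must equal $2(n-1)!$ and $(n-2)(n-2)!$, and the exact probabilities, which must equal $2/n$ and $(n-2)/(n(n-1))$.

```python
"""Added example (not from the notes): exact check of Theorem 1 by enumerating
every permutation of {0, ..., n-1} for a small n and counting, as the proof does,
the permutations with S[S[i]+x]+x == i and with S[S[i]+x]+x == c (c != i)."""
from fractions import Fraction
from itertools import permutations
from math import factorial


def count_theorem1(n, i, x, c):
    """Return (#S with S[S[i]+x]+x == i, #S with S[S[i]+x]+x == c), indices and
    values taken mod n, over all n! permutations S. Requires c != i."""
    if c == i:
        raise ValueError("Theorem 1, equation (2), needs c != i")
    hit_i = hit_c = 0
    for S in permutations(range(n)):
        v = (S[(S[i] + x) % n] + x) % n
        if v == i:
            hit_i += 1
        elif v == c:
            hit_c += 1
    return hit_i, hit_c


def theorem1_probabilities(n, i, x, c):
    """Exact probabilities (1) and (2) as fractions, to compare with 2/n and
    (n-2)/(n(n-1)); the proof predicts counts 2(n-1)! and (n-2)(n-2)!."""
    hit_i, hit_c = count_theorem1(n, i, x, c)
    total = factorial(n)
    return Fraction(hit_i, total), Fraction(hit_c, total)


if __name__ == "__main__":
    n = 7                                     # small enough to enumerate 5040 permutations
    for i, x, c in [(0, 0, 1), (3, 5, 6), (6, 2, 0)]:  # arbitrary test triples
        p_i, p_c = theorem1_probabilities(n, i, x, c)
        print(f"n={n} i={i} x={x} c={c}: {p_i} (2/n = {Fraction(2, n)}), "
              f"{p_c} ((n-2)/(n(n-1)) = {Fraction(n - 2, n * (n - 1))})")
```

The two counts are independent of $i$, $x$ and $c$, which is exactly what the proof claims: only the relative positions of $S[i]$ and $S[S[i]+x]$ matter, so any triple gives the same fractions.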

3.4 Equation (16)

We now use (2), substituting, as before, $S$ with $S_{i+n}$ and $x$ with $S_{i+n}[j_{i+n}]$:

$\forall c \ne i,\quad \Pr\big(S_{i+n}[S_{i+n}[i] + S_{i+n}[j_{i+n}]] + S_{i+n}[j_{i+n}] = c\big) = \dfrac{n-2}{n(n-1)}.$ (14)

Combining (11) and (14) we get

$\forall c \ne i,\quad \Pr\big(X[i-1] + S_{i+n}[j_{i+n}] = c\big) = \dfrac{n-2}{n(n-1)}.$

Now add $i$ to each side and rearrange the terms:

$\forall c \ne i,\quad \Pr\big(S_{i+n}[j_{i+n}] - c + i = i - X[i-1]\big) = \dfrac{n-2}{n(n-1)}.$ (15)

After denoting $\delta = S_{i+n}[j_{i+n}] - c + i$, we notice that $c \ne i$ iff $c = S_{i+n}[j_{i+n}] - \delta + i \ne i$ iff $\delta \ne S_{i+n}[j_{i+n}]$, and thus (15) can be written as

$\forall \delta \ne \underbrace{S_{i+n}[j_{i+n}]}_{\beta},\quad \Pr\big(\underbrace{i - X[i-1]}_{\gamma} = \delta\big) = \dfrac{n-2}{n(n-1)}.$ (16)

3.5 Equation (20)

Consider Algorithm 1 where Line 4 is replaced with

$j \leftarrow \mathrm{rand}(n).$ (17)

This is a crude approximation² of the original algorithm, but it lets us derive some important probability estimates. On each round of this modified key setup algorithm, $S[i]$ is swapped with an element $S[j]$, where $j$ is now random. In particular, during round number $i+2$ the probability of the event $j = i$ equals $1/n$, and so the probability that $j \ne i$ is $1 - 1/n$. Thus $S_{i+1}[i]$ stays unchanged during the $(i+2)$nd round with probability $1 - 1/n$. We write this fact as

$\Pr\big(S_{i+1}[i] = S_{i+2}[i]\big) = 1 - \dfrac{1}{n}.$

The same reasoning applies to subsequent rounds, i.e. the probability that $S_{i+1}[i]$ stays unchanged during the next $k$ rounds is $(1 - 1/n)^k$, $k < n - i$.

² If the key $K$ consisted of $n$ independent random bytes, this approximation would be precise in terms of probability distributions. But since $l < n$, we should expect some imprecision in the final results, which shows up as an increased number of packets required for the WEP attack in practice.

Moreover, if we also replace Line 2 of Algorithm 2 with (17), our result generalizes to any number of rounds. Using $k = n - 2$ we can write

$\Pr\big(S_{i+1}[i] = S_{i+n-1}[i]\big) = \Big(1 - \dfrac{1}{n}\Big)^{n-2}.$ (18)

Now observe from Line 3 of Algorithm 2 that

$S_{i+n}[j_{i+n}] = S_{i+n-1}[i].$ (19)

Substituting $S_{i+n-1}[i]$ in (18) with the value from (19) we get

$\Pr\big(\underbrace{S_{i+1}[i]}_{\alpha} = \underbrace{S_{i+n}[j_{i+n}]}_{\beta}\big) = \Big(1 - \dfrac{1}{n}\Big)^{n-2}.$ (20)

3.6 Equation (22)

Lemma 1. If

$\Pr(\alpha = \beta) = p_1,\qquad \Pr(\beta = \gamma) = p_2,\qquad \forall \delta \ne \beta,\ \Pr(\gamma = \delta) = p_3,$

then $\Pr(\alpha = \gamma) = p_1 p_2 + (1 - p_1)\, p_3$.

Proof. Consider two cases. Case 1: $\alpha = \beta$. We find that $\Pr(\alpha = \gamma) = \Pr(\beta = \gamma) = p_2$. Case 2: $\alpha \ne \beta$. If we now let $\delta = \alpha$, which is allowed since $\alpha \ne \beta$, we see that $\Pr(\alpha = \gamma) = \Pr(\gamma = \delta) = p_3$. Since Case 1 happens with probability $p_1$ and Case 2 with probability $1 - p_1$, we get $\Pr(\alpha = \gamma) = p_1 p_2 + (1 - p_1)\, p_3$. □

The result of Lemma 1 applies to Equations (13), (16) and (20) with the notation for $\alpha$, $\beta$, $\gamma$ and $\delta$ introduced there. It follows that

$\Pr\big(S_{i+1}[i] = i - X[i-1]\big) = \Big(1 - \dfrac{1}{n}\Big)^{n-2} \cdot \dfrac{2}{n} + \Big(1 - \Big(1 - \dfrac{1}{n}\Big)^{n-2}\Big) \cdot \dfrac{n-2}{n(n-1)}.$

For $n = 256$ the right-hand side evaluates to approximately $1.36/n$. Thus we have that

$\Pr\big(S_{i+1}[i] = i - X[i-1]\big) \approx \dfrac{1.36}{n}.$ (21)

Consider (10), which holds unconditionally, and replace the term $S_{i+1}[i]$ with the value from (21). Since the equality under the $\Pr$ sign in (21) holds with the given probability, we can write

$\Pr\big(K[i \bmod l] = S_i^{-1}\big[i - X[i-1]\big] - \big(S_i[i] + j_i\big)\big) \approx \dfrac{1.36}{n}.$ (22)

Note that, according to Algorithm 1, for $i < l$ the key bytes $K[0], K[1], \ldots, K[i-1]$ completely determine the permutation $S_i$ and the variable $j_i$. Therefore (22) expresses a dependency between the $i$-th key byte, the $i$ preceding key bytes and the $(i-1)$st key stream byte. We see a severe deviation from the mean value $1/n$ that a uniformly distributed byte would give. This fact will be used in our attack to obtain information about the value of the key byte $K[i]$.

4 Klein's Attack on WEP

The payload field of the data frame's MAC protocol data unit (MPDU) consists of

    IV | padding | Rk's ID | data | ICV
    \---- plaintext -----/ \- encrypted -/

where IV is a 3-byte initialization vector, Rk's ID is a 2-bit root key identifier and ICV is the integrity check value. The data field carries packets from higher layers. The encryption is performed by RC4 using the key $K = IV \,\|\, Rk$. Note that the secret root key $Rk$ is prefixed with an IV which is transmitted over the air in clear text. The IV is different for each packet (which is not always true in practice).

Assume we have captured a packet where we know the first 15 bytes of the data field in clear text³. We compute 15 bytes of the RC4 key stream as follows (see also Fig. 1):

$X[i] = \mathrm{ciphertext}[i] \oplus \mathrm{data}[i],\quad i \in \{0, 1, \ldots, 14\}.$

Since we know the value of $IV = (K[0], K[1], K[2])$, we can run the first three rounds of the RC4 key setup algorithm and thus obtain $S_3$ and $j_3$. From $S_3$ it is also straightforward to compute $S_3^{-1}$ using (9). Now write (22) for $i = 3$:

$\Pr\big(K[3] = \underbrace{S_3^{-1}\big[3 - X[2]\big] - \big(S_3[3] + j_3\big)}_{k_0}\big) \approx \dfrac{1.36}{n}.$

³ To recover a 13-byte $Rk$ we do not actually need the first 2 bytes, but only the following 13 bytes of the data.

We compute the value $k_0$ and store it as a candidate for $Rk[0]$. Note that with the rather high probability $1 - 1.36/n$ the byte $Rk[0]$ has a value different from $k_0$, so we need to collect more evidence about $Rk[0]$. Luckily, this can be done using packets that are transmitted between the same stations (thus with the same $Rk$⁴) but with different IVs. Each new IV provides a new experiment outcome, whereas observing the same IV again gives no new information whatsoever, since the same IV yields the identical first three rounds of the key setup Algorithm 1. When enough votes are collected, we choose the highest rated value of $k_0$. Klein [1] gives an estimate of the number of unique IVs sufficient to recover the byte $Rk[0]$.

After choosing the most frequent $k_0$, we let $K[3] = k_0$, which allows us to run the fourth round of the key setup algorithm for each given IV. Using the same collection of captured packets we now carry out similar calculations for the byte $Rk[1]$. By this approach we find all the bytes of $Rk$ and finally test it by a trial decryption of some ciphertext for which we know the plaintext, or a part of it.

If too few unique IVs were used, the right candidate for some $Rk[i]$ might not be the most frequent one. Then we have to try the second, third and so on most frequent candidates for $Rk[i]$, recomputing the subsequent key bytes $Rk[i+1], \ldots, Rk[12]$ for each new $Rk[i]$. This iterative trial-and-error process is repeated until the correct root key is found. Note the high computational cost of correcting falsely guessed key bytes in this approach.

⁴ We assume that the root key is not changed during the attack, which is very likely to be true in practice.

5 PTW Improved Key Calculation

Tews, Weinmann and Pyshkin extend Klein's attack such that it is possible to compute key bytes independently of each other. Consider Line 4 of Algorithm 1 during the $(i+3)$rd round, for some $i \le n - 3$:

$j_{i+3} = j_{i+2} + S_{i+2}[i+2] + K[(i+2) \bmod l].$ (23)

Similarly the $(i+2)$nd round yields $j_{i+2} = j_{i+1} + S_{i+1}[i+1] + K[(i+1) \bmod l]$, and substituting $j_{i+2}$ in (23) gives

$j_{i+3} = j_{i+1} + \sum_{m=i+1}^{i+2} S_m[m] + \sum_{m=i+1}^{i+2} K[m \bmod l].$

After doing this substitution $i - 2$ times we get

$j_{i+3} = j_3 + \sum_{m=3}^{i+2} S_m[m] + \sum_{m=3}^{i+2} K[m \bmod l].$ (24)

Now write (22) replacing $i$ with $i+3$:

$\Pr\big(K[(i+3) \bmod l] = S_{i+3}^{-1}\big[i+3 - X[i+2]\big] - \big(S_{i+3}[i+3] + j_{i+3}\big)\big) \approx \dfrac{1.36}{n},$

and replace the rightmost term $j_{i+3}$ with the one from (24). After regrouping the terms we get

$\Pr\Big(\underbrace{\sum_{m=3}^{i+3} K[m \bmod l]}_{\sigma_i} = S_{i+3}^{-1}\big[i+3 - X[i+2]\big] - \Big(j_3 + \sum_{m=3}^{i+3} S_m[m]\Big)\Big) \approx \dfrac{1.36}{n}.$

After denoting $\sigma_i$ as pictured above, the last equation becomes

$\Pr\Big(\sigma_i = S_{i+3}^{-1}\big[i+3 - X[i+2]\big] - \Big(j_3 + \sum_{m=3}^{i+3} S_m[m]\Big)\Big) \approx \dfrac{1.36}{n}.$ (25)

The right side of the equality under the $\Pr$ sign depends on the first $i+3$ key setup rounds. The authors of the PTW attack note that with a rather high probability the elements of $S$ used in this expression stay unchanged after the third round of the key setup algorithm. Thus we can replace them with the corresponding elements of $S_3$ and still have a significant probability deviation for small $i$ [2, Equations 7 and 8]:

$\Pr\Big(\sigma_i = \underbrace{S_3^{-1}\big[i+3 - X[i+2]\big] - \Big(j_3 + \sum_{m=3}^{i+3} S_3[m]\Big)}_{A_i}\Big) > \dfrac{1}{n}.$ (26)

The PTW attack proceeds as follows. For each captured packet we run the first three rounds of the RC4 key setup algorithm and compute the values $A_i$ for all $i \in \{0, 1, \ldots, 12\}$. Every new IV yields thirteen new (possibly repeating) values $A_i$. When a sufficient number of packets has been analysed, we choose the most frequent candidate for each $A_i$ and assign it to $\sigma_i$, for all $i \in \{0, 1, \ldots, 12\}$. The root key bytes are then obtained using

$Rk[0] = \sigma_0;\qquad Rk[i] = \sigma_i - \sigma_{i-1},\quad i \in \{1, \ldots, 12\}.$

The root key is then checked for correctness by a trial decryption. If it is wrong, we choose less frequent candidates for the $\sigma_i$ and try again. Compared to Klein's attack, this approach does not require recalculation of the statistics for the rightmost key bytes every time we correct a falsely guessed $\sigma_i$.
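The following Python program is an added example; it is not code from the notes or from [1] or [2]. It serves Sections 2 through 5 at once: it implements Algorithms 1 and 2, checks identity (10) exactly for every key setup round, counts how often the guess of (22) hits $K[3]$ over random 16-byte keys (the per-packet vote $k_0$ of Section 4), and runs the PTW voting of (26) followed by the unwinding $Rk[0] = \sigma_0$, $Rk[i] = \sigma_i - \sigma_{i-1}$ over a constructed capture. Everything about that capture is an assumption made for the demonstration: the 13-byte root key `ROOT_KEY`, the random 3-byte IVs, the packet count, the seeds, and that the first 16 key-stream bytes of every packet are known (in a real capture they are ciphertext XOR known plaintext). The function `true_sigma_ranks` reports, for each $i$, how far down the vote table the correct $\sigma_i$ sits, i.e. how deep the try-again step at the end of Section 5 would have to search for that byte.

```python
"""Added example, not code from the notes or from [1] or [2]: RC4 as in
Algorithms 1 and 2, an exact check of identity (10), an empirical check of
Klein's correlation (22), and the PTW votes A_i of (26) over a constructed
capture. ROOT_KEY, the packet count and the seeds are demo assumptions."""
import random

N = 256

def ksa(key, rounds=N):
    """First `rounds` rounds of Algorithm 1 (all of them by default); returns (S, j)."""
    S = list(range(N))
    j = 0
    for i in range(rounds):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S, j

def prga(S, nbytes):
    """Algorithm 2 run nbytes times on a fully set-up S; returns X[0..nbytes-1]."""
    S = S[:]
    i = j = 0
    X = []
    for _ in range(nbytes):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        X.append(S[(S[i] + S[j]) % N])
    return X

def eq10_holds(key):
    """Identity (10), K[i mod l] = S_i^{-1}[S_{i+1}[i]] - (j_i + S_i[i]), for every
    key setup round. It is exact, so this must always return True."""
    for i in range(N):
        S_i, j_i = ksa(key, rounds=i)
        S_next, _ = ksa(key, rounds=i + 1)
        if key[i % len(key)] != (S_i.index(S_next[i]) - (j_i + S_i[i])) % N:
            return False
    return True

def klein_hits(i, trials, key_len=16, seed=1):
    """How many random keys make the guess of (22) equal to K[i mod l].
    About trials * 1.36 / N is expected; an unbiased cipher would give trials / N."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = [rng.randrange(N) for _ in range(key_len)]
        S_i, j_i = ksa(key, rounds=i)        # S_i and j_i after i key setup rounds
        X = prga(ksa(key)[0], i)             # X[i-1] is the last byte produced
        guess = (S_i.index((i - X[i - 1]) % N) - (S_i[i] + j_i)) % N
        if guess == key[i % key_len]:
            hits += 1
    return hits

ROOT_KEY = bytes.fromhex("0123456789abcdef0123456789")   # constructed 13-byte Rk

def simulate_packets(root_key, npackets, seed=2):
    """Constructed capture: random 3-byte IV per packet and the first 16 key-stream
    bytes of K = IV || Rk (in reality ciphertext XOR known plaintext)."""
    rng = random.Random(seed)
    packets = []
    for _ in range(npackets):
        iv = [rng.randrange(N) for _ in range(3)]
        packets.append((iv, prga(ksa(iv + list(root_key))[0], 16)))
    return packets

def ptw_votes(packets):
    """votes[i][a] = number of packets with A_i = a, A_i as in (26):
    S_3^{-1}[i+3 - X[i+2]] - (j_3 + sum_{m=3}^{i+3} S_3[m]), i = 0..12."""
    votes = [[0] * N for _ in range(13)]
    for iv, X in packets:
        S3, j3 = ksa(iv, rounds=3)            # three rounds on the public IV only
        acc = j3
        for i in range(13):
            acc = (acc + S3[i + 3]) % N       # j_3 + S_3[3] + ... + S_3[i+3]
            votes[i][(S3.index((i + 3 - X[i + 2]) % N) - acc) % N] += 1
    return votes

def ptw_recover(votes):
    """Most-voted sigma_i, unwound as Rk[0] = sigma_0, Rk[i] = sigma_i - sigma_{i-1}."""
    sigma = [max(range(N), key=votes[i].__getitem__) for i in range(13)]
    return [sigma[0]] + [(sigma[i] - sigma[i - 1]) % N for i in range(1, 13)]

def true_sigma_ranks(votes, root_key):
    """Rank (1 = most votes) of the correct sigma_i = Rk[0] + ... + Rk[i] in each
    table; rank 1 everywhere means ptw_recover returns the root key directly."""
    ranks, sigma = [], 0
    for i in range(13):
        sigma = (sigma + root_key[i]) % N
        ranks.append(1 + sum(1 for v in range(N) if votes[i][v] > votes[i][sigma]))
    return ranks

if __name__ == "__main__":
    print("(10) holds in every round:", eq10_holds([1, 2, 3] + list(ROOT_KEY)))
    t = 20000
    print("(22) at i=3: %d hits in %d keys (1/n: %.0f, 1.36/n: %.0f)"
          % (klein_hits(3, t), t, t / N, 1.36 * t / N))
    votes = ptw_votes(simulate_packets(ROOT_KEY, 50000))
    print("ranks of the true sigma_i:", true_sigma_ranks(votes, ROOT_KEY))
    print("recovered:", bytes(ptw_recover(votes)).hex(), "true:", ROOT_KEY.hex())
```

Running it takes some seconds in CPython, almost all of it in the full key setup per simulated packet; the attacker's side, three rounds of Algorithm 1 plus thirteen table lookups per packet, is cheap, which is why the real attack is fast. $\sigma_0$ is the most dependable byte: $A_0$ is exactly the estimator of (22) for $K[3]$ with the true $S_3$, whereas for larger $i$ the replacement of $S_{i+3}$ by $S_3$ in (26) weakens the bias, so the ranks printed for those bytes show where the candidate search of Section 5 has to do its work.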

References

[1] Andreas Klein. Attacks on the RC4 stream cipher. Des. Codes Cryptography, 48(3).

[2] Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin. Breaking 104 bit WEP in less than 60 seconds. In Sehun Kim, Moti Yung, and Hyung-Woo Lee, editors, WISA, volume 4867 of Lecture Notes in Computer Science. Springer.


More information

Lecture Notes. Advanced Discrete Structures COT S

Lecture Notes. Advanced Discrete Structures COT S Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-27 Recap ADFGX Cipher Block Cipher Modes of Operation Hill Cipher Inverting a Matrix (mod n) Encryption: Hill Cipher Example Multiple

More information

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128 Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com

More information

Jay Daigle Occidental College Math 401: Cryptology

Jay Daigle Occidental College Math 401: Cryptology 3 Block Ciphers Every encryption method we ve studied so far has been a substitution cipher: that is, each letter is replaced by exactly one other letter. In fact, we ve studied stream ciphers, which produce

More information

Differential Attack on Five Rounds of the SC2000 Block Cipher

Differential Attack on Five Rounds of the SC2000 Block Cipher Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com

More information

Secret Key: stream ciphers & block ciphers

Secret Key: stream ciphers & block ciphers Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad define a secret key ( seed ) Using the seed generates a byte stream (Keystream): i-th byte is function only

More information

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Solutions for week 1, Cryptography Course - TDA 352/DIT 250 Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.

More information

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2

More information

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.

More information

DD2448 Foundations of Cryptography Lecture 3

DD2448 Foundations of Cryptography Lecture 3 DD2448 Foundations of Cryptography Lecture 3 Douglas Wikström KTH Royal Institute of Technology dog@kth.se February 3, 2016 Linear Cryptanalysis of the SPN Basic Idea Linearize Find an expression of the

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation

More information

arxiv:nlin/ v1 [nlin.cd] 10 Aug 2006

arxiv:nlin/ v1 [nlin.cd] 10 Aug 2006 Cryptanalysis of a chaotic block cipher with external key and its improved version arxiv:nlin/0608020v1 [nlin.cd] 10 Aug 2006 Chengqing Li a,, Shujun Li b,, Gonzalo Álvarezc, Guanrong Chen a and Kwok-Tung

More information

Cryptography CS 555. Topic 2: Evolution of Classical Cryptography CS555. Topic 2 1

Cryptography CS 555. Topic 2: Evolution of Classical Cryptography CS555. Topic 2 1 Cryptography CS 555 Topic 2: Evolution of Classical Cryptography Topic 2 1 Lecture Outline Basics of probability Vigenere cipher. Attacks on Vigenere: Kasisky Test and Index of Coincidence Cipher machines:

More information

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense

More information

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30 CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).

More information

On the Weak State in GGHN-like Ciphers

On the Weak State in GGHN-like Ciphers 2012 Seventh International Conference on Availability, Reliability and Security On the Weak State in GGH-like Ciphers Aleksandar Kircanski Dept. of Computer Science and Software Engineering Concordia University

More information

Cryptography Lecture 4 Block ciphers, DES, breaking DES

Cryptography Lecture 4 Block ciphers, DES, breaking DES Cryptography Lecture 4 Block ciphers, DES, breaking DES Breaking a cipher Eavesdropper recieves n cryptograms created from n plaintexts in sequence, using the same key Redundancy exists in the messages

More information

Introduction to Cryptology. Lecture 2

Introduction to Cryptology. Lecture 2 Introduction to Cryptology Lecture 2 Announcements 2 nd vs. 1 st edition of textbook HW1 due Tuesday 2/9 Readings/quizzes (on Canvas) due Friday 2/12 Agenda Last time Historical ciphers and their cryptanalysis

More information

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 CPSC 418/MATH 318 L01 October 17, 2018 Time: 50 minutes

More information

Security of Networks (12) Exercises

Security of Networks (12) Exercises (12) Exercises 1.1 Below are given four examples of ciphertext, one obtained from a Substitution Cipher, one from a Vigenere Cipher, one from an Affine Cipher, and one unspecified. In each case, the task

More information

Private-key Systems. Block ciphers. Stream ciphers

Private-key Systems. Block ciphers. Stream ciphers Chapter 2 Stream Ciphers Further Reading: [Sim92, Chapter 2] 21 Introduction Remember classication: Private-key Systems Block ciphers Stream ciphers Figure 21: Private-key cipher classication Block Cipher:

More information

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a

More information

Benes and Butterfly schemes revisited

Benes and Butterfly schemes revisited Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have

More information

Cryptanalysis of the Full Spritz Stream Cipher

Cryptanalysis of the Full Spritz Stream Cipher Cryptanalysis of the Full Spritz Stream Cipher Subhadeep Banik 1,2 and Takanori Isobe 3 1 School of Physical and Mathematical Sciences, NTU 2 DTU Compute, Technical University of Denmark, Lungby 3 Sony

More information

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian

More information

A Five-Round Algebraic Property of the Advanced Encryption Standard

A Five-Round Algebraic Property of the Advanced Encryption Standard A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science

More information

Solution to Midterm Examination

Solution to Midterm Examination YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Handout #13 Xueyuan Su November 4, 2008 Instructions: Solution to Midterm Examination This is a closed book

More information

On Correlation Between the Order of S-boxes and the Strength of DES

On Correlation Between the Order of S-boxes and the Strength of DES On Correlation Between the Order of S-boxes and the Strength of DES Mitsuru Matsui Computer & Information Systems Laboratory Mitsubishi Electric Corporation 5-1-1, Ofuna, Kamakura, Kanagawa, 247, Japan

More information

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol FORGERY ON STATELESS CMCC WITH A SINGLE QUERY Guy Barwell guy.barwell@bristol.ac.uk University of Bristol Abstract. We present attacks against CMCC that invalidate the claimed security of integrity protection

More information

Cryptanalysis of a Multistage Encryption System

Cryptanalysis of a Multistage Encryption System Cryptanalysis of a Multistage Encryption System Chengqing Li, Xinxiao Li, Shujun Li and Guanrong Chen Department of Mathematics, Zhejiang University, Hangzhou, Zhejiang 310027, China Software Engineering

More information

CTR mode of operation

CTR mode of operation CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext

More information

(Non-)Random Sequences from (Non-)Random Permutations - Analysis of RC4 stream cipher

(Non-)Random Sequences from (Non-)Random Permutations - Analysis of RC4 stream cipher (on-)random Sequences from (on-)random Permutations - Analysis of RC4 stream cipher Sourav Sen Gupta, Subhamoy Maitra, Goutam Paul 2, and Santanu Sarkar Applied Statistics Unit, Indian Statistical Institute,

More information

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2 Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number

More information

CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER

CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER 177 CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER 178 12.1 Introduction The study of cryptography of gray level images [110, 112, 118] by using block ciphers has gained considerable

More information

CPA-Security. Definition: A private-key encryption scheme

CPA-Security. Definition: A private-key encryption scheme CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of

More information

Exam Security January 19, :30 11:30

Exam Security January 19, :30 11:30 Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in

More information

Security of the SMS4 Block Cipher Against Differential Cryptanalysis

Security of the SMS4 Block Cipher Against Differential Cryptanalysis Su BZ, Wu WL, Zhang WT. Security of the SMS4 block cipher against differential cryptanalysis. JOURNAL OF COM- PUTER SCIENCE AND TECHNOLOGY 26(1): 130 138 Jan. 2011. DOI 10.1007/s11390-011-1116-9 Security

More information

Real scripts backgrounder 3 - Polyalphabetic encipherment - XOR as a cipher - RSA algorithm. David Morgan

Real scripts backgrounder 3 - Polyalphabetic encipherment - XOR as a cipher - RSA algorithm. David Morgan Real scripts backgrounder 3 - Polyalphabetic encipherment - XOR as a cipher - RSA algorithm David Morgan XOR as a cipher Bit element encipherment elements are 0 and 1 use modulo-2 arithmetic Example: 1

More information

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004 CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of

More information

Block Cipher Cryptanalysis: An Overview

Block Cipher Cryptanalysis: An Overview 0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution

More information

Sol: First, calculate the number of integers which are relative prime with = (1 1 7 ) (1 1 3 ) = = 2268

Sol: First, calculate the number of integers which are relative prime with = (1 1 7 ) (1 1 3 ) = = 2268 ò{çd@àt ø 2005.0.3. Suppose the plaintext alphabets include a z, A Z, 0 9, and the space character, therefore, we work on 63 instead of 26 for an affine cipher. How many keys are possible? What if we add

More information

Number Theory in Cryptography

Number Theory in Cryptography Number Theory in Cryptography Introduction September 20, 2006 Universidad de los Andes 1 Guessing Numbers 2 Guessing Numbers (person x) (last 6 digits of phone number of x) 3 Guessing Numbers (person x)

More information

Perfectly-Secret Encryption

Perfectly-Secret Encryption Perfectly-Secret Encryption CSE 5351: Introduction to Cryptography Reading assignment: Read Chapter 2 You may sip proofs, but are encouraged to read some of them. 1 Outline Definition of encryption schemes

More information