A Polynomial Description of the Rijndael Advanced Encryption Standard
arXiv:cs/ v1 [cs.CR], 2 May 2002

Joachim Rosenthal
Department of Mathematics, University of Notre Dame, Notre Dame, Indiana 46556, USA
Rosenthal.1@nd.edu

April 30, 2002

Abstract. The paper gives a polynomial description of the Rijndael Advanced Encryption Standard recently adopted by the National Institute of Standards and Technology. Special attention is given to the structure of the S-Box.

Index Terms: Advanced encryption standard, Rijndael algorithm, symmetric-key encryption.

1 Introduction

On November 26, 2001 the National Institute of Standards and Technology (NIST) announced that the Rijndael encryption algorithm would become the Advanced Encryption Standard. The Rijndael system will be a Federal Information Processing Standard (FIPS) to be used by U.S. Government organizations (and others) to protect sensitive information [1]. Detailed information can be found at the website:

The description [3, 4] supplied by Joan Daemen and Vincent Rijmen, the inventors of the Rijndael encryption algorithm, is very detailed, and a reader new to the subject will probably need some time to understand all steps in the algorithm. In this paper we show how the whole algorithm can be quite elegantly described through a sequence of algebraic manipulations in a finite ring. We hope that this description will be helpful in the proliferation of this new important standard.

Supported in part by NSF grant DMS
We are aware of some attempts (e.g. [5, 9]) where authors tried to explore an algebraic description of the so-called S-Box, the main non-linear part of the Rijndael system. We explain in this paper why the S-Box can be described through a sparse polynomial. There is however no attempt made to explore this description further in order to find any weakness of the system. We also derive the interpolation polynomial of the inverse S-Box and we describe the cycle decomposition of the S-Box.

The most detailed description of Rijndael can be found in the new book [4]. This book gives many details on the design philosophy and implementation aspects, something we do not address in this paper. During the preparation of this paper we found the description of Rijndael given in [10] useful. We want to thank U. Maurer for pointing us to an algebraic description of Rijndael recently provided by H. W. Lenstra [6].

2 The Rijndael Algorithm

Let $\mathbb{Z}_2 = \{0, 1\}$ be the binary field and consider the irreducible polynomial
$$\mu(z) := z^8 + z^4 + z^3 + z + 1 \in \mathbb{Z}_2[z].$$
Let $F := \mathbb{Z}_2[z]/\langle \mu(z) \rangle = GF(256)$ be the Galois field of $2^8$ elements and consider the ideal
$$I := \langle x^4 + 1,\ y^4 + 1,\ \mu(z) \rangle \subset \mathbb{Z}_2[x, y, z].$$
We will describe the Rijndael algorithm through a sequence of polynomial manipulations inside the finite ring
$$R := \mathbb{Z}_2[x, y, z]/I = F[x, y]/\langle x^4 + 1,\ y^4 + 1 \rangle. \tag{2.1}$$
The ring $R$ has simultaneously the structure of a finite $\mathbb{Z}_2$-algebra and the structure of a finite $F$-algebra, as the above description makes clear. The monomials $\{ x^i y^j z^k \mid 0 \le i, j \le 3,\ 0 \le k \le 7 \}$ form a $\mathbb{Z}_2$-basis of the ring (algebra) $R$. In particular $\dim_{\mathbb{Z}_2} R = 128$, i.e. $|R| = 2^{128}$.

Computations in the ring $R$ can be done very efficiently. Addition in $R$ is done componentwise, and multiplication in $R$ is done through multiplication in $\mathbb{Z}_2[x, y, z]$ followed by reduction modulo the ideal $I$.

Remark 2.1 One readily verifies that $x^4 + 1,\ y^4 + 1,\ \mu(z)$ forms a reduced Gröbner basis of the ideal $I$, which is also a zero-dimensional ideal. As a consequence the reduction modulo $I$ is very easy. More details about finite-dimensional algebras and zero-dimensional ideals can be found in [2, Chapter 2].

Whenever $r \in R$ is an element we define elements $r_{i,j} \in F$ and $r_j \in F[x]/\langle x^4 + 1 \rangle$ through
$$r = \sum_{i,j=0}^{3} r_{i,j}\, x^i y^j = \sum_{j=0}^{3} \Big( \sum_{i=0}^{3} r_{i,j}\, x^i \Big) y^j = \sum_{j=0}^{3} r_j\, y^j. \tag{2.2}$$
On an abstract level a secret-key cryptosystem consists of a message space $M$, a cipher space $C$ and a key space $K$ together with an encryption map and a decryption map
$$\varepsilon : M \times K \to C, \qquad \delta : C \times K \to M$$
such that $\delta(\varepsilon(m, k), k) = m$ for all $m \in M$ and $k \in K$. It should be computationally infeasible to compute the secret key $k \in K$ from a sequence of plaintext/ciphertext pairs $\big( m^{(t)},\ c^{(t)} = \varepsilon(m^{(t)}, k) \big)$, $t = 1, 2, \ldots$.

In the Rijndael AES system one has the possibility to work with secret keys consisting of 128 bits, 192 bits or 256 bits respectively. We describe the system for 128-bit keys and indicate in Section 3 how to adapt the algebraic description to the other situations. For the Rijndael algorithm we define $K = M = C = R$. Crucial for the description will be the following polynomial:
$$\begin{aligned}
\varphi(u) :={}& (z^2 + 1)\, u^{254} + (z^3 + 1)\, u^{253} + (z^7 + z^6 + z^5 + z^4 + z^3 + 1)\, u^{251} + (z^5 + z^2 + 1)\, u^{247} \\
&+ (z^7 + z^6 + z^5 + z^4 + z^2)\, u^{239} + u^{223} + (z^7 + z^5 + z^4 + z^2 + 1)\, u^{191} \\
&+ (z^7 + z^3 + z^2 + z + 1)\, u^{127} + (z^6 + z^5 + z + 1) \ \in F[u].
\end{aligned} \tag{2.3}$$

Assume Alice and Bob share a common secret key $k \in R$ and Alice wants to encrypt the message $m \in R$. In a first step both Alice and Bob do a key expansion which results in 11 round keys $k^{(t)} \in R$, $t = 0, \ldots, 10$.

Key expansion: Using the notation introduced in Equation (2.2), both Alice and Bob compute recursively the elements $k^{(t)} \in R$, $t = 0, \ldots, 10$, in the following way:
$$\begin{aligned}
k^{(0)} &:= k, \\
k^{(t+1)}_0 &:= \Big( \sum_{i=0}^{3} \varphi\big(k^{(t)}_{i,3}\big)\, x^i \Big)\, x^3 + z^t + k^{(t)}_0 && \text{for } t = 0, \ldots, 9, \\
k^{(t+1)}_i &:= k^{(t+1)}_{i-1} + k^{(t)}_i && \text{for } t = 0, \ldots, 9,\ i = 1, 2, 3.
\end{aligned}$$

In order to describe the actual encryption algorithm we define the ring element
$$\gamma := (z + 1)\, x^3 + x^2 + x + z \in R.$$
Rijndael encryption algorithm: Using the round keys $k^{(t)} \in R$ and starting with the message $m \in R$, Alice computes recursively
$$\begin{aligned}
m^{(0)} &:= m + k^{(0)}, \\
m^{(t+1)} &:= \gamma \sum_{i,j=0}^{3} \varphi\big(m^{(t)}_{i,j}\big)\, x^i y^{3i+j} + k^{(t+1)} && \text{for } t = 0, \ldots, 8, \\
c := m^{(10)} &:= \sum_{i,j=0}^{3} \varphi\big(m^{(9)}_{i,j}\big)\, x^i y^{3i+j} + k^{(10)}.
\end{aligned}$$
The cipher to be transmitted by Alice is $c$. Note that in the 10th round no multiplication by $\gamma$ happens. This makes sure that the decryption process follows formally the same algebraic process, as we show next.

Rijndael decryption algorithm: The polynomial $\varphi$ introduced in (2.3) is a permutation polynomial describing a permutation of the elements of $F$. See Sections 3 and 4 for more details. There is a unique permutation polynomial $\psi(u) \in F[u]$ of degree at most 255 such that $\varphi \circ \psi = \psi \circ \varphi = \mathrm{id}_F$, and we derive this polynomial in Section 4. The element $\gamma \in R$ is invertible with
$$\gamma^{-1} := (z^3 + z + 1)\, x^3 + (z^3 + z^2 + 1)\, x^2 + (z^3 + 1)\, x + (z^3 + z^2 + z) \in R.$$
Using the map $\psi$, the element $\gamma^{-1}$ and the round keys $k^{(t)}$, Bob can decipher the message $m$ of Alice through
$$\begin{aligned}
c^{(0)} &:= c + k^{(10)}, \\
c^{(t+1)} &:= \gamma^{-1} \sum_{i,j=0}^{3} \psi\big(c^{(t)}_{i,j}\big)\, x^i y^{i+j} + \gamma^{-1} k^{(9-t)} && \text{for } t = 0, \ldots, 8, \\
c^{(10)} &:= \sum_{i,j=0}^{3} \psi\big(c^{(9)}_{i,j}\big)\, x^i y^{i+j} + k^{(0)}.
\end{aligned}$$
One readily verifies that $m = c^{(10)}$. Note that formally both the encryption schedule and the decryption schedule follow the same sequence of transformations: $\varphi$ is simply replaced by $\psi$, multiplication by $\gamma$ is substituted with multiplication by $\gamma^{-1}$, and the key schedule is changed by replacing $k^{(t)}$, $t = 0, \ldots, 10$, with $k^{(10)}, \gamma^{-1} k^{(9)}, \ldots, \gamma^{-1} k^{(1)}, k^{(0)}$.

Remark 2.2 Both encryption and decryption can be done very efficiently. In practice the polynomials $\varphi$ and $\psi$ are not evaluated; a lookup table describing the permutations $\varphi, \psi : F \to F$ is used instead. Substituting exponents $x^i y^j \mapsto x^i y^{3i+j}$ does not require any arithmetic, and adding a round key $k^{(t+1)}$ is efficiently done through Boolean XOR operations. Arithmetic computations are required when multiplying by $\gamma$ respectively by $\gamma^{-1}$. Since in general multiplication by $\gamma$ is slightly easier than multiplication by $\gamma^{-1}$, the decryption algorithm in general takes slightly longer than the encryption algorithm.
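The algorithm of Section 2 carried out literally as ring arithmetic, as an added example (not code from the paper). Bytes are elements of $F$ with multiplication modulo $\mu(z)$; an element of $R$ is held as its four columns $r_j \in F[x]/\langle x^4+1 \rangle$ of (2.2); the S-Box table is produced by evaluating the sparse polynomial $\varphi(u)$ of (2.3); ShiftRow is the monomial substitution $x^i y^j \mapsto x^i y^{3i+j}$, MixColumn is multiplication by $\gamma$, and the key expansion, encryption and decryption recursions are coded as written above. The byte layout $r_{i,j} = \text{block}[i + 4j]$ and the test vector are taken from FIPS-197 (Appendix C.1), which the paper does not reproduce, so both are assumptions of this example.

```python
"""AES-128 as ring arithmetic in R = F[x,y]/<x^4+1, y^4+1>, F = GF(256).
Added example following Section 2 of the paper; not the paper's own code."""

MU = 0x11B  # mu(z) = z^8 + z^4 + z^3 + z + 1; a byte is an element of F = Z_2[z]/<mu>

def gf_mul(a, b):
    """Product in F: shift-and-add, reducing modulo mu(z) whenever bit 8 appears."""
    r = 0
    while b:
        if b & 1: r ^= a
        a <<= 1
        if a & 0x100: a ^= MU
        b >>= 1
    return r

def gf_pow(a, e):
    """a^e in F by square-and-multiply; gf_pow(0, e) = 0 for e > 0, as phi_1 needs."""
    r = 1
    while e:
        if e & 1: r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

# The sparse permutation polynomial phi(u) of (2.3) as (exponent, coefficient) pairs.
PHI = [(254, 0x05), (253, 0x09), (251, 0xF9), (247, 0x25), (239, 0xF4),
       (223, 0x01), (191, 0xB5), (127, 0x8F), (0, 0x63)]

def phi(u):
    r = 0
    for e, c in PHI:
        r ^= gf_mul(c, gf_pow(u, e))
    return r

# Remark 2.2: tabulate phi and its inverse psi once instead of evaluating polynomials.
SBOX = [phi(u) for u in range(256)]
INV_SBOX = [0] * 256
for u, v in enumerate(SBOX):
    INV_SBOX[v] = u

def col_mul(a, b):
    """Product in F[x]/<x^4+1>; a, b are coefficient lists indexed by the power of x."""
    c = [0] * 4
    for i in range(4):
        for k in range(4):
            c[(i + k) % 4] ^= gf_mul(a[i], b[k])
    return c

GAMMA = [0x02, 0x01, 0x01, 0x03]      # gamma = (z+1)x^3 + x^2 + x + z
GAMMA_INV = [0x0E, 0x09, 0x0D, 0x0B]  # gamma^-1 = (z^3+z+1)x^3 + ... + (z^3+z^2+z)

# An element r of R is held as its four columns r_j = sum_i r_{i,j} x^i of (2.2):
# state[j][i] = r_{i,j}.  Byte i + 4j of a block is r_{i,j} (FIPS-197 layout, assumed).
def to_ring(block):
    return [[block[i + 4 * j] for i in range(4)] for j in range(4)]
def from_ring(state):
    return bytes(state[j][i] for j in range(4) for i in range(4))
def add(a, b):
    return [[a[j][i] ^ b[j][i] for i in range(4)] for j in range(4)]

def shift(state, s):
    """Substitute x^i y^j -> x^i y^(s*i+j): s = 3 is ShiftRow, s = 1 its inverse."""
    out = [[0] * 4 for _ in range(4)]
    for j in range(4):
        for i in range(4):
            out[(s * i + j) % 4][i] = state[j][i]
    return out

def expand_key(key):
    """Round keys k^(0), ..., k^(10) by the key-expansion recursion of Section 2."""
    keys = [to_ring(key)]
    for t in range(10):
        prev = keys[-1]
        # k_0^(t+1) = (sum_i phi(k_{i,3}^(t)) x^i) * x^3 + z^t + k_0^(t)
        c0 = col_mul([SBOX[b] for b in prev[3]], [0, 0, 0, 1])
        c0[0] ^= gf_pow(0x02, t)
        new = [[c0[i] ^ prev[0][i] for i in range(4)]]
        for j in range(1, 4):          # k_i^(t+1) = k_{i-1}^(t+1) + k_i^(t)
            new.append([new[j - 1][i] ^ prev[j][i] for i in range(4)])
        keys.append(new)
    return keys

def encrypt(block, keys):
    m = add(to_ring(block), keys[0])
    for t in range(10):
        m = shift([[SBOX[b] for b in col] for col in m], 3)
        if t < 9:                      # no multiplication by gamma in the 10th round
            m = [col_mul(GAMMA, col) for col in m]
        m = add(m, keys[t + 1])
    return from_ring(m)

def decrypt(block, keys):
    # Same schedule with psi, gamma^-1 and the round keys gamma^-1 k^(9-t).
    c = add(to_ring(block), keys[10])
    for t in range(10):
        c = shift([[INV_SBOX[b] for b in col] for col in c], 1)
        rk = keys[9 - t]
        if t < 9:
            c = [col_mul(GAMMA_INV, col) for col in c]
            rk = [col_mul(GAMMA_INV, col) for col in rk]
        c = add(c, rk)
    return from_ring(c)

# FIPS-197 Appendix C.1 vector (assumed): encrypt(PT, expand_key(KEY)) must give
# 69c4e0d86a7b0430d8cdb78070b4c55a, which ties the ring description to the standard.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
PT = bytes.fromhex("00112233445566778899aabbccddeeff")
```

The check `col_mul(GAMMA, GAMMA_INV) == [1, 0, 0, 0]` confirms the stated $\gamma^{-1}$, and the round trip `decrypt(encrypt(PT, ks), ks) == PT` is exactly the statement $m = c^{(10)}$; the decryption loop applies $\gamma^{-1}$ to both the state and the round key, which is the equivalence noted after the decryption recursion.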
Remark 2.3 (Compare with [4, page 55] and [6]). $\gamma$ was chosen such that multiplication by $\gamma$ can be done with a minimal branch number and at the same time a good diffusion of $F[x]/\langle x^4 + 1 \rangle$ is guaranteed. We are not convinced that the choice of $\gamma$ was optimal for the latter, as it has a very small order in $R$. A direct computation shows that $\gamma$ has order 4. With this we also have an easy expression for $\gamma^{-1}$:
$$\gamma^{-1} = \gamma^3 = \gamma^2 \gamma = (z^2 x^2 + z^2 + 1)\, \gamma. \tag{2.4}$$
Instead of multiplying by $\gamma^{-1}$ it is therefore possible to multiply three times by $\gamma$, or alternatively one can pre-process the multiplication by $\gamma$ with the multiplication by $(z^2 x^2 + z^2 + 1)$. This is more efficient than multiplying the full expression by $\gamma^{-1}$.

Remark 2.4 We made a computer search for interesting factorizations of $\gamma^{-1}$. It seems that the factorization (2.4) is probably the easiest for computation purposes. The following is a related interesting factorization which we found:
$$\gamma^{-1} = (z x^3 + z + 1)\,\big(x^3 + (z^2 + 1)\, x^2 + x + z^2\big). \tag{2.5}$$

3 Relation to the Standard Description

In the original description of the Rijndael algorithm the ring $R$ was not used. Instead, sets of elements having 128 bits were described by a $4 \times 4$ array, each entry containing one byte, i.e. 8 bits. In order to relate the descriptions, assign to each element $r = \sum_{i,j=0}^{3} r_{i,j}\, x^i y^j$ the $4 \times 4$ array
$$\begin{pmatrix}
r_{0,0} & r_{0,1} & r_{0,2} & r_{0,3} \\
r_{1,0} & r_{1,1} & r_{1,2} & r_{1,3} \\
r_{2,0} & r_{2,1} & r_{2,2} & r_{2,3} \\
r_{3,0} & r_{3,1} & r_{3,2} & r_{3,3}
\end{pmatrix}$$
where each element $r_{i,j} \in F$ is viewed as one byte. Using a specific schedule the following operations are applied:

S-Box Transformation: In this operation each element $r_{i,j} \in F$ is changed using a permutation $\varphi$ of the symmetric group on 256 elements. The permutation $\varphi$ decomposes into three permutations:
$$\varphi_1 : F \to F, \quad f \mapsto \begin{cases} f^{-1} & \text{if } f \ne 0, \\ 0 & \text{if } f = 0, \end{cases} \tag{3.1}$$
$$L : F \to F, \quad f \mapsto (z^4 + z^3 + z^2 + z + 1)\, f \bmod (z^8 + 1), \tag{3.2}$$
$$\varphi_3 : F \to F, \quad f \mapsto z^6 + z^5 + z + 1 + f. \tag{3.3}$$
The permutation $\varphi$ is defined as $\varphi := \varphi_3 \circ L \circ \varphi_1$. It is possible to describe the permutation $\varphi$ using a permutation polynomial. For this note that any permutation of $F$ can also be
described through a unique interpolation polynomial (an element of $F[u]$) having degree at most 255. We denote this unique polynomial describing the permutation $\varphi$ by $\varphi(u)$. The context will always make it clear whether we view $\varphi$ as a permutation or as a polynomial $\varphi(u) \in F[u]$. This unique permutation polynomial can be computed in the following way. If $\alpha \ne 0$ then
$$T_\alpha(u) := u \sum_{i=0}^{254} \alpha^i\, u^{254-i}$$
is the unique Lagrange interpolant having the property that
$$T_\alpha(\beta) = \begin{cases} 1 & \text{if } \alpha = \beta, \\ 0 & \text{otherwise.} \end{cases}$$
If $\alpha = 0$ then $T_\alpha(u) = 1 + u^{255}$ is the unique Lagrange interpolant. The unique polynomial $\varphi(u) \in F[u]$ is then readily computed using a symbolic algebra program as
$$\varphi(u) = \sum_{\alpha \in F} \varphi(\alpha)\, T_\alpha(u).$$
This computation was already done by Daemen and Rijmen in their original proposal, and the polynomial $\varphi$ can be found in [3, Subsection 8.5].

The ShiftRow Transformation: In this operation the bytes of the $i$th row are cyclically shifted by $i$ positions. Algebraically this operation has a simple interpretation. For this consider an element $r = r(x, y) \in R$ as described in (2.2). The ShiftRow then corresponds simply to the transformation
$$r = r(x, y) \mapsto r(x y^3, y).$$
In the encryption algorithm this translates into replacing the monomial $x^i y^j$ with the monomial $x^i y^{3i+j}$. The inverse of the ShiftRow transformation is $r = r(x, y) \mapsto r(x y, y)$, which translates into the replacement of $x^i y^j$ with the monomial $x^i y^{i+j}$.

The MixColumn Transformation: In this transformation each column $r_j = \sum_{i=0}^{3} r_{i,j}\, x^i$ is multiplied by the element $\gamma$.

Add Round Key: In this step the $t$-th round key $k^{(t)}$ is added.

The schedule of operations is as follows: In the zero round the round key $k^{(0)}$ is simply added. In rounds 1-9 do the operations S-Box, ShiftRow, MixColumn and Add Round Key. In the 10th round do only S-Box, ShiftRow and Add Round Key. We have given the algebraic description for this schedule.

3.1 AES-192 and AES-256

Until now we described Rijndael when the key size and the message size have 128 bits. This system is referred to as AES-128. In the original description [3] one had the possibility to vary both the size of the message blocks and the size of the secret keys.
In the adopted standard [1] the size of the message blocks is always taken to be 128 bits. In AES-192 and in AES-256 the secret key consists of 192 respectively 256 bits. In order to run these presumably more secure algorithms it is necessary to change the key expansion schedule of the last section. In AES-192 elements $k^{(t)} \in R$, $t = 0, \ldots, 12$, are computed from the original 192 bits and the Rijndael algorithm runs over 12 rounds. In AES-256 elements $k^{(t)} \in R$, $t = 0, \ldots, 14$, are computed from the original 256 bits and the Rijndael algorithm runs over 14 rounds. Other than this there seems to be no difference, and details can be found in [1, 4].

4 The Structure of the S-Box

Except for the S-Box transformation all transformations are $\mathbb{Z}_2$-linear. An understanding of the S-Box is therefore most crucial. Surprisingly the permutation polynomial $\varphi(u)$ is very sparse, and we explain in this section why this is the case.

The permutation $\varphi$ is the composition of the maps $\varphi_1$, $L$ and $\varphi_3$. We describe the permutation polynomial for each of them. The permutation polynomial for the map $\varphi_1$ is simply given by $\varphi_1(u) = u^{254}$. The permutation $L$ is a $\mathbb{Z}_2$-linear map. For this reason there is a unique linearized polynomial (see [8, Chapter 3])
$$L(u) = \sum_{i=0}^{7} \lambda_i\, u^{2^i} \in F[u]$$
whose value at $f$ equals $L(f)$ for all $f \in F$. If $\alpha_1, \ldots, \alpha_8$ is any basis of $F$ over the prime field $\mathbb{Z}_2$, then it is possible to compute the coefficients $\lambda_0, \lambda_1, \ldots, \lambda_7$ through the linear equations
$$L(\alpha_j) = \sum_{i=0}^{7} \lambda_i\, \alpha_j^{2^i}, \qquad j = 1, \ldots, 8.$$
This system of linear equations can be solved explicitly. For this let $\beta_1, \ldots, \beta_8$ be the dual basis (see e.g. [8, Chapter 3]) of $\alpha_1, \ldots, \alpha_8$, characterized through the requirement
$$\mathrm{Tr}_{F/\mathbb{Z}_2}(\alpha_i \beta_j) = \begin{cases} 1 & \text{if } i = j, \\ 0 & \text{if } i \ne j. \end{cases}$$
Introduce the matrices
$$A := \begin{pmatrix}
\alpha_1 & \alpha_1^2 & \alpha_1^4 & \cdots & \alpha_1^{2^7} \\
\alpha_2 & \alpha_2^2 & \alpha_2^4 & \cdots & \alpha_2^{2^7} \\
\vdots & \vdots & \vdots & & \vdots \\
\alpha_8 & \alpha_8^2 & \alpha_8^4 & \cdots & \alpha_8^{2^7}
\end{pmatrix}, \qquad
B := \begin{pmatrix}
\beta_1 & \beta_2 & \cdots & \beta_8 \\
\beta_1^2 & \beta_2^2 & \cdots & \beta_8^2 \\
\beta_1^4 & \beta_2^4 & \cdots & \beta_8^4 \\
\vdots & \vdots & & \vdots \\
\beta_1^{2^7} & \beta_2^{2^7} & \cdots & \beta_8^{2^7}
\end{pmatrix}.$$
Assuming that $\beta_1, \ldots, \beta_8$ is the dual basis of $\alpha_1, \ldots, \alpha_8$ simply means that $AB = I_8$.
Let $S$ be the change of basis transformation such that
$$\begin{pmatrix} \alpha_1 \\ \alpha_2 \\ \vdots \\ \alpha_8 \end{pmatrix} = S \begin{pmatrix} 1 \\ z \\ \vdots \\ z^7 \end{pmatrix},$$
and consider the matrix $\mathbf{L}$ which describes the linear map introduced in (3.2) with respect to the polynomial basis $1, z, z^2, \ldots, z^7$. Then one has:

Lemma 4.1 The coefficients $\lambda_0, \lambda_1, \ldots, \lambda_7$ of the permutation polynomial $L(u)$ are given as
$$\begin{pmatrix} \lambda_0 \\ \lambda_1 \\ \vdots \\ \lambda_7 \end{pmatrix} = B S \mathbf{L}^t S^{-1} \begin{pmatrix} \alpha_1 \\ \alpha_2 \\ \vdots \\ \alpha_8 \end{pmatrix}. \tag{4.1}$$

Proof: $S \mathbf{L}^t S^{-1}$ describes the change of basis of the linear map $L$ with regard to the basis $\alpha_1, \ldots, \alpha_8$.

In order to explicitly compute the coefficients $\lambda_0, \lambda_1, \ldots, \lambda_7$ we can work with the polynomial basis $1, z, z^2, \ldots, z^7$ (in which case $S = I_8$). Alternatively we can work with a normal basis. We explain the computation for a normal basis. Let $\alpha := z \in F$. One verifies, e.g. with the computer program Maple, that $\alpha$ is a primitive element of $F$ and that $\{ \alpha_i := \alpha^{2^{i-1}} \mid i = 1, \ldots, 8 \}$ forms a normal basis. Such bases are called primitive normal bases. $\alpha$ is special in the sense that it is the first element of $F$ with respect to lexicographic order which is both primitive and the generator of a normal basis.

Remark 4.2 The existence of primitive normal bases has been established by Lenstra and Schoof [7] for every finite extension $GF(q^m)$ of a finite field $GF(q)$. Probably the nicest possible basis a finite field can have is a primitive normal basis which is also self-dual. We verified by computer search that $GF(256)$ does not have a self-dual primitive normal basis.
The dual basis of $\{ \alpha_1, \ldots, \alpha_8 \}$ is readily computed using Maple as $\{ \beta_j := \beta^{2^{j-1}} \mid j = 1, \ldots, 8 \}$, where $\beta = z^5 + z^4 + z$. It is a well-known fact that the dual basis of a normal basis is normal as well. The change of basis transformation $S$ is computed explicitly in this case. With this one readily computes
$$\begin{pmatrix} \lambda_0 \\ \lambda_1 \\ \vdots \\ \lambda_7 \end{pmatrix}
= B S \mathbf{L}^t S^{-1} \begin{pmatrix} \alpha \\ \alpha^2 \\ \vdots \\ \alpha^{2^7} \end{pmatrix}
= \begin{pmatrix}
z^2 + 1 \\
z^3 + 1 \\
z^7 + z^6 + z^5 + z^4 + z^3 + 1 \\
z^5 + z^2 + 1 \\
z^7 + z^6 + z^5 + z^4 + z^2 \\
1 \\
z^7 + z^5 + z^4 + z^2 + 1 \\
z^7 + z^3 + z^2 + z + 1
\end{pmatrix}. \tag{4.2}$$
The elements $\lambda_i$ already agree with the non-constant coefficients of $\varphi$ introduced in (2.3), up to order. In order to get the exact form we need a polynomial description of the permutation $\varphi_3$ introduced in (3.3). Clearly the linear polynomial $\varphi_3(u) := u + 1 + z + z^5 + z^6 \in F[u]$ interpolates the affine map $\varphi_3$. Concatenating the three polynomial maps we get
$$\varphi(u) = \varphi_3 \circ L \circ \varphi_1(u) = 1 + z + z^5 + z^6 + L(u^{254}) \bmod (u^{256} + u).$$
Note that $L$ has at most 8 nonzero coefficients. Reducing $L(u^{254})$ by the relation $u^{256} = u$ does not change this, and this explains the sparsity of the polynomial $\varphi(u)$.

The fact that the permutation polynomial $\varphi(u)$ is sparse does not imply that the inverse polynomial $\psi(u)$ is sparse. For this note that
$$\psi(u) = \varphi_1^{-1} \circ L^{-1} \circ \varphi_3^{-1}(u) \bmod (u^{256} + u).$$
As before, the coefficients of the polynomial $L^{-1}(u)$ are computed from
$$B S (\mathbf{L}^{-1})^t S^{-1} \begin{pmatrix} \alpha \\ \alpha^2 \\ \vdots \\ \alpha^{2^7} \end{pmatrix}. \tag{4.3}$$
Using Maple we find
$$\begin{aligned}
L^{-1}(u) ={}& (z^6 + z^5 + z^3 + z^2 + z)\, u^{128} + (z^7 + z^6 + z^4 + z^3 + z + 1)\, u^{64} + (z^6 + z^4 + z)\, u^{32} + (z^6 + z^5 + z^4 + z^3)\, u^{16} \\
&+ (z^6 + z^4 + z^3 + z)\, u^{8} + (z^6 + z^5 + z^4 + z^3 + z^2 + z + 1)\, u^{4} + (z^7 + z^6 + z^5 + z^4 + z^3 + z^2 + z)\, u^{2} + (z)\, u \ \in F[u].
\end{aligned} \tag{4.4}$$
Combining the result with the map $\varphi_3^{-1}(u)$ one gets
$$\rho(u) := L^{-1} \circ \varphi_3^{-1}(u) = L^{-1}\big(u + \varphi_3(0)\big) = L^{-1}(u) + L^{-1}\big(\varphi_3(0)\big) = L^{-1}(u) + z. \tag{4.5}$$
A polynomial of the form $\rho(u)$ is sometimes called an affine polynomial [8], reflecting the fact that the map $L^{-1} \circ \varphi_3^{-1}$ is affine linear over $\mathbb{Z}_2$. Concatenating $\rho(u)$ with the polynomial $\varphi_1^{-1}(u) = \varphi_1(u) = u^{254}$ results in a non-sparse polynomial
$$\psi(u) = \rho(u)^{254} \bmod (u^{256} + u).$$
For completeness we provide the result of the Maple computation. The coefficients are expressed in terms of the primitive $\alpha = z$:
$$\begin{aligned}
\psi(u) ={}& \alpha^{163} u^{254} + \alpha^{76} u^{253} + \alpha^{195} u^{252} + \alpha^{186} u^{251} + \alpha^{234} u^{250} + \alpha^{194} u^{249} + \alpha^{248} u^{248} + \alpha^{255} u^{247} \\
&+ \alpha^{196} u^{246} + \alpha^{100} u^{245} + \alpha^{216} u^{244} + \alpha^{212} u^{243} + \alpha^{47} u^{242} + \alpha^{17} u^{241} + \alpha^{85} u^{240} + \alpha^{103} u^{239} \\
&+ \alpha^{201} u^{238} + \alpha^{184} u^{237} + \alpha^{235} u^{236} + \alpha^{215} u^{235} + \alpha^{170} u^{234} + \alpha^{74} u^{233} + \alpha^{15} u^{232} + \alpha^{2} u^{231} \\
&+ \alpha^{185} u^{230} + \alpha^{89} u^{229} + \alpha^{26} u^{228} + \alpha^{231} u^{227} + \alpha^{137} u^{226} + \alpha^{110} u^{225} + \alpha^{230} u^{224} + \alpha^{20} u^{223} \\
&+ \alpha^{126} u^{222} + \alpha^{35} u^{221} + \alpha^{117} u^{220} + \alpha^{48} u^{219} + \alpha^{141} u^{218} + \alpha^{56} u^{217} + \alpha^{29} u^{216} + \alpha^{154} u^{215} \\
&+ \alpha^{207} u^{214} + \alpha^{175} u^{213} + \alpha^{253} u^{212} + \alpha^{147} u^{211} + \alpha^{5} u^{210} + \alpha^{43} u^{209} + \alpha^{194} u^{208} + \alpha^{242} u^{207} \\
&+ \alpha^{202} u^{206} + \alpha^{27} u^{205} + \alpha^{15} u^{204} + \alpha^{164} u^{203} + \alpha^{11} u^{202} + \alpha^{233} u^{201} + \alpha^{56} u^{200} + \alpha^{121} u^{199} \\
&+ \alpha^{163} u^{198} + \alpha^{69} u^{197} + \alpha^{113} u^{196} + \alpha^{235} u^{195} + \alpha^{225} u^{194} + \alpha^{152} u^{193} + \alpha^{227} u^{192} + \alpha^{9} u^{191} \\
&+ \alpha^{78} u^{190} + \alpha^{234} u^{189} + \alpha^{57} u^{188} + \alpha^{136} u^{187} + \alpha^{115} u^{186} + \alpha^{128} u^{185} + \alpha^{57} u^{184} + \alpha^{223} u^{183} \\
&+ \alpha^{228} u^{182} + \alpha^{110} u^{181} + \alpha^{249} u^{180} + \alpha^{83} u^{179} + \alpha^{55} u^{178} + \alpha^{55} u^{177} + \alpha^{32} u^{176} + \alpha^{94} u^{175} \\
&+ \alpha^{71} u^{174} + \alpha^{88} u^{173} + \alpha^{94} u^{172} + \alpha^{45} u^{171} + \alpha^{218} u^{170} + \alpha^{157} u^{169} + \alpha^{73} u^{168} + \alpha^{209} u^{167} \\
&+ \alpha^{21} u^{166} + \alpha^{122} u^{165} + \alpha^{127} u^{164} + \alpha^{206} u^{163} + \alpha^{19} u^{162} + \alpha^{189} u^{161} + \alpha^{89} u^{160} + \alpha^{177} u^{159} \\
&+ \alpha^{192} u^{158} + \alpha^{211} u^{157} + \alpha^{99} u^{156} + \alpha^{195} u^{155} + \alpha^{14} u^{154} + \alpha^{172} u^{153} + \alpha^{67} u^{152} + \alpha^{136} u^{151} \\
&+ \alpha^{6} u^{150} + \alpha^{122} u^{149} + \alpha^{102} u^{148} + \alpha^{198} u^{147} + \alpha^{14} u^{146} + \alpha^{130} u^{145} + \alpha^{102} u^{144} + \alpha^{129} u^{143} \\
&+ \alpha^{246} u^{142} + \alpha^{187} u^{141} + \alpha^{85} u^{140} + \alpha^{181} u^{139} + \alpha^{169} u^{138} + \alpha^{230} u^{137} + \alpha^{21} u^{136} + \alpha^{234} u^{135} \\
&+ \alpha^{138} u^{134} + \alpha^{104} u^{133} + \alpha^{26} u^{132} + \alpha^{229} u^{131} + \alpha^{177} u^{130} + \alpha^{168} u^{129} + \alpha^{245} u^{128} + \alpha^{13} u^{127} \\
&+ \alpha^{142} u^{126} + \alpha^{96} u^{125} + \alpha^{240} u^{124} + \alpha^{224} u^{123} + \alpha^{32} u^{122} + \alpha^{228} u^{121} + \alpha^{68} u^{120} + \alpha^{125} u^{119} \\
&+ \alpha^{147} u^{118} + \alpha^{19} u^{117} + \alpha^{78} u^{116} + \alpha^{51} u^{115} + \alpha^{114} u^{114} + \alpha^{87} u^{113} + \alpha^{120} u^{112} + \alpha^{5} u^{111} \\
&+ \alpha^{209} u^{110} + \alpha^{51} u^{109} + \alpha^{39} u^{108} + \alpha^{47} u^{107} + \alpha^{109} u^{106} + \alpha^{159} u^{105} + \alpha^{203} u^{104} + \alpha^{202} u^{103} \\
&+ \alpha^{9} u^{102} + \alpha^{238} u^{101} + \alpha^{44} u^{100} + \alpha^{188} u^{99} + \alpha^{234} u^{98} + \alpha^{59} u^{97} + \alpha^{15} u^{96} + \alpha^{131} u^{95} \\
&+ \alpha^{173} u^{94} + \alpha^{135} u^{93} + \alpha^{244} u^{92} + \alpha^{216} u^{91} + \alpha^{50} u^{90} + \alpha^{218} u^{89} + \alpha^{250} u^{88} + \alpha^{108} u^{87} \\
&+ \alpha^{192} u^{86} + \alpha^{45} u^{85} + \alpha^{53} u^{84} + \alpha^{186} u^{83} + \alpha^{92} u^{82} + \alpha^{74} u^{81} + \alpha^{157} u^{80} + \alpha^{172} u^{79} \\
&+ \alpha^{99} u^{78} + \alpha^{209} u^{77} + \alpha^{236} u^{76} + \alpha^{212} u^{75} + \alpha^{44} u^{74} + \alpha^{209} u^{73} + \alpha^{175} u^{72} + \alpha^{101} u^{71} \\
&+ \alpha^{41} u^{70} + \alpha^{51} u^{69} + \alpha^{163} u^{68} + \alpha^{183} u^{67} + \alpha^{245} u^{66} + \alpha^{169} u^{65} + \alpha^{58} u^{64} + \alpha^{5} u^{63} \\
&+ \alpha^{68} u^{62} + \alpha^{63} u^{61} + \alpha^{202} u^{60} + \alpha^{138} u^{59} + \alpha^{204} u^{58} + \alpha^{109} u^{57} + \alpha^{173} u^{56} + \alpha^{214} u^{55} \\
&+ \alpha^{61} u^{54} + \alpha^{255} u^{53} + \alpha^{185} u^{52} + \alpha^{249} u^{51} + \alpha^{153} u^{50} + \alpha^{143} u^{49} + \alpha^{206} u^{48} + \alpha^{163} u^{47} \\
&+ \alpha^{43} u^{46} + \alpha^{202} u^{45} + \alpha^{156} u^{44} + \alpha^{70} u^{43} + \alpha^{2} u^{42} + \alpha^{45} u^{41} + \alpha^{81} u^{40} + \alpha^{43} u^{39} \\
&+ \alpha^{121} u^{38} + \alpha^{90} u^{37} + \alpha^{101} u^{36} + \alpha^{252} u^{35} + \alpha^{42} u^{34} + \alpha^{176} u^{33} + \alpha^{201} u^{32} + \alpha^{22} u^{31} \\
&+ \alpha^{135} u^{30} + \alpha^{250} u^{29} + \alpha^{176} u^{28} + \alpha^{76} u^{27} + \alpha^{90} u^{26} + \alpha^{247} u^{25} + \alpha^{220} u^{24} + \alpha^{123} u^{23} \\
&+ \alpha^{76} u^{22} + \alpha\, u^{21} + \alpha^{180} u^{20} + \alpha^{108} u^{19} + \alpha^{222} u^{18} + \alpha^{54} u^{17} + \alpha^{46} u^{16} + \alpha^{89} u^{15} \\
&+ \alpha^{240} u^{14} + \alpha^{235} u^{13} + \alpha^{208} u^{12} + \alpha^{194} u^{11} + \alpha^{2} u^{10} + \alpha^{201} u^{9} + \alpha^{67} u^{8} + \alpha^{247} u^{7} \\
&+ \alpha^{56} u^{6} + \alpha^{132} u^{5} + \alpha^{16} u^{4} + \alpha^{242} u^{3} + \alpha^{223} u^{2} + \alpha^{243} u + \alpha^{92}.
\end{aligned}$$
Other than the fact that $\psi(u) = \rho(u)^{254} \bmod (u^{256} + u)$, the author did not observe any regularity in the coefficients of $\psi(u)$. The complicated algebraic structure of the inverse S-Box shows that an algebraic attack on Rijndael which tries to recursively solve the decryption equations might be very hard indeed. Since $\varphi(u)$ is much sparser, it might be more feasible to derive algebraic expressions for several rounds of the encryption schedule. Ferguson, Schroeppel and Whiting [5] show a way to describe multiple rounds of the Rijndael algorithm using a continued fraction expansion. The derived formulas look very appealing. It is however not clear whether there is any way to solve these formulas by algebraic means. Although algebraic expressions for several rounds of Rijndael have been derived, it is our belief that a compact polynomial description of several rounds of Rijndael will result in an explosion of the variables. Further research on this question will be needed.

In the last part of this section we provide the cycle decomposition for the permutation of the S-Box. For this let $\alpha = z$. We describe the cycles $[\beta, \varphi(\beta), \varphi(\varphi(\beta)), \ldots]$ expressed in terms of the primitive $\alpha$:
$$\begin{aligned}
&[\alpha, \alpha^{113}, \alpha^{139}, \alpha^{115}, \alpha^{211}, \alpha^{233}, \alpha^{45}, \alpha^{150}, \alpha^{25}, \alpha^{6}, \alpha^{96}, \alpha^{133}, \alpha^{138}, \alpha^{80}, \alpha^{184}, \alpha^{130}, \alpha^{119}, \alpha^{116}, \alpha^{222}, \alpha^{164}, \\
&\quad \alpha^{79}, \alpha^{114}, \alpha^{9}, \alpha^{165}, \alpha^{160}, \alpha^{98}, \alpha^{81}, \alpha^{131}, \alpha^{215}, \alpha^{181}, \alpha^{200}, \alpha^{125}, \alpha^{143}, \alpha^{41}, \alpha^{179}, \alpha^{202}, \alpha^{157}, \alpha^{70}, \alpha^{146}, \alpha^{92}, \\
&\quad 0, \alpha^{210}, \alpha^{232}, \alpha^{117}, \alpha^{11}, \alpha^{192}, \alpha^{72}, \alpha^{185}, \alpha^{212}, \alpha^{21}, \alpha^{105}, \alpha^{163}, \alpha^{216}, \alpha^{78}, \alpha^{48}, \alpha^{174}, \alpha^{198}, \alpha^{209}, \alpha^{176}, \alpha]
\end{aligned}$$
$$\begin{aligned}
&[\alpha^{2}, \alpha^{112}, \alpha^{37}, \alpha^{161}, \alpha^{242}, \alpha^{50}, \alpha^{240}, \alpha^{26}, \alpha^{0}, \alpha^{42}, \alpha^{245}, \alpha^{168}, \alpha^{10}, \alpha^{228}, \alpha^{229}, \alpha^{251}, \alpha^{29}, \alpha^{76}, \alpha^{247}, \alpha^{223}, \\
&\quad \alpha^{243}, \alpha^{17}, \alpha^{49}, \alpha^{197}, \alpha^{225}, \alpha^{3}, \alpha^{104}, \alpha^{106}, \alpha^{55}, \alpha^{32}, \alpha^{204}, \alpha^{203}, \alpha^{132}, \alpha^{206}, \alpha^{19}, \alpha^{226}, \alpha^{107}, \alpha^{84}, \alpha^{152}, \alpha^{231}, \\
&\quad \alpha^{142}, \alpha^{159}, \alpha^{140}, \alpha^{110}, \alpha^{162}, \alpha^{170}, \alpha^{248}, \alpha^{127}, \alpha^{82}, \alpha^{148}, \alpha^{180}, \alpha^{151}, \alpha^{31}, \alpha^{88}, \alpha^{227}, \alpha^{237}, \alpha^{85}, \alpha^{43}, \alpha^{95}, \alpha^{218}, \\
&\quad \alpha^{71}, \alpha^{177}, \alpha^{121}, \alpha^{65}, \alpha^{188}, \alpha^{186}, \alpha^{77}, \alpha^{23}, \alpha^{187}, \alpha^{238}, \alpha^{167}, \alpha^{52}, \alpha^{145}, \alpha^{136}, \alpha^{149}, \alpha^{147}, \alpha^{123}, \alpha^{224}, \alpha^{20}, \alpha^{134}, \\
&\quad \alpha^{195}, \alpha^{2}]
\end{aligned}$$
$$\begin{aligned}
&[\alpha^{4}, \alpha^{16}, \alpha^{69}, \alpha^{7}, \alpha^{62}, \alpha^{34}, \alpha^{183}, \alpha^{172}, \alpha^{208}, \alpha^{129}, \alpha^{220}, \alpha^{91}, \alpha^{230}, \alpha^{153}, \alpha^{87}, \alpha^{102}, \alpha^{234}, \alpha^{93}, \alpha^{51}, \alpha^{73}, \\
&\quad \alpha^{155}, \alpha^{196}, \alpha^{253}, \alpha^{124}, \alpha^{101}, \alpha^{66}, \alpha^{235}, \alpha^{252}, \alpha^{193}, \alpha^{18}, \alpha^{94}, \alpha^{90}, \alpha^{144}, \alpha^{83}, \alpha^{5}, \alpha^{47}, \alpha^{194}, \alpha^{244}, \alpha^{118}, \alpha^{173}, \\
&\quad \alpha^{120}, \alpha^{199}, \alpha^{250}, \alpha^{63}, \alpha^{156}, \alpha^{109}, \alpha^{221}, \alpha^{30}, \alpha^{86}, \alpha^{46}, \alpha^{126}, \alpha^{56}, \alpha^{44}, \alpha^{249}, \alpha^{33}, \alpha^{24}, \alpha^{201}, \alpha^{205}, \alpha^{191}, \alpha^{128}, \\
&\quad \alpha^{67}, \alpha^{219}, \alpha^{239}, \alpha^{15}, \alpha^{217}, \alpha^{103}, \alpha^{141}, \alpha^{169}, \alpha^{241}, \alpha^{214}, \alpha^{59}, \alpha^{154}, \alpha^{207}, \alpha^{175}, \alpha^{178}, \alpha^{36}, \alpha^{97}, \alpha^{13}, \alpha^{28}, \alpha^{12}, \\
&\quad \alpha^{74}, \alpha^{182}, \alpha^{8}, \alpha^{14}, \alpha^{58}, \alpha^{108}, \alpha^{75}, \alpha^{4}]
\end{aligned}$$
$$\begin{aligned}
&[\alpha^{22}, \alpha^{135}, \alpha^{64}, \alpha^{158}, \alpha^{190}, \alpha^{189}, \alpha^{100}, \alpha^{40}, \alpha^{60}, \alpha^{39}, \alpha^{99}, \alpha^{61}, \alpha^{111}, \alpha^{166}, \alpha^{213}, \alpha^{27}, \alpha^{89}, \alpha^{246}, \alpha^{171}, \alpha^{137}, \\
&\quad \alpha^{122}, \alpha^{254}, \alpha^{35}, \alpha^{57}, \alpha^{53}, \alpha^{236}, \alpha^{68}, \alpha^{22}]
\end{aligned}$$
$$[\alpha^{38}, \alpha^{54}, \alpha^{38}]$$
It follows that $\varphi$ has cycle lengths 59, 81, 87, 27 and 2, and order $\operatorname{lcm}(59, 81, 87, 27, 2) = 277{,}182$, confirming the result given by Lenstra [6]. We would like to remark that the largest order an element of the symmetric group on 256 elements can have is 451,129,701,092,070. In comparison to this the order of $\varphi$ is not very large.
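The S-Box analysis of Sections 3 and 4 worked through numerically, as an added example that is not the paper's Maple computation. It builds $\varphi = \varphi_3 \circ L \circ \varphi_1$ from (3.1)-(3.3), recovers the interpolation polynomial with the Lagrange interpolants $T_\alpha$ of Section 3 (which must return exactly the nine coefficients of (2.3)), interpolates the inverse $\psi$ to show it is dense, checks the order of $\gamma$ from Remark 2.3, and computes the cycle decomposition and order above. The closed form for the inverse affine map, $L^{-1}(f) = (z^6 + z^3 + z)\, f \bmod (z^8 + 1)$, is derived here from $(z^4 + z^3 + z^2 + z + 1)(z^6 + z^3 + z) \equiv 1$ in $\mathbb{Z}_2[z]/\langle z^8 + 1 \rangle$ and is not stated on the page; the code works with the polynomial basis of $F$ and never needs the primitive element $\alpha$, so it does not depend on the value truncated above.

```python
"""S-Box structure of Sections 3 and 4: phi = phi_3 o L o phi_1, its interpolation
polynomial, the inverse psi, the order of gamma and the cycle decomposition.
Added example, not the paper's Maple computation."""
from math import lcm

MU = 0x11B  # mu(z) = z^8 + z^4 + z^3 + z + 1; a byte is an element of F = Z_2[z]/<mu>

def gf_mul(a, b):
    r = 0
    while b:
        if b & 1: r ^= a
        a <<= 1
        if a & 0x100: a ^= MU
        b >>= 1
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1: r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def rotl(v, k):
    """Multiplication by z^k in Z_2[z]/<z^8+1> is a cyclic rotation by k bits."""
    return ((v << k) | (v >> (8 - k))) & 0xFF

def phi1(f):  # (3.1): f -> f^-1 with 0 -> 0, i.e. the polynomial u^254
    return gf_pow(f, 254)

def L(f):     # (3.2): (z^4+z^3+z^2+z+1) f mod z^8+1
    return f ^ rotl(f, 1) ^ rotl(f, 2) ^ rotl(f, 3) ^ rotl(f, 4)

def L_inv(f):
    """Inverse of L: (z^6+z^3+z) f mod z^8+1, the cofactor derived here (not on the page)."""
    return rotl(f, 1) ^ rotl(f, 3) ^ rotl(f, 6)

def phi3(f):  # (3.3): f -> f + z^6+z^5+z+1
    return f ^ 0x63

SBOX = [phi3(L(phi1(u))) for u in range(256)]
INV_SBOX = [phi1(L_inv(phi3(v))) for v in range(256)]  # psi = phi_1^-1 o L^-1 o phi_3^-1

def interpolate(perm):
    """Coefficients c[0..255] of the unique polynomial of degree <= 255 through the
    points (a, perm[a]), using T_0(u) = 1 + u^255 and, for a != 0,
    T_a(u) = u * sum_{i=0}^{254} a^i u^(254-i), which puts a^i at degree 255-i."""
    c = [0] * 256
    c[0] ^= perm[0]
    c[255] ^= perm[0]
    for a in range(1, 256):
        p = 1
        for i in range(255):
            c[255 - i] ^= gf_mul(perm[a], p)
            p = gf_mul(p, a)
    return c

def evaluate(coeffs, u):
    r = 0
    for d in range(255, -1, -1):  # Horner's rule in F
        r = gf_mul(r, u) ^ coeffs[d]
    return r

def nonzero_terms(coeffs):
    return {d: c for d, c in enumerate(coeffs) if c}

def cycle_lengths(perm):
    seen, lengths = [False] * 256, []
    for start in range(256):
        if seen[start]:
            continue
        n, v = 0, start
        while not seen[v]:
            seen[v] = True
            v, n = perm[v], n + 1
        lengths.append(n)
    return sorted(lengths)

def perm_order(perm):
    return lcm(*cycle_lengths(perm))

def col_mul(a, b):
    """Product in F[x]/<x^4+1>; coefficient lists indexed by the power of x."""
    c = [0] * 4
    for i in range(4):
        for k in range(4):
            c[(i + k) % 4] ^= gf_mul(a[i], b[k])
    return c

GAMMA = [0x02, 0x01, 0x01, 0x03]  # gamma = (z+1)x^3 + x^2 + x + z

def gamma_order():
    """Smallest n >= 1 with gamma^n = 1 in F[x]/<x^4+1> (Remark 2.3)."""
    p, n = GAMMA[:], 1
    while p != [1, 0, 0, 0]:
        p, n = col_mul(p, GAMMA), n + 1
    return n
```

`interpolate(SBOX)` has nonzero coefficients only at degrees 254, 253, 251, 247, 239, 223, 191, 127 and 0, which is the sparsity argument of Section 4 made concrete: the eight exponents are $255 - 2^i$, the images of $u^{254 \cdot 2^i}$ under $u^{256} = u$. `interpolate(INV_SBOX)` fills essentially every degree below 255, and `cycle_lengths(SBOX)` returns the five cycle lengths listed above.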
5 Conclusion

In this paper we provided a description of the Advanced Encryption Standard Rijndael which involves a series of polynomial transformations in a finite ring $R$. Special attention was given to deriving the permutation polynomials describing the S-Box and the inverse S-Box of the Rijndael system.

References

[1] Federal Information Processing Standards Publication 197, Advanced Encryption Standard, November 2001.
[2] D. Cox, J. Little, and D. O'Shea. Using Algebraic Geometry. Springer-Verlag, New York.
[3] J. Daemen and V. Rijmen. AES Proposal: Rijndael. AES algorithm submission, September.
[4] J. Daemen and V. Rijmen. The Design of Rijndael: AES, The Advanced Encryption Standard. Springer-Verlag, Berlin Heidelberg.
[5] N. Ferguson, R. Schroeppel, and D. Whiting. A simple algebraic representation of Rijndael. In S. Vaudenay and A. M. Youssef, editors, Selected Areas in Cryptography, LNCS 2259. Springer-Verlag, Berlin, December.
[6] H. W. Lenstra, Jr. Rijndael for algebraists. Preprint, April.
[7] H. W. Lenstra, Jr. and R. J. Schoof. Primitive normal bases for finite fields. Math. Comp., 48(177).
[8] R. Lidl and H. Niederreiter. Introduction to Finite Fields and their Applications. Cambridge University Press, Cambridge, revised edition.
[9] S. Murphy and M. Robshaw. New observations on Rijndael. Preprint, August.
[10] W. Trappe and L. C. Washington. Introduction to Cryptography with Coding Theory. Prentice Hall, Upper Saddle River, New Jersey.
ON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD Paul D. Yacoumis Supervisor: Dr. Robert Clarke November 2005 Thesis submitted for the degree of Honours in Pure Mathematics Contents 1 Introduction
More informationCryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2)
AAECC (212) 23:143 149 DOI 1.17/s2-12-17-z ORIGINAL PAPER Cryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2) Abdel Alim Kamal Amr M. Youssef Received: 2 November 211
More informationCryptography: Key Issues in Security
L. Babinkostova J. Keller B. Schreiner J. Schreiner-McGraw K. Stubbs August 1, 2014 Introduction Motivation Group Generated Questions and Notation Translation Based Ciphers Previous Results Definitions
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES
CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.
More informationHans Delfs & Helmut Knebl: Kryptographie und Informationssicherheit WS 2008/2009. References. References
Hans Delfs & Helmut Knebl: Kryptographie und Informationssicherheit WS 2008/2009 Die Unterlagen sind ausschliesslich zum persoenlichen Gebrauch der Vorlesungshoerer bestimmt. Die Herstellung von elektronischen
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationRoyal Holloway University of London
Projective Aspects of the AES Inversion Wen-Ai Jackson and Sean Murphy Technical Report RHUL MA 2006 4 25 November 2005 Royal Holloway University of London Department of Mathematics Royal Holloway, University
More informationTHE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018
THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 CPSC 418/MATH 318 L01 October 17, 2018 Time: 50 minutes
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers
More informationGurgen Khachatrian Martun Karapetyan
34 International Journal Information Theories and Applications, Vol. 23, Number 1, (c) 2016 On a public key encryption algorithm based on Permutation Polynomials and performance analyses Gurgen Khachatrian
More informationDirect Construction of Recursive MDS Diffusion Layers using Shortened BCH Codes
Direct Construction of Recursive MDS Diffusion Layers using Shortened BCH Codes Daniel Augot 1 and Matthieu Finiasz 2 1 INRIA - LIX UMR 7161 X-CNRS 2 CryptoExperts Abstract. MDS matrices allow to build
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationAttacking AES via SAT
Computer Science Department Swansea University BCTCS Warwick, April 7, 2009 Introduction In the following talk, a general translation framework, based around SAT, is considered, with the aim of providing
More informationSecurity of the AES with a Secret S-box
Security of the AES with a Secret S-box Tyge Tiessen, Lars R Knudsen, Stefan Kölbl, and Martin M Lauridsen {tyti,lrkn,stek,mmeh}@dtudk DTU Compute, Technical University of Denmark, Denmark Abstract How
More informationClassical Cryptography
Classical Cryptography CSG 252 Fall 2006 Riccardo Pucella Goals of Cryptography Alice wants to send message X to Bob Oscar is on the wire, listening to communications Alice and Bob share a key K Alice
More informationSecret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:
Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design: Secret Key Systems Encrypting a small block of text (say 64 bits) General considerations
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationOn the invertibility of the XOR of rotations of a binary word
On the invertibility of the XOR of rotations of a binary word Ronald L. Rivest November 10, 2009 Abstract We prove the following result regarding operations on a binary word whose length is a power of
More informationHyper-bent Functions
Hyper-bent Functions Amr M. Youssef 1 and Guang Gong 2 1 Center for Applied Cryptographic Research Department of Combinatorics & Optimization University of Waterloo, Waterloo, Ontario N2L3G1, CANADA a2youssef@cacr.math.uwaterloo.ca
More information} has dimension = k rank A > 0 over F. For any vector b!
FINAL EXAM Math 115B, UCSB, Winter 2009 - SOLUTIONS Due in SH6518 or as an email attachment at 12:00pm, March 16, 2009. You are to work on your own, and may only consult your notes, text and the class
More informationBlock Ciphers and Systems of Quadratic Equations
Block Ciphers and Systems of Quadratic Equations Alex Biryukov and Christophe De Cannière Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee, Belgium
More informationAlgebraic Aspects of Symmetric-key Cryptography
Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under
More informationMATH3302 Cryptography Problem Set 2
MATH3302 Cryptography Problem Set 2 These questions are based on the material in Section 4: Shannon s Theory, Section 5: Modern Cryptography, Section 6: The Data Encryption Standard, Section 7: International
More informationMatrix Power S-Box Construction
Matrix Power S-Box Construction Eligijus Sakalauskas a and Kestutis Luksys b Department of Applied Mathematics, Kaunas University of Technology, Studentu g. 50, 52368 Kaunas, Lithuania a Eligijus.Sakalauskas@ktu.lt
More informationDickson Polynomials that are Involutions
Dickson Polynomials that are Involutions Pascale Charpin Sihem Mesnager Sumanta Sarkar May 6, 2015 Abstract Dickson polynomials which are permutations are interesting combinatorial objects and well studied.
More informationQuadratic Equations from APN Power Functions
IEICE TRANS. FUNDAMENTALS, VOL.E89 A, NO.1 JANUARY 2006 1 PAPER Special Section on Cryptography and Information Security Quadratic Equations from APN Power Functions Jung Hee CHEON, Member and Dong Hoon
More informationAn Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations
An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations J.H. Silverman 1, N.P. Smart 2, and F. Vercauteren 2 1 Mathematics Department, Box 1917, Brown
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationNew Gröbner Bases for formal verification and cryptography
New Gröbner Bases for formal verification and cryptography Gert-Martin Greuel Diamant/Eidma Symposium November 29th - November 30th November 29th, 2007 Introduction Focus of this talk New developements
More informationWinter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2
0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More informationCHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER
177 CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER 178 12.1 Introduction The study of cryptography of gray level images [110, 112, 118] by using block ciphers has gained considerable
More informationSubquadratic space complexity multiplier for a class of binary fields using Toeplitz matrix approach
Subquadratic space complexity multiplier for a class of binary fields using Toeplitz matrix approach M A Hasan 1 and C Negre 2 1 ECE Department and CACR, University of Waterloo, Ontario, Canada 2 Team
More informationCryptographically Robust Large Boolean Functions. Debdeep Mukhopadhyay CSE, IIT Kharagpur
Cryptographically Robust Large Boolean Functions Debdeep Mukhopadhyay CSE, IIT Kharagpur Outline of the Talk Importance of Boolean functions in Cryptography Important Cryptographic properties Proposed
More informationChapter 2 Symmetric Encryption Algorithms
Chapter 2 Symmetric Encryption Algorithms February 15, 2010 2 The term symmetric means that the same key used to encrypt is used decrypt. In the widest sense all pre-pkc encryption algorithms are symmetric,
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationModule 2 Advanced Symmetric Ciphers
Module 2 Advanced Symmetric Ciphers Dr. Natarajan Meghanathan Professor of Computer Science Jackson State University E-mail: natarajan.meghanathan@jsums.edu Data Encryption Standard (DES) The DES algorithm
More informationCODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.
CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES A selection of the following questions will be chosen by the lecturer to form the Cryptology Assignment. The Cryptology Assignment is due by 5pm Sunday 1
More information17.1 Binary Codes Normal numbers we use are in base 10, which are called decimal numbers. Each digit can be 10 possible numbers: 0, 1, 2, 9.
( c ) E p s t e i n, C a r t e r, B o l l i n g e r, A u r i s p a C h a p t e r 17: I n f o r m a t i o n S c i e n c e P a g e 1 CHAPTER 17: Information Science 17.1 Binary Codes Normal numbers we use
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationSome approaches to construct MDS matrices over a finite field
2017 6 Å 31 Å 2 ¹ June 2017 Communication on Applied Mathematics and Computation Vol.31 No.2 DOI 10.3969/j.issn.1006-6330.2017.02.001 Some approaches to construct MDS matrices over a finite field BELOV
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationPractical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function
Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function Itai Dinur 1, Pawe l Morawiecki 2,3, Josef Pieprzyk 4 Marian Srebrny 2,3, and Micha l Straus 3 1 Computer Science Department, École
More informationA SIMPLE GENERALIZATION OF THE ELGAMAL CRYPTOSYSTEM TO NON-ABELIAN GROUPS
Communications in Algebra, 3: 3878 3889, 2008 Copyright Taylor & Francis Group, LLC ISSN: 0092-7872 print/132-12 online DOI: 10.1080/0092787080210883 A SIMPLE GENERALIZATION OF THE ELGAMAL CRYPTOSYSTEM
More informationMathematical Foundations of Cryptography
Mathematical Foundations of Cryptography Cryptography is based on mathematics In this chapter we study finite fields, the basis of the Advanced Encryption Standard (AES) and elliptical curve cryptography
More informationCold Boot Key Recovery by Solving Polynomial Systems with Noise
Cold Boot Key Recovery by Solving Polynomial Systems with Noise Martin R. Albrecht 1 & Carlos Cid 2 Team Salsa, LIP6, UPMC Information Security Group, Royal Holloway, University of London DTU, 04. April
More informationWhite Box Cryptography: Another Attempt
White Box Cryptography: Another Attempt Julien Bringer 1, Hervé Chabanne 1, and Emmanuelle Dottax 1 Sagem Défense Sécurité Abstract. At CMS 2006 Bringer et al. show how to conceal the algebraic structure
More informationNotes 10: Public-key cryptography
MTH6115 Cryptography Notes 10: Public-key cryptography In this section we look at two other schemes that have been proposed for publickey ciphers. The first is interesting because it was the earliest such
More informationIntroduction to Modern Cryptography Lecture 4
Introduction to Modern Cryptography Lecture 4 November 22, 2016 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationUNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY
UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY Rainer Steinwandt 1,2 Florida Atlantic University, USA (joint work w/ B. Amento, M. Grassl, B. Langenberg 2, M. Roetteler) 1 supported
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationBiomedical Security. Overview 9/15/2017. Erwin M. Bakker
Biomedical Security Erwin M. Bakker Overview Cryptography: Algorithms Cryptography: Protocols Pretty Good Privacy (PGP) / B. Schneier Workshop Biomedical Security Biomedical Application Security (guest
More informationLittle Dragon Two: An efficient Multivariate Public Key Cryptosystem
Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India October
More informationTROPICAL CRYPTOGRAPHY II: EXTENSIONS BY HOMOMORPHISMS
TROPICAL CRYPTOGRAPHY II: EXTENSIONS BY HOMOMORPHISMS DIMA GRIGORIEV AND VLADIMIR SHPILRAIN Abstract We use extensions of tropical algebras as platforms for very efficient public key exchange protocols
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC
More informationChapter 1 - Linear cryptanalysis.
Chapter 1 - Linear cryptanalysis. James McLaughlin 1 Introduction. Linear cryptanalysis was first introduced by Mitsuru Matsui in [12]. The cryptanalyst attempts to find a linear equation x 1... x i =
More informationIntroduction to finite fields
Chapter 7 Introduction to finite fields This chapter provides an introduction to several kinds of abstract algebraic structures, particularly groups, fields, and polynomials. Our primary interest is in
More informationBlock ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit
Block ciphers Block ciphers Myrto Arapinis School o Inormatics University o Edinburgh January 22, 2015 A block cipher with parameters k and l is a pair o deterministic algorithms (E, D) such that Encryption
More informationImage Encryption and Decryption Algorithm Using Two Dimensional Cellular Automata Rules In Cryptography
Image Encryption and Decryption Algorithm Using Two Dimensional Cellular Automata Rules In Cryptography P. Sanoop Kumar Department of CSE, Gayatri Vidya Parishad College of Engineering(A), Madhurawada-530048,Visakhapatnam,
More informationSome integral properties of Rijndael, Grøstl-512 and LANE-256
Some integral properties of Rijndael, Grøstl-512 and LANE-256 Marine Minier 1, Raphael C.-W. Phan 2, and Benjamin Pousse 3 1 Universit de Lyon, INRIA, INSA-Lyon, CITI, 2 Electronic & Electrical Engineering,
More informationduring transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL
THE MATHEMATICAL BACKGROUND OF CRYPTOGRAPHY Cryptography: used to safeguard information during transmission (e.g., credit card number for internet shopping) as opposed to Coding Theory: used to transmit
More informationAccelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography. Stefan Tillich, Johann Großschädl
Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography International Workshop on Information Security & Hiding (ISH '05) Institute for Applied Information Processing and Communications
More informationUniv.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.
Cryptography Univ.-Prof. Dr. rer. nat. Rudolf Mathar 1 2 3 4 15 15 15 15 60 Written Examination Cryptography Tuesday, August 29, 2017, 01:30 p.m. Name: Matr.-No.: Field of study: Please pay attention to
More informationStream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida
Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits
More information