Block vs. Stream cipher
|
|
- Cynthia MargaretMargaret Tucker
- 6 years ago
- Views:
Transcription
1 Block vs. Stream cipher Idea of a block cipher: partition the text into relatively large (e.g. 128 bits) blocks and encode each block separately. The encoding of each block generally depends on at most one of the previous blocks. the same key is used at each block. Idea of a stream cipher: partition the text into small (e.g. 1 bit) blocks and let the encoding of each block depend on many previous blocks. for each block, a different key is generated.
2 Ý ¼ Ü ½ Ý ½ Ü ¾ Ý ¾ Ü Ý Ü Ý Examples of stream ciphers One-time pad. Block cipher in OFB or CTR mode. ÁÎ ½ ÁÎ ¾ ÁÎ ÁÎ ÁÎ
3 Synchronous stream ciphers Definition 1. A stream cipher is synchronous if its key sequence does not depend on the plain- and ciphertexts but only on the previous elements of the key sequence and the initial key. Þ Þ ½ Þ ¾ Þ Ø µ Ý Ü Þ µ Þ ½ Þ¼ Þ½ Þ¾ Þ Ý½ ݾ Ý Ü½ ܾ Ü
4 Properties of the synchronous stream cipher 1. The encoder and decoder must be synchronized, i.e. the decoder must always make sure that it applies the right element of the key sequence to the given element of the ciphertext sequence. 2. If an element of the ciphertext sequence has been changed (but not deleted) then only the corresponding plaintext element is affected. One-time pad is a synchronous stream cipher. Other synchronous stream ciphers could be called pseudo one-time pads. They are as secure as hard it is to distinguish Þ µ from a truly random sequence.
5 ݼ ݽ ݾ Ý Self-synchronizing stream ciphers Definition 2. A stream cipher is self-synchronizing if its keystream depends on the plain- or ciphertext. Þ Ý ½ Ý ¾ Ý Ø µ Ý Ü Þ µ Þ½ Þ¾ Þ Ý ½ ܽ ܾ Ü
6 Properties of a self-synchronizing stream cipher 1. If a ciphertext block is changed somehow (either randomly or adverently) then only the decryptions of the next Ø blocks are affected. Hence the decoding process synchronizes itself. 2. The rather quick reappearance of the correct decoding means that the tampering of some ciphertext blocks may remain unnoticed. 3. As the cryptotext blocks depend on all preceeding plaintext blocks, the statistical analysis of the cryptotext is hopefully more difficult.
7 Linear keystream generator Let ½ Ø ¾ ¼ ½ certain fixed bits and Þ ¼ Þ Ø ½ the initial keystream bits. The subsequent bits Þ of the keystream Þ Ò µ, where Ø, are generated using the rule Þ Þ ½ Þ ¾ Þ Ø µ ½ Þ ½ ¾ Þ ¾ Ø Þ Ø µ ÑÓ ¾ Example: Ø let, ¾ ¼ ½ ja ½ Þ and Þ ½ Þ ¾ Þ µ ¼ ½ ¼ ¼µ. The output of the generator is then ¼ ¼ ½ ¼ ¼ ½ ½ ¼ ½ ¼ ½ ½ ½ ½ ¼ ¼ ¼
8 Linear feedback shift register (Lineaarse tagasisidega nihkeregister)... is an electronic gadget for generating a linear keystream. The LFSR corresponding to the previous example is Ê Ê Ê ¾ Ê ½ output
9 LFSR works like this... Ê step Ê Ê ¾ Ê ½ Ê step Ê Ê ¾ Ê ½ Ê Ê Ê ¾ Ê ½ output
10 Periodic sequences Definition 3. A sequence Þ ¼ Þ ½ Þ ¾ is periodic if there exists a ½, such that Þ Þ for all ¼. The smallest such is called the period of that sequence. If Þ Þ holds only for all sufficiently large -s, then Þ is called eventually periodic. Exercise. Show that the sequence of bits generated by any LFSR is eventually periodic. Show that the period of a sequence generated by a Ø-register LFSR is at most ¾ Ø ½. Show that if this bound is reached then each period contains ¾ Ø ½ bits ½ and ¾ Ø ½ ½ bits ¼. Exercise. Show that any (eventually) periodic sequence can be generated by an LFSR. The linear complexity Ä Þµ of a sequence Þ is the minimal number of registers that a LFSR needs to output this sequence.
11 LFSR as a stream cipher P C ¼ ½. A key ¾ K consists of Ø ¾ Æ ; ½ Ø ¾ ¼ ½; Þ ¼ Þ Ø ½ ¾ ¼ ½. To encode or Ü ¾ ¼ ½ decode : compute Þ Ò ½ Þ ½ Ø Þ Ø ÑÓ Ø Ò ½ for and Ü output Þ. ¾ A synchronous stream cipher...how difficult it is to distinguish Þ µ from a truly random sequence of bits? I.e. if we know a part of the sequence Þ µ, how difficult it is to predict the next element(s)?
12 Þ Ö Ø ½ ½ Þ Ö Ø ¾ ¾ Þ Ö Ø Þ Ö Ø Þ Ö Ø ½ Þ Ö Ø ½ ¾ Þ Ö ½ Ø Þ Ö Ø ½ If we know the linear complexity Ä Þµ Let Ø. We need to find ¾Ø out consequtive keystream Þ bits Þ Ö ¾Ø ½ Ö. Known-plaintext attack can provide them. The following equations hold: Ö ¾Ø ¾ ½ Þ Ö ¾Ø ¾ Þ Ö Ø ½ Ø Þ Ö ¾Ø ½ Þ Solve this system over ¾ for Ø ½ µ. It has a solution the coefficients of the LFSR generating this sequence.
13 If we do not know the linear complexity Then we must (over)estimate it. Let us know Ø Ä Þµ Ø ¼. We need ¾Ø consequtive keystream bits; solve the same system of equations. It has a solution: if ¼ ½ ¼ Ø ¼ µ are the coefficients of a minimal LFSR generating Þ then ¼ if ½ ؼ ; ¼ if Ø ¼ ½ Ø is a solution to the system of equations. There are other solutions as well. We can even determine the linear compexity.
14 Polynomials over a ring Ê Formally, a polynomial Ô is a mapping Æ Ê (here Æ ¼ ½ ¾ ) with only finitely many non-zero entries. Denote Ô µ by Ô. The values of Ô are called its coefficients. is usually written Ô as Ô ½ Ü Ô ¾ Ü ¾ Ô Ñ Ü ¼ where Ô Ñ Ô Ñ ½ Ñ ¾ ¼. Ô Polynomials can be added, multiplied, divided (with remainder), ÔÕ division is possible if the leading coefficient Õ of is invertible. multiplied with a scalar used as arguments to Euclid s algorithm, giving their gcd. The set of all polynomials over Ê, denoted ÊÜ, is a ring.
15 ¼ ½ µ ¼ ½ µ Formal series over a ring Ê A formal series is Æ a mapping Ê. The values of are called its ½ coefficients. is usually written as ¼ Ü. Formal series can be added, multiplied, multiplied with a scalar: È µ µ If ¼ is invertible then ½ exists and is given by ½ µ ¼ ½ ¼ ½ µ ½ ¼ The set of all formal series over Ê, denoted ÊÜ, is a ring. A sequence Þ µ can also be seen as a formal series (over ¾ ).
16 Õ ½ ½ ½ Õ µ Õ Ô ½ ½ Õ ½ Rational formal series A formal series is rational if it can be expressed ÔÕ as, where Ô and ½ are polynomials. Then ¼ Ô ¼ Õ ½ ¼ and Õ ½ Õ µ Õ ½ ¼ Ô Ô ¼ Õ ½ ¼ Ô Õ ½ Õ µ Õ ½ ¼ Ô Ô Ô Õ ½ µ ¼ ½ ¼ Ô Õ I.e. the coefficients of a rational formal series satisfy a linear recurrence. If Ê is finite then the coefficients of are eventually periodic.
17 ½ Ö ½ Ø Ö Ü Ô ¼µ ½ Ü Ø µ ½ Ô Ü Ö Ô ¼µ ½ Ü Ø µ Ô Ü Ö Theorem 1. Let the coefficients of ¾ ÊÜ be eventually periodic. Then is rational. Proof. Let ¼ Ö ½ be the non-periodic part of s coefficients and let Ø for all Ö. Let Ü and Ô Ô ¼µ ¼ ¼ Then Ô ¼µ Ô Ü Ö Ô Ü Ö Ø Ô Ü Ö ¾Ø Ô ¼µ ½ Ü Ø Ü ¾Ø µ Ô Ü Ö ½ Ü Ø Corollary. If s coefficients are periodic (i.e. Ö ¼) then Ô Õ where Ô Õ.
18 Õ and Þ ½ Ø Þ ½ Rational formal series over ¾ vs. LFSRs Let ½ Ø and Þ ½ Þ Ø be given. Compare: Take Ô Õ ¼ ½, Õ Ø and Õ for ½ Ø. Ô Þ Þ for ½ Ø. ½ È Then Þ. Õ is the characteristic polynomial of the LFSR generating Þ. If Ä Þµ Ø then Õ is the characteristic polynomial of Þ.
19 Finding the characteristic polynomial Given: Þ Ö Þ Ö ¾Ø ½, such that Ø Ä Þµ. Assume Ö ½. Compute ½ Ø by solving a system of linear equations. Find Õ and Ô as in the previous slide. Return Õ Ô Õµ. Berlekamp-Massey algorithm is faster...ç Ø ¾ µ. Exercise: if we know Ä Þµ and solve the system of equations containing exactly Ä Þµ unknowns, then is it possible to get more than one solution?
20 Berlekamp-Massey algorithm B-M algorithm reads the coefficients ¼ ½ ¾ one by one. At the -th stage of the algorithm (having read ¼ ½ ) it has computed polynomials Ô µ, Õ µ, such that Õ µ Ô µ ÑÓ Ü µ The size Ô µ Õ µ µ ÑÜ Õ µ Ô µ µ ½ of the LFSR is minimal. Step of the algorithm: read. If Õ µ Ô µ ÑÓ Ü ½ µ then Õ ½µ Õ µ, Ô ½µ Ô µ. Otherwise we have a discrepancy.
21 µ µ Recomputing Ô and Õ We have Õ µ Ô µ µ Ü ÑÓ Ü ½ µ for some µ ¼. Let be some earlier discrepancy: Õ µ Ô µ µ Ü ÑÓ Ü ½ µ. µ Ü Ô µ and Õ ½µ Õ µ Õ µ Ü µ Take Ô ½µ Ô µ Exercise. Show that Õ ½µ Ô ½µ ÑÓ Ü ½ µ In the B-M algorithm, the last such is used where Ô µ Õ µ µ Ô ½µ Õ ½µ µ
22 B-M algorithm: initialization If ¼ ½ ¾ ¼ then return Ô ¼ Õ ½µ. Let be such, that Ñ ½ ¼ ¼, Ñ ¼. Ñ Let ¼, ½, Ô Ñ ½µ Ô Ñµ Ü Õ Ñµ Ñ, Ñ Ü, if Ñ Ñ ¼ and Õ Ñ ½µ ½ if Ñ ¼. Õ Ñ ½µ ½ At step Ñ, the linear complexity changed.
23 LFSR-s with long periods We know that an LFSR with Ø registers can output a sequence with a period at most ¾ Ø ½. How to achieve this upper bound? Definition 4. A polynomial Ô ¾ ÊÜ is reducible if there exists a polynomial Õ ¾ ÊÜ, such that ½ Õ Ô and Õ Ô. Otherwise we call Ô irreducible.
24 Residue classes modulo polynomials Given Ô ¾ ÊÜ with invertible leading coefficient we can consider the set ÊÜ Ô of all residue classes of ÊÜ modulo Ô. We can define addition and multiplication on this set. ÊÜ Ô Õ Õ ¾ ÊÜ Õ Ô; Õ ½ Õ ¾ Õ ½ Õ ¾ ; Õ ½ Õ ¾ Õ ½ Õ ¾ ÑÓ Ô. The structure ÊÜ Ô µ is a ring. If Ê is a field and Ô is irreducible then ÊÜ Ô is a field. Finding inverses in ÊÜ Ô just like in Õ, where Õ ¾ È. Main tool Euclid s algorithm.
25 Finite fields Let Ô be an irreducible polynomial of degree Ñ over a finite field Ã. ÃÜ Ô Then is a field Ô with elements. Ñ Up to isomorphism, there exists only one field with Ô Ñ elements. If is a finite field à then is cyclic, i.e. it can be generated by à a single element of Ã. Definition 5. A polynomial Ô ¾ ÃÜ is primitive if Ü is a generator of ÃÜ Ôµ. Theorem 2. If a LFSR s characteristic polynomial Õ is primitive then the period of the sequence produced by this LFSR is ¾ Õ ½ for any non-zero initialization vector. Proof follows...
26 LFSRs in Galois configuration ½ Ê ¾ Ê Ê Ê Ê Ê Normal; characteristic ½ Ü polynomial: Ü Ü ¼ Ê ½ Ê ¾ Ê Ê Ê Ê Galois configuration; char. ½ Ü Ü polynomial: Ü Char. poly. of Galois conf: contains Ü if there is extra input to Ê. Also contains Ü Ø where Ø is the number of registers.
27 Evolution of state of a LFSR in Galois conf. A state of a Ø-register LFSR can be represented by a polynomial Ë µü where Ë Ê µ is the contents of Ê in Ë. Ë Ê ¼ The next state of LFSR in Galois conf. is then Ü Ô Ëµ µ ÑÓ Õ where Õ is the characteristic polynomial. Ô Ëµ È Ø ½ If Õ is primitive then the state of that LFSR in Galois conf. passes through all ¾ Ø ½ possible values. We can define an isomorphism between the states of a normal LFSR and its corresponding LFSR in Galois conf. Hence the states of a LFSR pass through ¾ all ½ possible values if the corresponding LFSR in Galois conf. has a primitive characteristic Ø polynomial. The period of the output sequence is ¾ then ½ as well. Ø
28 Mirror images of polynomials For Õ a ¼ polynomial Ü with Õ ¼ Õ È r Õµ image ¼ by Ü. Õ È ¼ Õ define its mirror If a (normal) LFSR has the characteristic polynomial Õ then the corresponding LFSR in Galois conf. has the characteristic polynomial r Õµ. r Õµ r Õ ¼ µ r Õ Õ ¼ µ. Just compare the coefficients. Hence Õ is irreducible iff r Õµ is. Õ (of degree ) is primitive iff r Õµ is. Indeed, suppose an irreducible Õ is not primitive, then Ü ½ ÑÓ Õµ for some Ô ½. I.e. there exists a polynomial Õ ¼, such that Ü ½ ÕÕ ¼. Then also r Ü ½µ r Õµr Õ ¼ µ. But r Ü ½µ Ü ½µ. Hence r Õµ r Õ ¼ µµ Ü ½ and r Õµ is not primitive.
29 Testing irreducibility Theorem 3. An irreducible Ñ polynomial of -th degree divides Ô Ü in ÔÜ. Ü Proof. ÔÜ Ñ is a field with Ô elements. Hence «Ô «¼ in ÔÜ Ñ for all «¾ ÔÜ Ñ (Fermat s little theorem). The polynomial Ü is also a member ÔÜ Ñ, hence Ü Ô Ü ¼ ÑÓ Ñµ in ÔÜ. Theorem 4. If an irreducible polynomial Ñ of -th degree divides ¼ then Ô. Ü Ü Proof. Let be ¼ the field with elements; it contains exactly the roots ¼ Ã Ô ¼ of Ü. is a vector space over with dimension. It contains ¼ Ô Ü Ô Ã ½ also «the roots of Ñ, let be Ë a root of Ñ. Let È ¼ «¾ Ô. Then is a field. Ã Ë We have Ô, Ñ hence Ã Ë ¼ Ô Ñ Ë Ãµ Ñ Ë Ãµ ˵ Ô and. ¼ Ñ
30 Testing irreducibility Õ ¾ ÔÜ is irreducible if Õ Ü Ô Üµ ½ for all Õµ¾. Here Ü Ô may be computed modulo Õ.
31 Testing primitiveness For Õ ¾ ÔÜ to be primitive, it must first be irreducible. Let Ñ We Ü ÑÓ must have Ô for all ½. It is sufficient to test ½ Õµ this only Ñ Ô for ½µÔ the values Ô where is a prime factor of ½. ¼ ¼ Ñ Ñ Ô Õ.
32 Polynomials: exercise Which of those polynomials are reducible, which are irreducible and which are primitive over ¾? 1. Ü ½, 2. Ü ¾, 3. Ü ¾ ½, 4. Ü ¾ Ü ½ 5. Ü ½ 6. Ü Ü ½, 7. Ü Ü ½, 8. Ü Ü ¾ ½.
33 Linear complexity: exercises Exercise. Determine the linear complexities of the following sequences. 1. ½ ¼ ½ ¼ ½ ¼ 2. ½ ¼ ¼ ½ ¼ ½ ½ ½ ¼ ¼ ½ ¼ ½ ½ 3. ½ ¼ ¼ ¼ ½ ¼ ½ ¼ ¼ ¼ ½ ¼ Exercise. 1. Construct a sequence with infinite linear complexity (i.e. a sequence that is generated by no LFSR).
34 LFSR-s in real cryptosystems Use one or more LFSR-s and apply some non-linear function to their outputs.
35 Shrinking generator... is constructed from two LFSRs working synchronously. The shrinking generator produces up to one bit for each bit-pair generated by these two LFSRs. It is defined as follows: 1. If the first LFSR outputs ½ then return the output of the second LFSR. 2. If the first LFSR outputs ¼ then return nothing (discard the output of the second LFSR). If the linear complexities of these two LFSR-s are Ä ½ and Ä ¾ and their periods are maximal, then the linear complexity Ä of the shrinking generator satisfies Ä ¾ ¾ Ä ½ ¾ Ä Ä ¾ ¾ Ä ½ ½
36 Other non-linear combiners Self-shrinking generator: Generate two bits, ¾ ½. If ½ ½ then output ¾. If ½ ¼ then output nothing. Majority: use three LFSR-s clocked synchronously, output the majority of their bits. Irregular clocking: use several LFSR-s, do not clock each of them at each clock cycle, decide the clocked LFSR-s in a non-linear way.
Pseudo-Random Number Generators
Unit 41 April 18, 2011 1 Pseudo-Random Number Generators Recall the one-time pad: k = k 1, k 2, k 3... a random bit-string p = p 1, p 2, p 3,... plaintext bits E(p) = p k. We desire long sequences of numbers
More informationLecture 10-11: General attacks on LFSR based stream ciphers
Lecture 10-11: General attacks on LFSR based stream ciphers Thomas Johansson T. Johansson (Lund University) 1 / 23 Introduction z = z 1, z 2,..., z N is a known keystream sequence find a distinguishing
More informationPrivate-key Systems. Block ciphers. Stream ciphers
Chapter 2 Stream Ciphers Further Reading: [Sim92, Chapter 2] 21 Introduction Remember classication: Private-key Systems Block ciphers Stream ciphers Figure 21: Private-key cipher classication Block Cipher:
More informationIntroduction to Modern Cryptography Lecture 4
Introduction to Modern Cryptography Lecture 4 November 22, 2016 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationCryptography Lecture 3. Pseudorandom generators LFSRs
Cryptography Lecture 3 Pseudorandom generators LFSRs Remember One Time Pad is ideal With OTP you need the same transmission capacity via an already secure channel for the key as you can then secure via
More informationCSc 466/566. Computer Security. 5 : Cryptography Basics
1/84 CSc 466/566 Computer Security 5 : Cryptography Basics Version: 2012/03/03 10:44:26 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian Collberg Christian
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationCRC Press has granted the following specific permissions for the electronic version of this book:
This is a Chapter from the Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996. For further information, see www.cacr.math.uwaterloo.ca/hac CRC Press has
More informationL9: Galois Fields. Reading material
L9: Galois Fields Reading material Muzio & Wesselkamper Multiple-valued switching theory, p. 3-5, - 4 Sasao, Switching theory for logic synthesis, pp. 43-44 p. 2 - Advanced Logic Design L9 - Elena Dubrova
More information4.3 General attacks on LFSR based stream ciphers
67 4.3 General attacks on LFSR based stream ciphers Recalling our initial discussion on possible attack scenarios, we now assume that z = z 1,z 2,...,z N is a known keystream sequence from a generator
More informationChapter 4 Mathematics of Cryptography
Chapter 4 Mathematics of Cryptography Part II: Algebraic Structures Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 4.1 Chapter 4 Objectives To review the concept
More informationCODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.
CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES A selection of the following questions will be chosen by the lecturer to form the Cryptology Assignment. The Cryptology Assignment is due by 5pm Sunday 1
More informationSolutions to the Midterm Test (March 5, 2011)
MATC16 Cryptography and Coding Theory Gábor Pete University of Toronto Scarborough Solutions to the Midterm Test (March 5, 2011) YOUR NAME: DO NOT OPEN THIS BOOKLET UNTIL INSTRUCTED TO DO SO. INSTRUCTIONS:
More informationCombinatorics of p-ary Bent Functions
Combinatorics of p-ary Bent Functions MIDN 1/C Steven Walsh United States Naval Academy 25 April 2014 Objectives Introduction/Motivation Definitions Important Theorems Main Results: Connecting Bent Functions
More information3.8 MEASURE OF RUNDOMNESS:
Lec 10 : Data Security Stream Cipher Systems 1 3.8 MEASURE OF RUNDOMNESS: 3.9.1 DEFINITION: Run: sequence of identical bits (0 or 1) Ex.01110000111 Runs are 0,111, 0000, 111 Gap: runs of zeroes 1000011
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationCryptography and Security Protocols. Previously on CSP. Today. El Gamal (and DSS) signature scheme. Paulo Mateus MMA MEIC
Cryptography and Security Protocols Paulo Mateus MMA MEIC Previously on CSP Symmetric Cryptosystems. Asymmetric Cryptosystem. Basics on Complexity theory : Diffie-Hellman key agreement. Algorithmic complexity.
More informationSTREAM CIPHER. Chapter - 3
STREAM CIPHER Chapter - 3 S t r e a m C i p h e r P a g e 38 S t r e a m C i p h e r P a g e 39 STREAM CIPHERS Stream cipher is a class of symmetric key algorithm that operates on individual bits or bytes.
More informationCONVEX OPTIMIZATION OVER POSITIVE POLYNOMIALS AND FILTER DESIGN. Y. Genin, Y. Hachez, Yu. Nesterov, P. Van Dooren
CONVEX OPTIMIZATION OVER POSITIVE POLYNOMIALS AND FILTER DESIGN Y. Genin, Y. Hachez, Yu. Nesterov, P. Van Dooren CESAME, Université catholique de Louvain Bâtiment Euler, Avenue G. Lemaître 4-6 B-1348 Louvain-la-Neuve,
More informationApplications of Discrete Mathematics to the Analysis of Algorithms
Applications of Discrete Mathematics to the Analysis of Algorithms Conrado Martínez Univ. Politècnica de Catalunya, Spain May 2007 Goal Given some algorithm taking inputs from some set Á, we would like
More informationUniv.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.
Cryptography Univ.-Prof. Dr. rer. nat. Rudolf Mathar 1 2 3 4 15 15 15 15 60 Written Examination Cryptography Tuesday, August 29, 2017, 01:30 p.m. Name: Matr.-No.: Field of study: Please pay attention to
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationLinear Feedback Shift Registers
Linear Feedback Shift Registers Pseudo-Random Sequences A pseudo-random sequence is a periodic sequence of numbers with a very long period. Golomb's Principles G1: The # of zeros and ones should be as
More informationFinding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago
The number-field sieve Finding small factors of integers Speed of the number-field sieve D. J. Bernstein University of Illinois at Chicago Prelude: finding denominators 87366 22322444 in R. Easily compute
More informationClassical Cryptography
Classical Cryptography CSG 252 Fall 2006 Riccardo Pucella Goals of Cryptography Alice wants to send message X to Bob Oscar is on the wire, listening to communications Alice and Bob share a key K Alice
More informationSecret Key: stream ciphers & block ciphers
Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad define a secret key ( seed ) Using the seed generates a byte stream (Keystream): i-th byte is function only
More informationA Language for Task Orchestration and its Semantic Properties
DEPARTMENT OF COMPUTER SCIENCES A Language for Task Orchestration and its Semantic Properties David Kitchin, William Cook and Jayadev Misra Department of Computer Science University of Texas at Austin
More informationBasic elements of number theory
Cryptography Basic elements of number theory Marius Zimand 1 Divisibility, prime numbers By default all the variables, such as a, b, k, etc., denote integer numbers. Divisibility a 0 divides b if b = a
More informationBasic elements of number theory
Cryptography Basic elements of number theory Marius Zimand By default all the variables, such as a, b, k, etc., denote integer numbers. Divisibility a 0 divides b if b = a k for some integer k. Notation
More informationThesis Research Notes
Thesis Research Notes Week 26-2012 Christopher Wood June 29, 2012 Abstract This week was devoted to reviewing some classical literature on the subject of Boolean functions and their application to cryptography.
More informationLecture Notes. Advanced Discrete Structures COT S
Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-22 Recap Two methods for attacking the Vigenère cipher Frequency analysis Dot Product Playfair Cipher Classical Cryptosystems - Section
More informationDistinguishing Stream Ciphers with Convolutional Filters
Distinguishing Stream Ciphers with Convolutional Filters Joan Daemen and Gilles Van Assche STMicroelectronics Smart Cards ICs Division Excelsiorlaan 44 46, 930 Zaventem, Belgium February 5, 2005 Abstract
More informationFields in Cryptography. Çetin Kaya Koç Winter / 30
Fields in Cryptography http://koclab.org Çetin Kaya Koç Winter 2017 1 / 30 Field Axioms Fields in Cryptography A field F consists of a set S and two operations which we will call addition and multiplication,
More informationChapter 4 Finite Fields
Chapter 4 Finite Fields Introduction will now introduce finite fields of increasing importance in cryptography AES, Elliptic Curve, IDEA, Public Key concern operations on numbers what constitutes a number
More informationB. Cyclic Codes. Primitive polynomials are the generator polynomials of cyclic codes.
B. Cyclic Codes A cyclic code is a linear block code with the further property that a shift of a codeword results in another codeword. These are based on polynomials whose elements are coefficients from
More informationCongruence Classes. Number Theory Essentials. Modular Arithmetic Systems
Cryptography Introduction to Number Theory 1 Preview Integers Prime Numbers Modular Arithmetic Totient Function Euler's Theorem Fermat's Little Theorem Euclid's Algorithm 2 Introduction to Number Theory
More informationNew Methods for Cryptanalysis of Stream Ciphers. The Selmer Centre Department of Informatics University of Bergen Norway
New Methods for Cryptanalysis of Stream Ciphers Håvard Molland The Selmer Centre Department of Informatics University of Bergen Norway 18th May 2005 Acknowledgments I would like to express my gratitude
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationMathematical Foundations of Cryptography
Mathematical Foundations of Cryptography Cryptography is based on mathematics In this chapter we study finite fields, the basis of the Advanced Encryption Standard (AES) and elliptical curve cryptography
More informationCIS 6930/4930 Computer and Network Security. Topic 5.1 Basic Number Theory -- Foundation of Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.1 Basic Number Theory -- Foundation of Public Key Cryptography 1 Review of Modular Arithmetic 2 Remainders and Congruency For any integer a and any positive
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationEECS Components and Design Techniques for Digital Systems. Lec 26 CRCs, LFSRs (and a little power)
EECS 150 - Components and esign Techniques for igital Systems Lec 26 CRCs, LFSRs (and a little power) avid Culler Electrical Engineering and Computer Sciences University of California, Berkeley http://www.eecs.berkeley.edu/~culler
More informationCryptanalysis of the Light-Weight Cipher A2U2 First Draft version
Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Mohamed Ahmed Abdelraheem, Julia Borghoff, Erik Zenner Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark {M.A.Abdelraheem,J.Borghoff,E.Zenner}@mat.dtu.dk
More informationA Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones
A Low Data Complexity Attack on the GMR-2 Cipher Used in the atellite Phones Ruilin Li, Heng Li, Chao Li, Bing un National University of Defense Technology, Changsha, China FE 2013, ingapore 11 th ~13
More informationA block cipher enciphers each block with the same key.
Ciphers are classified as block or stream ciphers. All ciphers split long messages into blocks and encipher each block separately. Block sizes range from one bit to thousands of bits per block. A block
More informationSoft-decision Decoding of Chinese Remainder Codes
Soft-decision Decoding of Chinese Remainder Codes Venkatesan Guruswami Amit Sahai Ý Madhu Sudan Þ Abstract Given Ò relatively prime integers Ô Ô Ò and an integer Ò, the Chinese Remainder Code, ÊÌ É ÔÔÒ,
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationCPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems
CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationECEN 5022 Cryptography
Elementary Algebra and Number Theory University of Colorado Spring 2008 Divisibility, Primes Definition. N denotes the set {1, 2, 3,...} of natural numbers and Z denotes the set of integers {..., 2, 1,
More informationRandomized Simultaneous Messages: Solution of a Problem of Yao in Communication Complexity
Randomized Simultaneous Messages: Solution of a Problem of Yao in Communication Complexity László Babai Peter G. Kimmel Department of Computer Science The University of Chicago 1100 East 58th Street Chicago,
More informationThe RSA cryptosystem and primality tests
Mathematics, KTH Bengt Ek November 2015 Supplementary material for SF2736, Discrete mathematics: The RSA cryptosystem and primality tests Secret codes (i.e. codes used to make messages unreadable to outsiders
More informationMathematics of Cryptography
UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms
More informationNOTES ON FINITE FIELDS
NOTES ON FINITE FIELDS AARON LANDESMAN CONTENTS 1. Introduction to finite fields 2 2. Definition and constructions of fields 3 2.1. The definition of a field 3 2.2. Constructing field extensions by adjoining
More informationCode-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago
Code-based post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption security
More informationAlgebra for error control codes
Algebra for error control codes EE 387, Notes 5, Handout #7 EE 387 concentrates on block codes that are linear: Codewords components are linear combinations of message symbols. g 11 g 12 g 1n g 21 g 22
More information10 Concrete candidates for public key crypto
10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see
More informationF O R SOCI AL WORK RESE ARCH
7 TH EUROPE AN CONFERENCE F O R SOCI AL WORK RESE ARCH C h a l l e n g e s i n s o c i a l w o r k r e s e a r c h c o n f l i c t s, b a r r i e r s a n d p o s s i b i l i t i e s i n r e l a t i o n
More informationAn Improved Quantum Fourier Transform Algorithm and Applications
An Improved Quantum Fourier Transform Algorithm and Applications Lisa Hales Group in Logic and the Methodology of Science University of California at Berkeley hales@cs.berkeley.edu Sean Hallgren Ý Computer
More informationNew Implementations of the WG Stream Cipher
New Implementations of the WG Stream Cipher Hayssam El-Razouk, Arash Reyhani-Masoleh, and Guang Gong Abstract This paper presents two new hardware designs of the WG-28 cipher, one for the multiple output
More informationAlgebraic attack on stream ciphers Master s Thesis
Comenius University Faculty of Mathematics, Physics and Informatics Department of Computer Science Algebraic attack on stream ciphers Master s Thesis Martin Vörös Bratislava, 2007 Comenius University Faculty
More informationMathematical Foundations of Public-Key Cryptography
Mathematical Foundations of Public-Key Cryptography Adam C. Champion and Dong Xuan CSE 4471: Information Security Material based on (Stallings, 2006) and (Paar and Pelzl, 2010) Outline Review: Basic Mathematical
More informationAn algorithm for computing minimal bidirectional linear recurrence relations
Loughborough University Institutional Repository An algorithm for computing minimal bidirectional linear recurrence relations This item was submitted to Loughborough University's Institutional Repository
More informationEECS150 - Digital Design Lecture 21 - Design Blocks
EECS150 - Digital Design Lecture 21 - Design Blocks April 3, 2012 John Wawrzynek Spring 2012 EECS150 - Lec21-db3 Page 1 Fixed Shifters / Rotators fixed shifters hardwire the shift amount into the circuit.
More information1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2
Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number
More informationDesign of Pseudo-Random Spreading Sequences for CDMA Systems
Design of Pseudo-Random Spreading Sequences for CDMA Systems Jian Ren and Tongtong Li Department of Electrical and Computer Engineering Michigan State University, 2120 Engineering Building East Lansing,
More informationLecture 6: Introducing Complexity
COMP26120: Algorithms and Imperative Programming Lecture 6: Introducing Complexity Ian Pratt-Hartmann Room KB2.38: email: ipratt@cs.man.ac.uk 2015 16 You need this book: Make sure you use the up-to-date
More informationA CRYPTANALYTIC ATTACK-ON THE LU-LEE PUBLIC-KEY CRYPTOSYSTEM
Philips J. Res. 35, 301-306, 1980 R J022 A CRYPTANALYTIC ATTACK-ON THE LU-LEE PUBLIC-KEY CRYPTOSYSTEM by J.-M. GOETHALS and C. COUVREUR Abstract We present a method for finding the secret decryption key
More informationa fast correlation attack implementation
university of cape town a fast correlation attack implementation Honours Project 2011 Azhar Desai supervisors Dr Anne Kayem Dr Christine Swart Abstract Stream ciphers are used to encrypt data on devices
More informationClock-Controlled Shift Registers for Key-Stream Generation
Clock-Controlled Shift Registers for Key-Stream Generation Alexander Kholosha Department of athematics and Computer Science Technische Universiteit Eindhoven, PO Box 513, 5600 B Eindhoven, The Netherlands
More informationReal scripts backgrounder 3 - Polyalphabetic encipherment - XOR as a cipher - RSA algorithm. David Morgan
Real scripts backgrounder 3 - Polyalphabetic encipherment - XOR as a cipher - RSA algorithm David Morgan XOR as a cipher Bit element encipherment elements are 0 and 1 use modulo-2 arithmetic Example: 1
More informationCorrelation Analysis of the Shrinking Generator
Correlation Analysis of the Shrinking Generator Jovan Dj. Golić GEMPLUS Rome CryptoDesign Center, Technology R&D Via Pio Emanuelli 1, 00143 Rome, Italy Email: jovan.golic@gemplus.com Abstract. The shrinking
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of
More informationSpeeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases. D. J. Bernstein University of Illinois at Chicago
Speeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases D. J. Bernstein University of Illinois at Chicago NSF ITR 0716498 Part I. Linear maps Consider computing 0
More informationCryptography and Shift Registers
6 The Open Mathematics Journal, 29, 2, 6-2 Cryptography and Shift Registers Open Access A.A. Bruen and R.A. Mollin,* Department of Electrical and Computer Engineering, University of Calgary, Canada Department
More informationCryptography. P. Danziger. Transmit...Bob...
10.4 Cryptography P. Danziger 1 Cipher Schemes A cryptographic scheme is an example of a code. The special requirement is that the encoded message be difficult to retrieve without some special piece of
More informationIEOR SEMINAR SERIES Cryptanalysis: Fast Correlation Attacks on LFSR-based Stream Ciphers
IEOR SEMINAR SERIES Cryptanalysis: Fast Correlation Attacks on LFSR-based Stream Ciphers presented by Goutam Sen Research Scholar IITB Monash Research Academy. 1 Agenda: Introduction to Stream Ciphers
More informationCOMPUTER ARITHMETIC. 13/05/2010 cryptography - math background pp. 1 / 162
COMPUTER ARITHMETIC 13/05/2010 cryptography - math background pp. 1 / 162 RECALL OF COMPUTER ARITHMETIC computers implement some types of arithmetic for instance, addition, subtratction, multiplication
More informationMODEL ANSWERS TO HWK #10
MODEL ANSWERS TO HWK #10 1. (i) As x + 4 has degree one, either it divides x 3 6x + 7 or these two polynomials are coprime. But if x + 4 divides x 3 6x + 7 then x = 4 is a root of x 3 6x + 7, which it
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationBlock-tridiagonal matrices
Block-tridiagonal matrices. p.1/31 Block-tridiagonal matrices - where do these arise? - as a result of a particular mesh-point ordering - as a part of a factorization procedure, for example when we compute
More informationMargin Maximizing Loss Functions
Margin Maximizing Loss Functions Saharon Rosset, Ji Zhu and Trevor Hastie Department of Statistics Stanford University Stanford, CA, 94305 saharon, jzhu, hastie@stat.stanford.edu Abstract Margin maximizing
More informationDesign of Filter Functions for Key Stream Generators using Boolean Power Functions Jong-Min Baek
Design of Filter Functions for Key Stream Generators using Boolean Power Functions Jong-Min Baek The Graduate School Yonsei University Department of Electrical and Electronic Engineering Design of Filter
More informationLinear Feedback Shift Registers (LFSRs) 4-bit LFSR
Linear Feedback Shift Registers (LFSRs) These are n-bit counters exhibiting pseudo-random behavior. Built from simple shift-registers with a small number of xor gates. Used for: random number generation
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 08 Shannon s Theory (Contd.)
More informationThe LILI-128 Keystream Generator
The LILI-128 Keystream Generator E. Dawson 1 A. Clark 1 J. Golić 2 W. Millan 1 L. Penna 1 L. Simpson 1 1 Information Security Research Centre, Queensland University of Technology GPO Box 2434, Brisbane
More informationKnow the meaning of the basic concepts: ring, field, characteristic of a ring, the ring of polynomials R[x].
The second exam will be on Friday, October 28, 2. It will cover Sections.7,.8, 3., 3.2, 3.4 (except 3.4.), 4. and 4.2 plus the handout on calculation of high powers of an integer modulo n via successive
More informationDetection and Exploitation of Small Correlations in Stream Ciphers
Detection and Exploitation of Small Correlations in Stream Ciphers Masterthesis conducted under the guidance of Prof. Dr. Joachim Rosenthal and Dr. Gérard Maze Institute of Mathematics, University of Zurich
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationMacLane s coherence theorem expressed as a word problem
MacLane s coherence theorem expressed as a word problem Paul-André Melliès Preuves, Programmes, Systèmes CNRS UMR-7126, Université Paris 7 ÑÐÐ ÔÔ ºÙ ÙºÖ DRAFT In this draft, we reduce the coherence theorem
More informationLinear Cellular Automata as Discrete Models for Generating Cryptographic Sequences
Linear Cellular Automata as Discrete Models for Generating Cryptographic Sequences A Fúster-Sabater P Caballero-Gil 2 Institute of Applied Physics, CSIC Serrano 44, 286 Madrid, Spain Email: amparo@ieccsices
More informationHow does the computer generate observations from various distributions specified after input analysis?
1 How does the computer generate observations from various distributions specified after input analysis? There are two main components to the generation of observations from probability distributions.
More informationStream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden
Dept. of EIT, Lund University, P.O. Box 118, 221 00 Lund, Sweden thomas@eit.lth.se May 16, 2011 Outline: Introduction to stream ciphers Distinguishers Basic constructions of distinguishers Various types
More information1/30: Polynomials over Z/n.
1/30: Polynomials over Z/n. Last time to establish the existence of primitive roots we rely on the following key lemma: Lemma 6.1. Let s > 0 be an integer with s p 1, then we have #{α Z/pZ α s = 1} = s.
More informationThe Vigenère cipher is a stronger version of the Caesar cipher The encryption key is a word/sentence/random text ( and )
A Better Cipher The Vigenère cipher is a stronger version of the Caesar cipher The encryption key is a word/sentence/random text ( and ) To the first letter, add 1 To the second letter, add 14 To the third
More informationMath 312/ AMS 351 (Fall 17) Sample Questions for Final
Math 312/ AMS 351 (Fall 17) Sample Questions for Final 1. Solve the system of equations 2x 1 mod 3 x 2 mod 7 x 7 mod 8 First note that the inverse of 2 is 2 mod 3. Thus, the first equation becomes (multiply
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationLecture Notes. Advanced Discrete Structures COT S
Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-27 Recap ADFGX Cipher Block Cipher Modes of Operation Hill Cipher Inverting a Matrix (mod n) Encryption: Hill Cipher Example Multiple
More informationSection X.55. Cyclotomic Extensions
X.55 Cyclotomic Extensions 1 Section X.55. Cyclotomic Extensions Note. In this section we return to a consideration of roots of unity and consider again the cyclic group of roots of unity as encountered
More information