Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida
2 Definition of block ciphers
3 Block ciphers: crypto work horse
[figure: n-bit PT block → E, D (key: k bits) → n-bit CT block]
- 3DES: n = 64 bits, k = 168 bits
- AES: n = 128 bits, k = 168, 192, 256 bits
4 Block ciphers built by iteration
- key expansion: $k \to k_1, k_2, k_3, \dots, k_l$
- $m \to R(k_1, \cdot) \to R(k_2, \cdot) \to R(k_3, \cdot) \to \cdots \to R(k_l, \cdot) \to c$
- $R(\cdot, \cdot)$ is called a round function
- $l = 48$ for DES, $l = 10$ for AES-128
5 Performance Crypto benchmarks on AMD 8354 Opteron 2.2 GHz processor under Linux cipher block/key size speed (MB/sec) RC4 126 Salsa20/ Sosemanuk 727 3DES 64/ AES /
6 Crypto
check out for the most recent version
Crypto the library contains:
- authenticated encryption
- high speed stream ciphers
- AES and AES candidates
- other block ciphers
- block cipher modes of operation
- message authentication codes
- hash functions
- public key cryptography
- padding schemes for public key cryptography
- key agreement schemes
- elliptic curve cryptography
- ... many other features
7 Abstraction of block ciphers: PRPs and PRFs
F is a pseudo random function (PRF) defined over (K, X, Y), $F : K \times X \to Y$, if there exists an efficient algorithm for evaluating $F(k, x)$
E is a pseudo random permutation (PRP) defined over (K, X), $E : K \times X \to X$, provided that
- the function $E(k, \cdot)$ is injective for all $k \in K$
- there exists an efficient deterministic algorithm for evaluating $E(k, x)$
- there exists an efficient inversion algorithm D such that $D(k, E(k, x)) = x$ for all $k \in K$, $x \in X$
8 Example PRPs: AES and DES
- AES: $K \times X \to X$, $K = X = \{0,1\}^{128}$
- 3DES: $K \times X \to X$, $K = \{0,1\}^{168}$, $X = \{0,1\}^{64}$
9 PRPs are special PRFs
a PRP is a special PRF where
- the two sets X and Y are the same
- there is an efficient algorithm for inverting
10 Secure PRFs
- let $F : K \times X \to Y$ be a PRF
- let $F(X, Y)$ denote the set of all functions from X to Y
- let $S = \{F(k, \cdot) : k \in K\} \subseteq F(X, Y)$
- intuitively, a PRF is secure if a random function in $F(X, Y)$ is indistinguishable from a random function in $S$
- $|S| = |K|$, $|F(X, Y)| = |Y|^{|X|}$
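11 Secure PRF
game between Challenger and Adversary, with challenger bit $b \in \{0,1\}$ and adversary queries $x \in X$:
- $b = 0$: challenger chooses $f \leftarrow F(X, Y)$ and answers with $f(x)$
- $b = 1$: challenger chooses $k \xleftarrow{R} K$ and answers with $F(k, x)$
- adversary outputs a bit in $\{0,1\}$ as its guess for $b$
12 Secure PRPs
- let $E : K \times X \to X$ be a PRP
- let $P(X)$ denote the set of all permutations of $X$
- let $S = \{E(k, \cdot) : k \in K\} \subseteq P(X)$
- intuitively, a PRP is secure if a random permutation in $P(X)$ is indistinguishable from a random permutation in $S$
- $|S| = |K|$, $|P(X)| = |X|!$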
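13 Secure PRP
game between Challenger and Adversary, with challenger bit $b \in \{0,1\}$ and adversary queries $x \in X$:
- $b = 0$: challenger chooses $\pi \leftarrow P(X)$ and answers with $\pi(x)$
- $b = 1$: challenger chooses $k \xleftarrow{R} K$ and answers with $E(k, x)$
- adversary outputs a bit in $\{0,1\}$ as its guess for $b$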
14 Question
let $F : K \times X \to \{0,1\}^{128}$ be a secure PRF
define G by
$G(k, x) = \begin{cases} & \text{if } x = 0 \\ F(k, x) & \text{otherwise} \end{cases}$
is G a secure PRP?
15 Secure PRFs yield secure PRGs
- let $F : K \times \{0,1\}^n \to \{0,1\}^n$ be a secure PRF
- the following function $G : K \to \{0,1\}^{nt}$ is a secure PRG: $G(k) = F(k, 0) \,\|\, F(k, 1) \,\|\, \cdots \,\|\, F(k, t)$
- G is parallelizable
- security of G follows from PRF property: $F(k, \cdot)$ is indistinguishable from function $f(\cdot)$
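The construction on slide 15, as an added example that is not part of the original slides. It assumes HMAC-SHA256 as a stand-in for the PRF F with n = 256 bits; the function names are hypothetical.

```python
import hashlib
import hmac

N_BYTES = 32  # n = 256 bits (assumption: block size of the stand-in PRF)


def prf(key: bytes, x: int) -> bytes:
    """Stand-in for F(k, x): HMAC-SHA256 over x encoded as an n-bit string."""
    return hmac.new(key, x.to_bytes(N_BYTES, "big"), hashlib.sha256).digest()


def prg(key: bytes, t: int) -> bytes:
    """G(k) = F(k, 0) || F(k, 1) || ... || F(k, t), as written on the slide."""
    return b"".join(prf(key, i) for i in range(t + 1))


def prg_slice(key: bytes, offset: int, length: int) -> bytes:
    """Bytes [offset, offset + length) of G(k) without computing earlier blocks.

    This is the "G is parallelizable" property: block i depends only on (k, i),
    so any part of the output can be produced independently of the rest.
    """
    first = offset // N_BYTES
    last = (offset + length - 1) // N_BYTES
    stream = b"".join(prf(key, i) for i in range(first, last + 1))
    start = offset - first * N_BYTES
    return stream[start:start + length]


def xor_at(key: bytes, offset: int, data: bytes) -> bytes:
    """XOR data with the keystream starting at a given byte offset.

    Used both ways (encrypt and decrypt). The same (key, offset) range must
    never cover two different plaintexts, or their XOR leaks.
    """
    keystream = prg_slice(key, offset, len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


if __name__ == "__main__":
    key = bytes(range(32))                      # constructed sample key
    msg = b"constructed sample message for the keystream demo"
    ct = xor_at(key, 0, msg)
    # Decrypt only bytes 10..19 without touching the rest of the stream.
    print(xor_at(key, 10, ct[10:20]))
```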
16 Data Encryption Standard
17 Data encryption standard (DES)
widely deployed in banking (ACH) and commerce
- early 1970s: Horst Feistel designs Lucifer at IBM; key-len = 128 bits; block-len = 128 bits
- 1973: NBS asks for block cipher proposals; IBM submits variant of Lucifer
- 1976: NBS adopts DES as a federal standard; key-len = 56 bits; block-len = 64 bits
- 1997: DES broken by exhaustive search
- 2000: NIST adopts Rijndael as AES to replace DES
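18 DES core idea: Feistel network
- given functions $f_1, \dots, f_d : \{0,1\}^n \to \{0,1\}^n$
- goal: build invertible function $F : \{0,1\}^{2n} \to \{0,1\}^{2n}$
- [figure: $(L_0, R_0) \to (L_1, R_1) \to (L_2, R_2) \to \cdots \to (L_{d-1}, R_{d-1}) \to (L_d, R_d)$ using $f_1, f_2, \dots, f_d$]
- $R_i = f_i(R_{i-1}) \oplus L_{i-1}$, $L_i = R_{i-1}$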
19 Feistel network is invertible
- the Feistel network is invertible because each iteration is invertible
- [figure: one round $(L_{i-1}, R_{i-1}) \to (L_i, R_i)$ and its inverse $(L_i, R_i) \to (L_{i-1}, R_{i-1})$, both using $f_i$]
- this provides a general method for building invertible functions (block ciphers) from arbitrary functions
- this is used in many block ciphers, but not in AES
20 3-round Feistel network yields a secure PRP
Theorem (Luby-Rackoff 85)
- let $F : K \times \{0,1\}^n \to \{0,1\}^n$ be a secure PRF
- 3-round Feistel $E : K^3 \times \{0,1\}^{2n} \to \{0,1\}^{2n}$ is a secure PRP
- [figure: $(L_0, R_0) \to (L_1, R_1) \to (L_2, R_2) \to (L_3, R_3)$ with round functions $F(k_1, \cdot)$, $F(k_2, \cdot)$, $F(k_3, \cdot)$]
- the three keys $k_1, k_2, k_3$ have to be independent
21 DES: 16 round Feistel network with key expansion
- $f_1, \dots, f_{16} : \{0,1\}^{32} \to \{0,1\}^{32}$, $f_i(x) = F(k_i, x)$
- key expansion: $k \to k_1, k_2, k_3, \dots, k_{16}$
- input → IP → 16 round Feistel network → FP → output
22 DES key schedule
23 DES: 16 round Feistel network
24 The Feistel functions $F(k_i, \cdot)$
- [figure: 32-bit input x → E → combined with $k_i$ → S-boxes $S_1, S_2, \dots$ with 6-bit inputs → P → 32-bit output]
- the $S_i$-boxes are functions $\{0,1\}^6 \to \{0,1\}^4$ that are implemented as look-up tables
25 The Feistel functions $F(k_i, \cdot)$
26 The Feistel functions $F(k_i, \cdot)$
- expansion: the 32-bit half-block is expanded to 48 bits using the expansion permutation E by duplicating half of the bits; its output consists of eight 6-bit pieces, each containing a copy of 4 corresponding input bits, plus a copy of the immediately adjacent bit from each of the input pieces to either side
- key mixing: the result is combined with a subkey using an XOR operation
- substitution: after mixing in the subkey, the block is divided into eight 6-bit pieces before processing by the S-boxes
- permutation: the 32 outputs from the S-boxes are rearranged according to a fixed permutation, the P-box; this is designed so that, after permutation, each S-box's output bits are spread across 4 different S-boxes in the next round
27 The $S_i$-boxes
- given a 6-bit input, the 4-bit output is found by selecting the row using the outer two bits (the first and last bits), and the column using the inner four bits
- for example, an input has outer bits 01 and inner bits 1101; the corresponding output would be 1001
28 Insecure block cipher if $S_i$ boxes linear
- suppose $S_i(x_1, x_2, \dots, x_6) = (x_1 \oplus x_2,\; x_1 \oplus x_4 \oplus x_5,\; x_1 \oplus x_6,\; x_2 \oplus x_3 \oplus x_6)$
- this can be equivalently written as the matrix equation $S_i(x) = A_i x \pmod 2$
- we say that $S_i$ is linear
29 Insecure block cipher if $S_i$ boxes linear
- all $S_i$-boxes linear $\Rightarrow$ the entire DES cipher linear
- $\exists$ fixed binary matrix $B$ (64 rows, 832 columns) such that $DES(k, m) = B \cdot (m, k_1, k_2, \dots, k_{16})^T = c$
- but then $DES(k, m_1) \oplus DES(k, m_2) \oplus DES(k, m_3) = DES(k, m_1 \oplus m_2 \oplus m_3)$
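Slides 18-19 and 28-29 in one runnable sketch, added here and not taken from the original slides: a Feistel network inverts for any round functions, and when the round functions are linear over GF(2) the XOR relation of slide 29 holds for the whole cipher. The round functions, round keys and helper names are constructed for illustration; this is a toy cipher, not DES.

```python
import hashlib

N = 32                       # half-block size n in bits (64-bit block)
MASK = (1 << N) - 1


def feistel_encrypt(round_fns, left, right):
    for f in round_fns:
        # L_i = R_{i-1},  R_i = f_i(R_{i-1}) xor L_{i-1}
        left, right = right, f(right) ^ left
    return left, right


def feistel_decrypt(round_fns, left, right):
    for f in reversed(round_fns):
        # R_{i-1} = L_i,  L_{i-1} = f_i(L_i) xor R_i ; f_i itself is never inverted
        left, right = f(left) ^ right, left
    return left, right


def rotl(x, r):
    return ((x << r) | (x >> (N - r))) & MASK


def linear_round(k):
    """Round function built only from rotations, shifts and XOR: linear over GF(2)."""
    return lambda x: rotl(x, 3) ^ rotl(x, 11) ^ (x >> 5) ^ k


def hash_round(k):
    """Non-linear, non-invertible round function (truncated SHA-256 of key and input)."""
    def f(x):
        digest = hashlib.sha256(k.to_bytes(4, "big") + x.to_bytes(4, "big")).digest()
        return int.from_bytes(digest[:4], "big")
    return f


def make_cipher(make_round, round_keys):
    """Return (enc, dec) on 64-bit integers for the given round-function family."""
    fns = [make_round(k) for k in round_keys]

    def enc(m):
        left, right = feistel_encrypt(fns, (m >> N) & MASK, m & MASK)
        return (left << N) | right

    def dec(c):
        left, right = feistel_decrypt(fns, (c >> N) & MASK, c & MASK)
        return (left << N) | right

    return enc, dec


def xor_relation_holds(enc, m1, m2, m3):
    """Slide 29: E(k,m1) xor E(k,m2) xor E(k,m3) == E(k, m1 xor m2 xor m3)."""
    return enc(m1) ^ enc(m2) ^ enc(m3) == enc(m1 ^ m2 ^ m3)


# Constructed sample round keys (16 rounds, as in DES) and sample messages.
ROUND_KEYS = [(0x9E3779B9 * (i + 1)) & MASK for i in range(16)]
SAMPLES = (0x1111, 0xDEADBEEF00000000, 0x0123456789ABCDEF)

if __name__ == "__main__":
    for name, family in (("linear", linear_round), ("hash", hash_round)):
        enc, dec = make_cipher(family, ROUND_KEYS)
        print(name, "inverts:", all(dec(enc(m)) == m for m in SAMPLES),
              "| XOR relation holds:", xor_relation_holds(enc, *SAMPLES))
```

An observer who sees the relation hold on a few chosen inputs can tell the linear cipher from a random permutation without knowing the key, which is why the S-boxes must not be linear.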
30 Rules for choosing S and P boxes
- choosing the S and P boxes at random would yield an insecure block cipher (key recovery possible after $2^{24}$ outputs)
- no output bit should be close to a linear function of the input bits
- S-boxes are 4-to-1 maps
31 Exhaustive search attacks
32 Exhaustive search for block cipher key
goal: given a few PT-CT pairs $(m_i, c_i = E(k, m_i))$, find $k$
Lemma: suppose DES is an ideal cipher, i.e., $E(k_1, \cdot) = \pi_1, \dots, E(k_{2^{56}}, \cdot) = \pi_{2^{56}}$ behave as if we had selected the permutations $\pi_1, \dots, \pi_{2^{56}}$ uniformly at random from $P(X)$ where $X = \{0,1\}^{64}$; then $\forall m, c$ there is at most one key $k$ such that $c = DES(k, m)$
Proof: $\Pr\big(\exists k' \neq k : c = DES(k, m) = DES(k', m)\big) \le \sum_{k' \in \{0,1\}^{56}} \Pr\big(DES(k, m) = DES(k', m)\big) = \frac{1}{2^8}$
33 Exhaustive search for block cipher key
- for two DES pairs $(m_1, DES(k_1, m_1))$, $(m_2, DES(k_2, m_2))$ the probability of the key being unique is $1 - 1/2^{71}$
- for two AES-128 pairs $(m_1, AES(k_1, m_1))$, $(m_2, AES(k_2, m_2))$ the probability of the key being unique is $1 - 1/2^{128}$
- two PT-CT pairs are enough for exhaustive key search
34 DES challenge
PT = "The unkn" "own mess" "age is: " "XXX..."
CT = $c_1$ $c_2$ $c_3$ $c_4$
Goal: find $k \in \{0,1\}^{56}$ such that $DES(k, m_i) = c_i$ for i = 1, 2,
- Internet search: 3 months
- 1998 EFF machine (deep crack): 3 days, $250k
- 1999 combined search: 22 hours
- 2006 COPACOBANA (120 FPGAs): 7 days, $10k
56-bit ciphers should not be used
35 Strengthening block encryption method 1: Triple encryption
- let $E : K \times M \to M$ be a block cipher
- define $3E : K^3 \times M \to M$ by $3E((k_1, k_2, k_3), m) = E(k_1, D(k_2, E(k_3, m)))$
- observe that we recover (single) encryption when all keys are equal: $3E((k, k, k), m) = E(k, m)$
- for 3DES: key-size = $3 \times 56 = 168$ bits; 3 times slower than DES
36 Why not double encryption?
- define $2E((k_1, k_2), m) = E(k_1, E(k_2, m))$
- [figure: $m \to E(k_2, \cdot) \to E(k_1, \cdot) \to c$]
- goal: find $(k_1, k_2)$ such that $E(k_1, E(k_2, m)) = c$, equivalently $E(k_2, m) = D(k_1, c)$
37 Meet-in-the-middle attack on double encryption
attack: $M = (m_1, \dots, m_{10})$, $C = (c_1, \dots, c_{10})$
- build table and sort on second column: rows $(k^0, E(k^0, M))$, $(k^1, E(k^1, M))$, $(k^2, E(k^2, M))$, ..., $(k^N, E(k^N, M))$
- repeat ranging $k \in \{0,1\}^{56}$ until $D(k, C)$ appears in second column (check using binary search)
- when this happens, then $E(k^i, M) = D(k, C) \Rightarrow (k^i, k) = (k_2, k_1)$
38 Complexity of the meet-in-the-middle attack Triple DES m E(k 2, ) E(k 1, ) c Time = 2 56 log(2 56 ) log(2 56 ) < Space 2 56 Double DES m E(k 3, ) E(k 2, ) E(k 1, ) c same attack on 3DES Time = Space 2 56
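Why double encryption adds almost no strength (slides 36-38), as an added example that is not part of the original slides. E and D here are a constructed toy cipher with 12-bit keys and 32-bit blocks, chosen only so the table fits in memory; a dictionary lookup replaces the sorted table and binary search of slide 37.

```python
KEY_BITS = 12                      # toy key size (assumption), so 2**12 keys per stage
BLOCK_MASK = 0xFFFFFFFF            # 32-bit blocks
MUL = 0x9E3779B1                   # odd constant, hence invertible mod 2**32
MUL_INV = pow(MUL, -1, 1 << 32)
ROUNDS = 4


def _round_key(k, r):
    return (k * 0x85EBCA6B + r * 0xC2B2AE35) & BLOCK_MASK


def E(k, m):
    """Toy block cipher (constructed for this example, not a real design)."""
    x = m
    for r in range(ROUNDS):
        x = (x + _round_key(k, r)) & BLOCK_MASK
        x = (x * MUL) & BLOCK_MASK
        x = ((x << 7) | (x >> 25)) & BLOCK_MASK
        x ^= x >> 16
    return x


def D(k, c):
    """Inverse of E: undo each step of each round in reverse order."""
    x = c
    for r in reversed(range(ROUNDS)):
        x ^= x >> 16
        x = ((x >> 7) | (x << 25)) & BLOCK_MASK
        x = (x * MUL_INV) & BLOCK_MASK
        x = (x - _round_key(k, r)) & BLOCK_MASK
    return x


def two_E(k1, k2, m):
    """2E((k1, k2), m) = E(k1, E(k2, m))."""
    return E(k1, E(k2, m))


def meet_in_the_middle(pairs):
    """Return (candidate (k1, k2) pairs, number of E/D evaluations used)."""
    ms = [m for m, _ in pairs]
    cs = [c for _, c in pairs]
    evaluations = 0

    # Forward half: table of E(k2, M) -> k2 for every k2.
    table = {}
    for k2 in range(1 << KEY_BITS):
        table.setdefault(tuple(E(k2, m) for m in ms), []).append(k2)
        evaluations += len(ms)

    # Backward half: look up D(k1, C) in the table for every k1.
    candidates = []
    for k1 in range(1 << KEY_BITS):
        middle = tuple(D(k1, c) for c in cs)
        evaluations += len(cs)
        candidates.extend((k1, k2) for k2 in table.get(middle, []))
    return candidates, evaluations


if __name__ == "__main__":
    k1, k2 = 0xABC, 0x123                          # constructed secret key pair
    plaintexts = [0x00000001, 0xCAFEBABE, 0x12345678]
    pairs = [(m, two_E(k1, k2, m)) for m in plaintexts]
    found, used = meet_in_the_middle(pairs)
    print("candidates:", [(hex(a), hex(b)) for a, b in found])
    print("evaluations:", used, "vs key pairs in a naive search:", 1 << (2 * KEY_BITS))
```

The work grows with twice the single-key space rather than its square, at the price of a table with one entry per key.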
39 Strengthening block encryption method 2 X (xor before and after encryption)
- let $E : K \times \{0,1\}^n \to \{0,1\}^n$ be a block cipher
- define EX by $EX((k_1, k_2, k_3), m) = k_1 \oplus E(k_2, m \oplus k_3)$
- observe that $k_1 \oplus E(k_2)$ and $E(k_2, m \oplus k_1)$ does nothing
- for DESX: key-len= =184 bits
- there is an easy attack in time = $2^{120}$
40 More attacks on block ciphers
41 Attack on the implementation
- side channel attacks: measure time to do enc/dec, measure power for enc/dec
- fault attacks: computing errors in the last round expose the secret key k
42 Linear and differential attacks
- given many PT-CT pairs, the key can be recovered in time less than $2^{56}$
- linear cryptanalysis: suppose for random k and m, we have $\Pr\big(m[i_1] \oplus \cdots \oplus m[i_r] \oplus c[j_1] \oplus \cdots \oplus c[j_s] = k[l_1] \oplus \cdots \oplus k[l_t]\big) = \frac{1}{2} + \varepsilon$ for some $\varepsilon > 0$
- for DES, such a relation exists with $\varepsilon = 1/2^{21}$
43 Linear attacks
Theorem: Assume $\Pr_{k \in K,\, m \in M}\big(m[i_1] \oplus \cdots \oplus m[i_r] \oplus c[j_1] \oplus \cdots \oplus c[j_s] = k[l_1] \oplus \cdots \oplus k[l_t]\big) = \frac{1}{2} + \varepsilon$ holds; then with probability greater than 97.7% the equality $k[l_1] \oplus \cdots \oplus k[l_t] = \mathrm{MAJ}\big(m[i_1] \oplus \cdots \oplus m[i_r] \oplus c[j_1] \oplus \cdots \oplus c[j_s]\big)$ is satisfied, provided that we are given $1/\varepsilon^2$ pairs $(m, DES(k, m))$ with $m \in M$
- we can determine $k[l_1, \dots, l_t]$ with $1/\varepsilon^2$ random PT-CT pairs in time $1/\varepsilon^2$
44 Linear attacks
- for DES $\varepsilon = 1/2^{21}$
- given $2^{42}$ random PT-CT pairs, we can determine $k[l_1, \dots, l_t]$ in time
- key bits can be found this way in time $2^{42}$
- brute force search the remaining = 42 bits in time $2^{42}$
- total attack time is with $2^{42}$ random PT-CT pairs
- a slight amount of linearity in $S_5$ leads to a $2^{42}$ time attack
Security of the AES with a Secret S-box Tyge Tiessen, Lars R Knudsen, Stefan Kölbl, and Martin M Lauridsen {tyti,lrkn,stek,mmeh}@dtudk DTU Compute, Technical University of Denmark, Denmark Abstract How
More informationBiomedical Security. Overview 9/15/2017. Erwin M. Bakker
Biomedical Security Erwin M. Bakker Overview Cryptography: Algorithms Cryptography: Protocols Pretty Good Privacy (PGP) / B. Schneier Workshop Biomedical Security Biomedical Application Security (guest
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 08 Shannon s Theory (Contd.)
More informationLecture Notes on Secret Sharing
COMS W4261: Introduction to Cryptography. Instructor: Prof. Tal Malkin Lecture Notes on Secret Sharing Abstract These are lecture notes from the first two lectures in Fall 2016, focusing on technical material
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationThe Hash Function Fugue
The Hash Function Fugue Shai Halevi William E. Hall Charanjit S. Jutla IBM T.J. Watson Research Center October 6, 2009 Abstract We describe Fugue, a hash function supporting inputs of length upto 2 64
More informationBlock Ciphers and Feistel cipher
introduction Lecture (07) Block Ciphers and cipher Dr. Ahmed M. ElShafee Modern block ciphers are widely used to provide encryption of quantities of information, and/or a cryptographic checksum to ensure
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationKlein s and PTW Attacks on WEP
TTM4137 Wireless Security Klein s and PTW Attacks on WEP Anton Stolbunov NTNU, Department of Telematics version 1, September 7, 2009 Abstract These notes should help for an in-depth understanding of the
More informationSTRIBOB : Authenticated Encryption
1 / 19 STRIBOB : Authenticated Encryption from GOST R 34.11-2012 or Whirlpool Markku-Juhani O. Saarinen mjos@item.ntnu.no Norwegian University of Science and Technology Directions in Authentication Ciphers
More informationChosen Plaintext Attacks (CPA)
Chosen Plaintext Attacks (CPA) Goals New Attacks! Chosen Plaintext Attacks (often CPA) is when Eve can choose to see some messages encoded. Formally she has Black Box for ENC k. We will: 1. Define Chosen
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under
More informationChapter 2 Symmetric Encryption Algorithms
Chapter 2 Symmetric Encryption Algorithms February 15, 2010 2 The term symmetric means that the same key used to encrypt is used decrypt. In the widest sense all pre-pkc encryption algorithms are symmetric,
More informationAttacks on DES , K 2. ) L 3 = R 2 = L 1 f ( R 1, K 2 ) R 4 R 2. f (R 1 = L 1 ) = L 1. ) f ( R 3 , K 4. f (R 3 = L 3
Attacks on DES 1 Attacks on DES Differential cryptanalysis is an attack on DES that compares the differences (that is, XOR values between ciphertexts of certain chosen plaintexts to discover information
More information