Revisiting AES Related-Key Differential Attacks with Constraint Programming
|
|
- Myron Lamb
- 5 years ago
- Views:
Transcription
1 Revisiting AES Related-Key Differential Attacs with Constraint Programming D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) () - LIMOS, Université Clermont-Ferrand (2) - LORIA, Université de Lorraine (3) - LIRIS, INSA de Lyon Journées Méthodes Formelles - 3 May 27 D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) / 4
2 Revisiting AES RKD Attacs with CP Differential cryptanalysis of the AES First CP model for Step Second CP model for Step Third CP model for Step CP model for Step 2 Results Conclusion D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 2 / 4
3 AES (Advanced Encryption Standard) Bloc cipher standard since 2 Input: A plaintext X = 28 bits = 4x4 bytes A ey K = 28, 92, or 256 bits = 4x4, 4x6, or 4x8 bytes Output: a ciphertext E K (X ) such that X = E K (E K (X )) Iterative process of r rounds: r = (2, 4) when K = 28 (92, 256) Operations applied at each round i [, r ] for AES-28: Key K = K (4 4 bytes) Subey K i+ SR MC Plaintext X (4 4 bytes) X i Xr Ciphertext E K (X ) D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 3 / 4
4 Cryptanalysis of the AES Bloc Cipher (/2) Differential Cryptanalysis [Biham and Shamir 99]: Trac XOR differences through the ciphering process to recover the ey: Let δx = X X be an input plaintext difference Let δy = E K (X ) E K (X ) be the output difference The cipher is wea if δx and δy such that Pr[δY δx ] >> 2 K Key recovery in O(/Pr[δY δx ]) D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 4 / 4
5 Cryptanalysis of the AES Bloc Cipher (2/2) Related-Key Attac [Biham 993]: Inject differences in texts and eys Let δx = X X be an input plaintext difference Let δk = K K be an input ey difference Let δy = E K (X ) E K (X ) be the output difference The cipher is wea if δx, δk, and δy such that Pr[δY δx, δk] >> 2 K Key recovery in O(/Pr[δY δx, δk]) D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 5 / 4
6 Related-Key Differential of AES δk = K K δk i+ = K i+ K i+ δx i = X i X i SR MC δx = X X δxr = Xr X r δy = Y Y Goal: Find δx, δk, and δy that maximizes Pr[δY δx, δk ]:, SR, and MC are linear: op(b i ) op(b j ) = op(b i B j ) Probabilities are equal to (or ) for these operators is not linear: Let Pr[δ o δ i ] = #{(B,B2) [,256]2 δ i =B B 2 and δ o=s(b ) S(B 2)} 256 Probability to have output difference δ o given input difference δ i Perfect cipher: δ i, δ o, Pr[δ o δ i ] = 256 but this is impossible! 2 of AES: if δ o =δ i = then Pr[δ o δ i ]= else Pr[δ o δ i ] {, 256, 4 D Gerault (), P combines Lafourcade () linear, M Minier operators (2), C Solnon with (3) non linear on some bytes 6 / }
7 Two step solving process [Biryuov et al 2, Fouque et al 23] Step : Asbtract differential bytes δb = B B to booleans B For each differential byte δb: B = if δb = ; B = if δb [, 255] K SK i [j][3] K i+ SR MC X X i SX i R i M i X r SX r D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 7 / 4
8 Two step solving process [Biryuov et al 2, Fouque et al 23] Step : Asbtract differential bytes δb = B B to booleans B For each differential byte δb: B = if δb = ; B = if δb [, 255] Minimize the nb of boolean variables X i [j][] and K i [j][3] set to : If δx i [j][] = δsx i [j][] = then Pr[δSX i [j][] δx i [j][]] = 2 Otherwise Pr[δSX i [j][] δx i [j][]] {, 256, } K SK i [j][3] K i+ SR MC X X i SX i R i M i X r SX r D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 7 / 4
9 Two step solving process [Biryuov et al 2, Fouque et al 23] Step 2: Concretize booleans to differential bytes If B = then set δb to ; otherwise search for δb [, 255] If not possible: Solution byte-inconsistent If possible: Solution byte-consistent Maximize the probability Pr[δSX r δx, δk ] K SK i [j][3] K i+ SR MC X X i SX i R i M i X r SX r D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 8 / 4
10 Existing approaches Biryuov et al 2: Branch & Bound for Step K = 28: Several days of CPU time K = 92: Several wees of CPU time Fouque et al 23: Graph traversal for Step K = 28: 3mn of CPU time (on 2 cores) but 6 GB of memory Not extended to K = 92 or 256 In both cases: Difficult and time-consuming programming wor Checing the correctness of the program is not straightforward D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 9 / 4
11 What about Constraint Programming (CP)? Solving a problem with CP: Define the problem with a declarative language: Variables (unnowns) and their domains Constraints (relations between variables) Optionally: Objective function to optimize Use generic engines to search for solutions Using CP to compute related-ey differentials: Step : Less than 35 hours for the hardest instance Step 2: Less than 6 minutes for the hardest instance Prove inconsistency of a solution proposed by Biryuov et al 2 New related-ey differentials: K = 28: p = 2 79 (instead of 2 8 ) for 4 rounds K = 92: p = 2 76 for rounds K = 256: p = 2 46 (instead of 2 54 ) for 4 rounds D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) / 4
12 Revisiting AES RKD Attacs with CP Differential cryptanalysis of the AES First CP model for Step Second CP model for Step Third CP model for Step CP model for Step 2 Results Conclusion D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) / 4
13 CP Basic : First CP model for Step K SK i [j][3] K i+ SR MC X X i SX i R i M i X r SX r For each round i, for each row j and each column : X [j][], X i [j][], SX i [j][], R i [j][], M i [j][], K i [j][], SK i [j][3] Boolean variables Domains = {, } D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 2 / 4
14 CP Basic : First CP model for Step K SK i [j][3] K i+ SR MC X X i SX i R i M i X r SX r performs XOR operations: j, [, 3] : XOR( X [j][], K [j][], X [j][]) i [, r ], j, [, 3] : XOR( M i [j][], K i+ [j][], X i+ [j][]) D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 3 / 4
15 CP Basic : First CP model for Step XOR at the byte level: δb δb 2 δb 3 = (δb, δb 2, δb 3 ) {(,, )} {(, x, x) x [, 255]} {(x,, x) x [, 255]} {(x, x, ) x [, 255]} {(x, y, z) x, y, z [, 255], x y z} XOR at the boolean level: ( B, B 2, B 3 ) { (,, ), (,, ), (,, ), (,, ), (,, )} Definition of the XOR( B, B 2, B 3 ) constraint: B + B 2 + B 3 D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 4 / 4
16 CP Basic : First CP model for Step K SK i [j][3] K i+ SR MC X X i SX i R i M i X r SX r SubBytes does not introduce nor remove differences (because B i B j = S(B i ) S(B j ) = ) i [, r], j, [, 3]: X i [j][] = SX i [j][] i [, r], j [, 3]: K i [j][3] = SK i [j][3] D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 5 / 4
17 CP Basic : First CP model for Step K SK i [j][3] K i+ SR MC X X i SX i R i M i X r SX r SR shifts bytes: i [, r ], j, [, 3]: R i [j][] = SX i [j][ + j%4] D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 6 / 4
18 CP Basic : First CP model for Step K SK i [j][3] K i+ SR MC X X i SX i R i M i X r SX r MC multiplies each column by a fixed matrix Ensures the MDS property: i [, r ], [, 3] 3 R i [j][] + M i [j][] {, 5, 6, 7, 8} j= D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 7 / 4
19 CP Basic : First CP model for Step K SK i [j][3] K i+ SR MC X X i SX i R i M i X r SX r RotWord SubWord Rcon RotWord SubWord Rcon,, 2, 3,,, 2, 3,,, 2, 3,,, 2, 3,,2,2 2,2 3,2,2,2 2,2 3,2,3,3 2,3 3,3,3,3 2,3 3,3 performs XOR, byte shifts, and operations For AES-28: i [, r ], j [, 3] : Column : XOR( K i [j][], SK i [(j + )%4][3], K i [j][]) Columns [, 3]: XOR( K i [j][], K i [j][ ], K i [j][]) D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 8 / 4
20 CP Basic : First CP model for Step K SK i [j][3] K i+ SR MC X X i SX i R i M i X r SX r Goal: Minimize the number of differences that pass through SubBytes: r 3 3 obj Step = ( K i [j][3] + X i [j][]) Ordering heuristics: i= j= = First choose variables that occur in the objective function D Gerault First (), P Lafourcade assign them (), M Minier to (2), C Solnon (3) 9 / 4
21 CP Basic : First CP model for Step r obj Step BCS S Gecode Choco 4 Chuffed Time CP Time CP Time CP 3 2 9e 4e 5e 3 3 5e 2 2e 3 4 2e 3 7e e 3 3 2e 4 8 e 4 2 5e e 4 6 6e 4 5 5e 4 9 2e e 4 6 e 4 3 8e e 4 7 e e 4 4 4e 4 4 6e e e 6 4 9e e r = Nb rounds obj Step = Nb of differences that pass through (active S-boxes) BCS = Number of byte-consistent solutions Boolean solutions that can be concretized to byte solutions S = Number of solutions Most NOT byte-consistent CP = number of choice points in the search tree Chuffed explores less choice points and is faster D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 2 / 4
22 Revisiting AES RKD Attacs with CP Differential cryptanalysis of the AES First CP model for Step Second CP model for Step Third CP model for Step CP model for Step 2 Results Conclusion D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 2 / 4
23 CP EQ : Second CP model for Step What s wrong with CP Basic? XOR constraints do not propagate equality relationships at the byte level For example, if δa δb δc = and δa δb δd = then δc = δd However, at the boolean level, we only propagate: A + B + C and A + B + D New variables and constraints to model byte equalities: For each couple of differential bytes (δa, δb): EQ δa,δb = if δa = δb EQ δa,δb = if δa δb Symmetry: EQ δa,δb = EQ δb,δa Transitivity: EQ δa,δb = EQ δb,δc = EQ δa,δc = Relation with variables: EQ δa,δb = A = B EQ δa,δb = A + B D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 22 / 4
24 CP EQ : Second CP model for Step Definition of XOR in CP Basic : B + B 2 + B 3 Can we strengthen it by exploiting byte equalities? Yes, because: B = δb 2 = δb 3 B 2 = δb = δb 3 B 3 = δb = δb 2 New definition of XOR: XOR( B, B 2, B 3 ) (( B + B 2 + B 3 ) (EQ δb,δb 2 = B 3 ) (EQ δb,δb 3 = B 2 ) (EQ δb2,δb 3 = B )) D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 23 / 4
25 CP EQ : Second CP model for Step K SK i [j][3] K i+ SR MC X X i SX i R i M i X r SX r MDS also holds when XORing different columns of δr and δm: i, i 2 [, r ],, 2 [, 3], the number of bytes equal to in δr i [j][ ] δr i2 [j][ 2 ] and δm i [j][ ] δm i2 [j][ 2 ] {,, 2, 3, 8} New constraints to ensure MDS: i, i 2 [, r ],, 2 [, 3] 3 j= EQ δr i [j][],δr i2 [j][2] + EQ δmi [j][],δm i2 [j][2] {,, 2, 3, 8} D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 24 / 4
26 ,, 2, 3,,, 2, 3,,, 2, 3,,, 2, 3,,2,2 2,2 3,2,2,2 2,2 3,2,3,3 2,3 3,3,3,3 2,3 3,3 Diff Crypt Step () Step (2) Step (3) Step 2 Results Conclusion CP EQ : Second CP model for Step (mainly) performs XOR operations: Column : K i [j][] = K i [j][] SK i [(j + )%4][3] Columns [, 3]: K i [j][] = K i [j][ ] K i [j][] Each byte of K i is eq to a XOR of bytes of K and SK i Ex: K 2 [][] = K 2 [][] K [][] = K [][] SK [2][3] K [][] K [][] = SK [2][3] K [][] New constraints: Pre-compute sets V i,j, such that δk i [j][] = δb V i,j, δb Introduce set variables S i,j, and post the following constraints: S i,j, = {δb V i,j, B = } If S i,j, = then K i [j][] = If S i,j, = {δb} then EQ δki [j][],δb = If S i,j, = {δb, δb 2 } then XOR( B, B 2, K i [j][]) If i, j, st S i,j, = S i,j, then EQ δk i [j][],δk i [j ][ ] = RotWord SubWord Rcon RotWord SubWord Rcon D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 25 / 4
27 Revisiting AES RKD Attacs with CP Differential cryptanalysis of the AES First CP model for Step Second CP model for Step Third CP model for Step CP model for Step 2 Results Conclusion D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 26 / 4
28 CP Class : Third CP model for Step Alternative way to model equivalence classes: For each boolean variable B, define an integer variable Class δb D(Class δb ) = [, 255] Constraints: ( B = ) (Class δb = ) Global precede constraint to brea symmetries Update all constraints: replace EQ δb,δb 2 = by Class δb = Class δb2 replace EQ δb,δb 2 = by Class δb Class δb2 D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 27 / 4
29 Revisiting AES RKD Attacs with CP Differential cryptanalysis of the AES First CP model for Step Second CP model for Step Third CP model for Step CP model for Step 2 Results Conclusion D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 28 / 4
30 CP model for Step 2 Initialize Obj Step to 2 Step : Search for all boolean solutions 3 For each boolean solution of Step : Step 2: Search for byte values that maximize Pr[δSX r δx, δk ] (or detect inconsistency and set Pr to ) Let Pr max be the largest probability wrt all boolean solutions of Step 4 If Pr max < 2 6(Obj Step+) then increment Obj Step and go to (2) Otherwise, return Pr max K SK i [j][3] K i+ SR MC X X i SX i R i M i Xr SXr D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 29 / 4
31 CP model for Step 2 For each boolean variable B: Integer variable δb If B = in the Step solution then: D(δB) = {} Otherwise: D(δB) = [, 255] For each byte A on which is applied: Integer variable P A Base 2 logarithm of Pr(δSA δa) If A = SA = then: D(P A ) = {} because Pr( ) = Otherwise: D(P A ) = { 7, 6} because Pr(δSA δa) { 2 256, } Objective function: Maximize obj Step2 = A on which is applied P A K SK i [j][3] K i+ SR MC X X i SX i R i M i Xr SXr D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 3 / 4
32 Table constraint related to : For each byte A on which is applied: CP model for Step 2 (δa, δsa, P A ) {(X, Y, P) (B, B 2 ) [, 255] [, 255], X = B B 2, Y = S(B ) S(B 2 ), P = log 2 (Pr(Y X ))} Constraints related to,, SR, and MC: Straightforward definition with table constraints K SK i [j][3] K i+ SR MC X X i SX i R i M i Xr SXr D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 3 / 4
33 Revisiting AES RKD Attacs with CP Differential cryptanalysis of the AES First CP model for Step Second CP model for Step Third CP model for Step CP model for Step 2 Results Conclusion D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 32 / 4
34 Experimental setup Languages and Solvers: CP models for Step are defined in MiniZinc Benchmar for the 26 MiniZinc Challenge Best results are obtained with Chuffed and Picat The CP model for Step 2 is defined in Choco 4 (Java CP library) CPU time limit for Step : 24 hours on a 35 GHz i7-47mq processor with 8 gigabytes of memory If not solved in 24 hours: Decompose into independent subproblems D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 33 / 4
35 Scale-up properties: AES-28 Step Step 2 r obj Step time # boolean # byte-cons time Pr CP EQ CP Class solutions solutions ?? 542 2? 2 3 Useless to go on with r > 6 because 2 3 < 2 28 Recall of the results of CP Basic for Step : r = 3, obj Step = 5 : 2e 4 boolean solutions r = 4, obj Step = : 9e 7 boolean solutions Most byte-inconsistent sol are removed by new constraints at byte level D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 34 / 4
36 Extension to AES-92 and AES-256 Key K Subey K i+ SR MC Plaintext X (4 4 bytes) X i X r Ciphertext E K (X ) Update constraints related to KeySchedule: Step : XOR constraints combined with byte shifts Step 2: XOR constraints combined with byte shifts + SubBytes on some columns D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 35 / 4
37 Extension to AES-92 and AES-256 Key K Subey K i+ SR MC Plaintext X (4 4 bytes) X i X r Ciphertext E K (X ) Update constraints related to KeySchedule: Step : XOR constraints combined with byte shifts Step 2: XOR constraints combined with byte shifts + SubBytes on some columns D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 35 / 4
38 Scale-up properties: AES-92 Step Step 2 r obj Step time # boolean # byte time Pr CP EQ CP Class Useless to go on with r > or obj Step > 3 because 6 32 = 92 D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 36 / 4
39 Scale-up properties: AES-256 Step Step 2 r obj Step time # boolean # byte-cons time Pr CP EQ CP Class solutions solutions D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 37 / 4
40 Decomposition of hard instances into independent subproblems For each round i: Integer variables SumX i and SumK i Number of differences in δx i : SumX i = j, [,3] X i[j][] Number of differences in δk i : SumK i = j [,3] K i[j][3] One subproblem for each possible value of SumX i and SumK i All subproblems are independent and may be solved in parallel Combine Picat and Chuffed to solve the subproblems Use Picat to enumerate SumX i and SumK i with solutions (if any) Use Chuffed to enumerate all solutions, given SumX i and SumK i given by Picat Time to solve the hardest instance AES-92 with r = and obj Step = 29 Less than 24 hours for each subproblem and 35 hours for the complete sum D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 38 / 4
41 Revisiting AES RKD Attacs with CP Differential cryptanalysis of the AES First CP model for Step Second CP model for Step Third CP model for Step CP model for Step 2 Results Conclusion D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 39 / 4
42 Conclusion Better related-ey differential Characteristic For AES-28, For 4 rounds, our solution (proved optimal): obj Step = 2 and Pr = 2 79 (before obj Step = 3 and Pr = 2 8 ) For AES-92, For rounds (not ) best related-ey differential trail: obj Step = 29 and Pr = 2 76 For AES-256, For 4 rounds, our solution (proved optimal): obj Step = 24 and Pr = 2 46 (before Pr = 2 54 ) Declarative framewor for Cryptanalysis? CP models describe problems, not how to solve them: Easier to define and chec than a full program Better solutions than [Biryuov et al 29] and [Fouque et al 23] Models are defined with the MiniZinc language: We can use different CP solvers to solve them D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 4 / 4
43 Thans for Your Attention! Questions? D Gerault (), P Lafourcade (), M Minier (2), C Solnon (3) 4 / 4
Revisiting AES Related-Key Differential Attacks with Constraint Programming
Revisiting AES Related-Key Differential Attacks with Constraint Programming David Gérault, Pascal Lafourcade, Marine Minier, Christine Solnon To cite this version: David Gérault, Pascal Lafourcade, Marine
More informationRelated Key Differential Cryptanalysis of Midori
Related Key Differential Cryptanalysis of Midori Using constraint programming David Gerault Pascal Lafourcade LIMOS, University Clermont Auvergne Gerault, Lafourcade Related Key Differential Cryptanalysis
More informationAnalysis of AES, SKINNY, and Others with Constraint Programming
Analysis of AES, SKINNY, and Others with Constraint Programming Siwei Sun 1,4 David Gerault 2 Pascal Lafourcade 2 Qianqian Yang 1,4 Yosuke Todo 3 Kexin Qiao 1,4 Lei Hu 1,4 1 Institute of Information Engineering,
More informationStructural Evaluation by Generalized Integral Property
Structural Evaluation by Generalized Integral Property Yosue Todo NTT Secure Platform Laboratories, Toyo, Japan todo.yosue@lab.ntt.co.jp Abstract. In this paper, we show structural cryptanalyses against
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang
More informationSubspace Trail Cryptanalysis and its Applications to AES
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and Sondre Rønjom March, 2017 1 / 28 Introduction In the case of AES, several alternative representations (algebraic
More informationFFT-Based Key Recovery for the Integral Attack
FFT-Based Key Recovery for the Integral Attack Yosuke Todo NTT Secure Platform Laboratories Abstract. The integral attack is one of the most powerful attack against block ciphers. In this paper, we propose
More informationImproved Multiple Impossible Differential Cryptanalysis of Midori128
Improved Multiple Impossible Differential Cryptanalysis of Midori128 Mohamed Tolba, Ahmed Abdelkhalek, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University,
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos
More informationOutline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael
Outline CPSC 418/MATH 318 Introduction to Cryptography Advanced Encryption Standard Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in
More informationImproved Slide Attacks
Improved Slide Attacs Eli Biham 1 Orr Dunelman 2 Nathan Keller 3 1 Computer Science Department, Technion. Haifa 32000, Israel biham@cs.technion.ac.il 2 Katholiee Universiteit Leuven, Dept. of Electrical
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationLow Complexity Differential Cryptanalysis and Fault Analysis of AES
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationCryptanalysis of SP Networks with Partial Non-Linear Layers
Cryptanalysis of SP Networks with Partial Non-Linear Layers Achiya Bar-On 1, Itai Dinur 2, Orr Dunkelman 3, Nathan Keller 1, Virginie Lallemand 4, and Boaz Tsaban 1 1 Bar-Ilan University, Israel 2 École
More informationMILP Modeling for (Large) S-boxes to Optimize Probability of Differential Characteristics
MILP Modeling for (Large) S-boxes to Optimize Probability of Differential Characteristics Ahmed Abdelkhalek, Yu Sasaki 2, Yosuke Todo 2, Mohamed Tolba, and Amr M. Youssef :Concordia University, 2: NTT
More informationSome integral properties of Rijndael, Grøstl-512 and LANE-256
Some integral properties of Rijndael, Grøstl-512 and LANE-256 Marine Minier 1, Raphael C.-W. Phan 2, and Benjamin Pousse 3 1 Universit de Lyon, INRIA, INSA-Lyon, CITI, 2 Electronic & Electrical Engineering,
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES
CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.
More informationSecret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:
Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design: Secret Key Systems Encrypting a small block of text (say 64 bits) General considerations
More informationMATH 509 Differential Cryptanalysis on DES
MATH 509 on DES Department of Mathematics, Boise State University Spring 2012 MATH 509 on DES MATH 509 on DES Feistel Round Function for DES MATH 509 on DES 1977: DES is approved as a standard. 1 1 Designers:
More informationAn average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and
An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationDifferential Fault Analysis of AES using a Single Multiple-Byte Fault
Differential Fault Analysis of AES using a Single Multiple-Byte Fault Subidh Ali 1, Debdeep Mukhopadhyay 1, and Michael Tunstall 2 1 Department of Computer Sc. and Engg, IIT Kharagpur, West Bengal, India.
More informationIntegrals go Statistical: Cryptanalysis of Full Skipjack Variants
Integrals go Statistical: Cryptanalysis of ull Skipjack Variants Meiqin Wang mqwang@sdu.edu.cn Joint Work with Tingting Cui, Huaifeng Chen, Ling Sun, Long Wen, Andrey Bogdanov Shandong University, China;
More informationarxiv: v1 [cs.cr] 13 Sep 2016
Hacking of the AES with Boolean Functions Michel Dubois Operational Cryptology and Virology Laboratory Éric Filiol Operational Cryptology and Virology Laboratory September 14, 2016 arxiv:1609.03734v1 [cs.cr]
More informationCryptanalysis of SP Networks with Partial Non-Linear Layers
Cryptanalysis of SP Networks with Partial Non-Linear Layers Achiya Bar-On 1, Itai Dinur 2, Orr Dunkelman 3,5,, Virginie Lallemand 4,, Nathan Keller 1,5,, and Boaz Tsaban 1 1 Department of Mathematics,
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationIntroduction to Symmetric Cryptography
Introduction to Symmetric Cryptography COST Training School on Symmetric Cryptography and Blockchain Stefan Kölbl February 19th, 2018 DTU Compute, Technical University of Denmark Practical Information
More informationRelated-Key Rectangle Attack on Round-reduced Khudra Block Cipher
Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationCube Attacks on Stream Ciphers Based on Division Property
Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23 Plan 1 Cube Attack:
More informationVirtual isomorphisms of ciphers: is AES secure against differential / linear attack?
Alexander Rostovtsev alexander. rostovtsev@ibks.ftk.spbstu.ru St. Petersburg State Polytechnic University Virtual isomorphisms of ciphers: is AES secure against differential / linear attack? In [eprint.iacr.org/2009/117]
More informationSubspace Trail Cryptanalysis and its Applications to AES
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi 1, Christian Rechberger 1,3 and Sondre Rønjom 2,4 1 IAIK, Graz University of Technology, Austria 2 Nasjonal sikkerhetsmyndighet,
More informationProvably Secure Higher-Order Masking of AES
Provably Secure Higher-Order Masking of AES Matthieu Rivain 1 and Emmanuel Prouff 2 1 CryptoExperts matthieu.rivain@cryptoexperts.com 2 Oberthur Technologies e.prouff@oberthur.com Abstract. Implementations
More informationAutomatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)
Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version) Shengbao Wu 1,2, Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190,
More informationTowards Provable Security of Substitution-Permutation Encryption Networks
Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,
More information1. Write a program to calculate distance traveled by light
G. H. R a i s o n i C o l l e g e O f E n g i n e e r i n g D i g d o h H i l l s, H i n g n a R o a d, N a g p u r D e p a r t m e n t O f C o m p u t e r S c i e n c e & E n g g P r a c t i c a l M a
More informationAES side channel attacks protection using random isomorphisms
Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random
More informationMILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers
MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers Ling Sun 1, Wei Wang 1, Meiqin Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security,
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More information7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks
More information(Solution to Odd-Numbered Problems) Number of rounds. rounds
CHAPTER 7 AES (Solution to Odd-Numbered Problems) Review Questions. The criteria defined by NIST for selecting AES fall into three areas: security, cost, and implementation. 3. The number of round keys
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-18 Pierre-Alain Fouque 1, Jérémy Jean,, and Thomas Peyrin 3 1 Université de Rennes 1, France École Normale Supérieure, France 3
More informationImproved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning
Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gaëtan Leurent Inria, France Abstract. In this work we study the security of Chaskey, a recent lightweight MAC designed by
More informationSecurity Evaluation of Stream Cipher Enocoro-128v2
Security Evaluation of Stream Cipher Enocoro-128v2 Hell, Martin; Johansson, Thomas 2010 Link to publication Citation for published version (APA): Hell, M., & Johansson, T. (2010). Security Evaluation of
More informationSTP Models of Optimal Differential and Linear Trail for S-box Based Ciphers
STP Models of Optimal Differential and Linear Trail for S-box Based Ciphers Yu Liu 1,2, Huicong Liang 1, Muzhou Li 1, Luning Huang 1, Kai Hu 1, Chenhe Yang 1, and Meiqin Wang 1,3 1 Key Laboratory of Cryptologic
More informationA New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent
A New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent Joo Yeon Cho, Miia Hermelin, and Kaisa Nyberg Helsinki University of Technology, Department of Information
More informationLecture 4: DES and block ciphers
Lecture 4: DES and block ciphers Johan Håstad, transcribed by Ernir Erlingsson 2006-01-25 1 DES DES is a 64 bit block cipher with a 56 bit key. It selects a 64 bit block and modifies it depending on the
More informationSecurity of the AES with a Secret S-box
Security of the AES with a Secret S-box Tyge Tiessen, Lars R Knudsen, Stefan Kölbl, and Martin M Lauridsen {tyti,lrkn,stek,mmeh}@dtudk DTU Compute, Technical University of Denmark, Denmark Abstract How
More informationTHE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018
THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 CPSC 418/MATH 318 L01 October 17, 2018 Time: 50 minutes
More informationOn Correlation Between the Order of S-boxes and the Strength of DES
On Correlation Between the Order of S-boxes and the Strength of DES Mitsuru Matsui Computer & Information Systems Laboratory Mitsubishi Electric Corporation 5-1-1, Ofuna, Kamakura, Kanagawa, 247, Japan
More informationCryptanalysis of the Light-Weight Cipher A2U2 First Draft version
Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Mohamed Ahmed Abdelraheem, Julia Borghoff, Erik Zenner Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark {M.A.Abdelraheem,J.Borghoff,E.Zenner}@mat.dtu.dk
More informationDifferential Analaysis of Block Ciphers SIMON and SPECK
1 / 36 Differential Analaysis of Block Ciphers SIMON and SPECK Alex Biryukov, Arnab Roy, Vesselin Velichkov 2 / 36 Outline Introduction Light-Weight Block Ciphers: SIMON and SPECK Differential Anlaysis
More informationTable Of Contents. ! 1. Introduction to AES
1 Table Of Contents! 1. Introduction to AES! 2. Design Principles behind AES Linear Cryptanalysis Differential Cryptanalysis Square Attack Biclique Attack! 3. Quantum Cryptanalysis of AES Applying Grover
More informationA SIMPLIFIED RIJNDAEL ALGORITHM AND ITS LINEAR AND DIFFERENTIAL CRYPTANALYSES
A SIMPLIFIED RIJNDAEL ALGORITHM AND ITS LINEAR AND DIFFERENTIAL CRYPTANALYSES MOHAMMAD MUSA, EDWARD F SCHAEFER, AND STEPHEN WEDIG Abstract In this paper, we describe a simplified version of the Rijndael
More informationLOOKING INSIDE AES AND BES
23 LOOKING INSIDE AES AND BES Ilia Toli, Alberto Zanoni Università degli Studi di Pisa Dipartimento di Matematica Leonida Tonelli Via F. Buonarroti 2, 56127 Pisa, Italy {toli, zanoni}@posso.dm.unipi.it
More informationThe Improbable Differential Attack. Cryptanalysis of Reduced Round CLEFIA
: Cryptanalysis of Reduced Round CLEFIA École Polytechnique Fédérale de Lausanne, Switzerland (This work was done at) Institute of Applied Mathematics Middle East Technical University, Ankara, Turkey INDOCRYPT
More informationSome attacks against block ciphers
Some attacks against block ciphers hristina Boura École de printemps en codage et cryptographie May 19, 2016 1 / 59 Last-round attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3
More informationClassical Cryptography
Classical Cryptography CSG 252 Fall 2006 Riccardo Pucella Goals of Cryptography Alice wants to send message X to Bob Oscar is on the wire, listening to communications Alice and Bob share a key K Alice
More informationSieve-in-the-Middle: Improved MITM Attacks (Full Version )
Sieve-in-the-Middle: Improved MITM Attacks (Full Version ) Anne Canteaut 1, María Naya-Plasencia 1, and Bastien Vayssière 2 1 Inria Paris-Rocquencourt, project-team SECRET B.P. 105, 78153 Le Chesnay cedex,
More informationImproved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly (Full Version)
Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly (Full Version) Qingju Wang 1,2,3, Yonglin Hao 4, Yosuke Todo 5, Chaoyun Li 6, Takanori Isobe 7, and Willi Meier
More informationDES S-box Generator. 2 EPFL, Switzerland
DES S-box Generator Lauren De Meyer 1 and Serge Vaudenay 2 lauren.demeyer@student.kuleuven.be serge.vaudenay@epfl.ch 1 KU Leuven, Belgium 2 EPFL, Switzerland Abstract. The Data Encryption Standard (DES)
More informationS-box (Substitution box) is a basic component of symmetric
JOURNAL OF L A TEX CLASS FILES, VOL., NO., AUGUST 1 Characterizations of the Degraded Boolean Function and Cryptanalysis of the SAFER Family Wentan Yi and Shaozhen Chen Abstract This paper investigates
More informationOvertaking VEST. 45, avenue des États-Unis, Versailles Cedex, France 3 DCSSI Crypto Lab
Overtaking VEST Antoine Joux 1,2 and Jean-René Reinhard 3 1 DGA 2 Université de Versailles St-Quentin-en-Yvelines, PRISM 45, avenue des États-Unis, 78035 Versailles Cedex, France antoine.joux@m4x.org 3
More informationON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD
ON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD Paul D. Yacoumis Supervisor: Dr. Robert Clarke November 2005 Thesis submitted for the degree of Honours in Pure Mathematics Contents 1 Introduction
More informationBlock ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit
Block ciphers Block ciphers Myrto Arapinis School o Inormatics University o Edinburgh January 22, 2015 A block cipher with parameters k and l is a pair o deterministic algorithms (E, D) such that Encryption
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationImpossible Differential Attacks on 13-Round CLEFIA-128
Mala H, Dakhilalian M, Shakiba M. Impossible differential attacks on 13-round CLEFIA-128. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 26(4): 744 750 July 2011. DOI 10.1007/s11390-011-1173-0 Impossible Differential
More informationImpossible Differential Cryptanalysis of Mini-AES
Impossible Differential Cryptanalysis of Mini-AES Raphael Chung-Wei Phan ADDRESS: Swinburne Sarawak Institute of Technology, 1 st Floor, State Complex, 93576 Kuching, Sarawak, Malaysia. rphan@swinburne.edu.my
More informationNew Insights on AES-Like SPN Ciphers
New Insights on AES-Like SPN Ciphers Bing Sun 1,2,3, Meicheng Liu 3,4, Jian Guo 3, Longjiang Qu 1, Vincent Rijmen 5 1 College of Science, National University of Defense Technology, Changsha, Hunan, P.R.China,
More informationMultiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs
Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs Alex Biryukov 1,2, Dmitry Khovratovich 2, Léo Perrin 2 1 CSC, University of Luxembourg 2 SnT, University of Luxembourg https://www.cryptolux.org
More informationCiphertext-only Cryptanalysis of a Substitution Permutation Network
Ciphertext-only Cryptanalysis of a Substitution Permutation Network No Author Given No Institute Given Abstract. We present the first ciphertext-only cryptanalytic attack against a substitution permutation
More informationLinear Cryptanalysis of DES with Asymmetries
Linear Cryptanalysis of DES with Asymmetries Andrey Bogdanov and Philip S. Vejre Technical University of Denmark {anbog,psve}@dtu.dk Abstract. Linear cryptanalysis of DES, proposed by Matsui in 1993, has
More informationMILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers
MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers Ling Sun 1, Wei Wang 1, Meiqin Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security,
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationAlgebraic Aspects of Symmetric-key Cryptography
Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques
More informationAutomatic Search of Attacks on round-reduced AES and Applications
Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet, Patrick Derbez, and Pierre-Alain Fouque ENS, CNRS, INRIA, 45 rue d Ulm, 75005 Paris, France {charles.bouillaguet,patrick.derbez,pierre-alain.fouque}@ens.fr
More informationDifferential Fault Analysis on DES Middle Rounds
Differential Fault Analysis on DES Middle Rounds Matthieu Rivain Speaker: Christophe Giraud Oberthur Technologies Agenda 1 Introduction Data Encryption Standard DFA on DES Last & Middle Rounds 2 Our Attack
More informationCube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version)
Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) Yosuke Todo 1, Takanori Isobe 2, Yonglin Hao 3, and Willi Meier 4 1 NTT Secure Platform Laboratories, Tokyo 180-8585,
More informationAkelarre. Akelarre 1
Akelarre Akelarre 1 Akelarre Block cipher Combines features of 2 strong ciphers o IDEA mixed mode arithmetic o RC5 keyed rotations Goal is a more efficient strong cipher Proposed in 1996, broken within
More informationAutomatic Search of Attacks on Round-Reduced AES and Applications
Automatic Search of Attacks on Round-Reduced AES and Applications Charles Bouillaguet, Patrick Derbez, and Pierre-Alain Fouque ENS, CNRS, INRIA, 45 rue d Ulm, 75005 Paris, France {charles.bouillaguet,patrick.derbez,pierre-alain.fouque}@ens.fr
More informationBLOCK CIPHERS KEY-RECOVERY SECURITY
BLOCK CIPHERS and KEY-RECOVERY SECURITY Mihir Bellare UCSD 1 Notation Mihir Bellare UCSD 2 Notation {0, 1} n is the set of n-bit strings and {0, 1} is the set of all strings of finite length. By ε we denote
More informationModule 2 Advanced Symmetric Ciphers
Module 2 Advanced Symmetric Ciphers Dr. Natarajan Meghanathan Professor of Computer Science Jackson State University E-mail: natarajan.meghanathan@jsums.edu Data Encryption Standard (DES) The DES algorithm
More informationand Céline Blondeau October 8, 2012 joint work with Benoît Gérard and Kaisa Nyberg Multiple differential cryptanalysis using LLR and October, 8 1/27
Multiple differential cryptanalysis using LLR and Céline Blondeau joint work with Benoît Gérard and Kaisa Nyberg October 8, 2012 1/27 Outline Introduction Block Ciphers Differential Cryptanalysis Last
More informationIntroduction to Cryptography Lecture 4
Data Integrity, Message Authentication Introduction to Cryptography Lecture 4 Message authentication Hash functions Benny Pinas Ris: an active adversary might change messages exchanged between and M M
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li, Bing Sun, Chao Li, Longjiang Qu National University of Defense Technology, Changsha, China ACISP 2010, Sydney, Australia 5
More informationComplementing Feistel Ciphers
Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,
More informationApplying Grover s algorithm to AES: quantum resource estimates
Applying Grover s algorithm to AES: quantum resource estimates Markus Grassl 1, Brandon Langenberg 2, Martin Roetteler 3 and Rainer Steinwandt 2 1 Universität Erlangen-Nürnberg & Max Planck Institute for
More informationDifferential Fault Analysis on A.E.S.
Differential Fault Analysis on A.E.S. P. Dusart, G. Letourneux, O. Vivolo 01/10/2002 Abstract We explain how a differential fault analysis (DFA) works on AES 128, 192 or 256 bits. Contents 1 Introduction
More informationStream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida
Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits
More informationAES [and other Block Ciphers] Implementation Tricks
AES [and other Bloc Ciphers] Implementation Trics Cryptographic algorithms Basic primitives Survey by Stephen et al, LNCS 1482, Sep. 98 General Structure of a Bloc Cipher Useful Properties for Implementing
More informationInside Keccak. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1. Keccak & SHA-3 Day Université Libre de Bruxelles March 27, 2013
Inside Keccak Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Keccak & SHA-3 Day Université Libre de Bruxelles March 27, 2013 1 / 49 Outline
More informationDD2448 Foundations of Cryptography Lecture 3
DD2448 Foundations of Cryptography Lecture 3 Douglas Wikström KTH Royal Institute of Technology dog@kth.se February 3, 2016 Linear Cryptanalysis of the SPN Basic Idea Linearize Find an expression of the
More informationZero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA
Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Andrey Bogdanov, Meiqin Wang Technical University of Denmark, Shandong University, China ESC 2013,
More informationCHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT
82 CHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT 83 5.1 Introduction In a pioneering paper, Hill [5] developed a block cipher by using the modular arithmetic inverse
More informationCryptanalysis of the SIMON Family of Block Ciphers
Cryptanalysis of the SIMON Family of Block Ciphers Hoda A. Alkhzaimi and Martin M. Lauridsen DTU Compute Section for Cryptology Department of Applied Mathematics and Computer Science Matematiktorvet, building
More informationSOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies
SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by
More informationA Stochastic Model for Differential Side Channel Cryptanalysis
A Stochastic Model for Differential Side Channel Cryptanalysis Werner Schindler 1, Kerstin Lemke 2, Christof Paar 2 1 Bundesamt für Sicherheit in der Informationstechnik (BSI) 53175 Bonn, Germany 2 Horst
More informationBISON Instantiating the Whitened Swap-Or-Not Construction November 14th, 2018
BION Instantiating the Whitened wap-or-not Construction November 14th, 2018 FluxFingers Workgroup ymmetric Cryptography, Ruhr University Bochum Virginie Lallemand, Gregor Leander, Patrick Neumann, and
More information