Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:
|
|
- Vivien Jennifer Morton
- 5 years ago
- Views:
Transcription
1 Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:
2 Secret Key Systems Encrypting a small block of text (say 64 bits) General considerations for cipher design: Encrypted data should look random. As though someone flipped a fair coin 64 times and heads means 1 and tails 0. Any change in one bit of output corresponds to a huge change in the input (bits are uncorrelated). Should be about as many 1's as 0's usually.
3 Secret Key Systems Encrypting a small block of text (say 64 bits) General considerations for cipher design: Encrypted data should look random. As though someone flipped a fair coin 64 times and heads means 1 and tails 0. Any change in one bit of output corresponds to a huge change in the input (bits are uncorrelated). Should be about as many 1's as 0's usually. Try to spread the influence of each input bit to all output bits and change in one input bit should have 50% chance of changing any of the output bits (hence many rounds).
4 Secret Key Systems Encrypting a small block of text (say 64 bits) General considerations for cipher design: Encrypted data should look random. As though someone flipped a fair coin 64 times and heads means 1 and tails 0. Any change in one bit of output corresponds to a huge change in the input (bits are uncorrelated). Should be about as many 1's as 0's usually. Try to spread the influence of each input bit to all output bits and change in one input bit should have 50% chance of changing any of the output bits (hence many rounds). Operations should be invertible hence xor and table lookup. Use of one key for both encryption and decryption.
5 Secret Key Systems Encrypting a small block of text (say 64 bits) General considerations for cipher design: Encrypted data should look random. As though someone flipped a fair coin 64 times and heads means 1 and tails 0. Any change in one bit of output corresponds to a huge change in the input (bits are uncorrelated). Should be about as many 1's as 0's usually. Try to spread the influence of each input bit to all output bits and change in one input bit should have 50% chance of changing any of the output bits (hence many rounds). Operations should be invertible hence xor and table lookup. Use of one key for both encryption and decryption. Attacks may be mitigated if they rely on operations that are not efficiently implemented in hardware yet allow normal operation to complete efficiently, even in software (permute).
6 Secret Key Systems Encrypting a small block of text (say 64 bits) What is considered a successful attack? Suppose some plaintext is known (a crib) and it is desired to find the key. If the cipher were generating truly random output, an attack on a key should take 2 55 tries, on the average, for 56 bit keys. If someone can find a way to guarantee finding a key in 2 50 tries even, then the cipher is considered broken.
7 Secret Key Systems - DES IBM/NSA bit blocks, 56 bit key, 8 bits parity 64 bit input block 32 bit L i 32 bit R i Encryption Round Mangler Function K i 32 bit L i+1 32 bit R i+1 64 bit output block
8 Secret Key Systems - DES IBM/NSA bit blocks, 56 bit key, 8 bits parity 64 bit input block 64 bit output block 32 bit L i 32 bit R i 32 bit L i 32 bit R i Encryption Round Mangler Function K n Decryption Round Mangler Function K n 32 bit L i+1 32 bit R i+1 32 bit L i+1 32 bit R i+1 64 bit output block 64 bit input block
9 Secret Key Systems - DES Generating per round keys K from the 56 bit Key + 8 parity bits Key bits:
10 Secret Key Systems - DES Generating per round keys K from the 56 bit Key + 8 parity bits Key bits: C 0 : D 0 :
11 Secret Key Systems - DES Generating per round keys K from the 56 bit Key + 8 parity bits Key bits: C 0 : D 0 : Each round: K i has 48 bits assembled in 2 halves permuted from 24 bits each of C i and D i, K i+1 is obtained by rotating C i and D i left to form C i+1 and D i+1 (rotation is 1 bit for rounds 1,2,9,16 and 2 bits for other rounds)
12 Secret Key Systems - DES Generating per round keys K from the 56 bit Key + 8 parity bits Key bits: C 0 : D 0 : Each round: K i has 48 bits assembled in 2 halves permuted from 24 bits each of C i and D i, K i+1 is obtained by rotating C i and D i left to form C i+1 and D i+1 (rotation is 1 bit for rounds 1,2,9,16 and 2 bits for other rounds) Permutations: Left half C i : (9,18,22,25 are missing) Right half D i : (35,38,43,54 are missing)
13 Secret Key Systems - DES The Mangler function: mixes 32 bit input with 48 bit key to produce 32 bits 32 bit R i Mangler Function K i 32 bit R i+1
14 Secret Key Systems - DES The Mangler function: mixes 32 bit input with 48 bit key to produce 32 bits 32 bit R i 1. Expansion of input bits: Mangler Function K i 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 32 bit R i+1
15 Secret Key Systems - DES The Mangler function: mixes 32 bit input with 48 bit key to produce 32 bits 32 bit R i 1. Expansion of input bits: Mangler Function K i 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits R i (32 bits)... 6 bits 6 bits 6 bits 6 bits 6 bits 6 bits 6 bits 6 bits 32 bit R i+1
16 Secret Key Systems - DES The Mangler function: mixes 32 bit input with 48 bit key to produce 32 bits 32 bit R i 1. Expansion of input bits: Mangler Function 32 bit R i+1 K i 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 6 bits 6 bits 6 bits 6 bits 6 bits 6 bits 6 bits 6 bits... Expanded input (48 bits) 6 bits 6 bits 6 bits 6 bits 6 bits 6 bits 6 bits 6 bits K i (48 bits) R i (32 bits)
17 Secret Key Systems - DES The Mangler function: mixes 32 bit input with 48 bit key to produce 32 bits 32 bit R i 1. Expansion of input bits: Mangler Function K i 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits R i (32 bits) 6 bits 6 bits 6 bits 6 bits 6 bits 6 bits 6 bits 6 bits... Expanded input (48 bits) 6 bits 6 bits 6 bits 6 bits 6 bits 6 bits 6 bits 6 bits 32 bit R i+1 S-Box i 6 bits K i (48 bits) 2. Mixing with key:... 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits
18 Secret Key Systems - DES The Mangler function: mixes 32 bit input with 48 bit key to produce 32 bits 32 bit R i 1. Expansion of input bits: Mangler Function K i 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits R i (32 bits) 6 bits 6 bits 6 bits 6 bits 6 bits 6 bits 6 bits 6 bits... Expanded input (48 bits) 6 bits 6 bits 6 bits 6 bits 6 bits 6 bits 6 bits 6 bits 32 bit R i+1 6 bits K i (48 bits) 2. Mixing with key:... S-Box i 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits 4 bits R i+1 (32 bits)
19 Secret Key Systems - DES The S-Box: maps 6 bit blocks to 4 bit sections S-Box 1 (first 6 bits): Input bits 2,3,4, Input bits 1 and 6 Final permutation:
20 Secret Key Systems - DES Weak and semi-weak keys: If key is such that C 0 or D 0 are: 1) all 0s; 2) all 1s; 3) alternating 1s and 0s, then attack is easy. There are 16 such keys. Keys for which C 0 and D 0 are both 0 or both 1 are called weak (encrypting with key gives same result as decrypting).
21 Secret Key Systems - DES Weak and semi-weak keys: If key is such that C 0 or D 0 are: 1) all 0s; 2) all 1s; 3) alternating 1s and 0s, then attack is easy. There are 16 such keys. Keys for which C 0 and D 0 are both 0 or both 1 are called weak (encrypting with key gives same result as decrypting). Discussion: 1. Not much known about the design not made public Probably attempt to prevent known attacks 2. Changing S-Boxes has resulted in provably weaker system
22 Two keys and K 2 : Secret Key Systems - 3DES K 2 K 2 m E D E c encryption c D E D m decryption
23 Two keys and K 2 : Secret Key Systems - 3DES K 2 K 2 m E D E c encryption c D E D m decryption Why not 2DES 1. Double encryption with the same key still requires searching 2 56 keys
24 Two keys and K 2 : Secret Key Systems - 3DES K 2 K 2 m E D E c encryption c D E D m decryption Why not 2DES 1. Double encryption with the same key still requires searching 2 56 keys 2. Double encryption with two different keys is just as vulnerable as DES due to the following, assuming some <m,c> pairs are known:
25 Two keys and K 2 : Secret Key Systems - 3DES K 2 K 2 m E D E c encryption c D E D m decryption Why not 2DES 1. Double encryption with the same key still requires searching 2 56 keys 2. Double encryption with two different keys is just as vulnerable as DES due to the following, assuming some <m,c> pairs are known: 56{ m: E(, m)
26 Two keys and K 2 : Secret Key Systems - 3DES K 2 K 2 m E D E c encryption c D E D m decryption Why not 2DES 1. Double encryption with the same key still requires searching 2 56 keys 2. Double encryption with two different keys is just as vulnerable as DES due to the following, assuming some <m,c> pairs are known: 2 56{ m: E(, m) { c: K 2 D(K 2, c)
27 Two keys and K 2 : Secret Key Systems - 3DES K 2 K 2 m E D E c encryption c D E D m decryption Why not 2DES 1. Double encryption with the same key still requires searching 2 56 keys 2. Double encryption with two different keys is just as vulnerable as DES due to the following, assuming some <m,c> pairs are known: 2 56{ m: E(, m) { c: K 2 D(K 2, c)
28 Two keys and K 2 : Secret Key Systems - 3DES K 2 K 2 m E D E c encryption c D E D m decryption Why not 2DES 1. Double encryption with the same key still requires searching 2 56 keys 2. Double encryption with two different keys is just as vulnerable as DES due to the following, assuming some <m,c> pairs are known: 2 56{ m: E(, m) { c: K 2 D(K 2, c) Test matches on other <m,c> pairs m E(K ,m) D(K ,c) c
29 Secret Key Systems - 3DES Why not 2DES 2. Double encryption with two different keys is just as vulnerable as DES due to the following, assuming some <m,c> pairs are known: How many <m,c> pairs do you need? 2 64 possible blocks 2 56 table entries each block has probability 2-8 = 1/256 of showing in a table probability a block is in both tables is 2-16 average number of matches is 2 48 average number of matches for two <m,c> pairs is about 2 32 for three <m,c> pairs is about 2 16 for four <m,c> pairs is about Triple encryption with two different keys bits of key is considered enough - straightforward to find a triple of keys that maps a given plaintext to a given ciphertext (no known attack with 2 keys) - EDE: use same keys to get DES, EEE: effect of permutations lost
30 CBC with 3DES: Secret Key Systems - 3DES m i m i+1 m i m i+1 E E E E K 2 D D K 2 D D E E c i c i+1 E E outside c i c i+1 inside
31 Secret Key Systems - 3DES CBC with 3DES: 1. On the outside same attack as with CBC change a block with side effect of garbling another 2. On the inside attempt at changing a block results in all block garbled to the end of the message. 3. On the inside use three times as much hardware to pipeline encryptions resulting in DES speeds. 4. On the outside EDE simply is a drop-in replacement for what might have been there before.
32 Secret Key Systems - IDEA ETH Zuria bit blocks, 128 bit key, 0 bits parity: 64 bit input block Odd Encryption Round 16 bit X i,a 16 bit X i,b 16 bit X i,c 16 bit X i,d Multiplication mod K K i,a i,a K i,a K i,a is treated as 2 16 (invertible) 16 bit X i+1,a 16 bit X i+1,b 16 bit X i+1,c 16 bit X i+1,d Addition but throw away carries 64 bit output block
33 Secret Key Systems - IDEA ETH Zuria bit blocks, 128 bit key, 0 bits parity: 64 bit input block Even Encryption Round 16 bit X i,a 16 bit X i,b 16 bit X i,c 16 bit X i,d Mangler Function Ki,e K i,f 16 bit X i+1,a 16 bit X i+1,b 16 bit X i+1,c 16 bit X i+1,d Y in = X i,a X i,b Z in = X i,c X i,d Y out = ((K i,e Y in ) Z in K i,f Z out = (K i,e Y in ) Y out X i+1,a = X i,a Y out X i+1,b = X i,b Y out X i+1,c = X i,c Z out X i+1,d = X i,d Z out 64 bit output block
34 Secret Key Systems - IDEA Key generation bit keys needed (2 per even round 4 per odd): 128 bit key,a,b,c,d K 2,e K 2,f K 3,a K 3,b
35 Secret Key Systems - IDEA Key generation bit keys needed (2 per even round 4 per odd): 128 bit key,a,b,c,d K 2,e K 2,f K 3,a K 3,b 128 bit key 128 bit key... K 3,c K 3,d K 4,e K 4,f K 5,a K 5,b K 5,c K 5,d 25 bits
36 Secret Key Systems - AES NIST (2001) parameterized key size (128 bits to 256 bits) 4N b octet inp 4N k octet key a 0,0 a 0,3 k 0,0 k 0,3 a 1,0 a 2,0... a 1,3 a 2,3 k 1,0 k 2,0... k 1,3 k 2,3 a 3,0 a 3,3 k 3,0 k 3,3 key expansion K 0... round 1...
37 Secret Key Systems - AES The State: An array of four rows and N b columns each element is a byte. Initially: next block of 4N b input bytes. Execution: all operations are performed on the State. Example: N b = 4 in 0 in 4 in 8 in 12 s 0,0 s 0,1 s 0,2 s 0,3 in 1 in 5 in 9 in 13 s 1,1 s 1,2 s 1,3 s 1,0 in 2 in 6 in 10 in 14 s 2,2 s 2,3 s 2,0 s 2,1 in 3 in 7 in 11 in 15 s 3,3 s 3,0 s 3,1 s 3,2
38 Secret Key Systems - AES Addition: modulo 2 addition (xor) of polynomials of maximum degree 7 Examples: (x 6 +x 4 +x 2 +x 1 +1) + (x 7 +x 1 +1) = x 7 +x 6 +x 4 +x 2 (polynomial) = (binary notation) 0x57 0x83 = D4 (hexadecimal)
39 Secret Key Systems - AES Multiplication of two degree 7 polynomials (bytes): Just like ordinary multiplication except mod m(x) = (x 8 +x 4 +x 3 +x 1 +1) Reason: for each byte there will be an inverse: a a -1 = 1 mod m(x) Basis: x b = b 7 x 8 + b 6 x 7 + b 5 x 6 + b 4 x 5 + b 3 x 4 + b 2 x 3 + b 1 x 2 + b 0 x Shift b left by 1, if result has a degree 8 bit, xor with m(x) This operation is called xtime(x) = (x << 1) (((x >> 7) & 1) * 0x11b)
40 Secret Key Systems - AES Multiplication of two degree 7 polynomials (bytes): Just like ordinary multiplication except mod m(x) = (x 8 +x 4 +x 3 +x 1 +1) Reason: for each byte there will be an inverse: a a -1 = 1 mod m(x) Basis: x b = b 7 x 8 + b 6 x 7 + b 5 x 6 + b 4 x 5 + b 3 x 4 + b 2 x 3 + b 1 x 2 + b 0 x Shift b left by 1, if result has a degree 8 bit, xor with m(x) This operation is called xtime(x) = (x << 1) (((x >> 7) & 1) * 0x11b) Example: xtime(x 7 + x 5 + x 3 + x 2 + x) = x 6 + x 2 + x + 1 or = or xtime(0xae) = 0x47 Example: (x 6 + x 4 + x 2 + x 1 + 1) (x 4 + x + 1) = 0x57 0x13 (x 6 + x 4 + x 2 + x 1 + 1) x = xtime(0x57) = 0xAE (x 6 + x 4 + x 2 + x 1 + 1) x 2 = xtime(0xae) = 0x47 (x 6 + x 4 + x 2 + x 1 + 1) x 3 = xtime(0x47) = 0x8E (x 6 + x 4 + x 2 + x 1 + 1) x 4 = xtime(0x8e) = 0x7 0x57 0x13 = 0x7 0xAE 0x57 = 0xFE
41 Byte substitutions (S-Box): Secret Key Systems - AES Find the inverse of a polynomial: a(x) b(x) m(x) c(x) = 1 Example: 0x57 0xBF = 1 so 0xBF is the inverse of 0x57 S-Box number: Apply the transformation on the right to the inverse Example: getsbox(0x57) = 0x5B b 0 ' b 0 1 b 1 ' b 1 1 b 2 ' b 2 0 b 3 ' = b 3 0 b 4 ' b 4 0 b 5 ' b 5 1 b 6 ' b 6 1 b 7 ' b 7 0
42 The S-Box: Secret Key Systems - AES y a b c d e f c 77 7b f2 6b 6f c b fe d7 ab 76 1 ca 82 c9 7d fa f0 ad d4 a2 af 9c a4 72 c0 2 b7 fd f f7 cc 34 a5 e5 f1 71 d c7 23 c a e2 eb 27 b c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf 6 d0 ef aa fb 43 4d f9 02 7f 50 3c 9f a8 x 7 51 a3 40 8f 92 9d 38 f5 bc b6 da ff f3 d2 8 cd 0c 13 ec 5f c4 a7 7e 3d 64 5d f dc 22 2a ee b8 14 de 5e 0b db a e0 32 3a 0a c c2 d3 ac e4 79 b e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08 c ba e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a d 70 3e b f6 0e b9 86 c1 1d 9e e e1 f d9 8e 94 9b 1e 87 e9 ce df f 8c a1 89 0d bf e d 0f b0 54 bb 16
43 The Inverse S-Box: Secret Key Systems - AES y a b c d e f a d a5 38 bf 40 a3 9e 81 f3 d7 fb 1 7c e b 2f ff e c4 de e9 cb b a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e e a d9 24 b2 76 5b a2 49 6d 8b d f8 f d4 a4 5c cc 5d 65 b c fd ed b9 da 5e a7 8d 9d d8 ab 00 8c bc d3 0a f7 e b8 b x 7 d0 2c 1e 8f ca 3f 0f 02 c1 af bd a 6b 8 3a f 67 dc ea 97 f2 cf ce f0 b4 e ac e7 ad e2 f9 37 e8 1c 75 df 6e a 47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b b fc 56 3e 4b c6 d a db c0 fe 78 cd 5a f4 c 1f dd a c7 31 b ec 5f d f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef e a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c f 17 2b 04 7e ba 77 d6 26 e c 7d
44 Secret Key Systems - AES Four term polynomials with 8 bit coefficients: State columns will be represented by such polynomials. We will want to transform columns by multiplication, modulo a polynomial, as was done to get the S-Box. However, in this case the maximum degree is 3 and the coefficients are bytes, not bits. The idea is to multiply a column polynomial by the fixed polynomial a(x) = 3x 3 + x 2 + x + 2 mod x Equivalently: a(x) b(x) = d(x) = d 3 x 3 + d 2 x 2 + d 1 x + d 0 where d 0 = (2 b 0 ) (3 b 1 ) (1 b 2 ) (1 b 3 ) d 1 = (1 b 0 ) (2 b 1 ) (3 b 2 ) (1 b 3 ) d 2 = (1 b 0 ) (1 b 1 ) (2 b 2 ) (3 b 3 ) d 3 = (3 b 0 ) (1 b 1 ) (1 b 2 ) (2 b 3 ) Observe: d i is influenced by all four bytes of original column Example: a(x) (0xBx 3 + 0xDx 2 + 0x9x + 0xE) = 1
45 void Cipher () { int i, j, round=0; } Secret Key Systems - AES // Nr is the number of rounds // Copy the input PlainText to state array. state = in; AddRoundKey(0); for (round=1 ; round < Nr ; round++) { SubBytes(); ShiftRows(); MixColumns(); AddRoundKey(round); } SubBytes(); ShiftRows(); AddRoundKey(Nr); // Copy the state array to the Output array. out = state;
46 SubBytes ( ): Secret Key Systems - AES s 0,0 s 0,1 s 0,2 s 0,3 gsx(s 0,0 ) gsx(s 0,1 ) gsx(s 0,2 ) gsx(s 0,3 ) s 1,0 s 1,1 s 1,2 s 1,3 s 2,0 s 2,1 s 2,2 s 2,3 s 3,0 s 3,1 s 3,2 s 3,3 gsx(s 1,0 ) gsx(s 1,1 ) gsx(s 1,2 ) gsx(s 1,3 ) gsx(s 2,0 ) gsx(s 2,1 ) gsx(s 2,2 ) gsx(s 2,3 ) gsx(s 3,0 ) gsx(s 3,1 ) gsx( s 3,2 ) gsx(s 3,3 ) Function gsx(a) maps a to the character it indexes in the S-Box
47 ShiftRows ( ): Secret Key Systems - AES s 0,0 s 0,1 s 0,2 s 0,3 s 0,0 s 0,1 s 0,2 s 0,3 s 1,0 s 1,1 s 1,2 s 1,3 s 1,1 s 1,2 s 1,3 s 1,0 s 2,0 s 2,1 s 2,2 s 2,3 s 2,2 s 2,3 s 2,0 s 2,1 s 3,0 s 3,1 s 3,2 s 3,3 s 3,3 s 3,0 s 3,1 s 3,2 N b Row
48 MixColumns ( ) : Secret Key Systems - AES s' 0,c s 0,c s' 1,c = s 1,c s 2,c ' s 2,c s 3,c ' s 3,c tmp = s 0,c s 1,c s 2,c s 3,c s 0,c = xtime(s 0,c s 1,c ) tmp s 0,c s 1,c = xtime(s 1,c s 2,c ) tmp s 1,c s 2,c = xtime(s 2,c s 3,c ) tmp s 2,c s 3,c = xtime(s 0,c s 3,c ) tmp s 3,c Replace state columns by matrix multiplication ( and ) above Columns are considered as polynomials over GF(2 8 ) and multiplied mod x 4 +1 by a fixed polynomial given by 3x 3 + x 2 + x + 2 Example: 0xD4 0xBF 0x5D 0x30 0x04 0x66 0x81 0xE5
49 Secret Key Systems - AES MixColumns ( ) : 0x2B 0xD4 0xDE 0xAD lookups 0xB3 0x56 0x2B 0x42 0x4C 0xA7 0xD4 0x2B 0xB4 0x41 0xDE 0xD4 0x7D 0x36 0xAD 0xDE 0x67 0xAD 0x79 0xEC
50 AddRoundKey ( ): s 0,0 s 0,1 s 0,2 s 0,3 Secret Key Systems - AES s 0,0 s 0,1 s 0,2 s 0,3 s 1,0 s 1,1 s 1,2 s 1,3 s 1,1 s 1,2 s 1,3 s 1,0 s 2,0 s 2,1 s 2,2 s 2,3 s 2,2 s 2,3 s 2,0 s 2,1 s 3,0 s 3,1 s 3,2 s 3,3 w 0,0 w 0,1 w 0,2 w 0,3 s 3,3 s 3,0 s 3,1 s 3,2 w 1,0 w 2,0 w 3,0 w 1,1 w 1,2 w 2,1 w 2,2 w 3,1 w 3,2 w 1,3 w 2,3 w 3,3 first round only - generally it's w i,r+c where c is the column and r is the round
51 Key Schedule: example for N k =4 Secret Key Systems - AES w 0,0, w 1,0, w 2,0, w 3,0... w 0,3, w 1,3, w 2,3, w 3,3 w 0,4, w 1,4, w 2,4, w 3,4 1 st round 2 nd round All rounds: 32*N k bits for a round key
52 Key Expansion: example for N k = 4 Secret Key Systems - AES RotWord ( ): changes [ a 0, a 1, a 2, a 3 ] to [ a 3, a 2, a 1, a 0 ] Rcon[i]: the word [ x i-1, 0, 0, 0 ] mod x 4 + 1, where x = 2 SubWord ( ): maps each byte of [ a 0, a 1, a 2, a 3 ] using S-Box values
53 Secret Key Systems - AES Rcon[i]: also precomputed as a lookup table Y a b c d e f b 36 6c d8 ab 4d 9a 1 2f 5e bc 63 c a d4 b3 7d fa ef c e4 d3 bd 61 c2 9f 25 4a cc 83 1d 3a 3 74 e8 cb 8d b 36 6c d8 4 ab 4d 9a 2f 5e bc 63 c a d4 b3 7d fa ef 5 c e4 d3 bd 61 c2 9f 25 4a cc d 3a 74 e8 cb 8d b X c d8 ab 4d 9a 2f 5e bc 63 c a d4 b3 8 7d fa ef c e4 d3 bd 61 c2 9f 25 4a cc 83 1d 3a 74 e8 cb 8d a b 36 6c d8 ab 4d 9a 2f 5e bc 63 c b 6a d4 b3 7d fa ef c e4 d3 bd 61 c2 9f c 25 4a cc 83 1d 3a 74 e8 cb 8d d b 36 6c d8 ab 4d 9a 2f 5e bc 63 e c a d4 b3 7d fa ef c e4 d3 bd f 61 c2 9f 25 4a cc 83 1d 3a 74 e8 cb
54 Key Expansion: example for N k = 4 Secret Key Systems - AES RotWord ( ): changes [ a 0, a 1, a 2, a 3 ] to [ a 3, a 2, a 1, a 0 ] Rcon[i]: the word [ x i-1, 0, 0, 0 ] mod x 4 + 1, where x = 2 SubWord ( ): maps each byte of [ a 0, a 1, a 2, a 3 ] using S-Box values First Round: the original key (16 bytes if N k = 4) Other Rounds: [ w 0,l, w 1,l, w 2,l, w 3,l ] smallest l is N k -1 [ w 3,l, w 2,l, w 1,l, w 0,l ] apply RotWord [ S(w 0,l ), S(w 1,l ), S(w 2,l ), S(w 3,l ) ] apply SubWord [ S(w 0,l ) Rcon[(l+1)/N k ], S(w 1,l ), S(w 2,l ), S(w 3,l ) ] use Rcon [ S(w 0,l ) Rcon[(l+1)/N k ] w 0,l, S(w 1,l ) w 1,l, S(w 2,l ) w 2,l, S(w 3,l ) w 3,l ] [ w 0,l+1, w 1,l+1, w 2,l+1, w 3,l+1 ] next key word
55 Key: 2B 7E AE D2 A6 AB F CF 4F 3C
56 Key: 2B 7E AE D2 A6 AB F CF 4F 3C
57 Secret Key Systems - AES Example: Input: E0 43 5A F A8 8D A2 34 Key: 2B 28 AB 09 7E AE F7 CF 15 D2 15 4F 16 A6 88 3C
58 Secret Key Systems - AES Example: E0 19 A0 9A E9 Input: 43 5A F D F4 C6 F8 E3 E2 8D 48 A8 8D A2 34 BE 2B 2A 08 Key: 2B 28 AB 09 7E AE F7 CF 15 D2 15 4F beginning of first round - input placed into the state and key has been added to state 16 A6 88 3C
59 Secret Key Systems - AES Example: State: 19 A0 9A E9 3D F4 C6 F8 E3 E2 8D 48 S-Box D4 E0 B8 1E 27 BF B D 52 BE 2B 2A 08 AE F1 E5 30 D4 E0 B8 1E ShiftRows 04 E BF B CB F8 06 5D AE F1 E5 MixColumns D3 26 E5 9A 7A 4C
60 Performance Notes: Secret Key Systems - AES 1. Many operations are table look ups so they are fast 2. Parallelism can be exploited 3. Key expansion only needs to be done one time until the key is changed 4. The S-box minimizes the correlation between input and output bits 5. There are no known weak keys Security: 1. resistant to differential attack - how differences in input can affect output bit values 2. resistant to linear cryptanalysis - construct linear equations relating plaintext, ciphertext and key bits whose probabilities are as close as possible to 0 or 1 nearly always. Then use these linear equations in conjunction with known plaintext-ciphertext pairs to derive key bits. A bit flip at some point quickly propagates to the complete internal state Specially crafted, bigger "S-boxes" to support non-linearity
61 Attacks: Secret Key Systems - AES Extended Sparse Linearization - Derive a system of quadratic simultaneous equations and solve, 128 bit key: 8000 quadratic equations, 1600 variables 256 bit key: quadratic equations, 4480 variables given plaintext, to get the key not practical although vs
62 Attacks: Secret Key Systems - AES Extended Sparse Linearization - Derive a system of quadratic simultaneous equations and solve, 128 bit key: 8000 quadratic equations, 1600 variables 256 bit key: quadratic equations, 4480 variables given plaintext, to get the key not practical although vs Related Key - Attacker may be able to observe behavior of cipher in the case of several keys, not initially known, but with some understanding of the mathematical relationship connecting the keys - e.g. the number of 1s equals the number of 0s 2 70 time for an 11 round version of 256-bit AES but attack on full version is not Reported.
63 Attacks: Secret Key Systems - AES Extended Sparse Linearization - Derive a system of quadratic simultaneous equations and solve, 128 bit key: 8000 quadratic equations, 1600 variables 256 bit key: quadratic equations, 4480 variables given plaintext, to get the key not practical although vs Related Key - Attacker may be able to observe behavior of cipher in the case of several keys, not initially known, but with some understanding of the mathematical relationship connecting the keys - e.g. the number of 1s equals the number of 0s 2 70 time for an 11 round version of 256-bit AES but attack on full version is not Reported. Titled Attack - If attacker can stop the execution of encryption, apply a difference to the state, and roll back the encryption vs
64 Attacks: Secret Key Systems - AES Extended Sparse Linearization - Derive a system of quadratic simultaneous equations and solve, 128 bit key: 8000 quadratic equations, 1600 variables 256 bit key: quadratic equations, 4480 variables given plaintext, to get the key not practical although vs Related Key - Attacker may be able to observe behavior of cipher in the case of several keys, not initially known, but with some understanding of the mathematical relationship connecting the keys - e.g. the number of 1s equals the number of 0s 2 70 time for an 11 round version of 256-bit AES but attack on full version is not Reported. Titled Attack - If attacker can stop the execution of encryption, apply a difference to the state, and roll back the encryption vs Side Channel - Vulnerable in some implementations later in the course
65 Number of rounds: Secret Key Systems - AES N k N b
Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES
CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.
More informationIntroduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES
CSC/ECE 574 Computer and Network Security Topic 3.1 Secret Key Cryptography Algorithms CSC/ECE 574 Dr. Peng Ning 1 Outline Introductory Remarks Feistel Cipher DES AES CSC/ECE 574 Dr. Peng Ning 2 Introduction
More informationThe Advanced Encryption Standard
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 48 The Advanced Encryption Standard Successor of DES DES considered insecure; 3DES considered too slow. NIST competition in 1997 15
More informationCHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT
82 CHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT 83 5.1 Introduction In a pioneering paper, Hill [5] developed a block cipher by using the modular arithmetic inverse
More informationOutline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael
Outline CPSC 418/MATH 318 Introduction to Cryptography Advanced Encryption Standard Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in
More informationIntroduction. Outline. CSC/ECE 574 Computer and Network Security. Secret Keys or Secret Algorithms? Secrets? (Cont d) Secret Key Cryptography
Outline CSC/ECE 574 Computer and Network Security Introductory Remarks Feistel Cipher DES AES Topic 3.1 Secret Key Cryptography Algorithms CSC/ECE 574 Dr. Peng Ning 1 CSC/ECE 574 Dr. Peng Ning 2 Secret
More informationThe Rijndael Block Cipher
The Rijndael Block Cipher Vincent Leith MATH 27.2 May 3, 2 A brief look at the mathematics behind the Rijndael Block Chiper. Introduction The Rijndael Block Chiper was brought about by Joan Daemen and
More informationApplications of Finite Sets Jeremy Knight Final Oral Exam Texas A&M University March 29 th 2012
Finite Fields and Cryptography Applications of Finite Sets Jeremy Knight Final Oral Exam Texas A&M University March 29 th 2012 A field is a set that 1. is associative, commutative, and distributive for
More information(Solution to Odd-Numbered Problems) Number of rounds. rounds
CHAPTER 7 AES (Solution to Odd-Numbered Problems) Review Questions. The criteria defined by NIST for selecting AES fall into three areas: security, cost, and implementation. 3. The number of round keys
More informationModule 2 Advanced Symmetric Ciphers
Module 2 Advanced Symmetric Ciphers Dr. Natarajan Meghanathan Professor of Computer Science Jackson State University E-mail: natarajan.meghanathan@jsums.edu Data Encryption Standard (DES) The DES algorithm
More informationMASKED INVERSION IN GF(2 N ) USING MIXED FIELD REPRESENTATIONS AND ITS EFFICIENT IMPLEMENTATION FOR AES
Chapter X MASKED INVERSION IN GF( N ) USING MIXED FIELD REPRESENTATIONS AND ITS EFFICIENT IMPLEMENTATION FOR AES SHAY GUERON 1,, ORI PARZANCHEVSKY 1 and OR ZUK 1,3 1 Discretix Technologies, Netanya, ISRAEL
More informationDifferential Fault Analysis on A.E.S.
Differential Fault Analysis on A.E.S. P. Dusart, G. Letourneux, O. Vivolo 01/10/2002 Abstract We explain how a differential fault analysis (DFA) works on AES 128, 192 or 256 bits. Contents 1 Introduction
More informationAURORA: A Cryptographic Hash Algorithm Family
AURORA: A Cryptographic Hash Algorithm Family Submitters: Sony Corporation 1 and Nagoya University 2 Algorithm Designers: Tetsu Iwata 2, Kyoji Shibutani 1, Taizo Shirai 1, Shiho Moriai 1, Toru Akishita
More informationInvariant Subspace Attack Against Full Midori64
Invariant Subspace Attack Against Full Midori64 Jian Guo 1, Jérémy Jean 1, Ivica Nikolić 1, Kexin Qiao 1,2, Yu Sasaki 1,3, and Siang Meng Sim 1 1 Nanyang Technological University, Singapore 2 Institute
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More informationLow Complexity Differential Cryptanalysis and Fault Analysis of AES
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low
More informationAccelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography. Stefan Tillich, Johann Großschädl
Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography International Workshop on Information Security & Hiding (ISH '05) Institute for Applied Information Processing and Communications
More informationBlock ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit
Block ciphers Block ciphers Myrto Arapinis School o Inormatics University o Edinburgh January 22, 2015 A block cipher with parameters k and l is a pair o deterministic algorithms (E, D) such that Encryption
More informationDesign of Low Power Optimized MixColumn/Inverse MixColumn Architecture for AES
Design of Low Power Optimized MixColumn/Inverse MixColumn Architecture for AES Rajasekar P Assistant Professor, Department of Electronics and Communication Engineering, Kathir College of Engineering, Neelambur,
More informationA Very Efficient Pseudo-Random Number Generator Based On Chaotic Maps and S-Box Tables M. Hamdi, R. Rhouma, S. Belghith
A Very Efficient Pseudo-Random Number Generator Based On Chaotic Maps and S-Box Tables M. Hamdi, R. Rhouma, S. Belghith Abstract Generating random numbers are mainly used to create secret keys or random
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationThe XL and XSL attacks on Baby Rijndael. Elizabeth Kleiman. A thesis submitted to the graduate faculty
The XL and XSL attacks on Baby Rijndael by Elizabeth Kleiman A thesis submitted to the graduate faculty in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE Major: Mathematics
More informationTable Of Contents. ! 1. Introduction to AES
1 Table Of Contents! 1. Introduction to AES! 2. Design Principles behind AES Linear Cryptanalysis Differential Cryptanalysis Square Attack Biclique Attack! 3. Quantum Cryptanalysis of AES Applying Grover
More informationTHE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018
THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 CPSC 418/MATH 318 L01 October 17, 2018 Time: 50 minutes
More informationImproved S-Box Construction from Binomial Power Functions
Malaysian Journal of Mathematical Sciences 9(S) June: 21-35 (2015) Special Issue: The 4 th International Cryptology and Information Security Conference 2014 (Cryptology 2014) MALAYSIAN JOURNAL OF MATHEMATICAL
More informationON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD
ON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD Paul D. Yacoumis Supervisor: Dr. Robert Clarke November 2005 Thesis submitted for the degree of Honours in Pure Mathematics Contents 1 Introduction
More informationStructural Evaluation by Generalized Integral Property
Structural Evaluation by Generalized Integral Property Yosue Todo NTT Secure Platform Laboratories, Toyo, Japan todo.yosue@lab.ntt.co.jp Abstract. In this paper, we show structural cryptanalyses against
More informationUnit 3. Digital encoding
Unit 3. Digital encoding Digital Electronic Circuits (Circuitos Electrónicos Digitales) E.T.S.I. Informática Universidad de Sevilla 9/2012 Jorge Juan 2010, 2011, 2012 You are free to
More informationLOOKING INSIDE AES AND BES
23 LOOKING INSIDE AES AND BES Ilia Toli, Alberto Zanoni Università degli Studi di Pisa Dipartimento di Matematica Leonida Tonelli Via F. Buonarroti 2, 56127 Pisa, Italy {toli, zanoni}@posso.dm.unipi.it
More information1. Basics of Information
1. Basics of Information 6.004x Computation Structures Part 1 Digital Circuits Copyright 2015 MIT EECS 6.004 Computation Structures L1: Basics of Information, Slide #1 What is Information? Information,
More informationarxiv: v1 [cs.cr] 13 Sep 2016
Hacking of the AES with Boolean Functions Michel Dubois Operational Cryptology and Virology Laboratory Éric Filiol Operational Cryptology and Virology Laboratory September 14, 2016 arxiv:1609.03734v1 [cs.cr]
More informationProvably Secure Higher-Order Masking of AES
Provably Secure Higher-Order Masking of AES Matthieu Rivain 1 and Emmanuel Prouff 2 1 CryptoExperts matthieu.rivain@cryptoexperts.com 2 Oberthur Technologies e.prouff@oberthur.com Abstract. Implementations
More informationBlock Cipher Cryptanalysis: An Overview
0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationThe Hash Function Fugue
The Hash Function Fugue Shai Halevi William E. Hall Charanjit S. Jutla IBM T.J. Watson Research Center October 6, 2009 Abstract We describe Fugue, a hash function supporting inputs of length upto 2 64
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More informationApplying Grover s algorithm to AES: quantum resource estimates
Applying Grover s algorithm to AES: quantum resource estimates Markus Grassl 1, Brandon Langenberg 2, Martin Roetteler 3 and Rainer Steinwandt 2 1 Universität Erlangen-Nürnberg & Max Planck Institute for
More informationA SIMPLIFIED RIJNDAEL ALGORITHM AND ITS LINEAR AND DIFFERENTIAL CRYPTANALYSES
A SIMPLIFIED RIJNDAEL ALGORITHM AND ITS LINEAR AND DIFFERENTIAL CRYPTANALYSES MOHAMMAD MUSA, EDWARD F SCHAEFER, AND STEPHEN WEDIG Abstract In this paper, we describe a simplified version of the Rijndael
More informationSymmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)
Symmetric Ciphers Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5) Symmetric Cryptography C = E(P,K) P = D(C,K) Requirements Given C, the only way to obtain P should be with the knowledge of K Any
More informationMethods and Tools for Analysis of Symmetric Cryptographic Primitives
Methods and Tools for Analysis of Symmetric Cryptographic Primitives Oleksandr Kazymyrov University of Bergen Norway 14th of October, 2014 Oleksandr Kazymyrov Methods and Tools for Analysis of Symmetric
More informationLecture Notes. Advanced Discrete Structures COT S
Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-27 Recap ADFGX Cipher Block Cipher Modes of Operation Hill Cipher Inverting a Matrix (mod n) Encryption: Hill Cipher Example Multiple
More informationA B CDE F B FD D A C AF DC A F
International Journal of Arts & Sciences, CD-ROM. ISSN: 1944-6934 :: 4(20):121 131 (2011) Copyright c 2011 by InternationalJournal.org A B CDE F B FD D A C A BC D EF C CE C A D ABC DEF B B C A E E C A
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under
More informationUNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY
UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY Rainer Steinwandt 1,2 Florida Atlantic University, USA (joint work w/ B. Amento, M. Grassl, B. Langenberg 2, M. Roetteler) 1 supported
More informationTopics. Probability Theory. Perfect Secrecy. Information Theory
Topics Probability Theory Perfect Secrecy Information Theory Some Terms (P,C,K,E,D) Computational Security Computational effort required to break cryptosystem Provable Security Relative to another, difficult
More informationSecret Key: stream ciphers & block ciphers
Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad define a secret key ( seed ) Using the seed generates a byte stream (Keystream): i-th byte is function only
More informationNew Block Cipher: ARIA
This is the accepted version of LNCS 97 pp.43-445 (004, presented at ICISC 003. https://doi.org/0.007/978-3-540-469-6_3 New Block Cipher: ARIA Daesung Kwon, Jaesung Kim, Sangwoo Park, Soo Hak Sung 3, Yaekwon
More informationNACC Uniform Data Set (UDS) FTLD Module
NACC Uniform Data Set (UDS) FTLD Module Data Template For FOLLOW-UP Visit Packet Version 2.0, January 2012 Copyright 2013 University of Washington Created and published by the FTLD work group of the ADC
More informationSymmetric Cryptography
Symmetric Cryptography Stanislav Palúch Fakula riadenia a informatiky, Žilinská univerzita 25. októbra 2017 Stanislav Palúch, Fakula riadenia a informatiky, Žilinská univerzita Symmetric Cryptography 1/54
More information7.5 Proportionality Relationships
www.ck12.org Chapter 7. Similarity 7.5 Proportionality Relationships Learning Objectives Identify proportional segments when two sides of a triangle are cut by a segment parallel to the third side. Extend
More information4.3 Analog Value Representation
4.3 Analog Value Representation Introduction This section describes the analog values for all the measuring ranges and output ranges which you can use with the analog modules. Converting analog values
More information7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks
More informationSpecification on a Block Cipher : Hierocrypt L1
Specification on a Block Cipher : Hierocrypt L1 Toshiba Corporation September 2001 Contents 1 Design principle 3 1.1 Data randomizing part........................ 3 1.1.1 Nested SPN structure....................
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers
More informationNACC Uniform Data Set (UDS) FTLD Module
NACC Uniform Data Set (UDS) FTLD Module Data Template For Initial Visit Packet Version 2.0, January 2012 Copyright 2013 University of Washington Created and published by the FTLD work group of the ADC
More informationIntroduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard
Introduction to Modern Cryptography Lecture 3 (1) Finite Groups, Rings and Fields (2) AES - Advanced Encryption Standard +,0, and -a are only notations! Review - Groups Def (group): A set G with a binary
More informationCryptanalysis of Luffa v2 Components
Cryptanalysis of Luffa v2 Components Dmitry Khovratovich 1, María Naya-Plasencia 2, Andrea Röck 3, and Martin Schläffer 4 1 University of Luxembourg, Luxembourg 2 FHNW, Windisch, Switzerland 3 Aalto University
More informationORYX. ORYX not an acronym, but upper case Designed for use with cell phones. Standard developed by. Cipher design process not open
ORYX ORYX 1 ORYX ORYX not an acronym, but upper case Designed for use with cell phones o To protect confidentiality of voice/data o For data channel, not control channel o Control channel encrypted with
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationParts Manual. EPIC II Critical Care Bed REF 2031
EPIC II Critical Care Bed REF 2031 Parts Manual For parts or technical assistance call: USA: 1-800-327-0770 2013/05 B.0 2031-109-006 REV B www.stryker.com Table of Contents English Product Labels... 4
More informationMILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers
MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers Ling Sun 1, Wei Wang 1, Meiqin Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security,
More informationCryptographic Hashes. Yan Huang. Credits: David Evans, CS588
Cryptographic Hashes Yan Huang Credits: David Evans, CS588 Recap: CPA 1. k KeyGen(1 n ). b {0,1}. Give Enc(k, ) to A. 2. A chooses as many plaintexts as he wants, and receives the corresponding ciphertexts
More informationA Polynomial Description of the Rijndael Advanced Encryption Standard
A Polynomial Description of the Rijndael Advanced Encryption Standard arxiv:cs/0205002v1 [cs.cr] 2 May 2002 Joachim Rosenthal Department of Mathematics University of Notre Dame Notre Dame, Indiana 46556,
More informationSecurity of the AES with a Secret S-box
Security of the AES with a Secret S-box Tyge Tiessen, Lars R Knudsen, Stefan Kölbl, and Martin M Lauridsen {tyti,lrkn,stek,mmeh}@dtudk DTU Compute, Technical University of Denmark, Denmark Abstract How
More informationDivision Property: a New Attack Against Block Ciphers
Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption
More informationAn Analytical Approach to S-Box Generation
An Analytical Approach to Generation K. J. Jegadish Kumar 1, K. Hariprakash 2, A.Karunakaran 3 1 (Department of ECE, SSNCE, India) 2 (Department of ECE, SSNCE, India) 3 (Department of ECE, SSNCE, India)
More information2. Accelerated Computations
2. Accelerated Computations 2.1. Bent Function Enumeration by a Circular Pipeline Implemented on an FPGA Stuart W. Schneider Jon T. Butler 2.1.1. Background A naive approach to encoding a plaintext message
More informationNew Coding System of Grid Squares in the Republic of Indonesia
September14, 2006 New Coding System of Grid Squares in the Republic of Indonesia Current coding system of grid squares in the Republic of Indonesia is based on similar
More informationMatrix Algebra. Matrix Algebra. Chapter 8 - S&B
Chapter 8 - S&B Algebraic operations Matrix: The size of a matrix is indicated by the number of its rows and the number of its columns. A matrix with k rows and n columns is called a k n matrix. The number
More informationCSc 466/566. Computer Security. 5 : Cryptography Basics
1/84 CSc 466/566 Computer Security 5 : Cryptography Basics Version: 2012/03/03 10:44:26 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian Collberg Christian
More informationHigh Performance Computing techniques for attacking reduced version of AES using XL and XSL methods
Graduate Theses and Dissertations Iowa State University Capstones, Theses and Dissertations 2010 High Performance Computing techniques for attacking reduced version of AES using XL and XSL methods Elizabeth
More informationMATH3302 Cryptography Problem Set 2
MATH3302 Cryptography Problem Set 2 These questions are based on the material in Section 4: Shannon s Theory, Section 5: Modern Cryptography, Section 6: The Data Encryption Standard, Section 7: International
More informationAll-Or-Nothing Transforms Using Quasigroups
All-Or-Nothing Transforms Using Quasigroups Stelios I Marnas, Lefteris Angelis, and George L Bleris Department of Informatics, Aristotle University 54124 Thessaloniki, Greece Email: {marnas,lef,bleris}@csdauthgr
More informationCryptography Lecture 4 Block ciphers, DES, breaking DES
Cryptography Lecture 4 Block ciphers, DES, breaking DES Breaking a cipher Eavesdropper recieves n cryptograms created from n plaintexts in sequence, using the same key Redundancy exists in the messages
More informationBlock Ciphers and Feistel cipher
introduction Lecture (07) Block Ciphers and cipher Dr. Ahmed M. ElShafee Modern block ciphers are widely used to provide encryption of quantities of information, and/or a cryptographic checksum to ensure
More informationSelma City Schools Curriculum Pacing Guide Grades Subject: Algebra II Effective Year:
Selma City Schools Curriculum Pacing Guide Grades 9-12 Subject: Algebra II Effective Year: 2013-14 Nine 1 Nine 2 Nine 3 Nine 4 X X Time CC COS QC Literacy DOK Lesson References/Activities Date Taught Test
More informationLecture Notes. Advanced Discrete Structures COT S
Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-22 Recap Two methods for attacking the Vigenère cipher Frequency analysis Dot Product Playfair Cipher Classical Cryptosystems - Section
More informationMetroCount Traffic Executive Individual Vehicles
Individual-34 Page 1 MetroCount Traffic Executive Individual Vehicles Individual-34 -- English (ENA) Datasets: Site: [00001] Old Coast Rd 4km N of Od Bunbury Rd Direction: 5 - South bound A>B, North bound
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More informationDeveloping a Distributed Java-based Speech Recognition Engine
The ITB Journal Volume 5 Issue 1 Article 2 2004 Developing a Distributed Java-based Speech Recognition Engine Tony Ayers Institute of Technology Blanchardstown, tony.ayers@itb.ie Brian Nolan Institute
More informationStructural Cryptanalysis of SASAS
tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which
More informationBlock Ciphers. Chester Rebeiro IIT Madras. STINSON : chapters 3
Block Ciphers Chester Rebeiro IIT Madras STINSON : chapters 3 Block Cipher K E K D Alice untrusted communication link E #%AR3Xf34^$ message encryption (ciphertext) Attack at Dawn!! D decryption Bob Attack
More informationVirtual isomorphisms of ciphers: is AES secure against differential / linear attack?
Alexander Rostovtsev alexander. rostovtsev@ibks.ftk.spbstu.ru St. Petersburg State Polytechnic University Virtual isomorphisms of ciphers: is AES secure against differential / linear attack? In [eprint.iacr.org/2009/117]
More informationInside Keccak. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1. Keccak & SHA-3 Day Université Libre de Bruxelles March 27, 2013
Inside Keccak Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Keccak & SHA-3 Day Université Libre de Bruxelles March 27, 2013 1 / 49 Outline
More informationAES [and other Block Ciphers] Implementation Tricks
AES [and other Bloc Ciphers] Implementation Trics Cryptographic algorithms Basic primitives Survey by Stephen et al, LNCS 1482, Sep. 98 General Structure of a Bloc Cipher Useful Properties for Implementing
More informationLecture 4: DES and block ciphers
Lecture 4: DES and block ciphers Johan Håstad, transcribed by Ernir Erlingsson 2006-01-25 1 DES DES is a 64 bit block cipher with a 56 bit key. It selects a 64 bit block and modifies it depending on the
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang
More informationDifferential Fault Analysis on the families of SIMON and SPECK ciphers
Differential Fault Analysis on the families of SIMON and SPECK ciphers Harshal Tupsamudre, Shikha Bisht, Debdeep Mukhopadhyay Indian Institute of Technology, Kharagpur Abstract. In 2013, the US National
More informationProfiling the International New Venture -A literature review of the empirical evidence
The ITB Journal Volume 5 Issue 1 Article 11 2004 Profiling the International New Venture -A literature review of the empirical evidence Natasha Evers School ofbusiness & Humanities Institute of Technology,
More informationSubspace Trail Cryptanalysis and its Applications to AES
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi 1, Christian Rechberger 1,3 and Sondre Rønjom 2,4 1 IAIK, Graz University of Technology, Austria 2 Nasjonal sikkerhetsmyndighet,
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li, Bing Sun, Chao Li, Longjiang Qu National University of Defense Technology, Changsha, China ACISP 2010, Sydney, Australia 5
More informationPart (02) Modem Encryption techniques
Part (02) Modem Encryption techniques Dr. Ahmed M. ElShafee 1 Block Ciphers and Feistel cipher Dr. Ahmed M. ElShafee 2 introduction Modern block ciphers are widely used to provide encryption of quantities
More informationNotes on Alekhnovich s cryptosystems
Notes on Alekhnovich s cryptosystems Gilles Zémor November 2016 Decisional Decoding Hypothesis with parameter t. Let 0 < R 1 < R 2 < 1. There is no polynomial-time decoding algorithm A such that: Given
More informationLattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationArchitecture and development methodology for Location Based Services
The ITB Journal Volume 5 Issue 1 Article 13 2004 Architecture and development methodology for Location Based Services Aaron Hand School of Science, Institute of Technology at Tallaght, Dublin 24., aaron.hand@itnet.ie
More information18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh
18733: Applied Cryptography Anupam Datta (CMU) Block ciphers Online Cryptography Course What is a block cipher? Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More information