Construction of Lightweight S-Boxes using Feistel and MISTY structures
|
|
- Gervase Walton
- 5 years ago
- Views:
Transcription
1 Construction of Lightweight S-Boxes using Feistel and MISTY structures Anne Canteaut Sébastien Duval Gaëtan Leurent Inria, France SAC 2015 A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
2 Block cipher design Shannon s criteria (1949) Diffusion Every bit of plaintext and key should affect every bit of output Usually linear mixing layers Confusion Relation between plaintext and ciphertext must be intractable Confusion requires non-linear operations Often implemented with tables: S-Box S S S S L S S S S L S S S S SPN cipher k k k S-Boxes are critical components of modern ciphers. A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
3 Lightweight cryptography 8-bit S-Boxes are expensive Maybe too large for RFID... Smaller S-Boxes require less resources table-based software: smaller table hardware: lower gate count bit-sliced implementation: lower instruction count vectorized implementation: 4-bit S-Box using vector permutation FPGA: small S-Boxes with LUT But require more rounds Differential probability: 2 6 for an 8-bit S-Box, 2 2 for a 4-bit S-Box And a more complex linear layer Can we find some trade-off? A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
4 Constructing S-Boxes from smaller ones L Feistel Misty SPN Lai-Massey Crypton v0.5 Fantomas Crypton v1.0 Whirlpool Zorro Iceberg Robin Khazad A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
5 Objective of this talk Study the construction of S-Boxes with Feistel and Misty structures In particular, construction of 8-bit S-Boxes from 4-bit ones Tradeoff between implementation cost and security parameters Focus on differential uniformity Linearity results in the paper Our results 1 Determine best properties achievable with these structures Application to 8-bit S-Boxes 2 Construct concrete lightweight S-Boxes A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
6 S-Box security parameters Definition (Differential uniformity [Nyberg93]) Let F be a function from F n 2 into Fn 2. The differential table of F is: δ F (a b) = #{x F n 2 F(x a) = F(x) b}. Moreover, the differential uniformity of F is δ(f) = max a 0,b δ F(a, b). δ F (a b) is always even δ(f) = 2 for APN functions (almost perfect nonlinear) e.g. x x 3 is APN A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
7 Feistel and Misty constructions x L k 1 k 2 S 1 S 2 x R Introduced by Feistel in 1973 for Lucifer, DES Builds a 2n-bit permutation out of n-bit functions In this talk: balanced Notations: k 3 S 3 Small functions S1, S 2, S 3 Full construction F Fixed key, k = 0 z L z R 3-round Feistel network A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
8 Feistel and Misty constructions x L x R S 1 S 2 k 1 k 2 Introduced by Matsui in 1996 for MISTY1 Builds a 2n-bit function out of n-bit functions In this talk: balanced Notations: S 3 k 3 Small functions S 1, S 2, S 3 Full construction F Fixed key, k = 0 z L z R 3-round MISTY network A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
9 Feistel and Misty constructions Come from block cipher design: keyed permutation Widely studied, lots of security results known 1 MEDP(F K ) = max δ FK (a,b) a 0,b 2 k K F k 2 2 n 1 MELP(F K ) = max a,b 0 λ F K (a,b) 2 k K F k n MEDP(S i ) p MEDP(F) p 2 [NK95, M96] MELP(S i ) q MELP(F) q 2 [N94, AO97] But not applicable in the fixed key setting! A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
10 MEDP and EMDP Example 3-round Misty structure S i = [A, 7, 9, 6, 0, 1, 5, B, 3, E, 8, 2, C, D, 4, F]. δ(s i ) = 4, MEDP(S i ) = 2 2 MEDP(F) 2 4 For every key, there is a differential with probability 2 3 MEDP bound means: 1 Choose input/output differences 2 For a random key, the differential probability is low No bound when the difference is chosen after the key! A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
11 Feistel: Previous results Theorem ([Li & Wang, CHES 14]) δ(f) 2δ(S 2 ) δ(f) 2 n+1 if S 2 is not a permutation In particular, for n = 4 δ(f) 8, tight A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
12 Theorem Feistel: New results δ(f) δ(s 2 ) max (δ min (S 1 ), δ min (S 3 )) δ(f) 2 n+1 if S 2 is not a permutation δ(f) max i 2,j i,2 δ(s i )δ min (S j ), δ(s i )δ min (S 1 2 ) if S 2 is a permutation In particular, for n = 4 δ(f) 8, tight δ min (S) = min a 0 max b δ S (a, b) Bounds involving all three S-boxes A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
13 Theorem MISTY: New results δ(f) δ(s 1 ) max (δ min (S 2 ), δ min (S 3 )) δ(f) 2 n+1 if S 1 is not a permutation δ(f) max i 1,j 1,i δ(s i )δ min (S j ), δ(s i )δ min (S 1 1 ) if S 1 is a permutation In particular, for n = 4 δ(f) 8, tight δ min (S) = min a 0 max b δ S (a, b) No previous results on fixed-key Misty structure A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
14 δx L = 0 δx R = a S 1 δy R = c Proof Proposition δ F (0 a, b c) = δ S1 (a, c) δ S3 (c, b c) Proof δx L = c δx L = c δx R = 0 S 2 δy R = 0 δx R = c S 3 δy R = b c F(x L x R ) F(x L (x R a)) = b c S 3(S 1 (x R ) x L ) S 3 (S 1 (x R a) x L ) = b c, S 2 (x L ) S 1 (x R ) x L S 2 (x L ) S 1 (x R a) x L = c S 3(S 1 (x R ) x L ) S 3 (S 1 (x R a) x L ) = b c, S 1 (x R ) S 1 (x R a) = c x R D S1 (a c) x L S 1 (x R ) D S3 (c b c) δz L = b δz R = c A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
15 δx L = 0 δx R = a S 1 δy R = c Proof Proposition δ F (0 a, b c) = δ S1 (a, c) δ S3 (c, b c) Application: if S 1 is not invertible δx L = c δx R = 0 S 2 δy R = 0 Set b = c = 0, δ S3 (0, 0) = 2 n Select a, so that δ S1 (a, 0) 2 δ(f) δ F (0 a, 0 0) 2 n+1 δx L = c δx R = c S 3 δy R = b c δz L = b δz R = c A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
16 δx L = 0 δx R = a S 1 δy R = c Proof Proposition δ F (0 a, b c) = δ S1 (a, c) δ S3 (c, b c) Application: if S 1 is invertible δx L = c δx R = 0 S 2 δy R = 0 Select a, c so that δ S1 (a, c) = δ(s 1 ) Select b with δ S3 (c, b c) δ min (S 3 ) δ(f) δ F (0 a, b c) δ(s 1 ) δ min (S 3 ) δx L = c δz L = b δx R = c S 3 δy R = b c δz R = c Select b, c so that δ S3 (c, b c) = δ(s 3 ) Select a with δ S1 (a, c) δ min (S 1 1 ) δ(f) δ F (0 a, b c) δ(s 3 ) δ min (S 1 1 ) A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
17 Proof δx L = 0 δx R = a δx L = a δx R = 0 δx L = b δx R = a S 1 S 1 S 1 δy R = c δy R = 0 δy R = b δx L = c δx R = 0 δx L = a δx R = a δx L = 0 δx R = b S 2 S 2 S 2 δy R = 0 δy R = a c δy R = c δx L = c δx R = c δx L = c δx R = a δx L = c δx R = 0 S 3 S 3 S 3 δy R = b c δy R = b c δy R = 0 δz L = b δz R = c δz L = b δz R = c δz L = c δz R = c A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
18 Application to n = 4 Properties of 4-bit S-Boxes Full classification of 4-bit permutations 302 affine eq. classes [de Cannière; Leander & Poschmann 07] Full classification of 4-bit APN functions 2 extended affine eq. classes [Brinkmann & Leander 08] There exist 4-bit APN functions δ(si ) = 2, δ min (S i ) = 2 There are no 4-bit APN permutations If S i is a permutation, δ(s i ) 4, δ min (S i ) 2 A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
19 8-bit MISTY S-Box Theorem δ(f) δ(s 1 ) max (δ min (S 2 ), δ min (S 3 )) δ(f) 2 n+1 if S 1 is not a permutation δ(f) max i 1,j 1,i δ(s i )δ min (S j ), δ(s i )δ min (S 1 1 ) if S 1 is a permutation If S 1 is a permutation, δ(s 1 ) 4, then δ(f) 8 If S 1 is not a permutation, then δ(f) 32 Can we reach δ(f) = 8? A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
20 8-bit MISTY S-Box with δ(f) = 8 Necessary conditions for δ(f) = 8 S 1 a permutation, with δ(s 1 ) = 4 S 2, S 3 APN Proof. Let s assume δ(s 3 ) 4 There exist a, b with δ S3 (a, b) 4 There are two pairs (x, x a), (y, y a) in DS3 (a b) Also two pairs (x, y), (x a, y a) in D S3 (a d ) with a = x y, d = S 3 (x) S 3 (y) Also two pairs (x, y a), (x a, y) in D S3 (a a b b ) There exist three columns a, a, a a, with values 4 A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
21 8-bit MISTY S-Box with δ(f) = 8 Necessary conditions for δ(f) = 8 S 1 a permutation, with δ(s 1 ) = 4 S 2, S 3 APN Proof. Let s assume δ(s 3 ) 4 There exist three columns a, a, a a, with values 4 We have δ F (0 a, b c) = δ S1 (a, c) δ S3 (c, b c) Lines of δ S1 and columns of δ S3 We need S 1 with three lines a, a, a a with value 2 Property invariant by affine equivalence Test equivalence class: no solution A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
22 Theorem 8-bit Feistel S-Box δ(f) δ(s 2 ) max (δ min (S 1 ), δ min (S 3 )) δ(f) 2 n+1 if S 2 is not a permutation δ(f) max i 2,j i,2 δ(s i )δ min (S j ), δ(s i )δ min (S 1 2 ) if S 2 is a permutation If S 2 is a permutation, δ(s 2 ) 4, then δ(f) 8 If S 2 is not a permutation, then δ(f) 32 Necessary conditions for δ(f) = 8 S 2 a permutation, with δ(s 2 ) = 4 S 1, S 3 APN A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
23 8-bit Feistel & MISTY S-Box Feistel δ(f) 8, tight Requires S 1, S 3 APN, S 2 permutation with δ(s 2 ) = 4 L(F) 48 L(F) 64 if δ(f) < 32 MISTY δ(f) 8, tight Requires S 2, S 3 APN, S 1 permutation with δ(s 1 ) = 4 F is not a permutation! L(F) 48 L(F) 64 if δ(f) < 32 Permutation: δ(f) = 16, tight A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
24 Building a good S-Box for lightweight designs According to previous results, Feistel structure is better We need S 1, S 3 APN, S 2 permutation with δ(s 2 ) = 4 Can we choose them with a small implementation? Small hardware, bitslice software Exhaustive search over small implementations until good property are reached [Üllrich & al. 11] Search sequences of instructions for bit-sliced implementation Use equivalences class to cut branches Minimize non-linear operations A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
25 Concrete example Permutation with δ = 4 Easy search Re-use results from Üllrich et al. 9-instruction solutions 4 non-linear 4 XOR 1 copy 4 NL gates is optimal APN function Expensive search No permutation filtering 6k core-hours 10-instruction solutions But 6 non-linear 11-instruction solutions 4 non-linear 5 XOR 2 copy 4 NL gates is optimal A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
26 Concrete example x 0 x 1 x 2 x 3 x 0 x 1 x 2 x 3 y 0 y 1 y 2 y 3 y 0 y 1 y 2 y 3 Permutation with δ = 4 APN function A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
27 Results Implem. Properties S-Box Construction, L δ cost AES Inversion Whirlpool Lai-Massey CRYPTON 3-r. Feistel Robin 3-r. Feistel Fantomas 3-r. MISTY (3/5 bits) LS (unnamed) Whirlpool-like New 3-r. Feistel A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
28 Conclusion 1 Bounds on the security of fixed-key Feistel & MISTY networks 2 Application to 8-bit S-Boxes Necessary conditions Refined bounds for permutations Feistel structure is better for 8-bit invertible S-Box 3 Construction of a concrete lightweight S-Box 8-bit S-Box with 3-round Feistel Improvement over previously used S-Boxes A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
29 Thanks Q uestions? A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes using Feistel and MISTY SAC / 23
Construction of Lightweight S-Boxes using Feistel and MISTY structures (Full Version )
Construction of Lightweight S-Boxes using Feistel and MISTY structures (Full Version ) Anne Canteaut, Sébastien Duval, and Gaëtan Leurent Inria, project-team SECRET, France {Anne.Canteaut, Sebastien.Duval,
More informationLS-Designs. Bitslice Encryption for Efficient Masked Software Implementations
Bitslice Encryption for Efficient Masked Software Implementations Vincent Grosso 1 Gaëtan Leurent 1,2 François Xavier Standert 1 Kerem Varici 1 1 UCL, Belgium 2 Inria, France FSE 2014 G Leurent (UCL,Inria)
More informationBlock Ciphers and Side Channel Protection
Block Ciphers and Side Channel Protection Gregor Leander ECRYPT-CSA@CHANIA-2017 Main Idea Side-Channel Resistance Without protection having a strong cipher is useless Therefore: Masking necessary Usual
More informationSimilarities between encryption and decryption: how far can we go?
Similarities between encryption and decryption: how far can we go? Anne Canteaut Inria, France and DTU, Denmark Anne.Canteaut@inria.fr http://www-rocq.inria.fr/secret/anne.canteaut/ SAC 2013 based on a
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationImproved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning
Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gaëtan Leurent Inria, France Abstract. In this work we study the security of Chaskey, a recent lightweight MAC designed by
More informationProvable Security Against Differential and Linear Cryptanalysis
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University Introduction CRADIC Linear Hull SPN and Two Strategies Highly
More informationTowards Provable Security of Substitution-Permutation Encryption Networks
Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,
More information7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks
More informationDifferential Attacks Against SPN: A Thorough Analysis
Differential Attacks Against SPN: A Thorough Analysis Anne Canteaut, Joëlle Roué To cite this version: Anne Canteaut, Joëlle Roué. Differential Attacks Against SPN: A Thorough Analysis. Codes, Cryptology,
More informationA New Classification of 4-bit Optimal S-boxes and its Application to PRESENT, RECTANGLE and SPONGENT
A New Classification of 4-bit Optimal S-boxes and its Application to PRESENT, RECTANGLE and SPONGENT Wentao Zhang 1, Zhenzhen Bao 1, Vincent Rijmen 2, Meicheng Liu 1 1.State Key Laboratory of Information
More informationLinear Cryptanalysis
Linear Cryptanalysis Linear cryptanalysis is a powerful method of cryptanalysis introduced by Matsui in 1993 [11]. It is a known plaintext attack in which the attacker studies the linear approximations
More informationDirect Construction of Lightweight Rotational-XOR MDS Diffusion Layers
Direct Construction of Lightweight Rotational-XOR MDS Diffusion Layers Zhiyuan Guo 1,2, Renzhang Liu 3, Wenling Wu 1,2, and Dongdai Lin 3 1 Institute of Software, Chinese Academy of Sciences, Beijing,
More informationDivision Property: a New Attack Against Block Ciphers
Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationCryptography Lecture 4 Block ciphers, DES, breaking DES
Cryptography Lecture 4 Block ciphers, DES, breaking DES Breaking a cipher Eavesdropper recieves n cryptograms created from n plaintexts in sequence, using the same key Redundancy exists in the messages
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationMATH3302 Cryptography Problem Set 2
MATH3302 Cryptography Problem Set 2 These questions are based on the material in Section 4: Shannon s Theory, Section 5: Modern Cryptography, Section 6: The Data Encryption Standard, Section 7: International
More informationBlock Ciphers and Feistel cipher
introduction Lecture (07) Block Ciphers and cipher Dr. Ahmed M. ElShafee Modern block ciphers are widely used to provide encryption of quantities of information, and/or a cryptographic checksum to ensure
More informationDD2448 Foundations of Cryptography Lecture 3
DD2448 Foundations of Cryptography Lecture 3 Douglas Wikström KTH Royal Institute of Technology dog@kth.se February 3, 2016 Linear Cryptanalysis of the SPN Basic Idea Linearize Find an expression of the
More informationCryptanalysis of SP Networks with Partial Non-Linear Layers
Cryptanalysis of SP Networks with Partial Non-Linear Layers Achiya Bar-On 1, Itai Dinur 2, Orr Dunkelman 3, Nathan Keller 1, Virginie Lallemand 4, and Boaz Tsaban 1 1 Bar-Ilan University, Israel 2 École
More informationImproved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON
Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON Danping Shi 1,2, Lei Hu 1,2, Siwei Sun 1,2, Ling Song 1,2, Kexin Qiao 1,2, Xiaoshuang Ma 1,2 1 State Key Laboratory of Information
More informationBlock Cipher Cryptanalysis: An Overview
0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution
More informationInvariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs
Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs Jian Guo 1, Jeremy Jean 2, Ivica Nikolić 1, Kexin Qiao 3, Yu Sasaki 4, and Siang Meng Sim 1 1. Nanyang Technological
More informationCBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions
CBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions Author: Markku-Juhani O. Saarinen Presented by: Jean-Philippe Aumasson CT-RSA '14, San Francisco, USA 26 February 2014 1 / 19 Sponge
More informationProvable Security Against Differential and Linear Cryptanalysis
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Aalto University School of Science and Nokia, Finland kaisa.nyberg@aalto.fi Abstract. In this invited talk, a brief survey on
More information3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis
3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis TANAKA Hidema, TONOMURA Yuji, and KANEKO Toshinobu A multi rounds elimination method for higher order differential cryptanalysis
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationHardware Design and Analysis of Block Cipher Components
Hardware Design and Analysis of Block Cipher Components Lu Xiao and Howard M. Heys Electrical and Computer Engineering Faculty of Engineering and Applied Science Memorial University of Newfoundland St.
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationBlock Ciphers and Systems of Quadratic Equations
Block Ciphers and Systems of Quadratic Equations Alex Biryukov and Christophe De Cannière Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee, Belgium
More informationFFT-Based Key Recovery for the Integral Attack
FFT-Based Key Recovery for the Integral Attack Yosuke Todo NTT Secure Platform Laboratories Abstract. The integral attack is one of the most powerful attack against block ciphers. In this paper, we propose
More informationPerfect Diffusion Primitives for Block Ciphers
Perfect Diffusion Primitives for Block Ciphers Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay École Polytechnique Fédérale de Lausanne (Switzerland) {pascaljunod, sergevaudenay}@epflch
More informationSubstitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis
J. Cryptology (1996) 9: 1 19 1996 International Association for Cryptologic Research Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis Howard M. Heys and Stafford E.
More informationSpecification on a Block Cipher : Hierocrypt L1
Specification on a Block Cipher : Hierocrypt L1 Toshiba Corporation September 2001 Contents 1 Design principle 3 1.1 Data randomizing part........................ 3 1.1.1 Nested SPN structure....................
More informationobservations on the simon block cipher family
observations on the simon block cipher family Stefan Kölbl 1 Gregor Leander 2 Tyge Tiessen 1 August 17, 2015 1 DTU Compute, Technical University of Denmark, Denmark 2 Horst Görtz Institute for IT Security,
More informationOn Reverse-Engineering S-boxes with Hidden Design Criteria or Structure
On Reverse-Engineering S-boxes with Hidden Design Criteria or Structure Alex Biryukov, Léo Perrin {alex.biryukov,leo.perrin}@uni.lu University of Luxembourg January 13, 2015 1 / 42 Introduction Skipjack
More informationChosen Plaintext Attacks (CPA)
Chosen Plaintext Attacks (CPA) Goals New Attacks! Chosen Plaintext Attacks (often CPA) is when Eve can choose to see some messages encoded. Formally she has Black Box for ENC k. We will: 1. Define Chosen
More informationLinks Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT
Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT Céline Blondeau, Benoît Gérard SECRET-Project-Team, INRIA, France TOOLS for Cryptanalysis - 23th June 2010 C.Blondeau
More informationCryptanalysis of the SIMON Family of Block Ciphers
Cryptanalysis of the SIMON Family of Block Ciphers Hoda A. Alkhzaimi and Martin M. Lauridsen DTU Compute Section for Cryptology Department of Applied Mathematics and Computer Science Matematiktorvet, building
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li, Bing Sun, Chao Li, Longjiang Qu National University of Defense Technology, Changsha, China ACISP 2010, Sydney, Australia 5
More informationStructural Evaluation by Generalized Integral Property
Structural Evaluation by Generalized Integral Property Yosue Todo NTT Secure Platform Laboratories, Toyo, Japan todo.yosue@lab.ntt.co.jp Abstract. In this paper, we show structural cryptanalyses against
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationAnother view of the division property
Another view of the division property Christina Boura and Anne Canteaut Université de Versailles-St Quentin, France Inria Paris, France Dagstuhl seminar, January 2016 Motivation E K : block cipher with
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More informationMatrix Power S-Box Construction
Matrix Power S-Box Construction Eligijus Sakalauskas a and Kestutis Luksys b Department of Applied Mathematics, Kaunas University of Technology, Studentu g. 50, 52368 Kaunas, Lithuania a Eligijus.Sakalauskas@ktu.lt
More informationSymmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway
Symmetric Cryptanalytic Techniques Sean Murphy ショーン マーフィー Royal Holloway Block Ciphers Encrypt blocks of data using a key Iterative process ( rounds ) Modified by Modes of Operation Data Encryption Standard
More informationRevisit and Cryptanalysis of a CAST Cipher
2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia
More informationThesis Research Notes
Thesis Research Notes Week 26-2012 Christopher Wood June 29, 2012 Abstract This week was devoted to reviewing some classical literature on the subject of Boolean functions and their application to cryptography.
More informationSTREAM CIPHER. Chapter - 3
STREAM CIPHER Chapter - 3 S t r e a m C i p h e r P a g e 38 S t r e a m C i p h e r P a g e 39 STREAM CIPHERS Stream cipher is a class of symmetric key algorithm that operates on individual bits or bytes.
More informationCellular Automata Based S-boxes
Cellular Automata Based S-boxes Luca Mariot 1, Stjepan Picek, Alberto Leporati 1, and Domagoj Jakobovic 3 1 Dipartimento di Informatica, Sistemistica e Comunicazione, Università degli Studi di Milano-Bicocca,
More informationCount November 21st, 2017
RUHR-UNIVERSITÄT BOCHUM XOR Count November 21st, 2017 FluxFingers Workgroup Symmetric Cryptography Ruhr University Bochum Friedrich Wiemer Friedrich Wiemer XOR Count November 21st, 2017 1 Overview Joint
More informationAvalanche Characteristics of Substitution- Permutation Encryption Networks
Avalanche Characteristics of Substitution- Permutation Encryption Networks Howard M. Heys and Stafford E. Tavares, member IEEE Abstract This paper develops analytical models for the avalanche characteristics
More informationA Brief Comparison of Simon and Simeck
A Brief Comparison of Simon and Simeck Stefan Kölbl, Arnab Roy {stek,arroy}@dtu.dk DTU Compute, Technical University of Denmark, Denmark Abstract. Simeck is a new lightweight block cipher design based
More informationBlock Ciphers. Chester Rebeiro IIT Madras. STINSON : chapters 3
Block Ciphers Chester Rebeiro IIT Madras STINSON : chapters 3 Block Cipher K E K D Alice untrusted communication link E #%AR3Xf34^$ message encryption (ciphertext) Attack at Dawn!! D decryption Bob Attack
More informationIf a Generalised Butterfly is APN then it Operates on 6 Bits
If a Generalised Butterfly is APN then it Operates on 6 Bits Anne Canteaut 1, Léo Perrin 1, Shizhu Tian 1,2,3 1 Inria, Paris, France. 2 State Key Laboratory of Information Security, Institute of Information
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationThe Invariant Set Attack 26th January 2017
The Invariant Set Attack 26th January 2017 Workgroup Symmetric Cryptography Ruhr University Bochum Friedrich Wiemer Friedrich Wiemer The Invariant Set Attack 26th January 2017 1 Nonlinear Invariant Attack
More informationKey Difference Invariant Bias in Block Ciphers
Key Difference Invariant Bias in Block Ciphers Andrey Bogdanov, Christina Boura, Vincent Rijmen 2, Meiqin Wang 3, Long Wen 3, Jingyuan Zhao 3 Technical University of Denmark, Denmark 2 KU Leuven ESAT/SCD/COSIC
More informationbison Instantiating the Whitened Swap-Or-Not Construction
bison Instantiating the Whitened Swap-Or-Not Construction Anne Canteaut 1, Virginie Lallemand 2, Gregor Leander 2, Patrick Neumann 2 and Friedrich Wiemer 2 1 Inria, Paris, France anne.canteaut@inria.fr
More informationAnalysis of Differential Attacks in ARX Constructions
.. Analysis of Differential Attacks in ARX Constructions Gaëtan Leurent UCL Crypto Group University of Luxembourg Asiacrypt 2012 G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions
More information18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh
18733: Applied Cryptography Anupam Datta (CMU) Block ciphers Online Cryptography Course What is a block cipher? Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical
More informationIntroduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES
CSC/ECE 574 Computer and Network Security Topic 3.1 Secret Key Cryptography Algorithms CSC/ECE 574 Dr. Peng Ning 1 Outline Introductory Remarks Feistel Cipher DES AES CSC/ECE 574 Dr. Peng Ning 2 Introduction
More informationUsing MILP in Analysis of Feistel Structures and Improving Type II GFS by Switching Mechanism
Using MILP in Analysis of Feistel Structures and Improving Type II GFS by Switching Mechanism Mahdi Sajadieh and Mohammad Vaziri 1 Department of Electrical Engineering, Khorasgan Branch, Islamic Azad University,
More informationA Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms
A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms Alex Biryukov, Christophe De Cannière, An Braeken, and Bart Preneel Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark
More informationOpen problems related to algebraic attacks on stream ciphers
Open problems related to algebraic attacks on stream ciphers Anne Canteaut INRIA - projet CODES B.P. 105 78153 Le Chesnay cedex - France e-mail: Anne.Canteaut@inria.fr Abstract The recently developed algebraic
More informationAlgebraic Attack Against Trivium
Algebraic Attack Against Trivium Ilaria Simonetti, Ludovic Perret and Jean Charles Faugère Abstract. Trivium is a synchronous stream cipher designed to provide a flexible trade-off between speed and gate
More informationTHE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018
THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 CPSC 418/MATH 318 L01 October 17, 2018 Time: 50 minutes
More informationChapter 1 - Linear cryptanalysis.
Chapter 1 - Linear cryptanalysis. James McLaughlin 1 Introduction. Linear cryptanalysis was first introduced by Mitsuru Matsui in [12]. The cryptanalyst attempts to find a linear equation x 1... x i =
More informationCryptanalysis of SP Networks with Partial Non-Linear Layers
Cryptanalysis of SP Networks with Partial Non-Linear Layers Achiya Bar-On 1, Itai Dinur 2, Orr Dunkelman 3,5,, Virginie Lallemand 4,, Nathan Keller 1,5,, and Boaz Tsaban 1 1 Department of Mathematics,
More informationQuantum Differential and Linear Cryptanalysis
Quantum Differential and Linear Cryptanalysis Marc Kaplan 1,2 Gaëtan Leurent 3 Anthony Leverrier 3 María Naya-Plasencia 3 1 LTCI, Télécom ParisTech 2 School of Informatics, University of Edinburgh 3 Inria
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under
More informationarxiv: v2 [cs.cr] 18 Jan 2016
A note on APN permutations in even dimension M. Calderini a, M. Sala a, I. Villa a a Department of Mathematics, University of Trento, Via Sommarive 14, 38100 Povo (Trento), Italy arxiv:1511.08101v2 [cs.cr]
More informationMultiplicative Complexity Reductions in Cryptography and Cryptanalysis
Multiplicative Complexity Reductions in Cryptography and Cryptanalysis THEODOSIS MOUROUZIS SECURITY OF SYMMETRIC CIPHERS IN NETWORK PROTOCOLS - ICMS - EDINBURGH 25-29 MAY/2015 1 Presentation Overview Linearity
More informationSide-channel Analysis of Lightweight Ciphers: Does Lightweight Equal Easy?
Side-channel Analysis of Lightweight Ciphers: Does Lightweight Equal Easy? Annelie Heuser 1, Stjepan Picek 2, Sylvain Guilley 3, and Nele Mentens 2 1 IRISA/CNRS, Rennes, France 2 KU Leuven, ESAT/COSIC
More informationInvariant Subspace Attack Against Full Midori64
Invariant Subspace Attack Against Full Midori64 Jian Guo 1, Jérémy Jean 1, Ivica Nikolić 1, Kexin Qiao 1,2, Yu Sasaki 1,3, and Siang Meng Sim 1 1 Nanyang Technological University, Singapore 2 Institute
More informationLinks Between Truncated Differential and Multidimensional Linear Properties of Block Ciphers and Underlying Attack Complexities
Links Between Truncated Differential and Multidimensional Linear Properties of Block Ciphers and Underlying Attack Complexities Céline Blondeau and Kaisa Nyberg Department of Information and Computer Science,
More informationOn the Design of Trivium
On the Design of Trivium Yun Tian, Gongliang Chen, Jianhua Li School of Information Security Engineering, Shanghai Jiaotong University, China ruth tian@sjtu.edu.cn, chengl@sjtu.edu.cn, lijh888@sjtu.edu.cn
More informationBitblock Ciphers and Feistel Networks
Chapter 2 Bitblock Ciphers and Feistel Networks This chapter contains basic facts about bitblock ciphers and some approaches to their construction. 13 K. Pommerening, Bitblock Ciphers 14 2.1 Bitblock Ciphers
More information2. Accelerated Computations
2. Accelerated Computations 2.1. Bent Function Enumeration by a Circular Pipeline Implemented on an FPGA Stuart W. Schneider Jon T. Butler 2.1.1. Background A naive approach to encoding a plaintext message
More informationTransform Domain Analysis of DES. Guang Gong and Solomon W. Golomb. University of Southern California. Tels and
Transform Domain Analysis of DES Guang Gong and Solomon W. Golomb Communication Sciences Institute University of Southern California Electrical Engineering-Systems, EEB # 500 Los Angeles, California 90089-2565
More informationHuihui Yap* and Khoongming Khoo. Axel Poschmann
Int. J. Applied Cryptography, Vol. X, No. Y, 200X 1 Parallelisable variants of Camellia and SMS4 block cipher: p-camellia and p-sms4 Huihui Yap* and Khoongming Khoo DSO National Laboratories, 20 Science
More informationBreaking Symmetric Cryptosystems Using Quantum Algorithms
Breaking Symmetric Cryptosystems Using Quantum Algorithms Gaëtan Leurent Joined work with: Marc Kaplan Anthony Leverrier María Naya-Plasencia Inria, France FOQUS Workshop Gaëtan Leurent (Inria) Breaking
More informationAlgebraic properties of SHA-3 and notable cryptanalysis results
Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =
More informationModule 2 Advanced Symmetric Ciphers
Module 2 Advanced Symmetric Ciphers Dr. Natarajan Meghanathan Professor of Computer Science Jackson State University E-mail: natarajan.meghanathan@jsums.edu Data Encryption Standard (DES) The DES algorithm
More informationVirtual isomorphisms of ciphers: is AES secure against differential / linear attack?
Alexander Rostovtsev alexander. rostovtsev@ibks.ftk.spbstu.ru St. Petersburg State Polytechnic University Virtual isomorphisms of ciphers: is AES secure against differential / linear attack? In [eprint.iacr.org/2009/117]
More informationBlock Ciphers that are Easier to Mask: How Far Can we Go?
Block Ciphers that are Easier to Mask: How Far Can we Go? Benoît Gérard, Vincent Grosso, María Naya-Plasencia, François-Xavier Standaert To cite this version: Benoît Gérard, Vincent Grosso, María Naya-Plasencia,
More informationComputing the biases of parity-check relations
Computing the biases of parity-check relations Anne Canteaut INRIA project-team SECRET B.P. 05 7853 Le Chesnay Cedex, France Email: Anne.Canteaut@inria.fr María Naya-Plasencia INRIA project-team SECRET
More informationLightweight Cryptography for RFID Systems
Lightweight Cryptography for RFID Systems Guang Gong Department of Electrical and Computer Engineering University of Waterloo CANADA G. Gong (University of Waterloo)
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1 and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105-78153 Le Chesnay Cedex
More informationOn Distinct Known Plaintext Attacks
Céline Blondeau and Kaisa Nyberg Aalto University Wednesday 15th of April WCC 2015, Paris Outline Linear Attacks Data Complexity of Zero-Correlation Attacks Theory Experiments Improvement of Attacks Multidimensional
More informationThe Security of Abreast-DM in the Ideal Cipher Model
The Security of breast-dm in the Ideal Cipher Model Jooyoung Lee, Daesung Kwon The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390 jlee05@ensec.re.kr,ds
More informationBernoulli variables. Let X be a random variable such that. 1 with probability p X = 0 with probability q = 1 p
Unit 20 February 25, 2011 1 Bernoulli variables Let X be a random variable such that { 1 with probability p X = 0 with probability q = 1 p Such an X is called a Bernoulli random variable Unit 20 February
More informationImproved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256
Improved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256 Leibo Li 1 and Keting Jia 2 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, School of Mathematics,
More informationSolutions to the Midterm Test (March 5, 2011)
MATC16 Cryptography and Coding Theory Gábor Pete University of Toronto Scarborough Solutions to the Midterm Test (March 5, 2011) YOUR NAME: DO NOT OPEN THIS BOOKLET UNTIL INSTRUCTED TO DO SO. INSTRUCTIONS:
More informationA New Algorithm to Construct. Secure Keys for AES
Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 26, 1263-1270 A New Algorithm to Construct Secure Keys for AES Iqtadar Hussain Department of Mathematics Quaid-i-Azam University, Islamabad, Pakistan
More information