Quantum Chosen-Ciphertext Attacks against Feistel Ciphers
|
|
- Evangeline Walton
- 5 years ago
- Views:
Transcription
1 SESSION ID: CRYP-R09 Quantum Chosen-Ciphertext Attacks against Feistel Ciphers Gembu Ito Nagoya University Joint work with Akinori Hosoyamada, Ryutaroh Matsumoto, Yu Sasaki and Tetsu Iwata
2 Overview 3-round Feistel construction is a PRP, 4-round is an SPRP [LR88] Rounds Classic CPA insecure CPA secure [LR88] CCA insecure CCA secure [LR88] insecure: efficient distinguishing attacks secure: indistinguishable from a random permutation [LR88] Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput /49
3 Overview 3-round Feistel construction is not secure against quantum CPAs [KM10] Rounds Classic Quantum CPA insecure CPA secure [LR88] CCA insecure QCPA insecure [KM10] insecure: efficient distinguishing attacks secure: indistinguishable from a random permutation CCA secure [LR88] [KM10] Kuwakado, H., Morii, M.: Quantum distinguisher between the 3-round Feistel cipher and the random permutation. ISIT /49
4 Overview 4-round Feistel construction is not secure against quantum CCAs Rounds Classic CPA insecure CPA secure [LR88] CCA insecure CCA secure [LR88] Quantum QCPA insecure [KM10] QCCA insecure 3/49
5 Overview 4-round Feistel construction is not secure against quantum CCAs Rounds Classic CPA insecure CPA secure [LR88] CCA insecure CCA secure [LR88] Quantum QCPA insecure [KM10] QCCA insecure Extend to practical designs of Feistel ciphers (including key recovery attacks) 4/49
6 Outline 1. Introduction 2. Previous Quantum Distinguisher 3. Quantum CCAs against Feistel Constructions Quantum Distinguisher against 4-round Feistel Constructions Formalization of Quantum Distinguishers Quantum CCAs against Practical Designs of Feistel Constructions 4. Concluding Remarks
7 Outline 1. Introduction 2. Previous Quantum Distinguisher 3. Quantum CCAs against Feistel Constructions Quantum Distinguisher against 4-round Feistel Constructions Formalization of Quantum Distinguishers Quantum CCAs against Practical Designs of Feistel Constructions 4. Concluding Remarks
8 Feistel Ciphers Feistel-F Construction nn-bit state is divided into nn/2-bit halves aa ii and bb ii, then bb ii+1 aa ii FF KKii bb ii, aa ii+1 bb ii FF KKii is a keyed function taking a subkey KK ii as input 7/49
9 Practical Designs of Feistel Ciphers Feistel-KF Construction DES, Camellia Feistel-FK Construction Piccolo, SIMON, Simeck Feistel-KF 8/49 Feistel-FK
10 Main Tool: Simon s algorithm [Sim97] Problem Given ff: {0,1} nn {0,1} nn such that there exists a non-zero period ss with ff xx = ff xx xx = xx ss for any distinct xx, xx {0,1} nn, the goal is to find ss OO 2 nn/2 queries in the classical setting Simon s algorithm [Sim97] can find ss with OO nn quantum queries [Sim97] Simon, D.R.: On the power of quantum computation. SIAM J. Comput. 26(5), (1997) 9/49
11 Main Tool: Simon s algorithm [Sim97] Many polynomial-time attacks using Simon s algorithm 3-round Feistel construction [KM10] Even-Mansour [KM12] LRW, various MACs, and CAESAR candidates [KLL+16] AEZ [Bon17] [KM12] H. Kuwakado and M. Morii. Security on the Quantum-Type Even-Mansour Cipher. ISITA [KLL+16] M. Kaplan, G. Leurent, A. Leverrier, and M. Naya-Plasencia. Breaking Symmetric Cryptosystems using Quantum Period Finding. CRYPTO [Bon17] Bonnetain, X.: Quantum Key-Recovery on Full AEZ. SAC /49
12 Outline 1. Introduction 2. Previous Quantum Distinguisher 3. Quantum CCAs against Feistel Constructions Quantum Distinguisher against 4-round Feistel Constructions Formalization of Quantum Distinguishers Quantum CCAs against Practical Designs of Feistel Constructions 4. Concluding Remarks
13 Overview of the Distinguisher Given an oracle OO which is OO = EE KK or a random permutation Π Perm(nn), distinguish the two cases The adversary can make superposition queries to OO Distinguisher 1. Construct a function ff OO that has a period ss when OO is EE KK, and does not have any period when OO is Π 2. Check if ff OO has a period or not by using Simon s algorithm 12/49
14 Quantum Distinguisher against 3-round Feistel-F [KM10] αα 0, αα 1 0,1 nn/2 : arbitrary distinct constants ff OO : 0,1 0,1 nn/2 0,1 nn/2 ββ xx cc αα ββ 13/49
15 Quantum Distinguisher against 3-round Feistel-F [KM10] FF 3 does not contribute to ff OO Orange line and αα ββ cancel each other 14/49
16 Quantum Distinguisher against 3-round Feistel-F [KM10] 15/49
17 Quantum Distinguisher against 3-round Feistel-F [KM10] ff OO has a period ss = 11 FF 11 αα 00 FF 11 αα 11 ff OO ββ xx = FF 2 xx FF 1 αα ββ = FF 2 xx FF 1 αα 0 FF 1 αα 1 FF 1 αα ββ 1 = ff OO ββ 1 xx FF 1 αα 0 FF 1 αα 1 16/49
18 Key Recovery Attacks Distinguisher can be extended to key recovery attacks Key recovery attacks against Feistel-KF [HS18,DW17] Combining Grover search [Gro96] and the distinguisher Leander and May developed this technique [LM17] [HS18] Hosoyamada, A., Sasaki, Y.: Quantum Demiric-Selçuk meet-in-the-middle attacks: Applications to 6-round generic Feistel constructions. SCN [DW17] Dong, X., Wang, X.: Quantum key-recovery attack on Feistel structures. IACR Cryptology eprint Archive [Gro96] Grover, L.K.: A fast quantum mechanical algorithm for database search. STOC [LM17] Leander, G., May, A.: Grover meets Simon - Quantumly attacking the FX-construction. ASIACRYPT /49
19 Outline 1. Introduction 2. Previous Quantum Distinguisher 3. Quantum CCAs against Feistel Constructions Quantum Distinguisher against 4-round Feistel Constructions Formalization of Quantum Distinguishers Quantum CCAs against Practical Designs of Feistel Constructions 4. Concluding Remarks
20 Quantum Distinguisher against 4-round Feistel-F αα 0, αα 1 0,1 nn/2 : arbitrary distinct constants ff OO : 0,1 0,1 nn/2 0,1 nn/2 ββ xx bb αα ββ 19/49
21 Quantum Distinguisher against 4-round Feistel-F FF 4 has no effect Last FF 1 does not contribute to ff OO 20/49
22 Quantum Distinguisher against 4-round Feistel-F 21/49
23 Quantum Distinguisher against 4-round Feistel-F 22/49
24 Quantum Distinguisher against 4-round Feistel-F 23/49
25 Quantum Distinguisher against 4-round Feistel-F Computation after ZZ ββ xx does not depend on ββ, xx ZZ ββ xx has a period ss = 1 FF 1 αα 0 FF 1 αα 1 24/49
26 Quantum Distinguisher against 4-round Feistel-F αα ββ cancels each other αα 0, αα 0 αα 0 αα 1 = αα 1, αα 1 αα 0 αα 1 = {αα 0, αα 1 } 25/49
27 Quantum Distinguisher against 4-round Feistel-F αα ββ cancels each other αα 0, αα 0 αα 0 αα 1 = αα 1, αα 1 αα 0 αα 1 = {αα 0, αα 1 } Computation after ZZ ββ xx does not depend on ββ, xx 26/49
28 Quantum Distinguisher against 4-round Feistel-F ZZ ββ xx has a period ss = 1 FF 1 αα 0 FF 1 αα 1 since ZZ 0 xx ss = xx FF 1 αα 0 FF 1 αα 1 FF 1 αα 1 = xx FF 1 αα 0 = ZZ 0 xx 27/49
29 Relaxing Simon s Algorithm We know that ff(xx) = ff(xx ) xx = xx ss ff(xx) = ff(xx ) xx = xx ss may or may not hold We formalize a sufficient condition to eliminate the need to prove it 28/49
30 Relaxing Simon s Algorithm Simon s Algorithm uses the circuit SS ff that returns a vector yy ii that is orthogonal to all periods ss 1, ss 2, To recover ss from yy 1, yy 2,, ff has to satisfy ff xx = ff xx xx = xx ss 29/49
31 Relaxing Simon s Algorithm In distinguisher If ff has a period ss, we obtain yy ii ss 0 (mod 2) (other periods can exist) dimension of the space spanned by yy 1, yy 2, is at most nn 11 If ff doesn t have a period, yy ii can take any value of 0,1 nn dimension can reach nn [SS17] Santoli, T., Schaffner, C.: Using Simon s algorithm to attack symmetric-key cryptographic primitives. Quantum Information & Computation /49
32 Relaxing Simon s Algorithm In distinguisher If ff has a period ss, we obtain yy ii ss 0 (mod 2) (other periods can exist) dimension of the space spanned by yy 1, yy 2, is at most nn 11 If ff doesn t have a period, yy ii can take any value of 0,1 nn dimension can reach nn Checking the dimension of the space spanned by yy 1, yy 2, Similar observation is pointed out in [SS17] We formalized a sufficient condition [SS17] Santoli, T., Schaffner, C.: Using Simon s algorithm to attack symmetric-key cryptographic primitives. Quantum Information & Computation /49
33 Relaxing Simon s Algorithm εε ff ππ = max Pr tt 0,1 ll {0 ll } xx [ffππ xx = ff ππ (xx xx)] (ππ is a fixed permutation) irr ff δδ = ππ Perm nn εε ff ππ > 1 δδ (δδ is a small constant 0 δδ < 1) Checking the dimension of the space spanned by yy 1, yy 2,, yy ηη Success probability is at least 1 2ll Pr eeδδδδ/2 [Π irr Π ff δδ ] [SS17] Santoli, T., Schaffner, C.: Using Simon s algorithm to attack symmetric-key cryptographic primitives. Quantum Information & Computation /49
34 Outline 1. Introduction 2. Previous Quantum Distinguisher 3. Quantum CCAs against Feistel Constructions Quantum Distinguisher against 4-round Feistel Constructions Formalization of Quantum Distinguishers Quantum CCAs against Practical Designs of Feistel Constructions 4. Concluding Remarks
35 Quantum Attacks against Practical Designs The same distinguishing attack against Feistel-F can be used against Feistel-KF Extend to quantum distinguishing attacks against 6-round Feistel-FK Key recovery attacks against 7-round Feistel-KF and 9-round Feistel-FK 34/49
36 Quantum Distinguisher against 6-round Feistel-FK ff OO : 0,1 0,1 nn/2 0,1 nn/2 ββ xx aa FF bb αα ββ 35/49
37 Quantum Distinguisher against 6-round Feistel-FK ff OO : 0,1 0,1 nn/2 0,1 nn/2 ββ xx aa FF bb αα ββ 36/49
38 Quantum Distinguisher against 6-round Feistel-FK FF in gray and KK 6 has no effect 37/49
39 Quantum Distinguisher against 6-round Feistel-FK Connect 2 figures 38/49
40 Quantum Distinguisher against 6-round Feistel-FK Almost the same as the 4-round distinguisher 39/49
41 Quantum Distinguisher against 6-round Feistel-FK 40/49
42 Quantum Distinguisher against 6-round Feistel-FK 41/49
43 Quantum Distinguisher against 6-round Feistel-FK Almost the same as the 4-round distinguisher Replace αα ββ with αα ββ KK 1 Replace FF ii xx with FF xx KK ii+1 ss = 1 FF αα 0 KK 1 FF αα 1 KK 1 42/49
44 Key Recovery Attacks 1. Implement a quantum circuit E that takes the subkey for the first (rr 3) round and the value after the first (rr 3) round as input, and returns the oracle output 43/49
45 Key Recovery Attacks If the guess is correct = 44/49
46 Key Recovery Attacks 2. For each guess, apply the distinguisher to E 3. If the distinguisher returns that this is a random permutation, then judge the guess is wrong, otherwise the guess is correct. If the guess is correct = 45/49
47 Key Recovery Attacks Exhaustive search of the first (rr 3) round : OO by Grover search 2 rr 3 nn/2 3-round distinguisher : OO nn for each subkeys guess If the guess is correct = 46/49
48 Key Recovery Attacks Combining Grover search and the distinguisher 7-round Feistel-KF Construction Recover 7nn/2-bit key with OO 2 9-round Feistel-FK Construction Recover 9nn/2-bit key with OO 2 8-round Feistel-FK Construction Recover 8nn/2-bit key with OO 2 rr 4 nn/4 = rr 6 nn/4 = rr 5 nn/4 = OO(2 3nn/4 ) (CCAs) OO(2 3nn/4 ) (CCAs) OO(2 3nn/4 ) (CPAs) 47/49
49 Outline 1. Introduction 2. Previous Quantum Distinguisher 3. Quantum CCAs against Feistel Constructions Quantum Distinguisher against 4-round Feistel Constructions Formalization of Quantum Distinguishers Quantum CCAs against Practical Designs of Feistel Constructions 4. Concluding Remarks
50 Concluding Remarks Rounds 3 4 Classic CPA secure [LR88] CCA secure [LR88] Quantum QCPA insecure [KM10] QCCA insecure Construction Feistel-KF Feistel-FK Distinguish 4-round 6-round Key Recovery 7-round 9-round (and 8-round QCPA) Open Questions Tight bound on the number of rounds that we can attack Feistel-F Improving the complexity or extending the number of rounds of the attacks against Feistel-KF and Feistel-FK 49/49
Quantum Chosen-Ciphertext Attacks against Feistel Ciphers
Quantum Chosen-Ciphertext Attacks against eistel Ciphers Gembu Ito 1, Akinori Hosoyamada 1,2, Ryutaroh Matsumoto 1,3, Yu Sasaki 2, and Tetsu Iwata 1 1 Nagoya University, Nagoya, Japan g itou@echo.nuee.nagoya-u.ac.jp,
More informationBreaking Symmetric Cryptosystems Using Quantum Algorithms
Breaking Symmetric Cryptosystems Using Quantum Algorithms Gaëtan Leurent Joined work with: Marc Kaplan Anthony Leverrier María Naya-Plasencia Inria, France FOQUS Workshop Gaëtan Leurent (Inria) Breaking
More informationarxiv: v3 [quant-ph] 31 Jan 2017
arxiv:1603.07856v3 [quant-ph] 31 Jan 2017 USING SIMON S ALGORITHM TO ATTACK SYMMETRIC-KEY CRYPTOGRAPHIC PRIMITIVES THOMAS SANTOLI a Mathematical Institute, University of Oxford; Andrew Wiles Building,
More informationQuantum Differential and Linear Cryptanalysis
Quantum Differential and Linear Cryptanalysis Marc Kaplan 1,2 Gaëtan Leurent 3 Anthony Leverrier 3 María Naya-Plasencia 3 1 LTCI, Télécom ParisTech 2 School of Informatics, University of Edinburgh 3 Inria
More informationGrover s algorithm. We want to find aa. Search in an unordered database. QC oracle (as usual) Usual trick
Grover s algorithm Search in an unordered database Example: phonebook, need to find a person from a phone number Actually, something else, like hard (e.g., NP-complete) problem 0, xx aa Black box ff xx
More informationDD2448 Foundations of Cryptography Lecture 3
DD2448 Foundations of Cryptography Lecture 3 Douglas Wikström KTH Royal Institute of Technology dog@kth.se February 3, 2016 Linear Cryptanalysis of the SPN Basic Idea Linearize Find an expression of the
More informationQuantum-secure symmetric-key cryptography based on Hidden Shifts
Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering
More informationThe Random Oracle Model and the Ideal Cipher Model are Equivalent
The Random Oracle Model and the Ideal Cipher Model are Equivalent Jean-ébastien Coron 1, Jacques Patarin 2, and Yannick eurin 2,3 (1) Univ. Luxembourg, (2) Univ. Versailles, (3)Orange Labs éminaire EN
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationBuilding Secure Block Ciphers on Generic Attacks Assumptions
Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin University of Versailles and Orange Labs SAC 2008 August 14-15, 2008 the context security of symmetric primitives
More informationTable Of Contents. ! 1. Introduction to AES
1 Table Of Contents! 1. Introduction to AES! 2. Design Principles behind AES Linear Cryptanalysis Differential Cryptanalysis Square Attack Biclique Attack! 3. Quantum Cryptanalysis of AES Applying Grover
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationOn the Round Security of Symmetric-Key Cryptographic Primitives
On the Round Security of Symmetric-Key Cryptographic Primitives Zulfikar Ramzan Leonid Reyzin. November 30, 000 Abstract We put forward a new model for understanding the security of symmetric-key primitives,
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationA Domain Extender for the Ideal Cipher
A Domain Extender for the Ideal Cipher Jean-Sébastien Coron 2, Yevgeniy Dodis 1, Avradip Mandal 2, and Yannick Seurin 3,4 1 New York University 2 University of Luxembourg 3 University of Versailles 4 Orange
More informationQuantum-Secure Symmetric-Key Cryptography Based on Hidden Shifts
Quantum-Secure Symmetric-Key Cryptography Based on Hidden Shifts Gorjan Alagic 1 and Alexander Russell 2 1 Department of Computer Science and Engineering University of Connecticut acr@cse.uconn.edu 2 QMATH,
More informationLinear Hull Attack on Round-Reduced Simeck with Dynamic Key-guessing Techniques
Linear Hull Attack on Round-Reduced Simeck with Dynamic Key-guessing Techniques Lingyue Qin 1, Huaifeng Chen 3, Xiaoyun Wang 2,3 1 Department of Computer Science and Technology, Tsinghua University, Beijing
More informationThe Pseudorandomness of Elastic Block Ciphers
The Pseudorandomness of Elastic Block Ciphers Debra L. Cook and Moti Yung and Angelos Keromytis Department of Computer Science, Columbia University {dcook,moti,angelos}@cs.columbia.edu September 28, 2005
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationLocality in Coding Theory
Locality in Coding Theory Madhu Sudan Harvard April 9, 2016 Skoltech: Locality in Coding Theory 1 Error-Correcting Codes (Linear) Code CC FF qq nn. FF qq : Finite field with qq elements. nn block length
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationStream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida
Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits
More informationZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls
ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls Ritam Bhaumik, Indian Statistical Institute, Kolkata Eik List, Bauhaus-Universität Weimar, Weimar Mridul Nandi,
More informationGeneral Strong Polarization
General Strong Polarization Madhu Sudan Harvard University Joint work with Jaroslaw Blasiok (Harvard), Venkatesan Gurswami (CMU), Preetum Nakkiran (Harvard) and Atri Rudra (Buffalo) December 4, 2017 IAS:
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationA Brief Comparison of Simon and Simeck
A Brief Comparison of Simon and Simeck Stefan Kölbl, Arnab Roy {stek,arroy}@dtu.dk DTU Compute, Technical University of Denmark, Denmark Abstract. Simeck is a new lightweight block cipher design based
More informationOn the Design Rationale of Simon Block Cipher: Integral Attacks and Impossible Differential Attacks against Simon Variants
On the Design Rationale of Simon Block Cipher: Integral Attacks and Impossible Differential Attacks against Simon Variants Kota Kondo 1, Yu Sasaki 2, and Tetsu Iwata 3 1 Nagoya University, Japan, k kondo@echo.nuee.nagoya-u.ac.jp
More informationBenes and Butterfly schemes revisited
Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationSecurity of Random Feistel Schemes with 5 or more Rounds
Security of Random Feistel Schemes with 5 or more Rounds Jacques Patarin Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract. We study cryptographic attacks on random
More informationChapter 2 Balanced Feistel Ciphers, First Properties
Chapter 2 Balanced Feistel Ciphers, First Properties Abstract Feistel ciphers are named after Horst Feistel who studied these schemes in the 1960s. In this chapter, we will only present classical Feistel
More informationCharacterization of EME with Linear Mixing
Characterization of EME with Linear Mixing Nilanjan Datta and Mridul Nandi Cryptology Research Group Applied Statistics Unit Indian Statistical Institute 03, B.T. Road, Kolkata, India 700108 nilanjan isi
More informationOn Quantum Indifferentiability
On Quantum Indifferentiability Tore Vincent Carstens, Ehsan Ebrahimi, Gelo Noel Tabia, and Dominique Unruh University of Tartu, Estonia March 8, 2018 Abstract We study the indifferentiability of classical
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationWinter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2
0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationCryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography
Cryptography CS 555 Topic 22: Number Theory/Public Key-Cryptography 1 Exam Recap 2 Exam Recap Highest Average Score on Question Question 4: (Feistel Network with round function f(x) = 0 n ) Tougher Questions
More informationOn Post-Quantum Cryptography
On Post-Quantum Cryptography Ehsan Ebrahimi Quantum Cryptography Group University of Tartu, Estonia 15 March 2018 Information Security and Cryptography Group Seminar Post-Quantum Cryptography Users intend
More informationPost-quantum Security of the CBC, CFB, OFB, CTR, and XTS Modes of Operation.
OFB, CTR, In CBC, Ehsan Ebrahimi Targhi, Gelo Noel Tabia, Dominique Unruh University of Tartu February 4, 2016 Table of contents In CBC 1 2 3 4 In CBC PRF under quantum 5 6 Being optimistic about the emergence
More informationEnhancing the Signal to Noise Ratio
Enhancing the Signal to Noise Ratio in Differential Cryptanalysis, using Algebra Martin Albrecht, Carlos Cid, Thomas Dullien, Jean-Charles Faugère and Ludovic Perret ESC 2010, Remich, 10.01.2010 Outline
More informationCryptanalysis of block EnRUPT
Cryptanalysis of block EnRUPT Elias Yarrkov 2010-10-08 (revised 2010-10-12) Abstract EnRUPT is a cryptographic primitive with a variable block and key length. We show several attacks on it that stem from
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationInvariant Subspace Attack Against Full Midori64
Invariant Subspace Attack Against Full Midori64 Jian Guo 1, Jérémy Jean 1, Ivica Nikolić 1, Kexin Qiao 1,2, Yu Sasaki 1,3, and Siang Meng Sim 1 1 Nanyang Technological University, Singapore 2 Institute
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationInvariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs
Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs Jian Guo 1, Jeremy Jean 2, Ivica Nikolić 1, Kexin Qiao 3, Yu Sasaki 4, and Siang Meng Sim 1 1. Nanyang Technological
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More information18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh
18733: Applied Cryptography Anupam Datta (CMU) Block ciphers Online Cryptography Course What is a block cipher? Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More informationConstructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs
Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs Debra L. Cook 1, Moti Yung 2, Angelos Keromytis 3 1 Columbia University, New York, NY USA dcook@cs.columbia.edu 2 Google, Inc. and Columbia
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationOn Stream Ciphers with Small State
ESC 2017, Canach, January 16. On Stream Ciphers with Small State Willi Meier joint work with Matthias Hamann, Matthias Krause (University of Mannheim) Bin Zhang (Chinese Academy of Sciences, Beijing) 1
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationGeneral Strong Polarization
General Strong Polarization Madhu Sudan Harvard University Joint work with Jaroslaw Blasiok (Harvard), Venkatesan Gurswami (CMU), Preetum Nakkiran (Harvard) and Atri Rudra (Buffalo) May 1, 018 G.Tech:
More informationEliminating Random Permutation Oracles in the Even-Mansour Cipher
Eliminating Random Permutation Oracles in the Even-Mansour Cipher Craig Gentry and Zulfikar Ramzan DoCoMo Communications Laboratories USA, Inc. {cgentry, ramzan}@docomolabs-usa.com Abstract. Even and Mansour
More informationRelated-Key Rectangle Attack on Round-reduced Khudra Block Cipher
Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationKnown and Chosen Key Differential Distinguishers for Block Ciphers
1/19 Known and Chosen Key Differential Distinguishers for Block Ciphers Josef Pieprzyk joint work with Ivica Nikolić, Przemys law Soko lowski, and Ron Steinfeld ASK 2011, August 29-31, 2011 2/19 Outline
More informationModern symmetric-key Encryption
Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More informationChosen Ciphertext Security with Optimal Ciphertext Overhead
Chosen Ciphertext Security with Optimal Ciphertext Overhead Masayuki Abe 1, Eike Kiltz 2 and Tatsuaki Okamoto 1 1 NTT Information Sharing Platform Laboratories, NTT Corporation, Japan 2 CWI Amsterdam,
More informationThe Random Oracle Model and the Ideal Cipher Model are Equivalent
The Random Oracle Model and the Ideal Cipher Model are Equivalent Jean-Sébastien Coron 1, Jacques Patarin 2, and Yannick Seurin 2,3 1 University of Luxembourg 2 University of Versailles 3 Orange Labs Abstract.
More informationThe Indistinguishability of the XOR of k permutations
The Indistinguishability of the XOR of k permutations Benoit Cogliati, Rodolphe Lampe, Jacques Patarin University of Versailles, France Abstract. Given k independent pseudorandom permutations f 1,...,
More informationImproved Multiple Impossible Differential Cryptanalysis of Midori128
Improved Multiple Impossible Differential Cryptanalysis of Midori128 Mohamed Tolba, Ahmed Abdelkhalek, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University,
More informationTowards Understanding the Known-Key Security of Block Ciphers
Towards Understanding the Known-Key Security of Block Ciphers Elena Andreeva 1, Andrey Bogdanov 2 and Bart Mennink 1 1 Dept Electrical Engineering, ESAT/COSIC, KU Leuven, and iminds, Belgium {elenaandreeva,
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos
More informationLinks Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT
Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT Céline Blondeau, Benoît Gérard SECRET-Project-Team, INRIA, France TOOLS for Cryptanalysis - 23th June 2010 C.Blondeau
More informationOn the Counter Collision Probability of GCM*
On the Counter Collision Probability of GCM* Keisuke Ohashi, Nagoya University Yuichi Niwa, Nagoya University Tetsu Iwata, Nagoya University Early Symmetric Crypto (ESC) seminar January 14 18, Mondorf
More informationMILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher
MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher Raghvendra Rohit, Riham AlTawy, & Guang Gong Department of Electrical and Computer Engineering, University of Waterloo Waterloo,
More informationBuilding Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions
Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions Akinori Hosoyamada and Kan Yasuda NTT Secure Platform Laboratories, 3-9-, Midori-cho Musashino-shi,
More informationSymmetric key cryptography over non-binary algebraic structures
Symmetric key cryptography over non-binary algebraic structures Kameryn J Williams Boise State University 26 June 2012 AAAS Pacific Conference 24-27 June 2012 Acknowledgments These results are due to collaboration
More information18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh
18733: Applied Cryptography Anupam Datta (CMU) Block ciphers Online Cryptography Course What is a block cipher? Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationOn the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited
On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited Moni Naor Omer Reingold Abstract Luby and Rackoff [26] showed a method for constructing a pseudo-random permutation from a pseudo-random
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 37 Outline 1 Pseudo-Random Generators and Stream Ciphers 2 More Security Definitions: CPA and CCA 3 Pseudo-Random Functions/Permutations
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More information10.4 The Cross Product
Math 172 Chapter 10B notes Page 1 of 9 10.4 The Cross Product The cross product, or vector product, is defined in 3 dimensions only. Let aa = aa 1, aa 2, aa 3 bb = bb 1, bb 2, bb 3 then aa bb = aa 2 bb
More informationThe Random Oracle Model and the Ideal Cipher Model Are Equivalent
The Random Oracle Model and the Ideal Cipher Model Are Equivalent Jean-Sébastien Coron 1,JacquesPatarin 2, and Yannick Seurin 2,3 1 University of Luxembourg 2 University of Versailles 3 Orange Labs Abstract.
More informationEfficient Identity-based Encryption Without Random Oracles
Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationChosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers
Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers Simon Fischer 1, Shahram Khazaei 2, and Willi Meier 1 1 FHNW and 2 EPFL (Switzerland) AfricaCrypt 2008, Casablanca - June 11-14
More informationBlock encryption of quantum messages
Block encryption of quantum messages Min Liang 1 and Li Yang,3 1 Data Communication Science and Technology Research Institute, Beijing 100191, China liangmin07@mails.ucas.ac.cn State Key Laboratory of
More informationEME : extending EME to handle arbitrary-length messages with associated data
EME : extending EME to handle arbitrary-length messages with associated data (Preliminiary Draft) Shai Halevi May 18, 2004 Abstract We describe a mode of oepration EME that turns a regular block cipher
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2009-2010 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th 2009 1 / 60 Last Time (I) Security
More informationZero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA
Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Andrey Bogdanov, Meiqin Wang Technical University of Denmark, Shandong University, China ESC 2013,
More informationSimilarities between encryption and decryption: how far can we go?
Similarities between encryption and decryption: how far can we go? Anne Canteaut Inria, France and DTU, Denmark Anne.Canteaut@inria.fr http://www-rocq.inria.fr/secret/anne.canteaut/ SAC 2013 based on a
More informationCryptography CS 555. Topic 13: HMACs and Generic Attacks
Cryptography CS 555 Topic 13: HMACs and Generic Attacks 1 Recap Cryptographic Hash Functions Merkle-Damgård Transform Today s Goals: HMACs (constructing MACs from collision-resistant hash functions) Generic
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 74 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions
More informationCryptanalysis of the SIMON Family of Block Ciphers
Cryptanalysis of the SIMON Family of Block Ciphers Hoda A. Alkhzaimi and Martin M. Lauridsen DTU Compute Section for Cryptology Department of Applied Mathematics and Computer Science Matematiktorvet, building
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationA Note on Quantum-Secure PRPs
A Note on Quantum-Secure PRPs Mark Zhandry Princeton University mzhandry@princeton.edu Abstract We show how to construct pseudorandom permutations (PRPs) that remain secure even if the adversary can query
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 27 Previously on COS 433 Security Experiment/Game (One- time setting) b m, m M c Challenger k ß K c ß Enc(k,m b ) b IND-Exp b ( )
More informationImpact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs
Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC 9797 1:2011 MACs Tetsu Iwata, Nagoya University Lei Wang, Nanyang Technological University FSE 2014 March 4, 2014, London, UK 1 Overview ANSI X9.24
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationModes of Operations for Wide-Block Encryption
Wide-Block Encryption p. 1/4 Modes of Operations for Wide-Block Encryption Palash Sarkar Indian Statistical Institute, Kolkata Wide-Block Encryption p. 2/4 Structure of Presentation From block cipher to
More information