Invariant Hopping Attacks on Block Ciphers
1 Invariant Hopping Attacks on Block Ciphers. Nicolas T. Courtois, University College London, UK. [Title diagram: hopping from attack 1 (2x linear) and attack 2 (1x linear) to attack 3 and attack 4: strong Boolean function + high-degree invariant + high success probability.]
2 Roadmap. Part 1: Cold War / history of block ciphers. Part 2: new attacks: constructive cryptanalysis with polynomial invariants + annihilators, inside the Boolean ring B_n.
3 Algebraic Attacks on Block Ciphers. Question 1: why are 0% of the symmetric encryption schemes used in practice provably secure?
4 A New Frontier in Symmetric Cryptanalysis: the MQ problem. Dense MQ is VERY hard; the best attacks are FXL / Joux 2017/372 (see mqchallenge.org), and it is a top hard problem for both standard and post-quantum crypto. This allows one to build a provably secure stream cipher based on MQ directly: C. Berbain, H. Gilbert and J. Patarin, QUAD: A Practical Stream Cipher with Provable Security, Eurocrypt 2005 => provably secure encryption exists!
5 Algebraic Attacks on Block Ciphers. Question 2: why have researchers found so few attacks on block ciphers? Mystified by complexity.
6 Algebraic Attacks on Block Ciphers. Claim: finding new attacks on block ciphers is EASY and FUN.
7-8 Dr. Nicolas T. Courtois, blog.bettercrypto.com: 1. cryptanalysis; 2. industrial crypto.
9-10 Code Breakers (LinkedIn group): 3. crypto history.
11 Roadmap: Towards Modern Crypto.
12 NATO cipher competition (UK, US, France, Germany). Requirements: tapeless and rotorless => semiconductor electronics, high EM / side-channel (SCA) security!
13 Backdoors: the French submission [2004]: large period, non-linearity / removing the correlations (p.108): "certainement la meilleure machine cryptographique de son époque" (certainly the best cryptographic machine of its era).
14 Code Breakers: compromise of old crypto: USS Pueblo / North Korea, Jan.
15 Cold War: the Soviet Union was breaking codes and employed at least 100 cryptologists [source: Cryptologia, interviews by David Kahn with Gen. Andreev, first head of FAPSI (the Russian NSA)]. Example: in 1967 the GRU (Soviet intelligence) was intercepting cryptograms from 115 countries, using 152 cryptosystems; among these they broke 11 codes and obtained 7 other codes.
16 US/NATO crypto broken: Russia broke the NATO KW-7 cipher machine via the Walker spy ring (rotors + keys, paid more than 1M USD; source: NSA): "the greatest exploit in KGB history", it allowed the Soviets to read millions of US messages [Washington Post, 1989].
17-18 1970s: modern block ciphers are born. In which country?? Who knows: the Eastern Bloc also worked on these questions, and for a long time.
19 1927: the inventor of the ANF (Algebraic Normal Form), see en.wikipedia.org/wiki/zhegalkin_polynomial: the Russian mathematician and logician Иван Иванович Жегалкин (Ivan Ivanovich Zhegalkin) [Moscow State University], best known for his formulation of Boolean algebra as the theory of the ring of integers mod 2, (B_n, +, *).
20-21 Backdoors: our sources: the T-310 spec; ZCO = Zentrales Chiffrierorgan der DDR (the GDR's central cipher organ); BStU = Stasi Records Agency.
22 T-310: the East German T-310 block cipher: 240 bits, "quasi-absolute security" [ ], has a physical RNG => IV. Long-term secret: 90 bits only!
23 References:
Nicolas T. Courtois, Jörg Drobick, Jacques Patarin, Maria-Bristena Oprisanu, Matteo Scarlata, Om Bhallamudi: Cryptographic Security Analysis of T-310, eprint.iacr.org/2017/440.pdf, 132 pages, 2017.
Nicolas T. Courtois, Maria-Bristena Oprisanu: Ciphertext-Only Attacks and Weak Long-Term Keys in T-310, Cryptologia, vol. 42, iss. 4, May.
Nicolas T. Courtois, Maria-Bristena Oprisanu, Klaus Schmeh: Linear Cryptanalysis and Block Cipher Design in Eastern Germany in the 1970s, Cryptologia, Dec 2018.
Nicolas T. Courtois, Klaus Schmeh: Feistel Ciphers in East Germany in the Communist Era, Cryptologia, vol. 42, iss. 6, 2018.
24 Cipher Class Alpha (1970s): who invented Alpha? [full document not available]
25 T-310 [ ]: 4 branches.
26 IBM, USA, 1970s: IBM agreed with the NSA that the design criteria of DES would not be made public; the NSA generated the DES S-boxes (source: Coppersmith, invited summer ...).
27 Security of DES (overview). Official history of cryptanalysis: DC was known in the 1970s; Davies-Murphy attack [1982 classified, published in 1995] = early LC; Shamir's paper [1985] = early LC; Differential Cryptanalysis: Biham-Shamir [1991]; Linear Cryptanalysis: Gilbert and Matsui [ ].
28 One form of DC was known in 1973!
29 LC at ZCO!
30 Discrete differentials and higher-order DC: 1976! Higher order: [ ]
31 Computing HO differentials for all orders... fast points!
32 Backdoors: contracting Feistel [1970s, Eastern Germany!]: 1 round of T-310 (φ).
33 Roadmap: Backdoors.
34 Roadmap: backdoors vs. normal cryptanalysis. All our attacks work with relatively large probability, so if you are not lucky, a cipher which was NOT backdoored will also be broken!
35 Any backdoors? Claim: non-bijective φ: ALL broken! See: 1. Nicolas T. Courtois, Maria-Bristena Oprisanu: Ciphertext-Only Attacks and Weak Long-Term Keys in T-310 [Cryptologia, vol. 42, iss. ].
36 Backdoors: how to backdoor T-310 [yes we can]: omit just 1 out of 40 conditions => ciphertext-only attack, bad long-term key.
37 Backdoors: LC method to backdoor T-310 [2017]: 1,3,5 => 1,3,5 with P=1; bad long-term key 703: P=7,14,33,23,18,36,5,2,9,16,30,12,32,26,21,1,13,25,20,8,24,15,22,29,10,28,6; D=0,4,24,12,16,32,28,36,20.
38-39 Generalised Linear Cryptanalysis = GLC [Harpes, Kramer and Massey, Eurocrypt 95]: the concept of non-linear I/O sums: F(inputs) = G(outputs) with some probability.
40 Connecting non-linear approximations, black-box approach. [Diagram: non-linear functions F(x_1, ...), G(x_1, ...), H(y_1, ...), I(z_1, ...).]
41 GLC and Feistel ciphers? [Knudsen and Robshaw, Eurocrypt 96]: one-round approximations that are non-linear [ ] cannot be joined together. At Crypto 2004 Courtois showed that GLC is in fact possible for Feistel schemes!
42 BLC better than LC for DES: better than the best existing linear attack of Matsui for 3, 7, 11, 15, ... rounds. Ex: LC 11 rounds: [ ]; BLC 11 rounds: [ ].
43 Wrong approach [!!!!]: the black-box combination approach is constructive BUT has limited possibilities. [Diagram: F(x_1, ...), G(x_1, ...), H(y_1, ...), I(z_1, ...).]
44-45 New white-box approach [Courtois 2018]: study of non-linear I/O sums P(inputs) = P(outputs) with probability 1, i.e. a formal equality of 2 polynomials. BIG PROBLEM: 2^(2^n) possible attacks.
46 Variable Boolean function: we denote by Z our Boolean function and consider a space of ciphers where Z is variable. Question: given a fixed polynomial P, what is the probability, over a random choice of Z, that P(inputs) = P(outputs) is an invariant (for any number of rounds)?
47 Invariant Hopping. [Diagram as on the title slide: attack 1 (2x linear) and attack 2 (1x linear) hop to attack 3 and attack 4: strong Boolean function + high-degree invariant + high success probability.]
48-50 Group theory: is DES a group? Study of the group generated by φ_K for any key K. Typically AGL, not GL. Any smaller sub-groups? This question was also Bloc (Nicolas T. Courtois, January 2009)
51-54 Hopping in group lattices. [Lattice diagram, AGL at the top: attack 1: three invariants, linear Boolean function; attack 2: two invariants, bad Boolean function; attack 36: one complex high-degree invariant, strong Boolean function.]
55 Hopping discovery method: making the impossible possible. How? Learn from examples: old => new attack: transform a linear attack on a weak cipher with a linear Boolean function into a non-linear attack on a cipher with a strong Boolean function.
56 Hopping discovery: we navigate inside a product lattice, defined as the set of pairs (set of invariants, cipher spec), i.e. all possible invariant attacks x all possible ciphers [we modify the spec of the cipher]. Find a path from a trivial attack on a weak cipher to a non-trivial attack on a strong cipher.
57 Linear attack example: [ ]
58 Exact theorem [eprint/2017/440]: [ ]
59 Hopping step 1: first we look at an attack where the Boolean function is linear and we have trivial LINEAR invariants (the same as Matsui's LC). Example: [ ]
60 Backdoors: a vulnerable setup: 1 round of T-310 (φ).
61-62 Hopping step 2: now, could you please tell us whether P is an invariant? The answer is remarkably simple.
63-66 Hopping step 2. Theorem: P is an invariant IF AND ONLY IF a certain polynomial, the FE [ ], is zero as a polynomial (multiple cancellations); substituting Z by its ANF, it simplifies to: [ ].
67 What is special about P: the 2-factoring decomposition P = AC+BD. P is an invariant IF AND ONLY IF [ ]; some solutions are: [ ].
68-69 Invariant P of degree 4? P = ABCD is a 1-round invariant IF AND ONLY IF [ ]: a multiple of the previous polynomial!
70 Corollary (easy theorem, not included in the paper): for every cipher in our cipher space = (LZS551 + any Boolean function), if AC+BD is an invariant (degree 2) then ABCD is also an invariant (degree 4). Note: there is no invariant of degree 3, etc.
71-72 Selective removal. Q: can we now have ABCD as an invariant of degree 4 WITHOUT any invariants of degrees 1, 2, 3???? Answer: easy: choose a root of the second polynomial which is NOT a root of the first [almost always possible]. mc=yc, mbcd=ybcd.
73 Summary:
1. We start with a trivial attack on a weak cipher. Benefit: a certain polynomial has a solution.
2. Then some non-linear invariants also exist = additional roots.
3. Then we modify the cipher [manipulation of the roots of our FE] and the invariant, so that the simple invariants are removed.
4. What you get is a bit like a backdoor: potentially hard to detect.
74 Conclusion: we modify the cipher and the invariant so that simple invariants disappear. Q: can this be done with a really secure Boolean function? YES, see [eprint/2018/1242].
75 Remark: irreducible polynomials. For a long time we searched for invariant attacks where P is an irreducible polynomial. We were wrong!
76-78 Product question: trivial NL invariants based on cycles in LC. If A -> B -> C -> D -> A, then ABCD is a round invariant of degree 4; if A -> B -> C -> D -> E -> A, then ABCDE is a round invariant of degree 5. Stupid?? Not at all! Some of the strongest attacks ever found are like this. Trivial invariants can be REMOVED!!!!
80-81 Phase transition: when P is of degree 4, the Boolean function is still inevitably degenerate [this paper]. Q: can we backdoor or break a cipher with a random Boolean function? YES, see [eprint/2018/1242]: a degree-8 attack with P = ABCDEFGH, extremely strong: 15% success rate over the choice of a random Boolean function.
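The hopping procedure of slides 55 to 73, the product-of-a-cycle invariants of slides 76 to 78 and the "probability over a random choice of Z" question of slides 46 and 80 to 81, worked through on a constructed toy cipher. This is added example code, not code from the slides or from Courtois's papers: the 4-bit round (a,b,c,d) -> (b,c,d, a + Z(b,c,k)), the functions Z_linear and Z_hopped and every name below are assumptions of this example, and the counts it produces (64 of the 256 possible Z keep abcd invariant, 2 of 256 admit any linear invariant) hold for this toy only, not for T-310.

```python
from itertools import product

# Constructed toy cipher (NOT the T-310 specification): a 4-bit state (a, b, c, d)
# is rotated one position per round and a single key bit k enters through the
# Boolean function Z(b, c, k). The rotation a -> b -> c -> d -> a is the "cycle"
# that makes the product abcd a natural candidate invariant.
def toy_round(state, k, Z):
    a, b, c, d = state
    return (b, c, d, a ^ Z(b, c, k))

STATES = list(product((0, 1), repeat=4))   # all 16 states
KEYS = (0, 1)

def is_invariant(P, Z):
    """Perfect (probability-1) invariant: P(round(x)) == P(x) for every state x
    and every key bit. Two Boolean functions that agree on all points are the
    same element of the Boolean ring, so this exhaustive check is exactly the
    formal polynomial equality of the white-box approach."""
    return all(P(toy_round(x, k, Z)) == P(x) for x in STATES for k in KEYS)

def linear_form(coeffs):
    """The linear Boolean function sum(coeffs[i] * x[i]) mod 2."""
    return lambda x: sum(ci & xi for ci, xi in zip(coeffs, x)) & 1

def product_abcd(x):
    """P = abcd, the degree-4 product over the cycle."""
    a, b, c, d = x
    return a & b & c & d

def linear_invariants(Z):
    """All nonzero linear forms that hold with probability 1 (Matsui-style LC)."""
    return [cf for cf in STATES if any(cf) and is_invariant(linear_form(cf), Z)]

def invariant_space_dimension(Z):
    """Dimension of the space of ALL invariants of any degree. An invariant is a
    function constant on each orbit of the state set under the round maps (one
    map per key bit), so the dimension is the number of orbits (union-find)."""
    parent = {x: x for x in STATES}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for x in STATES:
        for k in KEYS:
            parent[find(x)] = find(toy_round(x, k, Z))
    return len({find(x) for x in STATES})

def all_boolean_functions():
    """Every Boolean function Z(b, c, k): 2^(2^3) = 256 truth tables."""
    for tt in range(256):
        yield lambda b, c, k, tt=tt: (tt >> (b << 2 | c << 1 | k)) & 1

def count_Z_keeping(P):
    """How many of the 256 choices of Z keep P a perfect invariant."""
    return sum(is_invariant(P, Z) for Z in all_boolean_functions())

def count_Z_with_linear_invariant():
    """How many of the 256 choices of Z leave any linear invariant at all."""
    return sum(bool(linear_invariants(Z)) for Z in all_boolean_functions())

# Hopping step 1: a weak cipher with a LINEAR Boolean function. It has a linear
# invariant a+c+d (trivial LC), and the product abcd happens to be invariant too.
Z_linear = lambda b, c, k: b ^ c

# Selective removal: abcd stays invariant iff b*c*d*Z(b,c,k) == 0 as a polynomial,
# i.e. iff Z(1, 1, k) == 0 for both key bits. Z = (b+1)*k is such a root, but it
# is NOT a root of the condition for a linear invariant (which forces Z to be 0
# or b+c), so the linear invariant disappears while the degree-4 one survives.
Z_hopped = lambda b, c, k: (b ^ 1) & k

if __name__ == "__main__":
    for name, Z in (("linear Z", Z_linear), ("hopped Z", Z_hopped)):
        print(name, "linear invariants:", linear_invariants(Z),
              "abcd invariant:", is_invariant(product_abcd, Z),
              "dim of invariant space:", invariant_space_dimension(Z))
    print("Z keeping abcd invariant:", count_Z_keeping(product_abcd), "of 256")
    print("Z with a linear invariant:", count_Z_with_linear_invariant(), "of 256")
```

For the linear Z the program finds the single linear invariant a+c+d together with abcd, and an invariant space of dimension 4 (four orbits: two fixed points and two 7-cycles). For the hopped Z no linear invariant is left while abcd survives, and the dimension drops to 2: the only invariants remaining are the constants and abcd itself, so degrees 1, 2 and 3 are all empty. The orbit count is the exhaustive analogue of the "three invariants / two invariants / one invariant" labels of the lattice diagram: each hop trades a smaller invariant space for a less degenerate Boolean function, and the brute-force count over all Z is the toy's version of the success rate over a random Boolean function.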
82 Other ciphers? DES.
83 Bonus: new non-trivial attacks: an irregular, sporadic attack with P of degree 7.
84 New white-box method [Courtois 2018]: the same concept of non-linear I/O sums, focusing mostly on perfect invariants: P(inputs) = P(outputs) with probability 1, a formal equality of 2 polynomials. Exploits the structure of the ring B_n: annihilation events and absorption events, which would be unthinkable if we had unique factorisation (e.g. ABCD = A*B*C*D).
85-86 *Lack of unique factorization (Sage session):
sage: R.<A,B,C,D,E,F,G,H> = BooleanPolynomialRing(8)
sage: mu = (B+C)*(G+H)*(B+H)*(B+F)*(C+D)
sage: mu + (C+H+1)*(C+F+1)*(B*D*G + H*(B+D+1)*(B+G+1))
0
sage: mu + (B+D+1)*(B+G+1)*(C*F*H + G*(C+H+1)*(C+F+1))
0
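A pure-Python stand-in for the Sage session above, added here as an example (it is not code from the slides, from Sage or from the T-310 papers), so that the two factorisation identities can be re-checked without Sage, together with the symbolic form of the theorem of slides 63 to 66: the Boolean function Z is written with unknown ANF coefficients and the invariance conditions are read off the FE = P(output) + P(input). The ring class, the toy round (a,b,c,d) -> (b,c,d, a + Z(b,c,k)) and the coefficient names z0..z7 are this example's own constructions; only the polynomials mu, alt1 and alt2 come from the slide.

```python
class BoolPoly:
    """Element of the Boolean ring B_n = GF(2)[x_1..x_n]/(x_i^2 + x_i), kept in
    Algebraic Normal Form (Zhegalkin polynomial): a set of monomials, each a
    frozenset of variable names (the empty frozenset is the constant 1)."""

    def __init__(self, monomials=()):
        self.m = frozenset(monomials)

    @staticmethod
    def var(name):
        return BoolPoly([frozenset([name])])

    @staticmethod
    def const(bit):
        return BoolPoly([frozenset()]) if bit & 1 else BoolPoly()

    @staticmethod
    def _lift(x):
        return x if isinstance(x, BoolPoly) else BoolPoly.const(x)

    def __add__(self, other):        # XOR of term sets: equal terms cancel (char 2)
        return BoolPoly(self.m ^ BoolPoly._lift(other).m)
    __radd__ = __add__

    def __mul__(self, other):        # x*x = x, so a product of monomials is their union
        acc, om = set(), BoolPoly._lift(other).m
        for s in self.m:
            for t in om:
                acc ^= {s | t}
        return BoolPoly(acc)
    __rmul__ = __mul__

    def __eq__(self, other):
        return self.m == BoolPoly._lift(other).m
    def __hash__(self):
        return hash(self.m)
    def is_zero(self):
        return not self.m
    def degree(self):
        return max((len(t) for t in self.m), default=-1)

    def subs(self, env):
        """Simultaneously substitute polynomials for the variables named in env."""
        out = BoolPoly()
        for t in self.m:
            term = BoolPoly.const(1)
            for v in t:
                term = term * env.get(v, BoolPoly.var(v))
            out = out + term
        return out

    def __repr__(self):
        terms = sorted(self.m, key=lambda t: (len(t), sorted(t)))
        return " + ".join("*".join(sorted(t)) or "1" for t in terms) or "0"

# 1. Lack of unique factorisation: the slide's three expressions for mu.
A, B, C, D, E, F, G, H = (BoolPoly.var(v) for v in "ABCDEFGH")

def mu_and_alternatives():
    mu = (B + C) * (G + H) * (B + H) * (B + F) * (C + D)
    alt1 = (C + H + 1) * (C + F + 1) * (B*D*G + H*(B + D + 1)*(B + G + 1))
    alt2 = (B + D + 1) * (B + G + 1) * (C*F*H + G*(C + H + 1)*(C + F + 1))
    return mu, alt1, alt2

def ring_identities(f):
    """Absorption f*f = f and annihilation f*(f+1) = 0 hold for EVERY f in B_n;
    these are the events that make factorisations non-unique."""
    return f * f == f, (f * (f + 1)).is_zero()

# 2. The FE for the toy round (a,b,c,d) -> (b,c,d, a + Z(b,c,k)); constructed here,
# not T-310. Z is GENERIC: its 8 ANF coefficients z0..z7 are ring variables too,
# so the FE is a polynomial in a,b,c,d,k whose coefficients are polynomials in z_i.
a, b, c, d, k = (BoolPoly.var(v) for v in "abcdk")
Z_MONOMIALS = [frozenset(s) for s in ("", "b", "c", "k", "bc", "bk", "ck", "bck")]
ZC = [BoolPoly.var(f"z{i}") for i in range(8)]
Z_GENERIC = sum((ZC[i] * BoolPoly([Z_MONOMIALS[i]]) for i in range(8)), BoolPoly())

def fundamental_equation(P):
    return P.subs({"a": b, "b": c, "c": d, "d": a + Z_GENERIC}) + P

def invariance_conditions(fe):
    """Group the FE by state/key monomial: P is invariant for every key iff each
    coefficient polynomial in the z_i is zero (the theorem on the slides)."""
    conds = {}
    for t in fe.m:
        state_part = frozenset(v for v in t if not v.startswith("z"))
        coeff = BoolPoly([frozenset(v for v in t if v.startswith("z"))])
        conds[state_part] = conds.get(state_part, BoolPoly()) + coeff
    return {s: p for s, p in conds.items() if not p.is_zero()}

def count_roots(conds):
    """Brute-force the 256 choices of Z: how many make every condition vanish."""
    n = 0
    for bits in range(256):
        env = {f"z{i}": BoolPoly.const(bits >> i) for i in range(8)}
        n += all(p.subs(env).is_zero() for p in conds.values())
    return n

P_ABCD = a * b * c * d
P_LIN = a + b + c + d
```

For P = abcd the FE reduces to b*c*d*Z and the grouping yields just two linear conditions on the coefficients of Z, z0+z1+z2+z4 = 0 and z3+z5+z6+z7 = 0, so 64 of the 256 Boolean functions are roots; for the linear P = a+b+c+d the FE is Z itself, all eight coefficients must vanish and only Z = 0 is a root. Picking a root of the first system that is not a root of the second is the selective removal of slides 71 to 72. The identity check on mu also shows why the ANF (not a factored form) is the right canonical representation: the three products collapse to the same degree-5 polynomial only after the absorptions and annihilations that a unique-factorisation domain would forbid.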
Loughborough University Institutional Repository Advanced differential-style cryptanalysis of the NSA's skipjack block cipher This item was submitted to Loughborough University's Institutional Repository
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationLecture Notes. Advanced Discrete Structures COT S
Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-27 Recap ADFGX Cipher Block Cipher Modes of Operation Hill Cipher Inverting a Matrix (mod n) Encryption: Hill Cipher Example Multiple
More informationPoly Dragon: An efficient Multivariate Public Key Cryptosystem
Poly Dragon: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India May 19, 2010
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li, Bing Sun, Chao Li, Longjiang Qu National University of Defense Technology, Changsha, China ACISP 2010, Sydney, Australia 5
More informationImpossible Differential Attacks on 13-Round CLEFIA-128
Mala H, Dakhilalian M, Shakiba M. Impossible differential attacks on 13-round CLEFIA-128. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 26(4): 744 750 July 2011. DOI 10.1007/s11390-011-1173-0 Impossible Differential
More informationLittle Dragon Two: An efficient Multivariate Public Key Cryptosystem
Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India October
More informationSymmetric key cryptography over non-binary algebraic structures
Symmetric key cryptography over non-binary algebraic structures Kameryn J Williams Boise State University 26 June 2012 AAAS Pacific Conference 24-27 June 2012 Acknowledgments These results are due to collaboration
More informationDivision Property: a New Attack Against Block Ciphers
Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption
More informationBlock Cipher Cryptanalysis: An Overview
0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution
More informationCryptanalysis of Achterbahn
Cryptanalysis of Achterbahn Thomas Johansson 1, Willi Meier 2, and Frédéric Muller 3 1 Department of Information Technology, Lund University P.O. Box 118, 221 00 Lund, Sweden thomas@it.lth.se 2 FH Aargau,
More informationSymmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway
Symmetric Cryptanalytic Techniques Sean Murphy ショーン マーフィー Royal Holloway Block Ciphers Encrypt blocks of data using a key Iterative process ( rounds ) Modified by Modes of Operation Data Encryption Standard
More informationComputing the biases of parity-check relations
Computing the biases of parity-check relations Anne Canteaut INRIA project-team SECRET B.P. 05 7853 Le Chesnay Cedex, France Email: Anne.Canteaut@inria.fr María Naya-Plasencia INRIA project-team SECRET
More informationSmart Hill Climbing Finds Better Boolean Functions
Smart Hill Climbing Finds Better Boolean Functions William Millan, Andrew Clark and Ed Dawson Information Security Research Centre Queensland University of Technology GPO Box 2434, Brisbane, Queensland,
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationA New Attack on RSA with Two or Three Decryption Exponents
A New Attack on RSA with Two or Three Decryption Exponents Abderrahmane Nitaj Laboratoire de Mathématiques Nicolas Oresme Université de Caen, France nitaj@math.unicaen.fr http://www.math.unicaen.fr/~nitaj
More informationAn Extended DES. National Chiao Tung University Hsinchu, 300 Taiwan
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 18, 349-365 (2002) An Extended DES YI-SHIUNG YEH AND CHING-HUNG HSU * Institute of Computer Science and Information Engineering * Institute of Computer and
More informationThe ANF of the Composition of Addition and Multiplication mod 2 n with a Boolean Function
The ANF of the Composition of Addition and Multiplication mod 2 n with a Boolean Function An Braeken 1 and Igor Semaev 2 1 Department Electrical Engineering, ESAT/COSIC, Katholieke Universiteit Leuven,
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationBreaking Symmetric Cryptosystems Using Quantum Algorithms
Breaking Symmetric Cryptosystems Using Quantum Algorithms Gaëtan Leurent Joined work with: Marc Kaplan Anthony Leverrier María Naya-Plasencia Inria, France FOQUS Workshop Gaëtan Leurent (Inria) Breaking
More informationAn average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and
An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract
More informationCryptographic Engineering
Cryptographic Engineering Clément PERNET M2 Cyber Security, UFR-IM 2 AG, Univ. Grenoble-Alpes ENSIMAG, Grenoble INP Outline Unconditional security of symmetric cryptosystem Probabilities and information
More informationFast Cryptanalysis of the Matsumoto-Imai Public Key Scheme
Fast Cryptanalysis of the Matsumoto-Imai Public Key Scheme P. Delsarte Philips Research Laboratory, Avenue Van Becelaere, 2 B-1170 Brussels, Belgium Y. Desmedt Katholieke Universiteit Leuven, Laboratorium
More informationMath-Net.Ru All Russian mathematical portal
Math-Net.Ru All Russian mathematical portal G. P. Agibalov, I. A. Pankratova, Asymmetric cryptosystems on Boolean functions, Prikl. Diskr. Mat., 2018, Number 40, 23 33 DOI: https://doi.org/10.17223/20710410/40/3
More informationOn the Salsa20 Core Function
On the Salsa20 Core Function Julio Cesar Hernandez-Castro, Juan M. E. Tapiador, and Jean-Jacques Quisquater Crypto Group, DICE, Universite Louvain-la-Neuve Place du Levant, 1 B-1348 Louvain-la-Neuve, Belgium
More informationQuadratic Equations from APN Power Functions
IEICE TRANS. FUNDAMENTALS, VOL.E89 A, NO.1 JANUARY 2006 1 PAPER Special Section on Cryptography and Information Security Quadratic Equations from APN Power Functions Jung Hee CHEON, Member and Dong Hoon
More informationTruncated and Higher Order Differentials
Truncated and Higher Order Differentials Lars R. Knudsen Aarhus University, Denmark email : ramkilde 0da aau. dk Abstract. In [6] higher order derivatives of discrete functions were considered and the
More informationAnalysing Relations involving small number of Monomials in AES S- Box
Analysing Relations involving small number of Monomials in AES S- Box Riddhi Ghosal Indian Statistical Institute Email: postboxriddhi@gmail.com June 13, 2017 Abstract In the present day, AES is one the
More informationMaximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers
Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers Muxiang Zhang 1 and Agnes Chan 2 1 GTE Laboratories Inc., 40 Sylvan Road LA0MS59, Waltham, MA 02451 mzhang@gte.com 2 College of Computer
More information