BISON Instantiating the Whitened Swap-Or-Not Construction November 14th, 2018
|
|
- Alexia Clark
- 5 years ago
- Views:
Transcription
1 BION Instantiating the Whitened wap-or-not Construction November 14th, 2018 FluxFingers Workgroup ymmetric Cryptography, Ruhr University Bochum Virginie Lallemand, Gregor Leander, Patrick Neumann, and Friedrich Wiemer Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
2 Block Ciphers Encrypt plaintext in blocks p i of n bits, under a key of n bits: p 0 {0, 1} n p 1 {0, 1} n k {0, 1} n Enc Enc k {0, 1} n c 0 {0, 1} n c 1 {0, 1} n Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
3 Block Ciphers Encrypt plaintext in blocks p i of n bits, under a key of n bits: k 0 p 0 {0, 1} n p 1 {0, 1} n k 1 k {0, 1} n Enc Enc k {0, 1} n k 2 c 0 {0, 1} k n 3 c 1 {0, 1} n Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
4 The WN construction Published by Tessaro at AsiaCrypt 2015 [ia.cr/2015/868]. Overview round, iterated r times k f x 1 0 y Whitened wap-or-not round function x, k {0, 1} n and f k : {0, 1} n {0, 1} x + k if fk (x) = 1 y = x if f k (x) = 0 Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
5 The WN construction Published by Tessaro at AsiaCrypt 2015 [ia.cr/2015/868]. Overview round, iterated r times k f x 1 0 y Whitened wap-or-not round function x, k {0, 1} n and f k : {0, 1} n {0, 1} x + k if fk (x) = 1 y = x if f k (x) = 0 Properties of f k (needed for decryption) f k (x) = f k (x + k) ecurity Proposition (informal) The WN construction with r = (n) rounds is Full Domain secure. Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
6 The WN construction Encryption Input x x x + k 0 x x + k 1 x + k 0 x + k 0 + k 1 x x + k 2 x + k 1 x + k 1 + k 2 x + k 0 x + k 0 + k 2 x + k 0 + k 1 x + k 0 + k 1 + k 2 Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
7 The WN construction Encryption Input x x x + k 0 x x + k 1 x + k 0 x + k 0 + k 1 x x + k 2 x + k 1 x + k 1 + k 2 x + k 0 x + k 0 + k 2 x + k 0 + k 1 x + k 0 + k 1 + k 2 Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
8 The WN construction Encryption Input x x x + k 0 x x + k 1 x + k 0 x + k 0 + k 1 x x + k 2 x + k 1 x + k 1 + k 2 x + k 0 x + k 0 + k 2 x + k 0 + k 1 x + k 0 + k 1 + k 2 Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
9 The WN construction Encryption Input x x x + k 0 x x + k 1 x + k 0 x + k 0 + k 1 x x + k 2 x + k 1 x + k 1 + k 2 x + k 0 x + k 0 + k 2 x + k 0 + k 1 x + k 0 + k 1 + k 2 r Encryption: E k (x) := x + λ i k i = y i=1 Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
10 An Implementation Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
11 An Implementation Construction f k (x) :=? Key schedule? (n) rounds? Theoretical vs. practical constructions Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
12 Generic Analysis On the number of rounds Observation The ciphertext is the plaintext plus a subset of the round keys: y = x + r λ i k i i=1 For pairs x i, y i : span {x i + y i } span k j. Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
13 Generic Analysis On the number of rounds Observation The ciphertext is the plaintext plus a subset of the round keys: y = x + r λ i k i i=1 For pairs x i, y i : span {x i + y i } span k j. Distinguishing Attack for r < n rounds There is an u n 2 \ {0}, s. t. u, x = u, y holds always: u, y = = u, x + u, x + λ i k i λ i k i = u, x + 0 u, for all u span {k 1,..., k r } {0} Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
14 Generic Analysis On the number of rounds Observation The ciphertext is the plaintext plus a subset of the round keys: y = x + r λ i k i i=1 For pairs x i, y i : span {x i + y i } span k j. Distinguishing Attack for r < n rounds There is an u n 2 \ {0}, s. t. u, x = u, y holds always: u, y = = u, x + u, x + λ i k i λ i k i = u, x + 0 u, for all u span {k 1,..., k r } {0} Rationale 1 Any instance must iterate at least n rounds; any set of n consecutive keys should be linearly indp. Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
15 Generic Analysis On the Boolean functions f Rationale 2 A bit out of the blue sky, but: For any instance, f k has to depend on all bits, and for any δ n 2 : Pr [f k(x) = f k (x + δ)] 1 2. Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
16 A genus of the WN family: BION Rationale 1 Any instance must iterate at least n rounds; any set of n consecutive keys should be linearly indp. Rationale 2 For any instance, f k has to depend on all bits, and for any δ n 2 : Pr [f k(x) = f k (x + δ)] 1 2. Generic properties of Bent whitened wap Or Not At least n iterations of the round function Consecutive round keys linearly independent The round function depends on all bits δ : Pr [ f k (x) = f k (x + δ)] = 1 2 (bent) Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
17 A genus of the WN family: BION Rationale 1 Any instance must iterate at least n rounds; any set of n consecutive keys should be linearly indp. Rationale 2 For any instance, f k has to depend on all bits, and for any δ n 2 : Pr [f k(x) = f k (x + δ)] 1 2. Generic properties of Bent whitened wap Or Not At least n iterations of the round function Consecutive round keys linearly independent Rational 1 & 2: WN is slow in practice! The round function depends on all bits δ : Pr [ f k (x) = f k (x + δ)] = 1 2 (bent) But what about Differential Cryptanalysis? Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
18 Differential Cryptanalysis Primer p p = α k Enc Enc k c Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th, c = β
19 Differential Cryptanalysis Primer p k 0 p = α k 1 k Enc Enc k k 2 c k 3 Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th, c = β
20 Differential Cryptanalysis Primer p k 0 p = α k 1 k Enc Enc k k 2 c k 3 Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th, c = β
21 Differential Cryptanalysis One round Proposition For one round of BION the probabilities are: 1 if α = β = k or α = β = 0 1 Pr [α β] = 2 else if β {α, α + k} 0 else Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
22 Differential Cryptanalysis One round Proposition For one round of BION the probabilities are: 1 if α = β = k or α = β = 0 1 Pr [α β] = 2 else if β {α, α + k} 0 else Possible differences x + f k (x) k x + α + f k (x + α) k = α + (f k (x) + f k (x + α)) k Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
23 Differential Cryptanalysis One round Proposition For one round of BION the probabilities are: 1 if α = β = k or α = β = 0 1 Pr [α β] = 2 else if β {α, α + k} 0 else Possible differences x + f k (x) k x + α + f k (x + α) k = α + (f k (x) + f k (x + α)) k Remember Pr [f k (x) = f k (x + α)] = 1 2 Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
24 Differential Cryptanalysis More rounds Example differences over r = 3 rounds: 1 2 α 1 2 α α + k α α + k 2 α + k 1 α + k 1 + k 2 α α + k 3 α + k 2 α + k 2 + k 3 α + k 1 α + k 1 + k 3 α + k 1 + k 2 α + k 1 + k 2 + k 3 Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
25 Differential Cryptanalysis More rounds Example differences over r = 3 rounds: 1 2 α 1 2 α α + k α α + k 2 α + k 1 α + k 1 + k 2 α α + k 3 α + k 2 α + k 2 + k 3 α + k 1 α + k 1 + k 3 α + k 1 + k 2 α + k 1 + k 2 + k 3 For fixed α and β there is only one path! Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
26 BION A concrete species Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
27 Addressing Rationale 1 The Key chedule Rationale 1 Any instance must iterate at least n rounds; any set of n consecutive keys should be linearly indp. Design Decisions Choose number of rounds as 3 n Round keys derived from the state of LFRs Add round constants to round keys Implications Clocking an LFR is cheap For an LFR with irreducible feedback polynomial of degree n, every n consecutive states are linearly independent Round constants avoid structural weaknesses Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
28 Addressing Rationale 2 The Round Function Rationale 2 For any instance, the f k should depend on all bits, and for any δ n 2 : Pr [f k(x) = f k (x + δ)] 1 2. Design Decisions Choose f k : n 2 2 s. t. δ n 2 : Pr [f k(x) = f k (x + δ)] = 1 2, that is, f k is a bent function. Choose the simplest bent function known: Implications Bent functions are well studied Bent functions only exist for even n Instance not possible for every block length n f k (x, y) := x, y Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
29 Details
30 BION Round Function BION s round function For round keys k i n 2 and w i n 1 2 the round function computes R ki,w i (x) := x + f b(i) wi + Φ ki (x) k i. where Φ ki and f b(i) are defined as Φ k (x) : n 2 n 1 2 Φ k (x) := (x + x[i(k)] k)[j] 1 j n j i(k) and b(i) is 0 if i r 2 and 1 else. f b(i) : n n f b(i) (x, y) := x, y + b(i), Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
31 BION Round Function what s different BION s round function For round keys k i n 2 and w i n 1 2 the round function computes R ki,w i (x) := x + f b(i) wi + Φ ki (x) k i. where Φ ki and f b(i) are defined as Φ k (x) : n 2 n 1 2 Φ k (x) := (x + x[i(k)] k)[j] 1 j n j i(k) and b(i) is 0 if i r 2 and 1 else. f b(i) : n n f b(i) (x, y) := x, y + b(i), Φ k basically ensures f k (x) = f k (x + k) (the property we need for decryption). Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
32 BION Key chedule BION s key schedule Given primitive p k, p w 2 [x] with degrees n, n 1 and companion matrices C k, C w. master key K = (k, w) n 2 n 1 2 \ {0, 0} The ith round keys are computed by K i : n 2 n 1 2 n 2 n 1 2 K i (k, w) := (k i, c i + w i ) where k i = (C k ) i k, c i = (C w ) i e 1, w i = (C w ) i w. Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
33 Further Cryptanalysis Linear Cryptanalysis For r n rounds, the correlation of any non-trivial linear trail for BION is upper bounded by 2 n+1 2. Zero Correlation For r > 2n 2 rounds, BION does not exhibit any zero correlation linear hulls. Invariant Attacks For r n rounds, neither invariant subspaces nor nonlinear invariant attacks do exist for BION. Impossible Differentials For r > n rounds, there are no impossible differentials for BION. Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
34 Conclusion/Questions Thank you for your attention! BION A first instance of the WN construction Good results for differential cryptanalysis Open Problems Construction for linear cryptanalysis Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
35 Conclusion/Questions Thank you for your attention! BION A first instance of the WN construction Good results for differential cryptanalysis Open Problems Construction for linear cryptanalysis Missing figure redacted Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
36 Conclusion/Questions Thank you for your attention! BION A first instance of the WN construction Good results for differential cryptanalysis Open Problems Construction for linear cryptanalysis Missing figure redacted Thank you! Questions? 2018/1011 Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,
The Invariant Set Attack 26th January 2017
The Invariant Set Attack 26th January 2017 Workgroup Symmetric Cryptography Ruhr University Bochum Friedrich Wiemer Friedrich Wiemer The Invariant Set Attack 26th January 2017 1 Nonlinear Invariant Attack
More informationbison Instantiating the Whitened Swap-Or-Not Construction
bison Instantiating the Whitened Swap-Or-Not Construction Anne Canteaut 1, Virginie Lallemand 2, Gregor Leander 2, Patrick Neumann 2 and Friedrich Wiemer 2 1 Inria, Paris, France anne.canteaut@inria.fr
More informationLinear Cryptanalysis: Key Schedules and Tweakable Block Ciphers
Linear Cryptanalysis: Key Schedules and Tweakable Block Ciphers Thorsten Kranz, Gregor Leander, Friedrich Wiemer Horst Görtz Institute for IT Security, Ruhr University Bochum Block Cipher Design k KS m
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationInvariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs
Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs Jian Guo 1, Jeremy Jean 2, Ivica Nikolić 1, Kexin Qiao 3, Yu Sasaki 4, and Siang Meng Sim 1 1. Nanyang Technological
More informationDivision Property: a New Attack Against Block Ciphers
Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption
More informationBlock Cipher Cryptanalysis: An Overview
0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution
More informationProving Resistance against Invariant Attacks: How to Choose the Round Constants
Proving Resistance against Invariant Attacks: How to Choose the Round Constants Christof Beierle 1, Anne Canteaut 2, Gregor Leander 1, and Yann Rotella 2 1 Horst Görtz Institute for IT Security, Ruhr-Universität
More informationThesis Research Notes
Thesis Research Notes Week 26-2012 Christopher Wood June 29, 2012 Abstract This week was devoted to reviewing some classical literature on the subject of Boolean functions and their application to cryptography.
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i
More informationAkelarre. Akelarre 1
Akelarre Akelarre 1 Akelarre Block cipher Combines features of 2 strong ciphers o IDEA mixed mode arithmetic o RC5 keyed rotations Goal is a more efficient strong cipher Proposed in 1996, broken within
More informationCryptanalysis of SP Networks with Partial Non-Linear Layers
Cryptanalysis of SP Networks with Partial Non-Linear Layers Achiya Bar-On 1, Itai Dinur 2, Orr Dunkelman 3, Nathan Keller 1, Virginie Lallemand 4, and Boaz Tsaban 1 1 Bar-Ilan University, Israel 2 École
More informationBlock Cipher Invariants as Eigenvectors of Correlation Matrices
Block Cipher Invariants as Eigenvectors of Correlation Matrices Tim Beyne imec-cosic, KU Leuven name.lastname@esat.kuleuven.be Abstract. A new approach to invariant subspaces and nonlinear invariants is
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More information(Solution to Odd-Numbered Problems) Number of rounds. rounds
CHAPTER 7 AES (Solution to Odd-Numbered Problems) Review Questions. The criteria defined by NIST for selecting AES fall into three areas: security, cost, and implementation. 3. The number of round keys
More informationCryptanalysis of the Light-Weight Cipher A2U2 First Draft version
Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Mohamed Ahmed Abdelraheem, Julia Borghoff, Erik Zenner Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark {M.A.Abdelraheem,J.Borghoff,E.Zenner}@mat.dtu.dk
More informationCount November 21st, 2017
RUHR-UNIVERSITÄT BOCHUM XOR Count November 21st, 2017 FluxFingers Workgroup Symmetric Cryptography Ruhr University Bochum Friedrich Wiemer Friedrich Wiemer XOR Count November 21st, 2017 1 Overview Joint
More informationImproved Multiple Impossible Differential Cryptanalysis of Midori128
Improved Multiple Impossible Differential Cryptanalysis of Midori128 Mohamed Tolba, Ahmed Abdelkhalek, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University,
More informationChoosing Round Constants in Lightweight Block Ciphers and Cryptographic Permutations
Choosing Round Constants in Lightweight Block Ciphers and Cryptographic Permutations Christof Beierle SnT, University of Luxembourg, Luxembourg (joint work with Anne Canteaut, Gregor Leander, and Yann
More informationOptimized Interpolation Attacks on LowMC
Optimized Interpolation Attacks on LowMC Itai Dinur 1, Yunwen Liu 2, Willi Meier 3, and Qingju Wang 2,4 1 Département d Informatique, École Normale Supérieure, Paris, France 2 Dept. Electrical Engineering
More informationAES side channel attacks protection using random isomorphisms
Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random
More informationDD2448 Foundations of Cryptography Lecture 3
DD2448 Foundations of Cryptography Lecture 3 Douglas Wikström KTH Royal Institute of Technology dog@kth.se February 3, 2016 Linear Cryptanalysis of the SPN Basic Idea Linearize Find an expression of the
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationLinear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers
Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers Kaisa Nyberg Aalto University School of Science kaisa.nyberg@aalto.fi Luxemburg January 2017 Outline Introduction
More informationOn related-key attacks and KASUMI: the case of A5/3
On related-key attacks and KASUMI: the case of A5/3 Phuong Ha Nguyen 1, M.J.B. Robshaw 2, Huaxiong Wang 1 1 Nanyang Technological University, Singapore 2 Applied Cryptography Group, Orange Labs, France
More informationLinear Approximations for 2-round Trivium
Linear Approximations for 2-round Trivium Meltem Sönmez Turan 1, Orhun Kara 2 1 Institute of Applied Mathematics, Middle East Technical University Ankara, Turkey msonmez@metu.edu.tr 2 TUBITAK-UEKAE, Gebze,
More informationCHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER
177 CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER 178 12.1 Introduction The study of cryptography of gray level images [110, 112, 118] by using block ciphers has gained considerable
More informationLinear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015
Kaisa Nyberg Department of Computer Science Aalto University School of Science s 2 r t S3, Sackville, August 11, 2015 Outline Linear characteristics and correlations Matsui s algorithms Traditional statistical
More informationThe Pseudorandomness of Elastic Block Ciphers
The Pseudorandomness of Elastic Block Ciphers Debra L. Cook and Moti Yung and Angelos Keromytis Department of Computer Science, Columbia University {dcook,moti,angelos}@cs.columbia.edu September 28, 2005
More informationOutline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael
Outline CPSC 418/MATH 318 Introduction to Cryptography Advanced Encryption Standard Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in
More informationProblem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed
Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical
More informationS-box (Substitution box) is a basic component of symmetric
JOURNAL OF L A TEX CLASS FILES, VOL., NO., AUGUST 1 Characterizations of the Degraded Boolean Function and Cryptanalysis of the SAFER Family Wentan Yi and Shaozhen Chen Abstract This paper investigates
More informationIntroduction to Cryptology. Lecture 2
Introduction to Cryptology Lecture 2 Announcements 2 nd vs. 1 st edition of textbook HW1 due Tuesday 2/9 Readings/quizzes (on Canvas) due Friday 2/12 Agenda Last time Historical ciphers and their cryptanalysis
More informationSymmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway
Symmetric Cryptanalytic Techniques Sean Murphy ショーン マーフィー Royal Holloway Block Ciphers Encrypt blocks of data using a key Iterative process ( rounds ) Modified by Modes of Operation Data Encryption Standard
More informationZero-Correlation Linear Cryptanalysis of Reduced-Round LBlock
Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock Hadi Soleimany and Kaisa Nyberg Department of Information and Computer Science, Aalto University School of Science, Finland WCC 2013 1/53 Outline
More informationBernoulli variables. Let X be a random variable such that. 1 with probability p X = 0 with probability q = 1 p
Unit 20 February 25, 2011 1 Bernoulli variables Let X be a random variable such that { 1 with probability p X = 0 with probability q = 1 p Such an X is called a Bernoulli random variable Unit 20 February
More informationImpossible Differential Attacks on 13-Round CLEFIA-128
Mala H, Dakhilalian M, Shakiba M. Impossible differential attacks on 13-round CLEFIA-128. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 26(4): 744 750 July 2011. DOI 10.1007/s11390-011-1173-0 Impossible Differential
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationA Brief Comparison of Simon and Simeck
A Brief Comparison of Simon and Simeck Stefan Kölbl, Arnab Roy {stek,arroy}@dtu.dk DTU Compute, Technical University of Denmark, Denmark Abstract. Simeck is a new lightweight block cipher design based
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationImproved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON
Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON Danping Shi 1,2, Lei Hu 1,2, Siwei Sun 1,2, Ling Song 1,2, Kexin Qiao 1,2, Xiaoshuang Ma 1,2 1 State Key Laboratory of Information
More informationNonlinear Invariant Attack
Nonlinear Invariant Attack Practical Attack on Full SCREAM, iscream, and Midori64 Yosuke Todo 13, Gregor Leander 2, and Yu Sasaki 1 1 NTT Secure Platform Laboratories, Tokyo, Japan todo.yosuke@lab.ntt.co.jp,
More informationPrivate-key Systems. Block ciphers. Stream ciphers
Chapter 2 Stream Ciphers Further Reading: [Sim92, Chapter 2] 21 Introduction Remember classication: Private-key Systems Block ciphers Stream ciphers Figure 21: Private-key cipher classication Block Cipher:
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationModified Hill Cipher for a Large Block of Plaintext with Interlacing and Iteration
Journal of Computer Science 4 (1): 15-20, 2008 ISSN 1549-3636 2008 Science Publications Modified Hill Cipher for a Large Block of Plaintext with Interlacing and Iteration V.U.K. Sastry and N. Ravi Shankar
More informationStructural Cryptanalysis of SASAS
tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which
More informationProvable Security Against Differential and Linear Cryptanalysis
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University Introduction CRADIC Linear Hull SPN and Two Strategies Highly
More informationImpossible Differential Cryptanalysis of Mini-AES
Impossible Differential Cryptanalysis of Mini-AES Raphael Chung-Wei Phan ADDRESS: Swinburne Sarawak Institute of Technology, 1 st Floor, State Complex, 93576 Kuching, Sarawak, Malaysia. rphan@swinburne.edu.my
More informationRelated Key Differential Cryptanalysis of Midori
Related Key Differential Cryptanalysis of Midori Using constraint programming David Gerault Pascal Lafourcade LIMOS, University Clermont Auvergne Gerault, Lafourcade Related Key Differential Cryptanalysis
More informationProduct Systems, Substitution-Permutation Networks, and Linear and Differential Analysis
Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis Cryptology, lecture 3 Stinson, Section 2.7 3.4 Tuesday, February 12th, 2008 1 Composition Product 2 Substitution-Permutation
More informationCryptanalysis of SP Networks with Partial Non-Linear Layers
Cryptanalysis of SP Networks with Partial Non-Linear Layers Achiya Bar-On 1, Itai Dinur 2, Orr Dunkelman 3,5,, Virginie Lallemand 4,, Nathan Keller 1,5,, and Boaz Tsaban 1 1 Department of Mathematics,
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang
More informationCryptography and Security Midterm Exam
Cryptography and Security Midterm Exam Serge Vaudenay 23.11.2017 duration: 1h45 no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationLinear Cryptanalysis of Reduced-Round Speck
Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be
More informationAutomatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)
Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version) Shengbao Wu 1,2, Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190,
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationSimilarities between encryption and decryption: how far can we go?
Similarities between encryption and decryption: how far can we go? Anne Canteaut Inria, France and DTU, Denmark Anne.Canteaut@inria.fr http://www-rocq.inria.fr/secret/anne.canteaut/ SAC 2013 based on a
More informationRevisit and Cryptanalysis of a CAST Cipher
2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia
More informationEfficient Cryptanalysis of Homophonic Substitution Ciphers
Efficient Cryptanalysis of Homophonic Substitution Ciphers Amrapali Dhavare Richard M. Low Mark Stamp Abstract Substitution ciphers are among the earliest methods of encryption. Examples of classic substitution
More informationNew Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia
New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya iu 1, eibo i 2,3, Dawu Gu 1, Xiaoyun Wang 2,3,4, Zhiqiang iu 1, Jiazhe Chen 2,3, Wei i 5,6 1 Department of Computer
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationMultivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?
Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar? Christian Eder, Jean-Charles Faugère and Ludovic Perret Seminar on Fundamental Algorithms, University
More informationSecurity of the AES with a Secret S-box
Security of the AES with a Secret S-box Tyge Tiessen, Lars R Knudsen, Stefan Kölbl, and Martin M Lauridsen {tyti,lrkn,stek,mmeh}@dtudk DTU Compute, Technical University of Denmark, Denmark Abstract How
More informationOn Stream Ciphers with Small State
ESC 2017, Canach, January 16. On Stream Ciphers with Small State Willi Meier joint work with Matthias Hamann, Matthias Krause (University of Mannheim) Bin Zhang (Chinese Academy of Sciences, Beijing) 1
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationLattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationImproved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method
Improved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method Zheng Li 1, Wenquan Bi 1, Xiaoyang Dong 2, and Xiaoyun Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security,
More informationLinear Hull Attack on Round-Reduced Simeck with Dynamic Key-guessing Techniques
Linear Hull Attack on Round-Reduced Simeck with Dynamic Key-guessing Techniques Lingyue Qin 1, Huaifeng Chen 3, Xiaoyun Wang 2,3 1 Department of Computer Science and Technology, Tsinghua University, Beijing
More information7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks
More informationFast Correlation Attacks: an Algorithmic Point of View
Fast Correlation Attacks: an Algorithmic Point of View Philippe Chose, Antoine Joux, and Michel Mitton DCSSI, 18 rue du Docteur Zamenhof F-92131 Issy-les-Moulineaux cedex, France Philippe.Chose@ens.fr,
More informationCryptanalysis of the SIMON Family of Block Ciphers
Cryptanalysis of the SIMON Family of Block Ciphers Hoda A. Alkhzaimi and Martin M. Lauridsen DTU Compute Section for Cryptology Department of Applied Mathematics and Computer Science Matematiktorvet, building
More informationZero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA
Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Andrey Bogdanov, Meiqin Wang Technical University of Denmark, Shandong University, China ESC 2013,
More informationAlgebraic Aspects of Symmetric-key Cryptography
Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques
More informationHuman-readable Proof of the Related-Key Security of AES-128
Human-readable Proof of the Related-Key ecurity of AE-128 Khoongming Khoo 1, Eugene Lee 2, Thomas Peyrin 3,4,5 and iang Meng im 3 1 DO National Laboratories, ingapore kkhoongm@dso.org.sg 2 Raffles Institution,
More informationCryptography Lecture 4 Block ciphers, DES, breaking DES
Cryptography Lecture 4 Block ciphers, DES, breaking DES Breaking a cipher Eavesdropper recieves n cryptograms created from n plaintexts in sequence, using the same key Redundancy exists in the messages
More informationMath-Net.Ru All Russian mathematical portal
Math-Net.Ru All Russian mathematical portal G. P. Agibalov, I. A. Pankratova, Asymmetric cryptosystems on Boolean functions, Prikl. Diskr. Mat., 2018, Number 40, 23 33 DOI: https://doi.org/10.17223/20710410/40/3
More informationAn average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and
An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract
More informationType 1.x Generalized Feistel Structures
Noname manuscript No. (will be inserted by the editor) Type 1.x Generalized eistel Structures Shingo Yanagihara Tetsu Iwata Received: date / Accepted: date Abstract We formalize the Type 1.x Generalized
More informationCryptanalysis of the Full DES and the Full 3DES Using a New Linear Property
Cryptanalysis of the ull DES and the ull 3DES Using a New Linear Property Tomer Ashur 1 and Raluca Posteuca 1 imec-cosic, KU Leuven, Leuven, Belgium [tomer.ashur, raluca.posteuca]@esat.kuleuven.be Abstract.
More informationNotes on Alekhnovich s cryptosystems
Notes on Alekhnovich s cryptosystems Gilles Zémor November 2016 Decisional Decoding Hypothesis with parameter t. Let 0 < R 1 < R 2 < 1. There is no polynomial-time decoding algorithm A such that: Given
More informationMasterMath Cryptology /2 - Cryptanalysis
MasterMath Cryptology 2015 2/2 Cryptanalysis Wednesday, 8 April, 2015 10:38 9. Differential cryptanalysis (v2) 9.1. Differential cryptanalysis In differential analysis we simultaneously consider two encryptions
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li, Bing Sun, Chao Li, Longjiang Qu National University of Defense Technology, Changsha, China ACISP 2010, Sydney, Australia 5
More informationImproved Impossible Differential Attack on Reduced Version of Camellia-192/256
Improved Impossible Differential ttack on educed Version of Camellia-92/256 Ya iu, Dawu Gu, Zhiqiang iu, Wei i 2,3 Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationLinks Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT
Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT Céline Blondeau, Benoît Gérard SECRET-Project-Team, INRIA, France TOOLS for Cryptanalysis - 23th June 2010 C.Blondeau
More informationLOOKING INSIDE AES AND BES
23 LOOKING INSIDE AES AND BES Ilia Toli, Alberto Zanoni Università degli Studi di Pisa Dipartimento di Matematica Leonida Tonelli Via F. Buonarroti 2, 56127 Pisa, Italy {toli, zanoni}@posso.dm.unipi.it
More informationInvariant Subspace Attack Against Full Midori64
Invariant Subspace Attack Against Full Midori64 Jian Guo 1, Jérémy Jean 1, Ivica Nikolić 1, Kexin Qiao 1,2, Yu Sasaki 1,3, and Siang Meng Sim 1 1 Nanyang Technological University, Singapore 2 Institute
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li 1, Bing Sun 1, Chao Li 1,2, and Longjiang Qu 1,3 1 Department of Mathematics and System Science, Science College, National
More informationLinear and Statistical Independence of Linear Approximations and their Correlations
Linear and Statistical Independence of Linear Approximations and their Correlations Kaisa Nyberg Aalto University School of Science kaisa.nyberg@aalto.fi Boolean Functions and their Applications Os, Norway,
More informationSequences, DFT and Resistance against Fast Algebraic Attacks
Sequences, DFT and Resistance against Fast Algebraic Attacks Guang Gong Department of Electrical and Computer Engineering University of Waterloo Waterloo, Ontario N2L 3G1, CANADA Email. ggong@calliope.uwaterloo.ca
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES
CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.
More informationShift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3
Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y
More information