Lecture 12: Block ciphers

Similar documents
Symmetric Crypto Systems

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

Symmetric Crypto Systems

Module 2 Advanced Symmetric Ciphers

Lecture 4: DES and block ciphers

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Lecture Notes. Advanced Discrete Structures COT S

Block Cipher Cryptanalysis: An Overview

Block Ciphers and Feistel cipher

Solution of Exercise Sheet 7

Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis

Public-key Cryptography: Theory and Practice

A block cipher enciphers each block with the same key.

Classical Cryptography

DD2448 Foundations of Cryptography Lecture 3

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers

MATH3302 Cryptography Problem Set 2

Symmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway

Cryptography Lecture 4 Block ciphers, DES, breaking DES

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Lecture 5: Pseudorandom functions from pseudorandom generators

Menu. Lecture 5: DES Use and Analysis. DES Structure Plaintext Initial Permutation. DES s F. S-Boxes 48 bits Expansion/Permutation

Linear Cryptanalysis

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Cook-Levin Theorem. SAT is NP-complete

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

CSc 466/566. Computer Security. 5 : Cryptography Basics

Complementing Feistel Ciphers

CHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT

A Weak Cipher that Generates the Symmetric Group

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Differential-Linear Cryptanalysis of Serpent

Outline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael

Bernoulli variables. Let X be a random variable such that. 1 with probability p X = 0 with probability q = 1 p

Symmetric Encryption

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

Thesis Research Notes

Structural Cryptanalysis of SASAS

Written examination. Tuesday, August 18, 2015, 08:30 a.m.

Type 1.x Generalized Feistel Structures

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

Solution of Exercise Sheet 6

Cryptanalysis of SP Networks with Partial Non-Linear Layers

Extended Criterion for Absence of Fixed Points

Introduction to Cryptology. Lecture 2

Optimized Interpolation Attacks on LowMC

AES side channel attacks protection using random isomorphisms

Linear Cryptanalysis of Reduced-Round Speck

Cryptanalysis of Achterbahn

Block ciphers And modes of operation. Table of contents

A Five-Round Algebraic Property of the Advanced Encryption Standard

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

Lecture 10-11: General attacks on LFSR based stream ciphers

A Block Cipher using an Iterative Method involving a Permutation

A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Cube Attacks on Stream Ciphers Based on Division Property

Fast Correlation Attacks: an Algorithmic Point of View

Sol: First, calculate the number of integers which are relative prime with = (1 1 7 ) (1 1 3 ) = = 2268

On the computation of best second order approximations of Boolean Functions ΕΤΗΣΙΑ ΕΚΘΕΣΗ 2010

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Differential Attack on Five Rounds of the SC2000 Block Cipher

Exercise Sheet Cryptography 1, 2011

Similarities between encryption and decryption: how far can we go?

Attacks on DES , K 2. ) L 3 = R 2 = L 1 f ( R 1, K 2 ) R 4 R 2. f (R 1 = L 1 ) = L 1. ) f ( R 3 , K 4. f (R 3 = L 3

Akelarre. Akelarre 1

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Alternative Approaches: Bounded Storage Model

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

CTR mode of operation

Towards Provable Security of Substitution-Permutation Encryption Networks

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Division Property: a New Attack Against Block Ciphers

Secret Key: stream ciphers & block ciphers

CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER

Private-key Systems. Block ciphers. Stream ciphers

BISON Instantiating the Whitened Swap-Or-Not Construction November 14th, 2018

Candidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity

Linear Cryptanalysis of DES with Asymmetries

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

MasterMath Cryptology /2 - Cryptanalysis

Block Ciphers. Chester Rebeiro IIT Madras. STINSON : chapters 3

Fast Correlation Attacks: An Algorithmic Point of View

Modified Hill Cipher for a Large Block of Plaintext with Interlacing and Iteration

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

FFT-Based Key Recovery for the Integral Attack

MATH 509 Differential Cryptanalysis on DES

Introduction to Cybersecurity Cryptography (Part 4)

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Cryptography - Session 2

Low Complexity Differential Cryptanalysis and Fault Analysis of AES

(Solution to Odd-Numbered Problems) Number of rounds. rounds

Algebraic Techniques in Differential Cryptanalysis

Transcription:

Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19

Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is controlled by a secret key K, and it is written E K (x) = y. Each key defines a fixed mapping from the plaintext block to the ciphertext block. If the block size is b bits the number of different input values to the block ciphers is 2 b. a substitution cipher of alphabet size 2 b. Only a very small fraction of all possible permutations on alphabet size 2 b will correspond to a certain key T. Johansson (Lund University) 2 / 19

Iterated ciphers In an iterated cipher we apply a simple encryption function iteratively a number of times (rounds), say N. The simple function applied is called the round function. It often uses a round key, which is derived from the key K. The way the round keys are derived from K is called the key schedule. T. Johansson (Lund University) 3 / 19

Iterated ciphers Let w i, i = 0..N, denote intermediate values in the implementation process of the block cipher, where w 0 = x is the plaintext block. w 0 = x w 1 = h(w 0, K 1 ) w 2 = h(w 1, K 2 ). w N 1 = h(w N 2, K N 1 ) w N = h(w N 1, K N ) and w N = y is the ciphertext block. h(w i 1, K i ) denotes the round function and K i is the round key used in round i., T. Johansson (Lund University) 4 / 19

Efficient decryption For an iterated cipher this property can be reduced to the property of efficiently being able to invert the round function h(w i 1, K i ), We need a function h 1 () such that h 1 (h(w i 1, K i ), K i ) = w i 1. Then the decryption function D K (y) for an iterated cipher can be implemented in the same iterated style as the encryption with the difference that the round keys are used in reverse order, and w 0 = x. w N = y w N 1 = h 1 (w N, K N ) w N 2 = h 1 (w N 1, K N 1 ). w 1 = h 1 (w 2, K 2 ) w 0 = h 1 (w 1, K 1 ) T. Johansson (Lund University) 5 / 19,

First type of iterated cipher: Feistel cipher we split the intermediate values w i in a left half and a right half, denoted w i = (L i, R i ). the round function (L i, R i ) = h(l i 1, R i 1, K i ) is implemented as L i = R i 1, R i = L i 1 f(r i 1, K i ), where f(r i 1, K i ) can be any function. decryption function h 1 (), implemented as and (L 0, R 0 ) gives back x. R i 1 = L i, L i 1 = R i f(r i 1, K i ), T. Johansson (Lund University) 6 / 19

Second type of iterated cipher: SP network An SP network consists of a mix between many substitutions (substitution ciphers) and permutations or linear transformations (like a transposition cipher or affine cipher). The substitutions, also called S-boxes, are taken over a small alphabet, typically 4, 6, or 8 bits input. The round key is added to the input to the round function in some simple way, usually bitwise xor. AES T. Johansson (Lund University) 7 / 19

Modes of Operation Decide on how to encrypt a sequence of plaintext bits Split the plaintext sequence in blocks and encrypt each block. x 1, x 2,..., x N, x N+1,... Let X 1 = (x 1, x 2,..., x N ) be the first block consisting of the first N bits, X 2 = (x N+1, x N+2,..., x 2N ) be the second block Encryption is done blockwise, i.e., ECB (Electronic codebook) C i = E K (X i ), i = 1, 2,.... T. Johansson (Lund University) 8 / 19

ECB A problem with the ECB mode: If two plaintext blocks are the same, then the two corresponding ciphertext blocks are also the same. We need better ways... T. Johansson (Lund University) 9 / 19

CBC and counter mode CBC mode (Cipher block chaining mode). It follows the rule Y i = E K (Y i 1 X i ), where Y 0 is some fixed and known initial value. This will produce the output sequence Y 1, Y 2,.... Verify how to decrypt! Another mode of operation that will turn the block cipher into a stream cipher is counter mode. The keystream sequence is given by E K (0), E K (1), E K (2),.... T. Johansson (Lund University) 10 / 19

Attacks: Linear cryptanalysis One of the most powerful general ideas for cryptanalysis of block ciphers is called linear cryptanalysis. Assume the cipher consist only of linear operations. Then there would be a linear relationship between the plaintext bits and the ciphertext bits. Then for each ciphertext bit c i we would be able to write one equation c i = N d ij x j + e i (K), (1) j=1 where e(k) denotes the direct contribution from the key K. T. Johansson (Lund University) 11 / 19

Linear cryptanalysis The cipher contains nonlinear operations and the above is not true. Introduce linear approximations of nonlinear parts A linear approximation is when we replace a nonlinear function with a linear one. When we do so, we will not always get the correct value. Probability p that the linear function gives the same value as the original nonlinear one = a measure of the effectiveness of a linear approximation. T. Johansson (Lund University) 12 / 19

Linear cryptanalysis Our goal: find a linear expression through the whole cipher, i.e., a sum of expressions of the form (1) such that the probability p is as far away from 0.5 as possible. Consider a known-ciphertext attack and write the key contribution e(k) as a sum of known values, e(k) = N d j c j j=1 N d jx j. j=1 Note that this expression holds with probability p. It is clear that if we evaluate the right hand side above for different plaintext-ciphertext pairs, we will eventually know the value of e(k). T. Johansson (Lund University) 13 / 19

Linear cryptanalysis The hard problem in linear cryptanalysis is to find the best linear approximation. Introducing many, but still as few as possible, linear approximations along a trail in the cipher. A trail corresponds to a chain of linear expressions (using intermediate values) through the cipher connecting the plaintext bits and the ciphertext bits. T. Johansson (Lund University) 14 / 19

Project 4 Notation: P plaintext block, C ciphertext block, and P [i 1, i 2,..., i n ] = n p it, t=1 etc. The purpose of linear cryptanalysis is to find the following effective linear expression for a given cipher algorithm: P [i 1, i 2,..., i a ] C[j 1, j 2,..., j b ] = K[k 1, k 2,..., k c ], (2) holds with probability p 1/2 for randomly given plaintext P and the corresponding ciphertext C. T. Johansson (Lund University) 15 / 19

Project 4 Once we succeed in reaching an effective linear expression, it is possible to determine one key bit K[k 1, k 2,..., k c ]. Define a noise random variable to be: N = P [i 1, i 2,..., i a ] C[j 1, j 2,..., j b ] K[k 1, k 2,..., k c ], (3) which has some bias P (N = 0) = p. T. Johansson (Lund University) 16 / 19

T. Johansson (Lund University) 17 / 19

Your task: Find the best linear approximation Hints: First find the relation R 1 [3, 8, 14, 25] P [...] = K[...], and then R 1 [3, 8, 14, 25] C[...] = K[...]. The sum gives us the required relation. The best linear approximation for the f-function is found to be: B[26] = f(r x, K x )[3, 8, 14, 25], (4) i.e., the noise N = B[26] f(r x, K x )[3, 8, 14, 25] has the maximum bias and the corresponding probability is P (N = 0) 0.19. T. Johansson (Lund University) 18 / 19

Your task: Simulate to check your linear approximation For the linear approximation that you have derived, find the bias by simulation. Make a sufficient number ( 10 5 ) of random selections of (P, K), and calculate C. Compute an estimate of p. T. Johansson (Lund University) 19 / 19

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback