A block cipher enciphers each block with the same key.

Similar documents
Lecture Notes. Advanced Discrete Structures COT S

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Lecture 4: DES and block ciphers

Lecture 12: Block ciphers

Public-key Cryptography: Theory and Practice

Block ciphers And modes of operation. Table of contents

CSc 466/566. Computer Security. 5 : Cryptography Basics

Lecture Notes. Advanced Discrete Structures COT S

Symmetric Encryption

Symmetric Crypto Systems

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Symmetric Crypto Systems

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

CTR mode of operation

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Modern Cryptography Lecture 4

A Pseudo-Random Encryption Mode

ORYX. ORYX not an acronym, but upper case Designed for use with cell phones. Standard developed by. Cipher design process not open

CS 6260 Applied Cryptography

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Lecture 5: Pseudorandom functions from pseudorandom generators

Private-key Systems. Block ciphers. Stream ciphers

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

5199/IOC5063 Theory of Cryptology, 2014 Fall

STREAM CIPHER. Chapter - 3

CS 6260 Applied Cryptography

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

Outline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Solution of Exercise Sheet 7

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Implementation Tutorial on RSA

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Chapter 2 Classical Cryptosystems

Outline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

The Vigenère cipher is a stronger version of the Caesar cipher The encryption key is a word/sentence/random text ( and )

monoalphabetic cryptanalysis Character Frequencies (English) Security in Computing Common English Digrams and Trigrams Chapter 2

... Assignment 3 - Cryptography. Information & Communication Security (WS 2018/19) Abtin Shahkarami, M.Sc.

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Algebraic Attack Against Trivium

EME : extending EME to handle arbitrary-length messages with associated data

Processing with Block Ciphers. CSC/ECE 574 Computer and Network Security. Issues (Cont d) Issues for Block Chaining Modes. Electronic Code Book (ECB)

CPA-Security. Definition: A private-key encryption scheme

Real scripts backgrounder 3 - Polyalphabetic encipherment - XOR as a cipher - RSA algorithm. David Morgan

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

CPSC 467b: Cryptography and Computer Security

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Algebraic attack on stream ciphers Master s Thesis

Classical Cryptography

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

Outline. CPSC 418/MATH 318 Introduction to Cryptography. Information Theory. Partial Information. Perfect Secrecy, One-Time Pad

Attacks on DES , K 2. ) L 3 = R 2 = L 1 f ( R 1, K 2 ) R 4 R 2. f (R 1 = L 1 ) = L 1. ) f ( R 3 , K 4. f (R 3 = L 3

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Secret Key: stream ciphers & block ciphers

Menu. Lecture 5: DES Use and Analysis. DES Structure Plaintext Initial Permutation. DES s F. S-Boxes 48 bits Expansion/Permutation

Topics. Probability Theory. Perfect Secrecy. Information Theory

Jay Daigle Occidental College Math 401: Cryptology

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol

Modes of Operations for Wide-Block Encryption

Cryptanalysis of Achterbahn

Solution to Midterm Examination

Cryptographic Engineering

Binary Additive Counter Stream Ciphers

Akelarre. Akelarre 1

Analysis of Modern Stream Ciphers

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Introduction to Cryptology. Lecture 2

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

9 Knapsack Cryptography

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Chapter 2 : Perfectly-Secret Encryption

Introduction to Modern Cryptography Lecture 4

Lecture Note 3 Date:

Modern symmetric encryption

CSCI3381-Cryptography

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Lecture 9 - Symmetric Encryption

CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER

RSA RSA public key cryptosystem

Alternative Approaches: Bounded Storage Model

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Security Implications of Quantum Technologies

Unpredictable Binary Strings

Parallel Implementation of Proposed One Way Hash Function

Cryptography Lecture 4 Block ciphers, DES, breaking DES

Cryptography CS 555. Topic 2: Evolution of Classical Cryptography CS555. Topic 2 1

A survey of algebraic attacks against stream ciphers

CRC Press has granted the following specific permissions for the electronic version of this book:

Online Cryptography Course. Using block ciphers. Review: PRPs and PRFs. Dan Boneh

Truncated differential cryptanalysis of five rounds of Salsa20

Modified Hill Cipher for a Large Block of Plaintext with Interlacing and Iteration

Security of Networks (12) Exercises

Shannon s Theory of Secrecy Systems

Perfectly-Secret Encryption

Transcription:

Ciphers are classified as block or stream ciphers. All ciphers split long messages into blocks and encipher each block separately. Block sizes range from one bit to thousands of bits per block. A block cipher enciphers each block with the same key. A stream cipher has a sequence or stream of keys and enciphers each block with the next key. The key stream may be periodic, as in the Vigenère cipher or a linear feedback shift register, or not periodic, as in a one-time pad. Ciphertext is often formed in stream ciphers by exclusive-oring the plaintext with the key, as in the Vernam cipher. 1

Modes of operation of block ciphers: Electronic Code Book ECB: c i = E k (m i ). Cipher Block Chaining CBC: c 0 = IV, c i = E k (c i 1 m i ). Output Feed Back OFB: r 0 = IV, r i = E k (r i 1 ), c i = m i r i. (n-bit) Counter CTR: ctr = IV, r i = E k ((ctr +i) mod 2 n ), c i = m i r i. Cipher Feed Back CFB: c 0 = IV, c i = E k (c i 1 ) m i. 2

Linear Feedback Shift Registers A linear feedback shift register is a device which generates a key stream for a stream cipher. It consists of an n-bit shift register and an XOR gate. Let the shift register hold the vector R = (r 0,r 1,...,r n 1 ), numbered left to right. The inputs to the XOR gate are several bits selected (tapped) from fixed bit positions in the register. Let the 1 bits in the vector T = (t 0,t 1,...,t n 1 ) specify the tapped bit positions. Then the output of the XOR gate is the scalar product TR = n 1 i=0 t ir i mod 2, and this bit is shifted into the shift register. 3

0 0 0 1 Let R = (r 0,r 1,...,r n 1 ) be the contents of the register after the shift. Then r i = r i 1 for 1 i < n and r 0 = TR. In other words, R HR mod 2, where H is the n n matrix with T as its first row, 1 s just below the main diagonal and 0 s elsewhere. 4

H = t 0 t 1... t n 2 t n 1 1 0... 0 0 0 1... 0 0....... 0 0... 0 0 0 0... 1 0 The bit r n 1 is shifted out of the register and into the key stream. One can choose T so that the period of the bit stream is 2 n 1, which is the maximum possible period. If n is a few thousand, this length may make the cipher appear secure, but the linearity makes it easy to break. 5

Suppose 2n consecutive key bits k 0,...,k 2n 1 are known. Let X and Y be the n n matrices X = k n 1 k n... k 2n 2 k n 2. k n 1.... k 2n 3.... k 0 k 1... k n 1 Y = k n k n+1... k 2n 1 k n 1 k n... k 2n 2...... k 1 k 2... k n 6

From R HR mod 2 it follows that Y HX mod 2, so H may be computed from H YX 1 mod 2. The inverse matrix X 1 mod 2 is easy to compute by Gaussian elimination for n up to at least 10 4. The tap vector T is the first row of H and the initial contents R of the shift register are (k n 1,...,k 0 ). See Ding, Xiao and Shan [1991]for more information about linear feedback shift registers and variations of them. 7

Meet in the Middle Attacks One might think that a way to make a block cipher more secure is to use it twice with different keys. If the key length is n bits, a brute force known plaintext attack on the basic block cipher would take up to 2 n encryptions. It might appear that the double encryption C = E K2 (E K1 (M)), where K 1 and K 2 are independent n-bit keys, would take up to 2 2n encryptions to find the two keys. The meet-in-the-middle attack is a known plaintext attack which trades time for memory and breaks the double cipher using only about 2 n+1 encryptions, and space to store 2 n blocks and keys. Let M 1 and M 2 be two known plaintexts, and let C 1 and C 2 be the corresponding ciphertexts. (A third pair may be needed.) 8

For each possible key K store (K,E K (M 1 )) in a file. Sort the 2 n pairs by second component. For each possible key K compute D K (C 1 ) and look for this value as the second component of a pair in the file. If it is found, the current key might be K 2 and the key in the pair found in the file might be K 1. Check whether C 2 = E K2 (E K1 (M 2 )) to determine whether K 1 and K 2 really are the keys. In the case of DES, n = 56 and the meetin-the-middle attack requires enough memory to store 2 56 plaintext-ciphertext pairs, more than is easily available now. But the attack is feasible with cloud computing. 9

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback