Reducing the collision probability of Alleged Comp128

Helena Handschuh, ENST, Computer Science Department, 46, rue Barrault, F Paris Cedex 13
Pascal Paillier, GEMPLUS, Cryptography Department, 34, rue Guynemer, F Issy-les-Moulineaux
Both authors jointly work with Gemplus and ENST.

Abstract. Wagner, Goldberg and Briceno have recently published an attack [2] on what they believe to be Comp128, the GSM A3A8 authentication hash function [1]. Provided that the attacker has physical access to the card and to its secret PIN code (the card has to be activated), this chosen plaintext attack recovers the secret key of the personalized SIM (Secure Identification Module) card by inducing collisions on the second (out of 40) round of the hash function. In this paper we suggest two different approaches to strengthen the alleged Comp128 algorithm with respect to this attack. An evaluation of the number of chosen plaintexts and the new complexity of the attack are given.

Keywords. Alleged Comp128, chosen plaintext attack, authentication, hash function, cryptanalysis, smart cards, GSM.

1 Introduction

GSM networks use an authentication and session key generation algorithm called A3A8. An example of A3A8 is the Comp128 algorithm. An alleged version of Comp128 (we shall call it AComp128 hereafter) was recently published on the Web [1]. AComp128 is a hash function that takes the card's secret key Ki and a challenge sent over the air by the base station as an input to compute a MAC and a session key. The SIM card sends the MAC back to the base station for authentication and uses the session key for voice encryption with A5. Briceno, Goldberg and Wagner's attack [2] is a chosen plaintext attack which induces collisions on the second round of the hash function and performs a 2R-attack to recover the secret key Ki. Details of AComp128 and of the attack are given in the next two sections.
In this paper we suggest two ways to prevent this attack; the first is by slightly modifying the protocol in order to disable any collisions after the second or third round, and the second is by changing the structure of the inner permutations of indices referred to as a butterfly structure. Both methods offer protection against this attack but may also be of independent interest.

2 The AComp128 algorithm

The hash function takes 256 bits as an input and computes a hash value of 128 bits. The 32 leftmost bits are used as a MAC and sent back to the base station, and the 64 rightmost bits are used as a session key for voice encryption with the A5 algorithm. Let Ki be the secret key of the target SIM card, and R the challenge sent to the card by the base station. Ki and R are each 16 bytes long. Let X[0..15] = Ki and X[16..31] = R be the 32 byte input to the hash function. Let T0[0..511], T1[0..255], T2[0..127], T3[0..63] and T4[0..31] be the four secret tables. Then there are 8 loops of the following compression function: apply 5 rounds of table lookups and substitutions using tables T0 to T4, and, except in the last loop, perform a permutation on the 128 output bits before entering the next loop. In order to achieve a better comprehension of the attack, we describe the 5 rounds inside one loop in pseudocode:

For i = 0 to 4 do:
    For j = 0 to 2^i - 1 do:
        For k = 0 to 2^(4-i) - 1 do:
        {
            s = k + j * 2^(5-i)
            t = s + 2^(4-i)
            x = (X[s] + 2 X[t]) mod 2^(9-i)
            y = (2 X[s] + X[t]) mod 2^(9-i)
            X[s] = Ti[x]
            X[t] = Ti[y]
        }

The way the substitutions are performed in each round is referred to by Wagner et al. as a butterfly structure. The size of the elements in the tables decreases from one table to the next. Starting from 8 bit outputs for table T0, and 7 bit outputs for table T1, we get down to 4 bit outputs in table T4. Actually, the 32 output bytes only have 4 significant bits each. Therefore these 32 bytes are reorganised into 16 bytes. After the permutation, the 16 byte output updates X[16..31], and X[0..15] is updated with the key Ki.
3 BGW's attack

After the second round of the first loop, the bytes X[i], X[i+8], X[i+16], X[i+24] depend only on the input bytes having the same indexes. Two of these bytes are key bytes, namely X[i] = Ki[i] and X[i+8] = Ki[i+8] (for every i from 0 to 7). Thus, performing a chosen challenge attack, we can hope to find a collision on the four bytes after the second round. The birthday paradox guarantees that with 2^14 random challenges, a collision most probably occurs on the corresponding 28 bit output (table T1 has 7 bit outputs). Once a collision occurs on the second round, it propagates right through the hash function until the end of the last round. Comparing the MACs that are sent back by the card, this collision can be recognized. Next, perform a 2R-attack to recover the two secret key bytes involved in the collision. This attack can be iterated for each pair of key bytes (i.e. for i from 0 to 7), and the whole secret key Ki can be recovered. The attack requires approximately 8 * 2^14 = 2^17 chosen plaintexts and can be performed on a card within 8 hours.

4 Modifying the authentication protocol

The first suggestion we make in order to fix the flaw in AComp128 is to reduce the size of the input challenge in a specific way. The first thing to mention here is that collisions cannot occur after the first round. Actually, T0 has the following property: consider the function t(x,y) = T0[(x + 2y) mod 512]. When either x or y is fixed, the partial functions t(x,.) and t(.,y) of one variable are both permutations. Thus no collision can occur after the first round. Let us now consider the second and the following rounds. The birthday paradox guarantees that with enough random challenges a collision can be found on each combination of four output bytes as mentioned in the last section. The idea is to fix some parts of the challenge to a constant value in order to reduce the probability that there exists a collision. Say we fix for example the 8 first bytes of the challenge to a given value. Then 2^8 random challenges will almost certainly not produce a collision on 28 output bits. Let N be the maximum number of challenges that can be issued to the card (N = 2^8 here). Actually the probability to have no collision on these 28 bits can be approximated to:

$P_i = e^{-N^2 / (2 \cdot 2^{28})} = e^{-2^{-13}}$

This probability is very close to 1. The probability to have no collision on any of the 8 combinations of four input bytes (two key bytes, one constant challenge byte, and one variable challenge byte) is approximately:

$P = \left( e^{-N^2 / (2 \cdot 2^{28})} \right)^8 = e^{-2^{-10}}$

There are many different ways to fix parts of the challenge, each one with a corresponding probability to get no collision at all. We suggest fixing half of the challenge, but considering each pair of bytes R[i], R[i+8] involved in a birthday attack, one might want to fix only l_i bits out of the 16. The location of those bits is not relevant. The l_i parameter may even vary for each index i. Different combinations can be found giving a satisfactory probability to be protected from the BGW attack. We can even allow some of the key bytes to be found, leaving the rest to be found by exhaustive search, but this game seems rather dangerous to us. Note that collisions on the third or even fourth round seem easier to achieve as the size of the outputs of tables T2 and T3 decreases, but if we fix some parts of the challenge this will not be the case any more. At round 3 for example, 8 bytes (4 key bytes and 4 challenge bytes) are involved in a collision search. In the BGW case, 2^32 random challenges eventually lead to a collision on 48 bits (8 times 6 output bits). Nevertheless, with only half of the bits available for collision search, the collision probabilities are even lower for the attacker than in the 2 round case.

5 Generalized Attack on AComp128

The birthday attack works out fine because there is a "narrow pipe" in this hash function that causes bad diffusion of small changes in the input. We suggest changing the indexes of the table lookups in such a way that no narrow pipe subsists. In other words, if you choose one byte of the challenge and follow the bytes that are modified at the second round, going upwards in that network, far more than four bytes should be involved in the structure. In this section we give an evaluation of the complexity of a generalized BGW-style attack. We suppose that a given network structure is used instead of the butterfly structure and analyse the probability of having an exploitable collision after the second round, as well as the number of chosen challenges an attacker has to perform in order to extract some information on the key. Details will be given in the full version of the paper.
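As an added illustration (this is not code from the paper, nor from any Comp128 implementation), the following Python models only the index schedule of the section 2 pseudocode and tracks, without any table contents, which of the 32 input bytes each state byte depends on after each round. That is the "narrow pipe" of section 3 made explicit: after two rounds X[0] depends on exactly {0, 8, 16, 24}, and after three rounds on 8 bytes. The second half evaluates the birthday bound of section 4 for a chosen set of fixed challenge bytes. Assumptions, labelled as such in the code: the output widths of T2 and T3 are taken as 6 and 5 bits (the paper states 8, 7 and 4 bits for T0, T1 and T4 and uses 6 bits for round 3), and the bound is the standard approximation P[no collision] ~ exp(-N^2 / (2 * 2^w)), which reproduces the paper's values e^(-2^-13) and e^(-2^-10).

```python
"""Structural model of the AComp128 butterfly (added example, not the paper's
code).  The secret tables T0..T4 are never needed: the code only tracks which
of the 32 input bytes each state byte depends on after r rounds, i.e. the
"narrow pipe" of section 3, and then evaluates the birthday bound of section 4
for a given set of fixed challenge bytes.

Assumptions: the index schedule is the pseudocode of section 2; the output
widths of T2 and T3 are taken as 6 and 5 bits (the paper gives 8, 7 and 4 bits
for T0, T1 and T4 and uses 6 bits for round 3); the bound is the usual birthday
approximation P[no collision] ~ exp(-N^2 / (2 * 2^w))."""
import math

STATE_BYTES = 32                        # X[0..15] = Ki, X[16..31] = R
CHALLENGE = frozenset(range(16, 32))    # indices of the challenge bytes
OUTPUT_BITS = [8, 7, 6, 5, 4]           # output width of T0..T4 (assumed for T2, T3)


def butterfly_pairs(i):
    """(s, t) index pairs mixed by round i (0..4), from the section 2 pseudocode."""
    pairs = []
    for j in range(2 ** i):
        for k in range(2 ** (4 - i)):
            s = k + j * 2 ** (5 - i)
            t = s + 2 ** (4 - i)
            pairs.append((s, t))
    return pairs


def dependencies(rounds):
    """For every state index, the set of input indices it depends on after
    `rounds` rounds (1..5).  X[s] = Ti[x] and X[t] = Ti[y] both read X[s] and
    X[t], so both outputs inherit the union of the two inputs' sets."""
    deps = [{n} for n in range(STATE_BYTES)]
    for i in range(rounds):
        for s, t in butterfly_pairs(i):
            merged = deps[s] | deps[t]
            deps[s], deps[t] = merged, set(merged)
    return deps


def pipe_width_bits(rounds, index=0):
    """Bits that must agree for a collision at `index` after `rounds` rounds:
    every byte of its dependency group is an output of table T(rounds-1)."""
    return OUTPUT_BITS[rounds - 1] * len(dependencies(rounds)[index])


def no_collision_prob(log2_n, width_bits):
    """Birthday bound: P[no collision among N = 2^log2_n inputs on w bits]."""
    return math.exp(-(2.0 ** (2 * log2_n - width_bits - 1)))


def narrow_pipe_bound(rounds, fixed=frozenset(), index=0):
    """P[no collision at `index` after `rounds`] when the attacker varies every
    challenge byte feeding `index` except those in `fixed` (section 4: fixing
    R[0..7] leaves one variable challenge byte per round-2 group)."""
    group = dependencies(rounds)[index]
    n_var = len([n for n in group if n in CHALLENGE and n not in fixed])
    return no_collision_prob(8 * n_var, pipe_width_bits(rounds, index))


if __name__ == "__main__":
    half_fixed = frozenset(range(16, 24))      # R[0..7] held constant
    for r in (1, 2, 3, 5):
        print(f"round {r}: X[0] <- inputs {sorted(dependencies(r)[0])}")
    print("round 2, whole challenge free :", narrow_pipe_bound(2))
    print("round 2, R[0..7] fixed        :", narrow_pipe_bound(2, half_fixed))
    print("  ... for all 8 groups        :", narrow_pipe_bound(2, half_fixed) ** 8)
    print("round 3, R[0..7] fixed        :", narrow_pipe_bound(3, half_fixed))
```

The dependency sets are what make the attack possible: a 28-bit group fed by two free challenge bytes (2^16 inputs) is almost certain to collide, whereas the same group with one challenge byte pinned admits only 2^8 inputs and the bound evaluates to the paper's e^(-2^-13). Passing a different `fixed` set reproduces the per-pair l_i trade-off discussed above, and `narrow_pipe_bound(3, ...)` shows that at round 3 the pinned challenge leaves the attacker an even smaller collision probability, as the text claims.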
6 Using Mix-Optimal Permutations

This is the second modification we suggest in order to repair AComp128. Following the analysis of the previous section, we suggest a new structure for the diffusion network instead of the butterfly structure used in the actual version of AComp128. We still use one key byte and one random byte for the index of every table lookup at the first and the following rounds, but we change the byte permutations in the first and second rounds, such that the collision-free property is still valid on the first round, and such that the probability of having a collision on the second or the next rounds is optimally low. We analyse the new probability of success for a "narrow pipe" attack, and deduce the number of cards needed in order for one of them to reveal its secret key.
6.1 Round 1

Let f be the permutation on byte indexes at the first round; the butterfly structure mixes X[i] and X[i+16], which means that indexes i and i+16 are used to update indexes i and i+16. We adopt the following notation:

f = (0, 16)(1, 17)(2, 18)(3, 19) ... (14, 30)(15, 31)

This means that index 0 updates itself and index 16, index 16 updates itself and index 0, index 1 updates itself and index 17, etc. f is to be read as a permutation on indexes: the current butterfly structure is therefore represented with 16 transpositions. It is easy to see that f is an involution. For a new first round function we suggest a cyclic function f' which destroys part of the symmetry. Nevertheless, keep in mind that one key byte and one challenge byte are required to update each byte of X at the first round.

f' = (0, 16, 1, 17, 2, 18, ..., 14, 30, 15, 31)

Index 0 updates itself and index f'(0) = 16, index 16 updates itself and index f'(16) = 1, etc. f' is no longer an involution and its cyclic structure guarantees a minimal cycle length of 32, whereas the minimal cycle length of f is only

6.2 Round 2

The cyclic structure is not enough in the first round. The new permutation on the second round, noted g' hereafter, is mix-optimal in the sense that for a realistic collision search (no more than 8 challenge bytes involved), the bytes involved after round 2 are sufficiently numerous to achieve optimally low collision probabilities. An exhaustive search of the best g' led us to the following results: we can achieve at least a factor 3 between the number of involved challenge bytes and the number of bytes involved in a collision after round 2. In the butterfly structure, this factor is only 2, which makes BGW's birthday attack feasible. In order to define g', let us introduce the following notation. If f' is read from left to right, we call f'^{(k)}(0) the k-th element in the list, i.e. if f' is applied k times the index of the involved byte is f'^{(k)}(0).

There are 2 mix-optimal g' functions, defined as follows:

$g'^{(k)}(0) = f'^{(9k + 3 \bmod 32)}(0)$ (1)

and

$g'^{(k)}(0) = f'^{(9k + 2 \bmod 32)}(0)$ (2)

For example, (1) has a maximal cycle length of 16 and two cycles of length 8.
6.3 New probabilities

With a factor of at least 3 between the number of bytes involved at the second round and the number i of challenge bytes on which an attacker chooses to perform a collision search, the probabilities of such a collision drop to a reasonable value. For small i values (such as i = 1), the factor is at least 4 or 5. More details will be given in the full paper. For large i (at least 3), we achieve the following lower bound on the probability of having no collision (2^{8i} challenges against at least 3i bytes of 7 bits each):

$P = e^{-(2^{8i})^2 / (2 \cdot 2^{21i})} = e^{-2^{-5i-1}}$

These mix-optimal permutations at rounds 1 and 2 imply that the attacker has to have a fair amount of different activated cards in order to recover at least one secret key, which achieves some improvement over the actual performance of AComp128 with respect to BGW's attack. Attacks on subsequent rounds are even harder.

7 Conclusion

We have shown two ways to fix the flaw in AComp128, an example of the GSM A3A8 authentication algorithm. We analysed the probability of success of a narrow pipe attack in a general case with different permutation structures. These results may lead to the implementation of algorithms with higher collision-resistance derived from AComp128-like algorithms with butterfly structures, by introducing only minor changes.
More informationSymmetric Encryption
Symmetric Encryption Ahmed Y. Banihammd & Ihsan, ALTUNDAG Mon November 5, 2007 Advanced Cryptography 1st Semester 2007-2008 University Joseph Fourrier, Verimag Master Of Information Security And Coding
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Secret Key Cryptography Block cipher DES 3DES
More informationOn the Diculty of Software Key Escrow. Abstract. At Eurocrypt'95, Desmedt suggested a scheme which allows individuals to encrypt
On the Diculty of Software Key Escrow Lars R. Knudsen Katholieke Universiteit Leuven Dept. Elektrotechniek-ESAT Kardinaal Mercierlaan 94 B-3001 Heverlee Torben P. Pedersen y Cryptomathic Arhus Science
More informationComp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today
Comp527 status items Crypto Protocols, part 2 Crypto primitives Today s talk includes slides from: Bart Preneel, Jonathan Millen, and Dan Wallach Install the smart card software Bring CDs back to Dan s
More informationThe Global Standard for Mobility (GSM) (see, e.g., [6], [4], [5]) yields a
Preprint 0 (2000)?{? 1 Approximation of a direction of N d in bounded coordinates Jean-Christophe Novelli a Gilles Schaeer b Florent Hivert a a Universite Paris 7 { LIAFA 2, place Jussieu - 75251 Paris
More informationOutline Basics of Data Encryption CS 239 Computer Security January 24, 2005
Outline Basics of Data Encryption CS 239 Computer Security January 24, 2005 What is data encryption? Basic encryption mechanisms Stream and block ciphers Characteristics of good ciphers Page 1 Page 2 Data
More informationParallelizing Cryptography. Gordon Werner Samantha Kenyon
Parallelizing Cryptography Gordon Werner Samantha Kenyon Outline Security requirements Cryptographic Primitives Block Cipher Parallelization of current Standards AES RSA Elliptic Curve Cryptographic Attacks
More informationDifferential Cryptanalysis of Madryga
Differential Cryptanalysis of Madryga Ken Shirriff Address: Sun Microsystems Labs, 2550 Garcia Ave., MS UMTV29-112, Mountain View, CA 94043. Ken.Shirriff@eng.sun.com Abstract: The Madryga encryption algorithm
More informationECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos
ECE596C: Handout #7 Analysis of DES and the AES Standard Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract. In this lecture we analyze the security properties of DES and
More informationBlock Ciphers. Secure Software Systems
1 Block Ciphers 2 Block Cipher Encryption function E C = E(k, P) Decryption function D P = D(k, C) Symmetric-key encryption Same key is used for both encryption and decryption Operates not bit-by-bit but
More informationData Integrity & Authentication. Message Authentication Codes (MACs)
Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (receiver) Fran
More informationLecture 4: Authentication and Hashing
Lecture 4: Authentication and Hashing Introduction to Modern Cryptography 1 Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 1 These slides are based on Benny Chor s slides. Some Changes in Grading
More informationCryptography and Network Security. Sixth Edition by William Stallings
Cryptography and Network Security Sixth Edition by William Stallings Chapter 3 Block Ciphers and the Data Encryption Standard All the afternoon Mungo had been working on Stern's code, principally with
More informationSpring 2010: CS419 Computer Security
Spring 2010: CS419 Computer Security MAC, HMAC, Hash functions and DSA Vinod Ganapathy Lecture 6 Message Authentication message authentication is concerned with: protecting the integrity of a message validating
More informationISO/IEC INTERNATIONAL STANDARD
Provläsningsexemplar / Preview INTERNATIONAL STANDARD ISO/IEC 9797-1 First edition 1999-12-15 Information technology Security techniques Message Authentication Codes (MACs) Part 1: Mechanisms using a block
More informationCryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu
More informationApplied Cryptography Data Encryption Standard
Applied Cryptography Data Encryption Standard Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 History DES has a checkered history. The book provided fascinating reading
More informationCryptography Math/CprE/InfAs 533
Unit 1 January 10, 2011 1 Cryptography Math/CprE/InfAs 533 Unit 1 January 10, 2011 2 Instructor: Clifford Bergman, Professor of Mathematics Office: 424 Carver Hall Voice: 515 294 8137 fax: 515 294 5454
More information3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some
3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some popular block ciphers Triple DES Advanced Encryption
More informationTest 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.
Test 2 Review Name Student ID number Notation: {X} Bob Apply Bob s public key to X [Y ] Bob Apply Bob s private key to Y E(P, K) Encrypt P with symmetric key K D(C, K) Decrypt C with symmetric key K h(x)
More informationCryptographic Concepts
Outline Identify the different types of cryptography Learn about current cryptographic methods Chapter #23: Cryptography Understand how cryptography is applied for security Given a scenario, utilize general
More informationTechnion - Computer Science Department - Technical Report CS
Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication? Elad Barkan 1 Eli Biham 1 Nathan Keller 2 1 Computer Science Department Technion { Israel Institute of Technology Haifa 32000, Israel
More informationCryptographic Algorithms - AES
Areas for Discussion Cryptographic Algorithms - AES CNPA - Network Security Joseph Spring Department of Computer Science Advanced Encryption Standard 1 Motivation Contenders Finalists AES Design Feistel
More informationCryptography and Network Security
Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 6: Advanced Encryption Standard (AES) Ion Petre Department of IT, Åbo Akademi University 1 Origin of AES 1999: NIST
More informationCSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography
CSCI 454/554 Computer and Network Security Topic 2. Introduction to Cryptography Outline Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues 2 Basic Concepts and Definitions
More informationSymmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.
Symmetric Key Algorithms Definition A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting. 1 Block cipher and stream cipher There are two main families
More informationSecret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34
Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used for both encryption and decryption.
More information