AESMixCBC a fast wide block encryption mode
- Georgina Armstrong
- 6 years ago
Submitted to the 2013 Fast Software Encryption call for papers Nov

Abstract

We describe a wide block cipher encryption algorithm AESMixCBC, which is a combination of a standard CBC encryption mode and a pseudo-random permutation of the plaintext, AESMix. This mode allows efficient optimization in software and hardware. The AESMix can be implemented with only the XOR and table lookup operations. The AESMixCBC mode upgrades the security of popular narrow block modes, such as XTS, to the wide block security without the performance penalty that is incurred by other wide block modes, such as EME. The overhead of our wide block encryption when compared with the CBC encryption is 10% when measured against the standard AES-128-CBC, and even lower for the standard AES-256-CBC.

Keywords: Wide block-cipher, AESMix, CBC, efficient plaintext mixer, tweakable block cipher.

I. INTRODUCTION

The narrow block encryption modes, such as XTS, CBC, and PGP CFB2, are more widely used encryption algorithms than the wide block encryption algorithms, such as [EME]. One of the reasons why the wide block encryption mode has not gained acceptance in the whole disk encryption product category is a noticeable performance penalty it incurs against the baseline encryption, which we assume to be the Cipher Block Chaining mode with AES as the block cipher (AES-CBC). We designed a wide block encryption mode that is very close to the performance of the CBC encryption and is identical in performance to the popular narrow block disk encryption modes. When implemented on an x86 CPU, our performance goal is assisted by the widely available AESNI instruction set as the basic building block of the algorithm, in particular, the aesenc and aesdec instructions.
In general, all performance-critical CPU operations of the algorithm can be implemented with table lookups and XORs; therefore, the algorithm should be well-suited for any architecture that can execute the AES-128 encryption algorithm. Because the algorithm is built from the same building blocks that are used in the AES implementation, the AESMixCBC maximizes the investments already made in the research, hardware, and software implementations of the AES algorithm.

II. NOTATIONS

The AESMixCBC mode is defined for the wide cipher block, whose byte size is l = 16 n, where n is an integer multiple of 4 and n 8. In practical applications the l 512, is a power of two, and is usually a fixed value for a given operating system and disk firmware. AESMixCBC works with any underlying block cipher that has a 16 byte block size, such as AES-128-CBC or AES-256-CBC.

Thus, each wide block P, C is represented by n 16 byte blocks, which are denoted as P i, C i i {0,n 1}. P i denotes the block of the plaintext such that P=P 0 P 1... P n 1, while C i is the result of the application of the AESMix algorithm. P 0 refers to the block of the P that occupies the lowest 16 bytes of the memory range in which the P resides. This is known as little-endian notation [note 1]. (As will be described later, the order of the iteration in AESMix algorithms is inverse: from the P n 1 down to the P 0.)

Note 1: The indexing follows the C or Java programming language notation for array indexing.

AESMix is a secret key permutation. Each key k i that is used with the AESMix is 16 bytes long. Given that the AESMix operates on 16 byte plaintext blocks, the index correspondence is the 1:1 relationship of the key k i and the block P i or C i.

All additions between the 16 byte blocks in this paper are XOR operations, for which we use the operator.

Cycles used to describe the algorithm loops use all-inclusive index notation. For example, the body of the following loop is executed for P 1 and P 0 :

for i=1 to 0
  some_operation (P i)
end for

III. SPECIFICATION OF THE AESMIXCBC

AESMixCBC mode assumes that the AESMix will be complemented by the 16 byte symmetric algorithm used in the CBC mode. For example, it can be the AES-128-CBC [note 2].

Note 2: Other similar chaining modes, such as CFB mode, are equally suitable, but not considered here.

Encryption:
  C = AESMix(P, block_number_iv)
  C = Encrypt_CBC(C, IV)
Decryption:
  C = Decrypt_CBC(C, IV)
  P = AESUnMix(C, block_number_iv)
TABLE I: AESMIXCBC OVERVIEW

It follows that the security of the AESMixCBC at the minimum equals that of the standard CBC mode. From the point of view of the CBC mode, AESMix performs a permutation of the plaintext into another plaintext. The rest of the paper mostly focuses on the properties of the AESMix and its inverse, the AESUnMix. These are the operations that transform the CBC mode into a wide block encryption mode.

AESMix is a secret permutation of P=P 0 P 1... P n 1 that consists of the underlying secret permutations performed on n 16 byte blocks P i. We use the terms encryption and decryption here to refer to the AESMix secret permutation of the plaintext and the AESUnMix secret permutation of the modified plaintext. Note, however, that these terms have no relationship with the encryption and the decryption of the CBC mode other than the requirement for the matching alignment on the 16 byte boundary.

AESMix operation relies on 3 lower-level operations that operate on one or four 16 byte blocks at a time:
- the XOR of two 16 byte blocks (or GF (2 polynomial field addition)
- The ROUND LAST operation of the AES algorithm (or AESENC1 for short) and its inverse
- The SWEEP64 operation

Generally speaking, the SWEEP64 operation largely relies on the AESENC1 operation, making the AESENC1 the only complex operation of the AESMix algorithm [note 3].

Note 3: AESENC1, in turn, consists of 2 internal building blocks of the standard AES algorithm, commonly available in hardware

A. Building blocks of AESMix: ROUNDLAST and SWEEP64

1 ROUNDLAST (or AESENC1) operation M i (x)

In 5.1 Cipher section of the [AES], Figure 5, the AES algorithm is defined as a sequence of 1..Nr-1 rounds in the body of the loop, followed by a slightly simpler transformation of the state after the loop. The body of the loop corresponds to the ROUND and the sequence of transformations after the loop to the LAST. Permutation M i (x) is a sequential application of ROUND and LAST, where:

ROUND:
  SubBytes(state)
  ShiftRows(state)
  MixColumns(state)
  AddRoundKey(state, k i)
LAST:
  SubBytes(state)
  ShiftRows(state)
  AddRoundKey(state, zero)
TABLE II: DEFINITION OF ROUND AND LAST

k i is a key at index i {0, n} and zero is 16 zero bytes. The ROUND and LAST are standard operations of the [AES], other than that the keys k i and zero are used instead of the subkeys of the AES key schedule.

Simplifying the above, the following table compares the encryption and decryption steps. The inverse operation reverses the ROUNDLAST steps and we use the AESDEC1 to refer to the inverse of the AESENC1.

ROUNDLAST:
  SubBytes(state)
  ShiftRows(state)
  MixColumns(state)
  AddRoundKey(state, k i)
  SubBytes(state)
  ShiftRows(state)
Inverse of ROUNDLAST:
  InvSubBytes(state)
  InvShiftRows(state)
  InvMixColumns(state)
  AddRoundKey(state, k i 1)
  InvShiftRows(state)
  InvSubBytes(state)
TABLE III: AESENC1 AND AESDEC1 DEFINITION

2 SWEEP64 i (t 0, t 1, t 2, t 3) operation

SWEEP64 i (t 0, t 1, t 2, t 3) operates on 4 16 byte blocks {t 0, t 1, t 2, t 3 } as follows:

Each SWEEP64 i (t 0, t 1, t 2, t 3 =M i ( Perm 0 (t 0 Perm 1 (t 1 Perm 2 (t 2 Perm 3 (t 3

Perm i ( X) is a fixed permutation that changes positions of every one of the 16 bytes of x, as defined by the following permutation tables. Assume that X =x 0 x 1... x 15 and Y i =Perm i ( X), where x 0 and y 0 are the bytes at the lowest memory address, respectively.

/ x i Y i: x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 13 x 14 x 15
Y 1: x 11 x 15 x 7 x 14 x 5 x 10 x 13 x 3 x 6 x 1 x 0 x 2 x 4 x 8 x 9
Y 2: x 8 x 11 x 7 x 5 x 13 x 6 x 1 x 0 x 4 x 9 x 15 x 14 x 10 x 3 x 2
Y 3: x 9 x 4 x 1 x 0 x 6 x 13 x 5 x 7 x 11 x 8 x 2 x 3 x 10 x 14 x 15
Y 3: x 7 x 15 x 6 x 11 x 3 x 9 x 8 x 10 x 4 x 5 x 2 x 14 x 1 x 0
TABLE IV: PERMUTATIONS 1, 2, 3, AND 4

The table for the permutations is generated using a simple algorithm provided in the Appendix A. The main purpose of the SWEEP64 i (t 0, t 1, t 2, t 3) permutation is to reduce the number of more expensive M i (x) permutations from 4 to 1.

3 The IV calculation of the AESMix and AESUnMix

The IV of the AESMix algorithm is a 16 byte value that is calculated from the caller-supplied 64 bit input IV 0. In case of a storage encryption application the IV 0 is expected to be a 64 byte integer that identifies a data chunk, such as a disk sector number.

IV 0 =0 64 IV 0 (perform little-endian zero-padding to make a 16 byte block from the 8 byte IV 0)
IV=SWEEP64 n (IV 0, M n (IV 0, 0,0;

The IV calculation is the same for the AESMix and AESUnMix.

B. The key schedule of the AESMix and AESUnMix

There are n encryption keys k i, n decryption keys k i 1, and one encryption key k n used to derive the IV. Each key is 16 bytes. It is important that the keys k i are uniformly random because they serve the purpose of binding the operation on each block P i to the index i. Decryption key k i 1 is derived from the encryption key k i using the standard procedure as documented in the section 5.3 of [AES].

This paper defines one method to derive the keys k i,i [0, n], but alternative methods can be defined in the future (for example, based on [SP ]).

Input: K is the key used with the CBC encryption mode
Return: n1 keys k i
for i=0 to n
  k i = Encrypt K (i1)
end for
TABLE V: THE KEY DERIVATION METHOD

Encrypt K (x) is the encryption of the 16 byte value x that returns the 16 byte result, i.e. this is an ECB encryption mode. The value i1 that is passed to the Encrypt K (x) is the loop counter in the big endian representation formatted to fit the 16 bytes by padding the counter with zero bytes. In other words, the 16 bytes passed to the first Encrypt K (x) as x are 15 bytes with the value 0 and 1 byte, residing at the highest memory address, with the value 1.

C. The AESMix algorithm

The AESMix algorithm is a two-pass algorithm; the passes are called the MIX and the SWEEP. Both passes operate on the 16 byte blocks using the 3 lower-level operations defined above. Both passes sequentially read every 16 byte block of the wide block. The MIX pass modifies every 16 byte block of the wide block, while the SWEEP pass modifies only the first one. Both passes process the 16 byte blocks from the block at the highest memory address down to the first 16 bytes of the wide block. This order of the processing is inverse to the order of the CBC encryption.

1 The MIX pass

Input: P=P 0 P 1... P n 1, IV
Return: C=MIX ( P
=M n 1 ( P n 1 IV
for i=n 2 to 0
  C i =M i ( P i P i 1
end for
= C 0 // XOR the first 16 bytes into the last 16 bytes
TABLE VI: THE MIX PASS

2 The SWEEP pass

Input: P=P 0 P 1... P n 1
Return: C=SWEEP (P
T =0 ;
for k =n/ 4 to 2
  T =T SWEEP64 k 4 4 (P k 4 4, P k 4 3, P k 4 2, P k 4 1
end for
T =M 0 (T SWEEP64 0 (0, P 1, P 2, P 3
C 0 =P 0 T // XOR the checksum into the first 16 bytes
C i =P i i [1,n 1] // the rest stays unchanged
TABLE VII: THE SWEEP PASS

The first used key is k n 4, accessed in SWEEP64 n 1 (...), the next key is k n 8, and the last key is k 0. The SWEEP algorithm is exactly the same for AESMix and AESUnMix; in particular, the keys k i are the encryption keys.

D. The AESUnMix algorithm

The AESUnMix algorithm is the inverse of the AESMix algorithm. It consists of the UNMIX step and the same SWEEP step as defined for the AESMix algorithm.

Input: C=C 0 C 1..., IV
Return: P=UNMIX (C
// XOR the first 16 bytes and the IV into the last 16 bytes, decrypt:
P n 1 =M n 1 1 (C n 1 C 0 IV
for i=n 2 to 0
  P i =M i 1 (C i P i1
end for
TABLE VIII: THE UNMIX PASS

E. Performance

The following numbers show that the AESMix introduces approximately 10% performance penalty over the CBC encryption mode. The following measurements were performed on an Intel Core i GHz, Linux x86_64, compiled with the gcc 4.6.3:

Operation / Absolute performance (Mb/sec) / Ratio
Repeated AES-128-CBC on 256 bytes: % (baseline)
Repeated AESMixCBC on 512 bytes, l=512 byte wide block: %
Repeated AESMix on 512 bytes, l=512 byte wide block: 7, %
TABLE IX: AESMIXCBC PERFORMANCE

These performance numbers don't include any multi-wide-block parallelism discussed below. Assuming the use of the AES-CBC algorithm for encryption, the AESMixCBC guarantees the same performance penalty against the standard AES-CBC performance on any architecture, with or without the hardware support for AES, because AESMix executes essentially the subset of the AES algorithm.

For comparison, another wide block encryption algorithm was described in [BL] and was able to reach only the 50% performance penalty (30 cycles vs. 20 of AES-CBC), the ratio that the AESMix should be able to reliably improve.

F. Parallelism

We expect that the proposed wide block encryption method is beneficial for the applications and protocols with the following properties:
- random read/write access to individual wide blocks
- more than one wide block is processed in the same request on average

This environment is typical for the bulk encryption product category, which includes the whole disk encryption or encrypted file products. This model is compatible with how the storage subsystem is organized in modern operating systems. Next we explain why the degree to which the parallelism is facilitated by the wide block algorithm itself is not a main concern under the above assumptions.

When each protocol request contains more than one wide block (of l bytes each on average), it is possible to parallelize the implementation by viewing the operation on l bytes at a time as a unit of encryption (there are multiple l byte wide blocks available and the result of each wide block's processing is independent from others). We call this parallelism basic. It essentially means that when there are multiple CPU cores available to process multiple l byte blocks, this can always be done under our assumptions.

The other CPU capability enabling parallelism is per-CPU pipelining. The pipelining is a feature limited to a single CPU that allows parallel execution of multiple instructions on a single CPU core. It's a lower-granularity parallelism that is only possible for instructions without data interdependencies. Under our assumptions of processing multiple wide blocks on average the AESMixCBC can take advantage of the pipelining with an extra implementation effort as follows.

Using 4-factor pipelining parallelism as an example, first observe that the standard CBC encryption can be pipelined by implementing a x 4 mode when the implementation processes 4 l byte blocks at a time (whenever possible) by combining 16 byte blocks from each of the 4 wide blocks in parallel, vs. a simpler sequential implementation that processes the first one of the 4 wide blocks completely, followed by the second, and so on. The same method can be used to take advantage of the pipeline parallelism with the AESMix algorithm.

We summarize the parallel capability of the AESMixCBC and its inverse in the following table:

Mode          Parallelism
CBC encrypt   multi-wide-block
CBC decrypt   unlimited
AESMix        unlimited
AESUnMix      multi-wide-block
TABLE X: PARALLEL CAPABILITY OF AESMIXCBC AND AESUNMIXCBC

G. Security

3 Overview

The security of the AESMixCBC algorithm depends on the property that each 16 byte block used in the CBC encryption is aligned with the block boundary used in the AESMix/AESUnMix. The AESMix algorithm consists of two passes, followed by the CBC encryption, which makes the final mode more difficult to analyse than, for example, the [LRW] tweakable block cipher construction. Here we give the initial steps of the analysis.

In this section we widen the review and look at the CBC and AESMix operations together. We start from the encryption. The result of inner block encryption is E k (C i 1 M (P i P i1, which is the CBC operation after the plaintext substitution

P i cbc =M (P i P i1

Observe the enhanced symmetry vs. the standard CBC encryption: the CBC mode adds the ciphertext from the left ( C i 1) to ensure the error propagation in the encryption direction, while the AESMix adds the plaintext from the right ( P i1) to ensure the error propagation in the decryption direction. The plaintext in the center is permuted.

Likewise for the decryption direction, the AESMixCBC on each individual block translates into P i =M i 1 (P i1 E k 1 (C i C i 1, which is a CBC decryption for P i cbc after the following plaintext substitution:

P i cbc =E k 1 (C i C i 1

In the canonical CBC decryption the P i cbc =P i. The presence of the extra P i1 adds the error propagation to the CBC mode in the decryption direction.

Consider an attack in which the block j is modified with the goal to affect the block i, i j. There are two cases here: j<i and j>i, and in both these cases the change to the block j affects the P n 1 cbc through the operation of SWEEP. It can be shown by induction that P n 1 cbc eventually affects the P i in the UNMIX pass.
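
The decryption-direction error propagation described above can be run directly. The following Python code is an added example, not code from the paper: it implements AESENC1/AESDEC1 from Tables II and III and the MIX/UNMIX passes of Tables VI and VIII, under the assumption that the operators lost in this transcription are XORs placed so that UNMIX inverts MIX. The SWEEP pass is left out because Table IV is incomplete here, the inverse uses k i directly instead of a derived decryption key, and the keys, IV and plaintext are constructed stand-ins.

```python
import hashlib

def gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def build_sbox():
    """AES S-box: field inverse followed by the affine transform."""
    box = []
    for a in range(256):
        inv = next((b for b in range(1, 256) if gmul(a, b) == 1), 0)
        s = inv ^ 0x63
        for n in range(1, 5):
            s ^= ((inv << n) | (inv >> (8 - n))) & 0xFF
        box.append(s)
    return box

SBOX = build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]
# State is column-major (byte 4*c + r); ShiftRows rotates row r left by r columns.
SHIFT = [4 * ((c + r) % 4) + r for c in range(4) for r in range(4)]
INV_SHIFT = [SHIFT.index(j) for j in range(16)]

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def sub_shift(s):
    """SubBytes followed by ShiftRows."""
    return bytes(SBOX[s[j]] for j in SHIFT)

def inv_shift_sub(s):
    """InvShiftRows followed by InvSubBytes."""
    return bytes(INV_SBOX[s[j]] for j in INV_SHIFT)

def mix_columns(s, m=(2, 3, 1, 1)):
    """MixColumns; pass m=(14, 11, 13, 9) for InvMixColumns."""
    out = bytearray()
    for c in range(0, 16, 4):
        for r in range(4):
            v = 0
            for k in range(4):
                v ^= gmul(s[c + k], m[(k - r) % 4])
            out.append(v)
    return bytes(out)

def aesenc1(x, k):
    """ROUND with key k, then LAST with the all-zero key (Table II)."""
    return sub_shift(xor(mix_columns(sub_shift(x)), k))

def aesdec1(y, k):
    """Direct inverse of aesenc1, using k itself (not a derived decryption key)."""
    return inv_shift_sub(mix_columns(xor(inv_shift_sub(y), k), (14, 11, 13, 9)))

def mix(p, keys, iv):
    """MIX pass; the XOR placement is an assumption (operators lost in transcription)."""
    n = len(p)
    c = [b""] * n
    c[n - 1] = aesenc1(xor(p[n - 1], iv), keys[n - 1])
    for i in range(n - 2, -1, -1):
        c[i] = aesenc1(xor(p[i], p[i + 1]), keys[i])
    c[n - 1] = xor(c[n - 1], c[0])  # first 16 bytes XORed into the last 16
    return c

def unmix(c, keys, iv):
    """UNMIX pass: each recovered block feeds the block below it."""
    n = len(c)
    p = [b""] * n
    p[n - 1] = xor(aesdec1(xor(c[n - 1], c[0]), keys[n - 1]), iv)
    for i in range(n - 2, -1, -1):
        p[i] = xor(aesdec1(c[i], keys[i]), p[i + 1])
    return p

def setup(n=8):
    """Constructed stand-ins: keys are NOT derived with the paper's Table V method."""
    keys = [hashlib.sha256(b"constructed key %d" % i).digest()[:16] for i in range(n)]
    iv = hashlib.sha256(b"constructed iv").digest()[:16]
    plain = [bytes([i]) * 16 for i in range(n)]
    return plain, keys, iv

def tamper(j, n=8):
    """Flip one bit of mixed block j; return indices of blocks UNMIX gets wrong."""
    plain, keys, iv = setup(n)
    mixed = mix(plain, keys, iv)
    mixed[j] = xor(mixed[j], b"\x01" + bytes(15))
    out = unmix(mixed, keys, iv)
    return [i for i in range(n) if out[i] != plain[i]]

if __name__ == "__main__":
    plain, keys, iv = setup()
    print("round trip ok:", unmix(mix(plain, keys, iv), keys, iv) == plain)
    for j in (5, 7, 0):
        print("tampered block", j, "-> damaged plaintext blocks", tamper(j))
```

A change in block j damages block j and every block below it, while a change in block 0 or in the last block reaches the whole wide block, which is why the SWEEP pass folds every block into the first 16 bytes.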

M i ( ) is a secret permutation that mitigates the malleability property that is caused by the XOR of the C i with the plaintext, makes sure that the P i1 doesn't collide with the plaintext in block i, and mitigates the cut and paste attacks. There is no direct oracle access available to the functionality of the secret permutation M i (P i) or its inverse.

AESENC1 can be alternatively defined to fully integrate and MIX pass into a unified definition. This is shown next to show the high similarity of such an alternative definition of AESENC1MIX algorithm with the standard AES algorithm.

Consider an attack that modifies the ciphertext at the block i1 of the AESMixCBC algorithm. Decryption of the block with the chosen block cipher will result in a plaintext P cbc i1, which will be processed to produce the P i1. We can think of the P i1 as some unknown uniformly distributed 16 byte value seen by the attacker, just like the key k i is. Recall that the AESUnMix step for the block i is the following step P i =M 1 i (P i1 P cbc i, which is mapped to the following alternative definition of AESENC1 and AESDEC1 operations:

ROUNDLASTMIX:
  AddRoundKey(state, zero)
  SubBytes(state)
  ShiftRows(state)
  MixColumns(state)
  AddRoundKey(state, k i)
  SubBytes(state)
  ShiftRows(state)
  AddRoundKey(state, P i1)
Inverse of ROUNDLASTUNMIX:
  AddRoundKey(state, P i1)
  InvSubBytes(state)
  InvShiftRows(state)
  InvMixColumns(state)
  AddRoundKey(state, k i 1)
  InvShiftRows(state)
  InvSubBytes(state)
  AddRoundKey(state, zero)
TABLE XI: ALTERNATIVE AESMIX/AESUNMIX DEFINITION WITH THE INTEGRATED MIX/UNMIX PASS

Note that the alternative AESENC1 and AESDEC1 that include the MIX and UNMIX operations remain exactly the 2-round AES, except the use of the alternative key scheduling that includes k i and P i1 as the 2 subkeys and zero pre-whitening subkey.

4 Select statements about the AESMixCBC

The following facts are stated for the AESMix/AESUnMix algorithm without the CBC step.

Fact 1. A single bit change of an encrypted wide block changes every one of the n plaintext blocks with the probability at least This follows from the chained nature of the two passes of the AESMix algorithm and that the 16 byte block operations are permutations. Note that the SWEEP uses two nested M i (x) permutations. For a one byte differential this means that every one of the 16 bytes of the SWEEP output is active.

Fact 2. No two blocks of any of the n blocks can be swapped or copied with the probability of detection lower than This follows from the binding effect of the unique subkey associated with every 16 byte block of the wide block.

Fact 3. A single bit change in a wide block plaintext changes at least one byte of the first 16 bytes of the wide block with the probability This behaviour has the effect of tweaking the IV value of the CBC algorithm based on the value of each byte of the plaintext of the wide block. The SWEEP operation is responsible for this.

Fact 4. There is an advantage available to the attacker if the attacker compensates the single bit change in Fact 1 with an additional bit change in the wide block.
The SWEEP operation includes a step of {0,1} {0,1} 16 8 mapping for each group of 4 16 byte blocks (512 bits total), which is trivial to forge within the said 512 bit block. To do this the change in any byte of the 512 bit block can be compensated with a corresponding change at another index, per Table IV, such that the XOR result of the two changes is cancelled out.

A more involved collision is the change in two separate 512 bit blocks to the bytes at the same offset with respect to their 512 bit blocks. One byte AES ROUND differential results in the 4 byte change on the output of the round. The probability that no other byte change in any of the s blocks will mask the single byte change is Prob(s=( s (s 1/ 2, where s=n /4 1. We eliminate the first 512 bits due to their special handling. For a typical 512 byte wide block s=7 and Prob(7> For non-adjacent blocks this will cause the in-between blocks k (i, j to change, while leaving the preceding and following blocks unchanged.

Note, however, that these two attacks on the SWEEP step were assuming an ability of the attacker to change a single byte of the plaintext by changing the ciphertext for the two cipher blocks. This probability exceeds the security of the corresponding block cipher, because it essentially depends on the ability to perform a two byte plaintext modification in a 16*2 byte double-block ciphertext.

Fact 5. Each of the n blocks is processed at least twice by the AESENC1 operation or its inverse. This follows from the algorithm description.

Fact 6. AESMixCBC resists the chosen plaintext attacks.

Consider the MIX pass of the AESMix algorithm with the assumption of an attacker who controls the input and sees the output. It would be possible to employ the following algorithm that explores the byte-to-four-bytes differential of the M i ( ) to try to recover the subkey as follows. Given a wide plaintext block, consider 3 changes to two adjacent plaintext blocks as follows:

Plaintext:
  P i, P i1
  P i, P i1 D 1
  P i D 2, P i1 D 1
Result after the ROUND pass:
  M i (P i P i1, C i1
  M i (P i P i1 D 1, C i1
  M i (P i D 2 P i1 D 1, C i1

The goal is to vary the D 1 and D 2 so that the change in M i (P i D 2 due to D 2 is cancelled by D 1, i.e. the attacker has an encryption oracle. An example of this is 1 byte D 2, resulting in 4 byte change in M i (P i D 2, which can be compensated by a 4 byte D 1.

This attack is mitigated by the SWEEP pass. First, note that C i 1 will change as well. The three-block change will affect the results of the SWEEP pass, which will change the first block of the wide block. The change of the first block has the effect of changing the IV in the CBC step, which, in turn, will likely change the ciphertext of the entire wide block.

IV. CONCLUSIONS

AESMixCBC is a fast wide encryption mode suitable for high-performance applications on a broad range of platforms. The algorithm portion that is responsible for the wide block behavior is built from the subset of functionality of the AES algorithm. When AESMixCBC is used with the AES-CBC as an external block cipher, the most likely case today, the design of AESMixCBC offers the deterministic performance penalty assessment in terms of the external block cipher performance. Our implementation achieves the 0.1 factor performance penalty against the AES-CBC.

Many well-studied encryption methods include the concept of a random permutation as a building block. We showed that constructing an encryption algorithm with the help of an imperfect permutation under the protection of a block cipher is a useful tool that can provide performance benefits.

V. APPENDIX A

The method to build the Table 3 is provided below. It can be used to build a permutation table on the fly for the constrained devices or to study the property of the permutation. Each index is treated as an element in the GF (16) with the primitive polynomial x 4 x 3 1. In the following algorithm this is represented as an integer 0x19 in the little-endian format, where 1 stands for 1, 2 for x, etc. This field has 2, 4, 6, and 7 as first generators, which are used to build each Perm i ( X), respectively.

Input: i [0,3] is the index of the permutation
G i ={2,4, 6,7}
Return: Perm i for {0,1,2,3...15}
Perm i ={G 1 i,g 2 i,g 3 i,...,g 14 1 i,0}mod 0x19 // G 0 Perm i is Perm i rotated left by 4 ((i1mod 4 positions corresponds to input index 0
TABLE XII: Perm i ( X) CALCULATION
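
The field arithmetic named in Appendix A can be checked directly. This added Python example (not from the paper) multiplies in GF(16) modulo 0x19, confirms that 2, 4, 6 and 7 are the four smallest generators, and shows that the powers of each one, followed by 0, visit every byte index exactly once; the final rotation step is not built because its rule is incomplete in this transcription, and the function names are illustrative.

```python
# Added example: GF(16) arithmetic behind Appendix A (x^4 + x^3 + 1 encoded as 0x19).
POLY = 0x19

def gf16_mul(a, b):
    """Multiply two 4-bit field elements modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x10:          # degree-4 term appeared: reduce by the polynomial
            a ^= POLY
        b >>= 1
    return r

def power_sequence(g):
    """Return [g^1, g^2, ..., g^15] in GF(16)."""
    seq, x = [], 1
    for _ in range(15):
        x = gf16_mul(x, g)
        seq.append(x)
    return seq

def generators():
    """Elements whose powers reach all 15 nonzero field elements."""
    return [g for g in range(1, 16) if len(set(power_sequence(g))) == 15]

def is_index_permutation(g):
    """True if g^1..g^15 followed by 0 uses every index 0..15 exactly once."""
    return sorted(power_sequence(g) + [0]) == list(range(16))

if __name__ == "__main__":
    print("generators:", generators())
    for g in (2, 4, 6, 7):
        print(g, power_sequence(g), is_index_permutation(g))
```

An element that is not a generator, such as 3, repeats before covering the field, so its powers could not serve as a byte permutation.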

VI. APPENDIX B. MIX AND UNMIX QUICK REFERENCE

[Figure: data flow of the MIX pass from P 0 ... P n 1 to C 0 ... C n 1 and of the UNMIX pass back from C 0 ... C n 1 to P 0 ... P n 1, with the IV entering at block n 1]

VII. APPENDIX C. SWEEP QUICK REFERENCE

[Figure: data flow of the SWEEP pass over P 0 ... P n 1 in groups of four 16 byte blocks, ending in C 0 =P 0 M 0 ( and C i =P i i!=n]

SWEEP64 k ( p 4, p 3, p 2, p 1 =M k ( (Perm i ( p i, where Perm i ( p is a permutation of 16 bytes p={p [0],..., p[ j],... p [15]}, such that each p [ j] appears at the position k : i= 1 j= 0 k=

IV=SWEEP64 n (IV 0, M n (IV 0, 0,0;

VIII. BIBLIOGRAPHY

[1] EME: S. Halevi and P. Rogaway, A Parallelizable Enciphering Mode, 2003
[2] AES: NIST, ADVANCED ENCRYPTION STANDARD (AES), Nov 26, 2001
[3] SP : Lily Chen, Recommendation for Key Derivation Using Pseudorandom Functions, October 2009
[4] BL: Niels Ferguson, AES-CBC Elephant diffuser. A Disk Encryption Algorithm for Windows Vista, Aug 2006
[5] LRW: Moses Liskov, Ronald L. Rivest, and David Wagner, Tweakable Block Ciphers, 2002
More informationDouble-DES, Triple-DES & Modes of Operation
Double-DES, Triple-DES & Modes of Operation Prepared by: Dr. Mohamed Abd-Eldayem Ref.: Cryptography and Network Security by William Stallings & Lecture slides by Lawrie Brown Multiple Encryption & DES
More informationSecret Key Cryptography
Secret Key Cryptography General Block Encryption: The general way of encrypting a 64-bit block is to take each of the: 2 64 input values and map it to a unique one of the 2 64 output values. This would
More informationCIS 4360 Secure Computer Systems Symmetric Cryptography
CIS 4360 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2017 Previous Class Classical Cryptography Frequency analysis Never use home-made cryptography Goals of Cryptography
More informationElastic Block Ciphers: The Feistel Cipher Case
Elastic Block Ciphers: The Feistel Cipher Case Debra L. Cook Moti Yung Angelos D. Keromytis Department of Computer Science Columbia University, New York, NY dcook,moti,angelos @cs.columbia.edu Technical
More informationIntroduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers
Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers Stream Ciphers Start with a secret key ( seed ) Generate a keying stream i-th bit/byte of keying stream is a function
More informationSymmetric Cryptography
CSE 484 (Winter 2010) Symmetric Cryptography Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...
More informationCryptography [Symmetric Encryption]
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography [Symmetric Encryption] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More information1 Achieving IND-CPA security
ISA 562: Information Security, Theory and Practice Lecture 2 1 Achieving IND-CPA security 1.1 Pseudorandom numbers, and stateful encryption As we saw last time, the OTP is perfectly secure, but it forces
More informationCIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)
CIS 6930/4930 Computer and Network Security Topic 3.1 Secret Key Cryptography (Cont d) 1 Principles for S-Box Design S-box is the only non-linear part of DES Each row in the S-Box table should be a permutation
More informationCHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))
CHAPTER 6. SYMMETRIC CIPHERS Multiple encryption is a technique in which an encryption algorithm is used multiple times. In the first instance, plaintext is converted to ciphertext using the encryption
More informationIntroduction to Cryptography. Lecture 3
Introduction to Cryptography Lecture 3 Benny Pinkas March 6, 2011 Introduction to Cryptography, Benny Pinkas page 1 Pseudo-random generator seed s (random, s =n) Pseudo-random generator G Deterministic
More informationENEE 459-C Computer Security. Symmetric key encryption in practice: DES and AES algorithms
ENEE 459-C Computer Security Symmetric key encryption in practice: DES and AES algorithms A perfect encryption of a block Say you have a block of n bits You want to encrypt it You want to use the same
More informationImplementation and Performance analysis of Skipjack & Rijndael Algorithms. by Viswnadham Sanku ECE646 Project Fall-2001
Implementation and Performance analysis of Skipjack & Rijndael Algorithms by Viswnadham Sanku ECE646 Project Fall-2001 TABLE OF CONTENTS TABLE OF CONTENTS 2 1. OBJECTIVE 3 2. SKIPJACK CIPHER 3 2.1 CIPHER
More informationComputer Security CS 526
Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability
More informationDataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.
Submitted by SPYRUS, Inc. Contents DT5000 and DT6000 Technology Overview...2 Why DT5000 and DT6000 Encryption Is Different...3 Why DT5000 and DT6000 Encryption Is Different - Summary...4 XTS-AES Sector-Based
More informationLecture 4: Symmetric Key Encryption
Lecture 4: Symmetric ey Encryption CS6903: Modern Cryptography Spring 2009 Nitesh Saxena Let s use the board, please take notes 2/20/2009 Lecture 1 - Introduction 2 Data Encryption Standard Encrypts by
More informationCSE 127: Computer Security Cryptography. Kirill Levchenko
CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified
More informationU-II BLOCK CIPHER ALGORITHMS
U-II BLOCK CIPHER ALGORITHMS IDEA: Idea is block cipher similar to DES Works on 64 bit plaintext block Key is longer and consist of 128 bits Idea is reversible like DES i.e. same algorithm can be used
More informationL3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015
L3. An Introduction to Block Ciphers Rocky K. C. Chang, 29 January 2015 Outline Product and iterated ciphers A simple substitution-permutation network DES and AES Modes of operations Cipher block chaining
More informationBlock ciphers, stream ciphers
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018 Announcements Project 1 is out, due Feb 14 midnight Recall: Block cipher A
More informationCryptology complementary. Symmetric modes of operation
Cryptology complementary Symmetric modes of operation Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 05 03 Symmetric modes 2018 05 03
More informationSecret Key Cryptography (Spring 2004)
Secret Key Cryptography (Spring 2004) Instructor: Adi Shamir Teaching assistant: Eran Tromer 1 Background Lecture notes: DES Until early 1970 s: little cryptographic research in industry and academcy.
More informationThe Rectangle Attack
The Rectangle Attack and Other Techniques for Cryptanalysis of Block Ciphers Orr Dunkelman Computer Science Dept. Technion joint work with Eli Biham and Nathan Keller Topics Block Ciphers Cryptanalysis
More informationLinear Cryptanalysis of Reduced Round Serpent
Linear Cryptanalysis of Reduced Round Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion Israel Institute of Technology, Haifa 32000, Israel, {biham,orrd}@cs.technion.ac.il,
More informationContent of this part
UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 5 More About Block Ciphers Israel Koren ECE597/697 Koren Part.5.1 Content of this
More informationIntroduction to Symmetric Cryptography
Introduction to Symmetric Cryptography Tingting Chen Cal Poly Pomona 1 Some slides are from Dr. Cliff Zou. www.cs.ucf.edu/~czou/cis3360-12/ch08-cryptoconcepts.ppt Basic Cryptography Private Key Cryptography
More informationBlock cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75
Block cipher modes Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 75 Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 76 Block cipher modes Block ciphers (like
More informationModern Block Ciphers
Modern Block Ciphers now look at modern block ciphers one of the most widely used types of cryptographic algorithms provide secrecy /authentication services focus on DES (Data Encryption Standard) to illustrate
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Secret Key Cryptography Block cipher DES 3DES
More informationInformation Security CS526
Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for
More informationNetwork Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar
Network Security Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar Modern Block Ciphers now look at modern block ciphers one of the most widely used types
More information6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 6 Block Ciphers 6.1 Block Ciphers Block Ciphers Plaintext is divided into blocks of fixed length and every block is encrypted one at a time. A block cipher is a
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 8 2018 Review CPA-secure construction Security proof by reduction
More informationThe Extended Codebook (XCB) Mode of Operation
The Extended Codebook (XCB) Mode of Operation David A. McGrew and Scott Fluhrer Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95032 {mcgrew,sfluhrer}@cisco.com October 25, 2004 Abstract We describe
More informationSymmetric Encryption. Thierry Sans
Symmetric Encryption Thierry Sans Design principles (reminder) 1. Kerkoff Principle The security of a cryptosystem must not rely on keeping the algorithm secret 2. Diffusion Mixing-up symbols 3. Confusion
More informationLecture 6: Symmetric Cryptography. CS 5430 February 21, 2018
Lecture 6: Symmetric Cryptography CS 5430 February 21, 2018 The Big Picture Thus Far Attacks are perpetrated by threats that inflict harm by exploiting vulnerabilities which are controlled by countermeasures.
More informationECE 646 Lecture 8. Modes of operation of block ciphers
ECE 646 Lecture 8 Modes of operation of block ciphers Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5 th and 6 th Edition, Chapter 6 Block Cipher Operation II. A. Menezes, P.
More informationComputer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Cryptography Part II Paul Krzyzanowski Rutgers University Spring 2018 March 23, 2018 CS 419 2018 Paul Krzyzanowski 1 Block ciphers Block ciphers encrypt a block of plaintext at a
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Pseudorandom Permutations unctions that look like random permutations Syntax: Key space K (usually {0,1}
More informationCryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles
Cryptography and Network Security Chapter 3 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 3 Block Ciphers and the Data Encryption Standard All the afternoon Mungo had been working
More informationContent of this part
UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 4 The Advanced Encryption Standard (AES) Israel Koren ECE597/697 Koren Part.4.1
More informationIntroduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space
Perfect Cipher Introduction to Cryptography Lecture 2 Benny Pinkas What type of security would we like to achieve? Given C, the adversary has no idea what M is Impossible since adversary might have a-priori
More informationUsing block ciphers 1
Using block ciphers 1 Using block ciphers DES is a type of block cipher, taking 64-bit plaintexts and returning 64-bit ciphetexts. We now discuss a number of ways in which block ciphers are employed in
More informationLecture 3: Symmetric Key Encryption
Lecture 3: Symmetric Key Encryption CS996: Modern Cryptography Spring 2007 Nitesh Saxena Outline Symmetric Key Encryption Continued Discussion of Potential Project Topics Project proposal due 02/22/07
More informationStatistical Analysis of the 3WAY Block Cipher
Statistical Analysis of the 3WAY Block Cipher By Himanshu Kale Project Report Submitted In Partial Fulfilment of the Requirements for the Degree of Master of Science In Computer Science Supervised by Professor
More informationLecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24
Assume encryption and decryption use the same key. Will discuss how to distribute key to all parties later Symmetric ciphers unusable for authentication of sender Lecturers: Mark D. Ryan and David Galindo.
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Symmetric Cryptography January 20, 2011 Practical Aspects of Modern Cryptography 2 Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash
More informationCourse Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here
Course Business Midterm is on March 1 Allowed to bring one index card (double sided) Final Exam is Monday, May 1 (7 PM) Location: Right here 1 Cryptography CS 555 Topic 18: AES, Differential Cryptanalysis,
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationUNIT - II Traditional Symmetric-Key Ciphers. Cryptography & Network Security - Behrouz A. Forouzan
UNIT - II Traditional Symmetric-Key Ciphers 1 Objectives To define the terms and the concepts of symmetric key ciphers To emphasize the two categories of traditional ciphers: substitution and transposition
More informationImplementation of Full -Parallelism AES Encryption and Decryption
Implementation of Full -Parallelism AES Encryption and Decryption M.Anto Merline M.E-Commuication Systems, ECE Department K.Ramakrishnan College of Engineering-Samayapuram, Trichy. Abstract-Advanced Encryption
More informationSecret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General Considerations:
Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General Considerations: Secret Key Systems Encrypting a small block of text (say 64 bits) General Considerations: 1. Encrypted
More informationsymmetric cryptography s642 computer security adam everspaugh
symmetric cryptography s642 adam everspaugh ace@cs.wisc.edu computer security Announcements Midterm next week: Monday, March 7 (in-class) Midterm Review session Friday: March 4 (here, normal class time)
More informationUnderstanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl
Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 5 More About Block Ciphers ver. November 26, 2010 Last modified 10-2-17
More informationCryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security
Cryptography CS 555 Topic 8: Modes of Encryption, The Penguin and CCA security 1 Reminder: Homework 1 Due on Friday at the beginning of class Please typeset your solutions 2 Recap Pseudorandom Functions
More informationHOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)
AES Block Cipher Blockciphers are central tool in the design of protocols for shared-key cryptography What is a blockcipher? It is a function E of parameters k and n that maps { 0, 1} k { 0, 1} n { 0,
More informationThe Salsa20 Family of Stream Ciphers
The Salsa20 Family of Stream Ciphers Based on [Bernstein, 2008] Erin Hales, Gregor Matl, Simon-Philipp Merz Introduction to Cryptology November 13, 2017 From a security perspective, if you re connected,
More informationFeedback Week 4 - Problem Set
4/26/13 Homework Feedback Introduction to Cryptography Feedback Week 4 - Problem Set You submitted this homework on Mon 17 Dec 2012 11:40 PM GMT +0000. You got a score of 10.00 out of 10.00. Question 1
More informationCryptography and Network Security
Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 6: Advanced Encryption Standard (AES) Ion Petre Department of IT, Åbo Akademi University 1 Origin of AES 1999: NIST
More informationApplied Cryptography Data Encryption Standard
Applied Cryptography Data Encryption Standard Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 History DES has a checkered history. The book provided fascinating reading
More informationAssignment 3: Block Ciphers
Assignment 3: Block Ciphers CSCI3381-Cryptography Due October 3, 2014 1 Solutions to the Written Problems 1. Block Cipher Modes of Operation 6 points per part, 30 total. Parts (a)-(d) refer to the cipherblock
More informationChapter 8. Encipherment Using Modern Symmetric-Key Ciphers
Chapter 8 Encipherment Using Modern Symmetric-Key Ciphers Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 8.1 Chapter 18 Objectives To show how modern standard
More informationBlock Cipher Operation
Block Cipher Operation Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 6-1 Overview 1. Double DES, Triple
More informationHow many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?
Homework 1. Come up with as efficient an encoding as you can to specify a completely general one-to-one mapping between 64-bit input values and 64-bit output values. 2. Token cards display a number that
More informationComputer Security 3/23/18
s s encrypt a block of plaintext at a time and produce ciphertext Computer Security 08. Cryptography Part II Paul Krzyzanowski DES & AES are two popular block ciphers DES: 64 bit blocks AES: 128 bit blocks
More informationSymmetric key cryptography
The best system is to use a simple, well understood algorithm which relies on the security of a key rather than the algorithm itself. This means if anybody steals a key, you could just roll another and
More informationVortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less Multiplication
Vortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less ultiplication Shay Gueron 2, 3, 4 and ichael E. Kounavis 1 1 Corresponding author, Corporate Technology Group, Intel Corporation,
More informationCS 161 Computer Security
Raluca Popa Spring 2018 CS 161 Computer Security Discussion 3 Week of February 5, 2018: Cryptography I Question 1 Activity: Cryptographic security levels (20 min) Say Alice has a randomly-chosen symmetric
More informationsymmetric cryptography s642 computer security adam everspaugh
symmetric cryptography s642 adam everspaugh ace@cs.wisc.edu computer security Announcement Midterm next week: Monday, March 7 (in-class) Midterm Review session Friday: March 4 (here, normal class time)
More informationAES Cryptosystem Acceleration Using Graphics Processing Units. Ethan Willoner Supervisors: Dr. Ramon Lawrence, Scott Fazackerley
AES Cryptosystem Acceleration Using Graphics Processing Units Ethan Willoner Supervisors: Dr. Ramon Lawrence, Scott Fazackerley Overview Introduction Compute Unified Device Architecture (CUDA) Advanced
More information