Cryptanalysis of Symmetric-Key Primitives: Automated Techniques
|
|
- Garey Thomas
- 5 years ago
- Views:
Transcription
1 1 / 39 Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU Leuven, Belgium IBBT, Belgium Summer School on Tools, Mykonos Tuesday, May 29, 2012
2 2 / 39 Outline
3 Symmetric-key Ciphers: Types of attacks 3 / 39 Statistical attacks Linear and differential cryptanalysis, slide attacks,... Detect statistical non-randomness
4 Symmetric-key Ciphers: Types of attacks 3 / 39 Statistical attacks Linear and differential cryptanalysis, slide attacks,... Detect statistical non-randomness Meet-in-the-middle attacks Many techniques (splice-and cut, partial matching, partial fixing,...), guess-and-determine attacks, attack on 2DES,... Separate equations into two or more groups to solve them more efficiently
5 Symmetric-key Ciphers: Types of attacks 3 / 39 Statistical attacks Linear and differential cryptanalysis, slide attacks,... Detect statistical non-randomness Meet-in-the-middle attacks Many techniques (splice-and cut, partial matching, partial fixing,...), guess-and-determine attacks, attack on 2DES,... Separate equations into two or more groups to solve them more efficiently Algebraic attacks See next slide
6 Algebraic Attacks: Definition 4 / 39 Represent cryptographic primitive as system of equations Use equation solver to retrieve key
7 Algebraic Attacks: Definition 4 / 39 Represent cryptographic primitive as system of equations Use equation solver to retrieve key SAT solvers MiniSat2, CryptoMiniSat,... Gröbner basis method Buchberger s algorithm, F 4, F 5,... Mixed Integer Linear Programming (MILP) CPLEX, SYMPHONY,...
8 Algebraic Attacks: Definition 4 / 39 Represent cryptographic primitive as system of equations Use equation solver to retrieve key SAT solvers MiniSat2, CryptoMiniSat,... Gröbner basis method Buchberger s algorithm, F 4, F 5,... Mixed Integer Linear Programming (MILP) CPLEX, SYMPHONY,... Hopefully detects inherent structure, and solves equations faster than brute force!
9 Algebraic Attacks: Advantages and Disadvantages 5 / 39 Algebraic attacks on symmetric-key ciphers Biggest disadvantages: Can only find practical attacks, no high-complexity attacks
10 Algebraic Attacks: Advantages and Disadvantages 5 / 39 Algebraic attacks on symmetric-key ciphers Biggest disadvantages: Can only find practical attacks, no high-complexity attacks Execution time (and memory requirements): unpredictable
11 Algebraic Attacks: Advantages and Disadvantages 5 / 39 Algebraic attacks on symmetric-key ciphers Biggest disadvantages: Can only find practical attacks, no high-complexity attacks Execution time (and memory requirements): unpredictable Not a single proper block cipher has been broken using pure algebraic techniques faster than with other techniques. (Albrecht)
12 Algebraic Attacks: Advantages and Disadvantages 5 / 39 Algebraic attacks on symmetric-key ciphers Biggest disadvantages: Can only find practical attacks, no high-complexity attacks Execution time (and memory requirements): unpredictable Not a single proper block cipher has been broken using pure algebraic techniques faster than with other techniques. (Albrecht) Biggest advantages: Black box technique, no crypto knowledge required
13 Algebraic Attacks: Advantages and Disadvantages 5 / 39 Algebraic attacks on symmetric-key ciphers Biggest disadvantages: Can only find practical attacks, no high-complexity attacks Execution time (and memory requirements): unpredictable Not a single proper block cipher has been broken using pure algebraic techniques faster than with other techniques. (Albrecht) Biggest advantages: Black box technique, no crypto knowledge required Can work with very few plaintext-ciphertext pairs
14 Algebraic Attacks: Advantages and Disadvantages 5 / 39 Algebraic attacks on symmetric-key ciphers Biggest disadvantages: Can only find practical attacks, no high-complexity attacks Execution time (and memory requirements): unpredictable Not a single proper block cipher has been broken using pure algebraic techniques faster than with other techniques. (Albrecht) Biggest advantages: Black box technique, no crypto knowledge required Can work with very few plaintext-ciphertext pairs Useful to break extremely weak ciphers: Crypto-1 in 40s, HiTag2 in 6.5h on one Xeon 2.33GHz (Soos)
15 Automated Techniques: Still Useful 6 / 39 Tool to construct statistical and MitM attacks Therefore, program execution time: not so important
16 Automated Techniques: Still Useful 6 / 39 Tool to construct statistical and MitM attacks Therefore, program execution time: not so important Program: executed only once
17 Automated Techniques: Still Useful 6 / 39 Tool to construct statistical and MitM attacks Therefore, program execution time: not so important Program: executed only once More time spent on: coding, debugging, optimizing, parallel implementation, verifying,... Verifying correctness: very difficult
18 Automated Techniques: Still Useful 6 / 39 Tool to construct statistical and MitM attacks Therefore, program execution time: not so important Program: executed only once More time spent on: coding, debugging, optimizing, parallel implementation, verifying,... Verifying correctness: very difficult Programmer s time: costs more than CPU time!
19 Automated Techniques: Still Useful 6 / 39 Tool to construct statistical and MitM attacks Therefore, program execution time: not so important Program: executed only once More time spent on: coding, debugging, optimizing, parallel implementation, verifying,... Verifying correctness: very difficult Programmer s time: costs more than CPU time! More important: Easy to program Easy to verify Easy to parallelize
20 Goal of this lecture 7 / 39 Use three easy, automated techniques MILP programming SAT solvers Regular expressions as tools to construct attacks... and start breaking ciphers today!
21 8 / 39 Outline
22 9 / 39 Differential Cryptanalysis Differential characteristic a 1 a a 2 b 1 c 1 b c b 2 c 2 d 1 d d 2
23 10 / 39 Differential Cryptanalysis: S-box a α a α Differential Probability DP( α β): #{0 a < 2 8 : S(a) S(a α) = β} 2 8 S S S(a) S(a α) = β? Max. diff. prob. (MDP): 4/256 = 2 6 AES: only component that is non-linear in GF(2 8 ) Non-active S-box: DP(0 0) = 1 Count active S-boxes!
24 11 / 39 Representation of variables Every pair of bytes is shrunk to one bit x i : x i = 0 if the bytes are the same x i = 1 if the bytes are different
25 11 / 39 Representation of variables Every pair of bytes is shrunk to one bit x i : x i = 0 if the bytes are the same x i = 1 if the bytes are different Note: simplifies the analysis! Our results prove lower bounds, but characteristics may contain a contradiction
26 11 / 39 Representation of variables Every pair of bytes is shrunk to one bit x i : x i = 0 if the bytes are the same x i = 1 if the bytes are different Note: simplifies the analysis! Our results prove lower bounds, but characteristics may contain a contradiction Next slides: focus on AES but technique can analyze any cipher based on XORs, three-forked branches, MDS operations,... Details: see Mouha et al., Inscrypt 2011
27 12 / 39 One Round of AES x 0 x 4 x 8 x 12 x 1 x 5 x 9 x 13 x 2 x 6 x 10 x 14 x 3 x 7 x 11 x 15 x 0 x 4 x 8 x 12 x 5 x 9 x 13 x 1 x 10 x 14 x 2 x 6 x 15 x 3 x 7 x 11 AR+SB MC x 0 x 4 x 8 x 12 x 1 x 5 x 9 x 13 x 2 x 6 x 10 x 14 x 3 x 7 x 11 x 15 x 16 x 20 x 24 x 28 x 17 x 21 x 25 x 29 x 18 x 22 x 26 x 30 x 19 x 23 x 27 x 31 SR
28 13 / 39 MixColumns MDS Property: x 0 x 5 x 10 MDS x 16 x 17 x 18 x 0 + x 5 + x 10 + x 15 + x 16 + x 17 + x 18 + x 19 5 or x 15 x 19 x 0 = x 5 = x 10 = x 15 = x 16 = x 17 = x 18 = x 19 = 0
29 14 / 39 MixColumns MDS Property: x 0 x 5 x 10 MDS x 16 x 17 x 18 x 0 + x 5 + x 10 + x 15 + x 16 + x 17 + x 18 + x 19 5d and x 15 x 19 d = max( x 0, x 5, x 10, x 15, x 16, x 17, x 18, x 19 )
30 15 / 39 MixColumns MDS Property: x 0 x 5 x 10 MDS x 16 x 17 x 18 x 0 + x 5 + x 10 + x 15 + x 16 + x 17 + x 18 + x 19 5d and x 15 x 19 d x 0, d x 5, d x 10, d x 15, d x 16, d x 17, d x 18, d x 19
31 16 / 39 Mixed-Integer Linear Programming Mimimize Sum of S-box variables Subject To 9 equations for every MixColumns step (+1 dummy variable) (SubBytes, ShiftRows, add key: no equations/variables) Sum of plaintext variables 1 Binary All variables / All input variables End
32 17 / 39 Single-key AES: Bounds # Rounds Min. # active S-boxes # Rounds Min. # active S-boxes Using the IBM ILOG CPLEX optimizer Free for academic use Execution time no problem takes longer than 0.40 s (Intel Xeon 2.93GHz)
33 18 / 39 Related-key AES: Strategy Also one x i -variable per key byte, (x i = 1 iff. bytes different)
34 18 / 39 Related-key AES: Strategy Also one x i -variable per key byte, (x i = 1 iff. bytes different) Equations for every XOR operation: x in1 x in2 x in1 + x in2 + x out 2d d x in1 d x in2 x out d x out
35 19 / 39 Related-key AES: Bounds Minimum number of active S-boxes: # Rounds AES AES AES # Rounds AES AES AES
36 20 / 39 Related-key AES: Execution Time 24-core Intel Xeon 2.93GHz System used concurrently by at least 5 other people... execution times are upper bounds
37 20 / 39 Related-key AES: Execution Time 24-core Intel Xeon 2.93GHz System used concurrently by at least 5 other people... execution times are upper bounds Bounds for full AES: all less than one minute except 14-round AES-256: bound in s
38 21 / 39 Comparison to other work Biryukov, Nikolić (EUROCRYPT 2010, SAC 2010) determine byte differences, not just zero/non-zero difference
39 21 / 39 Comparison to other work Biryukov, Nikolić (EUROCRYPT 2010, SAC 2010) determine byte differences, not just zero/non-zero difference AES-192, 11 rounds: Biryukov, Nikolić: 31 active S-boxes, computation takes weeks
40 21 / 39 Comparison to other work Biryukov, Nikolić (EUROCRYPT 2010, SAC 2010) determine byte differences, not just zero/non-zero difference AES-192, 11 rounds: Biryukov, Nikolić: 31 active S-boxes, computation takes weeks Our result: 19 active S-boxes, found in s
41 21 / 39 Comparison to other work Biryukov, Nikolić (EUROCRYPT 2010, SAC 2010) determine byte differences, not just zero/non-zero difference AES-192, 11 rounds: Biryukov, Nikolić: 31 active S-boxes, computation takes weeks Our result: 19 active S-boxes, found in s xaes-128, 10 rounds: Nikolić: more than 22 active S-boxes ( a few hours on a single core ) using split method
42 21 / 39 Comparison to other work Biryukov, Nikolić (EUROCRYPT 2010, SAC 2010) determine byte differences, not just zero/non-zero difference AES-192, 11 rounds: Biryukov, Nikolić: 31 active S-boxes, computation takes weeks Our result: 19 active S-boxes, found in s xaes-128, 10 rounds: Nikolić: more than 22 active S-boxes ( a few hours on a single core ) using split method Our result: 22 active S-boxes (2.68 s, single core) using split method
43 21 / 39 Comparison to other work Biryukov, Nikolić (EUROCRYPT 2010, SAC 2010) determine byte differences, not just zero/non-zero difference AES-192, 11 rounds: Biryukov, Nikolić: 31 active S-boxes, computation takes weeks Our result: 19 active S-boxes, found in s xaes-128, 10 rounds: Nikolić: more than 22 active S-boxes ( a few hours on a single core ) using split method Our result: 22 active S-boxes (2.68 s, single core) using split method Not using split method: 25 active S-boxes (4 minutes on a single core, or s using 24 cores)
44 22 / 39 How to program Complex bookkeeping of variables is unnecessary! Stay as close as possible to the original C code
45 22 / 39 How to program Complex bookkeeping of variables is unnecessary! Stay as close as possible to the original C code int next: index i for next unused x i int dummy: index j for next unused d j
46 22 / 39 How to program Complex bookkeeping of variables is unnecessary! Stay as close as possible to the original C code int next: index i for next unused x i int dummy: index j for next unused d j remove round constants
47 22 / 39 How to program Complex bookkeeping of variables is unnecessary! Stay as close as possible to the original C code int next: index i for next unused x i int dummy: index j for next unused d j remove round constants intercept XOR, MixColumns: generate equations, increase next and dummy
48 22 / 39 How to program Complex bookkeeping of variables is unnecessary! Stay as close as possible to the original C code int next: index i for next unused x i int dummy: index j for next unused d j remove round constants intercept XOR, MixColumns: generate equations, increase next and dummy intercept S-box: keep track of indices for objective function
49 22 / 39 How to program Complex bookkeeping of variables is unnecessary! Stay as close as possible to the original C code int next: index i for next unused x i int dummy: index j for next unused d j remove round constants intercept XOR, MixColumns: generate equations, increase next and dummy intercept S-box: keep track of indices for objective function More details: see source code
50 22 / 39 How to program Complex bookkeeping of variables is unnecessary! Stay as close as possible to the original C code int next: index i for next unused x i int dummy: index j for next unused d j remove round constants intercept XOR, MixColumns: generate equations, increase next and dummy intercept S-box: keep track of indices for objective function More details: see source code To debug/visualize: print indices i of internal states x i and fill in solution
51 23 / 39 Related-key AES: How to program (2) Reference implementation (rijndael-alg-ref.c) assume 256-bit key, 10 rounds Implementation needs = 1408 key bits but rounds up: = 1536 key bits calculated Result: unnecessary S-box lookups, and wrong bounds! solution: reorder loops and terminate sooner
52 24 / 39 Outline
53 25 / 39 SAT solvers: SAT solvers: input in Conjunctive Normal Form (CNF) CNF = the AND of a set of OR -clauses Every variable = 1 bit CryptoMiniSAT: also understands XOR clauses Example of CNF: (x 1 x 5 x 4 ) ( x 1 x 5 x 3 x 4 ) ( x 3 x 4 ) Conversion from C code to CNF needed + convert back to interpret solution
54 26 / 39 SAT solvers: to CNF and back Custom approach: specific to certain (families of) ciphers e.g. Grain of Salt (Soos): stream ciphers based on NLFSRs
55 26 / 39 SAT solvers: to CNF and back Custom approach: specific to certain (families of) ciphers e.g. Grain of Salt (Soos): stream ciphers based on NLFSRs Using software to synthesize hardware circuits e.g. CryptLogVer (Morawiecki et al.): Altera Quartus II + simple postprocessing
56 26 / 39 SAT solvers: to CNF and back Custom approach: specific to certain (families of) ciphers e.g. Grain of Salt (Soos): stream ciphers based on NLFSRs Using software to synthesize hardware circuits e.g. CryptLogVer (Morawiecki et al.): Altera Quartus II + simple postprocessing Tool to convert C code to CNF and back e.g. C32SAT (Brummayer)
57 27 / 39 HAS-V Step Function A i B i C i D i E i <<< S f W i K i <<< 2 A i+1 B i+1 C i+1 D i+1 E i+1
58 28 / 39 HAS-V Step Function: Local Collisions W t [0] W t+1 [S] W t+2 [0] W t+3 [30] W t+4 [30] W t+5 [30] A t [0] A t+1 [S] A t+2 [0] A t+3 [30] A t+4 [30] A t+5 [30] B t+1 [0] 50% C t+2 [30] 50% 50% (f 1,f 3 ) 100% (f 2 ) 50% D t+3 [30] E t+4 [30]
59 29 / 39 HAS-V: Using C32SAT Chabaud and Joux: local collision = perturbation + correction(s) Message words are reused: one message difference W i introduces many perturbations!
60 29 / 39 HAS-V: Using C32SAT Chabaud and Joux: local collision = perturbation + correction(s) Message words are reused: one message difference W i introduces many perturbations! For HAS-V: Step 0: Msg. diff. W 0 = Perturb. P 0 (32-bit word) Step 1: Msg. diff. W 1 = Perturb. P 1 Corr. (P 0 11)
61 29 / 39 HAS-V: Using C32SAT Chabaud and Joux: local collision = perturbation + correction(s) Message words are reused: one message difference W i introduces many perturbations! For HAS-V: Step 0: Msg. diff. W 0 = Perturb. P 0 (32-bit word) Step 1: Msg. diff. W 1 = Perturb. P 1 Corr. (P 0 11) Step 2: Msg. diff. W 2 = Perturb. P 2 Corr. (P 1 7) Corr. (P 0 D 0 )... (W 0, W 1,... are reused in later steps) Dummy variable D 0 : indicates if Boolean function f absorbs or propagates difference
62 30 / 39 HAS-V: C32SAT results Processor: Intel Core 2 Duo 3GHz If P i { , } Best solution: 192 local collisions for 60 steps (41s) No solution with fewer than 192 local collisions (42s)
63 30 / 39 HAS-V: C32SAT results Processor: Intel Core 2 Duo 3GHz If P i { , } Best solution: 192 local collisions for 60 steps (41s) No solution with fewer than 192 local collisions (42s) If P i { , , , } Best solution: 144 local collisions for 60 steps (3m 14s) No solution with fewer than 144 local collisions (11m 10s)
64 30 / 39 HAS-V: C32SAT results Processor: Intel Core 2 Duo 3GHz If P i { , } Best solution: 192 local collisions for 60 steps (41s) No solution with fewer than 192 local collisions (42s) If P i { , , , } Best solution: 144 local collisions for 60 steps (3m 14s) No solution with fewer than 144 local collisions (11m 10s) More details: my Master s thesis (only in Dutch)
65 31 / 39 Outline
66 32 / 39 : : to match patterns in strings Text editor s Find or Find/Replace, but on steroids Included in several programming languages Java, C++11, Apple s Objective-C, C#, PHP, VB.NET, Python, Perl, JavaScript,...
67 32 / 39 : : to match patterns in strings Text editor s Find or Find/Replace, but on steroids Included in several programming languages Java, C++11, Apple s Objective-C, C#, PHP, VB.NET, Python, Perl, JavaScript,...
68 33 / 39 : Notation x character x. any character [ac] character a or c [^a-c] any character except a, b or c e.g. d, A, 9,... ([a-c]) save match for later use x* zero or more x s x+ one or more x s x? zero or one x s x{m} exactly m x s x{m,} at least m x s x{m,n} at least m, but at most n x s
69 34 / 39 Meet-in-the-Middle Attack on XTEA XTEA: 64 rounds, 4 subkeys One subkey used in every round Round key order as a string: Meet-in-the-middle attack on 23 rounds First and last rounds: one subkey is not used Middle rounds: all keys can be used, max. 15 rounds Details: Sekar, Mouha, Velichkov, Preneel, CT-RSA 2010 Regular expression?
70 35 / 39 Meet-in-the-Middle Attack on XTEA XTEA: 64 rounds, 4 subkeys One subkey used in every round Round key order as a string: Meet-in-the-middle attack on 23 rounds First and last rounds: one subkey is not used Middle rounds: all keys can be used, max. 15 rounds Details: Sekar, Mouha, Velichkov, Preneel, CT-RSA 2010 [^0]*.{1,15}[^0]*,
71 36 / 39 Meet-in-the-Middle Attack on XTEA XTEA: 64 rounds, 4 subkeys One subkey used in every round Round key order as a string: Meet-in-the-middle attack on 23 rounds First and last rounds: one subkey is not used Middle rounds: all keys can be used, max. 15 rounds Details: Sekar, Mouha, Velichkov, Preneel, CT-RSA 2010 [^0]*.{1,15}[^0]*, [^2]*.{1,15}[^2]*, [^1]*.{1,15}[^1]*, [^3]*.{1,15}[^3]*
72 37 / 39 1 #! / usr / bin / p e r l 2 3 # XTEA key schedule 4 $x = " ". 5 " " ; 6 7 # subkey $ i i s excluded i n the outer rounds 8 f o r ( $ i =0; $i <4; $ i ++) { 9 while ( $x =~ / ( [ ^ $ i ].{1, 1 5 } [ ^ $ i ] ) / g ) { 10 i f ( l e n g t h ( $1 ) >= 23) { # show only 23 round a t t a c k s 11 p r i n t l e n g t h ( $1 ), " round a t t a c k : ", $1, 12 " ( rounds : ", $ [1]+1, " ", $ + [ 1 ], " ) \ n " ; 13 } 14 pos ( $x ) = $ [1]+1; # matches may overlap 15 } 16 }
73 ECRYPT II 38 / 39 Research papers should be verifiable... releasing source code is therefore crucial! ECRYPT II Currently 16 tools listed Tools used in this lecture will be added today Other new submissions are very welcome!
74 39 / 39 If we use an automated technique, The execution time is unpredictable, and the inner workings are not well understood.
75 39 / 39 If we use an automated technique, The execution time is unpredictable, and the inner workings are not well understood. Yet, such techniques can be extremely useful: typically not to break a cipher (requires too much time/memory) but to use as a tool to construct an attack.
76 39 / 39 If we use an automated technique, The execution time is unpredictable, and the inner workings are not well understood. Yet, such techniques can be extremely useful: typically not to break a cipher (requires too much time/memory) but to use as a tool to construct an attack. How to do this? We gave examples for three approaches: MILP programming, SAT solvers, regular expressions.
77 39 / 39 If we use an automated technique, The execution time is unpredictable, and the inner workings are not well understood. Yet, such techniques can be extremely useful: typically not to break a cipher (requires too much time/memory) but to use as a tool to construct an attack. How to do this? We gave examples for three approaches: MILP programming, SAT solvers, regular expressions. Questions?
Attacks on Advanced Encryption Standard: Results and Perspectives
Attacks on Advanced Encryption Standard: Results and Perspectives Dmitry Microsoft Research 29 February 2012 Design Cryptanalysis history Advanced Encryption Standard Design Cryptanalysis history AES 2
More informationSAT Solvers in the Context of Cryptography
SAT Solvers in the Context of Cryptography v2.0 Presentation at Montpellier Mate Soos UPMC LIP6, PLANETE team INRIA, SALSA Team INRIA 10th of June 2010 Mate Soos (UPMC LIP6, PLANETE team SAT INRIA, solvers
More informationBlock Ciphers Introduction
Technicalities Block Models Block Ciphers Introduction Orr Dunkelman Computer Science Department University of Haifa, Israel March 10th, 2013 Orr Dunkelman Cryptanalysis of Block Ciphers Seminar Introduction
More informationAutomatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers
Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers 1 June 2010 1 Block Ciphers 2 The tool 3 Applications 4 Conclusion Basics P Block cipher E K (P) Input: Plaintext
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Secret Key Cryptography Block cipher DES 3DES
More informationMegoSAT project Differential cryptanalysis with SAT solvers
MegoSAT project Differential cryptanalysis with SAT solvers Today: master thesis presentation Lukas Prokop Advisors: Florian Mendel, Maria Eichlseder Institute of Applied Information Processing and Communications
More informationAlgebraicDierential Cryptanalysis of DES
AlgebraicDierential Cryptanalysis of DES JeanCharles Faugère Ludovic Perret PierreJean Spaenlehauer UPMC LIP6 CNRS INRIA Paris - Rocquencourt SALSA team Journées C2 1/33 PJ Spaenlehauer Plan Introduction
More informationCourse Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here
Course Business Midterm is on March 1 Allowed to bring one index card (double sided) Final Exam is Monday, May 1 (7 PM) Location: Right here 1 Cryptography CS 555 Topic 18: AES, Differential Cryptanalysis,
More informationComputational Security, Stream and Block Cipher Functions
Computational Security, Stream and Block Cipher Functions 18 March 2019 Lecture 3 Most Slides Credits: Steve Zdancewic (UPenn) 18 March 2019 SE 425: Communication and Information Security 1 Topics for
More informationSecurity Analysis of Extended Sponge Functions. Thomas Peyrin
Security Analysis of Extended Sponge Functions Hash functions in cryptology: theory and practice Leiden, Netherlands Orange Labs University of Versailles June 4, 2008 Outline 1 The Extended Sponge Functions
More informationEncryption Details COMP620
Encryption Details COMP620 Encryption is a powerful defensive weapon for free people. It offers a technical guarantee of privacy, regardless of who is running the government It s hard to think of a more
More informationComputer and Data Security. Lecture 3 Block cipher and DES
Computer and Data Security Lecture 3 Block cipher and DES Stream Ciphers l Encrypts a digital data stream one bit or one byte at a time l One time pad is example; but practical limitations l Typical approach
More informationL3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015
L3. An Introduction to Block Ciphers Rocky K. C. Chang, 29 January 2015 Outline Product and iterated ciphers A simple substitution-permutation network DES and AES Modes of operations Cipher block chaining
More informationAnalysis of the Use of Whirlpool s S-box, S1 and S2 SEED s S- box in AES Algorithm with SAC Test Novita Angraini, Bety Hayat Susanti, Magfirawaty
Information Systems International Conference (ISICO), 2 4 December 2013 Analysis of the Use of Whirlpool s S-box, S1 and S2 SEED s S- box in AES Algorithm with SAC Test Novita Angraini, Bety Hayat Susanti,
More informationAlgebraic-Differential Cryptanalysis of DES
Algebraic-Differential Cryptanalysis of DES Jean-Charles FAUGÈRE, Ludovic PERRET, Pierre-Jean SPAENLEHAUER UPMC, Univ Paris 06, LIP6 INRIA, Centre Paris-Rocquencourt, SALSA Project CNRS, UMR 7606, LIP6
More informationContent of this part
UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 4 The Advanced Encryption Standard (AES) Israel Koren ECE597/697 Koren Part.4.1
More informationThis document is downloaded from DR-NTU, Nanyang Technological University Library, Singapore.
This document is downloaded from DR-NTU, Nanyang Technological University Library, Singapore. Title Improved Meet-in-the-Middle cryptanalysis of KTANTAN (poster) Author(s) Citation Wei, Lei; Rechberger,
More information3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some
3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some popular block ciphers Triple DES Advanced Encryption
More informationBlock Ciphers. Secure Software Systems
1 Block Ciphers 2 Block Cipher Encryption function E C = E(k, P) Decryption function D P = D(k, C) Symmetric-key encryption Same key is used for both encryption and decryption Operates not bit-by-bit but
More informationWeak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis
3. 2 13.57 Weak eys for a Related-ey Differential Attack Weak eys of the Full MISTY1 Block Cipher for Related-ey Cryptanalysis Institute for Infocomm Research, Agency for Science, Technology and Research,
More informationBlock Ciphers. Lucifer, DES, RC5, AES. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk Block Ciphers 1
Block Ciphers Lucifer, DES, RC5, AES CS 470 Introduction to Applied Cryptography Ali Aydın Selçuk CS470, A.A.Selçuk Block Ciphers 1 ... Block Ciphers & S-P Networks Block Ciphers: Substitution ciphers
More informationin a 4 4 matrix of bytes. Every round except for the last consists of 4 transformations: 1. ByteSubstitution - a single non-linear transformation is a
Cryptanalysis of Reduced Variants of Rijndael Eli Biham Λ Nathan Keller y Abstract Rijndael was submitted to the AES selection process, and was later selected as one of the five finalists from which one
More informationSecret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34
Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used for both encryption and decryption.
More informationLecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24
Assume encryption and decryption use the same key. Will discuss how to distribute key to all parties later Symmetric ciphers unusable for authentication of sender Lecturers: Mark D. Ryan and David Galindo.
More informationP2_L6 Symmetric Encryption Page 1
P2_L6 Symmetric Encryption Page 1 Reference: Computer Security by Stallings and Brown, Chapter 20 Symmetric encryption algorithms are typically block ciphers that take thick size input. In this lesson,
More informationImproved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN
Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN Shahram Rasoolzadeh and Håvard Raddum Simula Research Laboratory Abstract. We study multidimensional meet-in-the-middle attacks on the
More informationChosen Ciphertext Attack on SSS
Chosen Ciphertext Attack on SSS Joan Daemen 1, Joseph Lano 2, and Bart Preneel 2 1 STMicroelectronics Belgium joan.daemen@st.com 2 Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC {joseph.lano,bart.preneel}@esat.kuleuven.ac.be
More informationGoals for Today. Substitution Permutation Ciphers. Substitution Permutation stages. Encryption Details 8/24/2010
Encryption Details COMP620 Goals for Today Understand how some of the most common encryption algorithms operate Learn about some new potential encryption systems Substitution Permutation Ciphers A Substitution
More informationAn Improved Truncated Differential Cryptanalysis of KLEIN
An Improved Truncated Differential Cryptanalysis of KLEIN hahram Rasoolzadeh 1, Zahra Ahmadian 2, Mahmoud almasizadeh 3, and Mohammad Reza Aref 3 1 imula Research Laboratory, Bergen, Norway, 2 hahid Beheshti
More informationImproved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN
Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN Shahram Rasoolzadeh and Håvard Raddum Simula Research Laboratory {shahram,haavardr}@simula.no Abstract. We study multidimensional meet-in-the-middle
More informationECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos
ECE596C: Handout #7 Analysis of DES and the AES Standard Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract. In this lecture we analyze the security properties of DES and
More informationKey Separation in Twofish
Twofish Technical Report #7 Key Separation in Twofish John Kelsey April 7, 2000 Abstract In [Mur00], Murphy raises questions about key separation in Twofish. We discuss this property of the Twofish key
More informationFundamentals of Cryptography
Fundamentals of Cryptography Topics in Quantum-Safe Cryptography June 23, 2016 Part III Data Encryption Standard The Feistel network design m m 0 m 1 f k 1 1 m m 1 2 f k 2 2 DES uses a Feistel network
More informationpage 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas
Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher
More informationAn Overview of Cryptanalysis Research for the Advanced Encryption Standard
An Overview of Cryptanalysis Research for the Advanced Encryption Standard Alan Kaminsky, Rochester Institute of Technology Michael Kurdziel, Harris Corporation Stanisław Radziszowski, Rochester Institute
More informationRecent Meet-in-the-Middle Attacks on Block Ciphers
ASK 2012 Nagoya, Japan Recent Meet-in-the-Middle Attacks on Block Ciphers Takanori Isobe Sony Corporation (Joint work with Kyoji Shibutani) Outline 1. Meet-in-the-Middle (MitM) attacks on Block ciphers
More informationCSE 127: Computer Security Cryptography. Kirill Levchenko
CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified
More informationComplementing Feistel Ciphers
Ivica Nikolić (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg 11 March 2013 1 Complementation Property 2 General Complementation Property
More informationChapter 3 Block Ciphers and the Data Encryption Standard
Chapter 3 Block Ciphers and the Data Encryption Standard Last Chapter have considered: terminology classical cipher techniques substitution ciphers cryptanalysis using letter frequencies transposition
More informationCryptography and Network Security. Sixth Edition by William Stallings
Cryptography and Network Security Sixth Edition by William Stallings Chapter 5 Advanced Encryption Standard Advance Encryption Standard Topics Origin of AES Basic AES Inside Algorithm Final Notes Origins
More informationThe Rectangle Attack
The Rectangle Attack and Other Techniques for Cryptanalysis of Block Ciphers Orr Dunkelman Computer Science Dept. Technion joint work with Eli Biham and Nathan Keller Topics Block Ciphers Cryptanalysis
More informationAnalysis of Involutional Ciphers: Khazad and Anubis
Analysis of Involutional Ciphers: Khazad and Anubis Alex Biryukov Katholieke Universiteit Leuven, Dept. ESAT/COSIC, Leuven, Belgium abiryuko@esat.kuleuven.ac.be Abstract. In this paper we study structural
More informationNew Impossible Differential Search Tool from Design and Cryptanalysis Aspects -- Revealing Structural Properties of Several Ciphers
New Impossible Differential earch Tool from Design and Cryptanalysis Aspects -- Revealing tructural Properties of everal Ciphers Yu asaki and Yosuke Todo Eurocrypt 217 3 May 217 Impossible Differential
More informationA Brief Outlook at Block Ciphers
A Brief Outlook at Block Ciphers Pascal Junod École Polytechnique Fédérale de Lausanne, Suisse CSA 03, Rabat, Maroc, 10-09-2003 Content Generic Concepts DES / AES Cryptanalysis of Block Ciphers Provable
More informationAttack on DES. Jing Li
Attack on DES Jing Li Major cryptanalytic attacks against DES 1976: For a very small class of weak keys, DES can be broken with complexity 1 1977: Exhaustive search will become possible within 20 years,
More informationInformation Security CS526
Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for
More informationSymmetric Cryptography. Chapter 6
Symmetric Cryptography Chapter 6 Block vs Stream Ciphers Block ciphers process messages into blocks, each of which is then en/decrypted Like a substitution on very big characters 64-bits or more Stream
More informationCryptography and Network Security
Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 6: Advanced Encryption Standard (AES) Ion Petre Department of IT, Åbo Akademi University 1 Origin of AES 1999: NIST
More informationGoals of Modern Cryptography
Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary
More informationFew Other Cryptanalytic Techniques
Few Other Cryptanalytic Techniques Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Boomerang Attack
More informationTwo Attacks on Reduced IDEA (Extended Abstract)
1 Two Attacks on Reduced IDEA (Extended Abstract) Johan Borst 1, Lars R. Knudsen 2, Vincent Rijmen 2 1 T.U. Eindhoven, Discr. Math., P.O. Box 513, NL-5600 MB Eindhoven, borst@win.tue.nl 2 K.U. Leuven,
More informationIntroduction to Cryptology. Lecture 17
Introduction to Cryptology Lecture 17 Announcements HW7 due Thursday 4/7 Looking ahead: Practical constructions of CRHF Start Number Theory background Agenda Last time SPN (6.2) This time Feistel Networks
More informationA Meet in the Middle Attack on Reduced Round Kuznyechik
IEICE TRANS. FUNDAMENTALS, VOL.Exx??, NO.xx XXXX 200x 1 LETTER Special Section on Cryptography and Information Security A Meet in the Middle Attack on Reduced Round Kuznyechik Riham ALTAWY a), Member and
More informationA Meet-in-the-Middle Attack on 8-Round AES
A Meet-in-the-Middle Attack on 8-Round AES Hüseyin Demirci 1 and Ali Aydın Selçuk 2 1 Tübitak UEKAE, 41470 Gebze, Kocaeli, Turkey huseyind@uekae.tubitak.gov.tr 2 Department of Computer Engineering Bilkent
More informationCSCI 454/554 Computer and Network Security. Topic 3.1 Secret Key Cryptography Algorithms
CSCI 454/554 Computer and Network Security Topic 3.1 Secret Key Cryptography Algorithms Outline Introductory Remarks Feistel Cipher DES AES 2 Introduction Secret Keys or Secret Algorithms? Security by
More informationAES Variants Secure Against Related-Key Differential and Boomerang Attacks
AES Variants Secure Against Related-Key Differential and Boomerang Attacks Jiali Choy 1, Aileen Zhang 1, Khoongming Khoo 1, Matt Henricksen 2 and Axel Poschmann 3 1 DSO National Laboratories 20 Science
More informationSymmetric Cryptography CS461/ECE422
Symmetric Cryptography CS461/ECE422 1 Outline Overview of Cryptosystem design Commercial Symmetric systems DES AES Modes of block and stream ciphers 2 Reading Section 2.4-2.6 and 12.2 in Security in Computing
More informationSymmetric Encryption Algorithms
Symmetric Encryption Algorithms CS-480b Dick Steflik Text Network Security Essentials Wm. Stallings Lecture slides by Lawrie Brown Edited by Dick Steflik Symmetric Cipher Model Plaintext Encryption Algorithm
More informationSecret Key Cryptography (Spring 2004)
Secret Key Cryptography (Spring 2004) Instructor: Adi Shamir Teaching assistant: Eran Tromer 1 Background Lecture notes: DES Until early 1970 s: little cryptographic research in industry and academcy.
More informationSecret Key Algorithms (DES)
Secret Key Algorithms (DES) G. Bertoni L. Breveglieri Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Pseudorandom Permutations unctions that look like random permutations Syntax: Key space K (usually {0,1}
More informationDigital Logic Design using Verilog and FPGA devices Part 2. An Introductory Lecture Series By Chirag Sangani
Digital Logic Design using Verilog and FPGA devices Part 2 An Introductory Lecture Series By A Small Recap Verilog allows us to design circuits, FPGAs allow us to test these circuits in real-time. The
More informationAEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2014 AEGIS 1
AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University KU Leuven and iminds 1 AEGIS: A shield carried by Athena and Zeus 2 Different Design Approaches:
More informationAutomatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia, Khazad and Others
Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia, Khazad and Others Alex Biryukov and Ivica Nikolić University of Luxembourg {alex.biryukov,ivica.nikolic}uni.lu
More informationGrain of Salt An Automated Way to Test Stream Ciphers through SAT Solvers
Grain of Salt An Automated Way to Test Stream Ciphers through SAT Solvers Mate Soos UPMC LIP6, PLANETE team INRIA, SALSA team INRIA Abstract. In this paper we describe Grain of Salt, a tool developed to
More informationUsing SAT Solvers to Detect Contradictions in Differential Characteristics
Using SAT Solvers to Detect Contradictions in Differential Characteristics Lukas Prokop Advisors: Florian Mendel, Martin Schläffer Institute for Applied Information Processing
More informationImproved Key Recovery Attacks on Reduced-Round AES with Practical Data and Memory Complexities
Improved Key Recovery Attacks on Reduced-Round AES with Practical Data and Memory Complexities Achiya Bar-On 1, Orr Dunkelman 2, Nathan Keller 1, Eyal Ronen 3, and Adi Shamir 3 1 Department of Mathematics,
More informationPiret and Quisquater s DFA on AES Revisited
Piret and Quisquater s DFA on AES Revisited Christophe Giraud 1 and Adrian Thillard 1,2 1 Oberthur Technologies, 4, allée du doyen Georges Brus, 33 600 Pessac, France. c.giraud@oberthur.com 2 Université
More informationDesign of block ciphers
Design of block ciphers Joan Daemen STMicroelectronics and Radboud University University of Zagreb Zagreb, Croatia, March 23, 2016 1 / 49 Outline 1 Data Encryption Standard 2 Wide Trail Strategy 3 Rijndael
More informationSymmetric Key Encryption. Symmetric Key Encryption. Advanced Encryption Standard ( AES ) DES DES DES 08/01/2015. DES and 3-DES.
Symmetric Key Encryption Symmetric Key Encryption and 3- Tom Chothia Computer Security: Lecture 2 Padding Block cipher modes Advanced Encryption Standard ( AES ) AES is a state-of-the-art block cipher.
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Previously on COS 433 Confusion/Diffusion Paradigm f 1 f 2 f 3 f 4 f 5 f 6 Round π 1 f 7 f 8 f 9 f 10 f 11 f 12 π 2 Substitution
More informationReport on Present State of CIPHERUNICORN-A Cipher Evaluation (full evaluation)
Report on Present State of CIPHERUNICORN-A Cipher Evaluation (full evaluation) January 28, 2002 Masayuki Kanda, Member Symmetric-Key Cryptography Subcommittee 1 CIPHERUNICORN-A CIPHERUNICORN-A was presented
More informationComp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today
Comp527 status items Crypto Protocols, part 2 Crypto primitives Today s talk includes slides from: Bart Preneel, Jonathan Millen, and Dan Wallach Install the smart card software Bring CDs back to Dan s
More informationIntegral Cryptanalysis of the BSPN Block Cipher
Integral Cryptanalysis of the BSPN Block Cipher Howard Heys Department of Electrical and Computer Engineering Memorial University hheys@mun.ca Abstract In this paper, we investigate the application of
More informationVortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less Multiplication
Vortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less ultiplication Shay Gueron 2, 3, 4 and ichael E. Kounavis 1 1 Corresponding author, Corporate Technology Group, Intel Corporation,
More informationDifferential Cryptanalysis
Differential Cryptanalysis See: Biham and Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. c Eli Biham - March, 28 th, 2012 1 Differential Cryptanalysis The Data
More informationSymmetric Cryptography
CSE 484 (Winter 2010) Symmetric Cryptography Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...
More informationEfficient Implementation of Grand Cru with TI C6x+ Processor
Efficient Implementation of Grand Cru with TI C6x+ Processor Azhar Ali Khan 1, Ghulam Murtaza 2 1 Sichuan University, Chengdu, China 2 National University of Sciences and Technology, Islamabad, Pakistan
More informationCryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái
Cryptography and Network Security Block Ciphers + DES Lectured by Nguyễn Đức Thái Outline Block Cipher Principles Feistel Ciphers The Data Encryption Standard (DES) (Contents can be found in Chapter 3,
More informationAIT 682: Network and Systems Security
AIT 682: Network and Systems Security Topic 3.1 Secret Key Cryptography Algorithms Instructor: Dr. Kun Sun Outline Introductory Remarks Feistel Cipher DES AES 2 Introduction Secret Keys or Secret Algorithms?
More informationSymmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.
Symmetric Key Algorithms Definition A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting. 1 Block cipher and stream cipher There are two main families
More informationMILP Modeling for (Large) S-boxes to Optimize Probability of Differential Characteristics
MILP Modeling for (Large) S-boxes to Optimize Probability of Differential Characteristics Ahmed Abdelkhalek 1, Yu Sasaki 2, Yosuke Todo 2, Mohamed Tolba 1 and Amr M. Youssef 1 1 Concordia Institute for
More informationRelated-key Attacks on Triple-DES and DESX Variants
Related-key Attacks on Triple-DES and DESX Variants Raphael C.-W. han Department of Engineering, Swinburne Sarawak Institute of Technology, 1st Floor, State Complex, 93576 Kuching, Malaysia rphan@swinburne.edu.my
More informationGrain of Salt An Automated Way to Test Stream Ciphers through SAT Solvers
Grain of Salt An Automated Way to Test Stream Ciphers through SAT Solvers Mate Soos UPMC LIP6, PLANETE team INRIA, SALSA team INRIA Abstract. In this paper we describe Grain of Salt, a tool developed to
More informationA New Meet-in-the-Middle Attack on the IDEA Block Cipher
A New Meet-in-the-Middle Attack on the IDEA Block Cipher Hüseyin Demirci 1, Ali Aydın Selçuk, and Erkan Türe 3 1 Tübitak UEKAE, 41470 Gebze, Kocaeli, Turkey huseyind@uekae.tubitak.gov.tr Department of
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 7 September 23, 2015 CPSC 467, Lecture 7 1/1 Advanced Encryption Standard AES Alternatives CPSC 467,
More informationWeek 5: Advanced Encryption Standard. Click
Week 5: Advanced Encryption Standard Click http://www.nist.gov/aes 1 History of AES Calendar 1997 : Call For AES Candidate Algorithms by NIST 128-bit Block cipher 128/192/256-bit keys Worldwide-royalty
More informationH must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)
What is a hash function? mapping of: {0, 1} {0, 1} n H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls) The Merkle-Damgård algorithm
More informationNew Attacks on Feistel Structures with Improved Memory Complexities
New Attacks on Feistel Structures with Improved Memory Complexities Itai Dinur 1, Orr Dunkelman 2,4,, Nathan Keller 3,4,, and Adi Shamir 4 1 Département d Informatique, École Normale Supérieure, Paris,
More informationUNIT - II Traditional Symmetric-Key Ciphers. Cryptography & Network Security - Behrouz A. Forouzan
UNIT - II Traditional Symmetric-Key Ciphers 1 Objectives To define the terms and the concepts of symmetric key ciphers To emphasize the two categories of traditional ciphers: substitution and transposition
More informationPractical Key Recovery Attack on MANTIS 5
ractical Key Recovery Attack on ANTI Christoph Dobraunig, aria Eichlseder, Daniel Kales, and Florian endel Graz University of Technology, Austria maria.eichlseder@iaik.tugraz.at Abstract. ANTI is a lightweight
More informationSyrvey on block ciphers
Syrvey on block ciphers Anna Rimoldi Department of Mathematics - University of Trento BunnyTn 2012 A. Rimoldi (Univ. Trento) Survey on block ciphers 12 March 2012 1 / 21 Symmetric Key Cryptosystem M-Source
More informationSmall-Footprint Block Cipher Design -How far can you go?
Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1, L.R. Knudsen 2, G. Leander 1, C. Paar 1, A. Poschmann 1, M.J.B. Robshaw 3, Y. Seurin 3, C. Vikkelsoe 2 1 Ruhr-University Bochum,
More informationHOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)
AES Block Cipher Blockciphers are central tool in the design of protocols for shared-key cryptography What is a blockcipher? It is a function E of parameters k and n that maps { 0, 1} k { 0, 1} n { 0,
More informationCryptography. Summer Term 2010
Summer Term 2010 Chapter 2: Hash Functions Contents Definition and basic properties Basic design principles and SHA-1 The SHA-3 competition 2 Contents Definition and basic properties Basic design principles
More informationA SIMPLIFIED IDEA ALGORITHM
A SIMPLIFIED IDEA ALGORITHM NICK HOFFMAN Abstract. In this paper, a simplified version of the International Data Encryption Algorithm (IDEA) is described. This simplified version, like simplified versions
More informationLecture 2: Secret Key Cryptography
T-79.159 Cryptography and Data Security Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi 1 Reminder: Communication Model Adversary Eve Cipher, Encryption
More informationHigh-Performance Cryptography in Software
High-Performance Cryptography in Software Peter Schwabe Research Center for Information Technology Innovation Academia Sinica September 3, 2012 ECRYPT Summer School: Challenges in Security Engineering
More informationCryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles
Cryptography and Network Security Chapter 3 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 3 Block Ciphers and the Data Encryption Standard All the afternoon Mungo had been working
More informationComputer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Cryptography Part II Paul Krzyzanowski Rutgers University Spring 2018 March 23, 2018 CS 419 2018 Paul Krzyzanowski 1 Block ciphers Block ciphers encrypt a block of plaintext at a
More information