AlgebraicDierential Cryptanalysis of DES
|
|
- Amos Todd
- 5 years ago
- Views:
Transcription
1 AlgebraicDierential Cryptanalysis of DES JeanCharles Faugère Ludovic Perret PierreJean Spaenlehauer UPMC LIP6 CNRS INRIA Paris - Rocquencourt SALSA team Journées C2 1/33 PJ Spaenlehauer
2 Plan Introduction 1 Introduction 2 Data Encryption Standard Modeling Experimental results 3 2/33 PJ Spaenlehauer
3 Plan Introduction 1 Introduction 2 Data Encryption Standard Modeling Experimental results 3 3/33 PJ Spaenlehauer
4 Algebraic Cryptanalysis 4/33 PJ Spaenlehauer
5 Algebraic Cryptanalysis Algebraic representation of a cryptographic primitive. Tools for ecient polynomial system solving. 1 Gröbner Bases algorithms (Buchberger, Faugère F4 and F5). 2 SAT Solvers. Remark There is a very strong link between the modeling and the tools used for the resolution. Challenge Can algebraic cryptanalysis be ecient against block ciphers? 5/33 PJ Spaenlehauer
6 Our work SAT Solvers attacks against DES using dierent modelings of the DES S-boxes. Incorporation of elements from dierential cryptanalysis new attacks against 6,7 and 8 rounds of DES using dedicated characteristics. Tradeo between time and data complexity. 6/33 PJ Spaenlehauer
7 Polynomial System Solving SAT Solvers? Very ecient and exible dedicated softwares. SAT-competition. Active research eld. Easy to use. Low memory comsumption. 7/33 PJ Spaenlehauer
8 Courtois N.T., Bard G.V. and Jeerson C. Ecient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF (2) via SAT-Solvers. Replace each monomial by a new variable. Cut linear equations into smaller equations (by adding new variables). + optimizations. MiniSat2 Een, N. and Sorensson, N. MiniSat: A SAT solver with conict-clause minimization 8/33 PJ Spaenlehauer
9 Sparse quadratic systems 9/33 PJ Spaenlehauer
10 Plan Introduction Data Encryption Standard Modeling Experimental results 1 Introduction 2 Data Encryption Standard Modeling Experimental results 3 10/33 PJ Spaenlehauer
11 Data Encryption Standard Data Encryption Standard Modeling Experimental results Iterative Block Cipher Bloc size : 64 bits Eective size of the key : 56 bits Encryption standard between 1976 and 2002 Why did we choose to study the DES? 11/33 PJ Spaenlehauer
12 Main attacks against DES Data Encryption Standard Modeling Experimental results Wiener, M.J. Ecient DES key search. Technical Report Biham, E. and Shamir, A. Dierential cryptanalysis of the full 16-round DES. Crypto'1992 Knudsen, L.R. Partial and higher order dierentials and applications to the DES. BRICS report Matsui, M. Linear cryptanalysis method for DES cipher. EUROCRYPT' /33 PJ Spaenlehauer
13 DES Structure Data Encryption Standard Modeling Experimental results Feistel network 3/33 PJ Spaenlehauer
14 DES Structure Data Encryption Standard Modeling Experimental results Feistel network S-boxes : non-linear part of the system 3/33 PJ Spaenlehauer
15 Data Encryption Standard Modeling Experimental results Starting point N.T. Courtois, G.V. Bard Algebraic Cryptanalysis of the Data Encryption Standard IMA Int. Conf General principle Remark 1 known plaintext. Model the cryptosystem by a set of clauses. Use Minisat to extract the key. We can combine this approach with an exhaustive search over some bits of the key. 14/33 PJ Spaenlehauer
16 S-boxes modeling (I) Data Encryption Standard Modeling Experimental results We have considered several modelings of the DES S-boxes. The choice of the modeling is very important. Our modeling We search (exhaustively) for the set of polynomials which verify : P(x1,..., x6, y1,..., y4) = (x i + α i ) (y i + β i ), α i, β i {0, 1} such that S(x1,..., x6) = (y1,..., y4) P(x1,..., x6, y1,..., y4) = 0 Complexity : /33 PJ Spaenlehauer
17 S-box modeling (II) Data Encryption Standard Modeling Experimental results S-box Nb of clauses S S S S S S S S For 6 rounds : 792 variables and clauses. + partial exhaustive search on 28 bits of the key. 16/33 PJ Spaenlehauer
18 Experimental results Data Encryption Standard Modeling Experimental results 17/33 PJ Spaenlehauer
19 Plan Introduction 1 Introduction 2 Data Encryption Standard Modeling Experimental results 3 18/33 PJ Spaenlehauer
20 Our approach Limit Algebraic cryptanalysis usually consider only one known plaintext. We combine algebraic cryptanalysis and statistical techniques to exploit eciently the knowledge of several plaintexts. Tradeo time/plaintexts. In particular, we consider dierential cryptanalysis. 19/33 PJ Spaenlehauer
21 Dierential cryptanalysis (I) The principle was known by the DES designers. Based on a statistical bias of the S-boxes. Key recovery attack. We try to predict how the dierence of a pair of plaintexts will diuse through the cipher. 20/33 PJ Spaenlehauer
22 Dierential cryptanalysis of the 3 round-reduced DES A0 L x x + F x x A0 L B + F 2 A0 L A0 L B out = A0 L A3 R in = B = A3 L + F 3 A3 L A3 R 21/33 PJ Spaenlehauer
23 Dierential cryptanalysis (II) more than 3 rounds Statistical method. dierential characteristics. A lot of plaintexts needed. 22/33 PJ Spaenlehauer
24 Motivations Compromise between algebraic cryptanalysis and dierential cryptanalysis. We can use the strong correlation between the subkeys. The notion of dierence is easy to represent with clauses. We only need one pair following the characteristic to retrieve the key. 23/33 PJ Spaenlehauer
25 General algorithm Repeat until the key is found : Choose a dierential characteristic. Choose two plaintexts with dierence xed by the characteristic. Construct the system of clauses for DES, and add the clauses corresponding to the characteristic. Solve with MiniSat. If the result is UNSATISFIABLE, restart (it means that the pair didn't follow the characteristic). If the result is SATISFIABLE, then MiniSat returns the key. 24/33 PJ Spaenlehauer
26 Six rounds Approach Classical dierential characteristics. Combination of dierent characteristics to reduce the data complexity. 25/33 PJ Spaenlehauer
27 Six rounds Approach Classical dierential characteristics. Combination of dierent characteristics to reduce the data complexity. How to combine We can run MiniSat 6 times with 7 plaintexts. Six 3-rounds characteristics 1,..., 6. 7 plaintexts m 0,..., m 6 such that m i = m 0 δ i. 25/33 PJ Spaenlehauer
28 Experimental results Cryptanalysis Plaintexts Time Dierential (Biham, Shamir) 240 0,3 seconds Dierential (Knudsen) 46 a few seconds Algebraic with SAT Solver seconds (Courtois, Bard) Algebraic-dierential seconds Algebraic-dierential 22 <10 hours (combination of characteristics) 26/33 PJ Spaenlehauer
29 Seven rounds For seven rounds and more, the classical dierential characteristics don't seem to be adapted. We have used a dedicated dierential characteristic. Truncated characteristic with probability 1/ /33 PJ Spaenlehauer
30 S-Box δ in δ out Proba S1 4 x 6 x 10/64 8 x 3 x 12/64 S2 4 x 10 x 10/64 4 x 12 x 10/64 8 x 9 x 10/64 8 x 10 x 16/64 12 x 5 x 14/64 S3 4 x 9 x 12/64 8 x 3 x 10/64 12 x 5 x 12/64 12 x 6 x 12/64 S4 4 x 6 x 12/64 4 x 9 x 12/64 Boîte-S δ in δ out Proba S5 4 x 6 x 10/64 8 x 6 x 10/64 8 x 10 x 10/64 12 x 3 x 10/64 12 x 6 x 10/64 12 x 10 x 10/64 S6 8 x 6 x 16/64 12 x 3 x 12/64 12 x 5 x 10/64 S7 8 x 10 x 12/64 12 x 12 x 14/64 S8 4 x 12 x 10/64 12 x 5 x 10/64 12 x 6 x 10/64 28/33 PJ Spaenlehauer
31 0L = R = F k with probability L = R = F k with probability 1 2L = R = F k with probability L = R = F k with probability 100/64 2 4L = R = F k with probability 1 5L = R = %%0%00%00%%%%0000%%%0%000%0%%00% 29/33 PJ Spaenlehauer
32 Experimental results 7 rounds cryptanalysis 2000 chosen plaintexts 3 hours Not so much results on 7 rounds in the literature. 30/33 PJ Spaenlehauer
33 Eight rounds We have found a 5-round truncated dierential characteristic with probability 1/ partial exhaustive search over 8 bits of the key. 8 rounds cryptanalysis chosen plaintexts and 2 25 seconds. 31/33 PJ Spaenlehauer
34 Summary Rounds Cryptanalysis Nb of plaintexts Time 6 di (Biham,Shamir) 240 (chosen) 0,3 s di (Knudsen) 46 (chosen) <10 s alg (Courtois,Bard) 1 (known) 2 25 s di + alg 32 (chosen) 3000 s di + alg 22 (chosen) <10 h 7 di + alg 2000 (chosen) s 8 di (Biham,Shamir) (chosen) 100 s lin (Matsui) 2 20 (known) 40 s di + alg (chosen) 2 25 s di+lin (Hellman,Langford) 512 (chosen) few seconds 32/33 PJ Spaenlehauer
35 Conclusion Use of statistical methods in algebraic cryptanalysis. New attacks on 6, 7 and 8 rounds of DES using dedicated characteristics. Tradeo plaintexts/time.
36 Conclusion Use of statistical methods in algebraic cryptanalysis. New attacks on 6, 7 and 8 rounds of DES using dedicated characteristics. Tradeo plaintexts/time. Related work (Cryptanalysis of Present) M. Albrecht and C. Cid Algebraic Techniques in Dierential Cryptanalysis FSE2009
37 Conclusion Use of statistical methods in algebraic cryptanalysis. New attacks on 6, 7 and 8 rounds of DES using dedicated characteristics. Tradeo plaintexts/time. Related work (Cryptanalysis of Present) M. Albrecht and C. Cid Algebraic Techniques in Dierential Cryptanalysis FSE2009 Future work Extension of this attack for more rounds? Algebraic-dierential cryptanalysis of DES with Gröbner Bases? Other cryptosystems? Other statistical tools (dierential-linear cryptanalysis,... )?
Algebraic-Differential Cryptanalysis of DES
Algebraic-Differential Cryptanalysis of DES Jean-Charles FAUGÈRE, Ludovic PERRET, Pierre-Jean SPAENLEHAUER UPMC, Univ Paris 06, LIP6 INRIA, Centre Paris-Rocquencourt, SALSA Project CNRS, UMR 7606, LIP6
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London Egham, Surrey TW20 0EX, United Kingdom {M.R.Albrecht,carlos.cid}@rhul.ac.uk
More informationA Methodology for Differential-Linear Cryptanalysis and Its Applications
A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter: Jian Guo Institute for Infocomm Research, Agency for Science, Technology and Research, 1 Fusionopolis Way,
More informationDierential-Linear Cryptanalysis of Serpent? Haifa 32000, Israel. Haifa 32000, Israel
Dierential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel fbiham,orrdg@cs.technion.ac.il 2 Mathematics Department,
More informationDifferential Cryptanalysis
Differential Cryptanalysis See: Biham and Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. c Eli Biham - March, 28 th, 2012 1 Differential Cryptanalysis The Data
More informationTwo Attacks on Reduced IDEA (Extended Abstract)
1 Two Attacks on Reduced IDEA (Extended Abstract) Johan Borst 1, Lars R. Knudsen 2, Vincent Rijmen 2 1 T.U. Eindhoven, Discr. Math., P.O. Box 513, NL-5600 MB Eindhoven, borst@win.tue.nl 2 K.U. Leuven,
More informationSAT Solvers in the Context of Cryptography
SAT Solvers in the Context of Cryptography v2.0 Presentation at Montpellier Mate Soos UPMC LIP6, PLANETE team INRIA, SALSA Team INRIA 10th of June 2010 Mate Soos (UPMC LIP6, PLANETE team SAT INRIA, solvers
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion, Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics
More informationEvaluation of security level of CLEFIA
Evaluation of security level of CLEFIA An anonymous reviewer Version 1.0 January 25, 2011 1 Evaluation of security level of CLEFIA 1 Contents Executive Summary 3 References 4 1 Introduction 8 2 CLEFIA
More informationA Chosen-Plaintext Linear Attack on DES
A Chosen-Plaintext Linear Attack on DES Lars R. Knudsen and John Erik Mathiassen Department of Informatics, University of Bergen, N-5020 Bergen, Norway {lars.knudsen,johnm}@ii.uib.no Abstract. In this
More informationCryptanalysis of Symmetric-Key Primitives: Automated Techniques
1 / 39 Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU Leuven, Belgium IBBT, Belgium Summer School on Tools, Mykonos Tuesday, May 29, 2012 2 / 39 Outline 1 2
More informationThe Rectangle Attack
The Rectangle Attack and Other Techniques for Cryptanalysis of Block Ciphers Orr Dunkelman Computer Science Dept. Technion joint work with Eli Biham and Nathan Keller Topics Block Ciphers Cryptanalysis
More informationA Brief Outlook at Block Ciphers
A Brief Outlook at Block Ciphers Pascal Junod École Polytechnique Fédérale de Lausanne, Suisse CSA 03, Rabat, Maroc, 10-09-2003 Content Generic Concepts DES / AES Cryptanalysis of Block Ciphers Provable
More informationOn the Design of Secure Block Ciphers
On the Design of Secure Block Ciphers Howard M. Heys and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University Kingston, Ontario K7L 3N6 email: tavares@ee.queensu.ca
More informationTwo Attacks Against the HBB Stream Cipher
Two Attacks Against the HBB Stream Cipher Antoine Joux 1 and Frédéric Muller 2 1 DGA and Univ. Versailles St-Quentin Antoine.Joux@m4x.org 2 DCSSI Crypto Lab Frederic.Muller@sgdn.pm.gouv.fr Abstract. Hiji-Bij-Bij
More informationRECTIFIED DIFFERENTIAL CRYPTANALYSIS OF 16 ROUND PRESENT
RECTIFIED DIFFERENTIAL CRYPTANALYSIS OF 16 ROUND PRESENT Manoj Kumar 1, Pratibha Yadav, Meena Kumari SAG, DRDO, Metcalfe House, Delhi-110054, India mktalyan@yahoo.com 1 ABSTRACT In this paper, we have
More informationSymmetric Cryptography. Chapter 6
Symmetric Cryptography Chapter 6 Block vs Stream Ciphers Block ciphers process messages into blocks, each of which is then en/decrypted Like a substitution on very big characters 64-bits or more Stream
More informationWeak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis
3. 2 13.57 Weak eys for a Related-ey Differential Attack Weak eys of the Full MISTY1 Block Cipher for Related-ey Cryptanalysis Institute for Infocomm Research, Agency for Science, Technology and Research,
More informationData Encryption Standard (DES)
Data Encryption Standard (DES) GA18 Nicolas T. Courtois University College London, UK DES history/standardisation/speed 2 DES Federal Standard FIPS 46-3 Intended to be used to protect all US government
More informationPractical Algebraic Attacks on the HITAG2 TM Stream Cipher
Practical Algebraic Attacks on the HITAG2 TM Stream Cipher Nicolas T. Courtois 1 Sean O Neil 2 Jean-Jacques Quisquater 3 1 - University College London, UK 2 - VEST Corporation, France 3 - Université Catholique
More informationCryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles
Cryptography and Network Security Chapter 3 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 3 Block Ciphers and the Data Encryption Standard All the afternoon Mungo had been working
More informationImproved Truncated Differential Attacks on SAFER
Improved Truncated Differential Attacks on SAFER Hongjun Wu * Feng Bao ** Robert H. Deng ** Qin-Zhong Ye * * Department of Electrical Engineering National University of Singapore Singapore 960 ** Information
More informationCryptanalysis of Block Ciphers: A Survey
UCL Crypto Group Technical Report Series Cryptanalysis of Block Ciphers: A Survey Francois-Xavier Standaert, Gilles Piret, Jean-Jacques Quisquater REGARDS GROUPE http://www.dice.ucl.ac.be/crypto/ Technical
More informationAnalysis of MARS. January 12, 2001
Analysis of MARS January 12, 2001 Executive Summary This report presents the results of a limited evaluation of the block cipher MARS. No important weaknesses or flaws were found on MARS. The round function
More informationLinear Cryptanalysis of FEAL 8X Winning the FEAL 25 Years Challenge
Linear Cryptanalysis of FEAL 8X Winning the FEAL 25 Years Challenge Yaniv Carmeli Joint work with Prof. Eli Biham CRYPTODAY 2014 FEAL FEAL Published in 1987, designed by Miyaguchi and Shimizu (NTT). 64-bit
More informationLinear Cryptanalysis of Reduced Round Serpent
Linear Cryptanalysis of Reduced Round Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion Israel Institute of Technology, Haifa 32000, Israel, {biham,orrd}@cs.technion.ac.il,
More informationImproved Attack on Full-round Grain-128
Improved Attack on Full-round Grain-128 Ximing Fu 1, and Xiaoyun Wang 1,2,3,4, and Jiazhe Chen 5, and Marc Stevens 6, and Xiaoyang Dong 2 1 Department of Computer Science and Technology, Tsinghua University,
More informationNetwork Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar
Network Security Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar Modern Block Ciphers now look at modern block ciphers one of the most widely used types
More informationInternational Journal for Research in Applied Science & Engineering Technology (IJRASET) Performance Comparison of Cryptanalysis Techniques over DES
Performance Comparison of Cryptanalysis Techniques over DES Anupam Kumar 1, Aman Kumar 2, Sahil Jain 3, P Kiranmai 4 1,2,3,4 Dept. of Computer Science, MAIT, GGSIP University, Delhi, INDIA Abstract--The
More informationGrain of Salt An Automated Way to Test Stream Ciphers through SAT Solvers
Grain of Salt An Automated Way to Test Stream Ciphers through SAT Solvers Mate Soos UPMC LIP6, PLANETE team INRIA, SALSA team INRIA Abstract. In this paper we describe Grain of Salt, a tool developed to
More informationOn the Security of the 128-Bit Block Cipher DEAL
On the Security of the 128-Bit Block Cipher DAL Stefan Lucks Theoretische Informatik University of Mannheim, 68131 Mannheim A5, Germany lucks@th.informatik.uni-mannheim.de Abstract. DAL is a DS-based block
More informationPractical Algebraic Attacks on the HITAG2 TM Stream Cipher in RFID Transponders
Practical Algebraic Attacks on the HITAG2 TM Stream Cipher in RFID Transponders Nicolas T. Courtois 1 Sean O Neil 2 Jean-Jacques Quisquater 3 1 - University College London, UK 2 - VEST Corporation, France
More informationA Related Key Attack on the Feistel Type Block Ciphers
International Journal of Network Security, Vol.8, No.3, PP.221 226, May 2009 221 A Related Key Attack on the Feistel Type Block Ciphers Ali Bagherzandi 1,2, Mahmoud Salmasizadeh 2, and Javad Mohajeri 2
More informationTechnion - Computer Science Department - Technical Report CS
[13] National Bureau of Standards, DS Modes of Operation, U.S. Department of Commerce, FIPS pub. 81, December 1980. [14] Paul C. van Oorschot, Michael J. Wiener, A Known Plaintext Attack on Two-Key Triple
More informationWeak Keys. References
Weak Keys The strength of the encryption function E K (P) may differ significantly for different keys K. If for some set WK of keys the encryption function is much weaker than for the others this set is
More informationChapter 3 Block Ciphers and the Data Encryption Standard
Chapter 3 Block Ciphers and the Data Encryption Standard Last Chapter have considered: terminology classical cipher techniques substitution ciphers cryptanalysis using letter frequencies transposition
More informationPractically secure Feistel ciphers
Practically secure Feistel ciphers Lars R. Knudsen /~rhus University, Denmark** Abstract. In this paper we give necessary design principles to be used, when constructing secure Feistel ciphers. We introduce
More informationCryptanalysis. Andreas Klappenecker Texas A&M University
Cryptanalysis Andreas Klappenecker Texas A&M University How secure is a cipher? Typically, we don t know until it is too late Typical Attacks against Encryption Algorithms Ciphertext only attack: The attacker
More informationIntegral Cryptanalysis of the BSPN Block Cipher
Integral Cryptanalysis of the BSPN Block Cipher Howard Heys Department of Electrical and Computer Engineering Memorial University hheys@mun.ca Abstract In this paper, we investigate the application of
More informationGrain of Salt An Automated Way to Test Stream Ciphers through SAT Solvers
Grain of Salt An Automated Way to Test Stream Ciphers through SAT Solvers Mate Soos UPMC LIP6, PLANETE team INRIA, SALSA team INRIA Abstract. In this paper we describe Grain of Salt, a tool developed to
More informationImproved Integral Attacks on MISTY1
Improved Integral Attacks on MISTY1 Xiaorui Sun and Xuejia Lai Department of Computer Science Shanghai Jiao Tong University Shanghai, 200240, China sunsirius@sjtu.edu.cn, lai-xj@cs.sjtu.edu.cn Abstract.
More informationImproved Algebraic Cryptanalysis of QUAD, Bivium and Trivium via Graph Partitioning on Equation Systems
Improved Algebraic of QUAD, Bivium and Trivium via on Equation Systems Kenneth Koon-Ho Wong 1, Gregory V. Bard 2 1 Information Security Institute Queensland University of Technology, Brisbane, Australia
More informationA Meet-in-the-Middle Attack on 8-Round AES
A Meet-in-the-Middle Attack on 8-Round AES Hüseyin Demirci 1 and Ali Aydın Selçuk 2 1 Tübitak UEKAE, 41470 Gebze, Kocaeli, Turkey huseyind@uekae.tubitak.gov.tr 2 Department of Computer Engineering Bilkent
More informationBreaking Grain-128 with Dynamic Cube Attacks
Breaking Grain-128 with Dynamic Cube Attacks Itai Dinur and Adi Shamir Computer Science department The Weizmann Institute Rehovot 76100, Israel Abstract. We present a new variant of cube attacks called
More informationThe Security of Elastic Block Ciphers Against Key-Recovery Attacks
The Security of Elastic Block Ciphers Against Key-Recovery Attacks Debra L. Cook 1, Moti Yung 2, Angelos D. Keromytis 2 1 Alcatel-Lucent Bell Labs, New Providence, New Jersey, USA dcook@alcatel-lucent.com
More informationNew Cryptanalytic Results on IDEA
New Cryptanalytic Results on IDEA Eli Biham, Orr Dunkelman, Nathan Keller Computer Science Dept., Technion Dept. of Electrical Engineering ESAT SCD/COSIC, KUL Einstein Institute of Mathematics, Hebrew
More informationExternal Encodings Do not Prevent Transient Fault Analysis
External Encodings Do not Prevent Transient Fault Analysis Christophe Clavier Gemalto, Security Labs CHES 2007 Vienna - September 12, 2007 Christophe Clavier CHES 2007 Vienna September 12, 2007 1 / 20
More informationLecture 2: Secret Key Cryptography
T-79.159 Cryptography and Data Security Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi 1 Reminder: Communication Model Adversary Eve Cipher, Encryption
More informationNew Attacks against Reduced-Round Versions of IDEA
New Attacks against Reduced-Round Versions of IDEA Pascal Junod École Polytechnique Fédérale de Lausanne Switzerland pascal@junod.info Abstract. In this paper, we describe a sequence of simple, yet efficient
More informationSmall-Footprint Block Cipher Design -How far can you go?
Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1, L.R. Knudsen 2, G. Leander 1, C. Paar 1, A. Poschmann 1, M.J.B. Robshaw 3, Y. Seurin 3, C. Vikkelsoe 2 1 Ruhr-University Bochum,
More informationBlock Ciphers Tutorial. c Eli Biham - May 3, Block Ciphers Tutorial (5)
Block Ciphers Tutorial c Eli Biham - May 3, 2005 146 Block Ciphers Tutorial (5) A Known Plaintext Attack on 1-Round DES After removing the permutations IP and FP we get: L R 48 K=? F L R c Eli Biham -
More informationPublic-Key Cryptanalysis
http://www.di.ens.fr/ pnguyen INRIA and École normale supérieure, Paris, France MPRI, 2010 Outline 1 Introduction Asymmetric Cryptology Course Overview 2 Textbook RSA 3 Euclid s Algorithm Applications
More informationImproved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN
Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN Shahram Rasoolzadeh and Håvard Raddum Simula Research Laboratory {shahram,haavardr}@simula.no Abstract. We study multidimensional meet-in-the-middle
More informationDesign of block ciphers
Design of block ciphers Joan Daemen STMicroelectronics and Radboud University University of Zagreb Zagreb, Croatia, March 23, 2016 1 / 49 Outline 1 Data Encryption Standard 2 Wide Trail Strategy 3 Rijndael
More informationCryptanalysis of TWIS Block Cipher
Cryptanalysis of TWIS Block Cipher Onur Koçak and Neşe Öztop Institute of Applied Mathematics, Middle East Technical University, Turkey {onur.kocak,noztop}@metu.edu.tr Abstract. TWIS is a 128-bit lightweight
More informationTechnion - Computer Science Department - Technical Report CS
How to Forge DES-Encrypted Messages in 2 28 Steps Eli Biham 1 Abstract In this paper we suggest key-collision attacks, and show that the theoretic strength of a cipher cannot exceed the square root of
More informationA Meet in the Middle Attack on Reduced Round Kuznyechik
IEICE TRANS. FUNDAMENTALS, VOL.Exx??, NO.xx XXXX 200x 1 LETTER Special Section on Cryptography and Information Security A Meet in the Middle Attack on Reduced Round Kuznyechik Riham ALTAWY a), Member and
More informationNew Cryptanalytic Results on IDEA
New Cryptanalytic Results on IDEA Eli Biham, Orr Dunkelman, Nathan Keller Computer Science Dept., Technion Dept. of Electrical Engineering ESAT SCD/COSIC, KUL Einstein Institute of Mathematics, Hebrew
More informationStream Ciphers An Overview
Stream Ciphers An Overview Palash Sarkar Indian Statistical Institute, Kolkata email: palash@isicalacin stream cipher overview, Palash Sarkar p1/51 Classical Encryption Adversary message ciphertext ciphertext
More informationImproved differential fault analysis on lightweight block cipher LBlock for wireless sensor networks
Jeong et al. EURASIP Journal on Wireless Communications and Networking 2013, 2013:151 RESEARCH Improved differential fault analysis on lightweight block cipher LBlock for wireless sensor networks Kitae
More informationRonald L. Rivest. Abstract. This document describes the RC5 encryption algorithm. RC5
The RC5 Encryption Algorithm? Ronald L. Rivest MIT Laboratory for Computer Science 545 Technology Square, Cambridge, Mass. 02139 rivest@theory.lcs.mit.edu Abstract. This document describes the RC5 encryption
More informationOn the structure of Skipjack
Discrete Applied Mathematics 111 (2001) 103 116 On the structure of Skipjack Lars Knudsen a;, David Wagner b a Department of Informatics, University of Bergen, N-5020 Bergen, Norway b University of California
More informationAn Overview of Cryptanalysis Research for the Advanced Encryption Standard
An Overview of Cryptanalysis Research for the Advanced Encryption Standard Alan Kaminsky, Rochester Institute of Technology Michael Kurdziel, Harris Corporation Stanisław Radziszowski, Rochester Institute
More informationFrom Dierential Cryptanalysis to. Ciphertext-Only Attacks.
From Dierential Cryptanalysis to Ciphertext-Only Attacks Alex Biryukov 1; and Eyal Kushilevitz 2; (1) Applied Mathematics Department, (2) Computer Science Department, Technion - Israel Institute of Technology,
More informationThe MESH Block Ciphers
The MESH Block Ciphers Jorge Nakahara Jr, Vincent Rijmen, Bart Preneel, Joos Vandewalle Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Belgium {jorge.nakahara,bart.preneel,joos.vandewalle}@esat.kuleuven.ac.be
More informationData Encryption Standard
ECE 646 Lecture 7 Data Encryption Standard Required Reading W. Stallings, "Cryptography and Network-Security," 5th Edition, Chapter 3: Block Ciphers and the Data Encryption Standard Chapter 6.1: Multiple
More informationImproved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN
Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN Shahram Rasoolzadeh and Håvard Raddum Simula Research Laboratory Abstract. We study multidimensional meet-in-the-middle attacks on the
More informationA New Technique for Sub-Key Generation in Block Ciphers
World Applied Sciences Journal 19 (11): 1630-1639, 2012 ISSN 1818-4952 IDOSI Publications, 2012 DOI: 10.5829/idosi.wasj.2012.19.11.1871 A New Technique for Sub-Key Generation in Block Ciphers Jamal N.
More informationCryptanalysis of Lightweight Block Ciphers
Cryptanalysis of Lightweight Block Ciphers María Naya-Plasencia INRIA, France Šibenik 2014 Outline Introduction Impossible Differential Attacks Meet-in-the-middle and improvements Multiple Differential
More informationImproved Integral Attacks on MISTY1
Improved Integral Attacks on MISTY1 Xiaorui Sun Xuejia Lai Abstract We present several integral attacks on MISTY1 using the F O Relation, which is derived from Sakurai-Zheng Property used in previous attacks.
More informationpage 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas
Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher
More informationComp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today
Comp527 status items Crypto Protocols, part 2 Crypto primitives Today s talk includes slides from: Bart Preneel, Jonathan Millen, and Dan Wallach Install the smart card software Bring CDs back to Dan s
More informationCryptanalysis of Two GOST Variants with 128-Bit Keys
Cryptologia, 38:348 361, 2014 Published with license by Taylor & Francis ISSN: 0161-1194 print DOI: 10.1080/01611194.2014.915706 Cryptanalysis of Two GOST Variants with 128-Bit Keys NICOLAS T. COURTOIS
More informationSolving Quadratic Equations with XL on Parallel Architectures
Solving Quadratic Equations with XL on Parallel Architectures Chen-Mou Cheng 1, Tung Chou 2, Ruben Niederhagen 2, and Bo-Yin Yang 2 1 Intel-NTU Connected Context Computing Center, National Taiwan University,
More informationModern Block Ciphers
Modern Block Ciphers now look at modern block ciphers one of the most widely used types of cryptographic algorithms provide secrecy /authentication services focus on DES (Data Encryption Standard) to illustrate
More informationData Encryption Standard
ECE 646 Lecture 6 Data Encryption Standard Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5th Edition, Chapter 3: Block Ciphers and the Data Encryption Standard Chapter 6.1: Multiple
More informationContemporary Block Ciphers
Contemporary Block Ciphers Lars R. Knudsen University of Bergen, Department of Informatics, Hi-techcenter N-5020 Bergen, Norway Abstract. This paper considers modern secret-key block ciphers. The theory
More informationTechnion - Computer Science Department - Technical Report CS
Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication? Elad Barkan 1 Eli Biham 1 Nathan Keller 2 1 Computer Science Department Technion { Israel Institute of Technology Haifa 32000, Israel
More informationA practical attack on patched MIFARE Classic
A practical attack on patched MIFARE Classic Abstract MIFARE Classic is the world s most widely deployed RFID (radio-frequency identification) technology, and it is supposed to be protected by the proprietary
More informationFull Plaintext Recovery Attack on Broadcast RC4
11 March, 2013 FSE 2013 @ Singapore Full Plaintext Recovery Attack on Broadcast RC4 Takanori Isobe () Toshihiro Ohigashi (Hiroshima University) Yuhei Watanabe () Masakatu Morii () Target Broadcast setting
More informationA SIMPLIFIED IDEA ALGORITHM
A SIMPLIFIED IDEA ALGORITHM NICK HOFFMAN Abstract. In this paper, a simplified version of the International Data Encryption Algorithm (IDEA) is described. This simplified version, like simplified versions
More informationCSCE 813 Internet Security Symmetric Cryptography
CSCE 813 Internet Security Symmetric Cryptography Professor Lisa Luo Fall 2017 Previous Class Essential Internet Security Requirements Confidentiality Integrity Authenticity Availability Accountability
More informationTechnion - Computer Science Department - Technical Report CS
Dierential Fault Analysis of Secret Key Eli Biham Computer Science Department Technion { Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationRelated-key Attacks on Triple-DES and DESX Variants
Related-key Attacks on Triple-DES and DESX Variants Raphael C.-W. han Department of Engineering, Swinburne Sarawak Institute of Technology, 1st Floor, State Complex, 93576 Kuching, Malaysia rphan@swinburne.edu.my
More informationNew Attacks on Feistel Structures with Improved Memory Complexities
New Attacks on Feistel Structures with Improved Memory Complexities Itai Dinur 1, Orr Dunkelman 2,4,, Nathan Keller 3,4,, and Adi Shamir 4 1 Département d Informatique, École Normale Supérieure, Paris,
More informationDifferential Attack on Message Authentication Codes
Differential Attack on Message Authentication Codes Kazuo Ohtal and Mitsuru Matsui2 NTT Network Information Systems Laboratories Nippon Telegraph and Telephone Corporation 1-2356, Take, Yokosuka-shi, Kanagawa-ken,
More informationThe Davies-Murphy Power Attack. Sébastien Kunz-Jacques Frédéric Muller Frédéric Valette DCSSI Crypto Lab
The Davies-Murphy Power Attack Sébastien Kunz-Jacques Frédéric Muller Frédéric Valette DCSSI Crypto Lab Introduction Two approaches for attacking crypto devices traditional cryptanalysis Side Channel Attacks
More informationCryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái
Cryptography and Network Security Block Ciphers + DES Lectured by Nguyễn Đức Thái Outline Block Cipher Principles Feistel Ciphers The Data Encryption Standard (DES) (Contents can be found in Chapter 3,
More informationPlaintext (P) + F. Ciphertext (T)
Applying Dierential Cryptanalysis to DES Reduced to 5 Rounds Terence Tay 18 October 1997 Abstract Dierential cryptanalysis is a powerful attack developed by Eli Biham and Adi Shamir. It has been successfully
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 50 Outline 1 Block Ciphers 2 The Data Encryption Standard (DES) 3 The Advanced Encryption Standard (AES) 4 Attacks
More informationPARAMETRIC TROJANS FOR FAULT-BASED ATTACKS ON CRYPTOGRAPHIC HARDWARE
PARAMETRIC TROJANS FOR FAULT-BASED ATTACKS ON CRYPTOGRAPHIC HARDWARE Raghavan Kumar, University of Massachusetts Amherst Contributions by: Philipp Jovanovic, University of Passau Wayne P. Burleson, University
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.2 Secret Key Cryptography CSC 474/574 Dr. Peng Ning 1 Agenda Generic block cipher Feistel cipher DES Modes of block ciphers Multiple encryptions Message
More informationEfficient Implementation of Grand Cru with TI C6x+ Processor
Efficient Implementation of Grand Cru with TI C6x+ Processor Azhar Ali Khan 1, Ghulam Murtaza 2 1 Sichuan University, Chengdu, China 2 National University of Sciences and Technology, Islamabad, Pakistan
More informationCryptography and Network Security. Sixth Edition by William Stallings
Cryptography and Network Security Sixth Edition by William Stallings Chapter 3 Block Ciphers and the Data Encryption Standard All the afternoon Mungo had been working on Stern's code, principally with
More informationBlock Ciphers and the Data Encryption Standard (DES) Modified by: Dr. Ramzi Saifan
Block Ciphers and the Data Encryption Standard (DES) Modified by: Dr. Ramzi Saifan Block ciphers Keyed, invertible Large key space, large block size A block of plaintext is treated as a whole and used
More informationReport on Present State of CIPHERUNICORN-A Cipher Evaluation (full evaluation)
Report on Present State of CIPHERUNICORN-A Cipher Evaluation (full evaluation) January 28, 2002 Masayuki Kanda, Member Symmetric-Key Cryptography Subcommittee 1 CIPHERUNICORN-A CIPHERUNICORN-A was presented
More informationMulti-Stage Fault Attacks
Multi-Stage Fault Attacks Applications to the Block Cipher PRINCE Philipp Jovanovic Department of Informatics and Mathematics University of Passau March 27, 2013 Outline 1. Motivation 2. The PRINCE Block
More informationDesign and Analysis of Cryptographic Algorithms for Mobile Communication Systems. Henri Gilbert Orange Labs.
Design and Analysis of Cryptographic Algorithms for Mobile Communication Systems Henri Gilbert Orange Labs {firstname.lastname@orange-ftgroup.com} outline development of cryptographic algorithms for a
More informationImproved and Multiple Linear Cryptanalysis of Reduced Round Serpent
Improved and Multiple Linear Cryptanalysis of Reduced Round Serpent Description of the Linear Approximations B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group, Microelectronics Laboratory,
More informationFew Other Cryptanalytic Techniques
Few Other Cryptanalytic Techniques Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Boomerang Attack
More information