Power Analysis of MAC-Keccak: A Side Channel Attack
Advanced Cryptography
Kyle McGlynn
Professor Stanislaw Radziszowski
May 6,

1 Introduction

Recently, in the spring of 2017, two documents were discovered to have the same hash value when run through the Secure Hashing Algorithm 1 (SHA-1) cryptographic hash algorithm. Although these documents were found only through great effort and time, this discovery is an indicator that SHA-1 may not be secure for much longer. One consequence of a general attack upon SHA-1 would be for the security of hash-based message authentication codes (HMAC) that use SHA-1 as their hash function. According to the National Institute of Technology and Information's (NIST) FIPS PUB 128, "the strength of HMAC is based on reasonable assumptions of the underlying hash function..." [10]. Even without a general attack upon SHA-1, the continued security of HMAC is now in question.

With the inevitable fall of SHA-1 now much more imminent, many have begun to look towards Keccak. Chosen as the finalist for NIST's SHA-3 competition, Keccak differs from SHA-1 in that it is based upon a sponge construction. Furthermore, when used to produce keyed message authentication codes, it does not require a nested construction, as HMAC does, to prevent length extension attacks. Until relatively recently, NIST had not issued any recommended algorithm for producing message authentication codes with Keccak. Between the time Keccak was declared the winner of the SHA-3 competition and NIST's recent publication of a recommended algorithm, a number of attacks were proposed against Keccak. Perhaps most dangerous amongst these are attacks that glean secret information from the physical effects of running Keccak on a device. Such attacks are known in general as side channel attacks. This paper will explore a form of side channel attack against Keccak-based message authentication codes (MAC-Keccak) known as power analysis.
Three types of power analysis shall be introduced: simple, differential, and correlation. A brief overview of Keccak shall then give context to a discussion of a differential power analysis attack against Keccak proposed by Taha et al. [14] and a
correlation power analysis attack against Keccak by Luo et al. [8]. The results of these attacks shall be analyzed, and then different countermeasures against power analysis shall be introduced before concluding with a discussion of the feasibility of these attacks.

2 Side Channel Attack

When attempting to break a cryptographic operation, there are a number of possible avenues of attack. Perhaps the algorithm behind the cryptographic operation is mathematically weak, in which case it is possible to develop an algorithm which can break the operation in a reasonable amount of time. A good example of this would be the use of Index Calculus to break discrete-log-based cryptographic systems that operate in $\mathbb{Z}_p$. Or perhaps the implementation of the cryptographic operation is incorrect and thus vulnerable to attack. Each of these can be easily remedied: discrete-log-based cryptographic systems can use elliptic curves, thereby preventing the use of Index Calculus, and significant analysis, review, and testing of an implementation before delivery can ensure that the implementation is correct.

However, even if cryptographic operations are mathematically strong and implemented without error, it is still possible to break an operation by taking advantage of the physical side effects produced by executing the operation on hardware. These physical effects include electromagnetic radiation, thermal radiation, acoustic emanations, and power consumption, and they unintentionally leak information about the cryptographic operation. Attacks that gather secret information from these physical effects to break a cryptographic operation are known as side channel attacks.

Figure 1: Abstract overview of possible side channels [15]

3 Power Analysis

Power analysis is one such side channel attack; it leverages the power consumption of a device running a cryptographic operation to retrieve secret information about that operation. This secret information is usually the secret keys
used by the cryptographic operation to encrypt, sign, or hash. The idea behind power analysis is that the power consumption of a device running a cryptographic operation is influenced by the data being processed by the operation. This influence can be seen in the form of power traces taken while the device is running a cryptographic operation. A power trace is simply a collection of measurements, taken a number of times per second, of a device's power consumption while a cryptographic operation is being performed. When plotted over time, this collection appears as a wave, as seen in figure 2. These power traces can be used in three different types of power analysis: simple power analysis, differential power analysis, and correlation power analysis.

Figure 2: Power trace of AES-128 taken across three milliseconds [7]

3.1 Simple Power Analysis (SPA)

As its name implies, simple power analysis is a straightforward process that makes little use of mathematical machinery. Here, features of the power trace that are directly visible are analyzed to draw inferences about the cryptographic operation's behavior. For example, in figure 2 the ten rounds of AES-128 can be clearly seen as ten distinct humps in the power trace. These segments can then be compared to discern secret information. While simple power analysis is effective and efficient for most devices, it is severely affected by noise in the data. Again, as can be seen in figure 2, although the ten rounds of AES-128 are clearly visible, there is too much noise in the data to make a simple comparison between the different segments meaningful. Because of this, techniques such as differential power analysis and correlation power analysis appear to be more useful, as they reduce the role that noise plays in the analysis.

3.2 Differential Power Analysis (DPA)

Unlike simple power analysis, differential power analysis makes use of statistical methods to analyze power traces to retrieve secret information.
It does so by using a selection function to partition a collection of power traces into two sets, and determining secret information through their comparison.
The selection function makes an educated guess of the possible values of one or more unknown, intermediate values of a cryptographic operation. For example, a selection function for AES-128 may determine, based upon the data seen so far in a power trace, that the least significant bit of the encrypted text after the very first AddRoundKey operation will be a 0 or a 1 [7]. Whether this guess was correct or wrong is used to sort the power traces into two partitions. Mathematically, the selection function can be expressed as:

$$D(C_i, K_n)$$ [7]

where $C_i$ is the set of known and unknown values for power trace $T_i$ at time $j$ ($T_i[j]$) and $K_n$ is the candidate value(s) for the unknown value(s). The selection function should target an operation that mixes known and unknown information, such as in the AddRoundKey example above.

Once a set of $m$ power traces is partitioned into two groups according to the selection function, the average of each group is taken and then the difference of the groups is calculated at every point $j$ in time. The idea is that, if the candidate value $K_n$ was correct, then the resulting power trace obtained by calculating the difference between the two averaged groups should show a large spike at the guessed location at time $j$. If the candidate value was not correct, then a relatively flat power trace is expected, since the selection function will effectively have separated the set of power traces into two random groups. The difference of the averages of these two random groups will be close to zero all along the power trace. This difference can be mathematically expressed as:

$$\Delta_D[j] = \frac{\sum_{i=1}^{m} D(C_i, K_n)\, T_i[j]}{\sum_{i=1}^{m} D(C_i, K_n)} - \frac{\sum_{i=1}^{m} \bigl(1 - D(C_i, K_n)\bigr)\, T_i[j]}{\sum_{i=1}^{m} \bigl(1 - D(C_i, K_n)\bigr)}$$ [7]

Figure 3 demonstrates this process. The top two power traces of the figure are the average power traces of the two partitions created by the selection function. If simple power analysis were applied here, it would be difficult to discern any meaningful information.
However, by taking their difference and then magnifying it, the power trace at the bottom of the figure can be obtained. As can be seen, there are a number of large spikes in the resulting power trace. Because of this, we can assume that the selection function and the candidate value were correct. By looking at figure 4, we can see instances where the resulting power traces were relatively flat for different candidate values. Amongst them, the middle power trace is considered the most likely to correspond to the correct value of the unknown, since it demonstrates the greatest spikes in its power consumption at time $j$.
Figure 3: Partition, average, and magnification of AES-128 power traces [7]

Figure 4: Resulting differences for values of $K_n$ [7]

3.3 Correlation Power Analysis (CPA)

Similar to differential power analysis, correlation power analysis makes use of statistical methods. However, in this case correlation coefficients are used to determine the correctness of a candidate value. Once again a selection function is used but, unlike in differential power analysis where it is used to partition a set of power traces, here it is used to compute the correlation between the Hamming Distance or Hamming Weight of a candidate value and the actual power consumption. The Hamming Weight is the number of bits set to 1 in a data word. For example, the Hamming Weight of the data word is four. Similarly, the Hamming Distance is the number of bits that must be flipped to go from one data word $R$ to another data word $D$. Conceptually, this is a more general idea of the Hamming Weight [6], where $R$ is assumed to be 0, and so can be expressed as:
$$HW(D \oplus R)$$ [6]

where $HW$ calculates the Hamming Weight of the result of XOR-ing $R$ and $D$, thereby determining the number of bits that must be flipped to go from $R$ to $D$. For use in correlation power analysis, a candidate value $R$ for an unknown value is used alongside known information to calculate either a Hamming Distance or a Hamming Weight. The result is then correlated with the actual power consumption of the device. The candidate $R$ that produces the greatest correlation coefficient is considered to be the correct value of the unknown.

4 Keccak (SHA-3)

This section serves as a brief introduction to Keccak, to provide context for the following sections on the power analysis of Keccak. Chosen as the winning algorithm of NIST's SHA-3 competition, Keccak is based upon the sponge construction. This construction is unique in that the size of its internal state is larger than the size of its input or output blocks. In addition, the sponge construction is modular in that the function used to encrypt, sign, or hash can be swapped out. Indeed, the part of the Keccak algorithm that sets it apart from any other sponge-based cryptographic operation is the Keccak function. Sponge-based cryptographic operations work by first absorbing blocks of data. Once all of the data has been absorbed, the encrypted data, hash, or signature is squeezed out in blocks. Between every absorbed and squeezed block, the modular function of the sponge construction is run on the internal state. The security of this construction is claimed to be equivalent to that of a random oracle [3].

Figure 5: Overview of the sponge construction [3]
Figure 6: Overview of the internal state of Keccak [14]

Keccak's internal state is imagined as a cube, and is recommended to be $(x \times y \times z)$ bits in dimension for a total of 1600 bits of internal state. This cube is then abstractly considered in terms of planes, lanes, sheets, and columns, as shown in figure 6. The Keccak function operates upon this cube between every absorbed and squeezed block. This function is broken down into five steps: θ, ρ, π, χ, and υ.

The θ step is responsible for the diffusion of the effects of the characters in the plain text upon the resulting cryptographic hash. It works by taking the parity of two columns and XOR-ing these parity bits with the value of a single bit in the state. This is done for every bit in the state. Mathematically:

$$S(x, y, z) = S(x, y, z) \oplus \Bigl(\bigoplus_{i=0}^{4} S(x-1, i, z)\Bigr) \oplus \Bigl(\bigoplus_{i=0}^{4} S(x+1, i, z-1)\Bigr)$$ [14]

Steps ρ and π essentially shuffle the lanes of the state around, while step χ provides non-linearity to the hash. It does this by flipping every bit in the state according to the values of two other bits in its row. This can be expressed as:

$$S(x, y, z) = S(x, y, z) \oplus \bigl((1 \oplus S(x+1, y, z)) \wedge S(x+2, y, z)\bigr)$$ [14]

Finally, in the υ step a round constant is XOR-ed with every bit in the state. It is worth noting that every indexing operation done on the x and y dimensions is done modulo 5, while every indexing operation done on the z dimension is done modulo 64. This ensures that none of the steps stray outside of the state. Significant hand waving has been done here in regards to steps ρ, π, and υ. This is not because these steps are insignificant, but rather because in terms of power analysis we are only interested in steps θ and χ, since it is at these steps that unknown information (a secret key) is mixed with known information (the plain text to be hashed).
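To make the five steps concrete, the following added example (written for this page; it is not the paper's code nor the Keccak team's) implements Keccak-f[1600] from the θ and χ formulas above, with the ρ offsets and π lane mapping from the Keccak reference, and checks the resulting SHA3-256 against the platform's hashlib. The state is held as 25 little-endian 64-bit lanes indexed x + 5y, so the x/y indexing modulo 5 and z indexing modulo 64 described in the text appear directly.

```python
"""Keccak-f[1600] and SHA3-256 written from the five steps of Section 4 (added example)."""
import hashlib  # used only to cross-check the result

MASK64 = (1 << 64) - 1

# rho rotation offsets r[x][y] from the Keccak reference (the lane shuffle the
# text only sketches); pi then moves lane (x, y) to (y, 2x + 3y mod 5)
RHO = [[0, 36, 3, 41, 18],
       [1, 44, 10, 45, 2],
       [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56],
       [27, 20, 39, 8, 14]]


def rol64(v: int, n: int) -> int:
    """Rotate a 64-bit lane left by n bits (indexing on z is modulo 64)."""
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def round_constant(ir: int) -> int:
    """Round constant for the last step (called upsilon in the text, iota in FIPS 202),
    generated by the 8-bit LFSR of FIPS 202 Algorithm 5 instead of a typed table."""
    def rc(t: int) -> int:
        if t % 255 == 0:
            return 1
        r = 1
        for _ in range(t % 255):
            r <<= 1
            if r & 0x100:
                r ^= 0x171  # x^8 + x^6 + x^5 + x^4 + 1
        return r & 1
    return sum(rc(j + 7 * ir) << ((1 << j) - 1) for j in range(7))


def theta(a: list) -> list:
    """theta: S(x,y,z) ^= parity(x-1, z) ^ parity(x+1, z-1); rol by 1 supplies z-1."""
    c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
    d = [c[(x - 1) % 5] ^ rol64(c[(x + 1) % 5], 1) for x in range(5)]
    return [a[i] ^ d[i % 5] for i in range(25)]


def rho_pi(a: list) -> list:
    """rho rotates each lane, pi moves it: B(y, 2x+3y) = rot(A(x, y), r[x][y])."""
    b = [0] * 25
    for x in range(5):
        for y in range(5):
            b[y + 5 * ((2 * x + 3 * y) % 5)] = rol64(a[x + 5 * y], RHO[x][y])
    return b


def chi(b: list) -> list:
    """chi, the only non-linear step: S(x,y,z) ^= (1 ^ S(x+1,y,z)) & S(x+2,y,z)."""
    return [b[x + 5 * y] ^ ((~b[(x + 1) % 5 + 5 * y] & MASK64) & b[(x + 2) % 5 + 5 * y])
            for y in range(5) for x in range(5)]


def keccak_f1600(lanes: list) -> list:
    """24 rounds of theta, rho, pi, chi, iota on a 25-lane state."""
    a = list(lanes)
    for ir in range(24):
        a = chi(rho_pi(theta(a)))
        a[0] ^= round_constant(ir)  # iota touches lane (0, 0) only
    return a


def sha3_256(msg: bytes) -> str:
    """SHA3-256: sponge with a 1088-bit (136-byte) rate and 512-bit capacity."""
    rate = 136
    # SHA-3 domain bits 01 followed by pad10*1 give the 0x06 ... 0x80 byte pattern
    padded = bytearray(msg) + b"\x06"
    padded += b"\x00" * ((-len(padded)) % rate)
    padded[-1] |= 0x80
    state = [0] * 25
    for off in range(0, len(padded), rate):            # absorbing phase
        for i in range(rate // 8):                      # lane i = x + 5*y, little-endian
            state[i] ^= int.from_bytes(padded[off + 8 * i: off + 8 * i + 8], "little")
        state = keccak_f1600(state)
    # squeezing phase: a 256-bit digest fits in the first four lanes of one block
    return b"".join(lane.to_bytes(8, "little") for lane in state[:4]).hex()


def matches_hashlib(msg: bytes) -> bool:
    """Cross-check against the platform SHA3-256 implementation."""
    return sha3_256(msg) == hashlib.sha3_256(msg).hexdigest()
```

Because θ and χ are separate functions, the two steps the text singles out for power analysis can be inspected on their own, e.g. by feeding `theta` a state in which only message lanes are known.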
5 DPA Against MAC-Keccak

Assuming that an attacker is able to gather the information needed to perform power analysis on the power consumption of a device running MAC-Keccak, there are a few hurdles to the success of differential power analysis. First, the
length of the secret key used is not fixed. Unlike previous message authentication code algorithms, MAC-Keccak does not restrict the key to a certain length. In regards to differential power analysis, this makes it difficult to determine where the key ends and the message begins. Second, the target operations, namely steps θ and χ, are located deep within the algorithm. Unlike previous message authentication code algorithms, where the key and message are XOR-ed together before entering the function, in MAC-Keccak the key is appended or prepended to the message and is only finally mixed with the message at steps θ and χ.

While nothing can be done about steps θ and χ being located deep within the function, it is possible to discover the length of the key using correlation power analysis. This technique is described by Zohner et al. [16], whereby correlation power analysis is applied to every message bit. The function:

$$HW(M_i \,\|\, c)$$ [16]

is used to determine correlation, where $HW$ is the Hamming Weight, $M_i$ are the message bits processed so far and $c$ is a 0 or 1. So long as a correlation is observed, the message bit is added to $M_i$ and the process continues. However, once no correlation is observed it must be the case that we have discovered the portion of the initial state that contains the key.

Once the length of the key is determined, it is finally possible to begin recovery of the key by means of differential power analysis. Proposed by Taha et al. [14], the general idea is:

1. Add all known bits to a set V.
2. Calculate all values that depend upon currently known bits and add them to V.
3. Target an operation that processes some element(s) of V and an unknown bit.
4. Run differential power analysis against the operation to recover the unknown and add it to V.
5. Repeat steps two through four until all unknowns are recovered.

For most situations, targeting step θ is enough to recover the entire key. To do this, step θ is conceptually broken into two separate steps: $\theta_1$ and $\theta_2$.
Step $\theta_1$ calculates the parity of a given column, while $\theta_2$ calculates the XOR of the parity bits of two columns and a bit of the state. For keys less than or equal to 320 bits in length, it is enough to target $\theta_1$, since four known message bits are XOR-ed with one unknown key bit. It is trivial in this case to run differential power analysis, targeting the parity of a column, to determine the value of the unknown key bit. If the key is greater than 320 bits in length, then the parities of the columns must be added to V and $\theta_2$ must be targeted when it is applied to key bits. Here, two known values (the parity bits) are XOR-ed with a single unknown bit. Once again, it is simple to run differential
power analysis, targeting the result of XOR-ing the parity bits and the unknown bit, to find the key bit.

Figure 7: Abstract overview of step θ [14]

In the unlikely event that the key bits are interleaved with the message bits, it is no longer enough to target step θ. In this case, step χ must be targeted. To do so, the parity bits of the columns with known values are found and added to V. These bits are then traced through steps ρ and π. In step χ, differential power analysis can be run, targeting the result of the XOR operation between a bit and two bits in its row, to recover an unknown bit. It is then necessary to return to step θ and use this recovered value to recover more unknowns.

6 CPA Against MAC-Keccak

Unlike the differential power analysis attack described above, the correlation power analysis attack described by Luo et al. [8] is a hardware-specific attack that targets the output of the first application of the Keccak function. Here, the output of the function, denoted by $R_1$, and the state of the register before the end of the first application of the function, denoted by $I$, are the main focus. The two forms of this attack, bit-by-bit and row-by-row, each take advantage of the observation that there is a strong correlation between $HW(R_1)$ (the Hamming Weight of the register) and power consumption. In the bit-by-bit attack, a single bit of the register, denoted $R_1(x, y, z)$, is used in the correlation power analysis selection function:

$$HD\bigl(I(x, y, z), R_1(x, y, z)\bigr) = HW\bigl(R_1(x, y, z)\bigr)$$ [8]

Here, $R_1(x, y, z)$ is a candidate value for the output of step χ with the round constant added in step υ. However, the output of step χ is decided by three bits which, when traced back through steps ρ and π, are three bits from the output of step θ. These three bits can then be XOR-ed together to reveal secret
10 information. The bit-by-bit attack has a few drawbacks. First, the work done ends up being redundant and far too many traces are needed because of a low signal-tonoise ratio. Additionally, this process must be repeated for all 1600 bits of the state. An alternative to this is the row-by-row attack wherein an entire row of values is used, rather than a single bit. This row is denoted R 1 (X, y, z) where X indicates the entire row at x. Unlike the bit-by-bit attack, the row-by-row attack requires fewer power traces because of a higher signal-to-noise ratio and only requires 320 iterations (one for each row in the state) versus the 1600 needed for the bit-by-bit attack. As a result of attacking in this row-by-row fashion, the selection function becomes: HD(I(X, y, z), R 1 (X, y, z)) = HW (R 1 (X, y, z))[8] where the Hamming Distance of a row in the register and a row in the output of the Keccak function is compared to the Hamming Weight of the same row in the output. The idea behind the row-by-row attack is that, because of step π, the five bits in a row of the output of step χ depend upon only five bits of the output of step θ. By attacking the rows, fewer power traces are needed and there is less redundancy. The power of this attack can be seen in the resulting correlation graph. Compared to bit-by-bit, the correlation in row-by-row has less noise. 10
Figure 8: Result of row-by-row attack (a) vs. result of bit-by-bit attack (b) [8]

7 Results

While these power analyses of Keccak may seem to be extremely powerful attacks against MAC-Keccak, there are a few caveats, as shown in the results of the attacks presented by Taha et al. [14] and Luo et al. [8]. The results of these attacks, and their ramifications for MAC-Keccak, are discussed below.

7.1 DPA

As demonstrated by Taha et al. [14], it is easy to find keys of length less than 320 bits by targeting the part of step θ designated as $\theta_1$. However, it appears that as the length of the key is increased, the success of this attack decreases. Taha et al. [14] tested this approach on a number of large key lengths; their justification for doing so was that current cryptographic systems such as RSA make use of extremely large keys, so it would not be too far-fetched to imagine MAC-Keccak using a large key. Their results are presented in figure 8, where success rate is the percentage of key bits successfully recovered using their differential power
analysis attack.

Figure 9: Results of DPA against MAC-Keccak using various key lengths [14]

As can be seen, for keys of 768 bits the success rate appears to plateau at 90% when more than 40,000 power traces are used. At face value, this seems to be quite a step up from not knowing anything at all. But when we consider that recovery of 90% of 768 bits means that roughly 77 bits are still unknown, this is not much of an improvement. For 77 unknown bits there are $2^{77}$ possible values for those bits; while the birthday paradox reduces the amount of work needed to roughly $2^{39}$, it is still computationally expensive. When we consider the worst case for the attacker, when a key of 1024 bits is used, we can see that recovery tapers off at around 45% when more than 20,000 power traces are used. This leaves over 563 bits unknown for a whopping possibilities. Even after applying the birthday paradox, the amount of work needed to find the unknown bits is still over ; this is currently an infeasible amount to brute force on current hardware.

7.2 CPA

The success of the correlation power analysis attack against MAC-Keccak, especially the row-by-row attack, is entirely dependent upon the key length. So long as the key is less than or equal to 320 bits in length, the row-by-row attack can be applied to quickly and efficiently recover the secret key. If the key is between 320 and 640 bits, the row-by-row attack must be modified to attack all of the rows of the state after the first round. If, however, the key is greater
than 640 bits in length, then the row-by-row attack must be abandoned in favor of a bit-by-bit attack. Figure 9 demonstrates the success rate of a row-by-row attack against a key length of 640 bits. As can be seen, this attack is quite effective when 35,000 power traces are used. Unfortunately, no similar graph or data was provided by Luo et al. [8] in regards to the success rate of a bit-by-bit attack against extremely long key lengths.

Figure 10: Result of running CPA against MAC-Keccak with a key of 640 bits [8]

8 Counter Measures

While differential power analysis and correlation power analysis pose significant threats to the security of MAC-Keccak, there are a number of counter measures to all forms of power analysis beyond simply increasing the length of the key. At the hardware level, gates and circuits can be designed and built in such a way that leakage is reduced. In code, the random insertion of dummy instructions, or a randomized order of operations that does not break the behavior of the algorithm, can increase the difficulty of aligning the power traces and thereby obfuscate the information. The algorithm of the cryptographic operation can be modified so that operations are computed in a manner that reduces leakage. Finally, and perhaps most simply, the protocol controlling access to the cryptographic operation can be modified to detect an attacker and thereby prevent, or reduce the number of times, the attacker can run the cryptographic operation to gather power traces. The following sections will focus on counter measures at the algorithmic level, in particular masking, and on Keccak-MAC, a recent MAC algorithm proposed by NIST that uses Keccak.
8.1 Masking

Also known as blinding, masking is a method whereby key or data words are represented using two or more shares. Each of these shares, save one, is generated randomly for every execution of the cryptographic operation. Once generated, these shares are used in such a way that there is never any correlation to the original value. For example, say we have a data word $x$. Then we can generate at least two shares, $x'$ and $r_x$, such that:

$$x = x' + r_x$$

Here, $x'$ is referred to as the masked variable and $r_x$ is referred to as the mask. We can understand the generation of these shares in the following way: $k$ random shares are generated (e.g. $r_{1x}, r_{2x}, \ldots, r_{kx}$) and their sum is applied to $x$ to produce $x'$. The word "applied" is used here because the operation used between the shares to produce the original can be any group operation. This includes addition, subtraction, XOR, bit shift, and rotate. A nice feature of using these group operations is that the shares may be operated upon independently and yet produce the same result as if the original values had been used. For example, say $a + b = c$. Even if $a$ and $b$ are represented as shares, we can still create $c$ by operating over the shares:

$$a = a' + r_a, \qquad b = b' + r_b$$
$$c' = a' + b', \qquad r_c = r_a + r_b$$

It is then possible to recover $c$, if we so choose, by combining the shares using the group operation ($c = c' + r_c$).

As mentioned by Bertoni et al. [1], there are some issues with using masking, chiefly when attempting to perform Boolean operations on shares in arithmetic form (e.g. $x = x' + r_x$) or attempting to perform arithmetic operations on shares in Boolean form (e.g. $x = x' \oplus r_x$). The solution is to convert between the two forms in a secure manner by using elementary operations (AND, OR, etc.) and/or lookup tables. However, doing so greatly increases the number of elementary operations and/or the memory of the cryptographic operation.
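The following added example (not from the paper or from Bertoni et al.) carries the share arithmetic above through on 64-bit Keccak lanes: the $\theta_1$ column parity computed on Boolean shares, the $a + b = c$ example on arithmetic shares, and the arithmetic/Boolean mismatch that Bertoni et al. warn about. The lane values and seeds are constructed; a real implementation would draw the masks from a hardware random source.

```python
"""Share-based masking from Section 8.1 applied to 64-bit Keccak lanes (added example).
XOR is the group operation for Boolean shares, addition mod 2^64 for arithmetic shares."""
import random

MASK64 = (1 << 64) - 1


def boolean_shares(x: int, rng: random.Random):
    """x = x' XOR r_x, with a fresh mask r_x for every execution."""
    r_x = rng.getrandbits(64)
    return x ^ r_x, r_x


def arithmetic_shares(x: int, rng: random.Random):
    """x = x' + r_x (mod 2^64)."""
    r_x = rng.getrandbits(64)
    return (x - r_x) & MASK64, r_x


def column_parity(column: list) -> int:
    """theta_1 of the text: XOR of the five lanes that form one column."""
    p = 0
    for lane in column:
        p ^= lane
    return p


def masked_column_parity(column: list, seed: int):
    """theta_1 on Boolean shares. XOR is the shares' own group operation, so the masked
    lanes and the masks are processed separately and the real parity is never formed."""
    rng = random.Random(seed)
    shares = [boolean_shares(lane, rng) for lane in column]
    return (column_parity([s[0] for s in shares]),   # c' = a' XOR b' XOR ...
            column_parity([s[1] for s in shares]))   # r_c = r_a XOR r_b XOR ...


def masked_sum(a: int, b: int, seed: int):
    """The text's a + b = c example on arithmetic shares: c' = a' + b', r_c = r_a + r_b."""
    rng = random.Random(seed)
    a_m, r_a = arithmetic_shares(a, rng)
    b_m, r_b = arithmetic_shares(b, rng)
    return (a_m + b_m) & MASK64, (r_a + r_b) & MASK64


def xor_on_arithmetic_shares(a: int, b: int, seed: int) -> int:
    """The mismatch Bertoni et al. describe: a Boolean operation applied share-wise to
    arithmetic shares. Recombining with + does not yield a XOR b."""
    rng = random.Random(seed)
    a_m, r_a = arithmetic_shares(a, rng)
    b_m, r_b = arithmetic_shares(b, rng)
    return ((a_m ^ b_m) + (r_a ^ r_b)) & MASK64


def masked_share_bias(secret: int, trials: int, seed: int = 3) -> float:
    """Fraction of executions in which bit 0 of the masked share equals bit 0 of the secret.
    A value near 0.5 means the share alone says nothing about the secret, which removes
    the data dependence that DPA and CPA exploit."""
    rng = random.Random(seed)
    hits = sum((boolean_shares(secret, rng)[0] ^ secret) & 1 == 0 for _ in range(trials))
    return hits / trials
```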
8.2 Keccak-MAC

Keccak-MAC (KMAC) is a recently recommended hash-based keyed message authentication code algorithm published by NIST alongside other Keccak-derived functions. Unlike HMAC, which uses a nested construction to prevent length extension attacks, KMAC does not require such a construction because of the sponge construction used in Keccak. However, unlike the MAC-Keccak considered so far, KMAC does not simply append or prepend the key to the message. Instead, a series of encodings and paddings are applied to the key before it is prepended to the message. After this, the key-message bit string is encoded and padded even further when it is passed to cSHAKE, an extendable-output function that was announced alongside KMAC. The pseudo-code
for KMAC-128 [12] is shown below (note that ‖ indicates concatenation):

    KMAC128(K, X, L, S):
        newX = bytepad(encode_string(K), 168) ‖ X ‖ right_encode(L)
        return cSHAKE128(newX, L, "KMAC", S)

    cSHAKE128(X, L, N, S):
        if N = ε and S = ε:
            return SHAKE128(X, L)
        else:
            return KECCAK[256](bytepad(encode_string(N) ‖ encode_string(S), 168) ‖ X ‖ 00, L)

The parameters to KMAC, K, X, L, and S, are the key, message, desired output length, and a customization bit string, respectively. The parameters to cSHAKE, X, L, N, and S, are the message, desired output length, a function name as a bit string, and a customization bit string, respectively. The encode_string function seen above prepends to its argument a byte string encoding of the argument's length, as generated by the left_encode function (not shown). Similarly, the bytepad function prepends a byte string encoding of its second argument to its first argument, and then appends a number of zeroes to the result until its length in bytes is a multiple of the second argument. Before the key is even prepended to the message in KMAC, it is of the form:

    left_encode(168) ‖ left_encode(len(K)) ‖ K

Inside of the cSHAKE function, the key-message-length value is prepended by a padded concatenation of encodings of the customization bit string and the function name bit string. After two zeroes are appended, the entire value is passed to the Keccak hashing algorithm. At this point, the key is buried deep within the value.

Both of the power analysis attacks discussed earlier attack the first round of the hashing algorithm. However, as shown in the pseudo-code and as has been discussed, the key is preceded by an encoding of the customization bit string and the function name bit string that is some multiple of 168 bytes in length. Assuming it is exactly 168 bytes in length, there are 256 bits left in the state in the first round that most likely contain the key.
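The encoding layer is what moves the key away from the first absorbed block, and it can be traced byte by byte. The following added example (not the paper's or NIST's code) implements left_encode, right_encode, encode_string and bytepad as described above and reports the offset at which the key starts in the string handed to KECCAK[256], for an empty customization string and for longer ones; the key, message and S values are constructed. Lengths are encoded in bits, so the len(K) of the text is 8 * len(K) in bytes-based code.

```python
"""KMAC128/cSHAKE128 encoding functions from Section 8.2, used to locate the key in the
KECCAK[256] input (added example; K, X and S values are constructed)."""
RATE_128 = 168  # bytes per absorbed block of cSHAKE128 (1344 bits); the w used by KMAC128


def left_encode(x: int) -> bytes:
    """Big-endian bytes of x, preceded by one byte giving how many bytes follow."""
    n = max(1, (x.bit_length() + 7) // 8)
    return bytes([n]) + x.to_bytes(n, "big")


def right_encode(x: int) -> bytes:
    """As left_encode, but with the byte count appended instead of prepended."""
    n = max(1, (x.bit_length() + 7) // 8)
    return x.to_bytes(n, "big") + bytes([n])


def encode_string(s: bytes) -> bytes:
    """left_encode of the length in bits, followed by the string itself."""
    return left_encode(8 * len(s)) + s


def bytepad(x: bytes, w: int) -> bytes:
    """left_encode(w) ‖ x, zero-padded to a whole number of w-byte blocks."""
    z = left_encode(w) + x
    return z + b"\x00" * ((-len(z)) % w)


def kmac128_keccak_input(K: bytes, X: bytes, L: int, S: bytes):
    """Bytes that cSHAKE128 hands to KECCAK[256] for KMAC128, and the byte offset of K.
    The trailing 00 domain bits are sub-byte and left to the Keccak padding."""
    new_x = bytepad(encode_string(K), RATE_128) + X + right_encode(L)
    prefix = bytepad(encode_string(b"KMAC") + encode_string(S), RATE_128)
    # inside new_x the key follows left_encode(168) and left_encode(8 * len(K))
    key_offset = len(prefix) + len(left_encode(RATE_128)) + len(left_encode(8 * len(K)))
    return prefix + new_x, key_offset


def key_block_index(K: bytes, X: bytes, L: int, S: bytes) -> int:
    """Index (from 0) of the 168-byte block, i.e. of the Keccak-f application, whose
    absorbed input contains the first key byte."""
    _, off = kmac128_keccak_input(K, X, L, S)
    return off // RATE_128


if __name__ == "__main__":
    K = bytes(range(0x40, 0x60))          # constructed 32-byte key
    X = b"\x00\x01\x02\x03"               # constructed message
    for S in (b"", b"My Tagged Application", b"c" * 200):
        data, off = kmac128_keccak_input(K, X, 256, S)
        print(f"{len(S):3d}-byte S: input {len(data)} bytes, key at byte {off}, "
              f"absorbed in block {key_block_index(K, X, 256, S)}")
```

With an empty customization string the N/S prefix is exactly one 168-byte block and the key begins at byte 173, so the first Keccak-f call absorbs only the encoding; a 200-byte S pushes the prefix to 336 bytes and the key one block further, which is the uncertainty about attack depth the text goes on to describe.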
But, if the length of the customization bit string and function name bit string encodings and padding is some larger multiple of 168, say 336 or 504, then the key cannot possibly fit in the state in the first round. While the function name bit string is known ("KMAC"), the customization bit string may not be known. This makes it difficult to simply target a deeper round of the Keccak hashing algorithm, since it is unknown how deep the attack will have to be moved. Furthermore, depending on the length of the customization bit string and function name bit string encodings and paddings, it could be the case that key bits are divided across two rounds of the algorithm.

As mentioned, KMAC is a recent hash-based keyed message authentication code algorithm published by NIST. The power analysis attacks discussed so far were published before KMAC was announced and have assumed a prepending
or appending of the secret key to the message without any sort of encodings or paddings.

9 Conclusion

In this paper a side channel attack known as power analysis has been discussed, which leverages the power consumption of a machine running a cryptographic operation to retrieve secret information. In particular, this paper has looked at applications of differential and correlation power analysis in the retrieval of key bits from a Keccak-based keyed message authentication code algorithm (MAC-Keccak). Methods of countering power analysis of MAC-Keccak, such as masking and NIST's recent Keccak-MAC (KMAC) algorithm, have also been looked at.

A significant question is whether any of the attacks discussed are practical. The answer is an uninspiring yes and no. To begin with, the power analysis attacks discussed make a few assumptions about an attacker's access to a machine running a cryptographic operation and about the operation itself: that the attacker has physical access to the machine; that the attacker can run the cryptographic operation any number of times to gather the necessary number of power traces; that the MAC-Keccak implementation directly prepends or appends the key to the message without any encoding or padding; and that the secret key is less than 768 bits in length. If all of these assumptions are true, then the attacks described above can recover the secret key; conversely, if any of these assumptions are false, then the attacks become infeasible. While side channel attacks such as power analysis lie at the edge of possibility, it is incumbent upon developers and implementers of cryptographic systems to keep in mind that implementation or algorithmic weaknesses are not the only ways to break a system. Indeed, as demonstrated by the discussed differential and correlation power analyses against MAC-Keccak, even an extremely strong cryptographic system such as Keccak can be broken without breaking the algorithm.
It is necessary, therefore, to keep the physical effects of running a cryptographic operation in mind while designing and implementing cryptographic systems.

References

[1] Bertoni, G., Daemen, J., Peeters, M., Assche, G. V., and Keer, R. V. Note on side-channel attacks and their countermeasures.
[2] Bertoni, G., Daemen, J., Peeters, M., Assche, G. V., and Keer, R. V. Teak keccak.
[3] Bertoni, G., Daemen, J., Peeters, M., Assche, G. V., and Keer, R. V. Cryptographic Sponge Functions.
[4] Bertoni, G., Daemen, J., Peeters, M., Assche, G. V., and Keer, R. V. The KECCAK Reference.
[5] Bertoni, G., Daemen, J., Peeters, M., Assche, G. V., and Keer, R. V. The KECCAK SHA-3 Submission.
[6] Brier, E., Clavier, C., and Olivier, F. Correlation Power Analysis with a Leakage Model. Springer, Heidelberg.
[7] Kocher, P., Jaffe, J., Jun, B., and Rohatgi, P. Introduction to Differential Power Analysis. Springer, Heidelberg.
[8] Luo, P., Fei, Y., Fang, X., Ding, A., Kaeli, D., and Leeser, M. Side-Channel Analysis of MAC-Keccak Hardware Implementations. In Proceedings of the Fourth Workshop on Hardware and Architectural Support for Security and Privacy (2015).
[9] Lynn, B. Pseudo-random functions.
[10] National Institute of Technology and Information. FIPS PUB 198: The Keyed-Hash Message Authentication Code (HMAC). National Institute of Technology and Information, Gaithersburg.
[11] National Institute of Technology and Information. FIPS PUB 202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. National Institute of Technology and Information, Gaithersburg.
[12] National Institute of Technology and Information. NIST Special Publication: SHA-3 Derived Functions. National Institute of Technology and Information, Gaithersburg.
[13] Stinson, D. R. Cryptography: Theory and Practice, 3rd Edition. Chapman & Hall/CRC, Boca Raton.
[14] Taha, M., and Schaumont, P. Differential Power Analysis of MAC-Keccak at Any Key-Length. Springer, Heidelberg.
[15] Tran, X. Power Analysis Attacks on Keccak. RIT Scholar Works, Rochester.
[16] Zohner, M., Kasper, M., Stöttinger, M., and Huss, S. Side Channel Analysis of the SHA-3 Finalists. In Design, Automation & Test in Europe Conference & Exhibition (2012), pp.