A Cautionary Note on Weak Implementations of Block Ciphers
Tim Kerins and Klaus Kursawe
Information and System Security Group, Philips Research Europe
Prof. Holstlaan 4, 5656 AA, Eindhoven, The Netherlands.
{Tim.Kerins,

Abstract. An easy way to mount an attack on software binaries without error checking for the AES, DES and other block ciphers is presented. It is detailed how full key recovery is possible and how common cipher modes of operation are then circumvented. The application of this method to recover key material and data from security systems is then discussed, along with a number of possible countermeasures.

Key words: AES, DES, Sbox, implementation

1 Introduction

There is potentially a wide gap between the theoretical design and analysis of cryptographic primitives and the quality of real-world instantiations and implementations of these. Ciphers and protocols are developed within particular models to resist the currently known mathematical attacks within the bounds of the model. The problems begin when a protocol or security system is implemented in software or hardware, as the real-world implementation may not satisfy the development model. One of the most common model failures is that of the black-box assumption, i.e. that potential attackers do not have access to the cryptographic software or hardware itself. It can be argued that the black-box assumption rarely holds in naive software implementations of cryptographic primitives. In a similar vein to other recent works, for example [1], the aim of this paper is to illustrate the potential difference between cryptography as theoretically developed and security systems as implemented in practice. It is well known that sufficient care is required in the implementation phase or an entire scheme may be broken. See for example the work of Anderson and Kuhn [2, 3].
However, it is dangerous for system designers to assume that cracking implementations of ciphers is only within the capabilities of experts with specialized knowledge and equipment. This paper illustrates the dangers of weak implementations of block ciphers by demonstrating a key recovery method that can be mounted in a matter of minutes. Using only a hex editor program and a single execution of a modified AES binary, the authors were able to extract 128 key bits from a compiled software implementation. This method can be applied to a wide variety of block ciphers with static Sboxes. This easy-to-perform cipher modification also results in the complete break of some common block cipher modes.

The layout of this paper is as follows: Section 2 describes how naive implementations of block ciphers appear in software, a common weakness that can be exploited, and some related work. Section 3 details how this weakness can be exploited to recover either data or key material. Section 4 then develops how this weakness can be used to break a number of commonly used block cipher modes. Section 5 presents some known methods for hardening implementations against this vulnerability.

2 Software Implementations of Block Ciphers

Many commonly used block ciphers (such as DES and AES) contain lookup tables (substitution boxes, or Sboxes). For efficiency reasons these are generally implemented as static arrays in software. If an attacker can gain access to the compiled code, i.e. the software binary, it is a trivial matter to load the binary into a hex editor and view the compiled code. If a lookup table has been statically defined it will be easily identifiable. For example, the initial bytes of the AES Sbox are 63 7C 77 7B [5], and these can be located in the compiled code of an AES implementation by a simple search (Figure 1). Other information, such as program control flow and possibly key material, is much more difficult to extract from the compiled code, as this involves a software reverse engineering effort and tracking the execution of the code. The level of expertise required for such an approach may be beyond the ability of many would-be hobbyist crackers. Further details on this approach are sketched by Hoglund and McGraw in [6]. The method of Sbox modification described here is simpler and only requires access to a static binary.
The idea is that static cryptographic keys embedded in a binary may be (relatively) difficult to identify and extract, or may come from a different source, while the Sbox will be easy to identify. Once the Sbox is found in memory, it is usually relatively easy to apply modifications. This has dramatic consequences; if the Sbox of an AES cipher is replaced by zero values, the key can be directly derived from the cipher's output.

The work of Shamir and van Someren [7] uses a method related to that described here to search for cryptographic keys embedded in a binary by testing sections for randomness properties, the assumption being that a good key will have more entropy than the surrounding code and thus be identifiable in this manner. While this attack, like ours, does not require the attacker to have intimate knowledge of the underlying platform, it does require a certain amount of effort and understanding on the part of the attacker. By contrast, identifying the Sbox is trivial with an editor's search functionality.

Fault insertion techniques are well known in the cryptographic community; specific analysis appears to have been largely focused on differential fault analysis. See [8-11] for examples of representative attacks of this type. In this case, even introducing a single random fault in an implementation of the AES [11] can lead to a successful attack. The importance of checking cryptographic protocols for faults is well understood [8].

Fig. 1. Identifying the AES Sbox in a software binary.

Another attack on block ciphers containing large static lookup tables is to use the side channels of cache hits and cache misses, as has previously been discussed (particularly for the AES) [12, 13]. These are dynamic attack methods that require access to a processor running an AES implementation and also some understanding of cache hit and miss issues on a particular processor. This paper and the works of Bernstein and Osvik et al. [12, 13] illustrate a trend: cryptographic primitives in software with large static Sboxes appear to leave the implementation vulnerable to attacks capable of recovering key bits if extra precautions are not taken in the implementation. The main difference between the above attacks and our approach is that we require no skills or special tools on the side of the attacker; a simple search and replace is sufficient. Once Sboxes have been found they can be changed to arbitrary values chosen by an attacker, resulting in potentially dangerous security breaks. Thus, the aim is to demonstrate how easy it is to attack a security system with weak implementations of cryptographic primitives by a low-resource attacker (without any specialist tools or knowledge of cryptography, differential fault analysis, software reverse engineering, etc.). The method of scanning software binaries for known patterns is previously known to the security community and to software crackers. However, the risk lies in the potential assumption of security engineers that breaking cryptographic functionality is only possible using specialist tools and a particular level of expertise. This paper is intended to help dispel this misconception. This paper concentrates on the AES and DES as specific examples. Both are currently widely used, and standard implementations contain identifiable Sboxes.

3 Sbox Manipulations

This section details some manipulations that can be applied to the AES and other similar block ciphers in order to recover key bits, and how Feistel ciphers such as DES can be easily removed from a security system.

3.1 SPN Ciphers and Sbox Blanking

An SPN block cipher is an iterated block cipher where each round is composed of substitutions and permutations (and a round key addition) of an intermediate cipher state. This attack method works generally on SPN ciphers with static Sboxes and a key whitening (a final round key addition) at the end of the cipher operation. The final S (substitution, Sbox) and P (permutation) operations in this type of cipher are illustrated in Figure 2. Note that an addition of n expanded key bits k_w (key whitening) is the last operation to be performed on the n bits of intermediate state before cipher output. This key whitening operation is often performed by a logical XOR operation, but other methods of key addition such as modular arithmetic can also be used. Generally SPN ciphers work in this manner for both encryption and decryption. In the case of encryption the key whitening bits are the last n bits of the expanded key, and for decryption they are the first n bits.

Fig. 2. The key whitening operation in a generic SPN n-bit block cipher: x → S → S(x) → P → P(S(x)) → + k_w → y, with an n-bit state and n-bit k_w.

This operation is represented as

$y \leftarrow P(S(x)) + k_w$ (1)
If the output of S is set to a constant value, say S(x) = c for all x, then the key whitening bits k_w become

$y \leftarrow P(c) + k_w$ (2)

As P(c) is constant, the key whitening bits k_w can be recovered from the cipher output y. A particular case of this is when all entries in the Sbox are set to zero, i.e. c = 0; then the key whitening bits are output directly from the cipher as

$y \leftarrow P(0) + k_w = k_w$, since $P(0) = 0$ (3)

It may then be possible to recover n bits of the original cipher key k from the n recovered key whitening bits k_w if the key expansion schedule can be suitably reversed.

The AES is an n = 128 bit iterated block cipher which can use cipher keys of 128, 192 and 256 bits, and has 10, 12 or 14 rounds (AES-128, AES-192 and AES-256) [5]. Its final round structure matches that in Figure 2, and 128 bits of expanded key material k_w can be recovered from the output of the cipher by blanking the final Sbox. The result is that the final key whitening operation (XOR) directly outputs 128 bits of expanded key material.

3.2 The Weakened AES Key Schedule

A full description of the AES, including the original key schedule, can be found in [4, 5]. Once 4 32-bit words of expanded key material have been extracted from the forward cipher it is then possible to reverse the AES key expansion to recover bits of the original cipher key k. With Sbox blanking, however, this operation can be made even simpler, as the Sbox is also used in the round key expansion. The modified key schedule for AES-128, under the assumption that the AES Sbox has been blanked to zero, is given as Algorithm 1.

Algorithm 1 AES-128 Weakened Key Expansion with Sbox Blanking
Require: 128-bit cipher key {k_0, k_1, k_2, k_3}
Ensure: 1408-bit expanded key {w_0, w_1, ..., w_43}
 1: w_0 ← k_0, w_1 ← k_1, w_2 ← k_2, w_3 ← k_3
 2: for i from 4 to 43 do
 3:   if i (mod 4) = 0 then
 4:     w_i ← w_{i-4} + r_{i/4}
 5:   else
 6:     w_i ← w_{i-1} + w_{i-4}
 7:   end if
 8: end for
 9: return {w_0, w_1, ..., w_43}

Here k = {k_0, k_1, k_2, k_3} are the 4 original 32-bit words of key material (the cipher key) and {w_0, w_1, ..., w_43} are the 44 32-bit words of expanded key material. The constants r_i, i = 1, ..., 10, are the round constants as 32-bit words as indicated in the cipher specification, and + is a 32-bit XOR operation. The 4 32-bit words of expanded key material output from the forward cipher as a result of Sbox blanking are k_w = {w_40, w_41, w_42, w_43}. Using the weakened key expansion in Algorithm 1, the 4 32-bit words of key material k = {k_0, k_1, k_2, k_3} can be recovered from k_w by

$k_0 = w_{40} + R^{(128)}_0$
$k_1 = w_{41} + R^{(128)}_1$
$k_2 = w_{42} + w_{40} + R^{(128)}_2$
$k_3 = w_{43} + w_{41} + R^{(128)}_3$ (4)

Here the constants R^{(128)}_i, i = 0, ..., 3, are simple XOR sums of the cipher round constants:

$R^{(128)}_0 = \sum_{i=1}^{10} r_i$
$R^{(128)}_1 = r_2 + r_4 + r_6 + r_8 + r_{10}$
$R^{(128)}_2 = r_3 + r_4 + r_7 + r_8$
$R^{(128)}_3 = r_4 + r_8$ (5)

For the reverse cipher (decryption) it is even easier to recover the cipher key k after Sbox blanking. Here k_w = {w_0, w_1, w_2, w_3}, as the round keys are applied in the reverse order, and the words of k = {k_0, k_1, k_2, k_3} are output directly. A similar analysis can be applied to the forward and reverse operations of the AES-192 and AES-256 ciphers to recover 128 bits of key material; the remaining key bits could be recovered by other means. Interestingly, increasing the block size of the cipher, as per the original Rijndael specification, serves to further weaken the cipher under Sbox blanking, as more key bits k_w are recovered from the cipher output. This gives more bits of expanded key material for analysis. Some high-performance AES implementations use four large known lookup tables instead of the implementation described here; however, the method can also be adapted to this case.
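The following Python script is an added worked example, not code from the paper: it implements Algorithm 1 (the AES-128 key expansion with every Sbox lookup returning zero) and checks that equations (4) and (5) recover the cipher key from the four whitening words w_40 to w_43. It assumes the paper's convention that r_i is the standard AES round constant placed in the most significant byte of a 32-bit word; the sample key is the FIPS-197 example key, used here only as constructed input.

```python
# Added example (not from the paper): Algorithm 1 and equations (4)/(5) in code.
from functools import reduce

# AES round constants rc_1..rc_10 in the top byte of a 32-bit word, which is
# how r_i enters the key schedule (assumption: big-endian word layout).
RC = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
MASK32 = 0xFFFFFFFF


def r(i):
    """Round constant r_i (1 <= i <= 10) as a 32-bit word."""
    return (RC[i - 1] << 24) & MASK32


def xor_sum(words):
    """The paper's '+' over several 32-bit words: a plain XOR sum."""
    return reduce(lambda a, b: a ^ b, words, 0)


def weakened_key_expansion(k):
    """Algorithm 1: AES-128 key expansion when every Sbox lookup yields 0.

    With the Sbox blanked, SubWord(RotWord(w_{i-1})) is the zero word, so the
    only contribution left at i mod 4 == 0 is the round constant r_{i/4}.
    """
    assert len(k) == 4
    w = list(k)                              # line 1: w_0..w_3 <- k_0..k_3
    for i in range(4, 44):                   # line 2: i from 4 to 43
        if i % 4 == 0:
            w.append(w[i - 4] ^ r(i // 4))   # line 4
        else:
            w.append(w[i - 1] ^ w[i - 4])    # line 6
    return w                                 # 44 words = 1408 bits


def round_constant_sums():
    """Equation (5): the constants R0..R3 as XOR sums of the r_i."""
    R0 = xor_sum(r(i) for i in range(1, 11))
    R1 = xor_sum(r(i) for i in (2, 4, 6, 8, 10))
    R2 = xor_sum(r(i) for i in (3, 4, 7, 8))
    R3 = xor_sum(r(i) for i in (4, 8))
    return R0, R1, R2, R3


def recover_key_from_whitening(kw):
    """Equation (4): cipher key k_0..k_3 from k_w = {w_40, w_41, w_42, w_43}."""
    w40, w41, w42, w43 = kw
    R0, R1, R2, R3 = round_constant_sums()
    return [w40 ^ R0, w41 ^ R1, w42 ^ w40 ^ R2, w43 ^ w41 ^ R3]


def whitening_words_forward(k):
    """k_w that a blanked forward (encrypting) cipher would output: w_40..w_43."""
    return weakened_key_expansion(k)[40:44]


if __name__ == "__main__":
    # Constructed sample input: the FIPS-197 example key as four 32-bit words.
    key = [0x2B7E1516, 0x28AED2A6, 0xABF71588, 0x09CF4F3C]
    kw = whitening_words_forward(key)
    print("k_w =", [hex(x) for x in kw])
    print("k   =", [hex(x) for x in recover_key_from_whitening(kw)])
```

Because every step of Algorithm 1 is linear over GF(2), the whitening words are the key words XORed with fixed sums of round constants, which is exactly what equation (4) inverts; for the reverse cipher no inversion is needed at all, since w_0 to w_3 are the key itself.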
3.3 Other SPN Based Ciphers

Although this analysis has been applied in detail to the AES, in general this method is applicable to SPN block ciphers with:
- unprotected implementations
- static Sboxes in cipher rounds
- a key whitening operation after the final round
- a suitable round key expansion, possibly also containing static Sboxes

Other SPN block ciphers that contain static Sboxes and key whitening, and whose software binaries are unprotected, may be vulnerable to this type of analysis and manipulation. An example of another cipher that may be susceptible to this attack is another AES candidate, Serpent [15].
3.4 DES and Feistel Based Ciphers

Feistel network based block ciphers operate in a different manner, in that round key addition is often performed before the Sbox substitution operation (for example in DES [16]), and the substitution and permutation operations are performed differently. At the beginning of each round in this type of Feistel based cipher the n-bit intermediate cipher state x is divided into two sections (x_l, x_r), and the state is updated to y = (y_l, y_r) as

$y_l \leftarrow x_r$
$y_r \leftarrow x_l + P(S(x_r + k'))$ (6)

where P and S represent the permutation and substitution operations as before and k' represents bits of the expanded cipher key k. Equation (6) is also illustrated in Figure 3.

Fig. 3. Round operation of a Feistel cipher with round key addition before substitution: x_r + k' → S → S(x_r + k') → P → P(S(x_r + k')), which is added to x_l to give y_r, while y_l = x_r.

If S is implemented by a publicly known static Sbox in a weak implementation, as before it can be trivially identified, modified and set to a constant value S(x) = c. As the round key addition happens before the substitution in this case, all information on k' is lost and (6) becomes

$y_l \leftarrow x_r$
$y_r \leftarrow x_l + P(c)$ (7)

Again the case where c = 0 is of particular interest: in this case the constant P(0) = 0 if P is a strict permutation function, so all cryptographic functionality is removed from the round and the left and right sections of the intermediate cipher state are merely transposed. After an even number of rounds the cipher output is simply the cipher input, (y_l, y_r) ← (x_l, x_r). The result of an odd number of rounds is simply a swapping of the left and right sections, (y_l, y_r) ← (x_r, x_l). This is the result of Sbox blanking on weak implementations of the DES cipher. Clearly, this method will not help in the recovery of key material or the decryption of previously encrypted content. However, it will remove the capability to encrypt content and, without correct checks, would result in plaintexts x being sent over a channel in the clear.

In general, Feistel based block ciphers with:
- unprotected implementations
- static Sboxes
- round key addition before the substitution operation
are vulnerable to this type of modification, which trivially removes their cryptographic functionality. Examples of more complicated Feistel based ciphers which may be identifiable by their static Sboxes, and also weakened by Sbox blanking, are the phase 2 NESSIE cipher MISTY1 [17] and the final round AES candidate MARS [18].

4 Effect on Cipher Modes

In practical systems block ciphers are generally used in one of a number of block cipher modes. A block cipher weakened by the attack method described in Section 3 and used in the common cipher modes also allows trivial key recovery. The block ciphers are expected to operate on an n-bit plaintext block x to produce a ciphertext block y during encryption, and to perform the opposite operation during decryption. These operations are commonly denoted as $y \leftarrow E_k(x)$ and $x \leftarrow E_k^{-1}(y)$ respectively, where by design there is a strong interdependence between x, y and k. A plaintext message m is broken into t n-bit blocks, labelled x_j, 1 ≤ j ≤ t. Two commonly used block cipher modes are:

ECB (electronic codebook mode)
 encryption: $y_j \leftarrow E_k(x_j)$, 1 ≤ j ≤ t
 decryption: $x_j \leftarrow E_k^{-1}(y_j)$, 1 ≤ j ≤ t

CBC (cipher block chaining mode)
 encryption: $y_0 \leftarrow IV$, $y_j \leftarrow E_k(y_{j-1} + x_j)$, 1 ≤ j ≤ t
 decryption: $y_0 \leftarrow IV$, $x_j \leftarrow y_{j-1} + E_k^{-1}(y_j)$, 1 ≤ j ≤ t

Here IV is an n-bit initialization vector. Depending on the implementation this may also be considered secret, although the mode of operation is defined so that the security of the system does not depend on the secrecy of the IV. Here the + operation represents an n-bit bitwise XOR operation. A more in-depth description of these modes can be found in [14].
The effect of Sbox blanking with S(x) = 0 on these cipher modes is now discussed for weak implementations of SPN ciphers with a final key whitening operation, and of Feistel based block ciphers with an even number of rounds and round key addition before the substitution operations.
4.1 SPN Ciphers

If a weakened SPN based block cipher is used where a blanking attack has been performed as described in Section 3.3, then all input information is lost and the cipher outputs the constant value k_w for constant k, regardless of the input values x (for encryption) and y (for decryption). Denote these blanked ciphers as $k_w \leftarrow E_k(x)$ and $k_w \leftarrow E_k^{-1}(y)$ respectively. Now consider the effect this has on the block cipher modes of operation. In ECB mode, as expected, both encryption and decryption output the n bits of expanded key material used in the key whitening operation regardless of input. Once the key has been recovered from the leaked key bits k_w, arbitrary messages can then be encrypted and decrypted as desired. CBC mode for encryption also returns, as expected, the constant $k_w \leftarrow E_k(y_{j-1} + x_j)$, 1 ≤ j ≤ t, regardless of the input plaintext x_j, provided that the cipher key k is unchanged. CBC mode for decryption returns the IV as well as k_w, as y_0 = IV and $k_w \leftarrow E_k^{-1}(y_j)$ for constant k:

$IV + k_w \leftarrow y_{j-1} + E_k^{-1}(y_j)$, j (mod 2) = 1
$IV \leftarrow y_{j-1} + E_k^{-1}(y_j)$, j (mod 2) = 0 (8)

Equation (8) indicates that using an Sbox-blanked CBC cipher for decryption allows recovery of both the IV and n bits of key related material. Of course, the security of CBC mode does not depend on the secrecy of the IV; however, in some applications it is not made public.

4.2 Feistel Ciphers

Consider a simple Feistel based cipher with round key addition before the substitution, as described in Section 3.4. Sbox blanking results in a complete removal of cryptographic functionality after an even number of rounds, so for encryption $x_j \leftarrow E_k(x_j)$. ECB mode then simply results in the transmission of the entire plaintext message across the channel. For an odd number of rounds the left and right sides of the plaintext are simply flipped. Assume a weakened cipher with an even number of rounds.
In CBC mode this results in

$y_j \leftarrow y_{j-1} + x_j$, 1 ≤ j ≤ t

Recalling that y_0 ← IV, this implies that each block y_j of the ciphertext is formed (recalling that addition is modulo 2) by

$y_j \leftarrow IV + \sum_{i=1}^{j} x_i$ (9)

Now the t n-bit blocks of the original message can then be recovered by

$x_1 \leftarrow y_1 + IV$
$x_j \leftarrow y_j + y_{j-1}$, 2 ≤ j ≤ t (10)
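The following Python code is an added example, not code from the paper, illustrating Sections 3.4 and 4.2 with a constructed 16-round, 64-bit toy Feistel cipher (its Sbox, byte permutation P and key schedule are invented for the illustration and are not DES). It shows that blanking the Sbox turns the even-round cipher into the identity (equations (6) and (7)), that CBC output then follows the closed form of equation (9), and that equation (10) recovers every block but the first from the ciphertext alone. It also shows why the encrypt/decrypt consistency check of Section 5 is not enough on its own: a Feistel network is invertible for any round function, so the blanked cipher still round-trips, and only a known-answer test against a stored vector notices the change.

```python
# Added example (not from the paper): constructed toy Feistel cipher in CBC
# mode, demonstrating eq (6)/(7) degeneration and eq (9)/(10) recovery.
ROUNDS = 16                       # even, as in DES
HALF = 4                          # 32-bit halves, 64-bit block

# Constructed toy Sbox (a bijection on bytes, not any real cipher's table)
# and a fixed byte permutation P with P(0) = 0.
TOY_SBOX = [(7 * x + 3) & 0xFF for x in range(256)]
BLANKED_SBOX = [0] * 256          # S(x) = 0 for every x
PERM = [3, 0, 2, 1]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def round_keys(key):
    """Toy key schedule (constructed): rotate the 4-byte key one byte per round."""
    return [key[i % HALF:] + key[:i % HALF] for i in range(ROUNDS)]


def f(x_r, k, sbox):
    """P(S(x_r + k')): round key addition happens before substitution, as in eq (6)."""
    s = [sbox[b ^ kb] for b, kb in zip(x_r, k)]
    return bytes(s[i] for i in PERM)


def encrypt_block(x, key, sbox):
    x_l, x_r = x[:HALF], x[HALF:]
    for rk in round_keys(key):
        x_l, x_r = x_r, xor_bytes(x_l, f(x_r, rk, sbox))     # eq (6)
    return x_l + x_r


def decrypt_block(y, key, sbox):
    y_l, y_r = y[:HALF], y[HALF:]
    for rk in reversed(round_keys(key)):
        y_l, y_r = xor_bytes(y_r, f(y_l, rk, sbox)), y_l
    return y_l + y_r


def cbc_encrypt(blocks, key, iv, sbox):
    out, prev = [], iv
    for x in blocks:
        prev = encrypt_block(xor_bytes(prev, x), key, sbox)
        out.append(prev)
    return out


def cbc_closed_form_blanked(blocks, iv):
    """Eq (9): with the identity cipher, y_j = IV + x_1 + ... + x_j."""
    out, acc = [], iv
    for x in blocks:
        acc = xor_bytes(acc, x)
        out.append(acc)
    return out


def recover_without_iv(ct_blocks):
    """Eq (10), second line: x_j = y_j + y_{j-1} for 2 <= j <= t; no IV needed."""
    return [xor_bytes(ct_blocks[j], ct_blocks[j - 1]) for j in range(1, len(ct_blocks))]


def roundtrip_check(key, sbox, x=bytes(range(8))):
    """Encrypt-then-decrypt consistency check; it passes even for the blanked cipher."""
    return decrypt_block(encrypt_block(x, key, sbox), key, sbox) == x


def known_answer_check(key, sbox, kat_in, kat_out):
    """Known-answer test against a vector stored from the genuine table."""
    return encrypt_block(kat_in, key, sbox) == kat_out


KEY = bytes([0x01, 0x02, 0x03, 0x04])                # constructed
IV = bytes([0xA5] * 8)                                # constructed
PLAINTEXT = [b"block-01", b"block-02", b"block-03"]  # three constructed 64-bit blocks

if __name__ == "__main__":
    ct = cbc_encrypt(PLAINTEXT, KEY, IV, BLANKED_SBOX)
    print("recovered from ciphertext alone:", recover_without_iv(ct))
    print("round-trip passes for blanked cipher:", roundtrip_check(KEY, BLANKED_SBOX))
```

The first block stays hidden only because the IV is unknown (first line of equation (10)); if the IV is transmitted in the clear, as CBC permits, the whole message is recovered.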
So, even if the IV is not known, the entire transmitted plaintext in this mode, except for the first n-bit block, can be recovered by examining the transmitted output and applying equation (10).

5 Preventing these Attacks

Due to the ease with which Sboxes can be identified, and hence modified, in software binaries, it is important that adequate defences be taken against their identification and that manipulation does not directly output key related bits. A number of precautions can be taken to prevent tampering with cryptographic primitives in software. The most obvious method is to take care that an attacker does not have access to any software binaries that contain implementations of cryptographic primitives. This is difficult to achieve in practice on open systems, but it is possible to take certain precautions. On a generic computing platform (for example, one running the Linux operating system), it can be ensured that the part of the file system containing cryptographic binaries is only accessible at the highest privilege level and not by regular users. This represents OS-enforced access control protection of the binaries. Methods of code obfuscation can prevent a search such as that employed in this paper from locating the Sboxes. Another method which ensures that keys are difficult to extract from code is white-box cryptography; see for example the work of Chow et al. in [19]. A by-product of this is, of course, non-standard implementations of the block cipher in question. Another method to obtain non-standard implementations of ciphers is as simple as generating the Sbox dynamically on execution of the code, or using Sbox masking techniques. Alternatively, the cipher could be modified somewhat so that different Sboxes are used but the input-output behaviour of the cipher is the same [5].
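As an added example of two of the precautions discussed in this section (generating the Sbox on the fly instead of shipping it as a static table, and trial-testing the primitive against a known result before use), the following Python code is not from the paper. It regenerates the AES Sbox from its algebraic definition in [4, 5] (multiplicative inverse in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1, followed by the affine map), then checks a stored table against that regeneration, against the first entries 63 7C 77 7B quoted in Section 2 and the FIPS-197 worked example S(53) = ED, and for being a permutation. The tampered tables at the end are constructed inputs.

```python
# Added example (not from the paper): regenerate the AES Sbox at run time and
# use it to check a stored table before the cipher is used.

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES polynomial)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a):
    """Multiplicative inverse in GF(2^8); 0 maps to 0 by the AES convention."""
    if a == 0:
        return 0
    for b in range(1, 256):
        if gf_mul(a, b) == 1:
            return b
    raise ValueError("no inverse found; field arithmetic is broken")


def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def generate_aes_sbox():
    """S(x) = affine(inv(x)) with affine(b) = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    table = []
    for x in range(256):
        b = gf_inv(x)
        table.append(b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63)
    return table


# Known-answer values: the first four entries quoted in Section 2 and the
# FIPS-197 worked example S(0x53) = 0xED.
KNOWN_ANSWERS = {0x00: 0x63, 0x01: 0x7C, 0x02: 0x77, 0x03: 0x7B, 0x53: 0xED}


def sbox_integrity_findings(table):
    """Return a list of problems found in a stored Sbox; empty means it is sound.

    The checks go from cheapest to most thorough: the permutation test alone
    catches blanking, the spot checks catch edits to known entries, and the
    full regeneration catches any single-entry change the others miss.
    """
    findings = []
    if len(table) != 256:
        findings.append("wrong length")
        return findings
    if len(set(table)) != 256:
        findings.append("not a permutation (blanking or duplicated entries)")
    for x, expected in KNOWN_ANSWERS.items():
        if table[x] != expected:
            findings.append("known-answer mismatch at 0x%02X" % x)
    if table != generate_aes_sbox():
        findings.append("table differs from algebraic regeneration")
    return findings


def sbox_is_sound(table):
    return not sbox_integrity_findings(table)


if __name__ == "__main__":
    genuine = generate_aes_sbox()
    blanked = [0] * 256                       # constructed: Sbox blanked to zero
    swapped = list(genuine)                   # constructed: two entries exchanged
    swapped[0x10], swapped[0x20] = swapped[0x20], swapped[0x10]
    for name, t in (("genuine", genuine), ("blanked", blanked), ("swapped", swapped)):
        print(name, "->", sbox_integrity_findings(t) or "ok")
```

An implementation that only ever uses the regenerated table has no 256-byte constant for a hex-editor search to find, and one that keeps the static table but runs this check at start-up refuses to operate on a table that has been edited in place.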
The main idea behind these techniques is to move away from the small number of widely used implementations with known static Sboxes, and either obfuscate or mask the Sboxes, implement non-standard versions of them, or generate them on the fly. Other more standard methods of protecting software primitives involve performing a checksum over the executable code before it is executed to ensure it is unmodified. Checking that the encryption and decryption behaviour of ciphers match, and also checking cryptographic primitives for faults by performing trial tests against some known result, should be standard practice. It is important that these checks are in place and are performed. These should prevent trivial leaks of key material from weak implementations of ciphers where an attacker potentially has access to the binaries.

Another approach to protecting the output of block ciphers from trivial modifications as described in this paper is to use slightly non-standard versions of the ciphers, rather than the non-standard implementations discussed above. Doubling the key length and XORing n bits at the output of SPN ciphers would prevent the trivial output of easily extracted key material. This is precisely the method used in DESX for increasing the effective key length of DES [20]. A similar method could be used as a double key whitening to prevent the leakage of round key material in the case of Sbox blanking. If Sbox blanking is performed, the attacker receives k_w + k_2 at the output of the cipher and is left with the difficult problem of extracting useful key information from this. The cipher modes proposed in [21] will also help to defend against these attacks. The main point here is that if Sbox blanking is a threat, then a single key whitening operation should not be the final operation of a cipher.

6 Conclusions

This paper has illustrated that potential attacks on security systems are not only possible by professionals using specialist tools. Weak implementations of a strong algorithm can leave the algorithm vulnerable to even simple attacks. If precautions (as outlined in Section 5) are not taken, the use of the standard implementations of some common block ciphers can have dire consequences, ranging from a denial of service to full compromise of keys and data by attackers with minimal skill and understanding. The possibilities to locate and change Sboxes are a serious threat, and one easily carried out if software implementers do not take the necessary precautions. In a more general sense this is yet another illustration of the fact that cryptographic primitives should only be implemented within the models in which they were designed. With the wide number of software applications containing block ciphers essentially in the clear, currently operating in potentially untrusted environments, it appears that it is time for a rethink of some of the more traditional methods of implementing these ciphers.

Acknowledgement

The authors would like to thank Jorge Guajardo Merchan as well as a number of reviewers for comments in preparing this manuscript.

References

1. K. G. Paterson and A. K. L. Yau. Cryptography in Theory and Practice: The Case of Encryption in IPSec, Cryptology ePrint Archive, Report 2005/416 (2005)
2. R. J. Anderson and M. G. Kuhn. Tamper Resistance: A Cautionary Note, The Second USENIX Workshop on Electronic Commerce Proceedings, pp. 1-11 (1996)
3. R. J. Anderson and M. G. Kuhn. Low Cost Attacks on Tamper Resistant Devices, M. Lomas et al. (eds.), Security Protocols, 5th International Workshop, LNCS 1351, Springer-Verlag (1997)
4. FIPS PUB 197. Advanced Encryption Standard (AES) (2001)
5. J. Daemen and V. Rijmen. The Design of Rijndael: AES - The Advanced Encryption Standard (Information Security and Cryptography), Springer (2002)
6. G. Hoglund and G. McGraw. Exploiting Software: How to Break Code, Addison-Wesley (2004)
7. A. Shamir and N. van Someren. Playing Hide and Seek with Stored Keys, M. K. Franklin (ed.), Financial Cryptography FC 99, LNCS 1648, Springer (1999)
8. D. Boneh, R. DeMillo and R. J. Lipton. On the Importance of Checking Cryptographic Protocols for Faults, W. Fumy (ed.), Advances in Cryptology - EUROCRYPT 97, LNCS 1233, Springer (1997)
9. E. Biham and A. Shamir. Differential Fault Analysis of Secret Key Cryptosystems, B. S. Kaliski Jr. (ed.), Advances in Cryptology - CRYPTO 97, LNCS 1294, Springer (1997)
10. J. Blömer and J.-P. Seifert. Fault Based Cryptanalysis of the Advanced Encryption Standard, Financial Cryptography FC 04, LNCS 2742, Springer (2004)
11. C. Giraud. DFA on AES, H. Dobbertin, V. Rijmen, A. Sowa (eds.), Advanced Encryption Standard - AES: 4th International Conference, AES 2004, LNCS 3373, Springer (2005)
12. D. Bernstein. Cache-timing attacks on AES, preprint (2005)
13. D. A. Osvik, A. Shamir and E. Tromer. Cache Attacks and Countermeasures: The Case of AES, D. Pointcheval (ed.), Topics in Cryptology - CT-RSA 2006, LNCS 3860, Springer, pp. 1-20 (2006)
14. A. J. Menezes, P. C. van Oorschot and S. A. Vanstone. Handbook of Applied Cryptography, CRC Press (1996)
15. E. Biham, R. J. Anderson and L. Knudsen. Serpent: A New Block Cipher Proposal, Fast Software Encryption FSE 98, LNCS 1372, Springer (1998)
16. FIPS PUB. Data Encryption Standard (DES) (1998)
17. M. Matsui. Block encryption algorithm MISTY, Fast Software Encryption FSE 97, LNCS 1267, Springer (1997)
18. C. Burwick, D. Coppersmith, E. D'Avignon, R. Gennaro, S. Halevi, C. Jutla, S. M. Matyas Jr, L. O'Connor, M. Peyravian, D. Stafford and N. Zunic. MARS - a candidate cipher for AES, NIST AES Proposal (1998)
19. S. Chow, P. Eisen, H. Johnson and P. C. van Oorschot. White-Box Cryptography and an AES Implementation, Selected Areas in Cryptography - SAC 2002, LNCS 2595, Springer (2002)
20. J. Kilian and P. Rogaway. How to Protect DES Against Exhaustive Key Search, Advances in Cryptology - CRYPTO 96, LNCS 1109, Springer-Verlag (1996)
21. C. S. Jutla. Encryption Modes with Almost Free Message Integrity, Advances in Cryptology - EUROCRYPT 2001, LNCS 2045, Springer-Verlag (2001)
More informationData Encryption Standard
ECE 646 Lecture 6 Data Encryption Standard Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5th Edition, Chapter 3: Block Ciphers and the Data Encryption Standard Chapter 6.1: Multiple
More informationLecture 2: Secret Key Cryptography
T-79.159 Cryptography and Data Security Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi 1 Reminder: Communication Model Adversary Eve Cipher, Encryption
More informationOn the Security of the 128-Bit Block Cipher DEAL
On the Security of the 128-Bit Block Cipher DAL Stefan Lucks Theoretische Informatik University of Mannheim, 68131 Mannheim A5, Germany lucks@th.informatik.uni-mannheim.de Abstract. DAL is a DS-based block
More informationIntroduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers
Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers Stream Ciphers Start with a secret key ( seed ) Generate a keying stream i-th bit/byte of keying stream is a function
More informationLecture 3: Symmetric Key Encryption
Lecture 3: Symmetric Key Encryption CS996: Modern Cryptography Spring 2007 Nitesh Saxena Outline Symmetric Key Encryption Continued Discussion of Potential Project Topics Project proposal due 02/22/07
More informationSymmetric Cryptography. Chapter 6
Symmetric Cryptography Chapter 6 Block vs Stream Ciphers Block ciphers process messages into blocks, each of which is then en/decrypted Like a substitution on very big characters 64-bits or more Stream
More informationComputer Security 3/23/18
s s encrypt a block of plaintext at a time and produce ciphertext Computer Security 08. Cryptography Part II Paul Krzyzanowski DES & AES are two popular block ciphers DES: 64 bit blocks AES: 128 bit blocks
More informationLinear Cryptanalysis of Reduced Round Serpent
Linear Cryptanalysis of Reduced Round Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion Israel Institute of Technology, Haifa 32000, Israel, {biham,orrd}@cs.technion.ac.il,
More informationElastic Block Ciphers: The Feistel Cipher Case
Elastic Block Ciphers: The Feistel Cipher Case Debra L. Cook Moti Yung Angelos D. Keromytis Department of Computer Science Columbia University, New York, NY dcook,moti,angelos @cs.columbia.edu Technical
More informationA SIMPLIFIED IDEA ALGORITHM
A SIMPLIFIED IDEA ALGORITHM NICK HOFFMAN Abstract. In this paper, a simplified version of the International Data Encryption Algorithm (IDEA) is described. This simplified version, like simplified versions
More informationCryptography III: Symmetric Ciphers
Cryptography III: Symmetric Ciphers Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 14th February 2008 Outline Stream ciphers Block ciphers DES and Rijndael Summary
More informationOn Boolean and Arithmetic Masking against Differential Power Analysis
On Boolean and Arithmetic Masking against Differential Power Analysis [Published in Ç.K. Koç and C. Paar, Eds., Cryptographic Hardware and Embedded Systems CHES 2000, vol. 1965 of Lecture Notes in Computer
More informationStream Ciphers and Block Ciphers
Stream Ciphers and Block Ciphers 2MMC10 Cryptology Fall 2015 Ruben Niederhagen October 6th, 2015 Introduction 2/32 Recall: Public-key crypto: Pair of keys: public key for encryption, private key for decryption.
More informationContent of this part
UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 5 More About Block Ciphers Israel Koren ECE597/697 Koren Part.5.1 Content of this
More informationLecture 4: Symmetric Key Encryption
Lecture 4: Symmetric ey Encryption CS6903: Modern Cryptography Spring 2009 Nitesh Saxena Let s use the board, please take notes 2/20/2009 Lecture 1 - Introduction 2 Data Encryption Standard Encrypts by
More information7. Symmetric encryption. symmetric cryptography 1
CIS 5371 Cryptography 7. Symmetric encryption symmetric cryptography 1 Cryptographic systems Cryptosystem: t (MCKK GED) (M,C,K,K,G,E,D) M, plaintext message space C, ciphertext message space K, K, encryption
More informationDifferential Fault Analysis on the AES Key Schedule
ifferential Fault Analysis on the AES Key Schedule Junko TAKAHASHI and Toshinori FUKUNAGA NTT Information Sharing Platform Laboratories, Nippon Telegraph and Telephone Corporation, {takahashi.junko, fukunaga.toshinori}@lab.ntt.co.jp
More informationThe Security of Elastic Block Ciphers Against Key-Recovery Attacks
The Security of Elastic Block Ciphers Against Key-Recovery Attacks Debra L. Cook 1, Moti Yung 2, Angelos D. Keromytis 2 1 Alcatel-Lucent Bell Labs, New Providence, New Jersey, USA dcook@alcatel-lucent.com
More informationStudy and Analysis of Symmetric Key-Cryptograph DES, Data Encryption Standard
Study and Analysis of Symmetric Key-Cryptograph DES, Data Encryption Standard Dr Atul Gonsai #1, Naimish Kakkad *2, Bhargavi Goswami $3, Dr Nikesh Shah @4 # Department of MCA, Saurashtra University, @
More informationENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel
(a) Introduction - recall symmetric key cipher: III. BLOCK CIPHERS k Symmetric Key Cryptography k x e k y yʹ d k xʹ insecure channel Symmetric Key Ciphers same key used for encryption and decryption two
More informationCIT 380: Securing Computer Systems. Symmetric Cryptography
CIT 380: Securing Computer Systems Symmetric Cryptography Topics 1. Modular Arithmetic 2. What is Cryptography? 3. Transposition Ciphers 4. Substitution Ciphers 1. Cæsar cipher 2. Vigènere cipher 5. Cryptanalysis:
More informationCryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Outline Basic concepts in cryptography systems Secret key cryptography Public key cryptography Hash functions 2 Encryption/Decryption
More informationCryptography and Network Security
Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 6: Advanced Encryption Standard (AES) Ion Petre Department of IT, Åbo Akademi University 1 Origin of AES 1999: NIST
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Symmetric Cryptography January 20, 2011 Practical Aspects of Modern Cryptography 2 Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash
More informationThe Rectangle Attack
The Rectangle Attack and Other Techniques for Cryptanalysis of Block Ciphers Orr Dunkelman Computer Science Dept. Technion joint work with Eli Biham and Nathan Keller Topics Block Ciphers Cryptanalysis
More informationSide channel attack: Power Analysis. Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut
Side channel attack: Power Analysis Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut Conventional Cryptanalysis Conventional cryptanalysis considers crypto systems as mathematical objects Assumptions:
More informationSecret Key Cryptography (Spring 2004)
Secret Key Cryptography (Spring 2004) Instructor: Adi Shamir Teaching assistant: Eran Tromer 1 Background Lecture notes: DES Until early 1970 s: little cryptographic research in industry and academcy.
More informationImproved Truncated Differential Attacks on SAFER
Improved Truncated Differential Attacks on SAFER Hongjun Wu * Feng Bao ** Robert H. Deng ** Qin-Zhong Ye * * Department of Electrical Engineering National University of Singapore Singapore 960 ** Information
More information3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some
3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some popular block ciphers Triple DES Advanced Encryption
More informationA Weight Based Attack on the CIKS-1 Block Cipher
A Weight Based Attack on the CIKS-1 Block Cipher Brian J. Kidney, Howard M. Heys, Theodore S. Norvell Electrical and Computer Engineering Memorial University of Newfoundland {bkidney, howard, theo}@engr.mun.ca
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 50 Outline 1 Block Ciphers 2 The Data Encryption Standard (DES) 3 The Advanced Encryption Standard (AES) 4 Attacks
More information9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng Basic concepts in cryptography systems Secret cryptography Public cryptography 1 2 Encryption/Decryption Cryptanalysis
More informationWeek 5: Advanced Encryption Standard. Click
Week 5: Advanced Encryption Standard Click http://www.nist.gov/aes 1 History of AES Calendar 1997 : Call For AES Candidate Algorithms by NIST 128-bit Block cipher 128/192/256-bit keys Worldwide-royalty
More informationDeKaRT: A New Paradigm for Key-Dependent Reversible Circuits
DeKaRT: A New Paradigm for Key-Dependent Reversible Circuits Jovan D. Golić System on Chip, Telecom Italia Lab Telecom Italia Via Guglielmo Reiss Romoli 274, I-00148 Turin, Italy jovan.golic@tilab.com
More informationCryptanalysis of FROG
Cryptanalysis of FROG David Wagner Niels Ferguson Bruce Schneier October 23, 1999 Abstract We examine some attacks on the FROG cipher. First we give a differential attack which uses about 2 58 chosen plaintexts
More informationNetwork Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar
Network Security Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar Modern Block Ciphers now look at modern block ciphers one of the most widely used types
More informationData Encryption Standard
ECE 646 Lecture 7 Data Encryption Standard Required Reading W. Stallings, "Cryptography and Network-Security," 5th Edition, Chapter 3: Block Ciphers and the Data Encryption Standard Chapter 6.1: Multiple
More informationSymmetric Encryption Algorithms
Symmetric Encryption Algorithms CS-480b Dick Steflik Text Network Security Essentials Wm. Stallings Lecture slides by Lawrie Brown Edited by Dick Steflik Symmetric Cipher Model Plaintext Encryption Algorithm
More informationA White-Box DES Implementation for DRM Applications
A White-Box DES Implementation for DRM Applications S. Chow 1, P. Eisen 1, H. Johnson 1, P.C. van Oorschot 2 1 Cloakware Corporation, Ottawa, Canada 2 Carleton University, Ottawa, Canada (This research
More informationA Chosen-Plaintext Linear Attack on DES
A Chosen-Plaintext Linear Attack on DES Lars R. Knudsen and John Erik Mathiassen Department of Informatics, University of Bergen, N-5020 Bergen, Norway {lars.knudsen,johnm}@ii.uib.no Abstract. In this
More informationKeywords :Avalanche effect,hamming distance, Polynomial for S-box, Symmetric encryption,swapping words in S-box
Efficient Implementation of Aes By Modifying S-Box Vijay L Hallappanavar 1, Basavaraj P Halagali 2, Veena V Desai 3 1 KLES s College of Engineering & Technology, Chikodi, Karnataka 2 V S M Institute of
More informationAdvanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50
Advanced Encryption Standard and Modes of Operation Foundations of Cryptography - AES pp. 1 / 50 AES Advanced Encryption Standard (AES) is a symmetric cryptographic algorithm AES has been originally requested
More informationCryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles
Cryptography and Network Security Chapter 3 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 3 Block Ciphers and the Data Encryption Standard All the afternoon Mungo had been working
More informationMARS Attacks! Preliminary Cryptanalysis of Reduced-Round MARS Variants
MARS Attacks! Preliminary Cryptanalysis of Reduced-Round MARS Variants John Kelsey and Bruce Schneier Counterpane Internet Security, Inc., 3031 Tisch Way, San Jose, CA 95128 {kelsey,schneier}@counterpane.com
More informationDESIGNING S-BOXES FOR CIPHERS RESISTANT TO DIFFERENTIAL CRYPTANALYSIS (Extended Abstract)
DESIGNING S-BOXES FOR CIPHERS RESISTANT TO DIFFERENTIAL CRYPTANALYSIS (Extended Abstract) CARLISLE M. ADAMS Bell-Northern Research, Ltd., P.O. Box 3511 Station C, Ottawa, Ontario, Canada, KI Y 4117 STAFFORD
More informationNetwork Security Essentials Chapter 2
Network Security Essentials Chapter 2 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Encryption What is encryption? Why do we need it? No, seriously, let's discuss this. Why do we need
More informationDifferential Computation Analysis Hiding your White-Box Designs is Not Enough
Differential Computation Analysis Hiding your White-Box Designs is Not Enough Joppe W. Bos Microsoft Research Visit, August 24, 2016 Redmond, WA, USA 1. NXP Semiconductors Operations in > 35 countries,
More informationComputer Security CS 526
Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability
More informationCryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái
Cryptography and Network Security Block Ciphers + DES Lectured by Nguyễn Đức Thái Outline Block Cipher Principles Feistel Ciphers The Data Encryption Standard (DES) (Contents can be found in Chapter 3,
More informationSecret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34
Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used for both encryption and decryption.
More informationTechnion - Computer Science Department - Technical Report CS
[13] National Bureau of Standards, DS Modes of Operation, U.S. Department of Commerce, FIPS pub. 81, December 1980. [14] Paul C. van Oorschot, Michael J. Wiener, A Known Plaintext Attack on Two-Key Triple
More informationA Simple Power Analysis Attack Against the Key Schedule of the Camellia Block Cipher
A Simple Power Analysis Attack Against the Key Schedule of the Camellia Block Cipher Lu Xiao and Howard M. Heys 2 QUALCOMM Incorporated, lxiao@qualcomm.com 2 Electrical and Computer Engineering, Faculty
More informationInternational Journal for Research in Applied Science & Engineering Technology (IJRASET) Performance Comparison of Cryptanalysis Techniques over DES
Performance Comparison of Cryptanalysis Techniques over DES Anupam Kumar 1, Aman Kumar 2, Sahil Jain 3, P Kiranmai 4 1,2,3,4 Dept. of Computer Science, MAIT, GGSIP University, Delhi, INDIA Abstract--The
More informationPUFFIN: A Novel Compact Block Cipher Targeted to Embedded Digital Systems
PUFFIN: A Novel Compact Block Cipher Targeted to Embedded Digital Systems Huiju Cheng, Howard M. Heys, and Cheng Wang Electrical and Computer Engineering Memorial University of Newfoundland St. John's,
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Secret Key Cryptography Block cipher DES 3DES
More informationDifferential Computation Analysis Hiding your White-Box Designs is Not Enough
Differential Computation Analysis Hiding your White-Box Designs is Not Enough Joppe W. Bos Summer school on real-world crypto and privacy Šibenik, Croatia 1. NXP Semiconductors Operations in > 35 countries,
More informationCourse Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here
Course Business Midterm is on March 1 Allowed to bring one index card (double sided) Final Exam is Monday, May 1 (7 PM) Location: Right here 1 Cryptography CS 555 Topic 18: AES, Differential Cryptanalysis,
More informationA Differential Fault Attack against Early Rounds of (Triple-)DES
A Differential Fault Attack against Early Rounds of (Triple-)DES Ludger Hemme Giesecke & Devrient GmbH Prinzregentenstr. 159, 81677 Munich, Germany ludger.hemme@de.gi-de.com Abstract. Previously proposed
More informationJournal of Discrete Mathematical Sciences & Cryptography Vol. ( ), No., pp. 1 10
Randomizing encryption mode Yi-Shiung Yeh 1, I-Te Chen 1, Chan-Chi Wang 2, 1 Department of Computer Science and Information Engineering National Chiao-Tung University 1001 Ta Hsueh Road Hsinchu 30050 Taiwan
More informationArea Optimization in Masked Advanced Encryption Standard
IOSR Journal of Engineering (IOSRJEN) ISSN (e): 2250-3021, ISSN (p): 2278-8719 Vol. 04, Issue 06 (June. 2014), V1 PP 25-29 www.iosrjen.org Area Optimization in Masked Advanced Encryption Standard R.Vijayabhasker,
More informationECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos
ECE596C: Handout #7 Analysis of DES and the AES Standard Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract. In this lecture we analyze the security properties of DES and
More informationKey Separation in Twofish
Twofish Technical Report #7 Key Separation in Twofish John Kelsey April 7, 2000 Abstract In [Mur00], Murphy raises questions about key separation in Twofish. We discuss this property of the Twofish key
More informationCSCE 813 Internet Security Symmetric Cryptography
CSCE 813 Internet Security Symmetric Cryptography Professor Lisa Luo Fall 2017 Previous Class Essential Internet Security Requirements Confidentiality Integrity Authenticity Availability Accountability
More informationParity-based Concurrent Error Detection of Substitution-Permutation Network Block Ciphers
Parity-based Concurrent Error Detection of Substitution-Permutation Network Block Ciphers Ramesh Karri 1, Grigori Kuznetsov 2 and Michael Goessel 2 1 Department of Electrical and Computer Engineering Polytechnic
More informationAn Efficient Stream Cipher Using Variable Sizes of Key-Streams
An Efficient Stream Cipher Using Variable Sizes of Key-Streams Hui-Mei Chao, Chin-Ming Hsu Department of Electronic Engineering, Kao Yuan University, #1821 Jhongshan Rd., Lujhu Township, Kao-Hsiung County,
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Lecture 6 Michael J. Fischer Department of Computer Science Yale University January 27, 2010 Michael J. Fischer CPSC 467b, Lecture 6 1/36 1 Using block ciphers
More informationA Meet in the Middle Attack on Reduced Round Kuznyechik
IEICE TRANS. FUNDAMENTALS, VOL.Exx??, NO.xx XXXX 200x 1 LETTER Special Section on Cryptography and Information Security A Meet in the Middle Attack on Reduced Round Kuznyechik Riham ALTAWY a), Member and
More informationSecret Key Algorithms (DES)
Secret Key Algorithms (DES) G. Bertoni L. Breveglieri Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used
More informationChosen Ciphertext Attack on SSS
Chosen Ciphertext Attack on SSS Joan Daemen 1, Joseph Lano 2, and Bart Preneel 2 1 STMicroelectronics Belgium joan.daemen@st.com 2 Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC {joseph.lano,bart.preneel}@esat.kuleuven.ac.be
More informationCryptography [Symmetric Encryption]
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography [Symmetric Encryption] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationA NOVEL 256-BIT BLOCK CIPHER
5 A NOVEL 256-BIT BLOCK CIPHER Mohamed Fahmy Tolba mtolba@geganet.com. Mohamed Saeed Abdel Wahab wahabms@hotmail.com. Ashraf Saad Hussien ahrafh@acm.org. Mohamed Ahmed Abo El-Fotouh midono1@hotmail.com.
More informationCryptanalysis of malware encrypted output files. Nelson Uto CPqD
Cryptanalysis of malware encrypted output files Nelson Uto CPqD Agenda Introduction. Cryptanalysis of File #1. Cryptanalysis of File #2. Cryptanalysis of File #3. Introduction CPqD was hired by a big Brazilian
More informationPRNGs & DES. Luke Anderson. 16 th March University Of Sydney.
PRNGs & DES Luke Anderson luke@lukeanderson.com.au 16 th March 2018 University Of Sydney Overview 1. Pseudo Random Number Generators 1.1 Sources of Entropy 1.2 Desirable PRNG Properties 1.3 Real PRNGs
More informationCryptographic Algorithms - AES
Areas for Discussion Cryptographic Algorithms - AES CNPA - Network Security Joseph Spring Department of Computer Science Advanced Encryption Standard 1 Motivation Contenders Finalists AES Design Feistel
More informationFDTC 2010 Fault Diagnosis and Tolerance in Cryptography. PACA on AES Passive and Active Combined Attacks
FDTC 21 Fault Diagnosis and Tolerance in Cryptography PACA on AES Passive and Active Combined Attacks Christophe Clavier Benoît Feix Georges Gagnerot Mylène Roussellet Limoges University Inside Contactless
More informationTwo Attacks Against the HBB Stream Cipher
Two Attacks Against the HBB Stream Cipher Antoine Joux 1 and Frédéric Muller 2 1 DGA and Univ. Versailles St-Quentin Antoine.Joux@m4x.org 2 DCSSI Crypto Lab Frederic.Muller@sgdn.pm.gouv.fr Abstract. Hiji-Bij-Bij
More informationDiffie-Hellman Protocol as a Symmetric Cryptosystem
IJCSNS International Journal of Computer Science and Network Security, VOL.18 No.7, July 2018 33 Diffie-Hellman Protocol as a Symmetric Cryptosystem Karel Burda, Brno University of Technology, Brno, Czech
More information