Design of block ciphers
|
|
- Myron Cain
- 6 years ago
- Views:
Transcription
1 Design of block ciphers Joan Daemen STMicroelectronics and Radboud University University of Zagreb Zagreb, Croatia, March 23, / 49
2 Outline 1 Data Encryption Standard 2 Wide Trail Strategy 3 Rijndael 4 Lessons learnt from 17 years of public scrutiny 5 Conclusions 2 / 49
3 What modern block ciphers look like Iterated block cipher: Data path: transforms P to C iteration of a round function that shall be non-linear depends on a round key Key schedule generates round keys from cipher key K 3 / 49
4 Substitution-permutation network Round function with two (or three) layers substitution layer: lookup tables applied in parallel to blocks S-boxes non-linear: S(x y) = S(x) S(y) permutation layer: moves bits to different S-box positions either key-dependent S-boxes or third layer of key addition 4 / 49
5 But what do we want our block cipher to achieve? Formal security notion: PRP security PRP: Pseudorandom Permutation Infeasibility to distinguish B[K] from random permutation Covers all use cases where key is fixed and secret 5 / 49
6 Data Encryption Standard Outline 1 Data Encryption Standard 2 Wide Trail Strategy 3 Rijndael 4 Lessons learnt from 17 years of public scrutiny 5 Conclusions 6 / 49
7 Data Encryption Standard Data encryption standard Standard by and for US government By National Institute for Standardization and Technology (NIST) Designed by IBM in collaboration with NSA 1977: Federal Information Processing Standard (FIPS) 46 complete block cipher specification block length: 64 bits, key length: 56 bits no design rationale freely usable Massively adopted by banks and industry worldwide Dominated symmetric crypto for more than 20 years 7 / 49
8 Data Encryption Standard The Feistel structure State: left half L and right half R Alteration of involutions apply F to R i and add to L i swap left and right omit swap in last round B 1 similar to B same sequence of operations round keys in reversed order no need for F 1 used in DES 8 / 49
9 Data Encryption Standard Data encryption standard: overview data path key schedule 9 / 49
10 Data Encryption Standard DES algorithmic structure Data path 16-round Feistel Initial (IP) and final permutations (FP): no cryptographic significance historical, due to addressing in hardware implementation Key schedule 8 bits thrown away in permuted choice 1 (PC1) remaining 56-bit string split in two 28-bit strings rotated for each round over 1 or 2 bits 48-bit round key obtained with PC2 of these 56 bits each round key bit is just a cipher key bit 10 / 49
11 Data Encryption Standard Data encryption standard: F-function 4 layers: expansion E: from 32 to 48 bits bitwise round key addition substitution: 8 different 6-to-4 bit non-linear S-boxes permutation P: moving nearby bits to remote positions clearly hardware-oriented 11 / 49
12 Data Encryption Standard Data encryption standard: F-function 1 32 E RK S1 S2 S3 S4 S5 S6 S7 S8 P layers: expansion E: from 32 to 48 bits bitwise round key addition substitution: 8 different 6-to-4 bit non-linear S-boxes permutation P: moving nearby bits to remote positions clearly hardware-oriented 11 / 49
13 Data Encryption Standard Trouble for DES: Weak Keys What happens if the cipher key is all-zero? all round keys are all-zero all rounds are the same cipher and its inverse are the same Same is true for an all-one cipher key And two more keys due to symmetry in key schedule Weak key K w : DES[K w ] DES[K w ] = I Also 6 semi-weak key pairs (K 1, K 2 ) Mostly of academic interest DES[K 1 ] DES[K 2 ] = I 12 / 49
14 Data Encryption Standard Trouble for DES: Complementation Property What happens if we complement the cipher input? flip all bits in key flip all bits in plaintext In first round input to F complemented so output of E complemented round key also complemented so input to S-boxes unaffected output of F unaffected Output of first round is simply complemented Repeat this until you reach the ciphertext Complementation property: DES[K](P) = C = DES[K](P) = C Reduces effective key length from 56 bits to 55 bits 13 / 49
15 Data Encryption Standard Intermezzo: statistical attacks (simplified) Distinguisher Ω over r 1 rounds, for (almost) all keys property Ω should not be present in a random permutation Online part: collect many couples (C i, P i ) Offline part: recover k a of last round key make a guess k a for k a compute a i from C i K P if not Ω, k a is wrong Assumption: Key Data wrong k a destroys Ω variants and optimizations sched. path rounds rounds C 14 / 49
16 Data Encryption Standard Intermezzo: statistical attacks (simplified) Distinguisher Ω over r 1 rounds, for (almost) all keys property Ω should not be present in a random permutation Online part: collect many couples (C i, P i ) Offline part: recover k a of last round key make a guess k a for k a P compute a i from C i if not Ω, k a is wrong Assumption: wrong k a destroys Ω Distinguisher variants and optimizations a k a C 14 / 49
17 Data Encryption Standard Intermezzo: statistical attacks (simplified) Distinguisher Ω over r 1 rounds, for (almost) all keys property Ω should not be present in a random permutation Online part: collect many couples (C i, P i ) Offline part: recover k a of last round key make a guess k a for k a P compute a i from C i if not Ω, k a is wrong Assumption: p wrong k a destroys Ω variants and optimizations DP( p, a ) a a k a C 14 / 49
18 Data Encryption Standard Intermezzo: statistical attacks (simplified) Distinguisher Ω over r 1 rounds, for (almost) all keys property Ω should not be present in a random permutation Online part: collect many couples (C i, P i ) Offline part: recover k a of last round key make a guess k a for k a P compute a i from C i if not Ω, k a is wrong u Assumption: p wrong k a destroys Ω variants and optimizations C 2 (u p, u a ) u a a k a C 14 / 49
19 Data Encryption Standard Trouble for DES: Differential Cryptanalysis (DC) Statistical attack published by [Biham and Shamir, 1990] Distinguishing property: differential ( p, a ) difference p leads to difference a with probability DP( p, a ) Online phase: collect many pairs (P i, C i ), (P i, C i ) with P i P i = p Offline phase: per key guess k a compute a from C i and C i Required # pairs proportionate to 1/DP( p, a ) Biham-Shamir broke DES with 2 47 chosen plaintexts: 1000 TeraByte 13-round differential with DP guessing part of keys of last 2 rounds many subtleties and optimizations 15 / 49
20 Data Encryption Standard DC of DES: origin of fatal differential Difference propagation over multiple rounds called characteristic or differential trail Q differential probability of a trail DP(Q) product over the rounds special case: iterative trails important: # active S-boxes in trail for this trail DP( p, a ) DP(Q) for p Q a 1 S1 S2 S3 S4 S5 S6 S7 S8 32 E RK P / 49
21 Data Encryption Standard DC of DES: origin of fatal differential Difference propagation over multiple rounds called characteristic or differential trail Q differential probability of a trail DP(Q) product over the rounds special case: iterative trails important: # active S-boxes in trail for this trail DP( p, a ) DP(Q) for p Q a 16 / 49
22 Data Encryption Standard Trouble for DES: Linear Cryptanalysis (LC) Statistical attack published by Matsui 1992 Distinguishing property: correlation C(u p, u a ) between sum of plaintext bits u T pp and sum of output bits u T aa correlation C(u p, u a ) ranges between 1 and +1 Online phase: collect many couples (P i, C i ) Offline phase: per key guess k a compute a i from C i Required # pairs proportionate to 1/C 2 (u p, u a ) = 1/LP(u p, u a ) High correlation C(u p, u a ) constructed using linear trail dual of differential trails, propagation of masks u rather than difference patterns used trail has few active S-boxes Matsui broke DES with 2 43 known plaintexts: 64 TeraByte 17 / 49
23 Data Encryption Standard LC of DES: origin of fatal correlation Correlations over F If output mask is active in a single S-box only Its parity has high correlation with parity for some input mask Correlation contribution of a trail is product of correlation of rounds 1 32 E RK S1 S2 S3 S4 S5 S6 S7 S8 P / 49
24 Data Encryption Standard LC of DES: origin of fatal correlation Correlations over F If output mask is active in a single S-box only Its parity has high correlation with parity for some input mask Correlation contribution of a trail is product of correlation of rounds 18 / 49
25 Data Encryption Standard Trouble for DES: the short key Exhaustive key search: about trials More than 15 years ago: software cracking about workstations trials per second per workstation expected time: seconds: 2,5 months applied in cracking RSA labs DES challenge, June 97 Cracking using dedicated hardware COPACOBANA RIVYERA (2008) costs about $ board with 128 Spartan FPGAs. finds a DES key in less than a day Short DES key is real-world concern! 19 / 49
26 Data Encryption Standard The solution: Triple DES (FIPS 46-2 and 46-3) Double DES allows meet-in-the-middle attacks Three variants of Triple-DES 3-key: 168-bit key, only option allowed by NIST 2-key: 112-bit key K 3 = K 1 still massively deployed by banks worldwide 1-key: 56-bit key K 3 = K 2 = K 1 falls back to single DES thanks to inverse in middle 20 / 49
27 Wide Trail Strategy Outline 1 Data Encryption Standard 2 Wide Trail Strategy 3 Rijndael 4 Lessons learnt from 17 years of public scrutiny 5 Conclusions 21 / 49
28 Wide Trail Strategy Wide trail strategy a rationale for designing the data path round function main objectives: absence of differential trails with high DP absence of linear trails with high LP how? See next slides 22 / 49
29 Wide Trail Strategy Trails in substitution-permutation networks active S-box: non-zero input difference DP(Q) is product over its active S-boxes: i DP(Sbox i ) Assuming independence of propagation in active S-boxes 23 / 49
30 Wide Trail Strategy Trails in substitution-permutation networks active S-box: non-zero input difference DP(Q) is product over its active S-boxes: i DP(Sbox i ) Assuming independence of propagation in active S-boxes 23 / 49
31 Wide Trail Strategy NOT the wide trail strategy Naive approach to cipher design DP(Q) = i DP(Sbox i ) i DP max (Sbox i ) DC/LC of DES and SPN: few active S-boxes per round decrease DP(Q) (or LP(Q)): S-boxes with low maximum DP/LP For given S-box width b, upper bounds: DP max (Sbox) 2 1 b LP max (Sbox) 2 b Consensus in nineties: bigger S-boxes are better! Implementation complexity of S-boxes strongly increases with size software: lookup tables of size 2 b hardware: increase of combinatorial logic 24 / 49
32 Wide Trail Strategy Principle of wide trail Principle of the wide trail strategy Instead of big S-boxes have many active S-boxes Ensure that any trail has many active S-boxes multiple active S-boxes per round Separate layers for nonlinearity and diffusion nonlinear layer: S-boxes with some maximum DP and LP diffusion layer: ensures many S-boxes per trail Origin introduced early nineties for lightweight bit-oriented designs particular flavor became mainstream after Rijndael was chosen AES 25 / 49
33 Wide Trail Strategy Mixing layers and branch number Introducing mixing layers and their branch number A new type of transformation in the round function: mixing layer linear goal: each output bit depends on multiple input bits Desired properties of mixing layer: avalanche: few active bits at input many at output avalanche of inverse: few at output many at input Branch number B of a mixing layer minimum number of active bits at input and output two types: linear and differential relative to a state partition in bits, bytes, or 26 / 49
34 Wide Trail Strategy First-order approach Wide trail: first-order approach Round function with three layers round key addition nonlinearity: n S-boxes of b bits (say b = 8) mixing Use a mixing layer with highest possible branch number value: B = n + 1 defines a maximum distance separable code: MDS matrix # active S-boxes per two rounds B Strategy adopted in SHARK [SHARK, FSE 1996] b = 8, n = 8 so block length is 64 9 active S-boxes per 2 rounds first-order: locally optimizes worst-case 2-round behaviour 27 / 49
35 Wide Trail Strategy First-order approach First-order approach illustrated 28 / 49
36 Wide Trail Strategy First-order approach First-order approach illustrated S S S S S S S S S MDS S S S S S S S S S MDS 28 / 49
37 Wide Trail Strategy First-order approach The trouble with the first-order approach Mappings with high branch numbers are expensive software: n look-up tables with 2 8 entries of size 8n hardware: # gates per bit grows quickly as a function of n Instead of expensive big S-boxes, we now have expensive big MDS matrices 29 / 49
38 Wide Trail Strategy Second-order approach Second-order approach Round function with four layers round key addition nonlinearity: n S-boxes mixing: m parallel MDS mappings each taking n/m bytes dispersion: moving bytes/bits around Use an optimal dispersion layer moves bytes in MDS block to all different MDS blocks # active S-boxes per four rounds B 2 Strategy adopted in Square [Square, FSE 1997] b = 8, m = 4, n = 16 so block length is active S-boxes per 4 rounds 30 / 49
39 Wide Trail Strategy Second-order approach Second-order approach illustrated 31 / 49
40 Wide Trail Strategy Second-order approach Second-order approach illustrated 31 / 49
41 Rijndael Outline 1 Data Encryption Standard 2 Wide Trail Strategy 3 Rijndael 4 Lessons learnt from 17 years of public scrutiny 5 Conclusions 32 / 49
42 Rijndael The AES competition The start of the AES competition January 1997: NIST announces the AES initiative replacement of DES open call for block cipher proposals and for analysis, comparisons, etc. September 1997: official request for proposals faster than Triple-DES 128-bit blocks, 128-, 192- and 256-bit keys specs, reference and optimized code, test vectors design rationale and preliminary analysis patent waiver Vincent Rijmen and I decided to submit a variant of Square Most important change: multiple key and block lengths We call it Rijndael 33 / 49
43 Rijndael The AES competition The AES competition First round: August 1998 to August candidates at 1st AES conference in Ventura, California analysis presented at 2nd AES conf. in Rome, March 1999 NIST narrowed down to 5 finalists using this analysis Second round: August 1999 to summer 2000 analysis presented at 3rd AES conf. in New York, April 2000 NIST selected winner using this analysis Criteria security margin efficiency in software and hardware key agility simplicity NIST motivated their choice with two solid reports 34 / 49
44 Rijndael The cipher Rijndael Block cipher with block and key lengths {128, 160, 192, 224, 256} set of 25 block ciphers AES fixes block length to 128 and limits key length to multiples of 64 Simple round function with four steps (like Square) all rounds are identical except for the round keys and omission of mixing layer in last round parallel and symmetric Key schedule Expansion of cipher key to round key sequence Recursive procedure that can be done in-place Manipulates bytes with simple operations in GF(2 8 ) 35 / 49
45 Rijndael The layers of the round function The non-linear layer: SubBytes Single S-box with two layers y = x 1 in GF(2 8 ), or more exactly y = x 254 max LP = max DP = 2 6 [Nyberg, Eurocrypt 1993] Affine mapping: multiplication by 8 8 matrix in GF(2) to complicate the algebraic expressions 36 / 49
46 Rijndael The layers of the round function The mixing layer: MixColumns Single MDS mapping applied to columns: B = 5 Multiplication by a 4 4 circulant matrix in GF(2 8 ) Elements: 1, 1, x and x + 1 circulant MDS matrix with the simplest elements Inverse has more complex elements 37 / 49
47 Rijndael The layers of the round function The dispersion layer: ShiftRows Each row is shifted by a different amount Different shift offsets for higher block lengths 38 / 49
48 Rijndael The layers of the round function Round key addition: AddRoundKey 39 / 49
49 Rijndael The layers of the round function Key schedule: 192-bit key, 128-bit block example k 0 k 1 k 2 k 3 k 4 k 5 k 6 k 7 k 8 k 9 k 10 k 11 k 12 k 13 k 14 k Round key 0 Round key 1 Round key 2 k 6n = k 6n 6 f(k 6n 1 ) k i = k i 6 k i 1, i = 6n 40 / 49
50 Rijndael The layers of the round function Rijndael: summary # rounds: 6 + max(l k, l b ) with l k key and l b block length in 32-bit words last round has no MixColumns to make inverse similar to cipher 41 / 49
51 Rijndael The layers of the round function Rijndael: some distinguishing features Bounds on trails: minimum 25 active S-boxes in any 4-round trail DP(Q) 2 150, LP(Q) Symmetric and simple too simple to be secure? no successful attacks up to now Inverse is different and slightly more expensive Table-lookup implementation: 4 Kbytes of table 1 table-lookup + 1 XOR per byte per round inverse uses different tables No integer arithmetic as opposed to IDEA, SHA-1, SHA-2 42 / 49
52 Lessons learnt from 17 years of public scrutiny Outline 1 Data Encryption Standard 2 Wide Trail Strategy 3 Rijndael 4 Lessons learnt from 17 years of public scrutiny 5 Conclusions 43 / 49
53 Lessons learnt from 17 years of public scrutiny Heavily (crypt-)analyzed Many papers on AES and Rijndael IACR Crypto DB search on AES: about hits IACR Crypto DB search on Rijndael: about 1490 hits Not all are equally relevant or interesting We discuss some instructive attacks: square attack algebraic attacks biclique attacks 44 / 49
54 Lessons learnt from 17 years of public scrutiny The Square attack The Square attack Consider Square, predecessor of Rijndael DP of 4-round differential trails LP of 4-round linear trails So we thought 6 rounds would be sufficient Knudsen invents Square attack [Square, FSE 1997] input sets: constant in some and complete in other bytes properties decay only slowly through steps of the round broke up to 6 rounds of Square (or Rijndael) Lesson learnt: interpret trail bounds with caution later even stronger attacks, e.g., impossible differentials helped by byte-alignment and strong local diffusion remedy: just add rounds 45 / 49
55 Lessons learnt from 17 years of public scrutiny Algebraic cryptanalysis Algebraic attacks Algebraic attack on AES [Courtois, Pieprzyk, Asiacrypt 2002] consider the cipher as a set of algebraic equations simple equations due to multiplicative inverse, e.g. xy = 1 Another suspect property [Murphy, Robshaw, Crypto 2002] embedding AES in 8 times larger structure BES BES is fully linear in GF(2 8 ) except multiplicative inverse Both turned out to be false alarms ambitions of algebraic attacks have been adjusted since tools in statistical attacks attacks exploiting low degree of round function 46 / 49
56 Lessons learnt from 17 years of public scrutiny Biclique attacks Biclique attack [Khovratovich, Bogdanov, Rechberger, 2011] first academic single-key attacks of full AES covers all three AES key lengths Speed-up of exhaustive keysearch by a small factor (2 or 3) large (2 88 ) to modest (2 40 ) data complexity reducing proportion of AES to be computed for each key by combination of sophisticated tools and techniques Lessons learnt no practical threat and unlikely it can be improved some say this does not even qualify as an academic attack quasi all modern ciphers are vulnerable to biclique or similar attacks protecting against possible but very costly: huge # rounds 47 / 49
57 Conclusions Outline 1 Data Encryption Standard 2 Wide Trail Strategy 3 Rijndael 4 Lessons learnt from 17 years of public scrutiny 5 Conclusions 48 / 49
58 Conclusions Conclusions Modern block ciphers iterate a simple round function DES: historically important as test bed for attacks 3-key Triple-DES still reasonably secure today Wide trail strategy: inspired by linear and differential cryptanalysis Rijndael is fully based on the wide trail strategy AES (Rijndael) is the dominating block cipher nowadays omnipresent, even dedicated instructions in Intel CPUs (AES-NI) inspired many other block cipher and permutation designs 17 years of public scrutiny: no threatening attacks Thanks for your attention! 49 / 49
Introduction to Cryptology. Lecture 17
Introduction to Cryptology Lecture 17 Announcements HW7 due Thursday 4/7 Looking ahead: Practical constructions of CRHF Start Number Theory background Agenda Last time SPN (6.2) This time Feistel Networks
More informationGoals of Modern Cryptography
Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary
More informationWeek 5: Advanced Encryption Standard. Click
Week 5: Advanced Encryption Standard Click http://www.nist.gov/aes 1 History of AES Calendar 1997 : Call For AES Candidate Algorithms by NIST 128-bit Block cipher 128/192/256-bit keys Worldwide-royalty
More informationLecture 2: Secret Key Cryptography
T-79.159 Cryptography and Data Security Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi 1 Reminder: Communication Model Adversary Eve Cipher, Encryption
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Secret Key Cryptography Block cipher DES 3DES
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 5 January 23, 2012 CPSC 467b, Lecture 5 1/35 Advanced Encryption Standard AES Alternatives CPSC 467b,
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 5a January 29, 2013 CPSC 467b, Lecture 5a 1/37 Advanced Encryption Standard AES Alternatives CPSC 467b,
More informationCourse Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here
Course Business Midterm is on March 1 Allowed to bring one index card (double sided) Final Exam is Monday, May 1 (7 PM) Location: Right here 1 Cryptography CS 555 Topic 18: AES, Differential Cryptanalysis,
More informationFew Other Cryptanalytic Techniques
Few Other Cryptanalytic Techniques Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Boomerang Attack
More informationCryptography and Network Security. Sixth Edition by William Stallings
Cryptography and Network Security Sixth Edition by William Stallings Chapter 5 Advanced Encryption Standard Advance Encryption Standard Topics Origin of AES Basic AES Inside Algorithm Final Notes Origins
More informationUnderstanding Cryptography by Christof Paar and Jan Pelzl. Chapter 4 The Advanced Encryption Standard (AES) ver. October 28, 2009
Understanding Cryptography by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 4 The Advanced Encryption Standard (AES) ver. October 28, 29 These slides were prepared by Daehyun Strobel, Christof
More informationContent of this part
UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 4 The Advanced Encryption Standard (AES) Israel Koren ECE597/697 Koren Part.4.1
More informationFundamentals of Cryptography
Fundamentals of Cryptography Topics in Quantum-Safe Cryptography June 23, 2016 Part III Data Encryption Standard The Feistel network design m m 0 m 1 f k 1 1 m m 1 2 f k 2 2 DES uses a Feistel network
More informationSymmetric Cryptography. Chapter 6
Symmetric Cryptography Chapter 6 Block vs Stream Ciphers Block ciphers process messages into blocks, each of which is then en/decrypted Like a substitution on very big characters 64-bits or more Stream
More informationBlock Ciphers. Secure Software Systems
1 Block Ciphers 2 Block Cipher Encryption function E C = E(k, P) Decryption function D P = D(k, C) Symmetric-key encryption Same key is used for both encryption and decryption Operates not bit-by-bit but
More informationBlock Ciphers Introduction
Technicalities Block Models Block Ciphers Introduction Orr Dunkelman Computer Science Department University of Haifa, Israel March 10th, 2013 Orr Dunkelman Cryptanalysis of Block Ciphers Seminar Introduction
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Symmetric Cryptography January 20, 2011 Practical Aspects of Modern Cryptography 2 Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 7 September 23, 2015 CPSC 467, Lecture 7 1/1 Advanced Encryption Standard AES Alternatives CPSC 467,
More informationCSCI 454/554 Computer and Network Security. Topic 3.1 Secret Key Cryptography Algorithms
CSCI 454/554 Computer and Network Security Topic 3.1 Secret Key Cryptography Algorithms Outline Introductory Remarks Feistel Cipher DES AES 2 Introduction Secret Keys or Secret Algorithms? Security by
More informationin a 4 4 matrix of bytes. Every round except for the last consists of 4 transformations: 1. ByteSubstitution - a single non-linear transformation is a
Cryptanalysis of Reduced Variants of Rijndael Eli Biham Λ Nathan Keller y Abstract Rijndael was submitted to the AES selection process, and was later selected as one of the five finalists from which one
More informationData Encryption Standard (DES)
Data Encryption Standard (DES) Best-known symmetric cryptography method: DES 1973: Call for a public cryptographic algorithm standard for commercial purposes by the National Bureau of Standards Goals:
More informationCryptography and Network Security
Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 6: Advanced Encryption Standard (AES) Ion Petre Department of IT, Åbo Akademi University 1 Origin of AES 1999: NIST
More informationL3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015
L3. An Introduction to Block Ciphers Rocky K. C. Chang, 29 January 2015 Outline Product and iterated ciphers A simple substitution-permutation network DES and AES Modes of operations Cipher block chaining
More informationAIT 682: Network and Systems Security
AIT 682: Network and Systems Security Topic 3.1 Secret Key Cryptography Algorithms Instructor: Dr. Kun Sun Outline Introductory Remarks Feistel Cipher DES AES 2 Introduction Secret Keys or Secret Algorithms?
More informationNetwork Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar
Network Security Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar Modern Block Ciphers now look at modern block ciphers one of the most widely used types
More informationAdvanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50
Advanced Encryption Standard and Modes of Operation Foundations of Cryptography - AES pp. 1 / 50 AES Advanced Encryption Standard (AES) is a symmetric cryptographic algorithm AES has been originally requested
More informationCSc 466/566. Computer Security. 6 : Cryptography Symmetric Key
1/56 CSc 466/566 Computer Security 6 : Cryptography Symmetric Key Version: 2012/02/22 16:14:16 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian Collberg
More informationUNIT - II Traditional Symmetric-Key Ciphers. Cryptography & Network Security - Behrouz A. Forouzan
UNIT - II Traditional Symmetric-Key Ciphers 1 Objectives To define the terms and the concepts of symmetric key ciphers To emphasize the two categories of traditional ciphers: substitution and transposition
More informationComp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today
Comp527 status items Crypto Protocols, part 2 Crypto primitives Today s talk includes slides from: Bart Preneel, Jonathan Millen, and Dan Wallach Install the smart card software Bring CDs back to Dan s
More informationpage 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas
Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher
More informationFPGA Based Design of AES with Masked S-Box for Enhanced Security
International Journal of Engineering Science Invention ISSN (Online): 2319 6734, ISSN (Print): 2319 6726 Volume 3 Issue 5ǁ May 2014 ǁ PP.01-07 FPGA Based Design of AES with Masked S-Box for Enhanced Security
More informationComputer and Data Security. Lecture 3 Block cipher and DES
Computer and Data Security Lecture 3 Block cipher and DES Stream Ciphers l Encrypts a digital data stream one bit or one byte at a time l One time pad is example; but practical limitations l Typical approach
More informationChapter 7 Advanced Encryption Standard (AES) 7.1
Chapter 7 Advanced Encryption Standard (AES) 7.1 Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 7 Objectives To review a short history of AES To define
More informationICT 6541 Applied Cryptography. Hossen Asiful Mustafa
ICT 6541 Applied Cryptography Hossen Asiful Mustafa Encryption & Decryption Key (K) Plaintext (P) Encrypt (E) Ciphertext (C) C = E K (P) Same Key (K) Ciphertext (C) Decrypt (D) Plaintext (P) P = D K (C)
More informationData Encryption Standard
ECE 646 Lecture 6 Data Encryption Standard Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5th Edition, Chapter 3: Block Ciphers and the Data Encryption Standard Chapter 6.1: Multiple
More informationEncryption Details COMP620
Encryption Details COMP620 Encryption is a powerful defensive weapon for free people. It offers a technical guarantee of privacy, regardless of who is running the government It s hard to think of a more
More informationA Brief Outlook at Block Ciphers
A Brief Outlook at Block Ciphers Pascal Junod École Polytechnique Fédérale de Lausanne, Suisse CSA 03, Rabat, Maroc, 10-09-2003 Content Generic Concepts DES / AES Cryptanalysis of Block Ciphers Provable
More informationData Encryption Standard
ECE 646 Lecture 7 Data Encryption Standard Required Reading W. Stallings, "Cryptography and Network-Security," 5th Edition, Chapter 3: Block Ciphers and the Data Encryption Standard Chapter 6.1: Multiple
More informationBlock Ciphers. Lucifer, DES, RC5, AES. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk Block Ciphers 1
Block Ciphers Lucifer, DES, RC5, AES CS 470 Introduction to Applied Cryptography Ali Aydın Selçuk CS470, A.A.Selçuk Block Ciphers 1 ... Block Ciphers & S-P Networks Block Ciphers: Substitution ciphers
More informationBlock Ciphers and Stream Ciphers. Block Ciphers. Stream Ciphers. Block Ciphers
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2... M N. Then, each block M i is encrypted to the ciphertext block C i = K (M i ), and
More informationLecture 5. Encryption Continued... Why not 2-DES?
Lecture 5 Encryption Continued... 1 Why not 2-DES? 2DES: C = DES ( K1, DES ( K2, P ) ) Seems to be hard to break by brute force, approx. 2 111 trials Assume Eve is trying to break 2DES and has a single
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.2 Secret Key Cryptography CSC 474/574 Dr. Peng Ning 1 Agenda Generic block cipher Feistel cipher DES Modes of block ciphers Multiple encryptions Message
More informationStream Ciphers and Block Ciphers
Stream Ciphers and Block Ciphers Ruben Niederhagen September 18th, 2013 Introduction 2/22 Recall from last lecture: Public-key crypto: Pair of keys: public key for encryption, private key for decryption.
More informationSecret Key Cryptography
Secret Key Cryptography 1 Block Cipher Scheme Encrypt Plaintext block of length N Decrypt Secret key Cipher block of length N 2 Generic Block Encryption Convert a plaintext block into an encrypted block:
More informationComputer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Cryptography Part II Paul Krzyzanowski Rutgers University Spring 2018 March 23, 2018 CS 419 2018 Paul Krzyzanowski 1 Block ciphers Block ciphers encrypt a block of plaintext at a
More informationL3: Basic Cryptography II. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806
L3: Basic Cryptography II Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 8/29/2016 CSCI 451 -Fall 2016 1 Acknowledgement Many slides are from or
More informationSecret Key Algorithms (DES)
Secret Key Algorithms (DES) G. Bertoni L. Breveglieri Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used
More informationVortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less Multiplication
Vortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less ultiplication Shay Gueron 2, 3, 4 and ichael E. Kounavis 1 1 Corresponding author, Corporate Technology Group, Intel Corporation,
More information6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 6 Block Ciphers 6.1 Block Ciphers Block Ciphers Plaintext is divided into blocks of fixed length and every block is encrypted one at a time. A block cipher is a
More informationIntegral Cryptanalysis of the BSPN Block Cipher
Integral Cryptanalysis of the BSPN Block Cipher Howard Heys Department of Electrical and Computer Engineering Memorial University hheys@mun.ca Abstract In this paper, we investigate the application of
More informationOn the Design of Secure Block Ciphers
On the Design of Secure Block Ciphers Howard M. Heys and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University Kingston, Ontario K7L 3N6 email: tavares@ee.queensu.ca
More informationCryptographic Algorithms - AES
Areas for Discussion Cryptographic Algorithms - AES CNPA - Network Security Joseph Spring Department of Computer Science Advanced Encryption Standard 1 Motivation Contenders Finalists AES Design Feistel
More informationCryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles
Cryptography and Network Security Chapter 3 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 3 Block Ciphers and the Data Encryption Standard All the afternoon Mungo had been working
More informationAdvanced Encryption Standard
Advanced Encryption Standard Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK) - Krypto Group Faculty of Computer Science Graz University of Technology Outline Modern
More informationSecret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34
Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used for both encryption and decryption.
More informationLecture 4. Encryption Continued... Data Encryption Standard (DES)
Lecture 4 Encryption Continued... 1 Data Encryption Standard (DES) 64 bit input block 64 bit output block 16 rounds 64 (effective 56) bit key Key schedule computed at startup Aimed at bulk data >16 rounds
More informationComputer Security 3/23/18
s s encrypt a block of plaintext at a time and produce ciphertext Computer Security 08. Cryptography Part II Paul Krzyzanowski DES & AES are two popular block ciphers DES: 64 bit blocks AES: 128 bit blocks
More informationLecture 3: Symmetric Key Encryption
Lecture 3: Symmetric Key Encryption CS996: Modern Cryptography Spring 2007 Nitesh Saxena Outline Symmetric Key Encryption Continued Discussion of Potential Project Topics Project proposal due 02/22/07
More informationCENG 520 Lecture Note III
CENG 520 Lecture Note III Symmetric Ciphers block ciphers process messages in blocks, each of which is then en/decrypted like a substitution on very big characters 64-bits or more stream ciphers process
More informationChapter 3 Block Ciphers and the Data Encryption Standard
Chapter 3 Block Ciphers and the Data Encryption Standard Last Chapter have considered: terminology classical cipher techniques substitution ciphers cryptanalysis using letter frequencies transposition
More informationECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos
ECE596C: Handout #7 Analysis of DES and the AES Standard Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract. In this lecture we analyze the security properties of DES and
More informationLecture 4: Symmetric Key Encryption
Lecture 4: Symmetric ey Encryption CS6903: Modern Cryptography Spring 2009 Nitesh Saxena Let s use the board, please take notes 2/20/2009 Lecture 1 - Introduction 2 Data Encryption Standard Encrypts by
More informationAnalysis of the Use of Whirlpool s S-box, S1 and S2 SEED s S- box in AES Algorithm with SAC Test Novita Angraini, Bety Hayat Susanti, Magfirawaty
Information Systems International Conference (ISICO), 2 4 December 2013 Analysis of the Use of Whirlpool s S-box, S1 and S2 SEED s S- box in AES Algorithm with SAC Test Novita Angraini, Bety Hayat Susanti,
More informationStream Ciphers and Block Ciphers
Stream Ciphers and Block Ciphers 2MMC10 Cryptology Fall 2015 Ruben Niederhagen October 6th, 2015 Introduction 2/32 Recall: Public-key crypto: Pair of keys: public key for encryption, private key for decryption.
More informationCryptography Trends: A US-Based Perspective. Burt Kaliski, RSA Laboratories IPA/TAO Cryptography Symposium October 20, 2000
Cryptography Trends: A US-Based Perspective Burt Kaliski, RSA Laboratories IPA/TAO Cryptography Symposium October 20, 2000 Outline Advanced Encryption Standard Dominant design Thoughts on key size Advanced
More informationSymmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.
Symmetric Key Algorithms Definition A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting. 1 Block cipher and stream cipher There are two main families
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 50 Outline 1 Block Ciphers 2 The Data Encryption Standard (DES) 3 The Advanced Encryption Standard (AES) 4 Attacks
More informationIntroduction to Modern Symmetric-Key Ciphers
Introduction to Modern Symmetric-Key Ciphers 1 Objectives Review a short history of DES. Define the basic structure of DES. List DES alternatives. Introduce the basic structure of AES. 2 Data Encryption
More informationWeek 4. : Block Ciphers and DES
Week 4. : Block Ciphers and DES Model of Symmetric Cryptosystem Cryptanalyst Adversary M K E Insecure Channel D Plaintext M Ciphertext C Secure Channel Plaintext M Key K Shared Secret Key C = E K (M) D
More informationA Meet in the Middle Attack on Reduced Round Kuznyechik
IEICE TRANS. FUNDAMENTALS, VOL.Exx??, NO.xx XXXX 200x 1 LETTER Special Section on Cryptography and Information Security A Meet in the Middle Attack on Reduced Round Kuznyechik Riham ALTAWY a), Member and
More informationArea Optimization in Masked Advanced Encryption Standard
IOSR Journal of Engineering (IOSRJEN) ISSN (e): 2250-3021, ISSN (p): 2278-8719 Vol. 04, Issue 06 (June. 2014), V1 PP 25-29 www.iosrjen.org Area Optimization in Masked Advanced Encryption Standard R.Vijayabhasker,
More informationThe NSA's Role In Computer Security. Adrien Cheval Joe Willage
The NSA's Role In Computer Security Adrien Cheval Joe Willage Introduction NSA was created in 1952 Located in Ft. Meade, Maryland Cryptographic intelligence agency of the U.S. government Part of the Department
More informationAttacks on Advanced Encryption Standard: Results and Perspectives
Attacks on Advanced Encryption Standard: Results and Perspectives Dmitry Microsoft Research 29 February 2012 Design Cryptanalysis history Advanced Encryption Standard Design Cryptanalysis history AES 2
More informationCryptography Functions
Cryptography Functions Lecture 3 1/29/2013 References: Chapter 2-3 Network Security: Private Communication in a Public World, Kaufman, Perlman, Speciner Types of Cryptographic Functions Secret (Symmetric)
More informationImplementation and Performance analysis of Skipjack & Rijndael Algorithms. by Viswnadham Sanku ECE646 Project Fall-2001
Implementation and Performance analysis of Skipjack & Rijndael Algorithms by Viswnadham Sanku ECE646 Project Fall-2001 TABLE OF CONTENTS TABLE OF CONTENTS 2 1. OBJECTIVE 3 2. SKIPJACK CIPHER 3 2.1 CIPHER
More informationHOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)
AES Block Cipher Blockciphers are central tool in the design of protocols for shared-key cryptography What is a blockcipher? It is a function E of parameters k and n that maps { 0, 1} k { 0, 1} n { 0,
More informationSymmetric Cryptography. CS4264 Fall 2016
Symmetric Cryptography CS4264 Fall 2016 Correction: TA Office Hour Stefan Nagy (snagy2@vt.edu) Office hour: Thursday Friday 10-11 AM, 106 McBryde Hall 2 Slides credit to Abdou Illia RECAP AND HIGH-LEVEL
More informationEnhanced Cryptanalysis of Substitution Cipher Chaining mode (SCC-128)
Enhanced Cryptanalysis of Substitution Cipher Chaining mode (SCC-128) Mohamed Abo El-Fotouh and Klaus Diepold Institute for Data Processing (LDV) Technische Universität München (TUM) 80333 Munich Germany
More information3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some
3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some popular block ciphers Triple DES Advanced Encryption
More informationA Meet-in-the-Middle Attack on 8-Round AES
A Meet-in-the-Middle Attack on 8-Round AES Hüseyin Demirci 1 and Ali Aydın Selçuk 2 1 Tübitak UEKAE, 41470 Gebze, Kocaeli, Turkey huseyind@uekae.tubitak.gov.tr 2 Department of Computer Engineering Bilkent
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Previously on COS 433 Confusion/Diffusion Paradigm f 1 f 2 f 3 f 4 f 5 f 6 Round π 1 f 7 f 8 f 9 f 10 f 11 f 12 π 2 Substitution
More informationSecurity Analysis of Extended Sponge Functions. Thomas Peyrin
Security Analysis of Extended Sponge Functions Hash functions in cryptology: theory and practice Leiden, Netherlands Orange Labs University of Versailles June 4, 2008 Outline 1 The Extended Sponge Functions
More informationP2_L6 Symmetric Encryption Page 1
P2_L6 Symmetric Encryption Page 1 Reference: Computer Security by Stallings and Brown, Chapter 20 Symmetric encryption algorithms are typically block ciphers that take thick size input. In this lesson,
More informationThe Grindahl hash functions
The Grindahl hash functions Søren S. Thomsen joint work with Lars R. Knudsen Christian Rechberger Fast Software Encryption March 26 28, 2007 Luxembourg 1/ 17 1 Introduction 2 Grindahl 3 Design considerations
More informationBlock Ciphers and Data Encryption Standard. CSS Security and Cryptography
Block Ciphers and Data Encryption Standard CSS 322 - Security and Cryptography Contents Block Cipher Principles Feistel Structure for Block Ciphers DES Simplified DES Real DES DES Design Issues CSS 322
More informationImplementation of the block cipher Rijndael using Altera FPGA
Regular paper Implementation of the block cipher Rijndael using Altera FPGA Piotr Mroczkowski Abstract A short description of the block cipher Rijndael is presented. Hardware implementation by means of
More informationBlock Ciphers that are Easier to Mask How Far Can we Go?
Block Ciphers that are Easier to Mask How Far Can we Go? Benoît Gérard, Vincent Grosso, María Naya-Plasencia, François-Xavier Standaert DGA & UCL Crypto Group & INRIA CHES 2013 Santa Barbara, USA Block
More informationSymmetric Key Cryptography
Symmetric Key Cryptography Michael Huth M.Huth@doc.ic.ac.uk www.doc.ic.ac.uk/~mrh/430/ Symmetric Key Cryptography (3.1) Introduction Also known as SECRET KEY, SINGLE KEY, PRIVATE KEY Sender and Receiver
More informationSecurity against Timing Analysis Attack
International Journal of Electrical and Computer Engineering (IJECE) Vol. 5, No. 4, August 2015, pp. 759~764 ISSN: 2088-8708 759 Security against Timing Analysis Attack Deevi Radha Rani 1, S. Venkateswarlu
More informationCIT 380: Securing Computer Systems. Symmetric Cryptography
CIT 380: Securing Computer Systems Symmetric Cryptography Topics 1. Modular Arithmetic 2. What is Cryptography? 3. Transposition Ciphers 4. Substitution Ciphers 1. Cæsar cipher 2. Vigènere cipher 5. Cryptanalysis:
More informationKey Separation in Twofish
Twofish Technical Report #7 Key Separation in Twofish John Kelsey April 7, 2000 Abstract In [Mur00], Murphy raises questions about key separation in Twofish. We discuss this property of the Twofish key
More informationPRNGs & DES. Luke Anderson. 16 th March University Of Sydney.
PRNGs & DES Luke Anderson luke@lukeanderson.com.au 16 th March 2018 University Of Sydney Overview 1. Pseudo Random Number Generators 1.1 Sources of Entropy 1.2 Desirable PRNG Properties 1.3 Real PRNGs
More informationGoals for Today. Substitution Permutation Ciphers. Substitution Permutation stages. Encryption Details 8/24/2010
Encryption Details COMP620 Goals for Today Understand how some of the most common encryption algorithms operate Learn about some new potential encryption systems Substitution Permutation Ciphers A Substitution
More informationLinear Cryptanalysis of Reduced Round Serpent
Linear Cryptanalysis of Reduced Round Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion Israel Institute of Technology, Haifa 32000, Israel, {biham,orrd}@cs.technion.ac.il,
More informationDifferential Cryptanalysis
Differential Cryptanalysis See: Biham and Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. c Eli Biham - March, 28 th, 2012 1 Differential Cryptanalysis The Data
More information3 Symmetric Cryptography
CA4005: CRYPTOGRAPHY AND SECURITY PROTOCOLS 1 3 Symmetric Cryptography Symmetric Cryptography Alice Bob m Enc c = e k (m) k c c Dec m = d k (c) Symmetric cryptography uses the same secret key k for encryption
More informationEEC-484/584 Computer Networks
EEC-484/584 Computer Networks Lecture 23 wenbing@ieee.org (Lecture notes are based on materials supplied by Dr. Louise Moser at UCSB and Prentice-Hall) Outline 2 Review of last lecture Introduction to
More informationSymmetric key cryptography
The best system is to use a simple, well understood algorithm which relies on the security of a key rather than the algorithm itself. This means if anybody steals a key, you could just roll another and
More informationCryptography 2017 Lecture 3
Cryptography 2017 Lecture 3 Block Ciphers - AES, DES Modes of Operation - ECB, CBC, CTR November 7, 2017 1 / 1 What have seen? What are we discussing today? What is coming later? Lecture 2 One Time Pad
More informationThe CS 2 Block Cipher
The CS 2 Block Cipher Tom St Denis Secure Science Corporation tom@securescience.net Abstract. In this paper we describe our new CS 2 block cipher which is an extension of the original CS-Cipher. Our new
More information