Weak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis
|
|
- Shanon Pearson
- 6 years ago
- Views:
Transcription
1 Weak eys for a Related-ey Differential Attack Weak eys of the Full MISTY1 Block Cipher for Related-ey Cryptanalysis Institute for Infocomm Research, Agency for Science, Technology and Research, 1 Fusionopolis Way, Singapore jlu@i2r.a-star.edu.sg, lvjiqiang@hotmail.com Joint work with Wun-She Yap and Yongzhuang Wei. 28 March 212
2 Weak eys for a Related-ey Differential Attack Outline: 1 Block Cipher Cryptanalysis 2 The MISTY1 Block Cipher Weak eys for a Related-ey Differential Attack Weak eys for a Related-ey Amplified Boomerang Attack 5 Conclusions
3 Weak eys for a Related-ey Differential Attack 1.1 Block Cipher 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques An important primitive in symmetric-key cryptography. * Main purpose: provide confidentiality A most fundamental security goal. An algorithm that transforms a fixed-length data block into another data block of the same length under a secret user key. * Input: plaintext. * Output: ciphertext. * Three sub-algorithms: encryption, decryption, key schedule. Constructed by repeating a simple function many times, known as the iterated method. * An iteration: a round. * The repeated function: the round function. * The key used in a round: a round subkey. * The number of iterations: the number of rounds. * The round subkeys are generated from the user key under a key schedule algorithm.
4 Weak eys for a Related-ey Differential Attack 1.2 A Cryptanalytic Attack 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques An algorithm that distinguishes a cryptosystem from a random function. Usually measured using the following three metrics: * Data complexity The numbers of plaintexts and/or ciphertexts required. * Memory (storage) complexity The amount of memory required. * Time (computational) complexity The amount of computation or time required, how many encryptions/decryptions or memory accesses. Goals: * Break a cryptosystem (ideally, in a practical complexity). * Enable more secure cryptosystems to be designed.
5 Weak eys for a Related-ey Differential Attack 1.3 Four Cryptanalysis Scenarios 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques Ciphertext-only attack scenario * Have access to a number of ciphertexts. nown-plaintext attack scenario * Have access to a number of ciphertexts and the corresponding plaintexts. Chosen-plaintext/cipertext attack scenario * Can choose a number of plaintexts (or ciphertexts), and be given the corresponding ciphertexts (or plaintexts). Adaptive chosen plaintext and ciphertext attack scenario * Can choose plaintexts (or ciphertexts) and be given the corresponding ciphertexts (or plaintexts). Based on the information obtained, the attacker can then choose further plaintexts/ciphertexts, and be given the corresponding ciphertexts/plaintexts...
6 Weak eys for a Related-ey Differential Attack 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques 1.4 Three Elementary Cryptanalysis Techniques Assume an n-bit block cipher with a k-bit user key E ( ). A dictionary attack * Build a table of all possible ciphertexts corresponding to one particular plaintext, with one entry for each possible key: C i = E i (P). * Data: 2 k ciphertexts, Memory: 2 k n-bit, Time: negligible. A codebook attack: * Build a table of the ciphertexts for all the plaintexts encrypted using one unknown key: C i = E (P i ). * Data: 2 n plaintext-ciphertext pairs, Memory: 2 n n-bit, Time: negligible. An exhaustive key search (or brute force search) attack: * Try every possible key, given a known plaintext-ciphertext pair. The correct key will yield the correct correspondence: E i (P)? C. * Data: negligible, Memory: negligible, Time: 2 k encryptions.
7 Weak eys for a Related-ey Differential Attack 1.5 Advanced Cryptanalysis Techniques 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques An attack is commonly regarded as effective if it is faster than an exhaustive key search. A trade-off between data, time and/or memory. Meet-in-the-middle attack * Reflection-meet-in-the-middle attack, Higher-order meet-in-the-middle attack Differential cryptanalysis * Truncated differential, Higher-order differential, Impossible differential * Boomerang, Amplified boomerang, Rectangle attacks, Impossible boomerang Linear cryptanalysis Differential-linear cryptanalysis Integral cryptanalysis * Square attack, Saturation attack Slide attack, Reflection attack Related-key attack Algebraic cryptanalysis
8 Weak eys for a Related-ey Differential Attack Differential Cryptanalysis Introduced in 199 by Biham and Shamir. 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques Work in a chosen-plaintext/ciphertext attack scenario. Take advantage of how a specific difference in a pair of plaintexts can affect a difference in the pair of ciphertexts (under the same key). A differential is the combination of the input difference and the output difference. The probability of the differential (α, β) for an n-bit block cipher E, written α β, is Pr E ( α β) = Pr P {,1} n(e(p) E(P α) = β). For a random function, the expected probability of any differential is 2 n. If Pr E ( α β) > 2 n, we can use the differential to distinguish E from a random function.
9 Weak eys for a Related-ey Differential Attack 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques Related-ey (Differential) Cryptanalysis Independently introduced by nudsen in 1992 and Biham in Different from differential cryptanalysis: The pair of ciphertexts are obtained by encrypting the pair of plaintexts using two different keys with a particular relationship, e.g. certain difference. Probability of a related-key differential: Pr E,E ( α β) = Pr P {,1} n(e (P) E (P α) = β). For a random function, the expected probability of any related-key differential is 2 n. If Pr E,E ( α β) > 2 n, we can use the related-key differential to distinguish E from a random function.
10 Weak eys for a Related-ey Differential Attack Amplified Boomerang Attack 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques Introduced in 2 by elsey, ohno and Schneier (as a variant of the boomerang attack). Work in a chosen-plaintext/ciphertext attack scenario. Based on an amplified boomerang distinguisher: * Treat a block cipher E as a cascade of two sub-ciphers E = E E 1. * Defined to be a pair of differentials ( α β, γ δ): α β for E with probability p; γ δ for E 1 with probability q. * Concerned event: E(P) E(P ) = δ and E(P α) E(P α) = δ * Probability: p 2 q 2 2 n approximately (under assumptions). For a random function, the expected probability of any amplified boomerang distinguisher is 2 2n. If p 2 q 2 > 2 n, we can use the distinguisher to distinguish between E and a random function.
11 Weak eys for a Related-ey Differential Attack An Amplified Boomerang Distinguisher 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques P α P P α P E E E E β γ γ β E 1 E 1 E 1 E 1 C C δ δ C C concerned
12 Weak eys for a Related-ey Differential Attack 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques Related-ey Amplified Boomerang Attack A combination of the amplified boomerang attack and related-key cryptanalysis. Based on a related-key amplified boomerang distinguisher. * Treat a block cipher E as E = E E 1. * Work typically in a related-key attack scenario with four related keys A, B, C, D : A B = C D ; A C = B D. * Consist of four related-key differentials. * Concerned event: E A (P) E C (P ) = δ and E B (P α) E D (P α) = δ. * Probability: p 2 q 2 2 n approximately (under assumptions). For a random function, the expected probability of any related-key amplified boomerang distinguisher is 2 2n. If p 2 q 2 > 2 n, we can use the distinguisher to distinguish between E and a random function.
13 Weak eys for a Related-ey Differential Attack 1.1 Block Cipher 1.2 A Cryptanalytic Attack 1.3 Four Cryptanalytic Scenarios 1.4 Three Elementary Cryptanalysis Techniques 1.5 Advanced Cryptanalysis Techniques A Related-ey Amplified Boomerang Distinguisher P α P P α P E B E D E A E C β γ γ β E 1 B E 1 D E 1 A E 1 C C C δ δ C C concerned
14 Weak eys for a Related-ey Differential Attack 2.1 Introduction 2.1 Introduction 2.2 Structure 2.3 ey Schedule 2.4 Security Designed by Mitsubishi (Matsui et al.), published in A 64-bit block cipher, a user key of 128 bits, and a recommended number of 8 rounds, with a total of 1 key-dependent logical functions FL: * two FL functions at the beginning; * two FL functions inserted after every two rounds. A Japanese CRYPTREC-recommended e-government cipher, an European NESSIE selected cipher, an ISO international standard. Widely used in Mitsubishi products as well as in Japanese military.
15 Weak eys for a Related-ey Differential Attack 2.2 Structure 2.1 Introduction 2.2 Structure 2.3 ey Schedule 2.4 Security I ij2 FL 1 FL 2 L i1 L i2 Extnd Trunc Extnd S 9 S 7 S 9 FO 1 FO 2 (a) : FL i I ij1 (b) : FI ij FL 3 FL 4 FO 3. FL 9 FL 1 O i1 O i2 O i3 O i4 FI i1 FI i2 FI i3 (c) : FO i (d) : MISTY1
16 Weak eys for a Related-ey Differential Attack 2.3 ey Schedule 2.1 Introduction 2.2 Structure 2.3 ey Schedule 2.4 Security 1. Represent a user key as eight 16-bit words = ( 1, 2,, 8 ). 2. Generate a different set of eight 16-bit words 1, 2,, 8 by 3. Subkeys: i = FI( i, i+1 ), for i = 1, 2,, 8. O i1 = i, O i2 = i+2, O i3 = i+7, O i4 = i+4 ; I i1 = i+5, I i2 = i+1, I i3 = i+3; L i = i+1 i+1 +6, for i = 1, 3, 5, 7, 9; otherwise, L i = i +2 i
17 Weak eys for a Related-ey Differential Attack 2.4 Security 2.1 Introduction 2.2 Structure 2.3 ey Schedule 2.4 Security Has been extensively analysed against a variety of cryptanalytic methods. No whatever cryptanalytic attack on the full version.
18 Weak eys for a Related-ey Differential Attack 3.1 Related Work 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of Weak eys Dai and Chen s related-key differential attack on 8-round MISTY1 with only the last 8 FL functions (INSCRYPT 211). A class of 2 15 weak keys. * A weak key is a user key under which a cipher is more vulnerable to be attacked. A 7-round related-key differential characteristic with probability 2 6. Attacking the 8-round reduced version under weak keys. * Attack procedure is straightforward, by conducting a key recovery on FO 1 in a way similar to the early abort technique for impossible differential cryptanalysis. * Data complexity: 2 63 chosen ciphertexts. * Memory complexity: 2 35 bytes. * Time complexity: encryptions.
19 Weak eys for a Related-ey Differential Attack A Class of 2 15 Weak eys Three binary constants: * 7-bit a = 1; * 16-bit b = 11; * 16-bit c = 1. Let A, B be two 128-bit user keys: 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of Weak eys A = ( 1, 2, 3, 4, 5, 6, 7, 8), B = ( 1, 2, 3, 4, 5, 6, 7, 8). Let A, B be the corresponding 128-bit words generated by the key schedule: A = ( 1, 2, 3, 4, 5, 6, 7, 8 ), B = ( 1, 2, 3, 4, 5, 6, 7, 8 ). The class of weak keys is defined to be the set of all possible ( A, B ) satisfying the following 1 conditions: 6 6 = c, 5 5 = b, 6 6 = c, 6,12 =, 7,3 = 1, 7,12 =, 8,3 = 1, 4,3 = 1, 4,12 = 1, 7,3 =. The number: 1 = 2 16, 2 = 2 16, 3 = 2 16, ( 4, 5) = 2 3, ( 6, 7, 8) = Therefore, a total of 2 15 weak keys.
20 2 3 1 b c S 9 S7 S 9 I 311 S 9 S7 6 = c I 312 I 412 S 9 I 411 I 512 S 9 S7 S 9 I 511 I 612 S 9 S7 S 9 I = c 7 8 S 9 S7 I 322 S 9 I 321 I 422 = ( 2 a) S 9 S7 S 9 2 a I 421 = a S 9 S7 S 9 S7 I 522 = S 9 I 521 = a I 622 S 9 I 621 b S 9 S7 I 332 = S 9 S7 S 9 I 331 = a S 9 S7 S 9 S7 I 432 S 9 I 431 I 632 I 631 I 532 I 531 S 9 S 9 4 8,3 = c P r = 2 S 9 S7 S 9 S7 S 9 S7 I 212 S 9 I 211 I 712 S 9 I 711 c 4 1 S 9 S7 S 9 S7 I 222 S 9 I 221 I 722 S 9 I 721 c c 1 I 232 = ( 2 a) S 9 S7 S 9 2 a I 231 = a = c I S 9 S7 S 9 I 731 4,3 = 1, 4,12 = 1, 6,12 = P r = 2 8 R 4,3 = 1, R 4,12 = 1, 7,3 = 1, 7,12 = 6 = c P r = 2 16 c P r = 2 8 I 812 = ( 2 a) S 9 I 811 = a 2 S 9 S7 I 822 S 9 I S 9 S7 I 832 S 9 I 831 c 6 = c b 4 7,3 = 5 = b 7 b b 6 = c c Block Cipher Cryptanalysis Weak eys for a Related-ey Differential Attack 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of Weak eys A 7-Round Related-ey Differential Characteristic b c 16 P r = 2 8 Round b P r = 2 1 Round 3 Round 4 P r = a b Round 5 Round 6 c 16 2 c c P r = 2 1 Round 7 Round 8 c c 16
21 Weak eys for a Related-ey Differential Attack 3.2 A Corrected Class of Weak eys 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of Weak eys Focus on the 7-round related-key differential characteristic. P r = 2 16 c P r = 2 8 c Round 2 2 I 212 b S 9 S7 S 9 I 211 c 4 I 222 S 9 S7 S 9 I 221 c I 232 = ( 2 1 a) S 9 S7 S 9 2 a I 231 = a 6 = c Not all the 2 15 possible 7 (i.e. I 21 ) defined by the weak key class make Pr FI21 ( b c) >! The number of 7 defined by the weak key class is 2 15, the number of 7 satisfying Pr FI21 ( b c) > is about The number of 7 defined by the weak key class & satisfying Pr FI21 ( b c) > is about Pr FI21 ( b c) = 2 15 /2 14 /
22 Weak eys for a Related-ey Differential Attack 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of Weak eys P r = 2 16 c Round 7 I S 9 S7 S 9 I S 9 S7 S 9 6 = c I S 9 S7 S 9 I 711 I 721 I 731 Not all the 2 16 possible 2 (i.e. I 73 ) defined by the weak key class make Pr FI73 ( c c) >! The number of 2 defined by the weak key class is 2 16, the number of 2 satisfying Pr FI21 ( b c) > is The number of 2 defined by the weak key class & satisfying Pr FI73 ( c c) > is Pr FI73 ( c c) = 2 15.
23 Weak eys for a Related-ey Differential Attack 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of Weak eys As a result, A class of weak keys: 1 = 2 16, ( 2, 3 ) = 2 31, ( 4, 5 ) = 2 3, ( 6, 7, 8 ) * 3 = 2 16, 5 = * 7 = ; 7, 212 ( 6, 8). * 2,8 16 = 28, 3 = 216, 4,8 16 = 28. A 7-round related-key differential with probability * (b 32 c) ( 32 c 16 ).
24 Weak eys for a Related-ey Differential Attack Precomputation 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of Weak eys Hash table T 1 : (x, x η): The left halves of a plaintext pair 32 bits {}}{ Only three possible input differences η =?? X: output difference of FI 12 Store satisfying ( 1, 3, 2,8 16) into Table T 1 indexed by (x, η, X) (x, x η) c c 9 a Round 1 I 112 = 1 S 9 S7 S 9 I 111 = a b I 122 / 3 2,8 16 S 9 S7 S 9 I 121 X I S 9 S7 S 9 I 131 Y 5 b c Memory complexity: bytes; Time complexity: FI computations. For every (x, η, X), there are 2 23 satisfying ( 1, 3, 2,8 16) on average.
25 Weak eys for a Related-ey Differential Attack Hash table T 2 : 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of Weak eys Y : output difference of FI 13 Store satisfying ( 6, 7, 8 ) into Table T 2 indexed by (x, η, Y, 1, 4,8 16) (x, x η) c c 9 a X ( 9 a) Round 1 I 112 / 6,8 16 = 1 3 I 122 S 9 S7 b S 9 S 9 S7 S 9 I 111 / 6,1 7 = a I 121 X I 132 / 8 4,8 16 S 9 S7 S 9 I 131 Y 5 b c Memory complexity: bytes; Time complexity: FI computations. For every (x, η, Y, 1, 4,8 16), there are satisfying ( 6, 7, 8 ) on average.
26 Weak eys for a Related-ey Differential Attack Attack Outline 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of Weak eys η? FL c Output difference of FL 2 : (X c) (X Y ( 9 a)) 3 5 FL 2 Round 1 c 9 a X ( 9 a) I 112 = 1 I 122 I FI 11 3 FI 12 8 FI S 9 S7 b S 9 S 9 S7 S 9 S 9 S7 S 9 I 111 = a I 121 X I 131 Y X Y ( 9 a) 5 X ( 9 a) b 16 Step 1: Choose 2 6 ciphertext pairs with difference ( 32 c 16 ). Step 2: eep plaintext pairs with difference (η?) Step 3: Focus on FL 2. Guess ( 3, 5 ), compute X, Y. Step 4: Focus on FL 1 and FI 12. Obtain satisfying ( 1, 3, 2,8 16) from Table T 1. Step 5: Retrieve 4 from 3 = FI( 3, 4 ), compute 4 = FI( 4, 5 ). Step 6: Focus on FL 1, FI 11 and FI 13. Obtain satisfying ( 6, 7, 8 ) from Table T 2. Step 7: Increase 1 to counters for ( 1, 2,8 16, 3, 4, 5, 6, 7, 8 ). Step 8: For a subkey guess whose counter number is larger than or equal to 3, exhaustively search the remaining 7 key bits. 16 c
27 Weak eys for a Related-ey Differential Attack Attack Complexity 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of Weak eys Data complexity: 2 61 chosen ciphertexts. Memory complexity: bytes. Time complexity: encryptions. Success probability: 76%.
28 Weak eys for a Related-ey Differential Attack 3.4 Another Class of Weak eys Focus on the 7-round related-key differential characteristic: 3.1 Related Work 3.2 A Corrected Class of Weak eys and Improved 7-Round Related-ey Diff. 3.3 Attacking the Full MISTY1 under Weak eys 3.4 Another Class of Weak eys b c P r = 2 16 c P r = 2 8 c Round 2 I b S 9 S7 S 9 c I S 9 S7 S 9 c I 232 = ( 2 1 a) S 9 S7 S 9 6 = c I 211 I a I 231 = a. c 16 P r = 2 8 Round 8 I 812 = ( 2 a) 8 c S 9 S7 S 9 I S 9 S7 S 9 I S 9 S7 S 9 4 I 811 = a I 821 I 831 FL9 5 3 Consider the other possible value of 7,3, further classified by 1,3: 7,3 = 1, 1,3 = 1, = c c 7,3 = 1, 1,3 =, = 16 c FL1 7 7,3 = 1 c
29 Weak eys for a Related-ey Differential Attack 4.1 Related Work 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys Chen and Dai s related-key amplified boomerang attack on 8-round MISTY1 with only the first 8 FL functions (CHINACRYPT 211). A class of 2 9 weak keys. A 7-round related-key amplified boomerang distinguisher with probability Attacking the 8-round reduced version under weak keys. * Attack procedure is straightforward, by conducting a key recovery on FO 8 in a way similar to the early abort technique. * Data complexity: 2 63 chosen plaintexts. * Memory complexity: 2 65 bytes. * Time complexity: 2 7 encryptions.
30 Weak eys for a Related-ey Differential Attack A Class of 2 9 Weak eys 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys Let A, B, C, D be four 128-bit user keys: A = ( 1, 2, 3, 4, 5, 6, 7, 8), B = ( 1, 2, 3, 4, 5, 6, 7, 8), C = ( 1, 2, 3, 4, 5, 6, 7, 8), D = ( 1, 2, 3, 4, 5, 6, 7, 8). Let A, B, C, D be the corresponding 128-bit words generated by the key schedule: A = ( 1, 2, 3, 4, 5, 6, 7, 8 ), B = ( 1, 2, 3, 4, 5, 6, 7, 8 ), C = ( 1, 2, 3, 4, 5, 6, 7, 8 ), D = ( 1, 2, 3, 4, 5, 6, 7, 8 ). The class of weak keys is defined to be the set of all possible ( A, B, C, D ) satisfying the following 12 conditions: 2 2 = c, 6 6 = c, 1 1 = b, 5 5 = b, 2 2 = c, 6 6 = c, 5,3 = 1, 5,12 =, 4,3 =, 7,3 = 1, 7,12 =, 8,3 =. The number: 1 = 2 16, ( 2, 3) = 2 16, ( 4, 5) = 2 29, ( 6, 7) = 2 14, 8 = Therefore, a total of 2 9 weak keys.
31 Weak eys for a Related-ey Differential Attack 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys A 7-Round Related-ey Amp. Boo. Distinguisher A 7-round related-key amplified boomerang distinguisher with probability p 2 q 2 2 n = 1 2 (2 27 ) = under weak keys. * E : Rounds 1 2, including FL 4 but excluding FL 3. * E 1: Rounds 3 7, including FL 3 (but excluding FL 4). * Related-key differential α β for E : ( 48 b) ( 32 c 16 ) with probability 1. * Related-key differential γ δ for E 1: ( 48 b) with probability 2 27.
32 1 c 2 = = 5 2 = c c S 9 S7 S 9 I 311 S 9 S7 6 = c I 312 I 412 = S 9 I 411 = I 512 = S 9 S7 S 9 I 511 = I 612 S 9 S7 S 9 I = c 7 8 S 9 S7 I 322 S 9 I 321 I 422 = ( 2 a) S 9 S7 S 9 2 a I 421 = a S 9 S7 S 9 S7 I 522 = S 9 I 521 = a I 622 S 9 I 621 b 2 = S 9 S7 S 9 I 331 = a S 9 S7 S 9 S7 S 9 S7 I 332 = I 432 S 9 I 431 I 532 I 531 S 9 I 632 = S 9 I 631 = 4 8,3 = 2 = 7 S 9 S7 S 9 S7 S 9 S7 I 112 = S 9 I 111 = I 212 S 9 I 211 I 712 S 9 I S 9 S7 S 9 S7 S 9 S7 I 122 = S 9 I 121 = a I 222 S 9 I 221 I 722 S 9 I 721 b 8 1 S 9 S7 S 9 S7 I 132 S 9 I 131 I 232 = S 9 I 231 = 5,3 = 1, 5,12 = = 6 = c I 732 = 3 S 9 S7 S 9 I 731 = 5 4,3 = P r = 2 8 R 4,3 = 1, R 4,12 = 1, 7,3 = 1, 7,12 = 6 = P r = 2 16 c b b = b 5 = b 7 b b 6 = c c 8 P r = 2 2 P r = Block Cipher Cryptanalysis Weak eys for a Related-ey Differential Attack 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys The Two Related-ey Differentials Used 16 b a b Round 1 Round 2 c 16 c 16 (a): The related-key differential for Rounds b Round 3 Round 4 Round 5 9 a b Round 6 c c Round 7 (b): The related-key differential for Rounds 3 7
33 Weak eys for a Related-ey Differential Attack 4.2 An Improved 7-Round Distinguisher Focus on the second related-key differential: 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys P r = 2 16 c Round 7 I S 9 S7 S 9 I S 9 S7 S 9 6 = c I 732 = 3 S 9 S7 S 9 I 711 I 721 I 731 = Surprisingly, all the possible ( 2, 2 ) (i.e. I 73 ) defined by the weak key class make Pr FI73 ( c c) >! Pr FI73 ( c c) = Thus, a 7-round related-key amplified boomerang distinguisher with probability
34 Weak eys for a Related-ey Differential Attack Precomputation 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys Hash table T 1 : x {, 1} 32 : Input of FO 8 without 8. X: The right 9 bits of the output difference of FL 81 Y : Output difference of FL 83 Store satisfying x into Table T 1 indexed by ( 3, 5, 7, X, Y ). Round 8 a X a X Y (a X) 8 5 = b 1 = 2 = FI 81 FI 82 FI 83 a X Y a X 5 3? I 812 = ( 2 a) S 9 S7 S 9 a I 811 = a Memory complexity: 2 79 bytes; Time complexity: 2 71 FI computations. For every ( 3, 5, 7, X, Y ), there are 2 8 satisfying x on average. a X 7 1
35 Weak eys for a Related-ey Differential Attack Hash table T 2 : 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys x {, 1} 32 : Input of FL 1 1. λ: Output of FL 1 1 after being xored with ( 8 16 ). Store ( 1, 8 ) into Table T 2 indexed first by 7 and then by (x, λ). Round = b 1 = 2 = 7 3 FI 81 FI 82 FI FL 1? Memory complexity: 2 78 bytes; Time complexity: 2 76 FL computations. Set a binary marker, up and down, to the set of 2 32 (x, λ) under each ( 7, 1, 8 ).
36 Weak eys for a Related-ey Differential Attack Attack Outline 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys a X a X Y (a X) 8 5 = b 1 = 2 = 7 3 FI 81 FI 82 FI 83 a X Y 4 a X a X Y (a X) FL 9 FL 1? Step 1: Choose two sets of plaintext pairs with difference ( 48 b). Step 2: eep the quartets such that each ciphertext pair has difference (? ). Step 3: Focus on FL 9. Guess 3, keep the quartets such that each pair has 7-bit difference a. Step 4: Focus on FL 9. Guess 5, compute (X, Y ) and (X, Y ). Step 5: Guess 7, get the two possible values for 6, and compute 5. Step 6: Focus on FI 81 and FI 83. Obtain possible inputs to FO 8 excluding XOR with 8 from Table T 1. Step 7: Focus on FL 1. Obtain ( 1, 8) from Table T 2. Step 8: For a subkey guess whose counter is non-zero, exhaustively search the remaining key bits.
37 Weak eys for a Related-ey Differential Attack Attack Complexity 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys Data complexity: chosen plaintexts. Memory complexity: bytes. * On-line: ; * Off-line: Time complexity: encryptions. Success probability: 86%.
38 Weak eys for a Related-ey Differential Attack 4.1 Related Work 4.2 An Improved 7-Round Distinguisher 4.3 Attacking the Full MISTY1 under Weak eys 4.4 Three Other Classes of 2 9 Weak eys 4.4 Three Other Classes of 2 9 Weak eys Focus on the first related-key differential: Consider the three other possible combinations of (5,3, 5,12), further classified by ( 3,3, 3,12) FL1 Round 1 16 b ,3 = 1, 5,12 = 5 b I 112 = 1 I 122 = 3 I S b 9 S7 S b 9 S 9 S7 S 9 S 9 S7 S 9 I 111 = I 121 = a I 131 FL2 9 a b Round 2 c 16 I 2 = c 212 c S 9 S7 S 9 I S 9 S7 S 9 1 I 232 = S 9 S7 S 9 6 = I 211 I 221 I 231 = 4 4,3 = 6 = c 16 Thus, a total of 2 92 weak keys.
39 Weak eys for a Related-ey Differential Attack Have presented related-key differential and amplified boomerang attacks on the full MISTY1 algorithm under certain weak key assumptions. * Have described weak keys for a related-key differential attack on the full MISTY1. * Have described 2 92 weak keys for a related-key amplified boomerang attack on the full MISTY1. * Quite theoretical, for the attacks work under the assumptions of weak-key and related-key scenarios and their complexities are very high. The MISTY1 cipher does not behave like a random function (in the related-key model), and cannot be regarded to be an ideal cipher.
40 Weak eys for a Related-ey Differential Attack Summary of Main Cryptanalytic Results #Rounds FL #eys Attack Type Data Time Year 6 (1 6) yes Impossible differential 2 51 CP Enc (1 6) yes Higher-order differential CP Enc (3 8) yes Integral 2 32 CC Enc (1 7) yes Higher-order differential CP Enc (2 8) yes 2 73 Related-key amplified boomerang 2 54 CP Enc (1 8) yes 2 9 Related-key amplified boomerang 2 63 CP 2 7 Enc (1 8) yes 2 15 Related-key differential 2 63 CC Enc. 211 full yes Related-key differential 2 61 CC Enc Related-key amplified boomerang CP Enc. 212 CP: Chosen Plaintexts, CC: Chosen Ciphertexts, Enc.: Encryptions, : Exclude the first/last layer of two FL functions, : There is a flaw.
41 Weak eys for a Related-ey Differential Attack Thank you! Questions or Comments?
A Methodology for Differential-Linear Cryptanalysis and Its Applications
A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter: Jian Guo Institute for Infocomm Research, Agency for Science, Technology and Research, 1 Fusionopolis Way,
More informationThe Rectangle Attack
The Rectangle Attack and Other Techniques for Cryptanalysis of Block Ciphers Orr Dunkelman Computer Science Dept. Technion joint work with Eli Biham and Nathan Keller Topics Block Ciphers Cryptanalysis
More informationNew Cryptanalytic Results on IDEA
New Cryptanalytic Results on IDEA Eli Biham, Orr Dunkelman, Nathan Keller Computer Science Dept., Technion Dept. of Electrical Engineering ESAT SCD/COSIC, KUL Einstein Institute of Mathematics, Hebrew
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion, Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics
More informationNew Cryptanalytic Results on IDEA
New Cryptanalytic Results on IDEA Eli Biham, Orr Dunkelman, Nathan Keller Computer Science Dept., Technion Dept. of Electrical Engineering ESAT SCD/COSIC, KUL Einstein Institute of Mathematics, Hebrew
More informationLinear Cryptanalysis of Reduced Round Serpent
Linear Cryptanalysis of Reduced Round Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion Israel Institute of Technology, Haifa 32000, Israel, {biham,orrd}@cs.technion.ac.il,
More informationAttack on DES. Jing Li
Attack on DES Jing Li Major cryptanalytic attacks against DES 1976: For a very small class of weak keys, DES can be broken with complexity 1 1977: Exhaustive search will become possible within 20 years,
More informationMeet-in-the-Middle Attack on Reduced Versions of the Camellia Block Cipher
Meet-in-the-Middle Attack on educed Versions of the Camellia Block Cipher Jiqiang u 1,, Yongzhuang Wei 2,3, Enes Pasalic 4, and Pierre-Alain Fouque 5 1 Institute for Infocomm esearch, Agency for Science,
More informationAttacks on Advanced Encryption Standard: Results and Perspectives
Attacks on Advanced Encryption Standard: Results and Perspectives Dmitry Microsoft Research 29 February 2012 Design Cryptanalysis history Advanced Encryption Standard Design Cryptanalysis history AES 2
More informationPAPER Attacking 44 Rounds of the SHACAL-2 Block Cipher Using Related-Key Rectangle Cryptanalysis
IEICE TRANS FUNDAMENTALS VOLExx?? NOxx XXXX 2x PAPER Attacking 44 Rounds of the SHACAL-2 Block Cipher Using Related-Key Rectangle Cryptanalysis Jiqiang LU a and Jongsung KIM b SUMMARY SHACAL-2 is a 64-round
More informationDierential-Linear Cryptanalysis of Serpent? Haifa 32000, Israel. Haifa 32000, Israel
Dierential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel fbiham,orrdg@cs.technion.ac.il 2 Mathematics Department,
More informationSymmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.
Symmetric Key Algorithms Definition A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting. 1 Block cipher and stream cipher There are two main families
More informationMeet-in-the-Middle Attack on 8 Rounds of the AES Block Cipher under 192 Key Bits
Meet-in-the-Middle Attack on 8 Rounds of the AES Block Cipher under 192 Key Bits Yongzhuang Wei 1,3,, Jiqiang Lu 2,, and Yupu Hu 3 1 Guilin University of Electronic Technology, Guilin City, Guangxi Province
More informationSyrvey on block ciphers
Syrvey on block ciphers Anna Rimoldi Department of Mathematics - University of Trento BunnyTn 2012 A. Rimoldi (Univ. Trento) Survey on block ciphers 12 March 2012 1 / 21 Symmetric Key Cryptosystem M-Source
More informationCryptanalysis of Block Ciphers: A Survey
UCL Crypto Group Technical Report Series Cryptanalysis of Block Ciphers: A Survey Francois-Xavier Standaert, Gilles Piret, Jean-Jacques Quisquater REGARDS GROUPE http://www.dice.ucl.ac.be/crypto/ Technical
More informationFew Other Cryptanalytic Techniques
Few Other Cryptanalytic Techniques Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Boomerang Attack
More informationNew Attacks against Reduced-Round Versions of IDEA
New Attacks against Reduced-Round Versions of IDEA Pascal Junod École Polytechnique Fédérale de Lausanne Switzerland pascal@junod.info Abstract. In this paper, we describe a sequence of simple, yet efficient
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.2 Secret Key Cryptography CSC 474/574 Dr. Peng Ning 1 Agenda Generic block cipher Feistel cipher DES Modes of block ciphers Multiple encryptions Message
More informationDifferential Cryptanalysis
Differential Cryptanalysis See: Biham and Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. c Eli Biham - March, 28 th, 2012 1 Differential Cryptanalysis The Data
More informationAutomatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers
Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers 1 June 2010 1 Block Ciphers 2 The tool 3 Applications 4 Conclusion Basics P Block cipher E K (P) Input: Plaintext
More informationLinear Cryptanalysis of FEAL 8X Winning the FEAL 25 Years Challenge
Linear Cryptanalysis of FEAL 8X Winning the FEAL 25 Years Challenge Yaniv Carmeli Joint work with Prof. Eli Biham CRYPTODAY 2014 FEAL FEAL Published in 1987, designed by Miyaguchi and Shimizu (NTT). 64-bit
More informationCSCE 813 Internet Security Symmetric Cryptography
CSCE 813 Internet Security Symmetric Cryptography Professor Lisa Luo Fall 2017 Previous Class Essential Internet Security Requirements Confidentiality Integrity Authenticity Availability Accountability
More informationSecret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34
Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used for both encryption and decryption.
More informationAn Improved Truncated Differential Cryptanalysis of KLEIN
An Improved Truncated Differential Cryptanalysis of KLEIN hahram Rasoolzadeh 1, Zahra Ahmadian 2, Mahmoud almasizadeh 3, and Mohammad Reza Aref 3 1 imula Research Laboratory, Bergen, Norway, 2 hahid Beheshti
More informationKey Separation in Twofish
Twofish Technical Report #7 Key Separation in Twofish John Kelsey April 7, 2000 Abstract In [Mur00], Murphy raises questions about key separation in Twofish. We discuss this property of the Twofish key
More informationChapter 3 Block Ciphers and the Data Encryption Standard
Chapter 3 Block Ciphers and the Data Encryption Standard Last Chapter have considered: terminology classical cipher techniques substitution ciphers cryptanalysis using letter frequencies transposition
More informationTwo Attacks on Reduced IDEA (Extended Abstract)
1 Two Attacks on Reduced IDEA (Extended Abstract) Johan Borst 1, Lars R. Knudsen 2, Vincent Rijmen 2 1 T.U. Eindhoven, Discr. Math., P.O. Box 513, NL-5600 MB Eindhoven, borst@win.tue.nl 2 K.U. Leuven,
More informationPreliminary Cryptanalysis of Reduced-Round Serpent
Preliminary Cryptanalysis of Reduced-Round Serpent Tadayoshi Kohno 1,JohnKelsey 2, and Bruce Schneier 2 1 Reliable Software Technologies kohno@rstcorp.com 2 Counterpane Internet Security, Inc. {kelsey,schneier}@counterpane.com
More informationSymmetric Cryptography. Chapter 6
Symmetric Cryptography Chapter 6 Block vs Stream Ciphers Block ciphers process messages into blocks, each of which is then en/decrypted Like a substitution on very big characters 64-bits or more Stream
More informationSymmetric key cryptography
The best system is to use a simple, well understood algorithm which relies on the security of a key rather than the algorithm itself. This means if anybody steals a key, you could just roll another and
More informationReport on Present State of CIPHERUNICORN-A Cipher Evaluation (full evaluation)
Report on Present State of CIPHERUNICORN-A Cipher Evaluation (full evaluation) January 28, 2002 Masayuki Kanda, Member Symmetric-Key Cryptography Subcommittee 1 CIPHERUNICORN-A CIPHERUNICORN-A was presented
More informationA Brief Outlook at Block Ciphers
A Brief Outlook at Block Ciphers Pascal Junod École Polytechnique Fédérale de Lausanne, Suisse CSA 03, Rabat, Maroc, 10-09-2003 Content Generic Concepts DES / AES Cryptanalysis of Block Ciphers Provable
More informationImproved Integral Attacks on MISTY1
Improved Integral Attacks on MISTY1 Xiaorui Sun and Xuejia Lai Department of Computer Science Shanghai Jiao Tong University Shanghai, 200240, China sunsirius@sjtu.edu.cn, lai-xj@cs.sjtu.edu.cn Abstract.
More informationNarrow-Bicliques: Cryptanalysis of Full IDEA. Gaetan Leurent, University of Luxembourg Christian Rechberger, DTU MAT
Narrow-Bicliques: Cryptanalysis of Full IDEA Dmitry Khovratovich, h Microsoft Research Gaetan Leurent, University of Luxembourg Christian Rechberger, DTU MAT Cryptanalysis 101 Differential attacks Linear
More informationCryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái
Cryptography and Network Security Block Ciphers + DES Lectured by Nguyễn Đức Thái Outline Block Cipher Principles Feistel Ciphers The Data Encryption Standard (DES) (Contents can be found in Chapter 3,
More informationSecret Key Algorithms (DES)
Secret Key Algorithms (DES) G. Bertoni L. Breveglieri Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used
More informationCryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles
Cryptography and Network Security Chapter 3 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 3 Block Ciphers and the Data Encryption Standard All the afternoon Mungo had been working
More informationComputer Security 3/23/18
s s encrypt a block of plaintext at a time and produce ciphertext Computer Security 08. Cryptography Part II Paul Krzyzanowski DES & AES are two popular block ciphers DES: 64 bit blocks AES: 128 bit blocks
More informationA Practical Related-Key Boomerang Attack for the Full MMB Block Cipher
A Practical Related-Key Boomerang Attack for the Full MMB Block Cipher Tomer Ashur 1 and Orr Dunkelman 2 1 Department of Electrical Engineering and iminds ESAT/COSIC, KU Leuven, Belgium tashur@esat.kuleuven.be
More informationA Chosen-Plaintext Linear Attack on DES
A Chosen-Plaintext Linear Attack on DES Lars R. Knudsen and John Erik Mathiassen Department of Informatics, University of Bergen, N-5020 Bergen, Norway {lars.knudsen,johnm}@ii.uib.no Abstract. In this
More informationNetwork Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar
Network Security Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar Modern Block Ciphers now look at modern block ciphers one of the most widely used types
More informationRelated-key Attacks on Triple-DES and DESX Variants
Related-key Attacks on Triple-DES and DESX Variants Raphael C.-W. han Department of Engineering, Swinburne Sarawak Institute of Technology, 1st Floor, State Complex, 93576 Kuching, Malaysia rphan@swinburne.edu.my
More informationFundamentals of Cryptography
Fundamentals of Cryptography Topics in Quantum-Safe Cryptography June 23, 2016 Part III Data Encryption Standard The Feistel network design m m 0 m 1 f k 1 1 m m 1 2 f k 2 2 DES uses a Feistel network
More informationBlock Ciphers and Data Encryption Standard. CSS Security and Cryptography
Block Ciphers and Data Encryption Standard CSS 322 - Security and Cryptography Contents Block Cipher Principles Feistel Structure for Block Ciphers DES Simplified DES Real DES DES Design Issues CSS 322
More informationImproved Integral Attacks on MISTY1
Improved Integral Attacks on MISTY1 Xiaorui Sun Xuejia Lai Abstract We present several integral attacks on MISTY1 using the F O Relation, which is derived from Sakurai-Zheng Property used in previous attacks.
More informationComplementing Feistel Ciphers
Ivica Nikolić (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg 11 March 2013 1 Complementation Property 2 General Complementation Property
More informationRECTIFIED DIFFERENTIAL CRYPTANALYSIS OF 16 ROUND PRESENT
RECTIFIED DIFFERENTIAL CRYPTANALYSIS OF 16 ROUND PRESENT Manoj Kumar 1, Pratibha Yadav, Meena Kumari SAG, DRDO, Metcalfe House, Delhi-110054, India mktalyan@yahoo.com 1 ABSTRACT In this paper, we have
More informationSome Aspects of Block Ciphers
Some Aspects of Block Ciphers Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in CU-ISI Tutorial Workshop on Cryptology, 17 th July 2011 Palash Sarkar
More informationComputer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Cryptography Part II Paul Krzyzanowski Rutgers University Spring 2018 March 23, 2018 CS 419 2018 Paul Krzyzanowski 1 Block ciphers Block ciphers encrypt a block of plaintext at a
More informationpage 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas
Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher
More information7. Symmetric encryption. symmetric cryptography 1
CIS 5371 Cryptography 7. Symmetric encryption symmetric cryptography 1 Cryptographic systems Cryptosystem: t (MCKK GED) (M,C,K,K,G,E,D) M, plaintext message space C, ciphertext message space K, K, encryption
More informationCryptanalysis. Andreas Klappenecker Texas A&M University
Cryptanalysis Andreas Klappenecker Texas A&M University How secure is a cipher? Typically, we don t know until it is too late Typical Attacks against Encryption Algorithms Ciphertext only attack: The attacker
More informationBlock Ciphers and Stream Ciphers. Block Ciphers. Stream Ciphers. Block Ciphers
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2... M N. Then, each block M i is encrypted to the ciphertext block C i = K (M i ), and
More informationImproved Truncated Differential Attacks on SAFER
Improved Truncated Differential Attacks on SAFER Hongjun Wu * Feng Bao ** Robert H. Deng ** Qin-Zhong Ye * * Department of Electrical Engineering National University of Singapore Singapore 960 ** Information
More informationKey Recovery Attacks of Practical Complexity on AES-256 Variants With Up To 10 Rounds
Key Recovery Attacks of Practical Complexity on AES-256 Variants With Up To 10 Rounds Alex Biryukov 1, Orr Dunkelman 2,4, Nathan Keller 3,4, Dmitry Khovratovich 1, and Adi Shamir 4 1 University of Luxembourg,
More informationInternational Journal for Research in Applied Science & Engineering Technology (IJRASET) Performance Comparison of Cryptanalysis Techniques over DES
Performance Comparison of Cryptanalysis Techniques over DES Anupam Kumar 1, Aman Kumar 2, Sahil Jain 3, P Kiranmai 4 1,2,3,4 Dept. of Computer Science, MAIT, GGSIP University, Delhi, INDIA Abstract--The
More information1-7 Attacks on Cryptosystems
1-7 Attacks on Cryptosystems In the present era, not only business but almost all the aspects of human life are driven by information. Hence, it has become imperative to protect useful information from
More informationNew Attacks on Feistel Structures with Improved Memory Complexities
New Attacks on Feistel Structures with Improved Memory Complexities Itai Dinur 1, Orr Dunkelman 2,4,, Nathan Keller 3,4,, and Adi Shamir 4 1 Département d Informatique, École Normale Supérieure, Paris,
More informationBlock Ciphers Introduction
Technicalities Block Models Block Ciphers Introduction Orr Dunkelman Computer Science Department University of Haifa, Israel March 10th, 2013 Orr Dunkelman Cryptanalysis of Block Ciphers Seminar Introduction
More informationComputer Security CS 526
Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability
More informationA Chosen-key Distinguishing Attack on Phelix
A Chosen-key Distinguishing Attack on Phelix Yaser Esmaeili Salehani* and Hadi Ahmadi** * Zaeim Electronic Industries Co., Tehran, Iran. ** School of Electronic Engineering, Sharif University of Technology,
More informationCIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm
CIS 4360 Introduction to Computer Security Fall 2010 WITH ANSWERS in bold Name:.................................... Number:............ First Midterm Instructions This is a closed-book examination. Maximum
More informationA Related-Key Attack on TREYFER
The Second International Conference on Emerging Security Information, Systems and Technologies A Related-ey Attack on TREYFER Aleksandar ircanski and Amr M Youssef Computer Security Laboratory Concordia
More informationA SIMPLIFIED IDEA ALGORITHM
A SIMPLIFIED IDEA ALGORITHM NICK HOFFMAN Abstract. In this paper, a simplified version of the International Data Encryption Algorithm (IDEA) is described. This simplified version, like simplified versions
More informationElastic Block Ciphers: The Feistel Cipher Case
Elastic Block Ciphers: The Feistel Cipher Case Debra L. Cook Moti Yung Angelos D. Keromytis Department of Computer Science Columbia University, New York, NY dcook,moti,angelos @cs.columbia.edu Technical
More informationOn the Security of the 128-Bit Block Cipher DEAL
On the Security of the 128-Bit Block Cipher DAL Stefan Lucks Theoretische Informatik University of Mannheim, 68131 Mannheim A5, Germany lucks@th.informatik.uni-mannheim.de Abstract. DAL is a DS-based block
More informationSome Thoughts on Time-Memory-Data Tradeoffs
Some Thoughts on Time-Memory-Data Tradeoffs Alex Biryukov Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Heverlee, Belgium Abstract. In this paper we show that Time-Memory
More informationContent of this part
UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 5 More About Block Ciphers Israel Koren ECE597/697 Koren Part.5.1 Content of this
More informationA Meet-in-the-Middle Attack on 8-Round AES
A Meet-in-the-Middle Attack on 8-Round AES Hüseyin Demirci 1 and Ali Aydın Selçuk 2 1 Tübitak UEKAE, 41470 Gebze, Kocaeli, Turkey huseyind@uekae.tubitak.gov.tr 2 Department of Computer Engineering Bilkent
More informationBiclique Cryptanalysis of the Full AES
Biclique Cryptanalysis of the Full AES Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger K.U. Leuven, Belgium; Microsoft Research Redmond, USA; ENS Paris and Chaire France Telecom, France
More informationSymmetric Encryption Algorithms
Symmetric Encryption Algorithms CS-480b Dick Steflik Text Network Security Essentials Wm. Stallings Lecture slides by Lawrie Brown Edited by Dick Steflik Symmetric Cipher Model Plaintext Encryption Algorithm
More informationEncryption Details COMP620
Encryption Details COMP620 Encryption is a powerful defensive weapon for free people. It offers a technical guarantee of privacy, regardless of who is running the government It s hard to think of a more
More informationEnhanced Cryptanalysis of Substitution Cipher Chaining mode (SCC-128)
Enhanced Cryptanalysis of Substitution Cipher Chaining mode (SCC-128) Mohamed Abo El-Fotouh and Klaus Diepold Institute for Data Processing (LDV) Technische Universität München (TUM) 80333 Munich Germany
More informationc Eli Biham - March 13, Cryptanalysis of Modes of Operation (4) c Eli Biham - March 13, Cryptanalysis of Modes of Operation (4)
Single Modes: the S Modes of Operation Modes of Operation are used to hide patterns in the plaintexts, protect against chosen plaintext attacks, and to support fast on-line encryption with precomputation.
More informationEEC-484/584 Computer Networks
EEC-484/584 Computer Networks Lecture 23 wenbing@ieee.org (Lecture notes are based on materials supplied by Dr. Louise Moser at UCSB and Prentice-Hall) Outline 2 Review of last lecture Introduction to
More informationWenling Wu, Lei Zhang
LBlock: A Lightweight Block Cipher Wenling Wu, Lei Zhang Institute t of Software, Chinese Academy of Sciences 09-Jun-2011 Outline Background and Previous Works LBlock: Specification Design Rationale Security
More informationNew Kid on the Block Practical Construction of Block Ciphers. Table of contents
New Kid on the Block Practical Construction of Block Ciphers Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Substitution-permutation
More informationData Encryption Standard
ECE 646 Lecture 7 Data Encryption Standard Required Reading W. Stallings, "Cryptography and Network-Security," 5th Edition, Chapter 3: Block Ciphers and the Data Encryption Standard Chapter 6.1: Multiple
More informationPUFFIN: A Novel Compact Block Cipher Targeted to Embedded Digital Systems
PUFFIN: A Novel Compact Block Cipher Targeted to Embedded Digital Systems Huiju Cheng, Howard M. Heys, and Cheng Wang Electrical and Computer Engineering Memorial University of Newfoundland St. John's,
More informationReport on Present State of CIPHERUNICORN-E Cipher Evaluation (full evaluation)
Report on Present State of CIPHERUNICORN-E Cipher Evaluation (full evaluation) January 28, 2002 Toshio Tokita, Member Symmetric-Key Cryptography Subcommittee 1 CIPHERUNICORN-E CIPHERUNICORN-E was presented
More informationImproved Key Recovery Attacks on Reduced-Round AES with Practical Data and Memory Complexities
Improved Key Recovery Attacks on Reduced-Round AES with Practical Data and Memory Complexities Achiya Bar-On 1, Orr Dunkelman 2, Nathan Keller 1, Eyal Ronen 3, and Adi Shamir 3 1 Department of Mathematics,
More informationThe MESH Block Ciphers
The MESH Block Ciphers Jorge Nakahara Jr, Vincent Rijmen, Bart Preneel, Joos Vandewalle Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Belgium {jorge.nakahara,bart.preneel,joos.vandewalle}@esat.kuleuven.ac.be
More informationImproved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN
Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN Shahram Rasoolzadeh and Håvard Raddum Simula Research Laboratory Abstract. We study multidimensional meet-in-the-middle attacks on the
More informationBlock Ciphers and the Data Encryption Standard (DES) Modified by: Dr. Ramzi Saifan
Block Ciphers and the Data Encryption Standard (DES) Modified by: Dr. Ramzi Saifan Block ciphers Keyed, invertible Large key space, large block size A block of plaintext is treated as a whole and used
More informationP2_L6 Symmetric Encryption Page 1
P2_L6 Symmetric Encryption Page 1 Reference: Computer Security by Stallings and Brown, Chapter 20 Symmetric encryption algorithms are typically block ciphers that take thick size input. In this lesson,
More informationExternal Encodings Do not Prevent Transient Fault Analysis
External Encodings Do not Prevent Transient Fault Analysis Christophe Clavier Gemalto, Security Labs CHES 2007 Vienna - September 12, 2007 Christophe Clavier CHES 2007 Vienna September 12, 2007 1 / 20
More informationDifferential Cryptanalysis of Madryga
Differential Cryptanalysis of Madryga Ken Shirriff Address: Sun Microsystems Labs, 2550 Garcia Ave., MS UMTV29-112, Mountain View, CA 94043. Ken.Shirriff@eng.sun.com Abstract: The Madryga encryption algorithm
More informationSecret Key Cryptography
Secret Key Cryptography 1 Block Cipher Scheme Encrypt Plaintext block of length N Decrypt Secret key Cipher block of length N 2 Generic Block Encryption Convert a plaintext block into an encrypted block:
More informationAutomatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia, Khazad and Others
Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia, Khazad and Others Alex Biryukov and Ivica Nikolić University of Luxembourg {alex.biryukov,ivica.nikolic}uni.lu
More informationA New Technique for Sub-Key Generation in Block Ciphers
World Applied Sciences Journal 19 (11): 1630-1639, 2012 ISSN 1818-4952 IDOSI Publications, 2012 DOI: 10.5829/idosi.wasj.2012.19.11.1871 A New Technique for Sub-Key Generation in Block Ciphers Jamal N.
More informationPlaintext (P) + F. Ciphertext (T)
Applying Dierential Cryptanalysis to DES Reduced to 5 Rounds Terence Tay 18 October 1997 Abstract Dierential cryptanalysis is a powerful attack developed by Eli Biham and Adi Shamir. It has been successfully
More informationThe signal to noise ratio in the differential cryptanalysis of 9 rounds of data encryption standard
The signal to noise ratio in the differential cryptanalysis of 9 rounds of data encryption standard Regular paper Michał Misztal Abstract There is presented the differential cryptanalysis method of attack
More informationLecture 4: Symmetric Key Encryption
Lecture 4: Symmetric ey Encryption CS6903: Modern Cryptography Spring 2009 Nitesh Saxena Let s use the board, please take notes 2/20/2009 Lecture 1 - Introduction 2 Data Encryption Standard Encrypts by
More informationData Encryption Standard
ECE 646 Lecture 6 Data Encryption Standard Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5th Edition, Chapter 3: Block Ciphers and the Data Encryption Standard Chapter 6.1: Multiple
More informationElastic Block Ciphers: The Feistel Cipher Case
Elastic Block Ciphers: The Feistel Cipher Case Debra L. Cook Moti Yung Angelos D. Keromytis Department of Computer Science Columbia University, New York, NY dcook,moti,angelos @cs.columbia.edu Technical
More informationDoes Lightweight Cryptography Imply Slightsecurity?
Intro Security Examples Conclusions Does Lightweight Cryptography Imply Slightsecurity? Orr Dunkelman Computer Science Department University of Haifa 7 th July, 2014 Orr Dunkelman Lightweight? Slightsecurity
More informationCourse Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here
Course Business Midterm is on March 1 Allowed to bring one index card (double sided) Final Exam is Monday, May 1 (7 PM) Location: Right here 1 Cryptography CS 555 Topic 18: AES, Differential Cryptanalysis,
More informationCryptography and Network Security. Sixth Edition by William Stallings
Cryptography and Network Security Sixth Edition by William Stallings Chapter 3 Block Ciphers and the Data Encryption Standard All the afternoon Mungo had been working on Stern's code, principally with
More informationEvaluation of security level of CLEFIA
Evaluation of security level of CLEFIA An anonymous reviewer Version 1.0 January 25, 2011 1 Evaluation of security level of CLEFIA 1 Contents Executive Summary 3 References 4 1 Introduction 8 2 CLEFIA
More informationAn Overview of Cryptanalysis Research for the Advanced Encryption Standard
An Overview of Cryptanalysis Research for the Advanced Encryption Standard Alan Kaminsky, Rochester Institute of Technology Michael Kurdziel, Harris Corporation Stanisław Radziszowski, Rochester Institute
More information