c Eli Biham - March 13, Cryptanalysis of Modes of Operation (4) c Eli Biham - March 13, Cryptanalysis of Modes of Operation (4)
|
|
- Felix Thornton
- 5 years ago
- Views:
Transcription
1 Single Modes: the S Modes of Operation Modes of Operation are used to hide patterns in the plaintexts, protect against chosen plaintext attacks, and to support fast on-line encryption with precomputation. None of the modes can protect against known plaintext attacks. Cryptanalysis of Modes of Operation c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Single Modes: the S Modes of Operation (cont.) The standard modes of S are: Multiple Modes of Operation ue to the recent development in the analysis of S (including the ability to exhaustively search for keys), it was proposed to use multiple (cascaded) modes of operation. CB CBC CFB OFB Other modes were proposed: PCBC, counter mode, PFF, etc. We will call these modes single modes. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) xample: The Triple-CB Mode: Triple-S xample: The Triple-CBC Mode Claimed to be as secure as triple-s in (single) CBC mode: c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) xample: The CBC CBC 1 CBC Mode Was almost accepted as an ANSI standard: Advantages of Multiple Modes Multiple modes were claimed to have several advantages: 1. More secure than single modes, 2. As fast as single encryption on pipelinable hardware, 3. Attackers cannot know the feedbacks used during encryption, and thus cannot even mount known plaintext attacks! c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4)
2 ANSI Triple Modes Standardization ANSI X9F1 committee is working on a triple modes standard, already several years, which had to be accepted at the end of It included three kinds of modes: 1. The standard S modes, with (two or three-key) triple S as the underlying cipher. 2. Interleaved variants of the same modes, to allow efficient hardware implementations. 3. The CBCM mode (described later). Multiple Modes Cannot Reduce Strength Let A and B be two modes and let C be the combined double mode C=AB, whose component keys K A and K B are chosen independently. The following theorem shows that C is not weaker than either of its components. theorem: The cracking problem of either A or B is efficiently reducible to the cracking problem of C=AB. conclusion: A multiple mode may not be weaker than its strongest component, if the component keys are chosen independently. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Multiple Modes Cannot Reduce Strength (cont.) A counter-example when the keys are not independent: Multiple Modes Cannot Reduce Strength (cont.) The weakest components in this mode are those using. By methods described later, we can find the key K 1 of the first component using 2 18 chosen ciphertexts, and thus also of the third component using S. The key of the second component can then be easily found using 1000 chosen ciphertexts (or 2 24 known plaintexts). The third component (which uses S) by itself is much more resistant than the whole system, and cannot be attacked successfully by any known method with complexity smaller than S S S S S c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Cryptanalysis of Multiple Modes of Operation All the triple (cascaded) modes of operation of S are not much more secure than single modes (as they require up to complexity and plaintexts). The cryptanalytic techniques to attack multiple modes attack one single component mode at a time, and can be based on any technique to attack single modes, including differential and linear cryptanalysis, avies attack, and exhaustive search. The main observation is that the attacker can have some control over the unknown feedbacks, and can thus feed them with the data required to apply cryptanalysis of the single modes. To feed these values, the attacks are usually chosen plaintext or chosen ciphertext. Technique A: ifferential Cryptanalysis As an example we attack the CB CBC CBC mode: c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique A: ifferential Cryptanalysis (cont.) 1. Let Ω T be the ciphertext difference required to attack S with chosen ciphertexts (the usual attack from the opposite direction). 2. Assume that n pairs are required for an attack of S using this Ω T. Technique A: ifferential Cryptanalysis (cont.) 3. The attacker chooses n pairs of ciphertext tuples (,, ), and ( Ω T,, ), with arbitrary,,. 4. The attacker requests to decrypt the 6n blocks by the triple mode under the unknown keys. 5. The ciphertext difference in each pair of tuples is (Ω T, 0, 0). 6. After decryption of one component the difference is (, Ω T, 0). 7. After decryption of two components the difference is (,, Ω T ). 8. The plaintexts are known, and in particular and P 2. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4)
3 Technique A: ifferential Cryptanalysis (cont.) Technique A: ifferential Cryptanalysis (cont.) 9. We result with n pairs, P 2, for which Ω T Ω T 0 K1 ( ) K1 (P 2 ) = Ω T This is exactly the data required for differential cryptanalysis! 10. If the underlying cipher is S, we need 2 47 chosen ciphertext blocks to find the key of the CB component. The other component keys can be recovered by other techniques. Ω T 0 0 Known differences Known values c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique C: Linear Cryptanalysis As an example we attack the CBC CB CBC mode: Technique C: Linear Cryptanalysis (cont.) 1. The attacker chooses n tuples (,, ), with is chosen arbitrarily for each tuple, but and are fixed for all the tuples. 2. The attacker requests to decrypt the 3n blocks by the triple mode under the unknown keys. 3. The plaintexts are known, and in particular. 4. He gets n encryptions of the form K2 ( V 2 ) V 1 = where V 1 and V 2 are fixed, depend only on and. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique C: Linear Cryptanalysis (cont.) V 2 V 1 V 2 Fixed Fixed V 1 Technique C: Linear Cryptanalysis (cont.) 5. The independent key variant of linear cryptanalysis can find the actual subkeys used in this encryption, to which V 1 and V 2 are combined. Then, the key K 2, and V 1 and V 2 can be recovered. 6. If the underlying cipher is S, we need 2 60 chosen ciphertext blocks to find the key of the CB component. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique : Using xhaustive Search This technique uses exhaustive search for the component keys, and can thus be applied for any underlying cipher, independent of its internal operations. All the techniques described later use exhaustive search as a basic tool for more complex analysis, and thus also have this property. Technique : Using xhaustive Search (cont.) As an example we attack the CBC CBC CB mode: c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4)
4 Technique : Using xhaustive Search (cont.) 1. The attacker chooses one pair of tuples (,, ), (C 0,, ), where C He requests the plaintexts (,, ) and (P 0,P 1,P 2 ). 3. The value P 2 is the difference of the CB mode in the first block! Technique : Using xhaustive Search (cont.) P 2 P 2 0 P ifferences c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique : Using xhaustive Search (cont.) 4. The attacker exhaustively search all keys for K3 ( ) K3 (C 0) = P 2 Technique : Using xhaustive Search (cont.) A known plaintext variant: Given about 2 65 random known plaintext tuples, the birthday paradox predicts the existence of a pair (,, ) and (C 0,C 1, C 2) with = C 1 and = C 2! 5. The two tuples can be generated with only four chosen ciphertext blocks. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique : Using xhaustive Search (cont.) Another example: CBC 1 CB CBC Technique : Using xhaustive Search (cont.) xercise: Find all the three keys with 3 chosen plaintexts, or 2 64 known plaintexts. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique F: The Birthday Technique escribed on the triple-cbc mode: Technique F: The Birthday Technique (cont.) 1. We choose ciphertext tuples of the form (C,C,C,C). c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4)
5 Technique F: The Birthday Technique (cont.) 2. uring decryption we get Y X X X Y Z Technique F: The Birthday Technique (cont.) 3. The function X = K3 (C) C behaves like a random function, thus, given 2 33 such tuples, a collision is expected to occur with a high probability. 4. This collision can be identified by comparing the resultant plaintext block Z. A key search can be applied with 2 57 S encryptions. 5. Note: Collisions can occur in each of the CBC components, thus only a third occur in the last component. This increases the complexity by a factor of at most 3, without increase in the number of chosen ciphertexts. C C C C c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique G This technique enables to attack modes whose plaintext and ciphertext are mixed with some unknown feedback, or do not affect the encryption box at all. Technique G (cont.) The CB CB OFB mode: It is later used as a building block by the techniques described afterwards. We describe two variants of this technique on two examples: the triple mode CB CB OFB and on the double mode CBC OFB. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique G (cont.) Technique G (cont.) To attack this mode we choose a plaintext consisting of 2 64 equal blocks P. The CBC OFB mode: We result with a ciphertext,,..., which equals the output of the OFB component V i XORed with a fixed value. We choose some value u arbitrarily, and guess that it appears in the OFB stream. We encrypt it under all possible keys K, and test whether the difference u K (u) is a difference between two consecutive ciphertext blocks. We usually succeed, as the cycle of the OFB mode includes about 2 63 different blocks. Otherwise, we try another value u. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique G (cont.) In this case we attack the CBC component: we choose the ciphertext to consist of 2 64 C followed by 2 64 C. We get p pairs of the form Technique I: ouble Stream Ciphers The double-ofb mode seems difficult to analyze, as we cannot control the feedbacks: C V i = K1 (P i C V i 1 ) C V i = K1 (P i C V i 1 ) where p is the period of the OFB component. Again, we guess a value u arbitrarily, and hope that it is one of the V i s in the cycle (whose period is very easily identified from the plaintexts). We compute P i V i 1 and Pi V i 1 (for the unknown i) by the above equations, and test whether the resultant difference equals P i Pi for some i. As a bonus we also recover the OFB stream. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4)
6 Technique I: ouble Stream Ciphers (cont.) The attack: Preliminaries: enote the stream by: s i = a i b i where a i and b i are the original two OFB streams. The sum stream is known by s i = P i C i. We start by finding the periods of the two components OFBs: denote them by k and l (WLG k < l, and k + l is even). Both periods are expected to be about 2 64, and thus the expected period of {s i } is about Technique I: ouble Stream Ciphers (cont.) We know that And thus also s i = a i b i = a i modk b i modl s 0 = a 0 b 0 s k = a k b k = a 0 b k s l = a l b l = a l b 0 s k+l = a k+l b k+l = a l b k from which we derive s 0 s k s l s k+l = 0 c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique I: ouble Stream Ciphers (cont.) In order to use this equation, we need to know both k and l, and there are too many possibilities to try. Therefore, we rewrite the equations (shifted in the stream by i (k + l)/2 blocks, for any i) as s i (k+l)/2 = a i (k+l)/2 b i (k+l)/2 s i (l k)/2 = a i (l k)/2 b i (l k)/2 = a i (k+l)/2 b i+(k+l)/2 s i+(l k)/2 = a i+(l k)/2 b i+(l k)/2 = a i+(k+l)/2 b i (k+l)/2 s i+(k+l)/2 = a i+(k+l)/2 b i+(k+l)/2 Technique I: ouble Stream Ciphers (cont.) We define S i to be the concatenation of s i and s i+1, in order to increase the block size and to reduce random effects. Then, We define S i (k+l)/2 S i+(k+l)/2 = S i (l k)/2 S i+(l k)/2. and for i = 2 64 get the equation j = S 2 64 j S j and thus s i (k+l)/2 s i+(k+l)/2 = s i (l k)/2 s i+(l k)/2. (k+l)/2 = (l k)/2. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique I: ouble Stream Ciphers (cont.) Finding the periods: The attack we use is a start in the middle attack. Given 2 65 stream blocks, we compute j for each j = 1, 2,...,2 64 and search for two distinct j s (j 1 > j 2 ) for which Technique I: ouble Stream Ciphers (cont.) Given the periods, we can compute the component streams up to XOR with an unknown value. Technique G can then be applied and find the keys. This technique (I) can be used against many other modes which can be viewed as double-ofb-like, such as the CBC 1 CBC OFB, whose first two components have period about 2 64 when fed with a fixed plaintext block. j1 = j2 by keeping the values in a hash table, and waiting till some value is entered twice into the table. These j 1 and j 2 satisfy from which we conclude that S 2 64 j1 S 2 64 j2 S j2 S j1 = 0 k = j 1 j 2 and l = j 1 + j 2. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique J: Multiple Stream Ciphers The triple-ofb mode is more complex: Technique J: Multiple Stream Ciphers (cont.) The following LFSR generates this mode: s k+l+m = s 0 s k s l s m s k+l s k+m s l+m The previous technique is not applicable to more than two components. So, how can we recover this LFSR? c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4)
7 Technique J: Multiple Stream Ciphers (cont.) The Berlekamp-Massey algorithm: The Berlekamp-Massey algorithm finds the shortest generating polynomial of a given sequence. Assume that s k+l+m = s 0 s k s l s m s k+l s k+m s l+m is the minimal polynomial, it gives us the periods! But it is not minimal. Technique J: Multiple Stream Ciphers (cont.) In polynomial notation where Q(x) = x k+l+m + x l+m + x k+m + x k+l + x m + x l + x k + x 0 = = Q k (x)q l (x)q m (x) = 0, Q k (x) = x k + 1 = ( k 1 Q l(x) = x l + 1 = ( l 1 j=0 xj )(x + 1) j=0 xj )(x + 1) Q m (x) = x m + 1 = ( m 1 j=0 xj )(x + 1) The minimal polynomial of s i is, Q (x) = lcm(q k (x),q l (x),q m (x)) which, when k, l, and m are coprimes is Q (x) = Q(x)/(x + 1) 2 of degree k + l + m 2. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique J: Multiple Stream Ciphers (cont.) Thus, it is usually easy to find the polynomial Q(x) from the minimal polynomial, and thus the periods can be found. Then, technique G can be used to find the keys. Technique J: Multiple Stream Ciphers (cont.) Problem: The Berlekamp-Massey algorithm has complexity n 2, and thus it takes steps to find the minimal polynomial, given a stream of size k + l + m < However, there is a variant of the Berlekamp-Massey algorithm, called the recursive Berlekamp-Massey algorithm, whose complexity is only O(n log n log log n). This complexity is about log 66 = 2 75 when n 2 66, i.e., when up to four OFB streams are combined. These 2 75 steps are very simple, and are faster to apply than 2 66 S encryptions. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique H This mode is one of the most complicated to attack: Technique H (cont.) It would be too complicated do describe the attack here. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) The CBCM Mode The CBCM Mode (cont.) This mode was designed by IBM (Coppersmith, Johnson, Matyas) to be invulnerable to the attacks described above, and will soon be an ANSI standard. P 5 It uses two kinds of feedbacks: 1. Outer CBC feedback. 2. Two application of additional inner OFB single mode. M1 M2 M3 M4 M5 It is claimed that this construction is immune against the above attacks, as the cryptanalyst has no way to affect the inner feedbacks. C 5 c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4)
8 The CBCM Mode (cont.) where M 1, M 2,... are the output blocks of an OFB mode with as the initial value, encrypted under the key K 3 : Related Works 1. Attacking 4-round Feistel ciphers, in which S is used as the roundfunction (Biham; Knudsen; Coppersmith) 2. All-or-Nothing encryption (Rivest) 3. ANSI X9.52 triple modes, and the CBCM mode. M1 M2 M3 M4 M5 c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4)
Technion - Computer Science Department - Technical Report CS
[13] National Bureau of Standards, DS Modes of Operation, U.S. Department of Commerce, FIPS pub. 81, December 1980. [14] Paul C. van Oorschot, Michael J. Wiener, A Known Plaintext Attack on Two-Key Triple
More informationDifferential Cryptanalysis
Differential Cryptanalysis See: Biham and Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. c Eli Biham - March, 28 th, 2012 1 Differential Cryptanalysis The Data
More informationCHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))
CHAPTER 6. SYMMETRIC CIPHERS Multiple encryption is a technique in which an encryption algorithm is used multiple times. In the first instance, plaintext is converted to ciphertext using the encryption
More informationBlock Ciphers and Stream Ciphers. Block Ciphers. Stream Ciphers. Block Ciphers
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2... M N. Then, each block M i is encrypted to the ciphertext block C i = K (M i ), and
More informationThe Rectangle Attack
The Rectangle Attack and Other Techniques for Cryptanalysis of Block Ciphers Orr Dunkelman Computer Science Dept. Technion joint work with Eli Biham and Nathan Keller Topics Block Ciphers Cryptanalysis
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion, Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics
More informationRelated-key Attacks on Triple-DES and DESX Variants
Related-key Attacks on Triple-DES and DESX Variants Raphael C.-W. han Department of Engineering, Swinburne Sarawak Institute of Technology, 1st Floor, State Complex, 93576 Kuching, Malaysia rphan@swinburne.edu.my
More informationBlock Cipher Operation. CS 6313 Fall ASU
Chapter 7 Block Cipher Operation 1 Outline q Multiple Encryption and Triple DES q Electronic Codebook q Cipher Block Chaining Mode q Cipher Feedback Mode q Output Feedback Mode q Counter Mode q XTS-AES
More informationIDEA, RC5. Modes of operation of block ciphers
C 646 - Lecture 8 IDA, RC5 Modes of operation of block ciphers Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5th dition, Chapter 6 Block Cipher Operation II. A. Menezes, P. van
More information3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some
3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some popular block ciphers Triple DES Advanced Encryption
More informationNew Cryptanalytic Results on IDEA
New Cryptanalytic Results on IDEA Eli Biham, Orr Dunkelman, Nathan Keller Computer Science Dept., Technion Dept. of Electrical Engineering ESAT SCD/COSIC, KUL Einstein Institute of Mathematics, Hebrew
More informationChapter 3 Block Ciphers and the Data Encryption Standard
Chapter 3 Block Ciphers and the Data Encryption Standard Last Chapter have considered: terminology classical cipher techniques substitution ciphers cryptanalysis using letter frequencies transposition
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.2 Secret Key Cryptography CSC 474/574 Dr. Peng Ning 1 Agenda Generic block cipher Feistel cipher DES Modes of block ciphers Multiple encryptions Message
More informationLinear Cryptanalysis of Reduced Round Serpent
Linear Cryptanalysis of Reduced Round Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion Israel Institute of Technology, Haifa 32000, Israel, {biham,orrd}@cs.technion.ac.il,
More informationCIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)
CIS 6930/4930 Computer and Network Security Topic 3.1 Secret Key Cryptography (Cont d) 1 Principles for S-Box Design S-box is the only non-linear part of DES Each row in the S-Box table should be a permutation
More informationin a 4 4 matrix of bytes. Every round except for the last consists of 4 transformations: 1. ByteSubstitution - a single non-linear transformation is a
Cryptanalysis of Reduced Variants of Rijndael Eli Biham Λ Nathan Keller y Abstract Rijndael was submitted to the AES selection process, and was later selected as one of the five finalists from which one
More information7. Symmetric encryption. symmetric cryptography 1
CIS 5371 Cryptography 7. Symmetric encryption symmetric cryptography 1 Cryptographic systems Cryptosystem: t (MCKK GED) (M,C,K,K,G,E,D) M, plaintext message space C, ciphertext message space K, K, encryption
More informationDierential-Linear Cryptanalysis of Serpent? Haifa 32000, Israel. Haifa 32000, Israel
Dierential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel fbiham,orrdg@cs.technion.ac.il 2 Mathematics Department,
More informationNew Cryptanalytic Results on IDEA
New Cryptanalytic Results on IDEA Eli Biham, Orr Dunkelman, Nathan Keller Computer Science Dept., Technion Dept. of Electrical Engineering ESAT SCD/COSIC, KUL Einstein Institute of Mathematics, Hebrew
More informationDouble-DES, Triple-DES & Modes of Operation
Double-DES, Triple-DES & Modes of Operation Prepared by: Dr. Mohamed Abd-Eldayem Ref.: Cryptography and Network Security by William Stallings & Lecture slides by Lawrie Brown Multiple Encryption & DES
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 50 Outline 1 Block Ciphers 2 The Data Encryption Standard (DES) 3 The Advanced Encryption Standard (AES) 4 Attacks
More informationImproved Truncated Differential Attacks on SAFER
Improved Truncated Differential Attacks on SAFER Hongjun Wu * Feng Bao ** Robert H. Deng ** Qin-Zhong Ye * * Department of Electrical Engineering National University of Singapore Singapore 960 ** Information
More informationContent of this part
UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 5 More About Block Ciphers Israel Koren ECE597/697 Koren Part.5.1 Content of this
More informationHomework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING
UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING ENEE 457 Computer Systems Security Instructor: Charalampos Papamanthou Homework 2 Out: 09/23/16 Due: 09/30/16 11:59pm Instructions
More informationAttack on DES. Jing Li
Attack on DES Jing Li Major cryptanalytic attacks against DES 1976: For a very small class of weak keys, DES can be broken with complexity 1 1977: Exhaustive search will become possible within 20 years,
More informationpage 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas
Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher
More informationA Related Key Attack on the Feistel Type Block Ciphers
International Journal of Network Security, Vol.8, No.3, PP.221 226, May 2009 221 A Related Key Attack on the Feistel Type Block Ciphers Ali Bagherzandi 1,2, Mahmoud Salmasizadeh 2, and Javad Mohajeri 2
More informationImproved Attack on Full-round Grain-128
Improved Attack on Full-round Grain-128 Ximing Fu 1, and Xiaoyun Wang 1,2,3,4, and Jiazhe Chen 5, and Marc Stevens 6, and Xiaoyang Dong 2 1 Department of Computer Science and Technology, Tsinghua University,
More informationCSCI 454/554 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation
CSCI 454/554 Computer and Network Security Topic 3.2 Secret Key Cryptography Modes of Operation Processing with Block Ciphers Most ciphers work on blocks of fixed (small) size How to encrypt long messages?
More informationData Encryption Standard (DES)
Data Encryption Standard (DES) Best-known symmetric cryptography method: DES 1973: Call for a public cryptographic algorithm standard for commercial purposes by the National Bureau of Standards Goals:
More informationSymmetric Cryptography. Chapter 6
Symmetric Cryptography Chapter 6 Block vs Stream Ciphers Block ciphers process messages into blocks, each of which is then en/decrypted Like a substitution on very big characters 64-bits or more Stream
More informationBlock Ciphers Tutorial. c Eli Biham - May 3, Block Ciphers Tutorial (5)
Block Ciphers Tutorial c Eli Biham - May 3, 2005 146 Block Ciphers Tutorial (5) A Known Plaintext Attack on 1-Round DES After removing the permutations IP and FP we get: L R 48 K=? F L R c Eli Biham -
More informationChapter 6: Contemporary Symmetric Ciphers
CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Chapter 6: Contemporary Symmetric Ciphers Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Why Triple-DES?
More informationCENG 520 Lecture Note III
CENG 520 Lecture Note III Symmetric Ciphers block ciphers process messages in blocks, each of which is then en/decrypted like a substitution on very big characters 64-bits or more stream ciphers process
More informationProcessing with Block Ciphers
AIT 682: Network and Systems Security Topic 3.2 Secret Cryptography Modes of Operation Instructor: r. Kun Sun rocessing with Block Ciphers Most ciphers work on blocks of fixed (small) size How to encrypt
More informationChapter 6 Contemporary Symmetric Ciphers
Chapter 6 Contemporary Symmetric Ciphers "I am fairly familiar with all the forms of secret writings, and am myself the author of a trifling monograph upon the subject, in which I analyze one hundred and
More informationCSC/ECE 574 Computer and Network Security. Processing with Block Ciphers. Issues for Block Chaining Modes
CSC/C 574 Computer and Network Security Topic 3.2 Secret Cryptography Modes of Operation CSC/C 574 r. eng Ning 1 rocessing with Block Ciphers Most ciphers work on blocks of fixed (small) size How to encrypt
More informationNetwork Security Essentials Chapter 2
Network Security Essentials Chapter 2 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Encryption What is encryption? Why do we need it? No, seriously, let's discuss this. Why do we need
More informationData Encryption Standard
ECE 646 Lecture 7 Data Encryption Standard Required Reading W. Stallings, "Cryptography and Network-Security," 5th Edition, Chapter 3: Block Ciphers and the Data Encryption Standard Chapter 6.1: Multiple
More informationECE 646 Lecture 7. Modes of Operation of Block Ciphers. Modes of Operation. Required Reading:
C 646 Lecture 7 Modes of Operation of Block Ciphers Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5th dition, Chapter 6 Block Cipher Operation II. A. Menezes, P. van Oorschot,
More informationData Integrity & Authentication. Message Authentication Codes (MACs)
Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (receiver) Fran
More informationBlock Ciphers and the Data Encryption Standard (DES) Modified by: Dr. Ramzi Saifan
Block Ciphers and the Data Encryption Standard (DES) Modified by: Dr. Ramzi Saifan Block ciphers Keyed, invertible Large key space, large block size A block of plaintext is treated as a whole and used
More informationLinear Cryptanalysis of FEAL 8X Winning the FEAL 25 Years Challenge
Linear Cryptanalysis of FEAL 8X Winning the FEAL 25 Years Challenge Yaniv Carmeli Joint work with Prof. Eli Biham CRYPTODAY 2014 FEAL FEAL Published in 1987, designed by Miyaguchi and Shimizu (NTT). 64-bit
More informationUsing block ciphers 1
Using block ciphers 1 Using block ciphers DES is a type of block cipher, taking 64-bit plaintexts and returning 64-bit ciphetexts. We now discuss a number of ways in which block ciphers are employed in
More informationModern Symmetric Block cipher
Modern Symmetric Block cipher 81 Shannon's Guide to Good Ciphers Amount of secrecy should determine amount of labour appropriate for encryption and decryption The set of keys and enciphering algorithm
More informationSome Thoughts on Time-Memory-Data Tradeoffs
Some Thoughts on Time-Memory-Data Tradeoffs Alex Biryukov Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Heverlee, Belgium Abstract. In this paper we show that Time-Memory
More informationCryptanalysis of Block Ciphers: A Survey
UCL Crypto Group Technical Report Series Cryptanalysis of Block Ciphers: A Survey Francois-Xavier Standaert, Gilles Piret, Jean-Jacques Quisquater REGARDS GROUPE http://www.dice.ucl.ac.be/crypto/ Technical
More informationData Encryption Standard
ECE 646 Lecture 6 Data Encryption Standard Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5th Edition, Chapter 3: Block Ciphers and the Data Encryption Standard Chapter 6.1: Multiple
More informationCIS 6930/4930 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation
CIS 6930/4930 Computer and Network Security Topic 3.2 Secret Key Cryptography Modes of Operation 1 Cipher Feedback Mode (CFB) IV Key 64 64 64 64 64 M 1 M 2 M 3 M 4 64 64 64 46 + padding 64 64 64 64 C 1
More informationLecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24
Assume encryption and decryption use the same key. Will discuss how to distribute key to all parties later Symmetric ciphers unusable for authentication of sender Lecturers: Mark D. Ryan and David Galindo.
More informationSymmetric Encryption. Thierry Sans
Symmetric Encryption Thierry Sans Design principles (reminder) 1. Kerkoff Principle The security of a cryptosystem must not rely on keeping the algorithm secret 2. Diffusion Mixing-up symbols 3. Confusion
More informationSymmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.
Symmetric Key Algorithms Definition A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting. 1 Block cipher and stream cipher There are two main families
More informationP2_L6 Symmetric Encryption Page 1
P2_L6 Symmetric Encryption Page 1 Reference: Computer Security by Stallings and Brown, Chapter 20 Symmetric encryption algorithms are typically block ciphers that take thick size input. In this lesson,
More informationCHAPTER Combining Block Ciphers DOUBLE ENCRYPTION TRIPLE ENCRYPTION
CHAPTER 15... 356 Combining Block Ciphers... 356 DOUBLE ENCRYPTION... 356 TRIPLE ENCRYPTION... 357 Triple Encryption Two Keys... 357 Triple Encryption with Three Keys... 359 Triple Encryption with Minimum
More information6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 6 Block Ciphers 6.1 Block Ciphers Block Ciphers Plaintext is divided into blocks of fixed length and every block is encrypted one at a time. A block cipher is a
More informationWeak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis
3. 2 13.57 Weak eys for a Related-ey Differential Attack Weak eys of the Full MISTY1 Block Cipher for Related-ey Cryptanalysis Institute for Infocomm Research, Agency for Science, Technology and Research,
More informationElastic Block Ciphers: Method, Security and Instantiations
Elastic Block Ciphers: Method, Security and Instantiations Debra L. Cook 1, Moti Yung 2, Angelos D. Keromytis 3 1 Department of Computer Science, Columbia University, New York, NY, USA dcook@cs.columbia.edu
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationNetwork Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar
Network Security Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar Modern Block Ciphers now look at modern block ciphers one of the most widely used types
More information3 Symmetric Cryptography
CA4005: CRYPTOGRAPHY AND SECURITY PROTOCOLS 1 3 Symmetric Cryptography Symmetric Cryptography Alice Bob m Enc c = e k (m) k c c Dec m = d k (c) Symmetric cryptography uses the same secret key k for encryption
More informationComputer and Data Security. Lecture 3 Block cipher and DES
Computer and Data Security Lecture 3 Block cipher and DES Stream Ciphers l Encrypts a digital data stream one bit or one byte at a time l One time pad is example; but practical limitations l Typical approach
More informationL3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015
L3. An Introduction to Block Ciphers Rocky K. C. Chang, 29 January 2015 Outline Product and iterated ciphers A simple substitution-permutation network DES and AES Modes of operations Cipher block chaining
More informationThe Security of Elastic Block Ciphers Against Key-Recovery Attacks
The Security of Elastic Block Ciphers Against Key-Recovery Attacks Debra L. Cook 1, Moti Yung 2, Angelos D. Keromytis 2 1 Alcatel-Lucent Bell Labs, New Providence, New Jersey, USA dcook@alcatel-lucent.com
More informationIntroduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space
Perfect Cipher Introduction to Cryptography Lecture 2 Benny Pinkas What type of security would we like to achieve? Given C, the adversary has no idea what M is Impossible since adversary might have a-priori
More informationSecret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34
Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used for both encryption and decryption.
More informationIntroduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers
Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers Stream Ciphers Start with a secret key ( seed ) Generate a keying stream i-th bit/byte of keying stream is a function
More informationSecret Key Cryptography (Spring 2004)
Secret Key Cryptography (Spring 2004) Instructor: Adi Shamir Teaching assistant: Eran Tromer 1 Background Lecture notes: DES Until early 1970 s: little cryptographic research in industry and academcy.
More informationUnderstanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl
Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 5 More About Block Ciphers ver. November 26, 2010 Last modified 10-2-17
More informationSymmetric Encryption Algorithms
Symmetric Encryption Algorithms CS-480b Dick Steflik Text Network Security Essentials Wm. Stallings Lecture slides by Lawrie Brown Edited by Dick Steflik Symmetric Cipher Model Plaintext Encryption Algorithm
More informationFundamentals of Computer Security
Fundamentals of Computer Security Spring 2015 Radu Sion Ciphers 2005-15 Portions copyright by Matt Bishop and Wikipedia. Used with permission Overview m 3 m 2 m 1 cipher c i Bob Alice cipher -1 m 1 m 2
More informationStream Ciphers. Stream Ciphers 1
Stream Ciphers Stream Ciphers 1 Stream Ciphers Generate a pseudo-random key stream & xor to the plaintext. Key: The seed of the PRNG Traditional PRNGs (e.g. those used for simulations) are not secure.
More informationEEC-484/584 Computer Networks
EEC-484/584 Computer Networks Lecture 23 wenbing@ieee.org (Lecture notes are based on materials supplied by Dr. Louise Moser at UCSB and Prentice-Hall) Outline 2 Review of last lecture Introduction to
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationData Integrity & Authentication. Message Authentication Codes (MACs)
Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (reciever) Fran
More informationBreaking Grain-128 with Dynamic Cube Attacks
Breaking Grain-128 with Dynamic Cube Attacks Itai Dinur and Adi Shamir Computer Science department The Weizmann Institute Rehovot 76100, Israel Abstract. We present a new variant of cube attacks called
More informationLecture 2: Secret Key Cryptography
T-79.159 Cryptography and Data Security Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi 1 Reminder: Communication Model Adversary Eve Cipher, Encryption
More informationStream Ciphers An Overview
Stream Ciphers An Overview Palash Sarkar Indian Statistical Institute, Kolkata email: palash@isicalacin stream cipher overview, Palash Sarkar p1/51 Classical Encryption Adversary message ciphertext ciphertext
More informationOn the Security of the 128-Bit Block Cipher DEAL
On the Security of the 128-Bit Block Cipher DAL Stefan Lucks Theoretische Informatik University of Mannheim, 68131 Mannheim A5, Germany lucks@th.informatik.uni-mannheim.de Abstract. DAL is a DS-based block
More informationIntroduction to cryptology (GBIN8U16)
Introduction to cryptology (GBIN8U16) Finite fields, block ciphers Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 01 31 Finite fields,
More informationECE 646 Lecture 8. Modes of operation of block ciphers
ECE 646 Lecture 8 Modes of operation of block ciphers Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5 th and 6 th Edition, Chapter 6 Block Cipher Operation II. A. Menezes, P.
More informationAppendix A: Introduction to cryptographic algorithms and protocols
Security and Cooperation in Wireless Networks http://secowinet.epfl.ch/ Appendix A: Introduction to cryptographic algorithms and protocols 2007 Levente Buttyán and Jean-Pierre Hubaux symmetric and asymmetric
More informationInternational Journal for Research in Applied Science & Engineering Technology (IJRASET) Performance Comparison of Cryptanalysis Techniques over DES
Performance Comparison of Cryptanalysis Techniques over DES Anupam Kumar 1, Aman Kumar 2, Sahil Jain 3, P Kiranmai 4 1,2,3,4 Dept. of Computer Science, MAIT, GGSIP University, Delhi, INDIA Abstract--The
More informationA Methodology for Differential-Linear Cryptanalysis and Its Applications
A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter: Jian Guo Institute for Infocomm Research, Agency for Science, Technology and Research, 1 Fusionopolis Way,
More informationSymmetric key cryptography
The best system is to use a simple, well understood algorithm which relies on the security of a key rather than the algorithm itself. This means if anybody steals a key, you could just roll another and
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Lecture 6 Michael J. Fischer Department of Computer Science Yale University January 27, 2010 Michael J. Fischer CPSC 467b, Lecture 6 1/36 1 Using block ciphers
More informationNew Attacks on Feistel Structures with Improved Memory Complexities
New Attacks on Feistel Structures with Improved Memory Complexities Itai Dinur 1, Orr Dunkelman 2,4,, Nathan Keller 3,4,, and Adi Shamir 4 1 Département d Informatique, École Normale Supérieure, Paris,
More informationImproved Attacks on Full GOST
Improved Attacks on Full GOST Itai Dinur 1, Orr Dunkelman 1,2 and Adi Shamir 1 1 Computer Science department, The Weizmann Institute, ehovot, Israel 2 Computer Science Department, University of Haifa,
More informationSecret Key Algorithms (DES)
Secret Key Algorithms (DES) G. Bertoni L. Breveglieri Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used
More informationCS6701- CRYPTOGRAPHY AND NETWORK SECURITY UNIT 2 NOTES
CS6701- CRYPTOGRAPHY AND NETWORK SECURITY UNIT 2 NOTES PREPARED BY R.CYNTHIA PRIYADHARSHINI AP/IT/SREC Block Ciphers A block cipher is an encryption/decryption scheme in which a block of plaintext is treated
More informationICT 6541 Applied Cryptography. Hossen Asiful Mustafa
ICT 6541 Applied Cryptography Hossen Asiful Mustafa Encryption & Decryption Key (K) Plaintext (P) Encrypt (E) Ciphertext (C) C = E K (P) Same Key (K) Ciphertext (C) Decrypt (D) Plaintext (P) P = D K (C)
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 6 January 25, 2012 CPSC 467b, Lecture 6 1/46 Byte padding Chaining modes Stream ciphers Symmetric cryptosystem families Stream ciphers
More informationCryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles
Cryptography and Network Security Chapter 3 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 3 Block Ciphers and the Data Encryption Standard All the afternoon Mungo had been working
More informationCIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm
CIS 4360 Introduction to Computer Security Fall 2010 WITH ANSWERS in bold Name:.................................... Number:............ First Midterm Instructions This is a closed-book examination. Maximum
More informationA Chosen-key Distinguishing Attack on Phelix
A Chosen-key Distinguishing Attack on Phelix Yaser Esmaeili Salehani* and Hadi Ahmadi** * Zaeim Electronic Industries Co., Tehran, Iran. ** School of Electronic Engineering, Sharif University of Technology,
More informationComputer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Cryptography Part II Paul Krzyzanowski Rutgers University Spring 2018 March 23, 2018 CS 419 2018 Paul Krzyzanowski 1 Block ciphers Block ciphers encrypt a block of plaintext at a
More informationImproved Integral Attacks on MISTY1
Improved Integral Attacks on MISTY1 Xiaorui Sun and Xuejia Lai Department of Computer Science Shanghai Jiao Tong University Shanghai, 200240, China sunsirius@sjtu.edu.cn, lai-xj@cs.sjtu.edu.cn Abstract.
More informationJordan University of Science and Technology
Jordan University of Science and Technology Cryptography and Network Security - CPE 542 Homework #III Handed to: Dr. Lo'ai Tawalbeh By: Ahmed Saleh Shatnawi 20012171020 On: 8/11/2005 Review Questions RQ3.3
More information1 Achieving IND-CPA security
ISA 562: Information Security, Theory and Practice Lecture 2 1 Achieving IND-CPA security 1.1 Pseudorandom numbers, and stateful encryption As we saw last time, the OTP is perfectly secure, but it forces
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Secret Key Cryptography Block cipher DES 3DES
More informationEEC-682/782 Computer Networks I
EEC-682/782 Computer Networks I Lecture 23 Wenbing Zhao wenbingz@gmail.com http://academic.csuohio.edu/zhao_w/teaching/eec682.htm (Lecture nodes are based on materials supplied by Dr. Louise Moser at UCSB
More information