Cryptanalysis of the ISDB Scrambling Algorithm (MULTI2)
|
|
- Piers Neal
- 5 years ago
- Views:
Transcription
1 Cryptanalysis of the ISDB Scrambling Algorithm (MULTI) Jean-Philippe Aumasson 1,, Jorge Nakahara Jr.,, and Pouyan Sepehrdad 1 FHNW, Windisch, Switzerland jeanphilippe.aumasson@gmail.com EPFL, Lausanne, Switzerland {jorge.nakahara,pouyan.sepehrdad}@epfl.ch Abstract. MULTI is the block cipher used in the ISDB standard for scrambling digital multimedia content. MULTI is used in Japan to secure multimedia broadcasting, including recent applications like HDTV and mobile TV. It is the only cipher specified in the 7 Japanese ARIB standard for conditional access systems. This paper presents a theoretical break of MULTI (not relevant in practice), with shortcut key recovery attacks for any number of rounds. We also describe equivalent keys and linear attacks on reduced versions with up rounds (out of ), improving on the previous 1-round attack by Matsui and Yamagishi. Practical attacks are presented on up to 16 rounds. Keywords: ISDB, ARIB, MULTI, block cipher, linear cryptanalysis, conditional access. 1 Introduction MULTI is a block cipher developed by Hitachi in 1988 for general-purpose applications, but which has mainly been used for securing multimedia content. It was registered in ISO/IEC [8] in 199, and is patented in the U.S. [1,1] and in Japan [7]. MULTI is the only cipher specified in the 7 Japanese standard ARIB for conditional access systems []. ARIB is the basic standard of the recent ISDB (for Integrated Services Digital Broadcasting), Japan s standard for digital television and digital radio (see Since 1995, MULTI is the cipher used by satellite and terrestrial broadcasters in Japan [16,18] for protecting audio and video streams, including HDTV, mobile and interactive TV. In 6, Brazil adopted ISDB as a standard for digital-tv, and several other countries are progressively switching to ISDB (Chile, Ecuador, Supported by the Swiss National Science Foundation, project no The work described in this paper has been supported in part by the European Commission through the ICT Programme under contract ICT ECRYPT II. The information in this document reflects only the author s views, is provided as is and no guarantee or warranty is given that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability. 1 The ISO/IEC 9979, under which cryptographic algorithms were registered, was withdrawn on Feb. 6 because of its redundancy with the ISO/IEC 18 standard. O. Dunkelman (Ed.): FSE 9, LNCS 5665, pp. 96 7, 9. c International Association for Cryptologic Research 9
2 Cryptanalysis of the ISDB Scrambling Algorithm (MULTI) 97 Peru, Philippines and Venezuela). But for the moment only Japan uses the conditional access features of ISDB, thus MULTI is only used in Japan. MULTI has a Feistel structure and encrypts 6-bit blocks using a 56- bit system key and a 6-bit data key. The ISO register recommends at least rounds. A previous work by Matsui and Yamagishi [11] reports attacks on a reduced version of MULTI with 1 rounds. Another work by Aoki and Kurokawa [1] reports an analysis of the round mappings of MULTI, with results independently rediscovered in the present work. Contribution. This paper presents new cryptanalytic results on MULTI, including the description of large sets of equivalent keys, a guess-and-determine attack for any number of rounds, a linear attack on rounds, and a relatedkey slide attack (see Table 1 for complexities). Despite no practical threat to conditional access systems, our results raise concerns on the intrinsic security of MULTI. Table 1. Summary of our attacks on MULTI (Data is given in known plaintexts) #Rounds Time Data Memory Attack linear distinguisher linear distinguisher linear distinguisher linear distinguisher linear key-recovery r guess-and-determine key-recovery r mod8 18 /r related-key slide key-recovery : time complexity is # of parity computations instead of # of encryptions. Description of MULTI MULTI (Multi-Media Encryption Algorithm ) is a Feistel block cipher that operates on 6-bit blocks, parametrized by a 6-bit data key and a 56-bit system key. Encryption depends only on a 56-bit key derived from the data and system keys. This encryption key is divided into eight subkeys. MULTI uses four keydependent round functions 1,,,and, repeated in this order. The ISO register entry recommends at least rounds, which is the number of rounds used in the ISDB standard. We denote MULTI s keys as follows, parsing them into -bit words (see Fig. 1): d =(d 1,d ) is the 6-bit data key s =(s 1,s,s,s,s 5,s 6,s 7,s 8 ) is the 56-bit system key k =(k 1,k,k,k,k 5,k 6,k 7,k 8 ) is the 56-bit encryption key MULTI uses no S-boxes, but only a combination of XOR ( ), modulo addition (+) and subtraction ( ), left rotation ( ) and logical OR ( ). Below we denote L (resp. R) the left (resp. right) half of the encrypted data, and k i a -bit encryption subkey:
3 98 J.-P. Aumasson, J. Nakahara Jr., and P. Sepehrdad Key Schedule Plaintext (6 bits) d1 d L R 1 1 s 1 k 1 k s 1 s k k s k k k 1 1 s 5 k k 5 k s 5 6 s 7 k6 k 7 k 7 1 s 8 k6 k8 k8 1 k1 k k k Lr Ciphertext (6 bits) Fig. 1. Key schedule (left) and encryption (right) in MULTI: the encryption key k is derived from the system key s and the data key d. Only k is used during the encryption. Rr
4 Cryptanalysis of the ISDB Scrambling Algorithm (MULTI) 99 1 is the identity mapping: 1 (L) =L. It is the only surjective and key independent round transformation. maps 6 bits to bits, and returns (R, k i )=(x ) x (1) where x =((R + k i ) 1) + R + k i 1. From the definition (1) it follows that (R, k i )= (k i,r), for any k i,r {, 1}.Moreover, can be expressed as a function of a single value, R + k i. Due to the feed forward in (1), can not be surjective. The range of contains exactly elements (only 6.% of {, 1}, against 6% expected for a random function [1,.1.6]). Moreover, the set of bit values output by is always the same. This follows from the observation that for fixed R if k i 1, then R + k i 1 and the same holds if k i is fixed and R 1. maps 96 bits to bits, and returns (L, k i,k j )=(x 16) (x L) () where x = (( ) ) ( ) (y 8) y + k j 1 (y 8) y + kj where y =((L+k i ) )+L+k i +1. The range of spans approximately.8 values, that is, % of {, 1},forafixed encryption key. The fraction of the range covered by is not the same for every k i,k j {, 1}, because (L, k i,k j ) (L, k j,k i ). maps 6 bits to bits, and returns (R, k i )= ( (R + k i ) ) + R + k i +1. () From the definition of, it follows that (R, k i )= (k i,r) for any k i,r {, 1}. The range of contains exactly elements (i.e.,.6% of {, 1} ). The reasoning is the same as for. An additional property is the fact that these j functions do not commute, that is, i j j i,fori j, where is functional composition. Thus, the j mapping cannot be purposefully clustered or permuted in the cipher framework to ease cryptanalysis. Encryption. Given subkeys k 1,...,k 8 and a plaintext (L,R ), MULTI computes the first eight rounds as follows (see Fig. 1): 1. R 1 R 1 (L ). L 1 L ; L L 1 (R 1,k 1 ). R R 1 ; R R (L,k,k ). L L ; L L (R,k ) 5. R R ; R 5 R 1 (L ) 6. L 5 L ; L 6 L 5 (R 5,k 5 )
5 J.-P. Aumasson, J. Nakahara Jr., and P. Sepehrdad 7. R 6 R 5 ; R 7 R 6 (L 6,k 6,k 7 ) 8. L 7 L 6 ; L 8 L 7 (R 7,k 8 ) 9. R 8 R 7 This sequence is repeated (with suitably incremented subscripts) until the desired number of rounds r, and the ciphertext (L r,r r ) is returned. The subkeys k 1,...,k 8 are reused for each sequence 1,...,, 1,...,. Key Schedule. The key schedule of MULTI encrypts a data key (d 1,d ) (as plaintext) through nine rounds, using the system key s 1,...,s 8. The round subkeys k 1,...,k 8 are extracted as follows (see Fig. 1): k 1 d 1 (d 1 d,s 1 ) k d 1 d (k 1,s,s ) k k 1 (k,s ) k k k k 5 k (k,s 5 ) k 6 k (k 5,s 6,s 7 ) k 7 k 5 (k 6,s 8 ) k 8 k 6 k 7 MULTI in ISDB. In ISDB, MULTI is mainly used via the B-CAS card [6] for copy control to ensure that only valid subscribers are using the service. MULTI encrypts transport stream packets in CBC or OFB mode. The same system key is used for all conditional-access applications, and another system key is used for other applications (DTV, satellite, etc.). The 6-bit data key is refreshed every second, sent by the broadcaster and encrypted with another block cipher. Therefore only the data key is really secret, since the system key can be obtained from the receivers. Details can be found in the ARIB B5 standard []. Equivalent Keys The key schedule of MULTI maps a (56 + 6)-bit data-and-system key to a 56-bit encryption key (see Fig. 1). This means 6 bits of redundancy (leading to 6 collisions). Further, the 56-bit encryption key k =(k 1,...,k 8 ) has entropy at most 19 bits, because the key schedule sets k = k k and k 8 = k 7 k 6. Hence, the knowledge of two subkeys in (k,k,k ) is sufficient to compute the third. The key schedule thus induces a loss of at least 18 bits of entropy, from the -bit (s, d) key. Therefore, the average size of equivalence key classes is 18. Large sets of colliding pairs (s, d) can be found as follows: given (s, d), one just has to find s 1 such that (d 1 d,s 1)= (d 1 d,s 1 ); or s, s such that (k 1,s,s )= (k 1,s,s ); or s such that (k,s )= (k,s ); or s 5 such that (k,s 5 )= (k,s 5); or s 6, s 7 such that (k 5,s 6,s 7 )= (k 5,s 6,s 7); or s 8 such that (k 6,s 8 )= (k 6,s 8). Each of these conditions are independent.
6 Cryptanalysis of the ISDB Scrambling Algorithm (MULTI) 1 The result is a (series of) equivalent keys (s,d) that lead to the same encryption key as the pair (s, d). However, there exist no equivalent keys with the same system key and distinct data keys. This is because the key schedule uses the data key as plaintext, hence the encryption key is trivially invertible (see Fig. 1). Note that [8] suggests to use MULTI as building block for constructing hash functions. If the construction is not carefully chosen, however, equivalent keys in MULTI could lead to simple collisions. For example, in Davies-Meyer mode the compression function would return E m (h) h, withh a chaining value and m a message block; since equivalent keys are easy to find, it is easy as well to find two (or more) distinct message block that produce the same encryption key, and thus that give multicollisions. Guess-and-Determine Attack We describe a known-plaintext attack that recovers the 56-bit encryption key in about 185. r-round encryptions. The attack works for any number r of rounds, and uses only three known plaintexts/ciphertext pairs. We recall the loss of key entropy due to redundancy in the key schedule of MULTIdescribedinSect.. One recovers k 1,...,k 8 using a guess-and-determine strategy, exploiting the non-surjectivity of the round functions and (see key schedule in Fig. 1): 1. guess k 1 and k ( 6 choices). guess (k,s )(.7 choices), and deduce k = k 1 (k,s ). set k = k k. guess (k,s 5 )( 8 choices), and deduce k 5 = k (k,s 5 ) 5. guess (k 5,s 6,s 7 )( choices), and deduce k 6 = k (k 5,s 6,s 7 ) 6. guess (k 6,s 8 )(.7 choices), and deduce k 7 = k 5 (k 6,s 8 ) 7. set k 8 = k 6 k 7 Aguessofk 1,...,k 8 is verified using three known-plaintext/ciphertext pairs (each pair gives a 6-bit condition). The total cost is about 185. r-round encryptions and 1 -bit words of memory. Note that the non-surjectivity of (k 5,s 6,s 7 ) cannot be exploited here, because the range depends on the system subkeys, which are unknown. Once the encryption key k is found, one can recover all equivalent 56-bit system keys s and 6-bit data keys d as follows: starting from the end of the key schedule (Fig. 1), one iteratively searches for a valid s 8 ( -computations), then a valid pair (s 6,s 7 )( 6 -computations), and so on (the complexities add up) until recovering s. For computing (s,s )weneedthevalueofd 1 d. The cost for this case is ++ = 96 -computations. For s 1 we need the separate values of d 1 and d. Since we already computed d 1 d,thecostis + = 6 -computations. The final complexity is dominated by 96 - computations to recover all candidates pairs (s, d). The cost of computing one of the pairs (s, d) is dominated by -computations.
7 J.-P. Aumasson, J. Nakahara Jr., and P. Sepehrdad 5 Linear Attacks The non-surjectivity of the round functions,, motivates the study of linear relations [1] for particular bitmasks. Usually, one looks for nonzero input and output bitmasks for individual cipher components, with high bias. But for MULTI, we look for linear relations of the form i, i,. Because of -round repetition of i mappings in MULTI, and to optimize the search, we looked only for iterative linear relations that cover all four consecutive i round mappings. 1 1 (a) (b) Fig.. Four-round iterative linear trails In Fig. (a), only and are active, that is, effectively participate in the linear relation (linear trails are depicted by thick lines). In Fig. (b), and are active, but for the linear approximation has the form,where. Alternative iterative linear relations are depicted in Fig.. In Fig. (a), there is one instance of and, and two instances of active along the linear relation. Fig. (b) is just Fig. (a) slided by four rounds. We consider each round function as operating over -bit data (for a fixed, unknown key). Instead of deriving the bias for a given output bitmask, we have searched for promising bitmasks (with high bias), by exhaustive search over the inputs for each round function. From the linear relations listed above, the one in Fig. (a) is the most promising, since it involves only two active round functions for every four rounds: and. This is an indication that the left half of the MULTI encryption/decryption framework is weaker than the right half. Our search (over random keys) started with masks of low Hamming weight. The use of rotation suggests that masks with short repeating patterns tend to show higher biases, which our experiments confirmed: the -bit mask = AAAAAAAA x
8 Cryptanalysis of the ISDB Scrambling Algorithm (MULTI) (a) (b) Fig.. Eight-round iterative linear trails presented the highest bias: 1 for,and 6.7 for (Fig. (a)). The overall bias is p = 6.7, using the piling-up lemma [1]. This bitmask was independently discovered by Aoki and Kurokawa in [1]. Comparatively, for Fig. (b), the best mask we have found is = x, with bias 1 for,and 8.6 for. The overall bias for four rounds is 8.6. Using Fig. (a), one can distinguish -round MULTI from a random permutation using 8 (p ) = 16. known plaintexts (KP), for a high success rate attack; the memory complexity is negligible and the attack effort is essentially 16. parity computations. For eight rounds, the attack complexity is 8 ( (p ) ) =8 ( 1. ) = 7.8 KP and equivalent parity computations; for twelve rounds, the data complexity becomes 8 ( (p ) ) = 8 ( 18.1 ) = 9. KP; for sixteen rounds, 8 (.8 ) = 5.6 KP. For further rounds, more plaintexts than the codebook are required. For key-recovery attacks on twenty rounds, we use the 1-round linear relation described in the previous paragraph. Notice that across -round MULTI, the same sequence of four subkeys, k 1,...,k repeats at the first and at the last four
9 J.-P. Aumasson, J. Nakahara Jr., and P. Sepehrdad rounds. Thus, we place the 1-round relation in the middle of -round MULTI and guess consecutively k 1, k (cost for each of them), then k (cost.7 ), and finally k (free). Time complexity is thus about = round decryptions, that is, 1/ round encryptions. Storage of 9. ciphertexts is necessary. 6 Related-Key Slide Attack We present key-recovery known-plaintext related-key slide attacks [,,5]. These attacks exploit the partial similarity of -round sequences, and works for any version of MULTI whose number of rounds is a multiple of eight. Let F 1... stand for -round encryption involving 1,..., with subkeys k 1,...,k. Similarly, let F stand for -round encryption involving 1,..., with subkeys k 5,...,k 8 ; F 1... stand for 1,..., with subkeys k 1,...,k,and F stand for 1,..., with subkeys k 5,...,k 8. Given an unknown key pair (s, d), we consider a related-key pair (s,d )that gives k such that k 1 = k 5 k = k 6 k = k 7 k = k 8 k 5 = k 1 k 6 = k k 7 = k k 8 = k () Thus, F 1... F and F F For Eq. () to hold, it is necessary that the related key (s,d )satisfies d 1 = k d 1 d = k s 1 = s 5 s = s 6 s = s 7 s = s 8 s 5 = s 1 s 6 = s s 7 = s s 8 = s. The conditions k 1 = k 5 and k = k 6 require k (k,s 5 )=d 1 (d 1 d,s 1) k (k 5,s 6,s 7 )=d 1 d (k 1,s,s ). A slid pair gives P = F 1 (P ), which implies C = F 5 8(C) =F 1 (C), as shown below. P F1 X F F5 8 C P F F 1 Y F 5 8 C That is, one get two 6-bit conditions since both the plaintext and ciphertext slid pairs are keyed by the same subkeys. Thus one slid pair is sufficient to identify k 1,...,k. The attack goes as follows: 1. collect distinct (P i,c i )pairs,i =1,..., encrypted with k. collect distinct (P i,c i )pairs,i =1,..., encrypted with k. for each (i, j) {1,..., }
10 Cryptanalysis of the ISDB Scrambling Algorithm (MULTI) 5. find the value of k 1,...,k that satisfy P j = F 1 (P i )andc j = F 1 (C i ) 5. search exhaustively k 5,...,k 8 (there are 96 choices, exploiting the nonsurjectivity of and ) We cannot filter the wrong slid pairs, so we try all possible 6 pairs (P i,p j ). But each potential slid pairs provides 18-bit condition, because both the plaintext and ciphertext pairs are keyed by the same unknown subkeys. Thus, we can filter the wrong subkeys at once. To recover k 1,...,k we use the potential slid pair (P j,p i). Guess k 1 ( choices). Then, guess k ( choices), and find the k that yields the (known) output of. Deduce k,ask k and finally, test whether the current choice of k 1,...,k is consistent with the second potential slid pair (C j,c i). Finding k from k, the input of, and its output one has to solve an equation of the form (x 16) (x L) =b, thenanequation(t 1) t = x, where x and t are the unknowns. The first can be solved bit per bit, by iteratively storing the solutions for each pair (x i,x i+16 ). There are 16 such pairs, and for each pair there are at most two solutions. Hence in the worst case there will be 16 solutions. The effort up to this point is roughly + = 6 and -computations. In total, up to this point, there are ++16 = 8 possible values for (k 1,k,k,k ). The value of k = k k can be further checked using the (P i,p j ) pair. Let P i =(P L,P R )andp j =(P L,P R ). Then, P L P L (P R P L,k 1 )= (P R,k ), which is a condition on 6.7 bits, since the output of and intersect in 6.7 distinct values. Thus, we expect only 8 / 6.7 = 5. tuples (k 1,k,k,k ) to survive. Using (C i,c j ), a 6-bit condition, reduces the number of wrong key candidates to 5. / 6 < 1. The final attack complexity is thus about round computations, or ( 18 /r ) r-round computations to recover k 1,...,k. Further, to recover k 5,..., k 8, we run a similar procedure, but over r 8 rounds (after decrypting the top and bottom four rounds). The complexity is 96 (r 8)-round computations. Normalizing the complexity figures, the overall attack complexity is dominated by ( 18 /r ) r-round computations. The memory complexity is plaintext/ciphertext pairs. 7 Conclusions We showed that the -bit key of MULTI can be recovered in about 185 trials instead of ideally, for any number of rounds, and using only three plaintext/ciphertext pairs. This weakness is due to the loss of entropy induced by the key schedule and the non-surjective round functions. We also described a linear (key-recovery) attack on up to rounds, and a related-key slide attack in ( 18 /r ) r-round computations for any number r of rounds that is a multiple of eight (thus including the recommended rounds). Although our results do not represent any practical threat when the -round recommendation is followed, they show that the security of MULTI is not as
11 6 J.-P. Aumasson, J. Nakahara Jr., and P. Sepehrdad high as expected, and raise concerns on its long-term reliability. A practical break of MULTI would have dramatic consequences: millions of receivers would have to be replaced, a new technology and new standards would have to be designed and implemented. Finally, note that the Common Scrambling Algorithm (CSA), used in Europe through the digital-tv standard DVB also underwent some (non-practical) attacks [15,17]. For comparison, the American standard ATSC uses Triple-DES in CBC mode. Acknowledgments We wish to thank Kazumaro Aoki for communicating us a copy of his article, and also Tim Sharpe (NTT communication) and Jack Laudo for their assistance. We are also grateful to the reviewers of FSE 9 for their valuable comments, and for pointing out reference [9]. References 1. Aoki, K., Kurokawa, K.: A study on linear cryptanalysis of Multi (in Japanese). In: The 1995 Symposium on Cryptography and Information Security, SCIS 1995 (1995). ARIB. STD B5 v. 5. (7), Biham, E.: New types of cryptanalytic attacks using related keys. Journal of Cryptology 7(), 9 6 (199). Biryukov, A., Wagner, D.: Slide attacks. In: Knudsen, L.R. (ed.) FSE LNCS, vol. 166, pp Springer, Heidelberg (1999) 5. Biryukov, A., Wagner, D.: Advanced slide attacks. In: Preneel, B. (ed.) EURO- CRYPT. LNCS, vol. 187, pp Springer, Heidelberg () 6. BS Conditional Access Systems Co., Ltd., 7. Hitachi: Japanese laid-open patent application no. H (1998) 8. ISO. Algorithm registry entry 9979/9 (199) 9. Katagi, T., Inoue, T., Shimoyama, T., Tsujii, S.: A correlation attack on block ciphers with arithmetic operations (in Japanese). In: SCIS (), reference no. SCIS 5D- 1. Matsui, M.: Linear cryptoanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 199. LNCS, vol. 765, pp Springer, Heidelberg (199) 11. Matsui, M., Yamagishi, A.: On a statistical attack of secret key cryptosystems. Electronics and Communications in Japan, Part III: Fundamental Electronic Science (English translation of Denshi Tsushin Gakkai Ronbunshi) 77(9), 61 7 (199) 1. Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997) 1. Takaragi, K., Nakagawa, F., Sasaki, R.: U.S. patent no. 989 (1989) 1. Takaragi, K., Nakagawa, F., Sasaki, R.: U.S. patent no (199) See See 7a with amend 1.pdf
12 Cryptanalysis of the ISDB Scrambling Algorithm (MULTI) Weinmann, R.-P., Wirt, K.: Analysis of the DVB common scrambling algorithm. In: 8th IFIP TC-6 TC-11 Conference on Communications and Multimedia Security (CMS). Springer, Heidelberg () 16. Wikipedia. Mobaho! (accessed February 5, 9) 17. Wirt, K.: Fault attack on the DVB common scrambling algorithm. In: Gervasi, O., Gavrilova, M.L., Kumar, V., Laganá, A., Lee, H.P., Mun, Y., Taniar, D., Tan, C.J.K. (eds.) ICCSA 5. LNCS, vol. 81, pp Springer, Heidelberg (5) 18. Yoshimura, T.: Conditional access system for digital broadcasting in Japan. Proceedings of the IEEE 9(1), 18 (6)
Cryptanalysis of the ISDB Scrambling Algorithm (MULTI2)
Cryptanalysis of the ISDB Scrambling Algorithm (MULTI) Jean-Philippe Aumasson 1, Jorge Nakahara Jr., and Pouyan Sepehrdad 1 FHNW, Windisch, Switzerland EPFL, Lausanne, Switzerland jeanphilippe.aumasson@gmail.com,
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion, Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics
More informationLinear Cryptanalysis of Reduced Round Serpent
Linear Cryptanalysis of Reduced Round Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion Israel Institute of Technology, Haifa 32000, Israel, {biham,orrd}@cs.technion.ac.il,
More informationRelated-key Attacks on Triple-DES and DESX Variants
Related-key Attacks on Triple-DES and DESX Variants Raphael C.-W. han Department of Engineering, Swinburne Sarawak Institute of Technology, 1st Floor, State Complex, 93576 Kuching, Malaysia rphan@swinburne.edu.my
More informationA Chosen-Plaintext Linear Attack on DES
A Chosen-Plaintext Linear Attack on DES Lars R. Knudsen and John Erik Mathiassen Department of Informatics, University of Bergen, N-5020 Bergen, Norway {lars.knudsen,johnm}@ii.uib.no Abstract. In this
More informationDierential-Linear Cryptanalysis of Serpent? Haifa 32000, Israel. Haifa 32000, Israel
Dierential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel fbiham,orrdg@cs.technion.ac.il 2 Mathematics Department,
More informationA Related Key Attack on the Feistel Type Block Ciphers
International Journal of Network Security, Vol.8, No.3, PP.221 226, May 2009 221 A Related Key Attack on the Feistel Type Block Ciphers Ali Bagherzandi 1,2, Mahmoud Salmasizadeh 2, and Javad Mohajeri 2
More informationWeak Keys. References
Weak Keys The strength of the encryption function E K (P) may differ significantly for different keys K. If for some set WK of keys the encryption function is much weaker than for the others this set is
More informationInternational Journal for Research in Applied Science & Engineering Technology (IJRASET) Performance Comparison of Cryptanalysis Techniques over DES
Performance Comparison of Cryptanalysis Techniques over DES Anupam Kumar 1, Aman Kumar 2, Sahil Jain 3, P Kiranmai 4 1,2,3,4 Dept. of Computer Science, MAIT, GGSIP University, Delhi, INDIA Abstract--The
More informationOn the Security of the 128-Bit Block Cipher DEAL
On the Security of the 128-Bit Block Cipher DAL Stefan Lucks Theoretische Informatik University of Mannheim, 68131 Mannheim A5, Germany lucks@th.informatik.uni-mannheim.de Abstract. DAL is a DS-based block
More informationThe MESH Block Ciphers
The MESH Block Ciphers Jorge Nakahara Jr, Vincent Rijmen, Bart Preneel, Joos Vandewalle Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Belgium {jorge.nakahara,bart.preneel,joos.vandewalle}@esat.kuleuven.ac.be
More informationLinear Cryptanalysis of FEAL 8X Winning the FEAL 25 Years Challenge
Linear Cryptanalysis of FEAL 8X Winning the FEAL 25 Years Challenge Yaniv Carmeli Joint work with Prof. Eli Biham CRYPTODAY 2014 FEAL FEAL Published in 1987, designed by Miyaguchi and Shimizu (NTT). 64-bit
More informationImproved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN
Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN Shahram Rasoolzadeh and Håvard Raddum Simula Research Laboratory {shahram,haavardr}@simula.no Abstract. We study multidimensional meet-in-the-middle
More informationSecret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34
Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used for both encryption and decryption.
More informationImproved Truncated Differential Attacks on SAFER
Improved Truncated Differential Attacks on SAFER Hongjun Wu * Feng Bao ** Robert H. Deng ** Qin-Zhong Ye * * Department of Electrical Engineering National University of Singapore Singapore 960 ** Information
More informationImproved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN
Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN Shahram Rasoolzadeh and Håvard Raddum Simula Research Laboratory Abstract. We study multidimensional meet-in-the-middle attacks on the
More informationNew attacks on the MacDES MAC Algorithm. 1st July Two new attacks are given on a CBC-MAC algorithm due to Knudsen and Preneel, [2],
New attacks on the MacDES MAC Algorithm Don Coppersmith IBM Research T. J. Watson Research Center Yorktown Heights, NY 10598, USA copper@watson.ibm.com Chris J. Mitchell Information Security Group Royal
More informationDifferential Cryptanalysis
Differential Cryptanalysis See: Biham and Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. c Eli Biham - March, 28 th, 2012 1 Differential Cryptanalysis The Data
More informationAnalysis of MARS. January 12, 2001
Analysis of MARS January 12, 2001 Executive Summary This report presents the results of a limited evaluation of the block cipher MARS. No important weaknesses or flaws were found on MARS. The round function
More informationIntroduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard
Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard Egemen K. Çetinkaya Egemen K. Çetinkaya Department of Electrical & Computer Engineering Missouri University of
More informationA New Meet-in-the-Middle Attack on the IDEA Block Cipher
A New Meet-in-the-Middle Attack on the IDEA Block Cipher Hüseyin Demirci 1, Ali Aydın Selçuk, and Erkan Türe 3 1 Tübitak UEKAE, 41470 Gebze, Kocaeli, Turkey huseyind@uekae.tubitak.gov.tr Department of
More informationWeak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis
3. 2 13.57 Weak eys for a Related-ey Differential Attack Weak eys of the Full MISTY1 Block Cipher for Related-ey Cryptanalysis Institute for Infocomm Research, Agency for Science, Technology and Research,
More informationTwo Attacks on Reduced IDEA (Extended Abstract)
1 Two Attacks on Reduced IDEA (Extended Abstract) Johan Borst 1, Lars R. Knudsen 2, Vincent Rijmen 2 1 T.U. Eindhoven, Discr. Math., P.O. Box 513, NL-5600 MB Eindhoven, borst@win.tue.nl 2 K.U. Leuven,
More informationImproved differential fault analysis on lightweight block cipher LBlock for wireless sensor networks
Jeong et al. EURASIP Journal on Wireless Communications and Networking 2013, 2013:151 RESEARCH Improved differential fault analysis on lightweight block cipher LBlock for wireless sensor networks Kitae
More informationA Meet in the Middle Attack on Reduced Round Kuznyechik
IEICE TRANS. FUNDAMENTALS, VOL.Exx??, NO.xx XXXX 200x 1 LETTER Special Section on Cryptography and Information Security A Meet in the Middle Attack on Reduced Round Kuznyechik Riham ALTAWY a), Member and
More informationA SIMPLIFIED IDEA ALGORITHM
A SIMPLIFIED IDEA ALGORITHM NICK HOFFMAN Abstract. In this paper, a simplified version of the International Data Encryption Algorithm (IDEA) is described. This simplified version, like simplified versions
More informationThe Rectangle Attack
The Rectangle Attack and Other Techniques for Cryptanalysis of Block Ciphers Orr Dunkelman Computer Science Dept. Technion joint work with Eli Biham and Nathan Keller Topics Block Ciphers Cryptanalysis
More informationUpdate on Tiger. Kasteelpark Arenberg 10, B 3001 Heverlee, Belgium
Update on Tiger Florian Mendel 1, Bart Preneel 2, Vincent Rijmen 1, Hirotaka Yoshida 3, and Dai Watanabe 3 1 Graz University of Technology Institute for Applied Information Processing and Communications
More informationNew Attacks on Feistel Structures with Improved Memory Complexities
New Attacks on Feistel Structures with Improved Memory Complexities Itai Dinur 1, Orr Dunkelman 2,4,, Nathan Keller 3,4,, and Adi Shamir 4 1 Département d Informatique, École Normale Supérieure, Paris,
More informationComplementing Feistel Ciphers
Ivica Nikolić (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg 11 March 2013 1 Complementation Property 2 General Complementation Property
More informationAttacking Triple Encryption
Attacking Triple Encryption Stefan Lucks Theoretische Informatik Universität Mannheim 68131 Mannheim A5, Germany lucks@pi3.informatik.uni-mannheim.de Abstract. The standard technique to attack triple encryption
More informationOn the Design of Secure Block Ciphers
On the Design of Secure Block Ciphers Howard M. Heys and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University Kingston, Ontario K7L 3N6 email: tavares@ee.queensu.ca
More informationA new key recovery attack on the ANSI retail MAC
A new key recovery attack on the ANSI retail MAC Chris J. Mitchell Information Security Group, Royal Holloway, University of London Egham, Surrey TW20 0EX, UK c.mitchell@rhul.ac.uk 13th November 2002 Abstract
More informationImproved Integral Attacks on MISTY1
Improved Integral Attacks on MISTY1 Xiaorui Sun and Xuejia Lai Department of Computer Science Shanghai Jiao Tong University Shanghai, 200240, China sunsirius@sjtu.edu.cn, lai-xj@cs.sjtu.edu.cn Abstract.
More informationAnalysis of Involutional Ciphers: Khazad and Anubis
Analysis of Involutional Ciphers: Khazad and Anubis Alex Biryukov Katholieke Universiteit Leuven, Dept. ESAT/COSIC, Leuven, Belgium abiryuko@esat.kuleuven.ac.be Abstract. In this paper we study structural
More informationSecret Key Algorithms (DES)
Secret Key Algorithms (DES) G. Bertoni L. Breveglieri Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used
More informationAttack on DES. Jing Li
Attack on DES Jing Li Major cryptanalytic attacks against DES 1976: For a very small class of weak keys, DES can be broken with complexity 1 1977: Exhaustive search will become possible within 20 years,
More informationA Weight Based Attack on the CIKS-1 Block Cipher
A Weight Based Attack on the CIKS-1 Block Cipher Brian J. Kidney, Howard M. Heys, Theodore S. Norvell Electrical and Computer Engineering Memorial University of Newfoundland {bkidney, howard, theo}@engr.mun.ca
More informationAll Subkeys Recovery Attack on Block Ciphers: Extending Meet-in-the-Middle Approach
All Subkeys Recovery Attack on Block Ciphers: Extending Meet-in-the-Middle Approach Takanori Isobe and Kyoji Shibutani Sony Corporation 1-7-1 Konan, Minato-ku, Tokyo 108-0075, Japan {Takanori.Isobe,Kyoji.Shibutani}@jp.sony.com
More informationNew Attacks against Reduced-Round Versions of IDEA
New Attacks against Reduced-Round Versions of IDEA Pascal Junod École Polytechnique Fédérale de Lausanne Switzerland pascal@junod.info Abstract. In this paper, we describe a sequence of simple, yet efficient
More informationA Meet-in-the-Middle Attack on 8-Round AES
A Meet-in-the-Middle Attack on 8-Round AES Hüseyin Demirci 1 and Ali Aydın Selçuk 2 1 Tübitak UEKAE, 41470 Gebze, Kocaeli, Turkey huseyind@uekae.tubitak.gov.tr 2 Department of Computer Engineering Bilkent
More informationImproved and Multiple Linear Cryptanalysis of Reduced Round Serpent
Improved and Multiple Linear Cryptanalysis of Reduced Round Serpent Description of the Linear Approximations B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group, Microelectronics Laboratory,
More informationSymmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.
Symmetric Key Algorithms Definition A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting. 1 Block cipher and stream cipher There are two main families
More informationTechnion - Computer Science Department - Technical Report CS
[13] National Bureau of Standards, DS Modes of Operation, U.S. Department of Commerce, FIPS pub. 81, December 1980. [14] Paul C. van Oorschot, Michael J. Wiener, A Known Plaintext Attack on Two-Key Triple
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.2 Secret Key Cryptography CSC 474/574 Dr. Peng Ning 1 Agenda Generic block cipher Feistel cipher DES Modes of block ciphers Multiple encryptions Message
More informationA Cautionary Note on Weak Implementations of Block Ciphers
A Cautionary Note on Weak Implementations of Block Ciphers Tim Kerins and Klaus Kursawe Information and System Security Group, Philips Research Europe Prof. Holstlaan 4, 5656 AA, Eindhoven, The Netherlands.
More informationSecret Key Cryptography (Spring 2004)
Secret Key Cryptography (Spring 2004) Instructor: Adi Shamir Teaching assistant: Eran Tromer 1 Background Lecture notes: DES Until early 1970 s: little cryptographic research in industry and academcy.
More informationSlide Attacks. 1 Introduction. Alex Biryukov and David Wagner
Slide Attacks Alex Biryukov and David Wagner Abstract. It is a general belief among the designers of block-ciphers that even a relatively weak cipher may become very strong if its number of rounds is made
More informationOn the Notions of PRP-RKA, KR and KR-RKA for Block Ciphers
On the Notions of PRP-RKA, KR and KR-RKA for Block Ciphers Ermaliza Razali 1, Raphael C.-W. Phan 2, and Marc Joye 3 1 Information Security Research (isecures) Lab, Swinburne University of Technology, Sarawak
More informationAttacks on Advanced Encryption Standard: Results and Perspectives
Attacks on Advanced Encryption Standard: Results and Perspectives Dmitry Microsoft Research 29 February 2012 Design Cryptanalysis history Advanced Encryption Standard Design Cryptanalysis history AES 2
More informationStudy and Analysis of Symmetric Key-Cryptograph DES, Data Encryption Standard
Study and Analysis of Symmetric Key-Cryptograph DES, Data Encryption Standard Dr Atul Gonsai #1, Naimish Kakkad *2, Bhargavi Goswami $3, Dr Nikesh Shah @4 # Department of MCA, Saurashtra University, @
More informationChapter 3 Block Ciphers and the Data Encryption Standard
Chapter 3 Block Ciphers and the Data Encryption Standard Last Chapter have considered: terminology classical cipher techniques substitution ciphers cryptanalysis using letter frequencies transposition
More informationNew Cryptanalytic Results on IDEA
New Cryptanalytic Results on IDEA Eli Biham, Orr Dunkelman, Nathan Keller Computer Science Dept., Technion Dept. of Electrical Engineering ESAT SCD/COSIC, KUL Einstein Institute of Mathematics, Hebrew
More informationA New Technique for Sub-Key Generation in Block Ciphers
World Applied Sciences Journal 19 (11): 1630-1639, 2012 ISSN 1818-4952 IDOSI Publications, 2012 DOI: 10.5829/idosi.wasj.2012.19.11.1871 A New Technique for Sub-Key Generation in Block Ciphers Jamal N.
More informationCIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)
CIS 6930/4930 Computer and Network Security Topic 3.1 Secret Key Cryptography (Cont d) 1 Principles for S-Box Design S-box is the only non-linear part of DES Each row in the S-Box table should be a permutation
More informationBlock Ciphers and Stream Ciphers. Block Ciphers. Stream Ciphers. Block Ciphers
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2... M N. Then, each block M i is encrypted to the ciphertext block C i = K (M i ), and
More informationA Methodology for Differential-Linear Cryptanalysis and Its Applications
A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter: Jian Guo Institute for Infocomm Research, Agency for Science, Technology and Research, 1 Fusionopolis Way,
More informationPreliminary Cryptanalysis of Reduced-Round Serpent
Preliminary Cryptanalysis of Reduced-Round Serpent Tadayoshi Kohno 1,JohnKelsey 2, and Bruce Schneier 2 1 Reliable Software Technologies kohno@rstcorp.com 2 Counterpane Internet Security, Inc. {kelsey,schneier}@counterpane.com
More informationpage 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas
Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher
More informationA Simple Power Analysis Attack Against the Key Schedule of the Camellia Block Cipher
A Simple Power Analysis Attack Against the Key Schedule of the Camellia Block Cipher Lu Xiao and Howard M. Heys 2 QUALCOMM Incorporated, lxiao@qualcomm.com 2 Electrical and Computer Engineering, Faculty
More informationData Encryption Standard
ECE 646 Lecture 6 Data Encryption Standard Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5th Edition, Chapter 3: Block Ciphers and the Data Encryption Standard Chapter 6.1: Multiple
More informationA Related-Key Attack on TREYFER
The Second International Conference on Emerging Security Information, Systems and Technologies A Related-ey Attack on TREYFER Aleksandar ircanski and Amr M Youssef Computer Security Laboratory Concordia
More informationImproved Attacks on Full GOST
Improved Attacks on Full GOST Itai Dinur 1, Orr Dunkelman 1,2 and Adi Shamir 1 1 Computer Science department, The Weizmann Institute, ehovot, Israel 2 Computer Science Department, University of Haifa,
More information7. Symmetric encryption. symmetric cryptography 1
CIS 5371 Cryptography 7. Symmetric encryption symmetric cryptography 1 Cryptographic systems Cryptosystem: t (MCKK GED) (M,C,K,K,G,E,D) M, plaintext message space C, ciphertext message space K, K, encryption
More informationKey Separation in Twofish
Twofish Technical Report #7 Key Separation in Twofish John Kelsey April 7, 2000 Abstract In [Mur00], Murphy raises questions about key separation in Twofish. We discuss this property of the Twofish key
More informationCryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái
Cryptography and Network Security Block Ciphers + DES Lectured by Nguyễn Đức Thái Outline Block Cipher Principles Feistel Ciphers The Data Encryption Standard (DES) (Contents can be found in Chapter 3,
More informationNew Cryptanalytic Results on IDEA
New Cryptanalytic Results on IDEA Eli Biham, Orr Dunkelman, Nathan Keller Computer Science Dept., Technion Dept. of Electrical Engineering ESAT SCD/COSIC, KUL Einstein Institute of Mathematics, Hebrew
More informationOn the Applicability of Distinguishing Attacks Against Stream Ciphers
On the Applicability of Distinguishing Attacks Against Stream Ciphers Greg Rose, Philip Hawkes QUALCOMM Australia {ggr, phawkes}@qualcomm.com Abstract. We demonstrate that the existence of distinguishing
More informationNetwork Security Essentials Chapter 2
Network Security Essentials Chapter 2 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Encryption What is encryption? Why do we need it? No, seriously, let's discuss this. Why do we need
More informationThis document is downloaded from DR-NTU, Nanyang Technological University Library, Singapore.
This document is downloaded from DR-NTU, Nanyang Technological University Library, Singapore. Title Improved Meet-in-the-Middle cryptanalysis of KTANTAN (poster) Author(s) Citation Wei, Lei; Rechberger,
More informationDifferential Attack on Message Authentication Codes
Differential Attack on Message Authentication Codes Kazuo Ohtal and Mitsuru Matsui2 NTT Network Information Systems Laboratories Nippon Telegraph and Telephone Corporation 1-2356, Take, Yokosuka-shi, Kanagawa-ken,
More informationAn Improved Truncated Differential Cryptanalysis of KLEIN
An Improved Truncated Differential Cryptanalysis of KLEIN hahram Rasoolzadeh 1, Zahra Ahmadian 2, Mahmoud almasizadeh 3, and Mohammad Reza Aref 3 1 imula Research Laboratory, Bergen, Norway, 2 hahid Beheshti
More informationOn the Notions of PRP-RKA, KR and KR-RKA for Block Ciphers
Published in J.K. Liu and W. Susilo, Eds., Provable Security ProvSec 2007, vol. 4784 of Lecture Notes in Computer Science, pp. 188 197, Springer, 2007. On the Notions of PRP-RKA, KR and KR-RKA for Block
More informationImproved Linear Cryptanalysis of Round-Reduced ARIA
Improved Linear Cryptanalysis of Round-Reduced ARIA Ahmed Abdelkhalek, Mohamed Tolba, and Amr M. Youssef (B) Concordia Institute for Information Systems Engineering, Concordia University, Montréal, Québec,
More informationDiffie-Hellman Protocol as a Symmetric Cryptosystem
IJCSNS International Journal of Computer Science and Network Security, VOL.18 No.7, July 2018 33 Diffie-Hellman Protocol as a Symmetric Cryptosystem Karel Burda, Brno University of Technology, Brno, Czech
More informationPerformance enhancement of Blowfish and CAST-128 algorithms and Security analysis of improved Blowfish algorithm using Avalanche effect
244 Performance enhancement of Blowfish and CAST-128 algorithms and Security analysis of improved Blowfish algorithm using Avalanche effect Krishnamurthy G.N, Dr. V. Ramaswamy, Leela G.H and Ashalatha
More informationDistinguisher and Related-Key Attack on the Full AES-256
Distinguisher and Related-Key Attack on the Full AES-256 Alex Biryukov, Dmitry Khovratovich, Ivica Nikolić University of Luxembourg {alex.biryukov, dmitry.khovratovich, ivica.nikolic@uni.lu} Abstract.
More informationComputer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Cryptography Part II Paul Krzyzanowski Rutgers University Spring 2018 March 23, 2018 CS 419 2018 Paul Krzyzanowski 1 Block ciphers Block ciphers encrypt a block of plaintext at a
More informationImproved DST Cryptanalysis of IDEA
Improved DST Cryptanalysis of IDEA Eyüp Serdar Ayaz and Ali Aydın Selçuk Department of Computer Engineering Bilkent University Ankara, 06800, Turkey {serdara,selcuk}@cs.bilkent.edu.tr Abstract. In this
More informationPlaintext (P) + F. Ciphertext (T)
Applying Dierential Cryptanalysis to DES Reduced to 5 Rounds Terence Tay 18 October 1997 Abstract Dierential cryptanalysis is a powerful attack developed by Eli Biham and Adi Shamir. It has been successfully
More informationEvaluation of security level of CLEFIA
Evaluation of security level of CLEFIA An anonymous reviewer Version 1.0 January 25, 2011 1 Evaluation of security level of CLEFIA 1 Contents Executive Summary 3 References 4 1 Introduction 8 2 CLEFIA
More informationCryptanalysis of Block Ciphers: A Survey
UCL Crypto Group Technical Report Series Cryptanalysis of Block Ciphers: A Survey Francois-Xavier Standaert, Gilles Piret, Jean-Jacques Quisquater REGARDS GROUPE http://www.dice.ucl.ac.be/crypto/ Technical
More informationApplied Cryptography Data Encryption Standard
Applied Cryptography Data Encryption Standard Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 History DES has a checkered history. The book provided fascinating reading
More informationBlock Ciphers and the Data Encryption Standard (DES) Modified by: Dr. Ramzi Saifan
Block Ciphers and the Data Encryption Standard (DES) Modified by: Dr. Ramzi Saifan Block ciphers Keyed, invertible Large key space, large block size A block of plaintext is treated as a whole and used
More informationL3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015
L3. An Introduction to Block Ciphers Rocky K. C. Chang, 29 January 2015 Outline Product and iterated ciphers A simple substitution-permutation network DES and AES Modes of operations Cipher block chaining
More informationSome Thoughts on Time-Memory-Data Tradeoffs
Some Thoughts on Time-Memory-Data Tradeoffs Alex Biryukov Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Heverlee, Belgium Abstract. In this paper we show that Time-Memory
More informationA Block Cipher Basing Upon a Revisit to the Feistel Approach and the Modular Arithmetic Inverse of a Key Matrix
IAENG International Journal of Computer Science, 32:4, IJCS_32_4_ A Block Cipher Basing Upon a Revisit to the Feistel Approach and the Modular Arithmetic Inverse of a Key Matrix S. Udaya Kumar V. U. K.
More informationData Encryption Standard (DES)
Data Encryption Standard (DES) Best-known symmetric cryptography method: DES 1973: Call for a public cryptographic algorithm standard for commercial purposes by the National Bureau of Standards Goals:
More informationDouble-DES, Triple-DES & Modes of Operation
Double-DES, Triple-DES & Modes of Operation Prepared by: Dr. Mohamed Abd-Eldayem Ref.: Cryptography and Network Security by William Stallings & Lecture slides by Lawrie Brown Multiple Encryption & DES
More informationSymmetric Cryptography. Chapter 6
Symmetric Cryptography Chapter 6 Block vs Stream Ciphers Block ciphers process messages into blocks, each of which is then en/decrypted Like a substitution on very big characters 64-bits or more Stream
More informationA Differential Fault Attack against Early Rounds of (Triple-)DES
A Differential Fault Attack against Early Rounds of (Triple-)DES Ludger Hemme Giesecke & Devrient GmbH Prinzregentenstr. 159, 81677 Munich, Germany ludger.hemme@de.gi-de.com Abstract. Previously proposed
More informationFew Other Cryptanalytic Techniques
Few Other Cryptanalytic Techniques Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Boomerang Attack
More informationc Eli Biham - March 13, Cryptanalysis of Modes of Operation (4) c Eli Biham - March 13, Cryptanalysis of Modes of Operation (4)
Single Modes: the S Modes of Operation Modes of Operation are used to hide patterns in the plaintexts, protect against chosen plaintext attacks, and to support fast on-line encryption with precomputation.
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Symmetric Cryptography January 20, 2011 Practical Aspects of Modern Cryptography 2 Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash
More informationRECTIFIED DIFFERENTIAL CRYPTANALYSIS OF 16 ROUND PRESENT
RECTIFIED DIFFERENTIAL CRYPTANALYSIS OF 16 ROUND PRESENT Manoj Kumar 1, Pratibha Yadav, Meena Kumari SAG, DRDO, Metcalfe House, Delhi-110054, India mktalyan@yahoo.com 1 ABSTRACT In this paper, we have
More informationPractical attacks on the Maelstrom-0 compression function
Practical attacks on the Maelstrom-0 compression function Stefan Kölbl, Florian Mendel Graz University of Technology, A-8010 Graz, Austria stefan.koelbl@student.tugraz.at Abstract. In this paper we present
More informationBreaking Grain-128 with Dynamic Cube Attacks
Breaking Grain-128 with Dynamic Cube Attacks Itai Dinur and Adi Shamir Computer Science department The Weizmann Institute Rehovot 76100, Israel Abstract. We present a new variant of cube attacks called
More informationMultiplicative Differentials
Multiplicative Differentials Nikita Borisov, Monica Chew, Rob Johnson, and David Wagner University of California at Berkeley Abstract We present a new type of differential that is particularly suited to
More informationApplying Time-Memory-Data Trade-Off to Meet-in-the-Middle Attack
Applying Time-Memory-Data Trade-Off to Meet-in-the-Middle Attack Jiali Choy, Khoongming Khoo, and Chuan-Wen Loe DSO National Laboratories 20 Science Park Drive, Singapore 118230 Email: cjiali,kkhoongm,lchuanwe@dso.org.sg
More informationComputer Security 3/23/18
s s encrypt a block of plaintext at a time and produce ciphertext Computer Security 08. Cryptography Part II Paul Krzyzanowski DES & AES are two popular block ciphers DES: 64 bit blocks AES: 128 bit blocks
More information