The Salsa20 Family of Stream Ciphers


Based on [Bernstein, 2008]
Erin Hales, Gregor Matl, Simon-Philipp Merz
Introduction to Cryptology, November 13, 2017

"From a security perspective, if you're connected, you're screwed." Daniel J. Bernstein

"The average user doesn't give a damn what happens, as long as (1) it works and (2) it's fast." Daniel J. Bernstein

"I won't be satisfied until I've put the entire security industry out of work." Daniel J. Bernstein

Outline: Introduction, Low Level, High Level, Medium Level

Introduction

- Salsa 20/r is a family of stream ciphers designed by Daniel J. Bernstein and submitted to eSTREAM in 2005.
- This talk explains decisions that were made while designing the cipher on different levels, i.e. the operations used, how blocks interact and how blocks are generated.
- Bernstein released a variant of Salsa20, named ChaCha, on which the SHA-3 finalist BLAKE is based.
- Salsa20 is free for any use.

General facts on Salsa20/r

- Sender and receiver share a short secret key (128 and 256 bit keys are supported).
- The secret key, a 64 bit nonce, a 64 bit counter and four blocks of 32 bit constants are used to construct the 512 bit initial state.
- Using r rounds, the 512 bit initial state gets updated, and finally the algorithm outputs 512 bits of keystream.
- The keystream of Salsa20 can be used to encrypt a series of messages (short or long messages, and just one or billions of messages); the maximum keystream is 2^70 bits.

Low Level

Goal of design

- fast encryption function suitable for a wide range of applications (encrypt large amounts of data in little time with limited resources)
- security
- to satisfy different needs in the security vs. performance trade-off, three versions of Salsa20 are proposed: Salsa20/20, Salsa20/12 and Salsa20/8

Low level: Which operations are used?

Round transformations of Salsa20 use a combination of three simple operations:

- addition of two 32-bit words modulo 2^32
- 32-bit XOR
- constant-distance 32-bit rotation

Can we get the same security at higher speed?

Why no integer multiplication?

Advantages:
- output bits are complicated functions of the input (mixed very thoroughly)
- impressively fast multiplication circuits are included in some CPUs

Disadvantages:
- massive speed penalties on other CPUs (a comparable sequence of simple integer operations is always reasonably fast)
- higher risk of timing leaks

Why no S-Box lookups?

Advantages:
- a single table lookup can mangle its input thoroughly

Disadvantages:
- an integer operation takes 32-bit input instead of 8-bit, and thus mangles several inputs at once
- vulnerable to timing attacks (S-Box lookups in constant time would be slow)

High Level

High Level: How do blocks interact?

What does Salsa20 do?
- Expands a 256-bit key and a 64-bit nonce into a byte stream.
- Salsa20 encrypts a b-byte plaintext by XOR-ing the plaintext with the first b bytes of the stream and discarding the rest of the stream.
- Salsa20 decrypts a b-byte ciphertext by XOR-ing the first b bytes of the stream with the ciphertext.

What does this mean?
- There is no feedback from the plaintext or ciphertext into the stream.
- There is no chaining from one block to the next.
- Parallel computing.
- No preprocessing costs.

Should encryption and decryption be different?

In counter mode, OFB mode and CBC mode each ciphertext block is the XOR of the plaintext block and the stream block at the same position.

In contrast, some ciphers mangle the plaintext in a more complicated way. For example, in AES in CBC mode the nth plaintext block p_n is converted into the nth ciphertext block c_n by the formula:

c_n = AES_k(c_{n-1} XOR p_n)

Why is CBC mode so popular? Historical accident?

- Increased costs, as it requires different code.
- The extra communication required is a security threat, so an extra round is needed, which adds extra time.
- The security proof assumes block cipher outputs for attacker-controlled inputs are indistinguishable from uniform.

Should the stream cipher depend on the plaintext?

For Salsa20 the stream does not depend on the plaintext or ciphertext. However, some stream ciphers produce a stream which depends on the plaintext.

Advantage: allows message authentication "for free".

Disadvantages:
- "Free" is an exaggeration; it does take time.
- Incorporation of plaintext is a security threat.

State-of-the-art 128-bit authenticators can be computed in just a few cycles per byte. While this may exceed the cost of "free" authentication for legitimate packets, it is much less expensive than "free" authentication for forged packets.

Should there be more state?

Salsa20 carries minimal state between blocks, whereas most stream ciphers carry a larger state, reusing part of the first block as an input to the second, etc.

Advantage of larger state: saves time after the first block, since we don't need as many cipher rounds to achieve the same security level.

Disadvantages of larger state:
- Ciphers that chain can handle fewer communication channels simultaneously.
- Reuse forces serialisation.
- Random access to the stream is prohibited unless the stream is precomputed and saved (memory costs).
- The "inability to exploit parallelism is often a disaster".

Should blocks be larger than 64 bytes?

Salsa20 hashes key, nonce and block counter into a 64 byte block. Should a larger block size be used?

Advantage of larger block size: not as many rounds are needed to achieve the same conjectured security level.

Disadvantages of larger block size:
- Larger block sizes lose time; CPUs are designed to work with less data.
- Increases overhead for inconvenient message sizes.

Should keys be smaller than 256 bits?

The original eSTREAM call was for 128-bit software ciphers. Salsa20 is a 256-bit cipher but allows smaller keys. The author recommends 256-bit keys.

Larger keys are more expensive, so why are they necessary?

The argument in favour of 128-bit keys is that they cannot be found by a brute force attack because it is too expensive. If checking 2^20 keys per second takes a CPU costing about 2^6 euros, then searching the 128-bit key space in a year will cost 2^89 euros.

Why is this unrealistic?

- No advances in technology are required to reduce the time and cost required.
- The attacker can succeed in fewer computations than a full search: he reaches success probability p after just a fraction p of the computations.
- Each key checking circuit costs less than 2^6 euros, since in bulk one or more circuits can fit on a single chip, which reduces the attacker's costs.
- The attacker can reduce the cost by a factor of 2^40 by simultaneously attacking (say) 2^40 keys. We can counter this by adding extra randomness into nonces. However, putting extra randomness into keys is less expensive.

Medium Level

The Algorithm

Input:
- 32 byte key: k0 ... k31
- 16 byte key: repeat it twice
- 10 byte key: pad it with 0s to 16 bytes and repeat that twice
- 16 byte nonce: n0 ...
- block counter: c0 ... c15

Initial State (4x4 array of 32-bit words, each word written with its most significant byte first):

  0x61707865        k3 k2 k1 k0       k7 k6 k5 k4       k11 k10 k9 k8
  k15 k14 k13 k12   0x3320646e        n3 n2 n1 n0       n7 n6 n5 n4
  c3 c2 c1 c0       c7 c6 c5 c4       0x79622d32        k19 k18 k17 k16
  k23 k22 k21 k20   k27 k26 k25 k24   k31 k30 k29 k28   0x6b206574

Confusion (+ is addition modulo 2^32, <<< is rotation to the left):

  below diagonal     := below diagonal     XOR ((diagonal + above diagonal) <<< 7)
  two below diagonal := two below diagonal XOR ((below diagonal + diagonal) <<< 9)
  above diagonal     := above diagonal     XOR ((two below diagonal + below diagonal) <<< 13)
  diagonal           := diagonal           XOR ((above diagonal + two below diagonal) <<< 18)

Algorithm 1: Salsa 20/r where r in {8, 12, 20}

  assemble array from key, nonce and block counter;
  for r times do
      confuse each column;
      transpose array;
  add initial array;

Advantages:
- key is part of the array, so it is not necessary to store it additionally
- locality: extremely cache-efficient
- short & simple code
- decryption identical to encryption
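Algorithm 1 and the stream properties from the High Level slides (no chaining, random access, decryption identical to encryption), written out as an added Python example; it is not code from the slides or from Bernstein's reference implementation. It covers the 32 byte key case only, and the function names and the sample key, nonce and message are assumptions constructed for illustration.

```python
import struct

MASK32 = 0xFFFFFFFF
# Diagonal constants: ASCII "expand 32-byte k" read as four little-endian words.
SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)


def rotl32(x, n):
    """Constant-distance rotation of a 32-bit word to the left."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def confuse(diag, below, two_below, above):
    """The four updates from the Confusion slide for one column, in slide order."""
    below ^= rotl32((diag + above) & MASK32, 7)
    two_below ^= rotl32((below + diag) & MASK32, 9)
    above ^= rotl32((two_below + below) & MASK32, 13)
    diag ^= rotl32((above + two_below) & MASK32, 18)
    return diag, below, two_below, above


def confuse_columns(x):
    """Confuse each column of the 4x4 array; column c has its diagonal entry in row c."""
    y = list(x)
    for c in range(4):
        # Indices of diagonal, below, two below, above (rows wrap around).
        idx = [4 * ((c + k) % 4) + c for k in range(4)]
        for i, v in zip(idx, confuse(*(x[i] for i in idx))):
            y[i] = v
    return y


def transpose(x):
    return [x[4 * c + r] for r in range(4) for c in range(4)]


def core(words, rounds=20):
    """Algorithm 1 on 16 words: r times (confuse columns, transpose), add initial array."""
    if rounds not in (8, 12, 20):
        raise ValueError("rounds must be 8, 12 or 20")
    x = list(words)
    for _ in range(rounds):
        x = transpose(confuse_columns(x))
    # r is even, so the transposes cancel and x lines up with the initial array.
    return [(a + b) & MASK32 for a, b in zip(x, words)]


def initial_state(key, nonce, counter):
    """Assemble the array from a 32 byte key, 8 byte nonce and 64-bit block counter."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("this example expects a 32 byte key and an 8 byte nonce")
    if not 0 <= counter < 2 ** 64:
        raise ValueError("block counter must fit in 64 bits")
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = (counter & MASK32, counter >> 32)
    return [SIGMA[0], k[0], k[1], k[2],
            k[3], SIGMA[1], n[0], n[1],
            c[0], c[1], SIGMA[2], k[4],
            k[5], k[6], k[7], SIGMA[3]]


def salsa20_block(key, nonce, counter, rounds=20):
    """One 64 byte keystream block; depends only on key, nonce and counter."""
    words = core(initial_state(key, nonce, counter), rounds)
    return struct.pack("<16I", *words)


def salsa20_xor(key, nonce, data, offset=0, rounds=20):
    """XOR data with the keystream starting at byte position `offset`.

    The same call encrypts and decrypts. Any offset is reachable directly,
    because no block depends on the previous block or on the data.
    """
    out = bytearray()
    pos = offset
    while len(out) < len(data):
        block = salsa20_block(key, nonce, pos // 64, rounds)
        stream = block[pos % 64:][:len(data) - len(out)]
        start = len(out)
        out += bytes(d ^ s for d, s in zip(data[start:start + len(stream)], stream))
        pos += len(stream)
    return bytes(out)


if __name__ == "__main__":
    key = bytes(range(32))   # constructed sample key, not a real secret
    nonce = bytes(8)         # constructed; a nonce must never repeat under one key
    msg = b"constructed sample message " * 5
    ct = salsa20_xor(key, nonce, msg)
    print(ct.hex())
    print(salsa20_xor(key, nonce, ct) == msg)                 # decrypt = encrypt
    print(salsa20_xor(key, nonce, ct[100:110], offset=100))   # random access
```

Salsa20 on its own gives no integrity protection, so in practice the ciphertext is paired with a separate authenticator, as the High Level slides discuss.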

Cryptanalysis

- heavily analysed since 2005
- best known attack by [Aumasson et al., 2008], based on probabilistic neutral bits (PNBs)
- attacks on reduced-round versions, including Salsa 20/7
- Salsa 20/6 broken

References

Aumasson, J.-P., Fischer, S., Khazaei, S., Meier, W., and Rechberger, C. (2008). New Features of Latin Dances: Analysis of Salsa, ChaCha, and Rumba. Springer Berlin Heidelberg, Berlin, Heidelberg.

Bernstein, D. J. (2008). The Salsa20 Family of Stream Ciphers. Springer Berlin Heidelberg, Berlin, Heidelberg.

Thank you for your attention! Any questions? Discussion!


More information

Lecture 2B. RTL Design Methodology. Transition from Pseudocode & Interface to a Corresponding Block Diagram

Lecture 2B. RTL Design Methodology. Transition from Pseudocode & Interface to a Corresponding Block Diagram Lecture 2B RTL Design Methodology Transition from Pseudocode & Interface to a Corresponding Block Diagram Structure of a Typical Digital Data Inputs Datapath (Execution Unit) Data Outputs System Control

More information

Introduction to Cryptography. Lecture 3

Introduction to Cryptography. Lecture 3 Introduction to Cryptography Lecture 3 Benny Pinkas March 6, 2011 Introduction to Cryptography, Benny Pinkas page 1 Pseudo-random generator seed s (random, s =n) Pseudo-random generator G Deterministic

More information

Block Cipher Modes of Operation

Block Cipher Modes of Operation Block Cipher Modes of Operation Luke Anderson luke@lukeanderson.com.au 23 rd March 2018 University Of Sydney Overview 1. Crypto-Bulletin 2. Modes Of Operation 2.1 Evaluating Modes 2.2 Electronic Code Book

More information

CENG 520 Lecture Note III

CENG 520 Lecture Note III CENG 520 Lecture Note III Symmetric Ciphers block ciphers process messages in blocks, each of which is then en/decrypted like a substitution on very big characters 64-bits or more stream ciphers process

More information

Chapter 3 Block Ciphers and the Data Encryption Standard

Chapter 3 Block Ciphers and the Data Encryption Standard Chapter 3 Block Ciphers and the Data Encryption Standard Last Chapter have considered: terminology classical cipher techniques substitution ciphers cryptanalysis using letter frequencies transposition

More information

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016 Block ciphers CS 161: Computer Security Prof. Raluca Ada Popa February 26, 2016 Announcements Last time Syntax of encryption: Keygen, Enc, Dec Security definition for known plaintext attack: attacker provides

More information

More on Cryptography CS 136 Computer Security Peter Reiher January 19, 2017

More on Cryptography CS 136 Computer Security Peter Reiher January 19, 2017 More on Cryptography CS 136 Computer Security Peter Reiher January 19, 2017 Page 1 Outline Desirable characteristics of ciphers Stream and block ciphers Cryptographic modes Uses of cryptography Symmetric

More information

Salsa20 security. Daniel J. Bernstein

Salsa20 security. Daniel J. Bernstein Salsa20 security Daniel J. Bernstein Department of Mathematics, Statistics, and Computer Science (M/C 249) The University of Illinois at Chicago Chicago, IL 60607 7045 snuffle@box.cr.yp.to 1 Introduction

More information

Computer and Data Security. Lecture 3 Block cipher and DES

Computer and Data Security. Lecture 3 Block cipher and DES Computer and Data Security Lecture 3 Block cipher and DES Stream Ciphers l Encrypts a digital data stream one bit or one byte at a time l One time pad is example; but practical limitations l Typical approach

More information

Computer Security 3/23/18

Computer Security 3/23/18 s s encrypt a block of plaintext at a time and produce ciphertext Computer Security 08. Cryptography Part II Paul Krzyzanowski DES & AES are two popular block ciphers DES: 64 bit blocks AES: 128 bit blocks

More information

Cache Timing Attacks on estream Finalists

Cache Timing Attacks on estream Finalists Cache Timing Attacks on estream Finalists Erik Zenner Technical University Denmark (DTU) Institute for Mathematics e.zenner@mat.dtu.dk Echternach, Jan. 9, 2008 Erik Zenner (DTU-MAT) Cache Timing Attacks

More information

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018 Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS

More information

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block? Homework 1. Come up with as efficient an encoding as you can to specify a completely general one-to-one mapping between 64-bit input values and 64-bit output values. 2. Token cards display a number that

More information

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING ENEE 457 Computer Systems Security Instructor: Charalampos Papamanthou Homework 2 Out: 09/23/16 Due: 09/30/16 11:59pm Instructions

More information

Data Integrity & Authentication. Message Authentication Codes (MACs)

Data Integrity & Authentication. Message Authentication Codes (MACs) Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (reciever) Fran

More information

MTAT Applied Cryptography

MTAT Applied Cryptography MTAT.07.017 Applied Cryptography Block Ciphers (AES) University of Tartu Spring 2017 1 / 17 Block Ciphers Properties: Deterministic Without the key plaintext cannot be found Valid plaintext-ciphertext

More information

05 - WLAN Encryption and Data Integrity Protocols

05 - WLAN Encryption and Data Integrity Protocols 05 - WLAN Encryption and Data Integrity Protocols Introduction 802.11i adds new encryption and data integrity methods. includes encryption algorithms to protect the data, cryptographic integrity checks

More information

Goals of Modern Cryptography

Goals of Modern Cryptography Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary

More information

SAT Solvers in the Context of Cryptography

SAT Solvers in the Context of Cryptography SAT Solvers in the Context of Cryptography v2.0 Presentation at Montpellier Mate Soos UPMC LIP6, PLANETE team INRIA, SALSA Team INRIA 10th of June 2010 Mate Soos (UPMC LIP6, PLANETE team SAT INRIA, solvers

More information

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018 Lecture 6: Symmetric Cryptography CS 5430 February 21, 2018 The Big Picture Thus Far Attacks are perpetrated by threats that inflict harm by exploiting vulnerabilities which are controlled by countermeasures.

More information

Private-Key Encryption

Private-Key Encryption Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 32 Outline 1 Historical Ciphers 2 Probability Review 3 Security Definitions: Perfect Secrecy 4 One Time Pad (OTP) 2

More information

Cryptographic Concepts

Cryptographic Concepts Outline Identify the different types of cryptography Learn about current cryptographic methods Chapter #23: Cryptography Understand how cryptography is applied for security Given a scenario, utilize general

More information

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75 Block cipher modes Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 75 Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 76 Block cipher modes Block ciphers (like

More information

Stream Ciphers. Stream Ciphers 1

Stream Ciphers. Stream Ciphers 1 Stream Ciphers Stream Ciphers 1 Stream Ciphers Generate a pseudo-random key stream & xor to the plaintext. Key: The seed of the PRNG Traditional PRNGs (e.g. those used for simulations) are not secure.

More information

A Cache Timing Analysis of HC-256

A Cache Timing Analysis of HC-256 A Cache Timing Analysis of HC-256 Erik Zenner Technical University Denmark (DTU) Institute for Mathematics e.zenner@mat.dtu.dk SAC 2008, Aug. 14, 2008 Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256

More information

Symmetric Encryption Algorithms

Symmetric Encryption Algorithms Symmetric Encryption Algorithms CS-480b Dick Steflik Text Network Security Essentials Wm. Stallings Lecture slides by Lawrie Brown Edited by Dick Steflik Symmetric Cipher Model Plaintext Encryption Algorithm

More information

Block Ciphers. Secure Software Systems

Block Ciphers. Secure Software Systems 1 Block Ciphers 2 Block Cipher Encryption function E C = E(k, P) Decryption function D P = D(k, C) Symmetric-key encryption Same key is used for both encryption and decryption Operates not bit-by-bit but

More information

Information Security CS526

Information Security CS526 Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for

More information

Computer Security CS 526

Computer Security CS 526 Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability

More information

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm CIS 4360 Introduction to Computer Security Fall 2010 WITH ANSWERS in bold Name:.................................... Number:............ First Midterm Instructions This is a closed-book examination. Maximum

More information

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel (a) Introduction - recall symmetric key cipher: III. BLOCK CIPHERS k Symmetric Key Cryptography k x e k y yʹ d k xʹ insecure channel Symmetric Key Ciphers same key used for encryption and decryption two

More information

Low-cost hardware implementations of Salsa20 stream cipher in programmable devices

Low-cost hardware implementations of Salsa20 stream cipher in programmable devices Journal of Polish Safety and Reliability Association Summer Safety and Reliability Seminars, Volume 4, Number 1, 2013 Wrocław University of Technology, Wrocław, Poland Low-cost hardware implementations

More information

Data Encryption Standard (DES)

Data Encryption Standard (DES) Data Encryption Standard (DES) Best-known symmetric cryptography method: DES 1973: Call for a public cryptographic algorithm standard for commercial purposes by the National Bureau of Standards Goals:

More information

Block Cipher Modes of Operation

Block Cipher Modes of Operation Block Cipher Modes of Operation Luke Anderson luke@lukeanderson.com.au 24th March 2016 University Of Sydney Overview 1. Crypto-Bulletin 2. Modes Of Operation 2.1 Evaluating Modes 2.2 Electronic Code Book

More information

Key Separation in Twofish

Key Separation in Twofish Twofish Technical Report #7 Key Separation in Twofish John Kelsey April 7, 2000 Abstract In [Mur00], Murphy raises questions about key separation in Twofish. We discuss this property of the Twofish key

More information

City, University of London Institutional Repository

City, University of London Institutional Repository City Research Online City, University of London Institutional Repository Citation: Komninos, N. (2007). Morpheus: stream cipher for software & hardware applications. Paper presented at the IEEE 9th International

More information

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017 COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Pseudorandom Permutations unctions that look like random permutations Syntax: Key space K (usually {0,1}

More information

CSCI 454/554 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation

CSCI 454/554 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation CSCI 454/554 Computer and Network Security Topic 3.2 Secret Key Cryptography Modes of Operation Processing with Block Ciphers Most ciphers work on blocks of fixed (small) size How to encrypt long messages?

More information

Computational Security, Stream and Block Cipher Functions

Computational Security, Stream and Block Cipher Functions Computational Security, Stream and Block Cipher Functions 18 March 2019 Lecture 3 Most Slides Credits: Steve Zdancewic (UPenn) 18 March 2019 SE 425: Communication and Information Security 1 Topics for

More information

L2. An Introduction to Classical Cryptosystems. Rocky K. C. Chang, 23 January 2015

L2. An Introduction to Classical Cryptosystems. Rocky K. C. Chang, 23 January 2015 L2. An Introduction to Classical Cryptosystems Rocky K. C. Chang, 23 January 2015 This and the next set of slides 2 Outline Components of a cryptosystem Some modular arithmetic Some classical ciphers Shift

More information

Winter 2011 Josh Benaloh Brian LaMacchia

Winter 2011 Josh Benaloh Brian LaMacchia Winter 2011 Josh Benaloh Brian LaMacchia Symmetric Cryptography January 20, 2011 Practical Aspects of Modern Cryptography 2 Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash

More information

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers Stream Ciphers Start with a secret key ( seed ) Generate a keying stream i-th bit/byte of keying stream is a function

More information

Applied Cryptography Data Encryption Standard

Applied Cryptography Data Encryption Standard Applied Cryptography Data Encryption Standard Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 History DES has a checkered history. The book provided fascinating reading

More information

Feedback Week 4 - Problem Set

Feedback Week 4 - Problem Set 4/26/13 Homework Feedback Introduction to Cryptography Feedback Week 4 - Problem Set You submitted this homework on Mon 17 Dec 2012 11:40 PM GMT +0000. You got a score of 10.00 out of 10.00. Question 1

More information

Introduction to cryptology (GBIN8U16)

Introduction to cryptology (GBIN8U16) Introduction to cryptology (GBIN8U16) Finite fields, block ciphers Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 01 31 Finite fields,

More information

Symmetric Encryption. Thierry Sans

Symmetric Encryption. Thierry Sans Symmetric Encryption Thierry Sans Design principles (reminder) 1. Kerkoff Principle The security of a cryptosystem must not rely on keeping the algorithm secret 2. Diffusion Mixing-up symbols 3. Confusion

More information

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa ICT 6541 Applied Cryptography Hossen Asiful Mustafa Encryption & Decryption Key (K) Plaintext (P) Encrypt (E) Ciphertext (C) C = E K (P) Same Key (K) Ciphertext (C) Decrypt (D) Plaintext (P) P = D K (C)

More information

Processing with Block Ciphers

Processing with Block Ciphers AIT 682: Network and Systems Security Topic 3.2 Secret Cryptography Modes of Operation Instructor: r. Kun Sun rocessing with Block Ciphers Most ciphers work on blocks of fixed (small) size How to encrypt

More information

CSC/ECE 574 Computer and Network Security. Processing with Block Ciphers. Issues for Block Chaining Modes

CSC/ECE 574 Computer and Network Security. Processing with Block Ciphers. Issues for Block Chaining Modes CSC/C 574 Computer and Network Security Topic 3.2 Secret Cryptography Modes of Operation CSC/C 574 r. eng Ning 1 rocessing with Block Ciphers Most ciphers work on blocks of fixed (small) size How to encrypt

More information

CS 161 Computer Security. Week of September 11, 2017: Cryptography I

CS 161 Computer Security. Week of September 11, 2017: Cryptography I Weaver Fall 2017 CS 161 Computer Security Discussion 3 Week of September 11, 2017: Cryptography I Question 1 Activity: Cryptographic security levels (20 min) Say Alice has a randomly-chosen symmetric key

More information

Multiple forgery attacks against Message Authentication Codes

Multiple forgery attacks against Message Authentication Codes Multiple forgery attacks against Message Authentication Codes David A. McGrew and Scott R. Fluhrer Cisco Systems, Inc. {mcgrew,sfluhrer}@cisco.com May 31, 2005 Abstract Some message authentication codes

More information

EEC-484/584 Computer Networks

EEC-484/584 Computer Networks EEC-484/584 Computer Networks Lecture 23 wenbing@ieee.org (Lecture notes are based on materials supplied by Dr. Louise Moser at UCSB and Prentice-Hall) Outline 2 Review of last lecture Introduction to

More information

Passwords. CS 166: Introduction to Computer Systems Security. 3/1/18 Passwords J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.

Passwords. CS 166: Introduction to Computer Systems Security. 3/1/18 Passwords J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2. Passwords CS 166: Introduction to Computer Systems Security 1 Source: https://shop.spectator.co.uk/wp-content/uploads/2015/03/open-sesame.jpg 2 Password Authentication 3 What Do These Passwords Have in

More information

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks. Presented by Paul Ruggieri

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks. Presented by Paul Ruggieri TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof, Naveen Sastry,, David Wagner Presented by Paul Ruggieri 1 Introduction What is TinySec? Link-layer security architecture

More information

Stream Ciphers and Block Ciphers

Stream Ciphers and Block Ciphers Stream Ciphers and Block Ciphers 2MMC10 Cryptology Fall 2015 Ruben Niederhagen October 6th, 2015 Introduction 2/32 Recall: Public-key crypto: Pair of keys: public key for encryption, private key for decryption.

More information