K 2r+8 PHT <<<1 MDS MDS


 Hector Simmons
 2 years ago
 Views:
Transcription
1 )*.1,(/+032 THE INSTITUTE OF ELECTRONICS, INFORMATION AND COMMUNICATION ENGINEERS 034 TECHNICAL REPORT OF IEICE. 7865'9 Twosh ;<= (:; 2) 3 B&C y 3 NTT FRUX_a[\]Ye`khE f Gnql #Hw~ ˆ g 11 y NTT Multimedia Communications Laboratories 250 Cambridge Ave., Palo Alto, CA 94306, USA ª «OŒ zkd!š AES Žƒ Q "œž ^b[z!š Twosh Lxp šdi}{ truncated dierential V šj%cys 2 057:3 žjt 16 W truncated dierential mœ šd 2 51 rvnm u c truncated dierential \good pair" 1 st c good pair i 2 77 st Ÿ} ž d šc Knudsen open problem Ÿ šc 5 W Twosh random permutationÿ Pž $oi truncated dierential mœ šd ± ³ ² µ, ¹, truncated dierential, Twosh, AES Cryptanalysis of Twosh (II) Shiho Moriai 3 Yiqun Lisa Yin y 3 NTT Information Sharing Platform Laboratories 11 Hikarinooka, Yokosuka, , Japan y NTT Multimedia Communications Laboratories 250 Cambridge Ave., Palo Alto, CA 94306, USA Abstract We present truncated dierential cryptanalysis of the block cipher Twosh, which is one of the ve nalists for the Advanced Encryption Standard (AES). From our experimental results, we found a 16round truncated dierential with probability of about 2 057:3. One can expect to get one good pair following the truncated dierential from 2 51 chosen plaintexts, and there are a total of 2 77 such goodpairs. We also found 5round truncated dierentials which can be useful in distinguishing Twosh reduced to 5 rounds from a random permutation. This was considered to be an open problem by Knudsen. key words cryptanalysis, dierential cryptanalysis, truncated dierential, Twosh, AES
2 1 Introduction Twosh is a 128bit block cipher proposed by Schneier et al. [SKW+98]. It is one of the ve nalists of AES, and it is used in many products such as GnuPG, SSH Secure Shell, and so on [C99]. The best known attack on variants of Twosh claimed by the designers is an impossible dierential attack on 6round Twosh [F99]. Recently Knudsen [K00] showed that there are dierentials for Twosh for up to 16 rounds, predicting at least 32 bits of nontrivial information in every round. The probability of the truncated dierentials are too small to distinguish Twosh with more than a few rounds from a random permutation, but he claimed that it is possible, at least in theory, to nd one good pair of plaintexts following the dierential through all 16 rounds. Murphy and Robshaw [MR00] made some observations on keydependent Sboxes and dierential cryptanalysis of Twosh. Their approach was to choose the Sbox to t the dierential characteristic, instead of choosing the dierential characteristic to t the Sbox. They found a 6round dierential characteristic which holds for a fraction of at least of the Sboxes and claimed possible attacks of 8round Twosh. Table 1 summarizes the known results on cryptanalysis of Twosh. In this paper we study truncated dierential cryptanalysis of Twosh. The type of truncated dierentials to be used are \byte characteristics," that is, the values of the dierence in a byte are distinguished between nonzero and zero, and the measure of dierence is exclusiveor. Note that Knudsen's truncated dierentials were based on the integer subtraction dierence between two 32bit words. By using byte wise characteristics instead, we can make a thorough investigation of the nonuniformity in the distribution of the dierences, which was left as an open question by Knudsen [K00]. Twosh consists of both byteoriented and nonbyteoriented operations as shown in Figure 1. The nonbyteoriented operations include the 1bit rotates, addition with subkeys, and PHT (pseudohadamard transform), which comprises of two additions modular To search for byte characteristics of Twosh, we begin by computing the truncated dierential probability of addition modular 2 n. Based on the ecient computation of dierential probability of addition modular 2 n shown in [M00], we give an ecient computation of truncated dierential probability of addition modular 2 n in Section 2. In Section 3, we consider truncated dierential probability of the MDS. Finally in Section 4 we present the truncated dierentials that we found by computer experiments. 2 Ecient Computation of Truncated Dierential Probabilities of Addition Modular 2 n In [M00], an ecient algorithm was presented for computing dierential probabilities of addition mod 2 n. The algorithm can be extended to compute truncated dierential probabilities of addition of 2 n, but a straightforward extension to the case of truncated dierentials can still be computationally very expensive. In this section, we study how to further speed up the round whitening key size cryptanalysis complexity conditions reference 4 w/ any distinguishing attack [K00] 6 w/o 128 impossible dierential [F99] 6 w/o 192 impossible dierential [F99] 6 w/o 256 impossible dierential [F99] 6 w/ 256 impossible dierential [F99] 8* w/ any dierential attack > fraction [MR00] of the Sboxes Table 1: Twosh cryptanalysis
3 K 0 K 1 K 2 K 3 input whitening Sbox 0 Sbox 1 Sbox 2 MDS K 2r+8 PHT <<<1 Sbox 3 <<<8 Sbox 0 Sbox 1 Sbox 2 Sbox 3 MDS K 2r+9 >>>1 1 round : 15 more rounds K 4 K 5 K 6 K 7 output whitening Figure 1: Twosh computation of truncated dierential probabilities. We will follow the denitions and notation in [M00], and here we will only restate some of them if they are directly related to our discussion below. For x; y; z 2 GF(2) n, the function addition mod 2 n is dened as follows: f(x; y) =x + y = z (mod2 n ): We divide 1x 2 GF(2) n into tbit subblocks and denote them by 1x [t] least signicant subblock. So 1x =(1x [t] m01 ;:::;1x[t] 1 ; 1x[t] 0 ); 0 ; 1x[t] 1 ;::: from the where m = n=t is the number of subblocks. A very ecient algorithm for computing dierential probabilities of f (denoted by DP f (1x; 1y;1z)) is given in [M00]. For each triplet (1x; 1y; 1z), the running time of the algorithm is O(n) 1, while a naive approach would require a running time of O(2 2n ). The truncated dierential probabilities for f are dened as follows. TDP f (x;y;z) = 1 c X (1x;1y;1z)=(x;y;z) DP f (1x; 1y; 1z); (1) where c is the number of pairs (1x; 1y) satisfying the condition (1x; 1y) =(x; y). Let w H (x) denote the Hamming weight ofx. Then it is easy to see that c =(2 t 0 1) w H(x)+w H (y) : In a typical setting (e.g., byte characteristics), we have n =32andt = 8. So the number of possible truncated dierentials is (2 n=t ) 3 =2 12. Some of these truncated dierentials may have a very large c value. For example, when w H (x) +w H (y) 6, we have c Therefore, computation of all truncated dierential probabilities using Equation (1) can still be very expensive, even when the dierential probabilities themselves can be calculated eciently. 1 Later the complexity was further improved to 2(log n) in the worstcase and 2(1) in the averagecase.
4 2.1 Basic idea The main idea for speeding up the computation of truncated dierential probabilities is to treat each subblock somewhat independently. More specically, we will rst compute some properly dened \partial sums of dierential probabilities" for each subblock ignoring the carry from one subblock to the next, and then we will join these probabilities together to obtain the total truncated dierential probability for f. For each subblock, we need to consider both the dierence in the carryin (denoted by 1cin) from the previous subblock and dierence in the carryout (denoted by 1cout) to the next subblock. There are two possible values for 1cin: 0,1. Let P 1cout denote the probability that there is carry from one subblock to the next. That is, P 1cout =Pr[1cout =1]: Based on the results in [M00], there are only three possible values for P 1cout : 0,0.5,1. For a give subblock (the ith subblock), let (x i ;y i ;z i ) be the values of (x; y; z) restricted to the subblock. Below, we dene 6 partial sums for the dierential probabilities, one corresponding to a possible combination of (1cin; P 1cout )=(d; p) ford =0; 1andp =0; 0:5; 1. where Condition PS is 2.2 Detailed algorithm = X PS(x i ;y i ;z i ;d;p) Condition PS DP(1x [t] i ; 1y[t] i ; 1z[t] i ); (2) (1x [t] i ; 1y[t] i ; 1z[t] i ) = (x i;y i ;z i ); 1cin = d; P 1cout = p: Our algorithm for computing truncated dierential probabilities contains two major components: precomputing partial sums and joining partial sums of subblocks. Precomputing partial sums We observe that the partial sums dened by Equation (2) only depend on the values restricted to a particular subblock. Therefore, these partial sums can be precomputed and stored in a table. Typically, eachx i ;y i ;z i is just a single bit. So the total number of partial sums to be stored is = 48. Joining subblocks Given the partial sums for anytwo consecutive subblocks H and L (each of length t bits), we can compute the partial sums for the subblock HjjL of length 2t bits. Let PS L (x i ;y i ;z i ;d;p); PS H (x i+1 ;y i+1 ;z i+1 ;d;p); and PS HjjL (x i+1 jjx i ;y i+1 jjy i ;z i+1 jjz i ;d;p)
5 denote the partial sums of dierential probabilities for the corresponding subblocks. PS HjjL is computed as Then PS HjjL (1; 1; 1;d;p)=[ ]: PS H (1; 1; 1; 0;p) 2 PS L (1; 1; 1;d;0) + PS H (1; 1; 1; 1;p) 2 PS L (1; 1; 1;d;1) + PS H (1; 1; 1; 0;p) 2 PS L (1; 1; 1;d;0:5) 2 0:5 + PS H (1; 1; 1; 1;p) 2 PS L (1; 1; 1;d;0:5) 2 0:5 In general, the two subblocks H and L can have anynumberofbits,say t 1 and t 2, respectively. Using the above formula, we can compute the new partial sums for the subblock HjjL of length (t 1 + t 2 ) bits. Computing the total TDP By repetitively joining successive subblocks, we can obtain the 6 partial sums PS(x;y;z; d;p) for the entire block of length n. Since 1cin = 0 for the least signicant subblock, 3 of these partial sums (for which d = 1) actually have value zero. Therefore, the total truncated dierential probability is TDP f (x; y;z) = 1 2 [ PS(x; y; z; 0; 0) c + PS(x; y; z; 0; 1) ]: + PS(x; y; z; 0; 0:5) Eciency analysis The algorithm given in this section is independent of the Hamming weight of x and y. For n = 32 and t =8,eachofthe2 12 truncated dierential probabilities can be computed using a constantnumber of table lookups, additions, and multiplications. Experiments show that all the 2 12 probabilities can be computed in less than one second on a PC. 3 Truncated Dierential Probabilities of MDS The truncated dierential probabilities for the MDS are dened as follows. TDP MDS (x; y) = 1 c X (1x;1y)=(x;y) Pr[MDS(x) 8 MDS(x 8 1x) =1y]; (3) where c is the number of 1x satisfying the condition (1x) =x. The distribution of TDP MDS (x;y) is related to the weight distribution of the MDS (Maximum Distance Separable) code. TDP MDS (x;y) is determined by the Hamming weights of x and y, astable 2 shows. 4 Search for Truncated Dierentials of Twosh In this section, we present our search results for truncated dierentials of Twosh. Our search uses the dierential probabilities of PHT and MDS computed in Sections 2 and 3. For speeding up the search, we rst set the probability to be one for 1bit rotations. Once we found the truncated dierentials, we then adjust the probability as follows. If the input dierence (32bit) of the 1bit rotation is f 2, the output dierence is still f. Otherwise, we need some adjustment. For example, if the input dierence of the 1bit right rotation is 8, the output 2 In this section we usetypewriter font for the hexadecimal representation of truncated dierentials.
6 w H (y) w H (x) : : : : : : : : :023 Table 2: Truncated dierential probabilities of MDS dierence is 8 with probability 2 01, c with probability and 4 with probability 2 08 (here we have multiple paths, but in most cases the multiple paths join at the next MDS). For additions with subkeys (i.e., f(x; k) =x + k = z (mod 2 n ), where k is some subkey), the value corresponding to k = 0 in our precomputed table gives the truncated dierential probability when we average over all possible keys. For any xed subkey k, the probability depends on k, and it can be larger or smaller than the average probability: the maximum probability can be 1 for a fraction of the subkeys. For easy treatment of probability after the search, we set the probability to be one for additions with subkeys. 4.1 Truncated dierentials with high probability First, we searched for truncated dierentials that hold with relatively high probability, although they may not be exploited in general (wellknown) cryptanalytic attacks. As Knudsen [K00] wrote, such dierentials can provide some bits of nontrivial information in every round. Our computer experiments found a 12round truncated dierential with probability of about 2 040:9.InTable 3, the output dierence of each round are shown in hexadecimal representation. One can expect to get one good pair following the truncated dierential from about 2 34 chosen plaintexts by using a structure in the last byte of the plaintext. There are a total of 2 94 such good pairs. More interestingly, we found a truncated dierential for the full 16 rounds of Twosh with probability of about 2 057:3 (see Table 4). One can expect to get one good pair following the truncated dierential from about chosen plaintexts, and there are 2 28 such good pairs. In [K00] Knudsen showed a 16round truncated dierential with probability The probability of our 16round truncated dierential is much higher than what was found by Knudsen, and the total number of good pairs for our dierential is also much larger. 4.2 Truncated dierentials useful for distinguishing attacks We also searched for truncated dierentials that may be useful in distinguishing attacks. As a result, we found one 4round truncated dierential, and four 5round truncated dierentials (see Tables 6 and 5). The 4round truncated dierential is a path included in the 4round truncated dierential that Knudsen used for the 2 tests in [K00, Section 5.2]. Note that Knudsen's 4round truncated dierential contains multiple paths and the probability is much higher. Knudsen concluded that for more than 4 rounds, it is an open question how nonuniform the distribution of dierences can be. Now that we found 5round truncated dierentials with probability slightly higher than a random permutation, in theory we can perform statistical tests such as 2 tests. Note that the probabilities in Table 5 can be a little smaller due to 1bit rotations or a little larger due to the eect of multiple paths.
7 round probability : f f 2 00: f f f e 2 08: f e f f 2 08: f f 7 f 2 016: f f f 2 016: f f b f 2 024: b f f f 2 024: f f 7 f 2 032: f f f 2 032: f f b f 2 040: b f f f 2 040: Table 3: 12round truncated dierential round probability : f f 2 00: f f f e 2 08: f e f f 2 08: f f 7 f 2 016: f f f 2 016: f f b f 2 024: b f f f 2 024: f f 7 f 2 032: f f f 2 032: f f b f 2 040: b f f f 2 040: f f 7 f 2 049: f f f 2 049: f f b f 2 057: b f f f 2 057: Table 4: 16round truncated dierential 5 Conclusion We presented truncated dierential cryptanalysis of the block cipher Twosh. We performed the search by computer experiments, and found a 16round truncated dierential with probability of about 2 057:3, which ismuch larger than previously known results. We also found 5round truncated dierentials which can be useful in distinguishing Twosh reduced to 5 rounds from a random permutation. We will implement some tests to conrm our conjecture. References [C99] [F99] N. Ferguson, \Impossible dierentials in Twosh," Twosh Technical Report #5, October 5, [K00] [K95] [KN96] [KRW99] [M00] L. R. Knudsen, \Trawling Twosh (revisited)," Presentation at rump session of AES3. Public comment on AES Candidate Algorithms { Round 2. csrc.nist.gov/encryption/aes/round2/comments/ lknudsen2.pdf L. R. Knudsen, \Truncated and Higher Order Dierentials," Fast Software Encryption Second International Workshop, Lecture Notes in Computer Science 1008, pp.196{211, SpringerVerlag, L. R. Knudsen and T. A. Berson, \Truncated dierentials of SAFER," Fast Software Encryption, 3rd International Workshop, Lecture Notes in Computer Science 1039, pp.15{26, SpringerVerlag, L. R. Knudsen, M. J. B. Robshaw, and D. Wagner, \Truncated Dierentials and Skipjack," Advances in Cryptology CRYPTO'99, Lecture Notes in Computer Science 1666, pp.165{180, SpringerVerlag, S. Moriai,\Cryptanalysis of Twosh (I)", In Proceedings of the 2000 Symposium on Cryptography and Information Security, Okinawa, Japan, January 2628, 2000.
8 round probability : f f 2 00: f f : : : c 0 2 0: c 0 e e 2 08: e e c : c : c : e 0 2 0: e 0 c c 2 015: c c e : e : e : f 0 2 0: f : f : f : f : Table 5: 5round truncated dierentials round probability : f f 2 00: f f : f f 2 055: Table 6: 4round truncated dierential [MR00] S. Murphy and M.J.B Robshaw, \Dierential Cryptanalysis, Keydependent S boxes, and Twosh", Public comment on AES Candidate Algorithms  Round 2. pdf [MSAK99] [MT99] [SKW+98] S. Moriai, M. Sugita, K. Aoki, and M. Kanda, \Security of E2 against Truncated Dierential Cryptanalysis," SAC'99, 6th Annual International Workshop on Selected Areas in Cryptography, Workshop Record, pp.133{143, 1999, (to appear in Lecture Notes in Computer Science, SpringerVerlag, 2000). M. Matsui and T. Tokita, \Cryptanalysis of a Reduced Version of the Block Cipher E2," Fast Software Encryption, 6th International Workshop, Lecture Notes in Computer Science 1636, pp.71{80, SpringerVerlag, B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, and N. Ferguson, \Twosh: A 128Bit Block Cipher".
Specication of Camellia a 128bit Block Cipher Kazumaro AOKI y, Tetsuya ICHIKAWA z, Masayuki KANDA y, Mitsuru MATSUI z, Shiho MORIAI y, Junko NAKAJIMA z, Toshio TOKITA z y Nippon Telegraph and Telephone
More informationEnhancing Advanced Encryption Standard SBox Generation Based on Round Key
Enhancing Advanced Encryption Standard SBox Generation Based on Round Key Julia Juremi Ramlan Mahmod Salasiah Sulaiman Jazrin Ramli Faculty of Computer Science and Information Technology, Universiti Putra
More informationRelated Key Differential Attacks on 27 rounds of XTEA and Fullround GOST
Related Key Differential Attacks on 27 rounds of XTEA and ullround GOST Youngdai Ko 1, Seokhie Hong 1, Wonil Lee 1, Sangjin Lee 1, and JuSung Kang 2 1 Center for Information Security Technologies (CIST),
More informationThe 128bit Blockcipher CLEFIA Design Rationale
The 128bit Blockcipher CLEFIA Design Rationale Revision 1.0 June 1, 2007 Sony Corporation NOTICE THIS DOCUMENT IS PROVIDED AS IS, WITH NO WARRANTIES WHATSOVER, INCLUDING ANY WARRANTY OF MERCHANTABIL
More informationCamellia: A 128Bit Block Cipher Suitable for Multiple Platforms Design and Analysis
Camellia: A 128Bit Block Cipher Suitable for Multiple Platforms Design and Analysis Kazumaro Aoki Tetsuya Ichikawa Masayuki Kanda Mitsuru Matsui Shiho Moriai Junko Nakajima Toshio Tokita Nippon Telegraph
More informationThe Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES) Conception  Why A New Cipher? Conception  Why A New Cipher? DES had outlived its usefulness Vulnerabilities were becoming known 56bit key was too small Too slow
More informationCSCE 465 Computer & Network Security
CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Secret Key Cryptography (I) 1 Introductory Remarks Roadmap Feistel Cipher DES AES Introduction
More information6.857 Computer and Network Security Fall Term, 1997 Lecture 4 : 16 September 1997 Lecturer: Ron Rivest Scribe: Michelle Goldberg 1 Conditionally Secure Cryptography Conditionally (or computationally) secure
More informationDierential Cryptanalysis of DESlike Cryptosystems Eli Biham Adi Shamir The Weizmann Institute of Science Department of Apllied Mathematics July 19, 1990 Abstract The Data Encryption Standard (DES) is
More informationAlgebraic Attacks on SOBERt32 and SOBERt16 without stuttering
Algebraic Attacks on SOBERt32 and SOBERt16 without stuttering Joo Yeon Cho and Josef Pieprzyk Center for Advanced Computing Algorithms and Cryptography, Department of Computing, Macquarie University,
More informationThe 128bit Blockcipher CLEFIA Security and Performance Evaluations
The 128bit Blockcipher CLEFIA Security and Performance Evaluations Revision 1.0 June 1, 2007 Sony Corporation NOTICE THIS DOCUMENT IS PROVIDED AS IS, WITH NO WARRANTIES WHATSOVER, INCLUDING ANY WARRANTY
More informationCryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 12 Block Cipher Standards
More informationCryptography and Network Security Block Cipher
Cryptography and Network Security Block Cipher XiangYang Li Modern Private Key Ciphers Stream ciphers The most famous: Vernam cipher Invented by Vernam, ( AT&T, in 1917) Process the message bit by bit
More informationThe Advanced Encryption Standard: Four Years On
The Advanced Encryption Standard: Four Years On Matt Robshaw Reader in Information Security Information Security Group Royal Holloway University of London September 21, 2004 The State of the AES 1 The
More informationComparative Analysis for Performance acceleration of Modern Asymmetric Crypto Systems
J. of Comp. and I.T. Vol. 3(1&2), 16 (2012). Comparative Analysis for Performance acceleration of Modern Asymmetric Crypto Systems RAJ KUMAR 1 and V.K. SARASWAT 2 1,2 Department of Computer Science, ICIS
More informationCryptography and Network Security
Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 3: Block ciphers and DES Ion Petre Department of IT, Åbo Akademi University January 17, 2012 1 Data Encryption Standard
More informationASELFSTUDY COURSE IN BLOCKCIPHER CRYPTANALYSIS
Schneier ASelfStudy Course in BlockCipher Cryptanalysis ASELFSTUDY COURSE IN BLOCKCIPHER CRYPTANALYSIS Bruce Schneier ADDRESS: Counterpane Internet Security, In., 3031 Tisch Way, San Jose CA 95128
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No. # 11 Block Cipher Standards (DES) (Refer Slide
More informationTiming Attacks on Implementations of DieHellman, RSA, DSS, and Other Systems Paul C. Kocher Cryptography Research, Inc. 607 Market Street, 5th Floor, San Francisco, CA 94105, USA. Email: paul@cryptography.com.
More informationThe Data Encryption Standard (DES)
The Data Encryption Standard (DES) As mentioned earlier there are two main types of cryptography in use today  symmetric or secret key cryptography and asymmetric or public key cryptography. Symmetric
More informationIMPLICATIONS OF BITSUM ATTACK ON TINY ENCRYPTION ALGORITHM AND XTEA
Journal of Computer Science 10 (6): 10771083, 2014 ISSN: 15493636 2014 doi:10.3844/jcssp.2014.1077.1083 Published Online 10 (6) 2014 (http://www.thescipub.com/jcs.toc) IMPLICATIONS OF BITSUM ATTACK ON
More informationFINDING EFFICIENT DISTINGUISHERS FOR CRYPTOGRAPHIC MAPPINGS, WITH AN APPLICATION TO THE BLOCK CIPHER TEA
FINDING EFFICIENT DISTINGUISHERS FOR CRYPTOGRAPHIC MAPPINGS, WITH AN APPLICATION TO THE BLOCK CIPHER TEA JULIO C. HERNANDEZ CAPS Team, INRIAIRISA, Campus de Beaulieu, France PEDRO ISASI Artificial Intelligence
More information1 Data Encryption Algorithm
Date: Monday, September 23, 2002 Prof.: Dr JeanYves Chouinard Design of Secure Computer Systems CSI4138/CEG4394 Notes on the Data Encryption Standard (DES) The Data Encryption Standard (DES) has been
More informationSection 2.1: Shift Ciphers and Modular Arithmetic
1 Section 2.1: Shift Ciphers and Modular Arithmetic Practice HW from Barr Textbook (not to hand in) p.66 # 1, 2, 36, 912, 13, 15 The purpose of this section is to learn about modular arithmetic, which
More informationA Practical Attack on Broadcast RC4
A Practical Attack on Broadcast RC4 Itsik Mantin and Adi Shamir Computer Science Department, The Weizmann Institute, Rehovot 76100, Israel. {itsik,shamir}@wisdom.weizmann.ac.il Abstract. RC4is the most
More informationRC6. Marcel Felipe Weschenfelder
RC6 Marcel Felipe Weschenfelder Introduction Operations Algorithm Performance Crypto analyse Highlight/lowlight Conclusion References Agenda RC6 Introduction Designed by: Ron Rivest, Matt Robshaw, Ray
More informationThe Stream Cipher HC128
The Stream Cipher HC128 Hongjun Wu Katholieke Universiteit Leuven, ESAT/SCDCOSIC Kasteelpark Arenberg 10, B3001 LeuvenHeverlee, Belgium wu.hongjun@esat.kuleuven.be Statement 1. HC128 supports 128bit
More informationLecture 4 Data Encryption Standard (DES)
Lecture 4 Data Encryption Standard (DES) 1 Block Ciphers Map nbit plaintext blocks to nbit ciphertext blocks (n = block length). For nbit plaintext and ciphertext blocks and a fixed key, the encryption
More informationThe Twofish Team s Final Comments on AES Selection
The Twofish Team s Final Comments on AES Selection Bruce Schneier John Kelsey Doug Whiting David Wagner Chris Hall Niels Ferguson Tadayoshi Kohno Mike Stay May 15, 2000 1 Introduction In 1996, the National
More informationA NOVEL STRATEGY TO PROVIDE SECURE CHANNEL OVER WIRELESS TO WIRE COMMUNICATION
A NOVEL STRATEGY TO PROVIDE SECURE CHANNEL OVER WIRELESS TO WIRE COMMUNICATION Prof. Dr. Alaa Hussain Al Hamami, Amman Arab University for Graduate Studies Alaa_hamami@yahoo.com Dr. Mohammad Alaa Al
More informationLecture Note 8 ATTACKS ON CRYPTOSYSTEMS I. Sourav Mukhopadhyay
Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I Sourav Mukhopadhyay Cryptography and Network Security  MA61027 Attacks on Cryptosystems Up to this point, we have mainly seen how ciphers are implemented. We
More informationModern Block Cipher Standards (AES) Debdeep Mukhopadhyay
Modern Block Cipher Standards (AES) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA 721302 Objectives Introduction
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur Lecture No. #06 Cryptanalysis of Classical Ciphers (Refer
More informationCryptography and Network Security Chapter 3
Cryptography and Network Security Chapter 3 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 3 Block Ciphers and the Data Encryption Standard All the afternoon
More informationSecurity Evaluation of the SPECTR128. Block Cipher
pplied Mathematical Sciences, ol. 7,, no. 4, 6945696 HIKI td, www.mhikari.com http://dx.doi.org/.988/ams..584 Security Evaluation of the SPECT8 Block Cipher Manh Tuan Pham, am T. u Posts and Telecommunications
More informationA PPENDIX H RITERIA FOR AES E VALUATION C RITERIA FOR
A PPENDIX H RITERIA FOR AES E VALUATION C RITERIA FOR William Stallings Copyright 20010 H.1 THE ORIGINS OF AES...2 H.2 AES EVALUATION...3 Supplement to Cryptography and Network Security, Fifth Edition
More informationCRYPTOGRAPHIC ALGORITHMS (AES, RSA)
CALIFORNIA STATE POLYTECHNIC UNIVERSITY, POMONA CRYPTOGRAPHIC ALGORITHMS (AES, RSA) A PAPER SUBMITTED TO PROFESSOR GILBERT S. YOUNG IN PARTIAL FULFILLMENT OF THE REQUIREMENT FOR THE COURSE CS530 : ADVANCED
More informationALGEBRAIC CRYPTANALYSIS OF AES: AN OVERVIEW
ALGEBRAIC CRYPTANALYSIS OF AES: AN OVERVIEW HARRIS NOVER Abstract. In this paper, we examine algebraic attacks on the Advanced Encryption Standard (AES, also known as Rijndael). We begin with a brief review
More informationHelix. Fast Encryption and Authentication in a Single Cryptographic Primitive
Helix Fast Encryption and Authentication in a Single Cryptographic Primitive Niels Ferguson 1, Doug Whiting 2, Bruce Schneier 3, John Kelsey 4, Stefan Lucks 5, and Tadayoshi Kohno 6 1 MacFergus, niels@ferguson.net
More informationA Comparative Study Of Two Symmetric Encryption Algorithms Across Different Platforms.
A Comparative Study Of Two Symmetric Algorithms Across Different Platforms. Dr. S.A.M Rizvi 1,Dr. Syed Zeeshan Hussain 2 and Neeta Wadhwa 3 Deptt. of Computer Science, Jamia Millia Islamia, New Delhi,
More informationOn the Security of Double and 2key Triple Modes of Operation
On the Security of Double and 2key Triple Modes of Operation [Published in L. Knudsen, d., Fast Software ncryption, vol. 1636 of Lecture Notes in Computer Science, pp. 215 230, SpringerVerlag, 1999.]
More informationCryptography and Cryptanalysis
Cryptography and Cryptanalysis Feryâl Alayont University of Arizona December 9, 2003 1 Cryptography: derived from the Greek words kryptos, meaning hidden, and graphos, meaning writing. Cryptography is
More informationRemotely Keyed Encryption Using NonEncrypting Smart Cards
THE ADVANCED COMPUTING SYSTEMS ASSOCIATION The following paper was originally published in the USENIX Workshop on Smartcard Technology Chicago, Illinois, USA, May 10 11, 1999 Remotely Keyed Encryption
More informationBlock encryption. CS4920: Lecture 7 Secret key cryptography. Determining the plaintext ciphertext mapping. CS4920Lecture 7 4/1/2015
CS4920: Lecture 7 Secret key cryptography Reading Chapter 3 (pp. 5975, 9293) Today s Outcomes Discuss block and key length issues related to secret key cryptography Define several terms related to secret
More informationOscillations of the Sending Window in Compound TCP
Oscillations of the Sending Window in Compound TCP Alberto Blanc 1, Denis Collange 1, and Konstantin Avrachenkov 2 1 Orange Labs, 905 rue Albert Einstein, 06921 Sophia Antipolis, France 2 I.N.R.I.A. 2004
More information6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 6 Block Ciphers 6.1 Block Ciphers Block Ciphers Plaintext is divided into blocks of fixed length and every block is encrypted one at a time. A block cipher is a
More informationUnderstanding the division property
Understanding the division property Christina Boura (joint work with Anne Canteaut) ASK 2015, October 1, 2015 1 / 36 Introduction In Eurocrypt 2015, Yosuke Todo introduces a new property, called the division
More informationThe Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES) All of the cryptographic algorithms we have looked at so far have some problem. The earlier ciphers can be broken with ease on modern computation systems. The DES
More informationLightWeight Cryptography for Ubiquitous Computing
LightWeight Cryptography for Ubiquitous Computing Securing Cyberspace Workshop IV: Special purpose hardware for cryptography Attacks and Applications University of California at Los Angeles, December
More informationLightWeight Cryptography for Ubiquitous Computing
LightWeight Cryptography for Ubiquitous Computing Securing Cyberspace Workshop IV: Special purpose hardware for cryptography Attacks and Applications University of California at Los Angeles, December
More informationT Cryptology Spring 2009
T79.5501 Cryptology Spring 2009 Homework 2 Tutor : Joo Y. Cho joo.cho@tkk.fi 5th February 2009 Q1. Let us consider a cryptosystem where P = {a, b, c} and C = {1, 2, 3, 4}, K = {K 1, K 2, K 3 }, and the
More informationHash Function JH and the NIST SHA3 Hash Competition
Hash Function JH and the NIST SHA3 Hash Competition Hongjun Wu Nanyang Technological University Presented at ACNS 2012 1 Introduction to Hash Function Hash Function Design Basics Hash function JH Design
More informationEncryption Quality Analysis and Security Evaluation of CAST128 Algorithm and its Modified Version using Digital Images
Encryption Quality Analysis and Security Evaluation CAST128 Algorithm and its Modified Version using Digital s Krishnamurthy G N, Dr. V Ramaswamy Abstract this paper demonstrates analysis well known block
More informationSplit Based Encryption in Secure File Transfer
Split Based Encryption in Secure File Transfer Parul Rathor, Rohit Sehgal Assistant Professor, Dept. of CSE, IET, Nagpur University, India Assistant Professor, Dept. of CSE, IET, Alwar, Rajasthan Technical
More informationPreimage Attacks on 41Step SHA256 and 46Step SHA512
Preimage Attacks on 4Step SHA256 and 46Step SHA52 Yu Sasaki, Lei Wang 2, and Kazumaro Aoki NTT Information Sharing Platform Laboratories, NTT Corporation 39 Midoricho, Musashinoshi, Tokyo, 88585
More informationRijndael Encryption implementation on different platforms, with emphasis on performance
Rijndael Encryption implementation on different platforms, with emphasis on performance KAFUUMA JOHN SSENYONJO Bsc (Hons) Computer Software Theory University of Bath May 2005 Rijndael Encryption implementation
More informationArithmetic Circuits Addition, Subtraction, & Multiplication
Arithmetic Circuits Addition, Subtraction, & Multiplication The adder is another classic design example which we are obliged look at. Simple decimal arithmetic is something which we rarely give a second
More informationA PPENDIX G S IMPLIFIED DES
A PPENDIX G S IMPLIFIED DES William Stallings opyright 2010 G.1 OVERVIEW...2! G.2 SDES KEY GENERATION...3! G.3 SDES ENRYPTION...4! Initial and Final Permutations...4! The Function f K...5! The Switch
More informationA new test for randomness and its application to some cryptographic problems
Journal of Statistical Planning and Inference 123 (2004) 365 376 www.elsevier.com/locate/jspi A new test for randomness and its application to some cryptographic problems B.Ya. Ryabko, V.S. Stognienko,
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer
More informationModular arithmetic. x ymodn if x = y +mn for some integer m. p. 1/??
p. 1/?? Modular arithmetic Much of modern number theory, and many practical problems (including problems in cryptography and computer science), are concerned with modular arithmetic. While this is probably
More informationKALE: A HighDegree AlgebraicResistant Variant of The Advanced Encryption Standard
KALE: A HighDegree AlgebraicResistant Variant of The Advanced Encryption Standard Dr. Gavekort c/o Vakiopaine Bar Kauppakatu 6, 41 Jyväskylä FINLAND mjos@iki.fi Abstract. We have discovered that the
More informationUnknown Plaintext Template Attacks
Unknown Plaintext Template Attacks Neil Hanley, Michael Tunstall 2, and William P. Marnane Department of Electrical and Electronic Engineering, University College Cork, Ireland. neilh@eleceng.ucc.ie, l.marnane@ucc.ie
More informationSQUARE Attacks on ReducedRound PES and IDEA Block Ciphers
SQURE ttacks on ReducedRound ES and IDE Block Ciphers Jorge Nakahara Jr, aulo S.L.M. Barreto 2, Bart reneel, Joos Vandewalle, and Hae Y. Kim 2 Katholieke Universiteit Leuven, Dept. EST/COSIC, Leuven,
More informationAStudyofEncryptionAlgorithmsAESDESandRSAforSecurity
Global Journal of Computer Science and Technology Network, Web & Security Volume 13 Issue 15 Version 1.0 Year 2013 Type: Double Blind Peer Reviewed International Research Journal Publisher: Global Journals
More informationBlock Ciphers that are Easier to Mask: How Far Can we Go?
Block Ciphers that are Easier to Mask: How Far Can we Go? Benoît Gérard 1,2, Vincent Grosso 1, María NayaPlasencia 3, FrançoisXavier Standaert 1 1 ICTEAM/ELEN/Crypto Group, Université catholique de Louvain,
More informationCryptanalysis of Dynamic SHA(2)
Cryptanalysis of Dynamic SHA(2) JeanPhilippe Aumasson 1,, Orr Dunkelman 2,, Sebastiaan Indesteege 3,4,, and Bart Preneel 3,4 1 FHNW, Windisch, Switzerland. 2 École Normale Supérieure, INRIA, CNRS, Paris,
More informationA New Digital Encryption Scheme: Binary Matrix Rotations Encryption Algorithm
International Journal of Research Studies in Computer Science and Engineering (IJRSCSE) Volume 2, Issue 2, February 2015, PP 1827 ISSN 23494840 (Print) & ISSN 23494859 (Online) www.arcjournals.org A
More informationDifferential Cryptanalysis of PUFFIN and PUFFIN.
Differential Cryptanalysis of PUFFIN and PUFFIN2 Céline Blondeau 1 and Benoît Gérard 2 1 Aalto University School of Science, Department of Information and Computer Science 2 Université catholique de Louvain,
More informationCS 758: Cryptography / Network Security
CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html
More informationECE 842 Report Implementation of Elliptic Curve Cryptography
ECE 842 Report Implementation of Elliptic Curve Cryptography WeiYang Lin December 15, 2004 Abstract The aim of this report is to illustrate the issues in implementing a practical elliptic curve cryptographic
More informationC Simplified DES. William Stallings Copyright 2006
APPENDIX C Simplified DES C.1 Overview...2 C.2 SDES Key Generation...3 C.3 SDES Encryption...3 Initial and Final Permutations...3 The Function... The Switch Function...5 C. Analysis of Simplified DES...5
More informationDifferential Fault Analysis of Secret Key Cryptosystems
Differential Fault Analysis of Secret Key Cryptosystems Eli Biham Computer Science Department Technion  Israel Institute of Technology Haifa 32000, Israel bihamocs.technion.ac.il http://www.cs.technion.ac.il/
More informationAnalysis of Nonfortuitous Predictive States of the RC4 Keystream Generator
Analysis of Nonfortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel Katholieke Universiteit Leuven, Dept. ESAT/COSIC, Kasteelpark Arenberg 10, B 3001 LeuvenHeverlee,
More informationNumber Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may
Number Theory Divisibility and Primes Definition. If a and b are integers and there is some integer c such that a = b c, then we say that b divides a or is a factor or divisor of a and write b a. Definition
More informationStatistical weakness in Spritz against VMPCR: in search for the RC4 replacement
Statistical weakness in Spritz against VMPCR: in search for the RC4 replacement Bartosz Zoltak www.vmpcfunction.com bzoltak@vmpcfunction.com Abstract. We found a statistical weakness in the Spritz algorithm
More informationSecret File Sharing Techniques using AES algorithm. C. Navya Latha 200201066 Garima Agarwal 200305032 Anila Kumar GVN 200305002
Secret File Sharing Techniques using AES algorithm C. Navya Latha 200201066 Garima Agarwal 200305032 Anila Kumar GVN 200305002 1. Feature Overview The Advanced Encryption Standard (AES) feature adds support
More informationLinear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT
Linear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT Jorge Nakahara Jr 1, Pouyan Sepehrdad 1, Bingsheng Zhang 2, Meiqin Wang 3 1 EPFL, Lausanne, Switzerland 2 Cybernetica AS, Estonia and
More informationTable of Contents. Bibliografische Informationen http://dnb.info/996514864. digitalisiert durch
1 Introduction to Cryptography and Data Security 1 1.1 Overview of Cryptology (and This Book) 2 1.2 Symmetric Cryptography 4 1.2.1 Basics 4 1.2.2 Simple Symmetric Encryption: The Substitution Cipher...
More informationA New 128bit Key Stream Cipher LEX
A New 128it Key Stream Cipher LEX Alex Biryukov Katholieke Universiteit Leuven, Dept. ESAT/SCDCOSIC, Kasteelpark Arenerg 10, B 3001 Heverlee, Belgium http://www.esat.kuleuven.ac.e/~airyuko/ Astract.
More informationElementary Number Theory We begin with a bit of elementary number theory, which is concerned
CONSTRUCTION OF THE FINITE FIELDS Z p S. R. DOTY Elementary Number Theory We begin with a bit of elementary number theory, which is concerned solely with questions about the set of integers Z = {0, ±1,
More informationAn Efficient and Secure Key Management Scheme for Hierarchical Access Control Based on ECC
An Efficient and Secure Key Management Scheme for Hierarchical Access Control Based on ECC Laxminath Tripathy 1 Nayan Ranjan Paul 2 1Department of Information technology, Eastern Academy of Science and
More informationA comparison of different finite fields for use in elliptic curve cryptosystems
University of Bristol DEPARTMENT OF COMPUTER SCIENCE A comparison of different finite fields for use in elliptic curve cryptosystems N. P. Smart June 2000 CSTR00007 A COMPARISON OF DIFFERENT FINITE FIELDS
More informationIn this paper a new signature scheme and a public key cryptotsystem are proposed. They can be seen as a compromise between the RSA and ElGamaltype sc
Digital Signature and Public Key Cryptosystem in a Prime Order Subgroup of Z n Colin Boyd Information Security Research Centre, School of Data Communications Queensland University of Technology, Brisbane
More informationExtended TEA Algorithms
Extended TEA Algorithms Tom St Denis April 20th 1999 Abstract. This paper presents some natural manners to use TEA [1] and XTEA [2] in a variety of designs while improving security and keeping with the
More informationThe Skein Hash Function Family
The Skein Hash Function Family Version 1.3 1 Oct 2010 Niels Ferguson Stefan Lucks Bruce Schneier Doug Whiting Mihir Bellare Tadayoshi Kohno Jon Callas Jesse Walker Microsoft Corp., niels@microsoft.com
More informationA Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0
A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0 James Manger Telstra Research Laboratories, Level 7, 242 Exhibition Street, Melbourne 3000,
More informationSerpent: A Proposal for the Advanced Encryption Standard
Serpent: A Proposal for the Advanced Encryption Standard Ross Anderson 1 Eli Biham 2 Lars Knudsen 3 1 Cambridge University, England; email rja14@cl.cam.ac.uk 2 Technion, Haifa, Israel; email biham@cs.technion.ac.il
More informationPrime numbers for Cryptography
Prime numbers for Cryptography What this is going to cover Primes, products of primes and factorisation How to win a million dollars Generating small primes quickly How many primes are there and how many
More informationStream Ciphers. Example of Stream Decryption. Example of Stream Encryption. Real Cipher Streams. Terminology. Introduction to Modern Cryptography
Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers Stream Ciphers Start with a secret key ( seed ) Generate a keying stream ith bit/byte of keying stream is a function
More informationApplication of cube attack to block and stream ciphers
Application of cube attack to block and stream ciphers Janusz Szmidt joint work with Piotr Mroczkowski Military University of Technology Military Telecommunication Institute Poland 23 czerwca 2009 1. Papers
More informationAPNIC elearning: Cryptography Basics. Contact: esec02_v1.0
APNIC elearning: Cryptography Basics Contact: training@apnic.net esec02_v1.0 Overview Cryptography Cryptographic Algorithms Encryption SymmetricKey Algorithm Block and Stream Cipher Asymmetric Key Algorithm
More informationUseful Number Systems
Useful Number Systems Decimal Base = 10 Digit Set = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9} Binary Base = 2 Digit Set = {0, 1} Octal Base = 8 = 2 3 Digit Set = {0, 1, 2, 3, 4, 5, 6, 7} Hexadecimal Base = 16 = 2
More informationHow to Break MD5 and Other Hash Functions
How to Break MD5 and Other Hash Functions Xiaoyun Wang and Hongbo Yu Shandong University, Jinan 250100, China xywang@sdu.edu.cn yhb@mail.sdu.edu.cn Abstract. MD5 is one of the most widely used cryptographic
More informationA Study of New Trends in Blowfish Algorithm
A Study of New Trends in Blowfish Algorithm Gurjeevan Singh*, Ashwani Kumar**, K. S. Sandha*** *(Department of ECE, Shaheed Bhagat Singh College of Engg. & Tech. (Polywing), Ferozepur152004) **(Department
More informationAn Introduction to Galois Fields and ReedSolomon Coding
An Introduction to Galois Fields and ReedSolomon Coding James Westall James Martin School of Computing Clemson University Clemson, SC 296341906 October 4, 2010 1 Fields A field is a set of elements on
More informationImplementation and Design of AES SBox on FPGA
International Journal of Research in Engineering and Science (IJRES) ISSN (Online): 2329364, ISSN (Print): 2329356 Volume 3 Issue ǁ Jan. 25 ǁ PP.94 Implementation and Design of AES SBox on FPGA Chandrasekhar
More informationThe Misuse of RC4 in Microsoft Word and Excel
The Misuse of RC4 in Microsoft Word and Excel Hongjun Wu Institute for Infocomm Research, Singapore hongjun@i2r.astar.edu.sg Abstract. In this report, we point out a serious security flaw in Microsoft
More informationLecture 8: Stream ciphers  LFSR sequences
Lecture 8: Stream ciphers  LFSR sequences Thomas Johansson T. Johansson (Lund University) 1 / 42 Introduction Symmetric encryption algorithms are divided into two main categories, block ciphers and stream
More informationDeveloping and Investigation of a New Technique Combining Message Authentication and Encryption
Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas ElQawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.
More information