THE INSTITUTE OF ELECTRONICS, INFORMATION AND COMMUNICATION ENGINEERS, TECHNICAL REPORT OF IEICE

Cryptanalysis of Twofish (II)

Shiho Moriai, NTT Information Sharing Platform Laboratories, 1-1 Hikarinooka, Yokosuka, Japan, shiho@isl.ntt.co.jp
Yiqun Lisa Yin, NTT Multimedia Communications Laboratories, 250 Cambridge Ave., Palo Alto, CA 94306, USA, yiqun@nttmcl.com

Abstract. We present truncated differential cryptanalysis of the block cipher Twofish, which is one of the five finalists for the Advanced Encryption Standard (AES). From our experimental results, we found a 16-round truncated differential with probability of about $2^{-57.3}$. One can expect to get one good pair following the truncated differential from $2^{51}$ chosen plaintexts, and there are a total of $2^{77}$ such good pairs. We also found 5-round truncated differentials which can be useful in distinguishing Twofish reduced to 5 rounds from a random permutation. This was considered to be an open problem by Knudsen.

Key words: cryptanalysis, differential cryptanalysis, truncated differential, Twofish, AES
1 Introduction

Twofish is a 128-bit block cipher proposed by Schneier et al. [SKW+98]. It is one of the five finalists of AES, and it is used in many products such as GnuPG, SSH Secure Shell, and so on [C99]. The best known attack on variants of Twofish claimed by the designers is an impossible differential attack on 6-round Twofish [F99]. Recently Knudsen [K00] showed that there are differentials for Twofish for up to 16 rounds, predicting at least 32 bits of nontrivial information in every round. The probabilities of these truncated differentials are too small to distinguish Twofish with more than a few rounds from a random permutation, but he claimed that it is possible, at least in theory, to find one good pair of plaintexts following the differential through all 16 rounds. Murphy and Robshaw [MR00] made some observations on key-dependent S-boxes and differential cryptanalysis of Twofish. Their approach was to choose the S-box to fit the differential characteristic, instead of choosing the differential characteristic to fit the S-box. They found a 6-round differential characteristic which holds for a fraction of at least of the S-boxes and claimed possible attacks on 8-round Twofish. Table 1 summarizes the known results on cryptanalysis of Twofish.

In this paper we study truncated differential cryptanalysis of Twofish. The type of truncated differential to be used is the "byte characteristic," that is, the value of the difference in a byte is distinguished only between non-zero and zero, and the measure of difference is exclusive-or. Note that Knudsen's truncated differentials were based on the integer subtraction difference between two 32-bit words. By using byte-wise characteristics instead, we can make a thorough investigation of the non-uniformity in the distribution of the differences, which was left as an open question by Knudsen [K00]. Twofish consists of both byte-oriented and non-byte-oriented operations, as shown in Figure 1.
The non-byte-oriented operations include the 1-bit rotations, the additions with subkeys, and the PHT (pseudo-Hadamard transform), which consists of two additions modulo $2^{32}$. To search for byte characteristics of Twofish, we begin by computing the truncated differential probability of addition modulo $2^n$. Based on the efficient computation of the differential probability of addition modulo $2^n$ given in [M00], we give an efficient computation of the truncated differential probability of addition modulo $2^n$ in Section 2. In Section 3, we consider the truncated differential probability of the MDS. Finally, in Section 4 we present the truncated differentials that we found by computer experiments.

Table 1: Twofish cryptanalysis (the complexity figures did not survive extraction)

  rounds  whitening  key size  cryptanalysis            complexity  conditions                 reference
  4       w/         any       distinguishing attack                                           [K00]
  6       w/o        128       impossible differential                                         [F99]
  6       w/o        192       impossible differential                                         [F99]
  6       w/o        256       impossible differential                                         [F99]
  6       w/         256       impossible differential                                         [F99]
  8*      w/         any       differential attack                  > fraction of the S-boxes  [MR00]

Figure 1: Twofish. Input whitening with $K_0, K_1, K_2, K_3$; in each round, the two input words pass through S-box 0, S-box 1, S-box 2, S-box 3 (the second word after a rotation $\lll 8$), the MDS, the PHT, and the subkey additions $K_{2r+8}$, $K_{2r+9}$, followed by the rotations $\ggg 1$ and $\lll 1$ on the other two words; 15 more rounds; output whitening with $K_4, K_5, K_6, K_7$.

2 Efficient Computation of Truncated Differential Probabilities of Addition Modulo $2^n$

In [M00], an efficient algorithm was presented for computing differential probabilities of addition mod $2^n$. The algorithm can be extended to compute truncated differential probabilities of addition mod $2^n$, but a straightforward extension to the case of truncated differentials can still be computationally very expensive. In this section, we study how to further speed up the computation of truncated differential probabilities. We will follow the definitions and notation in [M00], and here we will only restate those that are directly related to our discussion below.

For $x, y, z \in \mathrm{GF}(2)^n$, the function addition mod $2^n$ is defined as follows:
$$f(x, y) = x + y = z \pmod{2^n}.$$
We divide $\Delta x \in \mathrm{GF}(2)^n$ into $t$-bit sub-blocks and denote them by $\Delta x^{[t]}_0, \Delta x^{[t]}_1, \ldots$ from the least significant sub-block. So
$$\Delta x = (\Delta x^{[t]}_{m-1}, \ldots, \Delta x^{[t]}_1, \Delta x^{[t]}_0),$$
where $m = n/t$ is the number of sub-blocks.

A very efficient algorithm for computing differential probabilities of $f$ (denoted by $\mathrm{DP}^f(\Delta x, \Delta y, \Delta z)$) is given in [M00]. For each triplet $(\Delta x, \Delta y, \Delta z)$, the running time of the algorithm is $O(n)$ [footnote 1], while a naive approach would require a running time of $O(2^{2n})$.

The truncated differential probabilities for $f$ are defined as follows. Let $\chi(\Delta x)$ denote the truncated difference of $\Delta x$, i.e., the $m$-bit pattern whose $i$-th bit is 1 if and only if $\Delta x^{[t]}_i \neq 0$. Then
$$\mathrm{TDP}^f(x, y, z) = \frac{1}{c} \sum_{\chi(\Delta x, \Delta y, \Delta z) = (x, y, z)} \mathrm{DP}^f(\Delta x, \Delta y, \Delta z), \qquad (1)$$
where $c$ is the number of pairs $(\Delta x, \Delta y)$ satisfying the condition $\chi(\Delta x, \Delta y) = (x, y)$. Let $w_H(x)$ denote the Hamming weight of $x$. Then it is easy to see that
$$c = (2^t - 1)^{w_H(x) + w_H(y)}.$$
In a typical setting (e.g., byte characteristics), we have $n = 32$ and $t = 8$. So the number of possible truncated differentials is $(2^{n/t})^3 = 2^{12}$. Some of these truncated differentials may have a very large $c$ value. For example, when $w_H(x) + w_H(y) \geq 6$, we have $c \geq (2^8 - 1)^6 > 2^{47}$. Therefore, computation of all truncated differential probabilities using Equation (1) can still be very expensive, even when the differential probabilities themselves can be calculated efficiently.

Footnote 1: Later the complexity was further improved to $\Theta(\log n)$ in the worst case and $\Theta(1)$ in the average case.
2.1 Basic idea

The main idea for speeding up the computation of truncated differential probabilities is to treat each sub-block somewhat independently. More specifically, we will first compute some properly defined "partial sums of differential probabilities" for each sub-block, ignoring the carry from one sub-block to the next, and then we will join these probabilities together to obtain the total truncated differential probability for $f$.

For each sub-block, we need to consider both the difference in the carry-in (denoted by $\Delta c_{\mathrm{in}}$) from the previous sub-block and the difference in the carry-out (denoted by $\Delta c_{\mathrm{out}}$) to the next sub-block. There are two possible values for $\Delta c_{\mathrm{in}}$: 0 and 1. Let $P_{\Delta c_{\mathrm{out}}}$ denote the probability that the carry-out difference is 1, i.e., that a carry difference propagates from one sub-block to the next:
$$P_{\Delta c_{\mathrm{out}}} = \Pr[\Delta c_{\mathrm{out}} = 1].$$
Based on the results in [M00], there are only three possible values for $P_{\Delta c_{\mathrm{out}}}$: 0, 0.5, 1.

For a given sub-block (the $i$-th sub-block), let $(x_i, y_i, z_i)$ be the values of $(x, y, z)$ restricted to that sub-block. Below, we define 6 partial sums of the differential probabilities, one for each possible combination $(\Delta c_{\mathrm{in}}, P_{\Delta c_{\mathrm{out}}}) = (d, p)$ with $d = 0, 1$ and $p = 0, 0.5, 1$:
$$\mathrm{PS}(x_i, y_i, z_i; d, p) = \sum_{\text{Condition PS}} \mathrm{DP}(\Delta x^{[t]}_i, \Delta y^{[t]}_i, \Delta z^{[t]}_i), \qquad (2)$$
where Condition PS is
$$\chi(\Delta x^{[t]}_i, \Delta y^{[t]}_i, \Delta z^{[t]}_i) = (x_i, y_i, z_i), \qquad \Delta c_{\mathrm{in}} = d, \qquad P_{\Delta c_{\mathrm{out}}} = p.$$

2.2 Detailed algorithm

Our algorithm for computing truncated differential probabilities contains two major components: precomputing partial sums and joining partial sums of sub-blocks.

Precomputing partial sums. We observe that the partial sums defined by Equation (2) only depend on the values restricted to a particular sub-block. Therefore, these partial sums can be precomputed and stored in a table. Typically, each of $x_i, y_i, z_i$ is just a single bit. So the total number of partial sums to be stored is $2^3 \times 2 \times 3 = 48$.
Joining sub-blocks. Given the partial sums for any two consecutive sub-blocks $H$ and $L$ (each of length $t$ bits), we can compute the partial sums for the sub-block $H \| L$ of length $2t$ bits. Let
$$\mathrm{PS}_L(x_i, y_i, z_i; d, p), \qquad \mathrm{PS}_H(x_{i+1}, y_{i+1}, z_{i+1}; d, p), \qquad \mathrm{PS}_{H \| L}(x_{i+1} \| x_i,\ y_{i+1} \| y_i,\ z_{i+1} \| z_i; d, p)$$
denote the partial sums of differential probabilities for the corresponding sub-blocks. Then $\mathrm{PS}_{H \| L}$ is computed as follows (written for the pattern $(1, 1, 1)$; the same formula applies to any pattern, with the corresponding $(x_{i+1}, y_{i+1}, z_{i+1})$ and $(x_i, y_i, z_i)$ in place of the 1s):
$$\begin{aligned}
\mathrm{PS}_{H \| L}(1, 1, 1; d, p) = {} & \mathrm{PS}_H(1, 1, 1; 0, p) \times \mathrm{PS}_L(1, 1, 1; d, 0) \\
& + \mathrm{PS}_H(1, 1, 1; 1, p) \times \mathrm{PS}_L(1, 1, 1; d, 1) \\
& + \mathrm{PS}_H(1, 1, 1; 0, p) \times \mathrm{PS}_L(1, 1, 1; d, 0.5) \times 0.5 \\
& + \mathrm{PS}_H(1, 1, 1; 1, p) \times \mathrm{PS}_L(1, 1, 1; d, 0.5) \times 0.5 .
\end{aligned}$$
In general, the two sub-blocks $H$ and $L$ can have any number of bits, say $t_1$ and $t_2$, respectively. Using the above formula, we can compute the new partial sums for the sub-block $H \| L$ of length $(t_1 + t_2)$ bits.

Computing the total TDP. By repeatedly joining successive sub-blocks, we obtain the 6 partial sums $\mathrm{PS}(x, y, z; d, p)$ for the entire block of length $n$. Since $\Delta c_{\mathrm{in}} = 0$ for the least significant sub-block, 3 of these partial sums (those with $d = 1$) actually have value zero. Therefore, the total truncated differential probability is
$$\mathrm{TDP}^f(x, y, z) = \frac{1}{c}\,\bigl[\mathrm{PS}(x, y, z; 0, 0) + \mathrm{PS}(x, y, z; 0, 0.5) + \mathrm{PS}(x, y, z; 0, 1)\bigr].$$

Efficiency analysis. The algorithm given in this section is independent of the Hamming weights of $x$ and $y$. For $n = 32$ and $t = 8$, each of the $2^{12}$ truncated differential probabilities can be computed using a constant number of table lookups, additions, and multiplications. Experiments show that all $2^{12}$ probabilities can be computed in less than one second on a PC.

3 Truncated Differential Probabilities of MDS

The truncated differential probabilities for the MDS are defined as follows:
$$\mathrm{TDP}^{\mathrm{MDS}}(x, y) = \frac{1}{c} \sum_{\chi(\Delta x, \Delta y) = (x, y)} \Pr_{X}\bigl[\mathrm{MDS}(X) \oplus \mathrm{MDS}(X \oplus \Delta x) = \Delta y\bigr], \qquad (3)$$
where $c$ is the number of $\Delta x$ satisfying the condition $\chi(\Delta x) = x$, and the probability is taken over the MDS input $X$. The distribution of $\mathrm{TDP}^{\mathrm{MDS}}(x, y)$ is related to the weight distribution of the MDS (Maximum Distance Separable) code. $\mathrm{TDP}^{\mathrm{MDS}}(x, y)$ is determined by the Hamming weights of $x$ and $y$, as Table 2 shows.

4 Search for Truncated Differentials of Twofish

In this section, we present our search results for truncated differentials of Twofish. Our search uses the truncated differential probabilities of the PHT and the MDS computed in Sections 2 and 3.
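The partial-sum method of Section 2 as a worked example. This is added code, not the paper's own program. It uses a sub-block size of $t = 4$ rather than the paper's bytes so that the 48-entry partial-sum table and the exhaustive check of Equation (1) run in seconds in plain Python. Two things in it are assumptions from the standard analysis of modular addition rather than statements of this page: the per-bit carry-difference rule used to get each sub-block's differential probability (the carry difference propagates deterministically exactly when $\Delta x_i = \Delta y_i = \Delta c_i$, and is 0 or 1 with probability 1/2 otherwise), and the closed-form `dp_add` (the Lipmaa-Moriai formula) used only as the reference in the cross-check.

```python
"""Truncated differential probabilities (TDP) of addition mod 2^n computed
with per-sub-block partial sums PS(x_i, y_i, z_i; d, p) and the join rule of
Section 2, cross-checked against the definition in Equation (1).
Patterns x, y, z are tuples of 0/1 flags, least significant sub-block first."""
from itertools import product

PVALS = (0.0, 0.5, 1.0)          # the three possible values of P_dcout


def dp_add(dx, dy, dz, n):
    """Exact DP of x + y mod 2^n for XOR differences (closed form, assumed)."""
    mask = (1 << n) - 1

    def eq(a, b, c):             # bit i set iff a_i == b_i == c_i
        return ~((a ^ b) | (b ^ c)) & mask

    invalid = eq((dx << 1) & mask, (dy << 1) & mask, (dz << 1) & mask) \
        & (dx ^ dy ^ dz ^ (dy << 1)) & mask
    if invalid:
        return 0.0
    return 2.0 ** -bin(~eq(dx, dy, dz) & (mask >> 1)).count("1")


def sub_block_dp(dx, dy, dz, t, d):
    """DP of one t-bit sub-block given carry-in difference d, together with
    its carry-out difference probability P_dcout in {0, 0.5, 1}."""
    prob, dc = 1.0, d
    for i in range(t):
        xi, yi, zi = dx >> i & 1, dy >> i & 1, dz >> i & 1
        if xi ^ yi ^ dc != zi:   # dz_i = dx_i ^ dy_i ^ dc_i must hold
            return 0.0, None
        p_out = float(dc) if xi == yi == dc else 0.5   # deterministic or coin flip
        if i == t - 1:
            return prob, p_out
        if p_out == 0.5:         # pay 1/2 for the carry difference the next bit needs
            prob *= 0.5
            dc = (dx >> (i + 1) & 1) ^ (dy >> (i + 1) & 1) ^ (dz >> (i + 1) & 1)
    return prob, p_out


def partial_sums(t):
    """PS[(x, y, z, d, p)] for a single t-bit sub-block (Equation (2)); 48 entries."""
    ps = {k: 0.0 for k in product((0, 1), (0, 1), (0, 1), (0, 1), PVALS)}
    vals = lambda flag: range(1, 1 << t) if flag else (0,)
    for x, y, z, d in product((0, 1), repeat=4):
        for dx, dy, dz in product(vals(x), vals(y), vals(z)):
            prob, p = sub_block_dp(dx, dy, dz, t, d)
            if prob:
                ps[(x, y, z, d, p)] += prob
    return ps


def tdp_add(xpat, ypat, zpat, t, ps):
    """TDP^f(x, y, z) for n = t * len(xpat) bits by joining sub-blocks."""
    acc = {(d, p): ps[(xpat[0], ypat[0], zpat[0], d, p)]
           for d in (0, 1) for p in PVALS}            # least significant sub-block
    for i in range(1, len(xpat)):                     # join the next sub-block H on top
        h = lambda d, p: ps[(xpat[i], ypat[i], zpat[i], d, p)]
        acc = {(d, p): h(0, p) * acc[(d, 0.0)] + h(1, p) * acc[(d, 1.0)]
                       + 0.5 * (h(0, p) + h(1, p)) * acc[(d, 0.5)]
               for d in (0, 1) for p in PVALS}
    c = (2 ** t - 1) ** (sum(xpat) + sum(ypat))
    return sum(acc[(0, p)] for p in PVALS) / c        # carry-in of the LSB is 0


def tdp_add_by_definition(xpat, ypat, zpat, t):
    """Equation (1) evaluated directly; exponential in the pattern weights."""
    n = t * len(xpat)

    def words(pat):
        parts = [range(1, 1 << t) if f else (0,) for f in pat]
        return [sum(v << (t * i) for i, v in enumerate(combo)) for combo in product(*parts)]

    total = sum(dp_add(dx, dy, dz, n)
                for dx in words(xpat) for dy in words(ypat) for dz in words(zpat))
    return total / (2 ** t - 1) ** (sum(xpat) + sum(ypat))


def dp_add_bruteforce(dx, dy, dz, n):
    """Reference DP by enumerating all 2^(2n) inputs (tiny n only)."""
    mask = (1 << n) - 1
    hits = sum(1 for x in range(1 << n) for y in range(1 << n)
               if (((x ^ dx) + (y ^ dy)) & mask) ^ ((x + y) & mask) == dz)
    return hits / (1 << (2 * n))


if __name__ == "__main__":
    table = partial_sums(4)
    for pats in [((1, 0), (0, 0), (1, 0)), ((1, 0), (0, 0), (1, 1)), ((0, 1), (1, 0), (1, 1))]:
        print(pats, tdp_add(*pats, 4, table), tdp_add_by_definition(*pats, 4))
```

With $t = 8$ the same `partial_sums` loop enumerates $255^3$ triples per table entry, which is the one-off precomputation the paper describes; the join in `tdp_add` is then a constant number of multiplications per pattern regardless of the Hamming weights, which is the point of Section 2.2.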
Table 2: Truncated differential probabilities of MDS, $\mathrm{TDP}^{\mathrm{MDS}}(x, y)$ indexed by $w_H(x)$ (rows) and $w_H(y)$ (columns); the numerical entries did not survive extraction.

For speeding up the search, we first set the probability to one for the 1-bit rotations. Once we have found the truncated differentials, we then adjust the probability as follows. If the input difference (32-bit) of the 1-bit rotation is f [footnote 2], the output difference is still f. Otherwise, we need some adjustment. For example, if the input difference of the 1-bit right rotation is 8, the output difference is 8 with probability $2^{-1}$, c with probability about $2^{-1}$, and 4 with probability $2^{-8}$ (here we have multiple paths, but in most cases the multiple paths join at the next MDS).

Footnote 2: In this section we use typewriter font for the hexadecimal representation of truncated differentials.

For additions with subkeys (i.e., $f(x, k) = x + k = z \pmod{2^n}$, where $k$ is some subkey), the entry with $\chi(\Delta k) = 0$ (no difference in the subkey input) in our precomputed table gives the truncated differential probability when we average over all possible keys. For any fixed subkey $k$, the probability depends on $k$, and it can be larger or smaller than the average probability: the maximum probability can be 1 for a fraction of the subkeys. For easy treatment of the probability after the search, we set the probability to one for additions with subkeys.

4.1 Truncated differentials with high probability

First, we searched for truncated differentials that hold with relatively high probability, although they may not be exploitable in general (well-known) cryptanalytic attacks. As Knudsen [K00] wrote, such differentials can provide some bits of nontrivial information in every round. Our computer experiments found a 12-round truncated differential with probability of about $2^{-40.9}$. In Table 3, the output difference of each round is shown in hexadecimal representation. One can expect to get one good pair following the truncated differential from about $2^{34}$ chosen plaintexts by using a structure in the last byte of the plaintext. There are a total of $2^{94}$ such good pairs.

More interestingly, we found a truncated differential for the full 16 rounds of Twofish with probability of about $2^{-57.3}$ (see Table 4). One can expect to get one good pair following the truncated differential from about $2^{51}$ chosen plaintexts, and there are $2^{77}$ such good pairs.
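How the entries of Table 2 follow from the weight distribution of the MDS code (Section 3), as an added example that is not part of the paper. The MDS matrix and the field polynomial are those of the Twofish specification [SKW+98], and the count of codewords of an $[n, k, d]$ MDS code with a fixed support is the standard MacWilliams-Sloane expression; both are background facts assumed here rather than taken from this page. Because the MDS is linear, the probability over $X$ in Equation (3) is 0 or 1 for each $\Delta x$, so $\mathrm{TDP}^{\mathrm{MDS}}$ is just a count of input differences, and the brute-force function below enumerates every input difference of byte weight 1 and 2 (255 and 65025 words) to confirm the formula's counts.

```python
"""TDP^MDS(x, y) for the Twofish MDS matrix, by brute force over input
differences and by the weight distribution of the [8, 4, 5] MDS code over
GF(2^8) whose codewords are (dx || MDS(dx)). Byte patterns are 4-bit ints,
bit j set iff byte j (bits 8j..8j+7) of the 32-bit word is nonzero."""
from itertools import product
from math import comb

MDS_POLY = 0x169  # x^8 + x^6 + x^5 + x^3 + 1, the Twofish MDS field polynomial
MDS = ((0x01, 0xEF, 0x5B, 0x5B),
       (0x5B, 0xEF, 0xEF, 0x01),
       (0xEF, 0x5B, 0x01, 0xEF),
       (0xEF, 0x01, 0xEF, 0x5B))


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo MDS_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= MDS_POLY
    return r


# COL[j][v]: MDS applied to the word whose byte j is v and whose other bytes are 0.
# MDS is GF(2)-linear, so MDS(word) is the XOR of one lookup per input byte.
COL = [[sum(gf_mul(MDS[i][j], v) << (8 * i) for i in range(4)) for v in range(256)]
       for j in range(4)]


def mds(word):
    out = 0
    for j in range(4):
        out ^= COL[j][(word >> (8 * j)) & 0xFF]
    return out


def byte_pattern(word):
    """Truncated (byte-wise) difference of a 32-bit word as a 4-bit pattern."""
    return sum(1 << j for j in range(4) if (word >> (8 * j)) & 0xFF)


def tdp_mds_bruteforce(xpat, ypat):
    """Equation (3) evaluated directly: the fraction of dx with pattern xpat
    whose output difference MDS(dx) has pattern ypat."""
    positions = [j for j in range(4) if (xpat >> j) & 1]
    hits = 0
    for vals in product(range(1, 256), repeat=len(positions)):
        dx = sum(v << (8 * j) for v, j in zip(vals, positions))
        hits += byte_pattern(mds(dx)) == ypat
    return hits / 255 ** len(positions)


def codewords_on_support(w, n=8, d=5, q=256):
    """Number of codewords of an [n, n-d+1, d] MDS code over GF(q) whose
    support is exactly a given w-subset of the n coordinates (standard formula)."""
    if w == 0:
        return 1
    if w < d:
        return 0
    return sum((-1) ** j * comb(w, j) * (q ** (w - d + 1 - j) - 1) for j in range(w - d + 1))


def tdp_mds_by_weight(a, b):
    """TDP^MDS for any input pattern of weight a and any output pattern of
    weight b: codewords (dx || MDS(dx)) with exactly that support, over 255^a inputs."""
    if a == 0:
        return 1.0 if b == 0 else 0.0
    return codewords_on_support(a + b) / 255 ** a


def table2():
    """Rows w_H(x) = 1..4, columns w_H(y) = 0..4, computed from the formula."""
    return {a: [tdp_mds_by_weight(a, b) for b in range(5)] for a in range(1, 5)}


if __name__ == "__main__":
    for a, row in table2().items():
        print(a, ["%.3e" % p for p in row])
    print(tdp_mds_bruteforce(0b0011, 0b0111), tdp_mds_by_weight(2, 3))
```

The formula shows why the table depends only on the two weights: an input pattern of weight $a$ can only reach output patterns of weight $b \geq 5 - a$, each specific weight-$b$ pattern with probability $\mathrm{codewords\_on\_support}(a+b)/255^a$, so for example a two-byte input difference produces a particular three-byte output pattern with probability exactly $1/255 \approx 2^{-8}$.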
In [K00] Knudsen showed a 16-round truncated differential. The probability of our 16-round truncated differential is much higher than what was found by Knudsen, and the total number of good pairs for our differential is also much larger.

4.2 Truncated differentials useful for distinguishing attacks

We also searched for truncated differentials that may be useful in distinguishing attacks. As a result, we found one 4-round truncated differential and four 5-round truncated differentials (see Tables 6 and 5). The 4-round truncated differential is a path included in the 4-round truncated differential that Knudsen used for the $\chi^2$-tests in [K00, Section 5.2]. Note that Knudsen's 4-round truncated differential contains multiple paths, and its probability is much higher. Knudsen concluded that for more than 4 rounds, it is an open question how non-uniform the distribution of differences can be. Now that we have found 5-round truncated differentials with probability slightly higher than for a random permutation, in theory we can perform statistical tests such as $\chi^2$ tests. Note that the probabilities in Table 5 can be a little smaller due to the 1-bit rotations or a little larger due to the effect of multiple paths.
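The rotation adjustment described at the start of Section 4, and the multiple-path caveat just above, as an added example that is not from the paper. It computes the exact distribution of byte patterns after the 1-bit right rotation for a given input byte pattern without enumerating the $255^{w}$ words: after $\ggg 1$, output byte $j$ holds input bits $8j+1 \ldots 8j+7$ and the least significant bit of input byte $j+1 \pmod 4$, so output byte $j$ is nonzero exactly when input byte $j$ is at least 2 or input byte $j+1$ is odd, and each input byte only needs to be classified as 0, 1, even (127 values) or odd greater than 1 (127 values). That classification and the counting are this example's own derivation; the brute-force function checks it on small patterns.

```python
"""Exact byte-pattern transition probabilities through the 1-bit right
rotation of a 32-bit word (Twofish's >>>1), for truncated differentials.
A pattern is a 4-bit int, bit j set iff byte j (bits 8j..8j+7) is nonzero."""
from fractions import Fraction
from itertools import product

# Value classes of one input byte: (has_bits_above_lsb, lsb_set, number_of_values)
ZERO = (0, 0, 1)
ONE = (0, 1, 1)        # 0x01: only the bit that crosses into the next byte
EVEN = (1, 0, 127)     # 0x02, 0x04, ..., 0xFE
ODD = (1, 1, 127)      # 0x03, 0x05, ..., 0xFF


def ror1_pattern_distribution(in_pat):
    """Map output pattern -> exact probability over all 255^w words with
    byte pattern in_pat, where w is the number of nonzero bytes."""
    classes = [(ONE, EVEN, ODD) if (in_pat >> j) & 1 else (ZERO,) for j in range(4)]
    counts = {}
    for combo in product(*classes):
        weight, out = 1, 0
        for j in range(4):
            weight *= combo[j][2]
            # after >>>1, byte j is nonzero iff input byte j >= 2 or byte j+1 is odd
            if combo[j][0] or combo[(j + 1) % 4][1]:
                out |= 1 << j
        counts[out] = counts.get(out, 0) + weight
    total = 255 ** bin(in_pat).count("1")
    return {k: Fraction(v, total) for k, v in counts.items()}


def ror1_word(x):
    return ((x >> 1) | (x << 31)) & 0xFFFFFFFF


def byte_pattern(x):
    return sum(1 << j for j in range(4) if (x >> (8 * j)) & 0xFF)


def ror1_distribution_bruteforce(in_pat):
    """Same distribution by enumerating every word with the pattern (small w only)."""
    positions = [j for j in range(4) if (in_pat >> j) & 1]
    counts = {}
    for vals in product(range(1, 256), repeat=len(positions)):
        x = sum(v << (8 * j) for v, j in zip(vals, positions))
        out = byte_pattern(ror1_word(x))
        counts[out] = counts.get(out, 0) + 1
    total = 255 ** len(positions)
    return {k: Fraction(v, total) for k, v in counts.items()}


if __name__ == "__main__":
    for pat in range(1, 16):
        dist = ror1_pattern_distribution(pat)
        print("%x ->" % pat, {"%x" % k: "%.2e" % float(v) for k, v in dist.items()})
```

For the input pattern 8 this gives exactly the three paths of Section 4: 8 with probability 127/255, c with probability 127/255 and 4 with probability 1/255. It also quantifies the approximation "f stays f": the all-nonzero pattern maps to itself only with probability $(1 - 127/255^2)^4 \approx 0.992$, because an input byte equal to 0x01 next to an even byte leaves a zero byte behind.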
Table 3: 12-round truncated differential. Each row gives the output difference after a round in hexadecimal (one digit per 32-bit word) and the cumulative probability. The round numbers, the zero digits of the patterns and the fractional digits of the exponents did not survive extraction; the probability of the full 12-round differential is about $2^{-40.9}$.

  output difference   probability
  f f                 about $2^{0}$
  f f f e             about $2^{-8}$
  f e f f             about $2^{-8}$
  f f 7 f             about $2^{-16}$
  f f f               about $2^{-16}$
  f f b f             about $2^{-24}$
  b f f f             about $2^{-24}$
  f f 7 f             about $2^{-32}$
  f f f               about $2^{-32}$
  f f b f             about $2^{-40}$
  b f f f             about $2^{-40}$

Table 4: 16-round truncated differential, in the same format as Table 3; the probability of the full 16-round differential is about $2^{-57.3}$.

  output difference   probability
  f f                 about $2^{0}$
  f f f e             about $2^{-8}$
  f e f f             about $2^{-8}$
  f f 7 f             about $2^{-16}$
  f f f               about $2^{-16}$
  f f b f             about $2^{-24}$
  b f f f             about $2^{-24}$
  f f 7 f             about $2^{-32}$
  f f f               about $2^{-32}$
  f f b f             about $2^{-40}$
  b f f f             about $2^{-40}$
  f f 7 f             about $2^{-49}$
  f f f               about $2^{-49}$
  f f b f             about $2^{-57}$
  b f f f             about $2^{-57}$

5 Conclusion

We presented truncated differential cryptanalysis of the block cipher Twofish. We performed the search by computer experiments, and found a 16-round truncated differential with probability of about $2^{-57.3}$, which is much larger than previously known results. We also found 5-round truncated differentials which can be useful in distinguishing Twofish reduced to 5 rounds from a random permutation. We will implement some tests to confirm our conjecture.

References

[C99]
[F99] N. Ferguson, "Impossible differentials in Twofish," Twofish Technical Report #5, October 5, 1999.
[K00] L. R. Knudsen, "Trawling Twofish (revisited)," presentation at the rump session of AES3; public comment on AES Candidate Algorithms, Round 2. csrc.nist.gov/encryption/aes/round2/comments/lknudsen-2.pdf
[K95] L. R. Knudsen, "Truncated and Higher Order Differentials," Fast Software Encryption, Second International Workshop, Lecture Notes in Computer Science 1008, pp. 196-211, Springer-Verlag, 1995.
[KN96] L. R. Knudsen and T. A. Berson, "Truncated differentials of SAFER," Fast Software Encryption, 3rd International Workshop, Lecture Notes in Computer Science 1039, pp. 15-26, Springer-Verlag, 1996.
[KRW99] L. R. Knudsen, M. J. B. Robshaw, and D. Wagner, "Truncated Differentials and Skipjack," Advances in Cryptology, CRYPTO'99, Lecture Notes in Computer Science 1666, pp. 165-180, Springer-Verlag, 1999.
[M00] S. Moriai, "Cryptanalysis of Twofish (I)," Proceedings of the 2000 Symposium on Cryptography and Information Security, Okinawa, Japan, January 26-28, 2000.
Table 5: 5-round truncated differentials (four differentials, each giving the output difference after every round and the cumulative probability; the table body did not survive extraction).

Table 6: 4-round truncated differential (output difference after each round and cumulative probability; apart from the final probability of about $2^{-55}$, the table body did not survive extraction).

[MR00] S. Murphy and M. J. B. Robshaw, "Differential Cryptanalysis, Key-dependent S-boxes, and Twofish," public comment on AES Candidate Algorithms, Round 2.
[MSAK99] S. Moriai, M. Sugita, K. Aoki, and M. Kanda, "Security of E2 against Truncated Differential Cryptanalysis," SAC'99, 6th Annual International Workshop on Selected Areas in Cryptography, Workshop Record, pp. 133-143, 1999 (to appear in Lecture Notes in Computer Science, Springer-Verlag, 2000).
[MT99] M. Matsui and T. Tokita, "Cryptanalysis of a Reduced Version of the Block Cipher E2," Fast Software Encryption, 6th International Workshop, Lecture Notes in Computer Science 1636, pp. 71-80, Springer-Verlag, 1999.
[SKW+98] B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, and N. Ferguson, "Twofish: A 128-Bit Block Cipher".
More informationCryptanalysis of Dynamic SHA(2)
Cryptanalysis of Dynamic SHA(2) Jean-Philippe Aumasson 1,, Orr Dunkelman 2,, Sebastiaan Indesteege 3,4,, and Bart Preneel 3,4 1 FHNW, Windisch, Switzerland. 2 École Normale Supérieure, INRIA, CNRS, Paris,
More informationECE 842 Report Implementation of Elliptic Curve Cryptography
ECE 842 Report Implementation of Elliptic Curve Cryptography Wei-Yang Lin December 15, 2004 Abstract The aim of this report is to illustrate the issues in implementing a practical elliptic curve cryptographic
More informationApplication of cube attack to block and stream ciphers
Application of cube attack to block and stream ciphers Janusz Szmidt joint work with Piotr Mroczkowski Military University of Technology Military Telecommunication Institute Poland 23 czerwca 2009 1. Papers
More informationThe Misuse of RC4 in Microsoft Word and Excel
The Misuse of RC4 in Microsoft Word and Excel Hongjun Wu Institute for Infocomm Research, Singapore hongjun@i2r.a-star.edu.sg Abstract. In this report, we point out a serious security flaw in Microsoft
More informationRandomly Encryption Using Genetic Algorithm
Randomly Encryption Using Genetic Algorithm ALI JASSIM MOHAMED ALI Department of physics, College of Science, Al-Mustansiriyah University, Baghdad, Iraq. SUMMARY In this research work a genetic algorithm
More informationDeveloping and Investigation of a New Technique Combining Message Authentication and Encryption
Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas El-Qawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.
More informationCSE331: Introduction to Networks and Security. Lecture 20 Fall 2006
CSE331: Introduction to Networks and Security Lecture 20 Fall 2006 Announcements Homework 2 has been assigned: **NEW DUE DATE** It's now due on Friday, November 3rd. Midterm 2 is Friday, November 10th
More informationSymmetric Key cryptosystem
SFWR C03: Computer Networks and Computer Security Mar 8-11 200 Lecturer: Kartik Krishnan Lectures 22-2 Symmetric Key cryptosystem Symmetric encryption, also referred to as conventional encryption or single
More informationA New 128-bit Key Stream Cipher LEX
A New 128-it Key Stream Cipher LEX Alex Biryukov Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenerg 10, B 3001 Heverlee, Belgium http://www.esat.kuleuven.ac.e/~airyuko/ Astract.
More informationSerpent: A Proposal for the Advanced Encryption Standard
Serpent: A Proposal for the Advanced Encryption Standard Ross Anderson 1 Eli Biham 2 Lars Knudsen 3 1 Cambridge University, England; email rja14@cl.cam.ac.uk 2 Technion, Haifa, Israel; email biham@cs.technion.ac.il
More informationBounds for Balanced and Generalized Feistel Constructions
Bounds for Balanced and Generalized Feistel Constructions Andrey Bogdanov Katholieke Universiteit Leuven, Belgium ECRYPT II SymLab Bounds 2010 Outline Feistel Constructions Efficiency Metrics Bounds for
More informationMulti-Layered Cryptographic Processor for Network Security
International Journal of Scientific and Research Publications, Volume 2, Issue 10, October 2012 1 Multi-Layered Cryptographic Processor for Network Security Pushp Lata *, V. Anitha ** * M.tech Student,
More informationUseful Number Systems
Useful Number Systems Decimal Base = 10 Digit Set = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9} Binary Base = 2 Digit Set = {0, 1} Octal Base = 8 = 2 3 Digit Set = {0, 1, 2, 3, 4, 5, 6, 7} Hexadecimal Base = 16 = 2
More informationSecret File Sharing Techniques using AES algorithm. C. Navya Latha 200201066 Garima Agarwal 200305032 Anila Kumar GVN 200305002
Secret File Sharing Techniques using AES algorithm C. Navya Latha 200201066 Garima Agarwal 200305032 Anila Kumar GVN 200305002 1. Feature Overview The Advanced Encryption Standard (AES) feature adds support
More informationKeywords Web Service, security, DES, cryptography.
Volume 3, Issue 10, October 2013 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Provide the
More informationPRESENT: An Ultra-Lightweight Block Cipher
PRESENT: An Ultra-Lightweight Block Cipher A. Bogdanov 1, L.R. Knudsen 2, G. Leander 1, C. Paar 1, A. Poschmann 1, M.J.B. Robshaw 3, Y. Seurin 3, and C. Vikkelsoe 2 1 Horst-Görtz-Institute for IT-Security,
More informationThe mathematics of RAID-6
The mathematics of RAID-6 H. Peter Anvin 1 December 2004 RAID-6 supports losing any two drives. The way this is done is by computing two syndromes, generally referred P and Q. 1 A quick
More information7! Cryptographic Techniques! A Brief Introduction
7! Cryptographic Techniques! A Brief Introduction 7.1! Introduction to Cryptography! 7.2! Symmetric Encryption! 7.3! Asymmetric (Public-Key) Encryption! 7.4! Digital Signatures! 7.5! Public Key Infrastructures
More informationHow to Break MD5 and Other Hash Functions
How to Break MD5 and Other Hash Functions Xiaoyun Wang and Hongbo Yu Shandong University, Jinan 250100, China xywang@sdu.edu.cn yhb@mail.sdu.edu.cn Abstract. MD5 is one of the most widely used cryptographic
More informationA Study of New Trends in Blowfish Algorithm
A Study of New Trends in Blowfish Algorithm Gurjeevan Singh*, Ashwani Kumar**, K. S. Sandha*** *(Department of ECE, Shaheed Bhagat Singh College of Engg. & Tech. (Polywing), Ferozepur-152004) **(Department
More informationImplementation and Design of AES S-Box on FPGA
International Journal of Research in Engineering and Science (IJRES) ISSN (Online): 232-9364, ISSN (Print): 232-9356 Volume 3 Issue ǁ Jan. 25 ǁ PP.9-4 Implementation and Design of AES S-Box on FPGA Chandrasekhar
More information6 Data Encryption Standard (DES)
6 Data Encryption Standard (DES) Objectives In this chapter, we discuss the Data Encryption Standard (DES), the modern symmetric-key block cipher. The following are our main objectives for this chapter:
More informationPublic Key Cryptography: RSA and Lots of Number Theory
Public Key Cryptography: RSA and Lots of Number Theory Public vs. Private-Key Cryptography We have just discussed traditional symmetric cryptography: Uses a single key shared between sender and receiver
More informationAdvanced Cryptography
Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.
More informationStudy of algorithms for factoring integers and computing discrete logarithms
Study of algorithms for factoring integers and computing discrete logarithms First Indo-French Workshop on Cryptography and Related Topics (IFW 2007) June 11 13, 2007 Paris, France Dr. Abhijit Das Department
More informationFPGA BASED HARDWARE KEY FOR TEMPORAL ENCRYPTION
FPGA BASED HARDWARE KEY FOR TEMPORAL ENCRYPTION Abstract In this paper, a novel encryption scheme with time based key technique on an FPGA is presented. Time based key technique ensures right key to be
More informationLightweight Block Ciphers Revisited: Cryptanalysis of Reduced Round PRESENT and HIGHT
Lightweight Block Ciphers Revisited: Cryptanalysis of Reduced Round PRESENT and HIGHT Onur Özen1, Kerem Varıcı 2, Cihangir Tezcan 3, and Çelebi Kocair 4 1 EPFL IC LACAL Station 14. CH-1015 Lausanne, Switzerland
More informationBasic Algorithms In Computer Algebra
Basic Algorithms In Computer Algebra Kaiserslautern SS 2011 Prof. Dr. Wolfram Decker 2. Mai 2011 References Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, 1993. Cox, D.; Little,
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Introduction to Cryptography What is cryptography?
More informationEffective Secure Encryption Scheme [One Time Pad] Using Complement Approach Sharad Patil 1 Ajay Kumar 2
Effective Secure Encryption Scheme [One Time Pad] Using Complement Approach Sharad Patil 1 Ajay Kumar 2 Research Student, Bharti Vidyapeeth, Pune, India sd_patil057@rediffmail.com Modern College of Engineering,
More informationA SOFTWARE COMPARISON OF RSA AND ECC
International Journal Of Computer Science And Applications Vol. 2, No. 1, April / May 29 ISSN: 974-13 A SOFTWARE COMPARISON OF RSA AND ECC Vivek B. Kute Lecturer. CSE Department, SVPCET, Nagpur 9975549138
More informationRSA Attacks. By Abdulaziz Alrasheed and Fatima
RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.
More informationDesign and Analysis of Parallel AES Encryption and Decryption Algorithm for Multi Processor Arrays
IOSR Journal of VLSI and Signal Processing (IOSR-JVSP) Volume 5, Issue, Ver. III (Jan - Feb. 205), PP 0- e-issn: 239 4200, p-issn No. : 239 497 www.iosrjournals.org Design and Analysis of Parallel AES
More informationError oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm
Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers
More information1 Formulating The Low Degree Testing Problem
6.895 PCP and Hardness of Approximation MIT, Fall 2010 Lecture 5: Linearity Testing Lecturer: Dana Moshkovitz Scribe: Gregory Minton and Dana Moshkovitz In the last lecture, we proved a weak PCP Theorem,
More informationImplementation of Full -Parallelism AES Encryption and Decryption
Implementation of Full -Parallelism AES Encryption and Decryption M.Anto Merline M.E-Commuication Systems, ECE Department K.Ramakrishnan College of Engineering-Samayapuram, Trichy. Abstract-Advanced Encryption
More informationSD12 REPLACES: N19780
ISO/IEC JTC 1/SC 27 N13432 ISO/IEC JTC 1/SC 27 Information technology - Security techniques Secretariat: DIN, Germany SD12 REPLACES: N19780 DOC TYPE: TITLE: Standing document ISO/IEC JTC 1/SC 27 Standing
More informationNetwork Security - ISA 656 Introduction to Cryptography
Network Security - ISA 656 Angelos Stavrou September 18, 2007 Codes vs. K = {0, 1} l P = {0, 1} m C = {0, 1} n, C C E : P K C D : C K P p P, k K : D(E(p, k), k) = p It is infeasible to find F : P C K Let
More informationSosemanuk, a fast software-oriented stream cipher
Sosemanuk, a fast software-oriented stream cipher C. Berbain 1, O. Billet 1, A. Canteaut 2, N. Courtois 3, H. Gilbert 1, L. Goubin 4, A. Gouget 5, L. Granboulan 6, C. Lauradoux 2, M. Minier 2, T. Pornin
More informationFault attack on the DVB Common Scrambling Algorithm
Fault attack on the DVB Common Scrambling Algorithm Kai Wirt Technical University Darmstadt Department of Computer Science Darmstadt, Germany wirt@informatik.tu-darmstadt.de Abstract. The Common Scrambling
More informationEfficient Parallel Data Processing For Resource Sharing In Cloud Computing
IOSR Journal of Computer Engineering (IOSRJCE) ISSN: 2278-0661 Volume 2, Issue 3 (July-Aug. 2012), PP 01-05 Efficient Parallel Data Processing For Resource Sharing In Cloud Computing R.Balasubramanian
More information