Bounds for Balanced and Generalized Feistel Constructions
Size: px
Start display at page:

Download "Bounds for Balanced and Generalized Feistel Constructions"

Transcription

1 Bounds for Balanced and Generalized Feistel Constructions Andrey Bogdanov Katholieke Universiteit Leuven, Belgium ECRYPT II SymLab Bounds 2010

2 Outline Feistel Constructions Efficiency Metrics Bounds for Feistel Ciphers Efficiency Comparison

3 Balanced and Generalized Feistel Networks High-Level Constructions BFN Type-I GFN Type-II GFN Type-III GFN Feistel

4 Balanced and Generalized Feistel Networks High-Level Constructions BFN Type-I GFN Type-II GFN Type-III GFN Feistel almost identical encryption and decryption functions

5 Balanced and Generalized Feistel Networks High-Level Constructions BFN Type-I GFN Type-II GFN Type-III GFN Feistel almost identical encryption and decryption functions easy extension of smaller non-linear functions to bigger permutations

6 Balanced and Generalized Feistel Networks High-Level Constructions BFN Type-I GFN Type-II GFN Type-III GFN Feistel almost identical encryption and decryption functions easy extension of smaller non-linear functions to bigger permutations some security proofs available

7 Balanced and Generalized Feistel Functions: SP vs SPS k i SP k i SPS s s s... M i vs s M i s s k i

8 Balanced and Generalized Feistel Functions: SP vs SPS k i SP k i SPS s s s... M i vs s M i s s k i Which one is more efficient for Feistel?

9 Balanced and Generalized Feistel Functions: SP vs SPS k i SP k i SPS s s s... M i vs s M i s s k i Which one is more efficient for Feistel? in terms of resistance against differential and linear cryptanalysis

10 Balanced and Generalized Feistel Functions: SP vs SPS k i SP k i SPS s s s... M i vs s M i s s k i Which one is more efficient for Feistel? in terms of resistance against differential and linear cryptanalysis SP has less S-boxes per function than SPS

11 Balanced and Generalized Feistel Functions: SP vs SPS k i SP k i SPS s s s... M i vs s M i s s k i Which one is more efficient for Feistel? in terms of resistance against differential and linear cryptanalysis SP has less S-boxes per function than SPS SPS turns out consistently more efficient than SP for Feistel!

12 Active S-Boxes

13 Active S-Boxes Differential and linear cryptanalysis

14 Active S-Boxes Differential and linear cryptanalysis two crucial types of attacks

15 Active S-Boxes Differential and linear cryptanalysis two crucial types of attacks tell in a sense how fast the cipher gets close to idealized cipher

16 Active S-Boxes Differential and linear cryptanalysis two crucial types of attacks tell in a sense how fast the cipher gets close to idealized cipher used as subroutines in numerous cryptanalytic extensions

17 Active S-Boxes Differential and linear cryptanalysis two crucial types of attacks tell in a sense how fast the cipher gets close to idealized cipher used as subroutines in numerous cryptanalytic extensions Active S-box

18 Active S-Boxes Differential and linear cryptanalysis two crucial types of attacks tell in a sense how fast the cipher gets close to idealized cipher used as subroutines in numerous cryptanalytic extensions Active S-box involved into the propagation of differential and linear patterns along differential and linear trails

19 Active S-Boxes Differential and linear cryptanalysis two crucial types of attacks tell in a sense how fast the cipher gets close to idealized cipher used as subroutines in numerous cryptanalytic extensions Active S-box involved into the propagation of differential and linear patterns along differential and linear trails contributes to the reduction of the trail probability

20 Active S-Boxes Differential and linear cryptanalysis two crucial types of attacks tell in a sense how fast the cipher gets close to idealized cipher used as subroutines in numerous cryptanalytic extensions Active S-box involved into the propagation of differential and linear patterns along differential and linear trails contributes to the reduction of the trail probability most clear and elaborated tool for security evaluation

21 Active S-Boxes Differential and linear cryptanalysis two crucial types of attacks tell in a sense how fast the cipher gets close to idealized cipher used as subroutines in numerous cryptanalytic extensions Active S-box involved into the propagation of differential and linear patterns along differential and linear trails contributes to the reduction of the trail probability most clear and elaborated tool for security evaluation Limits

22 Active S-Boxes Differential and linear cryptanalysis two crucial types of attacks tell in a sense how fast the cipher gets close to idealized cipher used as subroutines in numerous cryptanalytic extensions Active S-box involved into the propagation of differential and linear patterns along differential and linear trails contributes to the reduction of the trail probability most clear and elaborated tool for security evaluation Limits no evidence against impossible differential attacks

23 Active S-Boxes Differential and linear cryptanalysis two crucial types of attacks tell in a sense how fast the cipher gets close to idealized cipher used as subroutines in numerous cryptanalytic extensions Active S-box involved into the propagation of differential and linear patterns along differential and linear trails contributes to the reduction of the trail probability most clear and elaborated tool for security evaluation Limits no evidence against impossible differential attacks no evidence against multiset analysis/other structural attacks

24 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04]

25 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04] S-box layer is often the most costly operation of ciphers

26 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04] S-box layer is often the most costly operation of ciphers A r,m = # active S-boxes over r rounds for block width m

27 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04] S-box layer is often the most costly operation of ciphers A r,m = # active S-boxes over r rounds for block width m S r,m = # all S-boxes over r rounds for block width m

28 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04] S-box layer is often the most costly operation of ciphers A r,m = # active S-boxes over r rounds for block width m S r,m = # all S-boxes over r rounds for block width m Proportion of active S-boxes over r rounds

29 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04] S-box layer is often the most costly operation of ciphers A r,m = # active S-boxes over r rounds for block width m S r,m = # all S-boxes over r rounds for block width m Proportion of active S-boxes over r rounds E r,m = A r,m /S r,m

30 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04] S-box layer is often the most costly operation of ciphers A r,m = # active S-boxes over r rounds for block width m S r,m = # all S-boxes over r rounds for block width m Proportion of active S-boxes over r rounds E r,m = A r,m /S r,m Asymptotic proportion of active S-boxes for r

31 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04] S-box layer is often the most costly operation of ciphers A r,m = # active S-boxes over r rounds for block width m S r,m = # all S-boxes over r rounds for block width m Proportion of active S-boxes over r rounds E r,m = A r,m /S r,m Asymptotic proportion of active S-boxes for r E m = lim r E r,m

32 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04] S-box layer is often the most costly operation of ciphers A r,m = # active S-boxes over r rounds for block width m S r,m = # all S-boxes over r rounds for block width m Proportion of active S-boxes over r rounds E r,m = A r,m /S r,m Asymptotic proportion of active S-boxes for r E m = lim r E r,m Asymptotic proportion of active S-boxes for r, m

33 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04] S-box layer is often the most costly operation of ciphers A r,m = # active S-boxes over r rounds for block width m S r,m = # all S-boxes over r rounds for block width m Proportion of active S-boxes over r rounds E r,m = A r,m /S r,m Asymptotic proportion of active S-boxes for r E m = lim r E r,m Asymptotic proportion of active S-boxes for r, m E = lim m E m

34 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04] S-box layer is often the most costly operation of ciphers A r,m = # active S-boxes over r rounds for block width m S r,m = # all S-boxes over r rounds for block width m Proportion of active S-boxes over r rounds E r,m = A r,m /S r,m Asymptotic proportion of active S-boxes for r E m = lim r E r,m Asymptotic proportion of active S-boxes for r, m E = lim m E m None of these metrics takes into account the linear operations!

35 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04] S-box layer is often the most costly operation of ciphers A r,m = # active S-boxes over r rounds for block width m S r,m = # all S-boxes over r rounds for block width m Proportion of active S-boxes over r rounds E r,m = A r,m /S r,m Asymptotic proportion of active S-boxes for r E m = lim r E r,m Asymptotic proportion of active S-boxes for r, m E = lim m E m None of these metrics takes into account the linear operations! Large dense MDS matrices can also involve costly computation

36 Proportion of active S-Boxes to S-box and linear operations [Bogdanov09]

37 Proportion of active S-Boxes to S-box and linear operations [Bogdanov09] A r,m = # active S-boxes over r rounds

38 Proportion of active S-Boxes to S-box and linear operations [Bogdanov09] A r,m = # active S-boxes over r rounds S r,m = # all S-boxes over r rounds

39 Proportion of active S-Boxes to S-box and linear operations [Bogdanov09] A r,m = # active S-boxes over r rounds S r,m = # all S-boxes over r rounds L r,m = # all multiplications by constant in F 2 n over r rounds

40 Proportion of active S-Boxes to S-box and linear operations [Bogdanov09] A r,m = # active S-boxes over r rounds S r,m = # all S-boxes over r rounds L r,m = # all multiplications by constant in F 2 n over r rounds λ = cost of one multiplication by constant in F 2 n related to one S-box invocation

41 Proportion of active S-Boxes to S-box and linear operations [Bogdanov09] A r,m = # active S-boxes over r rounds S r,m = # all S-boxes over r rounds L r,m = # all multiplications by constant in F 2 n over r rounds λ = cost of one multiplication by constant in F 2 n related to one S-box invocation Proportion of active S-boxes over r rounds A r,m E r,m = S r,m + λl r,m

42 Proportion of active S-Boxes to S-box and linear operations [Bogdanov09] A r,m = # active S-boxes over r rounds S r,m = # all S-boxes over r rounds L r,m = # all multiplications by constant in F 2 n over r rounds λ = cost of one multiplication by constant in F 2 n related to one S-box invocation Proportion of active S-boxes over r rounds A r,m E r,m = S r,m + λl r,m Asymptotic proportion of active S-boxes for r E m = lim r E r,m

43 Proportion of active S-Boxes to S-box and linear operations [Bogdanov09] A r,m = # active S-boxes over r rounds S r,m = # all S-boxes over r rounds L r,m = # all multiplications by constant in F 2 n over r rounds λ = cost of one multiplication by constant in F 2 n related to one S-box invocation Proportion of active S-boxes over r rounds A r,m E r,m = S r,m + λl r,m Asymptotic proportion of active S-boxes for r E m = lim r E r,m Asymptotic proportion of active S-boxes for r, m E = lim m E m

44 Bounds for Feistel Ciphers Minimum # active S-boxes for SP-functions from literature: [Kanda01], [Shirai-Preneel04], [Wu-Zhang-Lin06], [Shibutani10] BFN-SP GFNI-SP GFNII-SP single-round diffusion M i = M round 4R rounds BR + R 2 16R rounds (3B + 1)R 6R rounds (2B + 2)R multiple-round diffusion M i distinct 3R rounds B R

45 Bounds for Feistel Ciphers Minimum # active S-boxes for SPS-functions: [Bogdanov10], [Bogdanov-Shibutani10] BFN-SPS GFNI-SPS GFNII-SPS GFNIII-SPS 3R rounds 2B 14R rounds 7BR 6R rounds 6BR 14R rounds 7BR

46 Bounds for Feistel Ciphers Minimum # active S-boxes for SPS-functions: [Bogdanov10], [Bogdanov-Shibutani10] BFN-SPS GFNI-SPS GFNII-SPS GFNIII-SPS 3R rounds 2B 14R rounds 7BR 6R rounds 6BR 14R rounds 7BR all single-round diffusion with M i = M in each round

47 Bounds for Feistel Ciphers Minimum # active S-boxes for SPS-functions: [Bogdanov10], [Bogdanov-Shibutani10] BFN-SPS GFNI-SPS GFNII-SPS GFNIII-SPS 3R rounds 2B 14R rounds 7BR 6R rounds 6BR 14R rounds 7BR all single-round diffusion with M i = M in each round proofs basically derive lower bounds on # active function

48 Bounds for Feistel Ciphers Minimum # active S-boxes for SPS-functions: [Bogdanov10], [Bogdanov-Shibutani10] BFN-SPS GFNI-SPS GFNII-SPS GFNIII-SPS 3R rounds 2B 14R rounds 7BR 6R rounds 6BR 14R rounds 7BR all single-round diffusion with M i = M in each round proofs basically derive lower bounds on # active function string-based approach to proofs

49 Bounds for Feistel Ciphers Minimum # active S-boxes for SPS-functions: [Bogdanov10], [Bogdanov-Shibutani10] BFN-SPS GFNI-SPS GFNII-SPS GFNIII-SPS 3R rounds 2B 14R rounds 7BR 6R rounds 6BR 14R rounds 7BR all single-round diffusion with M i = M in each round proofs basically derive lower bounds on # active function string-based approach to proofs all bounds are actually tight

50 Efficiency Comparison SP vs SPS: E = lim r,m A r,m/s r,m, MDS diffusion

51 Efficiency Comparison SP vs SPS: E m = lim r A r,m/s r,m, MDS diffusion

52 Efficiency Comparison SP vs SPS: E m = lim r A r,m/(s r,m + λl r,m), λ = 0.1, m = 8, MDS diffusion

53 Efficiency Comparison SP vs SPS: E m = lim r A r,m/(s r,m + λl r,m), λ = 0.1, m = 16, MDS diffusion

54 Efficiency Comparison SP vs SPS: E m = lim r A r,m/(s r,m + λl r,m), λ = 0.1, m = 32, MDS diffusion

55 Efficiency Comparison SP vs SPS: E m = lim r A r,m/(s r,m + λl r,m), λ = 0.1, m = 64, MDS diffusion

56 Conjecture Instead of Conclusion Conjecture BFN-SPS is optimal with respect to E in the class of all BFN, GFNI, GFNII, and GFNIII designs with SP-, SPS-, SPSP-, SPSPS-,... -type functions instantiated with MDS matrices.

Similar documents

Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3 Cryptography and Network Security Chapter 3 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 3 Block Ciphers and the Data Encryption Standard All the afternoon

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No. # 11 Block Cipher Standards (DES) (Refer Slide

More information

The 128-bit Blockcipher CLEFIA Design Rationale

The 128-bit Blockcipher CLEFIA Design Rationale The 128-bit Blockcipher CLEFIA Design Rationale Revision 1.0 June 1, 2007 Sony Corporation NOTICE THIS DOCUMENT IS PROVIDED AS IS, WITH NO WARRANTIES WHATSOVER, INCLUDING ANY WARRANTY OF MERCHANTABIL-

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Secret Key Cryptography (I) 1 Introductory Remarks Roadmap Feistel Cipher DES AES Introduction

More information

Cryptography and Network Security

Cryptography and Network Security Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 3: Block ciphers and DES Ion Petre Department of IT, Åbo Akademi University January 17, 2012 1 Data Encryption Standard

More information

A New 128-bit Key Stream Cipher LEX

A New 128-bit Key Stream Cipher LEX A New 128-it Key Stream Cipher LEX Alex Biryukov Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenerg 10, B 3001 Heverlee, Belgium http://www.esat.kuleuven.ac.e/~airyuko/ Astract.

More information

A PPENDIX H RITERIA FOR AES E VALUATION C RITERIA FOR

A PPENDIX H RITERIA FOR AES E VALUATION C RITERIA FOR A PPENDIX H RITERIA FOR AES E VALUATION C RITERIA FOR William Stallings Copyright 20010 H.1 THE ORIGINS OF AES...2 H.2 AES EVALUATION...3 Supplement to Cryptography and Network Security, Fifth Edition

More information

The Advanced Encryption Standard: Four Years On

The Advanced Encryption Standard: Four Years On The Advanced Encryption Standard: Four Years On Matt Robshaw Reader in Information Security Information Security Group Royal Holloway University of London September 21, 2004 The State of the AES 1 The

More information

Hash Function JH and the NIST SHA3 Hash Competition

Hash Function JH and the NIST SHA3 Hash Competition Hash Function JH and the NIST SHA3 Hash Competition Hongjun Wu Nanyang Technological University Presented at ACNS 2012 1 Introduction to Hash Function Hash Function Design Basics Hash function JH Design

More information

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 12 Block Cipher Standards

More information

How To Encrypt With A 64 Bit Block Cipher

How To Encrypt With A 64 Bit Block Cipher The Data Encryption Standard (DES) As mentioned earlier there are two main types of cryptography in use today - symmetric or secret key cryptography and asymmetric or public key cryptography. Symmetric

More information

{(i,j) 1 < i,j < n} pairs, X and X i, such that X and X i differ. exclusive-or sums. ( ) ( i ) V = f x f x

{(i,j) 1 < i,j < n} pairs, X and X i, such that X and X i differ. exclusive-or sums. ( ) ( i ) V = f x f x ON THE DESIGN OF S-BOXES A. F. Webster and S. E. Tavares Department of Electrical Engineering Queen's University Kingston, Ont. Canada The ideas of completeness and the avalanche effect were first introduced

More information

WINTER SCHOOL ON COMPUTER SECURITY. Prof. Eli Biham

WINTER SCHOOL ON COMPUTER SECURITY. Prof. Eli Biham WINTR SCHOOL ON COMPUTR SCURITY Prof. li Biham Computer Science Department Technion, Haifa 3200003, Israel January 27, 2014 c li Biham c li Biham - January 27, 2014 1 Cryptanalysis of Modes of Operation

More information

Block encryption. CS-4920: Lecture 7 Secret key cryptography. Determining the plaintext ciphertext mapping. CS4920-Lecture 7 4/1/2015

Block encryption. CS-4920: Lecture 7 Secret key cryptography. Determining the plaintext ciphertext mapping. CS4920-Lecture 7 4/1/2015 CS-4920: Lecture 7 Secret key cryptography Reading Chapter 3 (pp. 59-75, 92-93) Today s Outcomes Discuss block and key length issues related to secret key cryptography Define several terms related to secret

More information

The Stream Cipher HC-128

The Stream Cipher HC-128 The Stream Cipher HC-128 Hongjun Wu Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium [email protected] Statement 1. HC-128 supports 128-bit

More information

1 Data Encryption Algorithm

1 Data Encryption Algorithm Date: Monday, September 23, 2002 Prof.: Dr Jean-Yves Chouinard Design of Secure Computer Systems CSI4138/CEG4394 Notes on the Data Encryption Standard (DES) The Data Encryption Standard (DES) has been

More information

Split Based Encryption in Secure File Transfer

Split Based Encryption in Secure File Transfer Split Based Encryption in Secure File Transfer Parul Rathor, Rohit Sehgal Assistant Professor, Dept. of CSE, IET, Nagpur University, India Assistant Professor, Dept. of CSE, IET, Alwar, Rajasthan Technical

More information

Application of cube attack to block and stream ciphers

Application of cube attack to block and stream ciphers Application of cube attack to block and stream ciphers Janusz Szmidt joint work with Piotr Mroczkowski Military University of Technology Military Telecommunication Institute Poland 23 czerwca 2009 1. Papers

More information

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal Symmetric Crypto Pierre-Alain Fouque Birthday Paradox In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal N=365, about 23 people are

More information

MAC. SKE in Practice. Lecture 5

MAC. SKE in Practice. Lecture 5 MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve

More information

Table of Contents. Bibliografische Informationen http://d-nb.info/996514864. digitalisiert durch

Table of Contents. Bibliografische Informationen http://d-nb.info/996514864. digitalisiert durch 1 Introduction to Cryptography and Data Security 1 1.1 Overview of Cryptology (and This Book) 2 1.2 Symmetric Cryptography 4 1.2.1 Basics 4 1.2.2 Simple Symmetric Encryption: The Substitution Cipher...

More information

Lecture 4 Data Encryption Standard (DES)

Lecture 4 Data Encryption Standard (DES) Lecture 4 Data Encryption Standard (DES) 1 Block Ciphers Map n-bit plaintext blocks to n-bit ciphertext blocks (n = block length). For n-bit plaintext and ciphertext blocks and a fixed key, the encryption

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer

More information

More information

Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1)

Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1) Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 3 Symmetric Cryptography General Description Modes of ion Data ion Standard (DES)

More information

VALLIAMMAI ENGINEERING COLLEGE

VALLIAMMAI ENGINEERING COLLEGE VALLIAMMAI ENGINEERING COLLEGE (A member of SRM Institution) SRM Nagar, Kattankulathur 603203. DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING Year and Semester : I / II Section : 1 Subject Code : NE7202

More information

Secret File Sharing Techniques using AES algorithm. C. Navya Latha 200201066 Garima Agarwal 200305032 Anila Kumar GVN 200305002

Secret File Sharing Techniques using AES algorithm. C. Navya Latha 200201066 Garima Agarwal 200305032 Anila Kumar GVN 200305002 Secret File Sharing Techniques using AES algorithm C. Navya Latha 200201066 Garima Agarwal 200305032 Anila Kumar GVN 200305002 1. Feature Overview The Advanced Encryption Standard (AES) feature adds support

More information

The Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) The Advanced Encryption Standard (AES) All of the cryptographic algorithms we have looked at so far have some problem. The earlier ciphers can be broken with ease on modern computation systems. The DES

More information

Cryptography and Network Security Block Cipher

Cryptography and Network Security Block Cipher Cryptography and Network Security Block Cipher Xiang-Yang Li Modern Private Key Ciphers Stream ciphers The most famous: Vernam cipher Invented by Vernam, ( AT&T, in 1917) Process the message bit by bit

More information

Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I. Sourav Mukhopadhyay

Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I. Sourav Mukhopadhyay Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I Sourav Mukhopadhyay Cryptography and Network Security - MA61027 Attacks on Cryptosystems Up to this point, we have mainly seen how ciphers are implemented. We

More information

Enhancing Advanced Encryption Standard S-Box Generation Based on Round Key

Enhancing Advanced Encryption Standard S-Box Generation Based on Round Key Enhancing Advanced Encryption Standard S-Box Generation Based on Round Key Julia Juremi Ramlan Mahmod Salasiah Sulaiman Jazrin Ramli Faculty of Computer Science and Information Technology, Universiti Putra

More information

How To Understand And Understand The History Of Cryptography

How To Understand And Understand The History Of Cryptography CSE497b Introduction to Computer and Network Security - Spring 2007 - Professors Jaeger Lecture 5 - Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/

More information

Modern Block Cipher Standards (AES) Debdeep Mukhopadhyay

Modern Block Cipher Standards (AES) Debdeep Mukhopadhyay Modern Block Cipher Standards (AES) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Introduction

More information

Keywords Web Service, security, DES, cryptography.

Keywords Web Service, security, DES, cryptography. Volume 3, Issue 10, October 2013 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Provide the

More information

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1 EXAM questions for the course TTM4135 - Information Security May 2013 Part 1 This part consists of 5 questions all from one common topic. The number of maximal points for every correctly answered question

More information

Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator

Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel Katholieke Universiteit Leuven, Dept. ESAT/COSIC, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee,

More information

A Comparative Study Of Two Symmetric Encryption Algorithms Across Different Platforms.

A Comparative Study Of Two Symmetric Encryption Algorithms Across Different Platforms. A Comparative Study Of Two Symmetric Algorithms Across Different Platforms. Dr. S.A.M Rizvi 1,Dr. Syed Zeeshan Hussain 2 and Neeta Wadhwa 3 Deptt. of Computer Science, Jamia Millia Islamia, New Delhi,

More information

Lightweight Block Ciphers Revisited: Cryptanalysis of Reduced Round PRESENT and HIGHT

Lightweight Block Ciphers Revisited: Cryptanalysis of Reduced Round PRESENT and HIGHT Lightweight Block Ciphers Revisited: Cryptanalysis of Reduced Round PRESENT and HIGHT Onur Özen1, Kerem Varıcı 2, Cihangir Tezcan 3, and Çelebi Kocair 4 1 EPFL IC LACAL Station 14. CH-1015 Lausanne, Switzerland

More information

6 Data Encryption Standard (DES)

6 Data Encryption Standard (DES) 6 Data Encryption Standard (DES) Objectives In this chapter, we discuss the Data Encryption Standard (DES), the modern symmetric-key block cipher. The following are our main objectives for this chapter:

More information

Survey on Enhancing Cloud Data Security using EAP with Rijndael Encryption Algorithm

Survey on Enhancing Cloud Data Security using EAP with Rijndael Encryption Algorithm Global Journal of Computer Science and Technology Software & Data Engineering Volume 13 Issue 5 Version 1.0 Year 2013 Type: Double Blind Peer Reviewed International Research Journal Publisher: Global Journals

More information

CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: [email protected] my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

More information

SHA3 WHERE WE VE BEEN WHERE WE RE GOING

SHA3 WHERE WE VE BEEN WHERE WE RE GOING SHA3 WHERE WE VE BEEN WHERE WE RE GOING Bill Burr May 1, 2013 updated version of John Kelsey s RSA2013 presentation Overview of Talk Where We ve Been: Ancient history 2004 The Competition Where We re Going

More information

6.857 Computer and Network Security Fall Term, 1997 Lecture 4 : 16 September 1997 Lecturer: Ron Rivest Scribe: Michelle Goldberg 1 Conditionally Secure Cryptography Conditionally (or computationally) secure

More information

Message Authentication

Message Authentication Message Authentication message authentication is concerned with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute resolution) will consider the

More information

A NEW DNA BASED APPROACH OF GENERATING KEY-DEPENDENT SHIFTROWS TRANSFORMATION

A NEW DNA BASED APPROACH OF GENERATING KEY-DEPENDENT SHIFTROWS TRANSFORMATION A NEW DNA BASED APPROACH OF GENERATING KEY-DEPENDENT SHIFTROWS TRANSFORMATION Auday H. Al-Wattar 1, Ramlan Mahmod 2, Zuriati Ahmad Zukarnain3, and Nur Izura Udzir4, 1 Faculty of Computer Science and Information

More information

A PPENDIX G S IMPLIFIED DES

A PPENDIX G S IMPLIFIED DES A PPENDIX G S IMPLIFIED DES William Stallings opyright 2010 G.1 OVERVIEW...2! G.2 S-DES KEY GENERATION...3! G.3 S-DES ENRYPTION...4! Initial and Final Permutations...4! The Function f K...5! The Switch

More information

KALE: A High-Degree Algebraic-Resistant Variant of The Advanced Encryption Standard

KALE: A High-Degree Algebraic-Resistant Variant of The Advanced Encryption Standard KALE: A High-Degree Algebraic-Resistant Variant of The Advanced Encryption Standard Dr. Gavekort c/o Vakiopaine Bar Kauppakatu 6, 41 Jyväskylä FINLAND [email protected] Abstract. We have discovered that the

More information

1) Explain the following evolutionary process models: a) The spiral model. b) The concurrent development model.

1) Explain the following evolutionary process models: a) The spiral model. b) The concurrent development model. (DMSIT 21) ASSIGNMENT - 1, MAY-2014. PAPER- I : SOFTWARE ENGINEERING 1) Explain the following evolutionary process models: a) The spiral model. b) The concurrent development model. 2) What are requirements

More information

RC6. Marcel Felipe Weschenfelder

RC6. Marcel Felipe Weschenfelder RC6 Marcel Felipe Weschenfelder Introduction Operations Algorithm Performance Crypto analyse Highlight/lowlight Conclusion References Agenda RC6 Introduction Designed by: Ron Rivest, Matt Robshaw, Ray

More information

A NEW DNA BASED APPROACH OF GENERATING KEY- DEPENDENTMIXCOLUMNS TRANSFORMATION

A NEW DNA BASED APPROACH OF GENERATING KEY- DEPENDENTMIXCOLUMNS TRANSFORMATION A NEW DNA BASED APPROACH OF GENERATING KEY- DEPENDENTMIXCOLUMNS TRANSFORMATION Auday H. Al-Wattar 1, Ramlan Mahmod 2,Zuriati Ahmad Zukarnain 3 and NurIzura Udzir 4 1 Faculty of Computer Science and Information

More information

Lightweight Cryptography From an Engineers Perspective

Lightweight Cryptography From an Engineers Perspective Lightweight Cryptography From an Engineers Perspective ECC 2007 Acknowledgement Christof Paar A. Bogdanov, L. Knudsen, G. Leander, M. Robshaw, Y. Seurin, C. Vikkelsoe S. Kumar 2 Outline Motivation Hardware

More information

AC76/AT76 CRYPTOGRAPHY & NETWORK SECURITY DEC 2014

AC76/AT76 CRYPTOGRAPHY & NETWORK SECURITY DEC 2014 Q.2a. Define Virus. What are the four phases of Viruses? In addition, list out the types of Viruses. A virus is a piece of software that can infect other programs by modifying them; the modification includes

More information

Lecture 3: Block Ciphers and the Data Encryption Standard. Lecture Notes on Computer and Network Security. by Avi Kak (kak@purdue.

Lecture 3: Block Ciphers and the Data Encryption Standard. Lecture Notes on Computer and Network Security. by Avi Kak (kak@purdue. Lecture 3: Block Ciphers and the Data Encryption Standard Lecture Notes on Computer and Network Security by Avi Kak ([email protected]) January 15, 2016 12:28am c 2016 Avinash Kak, Purdue University Goals:

More information

Hash Function of Finalist SHA-3: Analysis Study

Hash Function of Finalist SHA-3: Analysis Study International Journal of Advanced Computer Science and Information Technology (IJACSIT) Vol. 2, No. 2, April 2013, Page: 1-12, ISSN: 2296-1739 Helvetic Editions LTD, Switzerland www.elvedit.com Hash Function

More information

Introduction to SHA-3 and Keccak

Introduction to SHA-3 and Keccak Introduction to SHA-3 and Keccak Joan Daemen STMicroelectronics and Radboud University Crypto summer school 2015 Šibenik, Croatia, May 31 - June 5, 2015 1 / 45 Outline 1 The SHA-3 competition 2 The sponge

More information

Cryptanalysis of Grain using Time / Memory / Data Tradeoffs

Cryptanalysis of Grain using Time / Memory / Data Tradeoffs Cryptanalysis of Grain using Time / Memory / Data Tradeoffs v1.0 / 2008-02-25 T.E. Bjørstad The Selmer Center, Department of Informatics, University of Bergen, Pb. 7800, N-5020 Bergen, Norway. Email :

More information

Solutions to Problem Set 1

Solutions to Problem Set 1 YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Handout #8 Zheng Ma February 21, 2005 Solutions to Problem Set 1 Problem 1: Cracking the Hill cipher Suppose

More information

On the Key Schedule Strength of PRESENT

On the Key Schedule Strength of PRESENT On the Key Schedule Strength of PRESENT Julio Cesar Hernandez-Castro 1, Pedro Peris-Lopez 2 Jean-Philippe Aumasson 3 1 School of Computing, Portsmouth University, UK 2 Information Security & Privacy Lab,

More information

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers

More information

Review Jeopardy. Blue vs. Orange. Review Jeopardy

Review Jeopardy. Blue vs. Orange. Review Jeopardy Review Jeopardy Blue vs. Orange Review Jeopardy Jeopardy Round Lectures 0-3 Jeopardy Round $200 How could I measure how far apart (i.e. how different) two observations, y 1 and y 2, are from each other?

More information

On the Influence of the Algebraic Degree of the Algebraic Degree of

On the Influence of the Algebraic Degree of the Algebraic Degree of IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 59, NO. 1, JANUARY 2013 691 On the Influence of the Algebraic Degree of the Algebraic Degree of Christina Boura and Anne Canteaut on Abstract We present a

More information

Cryptography & Network Security. Introduction. Chester Rebeiro IIT Madras

Cryptography & Network Security. Introduction. Chester Rebeiro IIT Madras Cryptography & Network Security Introduction Chester Rebeiro IIT Madras The Connected World 2 Information Storage 3 Increased Security Breaches 81% more in 2015 http://www.pwc.co.uk/assets/pdf/2015-isbs-executive-summary-02.pdf

More information

Linear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT

Linear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT Linear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT Jorge Nakahara Jr 1, Pouyan Sepehrdad 1, Bingsheng Zhang 2, Meiqin Wang 3 1 EPFL, Lausanne, Switzerland 2 Cybernetica AS, Estonia and

More information

Network Security. Omer Rana

Network Security. Omer Rana Network Security Omer Rana CM0255 Material from: Cryptography Components Sender Receiver Plaintext Encryption Ciphertext Decryption Plaintext Encryption algorithm: Plaintext Ciphertext Cipher: encryption

More information

CIS433/533 - Computer and Network Security Cryptography

CIS433/533 - Computer and Network Security Cryptography CIS433/533 - Computer and Network Security Cryptography Professor Kevin Butler Winter 2011 Computer and Information Science A historical moment Mary Queen of Scots is being held by Queen Elizabeth and

More information

Ahsay Online Backup. Whitepaper Data Security

Ahsay Online Backup. Whitepaper Data Security Ahsay Online Backup Version 5.x Jun 2006 Table of Content 1 Introduction...3 2 Server Secure, Robust and Reliable...4 2.1 Secure 128-bit SSL communication...4 2.2 Backup data are securely encrypted...4

More information

Hardware Implementation of AES Encryption and Decryption System Based on FPGA

Hardware Implementation of AES Encryption and Decryption System Based on FPGA Send Orders for Reprints to [email protected] The Open Cybernetics & Systemics Journal, 2015, 9, 1373-1377 1373 Open Access Hardware Implementation of AES Encryption and Decryption System Based

More information

A Study of New Trends in Blowfish Algorithm

A Study of New Trends in Blowfish Algorithm A Study of New Trends in Blowfish Algorithm Gurjeevan Singh*, Ashwani Kumar**, K. S. Sandha*** *(Department of ECE, Shaheed Bhagat Singh College of Engg. & Tech. (Polywing), Ferozepur-152004) **(Department

More information

Security Evaluation of the SPECTR-128. Block Cipher

Security Evaluation of the SPECTR-128. Block Cipher pplied Mathematical Sciences, ol. 7,, no. 4, 6945-696 HIKI td, www.m-hikari.com http://dx.doi.org/.988/ams..584 Security Evaluation of the SPECT-8 Block Cipher Manh Tuan Pham, am T. u Posts and Telecommunications

More information

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

More information

Data Superhero Online Backup Whitepaper Data Security

Data Superhero Online Backup Whitepaper Data Security Data Superhero Online Backup Whitepaper Data Security Cottage Computers Ltd. Page 1 of 5 (April 15, 2008) Table of Contents Contents 1. Data Superhero Offsite Backup Server Secure, Robust and Reliable...

More information

Note on naming. Note on naming

Note on naming. Note on naming Joan Daemen Vincent Rijmen Note on naming Rijndael 1. Introduction Note on naming After the selection of Rijndael as the AES, it was decided to change the names of some of its component functions in order

More information

A STUDY OF DES ALGORITHM WITH CELLULAR AUTOMATA

A STUDY OF DES ALGORITHM WITH CELLULAR AUTOMATA International Journal of Innovative Management, Information & Production ISME International c2013 ISSN 2185-5439 Volume 4, Number 1, June 2013 PP. 10-16 A STUDY OF DES ALGORITHM WITH CELLULAR AUTOMATA

More information

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Introduction to Cryptography What is cryptography?

More information

Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper

Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper Tetsu Iwata Department of Computer and Information Sciences, Ibaraki University 4 12 1 Nakanarusawa, Hitachi, Ibaraki 316-8511,

More information

F3 Symmetric Encryption

F3 Symmetric Encryption F3 Symmetric Encryption Cryptographic Algorithms: Overview During this course two main applications of cryptographic algorithms are of principal interest: Encryption of data: transforms plaintext data

More information

Data Structure [Question Bank]

Data Structure [Question Bank] Unit I (Analysis of Algorithms) 1. What are algorithms and how they are useful? 2. Describe the factor on best algorithms depends on? 3. Differentiate: Correct & Incorrect Algorithms? 4. Write short note:

More information

Fast Implementations of AES on Various Platforms

Fast Implementations of AES on Various Platforms Fast Implementations of AES on Various Platforms Joppe W. Bos 1 Dag Arne Osvik 1 Deian Stefan 2 1 EPFL IC IIF LACAL, Station 14, CH-1015 Lausanne, Switzerland {joppe.bos, dagarne.osvik}@epfl.ch 2 Dept.

More information

Parallel AES Encryption with Modified Mix-columns For Many Core Processor Arrays M.S.Arun, V.Saminathan

Parallel AES Encryption with Modified Mix-columns For Many Core Processor Arrays M.S.Arun, V.Saminathan Parallel AES Encryption with Modified Mix-columns For Many Core Processor Arrays M.S.Arun, V.Saminathan Abstract AES is an encryption algorithm which can be easily implemented on fine grain many core systems.

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur Lecture No. #06 Cryptanalysis of Classical Ciphers (Refer

More information
2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback | Do Not Sell My Personal Information