Advanced Encryption Standard

Total Page:16

File Type:pdf, Size:1020Kb

Advanced Encryption Standard Advanced Encryption Standard Lars R. Knudsen June 2014 L.R. Knudsen Advanced Encryption Standard AES - Advanced Encryption Standard US governmental encryption standard Open (world) competition announced January 97 Blocks: 128 bits Keys: choice of 128-bit, 192-bit, and 256-bit keys October 2000: AES=Rijndael Standard: FIPS 197, November 2001 L.R. Knudsen Advanced Encryption Standard AES=Rijndael Designed by Joan Daemen and Vincent Rijmen Simple design, byte-oriented Operations: XOR and table lookup S-box, substitutes a byte by a byte Rounds 10 12 14 Key size 128 192 256 Focus on 128-bit key version with 10 iterations L.R. Knudsen Advanced Encryption Standard Multiplication in GF(256) - AES In AES the finite field GF (28) is determined by irreducible polynomial m(x)=x8 + x4 + x3 + x + 1 Elements of GF (28) are all polynomials of degree less than eight and with coefficients in GF (2) 1-to-1 correspondence between 8-bit vectors and elements in GF (28): 7 i finite field element p(x)= i=0 bi x . 8-bit vector v =(b7, b6, b5,Pb4, b3, b2, b1, b0) L.R. Knudsen Advanced Encryption Standard Multiplication in GF(256) (cont.) 7 i Compute p(x) times q(x),wherep(x)= i=0 bi x , q(x)= 7 c xi : i=0 i P Do straightforward multiplication of polynomials p(x) q(x); P · Reduce result modulo m(x). Example Compute x6 + x4 + x2 + x + 1 times x7 + x + 1 (x6 + x4 + x2 + x + 1)(x7 + x + 1)= x13 + x11 + x9 + x8 + x6 + x5 + x4 + x3 + 1 x13+x11+x9+x8+x6+x5+x4+x3+1modx8+x4+x3+x+1 = x7 + x6 + 1 Alternative representation: 57 83 = c1 (hex notation) x ⇥ x x L.R. Knudsen Advanced Encryption Standard Multiplication by x in GF(256) 7 i 8 Find the product r(x) of p(x)= i=0 bi x and x in GF (2 ): 7 i+1 Compute p(x) x = biPx · i=0 If b = 0, r(x)=p(xP) x 7 · If b = 1, r(x)=p(x) x mod m(x)=p(x) x + m(x) 7 · · Example (x7 + x6 + x5 + x4 + x2) x = x8 + x7 + x6 + x5 + x3 ⇥ reduce modulo m(x)=x8 + x4 + x3 + x + 1 result is x7 + x6 + x5 + x4 + x + 1 Hex notation: f 4 02 = f 3 x ⇥ x x L.R. Knudsen Advanced Encryption Standard Multiplication by x+1 in GF(256) 7 i 8 Find the product r(x) of p(x)= i=0 bi x and x + 1 in GF (2 ): 7 i i+1 Compute (p(x) x)+p(x)=P bi (x + x ) · i=0 If b = 0, r(x)=p(x) x + p(Px) 7 · If b7 = 1, r(x)=(p(x) x)+p(x) mod m(x)=p(x) x + p(x)+m(x) · · Example (x7 + x6 + x5 + x4 + x2) (x + 1) = x8 + x4 + x3 + x2 ⇥ reduce modulo m(x)=x8 + x4 + x3 + x + 1 result is x2 + x + 1 Hex notation: f 4 03 = 07 x ⇥ x x L.R. Knudsen Advanced Encryption Standard AES - iterated cipher, key schedule Input: user selected key of 128 bits Output: 11 round keys k0, k1, k2,...,k10 p = c0 plaintext ci = F (ki , ci 1) − c10 ciphertext Details of key-schedule are self-study L.R. Knudsen Advanced Encryption Standard AES round tranformation Arrange the 16 input bytes in a 4 4 matrix ⇥ Subfunctions 1 SubBytes (byte substitution via S-box) 2 ShiftRows 3 MixColumns 4 AddRoundKey L.R. Knudsen Advanced Encryption Standard SubBytes - S a0,0 a0,1 a0,2 a0,3 b0,0 b0,1 b0,2 b0,3 a1,0 a1,1 a1,2 a1,3 b1,0 b1,1 b1,2 b1,3 a2,0 a2,1 a2,2 a2,3 b2,0 b2,1 b2,2 b2,3 a3,0 a3,1 a3,2 a3,3 b3,0 b3,1 b3,2 b3,3 S-box S is the S-box (invertible) One S-box for the whole cipher (simplicity) L.R. Knudsen Advanced Encryption Standard ShiftRows a b c d a b c d e f g h - f g h e i j k l - k l i j m n o p - p m n o Rows shifted over different offsets: 0,1,2, and 3 L.R. Knudsen Advanced Encryption Standard MixColumns - mix four bytes a0,0 a0,1 a0,2 a0,3 b0,0 b0,1 b0,2 b0,3 a1,0 a1,1 a1,2 a1,3 b1,0 b1,1 b1,2 b1,3 a2,0 a2,1 a2,2 a2,3 b2,0 b2,1 b2,2 b2,3 a3,0 a3,1 a3,2 a3,3 b3,0 b3,1 b3,2 b3,3 Each of four bi,j in a column depends on all four ai,j from same column L.R. Knudsen Advanced Encryption Standard AddRoundKey (bit-wise XOR) a0,0 a0,1 a0,2 a0,3 k0,0 k0,1 k0,2 k0,3 b0,0 b0,1 b0,2 b0,3 a1,0 a1,1 a1,2 a1,3 k1,0 k1,1 k1,2 k1,3 b1,0 b1,1 b1,2 b1,3 = a2,0 a2,1 a2,2 a2,3 ⊕ k2,0 k2,1 k2,2 k2,3 b2,0 b2,1 b2,2 b2,3 a3,0 a3,1 a3,2 a3,3 k3,0 k3,1 k3,2 k3,3 b3,0 b3,1 b3,2 b3,3 b = a k i,j i,j ⊕ i,j L.R. Knudsen Advanced Encryption Standard AES - 10-round version Arrange the 16 input bytes in a 4 4 matrix ⇥ AddRoundKey Do nine times SubBytes (byte substitution via S-box) ShiftRows MixColumns AddRoundKey SubBytes ShiftRows AddRoundKey L.R. Knudsen Advanced Encryption Standard SubBytes Input a,outputb,bothbytes Let f (x)=x 1 in GF (28)/ 0 and f (0)=0 − { } Then b = A(f (a)),whereA is affine mapping over GF (2). With t = f (a)=(t7, t6,...,t1, t0) output is: 1 0 0 0 1 1 1 1 t0 1 1 1 0 0 0 1 1 1 t1 1 2 3 2 3 2 3 1 1 1 0 0 0 1 1 t2 0 6 1 1 1 1 0 0 0 1 7 6 t 7 6 0 7 6 7 6 3 7 6 7 6 1 1 1 1 1 0 0 0 7 6 t 7 ⊕ 6 0 7 6 7 6 4 7 6 7 6 0 1 1 1 1 1 0 0 7 6 t 7 6 1 7 6 7 6 5 7 6 7 6 7 6 t 7 6 7 6 0 0 1 1 1 1 1 0 7 6 6 7 6 1 7 6 7 6 t 7 6 7 6 0 0 0 1 1 1 1 1 7 6 7 7 6 0 7 4 5 4 5 4 5 L.R. Knudsen Advanced Encryption Standard MixColumns 2 3 1 1 1 2 3 1 - 2 3 1 1 2 3 ⇥ 6 3 1 1 2 7 a a a a 6 7 0,0 0,1 0,2 0,3 4 5 b0,0 b0,1 b0,2 b0,3 a1,0 a1,1 a1,2 a1,3 b1,0 b1,1 b1,2 b1,3 a2,0 a2,1 a2,2 a2,3 b2,0 b2,1 b2,2 b2,3 a3,0 a3,1 a3,2 a3,3 b3,0 b3,1 b3,2 b3,3 Bytes in columns are combined linearly b = 2 a + 3 a + 1 a + 1 a 0,2 { }⇥ 0,2 { }⇥ 1,2 { }⇥ 2,2 { }⇥ 3,2 Multiplication is over GF(28) L.R. Knudsen Advanced Encryption Standard Diffusion in AES Shift Mix - - Rows Col. Shift Mix - - Rows Col. L.R. Knudsen Advanced Encryption Standard Differential characteristics and active S-boxes Consider SP-networks like AES, where a round consists of key addition S-box layer linear layer (linear mapping) Definition In a differential characteristic an S-box is active if the inputs to the S-box are assumed to be different. Fact (or assumption) The transition of differences is deterministic through the key additions and linear layers. is non-deterministic through the S-box layers. L.R. Knudsen Advanced Encryption Standard Differential characteristics and active S-boxes (2) Max probability Let pmax be the maximum probability for a non-trivial characteristic for the S-boxes. Active S-boxes Let d be the minimum number of active S-boxes in an r-round characteristic. Bound d Then pmax is an upper bound of any r-round characteristic. L.R. Knudsen Advanced Encryption Standard AES and Wide-Trail The AES design uses the wide-trail strategy: Theorem Any differential/linear characteristic over 4 rounds of AES has at least 25 active Sboxes. AES has 10 (or more) rounds Together with the good Sbox: More than enough. L.R. Knudsen Advanced Encryption Standard 2Rounds S S S S Linear Layer L S S S S Aim Give a bound on the number of active Sboxes in a differential characteristic. We assume S and L are bijective. L linear, so L(x y)=L(x) L(y). ⊕ ⊕ No further assumptions on S L.R. Knudsen Advanced Encryption Standard 2Rounds S S S S Linear Layer L S S S S Aim Give an lower bound on the number of active Sboxes in a differential characteristic. Trivial bounds: Lower Bound for the lower bound: 2 Upper Bound for the lower bound: #sboxes + 1 (here 5).
Recommended publications
  • Cryptanalysis of Feistel Networks with Secret Round Functions Alex Biryukov, Gaëtan Leurent, Léo Perrin
    Cryptanalysis of Feistel Networks with Secret Round Functions Alex Biryukov, Gaëtan Leurent, Léo Perrin To cite this version: Alex Biryukov, Gaëtan Leurent, Léo Perrin. Cryptanalysis of Feistel Networks with Secret Round Functions. Selected Areas in Cryptography - SAC 2015, Aug 2015, Sackville, Canada. hal-01243130 HAL Id: hal-01243130 https://hal.inria.fr/hal-01243130 Submitted on 14 Dec 2015 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Cryptanalysis of Feistel Networks with Secret Round Functions ? Alex Biryukov1, Gaëtan Leurent2, and Léo Perrin3 1 [email protected], University of Luxembourg 2 [email protected], Inria, France 3 [email protected], SnT,University of Luxembourg Abstract. Generic distinguishers against Feistel Network with up to 5 rounds exist in the regular setting and up to 6 rounds in a multi-key setting. We present new cryptanalyses against Feistel Networks with 5, 6 and 7 rounds which are not simply distinguishers but actually recover completely the unknown Feistel functions. When an exclusive-or is used to combine the output of the round function with the other branch, we use the so-called yoyo game which we improved using a heuristic based on particular cycle structures.
    [Show full text]
  • Integral Cryptanalysis on Full MISTY1⋆
    Integral Cryptanalysis on Full MISTY1? Yosuke Todo NTT Secure Platform Laboratories, Tokyo, Japan [email protected] Abstract. MISTY1 is a block cipher designed by Matsui in 1997. It was well evaluated and standardized by projects, such as CRYPTREC, ISO/IEC, and NESSIE. In this paper, we propose a key recovery attack on the full MISTY1, i.e., we show that 8-round MISTY1 with 5 FL layers does not have 128-bit security. Many attacks against MISTY1 have been proposed, but there is no attack against the full MISTY1. Therefore, our attack is the first cryptanalysis against the full MISTY1. We construct a new integral characteristic by using the propagation characteristic of the division property, which was proposed in 2015. We first improve the division property by optimizing a public S-box and then construct a 6-round integral characteristic on MISTY1. Finally, we recover the secret key of the full MISTY1 with 263:58 chosen plaintexts and 2121 time complexity. Moreover, if we can use 263:994 chosen plaintexts, the time complexity for our attack is reduced to 2107:9. Note that our cryptanalysis is a theoretical attack. Therefore, the practical use of MISTY1 will not be affected by our attack. Keywords: MISTY1, Integral attack, Division property 1 Introduction MISTY [Mat97] is a block cipher designed by Matsui in 1997 and is based on the theory of provable security [Nyb94,NK95] against differential attack [BS90] and linear attack [Mat93]. MISTY has a recursive structure, and the component function has a unique structure, the so-called MISTY structure [Mat96].
    [Show full text]
  • Related-Key Statistical Cryptanalysis
    Related-Key Statistical Cryptanalysis Darakhshan J. Mir∗ Poorvi L. Vora Department of Computer Science, Department of Computer Science, Rutgers, The State University of New Jersey George Washington University July 6, 2007 Abstract This paper presents the Cryptanalytic Channel Model (CCM). The model treats statistical key recovery as communication over a low capacity channel, where the channel and the encoding are determined by the cipher and the specific attack. A new attack, related-key recovery – the use of n related keys generated from k independent ones – is defined for all ciphers vulnera- ble to single-key recovery. Unlike classical related-key attacks such as differential related-key cryptanalysis, this attack does not exploit a special structural weakness in the cipher or key schedule, but amplifies the weakness exploited in the basic single key recovery. The related- key-recovery attack is shown to correspond to the use of a concatenated code over the channel, where the relationship among the keys determines the outer code, and the cipher and the attack the inner code. It is shown that there exists a relationship among keys for which the communi- cation complexity per bit of independent key is finite, for any probability of key recovery error. This may be compared to the unbounded communication complexity per bit of the single-key- recovery attack. The practical implications of this result are demonstrated through experiments on reduced-round DES. Keywords: related keys, concatenated codes, communication channel, statistical cryptanalysis, linear cryptanalysis, DES Communicating Author: Poorvi L. Vora, [email protected] ∗This work was done while the author was in the M.S.
    [Show full text]
  • Optimization of Core Components of Block Ciphers Baptiste Lambin
    Optimization of core components of block ciphers Baptiste Lambin To cite this version: Baptiste Lambin. Optimization of core components of block ciphers. Cryptography and Security [cs.CR]. Université Rennes 1, 2019. English. NNT : 2019REN1S036. tel-02380098 HAL Id: tel-02380098 https://tel.archives-ouvertes.fr/tel-02380098 Submitted on 26 Nov 2019 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. THÈSE DE DOCTORAT DE L’UNIVERSITE DE RENNES 1 COMUE UNIVERSITE BRETAGNE LOIRE Ecole Doctorale N°601 Mathématique et Sciences et Technologies de l’Information et de la Communication Spécialité : Informatique Par Baptiste LAMBIN Optimization of Core Components of Block Ciphers Thèse présentée et soutenue à RENNES, le 22/10/2019 Unité de recherche : IRISA Rapporteurs avant soutenance : Marine Minier, Professeur, LORIA, Université de Lorraine Jacques Patarin, Professeur, PRiSM, Université de Versailles Composition du jury : Examinateurs : Marine Minier, Professeur, LORIA, Université de Lorraine Jacques Patarin, Professeur, PRiSM, Université de Versailles Jean-Louis Lanet, INRIA Rennes Virginie Lallemand, Chargée de Recherche, LORIA, CNRS Jérémy Jean, ANSSI Dir. de thèse : Pierre-Alain Fouque, IRISA, Université de Rennes 1 Co-dir. de thèse : Patrick Derbez, IRISA, Université de Rennes 1 Remerciements Je tiens à remercier en premier lieu mes directeurs de thèse, Pierre-Alain et Patrick.
    [Show full text]
  • Division Property: Efficient Method to Estimate Upper Bound of Algebraic Degree
    Division Property: Efficient Method to Estimate Upper Bound of Algebraic Degree Yosuke Todo1;2 1 NTT Secure Platform Laboratories, Tokyo, Japan [email protected] 2 Kobe University, Kobe, Japan Abstract. We proposed the division property, which is a new method to find integral characteristics, at EUROCRYPT 2015. In this paper, we expound the division property, its effectiveness, and follow-up results. Higher-Order Differential and Integral Cryptanalyses. After the pro- posal of the differential cryptanalysis [1], many extended cryptanalyses have been proposed. The higher-order differential cryptanalysis is one of such extensions. The concept was first introduced by Lai [6] and the advantage over the classical differential cryptanalysis was studied by Knudsen [4]. Assuming the algebraic degree of the target block cipher Ek is upper-bounded by d for any k, the dth order differential is always constant. Then, we can distinguish the target cipher Ek as ideal block ciphers because it is unlikely that ideal block ciphers have such property, and we call this property the higher-order differential characteristics in this paper. The similar technique to the higher-order differential cryptanalysis was used as the dedicated attack against the block cipher Square [3], and the dedicated attack was later referred to the square attack. In 2002, Knudsen and Wagner formalized the square attack as the integral cryptanalysis [5]. In the integral cryptanalysis, attackers first prepare N chosen plaintexts. If the XOR of all cor- responding ciphertexts is 0, we say that the cipher has an integral characteristic with N chosen plaintexts. The integral characteristic is found by evaluating the propagation of four integral properties: A, C, B, and U.
    [Show full text]
  • New Cryptanalysis of Block Ciphers with Low Algebraic Degree
    New Cryptanalysis of Block Ciphers with Low Algebraic Degree Bing Sun1,LongjiangQu1,andChaoLi1,2 1 Department of Mathematics and System Science, Science College of National University of Defense Technology, Changsha, China, 410073 2 State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, China, 10039 happy [email protected], ljqu [email protected] Abstract. Improved interpolation attack and new integral attack are proposed in this paper, and they can be applied to block ciphers using round functions with low algebraic degree. In the new attacks, we can determine not only the degree of the polynomial, but also coefficients of some special terms. Thus instead of guessing the round keys one by one, we can get the round keys by solving some algebraic equations over finite field. The new methods are applied to PURE block cipher successfully. The improved interpolation attacks can recover the first round key of 8-round PURE in less than a second; r-round PURE with r ≤ 21 is breakable with about 3r−2 chosen plaintexts and the time complexity is 3r−2 encryptions; 22-round PURE is breakable with both data and time complexities being about 3 × 320. The new integral attacks can break PURE with rounds up to 21 with 232 encryptions and 22-round with 3 × 232 encryptions. This means that PURE with up to 22 rounds is breakable on a personal computer. Keywords: block cipher, Feistel cipher, interpolation attack, integral attack. 1 Introduction For some ciphers, the round function can be described either by a low degree polynomial or by a quotient of two low degree polynomials over finite field with characteristic 2.
    [Show full text]
  • Deep Learning-Based Cryptanalysis of Lightweight Block Ciphers
    Hindawi Security and Communication Networks Volume 2020, Article ID 3701067, 11 pages https://doi.org/10.1155/2020/3701067 Research Article Deep Learning-Based Cryptanalysis of Lightweight Block Ciphers Jaewoo So Department of Electronic Engineering, Sogang University, Seoul 04107, Republic of Korea Correspondence should be addressed to Jaewoo So; [email protected] Received 5 February 2020; Revised 21 June 2020; Accepted 26 June 2020; Published 13 July 2020 Academic Editor: Umar M. Khokhar Copyright © 2020 Jaewoo So. +is is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Most of the traditional cryptanalytic technologies often require a great amount of time, known plaintexts, and memory. +is paper proposes a generic cryptanalysis model based on deep learning (DL), where the model tries to find the key of block ciphers from known plaintext-ciphertext pairs. We show the feasibility of the DL-based cryptanalysis by attacking on lightweight block ciphers such as simplified DES, Simon, and Speck. +e results show that the DL-based cryptanalysis can successfully recover the key bits when the keyspace is restricted to 64 ASCII characters. +e traditional cryptanalysis is generally performed without the keyspace restriction, but only reduced-round variants of Simon and Speck are successfully attacked. Although a text-based key is applied, the proposed DL-based cryptanalysis can successfully break the full rounds of Simon32/64 and Speck32/64. +e results indicate that the DL technology can be a useful tool for the cryptanalysis of block ciphers when the keyspace is restricted.
    [Show full text]
  • Performance Analysis of Advanced Encryption Standard (AES) S-Boxes
    International Journal of Recent Technology and Engineering (IJRTE) ISSN: 2277-3878, Volume-9, Issue-1, May 2020 Performance Analysis of Advanced Encryption Standard (AES) S-boxes Eslam w. afify, Abeer T. Khalil, Wageda I. El sobky, Reda Abo Alez Abstract : The Advanced Encryption Standard (AES) algorithm The fundamental genuine data square length for AES is 128 is available in a wide scope of encryption packages and is the bits that as it might; the key length for AES possibly 128, single straightforwardly accessible cipher insisted by the 192, or 256 bits [2, 3]. The conversation is focused on National Security Agency (NSA), The Rijndael S-box is a Rijndael S-Box yet a huge amount of the trade can in like substitution box S-Box assumes a significant job in the AES manner be associated with the ideal security of block cipher algorithm security. The quality of S-Box relies upon the plan and mathematical developments. Our paper gives an outline of AES and the objective of the cryptanalysis. As follows the paper S-Box investigation, the paper finds that algebraic attack is the is sorted out: Section II gives a detailed analysis of the most security gap of AES S-Box, likewise give a thought structure of the AES. Section III scope in the cryptanalysis regarding distinctive past research to improve the static S- study of algebraic techniques against block ciphers, gives a confines that has been utilized AES, to upgrade the quality of detailed analysis of S-Box algebraic structure and AES Performance by shocking the best S-box.
    [Show full text]
  • Optimization and Guess-Then-Solve Attacks in Cryptanalysis
    Optimization and Guess-then-Solve Attacks in Cryptanalysis Guangyan Song A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy of University College London. Department of Computer Science University College London December 4, 2018 2 I, Guangyan Song, confirm that the work presented in this thesis is my own. Where information has been derived from other sources, I confirm that this has been indicated in the work. Abstract In this thesis we study two major topics in cryptanalysis and optimization: software algebraic cryptanalysis and elliptic curve optimizations in cryptanalysis. The idea of algebraic cryptanalysis is to model a cipher by a Multivariate Quadratic (MQ) equation system. Solving MQ is an NP-hard problem. However, NP-hard prob- lems have a point of phase transition where the problems become easy to solve. This thesis explores different optimizations to make solving algebraic cryptanalysis problems easier. We first worked on guessing a well-chosen number of key bits, a specific opti- mization problem leading to guess-then-solve attacks on GOST cipher. In addition to attacks, we propose two new security metrics of contradiction immunity and SAT immunity applicable to any cipher. These optimizations play a pivotal role in recent highly competitive results on full GOST. This and another cipher Simon, which we cryptanalyzed were submitted to ISO to become a global encryption standard which is the reason why we study the security of these ciphers in a lot of detail. Another optimization direction is to use well-selected data in conjunction with Plaintext/Ciphertext pairs following a truncated differential property.
    [Show full text]
  • 1. Classical Cryptography
    1. Classical Cryptography Some Simple Cryptosystems • Shift Cipher, • Substitution Cipher, • Affine Cipher, • Vigenere Cipher, • Hill Cipher, • Permutation Cipher, • Stream Cipher Modular Arithmetic, Number theory, and Group Cryptanalysis The RSA Cryptosystem 1 Classical Cryptography Definition 1.1: A cryptosystem is a five-tuple (P, C, H, E, D), where the following conditions are satisfied: 1. P is a finite set of possible plaintexts 2. C is a finite set of possible ciphertexts 3. H the keyspace, is a finite set of possible keys 4. For each K H, there is an encryption rule eK E : P C and a corresponding decryption rule dK D: C P such that x C, dK (eK(x)) = x Oscar x y x Alice Encrypter Decrypter Bob Secure chanel K Key source 2 Modular Arithmetic Definition 1.2: Suppose a and b are integers, and m is positive integer. Then we write a b (mod m) if m divides b-a. • a b mod m if and only if (a-b) = km for some k •Zm the equivalence class under mod m • Canonical form Zm = {0,1,2,…,m-1}, we use the positive remainder as the standard representation. • -1 m -1 mod m • (Zm, +, 0) is a Group . + is closed . Associative: (a + b) + c = a + (b + c) . Commutative: a + b = b + a (abelian group) . 0 is the identity for +: a + 0 = a + 0 = a . Additive inverse: (-a) + a = a + (-a) = 0 3 Modular Arithmetic • (Zm, +, , 0, 1) is a Ring . +, are closed . +, are associative and commutative (abelian ring) . Operation distributes over +: a (b + c) = a b + a c .
    [Show full text]
  • Integral Cryptanalysis of the BSPN Block Cipher
    Integral Cryptanalysis of the BSPN Block Cipher Howard Heys Department of Electrical and Computer Engineering Memorial University [email protected] Abstract— In this paper, we investigate the application of inte- and decryption, thereby facilitating efficient implementations gral cryptanalysis to the Byte-oriented Substitution Permutation based on the re-use of components or memory when both Network (BSPN) block cipher. The BSPN block cipher has been encryption and decryption operations are required. In order shown to be an efficient block cipher structure, particularly for environments using 8-bit microcontrollers. In our analysis, to achieve involution, the use of involutory S-boxes and a we are able to show that integral cryptanalysis has limited linear transformation that is an involution are required. For success when applied to BSPN. A first order attack, based on BSPN, as defined in [1], no particular S-box is specified. a deterministic integral, is only applicable to structures with 3 However, the S-box is assumed to be 8 × 8 (where one input or fewer rounds, while higher order attacks and attacks using byte is replaced with an output byte) and must satisfy specific a probabilistic integral were found to be only applicable to structures with 4 or less rounds. Since a typical BSPN block properties, such as involution, small linear bias, and small cipher is recommended to have 8 or more rounds, it is expected maximum differential. that the BSPN structure is resistant to integral cryptanalysis. The BSPN is most notably characterized by its linear transformation, for which a specific function is defined. Let Index Terms— cryptography, block ciphers, cryptanalysis the block size of the cipher be N bytes or 8N bits with Ui = [U ;U ; :::; U ] and V = [V ;V ; :::; V ] representing the I.
    [Show full text]
  • Discrete Square Roots Cryptosystems Rabin Cryptosystem
    CHAPTER 6: OTHER CRYPTOSYSTEMS and BASIC CRYPTOGRAPHY PRIMITIVES A large number of interesting and important cryptosystems have already been designed. In this chapter we present several other of them in order to illustrate other principles and techniques that can be used to design cryptosystems. Part VI At first, we present several cryptosystems security of which is based on the fact that computation of square roots and discrete logarithms is in general infeasible in some Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash groups. functions Secondly, we discuss one of the fundamental questions of modern cryptography: when can a cryptosystem be considered as (computationally) perfectly secure? In order to do that we will: discuss the role randomness play in the cryptography; introduce the very fundamental definitions of perfect security of cryptosystem present some examples of perfectly secure cryptosystems. Finally, we discuss in some details such important cryptography primitives as pseudo-random number generators and hash functions prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 2/66 DISCRETE SQUARE ROOTS CRYPTOSYSTEMS RABIN CRYPTOSYSTEM Let Blum primes p, q are kept secret, and let the Blum integer n = pq be the public key. Encryption: of a plaintext w < n c = w 2 (mod n) Decryption: -briefly It is easy to verify (using Euler’s criterion which says that if c is a quadratic residue (p 1)/2 modulo p, then c − 1 (mod p),) that DISCRETE SQUARE ROOTS CRYPTOSYSTEMS ≡ c(p+1)/4mod p and c(q+1)/4mod q ± ± p+1 p 1 are two square roots of c modulo p and q.
    [Show full text]