Introduction to Modern Cryptography


Mihir Bellare
Department of Computer Science and Engineering, University of California at San Diego, La Jolla, CA 92093, USA. http://www-cse.ucsd.edu/users/mihir

Phillip Rogaway
Department of Computer Science, Kemper Hall of Engineering, University of California at Davis, Davis, CA 95616, USA; and Department of Computer Science, Faculty of Science, Chiang Mai University, Chiang Mai, 50200 Thailand. http://www.cs.ucdavis.edu/~rogaway

May 11, 2005

Preface

This is a set of class notes that we have been developing jointly for some years. We use them for cryptography courses that we teach at our respective institutions. Each time one of us teaches the class, he takes the token and updates the notes a bit. The process has resulted in an evolving document that has lots of gaps, as well as plenty of “unharmonized” parts. One day it will, with luck, be complete and cogent.

The viewpoint taken throughout these notes is to emphasize the theory of cryptography as it can be applied to practice. This is an approach that the two of us have pursued in our research, and it seems to be a pedagogically desirable approach as well.

We would like to thank the following students of past versions of our courses who have pointed out errors and made suggestions for changes: Andre Barroso, Keith Bell, Kostas Bimpikis, Alexandra Boldyreva, Dustin Boswell, Brian Buesker, Michael Burton, Chris Calabro, Sashka Davis, Alex Gantman, Bradley Huffaker, Hyun Min Kang, Vivek Manpuria, Chanathip Namprempre, Adriana Palacio, Wenjing Rao, Fritz Schneider, Juliana Wong.

We welcome further corrections, comments and suggestions.

Mihir Bellare, San Diego, California USA
Phillip Rogaway, Davis, California USA

© Mihir Bellare and Phillip Rogaway, 1997–2005.

Contents

1 Introduction
    1.1 Goals and settings
    1.2 Other goals
    1.3 What cryptography is about
    1.4 Approaches to the study of cryptography
    1.5 What background do I need?
    1.6 Problems
2 Classical Encryption
    2.1 Substitution ciphers
    2.2 One-time-pad encryption
    2.3 Problems
3 Blockciphers
    3.1 What is a blockcipher?
    3.2 Data Encryption Standard (DES)
    3.3 Key recovery attacks on blockciphers
    3.4 Iterated-DES and DESX
    3.5 Advanced Encryption Standard (AES)
    3.6 Limitations of key-recovery based security
    3.7 Problems
4 Pseudorandom Functions
    4.1 Function families
    4.2 Random functions and permutations
    4.3 Pseudorandom functions
    4.4 Pseudorandom permutations
    4.5 Modeling blockciphers
    4.6 Example attacks
    4.7 Security against key recovery
    4.8 The birthday attack
    4.9 The PRP/PRF switching lemma
    4.10 Unix one-way function
    4.11 Historical notes
    4.12 Problems
5 Symmetric Encryption
    5.1 Symmetric encryption schemes
    5.2 Some symmetric encryption schemes
    5.3 Issues in privacy
    5.4 Indistinguishability under chosen-plaintext attack
    5.5 Example chosen-plaintext attacks
    5.6 Semantic security
    5.7 Security of CTR modes
    5.8 Security of CBC with a random IV
    5.9 Indistinguishability under chosen-ciphertext attack
    5.10 Example chosen-ciphertext attacks
    5.11 Historical notes
    5.12 Problems
6 Hash Functions
    6.1 The hash function SHA1
    6.2 Collision-resistant hash functions
    6.3 Collision-finding attacks
    6.4 One-wayness of collision-resistant hash functions
    6.5 The MD transform
7 Message Authentication
    7.1 The setting
    7.2 Privacy does not imply authenticity
    7.3 Syntax for message authentication
    7.4 Definitions of security
    7.5 Examples
    7.6 The PRF-as-a-MAC paradigm
    7.7 The CBC MAC
    7.8 The universal-hashing approach
    7.9 Problems
8 Authenticated Encryption
9 Computational Number Theory
    9.1 The basic groups
    9.2 Algorithms
    9.3 Cyclic groups and generators
    9.4 Squares and non-squares
    9.5 Groups of prime order
    9.6 Historical Notes
    9.7 Exercises and Problems
10 Number-Theoretic Primitives
    10.1 Discrete logarithm related problems
    10.2 The choice of group
    10.3 The RSA system
    10.4 Historical notes
    10.5 Exercises and Problems
11 Asymmetric Encryption
    11.1 Asymmetric encryption schemes
    11.2 Notions of security
    11.3 One encryption query or many?
    11.4 Hybrid encryption
    11.5 ElGamal scheme and its variants
12 Digital signatures
    12.1 Digital signature schemes
    12.2 A notion of security
    12.3 RSA based signatures
13 Authenticated Key Exchange
14 The Asymptotic Approach
15 Interactive Proofs and Zero Knowledge
    15.1 Introduction
    15.2 Interactive functions and the accepting probability
    15.3 Proofs of language-membership
    15.4 NP proof-systems
    15.5 Exercises and Problems
A The Birthday Problem
B Information-Theoretic Security

Chapter 1

Introduction

Historically, cryptography arose as a means to enable parties to maintain privacy of the information they send to each other, even in the presence of an adversary with access to the communication channel. While providing privacy remains a central goal, the field has expanded to encompass many others, including not just other goals of communication security, such as guaranteeing integrity and authenticity of communications, but many more sophisticated and fascinating goals.

Once largely the domain of the military, cryptography is now in widespread use, and you are likely to have used it even if you don’t know it. When you shop on the Internet, for example to buy a book at www.amazon.com, cryptography is used to ensure privacy of your credit card number as it travels from you to the shop’s server. Or, in electronic banking, cryptography is used to ensure that your checks cannot be forged.

Cryptography has been used almost since writing was invented. For the larger part of its history, cryptography remained an art, a game of ad hoc designs and attacks. Although the field retains some of this flavor, the last twenty-five years have brought in something new. The art of cryptography has now been supplemented with a legitimate science. In this course we shall focus on that science, which is modern cryptography.

Modern cryptography is a remarkable discipline. It is a cornerstone of computer and communications security, with end products that are eminently practical. Yet its study touches on branches of mathematics that may have been considered esoteric, and it brings together fields like number theory, computational-complexity theory, and probability theory. This course is your invitation to this fascinating field.

1.1 Goals and settings

Modern cryptography addresses a wide range of problems. But the most basic problem remains the classical one of ensuring security of communication across an insecure medium. To describe it, let’s introduce the first two members of our cast of characters: our sender, S, and our receiver, R. (Sometimes people call these characters Alice, A, and Bob, B. Alice and Bob figure in many works on cryptography. But we’re going to want the