Modular Arithmetic and Cryptography! Math Circle Thursday January 22, 2015
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Integral Cryptanalysis on Full MISTY1⋆
Integral Cryptanalysis on Full MISTY1? Yosuke Todo NTT Secure Platform Laboratories, Tokyo, Japan [email protected] Abstract. MISTY1 is a block cipher designed by Matsui in 1997. It was well evaluated and standardized by projects, such as CRYPTREC, ISO/IEC, and NESSIE. In this paper, we propose a key recovery attack on the full MISTY1, i.e., we show that 8-round MISTY1 with 5 FL layers does not have 128-bit security. Many attacks against MISTY1 have been proposed, but there is no attack against the full MISTY1. Therefore, our attack is the first cryptanalysis against the full MISTY1. We construct a new integral characteristic by using the propagation characteristic of the division property, which was proposed in 2015. We first improve the division property by optimizing a public S-box and then construct a 6-round integral characteristic on MISTY1. Finally, we recover the secret key of the full MISTY1 with 263:58 chosen plaintexts and 2121 time complexity. Moreover, if we can use 263:994 chosen plaintexts, the time complexity for our attack is reduced to 2107:9. Note that our cryptanalysis is a theoretical attack. Therefore, the practical use of MISTY1 will not be affected by our attack. Keywords: MISTY1, Integral attack, Division property 1 Introduction MISTY [Mat97] is a block cipher designed by Matsui in 1997 and is based on the theory of provable security [Nyb94,NK95] against differential attack [BS90] and linear attack [Mat93]. MISTY has a recursive structure, and the component function has a unique structure, the so-called MISTY structure [Mat96]. -
New Security Proofs for the 3GPP Confidentiality and Integrity
An extended abstract of this paper appears in Fast Software Encryption, FSE 2004, Lecture Notes in Computer Science, W. Meier and B. Roy editors, Springer-Verlag, 2004. This is the full version. New Security Proofs for the 3GPP Confidentiality and Integrity Algorithms Tetsu Iwata¤ Tadayoshi Kohnoy January 26, 2004 Abstract This paper analyses the 3GPP confidentiality and integrity schemes adopted by Universal Mobile Telecommunication System, an emerging standard for third generation wireless commu- nications. The schemes, known as f8 and f9, are based on the block cipher KASUMI. Although previous works claim security proofs for f8 and f90, where f90 is a generalized versions of f9, it was recently shown that these proofs are incorrect. Moreover, Iwata and Kurosawa (2003) showed that it is impossible to prove f8 and f90 secure under the standard PRP assumption on the underlying block cipher. We address this issue here, showing that it is possible to prove f80 and f90 secure if we make the assumption that the underlying block cipher is a secure PRP-RKA against a certain class of related-key attacks; here f80 is a generalized version of f8. Our results clarify the assumptions necessary in order for f8 and f9 to be secure and, since no related-key attacks are known against the full eight rounds of KASUMI, lead us to believe that the confidentiality and integrity mechanisms used in real 3GPP applications are secure. Keywords: Modes of operation, PRP-RKA, f8, f9, KASUMI, security proofs. ¤Dept. of Computer and Information Sciences, Ibaraki University, 4–12–1 Nakanarusawa, Hitachi, Ibaraki 316- 8511, Japan. -
Known and Chosen Key Differential Distinguishers for Block Ciphers
Known and Chosen Key Differential Distinguishers for Block Ciphers Ivica Nikoli´c1?, Josef Pieprzyk2, Przemys law Soko lowski2;3, Ron Steinfeld2 1 University of Luxembourg, Luxembourg 2 Macquarie University, Australia 3 Adam Mickiewicz University, Poland [email protected], [email protected], [email protected], [email protected] Abstract. In this paper we investigate the differential properties of block ciphers in hash function modes of operation. First we show the impact of differential trails for block ciphers on collision attacks for various hash function constructions based on block ciphers. Further, we prove the lower bound for finding a pair that follows some truncated differential in case of a random permutation. Then we present open-key differential distinguishers for some well known round-reduced block ciphers. Keywords: Block cipher, differential attack, open-key distinguisher, Crypton, Hierocrypt, SAFER++, Square. 1 Introduction Block ciphers play an important role in symmetric cryptography providing the basic tool for encryp- tion. They are the oldest and most scrutinized cryptographic tool. Consequently, they are the most trusted cryptographic algorithms that are often used as the underlying tool to construct other cryp- tographic algorithms. One such application of block ciphers is for building compression functions for the hash functions. There are many constructions (also called hash function modes) for turning a block cipher into a compression function. Probably the most popular is the well-known Davies-Meyer mode. Preneel et al. in [27] have considered all possible modes that can be defined for a single application of n-bit block cipher in order to produce an n-bit compression function. -
Differential-Linear Crypt Analysis
Differential-Linear Crypt analysis Susan K. Langfordl and Martin E. Hellman Department of Electrical Engineering Stanford University Stanford, CA 94035-4055 Abstract. This paper introduces a new chosen text attack on iterated cryptosystems, such as the Data Encryption Standard (DES). The attack is very efficient for 8-round DES,2 recovering 10 bits of key with 80% probability of success using only 512 chosen plaintexts. The probability of success increases to 95% using 768 chosen plaintexts. More key can be recovered with reduced probability of success. The attack takes less than 10 seconds on a SUN-4 workstation. While comparable in speed to existing attacks, this 8-round attack represents an order of magnitude improvement in the amount of required text. 1 Summary Iterated cryptosystems are encryption algorithms created by repeating a simple encryption function n times. Each iteration, or round, is a function of the previ- ous round’s oulpul and the key. Probably the best known algorithm of this type is the Data Encryption Standard (DES) [6].Because DES is widely used, it has been the focus of much of the research on the strength of iterated cryptosystems and is the system used as the sole example in this paper. Three major attacks on DES are exhaustive search [2, 71, Biham-Shamir’s differential cryptanalysis [l], and Matsui’s linear cryptanalysis [3, 4, 51. While exhaustive search is still the most practical attack for full 16 round DES, re- search interest is focused on the latter analytic attacks, in the hope or fear that improvements will render them practical as well. -
Introduction to Public Key Cryptography and Clock Arithmetic Lecture Notes for Access 2010, by Erin Chamberlain and Nick Korevaar
1 Introduction to Public Key Cryptography and Clock Arithmetic Lecture notes for Access 2010, by Erin Chamberlain and Nick Korevaar We’ve discussed Caesar Shifts and other mono-alphabetic substitution ciphers, and we’ve seen how easy it can be to break these ciphers by using frequency analysis. If Mary Queen of Scots had known this, perhaps she would not have been executed. It was a long time from Mary Queen of Scots and substitution ciphers until the end of the 1900’s. Cryptography underwent the evolutionary and revolutionary changes which Si- mon Singh chronicles in The Code Book. If you are so inclined and have appropriate leisure time, you might enjoy reading Chapters 2-5, to learn some of these historical cryptography highlights: People came up with more complicated substitution ciphers, for example the Vigen`ere square. This Great Cipher of France baffled people for quite a while but a de- termined cryptographer Etienne Bazeries had a Eureka moment after three years of work, cracked the code, and possibly found the true identity of the Man in the Iron Mask, one of the great mysteries of the seventeeth century. Edgar Allan Poe and Sir Arthur Conan Doyle even dabbled in cryptanalysis. Secrecy was still a problem though because the key needed to be sent, and with the key anyone could encrypt and decrypt the messages. Frequency analysis was used to break all of these codes. In 1918 Scherbius invented his Enigma machine, but Alan Turing’s machine (the first computer?) helped in figuring out that supposedly unbreakable code, and hastened the end of the second World War. -
Modular Arithmetic
CS 70 Discrete Mathematics and Probability Theory Fall 2009 Satish Rao, David Tse Note 5 Modular Arithmetic One way to think of modular arithmetic is that it limits numbers to a predefined range f0;1;:::;N ¡ 1g, and wraps around whenever you try to leave this range — like the hand of a clock (where N = 12) or the days of the week (where N = 7). Example: Calculating the day of the week. Suppose that you have mapped the sequence of days of the week (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday) to the sequence of numbers (0;1;2;3;4;5;6) so that Sunday is 0, Monday is 1, etc. Suppose that today is Thursday (=4), and you want to calculate what day of the week will be 10 days from now. Intuitively, the answer is the remainder of 4 + 10 = 14 when divided by 7, that is, 0 —Sunday. In fact, it makes little sense to add a number like 10 in this context, you should probably find its remainder modulo 7, namely 3, and then add this to 4, to find 7, which is 0. What if we want to continue this in 10 day jumps? After 5 such jumps, we would have day 4 + 3 ¢ 5 = 19; which gives 5 modulo 7 (Friday). This example shows that in certain circumstances it makes sense to do arithmetic within the confines of a particular number (7 in this example), that is, to do arithmetic by always finding the remainder of each number modulo 7, say, and repeating this for the results, and so on. -
8.6 Modular Arithmetic
“mcs” — 2015/5/18 — 1:43 — page 263 — #271 8.6 Modular Arithmetic On the first page of his masterpiece on number theory, Disquisitiones Arithmeticae, Gauss introduced the notion of “congruence.” Now, Gauss is another guy who managed to cough up a half-decent idea every now and then, so let’s take a look at this one. Gauss said that a is congruent to b modulo n iff n .a b/. This is j written a b.mod n/: ⌘ For example: 29 15 .mod 7/ because 7 .29 15/: ⌘ j It’s not useful to allow a modulus n 1, and so we will assume from now on that moduli are greater than 1. There is a close connection between congruences and remainders: Lemma 8.6.1 (Remainder). a b.mod n/ iff rem.a; n/ rem.b; n/: ⌘ D Proof. By the Division Theorem 8.1.4, there exist unique pairs of integers q1;r1 and q2;r2 such that: a q1n r1 D C b q2n r2; D C “mcs” — 2015/5/18 — 1:43 — page 264 — #272 264 Chapter 8 Number Theory where r1;r2 Œ0::n/. Subtracting the second equation from the first gives: 2 a b .q1 q2/n .r1 r2/; D C where r1 r2 is in the interval . n; n/. Now a b.mod n/ if and only if n ⌘ divides the left side of this equation. This is true if and only if n divides the right side, which holds if and only if r1 r2 is a multiple of n. -
The Mathemathics of Secrets.Pdf
THE MATHEMATICS OF SECRETS THE MATHEMATICS OF SECRETS CRYPTOGRAPHY FROM CAESAR CIPHERS TO DIGITAL ENCRYPTION JOSHUA HOLDEN PRINCETON UNIVERSITY PRESS PRINCETON AND OXFORD Copyright c 2017 by Princeton University Press Published by Princeton University Press, 41 William Street, Princeton, New Jersey 08540 In the United Kingdom: Princeton University Press, 6 Oxford Street, Woodstock, Oxfordshire OX20 1TR press.princeton.edu Jacket image courtesy of Shutterstock; design by Lorraine Betz Doneker All Rights Reserved Library of Congress Cataloging-in-Publication Data Names: Holden, Joshua, 1970– author. Title: The mathematics of secrets : cryptography from Caesar ciphers to digital encryption / Joshua Holden. Description: Princeton : Princeton University Press, [2017] | Includes bibliographical references and index. Identifiers: LCCN 2016014840 | ISBN 9780691141756 (hardcover : alk. paper) Subjects: LCSH: Cryptography—Mathematics. | Ciphers. | Computer security. Classification: LCC Z103 .H664 2017 | DDC 005.8/2—dc23 LC record available at https://lccn.loc.gov/2016014840 British Library Cataloging-in-Publication Data is available This book has been composed in Linux Libertine Printed on acid-free paper. ∞ Printed in the United States of America 13579108642 To Lana and Richard for their love and support CONTENTS Preface xi Acknowledgments xiii Introduction to Ciphers and Substitution 1 1.1 Alice and Bob and Carl and Julius: Terminology and Caesar Cipher 1 1.2 The Key to the Matter: Generalizing the Caesar Cipher 4 1.3 Multiplicative Ciphers 6 -
Algebraic and Slide Attacks on Keeloq
Algebraic and Slide Attacks on KeeLoq Nicolas T. Courtois 1 Gregory V. Bard 2 David Wagner 3 1 - University College of London , UK 2 - Fordham University, NY , US 3 - University of California - Berkeley, US Algebraic and Slide Attacks on KeeLoq Roadmap • KeeLoq. • Direct algebraic attacks, – 160 rounds / 528 . Periodic structure => • Slide-Algebraic: – 216 KP and about 253 KeeLoq encryptions. • Slide-Determine: – 223 - 230 KeeLoq encryptions. 2 Courtois, Bard, Wagner, FSE 2008 Algebraic and Slide Attacks on KeeLoq KeeLoq Block cipher used to unlock doors and the alarm in Chrysler, Daewoo, Fiat, GM, Honda, Jaguar, Toyota, Volvo, Volkswagen, etc… 3 Courtois, Bard, Wagner, FSE 2008 Algebraic and Slide Attacks on KeeLoq Our Goal: To learn about cryptanalysis… Real life: brute force attacks with FPGA’s. 4 Courtois, Bard, Wagner, FSE 2008 Algebraic and Slide Attacks on KeeLoq How Much Worth is KeeLoq • Designed in the 80's by Willem Smit. • In 1995 sold to Microchip Inc for more than 10 Million of US$. ?? 5 Courtois, Bard, Wagner, FSE 2008 Algebraic and Slide Attacks on KeeLoq How Secure is KeeLoq According to Microchip, KeeLoq should have “a level of security comparable to DES”. Yet faster. Miserably bad cipher, main reason: its periodic structure: cannot be defended. The complexity of most attacks on KeeLoq does NOT depend on the number of rounds of KeeLoq. 6 Courtois, Bard, Wagner, FSE 2008 Algebraic and Slide Attacks on KeeLoq Remarks • Paying 10 million $ for a proprietary algorithm doesn ’t prevent it from being very weak. • In comparison, RSA Security has offered ( “only ”) 70 K$ as a challenge for breaking RC5. -
TS 135 202 V7.0.0 (2007-06) Technical Specification
ETSI TS 135 202 V7.0.0 (2007-06) Technical Specification Universal Mobile Telecommunications System (UMTS); Specification of the 3GPP confidentiality and integrity algorithms; Document 2: Kasumi specification (3GPP TS 35.202 version 7.0.0 Release 7) 3GPP TS 35.202 version 7.0.0 Release 7 1 ETSI TS 135 202 V7.0.0 (2007-06) Reference RTS/TSGS-0335202v700 Keywords SECURITY, UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice Individual copies of the present document can be downloaded from: http://www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written permission. -
The Enigma History and Mathematics
The Enigma History and Mathematics by Stephanie Faint A thesis presented to the University of Waterloo in fulfilment of the thesis requirement for the degree of Master of Mathematics m Pure Mathematics Waterloo, Ontario, Canada, 1999 @Stephanie Faint 1999 I hereby declare that I am the sole author of this thesis. I authorize the University of Waterloo to lend this thesis to other institutions or individuals for the purpose of scholarly research. I further authorize the University of Waterloo to reproduce this thesis by pho tocopying or by other means, in total or in part, at the request of other institutions or individuals for the purpose of scholarly research. 11 The University of Waterloo requires the signatures of all persons using or pho tocopying this thesis. Please sign below, and give address and date. ill Abstract In this thesis we look at 'the solution to the German code machine, the Enigma machine. This solution was originally found by Polish cryptologists. We look at the solution from a historical perspective, but most importantly, from a mathematical point of view. Although there are no complete records of the Polish solution, we try to reconstruct what was done, sometimes filling in blanks, and sometimes finding a more mathematical way than was originally found. We also look at whether the solution would have been possible without the help of information obtained from a German spy. IV Acknowledgements I would like to thank all of the people who helped me write this thesis, and who encouraged me to keep going with it. In particular, I would like to thank my friends and fellow grad students for their support, especially Nico Spronk and Philippe Larocque for their help with latex. -
Encryption Is Futile: Delay Attacks on High-Precision Clock Synchronization 1
R. ANNESSI, J. FABINI, F.IGLESIAS, AND T. ZSEBY: ENCRYPTION IS FUTILE: DELAY ATTACKS ON HIGH-PRECISION CLOCK SYNCHRONIZATION 1 Encryption is Futile: Delay Attacks on High-Precision Clock Synchronization Robert Annessi, Joachim Fabini, Felix Iglesias, and Tanja Zseby Institute of Telecommunications TU Wien, Austria Email: fi[email protected] Abstract—Clock synchronization has become essential to mod- endanger control decisions, and adversely affect the overall ern societies since many critical infrastructures depend on a functionality of a wide range of (critical) services that depend precise notion of time. This paper analyzes security aspects on accurate time. of high-precision clock synchronization protocols, particularly their alleged protection against delay attacks when clock syn- In recent years, security of clock synchronization received chronization traffic is encrypted using standard network security increased attention as various attacks on clock synchronization protocols such as IPsec, MACsec, or TLS. We use the Precision protocols (and countermeasures) were proposed. For this Time Protocol (PTP), the most widely used protocol for high- reason, clock synchronization protocols need to be secured precision clock synchronization, to demonstrate that statistical whenever used outside of fully trusted network environments. traffic analysis can identify properties that support selective message delay attacks even for encrypted traffic. We furthermore Clock synchronization protocols are specifically susceptible to identify a fundamental conflict in secure clock synchronization delay attacks since the times when messages are sent and between the need of deterministic traffic to improve precision and received have an actual effect on the receiver’s notion of the need to obfuscate traffic in order to mitigate delay attacks.