Block Cipher Cryptanalysis: an Overview


Subhabrata Samajder, Indian Statistical Institute, Kolkata
17th May, 2017

Outline
1 Iterated Block Cipher
2 S-Boxes
3 A Basic Substitution Permutation Network
4 Linear Cryptanalysis
5 Differential Cryptanalysis
6 Appendix

Iterated Block Cipher

A block cipher is a function $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ such that for each $K \in \{0,1\}^k$, the function $E_K(\cdot) = E(K, \cdot)$ is a permutation of $\{0,1\}^n$. The n-bit input to the block cipher is called the plaintext, and the n-bit output of the block cipher is called the ciphertext. The k-bit quantity K is called the secret key.

Iterated Block Cipher (Cont.)

Most practical constructions of block ciphers are obtained by iterating one (or several) functions over several rounds. The secret key is expanded using a function called the Key Scheduling Algorithm (KSA) to obtain the round keys.
Iterated Block Cipher: Designs

Substitution-Permutation Network (SPN)

[Figure: A Basic Substitution Permutation Network (SPN) Cipher (Courtesy: Heys's Tutorial). Plaintext bits P1 ... P16 enter round 1; each round i (i = 1, ..., 4) mixes sub-key k(i) and passes the state through four S-boxes Si1 ... Si4; a final mixing with sub-key k(5) produces ciphertext bits C1 ... C16.]

The substitution must be a bijection to ensure decryption.

Decryption for an SPN is typically done by simply reversing the process of encryption, i.e., using inverse S-boxes, inverse permutations and applying the round keys in reverse order.

Note that some ciphers like Khazad use involutions (f(f(x)) = x) to make encryption and decryption look similar.

Examples: AES (Rijndael), 3-Way, PRESENT, SAFER, SHARK, Square etc.
Feistel Cipher

[Figure: Encryption and Decryption Network of a Basic Feistel Cipher (Courtesy: Wikipedia). Encryption takes the plaintext halves (L0, R0) through rounds with round function F and keys k(0), ..., k(r) to the ciphertext (Rr+1, Lr+1); decryption runs the same network with the keys in reverse order k(r), ..., k(0).]

Feistel Cipher vs. SPN

The main advantage of this type of design is that encryption and decryption are very similar, even identical in some cases, requiring only a reversal of the key schedule.

One advantage of the Feistel cipher over an SPN is that, unlike in an SPN, here the round function F need not be invertible.

Feistel Cipher: Variants and Examples

• Unbalanced Feistel cipher: the two halves are unequal in length.
• Generalised Feistel cipher: the plaintext is divided into more than two parts. Examples: RC6, Skipjack, etc.
• Other examples: Blowfish, DES, FEAL, RC5, LOKI etc.
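As an added example (not code from the slides), the following Python sketch shows the two properties stated above for a balanced Feistel cipher: one network serves for encryption and decryption with only the key schedule reversed, and the round function F is deliberately many-to-one (squaring modulo 2^32) yet decryption still works. The 32-bit halves, the eight rounds, the squaring round function and the rotating key schedule are assumptions made for this example.

```python
"""Toy balanced Feistel cipher: 64-bit block, 32-bit halves, 8 rounds.
Added example; F and the key schedule are constructed, not from the slides."""

MASK32 = 0xFFFFFFFF


def F(r, k):
    """Round function: square the keyed half modulo 2^32.
    This is not a permutation: t and (2^32 - t) have the same square, so F
    is many-to-one. Feistel decryption never needs F^{-1}."""
    t = (r + k) & MASK32
    return (t * t) & MASK32


def key_schedule(master_key, rounds=8):
    """Constructed KSA: rotate the 64-bit master key by 8*i bits and take
    the low 32 bits as round key k(i)."""
    assert 0 <= master_key < 1 << 64
    keys = []
    for i in range(rounds):
        rot = ((master_key << (8 * i)) | (master_key >> (64 - 8 * i)))
        keys.append(rot & MASK32)
    return keys


def feistel_network(left, right, round_keys):
    """The single network: run with k(0..r) to encrypt and with k(r..0) to
    decrypt. The final swap is undone so that the same code inverts itself."""
    for k in round_keys:
        left, right = right, left ^ F(right, k)
    return right, left


def encrypt(block, round_keys):
    l, r = block >> 32, block & MASK32
    l, r = feistel_network(l, r, round_keys)
    return (l << 32) | r


def decrypt(block, round_keys):
    # Identical network, round keys in reverse order.
    l, r = block >> 32, block & MASK32
    l, r = feistel_network(l, r, list(reversed(round_keys)))
    return (l << 32) | r


def f_collision(k):
    """Two distinct right halves with the same F output under key k,
    demonstrating that F is not invertible: r1 + k == -(r2 + k) mod 2^32."""
    for r1 in (1, 2):
        r2 = (-(r1 + 2 * k)) & MASK32
        if r2 != r1:
            return r1, r2
    raise AssertionError("unreachable: at most one of r1=1, r1=2 collides")


def roundtrip_ok(master_key, blocks):
    """True if decrypt(encrypt(b)) == b for every given 64-bit block."""
    rk = key_schedule(master_key)
    return all(decrypt(encrypt(b, rk), rk) == b for b in blocks)


if __name__ == "__main__":
    # Constructed sample key and block.
    rk = key_schedule(0x0123456789ABCDEF)
    c = encrypt(0xDEADBEEFCAFEBABE, rk)
    print(hex(c), hex(decrypt(c, rk)))
```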
Lai-Massey

[Figure: Encryption and Decryption Network of a Basic Lai-Massey Scheme (Courtesy: Wikipedia). The halves (L0, R0) pass through rounds built from the round function F under keys k(0), ..., k(r) and the function H; decryption uses H^{-1} and the keys in reverse order k(r), ..., k(0).]

Lai-Massey (Cont.)

The security properties of the Lai-Massey scheme are similar to those of the Feistel structure. Like the Feistel cipher, it also shares the advantage that the round function F need not be invertible. Example: IDEA.

We will be considering SPN type block ciphers.

Iterated Block Cipher: Attacks

• Algebraic Attacks
  • Buchberger's Algorithm
  • Linearization Technique
  • Relinearization Technique
  • The XL algorithm (XL - eXtended Linearization)
• Slide Attack and Advanced Slide Attack
• ...
Attacks (Cont.)

• Statistical Attacks
  • Distinguishing Attacks
    • Linear Cryptanalysis and variants like Zero-correlation attack
    • Differential Cryptanalysis and variants like Higher Order Differentials, Truncated Differential Cryptanalysis, Impossible Differential Cryptanalysis, Improbable Differential Cryptanalysis, Boomerang Attack
    • Cube Attack
  • Other Attacks
    • Differential-linear attack
    • The Integral or Square attack
    • The Saturation attack
• ...