DOCSLIB.ORG

Some Words on Cryptanalysis of Stream Ciphers Maximov, Alexander

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Some Words on Cryptanalysis of Stream Ciphers Maximov, Alexander Some Words on Cryptanalysis of Stream Ciphers Maximov, Alexander 2006 Link to publication Citation for published version (APA): Maximov, A. (2006). Some Words on Cryptanalysis of Stream Ciphers. Department of Information Technology, Lund Univeristy. Total number of authors: 1 General rights Unless other specific re-use rights are stated the following general rights apply: Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain • You may freely distribute the URL identifying the publication in the public portal Read more about Creative commons licenses: https://creativecommons.org/licenses/ Take down policy If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. LUND UNIVERSITY PO Box 117 221 00 Lund +46 46-222 00 00 Some Words on Cryptanalysis of Stream Ciphers Alexander Maximov Ph.D. Thesis, June 16, 2006 Alexander Maximov Department of Information Technology Lund University Box 118 S-221 00 Lund, Sweden e-mail: [email protected] http://www.it.lth.se/ ISBN: 91-7167-039-4 ISRN: LUTEDX/TEIT-06/1035-SE c Alexander Maximov, 2006 Abstract n the world of cryptography, stream ciphers are known as primitives used Ito ensure privacy over a communication channel. One common way to build a stream cipher is to use a keystream generator to produce a pseudo- random sequence of symbols. In such algorithms, the ciphertext is the sum of the keystream and the plaintext, resembling the one-time pad principal. Although the idea behind stream ciphers is simple, serious investigation of these primitives has started only in the late 20th century. Therefore, crypt- analysis and design of stream ciphers are important. In recent years, many designs of stream ciphers have been proposed in an effort to find a proper candidate to be chosen as a world standard for data encryption. That potential candidate should be proven good by time and by the results of cryptanalysis. Different methods of analysis, in fact, explain how a stream cipher should be constructed. Thus, techniques for cryptanalysis are also important. This thesis starts with an overview of cryptography in general, and in- troduces the reader to modern cryptography. Later, we focus on basic prin- ciples of design and analysis of stream ciphers. Since statistical methods are the most important cryptanalysis techniques, they will be described in detail. The practice of statistical methods reveals several bottlenecks when im- plementing various analysis algorithms. For example, a common property of a cipher to produce n-bit words instead of just bits makes it more natural to perform a multidimensional analysis of such a design. However, in prac- tice, one often has to truncate the words simply because the tools needed for analysis are missing. We propose a set of algorithms and data structures for multidimensional cryptanalysis when distributions over a large probability space have to be constructed. This thesis also includes results of cryptanalysis for various cryptographic primitives, such as A5/1, Grain, SNOW 2.0, Scream, Dragon, VMPC, RC4, and RC4A. Most of these results were achieved with the help of intensive use of the proposed tools for cryptanalysis. iii To my Family Contents Abstract iii Preface xi 1 Introduction 1 1.1 Modern Cryptography in the Digital World ........... 3 1.2 Cryptographic Services . ...................... 4 1.3 Cryptographic Primitives . .................. 6 1.4 Recent History of Cryptography . ........... 8 1.5 Thesis Outline . .......................... 10 2 Symmetric Primitives — Introduction to Stream Ciphers 13 2.1 Definitions of Block and Stream Ciphers . ........... 15 2.2 Designing a Perfect Cipher . .................. 18 2.2.1 Unbreakable Cipher . .................. 18 2.2.2 Alternative Principles for Designs . ........... 19 2.2.3 Confusion and Diffusion .................. 19 2.3 Overview of Block Ciphers . .................. 20 2.4 Stream Ciphers in a Nutshell . .................. 24 2.4.1 General Structure of Stream Ciphers........... 24 2.4.2 Pseudo-Random Number Generators . ....... 27 2.5 Stream Cipher Building Blocks .................. 30 2.5.1 Boolean Functions . .................. 30 2.5.2 Finite Fields . ...................... 34 2.5.3 Linear Feedback Shift Registers . ........... 37 2.5.4 Nonlinear Feedback Shift Registers ........... 42 2.5.5 S-boxes and P-boxes . .................. 43 v vi Contents 3 Techniques for Cryptanalysis 47 3.1 Introduction . .......................... 49 3.1.1 Attack Scenarios ...................... 49 3.1.2 Success Criteria . ...................... 49 3.1.3 Complexity Issues . .................. 50 3.2 Generic Attacks . .......................... 51 3.2.1 Brute-Force Attack . .................. 51 3.2.2 Time-Memory Trade-Offs . ........... 51 3.2.3 Relationship Between the Size of the Key, the IV, And the Internal State ...................... 53 3.3 Hypothesis Testing . ...................... 53 3.3.1 Basic Definitions ...................... 53 3.3.2 Hypothesis Testing in General . ........... 55 3.4 Distinguishing Attacks . ...................... 57 3.4.1 General Idea and Scenario . ........... 58 3.4.2 Assumptions . ...................... 59 3.4.3 Distinguishing via Hypothesis Testing . ....... 60 3.4.4 Distinguisher and Advantage . ........... 61 3.4.5 The Case When Both Noise and Random Distributions are Known .......................... 62 3.4.6 Special Case – Binary Distributions ........... 63 3.4.7 X-Distinguisher for Unknown Noise Distribution . 63 3.4.8 Analysis of the U-Distinguisher . ........... 67 3.4.9 On Distinguishers and Resynchronisation . ....... 70 3.5 Correlation Attacks . ...................... 72 3.5.1 Bit Estimation . ...................... 72 3.5.2 Correlation Attacks on LFSRs with Combiners . 72 3.5.3 LFSR Reconstruction via General Decoding Problem . 73 3.6 Other Attacks . .......................... 75 3.6.1 Differential Cryptanalysis . ........... 75 3.6.2 Algebraic Attacks ...................... 75 3.6.3 Side-Channel Attacks . .................. 76 4 Tools for Cryptanalysis 79 4.1 Pseudo-Linear Functions Modulo 2n ............... 81 4.1.1 A Pseudo-Linear Function Modulo 2n .......... 81 4.1.2 Algorithm for Calculating the Distribution for a PLFM 82 4.2 Distributions of Functions With Arbitrarily Distributed Inputs 90 4.2.1 Convolution over .................... 90 4.2.2 Convolution over ⊕ .................... 91 4.3 Data Structures for Large Distributions and Operations . 92 4.3.1 Data Structure Proposal .................. 92 4.3.2 A PLFM Distribution Construction . ........... 93 Contents vii 4.3.3 A Function Y = F (X) Evaluation Distribution . 93 4.3.4 Convolution over ⊕ .................... 95 4.3.5 Convolution over .................... 96 4.4 Application Example: 32 bit Cryptanalysis of SNOW 2.0 . 96 4.4.1 A Short Description of SNOW 2.0 . ........... 96 4.4.2 Basic Idea Behind the New Attack . ........... 98 4.4.3 Computational Aspects ..................100 4.4.4 Simulation Results and Discussion . ...........100 4.5 Summary . ..............................101 5 Cryptanalysis of A5/1 103 5.1 Description of A5/1 . ......................105 5.2 A Short Description of the Ekdahl-Johansson Attack on A5/1 107 5.3 Explaining the New Attack . ..................109 5.3.1 Statistical Analysis of m Frames . ...........110 5.3.2 Creating Candidate Tables of s(l)-Sequences . 114 5.3.3 Design of Intervals . ..................117 5.3.4 Strategies for Intersection of the Tables ∗ ÌIi ......120 5.4 Simulation Results . ......................121 5.5 Summary . ..............................125 6 Cryptanalysis of VMPC and RC4A. Weakness of RC4-like Ciphers 127 6.1 Introduction . ..........................128 6.1.1 Notation . ..........................128 6.1.2 Cryptanalysis Assumptions . ...........128 6.2 Descriptions of VMPC-k, RC4-k, and RC4A-k .........129 6.3 Investigation of the RC4 Family of Stream Ciphers . 130 6.3.1 Digraphs Approach, on the Instance of VMPC-k ....130 6.3.2 Theoretical Weakness of the RC4 Family of Stream Ci- phers . ..........................133 6.4 Our Distinguisher for VMPC-k ..................135 6.4.1 What Should the Probability of zt = zt+1 =0, When i =0and j =1,Be?.....................135 6.4.2 Calculating Pr{zt = zt+1 =0|i =0}, When j and R[·] are Random. ......................137 6.4.3 Simulations of the Attack on VMPC-k ..........138 6.4.4 Subalgorithm for Algorithm 2 . ...........140 6.5 Our Distinguisher for RC4A-k ..................141 6.5.1 Building a Distinguisher ..................141 6.5.2 Checking the Assumptions . ...........142 6.5.3 Simulations of the Attack on RC4A-k ..........143 6.6 Summary . ..............................143 viii Contents 7 Cryptanalysis of “Scream” 145 7.1 A Short Description of Scream . ..................147 7.2 Preparing a Distinguisher for Scream . ...........151 7.2.1 Ideas for the Distinguisher . ...........151 7.2.2 Assumptions . ......................152 7.2.3 A Distinguisher for Scream . ...........153 7.3 Scream Structure Analysis . ..................155 7.3.1 The F
Load more

Recommended publications
  • Models and Algorithms for Physical Cryptanalysis
    MODELS AND ALGORITHMS FOR PHYSICAL CRYPTANALYSIS Dissertation zur Erlangung des Grades eines Doktor-Ingenieurs der Fakult¨at fur¨ Elektrotechnik und Informationstechnik an der Ruhr-Universit¨at Bochum von Kerstin Lemke-Rust Bochum, Januar 2007 ii Thesis Advisor: Prof. Dr.-Ing. Christof Paar, Ruhr University Bochum, Germany External Referee: Prof. Dr. David Naccache, Ecole´ Normale Sup´erieure, Paris, France Author contact information: [email protected] iii Abstract This thesis is dedicated to models and algorithms for the use in physical cryptanalysis which is a new evolving discipline in implementation se- curity of information systems. It is based on physically observable and manipulable properties of a cryptographic implementation. Physical observables, such as the power consumption or electromag- netic emanation of a cryptographic device are so-called `side channels'. They contain exploitable information about internal states of an imple- mentation at runtime. Physical effects can also be used for the injec- tion of faults. Fault injection is successful if it recovers internal states by examining the effects of an erroneous state propagating through the computation. This thesis provides a unified framework for side channel and fault cryptanalysis. Its objective is to improve the understanding of physi- cally enabled cryptanalysis and to provide new models and algorithms. A major motivation for this work is that methodical improvements for physical cryptanalysis can also help in developing efficient countermea- sures for securing cryptographic implementations. This work examines differential side channel analysis of boolean and arithmetic operations which are typical primitives in cryptographic algo- rithms. Different characteristics of these operations can support a side channel analysis, even of unknown ciphers.
    [Show full text]
  • LNCS 9065, Pp
    Combined Cache Timing Attacks and Template Attacks on Stream Cipher MUGI Shaoyu Du1,4, , Zhenqi Li1, Bin Zhang1,2, and Dongdai Lin3 1 Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing, China 2 State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing, China 3 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China 4 University of Chinese Academy of Sciences, Beijing, China du [email protected] Abstract. The stream cipher MUGI was proposed by Hitachi, Ltd. in 2002 and it was specified as ISO/IEC 18033-4 for keystream genera- tion. Assuming that noise-free cache timing measurements are possible, we give the cryptanalysis of MUGI under the cache attack model. Our simulation results show that we can reduce the computation complexity of recovering all the 1216-bits internal state of MUGI to about O(276) when it is implemented in processors with 64-byte cache line. The at- tack reveals some new inherent weaknesses of MUGI’s structure. The weaknesses can also be used to conduct a noiseless template attack of O(260.51 ) computation complexity to restore the state of MUGI. And then combining these two attacks we can conduct a key-recovery attack on MUGI with about O(230) computation complexity. To the best of our knowledge, it is the first time that the analysis of cache timing attacks and template attacks are applied to full version of MUGI and that these two classes of attacks are combined to attack some cipher.
    [Show full text]
  • (SMC) MODULE of RC4 STREAM CIPHER ALGORITHM for Wi-Fi ENCRYPTION
    InternationalINTERNATIONAL Journal of Electronics and JOURNAL Communication OF Engineering ELECTRONICS & Technology (IJECET),AND ISSN 0976 – 6464(Print), ISSN 0976 – 6472(Online), Volume 6, Issue 1, January (2015), pp. 79-85 © IAEME COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET) ISSN 0976 – 6464(Print) IJECET ISSN 0976 – 6472(Online) Volume 6, Issue 1, January (2015), pp. 79-85 © IAEME: http://www.iaeme.com/IJECET.asp © I A E M E Journal Impact Factor (2015): 7.9817 (Calculated by GISI) www.jifactor.com VHDL MODELING OF THE SRAM MODULE AND STATE MACHINE CONTROLLER (SMC) MODULE OF RC4 STREAM CIPHER ALGORITHM FOR Wi-Fi ENCRYPTION Dr.A.M. Bhavikatti 1 Mallikarjun.Mugali 2 1,2Dept of CSE, BKIT, Bhalki, Karnataka State, India ABSTRACT In this paper, VHDL modeling of the SRAM module and State Machine Controller (SMC) module of RC4 stream cipher algorithm for Wi-Fi encryption is proposed. Various individual modules of Wi-Fi security have been designed, verified functionally using VHDL-simulator. In cryptography RC4 is the most widely used software stream cipher and is used in popular protocols such as Transport Layer Security (TLS) (to protect Internet traffic) and WEP (to secure wireless networks). While remarkable for its simplicity and speed in software, RC4 has weaknesses that argue against its use in new systems. It is especially vulnerable when the beginning of the output key stream is not discarded, or when nonrandom or related keys are used; some ways of using RC4 can lead to very insecure cryptosystems such as WEP . Many stream ciphers are based on linear feedback shift registers (LFSRs), which, while efficient in hardware, are less so in software.
    [Show full text]
  • Exploiting Switching Noise for Stealthy Data Exfiltration from Desktop Computers
    Your Noise, My Signal: Exploiting Switching Noise for Stealthy Data Exfiltration from Desktop Computers Zhihui Shao∗ Mohammad A. Islam∗† Shaolei Ren University of California, Riverside University of Texas at Arlington University of California, Riverside [email protected] [email protected] [email protected] ABSTRACT program’s usage pattern of CPU resources, if detected by another Attacks based on power analysis have been long existing and stud- program, can be modulated for information transfer between the ied, with some recent works focused on data exfiltration from victim two [50, 57]. Consequently, to mitigate data theft risks, enterprise systems without using conventional communications (e.g., WiFi). users commonly have restricted access to outside networks — all Nonetheless, prior works typically rely on intrusive direct power data transfer from and to the outside is tightly scrutinized. measurement, either by implanting meters in the power outlet or Nevertheless, such systems may still suffer from data exfiltration tapping into the power cable, thus jeopardizing the stealthiness of at- attacks that bypass the conventional communications protocols tacks. In this paper, we propose NoDE (Noise for Data Exfiltration), (e.g., WiFi) by transforming the affected computer into a transmitter a new system for stealthy data exfiltration from enterprise desk- and establishing a covert channel. For example, the transmitting top computers. Specifically, NoDE achieves data exfiltration over computer can modulate the intensity of the generated acoustic a building’s power network by exploiting high-frequency voltage noise by varying its cooling fan or hard disk spinning speed to ripples (i.e., switching noises) generated by power factor correction carry 1/0 bit information (e.g., a high fan noise represents “1” and circuits built into today’s computers.
    [Show full text]
  • Ensuring Fast Implementations of Symmetric Ciphers on the Intel Pentium 4 and Beyond
    This may be the author’s version of a work that was submitted/accepted for publication in the following source: Henricksen, Matthew& Dawson, Edward (2006) Ensuring Fast Implementations of Symmetric Ciphers on the Intel Pentium 4 and Beyond. Lecture Notes in Computer Science, 4058, Article number: AISP52-63. This file was downloaded from: https://eprints.qut.edu.au/24788/ c Consult author(s) regarding copyright matters This work is covered by copyright. Unless the document is being made available under a Creative Commons Licence, you must assume that re-use is limited to personal use and that permission from the copyright owner must be obtained for all other uses. If the docu- ment is available under a Creative Commons License (or other specified license) then refer to the Licence for details of permitted re-use. It is a condition of access that users recog- nise and abide by the legal requirements associated with these rights. If you believe that this work infringes copyright please provide details by email to [email protected] Notice: Please note that this document may not be the Version of Record (i.e. published version) of the work. Author manuscript versions (as Sub- mitted for peer review or as Accepted for publication after peer review) can be identified by an absence of publisher branding and/or typeset appear- ance. If there is any doubt, please refer to the published source. https://doi.org/10.1007/11780656_5 Ensuring Fast Implementations of Symmetric Ciphers on the Intel Pentium 4 and Beyond Matt Henricksen and Ed Dawson Information Security Institute, Queensland University of Technology, GPO Box 2434, Brisbane, Queensland, 4001, Australia.
    [Show full text]
  • RC4-2S: RC4 Stream Cipher with Two State Tables
    RC4-2S: RC4 Stream Cipher with Two State Tables Maytham M. Hammood, Kenji Yoshigoe and Ali M. Sagheer Abstract One of the most important symmetric cryptographic algorithms is Rivest Cipher 4 (RC4) stream cipher which can be applied to many security applications in real time security. However, RC4 cipher shows some weaknesses including a correlation problem between the public known outputs of the internal state. We propose RC4 stream cipher with two state tables (RC4-2S) as an enhancement to RC4. RC4-2S stream cipher system solves the correlation problem between the public known outputs of the internal state using permutation between state 1 (S1) and state 2 (S2). Furthermore, key generation time of the RC4-2S is faster than that of the original RC4 due to less number of operations per a key generation required by the former. The experimental results confirm that the output streams generated by the RC4-2S are more random than that generated by RC4 while requiring less time than RC4. Moreover, RC4-2S’s high resistivity protects against many attacks vulnerable to RC4 and solves several weaknesses of RC4 such as distinguishing attack. Keywords Stream cipher Á RC4 Á Pseudo-random number generator This work is based in part, upon research supported by the National Science Foundation (under Grant Nos. CNS-0855248 and EPS-0918970). Any opinions, findings and conclusions or recommendations expressed in this material are those of the author (s) and do not necessarily reflect the views of the funding agencies or those of the employers. M. M. Hammood Applied Science, University of Arkansas at Little Rock, Little Rock, USA e-mail: [email protected] K.
    [Show full text]
  • Effects of Architecture on Information Leakage of a Hardware Advanced Encryption Standard Implementation Eric A
    Air Force Institute of Technology AFIT Scholar Theses and Dissertations Student Graduate Works 9-13-2012 Effects of Architecture on Information Leakage of a Hardware Advanced Encryption Standard Implementation Eric A. Koziel Follow this and additional works at: https://scholar.afit.edu/etd Part of the Computer and Systems Architecture Commons, and the Information Security Commons Recommended Citation Koziel, Eric A., "Effects of Architecture on Information Leakage of a Hardware Advanced Encryption Standard Implementation" (2012). Theses and Dissertations. 1127. https://scholar.afit.edu/etd/1127 This Thesis is brought to you for free and open access by the Student Graduate Works at AFIT Scholar. It has been accepted for inclusion in Theses and Dissertations by an authorized administrator of AFIT Scholar. For more information, please contact [email protected]. EFFECTS OF ARCHITECTURE ON INFORMATION LEAKAGE OF A HARDWARE ADVANCED ENCRYPTION STANDARD IMPLEMENTATION THESIS Eric A. Koziel AFIT/GCO/ENG/12-25 DEPARTMENT OF THE AIR FORCE AIR UNIVERSITY AIR FORCE INSTITUTE OF TECHNOLOGY Wright-Patterson Air Force Base, Ohio APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED The views expressed in this thesis are those of the author and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the United States Government. This material is declared a work of the U.S. Government and is not subject to copyright protection in the United States. AFIT/GCO/ENG/12-25 EFFECTS OF ARCHITECTURE ON INFORMATION LEAKAGE OF A HARDWARE ADVANCED ENCRYPTION STANDARD IMPLEMENTATION THESIS Presented to the Faculty Department of Electrical & Computer Engineering Graduate School of Engineering and Management Air Force Institute of Technology Air University Air Education and Training Command In Partial Fulfillment of the Requirements for the Degree of Master of Science in Cyber Operations Eric A.
    [Show full text]
  • Stream Cipher Designs: a Review
    SCIENCE CHINA Information Sciences March 2020, Vol. 63 131101:1–131101:25 . REVIEW . https://doi.org/10.1007/s11432-018-9929-x Stream cipher designs: a review Lin JIAO1*, Yonglin HAO1 & Dengguo FENG1,2* 1 State Key Laboratory of Cryptology, Beijing 100878, China; 2 State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China Received 13 August 2018/Accepted 30 June 2019/Published online 10 February 2020 Abstract Stream cipher is an important branch of symmetric cryptosystems, which takes obvious advan- tages in speed and scale of hardware implementation. It is suitable for using in the cases of massive data transfer or resource constraints, and has always been a hot and central research topic in cryptography. With the rapid development of network and communication technology, cipher algorithms play more and more crucial role in information security. Simultaneously, the application environment of cipher algorithms is in- creasingly complex, which challenges the existing cipher algorithms and calls for novel suitable designs. To accommodate new strict requirements and provide systematic scientific basis for future designs, this paper reviews the development history of stream ciphers, classifies and summarizes the design principles of typical stream ciphers in groups, briefly discusses the advantages and weakness of various stream ciphers in terms of security and implementation. Finally, it tries to foresee the prospective design directions of stream ciphers. Keywords stream cipher, survey, lightweight, authenticated encryption, homomorphic encryption Citation Jiao L, Hao Y L, Feng D G. Stream cipher designs: a review. Sci China Inf Sci, 2020, 63(3): 131101, https://doi.org/10.1007/s11432-018-9929-x 1 Introduction The widely applied e-commerce, e-government, along with the fast developing cloud computing, big data, have triggered high demands in both efficiency and security of information processing.
    [Show full text]
  • New Developments in Cryptology Outline Outline Block Ciphers AES
    New Developments in Cryptography March 2012 Bart Preneel Outline New developments in cryptology • 1. Cryptology: concepts and algorithms Prof. Bart Preneel • 2. Cryptology: protocols COSIC • 3. Public-Key Infrastructure principles Bart.Preneel(at)esatDOTkuleuven.be • 4. Networking protocols http://homes.esat.kuleuven.be/~preneel • 5. New developments in cryptology March 2012 • 6. Cryptography best practices © Bart Preneel. All rights reserved 1 2 Outline Block ciphers P1 P2 P3 • Block ciphers/stream ciphers • Hash functions/MAC algorithms block block block • Modes of operation and authenticated cipher cipher cipher encryption • How to encrypt/sign using RSA C1 C2 C3 • Multi-party computation • larger data units: 64…128 bits •memoryless • Concluding remarks • repeat simple operation (round) many times 3 3-DES: NIST Spec. Pub. 800-67 AES (2001) (May 2004) S S S S S S S S S S S S S S S S • Single DES abandoned round • two-key triple DES: until 2009 (80 bit security) • three-key triple DES: until 2030 (100 bit security) round MixColumnsS S S S MixColumnsS S S S MixColumnsS S S S MixColumnsS S S S hedule Highly vulnerable to a c round • Block length: 128 bits related key attack • Key length: 128-192-256 . Key S Key . bits round A $ 10M machine that cracks a DES Clear DES DES-1 DES %^C& key in 1 second would take 149 trillion text @&^( years to crack a 128-bit key 1 23 1 New Developments in Cryptography March 2012 Bart Preneel AES variants (2001) AES implementations: • AES-128 • AES-192 • AES-256 efficient/compact • 10 rounds • 12 rounds • 14 rounds • sensitive • classified • secret and top • NIST validation list: 1953 implementations (2008: 879) secret plaintext plaintext plaintext http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html round round.
    [Show full text]
  • Cryptography Weekly Independent Teaching Activities Teaching Credits Hours 4 6
    COURSE OUTLINE (1) GENERAL SCHOOL SCHOOL OF SCIENCES ACADEMIC UNIT DEPARTMENT OF MATHEMATICS LEVEL OF STUDIES UNDERGRADUATE PROGRAM COURSE CODE 311-2003 SEMESTER F COURSE TITLE CRYPTOGRAPHY WEEKLY INDEPENDENT TEACHING ACTIVITIES TEACHING CREDITS HOURS 4 6 COURSE TYPE Special background PREREQUISITE COURSES: NO LANGUAGE OF INSTRUCTION and GREEK EXAMINATIONS: IS THE COURSE OFFERED TO YES ERASMUS STUDENTS COURSE WEBSITE (URL) http://www.math.aegean.gr/index.php/en/academics/undergraduate- programs (2) LEARNING OUTCOMES Learning outcomes In this course the students are introduced to the basic complexity theory and how computational difficulty in solving problems can be exploited to build secure cryptographic protocols. The lectures are, then, focused on some elementary cryptographic schemes like Caesar’s cipher, general substitution ciphers, polyalphabetic ciphers and how they can be broken efficiently. Then the students are introduced to Shannon’s cryptographic principles of confusion and diffusion and how they lead to the Feistel-based block ciphers. Then, as case studies, the block ciphers DES, CAST-128 and AES are presented along with analysis of their security properties. In the middle of the course, the students are introduced to public key cryptography and the RSA, ElGamal scheme and the foundations of Elliptic Curve Cryptography as well as the state of the art in the cryptanalysis of RSA and ECC. The aim of this course is mainly to introduce the students into the basic concepts of cryptography and cryptanalysis. At the end of the course, they could develop and analyse certain cryptographic systems and they could be ready to use and modify certain cryptanalysis techniques.
    [Show full text]
  • Sok: Design Tools for Side-Channel-Aware Implementations
    SoK: Design Tools for Side-Channel-Aware Implementations Ileana Buhan∗, Lejla Batina∗, Yuval Yarom†, and Patrick Schaumont‡ ∗ Radboud University, Digital Security † University of Adelaide and Data61 ‡ Worcester Polytechnic Institute Abstract—Side-channel attacks that leak sensitive information involve collecting side-channel traces, e.g., power traces, from through a computing device’s interaction with its physical envi- the device and analyzing these traces to demonstrate an attack ronment have proven to be a severe threat to devices’ security, or the existence of leaks. While effective, such methodologies particularly when adversaries have unfettered physical access to the device. Traditional approaches for leakage detection measure require the physical device’s presence for evaluation, and this the physical properties of the device. Hence, they cannot be demand poses significant challenges. used during the design process and fail to provide root cause In the pre-silicon stage of the development, the device does analysis. An alternative approach that is gaining traction is to not yet exist; hence it cannot be adequately assessed. Con- automate leakage detection by modeling the device. The demand versely, in the post-silicone stage, detailed design information to understand the scope, benefits, and limitations of the proposed tools intensifies with the increase in the number of proposals. may not be accessible, for example, when using third-party In this SoK, we classify approaches to automated leakage components. Consequently, it may be challenging to identify detection based on the model’s source of truth. We classify the root cause of leakage. Moreover, detecting, verifying, and the existing tools on two main parameters: whether the model mitigating side-channel leaks require expert knowledge and includes measurements from a concrete device and the abstrac- expensive equipment.
    [Show full text]
  • Bad Cryptography Bruce Barnett Who Am I?
    Bad Cryptography Bruce Barnett Who am I? • Security consultant @ NYSTEC • 22 years a research scientist @ GE’s R&D Center • 15 years software developer, system administrator @ GE and Schlumberger • I’m not a cryptographer • I attended a lot of talks at Blackhat/DEFCON • Then I took a course on cryptography……….. Who should attend this talk? • Project Managers • Computer programmers • Those that are currently using cryptography • Those that are thinking about using cryptography in systems and protocols • Security professionals • Penetration testers who don’t know how to test cryptographic systems and want to learn more • … and anybody who is confused by cryptography Something for everyone What this presentation is … • A gentle introduction to cryptography • An explanation why cryptography can’t be just “plugged in” • Several examples of how cryptography can be done incorrectly • A brief description of why certain choices are bad and how to exploit it. • A checklist of warning signs that indicate when “Bad Cryptography” is happening. Example of Bad Cryptography!!! Siren from snottyboy http://soundbible.com/1355-Warning-Siren.html What this talk is not about • No equations • No certificates • No protocols • No mention of SSL/TLS/HTTPS • No quantum cryptography • Nothing that can cause headaches • (Almost) no math used Math: Exclusive Or (XOR) ⊕ Your Cat Your Roommates' Will you have Cat kittens? No kittens No kittens Note that this operator can “go backwards” (invertible) What is encryption and decryption? Plain text Good Morning, Mr. Phelps
    [Show full text]