DOCSLIB.ORG

On Probability of Success in Linear and Differential Cryptanalysis

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
On Probability of Success in Linear and Differential Cryptanalysis J. Cryptol. (2008) 21: 131–147 DOI: 10.1007/s00145-007-9013-7 On Probability of Success in Linear and Differential Cryptanalysis Ali Aydın Selçuk Department of Computer Engineering, Bilkent University, Ankara, 06800, Turkey [email protected] Communicated by Eli Biham Received 28 April 2003 and revised 7 August 2007 Online publication 14 September 2007 Abstract. Despite their widespread usage in block cipher security, linear and dif- ferential cryptanalysis still lack a robust treatment of their success probability, and the success chances of these attacks have commonly been estimated in a rather ad hoc fashion. In this paper, we present an analytical calculation of the success probability of linear and differential cryptanalytic attacks. The results apply to an extended sense of the term “success” where the correct key is found not necessarily as the highest-ranking candidate but within a set of high-ranking candidates. Experimental results show that the analysis provides accurate results in most cases, especially in linear cryptanalysis. In cases where the results are less accurate, as in certain cases of differential cryptanaly- sis, the results are useful to provide approximate estimates of the success probability and the necessary plaintext requirement. The analysis also reveals that the attacked key length in differential cryptanalysis is one of the factors that affect the success probabil- ity directly besides the signal-to-noise ratio and the available plaintext amount. Key words. Block ciphers, Linear cryptanalysis, Differential cryptanalysis, Success probability, Order statistics. 1. Introduction Differential cryptanalysis (DC) [1] and linear cryptanalysis (LC) [11,12]aretwoofthe most important techniques in block cipher cryptanalysis today. Virtually every mod- ern block cipher has its security checked against these attacks and a number of them have actually been broken. Despite this widespread utilization, evaluation of the suc- cess probability of these attacks is usually done in a rather ad hoc fashion: Success chances of differential attacks are typically evaluated according to the empirical ob- servations based on the “signal-to-noise ratio” [1]. In the case of linear cryptanalysis, arbitrary ciphers are analyzed using Matsui’s results for his DES attacks [11,12], which were in fact carefully calculated for and were specific to those particular attacks. In this paper, we present an analytical, generally applicable calculation of the success probability of linear and differential attacks. Throughout the analysis, a generalized 131 132 A.A. Selçuk definition of the term “success” is dealt with: If an attack on an m-bit key gets the correct value ranked among the top r out of 2m possible candidates, we say the attack obtained an (m − lg r)-bit advantage over exhaustive search. The traditional, more strict definition of success, where the attack discovers the right key as the first candidate, corresponds to obtaining an m-bit advantage over an m-bit key. The analysis presented provides formulas for direct calculation of the success prob- ability of linear and differential attacks. The amount of data required for an attack to achieve a certain success probability can also be calculated through these formulas. Furthermore, the analysis shows that the aimed advantage level—that is, in more tra- ditional terms, the number of key bits attacked—is one of the factors that affect the success probability in differential cryptanalysis directly besides the already established factors of the signal-to-noise ratio and the expected number of right pairs. The notations in the paper common to all sections include φ and for the probabil- ity density and the cumulative distribution functions of the standard normal distribution. Besides, B, N , and P are used for denoting the binomial, normal, and Poisson distrib- utions, respectively. 2. Success Probability in Linear Cryptanalysis Linear cryptanalysis, developed by Matsui [11], is a known-plaintext attack that exploits the statistical correlation among the plaintext, ciphertext, and key bits of a block cipher to discover the encryption key. The first step in a linear attack is to find a linear ap- proximation for the cipher. A linear approximation is a binary equation of the bits of the plaintext, ciphertext, and the key, which holds with a probability p = 1/2. The quantity |p −1/2|, known as the bias, is a measure of correlation among the plaintext, ciphertext, and key bits, and it can be used to distinguish the actual key from random key values. In an attack, the attacker collects a large number of plaintext-ciphertext blocks, and for each possible key value he counts the number of plaintext-ciphertext blocks that satisfy the approximation. Assuming that the bias of the approximation with the right key will be significantly higher than the bias with a random key, the key value that maximizes the bias over the given plaintext sample is taken as the right key. In general, it may be sufficient to have the right key ranked reasonably high among the candidates rather than having it as the absolute highest. For example, in Matsui’s attack on DES, a 26-bit portion of the key was attacked where the right key was ranked among the top 213. In this kind of ranking attacks, all candidates ranked higher than the right key must be tried before the right key can be reached. Each candidate must be checked with all combinations of the remaining, unattacked bits to see if it is the right value. In such an attack, where an m-bit key is attacked and the right key is ranked rth among all 2m candidates, the attack provides a complexity reduction by a factor of 2m−lg r over the exhaustive search. In our analysis, we refer to m − lg r as the advantage provided by the attack. 2.1. Problem Statement Consider the problem where an attacker is interested in getting the right key ranked within the r top candidates among a total of 2m keys, where an m-bit key is attacked, On Probability of Success in Linear and Differential Cryptanalysis 133 with an approximation of probability p,usingN plaintext blocks. Let k0 denote the m m right key and ki, 1 ≤ i ≤ 2 − 1, be the wrong key values, and let n denote 2 − 1. Let Xi = Ti/N − 1/2 and Yi =|Xi|, where Ti is the counter for the plaintexts satisfying the m approximation with key ki .LetWi, 1 ≤ i ≤ 2 − 1, be the Yi,i= 0, sorted in increasing order. That is, W1 is the lowest sample bias |Ti/N − 1/2| obtained among the wrong keys, Wn is the highest. Then, the two conditions for the success of the attack are X0/(p − 1/2)>0, (1) that is, T0/N − 1/2 and p − 1/2 have the same sign, and |X0| >Wn−r+1. (2) In the rest of this analysis, we assume for simplicity that p>1/2.1 Hence, the two conditions become X0 > 0, (3) X0 >Wn−r+1. (4) This modeling of the success probability was originally given by Junod [7], where he derived an expression of the success probability in terms of Euler’s incomplete beta integral assuming that the Ti s are independent and they are identically distributed for i = 0. He also presented a numerical calculation of that expression for Matsui’s 26-bit DES attack [12] assuming that the approximation has a zero bias for a wrong key, i.e., E[Ti/N − 1/2]=0fori = 0. Here, we present a more general calculation of the success probability using the nor- mal approximation for order statistics. Like Junod, we also assume the independence of the Ti counters and a zero bias for the wrong keys. Since the zero bias for the wrong keys is the ideal case for an attacker, the results can be seen as an upper bound for the actual success probability. 2.2. Order Statistics In this section we give a brief review of order statistics, as treated in [13]. Theorem 1, the key for our analysis, states the normal approximation for the order statistics. Definition 1. Let ξ1,ξ2,...,ξn be independent, identically distributed random vari- ∗ ∗ ∗ ables. Arrange the values of ξ1,ξ2,...,ξn in increasing order, resulting in ξ ,ξ ,...,ξn . ∗ 1 2 The statistic ξi is called the i-th order statistic of the sample ξ1,ξ2,...,ξn. Definition 2. For 0 <q<1, the sample quantile of order q is the qn+1-th order ∗ statistic ξqn+1. Theorem 1. Let ξ1,ξ2,...,ξn be independent, identically distributed random vari- ables, with an absolutely continuous distribution function F(x). Suppose that the 1 The corresponding results for the case p<1/2 can easily be obtained by substituting −X0 for X0. 134 A.A. Selçuk density function f(x) = F (x) is continuous and positive on the interval [a,b). If 0 <F(a)<q<F(b)<1, and if i(n) is a sequence of integers such that √ i(n) lim n − q = 0, n→∞ n ∗ ∗ further if ξi denotes i-th order statistic of the sample ξ1,ξ2,...,ξn, then ξi(n) is in the limit normally distributed, i.e., ∗ ξ − μq lim P i(n) <x = (x), →∞ n σq where −1 μq = F (q), 1 q(1 − q) σq = . f(μq ) n Taking i(n) =qn+1, the theorem states that the empirical sample quantile of order q of a sample of n elements is for sufficiently large n nearly normally distributed with − expectation μ = F −1(q) and standard deviation σ = 1 q(1 q). q q f(μq ) n 2.3. Success Probability The sample bias of the right key, X0 = T0/N − 1/2, approximately follows a normal N 2 = − 2 = distribution (μ0,σ0 ) with μ0 p 1/2 and σ0 1/(4N).
Load more

Recommended publications
  • Miss in the Middle
    Miss in the middle By: Gal Leonard Keret Miss in the Middle Attacks on IDEA, Khufu and Khafre • Written by: – Prof. Eli Biham. – Prof. Alex Biryukov. – Prof. Adi Shamir. Introduction • So far we used traditional differential which predict and detect statistical events of highest possible probability. Introduction • A new approach is to search for events with probability one, whose condition cannot be met together (events that never happen). Impossible Differential • Random permutation: 휎 푀0 = 푎푛푦 퐶 표푓 푠푖푧푒 푀0. • Cipher (not perfect): 퐸 푀0 = 푠표푚푒 퐶 표푓 푠푖푧푒 푀0. • Events (푚 ↛ 푐) that never happen distinguish a cipher from a random permutation. Impossible Differential • Impossible events (푚 ↛ 푐) can help performing key elimination. • All the keys that lead to impossibility are obviously wrong. • This way we can filter wrong key guesses and leaving the correct key. Enigma – for example • Some of the attacks on Enigma were based on the observation that letters can not be encrypted to themselves. 퐸푛푖푔푚푎(푀0) ≠ 푀0 In General • (푀0, 퐶1) is a pair. If 푀0 푀0 → 퐶1. • 푀 ↛ 퐶 . 0 0 Some rounds For any key • ∀ 푘푒푦| 퐶1 → 퐶0 ↛ is an impossible key. Cannot lead to 퐶0. Some rounds Find each keys Decrypt 퐶1back to 퐶0. IDEA • International Data Encryption Algorithm. • First described in 1991. • Block cipher. • Symmetric. • Key sizes: 128 bits. • Block sizes: 64 bits. ⊕ - XOR. ⊞ - Addition modulo 216 ⊙ - Multiplication modulo 216+1 Encryption security • Combination of different mathematical groups. • Creation of "incompatibility“: ∗ • 푍216+1 → 푍216 ∗ • 푍216 → 푍216+1 ∗ ∗ Remark: 푍216+1 doesn’t contain 0 like 푍216 , so in 푍216+1 0 will be converted to 216 since 0 ≡ 216(푚표푑 216).
    [Show full text]
  • Miss in the Middle Attacks on IDEA and Khufu
    Miss in the Middle Attacks on IDEA and Khufu Eli Biham? Alex Biryukov?? Adi Shamir??? Abstract. In a recent paper we developed a new cryptanalytic techni- que based on impossible differentials, and used it to attack the Skipjack encryption algorithm reduced from 32 to 31 rounds. In this paper we describe the application of this technique to the block ciphers IDEA and Khufu. In both cases the new attacks cover more rounds than the best currently known attacks. This demonstrates the power of the new cryptanalytic technique, shows that it is applicable to a larger class of cryptosystems, and develops new technical tools for applying it in new situations. 1 Introduction In [5,17] a new cryptanalytic technique based on impossible differentials was proposed, and its application to Skipjack [28] and DEAL [17] was described. In this paper we apply this technique to the IDEA and Khufu cryptosystems. Our new attacks are much more efficient and cover more rounds than the best previously known attacks on these ciphers. The main idea behind these new attacks is a bit counter-intuitive. Unlike tra- ditional differential and linear cryptanalysis which predict and detect statistical events of highest possible probability, our new approach is to search for events that never happen. Such impossible events are then used to distinguish the ci- pher from a random permutation, or to perform key elimination (a candidate key is obviously wrong if it leads to an impossible event). The fact that impossible events can be useful in cryptanalysis is an old idea (for example, some of the attacks on Enigma were based on the observation that letters can not be encrypted to themselves).
    [Show full text]
  • Giza and the Pyramids, Veteran Hosni Mubarak
    An aeroplane flies over the pyramids and Sphinx on the Giza Plateau near Cairo. ARCHAEOLOGY The wonder of the pyramids Andrew Robinson enjoys a volume rounding up research on the complex at Giza, Egypt. n Giza and the Pyramids, veteran Hosni Mubarak. After AERAGRAM 16(2), 8–14; 2015), the tomb’s Egyptologists Mark Lehner and Zahi Mubarak fell from four sides, each a little more than 230 metres Hawass cite an Arab proverb: “Man power during the long, vary by at most just 18.3 centimetres. Ifears time, but time fears the pyramids.” It’s Arab Spring that year, Lehner and Hawass reject the idea that a reminder that the great Egyptian complex Hawass resigned, amid armies of Egyptian slaves constructed the on the Giza Plateau has endured for some controversy. pyramids, as the classical Greek historian four and a half millennia — the last monu- The Giza complex Herodotus suggested. They do, however, ment standing of that classical-era must-see invites speculation embrace the concept that the innovative list, the Seven Wonders of the World. and debate. Its three administrative and social organization Lehner and Hawass have produced an pyramids are the Giza and the demanded by the enormous task of build- astonishingly comprehensive study of the tombs of pharaohs Pyramids ing the complex were key factors in creating excavations and scientific investigations Khufu, Khafre and MARK LEHNER & ZAHI Egyptian civilization. CREATIVE GEOGRAPHIC L. STANFIELD/NATL JAMES that have, over two centuries, uncovered Menkaure, also known HAWASS The authors are also in accord over a the engineering techniques, religious and as Cheops, Chephren Thames & Hudson: theory regarding the purpose of the Giza cultural significance and other aspects of and Mycerinus, 2017.
    [Show full text]
  • Encryption Block Cipher
    10/29/2007 Encryption Encryption Block Cipher Dr.Talal Alkharobi 2 Block Cipher A symmetric key cipher which operates on fixed-length groups of bits, termed blocks, with an unvarying transformation. When encrypting, a block cipher take n-bit block of plaintext as input, and output a corresponding n-bit block of ciphertext. The exact transformation is controlled using a secret key. Decryption is similar: the decryption algorithm takes n-bit block of ciphertext together with the secret key, and yields the original n-bit block of plaintext. Mode of operation is used to encrypt messages longer than the block size. 1 Dr.Talal Alkharobi 10/29/2007 Encryption 3 Encryption 4 Decryption 2 Dr.Talal Alkharobi 10/29/2007 Encryption 5 Block Cipher Consists of two algorithms, encryption, E, and decryption, D. Both require two inputs: n-bits block of data and key of size k bits, The output is an n-bit block. Decryption is the inverse function of encryption: D(E(B,K),K) = B For each key K, E is a permutation over the set of input blocks. n Each key K selects one permutation from the possible set of 2 !. 6 Block Cipher The block size, n, is typically 64 or 128 bits, although some ciphers have a variable block size. 64 bits was the most common length until the mid-1990s, when new designs began to switch to 128-bit. Padding scheme is used to allow plaintexts of arbitrary lengths to be encrypted. Typical key sizes (k) include 40, 56, 64, 80, 128, 192 and 256 bits.
    [Show full text]
  • Foreword by Whitfield Diffie Preface About the Author Chapter 1
    Applied Cryptography: Second Edition - Bruce Schneier Applied Cryptography, Second Edition: Protocols, Algorthms, and Source Code in C by Bruce Schneier Wiley Computer Publishing, John Wiley & Sons, Inc. ISBN: 0471128457 Pub Date: 01/01/96 Foreword By Whitfield Diffie Preface About the Author Chapter 1—Foundations 1.1 Terminology 1.2 Steganography 1.3 Substitution Ciphers and Transposition Ciphers 1.4 Simple XOR 1.5 One-Time Pads 1.6 Computer Algorithms 1.7 Large Numbers Part I—Cryptographic Protocols Chapter 2—Protocol Building Blocks 2.1 Introduction to Protocols 2.2 Communications Using Symmetric Cryptography 2.3 One-Way Functions 2.4 One-Way Hash Functions 2.5 Communications Using Public-Key Cryptography 2.6 Digital Signatures 2.7 Digital Signatures with Encryption 2.8 Random and Pseudo-Random-Sequence Generation Chapter 3—Basic Protocols 3.1 Key Exchange 3.2 Authentication 3.3 Authentication and Key Exchange 3.4 Formal Analysis of Authentication and Key-Exchange Protocols 3.5 Multiple-Key Public-Key Cryptography 3.6 Secret Splitting 3.7 Secret Sharing 3.8 Cryptographic Protection of Databases Chapter 4—Intermediate Protocols 4.1 Timestamping Services 4.2 Subliminal Channel 4.3 Undeniable Digital Signatures 4.4 Designated Confirmer Signatures 4.5 Proxy Signatures 4.6 Group Signatures 4.7 Fail-Stop Digital Signatures 4.8 Computing with Encrypted Data 4.9 Bit Commitment 4.10 Fair Coin Flips 4.11 Mental Poker 4.12 One-Way Accumulators 4.13 All-or-Nothing Disclosure of Secrets Page 1 of 666 Applied Cryptography: Second Edition - Bruce
    [Show full text]
  • Analyses of Curupira Block Cipher
    VIII Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais 89 Analyses of Curupira Block Cipher Jorge Nakahara Jr 1jorge [email protected] Abstract. Curupira is a 96-bit block cipher, with keys of 96, 144 or 192 bits, and variable number of rounds, an algorithm described at SBRC 2007. This paper1 presents impossible-differential, boomerang and higher-order multiset attacks on reduced-round versions of Curupira, that were not previously considered in the security analysis by its designers. Also, we provide security analyses based solely on the block size and on the key size of the cipher, such as plaintext leakage and related-key attacks. Our analyses indicate new attacks on up to 6-round Curupira. 1. Introduction Curupira is a block cipher designed by Barreto and Simpl´ıcio and presented at SBRC 2007 [Barreto and Simpl´ıcio Jr 2007]. This cipher has a Substitution Permutation Net- work (SPN) structure, like the AES [AES 1997] and is based on the wide-trail design strategy [Daemen 1995]. In [Barreto and Simpl´ıcio Jr 2007], the designers of Curupira argued about its security under several attack settings. The best reported attack was the square or saturation attack [Daemen et al. 1997] on up to seven rounds of Curupira, with a complexity smaller than that of an exhaustive key search. In this paper, we describe impossible-differential (ID), boomerang and higher-order multiset attacks on reduced- round versions of Curupira. The motivation for the ID and boomerang attacks are the fact that these techniques exploit the cipher from both the encryption and decryption di- rections, namely, the corresponding distinguishers are based on differentials constructed from both ends of a given cipher.
    [Show full text]
  • Pyramids of the Giza Plateau Pyramid Complexes of Khufu, Khafre, and Menkaure
    Pyramids of the Giza Plateau Pyramid Complexes of Khufu, Khafre, and Menkaure Charles Rigano AuthorHouse™ 1663 Liberty Drive Bloomington, IN 47403 www.authorhouse.com Phone: 1-800-839-8640 © 2014 Charles Rigano. All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted by any means without the written permission of the author. Published by AuthorHouse 05/14/2015 ISBN: 978-1-4969-5249-3 (sc) ISBN: 978-1-4969-5248-6 (e) Any people depicted in stock imagery provided by Thinkstock are models, and such images are being used for illustrative purposes only. Certain stock imagery © Thinkstock. Because of the dynamic nature of the Internet, any web addresses or links contained in this book may have changed since publication and may no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect the views of the publisher, and the publisher hereby disclaims any responsibility for them. Front Cover: - Khufu’s Great Pyramid at dusk as seen from near the Sphinx. Photo by the author. Back Cover: Top - The three Giza Pyramids from close to far: Menkaure and subsidiary pyramids, Khafre, and Khufu. Photo by author. Bottom - Author Charles Rigano with Menkaure’s Pyramid in the background. Author’s photo. Contents Preface The Gizeh Plateau Area Surrounding the Giza Plateau Giza Plateau Pyramid Complexes Chapter 1: The Giza Plateau Chapter 2: Khufu’s Pyramid Exterior Chapter 3: Khufu’s Pyramid Interior Chapter 4: Khufu’s Mortuary Complex Chapter 5: Khufu’s Pyramid – Designing, Closing, and Opening Chapter 6: Khafre’s Pyramid Site Chapter 7: Khafre’s Pyramid Interior Chapter 8: Khafre’s Mortuary Complex Chapter 9: The Sphinx Complex Chapter 10: Menkaure’s Pyramid Exterior Chapter 11: Menkaure’s Pyramid Interior Chapter 12: Menkaure’s Mortuary Complex Appendix: The Tuthmosis IV Stele Between the Sphinx Paws Photo Credits Suggested Reading and References Preface I remember the moment in 1970 that my fascination for Ancient Egypt started.
    [Show full text]
  • 2019: Alexandria, Virginia
    THE 70TH ANNUAL MEETING OF THE AMERICAN RESEARCH CENTER IN EGYPT April 12-14, 2019 Washington, D.C. ANNUAL MEETING OF THE AMERICAN RESEARCH CENTER IN EGYPT April 12-14, 2019 Washington, D.C. U.S. Headquarters 909 North Washington Street, Suite 320 Alexandria, Virginia, 22314 703.721.3479 Cairo Center 2 Midan Simón Bolívar Garden City, Cairo, 11461 20.2.2794.8239 [email protected] 2 3 *Dr. Ahmed Abu-Zayed, Head of Libraries and Archives TABLE CONTENTS Janie Abdul Aziz, Grant Administrator of *Djodi Deutsch, Academic Programs Manager Itinerary 12 Zakaria Yacoub, IT Manager Session Schedule 14 *Sally El Sabbahy, Communications & Outreach Associate *Samira El Adawy, Programs Coordinator Presentation Abstracts 18 Andreas Kostopoulos, Project Archives Specialist Student Poster Abstracts 99 Noha Atef Halim, Assistant Finance Manager Yasser Tharwat, Project Financial & Reporting Manager ARCE STAFF Doaa Adel, Accountant U.S. Staff Salah Metwally, Associate for Governmental Affairs Osama Abdel Fatah Mohamed , Supervising Librarian *Dr. Fatma Ismail, Interim US Operations Director Amira Gamal, Cataloguing Librarian *Michael Wiles, Chief Financial Officier Reda Anwar, Administrative Assistant to Office Manager *Laura Rheintgen, Director of Development Salah Rawash, Security & Reception Coordinator *Dr. Heba Abdel Salam, US Programs Advisor Abdrabou Ali Hassan, Maintenance Assistant & Director’s Driver *Claire Haymes, Board Relations Manager Ahmed Hassan, Senior Traffic Department Officer & Driver *Megan Allday, Annual Meeting Coordinator (Consultant) Ramadan Khalil Abdou, ARCE Representative Ellen Flanagan, US Human Resources Coordinator (Consultant) Mohamed Hassan Mohamed, Transportation Assistant & Messenger *Rebecca Cook, Membership & Development Manager Eid Fawzy, Technical Clerk & Messenger Freddy Feliz, IT Manager Nour Ibrahim, Messenger *Beth Wang, Development & Research Assistant ARCE STAFF ARCE STAFF Cairo Staff Luxor Staff *Dr.
    [Show full text]
  • Petrie, W. M. Flinders. the Pyramids and Temples of Gizeh. London
    THE PYRAMIDS AND TEMPLES OF GIZEH Drawing by F. Petrie W.M FLINDERS PETRIE with an update by ZAHI HAWASS THE PYRAMIDS AND TEMPLES OF GIZEH. GREAT PYRAMID. SMALL PYRAMIDS. PE.R1 BOLUS. SMALL PYRAMIDS. THIRD PYRAMID. PERlBOLUS. EXCAVATION. SEGOND PYRAMID. THE NINE PYRAMIDS OF GIZEH. FROM THE SOUTH . THE PYRAMIDS AND TEMPLES OF GIZEH. BY W. M. FLINDERS PETRIE, Author of "Inductive Metrology," "Stonehenge," "Tanis," &c. NEW AND REVISED EDITION. HISTORIES & MYSTERIES OF MAN LTD. LONDON, ENGLAND 1990 Printed in the U.S.A. © Zahi Hawass Further Titles in Series include: I) BALLAS by J. E. Quibell II) The RAMESSEUM by J. E. Quibell & The Tomb of PTAHHETEP by F. L. L. Griffith III) EL KAB by J. E. Quibell IV) HIERAKONPOLIS I by J. E. Quibell V) HIERAKONPOLIS II by F. W. Green and J. E. Quibell VI) EL ARABAH by J. Garstang VII) MAHASNA by J. Garstang VIII) TEMPLE OF THE KINGS AT ABYDOS by A. St. G. Caulfield IX) The OSIREION by Margaret Alice Murray X) SAQQARA MASTABAS I by Margaret Alice Murray SAQQARA MASTABAS II by Margaret Alice Murray HYKSOS & ISRAELITE CITIES Double Volume by Petrie & Duncan ANCIENT RECORDS OF EGYPT by James Henry Breasted ANCIENT RECORDS OF ASSYRIA by David Luckenbill THE CHRONOLOGY OF ANCIENT KINGDOMS AMENDED by Sir Isaac Newton STONEHENGE by Petrie. Updated by Gerald Hawkins TELL EL HESY (LACHISH) by W. M. Flinders Petrie A HISTORY OF EGYPTIAN ARCHITECTURE by Alexander Badawy For further details please write for catalogue to HISTORIES & MYSTERIES OF MAN LTD. The Glassmill 1, Battersea Bridge Road London SW11 3BG ENGLAND ISBN 1-85417-051-1 THE FIRST EDITION OF THIS WORK WAS PUBLISHED WITH THE ASSISTANCE OF A VOTE OF ONE HUNDRED POUNDS FROM THE GOVERNMENT-GRANT COMMITTEE OF THE ROYAL SOCIETY.
    [Show full text]
  • This Is a Chapter from the Handbook of Applied Cryptography, by A. Menezes, P. Van Oorschot, and S. Vanstone, CRC Press, 1996. F
    This is a Chapter from the Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996. For further information, see www.cacr.math.uwaterloo.ca/hac CRC Press has granted the following specific permissions for the electronic version of this book: Permission is granted to retrieve, print and store a single copy of this chapter for personal use. This permission does not extend to binding multiple chapters of the book, photocopying or producing copies for other than personal use of the person creating the copy, or making electronic copies available for retrieval by others without prior permission in writing from CRC Press. Except where over-ridden by the specific permission above, the standard copyright notice from CRC Press applies to this electronic version: Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher. The consent of CRC Press does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press for such copying. c 1997 by CRC Press, Inc. Chapter 15 Patents and Standards Contents in Brief 15.1 Introduction :::::::::::::::::::::::::::::635 15.2 Patents on cryptographic techniques ::::::::::::::::635 15.3 Cryptographic standards ::::::::::::::::::::::645 15.4 Notes and further references ::::::::::::::::::::657 15.1 Introduction This chapter discusses two topics which have signi®cant impact on the use of cryptogra- phy in practice: patents and standards.
    [Show full text]
  • A New Symmetric Cryptosystem Based on Kronecker's
    KronCrypt - A New Symmetric Cryptosystem Based on Kronecker's Approximation Theorem Carsten Elsner Fachhochschule f¨urdie Wirtschaft, Freundallee 15, 30173 Hannover [email protected] Martin Schmidt Leibniz Universit¨atHannover, Institute of Applied Mathematics, Welfengarten 1, 30167 Hannover [email protected] Abstract. In this paper we show how to use an old mathematical concept of diophantine analysis, the approximation theorem of Kronecker, in symmetric cryptography. As a first practical application we propose and analyze the new symmetric 128-bit block cipher KronCrypt. The cipher is a 4-round Feistel network with a non-bijective round function f made up of a variable number of large key-dependent S-boxes, XORs and modular additions. Its key length is variable but not less than 128 bit. The main innovation of KronCrypt in the area of symmetric cryptography is the fact that the key-dependent S-boxes are based upon a constructive proof of the approximation theorem of Kronecker used as a boolean function. We prove the correctness of our concept in general and show how we designe the new cipher KronCrypt. Furthermore, results concerning statistical behaviour, i.e. confusion, diffusion and completeness, and differential cryptanalysis are presented. 1. Introduction The resumption of old mathematical ideas sometimes led to new concepts in cryptography, e.g. the modular arithmetic and its usage in public-key cryptography and the application of finite fields in AES. A lot of concepts of number theory and algebra influenced new research topics in cryptography or gave rise to new ciphers. In this paper we present a new idea for symmetric cryptography based on a well-known result from diophantine analysis.
    [Show full text]
  • 7.4.2 DES Algorithm DES Is a Feistel Cipher Which Processes Plaintext Blocks of N =64Bits, Producing 64-Bit Ciphertext Blocks (Figure 7.8)
    252 Ch. 7 Block Ciphers 7.4.2 DES algorithm DES is a Feistel cipher which processes plaintext blocks of n =64bits, producing 64-bit ciphertext blocks (Figure 7.8). The effective size of the secret key K is k =56bits; more precisely, the input key K is speci®ed as a 64-bit key, 8 bits of which (bits 8; 16;::: ;64) may be used as parity bits. The 256 keys implement (at most) 256 of the 264! possible bijec- tions on 64-bit blocks. A widely held belief is that the parity bits were introduced to reduce the effective key size from 64 to 56 bits, to intentionally reduce the cost of exhaustive key search by a factor of 256. K K plaintext P 56 56 ciphertext C K 64key 64 −1 PCDESC DES P Figure 7.8: DES input-output. Full details of DES are given in Algorithm 7.82 and Figures 7.9 and 7.10. An overview follows. Encryption proceeds in 16 stages or rounds. From the input key K, sixteen 48-bit subkeys Ki are generated, one for each round. Within each round, 8 ®xed, carefully selected 6-to-4 bit substitution mappings (S-boxes) Si, collectively denoted S, are used. The 64-bit plaintext is divided into 32-bit halves L0 and R0. Each round is functionally equivalent, taking 32-bit inputs Li−1 and Ri−1 from the previous round and producing 32-bit outputs Li and Ri for 1 ≤ i ≤ 16, as follows: Li = Ri−1; (7.4) Ri = Li−1 ⊕ f(Ri−1;Ki); where f(Ri−1;Ki)=P (S(E(Ri−1) ⊕ Ki))(7.5) Here E is a ®xed expansion permutation mapping Ri−1 from 32 to 48 bits (all bits are used once; some are used twice).
    [Show full text]