DOCSLIB.ORG

Better Bounds for Block Cipher Modes of Operation Via Nonce-Based Key Derivation

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Better Bounds for Block Cipher Modes of Operation Via Nonce-Based Key Derivation Session E1: Hardening Crypto CCS’17, October 30-November 3, 2017, Dallas, TX, USA Beer Bounds for Block Cipher Modes of Operation via Nonce-Based Key Derivation Shay Gueron Yehuda Lindell University of Haifa and Amazon Web Services Bar-Ilan University [email protected] [email protected] ABSTRACT block size of 3DES is 64 bits, and thus collisions occur at just 232 Block cipher modes of operation provide a way to securely en- blocks, or 32GB of data, which can be transferred in under an hour crypt using a block cipher. The main factors in analyzing modes on a fast Internet connection, and in seconds within a data center. of operation are the level of security achieved (chosen-plaintext At rst sight, this problem of birthday collisions is a problem security, authenticated encryption, nonce-misuse resistance, and that is only of relevance for 3DES. Modern block ciphers, like AES, 64 so on) and performance. When measuring the security level of a have a block size of 128, and the birthday bound is thus 2 , which mode of operation, it does not suce to consider asymptotics, and corresponds to a whopping 1 million Petabytes of data. However, a concrete analysis is necessary. This is especially the case today, in reality, birthday collisions are a concern, even for AES or other when encryption rates can be very high, and so birthday bounds 128-bit block ciphers. This is because the standard NIST recom- may be approached or even reached. mendation is to stop using a key when the probability of some −32 48 In this paper, we show that key-derivation at every encryp- leakage exceeds 2 . Thus, after encrypting 2 blocks, keys must tion signicantly improves the security bounds in many cases. We be changed. Furthermore, in many popular modes of operation, present a new key-derivation method that utilizes a truncated block birthday bounds are actually reached far earlier. Two important cipher, and show that this is far better than standard block-cipher examples are counter (CTR) mode and AES-GCM, when using ran- based key derivation. We prove that by using our key derivation dom IVs. In both of these case, the standard implementation used a −32 method, we obtain greatly improved bounds for many modes of 96-bit IV, and thus collisions occur in the IV with probability 2 32 operation, with a result that the lifetime of a key can be signicantly after encrypting only 2 dierent messages (with fresh random extended. We demonstrate this for AES-CTR (CPA-security), AES- IVs). Therefore, the number of messages that can be encrypted with GCM (authenticated encryption) and AES-GCM-SIV (nonce-misuse a single key is actually quite low. resistance). Finally, we demonstrate that when using modern hard- A real example – QUIC. QUIC [19] is a new transport protocol ware with AES instructions (AES-NI), the performance penalty of that is designed to improve the performance of connection-oriented deriving keys at each encryption is insignicant for most uses. web applications that are currently using TCP, while providing 1 INTRODUCTION security protection that is comparable to that of TLS. QUIC encrypts “source-address tokens”, with the property that a cluster of servers Block ciphers are a basic building block in encryption. Modes of can recognize them in the future, but without clients being able operation are ways of using block ciphers in order to obtain se- to forge them. Simply adding a MAC would suce, but for future- cure encryption, and have been studied for decades. Nevertheless, proong they should also be condential. All servers can share a new computing settings and threats make the design of new and fairly long-lived secret key, but the servers need to be able to create better modes of operation a very active eld of research. For just these tokens quickly, and independently. Since a central allocation one example, the construction of nonce-misuse resistant modes system for nonces is not operationally viable, random selection of operation, that remain secure even if a nonce repeats, is one of nonces is the only possibility. AES-GCM’s limit of 232 random consideration in the recent CAESAR competition. nonces (per key) suggests that, even if the system rotates these One issue that has recently become a concern is the block size secret keys daily, it could not issue more than about 50K tokens per of block ciphers and the ramication that this has on security. second. However, in order to process DDoS attacks the system may Specically, when a block cipher with block size n is used to encrypt need to be able to issue hundreds of millions of tokens per second. n=2 2 blocks, then birthday collisions occur with high probability, A similar problem arises in TLS with session tickets [2]. Although potentially resulting in a security breach. Although the threat due the demands are signicantly reduced in this context, a limit of 50K to such collisions is often thought to be theoretical in nature, it was tickets per second is still insucient for many sites, and thus plain recently shown that real attacks can be carried out when 3DES is AES-GCM is unsuitable for this as well. used in TLS, because of the small block size [5]. Specically, the Permission to make digital or hard copies of all or part of this work for personal or 1.1 Our Results classroom use is granted without fee provided that copies are not made or distributed for prot or commercial advantage and that copies bear this notice and the full citation We introduce a generic technique for signicantly extending the life- on the rst page. Copyrights for components of this work owned by others than ACM time of a key. The idea is very simple: rst derive a per-message key must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specic permission and/or a by applying a key-derivation function with the master-key and nonce, fee. Request permissions from [email protected]. and then use the per-message key to encrypt the message. Intuitively, CCS’17, Oct. 30–Nov. 3, 2017, Dallas, TX, USA. this ensures that no single key is used too much, and so many more © 2017 ACM. 978-1-4503-4946-8/17/10...$15.00 DOI: 10.1145/3133956.3133992 blocks can be encrypted. Furthermore, it requires only minimal 1019 Session E1: Hardening Crypto CCS’17, October 30-November 3, 2017, Dallas, TX, USA changes to existing schemes, which is important for deployment. we achieve to the bounds of the basic modes without key generation, However, implementing this idea has two major challenges: and show that the lifetime of keys can be greatly extended using (1) On the one hand, key derivation based on a hash function would our technique. To illustrate this, with a standard 96-bit nonce, AES- yield good bounds but is very slow. On the other hand, stan- CTR and AES-GCM can be used to encrypt at most 248 blocks (e.g., dard key derivation based on AES in counter mode yields poor 232 messages of length 216 each), while keeping the adversarial bounds. In particular, collisions would occur with probability advantage below 2−32. In contrast, using our key derivation, the 2−32 after 248 derivations. same modes can be used to encrypt 264 messages of length 216 each, (2) Even if one were to overcome the key derivation bound using a with an adversarial advantage of at most 2−32. block cipher, this would require running an AES key expansion Encryption with a nonce vs a random IV. Throughout this paper, for every message. Standard methods of key expansion, e.g., we refer to a nonce as a non-repeating value that is unique but not aeskeygenassist using the AES-NI instruction, are very slow. necessarily random. This is in contrast to an IV that is considered We address the above challenges and show how to use continual random. It is well known that for modes of operation for which key derivation in an ecient way, and with very good bounds. nonce uniqueness suces (like CTR), if nonce uniqueness can be guaranteed, then this is preferable to choosing a random IV. This Continual key derivation. We indeed use AES-based key deriva- is because random IVs collide at the birthday bound, and possibly tion. However, in contrast to the standard counter-mode based key earlier if the device encrypting has poor entropy. It is interesting to derivation [4], we use a truncated block cipher. For example, in note that our key-derivation method does not increase the number order to derive a 128-bit key, two AES encryptions are computed of messages that one can encrypt, when a random IV is used. This and the key is taken to be the concatenation of the rst half of each is due to the fact that IV collisions still happen with the same output block; likewise, to derive a 256-bit key, four AES encryptions probability, and when they collide the same key and nonce is used are used. The reason that this key derivation is preferable is due even with key derivation. Nevertheless, in these cases, our method to the fact that the “best” key derivation utilizes a pseudorandom does enable one to encrypt longer messages (and so overall many function, whereas block ciphers are pseudorandom permutations. more blocks). However, in the unique nonce setting, where we Thus, as the number of derivations approaches the birthday bound, assume that the parties can guarantee uniqueness (e.g., by keeping the keys derived can no longer be assumed to be random.
Load more

Recommended publications
  • GPU-Based Password Cracking on the Security of Password Hashing Schemes Regarding Advances in Graphics Processing Units
    Radboud University Nijmegen Faculty of Science Kerckhoffs Institute Master of Science Thesis GPU-based Password Cracking On the Security of Password Hashing Schemes regarding Advances in Graphics Processing Units by Martijn Sprengers [email protected] Supervisors: Dr. L. Batina (Radboud University Nijmegen) Ir. S. Hegt (KPMG IT Advisory) Ir. P. Ceelen (KPMG IT Advisory) Thesis number: 646 Final Version Abstract Since users rely on passwords to authenticate themselves to computer systems, ad- versaries attempt to recover those passwords. To prevent such a recovery, various password hashing schemes can be used to store passwords securely. However, recent advances in the graphics processing unit (GPU) hardware challenge the way we have to look at secure password storage. GPU's have proven to be suitable for crypto- graphic operations and provide a significant speedup in performance compared to traditional central processing units (CPU's). This research focuses on the security requirements and properties of prevalent pass- word hashing schemes. Moreover, we present a proof of concept that launches an exhaustive search attack on the MD5-crypt password hashing scheme using modern GPU's. We show that it is possible to achieve a performance of 880 000 hashes per second, using different optimization techniques. Therefore our implementation, executed on a typical GPU, is more than 30 times faster than equally priced CPU hardware. With this performance increase, `complex' passwords with a length of 8 characters are now becoming feasible to crack. In addition, we show that between 50% and 80% of the passwords in a leaked database could be recovered within 2 months of computation time on one Nvidia GeForce 295 GTX.
    [Show full text]
  • Reconsidering the Security Bound of AES-GCM-SIV
    Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Reconsidering the Security Bound of AES-GCM-SIV Tetsu Iwata1 and Yannick Seurin2 1Nagoya University, Japan 2ANSSI, France March 7, 2018 — FSE 2018 T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 1 / 26 Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Summary of the contribution • we reconsider the security of the AEAD scheme AES-GCM-SIV designed by Gueron, Langley, and Lindell • we identify flaws in the designers’ security analysis and propose a new security proof • our findings leads to significantly reduced security claims, especially for long messages • we propose a simple modification to the scheme (key derivation function) improving security without efficiency loss T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 2 / 26 Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Summary of the contribution • we reconsider the security of the AEAD scheme AES-GCM-SIV designed by Gueron, Langley, and Lindell • we identify flaws in the designers’ security analysis and propose a new security proof • our findings leads to significantly reduced security claims, especially for long messages • we propose a simple modification to the scheme (key derivation function) improving security without efficiency loss T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 2 / 26 Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Summary of the contribution • we reconsider the security of the AEAD scheme AES-GCM-SIV designed by Gueron, Langley, and Lindell • we identify flaws in the designers’ security analysis and propose a new security proof • our findings leads to significantly reduced security claims, especially for long messages • we propose a simple modification to the scheme (key derivation function) improving security without efficiency loss T.
    [Show full text]
  • Block Ciphers and the Data Encryption Standard
    Lecture 3: Block Ciphers and the Data Encryption Standard Lecture Notes on “Computer and Network Security” by Avi Kak ([email protected]) January 26, 2021 3:43pm ©2021 Avinash Kak, Purdue University Goals: To introduce the notion of a block cipher in the modern context. To talk about the infeasibility of ideal block ciphers To introduce the notion of the Feistel Cipher Structure To go over DES, the Data Encryption Standard To illustrate important DES steps with Python and Perl code CONTENTS Section Title Page 3.1 Ideal Block Cipher 3 3.1.1 Size of the Encryption Key for the Ideal Block Cipher 6 3.2 The Feistel Structure for Block Ciphers 7 3.2.1 Mathematical Description of Each Round in the 10 Feistel Structure 3.2.2 Decryption in Ciphers Based on the Feistel Structure 12 3.3 DES: The Data Encryption Standard 16 3.3.1 One Round of Processing in DES 18 3.3.2 The S-Box for the Substitution Step in Each Round 22 3.3.3 The Substitution Tables 26 3.3.4 The P-Box Permutation in the Feistel Function 33 3.3.5 The DES Key Schedule: Generating the Round Keys 35 3.3.6 Initial Permutation of the Encryption Key 38 3.3.7 Contraction-Permutation that Generates the 48-Bit 42 Round Key from the 56-Bit Key 3.4 What Makes DES a Strong Cipher (to the 46 Extent It is a Strong Cipher) 3.5 Homework Problems 48 2 Computer and Network Security by Avi Kak Lecture 3 Back to TOC 3.1 IDEAL BLOCK CIPHER In a modern block cipher (but still using a classical encryption method), we replace a block of N bits from the plaintext with a block of N bits from the ciphertext.
    [Show full text]
  • KLEIN: a New Family of Lightweight Block Ciphers
    KLEIN: A New Family of Lightweight Block Ciphers Zheng Gong1, Svetla Nikova1;2 and Yee Wei Law3 1Faculty of EWI, University of Twente, The Netherlands fz.gong, [email protected] 2 Dept. ESAT/SCD-COSIC, Katholieke Universiteit Leuven, Belgium 3 Department of EEE, The University of Melbourne, Australia [email protected] Abstract Resource-efficient cryptographic primitives become fundamental for realizing both security and efficiency in embedded systems like RFID tags and sensor nodes. Among those primitives, lightweight block cipher plays a major role as a building block for security protocols. In this paper, we describe a new family of lightweight block ciphers named KLEIN, which is designed for resource-constrained devices such as wireless sensors and RFID tags. Compared to the related proposals, KLEIN has ad- vantage in the software performance on legacy sensor platforms, while its hardware implementation can be compact as well. Key words. Block cipher, Wireless sensor network, Low-resource implementation. 1 Introduction With the development of wireless communication and embedded systems, we become increasingly de- pendent on the so called pervasive computing; examples are smart cards, RFID tags, and sensor nodes that are used for public transport, pay TV systems, smart electricity meters, anti-counterfeiting, etc. Among those applications, wireless sensor networks (WSNs) have attracted more and more attention since their promising applications, such as environment monitoring, military scouting and healthcare. On resource-limited devices the choice of security algorithms should be very careful by consideration of the implementation costs. Symmetric-key algorithms, especially block ciphers, still play an important role for the security of the embedded systems.
    [Show full text]
  • A Password-Based Key Derivation Algorithm Using the KBRP Method
    American Journal of Applied Sciences 5 (7): 777-782, 2008 ISSN 1546-9239 © 2008 Science Publications A Password-Based Key Derivation Algorithm Using the KBRP Method 1Shakir M. Hussain and 2Hussein Al-Bahadili 1Faculty of CSIT, Applied Science University, P.O. Box 22, Amman 11931, Jordan 2Faculty of Information Systems and Technology, Arab Academy for Banking and Financial Sciences, P.O. Box 13190, Amman 11942, Jordan Abstract: This study presents a new efficient password-based strong key derivation algorithm using the key based random permutation the KBRP method. The algorithm consists of five steps, the first three steps are similar to those formed the KBRP method. The last two steps are added to derive a key and to ensure that the derived key has all the characteristics of a strong key. In order to demonstrate the efficiency of the algorithm, a number of keys are derived using various passwords of different content and length. The features of the derived keys show a good agreement with all characteristics of strong keys. In addition, they are compared with features of keys generated using the WLAN strong key generator v2.2 by Warewolf Labs. Key words: Key derivation, key generation, strong key, random permutation, Key Based Random Permutation (KBRP), key authentication, password authentication, key exchange INTRODUCTION • The key size must be long enough so that it can not Key derivation is the process of generating one or be easily broken more keys for cryptography and authentication, where a • The key should have the highest possible entropy key is a sequence of characters that controls the process (close to unity) [1,2] of a cryptographic or authentication algorithm .
    [Show full text]
  • Chapter 3 – Block Ciphers and the Data Encryption Standard
    Symmetric Cryptography Chapter 6 Block vs Stream Ciphers • Block ciphers process messages into blocks, each of which is then en/decrypted – Like a substitution on very big characters • 64-bits or more • Stream ciphers process messages a bit or byte at a time when en/decrypting – Many current ciphers are block ciphers • Better analyzed. • Broader range of applications. Block vs Stream Ciphers Block Cipher Principles • Block ciphers look like an extremely large substitution • Would need table of 264 entries for a 64-bit block • Arbitrary reversible substitution cipher for a large block size is not practical – 64-bit general substitution block cipher, key size 264! • Most symmetric block ciphers are based on a Feistel Cipher Structure • Needed since must be able to decrypt ciphertext to recover messages efficiently Ideal Block Cipher Substitution-Permutation Ciphers • in 1949 Shannon introduced idea of substitution- permutation (S-P) networks – modern substitution-transposition product cipher • These form the basis of modern block ciphers • S-P networks are based on the two primitive cryptographic operations we have seen before: – substitution (S-box) – permutation (P-box) (transposition) • Provide confusion and diffusion of message Diffusion and Confusion • Introduced by Claude Shannon to thwart cryptanalysis based on statistical analysis – Assume the attacker has some knowledge of the statistical characteristics of the plaintext • Cipher needs to completely obscure statistical properties of original message • A one-time pad does this Diffusion
    [Show full text]
  • Implementation and Performance Analysis of PBKDF2, Bcrypt, Scrypt Algorithms
    Implementation and Performance Analysis of PBKDF2, Bcrypt, Scrypt Algorithms Levent Ertaul, Manpreet Kaur, Venkata Arun Kumar R Gudise CSU East Bay, Hayward, CA, USA. [email protected], [email protected], [email protected] Abstract- With the increase in mobile wireless or data lookup. Whereas, Cryptographic hash functions are technologies, security breaches are also increasing. It has used for building blocks for HMACs which provides become critical to safeguard our sensitive information message authentication. They ensure integrity of the data from the wrongdoers. So, having strong password is that is transmitted. Collision free hash function is the one pivotal. As almost every website needs you to login and which can never have same hashes of different output. If a create a password, it’s tempting to use same password and b are inputs such that H (a) =H (b), and a ≠ b. for numerous websites like banks, shopping and social User chosen passwords shall not be used directly as networking websites. This way we are making our cryptographic keys as they have low entropy and information easily accessible to hackers. Hence, we need randomness properties [2].Password is the secret value from a strong application for password security and which the cryptographic key can be generated. Figure 1 management. In this paper, we are going to compare the shows the statics of increasing cybercrime every year. Hence performance of 3 key derivation algorithms, namely, there is a need for strong key generation algorithms which PBKDF2 (Password Based Key Derivation Function), can generate the keys which are nearly impossible for the Bcrypt and Scrypt.
    [Show full text]
  • Speeding up Linux Disk Encryption Ignat Korchagin @Ignatkn $ Whoami
    Speeding Up Linux Disk Encryption Ignat Korchagin @ignatkn $ whoami ● Performance and security at Cloudflare ● Passionate about security and crypto ● Enjoy low level programming @ignatkn Encrypting data at rest The storage stack applications @ignatkn The storage stack applications filesystems @ignatkn The storage stack applications filesystems block subsystem @ignatkn The storage stack applications filesystems block subsystem storage hardware @ignatkn Encryption at rest layers applications filesystems block subsystem SED, OPAL storage hardware @ignatkn Encryption at rest layers applications filesystems LUKS/dm-crypt, BitLocker, FileVault block subsystem SED, OPAL storage hardware @ignatkn Encryption at rest layers applications ecryptfs, ext4 encryption or fscrypt filesystems LUKS/dm-crypt, BitLocker, FileVault block subsystem SED, OPAL storage hardware @ignatkn Encryption at rest layers DBMS, PGP, OpenSSL, Themis applications ecryptfs, ext4 encryption or fscrypt filesystems LUKS/dm-crypt, BitLocker, FileVault block subsystem SED, OPAL storage hardware @ignatkn Storage hardware encryption Pros: ● it’s there ● little configuration needed ● fully transparent to applications ● usually faster than other layers @ignatkn Storage hardware encryption Pros: ● it’s there ● little configuration needed ● fully transparent to applications ● usually faster than other layers Cons: ● no visibility into the implementation ● no auditability ● sometimes poor security https://support.microsoft.com/en-us/help/4516071/windows-10-update-kb4516071 @ignatkn Block
    [Show full text]
  • Security Policy: Informacast Java Crypto Library
    FIPS 140-2 Non-Proprietary Security Policy: InformaCast Java Crypto Library FIPS 140-2 Non-Proprietary Security Policy InformaCast Java Crypto Library Software Version 3.0 Document Version 1.2 June 26, 2017 Prepared For: Prepared By: Singlewire Software SafeLogic Inc. 1002 Deming Way 530 Lytton Ave, Suite 200 Madison, WI 53717 Palo Alto, CA 94301 www.singlewire.com www.safelogic.com Document Version 1.2 © Singlewire Software Page 1 of 35 FIPS 140-2 Non-Proprietary Security Policy: InformaCast Java Crypto Library Abstract This document provides a non-proprietary FIPS 140-2 Security Policy for InformaCast Java Crypto Library. Document Version 1.2 © Singlewire Software Page 2 of 35 FIPS 140-2 Non-Proprietary Security Policy: InformaCast Java Crypto Library Table of Contents 1 Introduction .................................................................................................................................................. 5 1.1 About FIPS 140 ............................................................................................................................................. 5 1.2 About this Document.................................................................................................................................... 5 1.3 External Resources ....................................................................................................................................... 5 1.4 Notices .........................................................................................................................................................
    [Show full text]
  • Key Derivation Functions and Their GPU Implementation
    MASARYK UNIVERSITY FACULTY}w¡¢£¤¥¦§¨ OF I !"#$%&'()+,-./012345<yA|NFORMATICS Key derivation functions and their GPU implementation BACHELOR’S THESIS Ondrej Mosnáˇcek Brno, Spring 2015 This work is licensed under a Creative Commons Attribution- NonCommercial-ShareAlike 4.0 International License. https://creativecommons.org/licenses/by-nc-sa/4.0/ cbna ii Declaration Hereby I declare, that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Ondrej Mosnáˇcek Advisor: Ing. Milan Brož iii Acknowledgement I would like to thank my supervisor for his guidance and support, and also for his extensive contributions to the Cryptsetup open- source project. Next, I would like to thank my family for their support and pa- tience and also to my friends who were falling behind schedule just like me and thus helped me not to panic. Last but not least, access to computing and storage facilities owned by parties and projects contributing to the National Grid In- frastructure MetaCentrum, provided under the programme “Projects of Large Infrastructure for Research, Development, and Innovations” (LM2010005), is also greatly appreciated. v Abstract Key derivation functions are a key element of many cryptographic applications. Password-based key derivation functions are designed specifically to derive cryptographic keys from low-entropy sources (such as passwords or passphrases) and to counter brute-force and dictionary attacks. However, the most widely adopted standard for password-based key derivation, PBKDF2, as implemented in most applications, is highly susceptible to attacks using Graphics Process- ing Units (GPUs).
    [Show full text]
  • A Block Cipher Algorithm to Enhance the Avalanche Effect Using Dynamic Key- Dependent S-Box and Genetic Operations 1Balajee Maram and 2J.M
    International Journal of Pure and Applied Mathematics Volume 119 No. 10 2018, 399-418 ISSN: 1311-8080 (printed version); ISSN: 1314-3395 (on-line version) url: http://www.ijpam.eu Special Issue ijpam.eu A Block Cipher Algorithm to Enhance the Avalanche Effect Using Dynamic Key- Dependent S-Box and Genetic Operations 1Balajee Maram and 2J.M. Gnanasekar 1Department of CSE, GMRIT, Rajam, India. Research and Development Centre, Bharathiar University, Coimbatore. [email protected] 2Department of Computer Science & Engineering, Sri Venkateswara College of Engineering, Sriperumbudur Tamil Nadu. [email protected] Abstract In digital data security, an encryption technique plays a vital role to convert digital data into intelligible form. In this paper, a light-weight S- box is generated that depends on Pseudo-Random-Number-Generators. According to shared-secret-key, all the Pseudo-Random-Numbers are scrambled and input to the S-box. The complexity of S-box generation is very simple. Here the plain-text is encrypted using Genetic Operations and S-box which is generated based on shared-secret-key. The proposed algorithm is experimentally investigates the complexity, quality and performance using the S-box parameters which includes Hamming Distance, Balanced Output and the characteristic of cryptography is Avalanche Effect. Finally the comparison results motivates that the dynamic key-dependent S-box has good quality and performance than existing algorithms. 399 International Journal of Pure and Applied Mathematics Special Issue Index Terms:S-BOX, data security, random number, cryptography, genetic operations. 400 International Journal of Pure and Applied Mathematics Special Issue 1. Introduction In public network, several types of attacks1 can be avoided by applying Data Encryption/Decryption2.
    [Show full text]
  • A Tutorial on the Implementation of Block Ciphers: Software and Hardware Applications
    A Tutorial on the Implementation of Block Ciphers: Software and Hardware Applications Howard M. Heys Memorial University of Newfoundland, St. John's, Canada email: [email protected] Dec. 10, 2020 2 Abstract In this article, we discuss basic strategies that can be used to implement block ciphers in both software and hardware environments. As models for discussion, we use substitution- permutation networks which form the basis for many practical block cipher structures. For software implementation, we discuss approaches such as table lookups and bit-slicing, while for hardware implementation, we examine a broad range of architectures from high speed structures like pipelining, to compact structures based on serialization. To illustrate different implementation concepts, we present example data associated with specific methods and discuss sample designs that can be employed to realize different implementation strategies. We expect that the article will be of particular interest to researchers, scientists, and engineers that are new to the field of cryptographic implementation. 3 4 Terminology and Notation Abbreviation Definition SPN substitution-permutation network IoT Internet of Things AES Advanced Encryption Standard ECB electronic codebook mode CBC cipher block chaining mode CTR counter mode CMOS complementary metal-oxide semiconductor ASIC application-specific integrated circuit FPGA field-programmable gate array Table 1: Abbreviations Used in Article 5 6 Variable Definition B plaintext/ciphertext block size (also, size of cipher state) κ number
    [Show full text]