DES-X (or DESX)

DES-X is a 64-bit block cipher with a 2·64 + 56 = 184-bit key, which is a simple extension of DES. The construction was suggested by Rivest in 1984 in order to overcome the problem of the short 56-bit key size, which made the cipher vulnerable to exhaustive key search. The idea is simply to XOR a secret 64-bit key K1 to the input of DES and to XOR another secret 64-bit key K2 to the output of DES:

C = K2 ⊕ DES_K(P ⊕ K1).

The keys K1, K2 are called whitening keys and are a popular element of modern cipher design. The construction itself goes back to the work of Shannon [5, p. 713], who suggested using a fixed mixing permutation whose input and output are masked by secret keys. This construction has been shown to have provable security by Even and Mansour [4] if the underlying permutation is pseudorandom (i.e. computationally indistinguishable from a random permutation). A thorough study of DES-X was given in the work of Kilian and Rogaway [3], which builds on [4] and uses a black-box model of security. The currently best attack on DES-X is a known-plaintext slide attack discovered by Biryukov and Wagner [1], which has a complexity of 2^32.5 known plaintexts and 2^87.5 time of analysis. Moreover, the attack is easily converted into a ciphertext-only attack with the same data complexity and 2^95 offline time complexity. These attacks are mainly of theoretical interest due to their high time complexities. However, the attack is generic and would work for any cipher F used together with pre- and post-whitening, with complexity 2^((n+1)/2) known plaintexts and 2^(k+(n+1)/2) time steps (here n is the block size and k is the key size of the internal cipher F). A related-key attack on DES-X is given in [6]. The best conventional attack, which exploits the internal structure of DES, would be a linear cryptanalysis attack using 2^61 known plaintexts [2]. – Alex Biryukov
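The whitening construction C = K2 ⊕ F_K(P ⊕ K1) is generic: it wraps any block cipher F. The following is an added example, not code from the encyclopedia entry. Because a full DES implementation is long and the point is the wrapper, a constructed 64-bit Feistel toy (round function derived from SHA-256, four rounds) stands in for DES; the names toy_encrypt, whiten_encrypt and whitened_key_bits and the sample keys are all assumptions of this example.

```python
import hashlib

ROUNDS = 4
MASK32 = (1 << 32) - 1


def _round_function(key: bytes, rnd: int, half: int) -> int:
    # Keyed 32-bit round function derived from SHA-256 (assumption: any keyed
    # function would do for a stand-in; real DES uses its own f-function).
    data = key + bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def toy_encrypt(key: bytes, block: int) -> int:
    """Toy 64-bit Feistel cipher standing in for DES (constructed for this example, NOT DES)."""
    left, right = block >> 32, block & MASK32
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round_function(key, rnd, right)
    return (left << 32) | right


def toy_decrypt(key: bytes, block: int) -> int:
    """Inverse of toy_encrypt: same rounds applied in reverse order."""
    left, right = block >> 32, block & MASK32
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round_function(key, rnd, left), left
    return (left << 32) | right


def whiten_encrypt(cipher, k1: int, k: bytes, k2: int, p: int) -> int:
    """C = K2 xor F_K(P xor K1): the DES-X / Even-Mansour whitening construction
    around an arbitrary block cipher F (passed in as a function)."""
    return k2 ^ cipher(k, p ^ k1)


def whiten_decrypt(cipher_inv, k1: int, k: bytes, k2: int, c: int) -> int:
    """P = F_K^{-1}(C xor K2) xor K1: strip the post-whitening, decrypt, strip the pre-whitening."""
    return cipher_inv(k, c ^ k2) ^ k1


def whitened_key_bits(block_bits: int, inner_key_bits: int) -> int:
    """Nominal key length: pre-whitening key + inner key + post-whitening key (184 for DES-X)."""
    return 2 * block_bits + inner_key_bits


def demo() -> int:
    # Constructed sample keys and plaintext (not taken from any real deployment)
    k = bytes.fromhex("0123456789abcd")   # 56-bit inner key, as for DES
    k1 = 0x0F1E2D3C4B5A6978                # 64-bit pre-whitening key
    k2 = 0x1122334455667788                # 64-bit post-whitening key
    p = int.from_bytes(b"DESX-blk", "big")
    c = whiten_encrypt(toy_encrypt, k1, k, k2, p)
    assert whiten_decrypt(toy_decrypt, k1, k, k2, c) == p
    # With zero whitening keys the construction collapses to the inner cipher
    assert whiten_encrypt(toy_encrypt, 0, k, 0, p) == toy_encrypt(k, p)
    print(f"whitened key length: {whitened_key_bits(64, 56)} bits, C = {c:016x}")
    return c


if __name__ == "__main__":
    demo()
```

The wrapper takes the cipher as a parameter to make the entry's point visible: nothing in whiten_encrypt depends on DES, which is exactly why the Biryukov-Wagner slide attack and the Kilian-Rogaway security bound are stated for a generic F with block size n and key size k.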
References

[1] A. Biryukov, D. Wagner, Advanced Slide Attacks, Lecture Notes in Computer Science 1807, Advances in Cryptology – EUROCRYPT 2000, pp. 589–606, Springer-Verlag, 2000.
[2] B. Kaliski, M. Robshaw, Multiple encryption: weighing security and performance, Dr. Dobb's Journal, pp. 123–127, Vol. 1, 1996.
[3] J. Kilian, P. Rogaway, How to Protect Against Exhaustive Key Search, Lecture Notes in Computer Science 1109, Advances in Cryptology – CRYPTO'96, pp. 252–267, Springer-Verlag, 1996.
[4] S. Even, Y. Mansour, A Construction of a Cipher from a Single Pseudorandom Permutation, Journal of Cryptology, Vol. 10, No. 3, pp. 151–161, Springer-Verlag, 1997.
[5] C. Shannon, Communication Theory of Secrecy Systems, Bell Sys. Tech. J., Vol. 28, pp. 656–715, October 1949. (A declassified report from 1945.)
[6] J. Kelsey, B. Schneier, D. Wagner, Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA, Proceedings of ICICS, pp. 233–246, 1997.

Ciphertext-Only Attack

The ciphertext-only attack scenario assumes that the attacker has only the passive capability to listen to the encrypted communication. The attacker thus knows only the ciphertexts Ci, i = 1, ..., N, but not their corresponding plaintexts. He may however rely on certain redundancy assumptions about the plaintexts, for example that the plaintext is ASCII-encoded English text. This scenario is the weakest in terms of the capabilities of the attacker, and thus it is the most practical in real-life applications. In certain cases the conversion of a known-plaintext attack [2] or even a chosen-plaintext attack [1] into a ciphertext-only attack is possible.

References

[1] A. Biryukov and E. Kushilevitz, "From differential cryptanalysis to ciphertext-only attacks," in Advances in Cryptology – CRYPTO'98 (H. Krawczyk, ed.), vol. 1462 of Lecture Notes in Computer Science, pp. 72–88, Springer-Verlag, 1998.
[2] M. Matsui, "Linear cryptanalysis method for DES cipher," in Advances in Cryptology – EUROCRYPT'93 (T. Helleseth, ed.), vol. 765 of Lecture Notes in Computer Science, pp. 386–397, Springer-Verlag, 1993.

Codebook Attack

The codebook attack is an example of a known-plaintext attack scenario in which the attacker is given access to a set of plaintexts and their corresponding encryptions (for a fixed key): (Pi, Ci), i = 1, ..., N. These pairs constitute a codebook which he could use to listen to further communication, and which could help him partially decrypt future messages even without knowledge of the secret key. He could also use this knowledge in a replay attack, by replacing blocks in the communication or by constructing meaningful messages from the blocks of the codebook. The codebook attack may even be applied in a passive traffic-analysis scenario, i.e. as a ciphertext-only attack, which would start with frequency analysis of the received blocks and attempts to guess their meaning. Ciphers with a small block size are vulnerable to the codebook attack, especially if used in the simplest Electronic Codebook mode of operation. Already with N = 2^(n/2) known pairs, where n is the block size of the cipher, the attacker has good chances to observe familiar blocks in future communications of size O(2^(n/2)), due to the birthday paradox. If the communication is redundant, the size of the codebook required may be even smaller. Modern block ciphers use a 128-bit block size to make such attacks harder to mount. A better way to combat such attacks is to use chaining modes of operation like Cipher Block Chaining mode (which makes further blocks of ciphertext dependent on all the previous blocks), together with authentication of the ciphertext.

Dictionary Attack

A dictionary attack is an exhaustive cryptanalysis approach in which the attacker computes and stores a table of plaintext-ciphertext pairs (P, Ci = E_Ki(P), Ki), sorted by the ciphertexts Ci. Here the plaintext P is chosen in advance among the most often encrypted texts, like "login:", "Hello John", etc., and the key runs through all the possible keys Ki. If P is later encrypted by the user and the attacker observes its resulting ciphertext Cj, the attacker may search his table for the corresponding ciphertext and retrieve the secret key Kj. The term dictionary attack is also used in the area of password guessing, but with a different meaning.

Known Plaintext Attack

A known-plaintext attack is a scenario in which the attacker has access to the pairs (Pi, Ci), i = 1, ..., N, of known plaintexts and their corresponding ciphertexts. This attack is considered to be highly practical, especially if the number of pairs N is not too large. This attack scenario is more practical than the chosen-plaintext attack. The probable-word method, which is a popular technique for solving classical simple substitution or transposition ciphers, is an example of a known-plaintext attack. Another example is the cryptanalysis of the German Enigma cipher [1] using the so-called bombes. It relied heavily on properly guessed opening words of the cryptograms (which were at the time called cribs). One of the most popular cribs was "Nothing to report". In modern cryptography, linear cryptanalysis is a typical example of a known-plaintext attack.

References

[1] C. A. Deavours, L. Kruh, Machine Cryptography and Modern Cryptanalysis, Artech House, 1985.

Chosen Plaintext Attack

A chosen-plaintext attack is a scenario in which the attacker has the ability to choose plaintexts Pi and to view their corresponding encryptions – ciphertexts Ci. This attack is considered to be less practical than the known-plaintext attack, but still a very dangerous attack. If the cipher is vulnerable to a known-plaintext attack, it is automatically vulnerable to a chosen-plaintext attack as well, but not necessarily the opposite. In modern cryptography, differential cryptanalysis is a typical example of a chosen-plaintext attack. It is also a rare technique for which conversion from chosen plaintext to known plaintext is possible (due to its work with pairs of texts). If a chosen-plaintext differential attack uses m pairs of texts for an n-bit block cipher, then it can be converted to a known-plaintext attack which will require 2^(n/2)·√(2m) known plaintexts, due to birthday-paradox-like arguments. Furthermore, as shown in [1], the factor 2^(n/2) may be considerably reduced if the known plaintexts are redundant (for example, in the case of ASCII-encoded English text, to about 2^((n−r)/2), where r is the redundancy of the text), which may even lead to a conversion of a differential chosen-plaintext attack into a differential ciphertext-only attack.

References

[1] A. Biryukov and E. Kushilevitz, "From differential cryptanalysis to ciphertext-only attacks," in Advances in Cryptology – CRYPTO'98 (H. Krawczyk, ed.), vol. 1462 of Lecture Notes in Computer Science, pp. 72–88, Springer-Verlag, 1998.

Chosen Ciphertext Attack

A chosen-ciphertext attack is a scenario in which the attacker has the ability to choose ciphertexts Ci and to view their corresponding decryptions – plaintexts Pi. It is essentially the same scenario as a chosen-plaintext attack, but applied to the decryption function instead of the encryption function. The attack is considered to be less practical in real-life situations than chosen-plaintext attacks. However, there is no direct correspondence between the complexities of chosen-plaintext and chosen-ciphertext attacks: a cipher may be vulnerable to one but not to the other, and the opposite. The chosen-ciphertext attack is a very important scenario in public-key cryptography, where known-plaintext and even chosen-plaintext scenarios are always available to the attacker due to the publicly known encryption key. For example, plain RSA is not secure against an adaptive chosen-ciphertext attack.
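The Codebook Attack and Dictionary Attack entries above both describe precomputed tables indexed by ciphertext, and both are defeated by the same class of countermeasure (chaining modes with a random IV, larger blocks and keys). The following added example, which is not code from the encyclopedia, shows both on a constructed 16-bit toy permutation (toy16_encrypt, a stand-in chosen so that 2^(n/2) = 256 and the full key space of 2^16 fit in a few milliseconds): ECB on redundant text leaking equal blocks while CBC does not, the birthday-bound codebook of 2^(n/2) pairs read against future traffic, and a dictionary table for one probable plaintext that recovers a consistent key but becomes useless once the plaintext is masked by a non-zero IV. All function names and sample values are assumptions of this example.

```python
import random

BLOCK_BITS = 16                  # tiny block so that 2^(n/2) = 256 is visible; DES has n = 64
MASK = (1 << BLOCK_BITS) - 1
KEY_SPACE = 1 << 16              # toy 16-bit key space (DES: 2^56)


def toy16_encrypt(key: int, block: int) -> int:
    """Keyed 16-bit permutation (XOR, rotate, odd multiply: each step is a bijection).
    Constructed for this example as a stand-in; it is not a real cipher."""
    x = block & MASK
    for rnd in range(4):
        x ^= (key + rnd * 0x1357) & MASK
        x = ((x << 5) | (x >> (BLOCK_BITS - 5))) & MASK
        x = (x * 0x9E37 + 0x79B9) & MASK
    return x


def ecb_encrypt(key, blocks):
    return [toy16_encrypt(key, b) for b in blocks]


def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv
    for b in blocks:
        prev = toy16_encrypt(key, b ^ prev)   # each block depends on all earlier ones
        out.append(prev)
    return out


def repeated_blocks(blocks):
    return len(blocks) - len(set(blocks))


def build_codebook(key, known_plaintexts):
    """Known-plaintext pairs (P_i, C_i) under one fixed key, indexed by ciphertext."""
    return {toy16_encrypt(key, p): p for p in known_plaintexts}


def read_with_codebook(codebook, ciphertexts):
    """Passive reading of future ECB traffic: None where the block is not in the book."""
    return [codebook.get(c) for c in ciphertexts]


def build_dictionary(probable_plaintext):
    """Table ciphertext -> key for one probable plaintext over the whole key space
    (several keys may map to the same ciphertext; the first one found is kept)."""
    table = {}
    for k in range(KEY_SPACE):
        table.setdefault(toy16_encrypt(k, probable_plaintext), k)
    return table


def demo(seed=7):
    rng = random.Random(seed)               # constructed, deterministic sample data
    key = rng.getrandbits(16)
    # 1. ECB on redundant text: equal plaintext blocks give equal ciphertext blocks
    vocab = [int.from_bytes(w, "big") for w in (b"th", b"e ", b"an", b"d ", b"of", b"in", b"to", b"a ")]
    text = [rng.choice(vocab) for _ in range(40)]
    ecb_rep = repeated_blocks(ecb_encrypt(key, text))
    cbc_rep = repeated_blocks(cbc_encrypt(key, rng.getrandbits(16), text))
    # 2. Birthday bound: 2^(n/2) known pairs read against 2^(n/2) future random blocks
    n_half = 1 << (BLOCK_BITS // 2)
    known = [rng.getrandbits(16) for _ in range(n_half)]
    future = [rng.getrandbits(16) for _ in range(n_half)]
    recovered = read_with_codebook(build_codebook(key, known), ecb_encrypt(key, future))
    known_set = set(known)
    hits_ok = (all(r is None or r == p for r, p in zip(recovered, future))
               and sum(r is not None for r in recovered) == sum(p in known_set for p in future))
    # 3. Dictionary table for a probable first block, and why a non-zero IV defeats it
    probable = int.from_bytes(b"lo", "big")           # first block of "login:"
    table = build_dictionary(probable)
    observed = toy16_encrypt(key, probable)
    k_found = table[observed]                          # some key consistent with (P, C)
    iv = rng.getrandbits(16) | 1                       # non-zero IV masks P before encryption
    k_iv = table.get(toy16_encrypt(key, probable ^ iv))
    return {
        "ecb_repeats": ecb_rep,
        "cbc_repeats": cbc_rep,
        "codebook_hits_correct": hits_ok,
        "dictionary_key_consistent": toy16_encrypt(k_found, probable) == observed,
        "iv_lookup_returns_real_key": k_iv == key,
    }


if __name__ == "__main__":
    print(demo())
```

Two details are worth noting. In step 2 the number of codebook hits is not asserted as a fixed value: with N = 2^(n/2) known pairs and 2^(n/2) future blocks the expected number of matches is N·2^(n/2)/2^n = 1, so the demonstration checks only that every hit decrypts correctly. In step 3 the lookup under a non-zero IV can never return the real key, because toy16_encrypt(key, ·) is a bijection and therefore E_K(P) ≠ E_K(P ⊕ IV); whatever key the table returns is a wrong one, which is the defender's reason for never encrypting a predictable header directly in ECB.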