DOCSLIB.ORG

Basic Cryptography

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Basic cryptography • How cryptography works... • Symmetric cryptography... • Public key cryptography... • Online Resources... • Printed Resources... I VP R 1 © Copyright 2002-2007 Haim Levkowitz How cryptography works • Plaintext • Ciphertext • Cryptographic algorithm • Key Decryption Key Algorithm Plaintext Ciphertext Encryption I VP R 2 © Copyright 2002-2007 Haim Levkowitz Simple cryptosystem ... ! ABCDEFGHIJKLMNOPQRSTUVWXYZ ! DEFGHIJKLMNOPQRSTUVWXYZABC • Caesar Cipher • Simple substitution cipher • ROT-13 • rotate by half the alphabet • A => N B => O I VP R 3 © Copyright 2002-2007 Haim Levkowitz Keys cryptosystems … • keys and keyspace ... • secret-key and public-key ... • key management ... • strength of key systems ... I VP R 4 © Copyright 2002-2007 Haim Levkowitz Keys and keyspace … • ROT: key is N • Brute force: 25 values of N • IDEA (international data encryption algorithm) in PGP: 2128 numeric keys • 1 billion keys / sec ==> >10,781,000,000,000,000,000,000 years I VP R 5 © Copyright 2002-2007 Haim Levkowitz Symmetric cryptography • DES • Triple DES, DESX, GDES, RDES • RC2, RC4, RC5 • IDEA Key • Blowfish Plaintext Encryption Ciphertext Decryption Plaintext Sender Recipient I VP R 6 © Copyright 2002-2007 Haim Levkowitz DES • Data Encryption Standard • US NIST (‘70s) • 56-bit key • Good then • Not enough now (cracked June 1997) • Discrete blocks of 64 bits • Often w/ CBC (cipherblock chaining) • Each blocks encr. depends on contents of previous => detect missing block I VP R 7 © Copyright 2002-2007 Haim Levkowitz Triple DES, DESX, GDES, RDES • Variants on DES: decrease risk of brute-force guessing • Triple-DES • 1. encrypt W/ Key 1 (56-bit) • 2. encrypt W/ Key 2 • 3. encrypt W/ Key 1 • ==> Effective key length 112 bits I VP R 8 © Copyright 2002-2007 Haim Levkowitz RC2, RC4, RC5 • Proprietary (RSA Data Security, Inc.) • Variable length keys (up to 2,048 bits) • Outside US: 40-bit versions of RC2 & RC4 • ==> Web browsers & servers I VP R 9 © Copyright 2002-2007 Haim Levkowitz IDEA • Int’l Data Encryption Algorithm • Patented (AscomTech AG) • Popular in Europe • 128-bit key ==> more secure than DES • (One of) at heart of PGP • (Other is RSA) I VP R 10 © Copyright 2002-2007 Haim Levkowitz Blowfish • Unpatented (Bruce Schneier) • In many commercial & freeware • Var-length key (up to 448 bits) I VP R 11 © Copyright 2002-2007 Haim Levkowitz Symmetric not fit for Internet • Spontaneous comm ==> can’t exchange keys • Multiway comm ==> key secrecy compromised I VP R 12 © Copyright 2002-2007 Haim Levkowitz Public key cryptography • Two-in-one • Cryptography • Digital signatures I VP R 13 © Copyright 2002-2007 Haim Levkowitz Public key cryptography • Asymmetric Key Key Plaintext Encryption Ciphertext Decryption Plaintext Recipient’s Recipient’s public key secret key Recipient Senders I VP R 14 © Copyright 2002-2007 Haim Levkowitz Digital signatures • But, problem ... Authenticate Key Key d Plaintext Plaintext Encryption Digital Decryption y =? signature Sender’s Sender’s secret key public key Sender Recipient I VP R 15 © Copyright 2002-2007 Haim Levkowitz Problem ... • Can cut & paste from older • Solutions • A --> B: random “challenge” phrase • B --> A: sign w/ secret key, return • A: decrypts w/ B’s public key, compare to original • Or, message digest functions Cryptography and digital signature: “challenge” Key Signature text Signature text Key (“challenge”) (“challenge”) Message Sender’s text secret key Sender’s y public key =? Authenticate Digital d Message signature Key Key Ciphertext text sig. Recipient’s Recipient’s Recipient Sender public key secret key I VP R 17 © Copyright 2002-2007 Haim Levkowitz Cryptography and digital signature: digest Hash function Hash function ==> “message Key ==> “message Key digest” (unique) digest” (unique) Message Sender’s secret key Sender’s text y public key =? Authenticate Digital d Message signature Key Key Ciphertext text sig. Recipient’s Recipient’s Recipient public key secret key Sender I VP R 18 © Copyright 2002-2007 Haim Levkowitz Message digest functions & message integrity • One-way hashes • Digital fingerprint for original message • Sender ... • Recipient I VP R 19 © Copyright 2002-2007 Haim Levkowitz Sender • 1. Run message through digest function • 2. Sign hash with secret key • 3. Send signed hash & original message to recipient I VP R 20 © Copyright 2002-2007 Haim Levkowitz Recipient • Decrypt hash w/ sender’s public key • Compare with result of running message through digest function • Match ==> verified integrity • In SSL (later): Message Authenticity Check (MAC) • MAC = digest(secret + digest(secret - message)) I VP R 21 © Copyright 2002-2007 Haim Levkowitz Message Digest Algorithms • MD4 (Rivest, MIT) • 128-bit hashes • Weaknesses ==> (randomness) • MD5 (Rivest) • Most widely used • SHA: Secure Hash Algorithm (NIST/NSA) • 160-bit hash Digital envelopes • Public key encryption SLOWER than symmetric ==> Hybrid • 1. Random secret key (“session key”; discard when done) • 2. Encrypt message w/ session key & symmetric alg. • Encrypt session key w/ recipient’s public key (==> “digital envelope”) • Send encrypted message + digital envelope Digital envelopes Key Key Message Message Ciphertext plaintext plaintext Session Session key key Key Key Recipient’s Recipient’s secret key public key Recipient Sender I VP R 24 © Copyright 2002-2007 Haim Levkowitz Certifying authorities & public key infrastructure • Large public-key database • ==> management? Trusted third party • Certifying authorities (CA)... I VP R 25 © Copyright 2002-2007 Haim Levkowitz Certifying authorities (CA) Key Certifying Authority (CA): 1. Verify individual’s ID 2. Create certificate 3. Generate message digest from certificate, signs hash w/ its secret key Individual’s 4. Return certificate to individual public key Key Individual’s CA’s secret Signed Certificate key distinguished request certificate name (w/ public key) $$$ Pay CA’s fee ID info I VP R 26 © Copyright 2002-2007 Haim Levkowitz Public key infrastructure • Site certificates: authenticate Web servers • Personal certificate: individuals • SW publisher certificates: executables • Certifying authority certificates • Common format: X.509v3 • CPS: certification practice statement I VP R 27 © Copyright 2002-2007 Haim Levkowitz Root CAs & certificate chains • Browsers delivered w/ signed certificates of well-known CAs (root) • Root CAs can sign • End user’s public key • Another (secondary) CA’s public key • ==> Signing authority • ==> Certificate chain • ==> “Hierarchy of trust” I VP R 28 © Copyright 2002-2007 Haim Levkowitz Certificate expiration and revocation list • Invalidate public/secret key pair • Loss/corruption/theft of secret key • Change in ID info in certificate • Compromise of CA’s secret key • CRL: Certificate Revocation List • Certificate expiration date (1 year) I VP R 29 © Copyright 2002-2007 Haim Levkowitz Diffie-Helman: encrypton without authentication • Encryption + authentication usually together • At least one party produces signed certificate ==> no anonymous comm. • Diffie-Helman key exchange: negotiate session key w/o sending key • Each party picks partial key independently I VP R 30 © Copyright 2002-2007 Haim Levkowitz Diffie-Helman (cont.) • Send part of key info • Other side calculates common key value • Eavesdropper can’t reconstruct key • Use symmetric algorithm • Discard session key at end • No authentication ==> “man-in-the-middle” attack I VP R 31 © Copyright 2002-2007 Haim Levkowitz Man-in-the-middle attack • A, B want to communicate • C imposes in network between two wo arousing suspicions • A negotiates w/ C thinking it’s B • B negotiates w/ C thinking it’s A • A & B sending messages, C relaying • A & B think comm is secure; C reads & can modify • Hard to accomplish Securing private (secret) keys • Stored on hard disk encrypted • When first invoked, prompt for pass phrase to unlock • Key read into memory • Problem: virus/other sw looking for private keys • Solution: on removable (take away) I VP R 33 © Copyright 2002-2007 Haim Levkowitz Key length and security • Longer key ==> more secure message • How long? How secure? • Good alg. + implementation + key management ==> brute-force only • Cost to crack vs. cost of normal use • Estimated cracking cost... I VP R 34 © Copyright 2002-2007 Haim Levkowitz Estimated cracking cost... Cost ($) Key length $ thousands $ millions 40 bits Seconds < 1 Second 56 bits Days Hours 64 bits Months Days 80 bits Eons Millennia 128 bits > Age of universe > Age of universe I VP R 35 © Copyright 2002-2007 Haim Levkowitz Key length & US encryption policy (old = history) • Strong encryption classified as munition • SW must get export license • RC2, RC4 w/ 40-bit keys (or less) • RSA w/ 512-bit keys • Digital signature but no encryption • Financial app’s (e.g., Quicken) I VP R 36 © Copyright 2002-2007 Haim Levkowitz US policy (cont.) • Slowing effect on SW dev • Online products limited to export version • ==> Most browsers crippled • Servers overseas crippled • Must have both side for secure transaction • Versions of Netscape + IE exempt ==>128-bit keys I VP R 37 © Copyright 2002-2007 Haim Levkowitz RSA PKI math • Separate I VP R 38 © Copyright 2002-2007 Haim Levkowitz Problems • Usability!!!! I VP R 39 © Copyright 2002-2007 Haim Levkowitz Resources • Schneier’s blogs • Several books/articles/Web-sites • Stein’s on-line resource • B. Schneier: Practical Cryptography, 2nd Edition (Wiley, 1995) • R. E. Smith: Internet Cryptography (Addison-Wesley, 1997) I VP R 40 © Copyright 2002-2007 Haim Levkowitz.
Recommended publications
  • Block Ciphers and the Data Encryption Standard

    Block Ciphers and the Data Encryption Standard

    Lecture 3: Block Ciphers and the Data Encryption Standard Lecture Notes on “Computer and Network Security” by Avi Kak ([email protected]) January 26, 2021 3:43pm ©2021 Avinash Kak, Purdue University Goals: To introduce the notion of a block cipher in the modern context. To talk about the infeasibility of ideal block ciphers To introduce the notion of the Feistel Cipher Structure To go over DES, the Data Encryption Standard To illustrate important DES steps with Python and Perl code CONTENTS Section Title Page 3.1 Ideal Block Cipher 3 3.1.1 Size of the Encryption Key for the Ideal Block Cipher 6 3.2 The Feistel Structure for Block Ciphers 7 3.2.1 Mathematical Description of Each Round in the 10 Feistel Structure 3.2.2 Decryption in Ciphers Based on the Feistel Structure 12 3.3 DES: The Data Encryption Standard 16 3.3.1 One Round of Processing in DES 18 3.3.2 The S-Box for the Substitution Step in Each Round 22 3.3.3 The Substitution Tables 26 3.3.4 The P-Box Permutation in the Feistel Function 33 3.3.5 The DES Key Schedule: Generating the Round Keys 35 3.3.6 Initial Permutation of the Encryption Key 38 3.3.7 Contraction-Permutation that Generates the 48-Bit 42 Round Key from the 56-Bit Key 3.4 What Makes DES a Strong Cipher (to the 46 Extent It is a Strong Cipher) 3.5 Homework Problems 48 2 Computer and Network Security by Avi Kak Lecture 3 Back to TOC 3.1 IDEAL BLOCK CIPHER In a modern block cipher (but still using a classical encryption method), we replace a block of N bits from the plaintext with a block of N bits from the ciphertext.
  • 1 Perfect Secrecy of the One-Time Pad

    1 Perfect Secrecy of the One-Time Pad

    1 Perfect secrecy of the one-time pad In this section, we make more a more precise analysis of the security of the one-time pad. First, we need to define conditional probability. Let’s consider an example. We know that if it rains Saturday, then there is a reasonable chance that it will rain on Sunday. To make this more precise, we want to compute the probability that it rains on Sunday, given that it rains on Saturday. So we restrict our attention to only those situations where it rains on Saturday and count how often this happens over several years. Then we count how often it rains on both Saturday and Sunday. The ratio gives an estimate of the desired probability. If we call A the event that it rains on Saturday and B the event that it rains on Sunday, then the intersection A ∩ B is when it rains on both days. The conditional probability of A given B is defined to be P (A ∩ B) P (B | A)= , P (A) where P (A) denotes the probability of the event A. This formula can be used to define the conditional probability of one event given another for any two events A and B that have probabilities (we implicitly assume throughout this discussion that any probability that occurs in a denominator has nonzero probability). Events A and B are independent if P (A ∩ B)= P (A) P (B). For example, if Alice flips a fair coin, let A be the event that the coin ends up Heads. If Bob rolls a fair six-sided die, let B be the event that he rolls a 3.
  • Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, Newdes, RC2, and TEA

    Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, Newdes, RC2, and TEA

    Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, NewDES, RC2, and TEA John Kelsey Bruce Schneier David Wagner Counterpane Systems U.C. Berkeley kelsey,schneier @counterpane.com [email protected] f g Abstract. We present new related-key attacks on the block ciphers 3- WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. Differen- tial related-key attacks allow both keys and plaintexts to be chosen with specific differences [KSW96]. Our attacks build on the original work, showing how to adapt the general attack to deal with the difficulties of the individual algorithms. We also give specific design principles to protect against these attacks. 1 Introduction Related-key cryptanalysis assumes that the attacker learns the encryption of certain plaintexts not only under the original (unknown) key K, but also under some derived keys K0 = f(K). In a chosen-related-key attack, the attacker specifies how the key is to be changed; known-related-key attacks are those where the key difference is known, but cannot be chosen by the attacker. We emphasize that the attacker knows or chooses the relationship between keys, not the actual key values. These techniques have been developed in [Knu93b, Bih94, KSW96]. Related-key cryptanalysis is a practical attack on key-exchange protocols that do not guarantee key-integrity|an attacker may be able to flip bits in the key without knowing the key|and key-update protocols that update keys using a known function: e.g., K, K + 1, K + 2, etc. Related-key attacks were also used against rotor machines: operators sometimes set rotors incorrectly.
  • Serpent: a Proposal for the Advanced Encryption Standard

    Serpent: a Proposal for the Advanced Encryption Standard

    Serpent: A Proposal for the Advanced Encryption Standard Ross Anderson1 Eli Biham2 Lars Knudsen3 1 Cambridge University, England; email [email protected] 2 Technion, Haifa, Israel; email [email protected] 3 University of Bergen, Norway; email [email protected] Abstract. We propose a new block cipher as a candidate for the Ad- vanced Encryption Standard. Its design is highly conservative, yet still allows a very efficient implementation. It uses S-boxes similar to those of DES in a new structure that simultaneously allows a more rapid avalanche, a more efficient bitslice implementation, and an easy anal- ysis that enables us to demonstrate its security against all known types of attack. With a 128-bit block size and a 256-bit key, it is as fast as DES on the market leading Intel Pentium/MMX platforms (and at least as fast on many others); yet we believe it to be more secure than three-key triple-DES. 1 Introduction For many applications, the Data Encryption Standard algorithm is nearing the end of its useful life. Its 56-bit key is too small, as shown by a recent distributed key search exercise [28]. Although triple-DES can solve the key length problem, the DES algorithm was also designed primarily for hardware encryption, yet the great majority of applications that use it today implement it in software, where it is relatively inefficient. For these reasons, the US National Institute of Standards and Technology has issued a call for a successor algorithm, to be called the Advanced Encryption Standard or AES.
  • Rotational Cryptanalysis of ARX

    Rotational Cryptanalysis of ARX

    Rotational Cryptanalysis of ARX Dmitry Khovratovich and Ivica Nikoli´c University of Luxembourg [email protected], [email protected] Abstract. In this paper we analyze the security of systems based on modular additions, rotations, and XORs (ARX systems). We provide both theoretical support for their security and practical cryptanalysis of real ARX primitives. We use a technique called rotational cryptanalysis, that is universal for the ARX systems and is quite efficient. We illustrate the method with the best known attack on reduced versions of the block cipher Threefish (the core of Skein). Additionally, we prove that ARX with constants are functionally complete, i.e. any function can be realized with these operations. Keywords: ARX, cryptanalysis, rotational cryptanalysis. 1 Introduction A huge number of symmetric primitives using modular additions, bitwise XORs, and intraword rotations have appeared in the last 20 years. The most famous are the hash functions from MD-family (MD4, MD5) and their descendants SHA-x. While modular addition is often approximated with XOR, for random inputs these operations are quite different. Addition provides diffusion and nonlinearity, while XOR does not. Although the diffusion is relatively slow, it is compensated by a low price of addition in both software and hardware, so primitives with relatively high number of additions (tens per byte) are still fast. The intraword rotation removes disbalance between left and right bits (introduced by the ad- dition) and speeds up the diffusion. Many recently design primitives use only XOR, addition, and rotation so they are grouped into a single family ARX (Addition-Rotation-XOR).
  • Chapter 2 the Data Encryption Standard (DES)

    Chapter 2 the Data Encryption Standard (DES)

    Chapter 2 The Data Encryption Standard (DES) As mentioned earlier there are two main types of cryptography in use today - symmet- ric or secret key cryptography and asymmetric or public key cryptography. Symmet- ric key cryptography is the oldest type whereas asymmetric cryptography is only being used publicly since the late 1970’s1. Asymmetric cryptography was a major milestone in the search for a perfect encryption scheme. Secret key cryptography goes back to at least Egyptian times and is of concern here. It involves the use of only one key which is used for both encryption and decryption (hence the use of the term symmetric). Figure 2.1 depicts this idea. It is necessary for security purposes that the secret key never be revealed. Secret Key (K) Secret Key (K) ? ? - - - - Plaintext (P ) E{P,K} Ciphertext (C) D{C,K} Plaintext (P ) Figure 2.1: Secret key encryption. To accomplish encryption, most secret key algorithms use two main techniques known as substitution and permutation. Substitution is simply a mapping of one value to another whereas permutation is a reordering of the bit positions for each of the inputs. These techniques are used a number of times in iterations called rounds. Generally, the more rounds there are, the more secure the algorithm. A non-linearity is also introduced into the encryption so that decryption will be computationally infeasible2 without the secret key. This is achieved with the use of S-boxes which are basically non-linear substitution tables where either the output is smaller than the input or vice versa. 1It is claimed by some that government agencies knew about asymmetric cryptography before this.
  • Data Encryption Standard

    Data Encryption Standard

    Data Encryption Standard The Data Encryption Standard (DES /ˌdiːˌiːˈɛs, dɛz/) is a Data Encryption Standard symmetric-key algorithm for the encryption of electronic data. Although insecure, it was highly influential in the advancement of modern cryptography. Developed in the early 1970s atIBM and based on an earlier design by Horst Feistel, the algorithm was submitted to the National Bureau of Standards (NBS) following the agency's invitation to propose a candidate for the protection of sensitive, unclassified electronic government data. In 1976, after consultation with theNational Security Agency (NSA), the NBS eventually selected a slightly modified version (strengthened against differential cryptanalysis, but weakened against brute-force attacks), which was published as an official Federal Information Processing Standard (FIPS) for the United States in 1977. The publication of an NSA-approved encryption standard simultaneously resulted in its quick international adoption and widespread academic scrutiny. Controversies arose out of classified The Feistel function (F function) of DES design elements, a relatively short key length of the symmetric-key General block cipher design, and the involvement of the NSA, nourishing Designers IBM suspicions about a backdoor. Today it is known that the S-boxes that had raised those suspicions were in fact designed by the NSA to First 1975 (Federal Register) actually remove a backdoor they secretly knew (differential published (standardized in January 1977) cryptanalysis). However, the NSA also ensured that the key size was Derived Lucifer drastically reduced such that they could break it by brute force from [2] attack. The intense academic scrutiny the algorithm received over Successors Triple DES, G-DES, DES-X, time led to the modern understanding of block ciphers and their LOKI89, ICE cryptanalysis.
  • Investigations of Cellular Automata-Based Stream Ciphers

    Investigations of Cellular Automata-Based Stream Ciphers

    Rochester Institute of Technology RIT Scholar Works Theses 2008 Investigations of cellular automata-based stream ciphers Joseph S. Testa Follow this and additional works at: https://scholarworks.rit.edu/theses Recommended Citation Testa, Joseph S., "Investigations of cellular automata-based stream ciphers" (2008). Thesis. Rochester Institute of Technology. Accessed from This Thesis is brought to you for free and open access by RIT Scholar Works. It has been accepted for inclusion in Theses by an authorized administrator of RIT Scholar Works. For more information, please contact [email protected]. Investigations of Cellular Automata-based Stream Ciphers by Joseph S. Testa II A Thesis Submitted to the Faculty of the ROCHESTER INSTITUTE OF TECHNOLOGY In partial fulfillment of the requirements for the Degree of Master of Science in Computer Security and Information Assurance by _________________________________ May 12, 2008 APPROVED: __________________________________ Professor Alan Kaminsky, Thesis Advisor __________________________________ Professor Hans-Peter Bischof, Reader __________________________________ Professor Peter Lutz, Observer ABSTRACT In this thesis paper, we survey the literature arising from Stephan Wolfram©s original paper, ªCryptography with Cellular Automataº [WOL86] that first suggested stream ciphers could be constructed with cellular automata. All published research directly and indirectly quoting this paper are summarized up until the present. We also present a novel stream cipher design called Sum-4 that is shown to have good randomness properties and resistance to approximation using linear finite shift registers. Sum-4 is further studied to determine its effective strength with respect to key size given that an attack with a SAT solver is more efficient than a brute-force attack.
  • Chap 2. Basic Encryption and Decryption

    Chap 2. Basic Encryption and Decryption

    Chap 2. Basic Encryption and Decryption H. Lee Kwang Department of Electrical Engineering & Computer Science, KAIST Objectives • Concepts of encryption • Cryptanalysis: how encryption systems are “broken” 2.1 Terminology and Background • Notations – S: sender – R: receiver – T: transmission medium – O: outsider, interceptor, intruder, attacker, or, adversary • S wants to send a message to R – S entrusts the message to T who will deliver it to R – Possible actions of O • block(interrupt), intercept, modify, fabricate • Chapter 1 2.1.1 Terminology • Encryption and Decryption – encryption: a process of encoding a message so that its meaning is not obvious – decryption: the reverse process • encode(encipher) vs. decode(decipher) – encoding: the process of translating entire words or phrases to other words or phrases – enciphering: translating letters or symbols individually – encryption: the group term that covers both encoding and enciphering 2.1.1 Terminology • Plaintext vs. Ciphertext – P(plaintext): the original form of a message – C(ciphertext): the encrypted form • Basic operations – plaintext to ciphertext: encryption: C = E(P) – ciphertext to plaintext: decryption: P = D(C) – requirement: P = D(E(P)) 2.1.1 Terminology • Encryption with key If the encryption algorithm should fall into the interceptor’s – encryption key: KE – decryption key: K hands, future messages can still D be kept secret because the – C = E(K , P) E interceptor will not know the – P = D(KD, E(KE, P)) key value • Keyless Cipher – a cipher that does not require the
  • Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption

    Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption

    Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption Robert Granger1, Philipp Jovanovic2, Bart Mennink3, and Samuel Neves4 1 Laboratory for Cryptologic Algorithms, École polytechnique fédérale de Lausanne, Switzerland, [email protected] 2 Decentralized and Distributed Systems Lab, École polytechnique fédérale de Lausanne, Switzerland, [email protected] 3 Dept. Electrical Engineering, ESAT/COSIC, KU Leuven, and iMinds, Belgium, [email protected] 4 CISUC, Dept. of Informatics Engineering, University of Coimbra, Portugal, [email protected] Abstract. A popular approach to tweakable blockcipher design is via masking, where a certain primitive (a blockcipher or a permutation) is preceded and followed by an easy-to-compute tweak-dependent mask. In this work, we revisit the principle of masking. We do so alongside the introduction of the tweakable Even-Mansour construction MEM. Its masking function combines the advantages of word-oriented LFSR- and powering-up-based methods. We show in particular how recent advancements in computing discrete logarithms over finite fields of characteristic 2 can be exploited in a constructive way to realize highly efficient, constant-time masking functions. If the masking satisfies a set of simple conditions, then MEM is a secure tweakable blockcipher up to the birthday bound. The strengths of MEM are exhibited by the design of fully parallelizable authenticated encryption schemes OPP (nonce-respecting) and MRO (misuse-resistant). If instantiated with a reduced-round BLAKE2b permutation, OPP and MRO achieve speeds up to 0.55 and 1.06 cycles per byte on the Intel Haswell microarchitecture, and are able to significantly outperform their closest competitors.
  • Block Cipher and Data Encryption Standard (DES)

    Block Cipher and Data Encryption Standard (DES)

    Block Cipher and Data Encryption Standard (DES) 2021.03.09 Presented by: Mikail Mohammed Salim Professor 박종혁 Cryptography and Information Security 1 Block Cipher and Data Encryption Standard (DES) Contents • What is Block Cipher? • Padding in Block Cipher • Ideal Block Cipher • What is DES? • DES- Key Discarding Process • Des- 16 rounds of Encryption • How secure is DES? 2 Block Cipher and Data Encryption Standard (DES) What is Block Cipher? • An encryption technique that applies an algorithm with parameters to encrypt blocks of text. • Each plaintext block has an equal length of ciphertext block. • Each output block is the same size as the input block, the block being transformed by the key. • Block size range from 64 -128 bits and process the plaintext in blocks of 64 or 128 bits. • Several bits of information is encrypted with each block. Longer messages are encoded by invoking the cipher repeatedly. 3 Block Cipher and Data Encryption Standard (DES) What is Block Cipher? • Each message (p) grouped in blocks is encrypted (enc) using a key (k) into a Ciphertext (c). Therefore, 푐 = 푒푛푐푘(푝) • The recipient requires the same k to decrypt (dec) the p. Therefore, 푝 = 푑푒푐푘(푐) 4 Block Cipher and Data Encryption Standard (DES) Padding in Block Cipher • Block ciphers process blocks of fixed sizes, such as 64 or 128 bits. The length of plaintexts is mostly not a multiple of the block size. • A 150-bit plaintext provides two blocks of 64 bits each with third block of remaining 22 bits. • The last block of bits needs to be padded up with redundant information so that the length of the final block equal to block size of the scheme.
  • A Gentle Introduction to Cryptography

    A Gentle Introduction to Cryptography

    A Gentle Introduction Prof. Philip Koopman to Cryptography 18-642 / Fall 2020 “Cryptography [without system integrity] is like investing in an armored car to carry money between a customer living in a cardboard box and a person doing business on a park bench.” – Gene Spafford © 2020 Philip Koopman 1 Cryptography Overview Anti-Patterns for Cryptography Using a home-made cryptographic algorithm Using private key when public key is required Not considering key distribution in design Cryptography terms: Plaintext: the original data Ciphertext: data after a encryption Encryption: converting plaintext to ciphertext Avalanche effect: – Confusion: multiple bits in plaintext are combined to make a ciphertext bit – Diffusion: each bit of plaintext affects many bits of ciphertext – Ideally, ciphertext is random function of plaintext bits © 2020 Philip Koopman 2 Classical Cryptography Simple substitution cipher (Caesar Cipher) “IBM” left shifted 1 becomes “HAL” – 4 or 5 bit key (26 wheel positions) https://de.wikipedia.org/wiki/Caesar- Verschl%C3%BCsselung#/media/File:Ciph erDisk2000.jpg https://en.wikipedia.org/wiki/Caesar_cipher Readily broken via frequency analysis Most common letters correspond to E, T, A, O, … https://en.wikipedia.org/wiki/Caesar_cipher Gives secrecy but not explicit integrity © 2020 Philip Koopman 3 WWII Cryptography Complex Subsitution Cipher German “Enigma” machine The “Bombe” broke Enigma Electromechanical sequencing to search for correlations using guessed plaintext – See the movie: “The Imitation Game”