DOCSLIB.ORG

Differential Cryptanalysis

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Differential Cryptanalysis Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note: In all the following discussion we ignore the existence of the initial and the final permutations, since they do not affect the analysis. Motivation: 1. All the operations except for the S boxes are linear. 2. Mixing the key in all the rounds prohibits the attacker from knowing which entries of the S boxes are actually used, and thus he cannot know their output. See: Biham and Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer Ver- lag, 1993. c Eli Biham - May 3, 2005 520 Differential Cryptanalysis (18) c Eli Biham - May 3, 2005 521 Differential Cryptanalysis (18) Differential Cryptanalysis (cont.) Differential Cryptanalysis (cont.) How can we inhibit the key from hiding the information? Advantages: It is easy to predict the output difference of linear operations The basic idea of differential cryptanalysis: Study the differences given the input difference: between two encryptions of two different plaintexts: P and P . ∗ Unary operations (E, P, IP): Notation: For any value X during the encryption of P , and the corresponding • ∗ 0 ∗ (P (X))0 = P (X) P (X∗) = P (X0) value X during encryption of P ∗, denote the difference by X = X ⊕ X . ⊕ Binary operations (XOR): • (X Y )0 = (X Y ) (X∗ Y ∗) = X0 Y 0 ⊕ ⊕ ⊕ ⊕ ⊕ Mixing the key: • (X K)0 = (X K) (X∗ K) = X0 ⊕ ⊕ ⊕ ⊕ We conclude that the differences are linear in linear operations, and in partic- ular, the result is key independent. c Eli Biham - May 3, 2005 522 Differential Cryptanalysis (18) c Eli Biham - May 3, 2005 523 Differential Cryptanalysis (18) Differences and the S Boxes The Difference Distribution Table of S1 Assume we have two inputs X and X for the same S box, and that we know ∗ Input Output XOR 0 only their difference X . XOR 0x 1x 2x 3x 4x 5x 6x 7x 8x 9x Ax Bx Cx Dx Ex Fx 0x 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1x 0 0 0 6 0 2 4 4 0 10 12 4 10 6 2 4 2x 0 0 0 8 0 4 4 4 0 6 8 6 12 6 4 2 Denote Y = S(X). 3x 14 4 2 2 10 6 4 2 6 4 4 0 2 2 2 0 4x 0 0 0 6 0 10 10 6 0 4 6 4 2 8 6 2 0 5x 4 8 6 2 2 4 4 2 0 4 4 0 12 2 4 6 What do we know about Y ? 6x 0 4 2 4 8 2 6 2 8 4 4 2 4 2 0 12 7x 2 4 10 4 0 4 8 4 2 4 8 2 2 2 4 4 8x 0 0 0 12 0 8 8 4 0 6 2 8 8 2 2 4 0 0 9x 10 2 4 0 2 4 6 0 2 2 8 0 10 0 2 12 The simple case: when X = 0: S(X) = S(X∗) for any X, and Y = 0. Ax 0 8 6 2 2 8 6 0 6 4 6 0 4 0 2 10 Bx 2 4 0 10 2 2 4 0 2 6 2 6 6 4 2 12 Cx 0 0 0 8 0 6 6 0 0 6 6 4 6 6 14 2 0 Dx 6 6 4 8 4 8 2 6 0 6 4 6 0 2 0 2 If X =6 0: we do not know the output difference. Ex 0 4 8 8 6 6 4 0 6 6 4 0 0 4 0 8 Fx 2 0 2 4 4 6 4 2 4 8 2 2 2 6 8 8 10x 0 0 0 0 0 0 2 14 0 6 6 12 4 6 8 6 . Definition: Lets look on the distribution of the pairs (X 0; Y 0) of all the pos- . 27x 10 4 2 0 2 4 2 0 4 8 0 4 8 8 4 4 28x 12 2 2 8 2 6 12 0 0 2 6 0 4 0 6 2 sible inputs X. We call the table containing this information difference dis- 29x 4 2 2 10 0 2 4 0 0 14 10 2 4 6 0 4 2Ax 4 2 4 6 0 2 8 2 2 14 2 6 2 6 2 2 tribution table of the S box. 2Bx 12 2 2 2 4 6 6 2 0 2 6 2 6 0 8 4 2Cx 4 2 2 4 0 2 10 4 2 2 4 8 8 4 2 6 2Dx 6 2 6 2 8 4 4 4 2 4 6 0 8 2 0 6 2Ex 6 6 2 2 0 2 4 6 4 0 6 2 12 2 6 4 2Fx 2 2 2 2 2 6 8 8 2 4 4 6 8 2 4 2 30x 0 4 6 0 12 6 2 2 8 2 4 4 6 2 2 4 31x 4 8 2 10 2 2 2 2 6 0 0 2 2 4 10 8 32x 4 2 6 4 4 2 2 4 6 6 4 8 2 2 8 0 33x 4 4 6 2 10 8 4 2 4 0 2 2 4 6 2 4 34x 0 8 16 6 2 0 0 12 6 0 0 0 0 8 0 6 35x 2 2 4 0 8 0 0 0 14 4 6 8 0 2 14 0 36x 2 6 2 2 8 0 2 2 4 2 6 8 6 4 10 0 37x 2 2 12 4 2 4 4 10 4 4 2 6 0 2 2 4 38x 0 6 2 2 2 0 2 2 4 6 4 4 4 6 10 10 39x 6 2 2 4 12 6 4 8 4 0 2 4 2 4 4 0 3Ax 6 4 6 4 6 8 0 6 2 2 6 2 2 6 4 0 3Bx 2 6 4 0 0 2 4 6 4 6 8 6 4 4 6 2 3Cx 0 10 4 0 12 0 4 2 6 0 4 12 4 4 2 0 3Dx 0 8 6 2 2 6 0 8 4 4 0 4 0 12 4 4 3Ex 4 8 2 2 2 4 4 14 4 2 0 2 0 8 4 4 3Fx 4 8 4 2 4 0 2 4 4 2 4 8 8 6 2 2 c Eli Biham - May 3, 2005 524 Differential Cryptanalysis (18) c Eli Biham - May 3, 2005 525 Differential Cryptanalysis (18) The Difference Distribution Table of S1 (cont.) Differences and the S Boxes (cont.) Observe that: Definition: If the entry of the input difference X 0 and the output difference 0 0 Y 0 is greater than zero, we say that X may cause Y by the S box, and 0 0 In the first line X0 = 0 and thus all the 64 pairs satisfy Y 0 = 0. Y 0 = 0 denote X ! Y . • 6 is impossible. Definition: The probability of X0 ! Y 0 is the probability that for a pair with the input difference X , the output difference is Y , among all In the rest of the lines: The average value is 4, the sum in each line is 64. 0 0 the possible pairs. In DES, the probability is the corresponding value in the • The values are all even in the range 0{16. difference distribution table divided by 64. The entries with value 16 mean that for a quarter of the pairs with this Similarly we define X0 ! Y 0 by the F -function, and define the probability input difference X , the output difference is the particular Y . 0 0 as the product of the probabilities by the eight S boxes. The entries with value 0 mean that there are no pairs with the corre- sponding input difference X0 and the corresponding output difference Y 0. c Eli Biham - May 3, 2005 526 Differential Cryptanalysis (18) c Eli Biham - May 3, 2005 527 Differential Cryptanalysis (18) Differences and the S Boxes (cont.) Observation Differential cryptanalysis uses the entries with large values, and in particular Given an input and output differences of an S box, it is possible to list all the the 0 0 entry and the entries with value 16, and other large values. pairs with these differences. ! Example: For the entry 09 1 the 2 pairs are: x ! x 1. 33x, 3Ax 2. 3Ax, 33x For the entry 01 F the 4 pairs are: x ! x 1. 1Ex, 1Fx 2. 1Fx, 1Ex 3. 2Ax, 2Bx 4. 2Bx, 2Ax The lists of pairs of all the differences can easily be computed in advance. c Eli Biham - May 3, 2005 528 Differential Cryptanalysis (18) y c Eli Biham - May 3, 2005 529 Differential Cryptanalysis (18) Example of a Simple Attack Example of a Simple Attack (cont.) Assume a 3-round DES, in which for some pair of plaintexts Then, the differences in the various rounds are P 0 = 01 96 00 18 00 00 00 00x, and T 0 = 41 96 40 1A 48 00 00 00x. 0 We also assume that T = 00 00 00 00 08 00 00 00x and P = 01 96 00 18 00 00 00 00x T ∗ = 41 96 40 1A 40 00 00 00x. 0 0 (We use the notation T for the ciphertexts, as we use C for the third round A = 00 00 00 00x F a = 00 00 00 00x intermediate values.) 0 0 B = 48 00 00 00x F b = 01 96 00 18x = P (02 00 00 08x) 0 0 C = 40 00 40 02x F c = 48 00 00 00x = P (13 00 00 00x) T 0 = 41 96 40 1A 48 00 00 00x c Eli Biham - May 3, 2005 530 Differential Cryptanalysis (18) c Eli Biham - May 3, 2005 531 Differential Cryptanalysis (18) Example of a Simple Attack (cont.) Characteristics ( ¢¡¤£¥¡§¦¨ ) We identify that S1 in the third round accepts difference 09x in the input and In differential cryptanalysis we wish to know some statistical information on the outputs difference 1x in the output.
Load more

Recommended publications
  • Serpent: a Proposal for the Advanced Encryption Standard
    Serpent: A Proposal for the Advanced Encryption Standard Ross Anderson1 Eli Biham2 Lars Knudsen3 1 Cambridge University, England; email [email protected] 2 Technion, Haifa, Israel; email [email protected] 3 University of Bergen, Norway; email [email protected] Abstract. We propose a new block cipher as a candidate for the Ad- vanced Encryption Standard. Its design is highly conservative, yet still allows a very efficient implementation. It uses S-boxes similar to those of DES in a new structure that simultaneously allows a more rapid avalanche, a more efficient bitslice implementation, and an easy anal- ysis that enables us to demonstrate its security against all known types of attack. With a 128-bit block size and a 256-bit key, it is as fast as DES on the market leading Intel Pentium/MMX platforms (and at least as fast on many others); yet we believe it to be more secure than three-key triple-DES. 1 Introduction For many applications, the Data Encryption Standard algorithm is nearing the end of its useful life. Its 56-bit key is too small, as shown by a recent distributed key search exercise [28]. Although triple-DES can solve the key length problem, the DES algorithm was also designed primarily for hardware encryption, yet the great majority of applications that use it today implement it in software, where it is relatively inefficient. For these reasons, the US National Institute of Standards and Technology has issued a call for a successor algorithm, to be called the Advanced Encryption Standard or AES.
    [Show full text]
  • Data Encryption Standard
    Data Encryption Standard The Data Encryption Standard (DES /ˌdiːˌiːˈɛs, dɛz/) is a Data Encryption Standard symmetric-key algorithm for the encryption of electronic data. Although insecure, it was highly influential in the advancement of modern cryptography. Developed in the early 1970s atIBM and based on an earlier design by Horst Feistel, the algorithm was submitted to the National Bureau of Standards (NBS) following the agency's invitation to propose a candidate for the protection of sensitive, unclassified electronic government data. In 1976, after consultation with theNational Security Agency (NSA), the NBS eventually selected a slightly modified version (strengthened against differential cryptanalysis, but weakened against brute-force attacks), which was published as an official Federal Information Processing Standard (FIPS) for the United States in 1977. The publication of an NSA-approved encryption standard simultaneously resulted in its quick international adoption and widespread academic scrutiny. Controversies arose out of classified The Feistel function (F function) of DES design elements, a relatively short key length of the symmetric-key General block cipher design, and the involvement of the NSA, nourishing Designers IBM suspicions about a backdoor. Today it is known that the S-boxes that had raised those suspicions were in fact designed by the NSA to First 1975 (Federal Register) actually remove a backdoor they secretly knew (differential published (standardized in January 1977) cryptanalysis). However, the NSA also ensured that the key size was Derived Lucifer drastically reduced such that they could break it by brute force from [2] attack. The intense academic scrutiny the algorithm received over Successors Triple DES, G-DES, DES-X, time led to the modern understanding of block ciphers and their LOKI89, ICE cryptanalysis.
    [Show full text]
  • Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1
    International Journal of Grid and Distributed Computing Vol. 10, No. 11 (2017), pp.79-98 http://dx.doi.org/10.14257/ijgdc.2017.10.11.08 Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1 Rahul Saha1, G. Geetha2, Gulshan Kumar3 and Hye-Jim Kim4 1,3School of Computer Science and Engineering, Lovely Professional University, Punjab, India 2Division of Research and Development, Lovely Professional University, Punjab, India 4Business Administration Research Institute, Sungshin W. University, 2 Bomun-ro 34da gil, Seongbuk-gu, Seoul, Republic of Korea Abstract Cryptography has always been a core component of security domain. Different security services such as confidentiality, integrity, availability, authentication, non-repudiation and access control, are provided by a number of cryptographic algorithms including block ciphers, stream ciphers and hash functions. Though the algorithms are public and cryptographic strength depends on the usage of the keys, the ciphertext analysis using different functions and operations used in the algorithms can lead to the path of revealing a key completely or partially. It is hard to find any survey till date which identifies different operations and functions used in cryptography. In this paper, we have categorized our survey of cryptographic functions and operations in the algorithms in three categories: block ciphers, stream ciphers and cryptanalysis attacks which are executable in different parts of the algorithms. This survey will help the budding researchers in the society of crypto for identifying different operations and functions in cryptographic algorithms. Keywords: cryptography; block; stream; cipher; plaintext; ciphertext; functions; research problems 1. Introduction Cryptography [1] in the previous time was analogous to encryption where the main task was to convert the readable message to an unreadable format.
    [Show full text]
  • Eindhoven University of Technology MASTER Renewal Periods For
    Eindhoven University of Technology MASTER Renewal periods for cryptographic keys Posea, S. Award date: 2012 Link to publication Disclaimer This document contains a student thesis (bachelor's or master's), as authored by a student at Eindhoven University of Technology. Student theses are made available in the TU/e repository upon obtaining the required degree. The grade received is not published on the document as presented in the repository. The required complexity or quality of research of student theses may vary by program, and the required minimum study period may vary in duration. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain Renewal Periods for Cryptographic Keys Simona Posea August 2012 Eindhoven University of Technology Department of Mathematics and Computer Science Master's Thesis Renewal Periods for Cryptographic Keys Simona Posea Supervisors: dr. ir. L.A.M. (Berry) Schoenmakers (TU/e - W&I) drs. D.M. Wieringa RE CISSP (Deloitte - S&P) H. Hambartsumyan MSc. CISA (Deloitte - S&P) Eindhoven, August 2012 Abstract Periodically changing cryptographic keys is a common practice. Standards and publications recommending how long a key may be used before it should be renewed are available for guidance.
    [Show full text]
  • On Matsui's Linear Cryptanalysis Eli Biham Computer Science Department Technion - Israel Institute of Technology Haifa 32000, Israel
    On Matsui's Linear Cryptanalysis Eli Biham Computer Science Department Technion - Israel Institute of Technology Haifa 32000, Israel Abstract In [9] Matsui introduced a new method of cryptanalysis, called Linear Crypt- analysis. This method was used to attack DES using 24z known plaintexts. In this paper we formalize this method and show that although in the details level this method is quite different from differential crypta~alysis, in the structural level they are very similar. For example, characteristics can be defined in lin- ear cryptanalysis, but the concatenation rule has several important differences from the concatenation rule of differential cryptanalysis. We show that the attack of Davies on DES is closely related to linear cryptanalysis. We describe constraints on the size of S boxes caused by linear cryptanalysis. New results to Feal are also described. 1 Introduction In EUR.OCRYPT'93 Matsui introduced a new method of cryptanalysis, called Linear Cryptanalysis [9]. This method was used to attack DES using 24r known plaintexts. In this paper we formalize this method and show that although in the details level this method is quite different from differential cryptanalysis[2,1], in the structural level they are very similar. For example, characteristics can be defined in linear cryptanalysis, but the concatenation rule has several important differences from the concatenation rule of differential cryptanalysis. We show that the attack of Davies[5] on DES is closely related to linear cryptanalysis. We describe constraints on the size of S boxes caused by linear cryptanalysis. New results to Feal[15,11] are also described. 2 Overview of Linear Cryptanalysis Linear cryptanalysis studies statistical linear relations between bits of the plaintexts, the ciphertexts and the keys they are encrypted under.
    [Show full text]
  • AES3 Presentation
    Cryptanalytic Progress: Lessons for AES John Kelsey1, Niels Ferguson1, Bruce Schneier1, and Mike Stay2 1 Counterpane Internet Security, Inc., 3031 Tisch Way, 100 Plaza East, San Jose, CA 95128, USA 2 AccessData Corp., 2500 N University Ave. Ste. 200, Provo, UT 84606, USA 1 Introduction The cryptanalytic community is currently evaluating five finalist algorithms for the AES. Within the next year, one or more ciphers will be chosen. In this note, we argue caution in selecting a finalist with a small security margin. Known attacks continuously improve over time, and it is impossible to predict future cryptanalytic advances. If an AES algorithm chosen today is to be encrypting data twenty years from now (that may need to stay secure for another twenty years after that), it needs to be a very conservative algorithm. In this paper, we review cryptanalytic progress against three well-regarded block ciphers and discuss the development of new cryptanalytic tools against these ciphers over time. This review illustrates how cryptanalytic progress erodes a cipher’s security margin. While predicting such progress in the future is clearly not possible, we claim that assuming that no such progress can or will occur is dangerous. Our three examples are DES, IDEA, and RC5. These three ciphers have fundamentally different structures and were designed by entirely different groups. They have been analyzed by many researchers using many different techniques. More to the point, each cipher has led to the development of new cryptanalytic techniques that not only have been applied to that cipher, but also to others. 2 DES DES was developed by IBM in the early 1970s, and standardized made into a standard by NBS (the predecessor of NIST) [NBS77].
    [Show full text]
  • Zgureanu Aureliu CRIPTAREA ŞI SECURITATEA INFORMAŢIEI Note
    ACADEMIA DE TRANSPORTURI, INFORMATICĂ ŞI COMUNICAŢII Zgureanu Aureliu CRIPTAREA ŞI SECURITATEA INFORMAŢIEI Note de curs CHIŞINĂU 2013 Notele de Curs la disciplina „Criptarea şi securitatea informaţiei” a fost examinat şi aprobat la şedinţa catedrei „Matematică şi Informatică”, proces verbal nr. 3 din 11.11.2013, şi la şedinţa Comisiei metodice şi de calitate a FEI, proces verbal nr. 1 din 02.12.2013. © Zgureanu Aureliu, 2013 2 Cuprins Introducere ............................................................................................................4 Tema 1. Noţiuni de bază ale Criptografiei. .........................................................6 Tema 2. Cifruri clasice. Cifruri de substituţie ..................................................12 Tema 3. Cifruri clasice. Cifrul de transpoziţii ..................................................25 Tema 4. Maşini rotor...........................................................................................30 Tema 5. Algoritmi simetrici de criptare. Cifruri bloc. Reţeaua Feistel ..........40 Tema 6. Algoritmul de cifrare Lucifer ..............................................................46 Tema 7. Algoritmul DES.....................................................................................59 Tema 8. Cifrul AES .............................................................................................69 Tema 9. Algoritmi simetrici de tip şir (stream cypher)...................................80 Tema 10. Criptarea cu cheie publică .................................................................91
    [Show full text]
  • ASBE Defeats Statistical Analysis and Other Cryptanalysis
    Introduction | Statistical Analysis ASBE Defeats Statistical Analysis and Other Cryptanalysis By: Prem Sobel, CTO, MerlinCryption LLC Introduction Anti-Statistical Block Encryption, abbreviated ASBE, uses blocks [Ref 33, p.43-82] as part of the algorithm. These blocks are manipulated in ways different from all currently known and published existing encryption algorithms in variable ways which depend on the key. The ASBE algorithm is designed to be exponentially stronger than existing encryption algorithms and to defeat known Statistical Analysis, Cryptanalysis and Attacks. The purpose of this white paper is to describe how ASBE succeeds in these goals. Statistical Analysis Early encryption techniques are typically variations of substitution ciphers. Statistical analysis attempts to defeat such substitution ciphers, based on statistical knowledge of the language (for example, English) [Ref-1] [Ref-2] [Ref-3] [Ref-32, p.10-13]. These techniques include substitution ciphers such as: . Letter frequency, . Letter frequency of first letter of a word, . Most likely duplicate letter pairs (such as LL EE SS OO TT FF RR NN PP CC in English), . Most likely different letter pairs (in English: TH HE AN RE ER IN ON AT ND ST ES EN OF TE ED OR TI HI AS TO) and non-occurring letter pairs (for example, XJ QG HZ in English), . Most likely letter triples and non-occurring letter triples, . Most likely letter quadruples and non-occurring letter quadruples, and . Most frequent words. These statistics and patterns of multi-letter sequences are language-dependent and are also subject dependent. In the early days of cryptography, there were several limitations and/or assumptions made that are no longer valid today.
    [Show full text]
  • Statistical Cryptanalysis of Block Ciphers
    STATISTICAL CRYPTANALYSIS OF BLOCK CIPHERS THÈSE NO 3179 (2005) PRÉSENTÉE À LA FACULTÉ INFORMATIQUE ET COMMUNICATIONS Institut de systèmes de communication SECTION DES SYSTÈMES DE COMMUNICATION ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE POUR L'OBTENTION DU GRADE DE DOCTEUR ÈS SCIENCES PAR Pascal JUNOD ingénieur informaticien dilpômé EPF de nationalité suisse et originaire de Sainte-Croix (VD) acceptée sur proposition du jury: Prof. S. Vaudenay, directeur de thèse Prof. J. Massey, rapporteur Prof. W. Meier, rapporteur Prof. S. Morgenthaler, rapporteur Prof. J. Stern, rapporteur Lausanne, EPFL 2005 to Mimi and Chlo´e Acknowledgments First of all, I would like to warmly thank my supervisor, Prof. Serge Vaude- nay, for having given to me such a wonderful opportunity to perform research in a friendly environment, and for having been the perfect supervisor that every PhD would dream of. I am also very grateful to the president of the jury, Prof. Emre Telatar, and to the reviewers Prof. em. James L. Massey, Prof. Jacques Stern, Prof. Willi Meier, and Prof. Stephan Morgenthaler for having accepted to be part of the jury and for having invested such a lot of time for reviewing this thesis. I would like to express my gratitude to all my (former and current) col- leagues at LASEC for their support and for their friendship: Gildas Avoine, Thomas Baign`eres, Nenad Buncic, Brice Canvel, Martine Corval, Matthieu Finiasz, Yi Lu, Jean Monnerat, Philippe Oechslin, and John Pliam. With- out them, the EPFL (and the crypto) would not be so fun! Without their support, trust and encouragement, the last part of this thesis, FOX, would certainly not be born: I owe to MediaCrypt AG, espe- cially to Ralf Kastmann and Richard Straub many, many, many hours of interesting work.
    [Show full text]
  • A Pattern Recognition Approach to Block Cipher
    A PATTERN RECOGNITION APPROACH TO BLOCK CIPHER IDENTIFICATION A THESIS submitted by SREENIVASULU NAGIREDDY for the award of the degree of MASTER OF SCIENCE (by Research) DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING INDIAN INSTITUTE OF TECHNOLOGY MADRAS. October 2008 Dedicated to my parents i THESIS CERTIFICATE This is to certify that the thesis entitled A Pattern Recognition Approach to Block Cipher Identification submitted by Sreenivasulu Nagireddy to the Indian Institute of Technology Madras, for the award of the degree of Master of Science (By Research) is a bonafide record of research work carried out by him under our supervision and guidance. The contents of this thesis, in full or in parts, have not been submitted to any other Institute or University for the award of any degree or diploma. Dr. C. Chandra Sekhar Dr. Hema A. Murthy Chennai-600036 Date: ACKNOWLEDGEMENTS I wish to express my gratitude to everyone who contributed in making this work a reality. There are persons not mentioned here but, deserve my token of appreciation, first of all, I thank them all. Let me also thank the Indian Institute of Technology Madras for giving me an opportunity to pursue my post graduation. I am grateful to Computer science department for providing the facilities for the same. This institute has given me great exposure. There has been a drastic change in my vision of life. I enjoyed every moment of my IIT life. I would like to thank my guides, Prof. Hema A. Murthy and Dr. C Chandra Sekhar whose expertise, understanding, and patience, helped me through the course.
    [Show full text]
  • LNCS 1514, Pp
    Optimal Resistance Against the Davies and Murphy Attack Thomas Pornin Ecole´ Normale Sup´erieure, 45 rue d’Ulm, 75005 Paris, France, [email protected] Abstract. In recent years, three main types of attacks have been de- veloped against Feistel-based ciphers, such as DES[1]; these attacks are linear cryptanalysis[2], differential cryptanalysis[3], and the Davies and Murphy attack[4]. Using the discrete Fourier transform, we present here a quantitative criterion of security against the Davies and Murphy attack. Similar work has been done on linear and differential cryptanalysis[5,11]. 1 Introduction The Feistel scheme is a simple design which allows, when suitably iterated, the construction of efficient block cipher, whose deciphering algorithm is implemen- ted in a similar way. The most famous block cipher using a Feistel scheme is DES, where the scheme is iterated 16 times, with 16 subkeys extracted from a unique masterkey. The deciphering algorithm is just the same; the only difference is that the subkeys are taken in reverse order. The masterkey of DES is only 56 bits long; this is vulnerable to exhaustive search. Indeed, specialized DES chips, able to calculate half a million DES ciphers per second, have been considered since 1987[6] and their cost evaluated; it is estimated that a five millions dollars machine using a few thousands of such chips could break a DES with a single plaintext/ciphertext pair in two or three hours[7]; other more recent estimates give lower prices, thanks to continuous technological progress. More recently, following a challenge proposed by RSA Inc., a 56 bits DES key was retrieved from a plaintext/ciphertext pair using only the idle time of a few thousands generic purpose workstations around the world[8].
    [Show full text]
  • An Introduction to Applied Cryptography
    SI4 { R´eseauxAvanc´es Introduction `ala s´ecurit´edes r´eseauxinformatiques An Introduction to Applied Cryptography Dr. Quentin Jacquemart [email protected] http://www.qj.be/teaching/ 1 / 129 Outline ) Introduction • Classic Cryptography and Cryptanalysis • Principles of Cryptography • Symmetric Cryptography (aka. Secret-Key Cryptography) • Asymmetric Cryptography (aka. Public-Key Cryptography) • Hashes and Message Digests • Conclusion 1 / 129 2 / 129 Introduction I • Cryptography is at the crossroads of mathematics, electronics, and computer science • The use of cryptography to provide confidentiality is self-evident • But cryptography is a cornerstone of network security • Cryptology is a (mathematical) discipline that includes | cryptography: studies how to exchange confidential messages over an unsecured/untrusted channel | cryptanalysis: studies how to extract meaning out of a confidential message, i.e. how to breach cryptography 2 / 129 3 / 129 Introduction II • Plaintext: the message to be exchanged between Alice and Bob (P) • Ciphering: a cryptographic function that encodes the plaintext into ciphertext (encrypt: E(·)) • Ciphertext: result of applying the cipher function to the plain text (unreadable) (C) • Deciphering: a cryptographic function that decodes the ciphertext into plaintext (decrypt: D(·)) • Key: a secret parameter given to the cryptographic functions (K ) 3 / 129 4 / 129 Introduction III Trudy Alice Bob plaintext ciphertext plaintext P E(P) P E(P) = D(E(P)) Encryption Decryption Algorithm Algorithm E(·) D(·)
    [Show full text]