Secret-Key Ciphers ECE 646 – Lecture


ECE 646 – Lecture 7
Secret-Key Ciphers

Data Encryption Standard (DES)

NBS public request for a standard cryptographic algorithm
May 15, 1973, August 27, 1974
The algorithm must be:
• secure
• public: completely specified, easy to understand, available to all users
• economic and efficient in hardware
• able to be validated
• exportable

Secret agreement between IBM & NSA, 1974
Obligations of IBM:
• algorithm developed in secret by IBM
• NSA reserved a right to monitor the development and propose changes
• no software implementations, just hardware chips
• IBM not allowed to ship implementations to certain countries
• license required to ship to carefully selected customers in approved countries
Obligations of NSA:
• seal of approval

DES – chronicle of events
1973 – NBS issues a public request for proposals for a standard cryptographic algorithm
1975 – first publication of IBM's algorithm and request for comments
1976 – NBS organizes two workshops to evaluate the algorithm
1977 – official publication as FIPS PUB 46: Data Encryption Standard
1983, 1987, 1993 – recertification of the algorithm for another five years
1993 – software implementations allowed to be validated

Controversies surrounding DES
  Controversy               Situation at the time                         Later development
  unknown design criteria   most criteria reconstructed from cipher       1990: reinvention of differential cryptanalysis
                            analysis
  slow in software          only hardware implementations certified       1993: software, firmware and hardware treated equally
  too short key             theoretical designs of DES breaking machines  1998: practical DES cracker built

Life of DES (timeline 1977 .. 2030)
1977: DES, 56-bit key
1999: Triple DES, 112- or 168-bit key; later 168-bit keys only
2002: AES (Rijndael), 128-, 192- and 256-bit keys, selected in the AES contest
American standards: DES, Triple DES, AES
Other popular algorithms: IDEA, RC5, Blowfish, CAST, Serpent, Twofish, RC6, Mars

DES – external look
  plaintext block: 64 bits
  DES key: 56 bits
  ciphertext block: 64 bits

DES – high-level internal structure (figure)

Typical Flow Diagram of a Secret-Key Block Cipher
  Round Key[0] → Initial transformation
  i := 1
  Round Key[i] → Cipher Round; i := i + 1; repeated #rounds times (loop while i ≤ #rounds)
  Round Key[#rounds+1] → Final transformation

Classical Feistel Network
  plaintext = L_0 R_0
  for i = 1 to n {
    L_i = R_{i-1}
    R_i = L_{i-1} ⊕ f(R_{i-1}, K_i)
  }
  L_{n+1} = R_n
  R_{n+1} = L_n
  ciphertext = L_{n+1} R_{n+1}

DES Main Loop (figure): IP; L_0 R_0; round 1 with K_1 and f; L_1 R_1; round 2 with K_2 and f; L_2 R_2; … ; L_15 R_15; round 16 with K_16 and f; the halves are swapped to give R_16 L_16; IP^-1

Feistel Structure
Encryption (one round, from L_n R_n to L_{n+1} R_{n+1} under round key K_{n+1}):
  L_{n+1} = R_n
  R_{n+1} = L_n ⊕ f(R_n, K_{n+1})
Decryption (given L_{n+1}, R_{n+1}, recover L_n, R_n):
  R_n = L_{n+1}
  L_n = R_{n+1} ⊕ f(L_{n+1}, K_{n+1})
The same f and the same round key undo the round, so f itself need not be invertible; decryption is encryption with the round keys K_{n+1}, …, K_1 applied in reverse order.

Mangler Function of DES, F (figure)

Notation for Permutations
  Input:  i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 … i56 i57 i58 i59 i60 i61 i62 i63 i64
  Table:  58 50 42 34 26 18 10 2 … 5 63 55 47 39 31 23 15 7
  Output: i58 i50 i42 i34 i26 i18 i10 i2 … i5 i63 i55 i47 i39 i31 i23 i15 i7
The k-th entry of the table is the index of the input bit that becomes output bit k (the table shown is the initial permutation IP).

Notation for S-boxes
  Input: i1 i2 i3 i4 i5 i6
  i1 i6 determine the row number in the S-box table, 0..3
  i2 i3 i4 i5 determine the column in the S-box table, 0..15
  o1 o2 o3 o4 is the binary representation of the number 0..15 found in the given row and the given column
  Output: o1 o2 o3 o4

General design criteria of DES
1. Randomness
2. Avalanche property: changing a single bit at the input changes on average half of the bits at the output
3. Completeness property: every output bit is a complex function of all input bits (and not just a subset of input bits)
4. Nonlinearity: the encryption function is non-affine for any value of the key
5.
Correlation immunity: output bits are statistically independent of any subset of input bits

Completeness property
Every output bit is a complex function of all input bits (and not just a subset of input bits).
Formal requirement: for all i = 1..64 and j = 1..64 there exist inputs X1 and X2 that differ only in bit i,
  X1 = x1 x2 x3 … x(i-1) 0 x(i+1) … x63 x64
  X2 = x1 x2 x3 … x(i-1) 1 x(i+1) … x63 x64
such that the outputs Y1 = DES(X1) and Y2 = DES(X2) differ in bit j:
  Y1 = y1 y2 y3 … y(j-1) yj y(j+1) … y63 y64
  Y2 = y1' y2' y3' … y(j-1)' ¬yj y(j+1)' … y63' y64'
(the remaining output bits y' may or may not change).

Linear Transformations
Transformations that fulfill the condition
  T(X[m×1]) = Y[n×1] = A[n×m] × X[m×1]
or, equivalently,
  T(X1 ⊕ X2) = T(X1) ⊕ T(X2)

Affine Transformations
Transformations that fulfill the condition
  T(X[m×1]) = Y[n×1] = A[n×m] × X[m×1] ⊕ B[n×1]

Linear transformations of DES: IP, IP^-1, E, PC1, PC2, SHIFT
e.g., IP(X1 ⊕ X2) = IP(X1) ⊕ IP(X2)
Non-linear and non-affine transformations of DES: the S-boxes
There are no matrices A[4×6] and B[4×1] such that S(X[6×1]) = A[4×6] × X[6×1] ⊕ B[4×1].

Design of S-boxes
• each S-box row is a table S[0..15]; out = S[in]
• 16! ≈ 2 × 10^13 possibilities for one such row
• precisely defined, initially unpublished criteria
• resistant against differential cryptanalysis (attack known to the designers and rediscovered in the open research in 1990 by E. Biham and A. Shamir)

Theoretical design of the specialized machine to break DES
Project: Michael Wiener, Entrust Technologies, 1993, 1997
Method: exhaustive key search attack
Basic component: specialized integrated circuit in CMOS technology, 75 MHz
Checks: 200 mln keys per second
Cost: $10 per chip
  Total cost    Estimated time
  $1 mln        35 minutes
  $100,000      6 hours

DES breaking machine, block diagram: a key counter feeds Key Scheduling Rounds 1..16, which produce round keys 1..16 for Encryption Rounds 1..16; the known ciphertext passes through the 16 rounds under the candidate key and a comparator checks the result against the known plaintext.

Deep Crack
Electronic Frontier Foundation, 1998
Total cost: $220,000
Average time of search: 4.5 days/key
1800 ASIC chips, 40 MHz clock

Deep Crack parameters
  Number of ASIC chips              1800
  Clock frequency                   40 MHz
  Number of clock cycles per key    16
  Number of search units per ASIC   24
  Search speed                      90 bln keys/s
  Average time to recover the key   4.5 days

COPACOBANA
Cost-Optimized Parallel COde Breaker
Ruhr University, Bochum, University of Kiel, Germany, 2006
Cost: € 8980 (ver. 1)
• based on Xilinx FPGAs (Field Programmable Gate Arrays)
• ver. 1 – based on 120 Spartan 3 FPGAs
• ver. 2 – based on 128 Virtex 4 SX 35 FPGAs
• description, FAQ, and news available at http://www.copacobana.org/
• for ver. 1 based on Spartan FPGAs:
  Clock frequency = 136 MHz
  Average search time for a single DES key = 6.4 days
  Worst case search time for a single DES key = 12.8 days

Secure key length today and in 20 years
(against an intelligence agency with the budget of $300M)
  128 bits   IDEA, minimum key length in AES
  112 bits   Triple DES with three different keys
  100 bits   secure key length in 2027
   94 bits   secure key length in 2018
   80 bits   Skipjack
   56 bits   DES

Secure key length – discussion
• increasing key length in a newly developed cipher costs NOTHING
• increasing effective key length, assuming the use of an existing cipher, has a limited influence on the efficiency of implementation (Triple DES)
• it is economical to use THE SAME secure key length FOR ALL applications
• the primary barriers blocking the use of symmetric ciphers with a secure key length have been of a political nature (e.g., export policy of USA)

Triple DES, EDE mode with two keys and with three keys (Diffie, Hellman, 1977)
Two keys: encryption = E_K1, then D_K2, then E_K1; decryption = D_K1, then E_K2, then D_K1 (each stage is a DES operation with a 56-bit key)
Three keys: encryption = E_K1, then D_K2, then E_K3; decryption = D_K3, then E_K2, then D_K1

Triple DES
Advantages:
• secure key length (112 or 168 bits)
• increased resistance, compared to DES, to linear and differential cryptanalysis
• possibility of utilizing existing implementations of DES
Disadvantages:
• relatively slow, especially in software

Best Attacks Against Triple DES
• Version with three keys (168 bits of key): meet-in-the-middle attack with 2^32 known plaintexts, 2^113 steps, 2^90 single DES encryptions and 2^88 memory; effective key size = 112 bits (about 2^112 work)
• Version with two keys (112 bits of key): effective key size = 80 bits (about 2^80 work)

Why a new standard?
1. Old standard insecure against brute-force attacks
2. Straightforward fixes lead to inefficient implementations (Triple DES: in → K1 → K2 → K3 → out)
3. New trends in fast software encryption: use of basic instructions of the microprocessor
4. New ways of assessing cipher strength: differential cryptanalysis, linear cryptanalysis

Advanced Encryption Standard (AES)

Why a contest?
• focus the effort of the cryptographic community (small number of specialists in the open research)
• stimulate the research on methods of constructing secure ciphers
• avoid backdoor theories
• speed up the acceptance of the standard

External format of the AES algorithm
  plaintext block: 128 bits
  AES key: 128, 192, 256 bits
  ciphertext block: 128 bits

Rules of the contest
Each team submits:
• detailed cipher description
• justification of design decisions
• tentative results of cryptanalysis
• source code in C
• source code in Java
• test vectors

AES Contest Effort
June 1998 – 15 candidates from USA, Canada, Belgium, France, Germany, Norway, UK, Israel, Korea, Japan, Australia, Costa Rica
Round 1: security, software efficiency
August 1999 – Round 2, 5 final candidates: Mars, RC6, Rijndael, Serpent, Twofish
Round 2: security, hardware efficiency
October 2000 – 1 winner: Rijndael (Belgium)

AES contest – First Round
15 June 1998 – deadline for submitting candidates; 21 submissions, 15 fulfilled all requirements
August 1998 – 1st AES Conference in Ventura, CA; presentation of candidates
March 1999 – 2nd AES Conference in Rome, Italy; review of results of the First Round analysis
August 1999 – NIST announces five final candidates

AES: Candidate algorithms
North America (8): Canada: CAST-256, Deal; USA: Mars, RC6, Twofish, Safer+, HPC; Costa Rica: Frog
Europe (4): Germany: Magenta; Belgium: Rijndael; France: DFC; Israel, UK, Norway: Serpent
Asia (2): Korea: Crypton; Japan: E2
Australia (1): LOKI97

AES Finalists (1) / AES Finalists (2)
USA: Mars – IBM; Europe: C.
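The following is an added worked example, not code from the lecture. It ties together the Feistel structure and its decryption, the permutation and S-box notation, EDE triple encryption with two and three keys, and the key-counter-plus-comparator loop of the DES-breaking machines, using one small cipher so that every piece can be run and checked. The IP table and S-box S1 are the real DES tables from FIPS PUB 46; the 16-bit block, 16-bit key, rotating key schedule and two-S-box round function are toy assumptions chosen so that an exhaustive key search finishes in seconds on a laptop (a single DES key would take 2^56 such trials).

```python
"""Added example (not code from the lecture): a small Feistel cipher in the
slides' notation, EDE triple encryption and the exhaustive key search that
the DES-cracking machines above perform.  IP and S1 are the real DES tables
(FIPS PUB 46); the 16-bit block, 16-bit key, key schedule and round function
are toy assumptions so that the brute-force search finishes in seconds."""

# DES initial permutation IP (FIPS PUB 46): entry k gives the input bit
# (1 = most significant) that becomes output bit k, as in the slide notation.
IP = (58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7)
# DES S-box S1 (FIPS PUB 46): 4 rows x 16 columns of 4-bit outputs.
S1 = ((14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7),
      (0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8),
      (4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0),
      (15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13))
BLOCK, HALF, KEY_BITS, ROUNDS = 16, 8, 16, 8   # toy parameters (assumed)

def permute(x, table, width):
    """Slide notation: output bit k (1 = MSB) is input bit table[k-1] of x."""
    out = 0
    for k, src in enumerate(table, start=1):
        out |= ((x >> (width - src)) & 1) << (len(table) - k)
    return out

def invert_table(table):
    """Inverse permutation table, e.g. IP^-1 from IP."""
    inv = [0] * len(table)
    for k, src in enumerate(table, start=1):
        inv[src - 1] = k
    return tuple(inv)

def sbox(table, six):
    """Slide notation: bits i1 i6 pick the row (0..3), i2..i5 the column."""
    row = (((six >> 5) & 1) << 1) | (six & 1)
    return table[row][(six >> 1) & 0xF]

def round_keys(key, n=ROUNDS):
    """Toy key schedule (assumption): K_i = low byte of the key rotated left
    by 5*i bits, so that the rounds together depend on every key bit."""
    keys = []
    for i in range(1, n + 1):
        rot = (5 * i) % KEY_BITS
        keys.append(((key << rot) | (key >> (KEY_BITS - rot))) & 0xFF)
    return keys

def mangler(r, k):
    """Toy f: XOR in the round key, push two overlapping 6-bit windows through
    S1 and concatenate the two 4-bit outputs."""
    t = r ^ k
    return (sbox(S1, t & 0x3F) << 4) | sbox(S1, (t >> 2) & 0x3F)

def feistel(block, keys):
    """Classical Feistel network from the slides: L_i = R_{i-1},
    R_i = L_{i-1} xor f(R_{i-1}, K_i), then the final swap L_{n+1} = R_n,
    R_{n+1} = L_n.  Feeding the round keys in reverse order undoes it."""
    L, R = block >> HALF, block & ((1 << HALF) - 1)
    for k in keys:
        L, R = R, L ^ mangler(R, k)
    return (R << HALF) | L

def encrypt(block, key):
    return feistel(block, round_keys(key))

def decrypt(block, key):
    return feistel(block, round_keys(key)[::-1])

def ede_encrypt(block, k1, k2, k3=None):
    """EDE mode as on the slides: E_K1, D_K2, E_K3.  k3 omitted gives the
    two-key variant (K3 = K1); k1 == k2 == k3 collapses to a single
    encryption, which keeps data from single-key deployments readable."""
    k3 = k1 if k3 is None else k3
    return encrypt(decrypt(encrypt(block, k1), k2), k3)

def ede_decrypt(block, k1, k2, k3=None):
    """Inverse of ede_encrypt: D_K3, E_K2, D_K1."""
    k3 = k1 if k3 is None else k3
    return decrypt(encrypt(decrypt(block, k3), k2), k1)

def key_search(pairs):
    """Exhaustive search as in the cracker diagrams: a key counter feeds the
    key schedule, the known plaintext is encrypted and a comparator checks it
    against the known ciphertext; a second pair rejects false matches."""
    (p0, c0), rest = pairs[0], pairs[1:]
    for key in range(1 << KEY_BITS):
        if encrypt(p0, key) == c0 and all(encrypt(p, key) == c for p, c in rest):
            return key
    return None

def avalanche(key, samples=64):
    """Average number of the 16 ciphertext bits that flip when one plaintext
    bit flips (design criterion 2 above), over constructed plaintexts."""
    total = 0
    for s in range(samples):
        p = (s * 0x9E37) & 0xFFFF
        total += bin(encrypt(p, key) ^ encrypt(p ^ (1 << (s % BLOCK)), key)).count("1")
    return total / samples
```

Two points worth checking when running it: `key_search` recovers a 16-bit toy key from two known plaintext/ciphertext pairs in well under a second, and scaling the same loop to 2^56 keys is exactly the arithmetic behind the Wiener, Deep Crack and COPACOBANA figures above; and `ede_encrypt(p, k, k, k)` equals `encrypt(p, k)`, which is the compatibility property that made the E-D-E arrangement (rather than E-E-E) attractive for Triple DES.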