DOCSLIB.ORG

A New Method for Designing Lightweight S-Boxes with High Differential and Linear Branch Numbers, and Its Application?

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

A New Method for Designing Lightweight S-Boxes with High Differential and Linear Branch Numbers, and Its Application? Hangi Kim1, Yongjin Jeon1, Giyoon Kim1, Jongsung Kim1;2??, Bo-Yeon Sim1, Dong-Guk Han1;2, Hwajeong Seo3, Seonggyeom Kim4, Seokhie Hong4, Jaechul Sung5, and Deukjo Hong6 1 Department of Financial Information Security, Kookmin University, Republic of Korea 2 Department of Information Security, Cryptology, and Mathematics, Kookmin University, Republic of Korea 3 Division of IT Convergence Engineering, Hansung University, Republic of Korea 4 School of Cyber Security, Korea University, Republic of Korea 5 Department of Mathematics, University of Seoul, Republic of Korea 6 Department of Information Technology & Engineering, Jeonbuk National University, Republic of Korea 1 Abstract. Bit permutations are efficient linear functions often used for 2 lightweight cipher designs. However, they have low diffusion effects, com- 3 pared to word-oriented binary and MDS matrices. Thus, the security of 4 bit permutation-based ciphers is significantly affected by differential and 5 linear branch numbers (DBN and LBN) of nonlinear functions. In this 6 paper, we introduce a widely applicable method for constructing S-boxes 7 with high DBN and LBN. Our method exploits constructions of S-boxes 8 from smaller S-boxes and it derives/proves the required conditions for 9 smaller S-boxes so that the DBN and LBN of the constructed S-boxes 10 are at least 3. These conditions enable us to significantly reduce the 11 search space required to create such S-boxes. In order to make crypto- 12 graphically good and efficient S-boxes, we propose a unbalanced-Bridge 13 structure that accepts one 3-bit and two 5-bit S-boxes, and produces 14 8-bit S-boxes. Using the proposed structure, we develop a variety of new 15 lightweight S-boxes that provide not only both DBN and LBN of at 16 least 3 but also efficient bitsliced implementations including at most 11 17 nonlinear bitwise operations. The new S-boxes are the first that exhibit 18 these characteristics. Moreover, we propose a block cipher PIPO based 19 on one of the new S-boxes, which supports a 64-bit plaintext and a 128 20 or 256-bit key. Our implementations demonstrate that PIPO outperforms 21 existing block ciphers (for the same block and key lengths) in both side- 22 channel protected and unprotected environments, on an 8-bit AVR. The ? This paper is partially based on the paper \PIPO: A Lightweight Block Cipher with Efficient Higher-Order Masking Software Implementations" [43] presented at the 23rd annual International Conference on Information Security and Cryptology (ICISC 2020). ?? Corresponding author, [email protected] 2 Hangi Kim et al. 23 security of PIPO has been scrutinized with regards to state-of-the-art 24 cryptanalysis. 25 Keywords: Lightweight S-boxes · Differential and linear branch num- 26 bers · PIPO · Higher-order masking 27 1 Introduction 28 The fourth industrial revolution encompasses a wide range of advanced technolo- 29 gies. One of its core elements is the Internet of Things (IoT), which binds together 30 people, objects, processes, data, applications, and services to make networked 31 connections more relevant and valuable than ever before. However, trustworthy 32 systems are required to enable secure and reliable IoT-based infrastructures, and 33 an essential building block for such systems is cryptography. 34 Most devices in IoT environments are miniature and resource-constrained. 35 Therefore, lightweight cryptography, which is an active area of research, is es- 36 sential. Some lightweight block ciphers such as PRESENT [25] and CLEFIA [64] 37 have been standardized by ISO/IEC. In addition, a lightweight cryptography 38 standardization project is ongoing at NIST. 39 In 1996, Paul Kocher first introduced side-channel attacks, which extract se- 40 cret information by analyzing side-channel information [51]. Since secure designs 41 for mathematical cryptanalysis cannot guarantee security against side-channel 42 attacks, various countermeasures have been studied. With side-channel attacks 43 becoming more advanced and the associated equipment cost decreasing [71], the 44 application of side-channel countermeasures to ciphers has become crucial. Re- 45 cently, various studies have been actively conducted on efficient implementations 46 of side-channel countermeasures, especially on efficient masked implementations. 47 To minimize performance overhead, the focus has been on reducing the number 48 of nonlinear operations. Several lightweight block ciphers, with the design goal 49 of low nonlinear operation count, have been proposed [2,3,40]. 50 The lightweightness of block ciphers and the efficiency of their side-channel 51 protected implementations depend significantly on their nonlinear functions. 52 Many of lightweight block ciphers use 4-bit S-boxes [2,9,13,25,42] or 8-bit S- 53 boxes [1,14,40,48,64] as nonlinear functions. One of the main design approaches 54 of lightweight 8-bit S-boxes is to use existing structures, such as Feistel, Lai- 55 Massey and MISTY, employing smaller S-boxes (e.g., 3, 4, or 5-bit S-boxes). 56 However, most related studies have focused on the S-box construction to combine 57 with the linear functions such as word-oriented binary or MDS matrices [1,28,40]. 58 Contributions. In this paper, we introduce a construction method for a differ- 59 ent type of lightweight 8-bit S-boxes that are well-suited to a linear bit permu- 60 tation layer, based on which we develop many of new S-boxes with both DBN 61 and LBN of at least 3 and with efficient masked software implementations. We 1 62 employ one of them to design a new lightweight versatile block cipher PIPO , 1 PIPO stands for \Plug-In" and \Plug-Out", representing its use in side-channel pro- tected and unprotected environments, respectively. Title Suppressed Due to Excessive Length 3 63 which can be used in diverse resource-constrained environments, because it is 64 secure and efficient for multiple platforms. Our proposed S-box construction and 65 cipher have the following characteristics and advantages. 66 1. Our S-box construction methodology enables both DBN and LBN of at least 67 3, and this property, in combination with a bit permutation, enhances secu- 68 rity. It can be used in the construction of a variety of S-boxes from smaller 69 S-boxes. In this study, the Feistel, Lai{Massey, and unbalanced-MISTY struc- 70 tures as well as our proposed unbalanced-Bridge structure have been ana- 71 lyzed. Our framework eliminates all the input and output differences (or 72 masks) where the sum of their Hamming weights is two, during which some 73 conditions of the employed smaller S-boxes are induced. These conditions 74 could accelerate the S-box search, resulting in more than 8,000 new lightweight 75 8-bit S-boxes with both DBN and LBN of 3. Their bitsliced implementations 76 include 11 nonlinear bitwise operations each. One of them, whose crypto- 77 graphic properties and efficiency are overall superior or comparable to those 78 of state-of-the-art lightweight S-boxes, was employed for PIPO. Our method- 79 ology was also used to find more than 1,000 8-bit S-boxes with DBN of 4 and 80 LBN of 3. To the best of our knowledge, all the aforementioned S-boxes are 81 the first S-boxes with such properties. Furthermore, we found 6 and 7-bit 82 new S-boxes with both DBN and LBN of 3 which are more efficient than 83 existing ones. 84 2. During the PIPO design process, the focus was on minimizing the number of 85 nonlinear operations bacause this is the most significant factor for efficient 86 higher-order masking implementations. Consequently, PIPO-64/128 achieves 87 fast higher-order masking implementations on an 8-bit AVR, and its execu- 88 tion time increases less with the number of shares (i.e., the masking order) 89 compared with other lightweight 64-bit block ciphers with 128-bit keys. PIPO 90 also shows excellent performance on 8-bit microcontrollers. For the 128-bit 91 key version, the bitsliced implementation for a single-block data requires 92 only 320 bytes of ROM, 31 bytes of RAM, and 197 cycles/byte on an 8MHz 93 ATmega CPU. Accordingly, PIPO-64/128 outperforms other lightweight 64- 94 bit block ciphers with 128-bit keys in terms of 8-bit AVR implementa- 95 tions. It is also competitive in round-based hardware implementations. Using 96 130nm CMOS technology, the round-based and area optimized implemen- 97 tation of PIPO-64/128 requires only 1,446 gates and achieves 492 Kbps at 98 100KHz. Although more gates are required to implement PIPO-64/128 than 99 CRAFT-64/128 [13], Piccolo-64/128 [63], and SIMON-64/128 [12], it can be 100 implemented with at least twice the throughput. Accordingly, PIPO-64/128 101 records a higher FOM. Furthermore, PIPO can be efficiently implemented 102 with minimal memory consumption, other than for storing a plaintext (fol- 103 lowed by an intermediate state) and a key. Predefined tables are unnecessary 104 for the nonlinear and linear layers, due to their efficient bitsliced implemen- 105 tations. The advantage of low memory usage elevates PIPO as the preferred 106 choice for low-resource devices. 4 Hangi Kim et al. 107 Organization. In section 2, we introduce a method for constructing S-boxes 108 with DBN and LBN greater than 2. In section 3, we describe the S-box selection 109 procedure for PIPO and new other S-boxes, based on a comparison of our and 110 existing S-boxes. Section 4 specifies the PIPO cipher and its design choices, and 111 section 5 offers our security and performance evaluations of PIPO.
Recommended publications
  • Zero Correlation Linear Cryptanalysis on LEA Family Ciphers

    Zero Correlation Linear Cryptanalysis on LEA Family Ciphers

    Journal of Communications Vol. 11, No. 7, July 2016 Zero Correlation Linear Cryptanalysis on LEA Family Ciphers Kai Zhang, Jie Guan, and Bin Hu Information Science and Technology Institute, Zhengzhou 450000, China Email: [email protected]; [email protected]; [email protected] Abstract—In recent two years, zero correlation linear Zero correlation linear cryptanalysis was firstly cryptanalysis has shown its great potential in cryptanalysis and proposed by Andrey Bogdanov and Vicent Rijmen in it has proven to be effective against massive ciphers. LEA is a 2011 [2], [3]. Generally speaking, this cryptanalytic block cipher proposed by Deukjo Hong, who is the designer of method can be concluded as “use linear approximation of an ISO standard block cipher - HIGHT. This paper evaluates the probability 1/2 to eliminate the wrong key candidates”. security level on LEA family ciphers against zero correlation linear cryptanalysis. Firstly, we identify some 9-round zero However, in this basic model of zero correlation linear correlation linear hulls for LEA. Accordingly, we propose a cryptanalysis, the data complexity is about half of the full distinguishing attack on all variants of 9-round LEA family code book. The high data complexity greatly limits the ciphers. Then we propose the first zero correlation linear application of this new method. In FSE 2012, multiple cryptanalysis on 13-round LEA-192 and 14-round LEA-256. zero correlation linear cryptanalysis [4] was proposed For 13-round LEA-192, we propose a key recovery attack with which use multiple zero correlation linear approximations time complexity of 2131.30 13-round LEA encryptions, data to reduce the data complexity.
  • Block Ciphers and the Data Encryption Standard

    Block Ciphers and the Data Encryption Standard

    Lecture 3: Block Ciphers and the Data Encryption Standard Lecture Notes on “Computer and Network Security” by Avi Kak ([email protected]) January 26, 2021 3:43pm ©2021 Avinash Kak, Purdue University Goals: To introduce the notion of a block cipher in the modern context. To talk about the infeasibility of ideal block ciphers To introduce the notion of the Feistel Cipher Structure To go over DES, the Data Encryption Standard To illustrate important DES steps with Python and Perl code CONTENTS Section Title Page 3.1 Ideal Block Cipher 3 3.1.1 Size of the Encryption Key for the Ideal Block Cipher 6 3.2 The Feistel Structure for Block Ciphers 7 3.2.1 Mathematical Description of Each Round in the 10 Feistel Structure 3.2.2 Decryption in Ciphers Based on the Feistel Structure 12 3.3 DES: The Data Encryption Standard 16 3.3.1 One Round of Processing in DES 18 3.3.2 The S-Box for the Substitution Step in Each Round 22 3.3.3 The Substitution Tables 26 3.3.4 The P-Box Permutation in the Feistel Function 33 3.3.5 The DES Key Schedule: Generating the Round Keys 35 3.3.6 Initial Permutation of the Encryption Key 38 3.3.7 Contraction-Permutation that Generates the 48-Bit 42 Round Key from the 56-Bit Key 3.4 What Makes DES a Strong Cipher (to the 46 Extent It is a Strong Cipher) 3.5 Homework Problems 48 2 Computer and Network Security by Avi Kak Lecture 3 Back to TOC 3.1 IDEAL BLOCK CIPHER In a modern block cipher (but still using a classical encryption method), we replace a block of N bits from the plaintext with a block of N bits from the ciphertext.
  • KLEIN: a New Family of Lightweight Block Ciphers

    KLEIN: a New Family of Lightweight Block Ciphers

    KLEIN: A New Family of Lightweight Block Ciphers Zheng Gong1, Svetla Nikova1;2 and Yee Wei Law3 1Faculty of EWI, University of Twente, The Netherlands fz.gong, [email protected] 2 Dept. ESAT/SCD-COSIC, Katholieke Universiteit Leuven, Belgium 3 Department of EEE, The University of Melbourne, Australia [email protected] Abstract Resource-efficient cryptographic primitives become fundamental for realizing both security and efficiency in embedded systems like RFID tags and sensor nodes. Among those primitives, lightweight block cipher plays a major role as a building block for security protocols. In this paper, we describe a new family of lightweight block ciphers named KLEIN, which is designed for resource-constrained devices such as wireless sensors and RFID tags. Compared to the related proposals, KLEIN has ad- vantage in the software performance on legacy sensor platforms, while its hardware implementation can be compact as well. Key words. Block cipher, Wireless sensor network, Low-resource implementation. 1 Introduction With the development of wireless communication and embedded systems, we become increasingly de- pendent on the so called pervasive computing; examples are smart cards, RFID tags, and sensor nodes that are used for public transport, pay TV systems, smart electricity meters, anti-counterfeiting, etc. Among those applications, wireless sensor networks (WSNs) have attracted more and more attention since their promising applications, such as environment monitoring, military scouting and healthcare. On resource-limited devices the choice of security algorithms should be very careful by consideration of the implementation costs. Symmetric-key algorithms, especially block ciphers, still play an important role for the security of the embedded systems.
  • On the NIST Lightweight Cryptography Standardization

    On the NIST Lightweight Cryptography Standardization

    On the NIST Lightweight Cryptography Standardization Meltem S¨onmez Turan NIST Lightweight Cryptography Team ECC 2019: 23rd Workshop on Elliptic Curve Cryptography December 2, 2019 Outline • NIST's Cryptography Standards • Overview - Lightweight Cryptography • NIST Lightweight Cryptography Standardization Process • Announcements 1 NIST's Cryptography Standards National Institute of Standards and Technology • Non-regulatory federal agency within U.S. Department of Commerce. • Founded in 1901, known as the National Bureau of Standards (NBS) prior to 1988. • Headquarters in Gaithersburg, Maryland, and laboratories in Boulder, Colorado. • Employs around 6,000 employees and associates. NIST's Mission to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. 2 NIST Organization Chart Laboratory Programs Computer Security Division • Center for Nanoscale Science and • Cryptographic Technology Technology • Secure Systems and Applications • Communications Technology Lab. • Security Outreach and Integration • Engineering Lab. • Security Components and Mechanisms • Information Technology Lab. • Security Test, Validation and • Material Measurement Lab. Measurements • NIST Center for Neutron Research • Physical Measurement Lab. Information Technology Lab. • Advanced Network Technologies • Applied and Computational Mathematics • Applied Cybersecurity • Computer Security • Information Access • Software and Systems • Statistical
  • Chapter 3 – Block Ciphers and the Data Encryption Standard

    Chapter 3 – Block Ciphers and the Data Encryption Standard

    Symmetric Cryptography Chapter 6 Block vs Stream Ciphers • Block ciphers process messages into blocks, each of which is then en/decrypted – Like a substitution on very big characters • 64-bits or more • Stream ciphers process messages a bit or byte at a time when en/decrypting – Many current ciphers are block ciphers • Better analyzed. • Broader range of applications. Block vs Stream Ciphers Block Cipher Principles • Block ciphers look like an extremely large substitution • Would need table of 264 entries for a 64-bit block • Arbitrary reversible substitution cipher for a large block size is not practical – 64-bit general substitution block cipher, key size 264! • Most symmetric block ciphers are based on a Feistel Cipher Structure • Needed since must be able to decrypt ciphertext to recover messages efficiently Ideal Block Cipher Substitution-Permutation Ciphers • in 1949 Shannon introduced idea of substitution- permutation (S-P) networks – modern substitution-transposition product cipher • These form the basis of modern block ciphers • S-P networks are based on the two primitive cryptographic operations we have seen before: – substitution (S-box) – permutation (P-box) (transposition) • Provide confusion and diffusion of message Diffusion and Confusion • Introduced by Claude Shannon to thwart cryptanalysis based on statistical analysis – Assume the attacker has some knowledge of the statistical characteristics of the plaintext • Cipher needs to completely obscure statistical properties of original message • A one-time pad does this Diffusion
  • A Block Cipher Algorithm to Enhance the Avalanche Effect Using Dynamic Key- Dependent S-Box and Genetic Operations 1Balajee Maram and 2J.M

    A Block Cipher Algorithm to Enhance the Avalanche Effect Using Dynamic Key- Dependent S-Box and Genetic Operations 1Balajee Maram and 2J.M

    International Journal of Pure and Applied Mathematics Volume 119 No. 10 2018, 399-418 ISSN: 1311-8080 (printed version); ISSN: 1314-3395 (on-line version) url: http://www.ijpam.eu Special Issue ijpam.eu A Block Cipher Algorithm to Enhance the Avalanche Effect Using Dynamic Key- Dependent S-Box and Genetic Operations 1Balajee Maram and 2J.M. Gnanasekar 1Department of CSE, GMRIT, Rajam, India. Research and Development Centre, Bharathiar University, Coimbatore. [email protected] 2Department of Computer Science & Engineering, Sri Venkateswara College of Engineering, Sriperumbudur Tamil Nadu. [email protected] Abstract In digital data security, an encryption technique plays a vital role to convert digital data into intelligible form. In this paper, a light-weight S- box is generated that depends on Pseudo-Random-Number-Generators. According to shared-secret-key, all the Pseudo-Random-Numbers are scrambled and input to the S-box. The complexity of S-box generation is very simple. Here the plain-text is encrypted using Genetic Operations and S-box which is generated based on shared-secret-key. The proposed algorithm is experimentally investigates the complexity, quality and performance using the S-box parameters which includes Hamming Distance, Balanced Output and the characteristic of cryptography is Avalanche Effect. Finally the comparison results motivates that the dynamic key-dependent S-box has good quality and performance than existing algorithms. 399 International Journal of Pure and Applied Mathematics Special Issue Index Terms:S-BOX, data security, random number, cryptography, genetic operations. 400 International Journal of Pure and Applied Mathematics Special Issue 1. Introduction In public network, several types of attacks1 can be avoided by applying Data Encryption/Decryption2.
  • LEA 192: High Speed Architecture of Lightweight Block Cipher

    LEA 192: High Speed Architecture of Lightweight Block Cipher

    International Journal of Innovative Technology and Exploring Engineering (IJITEE) ISSN: 2278-3075, Volume-9 Issue-2S, December 2019 LEA 192: High Speed Architecture of Lightweight Block Cipher Zeesha Mishra, Shubham Mishra, Bibhudendra Acharya The communication among connected things must be secure Abstract: High-throughput lightweight cryptography and fast while processing confidential data. Due to a calculation is the need of the present world to convey between two substantial amount of sensitive and valuable data and low asset obliged devices Pipelining is the technique have been used computational resources in the network, it has become to achieve high throughput. In this paper we have target to cumbersome to provide security in the IoT[2]. lightweight block cipher LEA. Block size of LEA is 128 and key Resource-constrained applications comprising of sensor size 128, 192, and 256 bit. In this paper we have focus on LEA architecture for 192- bit key size and achieve very good nodes in wireless sensor networks, RFID tags require smaller throughput. This method has a higher capability of throughput as footprint with minimum battery consumption. compared to previous LEA ciphers. Proposed work is 56% LEA[3] is a lightweight block cipher. LEA has 128-bit improved version of compared paper for respective Speed and block size with 128, 192, 256-bit key sizes and rounds 24, 28 area also less than previous architecture. Graph representation and 32 respectively. LEA supports simple ARX (addition have been shown of different matrices and comparison. rotation XOR ) operation, LEA is not using complex S-box Keywords : ARX, Block Cipher, Cryptography, LEA, structure like AES [4] hence it will give high-speed Lightweight, Pipeline, Throughput.
  • A Tutorial on the Implementation of Block Ciphers: Software and Hardware Applications

    A Tutorial on the Implementation of Block Ciphers: Software and Hardware Applications

    A Tutorial on the Implementation of Block Ciphers: Software and Hardware Applications Howard M. Heys Memorial University of Newfoundland, St. John's, Canada email: [email protected] Dec. 10, 2020 2 Abstract In this article, we discuss basic strategies that can be used to implement block ciphers in both software and hardware environments. As models for discussion, we use substitution- permutation networks which form the basis for many practical block cipher structures. For software implementation, we discuss approaches such as table lookups and bit-slicing, while for hardware implementation, we examine a broad range of architectures from high speed structures like pipelining, to compact structures based on serialization. To illustrate different implementation concepts, we present example data associated with specific methods and discuss sample designs that can be employed to realize different implementation strategies. We expect that the article will be of particular interest to researchers, scientists, and engineers that are new to the field of cryptographic implementation. 3 4 Terminology and Notation Abbreviation Definition SPN substitution-permutation network IoT Internet of Things AES Advanced Encryption Standard ECB electronic codebook mode CBC cipher block chaining mode CTR counter mode CMOS complementary metal-oxide semiconductor ASIC application-specific integrated circuit FPGA field-programmable gate array Table 1: Abbreviations Used in Article 5 6 Variable Definition B plaintext/ciphertext block size (also, size of cipher state) κ number
  • State of the Art in Lightweight Symmetric Cryptography

    State of the Art in Lightweight Symmetric Cryptography

    State of the Art in Lightweight Symmetric Cryptography Alex Biryukov1 and Léo Perrin2 1 SnT, CSC, University of Luxembourg, [email protected] 2 SnT, University of Luxembourg, [email protected] Abstract. Lightweight cryptography has been one of the “hot topics” in symmetric cryptography in the recent years. A huge number of lightweight algorithms have been published, standardized and/or used in commercial products. In this paper, we discuss the different implementation constraints that a “lightweight” algorithm is usually designed to satisfy. We also present an extensive survey of all lightweight symmetric primitives we are aware of. It covers designs from the academic community, from government agencies and proprietary algorithms which were reverse-engineered or leaked. Relevant national (nist...) and international (iso/iec...) standards are listed. We then discuss some trends we identified in the design of lightweight algorithms, namely the designers’ preference for arx-based and bitsliced-S-Box-based designs and simple key schedules. Finally, we argue that lightweight cryptography is too large a field and that it should be split into two related but distinct areas: ultra-lightweight and IoT cryptography. The former deals only with the smallest of devices for which a lower security level may be justified by the very harsh design constraints. The latter corresponds to low-power embedded processors for which the Aes and modern hash function are costly but which have to provide a high level security due to their greater connectivity. Keywords: Lightweight cryptography · Ultra-Lightweight · IoT · Internet of Things · SoK · Survey · Standards · Industry 1 Introduction The Internet of Things (IoT) is one of the foremost buzzwords in computer science and information technology at the time of writing.
  • Construction of Stream Ciphers from Block Ciphers and Their Security

    Construction of Stream Ciphers from Block Ciphers and Their Security

    Sridevi, International Journal of Computer Science and Mobile Computing, Vol.3 Issue.9, September- 2014, pg. 703-714 Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology ISSN 2320–088X IJCSMC, Vol. 3, Issue. 9, September 2014, pg.703 – 714 RESEARCH ARTICLE Construction of Stream Ciphers from Block Ciphers and their Security Sridevi, Assistant Professor, Department of Computer Science, Karnatak University, Dharwad Abstract: With well-established encryption algorithms like DES or AES at hand, one could have the impression that most of the work for building a cryptosystem -for example a suite of algorithms for the transmission of encrypted data over the internet - is already done. But the task of a cipher is very specific: to encrypt or decrypt a data block of a specified length. Given an plaintext of arbitrary length, the most simple approach would be to break it down to blocks of the desired length and to use padding for the final block. Each block is encrypted separately with the same key, which results in identical ciphertext blocks for identical plaintext blocks. This is known as Electronic Code Book (ECB) mode of operation, and is not recommended in many situations because it does not hide data patterns well. Furthermore, ciphertext blocks are independent from each other, allowing an attacker to substitute, delete or replay blocks unnoticed. The feedback modes in fact turn the block cipher into a stream cipher by using the algorithm as a keystream generator. Since every mode may yield different usage and security properties, it is necessary to analyse them in detail.
  • Tongan Ways of Talking

    Tongan Ways of Talking

    TONGAN WAYS OF TALKING MELENAITE TAUMOEFOLAU University of Auckland Some excellent work has been published on Tongan speech levels from a sociolinguistic perspective (e.g., Philips 1991). The purpose of this article is to contribute to the literature by describing some important, not previously well-described features of ways of talking (WOT) in Tongan. I will use as my theoretical framework George Grace’s theory of language; he argued that a language is “a generalized way of talking about things” (Grace 1987: 99), a device for saying things, and it is, in turn, made up of “conventionalized ways of talking about consecrated subject-matters” (p. 103). In this article I will distinguish the following “ways of talking” (WOT):1 WOT 1. lea fakatu‘i—way of talking to or about the monarch/king (tu‘i) WOT 2. lea fakahouhou‘eiki—way of talking to or about chiefly people (hou‘eiki) WOT 3. lea fakamatäpule—polite way of talking that is characteristic of titled orators (matäpule) WOT 4. lea fakatökilalo / faka‘aki‘akimui—self-derogatory way of talking when addressing those of higher rank WOT 5. lea tavale—way of talking to a person with whom one is familiar or with whom one is socially equal, or way of talking to or about commoners (tu‘a) WOT 6. lea ‘ita—abusive way of talking Here I make four main claims about Tongan ways of talking: • The number of registers described for Tongan has been underestimated. I distinguish six (above) instead of the three that are traditionally described: of king—tu‘i, of chiefs—hou‘eiki, of commoners—tu‘a.
  • Chapter 2 Block Ciphers

    Chapter 2 Block Ciphers

    Chapter 2 Block Ciphers Block ciphers are the central tool in the design of protocols for shared-key cryp- tography. They are the main available “technology” we have at our disposal. This chapter will take a look at these objects and describe the state of the art in their construction. It is important to stress that block ciphers are just tools—raw ingredients for cooking up something more useful. Block ciphers don’t, by themselves, do something that an end-user would care about. As with any powerful tool, one has to learn to use this one. Even a wonderful block cipher won’t give you security if you use don’t use it right. But used well, these are powerful tools indeed. Accordingly, an important theme in several upcoming chapters will be on how to use block ciphers well. We won’t be emphasizing how to design or analyze block ciphers, as this remains very much an art. The main purpose of this chapter is just to get you acquainted with what typical block ciphers look like. We’ll look at two examples, DES and AES. DES is the “old standby.” It is currently (year 2001) the most widely-used block cipher in existence, and it is of sufficient historical significance that every trained cryptographer needs to have seen its description. AES is a modern block cipher, and it is expected to supplant DES in the years to come. 2.1 What is a block cipher? A block cipher is a function E: {0, 1}k ×{0, 1}n →{0, 1}n that takes two inputs, a k- bit key K and an n-bit “plaintext” M, to return an n-bit “ciphertext” C = E(K, M).