DOCSLIB.ORG

Developments in Authenticated Encryption

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Developments in Authenticated Encryption Dr. Markku-Juhani O. Saarinen [email protected] Norwegian University of Science and Technology Finse Winter School, 05 May 2014 1 / 59 1. Layman’s Introduction to Authenticated Encryption 2 / 59 Authenticated Encryption An Authenticated Encryption (AE) primitive provides both: I Authentication or message integrity protection, and I Encryption or confidentiality / privacy protection. Preferably in a single processing step, allowing parallelism. Security protocols such as IPSec and SSL/TLS usually required two processing steps for each packet in 1990’s and 200x’s. I Authentication was handled with HMAC (Hash Message Authentication Code), which builds a MAC from a hash H: SQ HMAC(K; m) = H(K ⊕ opad j H(K ⊕ ipad j m)). I Encryption was provided either with block cipher such as 3DES-CBC or AES-CBC or a stream cipher such as RC4. Hardware implementation of such a twin set-up is cumbersome. This is still the standard mechanism in TLS 1.3, although transition to authenticated encryption has been swift during last few years. 3 / 59 Encrypt-then-MAC vs. MAC-then-Encrypt (1) M. Bellare and C. Nampremprey: “Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm” ASIACRYPT 2000. This paper was quite influential about 10+ years ago, but the results have been overstated and often misinterpreted. It claimed that Encrypt-and-MAC (i.e. any modern Authenticated Encryption algorithm) “does not preserve privacy” .. because the MAC could reveal information about the plaintext. Solution: Just use any (randomized) MAC that does not reveal such information. 4 / 59 Encrypt-then-MAC vs. MAC-then-Encrypt (2) M. Bellare and C. Nampremprey: E & M also fails to provide integrity of ciphertexts. This is because there are secure encryption schemes with the property that a ciphertext can be modified without changing its decryption. Solution: Show that your encryption scheme does not have that property. For example all stream ciphers are bijective and do not have that property; Integrity of ciphertext exists for those. One can reasonably argue that the models (for “secure encryption schemes” and “secure MACs”) that Bellare & Co. chose to use were broken, not Encrypt-and-MAC itself. 5 / 59 Authenticated Encryption with Associated Data An Authenticated Encryption with Associated Data (AEAD) primitive additionally allows associated (plaintext) data to be authenticated (integrity protection only). Inputs: I Secret Key for both confidentiality and integrity. I Initialization Vector (IV) which is typically a nonce. I Associated Data which is not encrypted, only authenticated. I Plaintext which is encrypted for confidentiality protection, and also authenticated. Outputs: I Ciphertext, which corresponds to the plaintext above. I Authentication Code, against modification of Ciphertext or Associated Data. (Ciphertext and MAC may be intermixed.) 6 / 59 Role of Associated Data (1) Authenticated Associated Data (AAD) typically consists of information such as: I Session identifier or Security Association I Source and destination address of message I Sequence number and other information stream reassembly This information must be transmitted in clear for correct delivery, but its content must still be integrity protected with an authentication key for security. Associated Data is typically managed by the secure transport protocol or layer, and is transmitted in clear. 7 / 59 Role of Associated Data (2) Managed by a Transport Protocol such as TLS, IPSec, SSH, ZRTP etc From Alice's Application Message Payload Associated Data Nonce Secret Key confidentiality and integrity integrity protection only usually unique for message for auth and encrypt AEAD Authenticated Ciphertext transmitted in clear optionally transmitted not transmitted, shared encrypted payload tag AEAD−1 Message Payload or FAIL confidentiality and integrity To Bob's Application 8 / 59 2010s: With AES-GCM AE is now mainstream Your gmail, facebook, and VPN probably uses AES-GCM. GCM: Galois / Counter Mode, FIPS SP 800-38D (2007) is an AEAD mode for AES. 9 / 59 AES-GCM Only Approved “Suite B” Algorithm AES-GCM is currently the only approved algorithm in NSA’s unclassified “Suite B”, making it basically the only choice for Governmental and NATO COTS information processing. Currently certified up to TOP SECRET with 256-bit keys. 10 / 59 Historical Timeline I Authenticated encryption schemes go back some 30+ years (ANSI X9.9 CBC-MAC, 1981). I First “provably secure” AEAD mode in year 2000 (IACBC). I The 2004 total break of MD5 by Xiaoyun Wang & Co. resulted in near-panic with regard to SHA security, which in turn led to the SHA-3 competition (2007-2012). I Apparently fear for HMAC-SHA security caused NSA to adopt AES-GCM in Suite B (2005) and to issue IETF RFCs for AES-GCM use in SSH, TLS, and IPSec. I This is of course really quite silly as we know that even HMAC-MD5 is more secure than AES-GCM (later). I Some fear the the push by NSA to put AES-GCM everywhere is driven by some nefarious motives (I don’t think so). I AES-GCM was applauded by the industry (e.g. CISCO) since AES-GCM is significantly easier/cheaper to implement for high-speed links in hardware. Intel adopted hardware assistance in its processors in the form of AES NIS. 11 / 59 -H11- 56E6F098 -H12- E5431535 01 D6E6F098 -H10- D1BC7534 E5431535 90D04D25 74C952DB D1BC7534 01 01 F93556E6 12 74C952DB 9F58CE2F -H13- 8D035A94 12178D40 05 26DA1DCA 09 03 01 03 06 42967787 -H09- 30EB9A9E 82C7C065 01 DFEF4B2C 10 DDCEB9A8 06 BDE8C00A -H14- C636BDBD 01 1C7643D3 09 4EE4BB1B 12 F9CA084F -H08- 542130FD 12 3AAC5E19 01 0C72CC9C C92192D1 10 09 -H00- 80000000 01 00000000 00 00000000 06 00000000 -H07- 02C7C065 05 DFEF4B2C 01 DDCEB9A8 03 BDE8C00A 03 -H01- 06 C4F17DD8 01 C39908FF 932A02B3 -H06- 09 4422C845 92178D40 01 05 26DA1DCA 42967787 12 -H02- 30EB9A9E 09 10 06 12 D42130FD 01 3AAC5E19 -H05- 0C72CC9C 01 10D04D25 C92192D1 -H03- F93556E6 03 9F58CE2F -H04- 4636BDBD 01 8D035A94 01 44F17DD8 1C7643D3 C39908FF 4EE4BB1B 932A02B3 F9CA084F 4422C845 1 12 “Cycling Attacks on GCM, GHASH and Other Polynomial MACs and Hashes” FSE 2012, Washington D.C. 20 March 2012 12 / 59 2. 21st Century crypto: Sponges, KECCAK, and CAESAR 13 / 59 SHA-3 Algorithm KECCAK: A Sponge-Based Hash I 11 Feb 2007 NIST Call for Proposals I 31 Oct 2008 SHA3 Submissions (64) I 10 Dec 2008 First Round (54) I 24 Jul 2009 Second Round (14) I 09 Dec 2010 SHA3 Finalists (5) I 12 Aug 2011 KECCAK Team in SAC ’11: “Duplexing the sponge..” I 02 Oct 2012 KECCAK Chosen KECCAK and “Sponge I Functions” were invented by: 04 Apr 2014 NIST publishes “DRAFT FIPS 202, SHA-3 Standard: Guido Bertoni (STMicro) Permutation-Based Hash and Joan Daemen (STMicro) Extendable-Output Functions” Michaël Peeters (NXP) ≈ 2015 KECCAK will be officially Giles Van Assche (STMicro) Secure Hash Algorithm 3. 14 / 59 SHA-3 Algorithm KECCAK: An U.S. Standard I So.. an European Sponge will become the new U.S. Civilian, Federal Government and Military cryptographic hash standard for digital signatures and other uses. I And it might also become the standard for Authenticated Encryption ! 15 / 59 The Sponge Construction for Hashing I More general than traditional hash function: arbitrary-length output I Built from a b-bit permutation f (π commonly used), with b = r + c I r bits of rate, related to hashing speed I c bits of capacity, related to security 16 / 59 Generic Security as a Hash (from Keccak team) RO-differentiating adv. ≤ N2/2c+1 I Proven by Keccak team, Eurocrypt 2008 I As strong as random oracle against attacks with N < 2c/2 Bound assumes f to be a random I N is the number of f permutation invocations I Covers generic attacks against I r is the rate in bits the mode I c is the capacity in bits I .. but not attacks that exploit specific properties of f 17 / 59 Regular Hashing and Salted Hashing Unkeyed Hash Mode (SHA-3) I Electronic signatures (PKCS #1 RSA, ECDSA) I Data integrity (sha1sum etc) I Data id (git, anti-virus, P2P) Salted Mode I Randomized hashing (RSASSA-PSS, Salt = IV) I Password storage (/etc/shadow) I Message Authentication Codes (Salt = KEY) I Different security parameters 18 / 59 Other Provable Uses for Sponge Permutations Key Padded message MAC Key IV 0 f f f … f f 0 f f f Key stream MAC Mode: Provably secure. Key IV Padded message MAC Stream Cipher Mode: Provably secure. 0 f f f … f f Authenticated Encryption is Key stream encryption + MAC. We’ll come back to this later. 19 / 59 DuplexWrap (basic Sponge AE Scheme) Bounds Theorem The DuplexWrap and BLNK authenticated encryption modes satisfy the following privacy and authentication security bounds: 2 − M + 4MN Advpriv (A) < (M + N)2 k + sbob 2c+1 2 − M + 4MN Advauth(A) < (M + N)2 k + sbob 2c+1 against any single adversary A if K $ f0; 1gk, tags of l ≥ t bits are used, and π is a randomly chosen permutation. M is the data complexity (total number of blocks queried from keyed sponge instance) and N is the time complexity (total number equivalents of π or its inverse execution time). Proof. Theorem 4 of [KeyakV1]. See also [AnMePr10,BeDaPeAs11]. 20 / 59 CAESAR 2014-2017 NIST-Funded Competition for Authenticated Encryption: Security, Applicability, and Robustness. http://competitions.cr.yp.to/caesar.html I 15 Jan 2013 Announced by Dan Bernstein I 15 Mar 2014 First round submissions (57) I 15 May 2014 First-round software I 23-24 Aug 2014 DIAC ’14, UCSB I 15 Jan 2015 Second round candidates I 15 Feb 2015 Second round tweaks (fixes) I 15 Dec 2015 Third round candidates I 15 Dec 2016 Final round candidates I 15 Dec 2017 Portfolio announcement 21 / 59 CAESAR Situation May 1, 2014 See https://aezoo.compute.dtu.dk for updates.
Recommended publications
  • The Missing Difference Problem, and Its Applications to Counter Mode

    The Missing Difference Problem, and Its Applications to Counter Mode

    The Missing Difference Problem, and its Applications to Counter Mode Encryption? Ga¨etanLeurent and Ferdinand Sibleyras Inria, France fgaetan.leurent,[email protected] Abstract. The counter mode (CTR) is a simple, efficient and widely used encryption mode using a block cipher. It comes with a security proof that guarantees no attacks up to the birthday bound (i.e. as long as the number of encrypted blocks σ satisfies σ 2n=2), and a matching attack that can distinguish plaintext/ciphertext pairs from random using about 2n=2 blocks of data. The main goal of this paper is to study attacks against the counter mode beyond this simple distinguisher. We focus on message recovery attacks, with realistic assumptions about the capabilities of an adversary, and evaluate the full time complexity of the attacks rather than just the query complexity. Our main result is an attack to recover a block of message with complexity O~(2n=2). This shows that the actual security of CTR is similar to that of CBC, where collision attacks are well known to reveal information about the message. To achieve this result, we study a simple algorithmic problem related to the security of the CTR mode: the missing difference problem. We give efficient algorithms for this problem in two practically relevant cases: where the missing difference is known to be in some linear subspace, and when the amount of data is higher than strictly required. As a further application, we show that the second algorithm can also be used to break some polynomial MACs such as GMAC and Poly1305, with a universal forgery attack with complexity O~(22n=3).
  • State of the Art in Lightweight Symmetric Cryptography

    State of the Art in Lightweight Symmetric Cryptography

    State of the Art in Lightweight Symmetric Cryptography Alex Biryukov1 and Léo Perrin2 1 SnT, CSC, University of Luxembourg, [email protected] 2 SnT, University of Luxembourg, [email protected] Abstract. Lightweight cryptography has been one of the “hot topics” in symmetric cryptography in the recent years. A huge number of lightweight algorithms have been published, standardized and/or used in commercial products. In this paper, we discuss the different implementation constraints that a “lightweight” algorithm is usually designed to satisfy. We also present an extensive survey of all lightweight symmetric primitives we are aware of. It covers designs from the academic community, from government agencies and proprietary algorithms which were reverse-engineered or leaked. Relevant national (nist...) and international (iso/iec...) standards are listed. We then discuss some trends we identified in the design of lightweight algorithms, namely the designers’ preference for arx-based and bitsliced-S-Box-based designs and simple key schedules. Finally, we argue that lightweight cryptography is too large a field and that it should be split into two related but distinct areas: ultra-lightweight and IoT cryptography. The former deals only with the smallest of devices for which a lower security level may be justified by the very harsh design constraints. The latter corresponds to low-power embedded processors for which the Aes and modern hash function are costly but which have to provide a high level security due to their greater connectivity. Keywords: Lightweight cryptography · Ultra-Lightweight · IoT · Internet of Things · SoK · Survey · Standards · Industry 1 Introduction The Internet of Things (IoT) is one of the foremost buzzwords in computer science and information technology at the time of writing.
  • Thesis Submitted for the Degree of Doctor of Philosophy

    Thesis Submitted for the Degree of Doctor of Philosophy

    Optimizations in Algebraic and Differential Cryptanalysis Theodosis Mourouzis Department of Computer Science University College London A thesis submitted for the degree of Doctor of Philosophy January 2015 Title of the Thesis: Optimizations in Algebraic and Differential Cryptanalysis Ph.D. student: Theodosis Mourouzis Department of Computer Science University College London Address: Gower Street, London, WC1E 6BT E-mail: [email protected] Supervisors: Nicolas T. Courtois Department of Computer Science University College London Address: Gower Street, London, WC1E 6BT E-mail: [email protected] Committee Members: 1. Reviewer 1: Professor Kenny Paterson 2. Reviewer 2: Dr Christophe Petit Day of the Defense: Signature from head of PhD committee: ii Declaration I herewith declare that I have produced this paper without the prohibited assistance of third parties and without making use of aids other than those specified; notions taken over directly or indirectly from other sources have been identified as such. This paper has not previously been presented in identical or similar form to any other English or foreign examination board. The following thesis work was written by Theodosis Mourouzis under the supervision of Dr Nicolas T. Courtois at University College London. Signature from the author: Abstract In this thesis, we study how to enhance current cryptanalytic techniques, especially in Differential Cryptanalysis (DC) and to some degree in Al- gebraic Cryptanalysis (AC), by considering and solving some underlying optimization problems based on the general structure of the algorithm. In the first part, we study techniques for optimizing arbitrary algebraic computations in the general non-commutative setting with respect to sev- eral metrics [42, 44].
  • Linear-XOR and Additive Checksums Don't Protect Damgård-Merkle

    Linear-XOR and Additive Checksums Don't Protect Damgård-Merkle

    Linear-XOR and Additive Checksums Don’t Protect Damg˚ard-Merkle Hashes from Generic Attacks Praveen Gauravaram1! and John Kelsey2 1 Technical University of Denmark (DTU), Denmark Queensland University of Technology (QUT), Australia. [email protected] 2 National Institute of Standards and Technology (NIST), USA [email protected] Abstract. We consider the security of Damg˚ard-Merkle variants which compute linear-XOR or additive checksums over message blocks, inter- mediate hash values, or both, and process these checksums in computing the final hash value. We show that these Damg˚ard-Merkle variants gain almost no security against generic attacks such as the long-message sec- ond preimage attacks of [10,21] and the herding attack of [9]. 1 Introduction The Damg˚ard-Merkle construction [3, 14] (DM construction in the rest of this article) provides a blueprint for building a cryptographic hash function, given a fixed-length input compression function; this blueprint is followed for nearly all widely-used hash functions. However, the past few years have seen two kinds of surprising results on hash functions, that have led to a flurry of research: 1. Generic attacks apply to the DM construction directly, and make few or no assumptions about the compression function. These attacks involve attacking a t-bit hash function with more than 2t/2 work, in order to violate some property other than collision resistance. Exam- ples of generic attacks are Joux multicollision [8], long-message second preimage attacks [10,21] and herding attack [9]. 2. Cryptanalytic attacks apply to the compression function of the hash function.
  • CRYPTANALYSIS of GOST in the MULTIPLE-KEY SCENARIO 1. The

    CRYPTANALYSIS of GOST in the MULTIPLE-KEY SCENARIO 1. The

    Ø Ñ ÅØÑØÐ ÈÙ ÐØÓÒ× DOI: 10.2478/tmmp-2013-0035 Tatra Mt. Math. Publ. 57 (2013), 45–63 CRYPTANALYSIS OF GOST IN THE MULTIPLE-KEY SCENARIO Nicolas T. Courtois ABSTRACT. GOST 28147-89 is a well-known 256-bit block cipher. In 2010 GOST was submitted to ISO, to become an international standard. Then many academic attacks which allow to break full GOST faster than brute force have been found. The fastest known single-key attack on GOST for 264 of data is 2179 of [Courtois, N.: An improved differential attack on full GOST, Cryptol- ogy ePrint Archive, Report 2012/138, http://eprint.iacr.org/2012/138]and for 232 of data it is 2191 of [Courtois, N.: Algebraic complexity reduction and cryptanalysis of GOST, Preprint, 2010–13, http://eprint.iacr.org/2011/626]. Other results are slower but require significantly less memory [Courtois, N.: Al- gebraic complexity reduction and cryptanalysis of GOST, Preprint, 2010–2013, http://eprint.iacr.org/2011/626], [Dinur, I.—Dunkelman, O.—Shamir, A.: Improved attacks on full GOST, in: Fast Software Encryption—FSE ’12, 19th Internat. Workshop, Washington, USA, 2012, Lecture Notes in Comput. Sci., Vol. 7549, Springer, Berlin, 2012, pp. 9–28, http://eprint.iacr.org/2011/558/]. The common stereotype is that these will be “the best” attacks on GOST. However, ciphers are not used in practice with single keys, on the contrary. In this paper we intend to show that there exist attacks on GOST which are more versatile and even somewhat more “practical” than the best single key attack. We argument that multiple random key attacks not single key attacks, are more practical and more likely to be executed in the real life.
  • Exponential S-Boxes: a Link Between the S-Boxes of Belt and Kuznyechik/Streebog

    Exponential S-Boxes: a Link Between the S-Boxes of Belt and Kuznyechik/Streebog

    Exponential S-Boxes: a Link Between the S-Boxes of BelT and Kuznyechik/Streebog Léo Perrin and Aleksei Udovenko SnT, University of Luxembourg {leo.perrin,aleksei.udovenko}@uni.lu Abstract. The block cipher Kuznyechik and the hash function Streebog were recently standardized by the Russian Federation. These primitives use a common 8-bit S-Box, denoted 휋, which is given only as a look-up table. The rationale behind its design is, for all practical purposes, kept secret by its authors. In a paper presented at Eurocrypt 2016, Biryukov et al. reverse-engineered this S-Box and recovered an unusual Feistel-like structure relying on finite field multiplications. In this paper, we provide a new decomposition of this S-Box and describe how we obtained it. The first step was the analysis of the 8-bit S-Box of the current standard block cipher of Belarus, BelT. This S-Box is a variant of a so-called exponential substitution, a concept we generalize into pseudo-exponential substitution. We derive distinguishers for such permutations based on properties of their linear approximation tables and notice that 휋 shares some of them. We then show that 휋 indeed has a decomposition based on a pseudo-exponential substitution. More precisely, we obtain a simpler structure based on an 8-bit finite field exponentiation, one 4-bit S-Box, a linear layer and a few modular arithmetic operations. We also make several observations which may help cryptanalysts attempting to reverse-engineer other S-Boxes. For example, the visual pattern used in the previous work as a starting point to decompose 휋 is mathematically formalized and the use of differential patterns involving operations other than exclusive-or is explored.
  • On Hash Functions Using Checksums

    On Hash Functions Using Checksums

    Downloaded from orbit.dtu.dk on: Sep 27, 2021 On hash functions using checksums Gauravaram, Praveen; Kelsey, John; Knudsen, Lars Ramkilde; Thomsen, Søren Steffen Publication date: 2008 Document Version Early version, also known as pre-print Link back to DTU Orbit Citation (APA): Gauravaram, P., Kelsey, J., Knudsen, L. R., & Thomsen, S. S. (2008). On hash functions using checksums. MAT report No. 2008-06 General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. Users may download and print one copy of any publication from the public portal for the purpose of private study or research. You may not further distribute the material or use it for any profit-making activity or commercial gain You may freely distribute the URL identifying the publication in the public portal If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. On hash functions using checksums ⋆ Praveen Gauravaram1⋆⋆, John Kelsey2, Lars Knudsen1, and Søren Thomsen1⋆ ⋆ ⋆ 1 DTU Mathematics, Technical University of Denmark, Denmark [email protected],[email protected],[email protected] 2 National Institute of Standards and Technology (NIST), USA [email protected] Abstract. We analyse the security of iterated hash functions that compute an input dependent check- sum which is processed as part of the hash computation.
  • Streebog and Kuznyechik Inconsistencies in the Claims of Their Designers

    Streebog and Kuznyechik Inconsistencies in the Claims of Their Designers

    Streebog and Kuznyechik Inconsistencies in the Claims of their Designers Léo Perrin [email protected] @lpp_crypto IETF Workshop, Montréal Standards and S-boxes On the S-box of RFC 6986 and 7801 The Core Issue: the S-Box Generation Process Conclusion Partitions in the S-Box of Streebog and Kuznyechik Transactions in Symmetric Léo Perrin Inria, France [email protected] Cryptology, Volume 2019, No. 1, pp. Abstract. Streebog and Kuznyechik are the latest symmetric cryptographic primitives standardized by the Russian GOST. They share the same S-Box, 휋, whose design process was not described by its authors. In previous works, Biryukov, Perrin and 302-329. Best paper award! Udovenko recovered two completely different decompositions of this S-Box. We revisit their results and identify a third decomposition of 휋. It is an instance of a fairly small family of permutations operating on 2푚 bits which we call TKlog and which is closely related tofnitefeld logarithms. Its simplicity and the small number of components it uses lead us to claim that it has to be the structure intentionally used by the designers of Streebog and Kuznyechik. The 2푚-bit permutations of this type have a very strong algebraic structure: they 푚 푚 map multiplicative cosets of the subfield GF(2 )* to additive cosets of GF(2 )*. Furthermore, the function relating each multiplicative coset to the corresponding additive coset is always essentially the same. To the best of our knowledge, we are thefrst to expose this very strong algebraic structure. We also investigate other properties of the TKlog and show in particular that it can always be decomposed in a fashion similar to thefrst decomposition of Biryukov et al., thus explaining the relation between the two previous decompositions.
  • Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES

    Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES

    Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES John Kclscy I3ruc.e Schrieier David Wagner Counterpane Sysi,enis U.C. Berkeley 101 E. Minriehaha Parkway (’.?I.Div., Soda Hall Minneapolis, MN 55419 Bcrkcley, CA 94720- 1776 {kelsey ,schneier}Qcounterpane. corn dawQcs.berkeley.edu Abstract. We present new athcks on key schedules of block ciphers. These attacks are based on the principles of related-key differential crypt- analysis: a1,tac:ks (,hat,allow both keys and plainkxts t,o be rhoscn with specific diflercnccs. We show how t,hese attacks can be exploited in actual protocols and cryptanalyze the key schedules of a variety of algorithms, including three-key Iriplc-DES. 1 Introduction A key schedule is ari algorithrii that exparids a relalively short master key (typ- ically bet,ween 40 and 256 bit#slong) to a. rclat,ivcly la.rge expanded key (typically several hundred or t,housand bits) for later iisc 111 an encryption and decryption algorillirri. Key scliedules are used in several ways: a. To specify the round krys uf a product, ciphcr. DES [NBS77] uses its key schediile in this way, as do many other product, ciphers. b. To initializc somc fixed elements of a cryptographic transform. Khufu [MerSl], Rlowfish [Sch94], md SEAL [RC:94] use a key schcdulc this way. c. To initialize the state of a st,rearii cipher prior t,o gener:hng keystream. RC4 [SchSG] uses a key schedule iri tliis way. Note that (b) and (c) are the only inst,nnces where synchronous stream ciphers car1 fall prey to any clioseri-input attack.
  • Applications of Search Techniques to Cryptanalysis and the Construction of Cipher Components. James David Mclaughlin Submitted F

    Applications of Search Techniques to Cryptanalysis and the Construction of Cipher Components. James David Mclaughlin Submitted F

    Applications of search techniques to cryptanalysis and the construction of cipher components. James David McLaughlin Submitted for the degree of Doctor of Philosophy (PhD) University of York Department of Computer Science September 2012 2 Abstract In this dissertation, we investigate the ways in which search techniques, and in particular metaheuristic search techniques, can be used in cryptology. We address the design of simple cryptographic components (Boolean functions), before moving on to more complex entities (S-boxes). The emphasis then shifts from the construction of cryptographic arte- facts to the related area of cryptanalysis, in which we first derive non-linear approximations to S-boxes more powerful than the existing linear approximations, and then exploit these in cryptanalytic attacks against the ciphers DES and Serpent. Contents 1 Introduction. 11 1.1 The Structure of this Thesis . 12 2 A brief history of cryptography and cryptanalysis. 14 3 Literature review 20 3.1 Information on various types of block cipher, and a brief description of the Data Encryption Standard. 20 3.1.1 Feistel ciphers . 21 3.1.2 Other types of block cipher . 23 3.1.3 Confusion and diffusion . 24 3.2 Linear cryptanalysis. 26 3.2.1 The attack. 27 3.3 Differential cryptanalysis. 35 3.3.1 The attack. 39 3.3.2 Variants of the differential cryptanalytic attack . 44 3.4 Stream ciphers based on linear feedback shift registers . 48 3.5 A brief introduction to metaheuristics . 52 3.5.1 Hill-climbing . 55 3.5.2 Simulated annealing . 57 3.5.3 Memetic algorithms . 58 3.5.4 Ant algorithms .
  • Performance Analysis of Cryptographic Hash Functions Suitable for Use in Blockchain

    Performance Analysis of Cryptographic Hash Functions Suitable for Use in Blockchain

    I. J. Computer Network and Information Security, 2021, 2, 1-15 Published Online April 2021 in MECS (http://www.mecs-press.org/) DOI: 10.5815/ijcnis.2021.02.01 Performance Analysis of Cryptographic Hash Functions Suitable for Use in Blockchain Alexandr Kuznetsov1 , Inna Oleshko2, Vladyslav Tymchenko3, Konstantin Lisitsky4, Mariia Rodinko5 and Andrii Kolhatin6 1,3,4,5,6 V. N. Karazin Kharkiv National University, Svobody sq., 4, Kharkiv, 61022, Ukraine E-mail: [email protected], [email protected], [email protected], [email protected], [email protected] 2 Kharkiv National University of Radio Electronics, Nauky Ave. 14, Kharkiv, 61166, Ukraine E-mail: [email protected] Received: 30 June 2020; Accepted: 21 October 2020; Published: 08 April 2021 Abstract: A blockchain, or in other words a chain of transaction blocks, is a distributed database that maintains an ordered chain of blocks that reliably connect the information contained in them. Copies of chain blocks are usually stored on multiple computers and synchronized in accordance with the rules of building a chain of blocks, which provides secure and change-resistant storage of information. To build linked lists of blocks hashing is used. Hashing is a special cryptographic primitive that provides one-way, resistance to collisions and search for prototypes computation of hash value (hash or message digest). In this paper a comparative analysis of the performance of hashing algorithms that can be used in modern decentralized blockchain networks are conducted. Specifically, the hash performance on different desktop systems, the number of cycles per byte (Cycles/byte), the amount of hashed message per second (MB/s) and the hash rate (KHash/s) are investigated.
  • Algebraic Cryptanalysis of GOST Encryption Algorithm

    Algebraic Cryptanalysis of GOST Encryption Algorithm

    Journal of Computer and Communications, 2014, 2, 10-17 Published Online March 2014 in SciRes. http://www.scirp.org/journal/jcc http://dx.doi.org/10.4236/jcc.2014.24002 Algebraic Cryptanalysis of GOST Encryption Algorithm Ludmila Babenko, Ekaterina Maro Department of Information Security, Southern Federal University, Taganrog, Russia Email: [email protected] Received October 2013 Abstract This paper observes approaches to algebraic analysis of GOST 28147-89 encryption algorithm (also known as simply GOST), which is the basis of most secure information systems in Russia. The general idea of algebraic analysis is based on the representation of initial encryption algorithm as a system of multivariate quadratic equations, which define relations between a secret key and a cipher text. Extended linearization method is evaluated as a method for solving the nonlinear sys- tem of equations. Keywords Encryption Algorithm GOST; GOST⊕; S-Box; Systems of Multivariate Quadratic Equations; Algebraic Cryptanalysis; Extended Linearization Method; Gaussian Elimination 1. Introduction The general idea of algebraic cryptanalysis is finding equations that describe nonlinear transformations of S- boxes followed by finding solution of these equations and obtaining the secret key. This method of cryptanalysis belongs to the class of attacks with known plaintext. It is enough to have a single plaintext/ciphertext pair for the success. Algebraic methods of cryptanalysis contain the following stages: • Creation of the system of equations that describe transformations in non-linear cryptographic primitives of the analyzed cipher (i.e., S-boxes for most symmetric ciphers); • Finding solution of this system. The idea to describe an encryption algorithm as system of linear equations originated quite long time ago.