DOCSLIB.ORG

Towards a Unifying View of Block Cipher Cryptanalysis

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Towards a Unifying View of Block Cipher Cryptanalysis Towards a unifying view of block cipher cryptanalysis David Wagner⋆ University of California, Berkeley Abstract. We introduce commutative diagram cryptanalysis, a frame- work for expressing certain kinds of attacks on product ciphers. We show that many familiar attacks, including linear cryptanalysis, differential cryptanalysis, differential-linear cryptanalysis, mod n attacks, truncated differential cryptanalysis, impossible differential cryptanalysis, higher- order differential cryptanalysis, and interpolation attacks can be ex- pressed within this framework. Thus, we show that commutative diagram attacks provide a unifying view into the field of block cipher cryptanal- ysis. Then, we use the language of commutative diagram cryptanalysis to compare the power of many previously known attacks. Finally, we introduce two new attacks, generalized truncated differential cryptanaly- sis and bivariate interpolation, and we show how these new techniques generalize and unify many previous attack methods. 1 Introduction How do we tell if a block cipher is secure? How do we design good ciphers? These two questions are central to the study of block ciphers, and yet, after decades of research, definitive answers remain elusive. For the moment, the art of cipher evaluation boils down to two key tasks: we strive to identify as many novel cryptanalytic attacks on block ciphers as we can, and we evaluate new designs by how well they resist known attacks. The research community has been very successful at this task. We have accu- mulated a large variety of different attack techniques: differential cryptanalysis, linear cryptanalysis, differential-linear attacks, truncated differential cryptanal- ysis, higher-order differentials, impossible differentials, mod n attacks, integrals, boomerangs, sliding, interpolation, the yo-yo game, and so on. The list continues to grow. Yet, how do we make sense of this list? Are there any common threads tying these different attacks together? In this paper, we seek unifying themes that can put these attacks on a com- mon foundation. We have by no means accomplished such an ambitious goal; rather, this paper is intended as a first step in that direction. In this paper, we show how a small set of ideas can be used to generate many of today’s known attacks. Then, we show how this viewpoint allows us to compare the strength of different types of attacks, and possibly to discover new attack techniques. We ⋆ This work is supposed by NSF ITR CNS-0113941. g A - X f i ? h ? B - Y Fig. 1. An example of a commutative diagram. The intended meaning of this diagram is that h ◦ f = i ◦ g. hope this perspective will be of some interest, if only to see a different way to think about the known cryptanalytic attacks on block ciphers. 2 Background What is a block cipher? A block cipher is a map E : so that Ek is −1 K×M→M invertible for all keys k , and both Ek and Ek can be efficiently computed. The set is the space∈ of K texts; for instance, for AES, it is = 0, 1 128. M M { } When is a block cipher secure? A block cipher is secure if it behaves as a pseudorandom permutation. In other words, it must be secure against distin- guishing attacks: no efficient algorithm A given interactive access to encryption and decryption black boxes should be to distinguish the real cipher (i.e., Ek and −1 −1 Ek ) from a truly random permutation (i.e., π and π , where π is uniformly distributed on the set of all permutations on ) with non-negligible advantage. −1 M E ,E The distinguishing advantage of an attack A is given by Adv A = Pr[A k k = −1 1] Pr[Aπ,π = 1]. − In this paper, we focus exclusively on distinguishing attacks. Usually, once a distinguishing attack is found, a key-recovery attack soon follows; the hard part is in finding a distinguishing attack in the first place, or in building a cipher secure against distinguishing attacks. How are block ciphers built? Most block ciphers are product ciphers. In other words, the cipher is built as the composition of individual round transformations: we choose a round function f : , compute a sequence of round keys M → M k1,...,kn as a function of the key k, and set Ek = fkn fk1 . The function f computes one round of the cipher. ◦···◦ Commutative diagrams. In the discussion to follow, it will be useful to introduce a concept from abstract algebra: that of commutative diagrams. Commutative diagrams are a concise notation for expressing functional composition properties. An example of a commutative diagram can be found in Fig. 1. In this example, the symbols A,B,X,Y represent sets, and the symbols f,g,h,i are functions with signatures f : A B, g : A X, h : B Y , and i : X Y . We say that the diagram “commutes”→ if h f =→i g, or in other→ words, if h(f→(a)) = i(g(a)) for ◦ ◦ all a A. Notice how paths correspond to functions, obtained by composing the maps∈ associated with each edge in the path. In this diagram, there are two paths from A to Y , corresponding to two functions with signature A Y . Informally, the idea is that it doesn’t matter which path we follow from→A to Y ; we will obtain the same map either way. More complicated diagrams can be used to express more complex relationships, and identifying the set of implied identities is merely a matter of chasing arrows through the diagram. Markov processes. Also, we recall the notion of Markov processes. A Markov process is a pair of random variables I,J, and to it we associate a transition matrix M given by Mi,j = Pr[J = j I = i]. We call the sequence of random variables I J K a Markov chain if |K is conditionally independent of I given J. We can− associate− transition matrices M,M ′,M ′′ to the Markov processes I J, J K, and I K, respectively, and if I J K forms a Markov chain, we− will have− M ′′ = M− ′ M. In other words, composition− − of Markov processes corresponds to multiplication· of their associated transition matrices. The maximum advantage of an adversary at distinguishing one Markov pro- cess from another can be calculated using decorrelation theory [14]. Let M ∞ || || denote the ℓ∞ norm of the matrix M, i.e., M ∞ = maxi Mi,j . We can || || j | | consider an adversary A who is allowed to choose a single input,P feed it through the Markov process, and observe the corresponding output. The maximum ad- vantage of any such adversary at distinguishing M from M ′ will then be exactly 1 ′ M M ∞. If U denotes the uniform m n transition matrix, i.e., Ui,j = 1/n 2 || − || × for all i, j, then M1M2 U ∞ M1 U ∞ M2 U ∞. The above calculations|| − can|| be≤ extended || − to|| calculate· || − the|| advantage Adv A = ′ Pr[AM = 1] Pr[AM = 1] of an adversary A who can interact repeatedly with − 1 ′ the Markov process. First, if 2 M M ∞ = ǫ denotes the advantage of a single- query adversary, then an adversary|| − making|| q queries has advantage at most q ǫ. In practice, when ǫ is small, the advantage of a q-query adversary often scales· roughly as √q ǫ. Hence, as a rough rule of thumb, Θ(1/ǫ2) queries often are necessary and∼ sufficient· to distinguish M from M ′ with non-trivial probability [3]. We emphasize, though, that this heuristic is not always valid; there are many important exceptions. The advantage of a q-query adversary can be computed more precisely. If M is q q q q a m n matrix, let [M] denote the m n matrix given by ([M] )i,j = Mi1,j1 × × × Mi ,j . Define the matrix norm M a = maxi1 maxi Mi,j . · · · × q q || || j1 · · · q jq | | Then, in an adaptive attack, the maximum advantageP of any q-queryP adver- 1 q ′ q sary is exactly maxA Adv A = 2 [M] [M ] a. In a non-adaptive attack, the || − || 1 q maximum advantage of any q-query non-adaptive adversary is exactly 2 [M] ′ q || − [M ] ∞. || Organization. The rest of this paper studies cryptanalysis of product ciphers. First, we describe commutative diagrams and their relevance to cryptanalysis. Then, we explore statistical attacks, a probabilistic generalization of commuta- tive diagram attacks, and then we further generalize by introducing the notion of higher-order attacks. Finally, we explore algebraic attacks. ρ M - Y fk g ? ′ ? ρ ′ M - Y Fig. 2. A local property of the round function fk. 3 Commutative diagram attacks The basic recipe for analyzing a product cipher is simple: 1. Identify local properties of the cipher’s round functions. 2. Piece these together to obtain a global property of the cipher as a whole. In this way, we seek to exploit the structure of a product cipher—namely, its construction as a composition of round functions—to simplify the cryptanalyst’s task. How do we identify local properties of the round function that are both non-trivial and can be spliced together suitably? This is where commutative diagrams can help. Let fk : denote a round function. Suppose we can find a property of the inputM that → M is preserved by the round function; then this would suffice as a local property. If there is some partial information about x that allows to predict part of the value of fk(x), this indicates a pattern of non-randomness in the round function that might be exploitable. One way to formalize this is using projections. A projection is a function ρ : Y from the text space to a smaller set Y . If we have two projections ρ, ρ′ M →′ so that ρ (fk(x)) can be predicted from ρ(x), then we have a local property of the round function.
Load more

Recommended publications
  • US 2007/0043.668A1 Baxter Et Al
    US 2007.0043.668A1 (19) United States (12) Patent Application Publication (10) Pub. No.: US 2007/0043.668A1 Baxter et al. (43) Pub. Date: Feb. 22, 2007 (54) METHODS AND SYSTEMS FOR Related U.S. Application Data NEGOTABLE-INSTRUMENT FRAUD PREVENTION (63) Continuation of application No. 10/371,984, filed on Feb. 20, 2003, now Pat. No. 7,072,868. (75) Inventors: Craig A. Baxter, Castle Rock, CO (US); John Charles Ciaccia, Parker, Publication Classification CO (US); Rodney J. Esch, Littleton, CO (US) (51) Int. Cl. G06Q 99/00 (2006.01) Correspondence Address: (52) U.S. Cl. ................................................................ 705/50 TOWNSEND AND TOWNSEND AND CREW, LLP (57) ABSTRACT TWO EMBARCADERO CENTER EIGHTH FLOOR SAN FRANCISCO, CA 94111-3834 (US) An authentication value is provided in a magnetic-ink field of a negotiable instrument. The authentication value is (73) Assignee: First Data Corporation, Greenwood derived from application of an encryption algorithm defined Village, CO (US) by a secure key. The authentication value may be used to authenticate the instrument through reapplication of the (21) Appl. No.: 11/481,062 encryption algorithm and comparing the result with the authentication value. The instrument is authenticated if there (22) Filed: Jul. 3, 2006 is a match between the two. 530 instrument Presented at Port of Sae instrument Conveyed to First Financial MCR line Scanned and instrument 534 Institution Authenticated at Point of Sale 538 Electronic Package Generated with MICR-Line Information andlor image 542 Electronic
    [Show full text]
  • Report on the AES Candidates
    Rep ort on the AES Candidates 1 2 1 3 Olivier Baudron , Henri Gilb ert , Louis Granb oulan , Helena Handschuh , 4 1 5 1 Antoine Joux , Phong Nguyen ,Fabrice Noilhan ,David Pointcheval , 1 1 1 1 Thomas Pornin , Guillaume Poupard , Jacques Stern , and Serge Vaudenay 1 Ecole Normale Sup erieure { CNRS 2 France Telecom 3 Gemplus { ENST 4 SCSSI 5 Universit e d'Orsay { LRI Contact e-mail: [email protected] Abstract This do cument rep orts the activities of the AES working group organized at the Ecole Normale Sup erieure. Several candidates are evaluated. In particular we outline some weaknesses in the designs of some candidates. We mainly discuss selection criteria b etween the can- didates, and make case-by-case comments. We nally recommend the selection of Mars, RC6, Serp ent, ... and DFC. As the rep ort is b eing nalized, we also added some new preliminary cryptanalysis on RC6 and Crypton in the App endix which are not considered in the main b o dy of the rep ort. Designing the encryption standard of the rst twentyyears of the twenty rst century is a challenging task: we need to predict p ossible future technologies, and wehavetotake unknown future attacks in account. Following the AES pro cess initiated by NIST, we organized an op en working group at the Ecole Normale Sup erieure. This group met two hours a week to review the AES candidates. The present do cument rep orts its results. Another task of this group was to up date the DFC candidate submitted by CNRS [16, 17] and to answer questions which had b een omitted in previous 1 rep orts on DFC.
    [Show full text]
  • Rotational Cryptanalysis of ARX
    Rotational Cryptanalysis of ARX Dmitry Khovratovich and Ivica Nikoli´c University of Luxembourg [email protected], [email protected] Abstract. In this paper we analyze the security of systems based on modular additions, rotations, and XORs (ARX systems). We provide both theoretical support for their security and practical cryptanalysis of real ARX primitives. We use a technique called rotational cryptanalysis, that is universal for the ARX systems and is quite efficient. We illustrate the method with the best known attack on reduced versions of the block cipher Threefish (the core of Skein). Additionally, we prove that ARX with constants are functionally complete, i.e. any function can be realized with these operations. Keywords: ARX, cryptanalysis, rotational cryptanalysis. 1 Introduction A huge number of symmetric primitives using modular additions, bitwise XORs, and intraword rotations have appeared in the last 20 years. The most famous are the hash functions from MD-family (MD4, MD5) and their descendants SHA-x. While modular addition is often approximated with XOR, for random inputs these operations are quite different. Addition provides diffusion and nonlinearity, while XOR does not. Although the diffusion is relatively slow, it is compensated by a low price of addition in both software and hardware, so primitives with relatively high number of additions (tens per byte) are still fast. The intraword rotation removes disbalance between left and right bits (introduced by the ad- dition) and speeds up the diffusion. Many recently design primitives use only XOR, addition, and rotation so they are grouped into a single family ARX (Addition-Rotation-XOR).
    [Show full text]
  • Security Evaluation of the K2 Stream Cipher
    Security Evaluation of the K2 Stream Cipher Editors: Andrey Bogdanov, Bart Preneel, and Vincent Rijmen Contributors: Andrey Bodganov, Nicky Mouha, Gautham Sekar, Elmar Tischhauser, Deniz Toz, Kerem Varıcı, Vesselin Velichkov, and Meiqin Wang Katholieke Universiteit Leuven Department of Electrical Engineering ESAT/SCD-COSIC Interdisciplinary Institute for BroadBand Technology (IBBT) Kasteelpark Arenberg 10, bus 2446 B-3001 Leuven-Heverlee, Belgium Version 1.1 | 7 March 2011 i Security Evaluation of K2 7 March 2011 Contents 1 Executive Summary 1 2 Linear Attacks 3 2.1 Overview . 3 2.2 Linear Relations for FSR-A and FSR-B . 3 2.3 Linear Approximation of the NLF . 5 2.4 Complexity Estimation . 5 3 Algebraic Attacks 6 4 Correlation Attacks 10 4.1 Introduction . 10 4.2 Combination Generators and Linear Complexity . 10 4.3 Description of the Correlation Attack . 11 4.4 Application of the Correlation Attack to KCipher-2 . 13 4.5 Fast Correlation Attacks . 14 5 Differential Attacks 14 5.1 Properties of Components . 14 5.1.1 Substitution . 15 5.1.2 Linear Permutation . 15 5.2 Key Ideas of the Attacks . 18 5.3 Related-Key Attacks . 19 5.4 Related-IV Attacks . 20 5.5 Related Key/IV Attacks . 21 5.6 Conclusion and Remarks . 21 6 Guess-and-Determine Attacks 25 6.1 Word-Oriented Guess-and-Determine . 25 6.2 Byte-Oriented Guess-and-Determine . 27 7 Period Considerations 28 8 Statistical Properties 29 9 Distinguishing Attacks 31 9.1 Preliminaries . 31 9.2 Mod n Cryptanalysis of Weakened KCipher-2 . 32 9.2.1 Other Reduced Versions of KCipher-2 .
    [Show full text]
  • Analysis of Arx Round Functions in Secure Hash Functions
    ANALYSIS OF ARX ROUND FUNCTIONS IN SECURE HASH FUNCTIONS by Kerry A. McKay B.S. in Computer Science, May 2003, Worcester Polytechnic Institute M.S. in Computer Science, May 2005, Worcester Polytechnic Institute A Dissertation submitted to the Faculty of The School of Engineering and Applied Science of The George Washington University in partial satisfaction of the requirements for the degree of Doctor of Science May 15, 2011 Dissertation directed by Poorvi L. Vora Associate Professor of Computer Science The School of Engineering and Applied Science of The George Washington University certifies that Kerry A. McKay has passed the Final Examination for the degree of Doctor of Science as of March 25, 2011. This is the final and approved form of the dissertation. ANALYSIS OF ARX ROUND FUNCTIONS IN SECURE HASH FUNCTIONS Kerry A. McKay Dissertation Research Committee: Poorvi L. Vora, Associate Professor of Computer Science, Dissertation Director Gabriel Parmer, Assistant Professor of Computer Science, Committee Member Rahul Simha, Associate Professor of Engineering and Applied Science, Committee Member Abdou Youssef, Professor of Engineering and Applied Science, Committee Member Lily Chen, Mathematician, National Institute of Standards and Technology, Committee Member ii Dedication To my family and friends, for all of their encouragement and support. iii Acknowledgements This work was supported in part by the NSF Scholarship for Service Program, grant DUE-0621334, and NSF Award 0830576. I would like to thank my collaborators Niels Ferguson and Stefan Lucks for our collaborative research on the analysis of the CubeHash submission to the SHA-3 competition. I would also like to thank the entire Skein team for their support.
    [Show full text]
  • Bruce Schneier 2
    Committee on Energy and Commerce U.S. House of Representatives Witness Disclosure Requirement - "Truth in Testimony" Required by House Rule XI, Clause 2(g)(5) 1. Your Name: Bruce Schneier 2. Your Title: none 3. The Entity(ies) You are Representing: none 4. Are you testifying on behalf of the Federal, or a State or local Yes No government entity? X 5. Please list any Federal grants or contracts, or contracts or payments originating with a foreign government, that you or the entity(ies) you represent have received on or after January 1, 2015. Only grants, contracts, or payments related to the subject matter of the hearing must be listed. 6. Please attach your curriculum vitae to your completed disclosure form. Signatur Date: 31 October 2017 Bruce Schneier Background Bruce Schneier is an internationally renowned security technologist, called a security guru by the Economist. He is the author of 14 books—including the New York Times best-seller Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World—as well as hundreds of articles, essays, and academic papers. His influential newsletter Crypto-Gram and blog Schneier on Security are read by over 250,000 people. Schneier is a fellow at the Berkman Klein Center for Internet and Society at Harvard University, a Lecturer in Public Policy at the Harvard Kennedy School, a board member of the Electronic Frontier Foundation and the Tor Project, and an advisory board member of EPIC and VerifiedVoting.org. He is also a special advisor to IBM Security and the Chief Technology Officer of IBM Resilient.
    [Show full text]
  • ASBE Defeats Statistical Analysis and Other Cryptanalysis
    Introduction | Statistical Analysis ASBE Defeats Statistical Analysis and Other Cryptanalysis By: Prem Sobel, CTO MerlinCryption, LLC Introduction ASBE, Anti-Statistical Block Encryption, uses blocks [Ref 33, p.43-82] as part of the algorithm. These blocks are manipulated in ways different from all currently known and published existing encryption algorithms in a variable way which depends on the key. The ASBE algorithm is designed to be exponentially stronger than existing encryption algorithms and to defeat known Statistical Analysis and Cryptanalysis. The purpose of this white paper is to describe how ASBE succeeds in these goals. Statistical Analysis Early encryption techniques are typically variations of substitution ciphers. Statistical analysis attempts to defeat such substitution ciphers, based on statistical knowledge of the language (for example, English) [Ref-1] [Ref-2] [Ref-3] [Ref-32, p.10-13]. These techniques include substitution ciphers such as: . Letter frequency, . Letter frequency of first letter of a word, . Most likely duplicate letter pairs (such as LL EE SS OO TT FF RR NN PP CC in English), . Most likely different letter pairs (in English: TH HE AN RE ER IN ON AT ND ST ES EN OF TE ED OR TI HI AS TO) and non-occurring letter pairs (for example, XJ QG HZ in English), . Most likely letter triples and non-occurring letter triples, . Most likely letter quadruples and non-occurring letter quadruples, and . Most frequent words. Clearly these statistics and patterns of multi-letter sequences are language-dependent. In the early days of cryptography, there were several limitations and/or assumptions made that are no longer valid today, due to the availability of digital communications.
    [Show full text]
  • Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1
    International Journal of Grid and Distributed Computing Vol. 10, No. 11 (2017), pp.79-98 http://dx.doi.org/10.14257/ijgdc.2017.10.11.08 Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1 Rahul Saha1, G. Geetha2, Gulshan Kumar3 and Hye-Jim Kim4 1,3School of Computer Science and Engineering, Lovely Professional University, Punjab, India 2Division of Research and Development, Lovely Professional University, Punjab, India 4Business Administration Research Institute, Sungshin W. University, 2 Bomun-ro 34da gil, Seongbuk-gu, Seoul, Republic of Korea Abstract Cryptography has always been a core component of security domain. Different security services such as confidentiality, integrity, availability, authentication, non-repudiation and access control, are provided by a number of cryptographic algorithms including block ciphers, stream ciphers and hash functions. Though the algorithms are public and cryptographic strength depends on the usage of the keys, the ciphertext analysis using different functions and operations used in the algorithms can lead to the path of revealing a key completely or partially. It is hard to find any survey till date which identifies different operations and functions used in cryptography. In this paper, we have categorized our survey of cryptographic functions and operations in the algorithms in three categories: block ciphers, stream ciphers and cryptanalysis attacks which are executable in different parts of the algorithms. This survey will help the budding researchers in the society of crypto for identifying different operations and functions in cryptographic algorithms. Keywords: cryptography; block; stream; cipher; plaintext; ciphertext; functions; research problems 1. Introduction Cryptography [1] in the previous time was analogous to encryption where the main task was to convert the readable message to an unreadable format.
    [Show full text]
  • New Cryptanalysis of Block Ciphers with Low Algebraic Degree
    New Cryptanalysis of Block Ciphers with Low Algebraic Degree Bing Sun1,LongjiangQu1,andChaoLi1,2 1 Department of Mathematics and System Science, Science College of National University of Defense Technology, Changsha, China, 410073 2 State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, China, 10039 happy [email protected], ljqu [email protected] Abstract. Improved interpolation attack and new integral attack are proposed in this paper, and they can be applied to block ciphers using round functions with low algebraic degree. In the new attacks, we can determine not only the degree of the polynomial, but also coefficients of some special terms. Thus instead of guessing the round keys one by one, we can get the round keys by solving some algebraic equations over finite field. The new methods are applied to PURE block cipher successfully. The improved interpolation attacks can recover the first round key of 8-round PURE in less than a second; r-round PURE with r ≤ 21 is breakable with about 3r−2 chosen plaintexts and the time complexity is 3r−2 encryptions; 22-round PURE is breakable with both data and time complexities being about 3 × 320. The new integral attacks can break PURE with rounds up to 21 with 232 encryptions and 22-round with 3 × 232 encryptions. This means that PURE with up to 22 rounds is breakable on a personal computer. Keywords: block cipher, Feistel cipher, interpolation attack, integral attack. 1 Introduction For some ciphers, the round function can be described either by a low degree polynomial or by a quotient of two low degree polynomials over finite field with characteristic 2.
    [Show full text]
  • ICEBERG : an Involutional Cipher Efficient for Block Encryption in Reconfigurable Hardware
    1 ICEBERG : an Involutional Cipher Efficient for Block Encryption in Reconfigurable Hardware. Francois-Xavier Standaert, Gilles Piret, Gael Rouvroy, Jean-Jacques Quisquater, Jean-Didier Legat UCL Crypto Group Laboratoire de Microelectronique Universite Catholique de Louvain Place du Levant, 3, B-1348 Louvain-La-Neuve, Belgium standaert,piret,rouvroy,quisquater,[email protected] Abstract. We present a fast involutional block cipher optimized for re- configurable hardware implementations. ICEBERG uses 64-bit text blocks and 128-bit keys. All components are involutional and allow very effi- cient combinations of encryption/decryption. Hardware implementations of ICEBERG allow to change the key at every clock cycle without any per- formance loss and its round keys are derived “on-the-fly” in encryption and decryption modes (no storage of round keys is needed). The result- ing design offers better hardware efficiency than other recent 128-key-bit block ciphers. Resistance against side-channel cryptanalysis was also con- sidered as a design criteria for ICEBERG. Keywords: block cipher design, efficient implementations, reconfigurable hardware, side-channel resistance. 1 Introduction In October 2000, NIST (National Institute of Standards and Technology) se- lected Rijndael as the new Advanced Encryption Standard. The selection pro- cess included performance evaluation on both software and hardware platforms. However, as implementation versatility was a criteria for the selection of the AES, it appeared that Rijndael is not optimal for reconfigurable hardware im- plementations. Its highly expensive substitution boxes are a typical bottleneck but the combination of encryption and decryption in hardware is probably as critical. In general, observing the AES candidates [1, 2], one may assess that the cri- teria selected for their evaluation led to highly conservative designs although the context of certain cryptanalysis may be considered as very unlikely (e.g.
    [Show full text]
  • Foreword by Whitfield Diffie Preface About the Author Chapter 1
    Applied Cryptography: Second Edition - Bruce Schneier Applied Cryptography, Second Edition: Protocols, Algorthms, and Source Code in C by Bruce Schneier Wiley Computer Publishing, John Wiley & Sons, Inc. ISBN: 0471128457 Pub Date: 01/01/96 Foreword By Whitfield Diffie Preface About the Author Chapter 1—Foundations 1.1 Terminology 1.2 Steganography 1.3 Substitution Ciphers and Transposition Ciphers 1.4 Simple XOR 1.5 One-Time Pads 1.6 Computer Algorithms 1.7 Large Numbers Part I—Cryptographic Protocols Chapter 2—Protocol Building Blocks 2.1 Introduction to Protocols 2.2 Communications Using Symmetric Cryptography 2.3 One-Way Functions 2.4 One-Way Hash Functions 2.5 Communications Using Public-Key Cryptography 2.6 Digital Signatures 2.7 Digital Signatures with Encryption 2.8 Random and Pseudo-Random-Sequence Generation Chapter 3—Basic Protocols 3.1 Key Exchange 3.2 Authentication 3.3 Authentication and Key Exchange 3.4 Formal Analysis of Authentication and Key-Exchange Protocols 3.5 Multiple-Key Public-Key Cryptography 3.6 Secret Splitting 3.7 Secret Sharing 3.8 Cryptographic Protection of Databases Chapter 4—Intermediate Protocols 4.1 Timestamping Services 4.2 Subliminal Channel 4.3 Undeniable Digital Signatures 4.4 Designated Confirmer Signatures 4.5 Proxy Signatures 4.6 Group Signatures 4.7 Fail-Stop Digital Signatures 4.8 Computing with Encrypted Data 4.9 Bit Commitment 4.10 Fair Coin Flips 4.11 Mental Poker 4.12 One-Way Accumulators 4.13 All-or-Nothing Disclosure of Secrets Page 1 of 666 Applied Cryptography: Second Edition - Bruce
    [Show full text]
  • A Brief Outlook at Block Ciphers
    A Brief Outlook at Block Ciphers Pascal Junod Ecole¶ Polytechnique F¶ed¶eralede Lausanne, Suisse CSA'03, Rabat, Maroc, 10-09-2003 Content F Generic Concepts F DES / AES F Cryptanalysis of Block Ciphers F Provable Security CSA'03, 10 septembre 2003, Rabat, Maroc { i { Block Cipher P e d P C K K CSA'03, 10 septembre 2003, Rabat, Maroc { ii { Block Cipher (2) F Deterministic, invertible function: e : {0, 1}n × K → {0, 1}n d : {0, 1}n × K → {0, 1}n F The function is parametered by a key K. F Mapping an n-bit plaintext P to an n-bit ciphertext C: C = eK(P ) F The function must be a bijection for a ¯xed key. CSA'03, 10 septembre 2003, Rabat, Maroc { iii { Product Ciphers and Iterated Block Ciphers F A product cipher combines two or more transformations in a manner intending that the resulting cipher is (hopefully) more secure than the individual components. F An iterated block cipher is a block cipher involving the sequential repeti- tion of an internal function f called a round function. Parameters include the number of rounds r, the block bit size n and the bit size k of the input key K from which r subkeys ki (called round keys) are derived. For invertibility purposes, the round function f is a bijection on the round input for each value ki. CSA'03, 10 septembre 2003, Rabat, Maroc { iv { Product Ciphers and Iterated Block Ciphers (2) P K f k1 f k2 f kr C CSA'03, 10 septembre 2003, Rabat, Maroc { v { Good and Bad Block Ciphers F Flexibility F Throughput F Estimated Security Level CSA'03, 10 septembre 2003, Rabat, Maroc { vi { Data Encryption Standard (DES) F American standard from (1976 - 1998).
    [Show full text]