DOCSLIB.ORG

Security Arguments and Tool-Based Design of Block Ciphers

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Security Arguments and Tool-Based Design of Block Ciphers Security Arguments and Tool-based Design of Block Ciphers Security Arguments and Tool-based Design of Block Ciphers Dissertation Thesis Friedrich Wiemer 16th August 2019 Submitted in partial fulfillment of the requirements for the degree of Doktor der Naturwissenschaften to the Faculty of Mathematics at Ruhr-Universität Bochum 1st Reviewer Prof. Dr. Gregor Leander 2nd Reviewer Prof. Dr. Alexander May Date of Defense 13th December 2019 IMPRINT Security Arguments and Tool-based Design of Block Ciphers Copyright © 2020 by Friedrich Wiemer. All rights reserved. Printed in Germany. Published by the Ruhr-Universität Bochum, Bochum, Germany. COLOPHON This thesis was typeset using LATEX and the memoir documentclass. It is based 1 1https://people.mpi-sws.org/ on Aaron Turon’s thesis Understanding and expressing scalable concurrency , ~turon/turon-thesis.pdf itself a mixture of classicthesis2 by André Miede and tufte-latex3, 2 https://bitbucket.org/amiede/ based on Edward Tufte’s Beautiful Evidence. The LATEX source is available on classicthesis/ GITHUB.4 3https://github.com/Tufte-LaTeX/ tufte-latex The bibliography was processed by Biblatex. All graphics and plots are made 4https://github.com/pfasante/phd_ with PGF/TikZ. thesis The body text is set 10/14pt (long primer) on a 26pc measure. The margin text is set 8/9pt (brevier) on a 12pc measure. Matthew Carter’s Charter acts as both the text and display typeface. Monospaced text uses Jim Lyles’s Bitstream Vera Mono (“Bera Mono”). If we knew what it was we were doing, it would not be called research, would it? —Albert Einstein Abstract Block ciphers form, without doubt, the backbone of today’s encrypted com- munication and are thus justifiably the workhorses of cryptography. While the efficiency of modern designs improved ever since the development of the DES and AES, the case with the corresponding security arguments dif- fers. The thesis at hand aims at two main points, both in the direction of improving security analysis of block ciphers. Part I studies a new notion for a better understanding of a special type of cryptanalysis and proposes a new block cipher instance. This instance comes with a tight bound on any differential, to the best of our knowledge the first such block cipher. Part II turns to automated methods in design and analysis of block ciphers. Our main contribution here is an algorithm to propagate subspaces through encryption rounds, together with two applications: an algorithmic security argument against a new type of cryptanalysis and an idea towards the automation of key recovery attacks. vii Zusammenfassung Blockchiffren bilden ohne Zweifel das Rückgrat unserer heutigen digitalen Kommunikation und werden somit zu Recht als Arbeitstier der Kryptographie bezeichnet. Während die Effizienz neuer Chiffren stetig steigt, gilt dies nur bedingt für deren Sicherheitsargumente. Die vorliegende Arbeit beschäftigt sich daher mit zwei Hauptthemen. In Teil I untersuchen wir eine neue Notation einer speziellen Kryptanalyse- Technik und geben neue theoretische Einsichten zu dieser. Außerdem kon- struieren wir eine Blockchiffre und zeigen scharfe Schranken für jedes Dif- ferential; nach bestem Wissen die erste solche Chiffre. In Teil II wenden wir uns algorithmischen Methoden für Design und Analyse von Blockchiffren zu. Der Hauptbeitrag ist ein Algorithmus um Un- terräume durch Chiffren-Runden zu propagieren. Abschließend diskutieren wir zwei Anwendungen: ein Sicherheitsargument für eine neue Kryptanalyse- Technik und einen Ansatz zur Automatisierung von Key Recovery-Angriffen. ix Contents ABSTRACT vii ZUSAMMENFASSUNG ix CONTENTS xi LIST OF ALGORITHMS xiii LIST OF FIGURES xiii LIST OF TABLES xiv ACKNOWLEDGMENTS xv I PROLOGUE 1 1 INTRODUCTION 3 1.1 Open Problems in Block Cipher Design . 4 1.2 Outline and Contributions . 6 1.3 Publications . 9 2 THE ART AND SCIENCE OF BLOCK CIPHER DESIGN 13 2.1 Basics and Notations . 13 2.2 Pseudorandom Permutations and Block ciphers . 16 2.3 Practical Security – Symmetric Cryptanalysis . 27 2.4 Boolean functions . 45 II SECURITY ARGUMENTS FOR BLOCK CIPHERS 53 3 ON AUTOCORRELATION TABLES 55 3.1 On the DLCT and ACT . 55 3.2 Lower bound on the absolute indicator . 61 4 INSTANTIATING THE WSN CONSTRUCTION 71 4.1 Introduction . 71 4.2 The Whitened Swap-or-Not construction . 74 4.3 Inherent Restrictions . 74 4.4 Differential Cryptanalysis of BISON-like instances . 79 4.5 Specification of BISON ......................... 85 4.6 Security Analysis of BISON ...................... 87 4.7 Implementation Aspects of BISON .................. 94 4.8 Specification of WISENT ........................ 95 4.9 Conclusion . 99 III AUTOMATED METHODS IN DESIGN AND ANALYSIS 101 5 HEURISTICS FOR XOR COUNTS 103 5.1 Introduction . 103 xi xii CONTENTS 5.2 MDS Matrices and Matrix Constructions . 105 5.3 XOR counts and Optimisation Strategies . 109 5.4 Application and Evaluation of the Heuristics . 113 5.5 Further work . 117 6 PROPAGATING TRUNCATED DIFFERENTIALS 123 6.1 Introduction . 123 6.2 Subspace Trails and Truncated Differentials . 126 6.3 Algorithmic Propagation of Differences . 128 6.4 Proving Resistance against Subspace Trail Attacks . 131 6.5 Open Problems . 139 6.6 Further work . 142 7 TOWARDS AUTOMATED KEY RECOVERY ATTACKS 143 7.1 Key Recovery Techniques . 143 7.2 Key Recovery by Example . 145 7.3 Algorithms for Key Recovery . 147 7.4 Future Work . 152 IV EPILOGUE 153 8 CONCLUSION 155 BIBLIOGRAPHY 157 List of Algorithms 1 Computation of subspace trails . 130 2 Computation of subspace trails for degree-two functions . 130 3 No Non-Trivial Linear Structures . 134 4 Generic Subspace Trail Search . 138 5 Basic Counting Key Recovery . 144 6 Computation of truncated differentials . 148 7 Naïve Dependencies Check . 150 List of Figures 2.1 Multiplication using a vector space isomorphism . 16 2.2 Modes of Operation . 22 2.3 Product cipher . 23 2.4 Key-Alternating Substitution Permutation Network . 24 2.5 One round of a Feistel network . 25 2.6 Generic key recovery strategy based on distinguisher . 28 4.1 Schematic view of the WSN construction. 74 4.2 Tree of possible output differences . 83 4.3 Number of BISON rounds needed to achieve full degree . 91 4.4 Behaviour of BISON’s algebraic degree . 91 4.5 Non-Linear Feedback Shift Register . 91 4.6 BISON’s DDT for n = 5.......................... 94 4.7 WISENT’s DDT for n = 6......................... 97 5.1 Correlations between naïve and BP XOR counts . 116 5.2 XOR count distributions for 4 4 MDS matrices over GL(4, F2) . 121 × 6.1 Graphical representation of Lemma 127. 127 6.2 Invariant subspaces vs. Subspace Trails . 135 7.1 Example Key Recovery . 146 xiii List of Tables 4.1 Benchmarking BISON ........................... 95 4.2 Benchmarking WISENT .......................... 98 5.1 XOR count distributions for optimised implementations . 115 5.2 MDS matrices with lowest known XOR count . 116 5.3 Comparison of 4 4 and 8 8 MDS matrices . 119 5.4 Comparison of matrices× used× in ciphers or hash functions . 120 6.1 Lengths of longest subspace trails without 1-linear structures . 135 6.2 Lengths of longest subspace trails with 1-linear structures . 138 6.3 Lengths of longest truncated differentials for Feistel Ciphers . 140 7.1 The 4-bit S-box used in PRESENT. 145 7.2 Exemplary I(α) ..............................152 xiv Acknowledgements “The acknowledgements section is the most interesting part of any thesis. It shows how Over three years have come and gone since I started my doctoral studies. the thesis emerged.” During my time at the HGI in Bochum, I had the great pleasure to work with —Thomas Pöppelmann many awesome colleagues. My biggest thanks go to Gregor for being the best boss I could imagine, for always supporting me with his advice, for setting up the great SymCrypt group, for lots of fun while sailing and for so many other things. I am looking forward, sailing to new directions not only in Symmetric Crypto with you – may you always have wind in your sails and a hand-width of water under your keel! Thank you, Alex, for (co-) reviewing and advising my theses, the PhD one and the master and bachelor ones, for always having a friendly ear for all kind of discussions and for all the advice ever since my bachelor. Marion, thank you for being our organisational mastermind, for helping out in every possible situation and for answering every (lazy) question – I will never forget the moment when I entered your office the first time, completely breathless after sprinting up all the stairs in NA to be on time. But many other people were and are responsible for having this great atmosphere at the whole crypto group and the HGI. To start with, many thanks to my direct office mates, Christof and Thorsten, Virginie, and Phil, for always being open for discussions, distractions and darts, for welcoming me in the group and for being wonderful collaborators. The same holds for the other members of the SymCrypt group, Vincent, Shahram, Marek, and Federico C., the remaining Wasserstraße-crew, Andre, der kleine Alex, Claire, Felix, Floyd, Matthias, Lars, Robert and Oleg, and also for the NA- “remainers”, Eike, Nils, Anja, Benedikt, Manuel, Federico G., Kathrin, Julian, Eduard, Bertram, Giorgia, Clara, Lisa, Kristina and Sebastian. Some of you found the time to check my thesis; thank you Christof, Felix, Shahram! Also thank you Lucas Hartmann and Phil Knüfer for proof-reading some parts. Most of my research evolved from teamwork with great coauthors. In a somewhat chronological sequence, thank you very much for the pleasant collaboration: Ralf, Elena, Alex (der große), Thorsten, Gregor, Ko Stoffelen, Cihangir Tezcan, Anne Canteaut, Virginie, Patrick Neumann, Lorenzo Grassi, Christian Rechberger and Lukas Kölsch. Also thanks to Peter Schwabe for helping out with benchmarks from time to time. Last but not least, a huge thank you to my family, my parents (-in-law), my wife Franziska and our little pirate Jonathan, for the great support at all times, for the understanding of sometimes unearthly working hours and for repeatedly showing me the important things in life.
Load more

Recommended publications
  • The Design of Rijndael: AES - the Advanced Encryption Standard/Joan Daemen, Vincent Rijmen
    Joan Daernen · Vincent Rijrnen Theof Design Rijndael AES - The Advanced Encryption Standard With 48 Figures and 17 Tables Springer Berlin Heidelberg New York Barcelona Hong Kong London Milan Paris Springer TnL-1Jn Joan Daemen Foreword Proton World International (PWI) Zweefvliegtuigstraat 10 1130 Brussels, Belgium Vincent Rijmen Cryptomathic NV Lei Sa 3000 Leuven, Belgium Rijndael was the surprise winner of the contest for the new Advanced En­ cryption Standard (AES) for the United States. This contest was organized and run by the National Institute for Standards and Technology (NIST) be­ ginning in January 1997; Rij ndael was announced as the winner in October 2000. It was the "surprise winner" because many observers (and even some participants) expressed scepticism that the U.S. government would adopt as Library of Congress Cataloging-in-Publication Data an encryption standard any algorithm that was not designed by U.S. citizens. Daemen, Joan, 1965- Yet NIST ran an open, international, selection process that should serve The design of Rijndael: AES - The Advanced Encryption Standard/Joan Daemen, Vincent Rijmen. as model for other standards organizations. For example, NIST held their p.cm. Includes bibliographical references and index. 1999 AES meeting in Rome, Italy. The five finalist algorithms were designed ISBN 3540425802 (alk. paper) . .. by teams from all over the world. 1. Computer security - Passwords. 2. Data encryption (Computer sCIence) I. RIJmen, In the end, the elegance, efficiency, security, and principled design of Vincent, 1970- II. Title Rijndael won the day for its two Belgian designers, Joan Daemen and Vincent QA76.9.A25 D32 2001 Rijmen, over the competing finalist designs from RSA, IBl\!I, Counterpane 2001049851 005.8-dc21 Systems, and an English/Israeli/Danish team.
    [Show full text]
  • Vector Boolean Functions: Applications in Symmetric Cryptography
    Vector Boolean Functions: Applications in Symmetric Cryptography José Antonio Álvarez Cubero Departamento de Matemática Aplicada a las Tecnologías de la Información y las Comunicaciones Universidad Politécnica de Madrid This dissertation is submitted for the degree of Doctor Ingeniero de Telecomunicación Escuela Técnica Superior de Ingenieros de Telecomunicación November 2015 I would like to thank my wife, Isabel, for her love, kindness and support she has shown during the past years it has taken me to finalize this thesis. Furthermore I would also liketo thank my parents for their endless love and support. Last but not least, I would like to thank my loved ones such as my daughter and sisters who have supported me throughout entire process, both by keeping me harmonious and helping me putting pieces together. I will be grateful forever for your love. Declaration The following papers have been published or accepted for publication, and contain material based on the content of this thesis. 1. [7] Álvarez-Cubero, J. A. and Zufiria, P. J. (expected 2016). Algorithm xxx: VBF: A library of C++ classes for vector Boolean functions in cryptography. ACM Transactions on Mathematical Software. (In Press: http://toms.acm.org/Upcoming.html) 2. [6] Álvarez-Cubero, J. A. and Zufiria, P. J. (2012). Cryptographic Criteria on Vector Boolean Functions, chapter 3, pages 51–70. Cryptography and Security in Computing, Jaydip Sen (Ed.), http://www.intechopen.com/books/cryptography-and-security-in-computing/ cryptographic-criteria-on-vector-boolean-functions. (Published) 3. [5] Álvarez-Cubero, J. A. and Zufiria, P. J. (2010). A C++ class for analysing vector Boolean functions from a cryptographic perspective.
    [Show full text]
  • Bison Instantiating the Whitened Swap-Or-Not Construction (Full Version)
    bison Instantiating the Whitened Swap-Or-Not Construction (Full Version) Anne Canteaut1, Virginie Lallemand2, Gregor Leander2, Patrick Neumann2 and Friedrich Wiemer2 1 Inria, Paris, France [email protected] 2 Horst Görtz Institute for IT-Security, Ruhr University Bochum, Germany [email protected] Abstract. We give the first practical instance – bison – of the Whitened Swap-Or-Not construction. After clarifying inherent limitations of the construction, we point out that this way of building block ciphers allows easy and very strong arguments against differential attacks. Keywords: Whitened Swap-Or-Not · Instantiating Provable Security · Block Cipher Design · Differential Cryptanalysis 1 Introduction Block ciphers are among the most important cryptographic primitives as they are at the core responsible for a large fraction of all our data that is encrypted. Depending on the mode of operation (or used construction), a block cipher can be turned into an encryption function, a hash-function, a message authentication code or an authenticated encryption function. Due to their importance, it is not surprising that block ciphers are also among the best understood primitives. In particular the Advanced Encryption Standard (AES) [Fip] has been scrutinized by cryptanalysts ever since its development in 1998 [DR98] without any significant security threat discovered for the full cipher (see e. g. [BK09; Bir+09; Der+13; Dun+10; Fer+01; GM00; Gra+16; Gra+17; Røn+17]). The overall structure of AES, being built on several (round)-permutations interleaved with a (binary) addition of round keys is often referred to as key-alternating cipher and is depicted in Figure1. k0 k1 kr 1 kr − m R1 ..
    [Show full text]
  • Chondrichthyan Fishes (Sharks, Skates, Rays) Announcements
    Chondrichthyan Fishes (sharks, skates, rays) Announcements 1. Please review the syllabus for reading and lab information! 2. Please do the readings: for this week posted now. 3. Lab sections: 4. i) Dylan Wainwright, Thursday 2 - 4/5 pm ii) Kelsey Lucas, Friday 2 - 4/5 pm iii) Labs are in the Northwest Building basement (room B141) 4. Lab sections done: first lab this week on Thursday! 5. First lab reading: Agassiz fish story; lab will be a bit shorter 6. Office hours: we’ll set these later this week Please use the course web site: note the various modules Outline Lecture outline: -- Intro. to chondrichthyan phylogeny -- 6 key chondrichthyan defining traits (synapomorphies) -- 3 chondrichthyan behaviors -- Focus on several major groups and selected especially interesting ones 1) Holocephalans (chimaeras or ratfishes) 2) Elasmobranchii (sharks, skates, rays) 3) Batoids (skates, rays, and sawfish) 4) Sharks – several interesting groups Not remotely possible to discuss today all the interesting groups! Vertebrate tree – key ―fish‖ groups Today Chondrichthyan Fishes sharks Overview: 1. Mostly marine 2. ~ 1,200 species 518 species of sharks 650 species of rays 38 species of chimaeras Skates and rays 3. ~ 3 % of all ―fishes‖ 4. Internal skeleton made of cartilage 5. Three major groups 6. Tremendous diversity of behavior and structure and function Chimaeras Chondrichthyan Fishes: 6 key traits Synapomorphy 1: dentition; tooth replacement pattern • Teeth are not fused to jaws • New rows move up to replace old/lost teeth • Chondrichthyan teeth are
    [Show full text]
  • Environmental DNA Reveals the Fine-Grained and Hierarchical
    www.nature.com/scientificreports OPEN Environmental DNA reveals the fne‑grained and hierarchical spatial structure of kelp forest fsh communities Thomas Lamy 1,2*, Kathleen J. Pitz 3, Francisco P. Chavez3, Christie E. Yorke1 & Robert J. Miller1 Biodiversity is changing at an accelerating rate at both local and regional scales. Beta diversity, which quantifes species turnover between these two scales, is emerging as a key driver of ecosystem function that can inform spatial conservation. Yet measuring biodiversity remains a major challenge, especially in aquatic ecosystems. Decoding environmental DNA (eDNA) left behind by organisms ofers the possibility of detecting species sans direct observation, a Rosetta Stone for biodiversity. While eDNA has proven useful to illuminate diversity in aquatic ecosystems, its utility for measuring beta diversity over spatial scales small enough to be relevant to conservation purposes is poorly known. Here we tested how eDNA performs relative to underwater visual census (UVC) to evaluate beta diversity of marine communities. We paired UVC with 12S eDNA metabarcoding and used a spatially structured hierarchical sampling design to assess key spatial metrics of fsh communities on temperate rocky reefs in southern California. eDNA provided a more‑detailed picture of the main sources of spatial variation in both taxonomic richness and community turnover, which primarily arose due to strong species fltering within and among rocky reefs. As expected, eDNA detected more taxa at the regional scale (69 vs. 38) which accumulated quickly with space and plateaued at only ~ 11 samples. Conversely, the discovery rate of new taxa was slower with no sign of saturation for UVC.
    [Show full text]
  • An Introduction to the Classification of Elasmobranchs
    An introduction to the classification of elasmobranchs 17 Rekha J. Nair and P.U Zacharia Central Marine Fisheries Research Institute, Kochi-682 018 Introduction eyed, stomachless, deep-sea creatures that possess an upper jaw which is fused to its cranium (unlike in sharks). The term Elasmobranchs or chondrichthyans refers to the The great majority of the commercially important species of group of marine organisms with a skeleton made of cartilage. chondrichthyans are elasmobranchs. The latter are named They include sharks, skates, rays and chimaeras. These for their plated gills which communicate to the exterior by organisms are characterised by and differ from their sister 5–7 openings. In total, there are about 869+ extant species group of bony fishes in the characteristics like cartilaginous of elasmobranchs, with about 400+ of those being sharks skeleton, absence of swim bladders and presence of five and the rest skates and rays. Taxonomy is also perhaps to seven pairs of naked gill slits that are not covered by an infamously known for its constant, yet essential, revisions operculum. The chondrichthyans which are placed in Class of the relationships and identity of different organisms. Elasmobranchii are grouped into two main subdivisions Classification of elasmobranchs certainly does not evade this Holocephalii (Chimaeras or ratfishes and elephant fishes) process, and species are sometimes lumped in with other with three families and approximately 37 species inhabiting species, or renamed, or assigned to different families and deep cool waters; and the Elasmobranchii, which is a large, other taxonomic groupings. It is certain, however, that such diverse group (sharks, skates and rays) with representatives revisions will clarify our view of the taxonomy and phylogeny in all types of environments, from fresh waters to the bottom (evolutionary relationships) of elasmobranchs, leading to a of marine trenches and from polar regions to warm tropical better understanding of how these creatures evolved.
    [Show full text]
  • A Preliminary Empirical Study to Compare MPI and Openmp ISI-TR-676
    A preliminary empirical study to compare MPI and OpenMP ISI-TR-676 Lorin Hochstein, Victor R. Basili December 2011 Abstract Context: The rise of multicore is bringing shared-memory parallelism to the masses. The community is struggling to identify which parallel models are most productive. Objective: Measure the effect of MPI and OpenMP models on programmer productivity. Design: One group of programmers solved the sharks and fishes problem using MPI and a second group solved the same problem using OpenMP, then each programmer switched models and solved the same problem again. The participants were graduate students in an HPC course. Measures: Development effort (hours), program correctness (grades), pro- gram performance (speedup versus serial implementation). Results: Mean OpenMP development time was 9.6 hours less than MPI (95% CI, 0.37 − 19 hours), a 43% reduction. No statistically significant difference was observed in assignment grades. MPI performance was better than OpenMP performance for 4 out of the 5 students that submitted correct implementations for both models. Conclusions: OpenMP solutions for this problem required less effort than MPI, but insufficient power to measure the effect on correctness. The perfor- mance data was insufficient to draw strong conclusions but suggests that unop- timized MPI programs perform better than unoptimized OpenMP programs, even with a similar parallelization strategy. Further studies are necessary to examine different programming problems, models, and levels of programmer experience. Chapter 1 INTRODUCTION In the high-performance computing community, the dominant parallel pro- gramming model today is MPI, with OpenMP as a distant but clear second place [1,2]. MPI’s advantage over OpenMP on distributed memory systems is well-known, and consequently MPI usage dominates in large-scale HPC sys- tems.
    [Show full text]
  • Report on the AES Candidates
    Rep ort on the AES Candidates 1 2 1 3 Olivier Baudron , Henri Gilb ert , Louis Granb oulan , Helena Handschuh , 4 1 5 1 Antoine Joux , Phong Nguyen ,Fabrice Noilhan ,David Pointcheval , 1 1 1 1 Thomas Pornin , Guillaume Poupard , Jacques Stern , and Serge Vaudenay 1 Ecole Normale Sup erieure { CNRS 2 France Telecom 3 Gemplus { ENST 4 SCSSI 5 Universit e d'Orsay { LRI Contact e-mail: [email protected] Abstract This do cument rep orts the activities of the AES working group organized at the Ecole Normale Sup erieure. Several candidates are evaluated. In particular we outline some weaknesses in the designs of some candidates. We mainly discuss selection criteria b etween the can- didates, and make case-by-case comments. We nally recommend the selection of Mars, RC6, Serp ent, ... and DFC. As the rep ort is b eing nalized, we also added some new preliminary cryptanalysis on RC6 and Crypton in the App endix which are not considered in the main b o dy of the rep ort. Designing the encryption standard of the rst twentyyears of the twenty rst century is a challenging task: we need to predict p ossible future technologies, and wehavetotake unknown future attacks in account. Following the AES pro cess initiated by NIST, we organized an op en working group at the Ecole Normale Sup erieure. This group met two hours a week to review the AES candidates. The present do cument rep orts its results. Another task of this group was to up date the DFC candidate submitted by CNRS [16, 17] and to answer questions which had b een omitted in previous 1 rep orts on DFC.
    [Show full text]
  • Cryptanalysis of a Reduced Version of the Block Cipher E2
    Cryptanalysis of a Reduced Version of the Block Cipher E2 Mitsuru Matsui and Toshio Tokita Information Technology R&D Center Mitsubishi Electric Corporation 5-1-1, Ofuna, Kamakura, Kanagawa, 247, Japan [email protected], [email protected] Abstract. This paper deals with truncated differential cryptanalysis of the 128-bit block cipher E2, which is an AES candidate designed and submitted by NTT. Our analysis is based on byte characteristics, where a difference of two bytes is simply encoded into one bit information “0” (the same) or “1” (not the same). Since E2 is a strongly byte-oriented algorithm, this bytewise treatment of characteristics greatly simplifies a description of its probabilistic behavior and noticeably enables us an analysis independent of the structure of its (unique) lookup table. As a result, we show a non-trivial seven round byte characteristic, which leads to a possible attack of E2 reduced to eight rounds without IT and FT by a chosen plaintext scenario. We also show that by a minor modification of the byte order of output of the round function — which does not reduce the complexity of the algorithm nor violates its design criteria at all —, a non-trivial nine round byte characteristic can be established, which results in a possible attack of the modified E2 reduced to ten rounds without IT and FT, and reduced to nine rounds with IT and FT. Our analysis does not have a serious impact on the full E2, since it has twelve rounds with IT and FT; however, our results show that the security level of the modified version against differential cryptanalysis is lower than the designers’ estimation.
    [Show full text]
  • MERGING+ANUBIS User Manual
    USER MANUAL V27.09.2021 2 Contents Thank you for purchasing MERGING+ANUBIS ........................................................................................... 6 Important Safety and Installation Instructions ........................................................................................... 7 Product Regulatory Compliance .................................................................................................................... 9 MERGING+ANUBIS Warranty Information................................................................................................ 11 INTRODUCTION .............................................................................................................................................. 12 Package Content ........................................................................................................................................ 12 OVERVIEW ................................................................................................................................................... 13 MERGING+ANUBIS VARIANTS AND KEY FEATURES ........................................................................ 13 ABOUT RAVENNA ...................................................................................................................................... 16 MISSION CONTROL - MODULAR BY SOFTWARE ............................................................................... 16 MERGING+ANUBIS panels description ....................................................................................................
    [Show full text]
  • Historical Ciphers • A
    ECE 646 - Lecture 6 Required Reading • W. Stallings, Cryptography and Network Security, Chapter 2, Classical Encryption Techniques Historical Ciphers • A. Menezes et al., Handbook of Applied Cryptography, Chapter 7.3 Classical ciphers and historical development Why (not) to study historical ciphers? Secret Writing AGAINST FOR Steganography Cryptography (hidden messages) (encrypted messages) Not similar to Basic components became modern ciphers a part of modern ciphers Under special circumstances modern ciphers can be Substitution Transposition Long abandoned Ciphers reduced to historical ciphers Transformations (change the order Influence on world events of letters) Codes Substitution The only ciphers you Ciphers can break! (replace words) (replace letters) Selected world events affected by cryptology Mary, Queen of Scots 1586 - trial of Mary Queen of Scots - substitution cipher • Scottish Queen, a cousin of Elisabeth I of England • Forced to flee Scotland by uprising against 1917 - Zimmermann telegram, America enters World War I her and her husband • Treated as a candidate to the throne of England by many British Catholics unhappy about 1939-1945 Battle of England, Battle of Atlantic, D-day - a reign of Elisabeth I, a Protestant ENIGMA machine cipher • Imprisoned by Elisabeth for 19 years • Involved in several plots to assassinate Elisabeth 1944 – world’s first computer, Colossus - • Put on trial for treason by a court of about German Lorenz machine cipher 40 noblemen, including Catholics, after being implicated in the Babington Plot by her own 1950s – operation Venona – breaking ciphers of soviet spies letters sent from prison to her co-conspirators stealing secrets of the U.S. atomic bomb in the encrypted form – one-time pad 1 Mary, Queen of Scots – cont.
    [Show full text]
  • On the Design and Performance of Chinese OSCCA-Approved Cryptographic Algorithms Louise Bergman Martinkauppi∗, Qiuping He† and Dragos Ilie‡ Dept
    On the Design and Performance of Chinese OSCCA-approved Cryptographic Algorithms Louise Bergman Martinkauppi∗, Qiuping Hey and Dragos Iliez Dept. of Computer Science Blekinge Institute of Technology (BTH), Karlskrona, Sweden ∗[email protected], yping95 @hotmail.com, [email protected] Abstract—SM2, SM3, and SM4 are cryptographic standards in transit and at rest [4]. The law, which came into effect authorized to be used in China. To comply with Chinese cryp- on January 1, 2020, divides encryption into three different tography laws, standard cryptographic algorithms in products categories: core, ordinary and commercial. targeting the Chinese market may need to be replaced with the algorithms mentioned above. It is important to know beforehand Core and ordinary encryption are used for protecting if the replaced algorithms impact performance. Bad performance China’s state secrets at different classification levels. Both may degrade user experience and increase future system costs. We present a performance study of the standard cryptographic core and ordinary encryption are considered state secrets and algorithms (RSA, ECDSA, SHA-256, and AES-128) and corre- thus are strictly regulated by the SCA. It is therefore likely sponding Chinese cryptographic algorithms. that these types of encryption will be based on the national Our results indicate that the digital signature algorithms algorithms mentioned above, so that SCA can exercise full SM2 and ECDSA have similar design and also similar perfor- control over standards and implementations. mance. SM2 and RSA have fundamentally different designs. SM2 performs better than RSA when generating keys and Commercial encryption is used to protect information that signatures. Hash algorithms SM3 and SHA-256 have many design similarities, but SHA-256 performs slightly better than SM3.
    [Show full text]