DOCSLIB.ORG

Cryptanalysis and Design of Block Ciphers

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Cryptanalysis and Design of Block Ciphers KATHOLIEKE UNIVERSITEIT LEUVEN FACULTEIT DER TOEGEPASTE WETENSCHAPPEN DEPARTEMENT ELEKTROTECHNIEK-ESAT Kasteelpark Arenberg 10 – 3001 Leuven (Heverlee) CRYPTANALYSIS AND DESIGN OF BLOCK CIPHERS Promotoren : Proefschrift voorgedragen tot het Prof. Dr. ir. B. PRENEEL behalen van het doctoraat in de Prof. Dr. ir. J. VANDEWALLE toegepaste wetenschappen door Jorge NAKAHARA J´unior June 2003 KATHOLIEKE UNIVERSITEIT LEUVEN FACULTEIT DER TOEGEPASTE WETENSCHAPPEN DEPARTEMENT ELEKTROTECHNIEK-ESAT Kasteelpark Arenberg 10 – 3001 Leuven (Heverlee) CRYPTANALYSIS AND DESIGN OF BLOCK CIPHERS Jury : Proefschrift voorgedragen tot het Prof. J. Delrue, voorzitter behalen van het doctoraat in de Prof. B. Preneel, promotor toegepaste wetenschappen Prof. J. Vandewalle, promotor door Prof. A. Barb´e Jorge NAKAHARA J´unior Prof. S. Murphy (Royal Holloway, Univ. of London) Prof. J.-J. Quisquater (Univ. Catholique de Louvain) Prof. M. Van Barel U.D.C. 681.3*E3 June 2003 °c Katholieke Universiteit Leuven - Faculteit Toegepaste Wetenschappen Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee (Belgium) Alle rechten voorbehouden. Niets uit deze uitgave mag worden vermenigvuldigd en/of openbaar gemaakt worden door middel van druk, fotocopie, microfilm, elektronisch of op welke andere wijze ook zonder voorafgaande schriftelijke toestemmimg van de uitgever. All rights reserved. No part of the publication may be reproduced in any form by print, photoprint, microfilm or any other means without written permission from the publisher. D/2003/7515/20 ISBN 90-5682-407-4 Foreword It is a pleasure for me to acknowledge the help of so many people who con- tributed for a great time in Leuven. First of all, I would like to express my deepest gratitude to Prof. Bart Preneel and Prof. Joos Vandewalle, who not only allowed me the opportunity to come to Leuven, but also continously supported and assisted me along the years, not only concerning research matters, but also with many practical issues. I am also very grateful to Prof. Jean-Jacques Quisquater, Prof. Marc Van Barel, Prof. Andr´eBarb´e,and Prof. Sean Murphy for agreeing to serve as jury members and for their many comments regarding this work, and to Prof. J. Del- rue for chairing the jury. The financial assistance provided by K. U. Leuven Research and Develop- ment, the Katholieke Universiteit Leuven, and the Concerted Research Action (GOA) project Mefisto 2000/06 of the Flemish Government, are greatly appre- ciated. My sincere thanks also go to the current and past COSIC members for the many collaborations, and great times we shared together: Alex, An, Antoon, Bart, Berna, Christophe, Claudia, Cristian, Dai, Danny, Dries, Eric, Evelyne, Frederik, Jasper, Joan, Joe, Johan, Joris, Ju-Sung, Keith, Mark, Michael, Paul, Raimondo, Robert, Stef, Stefaan, Svetla, Thomas, Vincent, Wim. Many thanks to Elvira, Ida, P´elaand all system administrators for their invaluable help at uncountable times. Let me also thank my dear friends Abelha, Ann, Anna, Alex(s), Augusto, Bia, Cibele, Daniela, Deca, Dendˆe,Denise, Diana, Fernanda, Golfinho, Gus- tavo, Haley, Jaque, Jo˜ao,Margarida, Maria, Marta, Paulo, Reinaldo, Richard, Rog´erio,Rozenn, Samuel, Silvio, Sofie, Ueda, Wunga and so many others who made my life in Leuven so much more enjoyable. Last but not least, I would like to dedicate this work to my father, Jorge, to my mother, Misao, and to my sister, M´arcia.Though far away, they were never away from my mind, and from my heart. Jorge Nakahara J´unior Leuven, June 2003 Abstract This thesis focuses on cryptanalysis techniques and design of block ciphers. In particular, modern analysis methods such as square, boomerang, impossible differential and linear attacks are described and applied to real block ciphers. The first part of this thesis concentrates on the two most relevant modern cryptanalysis techniques: linear and differential cryptanalysis. These and re- lated techniques have been applied to SAFER K/SK/+/++, IDEA, Hierocrypt- 3, Hierocrypt-L1, Skipjack and the PES ciphers. In many attacks, the interac- tion between the block cipher and its key schedule algorithm was exploited, so that the complexity of key-recovery attacks could be reduced. These analyses often led to the discovery of weak keys, namely, key values for which the attack complexity was comparatively lower than for a random key. In some cases, the existence of weak keys, derived from the original key schedule, and holding for the whole cipher, might suggest a need for a redesign of the key setup algorithm. The second part of this thesis describes and analyzes new block ciphers, called MESH, which were designed with the same group operations as the IDEA block cipher. Three designs are presented: MESH-64, MESH-96, and MESH- 128. Their novel features include: (i) flexible block sizes (in increments of 32 bits), (ii) larger round functions (MA-boxes) compared to IDEA, (iii) distinct key-mixing layers for odd and even rounds, and (iv) new key schedule algorithms that achieve fast key avalanche. Estimates for the software performance of MESH ciphers indicate better or comparable speed to that of triple-DES. A preliminary security evaluation of these three ciphers included truncated and impossible differentials, linear, square, slide and advanced-slide, multiplicative differentials (on simplified versions), and Demirci’s attacks, among others. The initial results of these attacks seem to indicate that the MESH ciphers present a relatively large margin of security against modern cryptanalysis techniques. Other cipher designs are further suggested, based on the flexible MA-boxes, and on the alternative AM-boxes. Samenvatting Dit proefschrift behandelt de cryptanalyse en het ontwerp van blokcijfers. In het bijzonder moderne cryptanalyse-methoden zoals “Square”-aanvallen, boemerang- aanvallen, onmogelijke differenti¨elenen lineaire cryptanalyse worden beschreven en toegepast op blokcijfers. In het eerste deel van dit proefschrift behandelen we de twee belangrijkste moderne cryptanalysemethodes: lineaire en differenti¨elecryptanalyse. Deze en aanverwante methodes hebben we toegepast op SAFER K/SK/+/++, IDEA, Hierocrypt-3, Hierocrypt-L1, Skipjack en de PES cijfers. In vele gevallen kun- nen we de complexiteit van aanvallen reduceren door de interactie tussen een blokcijfer en zijn sleutelschema uit te buiten. Deze analyses leiden dan tot de definitie van zwakke sleutels, namelijk sleutels waarvoor de complexiteit van de aanval lager is dan gemiddeld. In sommige gevallen duidt het bestaan van zwakke sleutels, afgeleid van het oorspronkelijke sleutelschema en geldig voor het volledige cijfer, op een nood om het ontwerp van het sleutelschema te her- bekijken. In het tweede deel van dit proefschrift beschrijven en analyzeren we een nieuwe familie van blokcijfers, “MESH” genaamd, die we ontworpen hebben op basis van dezelfde groepsoperaties als het blokcijfer IDEA. We beschrijven drie ontwerpen: MESH-64, MESH-96 en MESH-128. Enkele van de nieuwigheden in deze ontwerpen zijn: (i) de flexibiliteit op het gebied van bloklengte (in stappen van 32 bits); (ii) ronde-functies (“MA-boxen”) met grotere afmetingen dan bij IDEA; (iii) verschillende manieren om de rondesleutel in te brengen voor even en oneven ronden, en (iv) nieuwe sleutelschema’s die een groot lawine-effect hebben. Schattingen voor de performantie van software-implementaties van de MESH-cijfers wijzen op een snelheid vergelijkbaar met of groter dan die van 3- DES. We presenteren een eerste evaluatie van de veiligheid van deze drie cijfers, die onder andere de volgende technieken omvatte: “truncated” en onmogelijke differenti¨elen,lineaire cryptanalyze, “Square”-aanvallen, schuif- en geavanceerde schuif-aanvallen, multiplicatieve differenti¨elen,en de technieken beschreven door Demirci. De voorlopige resultaten lijken aan te wijzen dat de MESH cijfers een relatief grote veiligheidsmarge bezitten tegen modere cryptanalysemethodes. Daarnaast stellen we enkele andere ontwerpen voor cijfers voor, gebaseerd op de flexibele MA-boxen en op de alternatieve AM-boxen. Contents Foreword iii Abstract v Samenvatting vii Contents ix List of Figures xiii List of Tables xv List of Abbreviations xvii List of Cryptographic Algorithms xviii List of Notations xviii 1 Introduction 1 1.1 Thesis Outline and Contributions . 2 1.2 The AES Development Process . 4 1.3 The NESSIE Project . 5 2 An Overview of Block Ciphers 7 2.1 Threat Model . 9 2.2 Attack Complexity . 10 2.3 Types of Attack . 11 2.4 Attack Outcome . 12 2.5 Security Terminology . 12 2.6 Diffusion and Confusion . 15 2.6.1 The Diffusion Property . 15 2.6.2 The Confusion Property . 17 2.7 Iterated Block Ciphers . 19 2.8 Rijndael and AES . 21 2.9 Modes of Operation . 24 ix 2.10 Birthday Paradox . 29 2.11 Key-Collision Attack . 30 2.12 Brute-Force Attacks . 31 2.13 Shortcut Attacks . 34 2.14 Conclusions . 35 3 Linear Cryptanalysis 37 3.1 Introduction . 37 3.2 Preliminaries . 37 3.3 Linear Attack on DES . 43 3.4 Linear Cryptanalysis of SAFER Ciphers . 48 3.4.1 Non-Homomorphic Linear Relations . 49 3.4.2 Linear Attack on SAFER-32 . 51 3.4.3 Linear Attack on SAFER SK . 53 3.4.4 Linear Attack on SAFER+ . 55 3.4.5 Linear Attack on SAFER++ . 56 3.5 A Ciphertext-only Attack . 57 3.6 Linear Cryptanalysis of the PES Cipher . 58 3.7 Conclusions . 61 4 Differential Cryptanalysis 63 4.1 Introduction . 63 4.2 Preliminaries . 63 4.2.1 Known-Plaintext DC Attacks . 66 4.3 Higher-Order Differential Cryptanalysis . 67 4.4 The Square Attack . 68 4.4.1 Square Attacks on IDEA and PES . 70 4.4.1.1 Related-Key Square Attack . 74 4.4.2 Square Attacks on Hierocrypt-L1 and Hierocrypt-3 . 76 4.4.3 Square Attacks on Skipjack . 80 4.5 The Impossible Differential Attack . 91 4.5.1 Impossible Differential Attack on SAFER SK . 92 4.5.2 Impossible Differential Attack on SAFER+/128 . 95 4.5.3 Impossible Differential Attack on SAFER++/128 . 97 4.6 The Boomerang Attack . 98 4.6.1 Boomerang Attacks on IDEA .
Load more

Recommended publications
  • The Design of Rijndael: AES - the Advanced Encryption Standard/Joan Daemen, Vincent Rijmen
    Joan Daernen · Vincent Rijrnen Theof Design Rijndael AES - The Advanced Encryption Standard With 48 Figures and 17 Tables Springer Berlin Heidelberg New York Barcelona Hong Kong London Milan Paris Springer TnL-1Jn Joan Daemen Foreword Proton World International (PWI) Zweefvliegtuigstraat 10 1130 Brussels, Belgium Vincent Rijmen Cryptomathic NV Lei Sa 3000 Leuven, Belgium Rijndael was the surprise winner of the contest for the new Advanced En­ cryption Standard (AES) for the United States. This contest was organized and run by the National Institute for Standards and Technology (NIST) be­ ginning in January 1997; Rij ndael was announced as the winner in October 2000. It was the "surprise winner" because many observers (and even some participants) expressed scepticism that the U.S. government would adopt as Library of Congress Cataloging-in-Publication Data an encryption standard any algorithm that was not designed by U.S. citizens. Daemen, Joan, 1965- Yet NIST ran an open, international, selection process that should serve The design of Rijndael: AES - The Advanced Encryption Standard/Joan Daemen, Vincent Rijmen. as model for other standards organizations. For example, NIST held their p.cm. Includes bibliographical references and index. 1999 AES meeting in Rome, Italy. The five finalist algorithms were designed ISBN 3540425802 (alk. paper) . .. by teams from all over the world. 1. Computer security - Passwords. 2. Data encryption (Computer sCIence) I. RIJmen, In the end, the elegance, efficiency, security, and principled design of Vincent, 1970- II. Title Rijndael won the day for its two Belgian designers, Joan Daemen and Vincent QA76.9.A25 D32 2001 Rijmen, over the competing finalist designs from RSA, IBl\!I, Counterpane 2001049851 005.8-dc21 Systems, and an English/Israeli/Danish team.
    [Show full text]
  • Cryptanalysis of Feistel Networks with Secret Round Functions Alex Biryukov, Gaëtan Leurent, Léo Perrin
    Cryptanalysis of Feistel Networks with Secret Round Functions Alex Biryukov, Gaëtan Leurent, Léo Perrin To cite this version: Alex Biryukov, Gaëtan Leurent, Léo Perrin. Cryptanalysis of Feistel Networks with Secret Round Functions. Selected Areas in Cryptography - SAC 2015, Aug 2015, Sackville, Canada. hal-01243130 HAL Id: hal-01243130 https://hal.inria.fr/hal-01243130 Submitted on 14 Dec 2015 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Cryptanalysis of Feistel Networks with Secret Round Functions ? Alex Biryukov1, Gaëtan Leurent2, and Léo Perrin3 1 [email protected], University of Luxembourg 2 [email protected], Inria, France 3 [email protected], SnT,University of Luxembourg Abstract. Generic distinguishers against Feistel Network with up to 5 rounds exist in the regular setting and up to 6 rounds in a multi-key setting. We present new cryptanalyses against Feistel Networks with 5, 6 and 7 rounds which are not simply distinguishers but actually recover completely the unknown Feistel functions. When an exclusive-or is used to combine the output of the round function with the other branch, we use the so-called yoyo game which we improved using a heuristic based on particular cycle structures.
    [Show full text]
  • Models and Algorithms for Physical Cryptanalysis
    MODELS AND ALGORITHMS FOR PHYSICAL CRYPTANALYSIS Dissertation zur Erlangung des Grades eines Doktor-Ingenieurs der Fakult¨at fur¨ Elektrotechnik und Informationstechnik an der Ruhr-Universit¨at Bochum von Kerstin Lemke-Rust Bochum, Januar 2007 ii Thesis Advisor: Prof. Dr.-Ing. Christof Paar, Ruhr University Bochum, Germany External Referee: Prof. Dr. David Naccache, Ecole´ Normale Sup´erieure, Paris, France Author contact information: [email protected] iii Abstract This thesis is dedicated to models and algorithms for the use in physical cryptanalysis which is a new evolving discipline in implementation se- curity of information systems. It is based on physically observable and manipulable properties of a cryptographic implementation. Physical observables, such as the power consumption or electromag- netic emanation of a cryptographic device are so-called `side channels'. They contain exploitable information about internal states of an imple- mentation at runtime. Physical effects can also be used for the injec- tion of faults. Fault injection is successful if it recovers internal states by examining the effects of an erroneous state propagating through the computation. This thesis provides a unified framework for side channel and fault cryptanalysis. Its objective is to improve the understanding of physi- cally enabled cryptanalysis and to provide new models and algorithms. A major motivation for this work is that methodical improvements for physical cryptanalysis can also help in developing efficient countermea- sures for securing cryptographic implementations. This work examines differential side channel analysis of boolean and arithmetic operations which are typical primitives in cryptographic algo- rithms. Different characteristics of these operations can support a side channel analysis, even of unknown ciphers.
    [Show full text]
  • A Quantitative Study of Advanced Encryption Standard Performance
    United States Military Academy USMA Digital Commons West Point ETD 12-2018 A Quantitative Study of Advanced Encryption Standard Performance as it Relates to Cryptographic Attack Feasibility Daniel Hawthorne United States Military Academy, [email protected] Follow this and additional works at: https://digitalcommons.usmalibrary.org/faculty_etd Part of the Information Security Commons Recommended Citation Hawthorne, Daniel, "A Quantitative Study of Advanced Encryption Standard Performance as it Relates to Cryptographic Attack Feasibility" (2018). West Point ETD. 9. https://digitalcommons.usmalibrary.org/faculty_etd/9 This Doctoral Dissertation is brought to you for free and open access by USMA Digital Commons. It has been accepted for inclusion in West Point ETD by an authorized administrator of USMA Digital Commons. For more information, please contact [email protected]. A QUANTITATIVE STUDY OF ADVANCED ENCRYPTION STANDARD PERFORMANCE AS IT RELATES TO CRYPTOGRAPHIC ATTACK FEASIBILITY A Dissertation Presented in Partial Fulfillment of the Requirements for the Degree of Doctor of Computer Science By Daniel Stephen Hawthorne Colorado Technical University December, 2018 Committee Dr. Richard Livingood, Ph.D., Chair Dr. Kelly Hughes, DCS, Committee Member Dr. James O. Webb, Ph.D., Committee Member December 17, 2018 © Daniel Stephen Hawthorne, 2018 1 Abstract The advanced encryption standard (AES) is the premier symmetric key cryptosystem in use today. Given its prevalence, the security provided by AES is of utmost importance. Technology is advancing at an incredible rate, in both capability and popularity, much faster than its rate of advancement in the late 1990s when AES was selected as the replacement standard for DES. Although the literature surrounding AES is robust, most studies fall into either theoretical or practical yet infeasible.
    [Show full text]
  • BOUNDARY LAYERS with FLOW REVERSAL John F. Nush
    NASA CONTRACTOR REPORT FURTHER STUDIES OF UNSTEADY BOUNDARY LAYERS WITH FLOW REVERSAL John F. Nush Prepared by SYBUCON, INC. Atlanta, Ga. 303 39 for Ames Research Center TECH LIBRARY KAFB, NU NASA CR-2767 I I 4. Title nd Subtitle I 5. Report Date "Further Studies of Unsteady Boundary Layers with . December 1976 Flow Reversalll Organization 6. Performing Code 7. Author($) 8. Performing Orgnization Report No. John F. Nash 10. Work Unit No. 9. Performing Orpmization Nama and Address Sybucon, Inc. 11.Contract or GrantNo. 9 960) Perimeter Place,N.W. (Suite 2-8771 Atlanta, Georgia 30339 - NAS 13.Type of Report andPeriod Covered 12. Sponsoring myName md Address 6 Contractor Report- National Aeronautics Space Administration 14.Sponsorirg Aqmcy Code Washington, D. C. 20546 I 15.Supplementary Notas 16. Abstract Further computational experiments have been conducted to study the charac- teristics of flow reversal and separation in unsteady boundary layers. One set of calculations was performed using thefirst-order, time-dependent turbulent boundary-layer equations, and extended earlier work by Nash and Pate1 to a wider rangeof flows. Another set of calculations was performed for laminar flow using the time-dependent Navier-Stokesequati.ons. 1 The results of the calculations confirm previous conclusions concerning the existence of a regime of unseparated flow, containing an embedded regionof reversal, which is accessible to first-order boundary-layer theory.However certain doubts are caston the precise natureof the events which accompany the eventual breakdownof the theory due to singularity onset.The earlier view that the singularity appearsas the final event in a sequence involving rapid thickeningof the boundary layer and the formationof a localized region of steep gradients, is called into questionby the present results.
    [Show full text]
  • Non-Interactive Key Establishment in Wireless Mesh Networks
    Chapter 1 Non-Interactive Key Establishment in Wireless Mesh Networks Zhenjiang Li†, J.J. Garcia-Luna-Aceves †∗ zhjli,jj @soe.ucsc.edu { } †Computer Engineering, University of California, Santa Cruz 1156 high street, Santa Cruz, CA 95064, USA Phone:1-831-4595436, Fax: 1-831-4594829 ∗Palo Alto Research Center (PARC) 3333 Coyote Hill Road, Palo Alto, CA 94304, USA Symmetric cryptographic primitives are preferable in designing security protocols for wireless mesh networks (WMNs) because they are computationally affordable for resource- constrained mobile devices forming a WMN. Most proposed key-establishment schemes for symmetric cryptosystem assume services from a centralized authority (either on-line or off- line), or involve the interaction between communicating parties. However, requiring access 1 c Springer, 2005. This is a revision of the work published in the proceedings of AdhocNow’05, LNCS 3738, pp. 164-177, Cancun," Mexico, Oct. 2005. 2This work was supported in part by the Baskin Chair of Computer Engineering at UCSC, the National Science Foundation under Grant CNS-0435522, the U.S. Army Research Office under grant No. W911NF-05-1-0246. Any opinions, findings, and conclusions are those of the authors and do not necessarily reflect the views of the funding agencies. 1 2CHAPTER 1. NON-INTERACTIVE KEY ESTABLISHMENT IN WIRELESS MESH NETWORKS to a centralized authority, or ensuring that correct routing be established before the key agreement is done, is difficult to attain in wireless networks. We present a new non-interactive key agreement and progression (NIKAP) scheme for wireless networks, which does not require an on-line centralized authority, can establish and update pairwise shared keys between any two nodes in a non-interactive manner, is configurable to operate synchronously (S-NIKAP) or asynchronously (A-NIKAP), and has the ability to provide differentiated security services w.r.t.
    [Show full text]
  • Mesh Segmentation Guided by Seed Points
    Bulletin of the JSME Vol.9, No.4, 2015 Journal of Advanced Mechanical Design, Systems, and Manufacturing Mesh segmentation guided by seed points Xue JIAO*, Huixin ZHANG* and Tieru WU* *Institute of Mathematics, Jilin University Changchun, Jilin130012, China E-mail: [email protected] Received 3 January 2015 Abstract Segmenting 3D models into meaningful parts is a fundamental problem in computer graphics. In this paper, we present an algorithm which is guided by the mesh vertices for segmenting a mesh into meaningful sub-meshes. First, a candidate set of feature points is selected to highlight the most significant features of the model. After that, a diversity measure is calculated by using Hausdorff distance. The collection of seed points we defined is a subset of the candidate set. The collection of seed points consists of two parts, namely, the basic point and lucky points. By maximizing the diversity measure between the seed set and candidate set, an appropriate seed point is selected. Based on the collection of seed points, the segmentation process can be guided by these seeds. Because humans generally perceive desirable segmentations at concave regions, and the geodesic distance and curvature are well-known noise sensitive. Considering the above factors, in order to partition the target into meaningful parts, we define a distance function between each pair of mesh vertices. This function is formed by arc length, angular distance and curvature-related correction term. We have tested the method developed in this paper with 3D meshes from the Princeton segmentation benchmark. Moreover, our segmentation method also has been compared with other methods.
    [Show full text]
  • ("DSCC") Files This Complaint Seeking an Immediate Investigation by the 7
    COMPLAINT BEFORE THE FEDERAL ELECTION CBHMISSIOAl INTRODUCTXON - 1 The Democratic Senatorial Campaign Committee ("DSCC") 7-_. J _j. c files this complaint seeking an immediate investigation by the 7 c; a > Federal Election Commission into the illegal spending A* practices of the National Republican Senatorial Campaign Committee (WRSCIt). As the public record shows, and an investigation will confirm, the NRSC and a series of ostensibly nonprofit, nonpartisan groups have undertaken a significant and sustained effort to funnel "soft money101 into federal elections in violation of the Federal Election Campaign Act of 1971, as amended or "the Act"), 2 U.S.C. 5s 431 et seq., and the Federal Election Commission (peFECt)Regulations, 11 C.F.R. 85 100.1 & sea. 'The term "aoft money" as ueed in this Complaint means funds,that would not be lawful for use in connection with any federal election (e.g., corporate or labor organization treasury funds, contributions in excess of the relevant contribution limit for federal elections). THE FACTS IN TBIS CABE On November 24, 1992, the state of Georgia held a unique runoff election for the office of United States Senator. Georgia law provided for a runoff if no candidate in the regularly scheduled November 3 general election received in excess of 50 percent of the vote. The 1992 runoff in Georg a was a hotly contested race between the Democratic incumbent Wyche Fowler, and his Republican opponent, Paul Coverdell. The Republicans presented this election as a %ust-win81 election. Exhibit 1. The Republicans were so intent on victory that Senator Dole announced he was willing to give up his seat on the Senate Agriculture Committee for Coverdell, if necessary.
    [Show full text]
  • KLEIN: a New Family of Lightweight Block Ciphers
    KLEIN: A New Family of Lightweight Block Ciphers Zheng Gong1, Svetla Nikova1;2 and Yee Wei Law3 1Faculty of EWI, University of Twente, The Netherlands fz.gong, [email protected] 2 Dept. ESAT/SCD-COSIC, Katholieke Universiteit Leuven, Belgium 3 Department of EEE, The University of Melbourne, Australia [email protected] Abstract Resource-efficient cryptographic primitives become fundamental for realizing both security and efficiency in embedded systems like RFID tags and sensor nodes. Among those primitives, lightweight block cipher plays a major role as a building block for security protocols. In this paper, we describe a new family of lightweight block ciphers named KLEIN, which is designed for resource-constrained devices such as wireless sensors and RFID tags. Compared to the related proposals, KLEIN has ad- vantage in the software performance on legacy sensor platforms, while its hardware implementation can be compact as well. Key words. Block cipher, Wireless sensor network, Low-resource implementation. 1 Introduction With the development of wireless communication and embedded systems, we become increasingly de- pendent on the so called pervasive computing; examples are smart cards, RFID tags, and sensor nodes that are used for public transport, pay TV systems, smart electricity meters, anti-counterfeiting, etc. Among those applications, wireless sensor networks (WSNs) have attracted more and more attention since their promising applications, such as environment monitoring, military scouting and healthcare. On resource-limited devices the choice of security algorithms should be very careful by consideration of the implementation costs. Symmetric-key algorithms, especially block ciphers, still play an important role for the security of the embedded systems.
    [Show full text]
  • Performance and Energy Efficiency of Block Ciphers in Personal Digital Assistants
    Performance and Energy Efficiency of Block Ciphers in Personal Digital Assistants Creighton T. R. Hager, Scott F. Midkiff, Jung-Min Park, Thomas L. Martin Bradley Department of Electrical and Computer Engineering Virginia Polytechnic Institute and State University Blacksburg, Virginia 24061 USA {chager, midkiff, jungmin, tlmartin} @ vt.edu Abstract algorithms may consume more energy and drain the PDA battery faster than using less secure algorithms. Due to Encryption algorithms can be used to help secure the processing requirements and the limited computing wireless communications, but securing data also power in many PDAs, using strong cryptographic consumes resources. The goal of this research is to algorithms may also significantly increase the delay provide users or system developers of personal digital between data transmissions. Thus, users and, perhaps assistants and applications with the associated time and more importantly, software and system designers need to energy costs of using specific encryption algorithms. be aware of the benefits and costs of using various Four block ciphers (RC2, Blowfish, XTEA, and AES) were encryption algorithms. considered. The experiments included encryption and This research answers questions regarding energy decryption tasks with different cipher and file size consumption and execution time for various encryption combinations. The resource impact of the block ciphers algorithms executing on a PDA platform with the goal of were evaluated using the latency, throughput, energy- helping software and system developers design more latency product, and throughput/energy ratio metrics. effective applications and systems and of allowing end We found that RC2 encrypts faster and uses less users to better utilize the capabilities of PDA devices.
    [Show full text]
  • On the Decorrelated Fast Cipher (DFC) and Its Theory
    On the Decorrelated Fast Cipher (DFC) and Its Theory Lars R. Knudsen and Vincent Rijmen ? Department of Informatics, University of Bergen, N-5020 Bergen Abstract. In the first part of this paper the decorrelation theory of Vaudenay is analysed. It is shown that the theory behind the propo- sed constructions does not guarantee security against state-of-the-art differential attacks. In the second part of this paper the proposed De- correlated Fast Cipher (DFC), a candidate for the Advanced Encryption Standard, is analysed. It is argued that the cipher does not obtain prova- ble security against a differential attack. Also, an attack on DFC reduced to 6 rounds is given. 1 Introduction In [6,7] a new theory for the construction of secret-key block ciphers is given. The notion of decorrelation to the order d is defined. Let C be a block cipher with block size m and C∗ be a randomly chosen permutation in the same message space. If C has a d-wise decorrelation equal to that of C∗, then an attacker who knows at most d − 1 pairs of plaintexts and ciphertexts cannot distinguish between C and C∗. So, the cipher C is “secure if we use it only d−1 times” [7]. It is further noted that a d-wise decorrelated cipher for d = 2 is secure against both a basic linear and a basic differential attack. For the latter, this basic attack is as follows. A priori, two values a and b are fixed. Pick two plaintexts of difference a and get the corresponding ciphertexts.
    [Show full text]
  • Report on the AES Candidates
    Rep ort on the AES Candidates 1 2 1 3 Olivier Baudron , Henri Gilb ert , Louis Granb oulan , Helena Handschuh , 4 1 5 1 Antoine Joux , Phong Nguyen ,Fabrice Noilhan ,David Pointcheval , 1 1 1 1 Thomas Pornin , Guillaume Poupard , Jacques Stern , and Serge Vaudenay 1 Ecole Normale Sup erieure { CNRS 2 France Telecom 3 Gemplus { ENST 4 SCSSI 5 Universit e d'Orsay { LRI Contact e-mail: [email protected] Abstract This do cument rep orts the activities of the AES working group organized at the Ecole Normale Sup erieure. Several candidates are evaluated. In particular we outline some weaknesses in the designs of some candidates. We mainly discuss selection criteria b etween the can- didates, and make case-by-case comments. We nally recommend the selection of Mars, RC6, Serp ent, ... and DFC. As the rep ort is b eing nalized, we also added some new preliminary cryptanalysis on RC6 and Crypton in the App endix which are not considered in the main b o dy of the rep ort. Designing the encryption standard of the rst twentyyears of the twenty rst century is a challenging task: we need to predict p ossible future technologies, and wehavetotake unknown future attacks in account. Following the AES pro cess initiated by NIST, we organized an op en working group at the Ecole Normale Sup erieure. This group met two hours a week to review the AES candidates. The present do cument rep orts its results. Another task of this group was to up date the DFC candidate submitted by CNRS [16, 17] and to answer questions which had b een omitted in previous 1 rep orts on DFC.
    [Show full text]