DOCSLIB.ORG

Cipher and Hash Function Design Strategies Based on Linear and Differential Cryptanalysis

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Cipher and Hash Function Design Strategies Based on Linear and Differential Cryptanalysis Cipher and Hash Function Design Strategies based on linear and differential cryptanalysis Joan Daemen March 1995 i Note: This version has been compiled in January 2004. With respect to the original version,the formatting of some formulas was modified for layout purposes and some sentences were rephrased to allow easier line breaks. ii Voorwoord In deze inleiding maak ik van de gelegenheid gebruik om al diegenen te bedanken die er voor hebben gezorgd dat dit doctoraat tot stand is gekomen in een informele en vriendschappelijke werksfeer met veel ruimte voor samenwerking,creativiteit en persoonlijk initiatief. In de eerste plaats denk ik hierbij aan mijn promotoren Prof. Ren´e Govaerts en Prof. Joos Vandewalle,die mij op weg hebben geholpen met concrete voorstellen voor onderzoek. Door mij steeds te wijzen op het belang van de praktische toepasbaarheid van onderzoeksresultaten hebben zij voor een belangrijk deel de toon gezet voor deze verhandeling. Voorts wil ik graag de overige leden van het leescomit´e bedanken,Prof. Bart De Decker van het Dept. Computerwetenschappen en Prof. Jean-Jacques Quisquater van de UCL. Mijn oprechte dank gaat ook uit naar mijn collega en jurylid Bart Preneel,die het manuscript op vrijwillige basis heeft nagelezen en met wie ik vele leerrijke gesprekken gevoerd heb. Een speciaal woord van dank gaat naar jurylid Prof. Luc Claesen van IMEC voor zijn inzet en enthousiasme die hebben geleid tot de vlotte implementatie en demonstratie van de Subterranean chip. I am also grateful to Prof. Peter Landrock of the university of Arhus˚ for serving in my jury despite his busy agenda. Als laatste jurylid bedank ik voorzitter Prof. Willy Dutr´e. Verder bedank ik graag mijn collega’s met wie ik binnen ESAT heb samengewerkt en op wie ik nooit tevergeefs een beroep heb gedaan. Ik denk hierbij speciaal aan Jan Verschuren die meer dan wie ook heeft bijgedragen tot de positieve sfeer. Verder vermeld ik graag Luc Van Linden,Antoon Bosselaers,Cristian Radu,Vincent Rij- men,Ria Vanden Eynde,Rita Dewolf,Steven Vanleemput,Patrick Wuytens,Mark Vandenwauver,Andr´eBarb´e,Elvira Wouters,Marc Genoe,Gert Peeters en Zohair Sahraoui. I would also like to thank all people from the international scientific community who have supported or helped me during my research. Among them are Tsutomu Matsumoto,Markus Dichtl,William Wolfowicz,Jorge Davila,Bert Den Boer,Dou- glas Stinson,Ronald Rivest and Jan Egil Øye. Ik wil graag besluiten met die mensen te bedanken die mij het nauwst aan het hart liggen. Mijn ouders,voor hun onvoorwaardelijke steun,hun aanmoedigingen en hun oprechte interesse. Mijn verloofde Ilse,voor haar voortdurende toewijding en liefde waardoor het mij nooit aan motivatie en energie ontbroken heeft of zal ontbreken. iii Abstract This thesis contains a new approach to design block ciphers,synchronous and self-synchronizing stream ciphers and cryptographic hash functions. The goal of this approach is the specification of cryptographic schemes that are secure,simple to describe and that can be implemented efficiently on a wide variety of platforms. Key words are simplicity,symmetry and parallelism. An overview of the different types of ciphers,encryption schemes and hash functions is given,the nature of cryptographic security is discussed and some new security-related definitions are presented. The design is mainly guided by the resistance against differential and linear cryptanalysis. The basic mechanisms of these two attacks are investigated and their structure is clarified by adopting a new formalism for their description and analysis. The resistance against differential and linear cryptanalysis is obtained by applying the new wide trail strategy that emphasizes the mechanism of diffusion. The application of this strategy for the different types of ciphers and hash functions leads to a number of new structures and specific designs. A new self-reciprocal block cipher structure is introduced together with a new type of cryptographic component: the stream/hash module. The design of single-bit self-synchronizing stream ciphers is treated and the potential weaknesses of ciphers that make use of arithmetic operations are analyzed. The design approach is supported by a number of new cryptanalytic results. iv Contents 1 Introduction 1 1.1Communicationandcomputersecurity................. 1 1.2Cryptography............................... 2 1.3 Research goals . ............................ 3 1.4Aboutthisthesis............................. 4 2 Encryption, Ciphers and Hash Functions 7 2.1Introduction................................ 7 2.2Thegenericencryptionscheme...................... 7 2.2.1 Encryptionthroughtransposition................ 8 2.2.2 Therealworld.......................... 9 2.2.3 Somedefinitions.......................... 10 2.2.4 Errorsensitivity.......................... 11 2.2.5 Streamversusblockencryption................. 13 2.3Synchronousstreamciphers....................... 14 2.3.1 Repeatedoccurrences....................... 16 2.3.2 Filteredcounterstreamciphers................. 16 2.4Self-synchronizingstreamciphers.................... 18 2.4.1 Repeatedoccurrences....................... 19 2.4.2 Outputfeedback(OFB)mode.................. 19 2.5Blockciphers............................... 20 2.5.1 Electroniccodebook(ECB)mode............... 21 2.5.2 Cipherblockchaining(CBC)mode............... 22 2.5.3 Outputfeedback(OFB)mode.................. 24 2.5.4 Filteredcounterscheme(FCS)mode.............. 26 2.5.5 Cipherfeedback(CFB)mode.................. 26 2.6Ciphersandencryptionschemes..................... 27 2.7Cryptographichashfunctions...................... 27 2.7.1 Hierarchicalhashingschemes.................. 29 2.7.2 Repeatedoccurrences....................... 29 2.8Conclusions................................ 31 3 Cryptographic Security 33 3.1Introduction................................ 33 3.2Thecryptanalyticsetting......................... 33 v vi CONTENTS 3.2.1 Ways of access .......................... 34 3.2.2 Exhaustivekeysearch...................... 35 3.3Provablesecurity............................. 36 3.3.1 Informationtheoreticapproach................. 37 3.3.2 Thecomplexitytheoreticapproach............... 38 3.4Securityinpractice............................ 42 3.4.1 Thecryptologicactivity..................... 43 3.5Definitionsofsecurity........................... 45 3.5.1 Superciphers........................... 45 3.5.2 Superencryptionschemes.................... 46 3.5.3 Supercryptographichashfunctions............... 46 3.5.4 K-secureprimitives........................ 47 3.5.5 Hermeticschemes......................... 48 3.6Manipulationdetectionindecryption.................. 49 3.7Conclusions................................ 52 4 Design Strategies 53 4.1Introduction................................ 53 4.2Generalrequirements........................... 53 4.2.1 Simplicity............................. 53 4.2.2 Structuraltransparency..................... 54 4.3Specificrequirements........................... 55 4.3.1 Portability ............................. 55 4.3.2 Dedicated hardware suitability .................. 55 4.4Blockciphers............................... 56 4.4.1 Ourapproach........................... 58 4.5Self-synchronizingstreamciphers.................... 58 4.5.1 Ourapproach........................... 59 4.6Synchronousstreamciphers....................... 59 4.6.1 Ourapproach........................... 61 4.7Cryptographichashfunctions...................... 62 4.7.1 Ourapproach........................... 64 4.8Choiceofbasicoperations........................ 65 4.8.1 Bitpermutations......................... 65 4.8.2 BitwiseBooleanoperations.................... 66 4.8.3 Substitution boxes ........................ 66 4.8.4 Modulararithmeticoperations.................. 67 4.8.5 Ourchoice............................. 68 4.9Conclusions................................ 68 5 Propagation and Correlation 69 5.1Introduction................................ 69 5.2TheDataEncryptionStandard..................... 69 5.3Differentialandlinearcryptanalysis................... 71 5.3.1 Differentialcryptanalysis..................... 71 CONTENTS vii 5.3.2 Linearcryptanalysis....................... 72 5.4Analyticalanddescriptivetools..................... 74 5.4.1 TheWalsh-Hadamardtransform................. 74 5.4.2 Correlationmatrices....................... 77 5.4.3 Derivedproperties........................ 79 5.4.4 Difference propagation ...................... 82 5.5Applicationtoiteratedtransformations................. 85 5.5.1 Correlation............................ 85 5.5.2 Difference propagation ...................... 87 5.5.3 DEScryptanalysisrevisited................... 89 5.6Thewidetrailstrategy.......................... 91 5.6.1 Traditionalapproach....................... 92 5.7Conclusions................................ 92 6 Shift-Invariant Transformations 95 6.1Introduction................................ 95 6.2Shift-invarianceandthestatespace................... 96 6.3Localmaps................................ 97 6.4 Invertibility ................................ 97 6.5Linearshift-invarianttransformations.................. 99 6.5.1 Invertibility ............................ 99 6.6 Nonlinear transformations with finite ν .................101 6.6.1 Local invertibility .........................101 6.6.2 Global invertibility ........................103 6.7Cyclicmultiplication...........................104 6.8Diffusion..................................105 6.8.1 Diffusion in invertible linear φ ..................106 6.9 Nonlinearity properties of χ .......................109
Load more

Recommended publications
  • GPU-Based Password Cracking on the Security of Password Hashing Schemes Regarding Advances in Graphics Processing Units
    Radboud University Nijmegen Faculty of Science Kerckhoffs Institute Master of Science Thesis GPU-based Password Cracking On the Security of Password Hashing Schemes regarding Advances in Graphics Processing Units by Martijn Sprengers [email protected] Supervisors: Dr. L. Batina (Radboud University Nijmegen) Ir. S. Hegt (KPMG IT Advisory) Ir. P. Ceelen (KPMG IT Advisory) Thesis number: 646 Final Version Abstract Since users rely on passwords to authenticate themselves to computer systems, ad- versaries attempt to recover those passwords. To prevent such a recovery, various password hashing schemes can be used to store passwords securely. However, recent advances in the graphics processing unit (GPU) hardware challenge the way we have to look at secure password storage. GPU's have proven to be suitable for crypto- graphic operations and provide a significant speedup in performance compared to traditional central processing units (CPU's). This research focuses on the security requirements and properties of prevalent pass- word hashing schemes. Moreover, we present a proof of concept that launches an exhaustive search attack on the MD5-crypt password hashing scheme using modern GPU's. We show that it is possible to achieve a performance of 880 000 hashes per second, using different optimization techniques. Therefore our implementation, executed on a typical GPU, is more than 30 times faster than equally priced CPU hardware. With this performance increase, `complex' passwords with a length of 8 characters are now becoming feasible to crack. In addition, we show that between 50% and 80% of the passwords in a leaked database could be recovered within 2 months of computation time on one Nvidia GeForce 295 GTX.
    [Show full text]
  • The Design of Rijndael: AES - the Advanced Encryption Standard/Joan Daemen, Vincent Rijmen
    Joan Daernen · Vincent Rijrnen Theof Design Rijndael AES - The Advanced Encryption Standard With 48 Figures and 17 Tables Springer Berlin Heidelberg New York Barcelona Hong Kong London Milan Paris Springer TnL-1Jn Joan Daemen Foreword Proton World International (PWI) Zweefvliegtuigstraat 10 1130 Brussels, Belgium Vincent Rijmen Cryptomathic NV Lei Sa 3000 Leuven, Belgium Rijndael was the surprise winner of the contest for the new Advanced En­ cryption Standard (AES) for the United States. This contest was organized and run by the National Institute for Standards and Technology (NIST) be­ ginning in January 1997; Rij ndael was announced as the winner in October 2000. It was the "surprise winner" because many observers (and even some participants) expressed scepticism that the U.S. government would adopt as Library of Congress Cataloging-in-Publication Data an encryption standard any algorithm that was not designed by U.S. citizens. Daemen, Joan, 1965- Yet NIST ran an open, international, selection process that should serve The design of Rijndael: AES - The Advanced Encryption Standard/Joan Daemen, Vincent Rijmen. as model for other standards organizations. For example, NIST held their p.cm. Includes bibliographical references and index. 1999 AES meeting in Rome, Italy. The five finalist algorithms were designed ISBN 3540425802 (alk. paper) . .. by teams from all over the world. 1. Computer security - Passwords. 2. Data encryption (Computer sCIence) I. RIJmen, In the end, the elegance, efficiency, security, and principled design of Vincent, 1970- II. Title Rijndael won the day for its two Belgian designers, Joan Daemen and Vincent QA76.9.A25 D32 2001 Rijmen, over the competing finalist designs from RSA, IBl\!I, Counterpane 2001049851 005.8-dc21 Systems, and an English/Israeli/Danish team.
    [Show full text]
  • A Quantitative Study of Advanced Encryption Standard Performance
    United States Military Academy USMA Digital Commons West Point ETD 12-2018 A Quantitative Study of Advanced Encryption Standard Performance as it Relates to Cryptographic Attack Feasibility Daniel Hawthorne United States Military Academy, [email protected] Follow this and additional works at: https://digitalcommons.usmalibrary.org/faculty_etd Part of the Information Security Commons Recommended Citation Hawthorne, Daniel, "A Quantitative Study of Advanced Encryption Standard Performance as it Relates to Cryptographic Attack Feasibility" (2018). West Point ETD. 9. https://digitalcommons.usmalibrary.org/faculty_etd/9 This Doctoral Dissertation is brought to you for free and open access by USMA Digital Commons. It has been accepted for inclusion in West Point ETD by an authorized administrator of USMA Digital Commons. For more information, please contact [email protected]. A QUANTITATIVE STUDY OF ADVANCED ENCRYPTION STANDARD PERFORMANCE AS IT RELATES TO CRYPTOGRAPHIC ATTACK FEASIBILITY A Dissertation Presented in Partial Fulfillment of the Requirements for the Degree of Doctor of Computer Science By Daniel Stephen Hawthorne Colorado Technical University December, 2018 Committee Dr. Richard Livingood, Ph.D., Chair Dr. Kelly Hughes, DCS, Committee Member Dr. James O. Webb, Ph.D., Committee Member December 17, 2018 © Daniel Stephen Hawthorne, 2018 1 Abstract The advanced encryption standard (AES) is the premier symmetric key cryptosystem in use today. Given its prevalence, the security provided by AES is of utmost importance. Technology is advancing at an incredible rate, in both capability and popularity, much faster than its rate of advancement in the late 1990s when AES was selected as the replacement standard for DES. Although the literature surrounding AES is robust, most studies fall into either theoretical or practical yet infeasible.
    [Show full text]
  • Bison Instantiating the Whitened Swap-Or-Not Construction (Full Version)
    bison Instantiating the Whitened Swap-Or-Not Construction (Full Version) Anne Canteaut1, Virginie Lallemand2, Gregor Leander2, Patrick Neumann2 and Friedrich Wiemer2 1 Inria, Paris, France [email protected] 2 Horst Görtz Institute for IT-Security, Ruhr University Bochum, Germany [email protected] Abstract. We give the first practical instance – bison – of the Whitened Swap-Or-Not construction. After clarifying inherent limitations of the construction, we point out that this way of building block ciphers allows easy and very strong arguments against differential attacks. Keywords: Whitened Swap-Or-Not · Instantiating Provable Security · Block Cipher Design · Differential Cryptanalysis 1 Introduction Block ciphers are among the most important cryptographic primitives as they are at the core responsible for a large fraction of all our data that is encrypted. Depending on the mode of operation (or used construction), a block cipher can be turned into an encryption function, a hash-function, a message authentication code or an authenticated encryption function. Due to their importance, it is not surprising that block ciphers are also among the best understood primitives. In particular the Advanced Encryption Standard (AES) [Fip] has been scrutinized by cryptanalysts ever since its development in 1998 [DR98] without any significant security threat discovered for the full cipher (see e. g. [BK09; Bir+09; Der+13; Dun+10; Fer+01; GM00; Gra+16; Gra+17; Røn+17]). The overall structure of AES, being built on several (round)-permutations interleaved with a (binary) addition of round keys is often referred to as key-alternating cipher and is depicted in Figure1. k0 k1 kr 1 kr − m R1 ..
    [Show full text]
  • Implementation and Performance Analysis of PBKDF2, Bcrypt, Scrypt Algorithms
    Implementation and Performance Analysis of PBKDF2, Bcrypt, Scrypt Algorithms Levent Ertaul, Manpreet Kaur, Venkata Arun Kumar R Gudise CSU East Bay, Hayward, CA, USA. [email protected], [email protected], [email protected] Abstract- With the increase in mobile wireless or data lookup. Whereas, Cryptographic hash functions are technologies, security breaches are also increasing. It has used for building blocks for HMACs which provides become critical to safeguard our sensitive information message authentication. They ensure integrity of the data from the wrongdoers. So, having strong password is that is transmitted. Collision free hash function is the one pivotal. As almost every website needs you to login and which can never have same hashes of different output. If a create a password, it’s tempting to use same password and b are inputs such that H (a) =H (b), and a ≠ b. for numerous websites like banks, shopping and social User chosen passwords shall not be used directly as networking websites. This way we are making our cryptographic keys as they have low entropy and information easily accessible to hackers. Hence, we need randomness properties [2].Password is the secret value from a strong application for password security and which the cryptographic key can be generated. Figure 1 management. In this paper, we are going to compare the shows the statics of increasing cybercrime every year. Hence performance of 3 key derivation algorithms, namely, there is a need for strong key generation algorithms which PBKDF2 (Password Based Key Derivation Function), can generate the keys which are nearly impossible for the Bcrypt and Scrypt.
    [Show full text]
  • Speeding up Linux Disk Encryption Ignat Korchagin @Ignatkn $ Whoami
    Speeding Up Linux Disk Encryption Ignat Korchagin @ignatkn $ whoami ● Performance and security at Cloudflare ● Passionate about security and crypto ● Enjoy low level programming @ignatkn Encrypting data at rest The storage stack applications @ignatkn The storage stack applications filesystems @ignatkn The storage stack applications filesystems block subsystem @ignatkn The storage stack applications filesystems block subsystem storage hardware @ignatkn Encryption at rest layers applications filesystems block subsystem SED, OPAL storage hardware @ignatkn Encryption at rest layers applications filesystems LUKS/dm-crypt, BitLocker, FileVault block subsystem SED, OPAL storage hardware @ignatkn Encryption at rest layers applications ecryptfs, ext4 encryption or fscrypt filesystems LUKS/dm-crypt, BitLocker, FileVault block subsystem SED, OPAL storage hardware @ignatkn Encryption at rest layers DBMS, PGP, OpenSSL, Themis applications ecryptfs, ext4 encryption or fscrypt filesystems LUKS/dm-crypt, BitLocker, FileVault block subsystem SED, OPAL storage hardware @ignatkn Storage hardware encryption Pros: ● it’s there ● little configuration needed ● fully transparent to applications ● usually faster than other layers @ignatkn Storage hardware encryption Pros: ● it’s there ● little configuration needed ● fully transparent to applications ● usually faster than other layers Cons: ● no visibility into the implementation ● no auditability ● sometimes poor security https://support.microsoft.com/en-us/help/4516071/windows-10-update-kb4516071 @ignatkn Block
    [Show full text]
  • SHA-3 and the Hash Function Keccak
    Christof Paar Jan Pelzl SHA-3 and The Hash Function Keccak An extension chapter for “Understanding Cryptography — A Textbook for Students and Practitioners” www.crypto-textbook.com Springer 2 Table of Contents 1 The Hash Function Keccak and the Upcoming SHA-3 Standard . 1 1.1 Brief History of the SHA Family of Hash Functions. .2 1.2 High-level Description of Keccak . .3 1.3 Input Padding and Generating of Output . .6 1.4 The Function Keccak- f (or the Keccak- f Permutation) . .7 1.4.1 Theta (q)Step.......................................9 1.4.2 Steps Rho (r) and Pi (p).............................. 10 1.4.3 Chi (c)Step ........................................ 10 1.4.4 Iota (i)Step......................................... 11 1.5 Implementation in Software and Hardware . 11 1.6 Discussion and Further Reading . 12 1.7 Lessons Learned . 14 Problems . 15 References ......................................................... 17 v Chapter 1 The Hash Function Keccak and the Upcoming SHA-3 Standard This document1 is a stand-alone description of the Keccak hash function which is the basis of the upcoming SHA-3 standard. The description is consistent with the approach used in our book Understanding Cryptography — A Textbook for Students and Practioners [11]. If you own the book, this document can be considered “Chap- ter 11b”. However, the book is most certainly not necessary for using the SHA-3 description in this document. You may want to check the companion web site of Understanding Cryptography for more information on Keccak: www.crypto-textbook.com. In this chapter you will learn: A brief history of the SHA-3 selection process A high-level description of SHA-3 The internal structure of SHA-3 A discussion of the software and hardware implementation of SHA-3 A problem set and recommended further readings 1 We would like to thank the Keccak designers as well as Pawel Swierczynski and Christian Zenger for their extremely helpful input to this document.
    [Show full text]
  • Forgery and Key Recovery Attacks for Calico
    Forgery and Key Recovery Attacks for Calico Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Martin Schl¨affer Institute for Applied Information Processing and Communications Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria April 1, 2014 1 Calico v8 Calico [3] is an authenticated encryption design submitted to the CAESAR competition by Christopher Taylor. In Calico v8 in reference mode, ChaCha-14 and SipHash-2-4 work together in an Encrypt-then-MAC scheme. For this purpose, the key is split into a Cipher Key KC and a MAC Key KM . The plaintext is encrypted with ChaCha under the Cipher Key to a ciphertext with the same length as the plaintext. Then, the tag is calculated as the SipHash MAC of the concatenated ciphertext and associated data. The key used for SipHash is generated by xoring the nonce to the (lower, least significant part of the) MAC Key: (C; T ) = EncCalico(KC k KM ; N; A; P ); where k is concatenation, and with ⊕ denoting xor, the ciphertext and tag are calculated vi C = EncChaCha-14(KC ; N; P ) T = MACSipHash-2-4(KM ⊕ N; C k A): Here, A; P; C denote associated data, plaintext and ciphertext, respectively, all of arbitrary length. T is the 64-bit tag, N the 64-bit nonce, and the 384-bit key K is split into a 256-bit encryption and 128-bit authentication part, K = KC k KM . 2 Missing Domain Separation As shown above, the tag is calculated over the concatenation C k A of ciphertext and asso- ciated data. Due to the missing domain separation between ciphertext and associated data in the generation of the tag, the following attack is feasible.
    [Show full text]
  • Advanced Encryption Standard AES Alternatives
    Outline Advanced Encryption Standard AES Alternatives CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 5 January 23, 2012 CPSC 467b, Lecture 5 1/35 Outline Advanced Encryption Standard AES Alternatives Advanced Encryption Standard AES Alternatives CPSC 467b, Lecture 5 2/35 Outline Advanced Encryption Standard AES Alternatives Advanced Encryption Standard CPSC 467b, Lecture 5 3/35 Outline Advanced Encryption Standard AES Alternatives New Standard Rijndael was the winner of NISTs competition for a new symmetric key block cipher to replace DES. An open call for algorithms was made in 1997 and in 2001 NIST announced that AES was approved as FIPS PUB 197. Minimum requirements: I Block size of 128-bits I Key sizes of 128-, 192-, and 256-bits I Strength at the level of triple DES I Better performance than triple DES I Available royalty-free worldwide Five AES finalists: I MARS, RC6, Rijndael, Serpent, and Twofish CPSC 467b, Lecture 5 4/35 Outline Advanced Encryption Standard AES Alternatives Details Rijndael was developed by two Belgian cryptographers Vincent Rijmen and Joan Daemen. Rijndael is pronounced like Reign Dahl, Rain Doll or Rhine Dahl. Name confusion I AES is the name of a standard. I Rijndael is the name of a cipher. I AES is a restricted version of Rijndael which was designed to handle additional block sizes and key lengths. CPSC 467b, Lecture 5 5/35 Outline Advanced Encryption Standard AES Alternatives More details AES was a replacement for DES. I Like DES, AES is an iterated block cipher. I Unlike DES, AES is not a Feistel cipher.
    [Show full text]
  • How to Handle Rainbow Tables with External Memory
    How to Handle Rainbow Tables with External Memory Gildas Avoine1;2;5, Xavier Carpent3, Barbara Kordy1;5, and Florent Tardif4;5 1 INSA Rennes, France 2 Institut Universitaire de France, France 3 University of California, Irvine, USA 4 University of Rennes 1, France 5 IRISA, UMR 6074, France [email protected] Abstract. A cryptanalytic time-memory trade-off is a technique that aims to reduce the time needed to perform an exhaustive search. Such a technique requires large-scale precomputation that is performed once for all and whose result is stored in a fast-access internal memory. When the considered cryptographic problem is overwhelmingly-sized, using an ex- ternal memory is eventually needed, though. In this paper, we consider the rainbow tables { the most widely spread version of time-memory trade-offs. The objective of our work is to analyze the relevance of storing the precomputed data on an external memory (SSD and HDD) possibly mingled with an internal one (RAM). We provide an analytical evalua- tion of the performance, followed by an experimental validation, and we state that using SSD or HDD is fully suited to practical cases, which are identified. Keywords: time memory trade-off, rainbow tables, external memory 1 Introduction A cryptanalytic time-memory trade-off (TMTO) is a technique introduced by Martin Hellman in 1980 [14] to reduce the time needed to perform an exhaustive search. The key-point of the technique resides in the precomputation of tables that are then used to speed up the attack itself. Given that the precomputation phase is much more expensive than an exhaustive search, a TMTO makes sense in a few scenarios, e.g., when the adversary has plenty of time for preparing the attack while she has a very little time to perform it, the adversary must repeat the attack many times, or the adversary is not powerful enough to carry out an exhaustive search but she can download precomputed tables.
    [Show full text]
  • Research on Microarchitectural Cache Attacks
    Advances in Computer Science Research (ACSR), volume 90 3rd International Conference on Computer Engineering, Information Science & Application Technology (ICCIA 2019) Research on Microarchitectural Cache Attacks Yao Lu a, Kaiyan Chen b, Yinlong Wang c Simulation Center of Ordnance Engineering College Army Engineering University Shijiazhuang, Hebei Province, China [email protected], [email protected], [email protected] Abstract. This paper summarizes the basic concepts and development process of cache side- channel attack, analyses three basic methods (Evict and Time, Prime and Probe, Flush and Reload) from four aspects: Attack conditions, realization process, applicability, and characteristics, then I expound how to apply side-channel attack methods on CPU vulnerability. Keywords: Side-channel attacks; Cache; CPU vulnerability; Microarchitecture. 1. Background Cryptography is a technique used to confuse plaintext [1], It transforms normally identifiable information (plaintext) into unrecognizable information (ciphertext). At the same time, the encrypted ciphertext can be transferred back to the normal information through the key, the privacy information of users at this stage is mostly realized by encryption technology [28], so the security of personal information depends on the security of the encryption algorithm. 1.1 Cryptographic Algorithms Cryptographic algorithms have always been an important research object in cryptography, in recent years has also been rapid development, these algorithms are: RIJINDAEL, MARS, RC6, Twofish, Serpent, IDEA, CS-Cipher, MMB, CA-1.1, SKIPJACK Symmetric cryptographic algorithms such as Karn and backpack public key cryptography, RSA, ElGamal [29], ECC [19], NTRU and other asymmetric cryptographic algorithms [27]. in the opinion of the development trend of international mainstream cryptographic algorithms at present [25]: The symmetric cryptographic algorithm transitions from DES-3 to AES, and the password length is gradually increased: 128, 192, 256.
    [Show full text]
  • Securing Audio Using AES-Based Authenticated Encryption with Python
    Preprints (www.preprints.org) | NOT PEER-REVIEWED | Posted: 9 August 2021 doi:10.20944/preprints202108.0185.v1 Article Securing Audio Using AES-based Authenticated Encryption with Python Jessy Ayala 1 1 New York University, Tandon School of Engineering; [email protected] Featured Application: Securing communication of audio files utilizing symmetric authenticated encryption. Abstract: The focus of this research is to analyze the results of encrypting audio using various au- thenticated encryption algorithms implemented in the Python cryptography library for ensuring authenticity and confidentiality of the original contents. The Advanced Encryption Standard (AES) is used as the underlying cryptographic primitive in conjunction with various modes including Gal- ois Counter Mode (GCM), Counter with Cipher Block Chaining Message Authentication Code (CCM), and Cipher Block Chaining (CBC) with Keyed-Hashing for encrypting a relatively small audio file. The resulting encrypted audio shows similarity in the variance when encrypting using AES-GCM and AES-CCM. There is a noticeable reduction in variance of the performed encodings and an increase in the amount of time it takes to encrypt and decrypt the same audio file using AES- CBC with Keyed-Hashing. In addition, the corresponding encrypted using this mode audio spans a longer duration. As a result, AES should either have GCM or CCM for an efficient and reliable authenticated encryption integration within a workflow. Keywords: AES; Audio analysis; Authenticated encryption; Cryptography; Python 1. Introduction Cryptography is used worldwide for adhering to the security CIA triad: confidenti- ality, integrity, and availability. In an environment where mobile devices have become ubiquitous, voice messages are more common than one may think.
    [Show full text]