Cryptanalysis of Block Ciphers and Hash Functions John Erik Mathiassen


Thesis for the PhD degree. The Selmer Center, Department of Informatics, University of Bergen, Norway. July 20, 2005.

Introduction

1 Why do We Need Cryptography?

We use a lot of physical security in our everyday life to protect us physically.
For the same reason we need (digital) cryptography to protect our digital possessions and information. Compared to the physical world it is much easier to "steal" a digital document: thousands of copies of a digital document can be made in no time on a computer.

Today more and more valuable information is stored electronically, and a lot of transactions are made electronically. By electronically we mean in digital format, as zeroes and ones. Some decades ago most information was stored written on paper, and the only way of protecting a paper from intruders was to keep the intruders away from the paper. This could be done with a locked house, room, cupboard or safe, and to get access to the paper people needed a key, a number combination or both. Sometimes we also need to identify ourselves to security guards to enter the building and thereby gain access to the information. The same security issues apply if the information is moved from one place to another: we need a secure (anonymous and/or physically protected) courier. The way to get information stored on paper is to steal or copy the document, which is hard if security is good.

Information in digital format can also be physically protected in the same way as paper documents. However, this kind of protection would be very inconvenient, especially when it comes to transporting the information. The way we store and move digital data makes it impossible to keep every possible intruder from accessing the data. Just think of radio networks, where the data is sent over the air and is accessible to any person able to capture the signal. Communication over the Internet also goes unencrypted (by default) through public networks, so it should be considered insecure.
Recommended publications
  • BRISK: Dynamic Encryption Based Cipher for Long Term Security
    Sensors article. BRISK: Dynamic Encryption Based Cipher for Long Term Security. Ashutosh Dhar Dwivedi, Cyber Security Section, Department of Applied Mathematics and Computer Science, Technical University of Denmark, 2800 Kgs. Lyngby, Denmark; [email protected] or [email protected]. Abstract: Several emerging areas like the Internet of Things, sensor networks, healthcare and distributed networks feature resource-constrained devices that share secure and privacy-preserving data to accomplish some goal. The majority of standard cryptographic algorithms do not fit these constrained devices because of their heavy cryptographic components. In this paper, a new block cipher, BRISK, is proposed with a block size of 32 bits. The cipher design is straightforward due to its simple round operations, and these operations run efficiently in hardware and are suitable for software. Another major concept used with this cipher is dynamism during encryption for each session; that is, instead of using the same encryption algorithm, participants use different ciphers for each session. Professor Lars R. Knudsen initially proposed dynamic encryption in 2015, where the sender picks a cipher from a large pool of ciphers to encrypt the data and sends it along with the encrypted message. The receiver does not know which encryption technique was used before receiving the cipher along with the message. In the proposed algorithm, however, instead of choosing a new cipher, the process uses the same cipher for each session but varies the cipher specifications from a given small pool, e.g., the number of rounds, cipher components, etc. The dynamism concept is therefore used here in a different way.
  • Related-Key Impossible Boomerang Cryptanalysis on LBlock-s
    KSII Transactions on Internet and Information Systems, Vol. 13, No. 11, Nov. 2019, p. 5717. Copyright ⓒ 2019 KSII. Related-key Impossible Boomerang Cryptanalysis on LBlock-s. Min Xie*, Qiya Zeng, State Key Laboratory of Integrated Service Networks, Xidian University, Xi'an 710071, China [e-mail: [email protected], [email protected]]. *Corresponding author: Min Xie. Received March 26, 2018; revised April 2, 2019; accepted May 3, 2019; published November 30, 2019. Abstract: LBlock-s is the core block cipher of the authenticated encryption algorithm LAC; it uses the same structure as LBlock and an improved key schedule with better diffusion. Using the differential properties of the key schedule and a cryptanalytic technique that combines impossible boomerang attacks with related-key attacks, a 15-round related-key impossible boomerang distinguisher is constructed for the first time. Based on this distinguisher, an attack on 22-round LBlock-s is proposed by adding 4 rounds on the top and 3 rounds at the bottom. The time complexity is only about 2^68.76 22-round encryptions and the data complexity is about 2^58 chosen plaintexts. Compared with published cryptanalysis results on LBlock-s, this is a sharp decrease in time complexity with an ideal data complexity. Keywords: LBlock-s, lightweight block cipher, related-key, impossible differential, boomerang cryptanalysis. This research was supported in part by the National Key Research and Development Program of China (Grant No. 2016YFB0800601) and the Key Program of NSFC-Tongyong Union Foundation (Grant No. U1636209). http://doi.org/10.3837/tiis.2019.11.024, ISSN: 1976-7277.
  • Impossible Differential Cryptanalysis of Reduced Round HIGHT
    Impossible Differential Cryptanalysis of Reduced Round HIGHT. A thesis submitted to the Graduate School of Applied Mathematics of Middle East Technical University by Cihangir Tezcan in partial fulfillment of the requirements for the degree of Master of Science in Cryptography, June 2009. Prof. Dr. Ersan Akyıldız, Director, Graduate School of Applied Mathematics; Prof. Dr. Ferruh Özbudak, Head of Department, Cryptography; Assoc. Prof. Dr. Ali Doğanaksoy, Supervisor, Mathematics. Examining committee members: Prof. Dr. Ersan Akyıldız (METU, Institute of Applied Mathematics), Assoc. Prof. Ali Doğanaksoy (METU, Department of Mathematics), Dr. Muhiddin Uğuz (METU, Department of Mathematics), Dr. Meltem Sönmez Turan, Dr. Nurdan Saran (Çankaya University, Department of Computer Engineering). Abstract: Tezcan, Cihangir, M.Sc., Department of Cryptography, Supervisor: Assoc. Prof. Dr. Ali Doğanaksoy, June 2009, 49 pages. Design and analysis of lightweight block ciphers have become more popular due to the fact that the future use of block ciphers in ubiquitous devices is generally assumed to be extensive.
  • Mixture Differential Cryptanalysis and Structural Truncated Differential Attacks on Round-Reduced AES
    Mixture Differential Cryptanalysis and Structural Truncated Differential Attacks on round-reduced AES. Lorenzo Grassi, IAIK, Graz University of Technology, Austria, [email protected]. Abstract. At Eurocrypt 2017 the first secret-key distinguisher for 5-round AES, based on the "multiple-of-8" property, was presented. Although it allows one to distinguish a random permutation from an AES-like one, it seems rather hard to mount a key-recovery attack other than brute force using such a distinguisher. In this paper we introduce "Mixture Differential Cryptanalysis" on round-reduced AES-like ciphers, a way to translate the (complex) "multiple-of-8" 5-round distinguisher into a simpler and more convenient one (though on a smaller number of rounds). Given a pair of chosen plaintexts, the idea is to construct new pairs of plaintexts by mixing the generating variables of the original pair. We prove that for 4-round AES the ciphertexts of the original pair of plaintexts lie in a particular subspace if and only if the ciphertexts of the new pairs have the same property. Such a secret-key distinguisher, which is independent of the secret key, of the details of the S-box and of the MixColumns matrix (except for its branch number being 5), can be used as a starting point for new key-recovery attacks on round-reduced AES. Besides a theoretical explanation, we also provide a practical verification both of the distinguisher and of the attack. As a second contribution, we show how to combine this new 4-round distinguisher with a modified version of a truncated differential distinguisher in order to set up new 5-round distinguishers that exploit properties independent of the secret key, of the details of the S-box and of the MixColumns matrix.
  • Secure Block Ciphers - Cryptanalysis and Design
    Secure Block Ciphers - Cryptanalysis and Design. Tiessen, Tyge; Rechberger, Christian; Knudsen, Lars Ramkilde. Publication date: 2017. Document version: publisher's PDF (version of record). Citation (APA): Tiessen, T., Rechberger, C., & Knudsen, L. R. (2017). Secure Block Ciphers - Cryptanalysis and Design. Kgs. Lyngby: Technical University of Denmark (DTU). (DTU Compute PHD-2016; No. 412). Ph.D. thesis by Tyge Tiessen, April 2016 (document compiled on April 25, 2016). Supervisor: Christian Rechberger; co-supervisor: Lars R. Knudsen. Technical University of Denmark, Department of Applied Mathematics and Computer Science. ISSN: 0909-3192, serial no. PHD-2016-412. Abstract: The rapid evolution of computational devices and the widespread adoption of digital communication have deeply transformed the way we conduct both business and everyday life, and they continue to do so.
  • A Pictorial Illustration of Conventional Cryptography
    A pictorial illustration of conventional cryptography. Lars Ramkilde Knudsen, March 1993. Abstract: In this paper we consider conventional cryptosystems. We illustrate the differences between substitution, transposition and product ciphers by showing encryptions of a highly redundant cleartext, a portrait. It is also pictorially demonstrated that no conventional cryptosystem in its basic mode provides sufficient security for redundant cleartexts. 1 Introduction: The history of cryptography is long and goes back at least 4,000 years to the Egyptians, who used hieroglyphic codes for inscriptions on tombs [2]. Since then many ciphers have been developed and used. Many of these old ciphers are much too weak to be used in applications today, because of the tremendous progress in computer technology. Until 1977 all ciphers were so-called one-key ciphers or conventional ciphers. In these ciphers the keys for encryption and decryption are identical or easily derived from each other. In 1977 Diffie and Hellman introduced two-key ciphers or public-key ciphers, where knowledge of one key gives no knowledge about the other key. In this paper we consider only conventional ciphers. We divide these ciphers into three groups: substitution ciphers, transposition ciphers and product ciphers. For each group we consider a specific cipher and give a pictorial illustration of an encryption. Finally we give an illustration that the strong conventional cipher DES, in its basic mode, is insufficient to ensure protection when used on a large plaintext.
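    The "basic mode" failure Knudsen's portrait shows can be measured rather than drawn. The following is an added example, not code from the paper: it encrypts a constructed two-tone bitmap with a toy block cipher in ECB (block-by-block) and in CBC and counts how many ciphertext blocks repeat. Because a block cipher is a permutation, ECB preserves the plaintext's block-repetition pattern exactly; chaining destroys it. The 4-round, 32-bit Feistel cipher, the key, the IV and the bitmap are all my own constructions and stand in for DES and a real image only so the example runs without any library; the cipher has no security value.

```python
"""Added example: ECB leaks the structure of a redundant plaintext, CBC does not.

The block cipher is a toy 4-round Feistel network on 32-bit blocks with a
64-bit key. It is NOT secure; it stands in for DES so the example is
self-contained. The "portrait" is a constructed two-tone bitmap.
"""
from collections import Counter

MASK16 = 0xFFFF


def _round_function(half: int, subkey: int) -> int:
    """Toy keyed non-linear mixing of a 16-bit half block (any function works in a Feistel)."""
    v = (half ^ subkey) & MASK16
    v = (v * 0x9E37 + 0x79B9) & MASK16
    v ^= v >> 7
    v = (v * 0x2545) & MASK16
    return v ^ (v >> 11)


def _subkeys(key: int):
    """Four 16-bit round keys sliced from the 64-bit key (toy key schedule)."""
    return [(key >> (16 * i)) & MASK16 for i in range(4)]


def encrypt_block(block: int, key: int) -> int:
    l, r = block >> 16, block & MASK16
    for k in _subkeys(key):
        l, r = r, l ^ _round_function(r, k)
    return (l << 16) | r


def decrypt_block(block: int, key: int) -> int:
    l, r = block >> 16, block & MASK16
    for k in reversed(_subkeys(key)):      # undo the rounds in reverse order
        l, r = r ^ _round_function(l, k), l
    return (l << 16) | r


def ecb_encrypt(blocks, key):
    """Basic mode: each block encrypted independently."""
    return [encrypt_block(b, key) for b in blocks]


def cbc_encrypt(blocks, key, iv):
    """Cipher block chaining: c_i = E(p_i XOR c_{i-1}), c_0 = iv."""
    out, prev = [], iv
    for b in blocks:
        prev = encrypt_block(b ^ prev, key)
        out.append(prev)
    return out


def cbc_decrypt(blocks, key, iv):
    out, prev = [], iv
    for c in blocks:
        out.append(decrypt_block(c, key) ^ prev)
        prev = c
    return out


def to_blocks(data: bytes):
    """Split bytes into 32-bit big-endian blocks, zero-padding the tail."""
    data += b"\x00" * (-len(data) % 4)
    return [int.from_bytes(data[i:i + 4], "big") for i in range(0, len(data), 4)]


def repeated_fraction(blocks) -> float:
    """Fraction of positions whose block value occurs more than once.

    A permutation applied block-by-block (ECB) maps equal plaintext blocks to
    equal ciphertext blocks and distinct ones to distinct ones, so this value
    is identical for plaintext and ECB ciphertext: that is the visible portrait.
    """
    counts = Counter(blocks)
    return sum(1 for b in blocks if counts[b] > 1) / len(blocks)


def make_portrait() -> bytes:
    """Constructed 64x32 bitmap, one byte per pixel: a bright rectangle on black."""
    rows = []
    for y in range(32):
        if 8 <= y < 24:
            rows.append(b"\x00" * 16 + b"\xff" * 32 + b"\x00" * 16)
        else:
            rows.append(b"\x00" * 64)
    return b"".join(rows)


def demo(key: int = 0x0123456789ABCDEF, iv: int = 0xA5A5A5A5):
    """Return the repeated-block fraction for plaintext, ECB and CBC ciphertext."""
    plain = to_blocks(make_portrait())
    ecb = ecb_encrypt(plain, key)
    cbc = cbc_encrypt(plain, key, iv)   # in practice the IV must be fresh per message
    assert cbc_decrypt(cbc, key, iv) == plain
    return {
        "plaintext": repeated_fraction(plain),
        "ecb": repeated_fraction(ecb),
        "cbc": repeated_fraction(cbc),
    }


if __name__ == "__main__":
    for mode, frac in demo().items():
        print(f"{mode:>9}: {frac:.3f} of blocks repeat")
```

    The plaintext and ECB fractions come out identical (here 1.0, every block is one of two values), while CBC's is close to zero. The same check works on any real image and any real cipher; swapping the toy Feistel for DES or AES changes nothing about the ECB result, which is Knudsen's point.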
  • Joëlle Roué: Analysis of the Resistance of Block Ciphers to Linear and Differential Attacks
    Doctoral thesis of Université Pierre et Marie Curie, speciality Computer Science, École doctorale Informatique, Télécommunications et Électronique (Paris). Presented by Joëlle Roué to obtain the degree of Doctor of Université Pierre et Marie Curie. Thesis subject: Analysis of the resistance of block ciphers to linear and differential attacks (original title: Analyse de la résistance des chiffrements par blocs aux attaques linéaires et différentielles). Defended on 14 October 2015 before a jury composed of: Anne Canteaut (Inria Paris-Rocquencourt), thesis director; Daniel Augot (Inria Saclay), reviewer; Thierry Berger (Université de Limoges), reviewer; Joan Daemen (STMicroelectronics), examiner; Henri Gilbert (ANSSI), examiner; Antoine Joux (UPMC), examiner; Marine Minier (INSA Lyon), examiner; María Naya-Plasencia (Inria Paris-Rocquencourt), examiner. Supervised by Anne Canteaut; funded by the Agence Nationale de la Recherche through the BLOC project. Inria Paris-Rocquencourt, project-team SECRET. Acknowledgements: These three years of thesis work, preceded by an internship, were carried out within the SECRET project at Inria Paris-Rocquencourt. Many thanks to everyone who contributed, closely or from afar, to the smooth running of my thesis. In particular, I want to thank Anne Canteaut for giving me the opportunity to work on such an interesting subject, for her availability, and for guiding and advising me throughout these three years. She was the best thesis director one could imagine. I thank the reviewers of my thesis, Daniel Augot and Thierry Berger. I am very grateful that you agreed to read my manuscript: your suggestions and remarks allowed me to improve its quality.
  • Block Ciphers - Analysis, Design and Applications
    Block Ciphers - Analysis, Design and Applications. Lars Ramkilde Knudsen, July 1, 1994.
    Contents:
    1 Introduction
      1.1 Birthday Paradox
    2 Block Ciphers - Introduction
      2.1 Substitution Ciphers
      2.2 Simple Substitution
        2.2.1 Caesar substitution
      2.3 Polyalphabetic Substitution
        2.3.1 The Vigenère cipher
      2.4 Transposition Systems
        2.4.1 Row transposition cipher
      2.5 Product Systems
    3 Applications of Block Ciphers
      3.1 Modes of Operation
      3.2 Cryptographic Hash Functions
      3.3 Digital Signatures
        3.3.1 Private digital signature systems
        3.3.2 Public digital signature systems
    4 Security of Secret Key Block Ciphers
      4.1 The Model of Reality
      4.2 Classification of Attacks
      4.3 Theoretical Secrecy
      4.4 Practical Secrecy
        4.4.1 Other modes of operation
    5 Cryptanalysis of Block Ciphers
      5.1 Introduction
      5.2 Differential Cryptanalysis
        5.2.1 Iterative characteristics
        5.2.2 Iterative characteristics for DES-like ciphers
        5.2.3 Differentials
        5.2.4 Higher order differentials
        5.2.5 Attacks using higher order differentials
        5.2.6 Partial differentials
        5.2.7 Differential cryptanalysis in different modes of operation
      5.3 Linear Cryptanalysis
        5.3.1 The probabilities of linear characteristics
        5.3.2 Iterative linear characteristics for DES-like ciphers
      5.4 Analysis of the Key Schedules
        5.4.1 Weak and pairs of semi-weak keys
  • QUAD: Overview and Recent Developments
    QUAD: Overview and Recent Developments. David Arditti¹, Côme Berbain¹, Olivier Billet¹, Henri Gilbert¹, and Jacques Patarin². ¹ France Telecom Research and Development, 38-40 rue du Général Leclerc, F-92794 Issy-les-Moulineaux, France, [email protected]. ² Université de Versailles, 45 avenue des États-Unis, F-78035 Versailles cedex, France, [email protected]. Abstract. We give an outline of the specification and provable security features of the QUAD stream cipher proposed at Eurocrypt 2006 [5]. The cipher relies on the iteration of a multivariate system of quadratic equations over a finite field, typically GF(2) or a small extension. In the binary case, the security of the keystream generation can be related, in the concrete security model, to the conjectured intractability of the MQ problem of solving a random system of m equations in n unknowns. We show that this security reduction can be extended to incorporate the key and IV setup and provide a security argument for the whole stream cipher. We also briefly address software and hardware performance issues and show that if one is willing to pseudorandomly generate the systems of quadratic polynomials underlying the cipher, this leads to surprisingly inexpensive hardware implementations of QUAD. Key words: MQ problem, stream cipher, provable security, Gröbner basis computation. 1 Introduction. Symmetric ciphers can be broadly classified into two main families of encryption algorithms: block ciphers and stream ciphers. Unlike block ciphers, stream ciphers do not produce a key-dependent permutation over a large block space, but a key-dependent sequence of numbers over a small alphabet, typically the binary alphabet {0, 1}.
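    To make the construction in the QUAD abstract concrete, here is an added toy implementation of mine, not the QUAD reference code and not the parameters of the paper. It builds a pseudorandom system S of kn quadratic polynomials in n variables over GF(2) from a public seed (the cheap-hardware trick the abstract mentions), iterates it, keeps the first n outputs as the new state and emits the other (k-1)n bits as keystream. Assumptions I made: n = 16 and k = 2 (far too small to be secure; real QUAD uses n of at least 160), Python's Mersenne Twister as the system generator, and a simplified key/IV setup (state := key, one application of S0 or S1 per IV bit, then n blank iterations) that follows the shape of the QUAD setup but is not a faithful copy of it.

```python
"""Added example: toy QUAD-style stream cipher over GF(2) with reduced parameters.

Not the QUAD reference implementation. Parameters n=16, k=2 have no security;
they only make the construction readable and fast in pure Python.
"""
import random
from itertools import combinations


def random_quadratic_system(n: int, m: int, seed: int):
    """m random quadratic polynomials in n variables over GF(2).

    A polynomial is a list of monomials; a monomial is a tuple of variable
    indices: () is the constant 1, (i,) is x_i, (i, j) with i < j is x_i*x_j.
    Each of the 1 + n + n(n-1)/2 candidate monomials is kept with probability 1/2.
    The seed is a public parameter; the system itself need not be secret.
    """
    rng = random.Random(seed)
    monomials = [()] + [(i,) for i in range(n)] + list(combinations(range(n), 2))
    return [[mono for mono in monomials if rng.getrandbits(1)] for _ in range(m)]


def eval_poly(poly, x) -> int:
    """Evaluate one polynomial at the 0/1 vector x; addition in GF(2) is XOR."""
    acc = 0
    for mono in poly:
        term = 1
        for i in mono:
            term &= x[i]
        acc ^= term
    return acc


def eval_system(system, x):
    """Map x in GF(2)^n to the vector of all polynomial values."""
    return [eval_poly(p, x) for p in system]


class ToyQuad:
    def __init__(self, n: int = 16, k: int = 2, seed: int = 2006):
        self.n = n
        self.S = random_quadratic_system(n, k * n, seed)      # keystream map n -> kn
        self.S0 = random_quadratic_system(n, n, seed + 1)    # IV-setup map for IV bit 0
        self.S1 = random_quadratic_system(n, n, seed + 2)    # IV-setup map for IV bit 1

    def setup(self, key_bits, iv_bits):
        """Simplified key/IV setup (my assumption, see lead-in)."""
        if len(key_bits) != self.n:
            raise ValueError(f"key must be exactly {self.n} bits")
        x = list(key_bits)
        for b in iv_bits:                      # absorb the IV one bit at a time
            x = eval_system(self.S1 if b else self.S0, x)
        for _ in range(self.n):                # blank rounds: output discarded
            x = eval_system(self.S, x)[: self.n]
        return x

    def keystream(self, key_bits, iv_bits, nbits: int):
        """Generate nbits of keystream: each step yields (k-1)n output bits."""
        x = self.setup(key_bits, iv_bits)
        out = []
        while len(out) < nbits:
            y = eval_system(self.S, x)
            x = y[: self.n]                    # next state
            out.extend(y[self.n:])             # keystream bits
        return out[:nbits]

    def encrypt(self, key_bits, iv_bits, data: bytes) -> bytes:
        """XOR data with keystream; decryption is the identical call."""
        ks = self.keystream(key_bits, iv_bits, 8 * len(data))
        out = bytearray()
        for i, byte in enumerate(data):
            kbyte = 0
            for bit in ks[8 * i: 8 * i + 8]:
                kbyte = (kbyte << 1) | bit
            out.append(byte ^ kbyte)
        return bytes(out)


if __name__ == "__main__":
    # constructed key and IV for the demo; a real IV must never repeat under one key
    key = [1, 0, 1, 1, 0, 0, 1, 0] * 2
    iv = [0, 1, 1, 0, 1, 0, 0, 1]
    q = ToyQuad()
    print("keystream:", "".join(map(str, q.keystream(key, iv, 32))))
    ct = q.encrypt(key, iv, b"attack at dawn")
    print("ciphertext:", ct.hex(), "->", q.encrypt(key, iv, ct))
```

    The security argument in the abstract is about exactly this loop: recovering the state from keystream means solving the random quadratic system S for x, which is the MQ problem, and the paper extends the reduction to the setup phase as well. The `eval_poly` routine is also where a hardware implementation spends its effort, one AND per quadratic monomial and an XOR tree per polynomial, which is why generating the polynomials pseudorandomly on the fly rather than storing them is attractive.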
  • Impossible Differential Cryptanalysis of Reduced Round HIGHT
    Impossible Differential Cryptanalysis of Reduced Round HIGHT. A thesis submitted to the Graduate School of Applied Mathematics of Middle East Technical University by Cihangir Tezcan in partial fulfillment of the requirements for the degree of Master of Science in Cryptography, July 2009. Prof. Dr. Ersan Akyıldız, Director, Graduate School of Applied Mathematics; Prof. Dr. Ferruh Özbudak, Head of Department, Cryptography; Assoc. Prof. Dr. Ali Doğanaksoy, Supervisor, Mathematics. Examining committee members: Prof. Dr. Ersan Akyıldız (METU, Institute of Applied Mathematics), Assoc. Prof. Ali Doğanaksoy (METU, Department of Mathematics), Dr. Muhiddin Uğuz (METU, Department of Mathematics), Dr. Meltem Sönmez Turan, Dr. Nurdan Saran (Çankaya University, Department of Computer Engineering). Abstract: Tezcan, Cihangir, M.Sc., Department of Cryptography, Supervisor: Assoc. Prof. Dr. Ali Doğanaksoy, July 2009, 49 pages. Design and analysis of lightweight block ciphers have become more popular due to the fact that the future use of block ciphers in ubiquitous devices is generally assumed to be extensive.
  • Analysis of the Resistance of Block Ciphers to Linear and Differential Attacks, Joëlle Roué (HAL record)
    Analysis of the resistance of block ciphers to linear and differential attacks (original title: Analyse de la résistance des chiffrements par blocs aux attaques linéaires et différentielles). Joëlle Roué. To cite this version: Joëlle Roué. Analyse de la résistance des chiffrements par blocs aux attaques linéaires et différentielles. Cryptographie et sécurité [cs.CR]. Université Pierre et Marie Curie - Paris VI, 2015. In French. NNT: 2015PA066512. tel-01245102v2. HAL Id: tel-01245102, https://hal.inria.fr/tel-01245102v2, submitted on 29 Apr 2016. Doctoral thesis of Université Pierre et Marie Curie, speciality Computer Science, École doctorale Informatique, Télécommunications et Électronique (Paris), presented by Joëlle Roué and defended on 14 October 2015; thesis director Anne Canteaut (Inria Paris-Rocquencourt), reviewers Daniel Augot (Inria Saclay) and Thierry Berger (Université de Limoges).
  • Cryptanalysis of AES-Based Hash Functions
    Cryptanalysis of AES-Based Hash Functions, by Martin Schläffer. A PhD thesis presented to the Faculty of Computer Science in partial fulfillment of the requirements for the PhD degree. Assessors: Prof. Dr. Ir. Vincent Rijmen (TU Graz, Austria), Prof. Dr. Lars Ramkilde Knudsen (DTU, Denmark). March 2011, Institute for Applied Information Processing and Communications (IAIK), Faculty of Computer Science, Graz University of Technology, Austria. Abstract: In this thesis we analyze the security of cryptographic hash functions. We focus on AES-based designs submitted to the NIST SHA-3 competition. For most AES-based designs, proofs against differential and linear attacks exist. For example, the maximum differential probability of any 8-round differential trail of the AES is 2^-300. Therefore, any standard differential attack is out of scope. However, truncated differences can be used against simple AES-based round functions, as shown in the attack on the hash function proposal Grindahl. For larger permutation- or block-cipher-based hash functions, standard truncated differential attacks do not work either. Therefore, we proposed a new attack strategy to analyze AES-based hash functions: the rebound attack. The idea of the rebound attack is to use the available freedom in a collision attack to efficiently bypass the low-probability parts of a (truncated) differential trail. The rebound attack consists of an inbound phase which exploits the available freedom, and a subsequent probabilistic outbound phase. Using this attack we are able to efficiently find right pairs for an 8-round truncated differential trail of the AES in the known-key setting.