DOCSLIB.ORG

United States Patent (19) 11 Patent Number: 5,724,428 Rivest 45) Date of Patent: Mar

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
United States Patent (19) 11 Patent Number: 5,724,428 Rivest 45) Date of Patent: Mar US005724428A United States Patent (19) 11 Patent Number: 5,724,428 Rivest 45) Date of Patent: Mar. 3, 1998 54 BLOCK ENCRYPTIONALGORTHM WITH 5,351.299 9/1994 Matsuzaki et al. ....................... 38037 DATA-DEPENDENT ROTATIONS 5,454,039 9/1995 Coppersmith et al. ................... 380/28 75) Inventor: Ronald L. Rivest, Arlington, Mass. OTHER PUBLICATIONS Ronald L. Rivest, “The RC5 Encryption Algorithm". Dr. 73) Assignee: RSA Data Security, Inc.. Redwood Dobb's Journal, Jan. 1995 pp. 146-148. City, Calif. Applied Cryptography, Protocols, Algorithms, and Source Code in C, Bruce Schneier, pp. 154-185: 219–272. (21) Appl. No.: 548,318 "A High Performance Encryption Algorithm." W.E. 22 Filed: Nov. 1, 1995 Madryga, Computer Secuirty, pp. 557-570. (51) Int. Cl. ........................... H04L 9/06 Primary Examiner Thomas H. Tarcza 52 U.S. Cl. .................. 380/37:380/28; 380/43 Assistant Examiner-Pinchus M. Laufer (58) Field of Search .................................. 380/37, 42, 43, Attorney, Agent, or Firm-Nixon & Vanderhye PC. 380/44, 46, 57, 28, 9.50; 364/717 57 ABSTRACT 56 References Cited A simple encryption and decryption device has been devel oped. The underlying algorithm is a fast block cipher that U.S. PATENT DOCUMENTS may be implemented efficiently in hardware or software. 4.078,152 3/1978 Tuckerman, III ......................... 380/37 The algorithm makes heavy use of data-dependent rotations. 4,157,454 6/1979 Becker .............. ... 380/37 The amount of each rotation depends on the data being 4.249,180 2/1981 Eberde et al. ... 380/37 encrypted and intermediate encryption results. The variables 4,255,811 3/1981 Adler ........ ... 380/37 for the algorithm include word size, rounds, and the length 4,724.541 2/1988 Mallick. ..., 380/28 5,003.597 3/1991 Merkle .......... ... 38037 of a secret key. 5,054.067 10/1991 Moroney et al 380/37 5,214,704 5/1993 Mittenthal ................................. 380/37 16 Claims, 4 Drawing Sheets ENCRYPTION U.S. Patent Mar. 3, 1998 Sheet 1 of 4 5,724,428 KEY EXPANSION ALOGORTHM FIG. 1A U.S. Patent Mar. 3, 1998 Sheet 2 of 4 5,724,428 ENCRYPTION FIG 1B U.S. Patent Mar. 3, 1998 Sheet 3 of 4 5,724,428 DECRYPTION FIG. 1C U.S. Patent Mar. 3, 1998 Sheet 4 of 4 5,724,428 104 102 PROCESSOR MEMORY 118 OEXECUTABLE CODE O PLAN TEXT 108 32 o KEY TABLE e ENCRYPTED TEXT UNSECURE CHANNEL CONTROL, BLOCK MEMORY OEXECUTABLE CODE o PLAIN TEXT o ENCRYPTED TEXT 110 o KEY TABLE FIG. 2 5,724.428 1. 2 BLOCK ENCRYPTIONALGORTHM WITH The cipher is suitable for implementation in hardware and DATA-DEPENDENT ROTATIONS software. To this end, the cipher invokes primarily compu tational primitive operations that are commonly found and BACKGROUND AND FELD OF INVENTION executed on conventional microprocessors. The cipher is exceptionally simple and short, especially in its encryption/ The present invention relates broadly to cipher methods decryption algorithms. The simplicity and brevity of the and devices, and in particular to block-cipher cryptographic cipher allows for easy implementation and analysis, as methods and devices. The invention also has applicability in compared to other block ciphers. In a preferred embodiment other fields, such as that of pseudo-random number genera of the cipher, its algorithms do not resort to operations that tors used in randomized computations. Generally, crypto 10 are difficult to execute on conventional processors. The graphic devices are used to encrypt and decrypt data trans cipher is also fast. To achieve its speed, the cipher is mitted through communication and transmission systems. word-oriented. The basic computational operations used in Typically, the data is encrypted at the transmitting station the cipher are operations that act on complete words of data, utilizing a unique key, and transmitted in its encrypted form. rather than smaller segments of words. Moreover, the cipher At the receiving station, the encrypted data is passed through 15 requires minimal memory and may be readily implemented a decryption unit supplied with the same unique key such on smart cards. and other computing and data processing that clear text is output from the decrypt section of the devices with limited available memory. receiver. An example of a conventional block-cipher cryp The cipher employs parameterized algorithms with sev tographic system is the Data Encryption Standard (DES). eral variable parameters. The variable parameters include: DES and other block-cipher systems are described in word size (w), rounds (r) of data rotations, and secret key Schneier. Applied Cryptography, pp. 154-185 and 219–272. length (b). The flexibility afforded by these variable param John Wiley & Sons, Inc. (1993). This text in its entirety eters allows the cipher to be tailored to match the word size provides a good general description of cryptography and used in a selected processor, and to suit the security and block-cipher systems. speed requirements of a particular cryptographic applica A novel aspect of the cipher of the present invention is its 25 tion. The cipher may be adapted to processors of different heavy use of data-dependent rotations and employing inter word-lengths by having the number of bits "w" in a word be mediate encryption results to determine the amount of each a variable parameter of the cipher. For example, the word rotation of the data being encrypted. The invention is one of length of the cipher may be set for the relatively-long word the first to use data dependant rotation for encryption. An lengths used by 64-bit processors, as those processors example of a prior cipher that employs data-dependent 30 become available. The number of rounds "r" is a second rotations is described in W. E. Madryga "A High Perfor variable parameter of the cipher. By properly selecting the mance Encryption Algorithm' Computer Security: A Global number of rounds, the execution speed of the cipher may be Challenge. pp. 557-70 (1994). The Madryga cipher lacks balanced with the security requirements for the application the broad generality and flexibility afforded by the present of the cipher. invention and does not have a so-called "Feistel" (DES-like) 35 It is another objective of the inventive cipher to have a structure, as has the present invention. Moreover, doubts variable-length cryptographic key. Since the cipher is have been expressed about the strength of the Madryga symmetric, the same secret cryptographic key is used for algorithm. See Schneier. Applied Cryptography, pp. both encryption and for decryption. By properly selecting 244-247. Another example of data-dependant rotation in a the length of the key, the cipher can be tailored to provide cipher is described in U.S. Pat. No. 4157.454, entitled the desired level of security that is appropriate for a par "Method And System For Machine Enciphering And Deci ticular application or other requirement. The key length "b" phering” which discloses a cipher algorithm having rotation (in bytes) is the third selectable parameter of the cipher. By dependent on a key, rather than on the message. These prior selecting a relatively-long key length "b", the resulting examples of data-dependent rotation in a cipher are few and cipher application will have a relatively-high degree of infrequent. Most of the prior art ciphers that have used 45 rotation, do not make the rotation data dependent. Examples security against an exhaustive search of each possible key. of ciphers using rotation that is not data dependent, include Similarly, a short key length is believed to provide a lesser FEAL and the ciphers disclosed in U.S. Pat. Nos. 5.351,299 degree of security. ("Apparatus And Method For Data Encryption With Block The inventive cipher, its potential applications and Selection Keys And Data Encryption Keys"); 5,045,067 50 implementations, and other objectives of the cryptographic ("Block-Cipher Cryptographic Device Based Upon A Pseu system of the present invention will become more apparent dorandom Nonlinear Sequence Generator"); 5,003.597 by the following detailed description of the invention. With (Method And Apparatus For Data Encryption) and 4.255. the inventive cipher, a flexible data encryption system is 811 ("Key Controlled Block Cipher Cryptographic available that can be tailored to particular applications and System"). meet specific security requirements. In addition, the inven 55 tive data encryption system is capable of being processed at SUMMARY OF NVENTION high speeds and/or high security for use in open digital An encryption algorithm has been invented that is a fast, communication. Moreover, the invention is applicable to block cipher. A novel feature of the cipher is its heavy use other uses, such as pseudo-random number generation. of data-dependent rotations which are an intriguing crypto BRIEF DESCRIPTION OF DRAWINGS graphic primitive. Data-dependent rotations operate such that one word of intermediate results is cyclically rotated by The objectives, advantages and features of the invention an amount determined for example, by some low-order bits will become more apparent from the following description of another word of the intermediate results. The data that includes the accompanying drawings and detailed writ dependent rotations in the cipher should frustrate differential 55 ten description. In the drawings: cryptanalysis and linear cryptanalysis, which are two pow FIGS. 1A, 1B and 1C are a series of flow charts showing erful techniques for cryptanalyzing block ciphers. a sequence of executable instructions for preforming an 5,724,428 3 4 exemplary key expansion (FIG. 1A), encryption (Fig. 1B) These primitive operations are directly and efficiently sup and decryption (FIG. 1C), all in accordance with an embodi ported by most processors. ment of the present invention, and A novel feature of the cipher is that the rotations are FIG.
Load more

Recommended publications
  • US 2007/0043.668A1 Baxter Et Al
    US 2007.0043.668A1 (19) United States (12) Patent Application Publication (10) Pub. No.: US 2007/0043.668A1 Baxter et al. (43) Pub. Date: Feb. 22, 2007 (54) METHODS AND SYSTEMS FOR Related U.S. Application Data NEGOTABLE-INSTRUMENT FRAUD PREVENTION (63) Continuation of application No. 10/371,984, filed on Feb. 20, 2003, now Pat. No. 7,072,868. (75) Inventors: Craig A. Baxter, Castle Rock, CO (US); John Charles Ciaccia, Parker, Publication Classification CO (US); Rodney J. Esch, Littleton, CO (US) (51) Int. Cl. G06Q 99/00 (2006.01) Correspondence Address: (52) U.S. Cl. ................................................................ 705/50 TOWNSEND AND TOWNSEND AND CREW, LLP (57) ABSTRACT TWO EMBARCADERO CENTER EIGHTH FLOOR SAN FRANCISCO, CA 94111-3834 (US) An authentication value is provided in a magnetic-ink field of a negotiable instrument. The authentication value is (73) Assignee: First Data Corporation, Greenwood derived from application of an encryption algorithm defined Village, CO (US) by a secure key. The authentication value may be used to authenticate the instrument through reapplication of the (21) Appl. No.: 11/481,062 encryption algorithm and comparing the result with the authentication value. The instrument is authenticated if there (22) Filed: Jul. 3, 2006 is a match between the two. 530 instrument Presented at Port of Sae instrument Conveyed to First Financial MCR line Scanned and instrument 534 Institution Authenticated at Point of Sale 538 Electronic Package Generated with MICR-Line Information andlor image 542 Electronic
    [Show full text]
  • Foreword by Whitfield Diffie Preface About the Author Chapter 1
    Applied Cryptography: Second Edition - Bruce Schneier Applied Cryptography, Second Edition: Protocols, Algorthms, and Source Code in C by Bruce Schneier Wiley Computer Publishing, John Wiley & Sons, Inc. ISBN: 0471128457 Pub Date: 01/01/96 Foreword By Whitfield Diffie Preface About the Author Chapter 1—Foundations 1.1 Terminology 1.2 Steganography 1.3 Substitution Ciphers and Transposition Ciphers 1.4 Simple XOR 1.5 One-Time Pads 1.6 Computer Algorithms 1.7 Large Numbers Part I—Cryptographic Protocols Chapter 2—Protocol Building Blocks 2.1 Introduction to Protocols 2.2 Communications Using Symmetric Cryptography 2.3 One-Way Functions 2.4 One-Way Hash Functions 2.5 Communications Using Public-Key Cryptography 2.6 Digital Signatures 2.7 Digital Signatures with Encryption 2.8 Random and Pseudo-Random-Sequence Generation Chapter 3—Basic Protocols 3.1 Key Exchange 3.2 Authentication 3.3 Authentication and Key Exchange 3.4 Formal Analysis of Authentication and Key-Exchange Protocols 3.5 Multiple-Key Public-Key Cryptography 3.6 Secret Splitting 3.7 Secret Sharing 3.8 Cryptographic Protection of Databases Chapter 4—Intermediate Protocols 4.1 Timestamping Services 4.2 Subliminal Channel 4.3 Undeniable Digital Signatures 4.4 Designated Confirmer Signatures 4.5 Proxy Signatures 4.6 Group Signatures 4.7 Fail-Stop Digital Signatures 4.8 Computing with Encrypted Data 4.9 Bit Commitment 4.10 Fair Coin Flips 4.11 Mental Poker 4.12 One-Way Accumulators 4.13 All-or-Nothing Disclosure of Secrets Page 1 of 666 Applied Cryptography: Second Edition - Bruce
    [Show full text]
  • Ontario Superior Court of Justice
    CourtFileNo.: CV-17- -OOCP ONTARIO SUPERIOR COURT OF JUSTICE MATTER OF a Proceeding under the Class Proceedings Act, 1992, S.O. 1992, C. 6 ARLENE MCDOWELL and BRYAN MADRYGA Plaintiffs - and- FORTRESS REAL CAPITAL INC., FORTRESS REAL DEVELOPMENTS INC., JAWAD RA TH ORE, VINCENZO PETROZZA, LAMB CALGARY INC., ORCHARD CALGARY INC., BUILDING & DEVELOPMENT MORTGAGES CANADA INC., ILDINA GALATI, FFM CAPITAL INC., ROSALIA SPADAFORA, KRISH KOCHHAR, TONY MAZZO LI, SAUL PERLOV, FMP MORTGAGE INVESTMENTS INC., MICHAEL DARAMOLA, TONINO AMENDOLA, GRAHAM MCWATERS, DEREK SORRENTI, GRANT MORGAN, SORRENTI LAW PROFESSIONAL CORPORATION, OLYMPIA TRUST COMPANY Defendants STATEMENT OF CLAIM TO THE DEFENDANT(S): A LEGAL PROCEEDING HAS BEEN COMMENCED AGAINST YOU by the Plaintiff. The Claim made against you is set out in the following pages. IF YOU WISH TO DEFEND THIS PROCEEDING, you or an Ontario lawyer acting for you must prepare a Statement of Defence in Form l 8A prescribed by the Rules of Civil Procedure, serve it on the Plaintiff lawyer or, where the Plaintiff do not have a lawyer, serve it on the Plaintiff, and file it, with proof of service, in this court office, WITHIN TWENTY DAYS after this Statement of Claim is served on you, if you are served in Ontario. If you are served in another province or territory of Canada or in the United States of America, the period for serving and filing your Statement of Defence is forty days. If you are served outside Canada and the United States of America, the period is sixty days. Instead of serving and filing a Statement of Defence, you may serve and file a Notice of Intent to Defend in Form 18B prescribed by the Rules of Civil Procedure.
    [Show full text]
  • Security Analysis of Data Method Using MIPS Encryption Algorithm (MEA) Sangeeta
    Security Analysis of data Method using MIPS Encryption Algorithm (MEA) Sangeeta [email protected] ABSTRACT The MEA is an integral approach of block cipher and transposition cipher method. It takes 64 bit plain text input and produces 64 bit cipher text as in IDEA with modified key schedule to avoid possibilities of weak keys. It further makes transposition of the 64 bit cipher text to 128 bit end cipher text for disk storage. The increased length of end cipher text is a trade-off between the degree of increased security to SI and the nominal cost of storage media in the present state_of_the_art development. Keywords: Encryption, Decryption, Block cipher, Transposition cipher, MEA 1. INTRODUCTION Since PCs can be utilized to rapidly break credulous cryptosystems one should utilize encryption calculations that are free from and scientific shortcomings and that are computationally infeasible to break by making splitting additional tedious. In the meantime, the computational multifaceted nature of encryption and unscrambling ought to be inside sensible points of confinement since they speak to handling overheads too. One calculation that is accepted to give a sensible trade off among these necessities depends on the Data Encryption Standards (DES) [4,5,10]. For as far back as 20 years, the best security the greater part of us have caught wind of has been given by DES. In spite of the fact that there has been a shortcoming of shrouded trapdoors through s- encloses DES [6,10], still it has been a decent and secure calculation against the mid seventies innovations. Presently with the appearance of rapid PCs it is confronting more feedback for not sufficiently giving security due to its 56 bit key size.
    [Show full text]
  • 7.4.2 DES Algorithm DES Is a Feistel Cipher Which Processes Plaintext Blocks of N =64Bits, Producing 64-Bit Ciphertext Blocks (Figure 7.8)
    252 Ch. 7 Block Ciphers 7.4.2 DES algorithm DES is a Feistel cipher which processes plaintext blocks of n =64bits, producing 64-bit ciphertext blocks (Figure 7.8). The effective size of the secret key K is k =56bits; more precisely, the input key K is speci®ed as a 64-bit key, 8 bits of which (bits 8; 16;::: ;64) may be used as parity bits. The 256 keys implement (at most) 256 of the 264! possible bijec- tions on 64-bit blocks. A widely held belief is that the parity bits were introduced to reduce the effective key size from 64 to 56 bits, to intentionally reduce the cost of exhaustive key search by a factor of 256. K K plaintext P 56 56 ciphertext C K 64key 64 −1 PCDESC DES P Figure 7.8: DES input-output. Full details of DES are given in Algorithm 7.82 and Figures 7.9 and 7.10. An overview follows. Encryption proceeds in 16 stages or rounds. From the input key K, sixteen 48-bit subkeys Ki are generated, one for each round. Within each round, 8 ®xed, carefully selected 6-to-4 bit substitution mappings (S-boxes) Si, collectively denoted S, are used. The 64-bit plaintext is divided into 32-bit halves L0 and R0. Each round is functionally equivalent, taking 32-bit inputs Li−1 and Ri−1 from the previous round and producing 32-bit outputs Li and Ri for 1 ≤ i ≤ 16, as follows: Li = Ri−1; (7.4) Ri = Li−1 ⊕ f(Ri−1;Ki); where f(Ri−1;Ki)=P (S(E(Ri−1) ⊕ Ki))(7.5) Here E is a ®xed expansion permutation mapping Ri−1 from 32 to 48 bits (all bits are used once; some are used twice).
    [Show full text]
  • A Advanced Encryption Standard See AES AES 35–64 AES Process And
    Index A DFC and DFC v2 196, 199 E2 196 Advanced Encryption Standard see AES FEAL and FEAL-NX 194, 198, 202–203 AES 35–64 FOX 199 AES process and finalists 196 FROG 196 algebraic attack 60 GOST 194 bottleneck attack 58 Grand Cru 198 key schedule 45, 178 Hasty Pudding Cipher 196 related-key attack 62 Hierocrypt-L1 and Hierocrypt-3 198 s-box 44, 50, 191 Hight 200 side-channel cryptanalysis 63 ICE 195 square attack 55 IDEA 194, 198, 205–207 algebraic attack see AES KASUMI 178, 185, 207–212 amplified boomerang attack see differential KFC 199 cryptanalysis Khazad 198 authenticated encryption 82–85 Khufu and Khafre 194 CCM 83 LION and LIONESS 195 EAX 84 LOKI, LOKI91, and LOKI97 194, 196 Lucifer 13, 194 B Madygra 194 Magenta 196 block cipher MARS 196, 198 3-way 195 mCrypton 200 Akelarre 195 Mercy 199 Anubis 191, 198 MISTY 185, 191, 195, 198, 207 BaseKing 195 MULTI2 194 BEAR 195 Nimbus 198 Blowfish 195 Noekeon 198 Camellia 198 NUSH 198 CAST-128 and CAST-256 195, 196 PES and IPES 194 CIPHERUNICORN-A 198 PRESENT 191, 200, 217–218 CIPHERUNICORN-E 198 Q 198 Clefia 200 RC2 194 Crypton 196 RC5 179, 195, 212–214 CS-Cipher 198 RC6 196, 198 DEAL 179, 196 REDOC II 194 DES-based variants see DES Rijndael see AES, 195 L.R. Knudsen and M.J.B. Robshaw, The Block Cipher Companion, Information Security 221 and Cryptography, DOI 10.1007/978-3-642-17342-4, © Springer-Verlag Berlin Heidelberg 2011 222 Index SAFER and variants 195, 196, 198 boomerang attack 162 SC2000 198 countermeasures 184 SEA 200 definition of difference 145 Serpent 178, 196, 197 difference distribution
    [Show full text]
  • Introduction to Cryptography
    Introduction to Cryptography By Marcus K. G. Adomey Chief Operations Manager AfricaCERT Email: [email protected] OVERVIEW . Cryptography Definition Terminology History Goal and Services . Types of Cryptography Symmetric Key Cryptography Asymmetric Key Cryptography Hash Functions CRYPTOGRAPHY Definition Terminology History Goal and Services Cryptography Definition Cryptography is the science of using mathematics to encrypt and decrypt data. Phil Zimmermann Cryptography is the art and science of keeping messages secure. Bruce Schneier The art and science of concealing the messages to introduce secrecy in information security is recognized as cryptography. Cryptography Terminologies A message is plaintext (sometimes called cleartext). The process of disguising a message in such a way as to hide its substance is encryption. An encrypted message is ciphertext. The process of turning ciphertext back into plaintext is decryption. A cipher (or cypher) is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. Cryptography Terminology A cryptosystem is an implementation of cryptographic techniques and their accompanying infrastructure to provide information security services. A cryptosystem is also referred to as a cipher system. The various components of a basic cryptosystem are as follows − . Plaintext . Encryption Algorithm . Ciphertext . Decryption Algorithm . Encryption Key . Decryption Key Cryptography Terminology While cryptography is the science of securing data, cryptanalysis is the science of analyzing and breaking secure communication. Classical cryptanalysis involves an interesting combination of analytical reasoning, application of mathematical tools, pattern finding, patience, determination, and luck. Cryptanalysts are also called attackers. Cryptology embraces both cryptography and cryptanalysis. Cryptography History of Cryptography History of Cryptography History of Cryptography As civilizations evolved, human beings got organized in tribes, groups, and kingdoms.
    [Show full text]
  • Towards a Unifying View of Block Cipher Cryptanalysis
    Towards a unifying view of block cipher cryptanalysis David Wagner⋆ University of California, Berkeley Abstract. We introduce commutative diagram cryptanalysis, a frame- work for expressing certain kinds of attacks on product ciphers. We show that many familiar attacks, including linear cryptanalysis, differential cryptanalysis, differential-linear cryptanalysis, mod n attacks, truncated differential cryptanalysis, impossible differential cryptanalysis, higher- order differential cryptanalysis, and interpolation attacks can be ex- pressed within this framework. Thus, we show that commutative diagram attacks provide a unifying view into the field of block cipher cryptanal- ysis. Then, we use the language of commutative diagram cryptanalysis to compare the power of many previously known attacks. Finally, we introduce two new attacks, generalized truncated differential cryptanaly- sis and bivariate interpolation, and we show how these new techniques generalize and unify many previous attack methods. 1 Introduction How do we tell if a block cipher is secure? How do we design good ciphers? These two questions are central to the study of block ciphers, and yet, after decades of research, definitive answers remain elusive. For the moment, the art of cipher evaluation boils down to two key tasks: we strive to identify as many novel cryptanalytic attacks on block ciphers as we can, and we evaluate new designs by how well they resist known attacks. The research community has been very successful at this task. We have accu- mulated a large variety of different attack techniques: differential cryptanalysis, linear cryptanalysis, differential-linear attacks, truncated differential cryptanal- ysis, higher-order differentials, impossible differentials, mod n attacks, integrals, boomerangs, sliding, interpolation, the yo-yo game, and so on.
    [Show full text]
  • My Crazy Boss Asked Me to Design a New Block Cipher. What's Next?
    Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. What’s next? Pascal Junod University of Applied Sciences Western Switzerland Pascal Junod -- Advanced Block Cipher Design 1 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria Outline •High-Level Schemes •Confusion •Diffusion •Key-Schedule •Beyond the Design Pascal Junod -- Advanced Block Cipher Design 2 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria Introduction Pascal Junod -- Advanced Block Cipher Design 3 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria Some Simple Facts • As of today, nobody knows how to design a (mathematically proven) secure block cipher. • Problem related to fundamental open questions in mathematics/computer science • A secure block cipher is a block cipher that nobody can break... • A good block cipher is a secure block cipher that people like to implement. Pascal Junod -- Advanced Block Cipher Design 4 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria So many Designs in the Hierocrypt G-DES Wild... LOKI MacGuffin LION RC2 Akellare Coconut98 DFC Square E0 Twofish Anubis CAST Skipjack CS-Cipher DEAL Shark RC5 Rijndael IDEA Camellia Aria Present Noekeon Magenta DES-X Threefish RC6 Seed Mars FOX Serpent BassOmatic GOST DES MESH 3-Way E2 TEA Blowfish Misty XTEA Triple DES Cipherunicorn BEAR CLEFIA FEAL XXTEA 5 Madryga Designing a New Block Cipher • Several good and bad reasons: • Faster/smaller than any other one ✔ • With «better» security guarantees than any other one ✔✔ • My boss crazily asked me to design a new, secret (!) and patented (!!) block cipher ~ • Not enough proposals/diversity in the wild ✖ • I desperately need to publish something to finish my PhD thesis ! ✖ Pascal Junod -- Advanced Block Cipher Design 6 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria Designing a New Block Cipher • Claude E.
    [Show full text]
  • APPLIED CRYPTOGRAPHY, SECOND EDITION: Protocols, Algorithms, and Source Code in C:Table of Contents
    To access the contents, click the chapter and section titles. Applied Cryptography, Second Edition: Protocols, Algorthms, and Source Code in C (cloth) (Publisher: John Wiley & Sons, Inc.) Author(s): Bruce Schneier ISBN: 0471128457 Publication Date: 01/01/96 Brief Full Advanced Search Search Tips Search this book: Foreword by Whitfield Diffie Preface About the Author Chapter 1—Foundations 1.1 Terminology 1.2 Steganography 1.3 Substitution Ciphers and Transposition Ciphers 1.4 Simple XOR 1.5 One-Time Pads 1.6 Computer Algorithms 1.7 Large Numbers Part I—Cryptographic Protocols Chapter 2—Protocol Building Blocks 2.1 Introduction to Protocols 2.2 Communications Using Symmetric Cryptography 2.3 One-Way Functions 2.4 One-Way Hash Functions 2.5 Communications Using Public-Key Cryptography 2.6 Digital Signatures 2.7 Digital Signatures with Encryption 2.8 Random and Pseudo-Random-Sequence Generation Chapter 3—Basic Protocols 3.1 Key Exchange 3.2 Authentication 3.3 Authentication and Key Exchange 3.4 Formal Analysis of Authentication and Key-Exchange Protocols 3.5 Multiple-Key Public-Key Cryptography 3.6 Secret Splitting 3.7 Secret Sharing 3.8 Cryptographic Protection of Databases Chapter 4—Intermediate Protocols 4.1 Timestamping Services 4.2 Subliminal Channel 4.3 Undeniable Digital Signatures 4.4 Designated Confirmer Signatures 4.5 Proxy Signatures 4.6 Group Signatures 4.7 Fail-Stop Digital Signatures 4.8 Computing with Encrypted Data 4.9 Bit Commitment 4.10 Fair Coin Flips 4.11 Mental Poker 4.12 One-Way Accumulators 4.13 All-or-Nothing Disclosure
    [Show full text]
  • (12) United States Patent (10) Patent No.: US 6,182,216 B1 Luyster (45) Date of Patent: Jan
    US006182216B1 (12) United States Patent (10) Patent No.: US 6,182,216 B1 Luyster (45) Date of Patent: Jan. 30, 2001 (54) BLOCK CIPHER METHOD nology Laboratory National Institute of Standards and Technology. (76) Inventor: Frank C. Luyster, 100 Riverside La., Riverside, CT (US) 06878 Burton S. Kaliski Jr. and Yiqun Lisa Yin, On Differential and Linear Cryptanalysis of the RC5 Encryption Algorithm, (*) Notice: Under 35 U.S.C. 154(b), the term of this Lecture Notes in Computer Science, vol. 963, pp. 171-184, patent shall be extended for 0 days. Aug. 1995. (21) Appl. No.: 09/154.391 (List continued on next page.) (22) Filed: Sep. 16, 1998 Related U.S. Application Data Primary Examiner Thomas R. Peeso (60) Provisional application No. 60/059,142, filed on Sep. 17, 1997, provisional application No. 60/062.992, filed on Oct. (74) Attorney, Agent, or Firm-Cantor Colburn LLP 23, 1997, provisional application No. 60/064.331, filed on Oct. 30, 1997, provisional application No. 60/094,632, filed (57) ABSTRACT on Jul. 30, 1998, provisional application No. 60/096,788, filed on Aug. 17, 1998, provisional application No. 60/096, A data encryption System for encrypting an n-bit block of 921, filed on Aug. 18, 1998, and provisional application No. 60/098,905, filed on Sep. 2, 1998. input in a plurality of rounds is presented, where n is preferably 128 bits or more. The data encryption system (51) Int. Cl. ................................................. G06F 1/26 includes a computing unit for the execution of each round; (52) U.S. Cl.
    [Show full text]
  • Cryptanalysis of Akelarre 1 Description of Akelarre
    Cryptanalysis of Akelarre Niels Ferguson Bruce Schneier DigiCash bv Counterpane Systems Kruislaan 419 101 E Minnehaha Parkway 1098 VA Amsterdam, Netherlands Minneap olis, MN 55419, USA [email protected] [email protected] July 23, 1997 Abstract We showtwo practical attacks against the Akelarre blo ck cipher. The b est 42 attack retrieves the 128-bit key using less than 100 chosen plaintexts and 2 o -line trial encryptions. Our attacks use a weakness in the round function that preserves the parity of the input, a set of 1-round di erential character- istics with probability1, and the lackofavalanche and one-way prop erties in the key-schedule. We suggest some ways of xing these immediate weak- nesses, but conclude that the algorithm should be abandoned in favor of b etter-studied alternatives. 1 Description of Akelarre Akelarre [AGMP96A , AGMP96B ] is a 128-bit blo ck cipher that uses the same overall structure as idea [LMM91 ]; instead of idea's 16-bit sub-blo cks Akelarre uses 32-bit sub-blo cks. Furthermore, Akelarre do es not use mo dular multiplica- tions, but instead uses a combination of a 128-bit key-dep endent rotate at the b eginning of each round, and rep eated key additions and data-dep endent rota- 1 tions in its MA-b ox called an \addition-rotation structure" in Akelarre. Akelarre is de ned for a variable-length key and a variable numb er of rounds. The authors recommend using Akelarre with four rounds and a 128-bit key; this is the version that we will cryptanalyze.
    [Show full text]