1 Background: Uncertainty, Entropy and Conditional Entropy


EE 418 Network Security and Cryptography
Lecture #7, October 20, 2016

Perfect Secrecy and One-time Pads. Block and stream cipher. DES, Triple DES and AES. Modes of operation.

Lecture notes prepared by Professor Radha Poovendran.
Tamara Bonaci, Department of Electrical Engineering, University of Washington, Seattle

Outline:

1. Background: Uncertainty, entropy and conditional entropy
2. Perfect secrecy and one-time pads
3. Block and stream cipher
4. Data Encryption Standard (DES)
5. Triple DES
6. Advanced Encryption Standard (AES)
7. Encrypting large plaintexts: Modes of operation
   - Electronic Code Book (ECB) mode
   - Cipher Block Chaining (CBC) mode
   - Counter (CTR) mode

1 Background: Uncertainty, Entropy and Conditional Entropy

The idea of having knowledge (or information) about something is closely related to the idea of uncertainty. Intuitively, it is not hard to see that information increases as uncertainty decreases. To measure an increase in information, or a decrease in uncertainty, we typically use entropy. Before we can talk about entropy, though, let's briefly refresh our memory about probability.

1.1 Random Variable

Let's consider an experiment $X$ with possible outcomes in some set $\mathcal{X}$. Let's assume that each outcome from that set has some probability of occurring. If that is the case, then we can talk about the outcome of the considered experiment as a random variable. Therefore, for every possible outcome $x \in \mathcal{X}$, we can now denote the probability that the outcome of the experiment is equal to $x$ as follows:

$$p_X(x) = p_x = P[X = x] \qquad (1)$$

For example, let's assume that we are rolling a six-sided fair die for our experiment. Then the set of all possible outcomes is the numbers one through six, $\{1, 2, \ldots, 6\}$, and each of them is equally likely to occur.
Then the probability of seeing any of the numbers 1-6 is equal to:

$$p_X(1) = p_1 = P[X = 1] = P[X = 2] = P[X = 3] = P[X = 4] = P[X = 5] = P[X = 6] = \frac{1}{6}$$

1.2 Entropy

Let's now consider the following two simple experiments: rolling a six-sided and a ten-sided die. Intuitively, which of these two experiments do you think has more uncertainty? Well, if you make a guess at the outcome of a roll for each of the dice, you are more likely to be wrong with the ten-sided die than with the six-sided die. Therefore, the ten-sided die has more uncertainty.

Question: If this is our intuition about uncertainty, how do we measure it?

Answer: We typically measure uncertainty with entropy.

Definition 1: For each random variable $X$ with outcomes $\mathcal{X} = \{x_1, \ldots, x_n\}$ having probabilities $p_1, \ldots, p_n$, an entropy $H$ is a function satisfying a set of specific conditions [2]:

1. For each set of non-negative numbers $p_1, \ldots, p_n$ where $p_1 + \cdots + p_n = 1$, the uncertainty is given by a number $H(p_1, \ldots, p_n)$.
2. Function $H$ is a continuous function of the probability distribution, which means that a small change in the probability distribution does not cause a drastic change in uncertainty.
3. In a situation where all outcomes are equally likely, the uncertainty increases when there are more possible outcomes:
   $$H\left(\frac{1}{n}, \ldots, \frac{1}{n}\right) \le H\left(\frac{1}{n+1}, \ldots, \frac{1}{n+1}\right) \quad \forall n > 0$$
4. If the $j$-th outcome can be broken into two suboutcomes, with probabilities $qp_j$ and $(1-q)p_j$, then the entropy increases by the uncertainty caused by the choice between the two suboutcomes, multiplied by the probability $p_j$ that we are in the $j$-th outcome to begin with:
   $$H(p_1, \ldots, qp_j, (1-q)p_j, \ldots, p_n) = H(p_1, p_2, \ldots, p_n) + p_j H(q, 1-q)$$

The function $H(X)$ itself is defined as:

$$H(X) = -\sum_{x \in \mathcal{X}} p(x) \log_2 p(x) \qquad (2)$$

1.3 Conditional Entropy $H(Y|X)$

In many cryptosystems, we might want to know the uncertainty of the cryptographic key, given knowledge about the ciphertext.
This leads to the concept of conditional entropy, defined next.

Definition 2: Conditional entropy is the amount of information in a random variable $Y$, given that we know random variable $X$:

$$H(Y|X) = \sum_x p_X(x) H(Y|X = x) = -\sum_x \sum_y p_{X,Y}(x, y) \log_2 p_Y(y|x) \qquad (3)$$

2 Perfect Secrecy and One-time Pads

Let's assume that we have a cryptosystem with the set of possible plaintexts $\mathcal{P}$, the set of possible ciphertexts $\mathcal{C}$ and the set of possible keys $\mathcal{K}$. Each plaintext in $\mathcal{P}$ has a certain probability of occurring, and some plaintexts are more likely than others. The choice of a key $K$ in $\mathcal{K}$ is always assumed to be independent of the choice of plaintext. The possible ciphertexts in $\mathcal{C}$ can therefore take on various probabilities, depending on the probability distributions of $\mathcal{P}$ and $\mathcal{C}$.

The question that we are considering is: if an attacker intercepts a ciphertext $y$, how much information does (s)he obtain about the key? This question can be formalized by asking what the conditional entropy of a key $K$ is, given that we know a ciphertext $C$, i.e., $H(K|C)$. Initially, the entropy of the key is equal to $H(K)$, but we are now investigating how the knowledge of the ciphertext has decreased that uncertainty. This leads us to the definition of perfect secrecy.

Definition 3: A cryptosystem has perfect secrecy if it holds that knowing a ciphertext does not reveal anything about the chosen cryptographic key:

$$H(P|C) = H(P) \qquad (4)$$

One-time pads are an example of a cryptographic system with perfect secrecy.

2.1 One-Time Pads

The one-time pad is a cryptosystem developed by Gilbert Vernam and Joseph Mauborgne around 1918. In this cryptosystem, we start by representing a message as a binary string, i.e., a sequence of zeros and ones. This can be accomplished by using ASCII conversion to binary representation, or by trying to encrypt video and audio signals. The key is now a random sequence of zeros and ones, and it has the same length as the message being encrypted.
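Definition 3 checked numerically for the one-time pad, as an added example that is not part of the lecture notes: it evaluates eqs. (2) and (3) on a constructed, non-uniform 2-bit plaintext distribution with a uniform key independent of the plaintext, and contrasts a fresh pad (where H(P|C) = H(P)) with the same pad reused on two blocks (where H(P|C) drops by exactly H(P_1 XOR P_2)). Encryption is the one-time pad rule, bitwise XOR of key and message; the distribution values are my choice.

```python
from itertools import product
from math import log2


def entropy(dist):
    """H(X) = -sum_x p(x) log2 p(x) for a dict mapping outcome -> probability (eq. 2)."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def conditional_entropy(joint):
    """H(Y|X) = -sum_x sum_y p(x, y) log2 p(y|x) for a dict mapping (x, y) -> p(x, y) (eq. 3)."""
    p_x = {}
    for (x, _y), p in joint.items():
        p_x[x] = p_x.get(x, 0.0) + p
    return -sum(p * log2(p / p_x[x]) for (x, _y), p in joint.items() if p > 0)


def xor_bits(a, b):
    """Bitwise XOR of two equal-length bit strings (the one-time pad encryption rule)."""
    return ''.join('1' if u != v else '0' for u, v in zip(a, b))


def joint_cipher_plain(plain_dist, key_bits, encrypt):
    """Joint distribution p(c, p) of ciphertext and plaintext when the key is uniform
    over all key_bits-bit strings and independent of the plaintext (Section 2)."""
    keys = [''.join(b) for b in product('01', repeat=key_bits)]
    joint = {}
    for p, prob_p in plain_dist.items():
        for k in keys:
            c = encrypt(p, k)
            joint[(c, p)] = joint.get((c, p), 0.0) + prob_p / len(keys)
    return joint


# Constructed non-uniform plaintext distribution on 2-bit messages; H(P) = 1.75 bits.
PLAIN = {'00': 0.5, '01': 0.25, '10': 0.125, '11': 0.125}


def otp_secrecy_loss():
    """H(P) - H(P|C) for a one-time pad: one 2-bit block, fresh uniform 2-bit key.
    Perfect secrecy (eq. 4) means the loss is 0: the ciphertext says nothing about P."""
    joint = joint_cipher_plain(PLAIN, 2, xor_bits)
    return entropy(PLAIN) - conditional_entropy(joint)


def two_time_pad(p, k):
    """The same 2-bit key applied to both halves of a 4-bit plaintext (key reuse)."""
    return xor_bits(p[:2], k) + xor_bits(p[2:], k)


def two_time_pad_secrecy_loss():
    """H(P) - H(P|C) when the pad is reused on two independent blocks.  The
    ciphertext exposes c1 XOR c2 = p1 XOR p2, so the loss equals H(P1 XOR P2) > 0."""
    plain2 = {a + b: pa * pb for a, pa in PLAIN.items() for b, pb in PLAIN.items()}
    joint = joint_cipher_plain(plain2, 2, two_time_pad)
    return entropy(plain2) - conditional_entropy(joint)


if __name__ == '__main__':
    print(f"H(P) = {entropy(PLAIN):.4f} bits")
    print(f"one-time pad: H(P) - H(P|C) = {otp_secrecy_loss():.4f} bits")
    print(f"two-time pad: H(P) - H(P|C) = {two_time_pad_secrecy_loss():.4f} bits")
```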
The encryption consists of XOR-ing the key with the message bit by bit. Once the key has been used for encryption, it is discarded and never used again.

Example 1: Let's assume that we are trying to encrypt the message 00101001 using the one-time pad key 10101100. The ciphertext can then be found as follows:

    plaintext   00101001
    key         10101100
    ciphertext  10000101

Question 1: Why is the cryptographic key discarded after every use?

Because of the low computational cost of a bitwise XOR operation, if a cryptographic key were used multiple times, both chosen-plaintext and chosen-ciphertext attacks would be very efficient at finding the key and compromising the confidentiality of the communication. Because of that, the key is not reused. Not reusing the key guarantees that, even if part of the key gets compromised, the whole system is still secure, since knowledge of a used key does not reveal anything about the next key to be used.

Theorem 1. The one-time pad cryptosystem has perfect secrecy.

Proof. Please refer to Trappe and Washington, Section 14.4.

A disadvantage of one-time pads is that this cryptosystem requires a very long cryptographic key, which is in general expensive to generate and to transmit. Moreover, once such a key is used, it is discarded. To reduce the cost of key generation and transmission, various approximations to one-time pads are used. In those methods, a small input is typically used to generate a reasonably random sequence of zeros and ones. One such approximation method is the Linear Feedback Shift Register, which we consider next.

3 Block and Stream Cipher

A block cipher is a cryptosystem in which successive plaintext elements are encrypted using the same cryptographic key, $K$.
That is, the ciphertext string $y$ is obtained as follows:

$$y = y_1 y_2 \cdots = e_K(x_1)\, e_K(x_2) \ldots \qquad (5)$$

All of the cryptosystems that we have seen thus far (except one-time pads) are examples of block ciphers, where a successive plaintext element can be a single alphabetic character (e.g., Shift and Affine ciphers) or a block of several alphabetic characters (e.g., Vigenère and Hill ciphers).

The alternative to block ciphers are cryptosystems referred to as stream ciphers. The idea of a stream cipher is to generate a keystream $z = z_1 z_2 \ldots$, and then encrypt each successive element $x_i$ of the plaintext with a different key $z_i$:

$$y = y_1 y_2 \cdots = e_{z_1}(x_1)\, e_{z_2}(x_2) \ldots$$

In its simplest form, the keystream is independent of the plaintext, and it is generated from a unique key $K$ using some specified algorithm. This type of stream cipher is called a synchronous stream cipher.

Definition 4: A synchronous stream cipher is a tuple $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{L}, \mathcal{E}, \mathcal{D})$, together with a function $g$, where:

- $\mathcal{P}$ represents a finite set of possible plaintexts,
- $\mathcal{C}$ a finite set of possible ciphertexts,
- $\mathcal{K}$ a finite set of possible keys (keyspace),
- $\mathcal{L}$ a finite set called the keystream alphabet.

Function $g$ is the keystream generator. It takes a key $K$ as input and generates an infinite string $z_1 z_2 \ldots$ called the keystream, where $z_i \in \mathcal{L}$ for all $i \ge 1$. For every $z \in \mathcal{L}$, there exists an encryption rule $e_z \in \mathcal{E}$ and a corresponding decryption rule $d_z \in \mathcal{D}$, such that $d_z(e_z(x)) = x$ for every plaintext element $x \in \mathcal{P}$.

Note 1: We can think of any block cipher as a special case of a stream cipher where the keystream is a constant, $z_i = K$ for all $i \ge 1$.

Note 2: A stream cipher is a periodic stream cipher with period $d$ if for all integers $i \ge 1$ it holds that:

$$z_{i+d} = z_i \qquad (6)$$

3.1 Generating a Keystream: Linear Feedback Shift Register (LFSR)

Let's assume we are encrypting a plaintext represented using a binary alphabet.
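The synchronous stream cipher of Definition 4 over the binary alphabet, with an LFSR as the keystream generator $g$, as an added example (not code from the lecture notes): the 4-bit recurrence $z_{i+4} = z_i \oplus z_{i+1}$, the key 1000 and the tap convention are my assumptions, since the LFSR section itself is not on this page; the period finder checks eq. (6) on a keystream prefix, and the round trip verifies $d_z(e_z(x)) = x$.

```python
def bits(s):
    """Parse a bit string such as '00101001' into a list of ints."""
    return [int(ch) for ch in s]


def lfsr_keystream(key, taps):
    """Keystream generator g of Definition 4: the initial register contents are the
    key K = z_1 ... z_m, and each new bit is z_{i+m} = XOR of z_{i+t} over t in taps
    (position 0 is the oldest bit).  Yields the infinite keystream z_1 z_2 ..."""
    state = list(key)
    while True:
        yield state[0]
        new_bit = 0
        for t in taps:
            new_bit ^= state[t]
        state = state[1:] + [new_bit]


def keystream_prefix(key, taps, n):
    """First n keystream bits z_1 ... z_n."""
    gen = lfsr_keystream(key, taps)
    return [next(gen) for _ in range(n)]


def stream_encrypt(plain, keystream):
    """e_{z_i}(x_i) = x_i XOR z_i applied element by element over L = {0, 1}.
    Decryption is the same operation, since d_z(e_z(x)) = x XOR z XOR z = x."""
    return [x ^ z for x, z in zip(plain, keystream)]


def keystream_period(key, taps):
    """Smallest d >= 1 with z_{i+d} = z_i for all i >= 1 (eq. 6), tested on a prefix
    twice the longest period 2^m - 1 an m-bit register can reach.  Returns None when
    the keystream is not periodic from the start (possible if position 0 is untapped)."""
    longest = 2 ** len(key) - 1
    prefix = keystream_prefix(key, taps, 2 * longest)
    for d in range(1, longest + 1):
        if all(prefix[i + d] == prefix[i] for i in range(len(prefix) - d)):
            return d
    return None


def roundtrip(plain, key, taps):
    """Encrypt, then decrypt with a fresh copy of the same keystream.
    Returns (ciphertext, recovered plaintext)."""
    cipher = stream_encrypt(plain, lfsr_keystream(key, taps))
    recovered = stream_encrypt(cipher, lfsr_keystream(key, taps))
    return cipher, recovered


if __name__ == '__main__':
    # Assumed example: recurrence z_{i+4} = z_i XOR z_{i+1}, key K = 1000.
    KEY, TAPS = bits('1000'), [0, 1]
    print('keystream prefix:', ''.join(map(str, keystream_prefix(KEY, TAPS, 20))))
    print('period d =', keystream_period(KEY, TAPS))
    cipher, recovered = roundtrip(bits('00101001'), KEY, TAPS)
    print('ciphertext:', ''.join(map(str, cipher)), 'recovered:', ''.join(map(str, recovered)))
```

With these taps the 4-bit register runs through all 15 non-zero states before repeating, so the period is the maximum 2^4 - 1; the taps [0] alone give the much shorter period 4, and an all-zero key gives the constant keystream of Note 1.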