Designing Cryptography for the New Century


Susan Landau

COMMUNICATIONS OF THE ACM May 2000/Vol. 43, No. 5

Cryptography was once the domain of generals and curious children, but the advent of the Information Age changed that. In the early 1970s the National Security Agency (NSA) and the National Bureau of Standards (NBS) realized that non-combatant adults needed to protect their sensitive, but unclassified, information. Though NSA is the usual government agency for building cryptosystems, the agency was unwilling to design a cryptosystem for public use. Instead NBS issued a public solicitation for a cryptosystem. IBM responded. The company submitted a cryptosystem with a 56-bit key. The new algorithm became the Data Encryption Standard (DES).

Many in industry and academia were skeptical of DES. Concern centered on whether NSA had placed a trapdoor, a shortcut to decryption, in the algorithm. There were also objections to DES’s key length; critics believed the relatively short key length¹ had been chosen so that NSA could read DES-encrypted traffic. (IBM said its own engineers had insisted on parity bits for the register-to-register transfer of key data, thus decreasing the key length to 56 from the original 64.)

During the next two decades there were frequent battles over cryptography. Using export controls and threats of other legal action, the U.S. government attempted to stop the spread of strong cryptography. Seeking to build secure computer systems, industry found export controls on cryptography to be a serious blockage (though, to be sure, not the only one). [4] Industry battles centered on bits: how many would the government allow in exported products? Under a 1992 agreement, the magic number was 40 bits. DES is 56 bits. With narrow exceptions, products incorporating DES could not be exported. A 1996 National Research Council report on cryptography policy recommended an immediate loosening of export controls. No changes occurred until 1998, when a $250,000 special-purpose machine built by the Electronic Frontier Foundation cracked a DES-encrypted message in 56 hours [5]. (This has since been improved to 22 hours through a combination of 100,000 networked PCs and the EFF machine.) At that point, U.S. export controls were relaxed to permit DES in exported products. In recent months export controls have been further eased.

A New Standard

A DES replacement was overdue. In 1997 the National Institute of Standards and Technology (NIST) announced a competition for the algorithm’s replacement, and held public meetings to discuss the criteria for a proposed Advanced Encryption Standard (AES). Key length was most important. A 1996 ad hoc committee had argued 90 bits was currently the minimum key length needed to provide data security for 20 years [1]. NIST sought that much security and more—encrypted files should remain confidential well after AES was retired. NIST settled on a minimum key length of 128 bits.² Given the government’s intransigence over exporting strong cryptography, initial reaction was mistrustful. One concern was the role of the NSA in the process. Another was foreign participation; after all, cryptanalysis expertise is international. Both concerns seem to have been allayed. While NSA is—appropriately enough—studying the candidates, there have been no complaints about its part in NIST’s evaluation. And NIST allowed foreign participation in the AES competition.

After public input, NIST settled on straightforward requirements: the algorithm must implement symmetric (secret) key cryptography, the algorithm must be a block cipher, and the algorithm must work on 128-bit blocks and with three key sizes: 128, 192, and 256 bits. If selected, candidates would have to be available worldwide on a nonexclusive, royalty-free basis. Evaluations would be on security, cost, and implementation flexibility. As simplicity aids in understanding, implementing, and assessing the security of the candidates, design simplicity would count. The winner should work in a variety of venues, including 8-bit processors, smartcards, ATM networks, HDTV, voice, and satellite communications. A year into the evaluation procedure, NIST would determine five finalists, a year later, the winner (or winners—NIST might pick more than one).

NIST’s biggest challenge was determining the candidates’ strength. Cryptanalysis is a young science without an overarching theory. Certifying a 128-bit symmetric key algorithm is a voyage into the unknown. NIST could use mathematical arguments and various measures (for example, how much a candidate’s output was indistinguishable from a random permutation) to establish an algorithm’s security. But such approaches are only as strong as the imagined attack model. At the end one is left with statements of the form: “We tried, and algorithm X could not be attacked by methods D, L, or S.” Such an approach does not inspire confidence.

If an algorithm uses a $k$-bit key, the measure of security is how close the algorithm is to being $2^k$-secure, that is, whether there are significantly better methods for breaking the system than a brute-force search of the entire key space. (An assumption, first codified by Kerckhoffs in the 18th century, holds that security of a cryptosystem should rest entirely in the secrecy of the key, and not in the secrecy of the algorithm.) Sometimes an algorithm’s weakness is readily apparent, but frequently weaknesses may take years to discover. With DES, one strong form of attack—differential cryptanalysis—had apparently been known to the algorithm’s designers, but linear cryptanalysis, discovered in 1993, seems to be new. DES was indeed at least theoretically vulnerable to this type of attack.

Cryptosystem Design

The simplest techniques for encrypting a block of symbols are substitution and transposition. Substitution replaces a symbol by another; transposition permutes the symbols of a block around. Cryptanalysis can be viewed as trying to determine the plaintext by approximating the encryption function. Viewed this way, linear functions of the input and key are poor design choices; such functions can be easily solved. Thus nonlinear functions form the basis of cryptographic design. But cryptographic functions must be invertible, fast to compute, and should have small key size and memory requirements. So linear functions end up playing an essential role. A proper combination of simple operations such as XOR (exclusive or, addition modulo 2, sometimes written as $\oplus$), substitution, and permutation, produces a cryptosystem whose strength is greater than the sum of its parts.

These operations are all that is behind DES, which is an iterated block cipher, a cryptosystem on a block of symbols that sequentially repeats an internal function, called a round. It is currently customary to encrypt data using a primitive that operates on a block of symbols of moderate size. Although there are non-iterative block ciphers (RSA), iteration is a natural way to proceed because that yields a small object (this is useful in hardware) with good complexity. Some version of self invertibility is also useful. This enables one object (a chip, a piece of software) to both encrypt and decrypt. Feistel ciphers, in which the $2t$-bit input is split into $t$-bit halves $L_0, R_0$ and mapped after $r$ rounds to $L_r, R_r$, succinctly accomplish this. In the $i$th round, the right half of the previous round becomes the new left half, $L_i \leftarrow R_{i-1}$, while the new right half $R_i$ is a function of a round subkey $K_i$ (derived from the key $K$), and both halves from the previous round, $R_i \leftarrow L_{i-1} \oplus f(R_{i-1}, K_i)$, where $f$ is an arbitrary function. Decryption is the algorithm run in reverse, with subkeys used in the opposite order. DES is a 16-round Feistel cipher.

One school of thought in cryptosystem design lets technology strongly guide the choice of operations, thereby obtaining algorithmic complexity with high-speed performance. NSA takes a different tack. Any widely deployed system will be implemented across a variety of hardware and software systems, so the agency believes in “keep it simple,” and prefers to use elementary primitives such as XOR and table look-up. As opposed to more complex operations such as floating-point arithmetic, these functions act the same way regardless of system architecture. There are countless other tradeoffs, with perhaps the most fundamental being between those algorithms that are simpler to verify, and those that are more complex but more difficult to verify. In a block-structured cryptosystem, this particular issue plays out on the question of rounds: should there be many simple rounds or fewer, more complex ones? Even relatively simple cryptosystems can be secure when run for 32 rounds.

bits that reveal information about the key. Let $B[i]$ denote the $i$th bit of an array $B$, and $B[i_1, i_2, \ldots, i_k] = B[i_1] \oplus B[i_2] \oplus \cdots \oplus B[i_k]$, and $P$, $C$ and $K$ be the plaintext, ciphertext, and key respectively. Fundamentally one is seeking relationships of the form: $P[i_1, i_2, \ldots, i_a] \oplus C[j_1, j_2, \ldots, j_b] = K[k_1, k_2, \ldots, k_c]$. In the case of DES, both differential and linear cryptanalysis are theoretical rather than practical attacks. Yet these are very powerful cryptanalytic tech-

¹ DES is a private-key, or symmetric, cryptographic system, in which encryption and decryption use the same key. Public-key cryptography typically needs significantly more bits to achieve the same level of security as a private-key algorithm.

² Triple-DES—three iterations of DES with either two keys (K1, K2, K1) or three (K1, K2, K3)—had become popular. But triple-DES does not take optimal advantage of 32-bit processors and is too slow.
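The Feistel round rule and the linear relation of the form P[...] ⊕ C[...] = K[...] from the article can be tried together in a small added example (not code from the article or from any standard). It assumes a toy 32-bit block, 16-bit subkeys used directly as round keys, a sample 4-bit S-box and two hypothetical round functions, `f_linear` and `f_nonlinear`; it is not DES.

```python
# Added example: toy 8-round Feistel network with 16-bit halves (assumed sizes).
# It shows (1) decryption works for any round function f, and (2) with a linear f
# a relation P[a] xor C[c] = K[k] holds for every plaintext and key.
import random

MASK16 = 0xFFFF
# Sample 4-bit substitution table (an assumption; any nonlinear permutation works).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK16


def f_linear(r, k):
    """Round function built only from XOR and rotation: linear over GF(2)."""
    return rotl16(r ^ k, 3)


def f_nonlinear(r, k):
    """Same structure, but each nibble passes through the S-box first."""
    x = r ^ k
    y = 0
    for shift in (0, 4, 8, 12):
        y |= SBOX[(x >> shift) & 0xF] << shift
    return rotl16(y, 3)


def encrypt(block, subkeys, f):
    left, right = block >> 16, block & MASK16
    for k in subkeys:
        # L_i <- R_{i-1};  R_i <- L_{i-1} xor f(R_{i-1}, K_i)
        left, right = right, left ^ f(right, k)
    return (left << 16) | right


def decrypt(block, subkeys, f):
    left, right = block >> 16, block & MASK16
    for k in reversed(subkeys):
        # Undo one round; f itself is never inverted.
        left, right = right ^ f(left, k), left
    return (left << 16) | right


def parity(x):
    return bin(x).count("1") & 1


def derive_masks(c_mask, rounds, f):
    """Plaintext and subkey bit masks that pair with c_mask if the cipher is linear.

    Each unit vector is encrypted once; a bit joins the mask when it flips the
    parity of the selected ciphertext bits.
    """
    zero = [0] * rounds
    p_mask = 0
    for i in range(32):
        if parity(c_mask & encrypt(1 << i, zero, f)):
            p_mask |= 1 << i
    k_masks = []
    for r in range(rounds):
        m = 0
        for j in range(16):
            keys = list(zero)
            keys[r] = 1 << j
            if parity(c_mask & encrypt(0, keys, f)):
                m |= 1 << j
        k_masks.append(m)
    return p_mask, k_masks


def relation_rate(f, rounds=8, c_mask=0x00010001, samples=2000, seed=1):
    """Fraction of random (plaintext, key) pairs satisfying P[a] ^ C[c] == K[k]."""
    rng = random.Random(seed)
    p_mask, k_masks = derive_masks(c_mask, rounds, f)
    hits = 0
    for _ in range(samples):
        keys = [rng.getrandbits(16) for _ in range(rounds)]
        p = rng.getrandbits(32)
        c = encrypt(p, keys, f)
        lhs = parity(p & p_mask) ^ parity(c & c_mask)
        rhs = 0
        for k, m in zip(keys, k_masks):
            rhs ^= parity(k & m)
        hits += lhs == rhs
    return hits / samples


if __name__ == "__main__":
    print("linear f:   ", relation_rate(f_linear))
    print("nonlinear f:", relation_rate(f_nonlinear))
```

With the linear round function every sample satisfies the relation, so each known plaintext/ciphertext pair yields one linear equation in the key bits; with the S-box in place the same relation holds only about half the time, which is no better than guessing.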