Secret-Key Ciphers ECE 646 – Lecture 7 Data Encryption Standard


DES

NBS public request for a standard cryptographic algorithm: May 15, 1973, August 27, 1974

The algorithm must be:
• secure
• public
  - completely specified
  - easy to understand
  - available to all users
• economic and efficient in hardware
• able to be validated
• exportable

Secret agreement between IBM & NSA, 1974

Obligations of IBM:
• Algorithm developed in secret by IBM
• NSA reserved a right to monitor the development and propose changes
• No software implementations, just hardware chips
• IBM not allowed to ship implementations to certain countries
• License required to ship to carefully selected customers in approved countries

Obligations of NSA:
• seal of approval

DES - chronicle of events

1973 - NBS issues a public request for proposals for a standard cryptographic algorithm
1975 - first publication of IBM's algorithm and request for comments
1976 - NBS organizes two workshops to evaluate the algorithm
1977 - official publication as FIPS PUB 46: Data Encryption Standard
1983, 1987, 1993 - recertification of the algorithm for another five years
1993 - software implementations allowed to be validated

Controversies surrounding DES

Unknown design criteria -> most criteria reconstructed from cipher analysis -> 1990: reinvention of differential cryptanalysis
Slow in software -> only hardware implementations certified -> 1993: software, firmware and hardware treated equally
Too short key -> theoretical designs of DES breaking machines -> 1998: practical DES cracker built

Life of DES (timeline 1980 - 2030)

1977: DES, 56 bit key
1999: Triple DES, 112 and 168 bit keys; later: 168 bit only
AES contest; AES 2002: 128, 192, and 256 bit keys

DES - external look

plaintext block: 64 bits
DES key: 56 bits
ciphertext block: 64 bits

American standards: DES, Triple DES, AES - Rijndael
Other popular algorithms: IDEA, Serpent, RC5, Twofish, Blowfish, RC6, CAST, Mars

Typical Flow Diagram of a Secret-Key Block Cipher

Round Key[0]: Initial transformation
i := 1
Round Key[i]: Cipher Round; i := i+1; repeated #rounds times (while i < #rounds)
Round Key[#rounds+1]: Final transformation

DES – high-level internal structure

IP
Feistel structure (DES main loop): L0 R0 -> K1, f -> L1 R1 -> K2, f -> L2 R2 -> ... -> L15 R15 -> K16, f -> R16 L16
IP^-1

Classical Feistel Network

plaintext = L0 R0
for i = 1 to n {
  Li = Ri-1
  Ri = Li-1 ⊕ f(Ri-1, Ki)
}
Ln+1 = Rn
Rn+1 = Ln ⊕ f(Rn, Kn+1)
ciphertext = Ln+1 Rn+1

Feistel Structure - Decryption

Encryption: IP, then the rounds with K1, K2, ..., K16, then IP^-1 (L0 R0 -> L1 R1 -> L2 R2 -> ... -> L15 R15 -> R16 L16).
Decryption: IP, then the same rounds with K16, K15, ..., K1, then IP^-1 (R16 L16 -> R15 L15 -> R14 L14 -> ... -> R1 L1 -> L0 R0).
Given Ln+1, Rn+1 and Kn+1, one round is undone as Ln, Rn = ?, ? (Rn = Ln+1; Ln = Rn+1 ⊕ f(Ln+1, Kn+1)).

Mangler Function of DES, F

Notation for Permutations

Input:  i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 … i56 i57 i58 i59 i60 i61 i62 i63 i64
Table:  58 50 42 34 26 18 10 2 … 5 63 55 47 39 31 23 15 7
Output: i58 i50 i42 i34 i26 i18 i10 i2 … i5 i63 i55 i47 i39 i31 i23 i15 i7
(output bit k is the input bit whose number is entry k of the table)

Notation for S-boxes

Input: i1 i2 i3 i4 i5 i6
i1 i6 determines a row number in the S-box table, 0..3
i2 i3 i4 i5 determine a column in the S-box table, 0..15
Output: o1 o2 o3 o4, the binary representation of the number from 0..15 found in the given row and the given column

General design criteria of DES

1. Randomness
2. Avalanche property: changing a single bit at the input changes on average half of the bits at the output
3. Completeness property: every output bit is a complex function of all input bits (and not just a subset of input bits)
4. Nonlinearity: the encryption function is non-affine for any value of the key
5. Correlation immunity: output bits are statistically independent of any subset of input bits

Completeness property

Every output bit is a complex function of all input bits (and not just a subset of input bits).
Formal requirement: for all values of i and j, i=1..64, j=1..64, there exist inputs X1 and X2 such that
X1 = x1 x2 x3 … xi-1 0 xi+1 … x63 x64
X2 = x1 x2 x3 … xi-1 1 xi+1 … x63 x64
Y1 = DES(X1) = y1 y2 y3 … yj-1 yj yj+1 … y63 y64
Y2 = DES(X2) = y1 y2 y3 … yj-1 yj' yj+1 … y63 y64, where the two outputs differ in bit j

Linear Transformations

Transformations that fulfill the condition:
T(X[m x 1]) = Y[n x 1] = A[n x m] × X[m x 1]
or, equivalently,
T(X1 ⊕ X2) = T(X1) ⊕ T(X2)

Affine Transformations

Transformations that fulfill the condition:
T(X[m x 1]) = Y[n x 1] = A[n x m] × X[m x 1] ⊕ B[n x 1]

Linear Transformations of DES

IP, IP^-1, E, PC1, PC2, SHIFT
e.g., IP(X1 ⊕ X2) = IP(X1) ⊕ IP(X2)

Non-Linear and non-affine transformations of DES

S-boxes: there are no such matrices A[4x6] and B[4x1] that
S(X[6x1]) = A[4x6] × X[6x1] ⊕ B[4x1]

Design of S-boxes

S[0..15], out = S[in]
• 16! ≈ 2 × 10^13 possibilities
• precisely defined, initially unpublished criteria
• resistant against differential cryptanalysis (attack known to the designers and rediscovered in the open research in 1990 by E. Biham and A. Shamir)

Theoretical design of the specialized machine to break DES

Project: Michael Wiener, Entrust Technologies, 1993, 1997
Method: exhaustive key search attack
Basic component: specialized integrated circuit in CMOS technology, 75 MHz
Checks: 200 mln keys per second
Costs: $10

Total cost   Estimated time
$1 mln       35 minutes
$100,000     6 hours

DES breaking machine (block diagram): known ciphertext, key counter, Round key 1 … 16, Encryption Round 1 … 16, Key Scheduling Round 1 … 16, plaintext, comparator, known plaintext.

Deep Crack

Electronic Frontier Foundation, 1998
Total cost: $220,000
Average time of search: 4.5 days/key
1800 ASIC chips, 40 MHz clock

Deep Crack Parameters
Number of ASIC chips: 1800
Clock frequency: 40 MHz
Number of clock cycles per key: 16
Number of search units per ASIC: 24
Search speed: 90 bln keys/s
Average time to recover the key: 4.5 days

COPACOBANA

Cost-Optimized Parallel COde Breaker
Ruhr University, Bochum, University of Kiel, Germany, 2006
Cost: € 8980 (ver. 1)
• Based on Xilinx FPGAs (Field Programmable Gate Arrays)
• ver. 1 – based on 120 Spartan 3 FPGAs
• ver. 2 – based on 128 Virtex 4 SX 35 FPGAs
• Description, FAQ, and news available at http://www.copacobana.org/
• For ver. 1 based on Spartan FPGAs:
  Clock frequency = 136 MHz
  Average search time for a single DES key = 6.4 days
  Worst case search time for a single DES key = 12.8 days

Secure key length today and in 20 years (against an intelligence agency with the budget of $300M)

128 bits  IDEA, minimum key length in AES
112 bits  Triple DES with three different keys
100 bits  Secure key length in 2027
94 bits   Secure key length in 2018
80 bits   Skipjack
56 bits   DES

Secure key length - discussion

• increasing key length in a newly developed cipher costs NOTHING
• increasing effective key length, assuming the use of an existing cipher, has a limited influence on the efficiency of implementation (Triple DES)
• It is economical to use THE SAME secure key length FOR ALL applications
• The primary barriers blocking the use of symmetric ciphers with a secure key length have been of a political nature (e.g., export policy of USA)

Triple DES EDE mode with two keys (Diffie, Hellman, 1977)

encryption: plaintext -> E with K1 (56 bits) -> D with K2 (56 bits) -> E with K1 (56 bits) -> ciphertext
decryption: ciphertext -> D with K1 (56 bits) -> E with K2 (56 bits) -> D with K1 (56 bits) -> plaintext

Triple DES EDE mode with three keys

encryption: plaintext -> E with K1 (56 bits) -> D with K2 (56 bits) -> E with K3 (56 bits) -> ciphertext
decryption: ciphertext -> D with K3 (56 bits) -> E with K2 (56 bits) -> D with K1 (56 bits) -> plaintext

Triple DES

Advantages:
• secure key length (112 or 168 bits)
• increased resistance to linear and differential cryptanalysis compared to DES
• possibility of utilizing existing implementations of DES
Disadvantages:
• relatively slow, especially in software

Best Attacks Against Triple DES

• Version with three keys (168 bits of key)
  Meet-in-the-middle attack: 2^32 known plaintexts, 2^113 steps, 2^90 single DES encryptions, and 2^88 memory
  Effective key size = 2^112
• Version with two keys (112 bits of key)
  Effective key size = 2^80

Why a new standard?

1. Old standard insecure against brute-force attacks
2. Straightforward fixes lead to inefficient implementations (Triple DES: in -> K1 -> K2 -> K3 -> out)
3. New trends in fast software encryption: use of basic instructions of the microprocessor
4. New ways of assessing cipher strength: differential cryptanalysis, linear cryptanalysis

Advanced Encryption Standard (AES)

Why a contest?

• Focus the effort of the cryptographic community: small number of specialists in the open research
• Stimulate the research on methods of constructing secure ciphers
• Avoid backdoor theories
• Speed up the acceptance of the standard

External format of the AES algorithm

plaintext block: 128 bits
AES key: 128, 192, 256 bits
ciphertext block: 128 bits

Rules of the contest

Each team submits:
• Detailed cipher description
• Justification of design decisions
• Tentative results of cryptanalysis
• Source code in C
• Source code in Java
• Test vectors

AES Contest Effort

June 1998: 15 candidates from USA, Canada, Belgium, France, Germany, Norway, UK, Israel, Korea, Japan, Australia, Costa Rica
Round 1: security, software efficiency
August 1999: Round 2 with 5 final candidates: Mars, RC6, Rijndael, Serpent, Twofish
Round 2: security, hardware efficiency
October 2000: 1 winner: Rijndael (Belgium)

AES contest - First Round

15 June 1998: deadline for submitting candidates; 21 submissions, 15 fulfilled all requirements
August 1998: 1st AES Conference in Ventura, CA; presentation of candidates
March 1999: 2nd AES Conference in Rome, Italy; review of results of the First Round analysis
August 1999: NIST announces five final candidates

AES: Candidate algorithms

North America (8)
  Canada: CAST-256, Deal
  USA: Mars, RC6, Twofish, Safer+, HPC
  Costa Rica: Frog
Europe (4)
  Germany: Magenta
  Belgium: Rijndael
  France: DFC
  Israel, UK, Norway: Serpent
Asia (2)
  Korea: Crypton
  Japan: E2
Australia (1)
  Australia: LOKI97

AES Finalists (1), AES Finalists (2)

USA: Mars - IBM
Europe: C.
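The Classical Feistel Network and Feistel decryption slides above, as an added example that is not code from the lecture: the round equations Li = Ri-1, Ri = Li-1 ⊕ f(Ri-1, Ki) are run for every round key, followed by the swap of halves the DES figure shows before IP^-1, and decryption reuses the same network with the keys reversed; the EDE functions mirror the Triple DES slides. The round function f and the key schedule are toy constructions assumed for this example, not the DES mangler or the PC1/SHIFT/PC2 chain.

```python
# Feistel network with the round equations from the slides, a toy round
# function and a toy key schedule (constructed for this example, not DES).

HALF_BITS = 32
MASK = (1 << HALF_BITS) - 1


def f(r: int, k: int) -> int:
    """Toy mangler function for one 32-bit half and one 32-bit round key.
    The final mask zeroes the low nibble, so f is many-to-one; the network
    still decrypts because f is only XORed in and never inverted."""
    v = (r ^ k) & MASK
    v = (v * 0x9E3779B1) & MASK
    v ^= v >> 15
    v = (v * 0x85EBCA6B) & MASK
    v ^= v >> 13
    return v & 0xFFFFFFF0


def key_schedule(key: int, rounds: int = 16) -> list:
    """Toy schedule: rotate the 56-bit key one bit per round, keep 32 bits.
    Stands in for the slide's PC1 / SHIFT / PC2 chain (constructed)."""
    keys = []
    for _ in range(rounds):
        key = ((key << 1) | (key >> 55)) & ((1 << 56) - 1)
        keys.append(key & MASK)
    return keys


def feistel(block: int, round_keys: list) -> int:
    """Slide equations L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, K_i) for
    each key in turn, then the final swap of halves (R16 L16 in the DES figure)."""
    l, r = block >> HALF_BITS, block & MASK      # plaintext = L0 || R0
    for k in round_keys:
        l, r = r, l ^ f(r, k)
    return (r << HALF_BITS) | l                  # output R_{n+1} || L_{n+1}


def encrypt(block: int, round_keys: list) -> int:
    return feistel(block, round_keys)


def decrypt(block: int, round_keys: list) -> int:
    """Same network with K_{n+1}, ..., K_1: each round cancels its twin, since
    R_n = L_{n+1} and L_n = R_{n+1} xor f(L_{n+1}, K_{n+1})."""
    return feistel(block, list(reversed(round_keys)))


def ede_encrypt(block: int, k1: list, k2: list, k3: list) -> int:
    """Triple EDE as on the Triple DES slides: E_K3(D_K2(E_K1(P))).
    With k3 = k1 this is the two-key variant; with all three keys equal it
    collapses to a single encryption, which is what lets EDE reuse existing
    single-cipher implementations."""
    return encrypt(decrypt(encrypt(block, k1), k2), k3)


def ede_decrypt(block: int, k1: list, k2: list, k3: list) -> int:
    """Inverse of ede_encrypt: D_K1(E_K2(D_K3(C)))."""
    return decrypt(encrypt(decrypt(block, k3), k2), k1)


if __name__ == "__main__":
    ks = key_schedule(0x0123456789ABCD)          # constructed 56-bit key
    p = 0x0123456789ABCDEF                       # constructed plaintext block
    c = encrypt(p, ks)
    print(f"plaintext  {p:016x}")
    print(f"ciphertext {c:016x}")
    print(f"recovered  {decrypt(c, ks):016x}")
```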
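The permutation and S-box notation, and the linear versus non-affine distinction from the slides above, as an added example that is not part of the lecture. It uses the real DES IP and S1 tables from FIPS 46 (the slide prints only the first and last rows of IP); `permute` applies to any DES table written in this notation (E, PC1 and PC2 as well), and `affine_witness` settles the "no such A and B" claim for a 6-to-4 map by exhausting inputs rather than matrices.

```python
# DES permutation / S-box notation with the published IP and S1 tables,
# plus checks of the linearity and non-affinity claims from the slides.

# Initial permutation IP (FIPS 46): entry k (1-based) names the input bit that
# becomes output bit k, so output bit 1 = input bit 58 and output bit 64 = input bit 7.
IP = [
    58, 50, 42, 34, 26, 18, 10, 2,
    60, 52, 44, 36, 28, 20, 12, 4,
    62, 54, 46, 38, 30, 22, 14, 6,
    64, 56, 48, 40, 32, 24, 16, 8,
    57, 49, 41, 33, 25, 17,  9, 1,
    59, 51, 43, 35, 27, 19, 11, 3,
    61, 53, 45, 37, 29, 21, 13, 5,
    63, 55, 47, 39, 31, 23, 15, 7,
]

# S-box S1 (FIPS 46): 4 rows x 16 columns, each entry 0..15.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def bit(x: int, i: int, width: int) -> int:
    """Bit i of a width-bit integer, 1-based with i1 the most significant bit."""
    return (x >> (width - i)) & 1


def permute(x: int, table: list, width: int) -> int:
    """Slide notation: output bit k is input bit table[k-1]."""
    out = 0
    for src in table:
        out = (out << 1) | bit(x, src, width)
    return out


def invert_table(table: list) -> list:
    """Inverse permutation table (IP^-1 from IP): if IP moves input bit src to
    output bit k, IP^-1 must move input bit k back to output bit src."""
    inv = [0] * len(table)
    for k, src in enumerate(table, start=1):
        inv[src - 1] = k
    return inv


IP_INV = invert_table(IP)


def ip(x: int) -> int:
    return permute(x, IP, 64)


def sbox(box: list, x: int) -> int:
    """Slide notation: bits i1 i6 select the row (0..3), i2..i5 the column (0..15)."""
    row = (bit(x, 1, 6) << 1) | bit(x, 6, 6)
    col = (x >> 1) & 0xF
    return box[row][col]


def s1(x: int) -> int:
    return sbox(S1, x)


def is_linear_on(t, pairs: list) -> bool:
    """Check the slide's condition T(X1 xor X2) == T(X1) xor T(X2) on sample pairs."""
    return all(t(a ^ b) == t(a) ^ t(b) for a, b in pairs)


def affine_witness(t, n_bits: int):
    """Return (x, y) proving t is not affine, or None if no witness exists.
    Any affine map T(X) = A*X xor B satisfies T(x^y) ^ T(x) ^ T(y) ^ T(0) == 0
    for all x, y, so one violation rules out every choice of A and B."""
    for x in range(1 << n_bits):
        for y in range(1 << n_bits):
            if t(x ^ y) ^ t(x) ^ t(y) ^ t(0):
                return x, y
    return None


if __name__ == "__main__":
    print("S1(011011) =", s1(0b011011))                      # 5, the FIPS 46 worked example
    pairs = [(0x0123456789ABCDEF, 0xFEDCBA9876543210)]     # constructed sample blocks
    print("IP linear on samples:", is_linear_on(ip, pairs))
    print("IP^-1(IP(x)) == x:", permute(ip(pairs[0][0]), IP_INV, 64) == pairs[0][0])
    print("S1 non-affine witness (x, y):", affine_witness(s1, 6))
```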