DOCSLIB.ORG

E2 - a Candidate Cipher for AES

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
E2 - a Candidate Cipher for AES E2 - A Candidate Cipher for AES Masayuki Kanda, Shiho Moriai, Kazumaro Aoki, Hiroki Ueda, Miyako Ohkubo, Youichi Takashima, Kazuo Ohta, Tsutomu Matsumoto* [email protected] http://info.isl.ntt.co.jp/e2/ Nippon Telegraph and Telephone Corporation (NTT) *Yokohama National University First AES Candidate Conference Copyright NTT 1998 Outline · Overview · Design · Security · Performance · Conclusion E2 First AES Candidate Conference Copyright NTT 1998 Design Goals · A 128-bit symmetric block cipher · Key length of 128, 192, and 256 bits · Security : secure against all known attacks and more · Efficiency : faster than DES · Flexibility : efficient implementations on various platforms First AES Candidate Conference Copyright NTT 1998 Security of E2 (1) There are many attacks…. First AES Candidate Conference Copyright NTT 1998 Security of E2 (1) BruteBrute ForceForce AttacksAttacks There are many attacks…. First AES Candidate Conference Copyright NTT 1998 Security of E2 (1) BruteBrute ForceForce AttacksAttacks DifferentialDifferential CryptanalysisCryptanalysis There are many attacks…. First AES Candidate Conference Copyright NTT 1998 Security of E2 (1) BruteBrute ForceForce AttacksAttacks DifferentialDifferential LinearLinear CryptanalysisCryptanalysis CryptanalysisCryptanalysis There are many attacks…. First AES Candidate Conference Copyright NTT 1998 Security of E2 (1) BruteBrute ForceForce AttacksAttacks DifferentialDifferential LinearLinear CryptanalysisCryptanalysis CryptanalysisCryptanalysis HigherHigher OrderOrder DifferentialDifferential AttackAttack There are many attacks…. First AES Candidate Conference Copyright NTT 1998 Security of E2 (1) BruteBrute ForceForce AttacksAttacks DifferentialDifferential LinearLinear CryptanalysisCryptanalysis CryptanalysisCryptanalysis HigherHigher OrderOrder InterpolationInterpolation DifferentialDifferential AttackAttack AttackAttack There are many attacks…. First AES Candidate Conference Copyright NTT 1998 Security of E2 (1) BruteBrute ForceForce AttacksAttacks DifferentialDifferential LinearLinear CryptanalysisCryptanalysis CryptanalysisCryptanalysis HigherHigher OrderOrder InterpolationInterpolation PartitioningPartitioning DifferentialDifferential AttackAttack CryptanalysisCryptanalysis AttackAttack There are many attacks…. First AES Candidate Conference Copyright NTT 1998 Security of E2 (2) DifferentialDifferential LinearLinear CryptanalysisCryptanalysis CryptanalysisCryptanalysis E2 E2 is proven to have sufficient security First AES Candidate Conference Copyright NTT 1998 Security of E2 (3) DifferentialDifferential LinearLinear CryptanalysisCryptanalysis CryptanalysisCryptanalysis HigherHigher OrderOrder Interpolation Partitioning DifferentialDifferential Interpolation Partitioning Attack Cryptanalysis AttackAttack Attack Cryptanalysis E2 S-box is designed to have no vulnerabilities First AES Candidate Conference Copyright NTT 1998 Security of E2 (4) BruteBrute ForceForce AttacksAttacks E2 E2 supports 128-bit block size and 128,192, 256-bit key sizes First AES Candidate Conference Copyright NTT 1998 Design Goals (cont.) · A 128-bit symmetric block cipher · Key length of 128, 192, and 256 bits · Security : secure against all known attacks and more · Efficiency : faster than DES · Flexibility : efficient implementations on various platforms First AES Candidate Conference Copyright NTT 1998 Efficiency and Flexibility of E2 32-bit 200MHz Intel Pentium Pro CPU ANSI C Assembly (Borland C++ 5.02) 711 clocks/block 420 clocks/block 36.0 Mbits/sec 61.0 Mbits/sec 64-bit 8-bit CPU CPU 600MHz DEC 21164A 5MHz Hitachi H8/300 Assembly Assembly 600 clocks/block 6,374 clocks/block 128 Mbits/sec 100.5 k bits/sec First AES Candidate Conference Copyright NTT 1998 Efficiency and Flexibility of E2 32-bit 200MHz Intel Pentium Pro CPU ANSI C cf. DESAssembly (RSAREF, (Borland C++ 5.02) Borland C++ 5.0) 711 clocks/block 10.610.6420 Mbitsclocks/block/sec 36.0 Mbits/sec 61.0 Mbits/sec 64-bit 8-bit CPU CPU 600MHz DEC 21164A 5MHz Hitachi H8/300 Assembly Assembly 600 clocks/block 6,374 clocks/block 128 Mbits/sec 100.5 k bits/sec First AES Candidate Conference Copyright NTT 1998 Outline · Overview · Design · Security · Performance · Conclusion E2 First AES Candidate Conference Copyright NTT 1998 High-level Structure of E2 Plaintext P Key K IT k13 k14 k1 F Key Scheduling Part k2 F k12 F k FT 15 k16 First AES Candidate Conference Ciphertext C Copyright NTT 1998 High-level Structure of E2 Plaintext P Key K k IT k13 Data 14 k1 randomizing F Key Scheduling Part part k2 F k12 F k FT 15 k16 First AES Candidate Conference Ciphertext C Copyright NTT 1998 High-level Structure of E2 Plaintext P Key K k IT k13 Data 14 Key k1 randomizing F Key Scheduling Part scheduling part k2 F part k12 F k FT 15 k16 First AES Candidate Conference Ciphertext C Copyright NTT 1998 Data Randomizing Part Framework · IT-Function k (Initial Transformation) IT 13 k14 k1 · Feistel structure F k2 · FT-Function F (Final Transformation) k12 F k FT 15 k16 First AES Candidate Conference Copyright NTT 1998 Design Rationale of Framework · Feistel structure w Widely known and thought to offer long-term security w Symmetric encryption and decryption w Evaluation of security against DC and LC has been well studied · IT-Function and FT-Function w Offer a proactive design and hinder later attacks First AES Candidate Conference Copyright NTT 1998 Design Rationale of Framework · Feistel structure w Widely known and thought to offer long-term security w Symmetric encryption and decryption w Evaluation of security against DC and LC has been well studied · IT-Function and FT-Function w Offer a proactive design and hinder later attacks First AES Candidate Conference Copyright NTT 1998 Design Rationale of F-Function (1) · Structures for which security evaluation against DC and LC is easy w 1-round SPN structure (e.g., DES) w Recursive structure (e.g., MISTY) w 2-round SPN structure · Comparing the speed at the same level of security, we decided to adopt 2-round SPN structure First AES Candidate Conference Copyright NTT 1998 Design Rationale of F-Function (1) · Structures for which security evaluation against DC and LC is easy w 1-round SPN structure (e.g., DES) w Recursive structure (e.g., MISTY) w 2-round SPN structure · Comparing the speed at the same level of security, we decided to adopt 2-round SPN structure First AES Candidate Conference Copyright NTT 1998 Design Rationale of F-Function (1) · Structures for which security evaluation against DC and LC is easy w 1-round SPN structure (e.g., DES) w Recursive structure (e.g., MISTY) w 2-round SPN structure · Comparing the speed at the same level of security, we decided to adopt 2-round SPN structure Evaluated using practical measure First AES Candidate Conference Copyright NTT 1998 Practical Measure for Feistel Cipher · General case [Knudsen (FSE’93)] w Number of rounds: R = 2r, 2r + 1 (R) r (R) r w Evaluation: UDCP = p , ULCP = q · Bijective case [Kanda et al. (SAC’98)] w Number of rounds: R = 3r, 3r + 1, 3r + 2 (R) 2r (R) 2r w Evaluation: UDCP = p , ULCP = q (R = 3r, 3r + 1) (R) 2r+1 (R) 2r+1 UDCP = p , ULCP = q (R = 3r + 2) Note: p, q : Maximum differential and linear prob. of round function First AES Candidate Conference Copyright NTT 1998 Practical Measure for Feistel Cipher · General case [Knudsen (FSE’93)] w Number of rounds: R = 2r, 2r + 1 When R = 6 (R) r (R) r w Evaluation: UDCP = p , UDCP ULCP = p3 [=General] q · Bijective case [Kanda et al.UDCP (SAC =’98) p4 ][Bijective] w Number of rounds: R = 3r, 3r + 1, 3r + 2 (R) 2r (R) 2r w Evaluation: UDCP = p , ULCP = q (R = 3r, 3r + 1) (R) 2r+1 (R) 2r+1 UDCP = p , ULCP = q (R = 3r + 2) Note: p, q : Maximum differential and linear prob. of round function First AES Candidate Conference Copyright NTT 1998 Design Rationale of F-Function (2) 350 slow 42 rounds 300 250 200 150 6 rounds 9 rounds 100 Performance 1-round SPN structure Recursive structure Total number of s-boxes 50 2-round SPN structure fast 0 -32 -64 -96 -128 -160 -192 -224 Upper bounds of max differential/linear prob( log2 ) Security secure First AES Candidate Conference Copyright NTT 1998 F - Function Overview K (2) K (1) F - Function s s s s s s s s s s s s s s s s S - Function P - Function S - Function First AES Candidate Conference Copyright NTT 1998 Design Rationale of P-Function · Maximize minimum number of active s-boxes w Minimize upper bound of maximum differential / linear prob. of round function · Use only XOR operation w Simple construction w Efficient implementations in both software and hardware · Minimize gate counts required for hardware First AES Candidate Conference Copyright NTT 1998 Design Rationale of P-Function · Maximize minimum number of active s-boxes w Minimize upper bound of maximum differential / linear prob. of round function · Use only XOR operation w Simple construction w Efficient implementations in both software and hardware · Minimize gate counts required for hardware First AES Candidate Conference Copyright NTT 1998 # of Active s-boxes 3 (Bad P-Function) K (2) K (1) F - Function s s s s s s D Y s s D X s s s s s s s s P - Function Many active s-boxes mean high security against DC. First AES Candidate Conference Copyright NTT 1998 # of Active s-boxes 5 (E2 P-Function) K (2) K (1) F - Function s s s s s s D Y s s D X s s s s s s s s P - Function First AES Candidate Conference Copyright NTT 1998 # of Active s-boxes 5 (cont.) K (2) K (1) F - Function s s s s s s D Y s s D X s s s s s s s s P - Function First AES Candidate Conference Copyright NTT 1998 Design Rationale of s-box 1. Suitability for various platforms 2. No trap-doors 3. No vulnerability to known attacks First AES Candidate Conference Copyright NTT 1998 Rationale 1 : Suitability for Various Platforms · Table-lookup w efficiency does not depend on processors with various word-lengths (8, 16, 32, 64 bits) · One 8-by-8-bit s-box w consideration for 8-bit smart card implementations First AES Candidate Conference Copyright NTT 1998 Rationale 2 : No trap-doors · Design principle is publicly given · Based on well-known mathematical functions First AES Candidate Conference Copyright NTT 1998 Candidates of s-box · s : GF(2)8 GF(2)8 ; x s(x) = g ( f (x) ) candidates of f (x) and g(x) k 8 I.
Load more

Recommended publications
  • On the Decorrelated Fast Cipher (DFC) and Its Theory
    On the Decorrelated Fast Cipher (DFC) and Its Theory Lars R. Knudsen and Vincent Rijmen ? Department of Informatics, University of Bergen, N-5020 Bergen Abstract. In the first part of this paper the decorrelation theory of Vaudenay is analysed. It is shown that the theory behind the propo- sed constructions does not guarantee security against state-of-the-art differential attacks. In the second part of this paper the proposed De- correlated Fast Cipher (DFC), a candidate for the Advanced Encryption Standard, is analysed. It is argued that the cipher does not obtain prova- ble security against a differential attack. Also, an attack on DFC reduced to 6 rounds is given. 1 Introduction In [6,7] a new theory for the construction of secret-key block ciphers is given. The notion of decorrelation to the order d is defined. Let C be a block cipher with block size m and C∗ be a randomly chosen permutation in the same message space. If C has a d-wise decorrelation equal to that of C∗, then an attacker who knows at most d − 1 pairs of plaintexts and ciphertexts cannot distinguish between C and C∗. So, the cipher C is “secure if we use it only d−1 times” [7]. It is further noted that a d-wise decorrelated cipher for d = 2 is secure against both a basic linear and a basic differential attack. For the latter, this basic attack is as follows. A priori, two values a and b are fixed. Pick two plaintexts of difference a and get the corresponding ciphertexts.
    [Show full text]
  • Hemiunu Used Numerically Tagged Surface Ratios to Mark Ceilings Inside the Great Pyramid Hinting at Designed Spaces Still Hidden Within
    Archaeological Discovery, 2018, 6, 319-337 http://www.scirp.org/journal/ad ISSN Online: 2331-1967 ISSN Print: 2331-1959 Hemiunu Used Numerically Tagged Surface Ratios to Mark Ceilings inside the Great Pyramid Hinting at Designed Spaces Still Hidden Within Manu Seyfzadeh Institute for the Study of the Origins of Civilization (ISOC)1, Boston University’s College of General Studies, Boston, USA How to cite this paper: Seyfzadeh, M. Abstract (2018). Hemiunu Used Numerically Tagged Surface Ratios to Mark Ceilings inside the In 1883, W. M. Flinders Petrie noticed that the vertical thickness and height Great Pyramid Hinting at Designed Spaces of certain stone courses of the Great Pyramid2 of Khufu/Cheops at Giza, Still Hidden Within. Archaeological Dis- Egypt markedly increase compared to those immediately lower periodically covery, 6, 319-337. https://doi.org/10.4236/ad.2018.64016 and conspicuously interrupting a general trend of progressive course thinning towards the summit. Having calculated the surface area of each course, Petrie Received: September 10, 2018 further noted that the courses immediately below such discrete stone thick- Accepted: October 5, 2018 Published: October 8, 2018 ness peaks tended to mark integer multiples of 1/25th of the surface area at ground level. Here I show that the probable architect of the Great Pyramid, Copyright © 2018 by author and Khufu’s vizier Hemiunu, conceptualized its vertical construction design using Scientific Research Publishing Inc. surface areas based on the same numerical principles used to design his own This work is licensed under the Creative Commons Attribution International mastaba in Giza’s western cemetery and conspicuously used this numerical License (CC BY 4.0).
    [Show full text]
  • Report on the AES Candidates
    Rep ort on the AES Candidates 1 2 1 3 Olivier Baudron , Henri Gilb ert , Louis Granb oulan , Helena Handschuh , 4 1 5 1 Antoine Joux , Phong Nguyen ,Fabrice Noilhan ,David Pointcheval , 1 1 1 1 Thomas Pornin , Guillaume Poupard , Jacques Stern , and Serge Vaudenay 1 Ecole Normale Sup erieure { CNRS 2 France Telecom 3 Gemplus { ENST 4 SCSSI 5 Universit e d'Orsay { LRI Contact e-mail: [email protected] Abstract This do cument rep orts the activities of the AES working group organized at the Ecole Normale Sup erieure. Several candidates are evaluated. In particular we outline some weaknesses in the designs of some candidates. We mainly discuss selection criteria b etween the can- didates, and make case-by-case comments. We nally recommend the selection of Mars, RC6, Serp ent, ... and DFC. As the rep ort is b eing nalized, we also added some new preliminary cryptanalysis on RC6 and Crypton in the App endix which are not considered in the main b o dy of the rep ort. Designing the encryption standard of the rst twentyyears of the twenty rst century is a challenging task: we need to predict p ossible future technologies, and wehavetotake unknown future attacks in account. Following the AES pro cess initiated by NIST, we organized an op en working group at the Ecole Normale Sup erieure. This group met two hours a week to review the AES candidates. The present do cument rep orts its results. Another task of this group was to up date the DFC candidate submitted by CNRS [16, 17] and to answer questions which had b een omitted in previous 1 rep orts on DFC.
    [Show full text]
  • Cryptanalysis of a Reduced Version of the Block Cipher E2
    Cryptanalysis of a Reduced Version of the Block Cipher E2 Mitsuru Matsui and Toshio Tokita Information Technology R&D Center Mitsubishi Electric Corporation 5-1-1, Ofuna, Kamakura, Kanagawa, 247, Japan [email protected], [email protected] Abstract. This paper deals with truncated differential cryptanalysis of the 128-bit block cipher E2, which is an AES candidate designed and submitted by NTT. Our analysis is based on byte characteristics, where a difference of two bytes is simply encoded into one bit information “0” (the same) or “1” (not the same). Since E2 is a strongly byte-oriented algorithm, this bytewise treatment of characteristics greatly simplifies a description of its probabilistic behavior and noticeably enables us an analysis independent of the structure of its (unique) lookup table. As a result, we show a non-trivial seven round byte characteristic, which leads to a possible attack of E2 reduced to eight rounds without IT and FT by a chosen plaintext scenario. We also show that by a minor modification of the byte order of output of the round function — which does not reduce the complexity of the algorithm nor violates its design criteria at all —, a non-trivial nine round byte characteristic can be established, which results in a possible attack of the modified E2 reduced to ten rounds without IT and FT, and reduced to nine rounds with IT and FT. Our analysis does not have a serious impact on the full E2, since it has twelve rounds with IT and FT; however, our results show that the security level of the modified version against differential cryptanalysis is lower than the designers’ estimation.
    [Show full text]
  • Provable Security Evaluation of Structures Against Impossible Differential and Zero Correlation Linear Cryptanalysis ⋆
    Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation Linear Cryptanalysis ⋆ Bing Sun1,2,4, Meicheng Liu2,3, Jian Guo2, Vincent Rijmen5, Ruilin Li6 1 College of Science, National University of Defense Technology, Changsha, Hunan, P.R.China, 410073 2 Nanyang Technological University, Singapore 3 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, P.R. China, 100093 4 State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, P.R. China, 100878 5 Dept. Electrical Engineering (ESAT), KU Leuven and iMinds, Belgium 6 College of Electronic Science and Engineering, National University of Defense Technology, Changsha, Hunan, P.R.China, 410073 happy [email protected] [email protected] [email protected] [email protected] [email protected] Abstract. Impossible differential and zero correlation linear cryptanal- ysis are two of the most important cryptanalytic vectors. To character- ize the impossible differentials and zero correlation linear hulls which are independent of the choices of the non-linear components, Sun et al. proposed the structure deduced by a block cipher at CRYPTO 2015. Based on that, we concentrate in this paper on the security of the SPN structure and Feistel structure with SP-type round functions. Firstly, we prove that for an SPN structure, if α1 → β1 and α2 → β2 are possi- ble differentials, α1|α2 → β1|β2 is also a possible differential, i.e., the OR “|” operation preserves differentials. Secondly, we show that for an SPN structure, there exists an r-round impossible differential if and on- ly if there exists an r-round impossible differential α → β where the Hamming weights of both α and β are 1.
    [Show full text]
  • Recommendation for Block Cipher Modes of Operation Methods
    NIST Special Publication 800-38A Recommendation for Block 2001 Edition Cipher Modes of Operation Methods and Techniques Morris Dworkin C O M P U T E R S E C U R I T Y ii C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 December 2001 U.S. Department of Commerce Donald L. Evans, Secretary Technology Administration Phillip J. Bond, Under Secretary of Commerce for Technology National Institute of Standards and Technology Arden L. Bement, Jr., Director iii Reports on Information Security Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations. Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
    [Show full text]
  • Camellia: a 128-Bit Block Cipher Suitable for Multiple Platforms – Design Andanalysis
    Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms – Design andAnalysis Kazumaro Aoki1, Tetsuya Ichikawa2, Masayuki Kanda1, Mitsuru Matsui2, Shiho Moriai1, Junko Nakajima2, and Toshio Tokita2 1 Nippon Telegraph and Telephone Corporation, 1-1 Hikarinooka, Yokosuka, Kanagawa, 239-0847Japan {maro,kanda,shiho}@isl.ntt.co.jp 2 Mitsubishi Electric Corporation, 5-1-1 Ofuna, Kamakura, Kanagawa, 247-8501 Japan {ichikawa,matsui,june15,tokita}@iss.isl.melco.co.jp Abstract. We present a new 128-bit block cipher called Camellia. Camellia supports 128-bit block size and 128-, 192-, and 256-bit keys, i.e., the same interface specifications as the Advanced Encryption Stan- dard (AES). Efficiency on both software and hardware platforms is a remarkable characteristic of Camellia in addition to its high level of se- curity. It is confirmed that Camellia provides strong security against differential and linear cryptanalyses. Compared to the AES finalists, i.e., MARS, RC6, Rijndael, Serpent, and Twofish, Camellia offers at least comparable encryption speed in software and hardware. An optimized implementation of Camellia in assembly language can encrypt on a Pen- tium III (800MHz) at the rate of more than 276 Mbits per second, which is much faster than the speed of an optimized DES implementation. In addition, a distinguishing feature is its small hardware design. The hard- ware design, which includes encryption and decryption and key schedule, occupies approximately 11K gates, which is the smallest among all ex- isting 128-bit block ciphers as far as we know. 1 Introduction This paper presents a 128-bit block cipher called Camellia, which was jointly developed by NTT and Mitsubishi Electric Corporation.
    [Show full text]
  • New Cryptanalysis of Block Ciphers with Low Algebraic Degree
    New Cryptanalysis of Block Ciphers with Low Algebraic Degree Bing Sun1,LongjiangQu1,andChaoLi1,2 1 Department of Mathematics and System Science, Science College of National University of Defense Technology, Changsha, China, 410073 2 State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, China, 10039 happy [email protected], ljqu [email protected] Abstract. Improved interpolation attack and new integral attack are proposed in this paper, and they can be applied to block ciphers using round functions with low algebraic degree. In the new attacks, we can determine not only the degree of the polynomial, but also coefficients of some special terms. Thus instead of guessing the round keys one by one, we can get the round keys by solving some algebraic equations over finite field. The new methods are applied to PURE block cipher successfully. The improved interpolation attacks can recover the first round key of 8-round PURE in less than a second; r-round PURE with r ≤ 21 is breakable with about 3r−2 chosen plaintexts and the time complexity is 3r−2 encryptions; 22-round PURE is breakable with both data and time complexities being about 3 × 320. The new integral attacks can break PURE with rounds up to 21 with 232 encryptions and 22-round with 3 × 232 encryptions. This means that PURE with up to 22 rounds is breakable on a personal computer. Keywords: block cipher, Feistel cipher, interpolation attack, integral attack. 1 Introduction For some ciphers, the round function can be described either by a low degree polynomial or by a quotient of two low degree polynomials over finite field with characteristic 2.
    [Show full text]
  • Advanced Encryption Standard by Example 1.0 Preface 2.0 Terminology
    Written By: Adam Berent Advanced Encryption Standard by Example V.1.5 1.0 Preface The following document provides a detailed and easy to understand explanation of the implementation of the AES (RIJNDAEL) encryption algorithm. The purpose of this paper is to give developers with little or no knowledge of cryptography the ability to implement AES. 2.0 Terminology There are terms that are frequently used throughout this paper that need to be clarified. Block: AES is a block cipher. This means that the number of bytes that it encrypts is fixed. AES can currently encrypt blocks of 16 bytes at a time; no other block sizes are presently a part of the AES standard. If the bytes being encrypted are larger than the specified block then AES is executed concurrently. This also means that AES has to encrypt a minimum of 16 bytes. If the plain text is smaller than 16 bytes then it must be padded. Simply said the block is a reference to the bytes that are processed by the algorithm. State: Defines the current condition (state) of the block. That is the block of bytes that are currently being worked on. The state starts off being equal to the block, however it changes as each round of the algorithms executes. Plainly said this is the block in progress. XOR Refers to the bitwise operator Exclusive Or. XOR operates on the individual bits in a byte in the following way: 0 XOR 0 = 0 1 XOR 0 = 1 1 XOR 1 = 0 0 XOR 1 = 1 For example the Hex digits D4 XOR FF 11010100 XOR 11111111 = 00101011 (Hex 2B) Another interesting property of the XOR operator is that it is reversible.
    [Show full text]
  • Mixture Differential Cryptanalysis and Structural Truncated Differential Attacks on Round-Reduced
    Mixture Differential Cryptanalysis and Structural Truncated Differential Attacks on round-reduced AES Lorenzo Grassi IAIK, Graz University of Technology, Austria [email protected] Abstract. At Eurocrypt 2017 the first secret-key distinguisher for 5-round AES - based on the “multiple-of-8” property - has been presented. Although it allows to distinguish a random permutation from an AES-like one, it seems rather hard to implement a key-recovery attack different than brute-force like using such a distinguisher. In this paper we introduce “Mixture Differential Cryptanalysis” on round-reduced AES- like ciphers, a way to translate the (complex) “multiple-of-8” 5-round distinguisher into a simpler and more convenient one (though, on a smaller number of rounds). Given a pair of chosen plaintexts, the idea is to construct new pairs of plaintexts by mixing the generating variables of the original pair of plaintexts. Here we theoretically prove that for 4-round AES the corresponding ciphertexts of the original pair of plaintexts lie in a particular subspace if and only if the corresponding pairs of ciphertexts of the new pairs of plaintexts have the same property. Such secret-key distinguisher - which is independent of the secret-key, of the details of the S-Box and of the MixColumns matrix (except for the branch number equal to 5) - can be used as starting point to set up new key-recovery attacks on round-reduced AES. Besides a theoretical explanation, we also provide a practical verification both of the distinguisher and of the attack. As a second contribution, we show how to combine this new 4-round distinguisher with a modified version of a truncated differential distinguisher in order to set up new 5-round distinguishers, that exploit properties which are independent of the secret key, of the details of the S-Box and of the MixColumns matrix.
    [Show full text]
  • ICEBERG : an Involutional Cipher Efficient for Block Encryption in Reconfigurable Hardware
    1 ICEBERG : an Involutional Cipher Efficient for Block Encryption in Reconfigurable Hardware. Francois-Xavier Standaert, Gilles Piret, Gael Rouvroy, Jean-Jacques Quisquater, Jean-Didier Legat UCL Crypto Group Laboratoire de Microelectronique Universite Catholique de Louvain Place du Levant, 3, B-1348 Louvain-La-Neuve, Belgium standaert,piret,rouvroy,quisquater,[email protected] Abstract. We present a fast involutional block cipher optimized for re- configurable hardware implementations. ICEBERG uses 64-bit text blocks and 128-bit keys. All components are involutional and allow very effi- cient combinations of encryption/decryption. Hardware implementations of ICEBERG allow to change the key at every clock cycle without any per- formance loss and its round keys are derived “on-the-fly” in encryption and decryption modes (no storage of round keys is needed). The result- ing design offers better hardware efficiency than other recent 128-key-bit block ciphers. Resistance against side-channel cryptanalysis was also con- sidered as a design criteria for ICEBERG. Keywords: block cipher design, efficient implementations, reconfigurable hardware, side-channel resistance. 1 Introduction In October 2000, NIST (National Institute of Standards and Technology) se- lected Rijndael as the new Advanced Encryption Standard. The selection pro- cess included performance evaluation on both software and hardware platforms. However, as implementation versatility was a criteria for the selection of the AES, it appeared that Rijndael is not optimal for reconfigurable hardware im- plementations. Its highly expensive substitution boxes are a typical bottleneck but the combination of encryption and decryption in hardware is probably as critical. In general, observing the AES candidates [1, 2], one may assess that the cri- teria selected for their evaluation led to highly conservative designs although the context of certain cryptanalysis may be considered as very unlikely (e.g.
    [Show full text]
  • A Brief Outlook at Block Ciphers
    A Brief Outlook at Block Ciphers Pascal Junod Ecole¶ Polytechnique F¶ed¶eralede Lausanne, Suisse CSA'03, Rabat, Maroc, 10-09-2003 Content F Generic Concepts F DES / AES F Cryptanalysis of Block Ciphers F Provable Security CSA'03, 10 septembre 2003, Rabat, Maroc { i { Block Cipher P e d P C K K CSA'03, 10 septembre 2003, Rabat, Maroc { ii { Block Cipher (2) F Deterministic, invertible function: e : {0, 1}n × K → {0, 1}n d : {0, 1}n × K → {0, 1}n F The function is parametered by a key K. F Mapping an n-bit plaintext P to an n-bit ciphertext C: C = eK(P ) F The function must be a bijection for a ¯xed key. CSA'03, 10 septembre 2003, Rabat, Maroc { iii { Product Ciphers and Iterated Block Ciphers F A product cipher combines two or more transformations in a manner intending that the resulting cipher is (hopefully) more secure than the individual components. F An iterated block cipher is a block cipher involving the sequential repeti- tion of an internal function f called a round function. Parameters include the number of rounds r, the block bit size n and the bit size k of the input key K from which r subkeys ki (called round keys) are derived. For invertibility purposes, the round function f is a bijection on the round input for each value ki. CSA'03, 10 septembre 2003, Rabat, Maroc { iv { Product Ciphers and Iterated Block Ciphers (2) P K f k1 f k2 f kr C CSA'03, 10 septembre 2003, Rabat, Maroc { v { Good and Bad Block Ciphers F Flexibility F Throughput F Estimated Security Level CSA'03, 10 septembre 2003, Rabat, Maroc { vi { Data Encryption Standard (DES) F American standard from (1976 - 1998).
    [Show full text]