Generalized in a Straightforward Way to Include More Than One Round

Total pages: 16

File type: pdf, size: 1020Kb

A REPORT ON BLOCK CIPHERS (Literature Survey)

ANUJ PRATEEK, BITS, PILANI
R GURUPRASAD, NAL, BANGALORE

Reviewed by: Dr Vidyadhar Mudkavi, NAL, BANGALORE

OCTOBER 2006
NATIONAL AEROSPACE LABORATORIES, BANGALORE

ACKNOWLEDGEMENT

I would like to extend my deep gratitude to Dr. A. R. Upadhya, Director, NAL and Dr. Ranjan Moodithaya, Head KTMD, NAL for granting me the permission and resources, which were indispensable for writing this report. I am also extremely grateful to Dr. M. R. Nayak, Head, TS and Dr. R. M. Jha, Scientist, ALD for their kind permission and very useful suggestions to work in this very interesting area. I would also like to express my deep gratitude to Dr. Vidyadhar Mudkavi, Scientist, CTFD and Dr. U. N. Sinha, Head, FSD for their guidance, technical help and constant motivation throughout the writing of the report. I would like to extend my acknowledgement to Dr. S. Bhogle, who provided the initial motivation to carry out this report. Last but not the least, I would like to extend my special thanks to Mr. R. Guruprasad for contributing immensely to SECTION ONE. It would not be wrong to say that it is completely his work. I would also like to thank him for providing me various resources from his lab and in person too.

CONTENTS

S.No.  TITLE                                   Page No.
A      ABSTRACT & INTRODUCTION                 I
B      SECTION ONE                             III
  1    INTRODUCTION TO CRYPTOGRAPHY            1
  2    EVOLUTION OF CRYPTOGRAPHY               6
  3    CHARACTERISTICS OF A GOOD CIPHER        9
       REFERENCES                              R-I
C      SECTION TWO                             IV
  4    PRODUCT CIPHERS                         11
  5    BLOCK MODES                             13
  6    FEISTEL NETWORK                         17
  7    S-BOX                                   19
       REFERENCES                              R-II
D      SECTION THREE                           V
  8    LUCIFER                                 23
  9    DES                                     25
  10   IDEA                                    32
  11   CAST                                    34
  12   LOKI                                    37
  13   SERPENT                                 41
  14   DEAL                                    45
  15   MARS                                    47
  16   SQUARE                                  55
  17   AES                                     58
  18   ANUBIS                                  66
  19   CMEA                                    72
  20   PHELIX                                  74
  21   TIGER                                   78
  22   OTHER ALGORITHMS                        80
       REFERENCES                              R-III
E      SECTION FOUR                            VI
  23   CRYPTANALYSIS                           84
  24   DIFFERENTIAL CRYPTANALYSIS              96
  25   LINEAR CRYPTANALYSIS                    99
       REFERENCES                              R-V
  26   CONCLUSION                              100
  27   FUTURE APPLICATION                      100

ABSTRACT & INTRODUCTION

ABSTRACT

This document is a literature survey about block ciphers, especially those based on the Feistel Network, presented in the form of a report. The report concentrates on providing a starting point for designing strong, secure, and efficient cryptosystems. Various design issues and algorithms are described in the report, and the various forms of cryptanalysis are described as well. The report explains the key players in the design of block ciphers in detail. It will serve as an excellent reference for anyone who wants to design a Feistel network based block cipher.

KEYWORDS: Evolution, Good Cipher Characteristics, Product Ciphers, Feistel Network, S-Box, LUCIFER, DES, IDEA, CAST, LOKI97, SERPENT, DEAL, MARS, SQUARE, AES, ANUBIS, CMEA, PHELIX, TIGER, Cryptanalysis, Differential & Linear Cryptanalysis

INTRODUCTION

Horst Feistel, in his famous article “Cryptography & Computer Privacy,” published in Scientific American in May 1973, rightly wrote in the very first paragraph of the article: “There is growing concern that computers now constitute a dangerous threat to individual privacy. Since many computers contain personal data and are accessible from distant terminals, they are viewed as unexcelled means of assembling large amounts of information about an individual or a group.
It is asserted that it will soon be feasible to compile dossiers in depth of an entire citizenry, where until recently the material for such dossiers was scattered in many separate locations under widely diverse jurisdictions. It will be argued here, however, that a computer system can be adapted to guard its content from everyone but authorized individuals by enciphering the materials in forms highly resistant to cipher breaking.”

Feistel clearly reflected in his words that as the amount of digital content grows, the need for secrecy and authorized access to information increases, and future systems should be able to meet these needs. In the modern era, these needs have been answered by cryptography, the science, and the cryptosystem, the product. In all these years the need has grown manifold in various forms, and so have the illicit activities aimed at acquiring unauthorized information. Every science has its advantages and disadvantages, and so has cryptography. People involved in various illegal businesses have started using cryptosystems to mask their activities, and this has forced law enforcers to drive the evolution of cryptanalysis, i.e. the science of unmasking the crypts. Without arguing the pros and cons of cryptography, the thing that remains a concern for learners of this science is the development of secure cryptosystems. Cryptography is divided into categories, and two of the broad categories of general interest are private key and public key cryptography. This report talks about private key cryptography and, in particular, the sub-sub-domain known as Feistel Network based block ciphers.

The report has been divided into four parts, named sections. The report flows in such a way that the key concepts required in the design of the mentioned cryptosystems are touched upon, and they appear in a progressive sequence.
The report neither goes into deep mathematical aspects such as efficiency analysis and attack testing, nor does it stray from the basic mathematics. The first section briefly introduces cryptography, the evolution of cryptography, and the desired characteristics of a cryptosystem. The second section briefs product ciphers, modes of operation of block ciphers, the Feistel Network, and S-boxes. Feistel Networks fall in the broad category of product ciphers, which is a sub-domain of block ciphers. As block ciphers have various modes of operation, these are introduced in this section too. S-boxes constitute a very important part of a Feistel Network and are the part most prone to attacks, hence their place in the section. The third section, the major part of this report, presents various cryptographic algorithms that have come in the modern age. Algorithms are introduced and explained, and the attacks on them are mentioned. The algorithms picked for presentation are LUCIFER, DES, IDEA, CAST, LOKI, SERPENT, DEAL, MARS, SQUARE, AES, ANUBIS, CMEA, PHELIX, and TIGER. These algorithms provide a strong base for the development of new algorithms and show the variety of attacks that can be made on them. CMEA, PHELIX, and TIGER are the odd ones among the mentioned algorithms but have been included for completeness and for the lessons they teach. CMEA provides an insight into embedded-efficient algorithms. PHELIX and TIGER show the other side of private key encryption, namely stream ciphers and hashes. At the end of this section, an introduction to various other algorithms existing today is given, though the details are omitted as they are more or less covered by the algorithms described in detail. The last part of the section will help improve general knowledge about the algorithms, will provide the names of key people in the field, and lastly will provide a place to look for references. The last section, section four, introduces cryptanalysis.
The section briefs the various methodologies of cryptanalysis and, at the end, talks about differential and linear cryptanalysis, the most powerful types of attacks on present day cryptosystems. The report will serve as an excellent reference for anyone who wants to develop a cryptosystem of the type mentioned, whether an advanced reader or an amateur. It is not that everything related to the design has been covered, but most of it has been, and after reading the report the reader will know how to proceed and where to look for help. Lastly, the report does not guarantee that the reader will be able to actualize the concept, but a step would be taken in the direction of actualization.

“Every science needs effort, but cryptography is not a mere science; it is broader, it is an art: one needs to feel it, imagine it, and breathe it.”

SECTION ONE

Introduction to Cryptography
Evolution of Cryptography
Characteristics of a Good Cipher

- R. Guruprasad
- Anuj Prateek

1. INTRODUCTION TO CRYPTOGRAPHY

The word “cryptography” comes from Greek and means “secret writing.” Earlier, cryptography was used primarily by the military for the purposes of espionage. Cryptography is defined as the science of devising methods that allow information to be sent in a secure form, in such a way that the only person able to retrieve this information is the intended recipient. With the advances in modern communication, technology has enabled businesses and individuals to transport information at a very low cost via public networks such as the Internet. This development comes at the cost of potentially exposing the data transmitted over such a medium. Therefore, it becomes imperative for businesses to make sure that sensitive data is transferred from one point to another in an airtight, secure manner over public networks. Cryptography helps to achieve this goal by making messages unintelligible to all but the intended recipient.
Cryptography as a technique can be summarized by the set {P, C, K, E, D} where:

• P = Plaintext space
• C = Ciphertext space
• K = Key space
• E = Encryption function space
• D = Decryption function space

The basic principle is this: a message being sent is known as plaintext. The message is then coded using a cryptographic algorithm; this process is called encryption. An encrypted message is known as ciphertext, and it is turned back into plaintext by the process of decryption.

Figure 1.1: Schematic of a cryptosystem

It must be assumed that any eavesdropper has access to all communications between the sender and the recipient. A method of encryption is only secure if, even with this complete access, the eavesdropper is still unable to recover the original plaintext from the ciphertext.
Recommended publications
  • The Design of Rijndael: AES - the Advanced Encryption Standard / Joan Daemen, Vincent Rijmen
  • Chapter 3 – Block Ciphers and the Data Encryption Standard (William Stallings, Cryptography and Network Security, Fifth Edition; lecture slides by Lawrie Brown)
  • Analysis of Selected Block Cipher Modes for Authenticated Encryption (Hassan Musallam Ahmed Qahur Al Mahri, PhD thesis, Queensland University of Technology, 2018)
  • COS433/Math 473: Cryptography (Mark Zhandry, Princeton University, Spring 2017)
  • Block Ciphers (Chester Rebeiro, IIT Madras)
  • Development of the Advanced Encryption Standard (Miles E. Smid, Journal of Research of the National Institute of Standards and Technology, Volume 126, Article No. 126024, 2021, https://doi.org/10.6028/jres.126.024)
  • Rotational Cryptanalysis of ARX (Dmitry Khovratovich and Ivica Nikolić, University of Luxembourg)
  • Symmetric Cryptography, Chapter 6 (listed as "Chapter 3 – Block Ciphers and the Data Encryption Standard")
  • MERGING+ANUBIS User Manual (V27.09.2021)
  • The EAX Mode of Operation (M. Bellare, P. Rogaway, D. Wagner, January 18, 2004; preliminary version in Fast Software Encryption ’04)
  • The Mathematics of Secrets: Cryptography from Caesar Ciphers to Digital Encryption (Joshua Holden, Princeton University Press, 2017)
  • McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes (Ewan Fleischmann, Christian Forler, Stefan Lucks, FSE 2012)