DOCSLIB.ORG

Copyright by Gokhan Sayilar 2014 the Thesis Committee for Gokhan Sayilar Certifies That This Is the Approved Version of the Following Thesis

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Copyright by Gokhan Sayilar 2014 the Thesis Committee for Gokhan Sayilar Certifies That This Is the Approved Version of the Following Thesis Copyright by Gokhan Sayilar 2014 The Thesis Committee for Gokhan Sayilar Certifies that this is the approved version of the following thesis: Cryptoraptor: High Throughput Reconfigurable Cryptographic Processor for Symmetric Key Encryption and Cryptographic Hash Functions APPROVED BY SUPERVISING COMMITTEE: Derek Chiou, Supervisor Mohit Tiwari Cryptoraptor: High Throughput Reconfigurable Cryptographic Processor for Symmetric Key Encryption and Cryptographic Hash Functions by Gokhan Sayilar, B.S. THESIS Presented to the Faculty of the Graduate School of The University of Texas at Austin in Partial Fulfillment of the Requirements for the Degree of MASTER OF SCIENCE IN ENGINEERING THE UNIVERSITY OF TEXAS AT AUSTIN December 2014 To my family and many friends... Acknowledgments A major research project like this is never the work of anyone alone. I would like to extend my appreciation especially to the following. First and foremost I offer my sincerest gratitude to my supervisor, Dr. Derek Chiou, for his excellent guidance, caring, and patience. I would also like to thank him for being an open person to ideas, encouraging and helping me to shape my interest and ideas, and giving me the freedom to work in my own way. He’s the funniest advisor and one of the smartest people I know. Besides my advisor, I would like to thank to my second reader, Dr. Mohit Tiwari, for his advises and insightful comments. I am also thankful to my friends in US, Turkey, and other parts of the World for being sources of laughter, joy, and support. Last but not least, I would like to thank my parents and my brother for their continuous love and unconditional support in any decision that I make. I also want to thank to Semiconductor Research Corporation and Freescale Semiconductor, Inc for their financial support which allowed me to undertake this research For any errors or inadequacies that may remain in this work, of course, the responsibility is entirely my own. v Cryptoraptor: High Throughput Reconfigurable Cryptographic Processor for Symmetric Key Encryption and Cryptographic Hash Functions Gokhan Sayilar, M.S.E The University of Texas at Austin, 2014 Supervisor: Derek Chiou In cryptographic processor design, the selection of functional primitives and connection structures between these primitives are extremely crucial to maximize throughput and flexibility. Hence, detailed analysis on the speci- fications and requirements of existing crypto-systems plays a crucial role in cryptographic processor design. This thesis provides the most comprehensive literature review that we are aware of on the widest range of existing cryp- tographic algorithms, their specifications, requirements, and hardware struc- tures. In the light of this analysis, it also describes a high performance, low power, and highly flexible cryptographic processor, Cryptoraptor, that is de- signed to support both today’s and tomorrow’s encryption standards. To the best of our knowledge, the proposed cryptographic processor supports the widest range of cryptographic algorithms compared to other solutions in the literature and is the only crypto-specific processor targeting the future stan- dards as well. Unlike previous work, we aim for maximum throughput for all vi known encryption standards, and to support future standards as well. Our 1GHz design achieves a peak throughput of 128Gbps for AES-128 which is competitive with ASIC designs and has 25X and 160X higher throughput per area than CPU and GPU solutions, respectively. vii Table of Contents Acknowledgments v Abstract vi List of Tables xi List of Figures xiii Chapter 1. Introduction and Motivation 1 1.1 Introduction . 1 1.2 Our Contributions . 4 1.3 Thesis Outline . 5 Chapter 2. Related Work 7 2.1 Instruction Set Architecture Extensions . 8 2.2 Algorithm Specific Hardware . 10 2.3 Domain Independent Configurable Processors . 11 2.4 Configurable Cryptographic Processors . 13 Chapter 3. Cryptographic Algorithm Analysis 17 3.1 Existing Workload Characterizations . 17 3.2 Algorithm Selection . 19 3.3 Analysis Methodology . 23 3.4 Detailed Analysis . 24 3.4.1 Operation Classes . 24 3.4.2 Table Lookup Structure . 28 3.4.3 Bundled Operation Patterns . 31 3.4.4 Special Functional Units . 33 3.4.5 Processing Element Width . 37 viii 3.4.6 Connection Structures . 39 3.4.7 Storage Requirements . 41 Chapter 4. Cryptographic Algorithm Instrumentation 43 4.1 Existing Binary Instrumentation of Cryptographic Algorithms 43 4.2 Instrumentation Methodology . 45 4.3 Detailed Analysis . 47 Chapter 5. Cryptoraptor: Reconfigurable Cryptographic Pro- cessor 51 5.1 Design Methodology . 51 5.2 Cryptoraptor . 53 5.3 Execution Tile . 54 5.4 Connection Row . 56 5.5 Processing Element Row . 59 5.6 Processing Element . 60 5.7 Functional Units . 64 5.7.1 Logical Operation Unit (LOU) . 64 5.7.2 Table Lookup Unit (TLU) . 67 5.7.3 Arithmetic Unit (AU) . 69 5.7.4 Permutation/Expansion Unit (PEU) . 71 5.7.5 Shifter/Rotator Unit (SRU) . 72 Chapter 6. Processor Analysis 75 6.1 Implementation . 75 6.2 Timing Analysis . 77 6.3 Area Analysis . 79 6.4 Power Analysis . 82 6.5 Performance Analysis . 86 6.6 Resource Utilization . 93 6.7 Current Algorithm Coverage . 95 6.8 Limitations . 97 ix Chapter 7. Cryptographic Algorithm Mapping 100 7.1 Block Ciphers . 103 7.1.1 Advanced Encryption Standard (AES) . 104 7.1.2 Blowfish . 107 7.1.3 Camellia . 109 7.1.4 CAST-128 . 112 7.1.5 Data Encryption Standard (DES) . 115 7.1.6 GOST . 118 7.1.7 Kasumi . 119 7.1.8 Rivest Cipher 5 (RC5) . 122 7.1.9 SEED . 124 7.1.10 Twofish . 126 7.2 Stream Ciphers . 129 7.2.1 Rivest Cipher 4 (RC4) . 129 7.2.2 Phelix . 131 7.3 Cryptographic Hash Functions . 133 7.3.1 Message Digest Algorithm-4 (MD4) . 134 7.3.2 Message Digest Algorithm-5 (MD5) . 136 7.3.3 Secure Hash Algorithm-1 (SHA1) . 138 7.3.4 Secure Hash Algorithm-2 (SHA2) . 139 Chapter 8. Future Work 143 Chapter 9. Conclusion 145 Appendices 147 Appendix A. Detailed Operation Classes Usage 148 Appendix B. Operation Clusters 153 Appendix C. Operation Bundles 155 Appendix D. Detailed Processing Element Width Usage 157 Bibliography 159 x List of Tables 3.1 The distribution number of parallel lookup operation in cryp- tographic algorithms . 31 3.2 The distribution of XOR and SBOX patterns in cryptographic algorithms . 33 3.3 The distribution of Shift/rotate and logic operation patterns in cryptographic algorithms . 33 3.4 The distribution of XOR and Arithmetic operation patterns in cryptographic algorithms . 34 3.5 The special functional unit requirements in cryptographic algo- rithms . 34 3.6 The modular arithmetic base distribution in cryptographic al- gorithms . 36 4.1 Instruction Classes ......................... 46 4.2 Instruction Class Frequencies .................... 47 4.3 Operation Class Frequencies .................... 47 4.4 Distribution of Memory Accesses . 49 4.5 Distribution of Data Read/Write Granularities . 49 5.1 The control structure of one PE connector . 57 5.2 The input selection structure of PE connector (least significant 4 bits of 6 selection bits) . 58 5.3 The input structure of PE . 61 5.4 The output structure of PE . 62 5.5 The control signal structure of PE . 62 5.6 The Configurable Logic Block functionality . 66 5.7 The Table Lookup Unit functionality . 68 5.8 The Arithmetic Unit functionality . 70 5.9 The Bit Selector control structure . 72 5.10 The Shifter/Rotator Unit functionality . 73 xi 5.11 The Operation Block functionality . 74 6.1 The cycle time of functional units in PE . 77 6.2 The cycle time comparison of functional units with bundles . 78 6.3 The cycle time of sub-modules in Cryptoraptor . 79 6.4 The area comparison between Design Compiler and CACTI . 80 6.5 The area of functional units in PE . 80 6.6 The area comparison of functional units with bundles . 81 6.7 The area of sub-modules in Cryptoraptor . 81 6.8 The power usage comparison for memory blocks . 82 6.9 The power usage of functional units in PE . 83 6.10 The power usage comparison of functional units with bundles . 84 6.11 The power usage of modules in Cryptoraptor . 84 6.12 Power usage comparison of GPPs . 85 6.13 AES Performance comparison of ASIC solutions . 88 6.14 AES Performance comparison of FPGA solutions . 90 6.15 AES Performance comparison of GPP solutions . 91 6.16 Performance summary of algorithms on Cryptoraptor . 92 6.17 Resource utilization summary of mapped algorithms on Cryptoraptor 94 6.18 Resource utilization summary of mapped algorithms on Cryptoraptor 94 6.19 The current coverage of cryptographic algorithms . 96 7.1 Algorithm summary and selection for mapping process . 101 7.2 Instruction List . 102 A.1 The special functional unit requirements in cryptographic algo- rithms . 148 B.1 Operation clusters and patterns . 153 C.1 Operation patterns . 155 D.1 Operation width (PE way) . 157 xii List of Figures 2.1 The distribution of energy dissipation in an in-order RISC pro- cessor [92] . 12 3.1 The use of operation classes in cryptographic algorithm classes 25 3.2 The ratio of different table sizes used in cryptographic algorithms 29 3.3 The ratio of different table entry widths used in cryptographic algorithms . 30 3.4 The distribution of logical operation patterns in cryptographic algorithms . 32 3.5 The coverage ratio of algorithms that require modular arithmetic 37 3.6 The distribution of algorithms requires 1, 2, 4, 8 and 16-way processing elements . 38 3.7 The trend of connection structure among processing elements used for implementing algorithms . 40 4.1 Instruction and Operation Class Distribution . 48 5.1 The internal structure of Cryptoraptor . 53 5.2 The high level structure of Execution Tile .
Load more

Recommended publications
  • The Design of Rijndael: AES - the Advanced Encryption Standard/Joan Daemen, Vincent Rijmen
    Joan Daernen · Vincent Rijrnen Theof Design Rijndael AES - The Advanced Encryption Standard With 48 Figures and 17 Tables Springer Berlin Heidelberg New York Barcelona Hong Kong London Milan Paris Springer TnL-1Jn Joan Daemen Foreword Proton World International (PWI) Zweefvliegtuigstraat 10 1130 Brussels, Belgium Vincent Rijmen Cryptomathic NV Lei Sa 3000 Leuven, Belgium Rijndael was the surprise winner of the contest for the new Advanced En­ cryption Standard (AES) for the United States. This contest was organized and run by the National Institute for Standards and Technology (NIST) be­ ginning in January 1997; Rij ndael was announced as the winner in October 2000. It was the "surprise winner" because many observers (and even some participants) expressed scepticism that the U.S. government would adopt as Library of Congress Cataloging-in-Publication Data an encryption standard any algorithm that was not designed by U.S. citizens. Daemen, Joan, 1965- Yet NIST ran an open, international, selection process that should serve The design of Rijndael: AES - The Advanced Encryption Standard/Joan Daemen, Vincent Rijmen. as model for other standards organizations. For example, NIST held their p.cm. Includes bibliographical references and index. 1999 AES meeting in Rome, Italy. The five finalist algorithms were designed ISBN 3540425802 (alk. paper) . .. by teams from all over the world. 1. Computer security - Passwords. 2. Data encryption (Computer sCIence) I. RIJmen, In the end, the elegance, efficiency, security, and principled design of Vincent, 1970- II. Title Rijndael won the day for its two Belgian designers, Joan Daemen and Vincent QA76.9.A25 D32 2001 Rijmen, over the competing finalist designs from RSA, IBl\!I, Counterpane 2001049851 005.8-dc21 Systems, and an English/Israeli/Danish team.
    [Show full text]
  • Camellia: a 128-Bit Block Cipher Suitable for Multiple Platforms
    gopyright x nd witsuishi iletri gorp ortion PHHHEPHHI g mel l iX e IPVEfit flo k gipher uitle for wultiple ltforms y z y uzumro eoki etsuyshikw wsyuki und z y z z witsuru wtsui hiho worii tunkoxkjim oshio okit y xipp on elegrph nd elephone gorp ortion IEI rikrino okD okosukD ungwD PQWEHVRU tpn fmroDkndDshihogdislFnttFoFjp z witsuishi iletri gorp ortion SEIEI yfunD umkurD ungwD PRUEVSHI tpn fihikwDmtsuiDjuneISDtokitgdissFislFmeloFoFjp er IFHX tuly IQD PHHH er PFHX eptemer PTD PHHI estrtF e present new IPVEit lo k ipher lled gmel liF gmelli supp orts IPVEit lo ksizend IPVED IWPED nd PSTEit keysD iFeF the sme interfe sp eitions s the edvned inryption tndrd @eiAF iieny on oth softE wre nd hrdwre pltforms is remrkle hrteristi of gmelli in ddition to its high level of seurityF st is onrmed tht gmelli provides strong seurity ginst dierentil nd liner ryptnlysisF gompred to the ei nlistsD iFeF weD gTD ijndelD erp entD nd woshD gmelli oers t lest omprle enryption sp eed in softwre nd hrdwreF en optimized implementtion of gmelE li in ssemly lnguge n enrypt on entiums s s @IFIQqrzA t the rte of RUI wits p er seondF sn dditionD distinguishing feture is its smll hrdwre designF e hrdwre implementtionD whih inludes enryptionD deryptionD nd the key shedule for IPVEit keysD o upies only VFIPu gtes using HFIV"m gwy esg lirryF his is in the smllest lss mong ll existing IPVEit lo k iphersF gopyright x nd witsuishi iletri gorp ortion PHHHEPHHI gontents I sntro dution I P hesign tionle Q PFI p Efuntion X X X X X X X X X X X X X X X X X X X X X X X X X
    [Show full text]
  • Detection and Exploitation of Small Correlations in Stream Ciphers
    Detection and Exploitation of Small Correlations in Stream Ciphers Masterthesis conducted under the guidance of Prof. Dr. Joachim Rosenthal and Dr. Gérard Maze Institute of Mathematics, University of Zurich 2008 Urs Wagner Outline This thesis gives an overview of stream ciphers based on linear feedback shift registers (LFSR) and their vulnerability to correlation attacks. In the rst chapter, a short introduction to symmetric key ciphers is given. The main focus hereby is on LFSR based stream ciphers. Further, the principles of LFSR are presented. The chapter is then closed by a stream cipher example, the Gee Generator. The second chapter treats the general approach of correlation attacks. Moreover a correlation attack is mounted on the Gee Generator and the practical results are presented. Boolean functions play an important role in stream cipher designs. The Walsh transform, a tool to analyze the cryptographic properties of Boolean functions, is introduced in chapter 3. Additionally, the cryptographic properties themselves are discussed. In the fourth chapter, an improved kind of correlation attack -the fast correlation attack- is presented. It exploits the same weaknesses in the stream cipher designs as the correlation attack, the mode of operation is however dierent. In the last chapter, the insights gained in the previous chapters are used to suggest an attack on a stream cipher by Philips, named Hitag 2. 1 Acknowledgments This thesis was written in the course of my master's studies at the University of Zurich. I am grateful to Prof. Joachim Rosenthal who gave me the opportunity to write my master thesis in cryptography. Special thanks go to Dr.
    [Show full text]
  • Zero Correlation Linear Cryptanalysis on LEA Family Ciphers
    Journal of Communications Vol. 11, No. 7, July 2016 Zero Correlation Linear Cryptanalysis on LEA Family Ciphers Kai Zhang, Jie Guan, and Bin Hu Information Science and Technology Institute, Zhengzhou 450000, China Email: [email protected]; [email protected]; [email protected] Abstract—In recent two years, zero correlation linear Zero correlation linear cryptanalysis was firstly cryptanalysis has shown its great potential in cryptanalysis and proposed by Andrey Bogdanov and Vicent Rijmen in it has proven to be effective against massive ciphers. LEA is a 2011 [2], [3]. Generally speaking, this cryptanalytic block cipher proposed by Deukjo Hong, who is the designer of method can be concluded as “use linear approximation of an ISO standard block cipher - HIGHT. This paper evaluates the probability 1/2 to eliminate the wrong key candidates”. security level on LEA family ciphers against zero correlation linear cryptanalysis. Firstly, we identify some 9-round zero However, in this basic model of zero correlation linear correlation linear hulls for LEA. Accordingly, we propose a cryptanalysis, the data complexity is about half of the full distinguishing attack on all variants of 9-round LEA family code book. The high data complexity greatly limits the ciphers. Then we propose the first zero correlation linear application of this new method. In FSE 2012, multiple cryptanalysis on 13-round LEA-192 and 14-round LEA-256. zero correlation linear cryptanalysis [4] was proposed For 13-round LEA-192, we propose a key recovery attack with which use multiple zero correlation linear approximations time complexity of 2131.30 13-round LEA encryptions, data to reduce the data complexity.
    [Show full text]
  • Blockchain Beyond Cryptocurrency Or Is Private Chain a Hoax Or How I Lose Money in Bitcoin but Still Decide to Get in the Research
    Blockchain Beyond Cryptocurrency Or Is Private Chain a Hoax Or How I Lose Money in Bitcoin but still Decide to Get in the Research Hong Wan Edward P. Fitts Department of Industrial and Systems Engineering Sept 2019 In this talk: • Blockchain and trust • Different kinds of blockchain • Cases and Examples • Discussions First Things First https://images.app.goo.gl/JuNznV8dZKTaHWEf9 Disclaimer Block and Chain https://youtu.be/SSo_EIwHSd4 https://youtu.be/SSo_EIwHSd4 Blockchain Design Questions • Who can access data: Private vs. Public • Who can validate data/add block: Permissioned vs Permissionless • Consensus to be used: Trade-off among security and efficiency. https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&ved=2ahUKEwinjN2s7_DkAhXlmeAKHXxhAIUQjRx6BAgBEAQ&url=ht tps%3A%2F%2F101blockchains.com%2Fconsensus-algorithms-blockchain%2F&psig=AOvVaw23pKh4qS8W_xgyajJ3aFl9&ust=1569669093339830 Bad News First • “Private blockchains are completely uninteresting… -- the only reason to operate one is to ride on the blockchain hype…” Bruce Schneier Tonight we will talk about cryptocurrencies… .everything you don’t understand money combined by everything you don’t understand about computers…. Cryptocurrencies: Last Week Tonight with John Oliver (HBO) https://www.schneier.com/blog/archives/2019/02/blockchain_and_.html http://shorturl.at/ahsRU, shorturl.at/gETV2 https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&ved=2ahUKEwj- https://d279m997dpfwgl.cloudfront.net/wp/2017/11/Trustp72L7vDkAhVjQt8KHU18CjsQjRx6BAgBEAQ&url=https%3A%2F%2Fwww.wbur.org%2Fonpoint%2F2017%2F11%2F20%2Fwho-can-cropped.jpg-you-
    [Show full text]
  • Impossible Differentials in Twofish
    Twofish Technical Report #5 Impossible differentials in Twofish Niels Ferguson∗ October 19, 1999 Abstract We show how an impossible-differential attack, first applied to DEAL by Knudsen, can be applied to Twofish. This attack breaks six rounds of the 256-bit key version using 2256 steps; it cannot be extended to seven or more Twofish rounds. Keywords: Twofish, cryptography, cryptanalysis, impossible differential, block cipher, AES. Current web site: http://www.counterpane.com/twofish.html 1 Introduction 2.1 Twofish as a pure Feistel cipher Twofish is one of the finalists for the AES [SKW+98, As mentioned in [SKW+98, section 7.9] and SKW+99]. In [Knu98a, Knu98b] Lars Knudsen used [SKW+99, section 7.9.3] we can rewrite Twofish to a 5-round impossible differential to attack DEAL. be a pure Feistel cipher. We will demonstrate how Eli Biham, Alex Biryukov, and Adi Shamir gave the this is done. The main idea is to save up all the ro- technique the name of `impossible differential', and tations until just before the output whitening, and applied it with great success to Skipjack [BBS99]. apply them there. We will use primes to denote the In this report we show how Knudsen's attack can values in our new representation. We start with the be applied to Twofish. We use the notation from round values: [SKW+98] and [SKW+99]; readers not familiar with R0 = ROL(Rr;0; (r + 1)=2 ) the notation should consult one of these references. r;0 b c R0 = ROR(Rr;1; (r + 1)=2 ) r;1 b c R0 = ROL(Rr;2; r=2 ) 2 The attack r;2 b c R0 = ROR(Rr;3; r=2 ) r;3 b c Knudsen's 5-round impossible differential works for To get the same output we update the rule to com- any Feistel cipher where the round function is in- pute the output whitening.
    [Show full text]
  • A Low-Latency Block Cipher for Pervasive Computing Applications Extended Abstract?
    PRINCE { A Low-latency Block Cipher for Pervasive Computing Applications Extended Abstract? Julia Borghoff1??, Anne Canteaut1;2???, Tim G¨uneysu3, Elif Bilge Kavun3, Miroslav Knezevic4, Lars R. Knudsen1, Gregor Leander1y, Ventzislav Nikov4, Christof Paar3, Christian Rechberger1, Peter Rombouts4, Søren S. Thomsen1, and Tolga Yal¸cın3 1 Technical University of Denmark 2 INRIA, Paris-Rocquencourt, France 3 Ruhr-University Bochum, Germany 4 NXP Semiconductors, Leuven, Belgium Abstract. This paper presents a block cipher that is optimized with respect to latency when implemented in hardware. Such ciphers are de- sirable for many future pervasive applications with real-time security needs. Our cipher, named PRINCE, allows encryption of data within one clock cycle with a very competitive chip area compared to known solutions. The fully unrolled fashion in which such algorithms need to be implemented calls for innovative design choices. The number of rounds must be moderate and rounds must have short delays in hardware. At the same time, the traditional need that a cipher has to be iterative with very similar round functions disappears, an observation that increases the design space for the algorithm. An important further requirement is that realizing decryption and encryption results in minimum additional costs. PRINCE is designed in such a way that the overhead for decryp- tion on top of encryption is negligible. More precisely for our cipher it holds that decryption for one key corresponds to encryption with a re- lated key. This property we refer to as α-reflection is of independent interest and we prove its soundness against generic attacks. 1 Introduction The area of lightweight cryptography, i.e., ciphers with particularly low imple- mentation costs, has drawn considerable attention over the last years.
    [Show full text]
  • On the Feistel Counterpart of the Boomerang Connectivity Table Introduction and Analysis of the FBCT
    IACR Transactions on Symmetric Cryptology ISSN 2519-173X, Vol. 2020, No. 1, pp. 331–362. DOI:10.13154/tosc.v2020.i1.331-362 On the Feistel Counterpart of the Boomerang Connectivity Table Introduction and Analysis of the FBCT Hamid Boukerrou, Paul Huynh, Virginie Lallemand, Bimal Mandal and Marine Minier Université de Lorraine, CNRS, Inria, LORIA, F-54000 Nancy, France [email protected] Abstract. At Eurocrypt 2018, Cid et al. introduced the Boomerang Connectivity Table (BCT), a tool to compute the probability of the middle round of a boomerang distinguisher from the description of the cipher’s Sbox(es). Their new table and the following works led to a refined understanding of boomerangs, and resulted in a series of improved attacks. Still, these works only addressed the case of Substitution Permutation Networks, and completely left out the case of ciphers following a Feistel construction. In this article, we address this lack by introducing the FBCT, the Feistel counterpart of the BCT. We show that the coefficient at row ∆i, ∇o corresponds to the number of times the second order derivative at points (∆i, ∇o) cancels out. We explore the properties of the FBCT and compare it to what is known on the BCT. Taking matters further, we show how to compute the probability of a boomerang switch over multiple rounds with a generic formula. Keywords: Cryptanalysis · Feistel cipher · Boomerang attack · Boomerang switch 1 Introduction Boomerang attacks date back to 1999, when David Wagner introduced them at FSE to break COCONUT98 [Wag99]. When presented, this variant of differential attacks [BS91] shook up the conventional thinking that consisted in believing that a cipher with only small probability differentials is secure.
    [Show full text]
  • Lecture Notes on Error-Correcting Codes and Their Applications to Symmetric Cryptography
    Lecture Notes on Error-Correcting Codes and their Applications to Symmetric Cryptography Anne Canteaut Inria [email protected] https://www.rocq.inria.fr/secret/Anne.Canteaut/ version: December 4, 2017 Contents 10 Reed-Muller Codes and Boolean Functions 5 10.1 Boolean functions and their representations . .5 10.1.1 Truth table and Algebraic normal form . .5 10.1.2 Computing the Algebraic Normal Form . .8 10.2 Reed-Muller codes . 11 10.2.1 Definition . 11 10.2.2 The (uju + v) construction . 12 10.3 Weight distributions of Reed-Muller codes . 13 10.3.1 Minimum distance of R(r; m) ........................ 13 10.3.2 Weight distribution of R(1; m) ....................... 14 10.3.3 Weight distribution of R(m − 1; m) ..................... 15 10.3.4 Weight distribution of R(2; m) ....................... 15 10.3.5 Duality . 15 10.3.6 Other properties of the weights of R(r; m) ................. 17 11 Stream Cipher Basics 19 11.1 Basic principle . 19 11.1.1 Synchronous additive stream ciphers . 19 11.1.2 Pseudo-random generators . 21 11.1.3 General functionalities of stream ciphers and usage . 22 11.2 Models of attacks . 23 11.3 Generic attacks on stream ciphers . 24 11.3.1 Period of the sequence of internal states . 24 11.3.2 Time-Memory-Data Trade-off attacks . 27 11.3.3 Statistical tests . 36 11.4 The main families of stream ciphers . 37 11.4.1 Information-theoretically generators . 37 11.4.2 Generators based on a difficult mathematical problem . 38 11.4.3 Generators based on block ciphers .
    [Show full text]
  • Report on the AES Candidates
    Rep ort on the AES Candidates 1 2 1 3 Olivier Baudron , Henri Gilb ert , Louis Granb oulan , Helena Handschuh , 4 1 5 1 Antoine Joux , Phong Nguyen ,Fabrice Noilhan ,David Pointcheval , 1 1 1 1 Thomas Pornin , Guillaume Poupard , Jacques Stern , and Serge Vaudenay 1 Ecole Normale Sup erieure { CNRS 2 France Telecom 3 Gemplus { ENST 4 SCSSI 5 Universit e d'Orsay { LRI Contact e-mail: [email protected] Abstract This do cument rep orts the activities of the AES working group organized at the Ecole Normale Sup erieure. Several candidates are evaluated. In particular we outline some weaknesses in the designs of some candidates. We mainly discuss selection criteria b etween the can- didates, and make case-by-case comments. We nally recommend the selection of Mars, RC6, Serp ent, ... and DFC. As the rep ort is b eing nalized, we also added some new preliminary cryptanalysis on RC6 and Crypton in the App endix which are not considered in the main b o dy of the rep ort. Designing the encryption standard of the rst twentyyears of the twenty rst century is a challenging task: we need to predict p ossible future technologies, and wehavetotake unknown future attacks in account. Following the AES pro cess initiated by NIST, we organized an op en working group at the Ecole Normale Sup erieure. This group met two hours a week to review the AES candidates. The present do cument rep orts its results. Another task of this group was to up date the DFC candidate submitted by CNRS [16, 17] and to answer questions which had b een omitted in previous 1 rep orts on DFC.
    [Show full text]
  • The Mathemathics of Secrets.Pdf
    THE MATHEMATICS OF SECRETS THE MATHEMATICS OF SECRETS CRYPTOGRAPHY FROM CAESAR CIPHERS TO DIGITAL ENCRYPTION JOSHUA HOLDEN PRINCETON UNIVERSITY PRESS PRINCETON AND OXFORD Copyright c 2017 by Princeton University Press Published by Princeton University Press, 41 William Street, Princeton, New Jersey 08540 In the United Kingdom: Princeton University Press, 6 Oxford Street, Woodstock, Oxfordshire OX20 1TR press.princeton.edu Jacket image courtesy of Shutterstock; design by Lorraine Betz Doneker All Rights Reserved Library of Congress Cataloging-in-Publication Data Names: Holden, Joshua, 1970– author. Title: The mathematics of secrets : cryptography from Caesar ciphers to digital encryption / Joshua Holden. Description: Princeton : Princeton University Press, [2017] | Includes bibliographical references and index. Identifiers: LCCN 2016014840 | ISBN 9780691141756 (hardcover : alk. paper) Subjects: LCSH: Cryptography—Mathematics. | Ciphers. | Computer security. Classification: LCC Z103 .H664 2017 | DDC 005.8/2—dc23 LC record available at https://lccn.loc.gov/2016014840 British Library Cataloging-in-Publication Data is available This book has been composed in Linux Libertine Printed on acid-free paper. ∞ Printed in the United States of America 13579108642 To Lana and Richard for their love and support CONTENTS Preface xi Acknowledgments xiii Introduction to Ciphers and Substitution 1 1.1 Alice and Bob and Carl and Julius: Terminology and Caesar Cipher 1 1.2 The Key to the Matter: Generalizing the Caesar Cipher 4 1.3 Multiplicative Ciphers 6
    [Show full text]
  • The Daily Egyptian, March 09, 1982
    Southern Illinois University Carbondale OpenSIUC March 1982 Daily Egyptian 1982 3-9-1982 The aiD ly Egyptian, March 09, 1982 Daily Egyptian Staff Follow this and additional works at: https://opensiuc.lib.siu.edu/de_March1982 Volume 67, Issue 114 Recommended Citation , . "The aiD ly Egyptian, March 09, 1982." (Mar 1982). This Article is brought to you for free and open access by the Daily Egyptian 1982 at OpenSIUC. It has been accepted for inclusion in March 1982 by an authorized administrator of OpenSIUC. For more information, please contact [email protected]. Wrestling, water polo cut from sports By Steve MeeHl! student affairs. Both sports Swinburne said SIU-C will try SpIns E4II ... hltve finished their seasons and dual meets this season after a 9- records. He said makiDJ the to continue to offer the 7 record a year ago. The Swinburne said the cutback "diversity" in athletics it has cutback effective immediately The Inten:oUegiate Athletics takes effect immediately. WTP..atllll, program started at frees wrestlers to seek AcIvisM'y Committee Monday bad in the past. Sh] in 1950. HartzOl said droppiDl the two Hartzog said the dropping of scholarships at other schools. unanimously apPro~ed drop­ Hartzog said wrestling Coach sports would save aboUt 135.000. the two intercollegiate sports "This gives the opportunity to piDl water polo and wrestling which wiD be used to improve Linn LofII will not be left "high our two reaUy good Wrestlers to from the athletics program. was a "hard decision to make" and dry" by elimination of the men's athletin programs.
    [Show full text]