Cryptographic Security Analysis of T-310∗


Nicolas T. Courtois (1), Klaus Schmeh (3), Jörg Drobick (5), Jacques Patarin (2), Maria-Bristena Oprisanu (1), Matteo Scarlata (1, 4), Om Bhallamudi (1)

1 University College London, Gower Street, London, UK
2 UVSQ, CNRS, Université de Paris-Saclay, France
3 cryptovision, Gelsenkirchen, Germany
4 Computer Science, University of Pisa, Italy
5 Harnekop NVA Museum, Prötzel, Germany

Abstract. T-310 is an important Cold War cipher [98]. It was the principal encryption algorithm used to protect various state communication lines in Eastern Germany throughout the 1980s. The cipher seems to be quite robust, and until now, no cryptography researcher has proposed an attack on T-310. In this paper we provide a detailed analysis of T-310 in the context of modern cryptography research and other important or similar ciphers developed in the same period. We introduce new notations which show the peculiar internal structure of this cipher in a new light. We point out a number of significant strong and weak properties of this cipher. Finally, we propose several new attacks on T-310.

* This is our "master paper" on T-310. It can be seen as an extended version of several papers which appear in Cryptologia in 2017 and 2018. This eprint paper is our extended monograph, which shows how different questions and different attacks are related and connected to each other. It contains a substantial amount of additional research and technical details.

Recent Updates: This paper is no longer guaranteed to be completely up-to-date with recent developments. Important recent additions are non-linear invariant attacks in Section 23 and Appendix I.3 on the cipher stepping.
Key Words: Cold War, block ciphers, T-310, SKS V/1, unbalanced compressing Feistel ciphers, algebraic cryptanalysis, ElimLin, SAT Solvers, Differential Cryptanalysis, Linear Cryptanalysis, correlation attacks, slide attacks, self-similarity attacks, ciphertext-only attacks, polynomial invariant attacks, related-key differential attacks.

Acknowledgments. We thank Bernd Lippmann, Jens Raeder, Bernhard Esslinger, Marek Grajek, Philippe Guillot, Nathan Keller, Jean-Jacques Quisquater, Angela Sasse, Mate Soos, Kristina Zatylna and Bingsheng Zhang for their comments and suggestions. Some of this work was done by UCL students doing project work for the GA18 Cryptanalysis course taught at University College London in 2014-2018. Students who participated are: Om Bhallamudi, Simon Boehm, Kwok Cheng, Killian Davitt, Maxine Emuobosa, Mario D'Onghia, Mark Daniels, Lizhou Feng, Istvan Hoffer, Gaixin Hong, Marios Georgiou, Tereza Loffelmannova, Alexios Nikos, Maria-Bristena Oprisanu, Nikolai Rozanov, Matteo Scarlata, Qin Tang, Varnavas Papaioannou, Rei Valera, Moyu Wang, Dongni Zhang.

N. T. Courtois et al., https://ia.cr/2017/440/, March 27, 2019

Table of Contents

0 Abstract
1 Basic Facts and History of T-310
  1.1 Chronology on T-310
2 A Block Cipher in A Stream Cipher Mode
  2.1 A First Look At the T-310 Block Cipher Internals
3 Feistel and Generalized Feistel Ciphers vs. T-310
  3.1 T-310 vs. Other Contemporary Block Ciphers
  3.2 Weak or Strong - Cryptanalysis
4 Feistel Ciphers and High-Level Structure of T-310
  4.1 Long-Term Keys - Notation
  4.2 The Importance of Long-Term Keys
  4.3 Basic LZS Classification
  4.4 Unbalanced Feistel Reinforced with a Permutation
  4.5 Permutation D and Chosen Long-Term Key Attacks
5 Alterations to the Unbalanced Feistel Construction
  5.1 Mainstream T-310: Non-Bijective D
  5.2 Consequences of D(i)=0
  5.3 Unbalanced Feistel vs. KT1 Keys (Most Common Case)
  5.4 The High-Level Structure of KT1 Keys
  5.5 Comparison to SKS Ciphers and How It Impacts T-310 Ciphers
  5.6 Alterations to the Unbalanced Feistel Construction with KT2 Keys
6 Detailed Description of T-310
7 Construction of One Encryption Round φ
  7.1 Compact High-Level Description of One Round φ
  7.2 Definition of P
  7.3 Definition of T
  7.4 Definition of D
  7.5 Summary: Main Part of φ
  7.6 A Potential Serious Vulnerability - Divide And Conquer Attacks on Key Space
8 Long Term Keys D, P
  8.1 Example of D, P of Popular Type KT1
  8.2 Properties of KT1 Keys
  8.3 On Strength of Real-Life Cold War Keys
  8.4 KT2 Key Class
  8.5 Other Keys and Key Classes
  8.6 Key Sizes for the Long Term Keys
  8.7 Long Term Keys vs. Security
9 Detailed Description of T() Inside One Round
  9.1 Design of T and Alternative Descriptions
  9.2 Design Criteria of T
  9.3 Another Point of View on T and One Round φ
  9.4 Observations on T()
  9.5 Vulnerabilities of the Whole T Component
  9.6 Observations on T() Combined with Final XORs
10 The Non-Linear Component of T-310
  10.1 Description of the Boolean Function Z
  10.2 Implementation of the Boolean Function Z
  10.3 Design Criteria for the Boolean Function Z from 1973
  10.4 Another Set of Design Criteria From 1975
11 Properties of T-310 Round Function φ
  11.1 Is One Encryption Round φ a Permutation?
  11.2 Another Result on φ
12 Differential Attacks and Vulnerabilities in T-310
  12.1 Structural Differential Attacks vs. S-boxes
  12.2 Missing Bits - Serious Differential Vulnerability of T for Any P
  12.3 Missing Bits - Applications
  12.4 Missing Bits - Application to Related-Key Differential Attacks
  12.5 Examples of Differential Attacks on T-310
  12.6 Differential Vulnerabilities with Different IVs
  12.7 Differential vs. Linear Cryptanalysis
13 Key and IV Scheduling Parts in T-310
  13.1 Basic Facts About T-310 Keys
  13.2 Key Scheduling and s_{m,1-2}
  13.3 On Parity Bits
  13.4 IV Generation and Transmission in T-310
  13.5 IV Expansion and f_m
  13.6 A Zero-Attack on IV Expansion and f_m
14 T-310 Keystream Generation Process
  14.1 Bit Selection For Encryption
  14.2 Discussion - Low-Rate Extraction
15 Estimating the Strength of T-310 Against Direct Software Algebraic Attacks
  15.1 Attacks on 1 Bit - How to Access u_{127,α}
  15.2 Attacks on Full State or P/C Pairs
  15.3 Computer Simulations
16 Encryption in T-310 - Double One-Time Pad
  16.1 On the Choice of α
17 Basic Observations and Basic Attacks on T-310 Encryption Process
  17.1 Timing and Side Channel Attacks on T-310
  17.2 A Known Plaintext Attack on T-310
  17.3 The Zero Value Attacks on T-310
  17.4 Bad News - Tentative Applications of Zero-Value Attack
18 Preliminary Analysis for Correlation Attacks and the Space Shrinking Properties
  18.1 Useful Natural Language Statistics
  18.2 Correlation Attack vs. Weak Keys in T-310
  18.3 A Specific Reason Why Correlations Exist
  18.4 A Method for Fast Estimation of Output Space
  18.5 Space Shrinking - Original Keys vs. Special Keys
  18.6 Shrinking vs. Choice of Key and IV Bits - Key 208
  18.7 Weaker Rank-Deficient Keys in KT2b Style
  18.8 Class KT3d - More Weak LZS Keys Generated At Random
  18.9 How Output Space Reduction Produces Bias
  18.10 Application to SKS V/1
19 On Chosen LZS Attacks
  19.1 A Problematic LZS Question
  19.2 On Rank Deficiency of Some Otherwise Well-Formed Keys
20 A Ciphertext-Only Faulty LZS Correlation Attack
  20.1 On Key Scheduling in T-310
  20.2 A Ciphertext-Only Correlation Attack on T-310
  20.3 A Ciphertext-Only Correlation Attack on SKS V/1
21 T-310 and Linear Cryptanalysis
  21.1 Historical Background
  21.2 Application to Several Rounds of T-310
  21.3 Invariant Linear Characteristics for T-310
  21.4 Generating Very Weak Long Term Keys for LC
  21.5 LC-Weak Keys with One-Bit Correlations
  21.6 A Short Explanation for Key 741
  21.7 A Classification of One-Bit Correlations α → α
  21.8 Specific Types of Near-Bit Correlations
  21.9 A Detailed Example of How T-310 Can Be Weak w.r.t. LC
  21.10 Can More KT1 Keys be Pathological?
  21.11 Generation of KT1 Keys [General or LC-Weak]
  21.12 More Complex Periodic Properties
  21.13 Periodic Properties which Involve Key Bits
  21.14 Strongly Pathological LC-Weak Keys
  21.15 Weak LZS with 8 Round Properties
  21.16 More Pathological LC-Weak Keys Not KT1
  21.17 Keys With Self-Similarity and Level 2 Linear Cryptanalysis
  21.18 First Classification of LC-Weak KT1 Keys
  21.19 A More Detailed Classification of LC-Weak KT1 Keys
  21.20 On Frequency of LC-Vulnerable KT1 Keys
  21.21 How to Avoid LC-Weak KT1 Keys
  21.22 Pre-Conditions for Selected LC-Weak KT1 Keys
  21.23 Software for KT1 Key Generation Tool and LC-Weak Keys