Data Encryption Standard, As Specified in FIPS Publication 46- = = + 3 [31], Is a Block Cipher Operating on 64-Bit Data L2 R1 R2 L1 F(R1, K2) Blocks

Total Page:16

File Type:pdf, Size:1020Kb

Data Encryption Standard, As Specified in FIPS Publication 46- = = + 3 [31], Is a Block Cipher Operating on 64-Bit Data L2 R1 R2 L1 F(R1, K2) Blocks P1: FAW/SPH P2: FAW/SPH QC: FAW/SPH T1: FAW KI194-Tilborg April 22, 2005 10:40 D DATA ENCRYPTION word Ri is fed to a function f and the result is STANDARD (DES) added to the first word Li . Then both words are swapped and the algorithm proceeds to the next View metadata, citationThe and Data similar Encryptionpapers at core.ac.uk Standard (DES) [31] has iteration. brought to you by CORE been around for more than 25 years. During this The function f is key-dependentprovided by Open Repository and and consists Bibliography - Luxembourg time the standard was revised three times: as of four stages (see Figure 2). Their description is FIPS-46-1 in 1988, as FIPS-46-2 in 1993 and given below. Note that all bits in DES are num- as FIPS-46-3 in 1999. DES was an outcome of a bered from left to right, i.e., the leftmost bit of a call for primitives in 1974, which did not result block (the most significant bit) is bit 1. in many serious candidates except for a prede- 1. Expansion (E). The 32-bit input word is first cessor of DES, Lucifer [15, 36] designed by IBM expanded to 48 bits by duplicating and reorder- around 1971. It took another year for a joint IBM– ing half of the bits. The selection of bits is spec- NSA effort to turn Lucifer into DES. The struc- ified by Table 1. The first row in the table refers ture of Lucifer was significantly altered: since to the first 6 bits of the expanded word, the sec- the design rationale was never made public and ond row to bits 7–12, and so on. Thus bit 41 of the secret key size was reduced from 128-bit to the expanded word, for example, gets its value 56-bits, this initially resulted in controversy, and from bit 28 of the input word. some distrust among the public. After some de- 2. Key mixing. The expanded word is XORed lay, FIPS-46 was published by NBS (National with a round key constructed by selecting 48 Bureau of Standards)—now NIST (National In- bits from the 56-bit secret key. As explained be- stitute of Standards and Technology)—on Jan- low, a different selection is used in each round. uary 15, 1977 [31] (see [35] for a discussion of the standardization process). INPUT However, in spite of all the controversy it is hard to underestimate the role of DES [31]. DES was INITIAL PERMUTATION one of the first commercially developed (as opposed to government developed) ciphers whose structure PERMUTED L R INPUT O O was fully published. This effectively created a com- K1 munity of researchers who could analyse it and + f propose their own designs. This lead to a wave of public interest in cryptography, from which much L = R R = L + f(R , K ) of the cryptography as we know it today was born. 1 0 1 0 O 1 K2 + f DESCRIPTION OF DES: The Data Encryption Standard, as specified in FIPS Publication 46- = = + 3 [31], is a block cipher operating on 64-bit data L2 R1 R2 L1 f(R1, K2) blocks. The encryption transformation depends on Kn a 56-bit secret key and consists of sixteen Feistel + f iterations surrounded by two permutation layers: an initial bit permutation IP at the input, and its − 1 = = + inverse IP at the output. The structure of the L15 R14 R15 L14 f(R14, K15) cipher is depicted in Figure 1. The decryption pro- K16 cess is the same as the encryption, except for the + f order of the round keys used in the Feistel iter- PREOUTPUT R = L + f(R , K ) L = R ations. As a result, most of the circuitry can be 16 15 15 16 16 15 reused in hardware implementations of DES. The 16-round Feistel network, which consti- INVERSE INITIAL PERM tutes the cryptographic core of DES, splits the 64- OUTPUT bit data blocks into two 32-bit words (denoted by L0 and R0). In each iteration (or round), the second Fig. 1. The encryption function 129 P1: FAW/SPH P2: FAW/SPH QC: FAW/SPH T1: FAW KI194-Tilborg April 22, 2005 10:40 130 Data encryption standard (DES) R (32 BITS) according to a permutation PC1 (see Table 4). The result is split into two 28-bit words C0 and D0, E which are cyclically rotated over 1 position to the left after rounds 1, 2, 9, 16, and over 2 positions af- 48 BITS K (48 BITS) ter all other rounds (the rotated words are denoted by Ci and Di ). The round keys are constructed + by repeatedly extracting 48 bits from Ci and Di at 48 fixed positions determined by a table PC2 (see Table 4). A convenient feature of this key S1 S2 S3 S4 S5 S6 S7 S8 scheduling algorithm is that the 28-bit words C0 and D0 are rotated over exactly 28 positions after 16 rounds. This allows hardware implementations P to efficiently compute the round keys on-the-fly, both for the encryption and the decryption. 32 BITS CRYPTANALYSIS OF DES: DES has been sub- Fig. 2. The function f ject to very intensive cryptanalysis. Initial at- tempts [16] did not identify any serious weak- 3. Substitution. The 48-bit result is split into nesses except for the short key-size. It was noted eight 6-bit words which are substituted in eight that DES has a complementation property, i.e., parallel 6 × 4-bit S-boxes. All eight S-boxes, given an encryption of the plaintext P into the ciphertext C under the secret key K: EK (P) = C, called S1, S2,...,S8, are different but have the same special structure, as appears from their one knows that the complement of the plaintext specifications in Table 2. Each row of the S- will be encrypted to the complement of the cipher- = box tables consists of a permutation of the 4-bit text under the complement of the key: EK¯ (P) values 0,...,15. The 6-bit input word is sub- C (by complement we mean flipping of all the stituted as follows: first a row is selected ac- bits). Another feature was the existence of four cording to the value of the binary word formed weak keys, for which the cipher is an involution: = by concatenating the first and the sixth input EK (EK (m)) m (for these keys the contents of the bit. The algorithm then picks the column given key-schedule registers C and D is either all zeros by the value of the four middle bits and outputs or all ones), and six additional pairs of semi-weak = the corresponding 4-bit word. keys for which EK1(EK2(m)) m. The complemen- 4. Permutation (P). The resulting 32 bits are re- tation and the weak-key properties are the result ordered according to a fixed permutation spec- of interaction of the key-schedule, which splits the ified in Table 1 before being sent to the output. key-bits into two separate registers and the Feistel As before, the first row of the table refers to the structure of the cipher. A careful study of the cycle first four bits of the output. structure of DES for weak and semi-weak keys has The selection of key bits in each round is deter- been given by Moore and Simmons [30]. See the mined by a simple key scheduling algorithm. The book of Davies and Price [11] for a more detailed algorithm starts from a 64-bit secret key which in- account on these and other features of DES iden- cludes 8 parity bits that are discarded after verifi- tified prior to 1989. The properties of the group cation (the parity of each byte needs to be odd). The generated by DES permutations have also been remaining 56 secret key bits are first permuted studied intensively. Coppersmith and Grossman have shown [9] that in principle DES-like com- ponents can generate any permutation from the Table 1. Expansion E and permutation P alternating group A264 (all even permutations, i.e., those that can be represented with an even num- EP ber of transpositions). However, DES implements 3212345 1672021only 256 permutations, which is a tiny fraction of 456789 29122817all the even permutations. If the set of 256 DES 891011 12 13 1 15 23 26 permutations was closed under composition, then 12 13 14 15 16 17 5 18 31 10 multiple encryption as used, for example in Triple- 16 17 18 19 20 21 2 8 24 14 DES would be equivalent to single encryption and 20 21 22 23 24 25 32 27 3 9 thus would not provide any additional strength. 24 25 26 27 28 29 19 13 30 6 A similar weakness would be present if the size 28 29 30 31 32 1 22 11 4 25 of the group generated by the DES permutations P1: FAW/SPH P2: FAW/SPH QC: FAW/SPH T1: FAW KI194-Tilborg April 22, 2005 10:40 Data encryption standard (DES) 131 Table 2. DES S-boxes S1 : 0123456789101112131415 0: 14 41312151183106125907 1: 0157414213110612119538 2: 4114813621115129731050 3: 15 12824917511314100613 S2 :0123456789101112131415 0: 1518146113497213120510 1: 3 134715281412011069115 2: 0147111041315812693215 3: 13 8 1013154211671205149 S3 :0123456789101112131415 0: 1009146315511312711428 1: 1370934610285141211151 2: 1364981530111212510147 3: 1101306987415143115212 S4 :0123456789101112131415 0: 7131430691012851112415 1: 13 81156150347212110149 2: 1069012117131513145284 3: 3150610113894511127214 S5 :0123456789101112131415 0: 2124171011685315130149 1: 14 11 212471315015103986 2: 4211110137815912563014 3: 11 81271142136150910453 S6 :0123456789101112131415 0: 12 11015926801334147511 1: 10 15427129561131401138 2: 9141552812370410113116 3: 4321295151011141760813 S7 :0123456789101112131415 0: 4112141508133129751061 1: 13 01174911014351221586 2: 1411131237141015680592 3: 6111381410795015142312 S8 :0123456789101112131415 0: 1328461511110931450127 1: 1151381037412561101492 2: 7114191214206101315358 3: 2114741081315129035611 P1: FAW/SPH P2: FAW/SPH QC: FAW/SPH T1: FAW KI194-Tilborg April 22, 2005 10:40 132 Data encryption standard (DES) Table 3.
Recommended publications
  • Cryptanalysis of Feistel Networks with Secret Round Functions Alex Biryukov, Gaëtan Leurent, Léo Perrin
    Cryptanalysis of Feistel Networks with Secret Round Functions Alex Biryukov, Gaëtan Leurent, Léo Perrin To cite this version: Alex Biryukov, Gaëtan Leurent, Léo Perrin. Cryptanalysis of Feistel Networks with Secret Round Functions. Selected Areas in Cryptography - SAC 2015, Aug 2015, Sackville, Canada. hal-01243130 HAL Id: hal-01243130 https://hal.inria.fr/hal-01243130 Submitted on 14 Dec 2015 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Cryptanalysis of Feistel Networks with Secret Round Functions ? Alex Biryukov1, Gaëtan Leurent2, and Léo Perrin3 1 [email protected], University of Luxembourg 2 [email protected], Inria, France 3 [email protected], SnT,University of Luxembourg Abstract. Generic distinguishers against Feistel Network with up to 5 rounds exist in the regular setting and up to 6 rounds in a multi-key setting. We present new cryptanalyses against Feistel Networks with 5, 6 and 7 rounds which are not simply distinguishers but actually recover completely the unknown Feistel functions. When an exclusive-or is used to combine the output of the round function with the other branch, we use the so-called yoyo game which we improved using a heuristic based on particular cycle structures.
    [Show full text]
  • Public-Key Cryptography
    Public Key Cryptography EJ Jung Basic Public Key Cryptography public key public key ? private key Alice Bob Given: Everybody knows Bob’s public key - How is this achieved in practice? Only Bob knows the corresponding private key Goals: 1. Alice wants to send a secret message to Bob 2. Bob wants to authenticate himself Requirements for Public-Key Crypto ! Key generation: computationally easy to generate a pair (public key PK, private key SK) • Computationally infeasible to determine private key PK given only public key PK ! Encryption: given plaintext M and public key PK, easy to compute ciphertext C=EPK(M) ! Decryption: given ciphertext C=EPK(M) and private key SK, easy to compute plaintext M • Infeasible to compute M from C without SK • Decrypt(SK,Encrypt(PK,M))=M Requirements for Public-Key Cryptography 1. Computationally easy for a party B to generate a pair (public key KUb, private key KRb) 2. Easy for sender to generate ciphertext: C = EKUb (M ) 3. Easy for the receiver to decrypt ciphertect using private key: M = DKRb (C) = DKRb[EKUb (M )] Henric Johnson 4 Requirements for Public-Key Cryptography 4. Computationally infeasible to determine private key (KRb) knowing public key (KUb) 5. Computationally infeasible to recover message M, knowing KUb and ciphertext C 6. Either of the two keys can be used for encryption, with the other used for decryption: M = DKRb[EKUb (M )] = DKUb[EKRb (M )] Henric Johnson 5 Public-Key Cryptographic Algorithms ! RSA and Diffie-Hellman ! RSA - Ron Rives, Adi Shamir and Len Adleman at MIT, in 1977. • RSA
    [Show full text]
  • 25 Years of Linear Cryptanalysis -Early History and Path Search Algorithm
    25 Years of Linear Cryptanalysis -Early History and Path Search Algorithm- Asiacrypt 2018, December 3 2018 Mitsuru Matsui © Mitsubishi Electric Corporation Back to 1990… 2 © Mitsubishi Electric Corporation FEAL (Fast data Encipherment ALgorithm) • Designed by Miyaguchi and Shimizu (NTT). • 64-bit block cipher family with the Feistel structure. • 4 rounds (1987) • 8 rounds (1988) • N rounds(1990) N=32 recommended • Key size is 64 bits (later extended to 128 bits). • Optimized for 8-bit microprocessors (no lookup tables). • First commercially successful cipher in Japan. • Inspired many new ideas, including linear cryptanalysis. 3 © Mitsubishi Electric Corporation FEAL-NX Algorithm [Miyaguchi 90] subkey 4 © Mitsubishi Electric Corporation The Round Function of FEAL 2-byte subkey Linear Relations 푌 2 = 푋1 0 ⊕ 푋2 0 푌 2 = 푋1 0 ⊕ 푋2 0 ⊕ 1 (푁표푡푎푡푖표푛: 푌 푖 = 푖-푡ℎ 푏푖푡 표푓 푌) 5 © Mitsubishi Electric Corporation Linear Relations of the Round Function Linear Relations 푂 16,26 ⊕ 퐼 24 = 퐾 24 K 푂 18 ⊕ 퐼 0,8,16,24 = 퐾 8,16 ⊕ 1 푂 10,16 ⊕ 퐼 0,8 = 퐾 8 S 0 푂 2,8 ⊕ 퐼 0 = 퐾 0 ⊕ 1 (푁표푡푎푡푖표푛: 퐴 푖, 푗, 푘 = 퐴 푖 ⊕ 퐴 푗 ⊕ 퐴 푘 ) S1 O I f S0 f 3-round linear relations with p=1 S1 f modified round function f at least 3 subkey (with whitening key) f bytes affect output6 6 © Mitsubishi Electric Corporation History of Cryptanalysis of FEAL • 4-round version – 100-10000 chosen plaintexts [Boer 88] – 20 chosen plaintexts [Murphy 90] – 8 chosen plaintexts [Biham, Shamir 91] differential – 200 known plaintexts [Tardy-Corfdir, Gilbert 91] – 5 known plaintexts [Matsui, Yamagishi
    [Show full text]
  • A Quantitative Study of Advanced Encryption Standard Performance
    United States Military Academy USMA Digital Commons West Point ETD 12-2018 A Quantitative Study of Advanced Encryption Standard Performance as it Relates to Cryptographic Attack Feasibility Daniel Hawthorne United States Military Academy, [email protected] Follow this and additional works at: https://digitalcommons.usmalibrary.org/faculty_etd Part of the Information Security Commons Recommended Citation Hawthorne, Daniel, "A Quantitative Study of Advanced Encryption Standard Performance as it Relates to Cryptographic Attack Feasibility" (2018). West Point ETD. 9. https://digitalcommons.usmalibrary.org/faculty_etd/9 This Doctoral Dissertation is brought to you for free and open access by USMA Digital Commons. It has been accepted for inclusion in West Point ETD by an authorized administrator of USMA Digital Commons. For more information, please contact [email protected]. A QUANTITATIVE STUDY OF ADVANCED ENCRYPTION STANDARD PERFORMANCE AS IT RELATES TO CRYPTOGRAPHIC ATTACK FEASIBILITY A Dissertation Presented in Partial Fulfillment of the Requirements for the Degree of Doctor of Computer Science By Daniel Stephen Hawthorne Colorado Technical University December, 2018 Committee Dr. Richard Livingood, Ph.D., Chair Dr. Kelly Hughes, DCS, Committee Member Dr. James O. Webb, Ph.D., Committee Member December 17, 2018 © Daniel Stephen Hawthorne, 2018 1 Abstract The advanced encryption standard (AES) is the premier symmetric key cryptosystem in use today. Given its prevalence, the security provided by AES is of utmost importance. Technology is advancing at an incredible rate, in both capability and popularity, much faster than its rate of advancement in the late 1990s when AES was selected as the replacement standard for DES. Although the literature surrounding AES is robust, most studies fall into either theoretical or practical yet infeasible.
    [Show full text]
  • Public Key Cryptography And
    PublicPublic KeyKey CryptographyCryptography andand RSARSA Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 [email protected] Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/ Washington University in St. Louis CSE571S ©2011 Raj Jain 9-1 OverviewOverview 1. Public Key Encryption 2. Symmetric vs. Public-Key 3. RSA Public Key Encryption 4. RSA Key Construction 5. Optimizing Private Key Operations 6. RSA Security These slides are based partly on Lawrie Brown’s slides supplied with William Stallings’s book “Cryptography and Network Security: Principles and Practice,” 5th Ed, 2011. Washington University in St. Louis CSE571S ©2011 Raj Jain 9-2 PublicPublic KeyKey EncryptionEncryption Invented in 1975 by Diffie and Hellman at Stanford Encrypted_Message = Encrypt(Key1, Message) Message = Decrypt(Key2, Encrypted_Message) Key1 Key2 Text Ciphertext Text Keys are interchangeable: Key2 Key1 Text Ciphertext Text One key is made public while the other is kept private Sender knows only public key of the receiver Asymmetric Washington University in St. Louis CSE571S ©2011 Raj Jain 9-3 PublicPublic KeyKey EncryptionEncryption ExampleExample Rivest, Shamir, and Adleman at MIT RSA: Encrypted_Message = m3 mod 187 Message = Encrypted_Message107 mod 187 Key1 = <3,187>, Key2 = <107,187> Message = 5 Encrypted Message = 53 = 125 Message = 125107 mod 187 = 5 = 125(64+32+8+2+1) mod 187 = {(12564 mod 187)(12532 mod 187)... (1252 mod 187)(125 mod 187)} mod 187 Washington University in
    [Show full text]
  • The Data Encryption Standard (DES) – History
    Chair for Network Architectures and Services Department of Informatics TU München – Prof. Carle Network Security Chapter 2 Basics 2.1 Symmetric Cryptography • Overview of Cryptographic Algorithms • Attacking Cryptographic Algorithms • Historical Approaches • Foundations of Modern Cryptography • Modes of Encryption • Data Encryption Standard (DES) • Advanced Encryption Standard (AES) Cryptographic algorithms: outline Cryptographic Algorithms Symmetric Asymmetric Cryptographic Overview En- / Decryption En- / Decryption Hash Functions Modes of Cryptanalysis Background MDC’s / MACs Operation Properties DES RSA MD-5 AES Diffie-Hellman SHA-1 RC4 ElGamal CBC-MAC Network Security, WS 2010/11, Chapter 2.1 2 Basic Terms: Plaintext and Ciphertext Plaintext P The original readable content of a message (or data). P_netsec = „This is network security“ Ciphertext C The encrypted version of the plaintext. C_netsec = „Ff iThtIiDjlyHLPRFxvowf“ encrypt key k1 C P key k2 decrypt In case of symmetric cryptography, k1 = k2. Network Security, WS 2010/11, Chapter 2.1 3 Basic Terms: Block cipher and Stream cipher Block cipher A cipher that encrypts / decrypts inputs of length n to outputs of length n given the corresponding key k. • n is block length Most modern symmetric ciphers are block ciphers, e.g. AES, DES, Twofish, … Stream cipher A symmetric cipher that generats a random bitstream, called key stream, from the symmetric key k. Ciphertext = key stream XOR plaintext Network Security, WS 2010/11, Chapter 2.1 4 Cryptographic algorithms: overview
    [Show full text]
  • Block Ciphers and the Data Encryption Standard
    Lecture 3: Block Ciphers and the Data Encryption Standard Lecture Notes on “Computer and Network Security” by Avi Kak ([email protected]) January 26, 2021 3:43pm ©2021 Avinash Kak, Purdue University Goals: To introduce the notion of a block cipher in the modern context. To talk about the infeasibility of ideal block ciphers To introduce the notion of the Feistel Cipher Structure To go over DES, the Data Encryption Standard To illustrate important DES steps with Python and Perl code CONTENTS Section Title Page 3.1 Ideal Block Cipher 3 3.1.1 Size of the Encryption Key for the Ideal Block Cipher 6 3.2 The Feistel Structure for Block Ciphers 7 3.2.1 Mathematical Description of Each Round in the 10 Feistel Structure 3.2.2 Decryption in Ciphers Based on the Feistel Structure 12 3.3 DES: The Data Encryption Standard 16 3.3.1 One Round of Processing in DES 18 3.3.2 The S-Box for the Substitution Step in Each Round 22 3.3.3 The Substitution Tables 26 3.3.4 The P-Box Permutation in the Feistel Function 33 3.3.5 The DES Key Schedule: Generating the Round Keys 35 3.3.6 Initial Permutation of the Encryption Key 38 3.3.7 Contraction-Permutation that Generates the 48-Bit 42 Round Key from the 56-Bit Key 3.4 What Makes DES a Strong Cipher (to the 46 Extent It is a Strong Cipher) 3.5 Homework Problems 48 2 Computer and Network Security by Avi Kak Lecture 3 Back to TOC 3.1 IDEAL BLOCK CIPHER In a modern block cipher (but still using a classical encryption method), we replace a block of N bits from the plaintext with a block of N bits from the ciphertext.
    [Show full text]
  • Constructing Low-Weight Dth-Order Correlation-Immune Boolean Functions Through the Fourier-Hadamard Transform Claude Carlet and Xi Chen*
    1 Constructing low-weight dth-order correlation-immune Boolean functions through the Fourier-Hadamard transform Claude Carlet and Xi Chen* Abstract The correlation immunity of Boolean functions is a property related to cryptography, to error correcting codes, to orthogonal arrays (in combinatorics, which was also a domain of interest of S. Golomb) and in a slightly looser way to sequences. Correlation-immune Boolean functions (in short, CI functions) have the property of keeping the same output distribution when some input variables are fixed. They have been widely used as combiners in stream ciphers to allow resistance to the Siegenthaler correlation attack. Very recently, a new use of CI functions has appeared in the framework of side channel attacks (SCA). To reduce the cost overhead of counter-measures to SCA, CI functions need to have low Hamming weights. This actually poses new challenges since the known constructions which are based on properties of the Walsh-Hadamard transform, do not allow to build unbalanced CI functions. In this paper, we propose constructions of low-weight dth-order CI functions based on the Fourier- Hadamard transform, while the known constructions of resilient functions are based on the Walsh-Hadamard transform. We first prove a simple but powerful result, which makes that one only need to consider the case where d is odd in further research. Then we investigate how constructing low Hamming weight CI functions through the Fourier-Hadamard transform (which behaves well with respect to the multiplication of Boolean functions). We use the characterization of CI functions by the Fourier-Hadamard transform and introduce a related general construction of CI functions by multiplication.
    [Show full text]
  • Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, Newdes, RC2, and TEA
    Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, NewDES, RC2, and TEA John Kelsey Bruce Schneier David Wagner Counterpane Systems U.C. Berkeley kelsey,schneier @counterpane.com [email protected] f g Abstract. We present new related-key attacks on the block ciphers 3- WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. Differen- tial related-key attacks allow both keys and plaintexts to be chosen with specific differences [KSW96]. Our attacks build on the original work, showing how to adapt the general attack to deal with the difficulties of the individual algorithms. We also give specific design principles to protect against these attacks. 1 Introduction Related-key cryptanalysis assumes that the attacker learns the encryption of certain plaintexts not only under the original (unknown) key K, but also under some derived keys K0 = f(K). In a chosen-related-key attack, the attacker specifies how the key is to be changed; known-related-key attacks are those where the key difference is known, but cannot be chosen by the attacker. We emphasize that the attacker knows or chooses the relationship between keys, not the actual key values. These techniques have been developed in [Knu93b, Bih94, KSW96]. Related-key cryptanalysis is a practical attack on key-exchange protocols that do not guarantee key-integrity|an attacker may be able to flip bits in the key without knowing the key|and key-update protocols that update keys using a known function: e.g., K, K + 1, K + 2, etc. Related-key attacks were also used against rotor machines: operators sometimes set rotors incorrectly.
    [Show full text]
  • Camellia: a 128-Bit Block Cipher Suitable for Multiple Platforms
    Copyright NTT and Mitsubishi Electric Corporation 2000 Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms † ‡ † Kazumaro Aoki Tetsuya Ichikawa Masayuki Kanda ‡ † ‡ ‡ Mitsuru Matsui Shiho Moriai Junko Nakajima Toshio Tokita † Nippon Telegraph and Telephone Corporation 1-1 Hikarinooka, Yokosuka, Kanagawa, 239-0847 Japan {maro,kanda,shiho}@isl.ntt.co.jp ‡ Mitsubishi Electric Corporation 5-1-1 Ofuna, Kamakura, Kanagawa, 247-8501 Japan {ichikawa,matsui,june15,tokita}@iss.isl.melco.co.jp September 26, 2000 Abstract. We present a new 128-bit block cipher called Camellia. Camellia sup- ports 128-bit block size and 128-, 192-, and 256-bit key lengths, i.e. the same interface specifications as the Advanced Encryption Standard (AES). Camellia was carefully designed to withstand all known cryptanalytic attacks and even to have a sufficiently large security leeway for use of the next 10-20 years. There are no hidden weakness inserted by the designers. It was also designed to have suitability for both software and hardware implementations and to cover all possible encryption applications that range from low-cost smart cards to high-speed network systems. Compared to the AES finalists, Camellia offers at least comparable encryption speed in software and hardware. An optimized implementation of Camellia in assembly language can en- crypt on a PentiumIII (800MHz) at the rate of more than 276 Mbits per second, which is much faster than the speed of an optimized DES implementation. In ad- dition, a distinguishing feature is its small hardware design. The hardware design, which includes key schedule, encryption and decryption, occupies approximately 11K gates, which is the smallest among all existing 128-bit block ciphers as far as we know.
    [Show full text]
  • On the NIST Lightweight Cryptography Standardization
    On the NIST Lightweight Cryptography Standardization Meltem S¨onmez Turan NIST Lightweight Cryptography Team ECC 2019: 23rd Workshop on Elliptic Curve Cryptography December 2, 2019 Outline • NIST's Cryptography Standards • Overview - Lightweight Cryptography • NIST Lightweight Cryptography Standardization Process • Announcements 1 NIST's Cryptography Standards National Institute of Standards and Technology • Non-regulatory federal agency within U.S. Department of Commerce. • Founded in 1901, known as the National Bureau of Standards (NBS) prior to 1988. • Headquarters in Gaithersburg, Maryland, and laboratories in Boulder, Colorado. • Employs around 6,000 employees and associates. NIST's Mission to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. 2 NIST Organization Chart Laboratory Programs Computer Security Division • Center for Nanoscale Science and • Cryptographic Technology Technology • Secure Systems and Applications • Communications Technology Lab. • Security Outreach and Integration • Engineering Lab. • Security Components and Mechanisms • Information Technology Lab. • Security Test, Validation and • Material Measurement Lab. Measurements • NIST Center for Neutron Research • Physical Measurement Lab. Information Technology Lab. • Advanced Network Technologies • Applied and Computational Mathematics • Applied Cybersecurity • Computer Security • Information Access • Software and Systems • Statistical
    [Show full text]
  • Ohio IT Standard ITS-SEC-01 Data Encryption and Cryptography
    Statewide Standard State of Ohio IT Standard Standard Number: Title: ITS-SEC-01 Data Encryption and Cryptography Effective Date: Issued By: 03/12/2021 Ervan D. Rodgers II, Assistant Director/State Chief Information Officer Office of Information Technology Ohio Department of Administrative Services Version Identifier: Published By: 2.0 Investment and Governance Division Ohio Office of Information Technology 1.0 Purpose This state IT standard defines the minimum requirements for cryptographic algorithms that are cryptographically strong and are used in security services that protect at-risk or sensitive data as defined and required by agency or State policy, standard or rule. This standard does not classify data elements; does not define the security schemes and mechanisms for devices such as tape backup systems, storage systems, mobile computers or removable media; and does not identify or approve secure transmission protocols that may be used to implement security requirements. 2.0 Scope Pursuant to Ohio Administrative Policy IT-01, “Authority of the State Chief Information Officer to Establish Ohio IT Policy,” this state IT standard is applicable to every organized body, office, or agency established by the laws of the state for the exercise of any function of state government except for those specifically exempted. 3.0 Background The National Institute for Science and Technology (NIST) conducts extensive research and development in cryptography techniques. Their publications include technical standards for data encryption, digital signature and message authentication as well as guidelines for implementing information security and managing cryptographic keys. These standards and guidelines have been mandated for use in federal agencies and adopted by state governments and private enterprises.
    [Show full text]