A CLASSICAL INTRODUCTION to CRYPTOGRAPHY: Applications for Communications Security



A CLASSICAL INTRODUCTION TO CRYPTOGRAPHY
Applications for Communications Security
by Serge Vaudenay, Swiss Federal Institute of Technologies (EPFL)

Serge Vaudenay, Ch. de Riant-Mont 4, CH-1023 Crissier, Switzerland

Library of Congress Cataloging-in-Publication Data: A C.I.P. Catalogue record for this book is available from the Library of Congress.

A CLASSICAL INTRODUCTION TO MODERN CRYPTOGRAPHY: Applications for Communications Security, by Serge Vaudenay, Swiss Federal Institute of Technologies (EPFL).
ISBN-10: 0-387-25464-1, e-ISBN-10: 0-387-25880-9, ISBN-13: 978-0-387-25464-7, e-ISBN-13: 978-0-387-25880-5. Printed on acid-free paper.

© 2006 Springer Science+Business Media, Inc. All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer Science+Business Media, Inc., 233 Spring Street, New York, NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden. The use in this publication of trade names, trademarks, service marks and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.

Printed in the United States of America. 9 8 7 6 5 4 3 2 1
SPIN 11357582, 11426141
springeronline.com

To Christine and Emilien

Contents
Preamble xv
1 Prehistory of Cryptography 1
1.1 Foundations of Conventional Cryptography 1
1.1.1 The Origins of Cryptography 1
1.1.2 Key Words 2
1.1.3 Transpositions, Substitutions, and Secret Keys 4
1.1.4 Vernam Cipher 7
1.1.5 Enigma: Toward Industrial Cryptography 8
1.2 Roots of Modern Cryptography 10
1.2.1 Cryptographic Problems: The Fundamental Trilogy 10
1.2.2 Assumptions of Modern Cryptography 11
1.2.3 Adversarial Models 12
1.2.4 Cryptography from Various Perspectives 13
1.2.5 Methodology 15
1.3 The Shannon Theory of Secrecy 15
1.3.1 Secrecy of Communication 15
1.3.2 Entropy 17
1.3.3 Perfect Secrecy 18
1.3.4 Product Ciphers 19
1.4 Exercises 19
2 Conventional Cryptography 21
2.1 The Data Encryption Standard (DES) 22
2.2 DES Modes of Operation 25
2.2.1 Electronic Code Book (ECB) 25
2.2.2 Cipher Block Chaining (CBC) 26
2.2.3 Output Feedback (OFB) 27
2.2.4 Cipher Feedback (CFB) 29
2.2.5 Counter Mode (CTR) 30
2.3 Multiple Encryption 30
2.3.1 Double Mode 30
2.3.2 Triple Mode 31
2.4 An Application of DES: UNIX Passwords 31
2.5 Classical Cipher Skeletons 32
2.5.1 Feistel Schemes 32
2.5.2 Lai–Massey Scheme 33
2.5.3 Substitution–Permutation Network 36
2.6 Other Block Cipher Examples 37
2.6.1 FOX: A Lai–Massey Scheme 37
2.6.2 CS-CIPHER: A Substitution–Permutation Network 40
2.7 The Advanced Encryption Standard (AES) 42
2.8 Stream Ciphers 46
2.8.1 Stream Ciphers versus Block Ciphers 46
2.8.2 RC4 46
2.8.3 A5/1: GSM Encryption 48
2.8.4 E0: Bluetooth Encryption 50
2.9 Brute Force Attacks 51
2.9.1 Exhaustive Search 52
2.9.2 Dictionary Attack 53
2.9.3 Codebook Attack 54
2.9.4 Time–Memory Tradeoffs 54
2.9.5 Meet-in-the-Middle Attack 59
2.10 Exercises 60
3 Dedicated Conventional Cryptographic Primitives 63
3.1 Cryptographic Hashing 63
3.1.1 Usage 63
3.1.2 Threat Models 64
3.1.3 From Compression to Hashing 65
3.1.4 Example of MD5 66
3.1.5 Examples of SHA and SHA-1 67
3.2 The Birthday Paradox 70
3.3 A Dedicated Attack on MD4 74
3.4 Message Authentication Codes 78
3.4.1 Usage 78
3.4.2 Threat Model 79
3.4.3 MAC from Block Ciphers: CBC-MAC 80
3.4.4 Analysis of CBC-MAC 82
3.4.5 MAC from Stream Ciphers 86
3.4.6 MAC from Hash Functions: HMAC 88
3.4.7 An Authenticated Mode of Operation 90
3.5 Cryptographic Pseudorandom Generators 92
3.5.1 Usage and Threat Model 92
3.5.2 Congruential Pseudorandom Generator 92
3.5.3 Practical Examples 93
3.6 Exercises 95
4 Conventional Security Analysis 97
4.1 Differential Cryptanalysis 97
4.2 Linear Cryptanalysis 103
4.3 Classical Security Strengthening 111
4.3.1 Nonlinearities 111
4.3.2 Characteristics and Markov Ciphers 112
4.3.3 Theoretical Differential and Linear Cryptanalysis 114
4.3.4 Ad hoc Construction 120
4.4 Modern Security Analysis 123
4.4.1 Distinguishability Security Model 123
4.4.2 The Luby–Rackoff Result 125
4.4.3 Decorrelation 126
4.5 Exercises 132
5 Security Protocols with Conventional Cryptography 135
5.1 Password Access Control 135
5.1.1 UNIX Passwords 136
5.1.2 Basic Access Control in HTTP 136
5.1.3 PAP Access Control in PPP 137
5.2 Challenge–Response Protocols 137
5.2.1 Digest Access Control in HTTP 138
5.2.2 CHAP Access Control in PPP 140
5.3 One-Time Password 140
5.3.1 Lamport Scheme 140
5.3.2 S/Key and OTP 141
5.4 Key Distribution 142
5.4.1 The Needham–Schroeder Authentication Protocol 142
5.4.2 Kerberos 143
5.4.3 Merkle Puzzles 145
5.5 Authentication Chains 145
5.5.1 Merkle Tree 145
5.5.2 Timestamps and Notary 147
5.6 Wireless Communication: Two Case Studies 148
5.6.1 The GSM Network 148
5.6.2 The Bluetooth Network 150
5.7 Exercises 153
6 Algorithmic Algebra 155
6.1 Basic Group Theory 155
6.1.1 Basic Set Theory 155
6.1.2 Groups 157
6.1.3 Generating a Group, Comparing Groups 158
6.1.4 Building New Groups 159
6.1.5 Fundamentals on Groups 159
6.2 The Ring Z_n 160
6.2.1 Rings 160
6.2.2 Definition of Z_n 161
6.2.3 Additions, Multiplications, Inversion 162
6.2.4 The Multiplicative Group Z_n^* 166
6.2.5 Exponentiation 167
6.2.6 Z_mn: The Chinese Remainder Theorem 167
6.3 The Finite Field Z_p 169
6.3.1 Basic Properties of Z_p 169
6.3.2 Quadratic
Recommended publications
  • Multiplicative Differentials
    Multiplicative Differentials. Nikita Borisov, Monica Chew, Rob Johnson, and David Wagner, University of California at Berkeley.
    Abstract. We present a new type of differential that is particularly suited to analyzing ciphers that use modular multiplication as a primitive operation. These differentials are partially inspired by the differential used to break Nimbus, and we generalize that result. We use these differentials to break the MultiSwap cipher that is part of the Microsoft Digital Rights Management subsystem, to derive a complementation property in the xmx cipher using the recommended modulus, and to mount a weak key attack on the xmx cipher for many other moduli. We also present weak key attacks on several variants of IDEA. We conclude that cipher designers may have placed too much faith in multiplication as a mixing operator, and that it should be combined with at least two other incompatible group operations.
    1 Introduction. Modular multiplication is a popular primitive for ciphers targeted at software because many CPUs have built-in multiply instructions. In memory-constrained environments, multiplication is an attractive alternative to S-boxes, which are often implemented using large tables. Multiplication has also been quite successful at foiling traditional differential cryptanalysis, which considers pairs of messages of the form (x, x ⊕ Δ) or (x, x + Δ). These differentials behave well in ciphers that use xors, additions, or bit permutations, but they fall apart in the face of modular multiplication. Thus, we consider differential pairs of the form (x, δ·x), which clearly commute with multiplication. The task of the cryptanalyst applying multiplicative differentials is to find values for δ that allow the differential to pass through the other operations in a cipher.
  • Applications of Search Techniques to Cryptanalysis and the Construction of Cipher Components. James David Mclaughlin Submitted F
    Applications of search techniques to cryptanalysis and the construction of cipher components. James David McLaughlin. Submitted for the degree of Doctor of Philosophy (PhD), University of York, Department of Computer Science, September 2012.
    Abstract. In this dissertation, we investigate the ways in which search techniques, and in particular metaheuristic search techniques, can be used in cryptology. We address the design of simple cryptographic components (Boolean functions), before moving on to more complex entities (S-boxes). The emphasis then shifts from the construction of cryptographic artefacts to the related area of cryptanalysis, in which we first derive non-linear approximations to S-boxes more powerful than the existing linear approximations, and then exploit these in cryptanalytic attacks against the ciphers DES and Serpent.
    Contents
    1 Introduction 11
    1.1 The Structure of this Thesis 12
    2 A brief history of cryptography and cryptanalysis 14
    3 Literature review 20
    3.1 Information on various types of block cipher, and a brief description of the Data Encryption Standard 20
    3.1.1 Feistel ciphers 21
    3.1.2 Other types of block cipher 23
    3.1.3 Confusion and diffusion 24
    3.2 Linear cryptanalysis 26
    3.2.1 The attack 27
    3.3 Differential cryptanalysis 35
    3.3.1 The attack 39
    3.3.2 Variants of the differential cryptanalytic attack 44
    3.4 Stream ciphers based on linear feedback shift registers 48
    3.5 A brief introduction to metaheuristics 52
    3.5.1 Hill-climbing 55
    3.5.2 Simulated annealing 57
    3.5.3 Memetic algorithms 58
    3.5.4 Ant algorithms
  • Dossier De Presse (Mai 2019) Press Release (May 2019)
    PRESS RELEASE (MAY 2019). PRESS CONTACT: Yasmina Sandoz, Marketing & Communication Manager, [email protected], Mobile: +33 6 27 67 25 29.
    INDEX. French 3: Announcement 4; Story 5; The team 6; Vision 8; The heart of the technology 9; Launch of three applications 10; Contributions from market players 14; Creation of the Global ID France subsidiary 18; Fundraising via DSO 18. English 20: Announcement 21; Story 22; Team 23; Vision 25; Heart of the technology 26; Launch of three applications 27; Presentation of the market's needs by three leaders 31; Creation of Global ID France 35; Scale up by DSO 35. German 37. Chinese 38.
    PRESS RELEASE. "Identity theft, cybercrime, data theft... At a time when threats are ever more sophisticated, it is imperative to rely on a forgery-proof identification solution." It is to meet this need that we developed the first biometric identification system based on the three-dimensional vein pattern. The vein network is unique and cannot be replicated. Our device reconstructs the vein map in three dimensions from images of the finger placed under a light source. We use state-of-the-art cryptographic techniques. The reconstructed image is never transmitted in the clear, so as to protect users' privacy. Recognition is thus secured at the moment of identification! The fruit of a collaboration between 3 leading laboratories, each world-renowned in its field, the IDIAP Research Institute, HES SO Valais / Wallis and EPFL, this major innovation guarantees the very high level of security demanded by our clients from the most sensitive sectors (banks, governments, NGOs, healthcare...).
  • Decorrelation: a Theory for Block Cipher Security
    J. Cryptology (2003) 16: 249–286. DOI: 10.1007/s00145-003-0220-6. © 2003 International Association for Cryptologic Research.
    Decorrelation: A Theory for Block Cipher Security. Serge Vaudenay, Swiss Federal Institute of Technology (EPFL), CH-1015 Lausanne, Switzerland, Serge.Vaudenay@epfl.ch. Communicated by Eli Biham. Received 30 July 2002 and revised 15 May 2003. Online publication 15 August 2003.
    Abstract. Pseudorandomness is a classical model for the security of block ciphers. In this paper we propose convenient tools in order to study it in connection with the Shannon Theory, the Carter–Wegman universal hash functions paradigm, and the Luby–Rackoff approach. This enables the construction of new ciphers with security proofs under specific models. We show how to ensure security against basic differential and linear cryptanalysis and even more general attacks. We propose practical construction schemes.
    Key words. Block ciphers, Cryptanalysis, Pseudorandomness.
    1. Introduction. Conventional encryption is used in order to enforce confidentiality of communications in a network. Following the Kerckhoffs principles [34], schemes are defined by three public algorithms: a key generation scheme, an encryption scheme, and a decryption scheme. Two parties willing to communicate confidentially can generate a private key which is used as a parameter for encryption and decryption. Here encryption and decryption are formalized as functions C and D, respectively, such that D(C(x)) = x for any message x. In 1949 Shannon formalized the notion of secrecy [59]. He formally proved the unconditional security (in his security model) of the Vernam cipher which had been published in 1926 [71]. Unfortunately, this scheme happens to be quite expensive to implement for networking because the sender and the receiver need to be synchronized, and they need quite cumbersome huge keys.
  • Resistance Against Iterated Attacks by Decorrelation Revisited
    Resistance Against Iterated Attacks by Decorrelation Revisited. Aslı Bay, Atefeh Mashatan, and Serge Vaudenay, EPFL, Switzerland, {asli.bay, atefeh.mashatan, [email protected]
    Abstract. Iterated attacks are comprised of iterating adversaries who can make d plaintext queries, in each iteration to compute a bit, and are trying to distinguish between a random cipher C and the ideal random cipher C∗ based on all bits. In EUROCRYPT '99, Vaudenay showed that a 2d-decorrelated cipher resists iterated attacks of order d when iterations make almost no common queries. Then, he first asked what the necessary conditions are for a cipher to resist a non-adaptive iterated attack of order d. Secondly, he speculated that repeating a plaintext query in different iterations does not provide any advantage to a non-adaptive distinguisher. We close here these two long-standing open problems. We show that, in order to resist non-adaptive iterated attacks of order d, decorrelation of order 2d − 1 is not sufficient. We do this by providing a counterexample consisting of a cipher decorrelated to the order 2d − 1 and a successful non-adaptive iterated attack of order d against it. Moreover, we prove that the aforementioned claim is wrong by showing that a higher probability of having a common query between different iterations can translate to a high advantage of the adversary in distinguishing C from C∗. We provide a counterintuitive example consisting of a cipher decorrelated to the order 2d which can be broken by an iterated attack of order 1 having a high probability of common queries.
  • Statistical Cryptanalysis of Block Ciphers
    STATISTICAL CRYPTANALYSIS OF BLOCK CIPHERS. Thesis No. 3179 (2005), presented to the Faculty of Computer and Communication Sciences, Institute of Communication Systems, Communication Systems Section, École Polytechnique Fédérale de Lausanne, for the degree of Doctor of Science, by Pascal JUNOD, computer engineer (EPF graduate), of Swiss nationality and originally from Sainte-Croix (VD), accepted on the proposal of the jury: Prof. S. Vaudenay, thesis director; Prof. J. Massey, reviewer; Prof. W. Meier, reviewer; Prof. S. Morgenthaler, reviewer; Prof. J. Stern, reviewer. Lausanne, EPFL 2005.
    To Mimi and Chloé.
    Acknowledgments. First of all, I would like to warmly thank my supervisor, Prof. Serge Vaudenay, for having given to me such a wonderful opportunity to perform research in a friendly environment, and for having been the perfect supervisor that every PhD would dream of. I am also very grateful to the president of the jury, Prof. Emre Telatar, and to the reviewers Prof. em. James L. Massey, Prof. Jacques Stern, Prof. Willi Meier, and Prof. Stephan Morgenthaler for having accepted to be part of the jury and for having invested such a lot of time for reviewing this thesis. I would like to express my gratitude to all my (former and current) colleagues at LASEC for their support and for their friendship: Gildas Avoine, Thomas Baignères, Nenad Buncic, Brice Canvel, Martine Corval, Matthieu Finiasz, Yi Lu, Jean Monnerat, Philippe Oechslin, and John Pliam. Without them, the EPFL (and the crypto) would not be so fun! Without their support, trust and encouragement, the last part of this thesis, FOX, would certainly not be born: I owe to MediaCrypt AG, especially to Ralf Kastmann and Richard Straub many, many, many hours of interesting work.
  • Standard Grant Application Form
    Scientific articles (partial list)
    1. Houda Ferradi, Rémi Géraud, Diana Maimut, David Naccache, Amaury de Wargny: Regulating the Pace of von Neumann Correctors. IACR Cryptology ePrint Archive 2015: 849 (2015).
    2. Houda Ferradi, Rémi Géraud, David Naccache and Assia Tria: When Organized Crime Applies Academic Results - A Forensic Analysis of an In-Card Listening Device. IACR Cryptology ePrint Archive 2015: 963 (2015).
    3. Ehsan Aerabi, A. Elhadi Amirouche, Houda Ferradi, Rémi Géraud, David Naccache and Jean Vuillemin: The Conjoined Microprocessor. IACR Cryptology ePrint Archive 2015: 974 (2015).
    4. Diana Maimut, David Naccache, Rodrigo Portella do Canto, and Emil Simion: Applying Cryptographic Acceleration Techniques to Error Correction. Proceedings of SECITC 2015, to appear in Springer LNCS 2015.
    5. Eric Brier, Jean-Sébastien Coron, Rémi Géraud, Diana Maimut and David Naccache: A Number-Theoretic Error-Correcting Code. Proceedings of SECITC 2015, to appear in Springer LNCS 2015.
    6. Céline Chevalier, Damien Gaumont, David Naccache: How to (Carefully) Breach a Service Contract? Festschrift for David Kahn volume. Springer LNCS 9100 (to appear).
    7. Jean-Luc Danger, Sylvain Guilley, Philippe Hoogvorst, Cédric Murdica, David Naccache: Improving the Big Mac Attack on Elliptic Curve Cryptography. Festschrift for David Kahn volume. Springer LNCS 9100 (to appear).
    8. Pierre-Alain Fouque, Sylvain Guilley, Cédric Murdica and David Naccache: Safe-Errors on SPA Protected Implementations with the Atomicity Technique. IACR Cryptology ePrint Archive 2015: 764 (2015). Festschrift for David Kahn volume. Springer LNCS 9100 (to appear).
    9. Houda Ferradi, Rémi Géraud, Diana Maimut, David Naccache and Hang Zho: Backtracking-Assisted Multiplication. IACR Cryptology ePrint Archive 2015: 787 (2015).
  • Linear Cryptanalysis of Non Binary Ciphers with an Application to SAFER
    Linear Cryptanalysis of Non Binary Ciphers with an Application to SAFER. Thomas Baignères (1), Jacques Stern (2), and Serge Vaudenay (1). (1) EPFL, CH-1015 Lausanne, Switzerland, [email protected], [email protected]. (2) École normale supérieure, Département d'Informatique, 45, rue d'Ulm, 75230 Paris Cedex 05, France, [email protected].
    Abstract. In this paper we re-visit distinguishing attacks. We show how to generalize the notion of linear distinguisher to arbitrary sets. Our thesis is that our generalization is the most natural one. We compare it with the one by Granboulan et al. from FSE'06 by showing that we can get sharp estimates of the data complexity and cumulate characteristics in linear hulls. As a proof of concept, we propose a better attack on their toy cipher TOY100 than the one that was originally suggested and we propose the best known plaintext attack on SAFER K/SK so far. This provides new directions to block cipher cryptanalysis even in the binary case. On the constructive side, we introduce DEAN18, a toy cipher which encrypts blocks of 18 decimal digits and we study its security.
    1 Introduction and Mathematical Background. In the digital age, information is always seen as a sequence of bits and, naturally, most practical block ciphers and cryptanalytic tools assume that the text space is made of binary strings. In the literature, a block cipher over a finite set M is commonly defined as a set of permutations C_k : M → M indexed by a key k, with M = {0, 1}^ℓ [36].
  • Tweakable Block Ciphers
    Tweakable Block Ciphers. Moses Liskov (1), Ronald L. Rivest (1), and David Wagner (2). (1) Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge, MA 02139, USA, e-mail: [email protected], [email protected]. (2) University of California Berkeley, Soda Hall, Berkeley, CA 94720, USA, e-mail: [email protected].
    Abstract. We propose a new cryptographic primitive, the "tweakable block cipher." Such a cipher has not only the usual inputs (message and cryptographic key) but also a third input, the "tweak." The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our proposal thus brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher "tweakable" is small, and (3) it is easier to design and prove modes of operation based on tweakable block ciphers.
    Keywords: block ciphers, tweakable block ciphers, initialization vector, modes of operation.
    1 Introduction. A conventional block cipher takes two inputs, a key K ∈ {0,1}^k and a message (or plaintext) M ∈ {0,1}^n, and produces a single output, a ciphertext C ∈ {0,1}^n. The signature for a block cipher is thus (see Figure 1(a)): E : {0,1}^k × {0,1}^n → {0,1}^n. (1) On the other hand, the corresponding operators for variable-length encryption have a different signature. These operators are usually defined as "modes of operation" for a block cipher, but they may also be viewed abstractly as another set of encryption operators.
  • Provable Security of Block Ciphers Against Linear Cryptanalysis - a Mission Impossible?
    Provable Security of Block Ciphers Against Linear Cryptanalysis - a Mission Impossible? An Experimental Review of the Practical Security Approach and the Key Equivalence Hypothesis in Linear Cryptanalysis. Gilles Piret (1), François-Xavier Standaert (2). (1) Oberthur Card Systems, Nanterre, France. (2) UCL Crypto Group, Microelectronics Laboratory, Louvain-la-Neuve, Belgium.
    Abstract. In this paper, we are concerned with the security of block ciphers against linear cryptanalysis and discuss the distance between the so-called practical security approach and the actual theoretical security provided by a given cipher. For this purpose, we present a number of illustrative experiments performed against small (i.e. computationally tractable) ciphers. We compare the linear probability of the best linear characteristic and the actual best linear probability (averaged over all keys). We also test the key equivalence hypothesis. Our experiments illustrate both that provable security against linear cryptanalysis is not achieved by present design strategies and the relevance of the practical security approach. Finally, we discuss the (im)possibility to derive actual design criteria from the intuitions underlined in these experiments.
    Keywords: Symmetric Cryptography, Block Ciphers, Linear Cryptanalysis. AMS Classification: 94A60.
    1 Introduction. The linear cryptanalysis [15, 22] is one of the most powerful attacks against block ciphers. However, although a number of commonly accepted strategies have been developed to provide practical security against such adversaries (most famously, the wide-trail strategy [6] that has been used for the design of the AES Rijndael [7]), the foundations of these important techniques are mainly based on a number of practically acceptable but theoretically disputable hypotheses. In addition, actual solutions to counteract linear cryptanalysis are frequently based on heuristics rather than on a sound theoretical framework allowing provable security.