Block Ciphers Security of block ciphers. Symmetric Ciphers


Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016.

Slide 26
- Assume encryption and decryption use the same key. Will discuss how to distribute the key to all parties later.
- Symmetric ciphers are unusable for authentication of the sender.
- Kinds of symmetric ciphers:
  - Block cipher: symmetric cipher operating on fixed-length groups of bits, called blocks.
  - Stream cipher: symmetric cipher encrypting plaintext continuously. Digits are encrypted one at a time, differently for each bit.

Slide 27: Players
We have the following main players:
- Alice: sender of an encrypted message.
- Bob: intended receiver of the encrypted message. Assumed to have the key.
- Eve: (passive) attacker intercepting messages and trying to identify plaintexts or keys.
- Mallory: (active) attacker intercepting and modifying messages to identify plaintexts or keys.
[Figure: diagram with the labels Alice, Encryption, Key, Eve, Mallory, Decryption, Key, Bob]

Slide 28: Feistel Cipher
- Invented in 1971 at IBM.
- Important class of ciphers (e.g. Blowfish, DES, 3DES).
- Same encryption scheme applied iteratively for several rounds.
- Important step: derive the next message state from the previous message state via a special function called the Feistel function.
- Each round works as follows:
  1. Split the input in half.
  2. Apply the Feistel function to the right half.
  3. Compute the xor of the result with the old left half to be the new left half.
  4. Swap the old right and new left half, unless we are in the last round.

Slide 29: Feistel Cipher, continued
Formal definition:
- Split the plaintext block in two equal pieces $M = (L_0, R_0)$.
- For each round $i = 0, 1, \ldots, r-1$ compute
  $$L_{i+1} = R_i$$
  $$R_{i+1} = L_i \oplus F(K_i, R_i)$$
- The ciphertext is $C = (R_r, L_r)$.
[Figure: one Feistel round, with the labels $L_i$, $R_i$, $F$, $K_i$, $L_{i+1}$, $R_{i+1}$]

Slide 30: Decryption
Works as encryption, but with a reversed order of keys:
- Split the ciphertext block in two equal pieces $C = (R_r, L_r)$.
- For each round $i = r, r-1, \ldots, 1$ compute
  $$R_{i-1} = L_i$$
  $$L_{i-1} = R_i \oplus F(K_{i-1}, L_i)$$
- The plaintext is $M = (L_0, R_0)$.
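Added example (not part of the original slides): the round equations of slides 29 and 30 in Python, showing that decryption is the same network run with the round keys reversed, even though F itself is not invertible. The round function (truncated SHA-256), the 64-bit block size and the four round keys are assumptions made for illustration; they are not DES's F or key schedule.

```python
import hashlib

HALF_BITS = 32                      # assumed half-block size (64-bit block)
MASK = (1 << HALF_BITS) - 1

# Constructed round keys K_0..K_3 (illustrative, no key schedule involved).
ROUND_KEYS = [b"k0-demo", b"k1-demo", b"k2-demo", b"k3-demo"]


def round_function(round_key, half):
    """Stand-in F(K_i, R_i): first 32 bits of SHA-256(K_i || R_i).

    F is deliberately one-way; the Feistel structure never inverts it.
    """
    digest = hashlib.sha256(round_key + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def feistel(block, round_keys):
    """Run the network over one 64-bit block with the keys in the given order."""
    left, right = block >> HALF_BITS, block & MASK        # (L_0, R_0)
    for key in round_keys:
        # L_{i+1} = R_i ;  R_{i+1} = L_i xor F(K_i, R_i)
        left, right = right, left ^ round_function(key, right)
    # Output (R_r, L_r): the halves are not swapped back after the last round.
    return (right << HALF_BITS) | left


def encrypt(block, round_keys=ROUND_KEYS):
    return feistel(block, round_keys)


def decrypt(block, round_keys=ROUND_KEYS):
    # Same network, reversed order of keys.
    return feistel(block, round_keys[::-1])


if __name__ == "__main__":
    m = 0x0123456789ABCDEF          # constructed plaintext block
    c = encrypt(m)
    print(f"M = {m:016x}  C = {c:016x}  D(C) = {decrypt(c):016x}")
```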

Slide 31: DES
- Data Encryption Standard (DES) adopted in 1976.
- Key size too small for today's computers (can be broken within 10 hours).
- Variants still provide good security.

Slide 32: Overview of DES
[Figure: overview of DES, with the labels Plaintext block, Initial Permutation IP, $L_0$, $R_0$, a round with $L_i$, $R_i$, $F$, $K_i$, $L_{i+1}$, $R_{i+1}$, then $R_{16}$, $L_{16}$, Final Permutation $IP^{-1}$, Ciphertext block]

Slide 33: Design parameters
- Block length is 64 bits.
- Number of rounds R is 16.
- Key length is 56 bits.
- Round key length is 48 bits for each subkey $K_0, \ldots, K_{15}$. Subkeys are derived from the 56-bit key via a special key schedule.

Slide 34: DES Feistel function
Four-stage procedure:
- Expansion permutation: expand the 32-bit message half block to a 48-bit block by doubling 16 bits and permuting them.
- Round key addition: compute the xor of this 48-bit block with the round key $K_i$.
- S-Box: split the 48 bits into eight 6-bit blocks. Each of them is given as input to one of eight substitution boxes, which substitute the 6-bit block by a 4-bit block.
- P-Box: combine these eight 4-bit blocks into a 32-bit block and apply another permutation.

Slide 35: DES Feistel function, continued
[Figure: DES Feistel function. Source: Wikipedia]

Slide 36: DES-operations
Have three special operations:
- Cyclic shifts on bitstring blocks: we denote by b <<< n the move of the bits of block b by n to the left. Bits that would have fallen out are added at the right side of b. b >>> n is defined similarly.
- Permutations on the position of bits: written down as the output order of the input bits. Example: the permutation 4 1 2 3 means that the fourth input bit becomes the first output bit, the first input bit becomes the second output bit, the second input bit becomes the third output bit, and the third input bit becomes the fourth output bit.
- Sometimes, we use the word permutation for bit re-arrangements that include duplication or dropping of bits, even though that is not a proper permutation.

Slide 37: S-boxes
An S-box substitution is a table lookup. Input is 6 bits, output is 4 bits. It works as follows:
- Strip out the outer bits of the input and join them. This two-bit number is the row index.
- The four inner bits indicate the column number.
- The output is the corresponding entry in the table.

Slide 38: Key schedule
- Have different keys for each round, computed by the so-called key schedule.
- The 64-bit key is actually a 56-bit key plus 8 parity bits.
- First apply a permutation PC-1 which removes the parity bits. This results in 56 bits.
- Split the result into halves to obtain $(C_0, D_0)$.
- For each round we compute
  $$C_i = C_{i-1} \lll p_i$$
  $$D_i = D_{i-1} \lll p_i$$
  where
  $$p_i = \begin{cases} 1 & \text{if } i = 1, 2, 9, 16 \\ 2 & \text{otherwise} \end{cases}$$
- Now we join $C_i$ and $D_i$ together, and apply a permutation PC-2 which produces a 48-bit output.

Slide 39: Definition
A function $\epsilon : \mathbb{N} \to \mathbb{R}^+$ is called negligible if for all $d$ there exists an $x_d$ such that for all $x \geq x_d$, $\epsilon(x) \leq \frac{1}{x^d}$.

Slide 40
To define the security of block ciphers, we look at a more abstract notion: pseudorandom permutations.
Definition. Let $X = \{0, 1\}^n$. A pseudorandom permutation over $(K, X)$ is a function $E : K \times X \to X$ such that
- there exists an efficient deterministic algorithm to compute $E(k, x)$ for any $k$ and $x$;
- the function $E(k, \cdot)$ is one-to-one for each $k$;
- there exists a function $D : K \times X \to X$ which is efficiently computable, and $D(k, E(k, x)) = x$ for all $k$ and $x$.

Slide 41: Security of pseudorandom permutations
- A pseudorandom permutation is secure if an adversary (who can call it) can't distinguish it from a genuine random permutation.
- Suppose $X$ has size $N$. There are $N!$ permutations $X \to X$. There are $|K|$ pseudorandom permutations.
- If $n = 64$ and $X = K = \{0, 1\}^n$, then these numbers are $(2^n)!$ and $2^n$.
- So there are far fewer pseudorandom permutations than there are permutations in total.

Slide 42: Definition
Let $X = \{0, 1\}^n$, let $\mathcal{F}$ be the set of all permutations on $X$, and let $E$ be a pseudorandom permutation over $(K, X)$. Define the following game between the attacker and the challenger:
- The challenger chooses a random bit $b \in \{0, 1\}$.
- If $b = 0$, the challenger chooses a $k \in K$ at random, and if $b = 1$, the challenger chooses a permutation $f$ on $X$ at random.
- The attacker does arbitrary computations.
- The attacker has access to a black box, which is a function from $X$ to $X$ operated by the challenger. He can ask the challenger for the values $g(x_1), \ldots, g(x_n)$ during his computation.
- If $b = 0$, the challenger answers the query $g(x_i)$ by returning $E(k, x_i)$, and if $b = 1$, the answer is $f(x_i)$.
- Eventually the attacker outputs a bit $b' \in \{0, 1\}$.
The attacker wins this game if $b = b'$.

Slide 43: The attacker's power in security games
- In security games, the attacker can only do efficient operations, and only efficiently many of them.
- Formally: the attacker is a probabilistic polynomial-time Turing machine (PPT).
- Importantly: the attacker cannot search through all keys, as the number of possible keys increases exponentially with the length of the key.

Slide 44: Definition
A pseudorandom permutation $E : K \times X \to X$ is secure if for all PPT attackers $A$,
$$\left| \Pr[b = b'] - \tfrac{1}{2} \right|$$
is negligible in the size of $K$.
Note that $\left| \Pr[b = b'] - \tfrac{1}{2} \right|$ is a function of the size of $K$.

Slide 45: Example 1
Let $X = \{0, 1\}^n$ and $K = \{1, \ldots, n\}$. Let $E(k, x)$ be computed as follows: apply the Rail Fence cipher bitwise to $x$ with key $k$. Is that a secure pseudorandom permutation?

Slide 46: Example 2
Let $X = \{A, B, \ldots, Z\}^n$ and $K$ = {the set of permutations on $\{A, B, \ldots, Z\}$}. Let $E(k, x)$ be computed as follows: apply the permutation $k$ to each of the characters of $x$ in turn. Is that a secure pseudorandom permutation?
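Added example (not part of the original slides): the distinguishing game of slide 42 played against the cipher of Example 2, with a one-query attacker. The block length N = 8, the lazily sampled random permutation f and the names Challenger, attacker and win_rate are assumptions made for this sketch.

```python
import random
import string

ALPHABET = string.ascii_uppercase
N = 8  # block length in characters (constructed parameter)


def E(k, x):
    """Example 2: apply the letter permutation k to each character of x."""
    return "".join(k[c] for c in x)


class Challenger:
    def __init__(self, rng):
        self.rng = rng
        self.b = rng.randrange(2)                 # secret bit b
        letters = list(ALPHABET)
        rng.shuffle(letters)
        self.k = dict(zip(ALPHABET, letters))     # key, used when b = 0
        self.f, self.used = {}, set()             # random f, used when b = 1

    def g(self, x):
        """The black box: E(k, x) if b = 0, f(x) if b = 1."""
        if self.b == 0:
            return E(self.k, x)
        if x not in self.f:
            # Lazily sample f(x) uniformly among outputs not yet assigned,
            # which is how a uniformly random permutation on X behaves.
            while True:
                y = "".join(self.rng.choice(ALPHABET) for _ in range(N))
                if y not in self.used:
                    break
            self.used.add(y)
            self.f[x] = y
        return self.f[x]


def attacker(g):
    """One query: E(k, 'AA...A') always consists of one repeated letter."""
    y = g("A" * N)
    return 0 if len(set(y)) == 1 else 1           # the guess b'


def win_rate(trials, seed=1):
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        challenger = Challenger(rng)
        wins += attacker(challenger.g) == challenger.b
    return wins / trials


if __name__ == "__main__":
    print("Pr[b = b'] is approximately", win_rate(1000))
```

A random permutation maps the all-A block to a repeated-letter block with probability 26/26^N, so Pr[b = b'] stays close to 1 and the quantity on slide 44 is close to 1/2, which is not negligible.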