block ciphers the basics
play

Block Ciphers - The Basics Lars R. Knudsen Spring 2011 L.R. - PowerPoint PPT Presentation

Mar 23, 2023 •482 likes •1.27k views

Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Block Ciphers - The Basics Lars R. Knudsen Spring 2011 L.R. Knudsen Block Ciphers - The Basics Intro Attack on iterated ciphers Differential cryptanalysis

  1. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Block Ciphers - The Basics Lars R. Knudsen Spring 2011 L.R. Knudsen Block Ciphers - The Basics

  2. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Content Introduction Iterated ciphers Cryptanalysis Differential cryptanalysis Linear cryptanalysis L.R. Knudsen Block Ciphers - The Basics

  3. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Symmetric encryption Same key for encryption and decryption Two types Block ciphers Stream ciphers L.R. Knudsen Block Ciphers - The Basics

  4. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Symmetric encryption: Model of reality Enemy M -Source ✻ m ❄ ✲ ✲ c c m sender receiver insecure channel ✻ ✻ k k secure channel K -Source L.R. Knudsen Block Ciphers - The Basics

  5. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Symmetric encryption Kerckhoffs’ principle Everything is known to an attacker except for the value of the secret key. Attack scenarios Ciphertext only Known plaintext Chosen plaintext/ciphertext Adaptive chosen plaintext/ciphertext (black-box) L.R. Knudsen Block Ciphers - The Basics

  6. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis From classical crypto to modern crypto looking back.. (almost) all ciphers before 1920s very weak 1920s, rotor machines, mechanical crypto Enigma, Germany Sigaba, USA Typex, UK 1970s, computers take over from rotor machines ciphers operate on long sequence of bits (bytes) L.R. Knudsen Block Ciphers - The Basics

  7. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Block ciphers Input block m , output block c , key k k ❄ ✲ ✲ m e c e : { 0 , 1 } n × { 0 , 1 } κ → { 0 , 1 } n given k easy to encrypt and decrypt given m , c hard to compute k , such that e k ( m ) = c one-way function: f ( k ) = e k ( m 0 ) for fixed m 0 L.R. Knudsen Block Ciphers - The Basics

  8. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Block ciphers Applications block encryption (symmetric) pseudorandom number generators/stream ciphers message authentication codes building block in hash functions one-way functions L.R. Knudsen Block Ciphers - The Basics

  9. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Block cipher, n -bit blocks, κ -bit key family of n -bit permutations # n -bit permutations in block cipher: 2 κ # n -bit permutations: 2 n ! ≃ (2 n − 1 ) 2 n DES: n = 64 , κ = 56 AES: n = 128 , κ = 128 , 192 , 256 design aim: choose the 2 κ permutations uniformly at random from the set of all 2 n ! permutations L.R. Knudsen Block Ciphers - The Basics

  10. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Cryptanalysis Assumption Assume cryptanalyst has access to black-box implementing block cipher with secret key k Aims of cryptanalyst find key k , or find ( m , c ) such that e k ( m ) = c for unknown k , or distinguish member of block cipher from randomly chosen permutation L.R. Knudsen Block Ciphers - The Basics

  11. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Generic, brute-force attacks Block size n , key size κ 1 exhaustive key search try all keys, one by one ⌈ κ/ n ⌉ texts, time 2 κ , storage small 2 table attack store e k ( m 0 ) for all k storage 2 κ , time (of attack) small 3 Hellman tradeoffs of 1 and 2, e.g. n = κ , 2 2 n / 3 time & memory L.R. Knudsen Block Ciphers - The Basics

  12. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Generic, brute-force attacks (cont.) Dictionary and birthday attacks known plaintexts: Collect pairs ( m , c ) ciphertext-only: Collect ciphertexts, look for matches c i = c j . Example CBC mode 1 Collect 2 n / 2 ciphertext blocks 2 With 2 equal ciphertext blocks c i = c j ⇒ e k ( m i ⊕ c i − 1 ) = e k ( m j ⊕ c j − 1 ) ⇒ m i ⊕ m j = c i − 1 ⊕ c j − 1 (similar attacks for ECB and CFB) L.R. Knudsen Block Ciphers - The Basics

  13. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Short-cut attacks Success dependent on intrinsic properties of e ( · ) Differential cryptanalysis Linear cryptanalysis Interpolation attacks Integral attacks Related key attacks Variants of the above: higher-order differentials, truncated differentials, mod n attack, boomerang attack, ..... L.R. Knudsen Block Ciphers - The Basics

  14. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES, AES, . . . ) k 0 k 1 k 2 kr ↓ ↓ ↓ ↓ m − → ⊕− → g − → ⊕− → g − → ⊕ · · · · · · − → g − → ⊕− → c plaintext m , ciphertext c , key k key-schedule: user-selected key k → k 0 , . . . , k r round function, g , weak by itself idea: g r , strong for “large” r L.R. Knudsen Block Ciphers - The Basics

  15. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis DES History developed in early 70’s by IBM using 17 man years evaluation by National Security Agency (US) 1975: publication of proposed standard public discussion (trapdoors, key size) 1977: publication of FIPS 46 (DES) most realistic attack is exhaustive search for key L.R. Knudsen Block Ciphers - The Basics

  16. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis DES Parameters block size 64 bits key size 64 bits, effective 56 bits 16 round Feistel cipher Feistel network ✛ ✛ ⊕ f L.R. Knudsen Block Ciphers - The Basics

  17. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis DES Results ∀ m , k : c = DES k ( m ) ⇐ ⇒ c = DES k ( m ) 4 weak keys: DES k ( DES k ( m )) = m , ∀ m 6 pairs of semi-weak keys: DES k 1 = DES − 1 k 2 differential cryptanalysis (1991), 2 47 chosen plaintexts linear cryptanalysis (1993), 2 45 known plaintexts key search engine (98-99), 1 mio US$, 1 key/30 min. record for finding DES-key: 22 hours, 1999 L.R. Knudsen Block Ciphers - The Basics

  18. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis AES Advanced Encryption Standard US governmental encryption standard open (world) competition announced January 97 keys: choice of 128-bit, 192-bit, and 256-bit keys blocks: 128 bits October 2000: AES=Rijndael standard: FIPS 197, November 2001 iterated cipher, 10, 12 or 14 iterations depending on key L.R. Knudsen Block Ciphers - The Basics

  19. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Multiple encryption 1 assume e · ( · ) is a block cipher k 1 k 2 2 double encryption ↓ ↓ m − → e − → e − → c 3 triple encryption k 1 k 2 k 3 ↓ ↓ ↓ m − → e − → e − → e − → c L.R. Knudsen Block Ciphers - The Basics

  20. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Triple-DES e k ( · ), d k ( · ): single encryption and decryption two-key triple DES: c = e k 1 ( d k 2 ( e k 1 ( m ))) known attack: time ≃ 2 120 / 2 t , 2 t known plaintexts tripleDES: c = e k 3 ( e k 2 ( e k 1 ( m ))) known attack: time ≃ 2 112 , 2 known plaintexts, memory ≈ 2 56 L.R. Knudsen Block Ciphers - The Basics

  21. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Provably secure encryption (assuming ideal components) 1 assume p ( · ) is ideal n -bit bijection (permutation) 2 Even-Mansour (1991) k 0 k 1 ↓ ↓ m − → ⊕− → p − → ⊕− → c 3 security bound of 2 n / 2 4 bound tight, attack by Daemen L.R. Knudsen Block Ciphers - The Basics

  22. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Provably secure encryption (assuming ideal components) 1 assume p ( · ) and q ( · ) are two ideal n -bit bijections 2 Knudsen-Leander et al. (work in progress) k 0 k 1 k 2 ↓ ↓ ↓ m − → ⊕− → p − → ⊕− → q − → ⊕− → c 2 3 security bound of 2 3 n r r +1 n 4 with r “rounds”, bound is 2 L.R. Knudsen Block Ciphers - The Basics

  23. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Generic attack: r-round iterated ciphers k 0 k 1 k 2 cr − 1 kr ↓ ↓ ↓ ↓ ↓ m − → ⊕− → g − → ⊕− → g − → ⊕ · · · · · · − → g − → ⊕− → c 1 assume “correlation” between m and c r − 1 2 given a number of pairs ( m , c ) 3 repeat for all pairs and all values i of k r : let c ′ = g − 1 ( c ⊕ i ), compute x = cor( m , c ′ ) 1 if key gives cor( m , c r − 1 ), increment counter 2 4 value of i which yields cor( m , c r − 1 ) taken as value of k r L.R. Knudsen Block Ciphers - The Basics

  24. Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Differential cryptanalysis - (Biham-Shamir 1991) chosen plaintext attack assume x is combined with key, k , via group operation ⊗ define difference of x 1 and x 2 as ∆( x 1 , x 2 ) = x 1 ⊗ x − 1 2 difference same after combination of key ∆( x 1 ⊗ k , x 2 ⊗ k ) = x 1 ⊗ k ⊗ k − 1 ⊗ x − 1 = ∆( x 1 , x 2 ) 2 definition of difference relative to cipher (often exor) L.R. Knudsen Block Ciphers - The Basics

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation

Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation

Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation Introduction to Computer Security Announcements Cryptography, symmetric and public-key Hash functions and MACs Stephen McCamant Building a secure

440 views • 11 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and Break them Eric Filiol, filiol@esiea.fr ESIEA -

808 views • 64 slides
Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

CSS441 Block Ciphers Principles DES Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

788 views • 50 slides
Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu Iwata Nagoya University, Japan FSE 2020 November 913, 2020, Virtual 1 / 19 Block Ciphers block cipher (BC) E : K { 0 , 1 } n { 0

530 views • 24 slides
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the

334 views • 8 slides
Two ways of building round functions for block ciphers Joan Daemen Radboud University ibenik

Two ways of building round functions for block ciphers Joan Daemen Radboud University ibenik

Two ways of building round functions for block ciphers Joan Daemen Radboud University ibenik summer school 2016 1 / 44 Outline 1 Block ciphers and statistical attacks 2 Correlation basics 3 Wide trail strategy: strongly-aligned flavor

620 views • 59 slides
Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 2 October, 2012 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers DES II.

588 views • 10 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

1 B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n is called a block cipher . The positive integer n denotes the block size ( block length ). 3 B.25 Remark and Convention The encryption

709 views • 67 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018 Announcements Project 1 is out, due Feb 14 midnight Recall: Block cipher A function E : {0, 1} k {0, 1} n

553 views • 32 slides
T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES

T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES

T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES 3.3 IDEA 3.4 AES Kaufman et al: Chapter 3 Stallings: Chapters 3, 5 1 Block ciphers Confidentiality primitive Threat: recover the plaintext

774 views • 15 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Sept 15, 2016 Announcements Project due Sept 20 Recall: Block cipher A function E : {0, 1} k {0, 1} n {0, 1} n . Once

417 views • 30 slides
T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher confidentiality modes of operation Kaufman et al: Ch 4 Stallings: Ch 6, Ch 3 1 Stream ciphers Stream ciphers are generally faster than block

535 views • 12 slides
More on Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

More on Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

More on Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 4 Page 1 CS 236 Online Outline Desirable characteristics of ciphers Stream and block ciphers Cryptographic modes Uses of

475 views • 29 slides
Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Technical University

Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Technical University

Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Technical University of Darmstadt 1 1. General Introduction 2. Multivariate public key cryptosystems 3. Challenges 2 1 General Introduction In June 2006, in Belgium,

1.06k views • 68 slides
IETF Security Tutorial Radia Perlman March, 2007 (radia.perlman@sun.com) 1 Why an IETF

IETF Security Tutorial Radia Perlman March, 2007 (radia.perlman@sun.com) 1 Why an IETF

IETF Security Tutorial Radia Perlman March, 2007 (radia.perlman@sun.com) 1 Why an IETF Security Tutorial? Security is important in all protocols; not just protocols in the security area IETF specs mandated to have a security

1.29k views • 95 slides
S-Box Decompositions and some Applications L eo Perrin January 28, 2019, Nancy My Area of

S-Box Decompositions and some Applications L eo Perrin January 28, 2019, Nancy My Area of

S-Box Decompositions and some Applications L eo Perrin January 28, 2019, Nancy My Area of Research: Symmetric Cryptography From Russia With Love Cryptanalysis of a Theorem Conclusion Curriculum Currently : post-doc at SECRET in Inria Paris

1.39k views • 99 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
Open problems in the design of cryptographic applications based on Cellular Automata Luca Mariot

Open problems in the design of cryptographic applications based on Cellular Automata Luca Mariot

University of Milano-Bicocca Department of Informatics, Systems and Communications Open problems in the design of cryptographic applications based on Cellular Automata Luca Mariot luca.mariot@disco.unimib.it Delft June 19, 2018 Context

329 views • 21 slides
s rtr s

s rtr s

s rtr s t tts 1 1 , 2 r

798 views • 66 slides

More recommend