complementing feistel ciphers
play

Complementing Feistel Ciphers Ivica Nikoli c (joint work with Alex - PowerPoint PPT Presentation

Nov 04, 2022 •175 likes •426 views

Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Complementing Feistel Ciphers Ivica Nikoli c (joint work with Alex Biryukov) Nanyang Technological University, Singapore

  1. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Complementing Feistel Ciphers Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg 11 March 2013 Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  2. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion 1 Complementation Property 2 General Complementation Property 3 Application to Camellia-128 4 Application to GOST 5 Conclusion Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  3. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion What is complementation property In DES, if you complement/flip all bits of plaintext and key, then all bits of ciphertext would flip If DES K ( P ) = C then DES K ( P ) = C Results: Distinguisher with only two queries Reduction of exhaustive key search by factor 2 Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  4. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Why does it work Complementation/ All bit flip = difference 11 . . . 11 Diff. 11 . . . 11 in master key = > diff. 11 . . . 11 in subkeys Difference 11 . . . 11 in the state and the subkey cancel Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  5. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion 1 Complementation Property 2 General Complementation Property 3 Application to Camellia-128 4 Application to GOST 5 Conclusion Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  6. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion How to relax the requirements Original: If in Feistel cipher, for any key one flips all of the bits ... Ideas for general: Not applicable to all keys, i.e. weak-key class Not necessarily flip all the bits Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  7. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion General complementation Partial-alternating : Start with (∆ 1 , ∆ 2 ) in the plaintext Weak-key : KS (∆) → (∆ 1 , ∆ 2 , . . . , ∆ 1 , ∆ 2 ) for some K Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  8. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Outcome Lemma (Classical Feistel) If for n-bit cipher with k-bit keys p ∃ ∆ : KS ( K ⊕ ∆) ⊕ KS ( K ) → (∆ 1 , ∆ 2 , ∆ 1 , ∆ 2 , . . . , ∆ 1 , ∆ 2 ) − Then, if p > 2 − k , distinguisher for a weak-key class of size p · 2 k exists for the cipher. Problem: how to find the differential in the key schedule Result: RK differential where the state characteristic has probability 1 Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  9. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Outcome Modular Feistel = subkeys are modularly added to the state Lemma (Modular Feistel) If for n-bit cipher with k-bit keys p ∃ ∆ : KS ( K ⊕ ∆) ⊕ KS ( K ) − → (∆ 1 , ∆ 2 , ∆ 1 , ∆ 2 , . . . , ∆ 1 , ∆ 2 ) Then, if p · 2 −⌈ r 2 ⌉ ( | (∆ 1 ) n − 1 | + | (∆ 2 ) n − 1 | ) > 2 − k and 2 −⌈ r 2 ⌉ ( | (∆ 1 ) n − 1 | + | (∆ 2 ) n − 1 | ) > 2 − n , distinguisher for a weak-key class of size p · 2 k exists for the cipher. Problem: how to find char. in the key schedule with low hamming weight output difference Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  10. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion 1 Complementation Property 2 General Complementation Property 3 Application to Camellia-128 4 Application to GOST 5 Conclusion Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  11. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Specification Camellia-128 is Japanese CRYPTREC standard 128-bit state/key classical Feistel cipher with 2 additional non-linear layers 18 rounds Key schedule composed of 4 rounds of Feistels and rotations We analyze the cipher without the non-linear layers ! Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  12. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Key schedule Intermediate key K A is obtained from the master key K L in four Feistel rounds All subkeys are particular 32-bit values of rotations of K A , K L on various amounts The difference in the subkey has to be invariant of rotations = > only choice is: ∆ K L → ∆ K A : 11 . . . 11 → 11 . . . 11 Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  13. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Differential in the key schedule If we go with characteristic 11 . . . 11 → 11 . . . 11, the probability is too low as there are too many active S-boxes Switch to differentials: compute the number of characteristics in the differential 11 . . . 11 → 11 . . . 11 compute the lower bound on probability of each characteristic obtain the lower bound on probability of differential Result: the differential has a probability of at least 2 − 128 , i.e. there is on good key Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  14. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Applications Weak-key class is too small for attack on the cipher Switch to hash functions, e.g. Davies-Meyer mode based on Camellia-128 The right key/message can be found with 2 112 encryptions The right message produces collisions for any chaining value (key whitening introduces the right difference at the beginning and cancels the difference at the end) q -differential multicollisions with 2 112 calls for the hash function Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  15. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion 1 Complementation Property 2 General Complementation Property 3 Application to Camellia-128 4 Application to GOST 5 Conclusion Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  16. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Specification GOST is Russian encryption standard 64-bit state, 256-bit key modular Feistel cipher 32 rounds No key schedule, only word permutations Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  17. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Key schedule and differentials Master key words: K 1 , . . . , K 8 Subkey words: K 1 , . . . , K 8 , K 1 , . . . , K 8 , K 1 , . . . , K 8 , K 8 , . . . , K 1 Probability 1 differential for any difference in the master key words Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 2 October, 2012 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers DES II.

588 views • 10 slides
Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University

Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University

Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University of Versailles and ANSSI 2 March 2014 - FSE 2014 Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 1 / 11

553 views • 52 slides
Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University

Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University

Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University of Versailles and ANSSI 4th March 2014 - FSE 2014 Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 1 / 16

865 views • 53 slides
Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin

Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin

Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin PRiSM, Universit e de Versailles 2008-11-27 Joana Treger, Jacques Patarin (PRiSM, Universit Generic Attacks on Feistel Ciphers With Internal

1.04k views • 52 slides
Revisiting Key-alternating Feistel Ciphers for Shorter Keys and Multi-user Security Chun Guo and

Revisiting Key-alternating Feistel Ciphers for Shorter Keys and Multi-user Security Chun Guo and

Revisiting Key-alternating Feistel Ciphers for Shorter Keys and Multi-user Security Chun Guo and Lei Wang ICTEAM/ELEN/Crypto Group, Universit e catholique de Louvain Shanghai Jiao Tong University Presented by Yaobin Shen, Shanghai Jiao Tong

653 views • 36 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
Extended Generalized Feistel Networks using Matrix Representation Thierry P. Berger 1 , Marine

Extended Generalized Feistel Networks using Matrix Representation Thierry P. Berger 1 , Marine

Introduction Full Diffusion Delay Matrix of a Feistel Network New Feistel Networks Proposals An Efficient Example Extended Generalized Feistel Networks using Matrix Representation Thierry P. Berger 1 , Marine Minier 2 , Gal Thomas 1 1 XLIM

448 views • 31 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Generalized Feistel Networks with Optimal Diffusion Lo Perrin DTU, Lyngby Inria, Paris

Generalized Feistel Networks with Optimal Diffusion Lo Perrin DTU, Lyngby Inria, Paris

Generalized Feistel Networks with Optimal Diffusion Lo Perrin DTU, Lyngby Inria, Paris Dagstuhl 2018 (seminar-18021) Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion In this talk

1.31k views • 52 slides
Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade provable security for practicality Stream cipher is initialized with short key Key is stretched into long keystream Keystream is used like

512 views • 35 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

CSS441 Block Ciphers Principles DES Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

788 views • 50 slides
Classical Ciphers Classical

Classical Ciphers Classical

Classical Ciphers Classical Cryptography Monoalphabetic ciphers: letters of the plaintext alphabet are mapped into unique ciphertext letters Polyalphabetic ciphers:

512 views • 49 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher One Time Pad School of Engineering and Technology CQUniversity

687 views • 64 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher School of Engineering and Technology One Time Pad CQUniversity

1.02k views • 64 slides
Welcome Haoma Mining NL Agenda Chairmans Address Business of the day Haoma Mining NL

Welcome Haoma Mining NL Agenda Chairmans Address Business of the day Haoma Mining NL

Haoma Mining NL Annual General Meeting Of Shareholders Wednesday December 18, 2019 Welcome Haoma Mining NL Agenda Chairmans Address Business of the day Haoma Mining NL Location Map of Haoma Mining Pilbara mining tenements

1.05k views • 19 slides
Design of Solar Powered Airplanes for Continuous Flight Andr Noth Doctoral Exam September

Design of Solar Powered Airplanes for Continuous Flight Andr Noth Doctoral Exam September

A UTONOMOUS S YSTEMS L AB A UTONOMOUS S YSTEMS L AB Design of Solar Powered Airplanes for Continuous Flight Andr Noth Doctoral Exam September 30, 2008 Autonomous Systems Lab ETH Zentrum http://www.sky-sailor.ethz.ch/ Tannenstrasse 3,

1.12k views • 92 slides
Development of the silicon microstrip super- module prototype for

Development of the silicon microstrip super- module prototype for

Development of the silicon microstrip super- module prototype for the HL-LHC 8 th "Hiroshima" Symposium on Development and Applica2on of Semiconductor

967 views • 32 slides
to our dear friend : David CLARKE ! .Defence : How to control a process with a non stationary

to our dear friend : David CLARKE ! .Defence : How to control a process with a non stationary

End of the Sixties: - ORIGIN OF MODEL BASED PREDICTIVE CONTROL - PETROLEUM INDUSTRY / DEFENCE INDUSTRY INDUSTRIAL APPLICATIONS OF .Refineries : PREDICTIVE FUNCTIONAL CONTROL How to handle constraints on MVs and CVs ? How to control

580 views • 21 slides
1 Closure Properties of Context-Free Languages We show that context-free languages are closed

1 Closure Properties of Context-Free Languages We show that context-free languages are closed

1 Closure Properties of Context-Free Languages We show that context-free languages are closed under union, concatenation, and Kleene star. Suppose G 1 = ( V 1 , 1 , R 1 , S 1 ) and G 2 = ( V 2 , 2 , R 2 , S 2 ). Example: For G 1 we have S 1

374 views • 11 slides
Turing Machines 4.1 covers algorithms for decidable problems about DFA, NFA, RegExp, CFG, and

Turing Machines 4.1 covers algorithms for decidable problems about DFA, NFA, RegExp, CFG, and

Reading Assignment: Sipser Chapter 3.1, 4.2 Turing Machines 4.1 covers algorithms for decidable problems about DFA, NFA, RegExp, CFG, and PDAs, e.g. slides 17 & 18 below. Ive talked about most of this in class at one point or another,

127 views • 10 slides
Topics in Timed Automata B. Srivathsan RWTH-Aachen Software modeling and Verification group

Topics in Timed Automata B. Srivathsan RWTH-Aachen Software modeling and Verification group

Topics in Timed Automata B. Srivathsan RWTH-Aachen Software modeling and Verification group 1/29 Theorem (Lecture 2) Deterministic timed automata are closed under complement 2/29 Theorem (Lecture 2) Deterministic timed automata are closed under

654 views • 50 slides
COMPLEMENTED SUBSPACES OF THE GROUP VON NEUMANN ALGEBRAS Anthony To-Ming Lau University of

COMPLEMENTED SUBSPACES OF THE GROUP VON NEUMANN ALGEBRAS Anthony To-Ming Lau University of

COMPLEMENTED SUBSPACES OF THE GROUP VON NEUMANN ALGEBRAS Anthony To-Ming Lau University of Alberta Fields Institute, Toronto April 10, 2014 Outline of Talk 1. Locally compact group 2. Fourier algebra of a group 3. Invariant complementation

905 views • 53 slides

More recommend