Cryptanalysis of Block Ciphers

Slides:

Advertisements

Similar presentations

6.1.2 Overview DES is a block cipher, as shown in Figure 6.1.

Advertisements

The Data Encryption Standard - see Susan Landau’s paper: “Standing the test of time: the data encryption standard.” DES - adopted in 1977 as a standard.

LINEAR FEEDBACK SHIFT REGISTERS, GALOIS FIELDS, AND STREAM CIPHERS Mike Thomsen Cryptography II May 14 th, 2012.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

SBSeg 2007, NCE/UFRJ, Rio de Janeiro Linear Analysis of reduced- round CAST-128 and CAST-256 Jorge Nakahara Jr 1 Mads Rasmussen 2 1 UNISANTOS, Brazil 2.

Cryptography and Network Security Chapter 3

Analysis and design of symmetric ciphers David Wagner University of California, Berkeley.

Data Encryption Standard (DES)

Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.

Block Ciphers: Workhorses of Cryptography COMP 1721 A Winter 2004.

Session 6: Introduction to cryptanalysis part 2. Symmetric systems The sources of vulnerabilities regarding linearity in block ciphers are S-boxes. Example.

JLM :161 Homework 6 – Problem 1 S-box 4 is observed to have the indicated output xor when presented with the indicated inputs In1: 0x22, In2:

1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.

Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.

Lecture 2.2: Private Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena.

Cryptanalysis on Substitution- Permutation Networks Jen-Chang Liu, 2005 Ref: Cryptography: Theory and Practice, D. R. Stinson.

CSE 651: Introduction to Network Security

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

Cryptanalysis. The Speaker  Chuck Easttom  

Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on “A Tutorial on Linear and Differential Cryptanalysis” by Howard Heys.] Modern block ciphers.

The Data Encryption Standard - see Susan Landau’s paper: “Standing the test of time: the data encryption standard.” DES - adopted in 1977 as a standard.

CSCI 5857: Encoding and Encryption

Block ciphers 2 Session 4. Contents Linear cryptanalysis Differential cryptanalysis 2/48.

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference.

1 Lect. 10 : Cryptanalysis. 2 Block Cipher – Attack Scenarios  Attacks on encryption schemes  Ciphertext only attack: only ciphertexts are given  Known.

Cryptographic Attacks on Scrambled LZ-Compression and Arithmetic Coding By: RAJBIR SINGH BIKRAM KAHLON.

Data Encryption Standard (DES) © 2000 Gregory Kesden.

DIFFERENTIAL CRYPTANALYSIS Chapter 3.4. Ciphertext only attack. The cryptanalyst knows the cryptograms. This happens, if he can eavesdrop the communication.

The RC5 Encryption Algorithm: Two Years On Lisa Yin RC5 Encryption –Ron Rivest, December 1994 –Fast Block Cipher –Software and Hardware Implementations.

Block Ciphers and the Advanced Encryption Standard

DES Analysis and Attacks CSCI 5857: Encoding and Encryption.

Linear Cryptanalysis of DES

CS519, © A.SelcukDifferential & Linear Cryptanalysis1 CS 519 Cryptography and Network Security Instructor: Ali Aydin Selcuk.

CS548_ ADVANCED INFORMATION SECURITY Jong Heon, Park / Hyun Woo, Cho Paper Presentation #1 Improved version of LC in attacking DES.

Linear Cryptanalysis of DES M. Matsui. 1.Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.Linear Cryptanalysis Method for DES Cipher 2.The.

Block Ciphers and the Data Encryption Standard. Modern Block Ciphers  One of the most widely used types of cryptographic algorithms  Used in symmetric.

Markov Ciphers and Differential Cryptanalysis Jung Daejin Lee Sangho.

CST 312 Pablo Breuer. A block of plaintext is treated as a whole and used to produce a ciphertext block of equal length Typically a block size of 64 or.

@Yuan Xue CS 285 Network Security Block Cipher Principle Fall 2012 Yuan Xue.

Lecture 4 Data Encryption Standard (DES) Dr. Nermin Hamza

Lecture 3 Page 1 CS 236 Online Basic Encryption Methods Substitutions –Monoalphabetic –Polyalphabetic Permutations.

CS480 Cryptography and Information Security

Computer and Information Security Chapter 6 Advanced Cryptanalysis 1.

Chapter3: Block Ciphers and the Data Encryption Standard

6b. Practical Constructions of Symmetric-Key Primitives.

Symmetric Algorithm of Cryptography

Basic Encryption Methods

SYMMETRIC KEY ALGORITHMS

Lecture 2.2: Private Key Cryptography II

Lecture 3: Symmetric Key Encryption

مروري برالگوريتمهاي رمز متقارن(كليد پنهان)

Cryptography II Jagdish S. Gangolly School of Business

PART VII Security.

Security in Network Communications

Some of this slide set is from Section 2,

Introduction to Modern Symmetric-key Ciphers

Cryptography Lecture 17.

Cryptanalysis of Vigenere Cipher

Cryptanalysis of C2 Lee, Jae-song Cryptanalysis of C2.

SYMMETRIC KEY ALGORITHMS

Differential Cryptanalysis

Cryptography Lecture 16.

Types of Cryptanalysis attacks

Cryptanalysis Network Security.

Stream Cipher Structure

Feistel Cipher Structure

Permutation Ciphers Instead of substituting different characters, scramble up the existing characters Use algorithm based on the key to control how they’re.

Presentation transcript:

Cryptanalysis of Block Ciphers - Linear Cryptanalysis Differential Cryptanalysis Cryptanalysis of Block Ciphers CSCI284 Spring 2008 GWU This slide set almost entirely from: H. M. Heys, "A Tutorial on Linear and Differential Cryptanalysis", Technical Report CORR 2001-17, Centre for Applied Cryptographic Research, Department of Combinatorics and Optimization, University of Waterloo, Mar. 2001. (Also appears in Cryptologia, vol. XXVI, no. 3, pp. 189-221, 2002.)

Recall: Single SP block One part of key “S” block permutations From: Hey’s paper 4/16/2019 CS284-162/Spring08/GWU/Vora/Block Ciphers: Cryptanalysis. All equations, tables, figures and accompanying text from Heys

4 Rounds 4/16/2019 CS284-162/Spring08/GWU/Vora/Block Ciphers: Cryptanalysis. All equations, tables, figures and accompanying text from Heys

An attack: linear cryptanalysis First concentrate on breaking a single S-box: Model S-box in terms of probabilities of linear relationships between input and output bits E.g.: x1 x4 = y2  y4 is true with what probability? If S-box were truly random, what would be the probability of that equation being true? Difference is the bias – the higher it is, the easier an attack 4/16/2019 CS284-162/Spring08/GWU/Vora/Block Ciphers: Cryptanalysis. All equations, tables, figures and accompanying text from Heys

4/16/2019 CS284-162/Spring08/GWU/Vora/Block Ciphers: Cryptanalysis. All equations, tables, figures and accompanying text from Heys

Generate some of these 4/16/2019 CS284-162/Spring08/GWU/Vora/Block Ciphers: Cryptanalysis. All equations, tables, figures and accompanying text from Heys

4/16/2019 CS284-162/Spring08/GWU/Vora/Block Ciphers: Cryptanalysis. All equations, tables, figures and accompanying text from Heys

U1 P5 P7  P8  K15 K17  K18 = V16 V1 V16  K26 = V26  V28 4/16/2019 CS284-162/Spring08/GWU/Vora/Block Ciphers: Cryptanalysis. All equations, tables, figures and accompanying text from Heys

Errors There are some errors in each approximation. What happens to them as concatenated? 4/16/2019 CS284-162/Spring08/GWU/Vora/Block Ciphers: Cryptanalysis. All equations, tables, figures and accompanying text from Heys

Combined errors 4/16/2019 CS284-162/Spring08/GWU/Vora/Block Ciphers: Cryptanalysis. All equations, tables, figures and accompanying text from Heys

Further 4/16/2019 CS284-162/Spring08/GWU/Vora/Block Ciphers: Cryptanalysis. All equations, tables, figures and accompanying text from Heys

4/16/2019 CS284-162/Spring08/GWU/Vora/Block Ciphers: Cryptanalysis. All equations, tables, figures and accompanying text from Heys

Complexity of linear cryptanalysis Need known plaintext-ciphertext pairs O(1 / 2) 4/16/2019 CS284-162/Spring08/GWU/Vora/Block Ciphers: Cryptanalysis. All equations, tables, figures and accompanying text from Heys

4/16/2019 CS284-162/Spring08/GWU/Vora/Block Ciphers: Cryptanalysis. All equations, tables, figures and accompanying text from Heys

Differential Cryptanalysis Like linear cryptanalysis, concentrate on breaking a single S-box: Model S-box in terms of probabilities of output differences given input differences E.g.:x = 1011 y = 0010 is true with what probability? If S-box were truly random, what would be the probability? Difference is the bias – the higher the bias, the easier an attack 4/16/2019 CS284-162/Spring08/GWU/Vora/Block Ciphers: Cryptanalysis. All equations, tables, figures and accompanying text from Heys

4/16/2019 CS284-162/Spring08/GWU/Vora/Block Ciphers: Cryptanalysis. All equations, tables, figures and accompanying text from Heys

4/16/2019 CS284-162/Spring08/GWU/Vora/Block Ciphers: Cryptanalysis. All equations, tables, figures and accompanying text from Heys

Then choose S-boxes Total probability = 27/1024 4/16/2019 CS284-162/Spring08/GWU/Vora/Block Ciphers: Cryptanalysis. All equations, tables, figures and accompanying text from Heys

4/16/2019 CS284-162/Spring08/GWU/Vora/Block Ciphers: Cryptanalysis. All equations, tables, figures and accompanying text from Heys

Try all target sub-keys Try all sub-keys and see which one gives the correct input to the last round most often. That’s the most likely sub-key. 4/16/2019 CS284-162/Spring08/GWU/Vora/Block Ciphers: Cryptanalysis. All equations, tables, figures and accompanying text from Heys

4/16/2019 CS284-162/Spring08/GWU/Vora/Block Ciphers: Cryptanalysis. All equations, tables, figures and accompanying text from Heys