JLM 20060209 12:161 Homework 6 – Problem 1 S-box 4 is observed to have the indicated output xor when presented with the indicated inputs In1: 0x22, In2:

Slides:



Advertisements
Similar presentations
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Advertisements

Cryptography and Network Security Chapter 3
Data Encryption Standard (DES)
Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.
Cryptography and Network Security, resuming some notes Dr. M. Sakalli.
Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 1/43 Contents Encryption modes –Cipher-Block Chaining (CBC) Mode –Counter mode.
1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.
Session 6: Introduction to cryptanalysis part 2. Symmetric systems The sources of vulnerabilities regarding linearity in block ciphers are S-boxes. Example.
FEAL FEAL 1.
JLM :161 University of Washington CSEP 590TU – Practical Aspects of Modern Cryptography Instructors: Josh Benaloh, Brian LaMacchia, John Manferdelli.
Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.
DES 1 Data Encryption Standard DES 2 Data Encryption Standard  DES developed in 1970’s  Based on IBM Lucifer cipher  U.S. government standard  DES.
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
Announcements: Quizzes returned at end of class Quizzes returned at end of class This week: Mon-Thurs: Data Encryption Standard (DES) Mon-Thurs: Data Encryption.
Chapter 3 – Block Ciphers and the Data Encryption Standard Jen-Chang Liu, 2004 Adopted from lecture slides by Lawrie Brown.
Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.
CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie
Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.
Lecture 23 Symmetric Encryption
Lecture 2.2: Private Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena.
Cryptanalysis on Substitution- Permutation Networks Jen-Chang Liu, 2005 Ref: Cryptography: Theory and Practice, D. R. Stinson.
Encryption Schemes Second Pass Brice Toth 21 November 2001.
CSE 651: Introduction to Network Security
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Cryptanalysis. The Speaker  Chuck Easttom  
History and Background Part 1: Basic Concepts and Monoalphabetic Substitution CSCI 5857: Encoding and Encryption.
Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on “A Tutorial on Linear and Differential Cryptanalysis” by Howard Heys.] Modern block ciphers.
Section 2.2: Affine Ciphers; More Modular Arithmetic Practice HW (not to hand in) From Barr Textbook p. 80 # 2a, 3e, 3f, 4, 5a, 7, 8 9, 10 (Use affinecipherbreaker.
The Data Encryption Standard - see Susan Landau’s paper: “Standing the test of time: the data encryption standard.” DES - adopted in 1977 as a standard.
CSCI 5857: Encoding and Encryption
Understanding Cryptography – A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl Chapter 3 – The Data Encryption.
Block ciphers 2 Session 4. Contents Linear cryptanalysis Differential cryptanalysis 2/48.
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference.
1 Lect. 10 : Cryptanalysis. 2 Block Cipher – Attack Scenarios  Attacks on encryption schemes  Ciphertext only attack: only ciphertexts are given  Known.
Block ciphers Structure of a multiround block cipher
13. Other Block Ciphers 13.1 LUCIFER 13.2 MADRYGA 13.3 NEWDES 13.4 FEAL 13.5 REDOC 13.6 LOKI.
Cryptanalysis of 256-Bit Key HyRAL via Equivalent Keys Nagoya University, Japan Yuki Asano, Shingo Yanagihara, and Tetsu Iwata ACNS2012, June 28, 2012,
Simplified DES Cryptography and Network Security
Cryptography Team Presentation 2
Data Encryption Standard (DES) © 2000 Gregory Kesden.
DIFFERENTIAL CRYPTANALYSIS Chapter 3.4. Ciphertext only attack. The cryptanalyst knows the cryptograms. This happens, if he can eavesdrop the communication.
AES Advanced Encryption Standard. Requirements for AES AES had to be a private key algorithm. It had to use a shared secret key. It had to support the.
CS555Spring 2012/Topic 101 Cryptography CS 555 Topic 10: Block Cipher Security & AES.
Lecture 23 Symmetric Encryption
Computer and Network Security Rabie A. Ramadan Lecture 3.
The RC5 Encryption Algorithm: Two Years On Lisa Yin RC5 Encryption –Ron Rivest, December 1994 –Fast Block Cipher –Software and Hardware Implementations.
Block Ciphers and the Advanced Encryption Standard
Data Encryption Standard (DES)
Chapter 2 Symmetric Encryption.
DES Analysis and Attacks CSCI 5857: Encoding and Encryption.
Linear Cryptanalysis of DES
1 The Data Encryption Standard. 2 Outline 4.1 Introduction 4.4 DES 4.5 Modes of Operation 4.6 Breaking DES 4.7 Meet-in-the-Middle Attacks.
David Evans CS551: Security and Privacy University of Virginia Computer Science Lecture 4: Dissin’ DES The design took.
Data Encryption Standard (DES) most widely used block cipher in world adopted in 1977 by NBS (now NIST) – as FIPS PUB 46 encrypts 64-bit data using 56-bit.
CS519, © A.SelcukDifferential & Linear Cryptanalysis1 CS 519 Cryptography and Network Security Instructor: Ali Aydin Selcuk.
CS548_ ADVANCED INFORMATION SECURITY Jong Heon, Park / Hyun Woo, Cho Paper Presentation #1 Improved version of LC in attacking DES.
Linear Cryptanalysis of DES M. Matsui. 1.Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.Linear Cryptanalysis Method for DES Cipher 2.The.
Lecture 3 Overview. Ciphers The intent of cryptography is to provide secrecy to messages and data Substitutions – ‘hide’ letters of plaintext Transposition.
Block Ciphers and the Data Encryption Standard. Modern Block Ciphers  One of the most widely used types of cryptographic algorithms  Used in symmetric.
Lecture 3 Page 1 CS 236 Online Introduction to Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
CST 312 Pablo Breuer. A block of plaintext is treated as a whole and used to produce a ciphertext block of equal length Typically a block size of 64 or.
@Yuan Xue CS 285 Network Security Block Cipher Principle Fall 2012 Yuan Xue.
Computer and Information Security Chapter 6 Advanced Cryptanalysis 1.
CH15 –Security & Crypto.
6b. Practical Constructions of Symmetric-Key Primitives.
SYMMETRIC ENCRYPTION.
Cryptanalysis of Block Ciphers
Differential Cryptanalysis
Cryptography Lecture 16.
Presentation transcript:

JLM :161 Homework 6 – Problem 1 S-box 4 is observed to have the indicated output xor when presented with the indicated inputs In1: 0x22, In2: 0x16, Output xor: 0x0c In1: 0x12, In2: 0x0c, Output xor: 0x05 Perform a differential cryptanalysis and produce the possible candidate key(s). You may find the tables provided in “DC.txt” helpful.

JLM :162 Homework 6, problem 2 (omit) Consider the 2 round iterative differential characteristic for DES 0x  0x , p=1/234 Suppose for the following questions we can always find chosen plaintext with S/N ratio high enough to require only 10 “right pairs” for a successful differential cryptanalysis (“DC”). a.On average, how many chosen plain ciphertext pairs are required for a successful DC on two rounds? b.On average, how many chosen plain ciphertext pairs are required for a successful DC on ten rounds? c.After how many rounds is DC impossible because there cannot possibly be enough plain ciphertext pairs to succeed?

JLM :163 Homework 6 – Problem 3 A certain cipher C with 6 bit key k 1, k 2, k 3, k 4, k 5, k 6 has 4 linear constraints. Given the corresponding plaintext, ciphertext pairs and substituting the equations become: 0= k 1 Å k 3 Å k 4 0= k 4 Å k 5 0= k 1 Å k 2 1= k 1 Å k 6 Guessing k 1 and k 3 calculate k 2, k 4, k 5, k 6. How many encryptions are needed to discover the correct key with exhaustive search in the worst case? How many are needed with these constraints?

JLM :164 Homework 6, problem 4 (A) Suppose the cipher C has a linear constraint (Equation 1) that holds with probability p=.75 where the input to C is plaintext bits i 1 ||i 2 ||…||i 6 ; the output is the ciphertext bits o 1 ||o 2 ||…||o 6 under key bits k 1 ||k 2 ||…||k 6. The constants a 1, a 2, …, a 6, b 1, b 2, …, b 6, c 1, c 2, …, c 6, d are all known. Equation 1: a 1 i 1 Å a 2 i 2 Å a 3 i 3 Å a 4 i 4 Å a 5 i 5 Å a 6 i 6 Å b 1 o 1 Å b 2 o 2 Å b 3 o 3 Å b 4 o 4 Å b 5 o 5 Å b 6 o 6 =  c 1 k 1 Å c 2 k 2 Å c 3 k 3 Å c 4 k 4 Å c 5 k 5 Å c 6 k 6 Å d Finally, suppose upon substituting values from 3 plaintext/ciphertext pairs the left hand side of equation 1 has values 1,1,0, respectively. What are the odds that c 1 k 1 Å c 2 k 2 Å c 3 k 3 Å c 4 k 4 Å c 5 k 5 Å c 6 k 6 Å d=1 rather than 0? (B) Suppose the same setup as in A but 3 out of 4 plaintext/ciphertext pairs “vote” that c 1 k 1 Å c 2 k 2 Å c 3 k 3 Å c 4 k 4 Å c 5 k 5 Å c 6 k 6 Å d=1. What are the odds that c 1 k 1 Å c 2 k 2 Å c 3 k 3 Å c 4 k 4 Å c 5 k 5 Å c 6 k 6 Å d=1 rather than 0?

JLM :165 Homework 6, problem 4 (C) Constructing a multi-round constraint Suppose C is a four round iterative cipher with plaintext input, P and ciphertext output C where each round has 6 bit input I and 6 bit output O and per round keys K (1), K (2),…K (6). Using Matsui’s notation suppose the contraints: I[1,2] Å O[3,4]= K (1) [1,3]R1 I[3,4] Å O[1,5]= K (2) [4,6]R2 I[1,5] Å O[1,6]= K (3) [1,5]R3 I[1,6] Å O[2,5]= K (4) [2]R4 hold with probabilities p 1 =.8, p 2 =.9, p 3 =.8, p 4 =.9, respectively. What is the probability that P[1,2] Å C[2,5]= K (1) [1,3] Å K (2) [4,6] Å K (3) [1,5] Å K (4) [2]?

JLM :166 Homework 6, problem 4 (D) Suppose C is a multi round iterative cipher with 40 bit plaintext input, P, and ciphertext output, C, and 40 bit key. Suppose, using Matsui’s notation, that the following four linearly independent constraints: i.P[a 1 (1), a 2 (1),…, a 40 (1) ] Å C[b 1 (1), b 2 (1),…, b 40 (1) ]= K[c 1 (1), c 2 (1),…, c 40 (1) ] ii.P[a 1 (2), a 2 (2),…, a 40 (2) ] Å C[b 1 (2), b 2 (2),…, b 40 (2) ]= K[c 1 (2), c 2 (2),…, c 40 (2) ] iii.P[a 1 (3), a 2 (3),…, a 40 (3) ] Å C[b 1 (3), b 2 (3),…, b 40 (3) ]= K[c 1 (3), c 2 (3),…, c 40 (3) ] iv.P[a 1 (4), a 2 (4),…, a 40 (4) ] Å C[b 1 (4), b 2 (4),…, b 40 (4) ]= K[c 1 (4), c 2 (4),…, c 40 (4) ] hold with probabilities p 1 =.75, p 2 =.7, p 3 =.8, p 4 =.9, respectively. Suppose that on 10 plaintext/ciphertext pairs the LHS of i, ii, iii and iv “vote” that the RHS of the equations are 0 with tallies (2,8,2,8) What is the probabilities that each of the most popular choices for the resulting constraints is correct? What is the probability that all 4 are correct? If all 4 are correct, and assuming C takes 1 microsecond/encrypt, what is the time to break C by exhaustive search (assuming a serial processor)? How about by applying the 4 constraints and searching for the remaining key bits (assuming a serial processor)? PS: Key search is a “trivially parallelizable” operation.

JLM :167 Homework 6, problem 4 (E) In the lecture we noted that there was a linear attack that worked on 16 round DES with 2 43 plaintext/ciphertext pairs where the basic constraint held with probability p= ½ + e where e = 1.19 x is the “bias”. Using this fact, estimate for what p, there are not enough corresponding plain/cipher texts to enable applying the Linear cryptanalysis to reduce the search keyspace.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.