Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 1/43 Contents Encryption modes –Cipher-Block Chaining (CBC) Mode –Counter mode.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 1/43 Contents Encryption modes –Cipher-Block Chaining (CBC) Mode –Counter mode."— Presentation transcript:

1 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 1/43 Contents Encryption modes –Cipher-Block Chaining (CBC) Mode –Counter mode Pseudo-Random Functions (PRF) Proof that CBC Based on a PRF is Good Probabilistic Encryption Substitution-Permutation Networks Linear Cryptanalysis Differential Cryptanalysis The DES Cryptosystem

2 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 2/43 Cryptosystem from Lecture 1 After 5 rounds: sub ???? 1101111110110111???? ???????????? 1101111110110111???????????? 1101111110110111? ???????????????? Artifact of ECB mode

3 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 3/43 Cipher-Block Chaining Cipher block chaining (CBC) mode: –Uses a cryptosystem where plaintext and ciphertext are m-bit strings Plaintext = (m 1,…,m n ) –where m i is an m-bit string Ciphertext = (C 1,…,C n ) –C 1 = E K (m 1 ) –C i+1 = E K (m i+1  C i )

4 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 4/43 Cipher-Block Chaining m1m1 EKEK C1C1 EKEK m2m2 C2C2 m3m3 C3C3 EKEK m4m4 C4C4 EKEK To get same output twice (C i+1 =C j+1 ) requires –E K (m i+1  C i )=E K (m j+1  C j ) –Same as: m i+1  C i = m j+1  C j –Same as: C i  C j = m i+1  m j+1 –Prob. 1/| P | if ciphertexts were random

5 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 5/43 CBC Mode 5 Rounds & CBC: sub ???? 1101111110110111???? ???????????? 1101111110110111???????????? 1101111110110111? ????????????????

6 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 6/43 Xor Mode r S1S1 r+1 S2S2 r+2 S3S3 r+3 S4S4 Produces a random looking bit stream by encrypting the different values r, r+1, … for a random block r The stream (S 1,S 2,…) is then xor’ed onto the plaintext and S is sent along A stream cipher bit stream EKEK EKEK EKEK EKEK

7 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 7/43 Pseudo-Random Function Both CBC mode and Xor mode are secure if the output of E K (m) looks random even if one is given m We will formalize this requirement and call a function with this property a PRF All modern block ciphers are designed to be PRFs We then prove that CBC is secure when based on a PRF

8 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 8/43 A Game of Two Worlds Oracle 1 Random key K The attacker A m C=E K (m) Oracle 2 Uniformly random function R m C=R(m) The attacker A m C Oracle b Uniformly random function R b is picked at random Guess at b c advantage(A) = Pr[c=b] – ½

9 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 9/43 PRF Adv(t,q) = maximum over advantage(A) for all attackers A running in time t and making at most q queries An encryption function E K is called a (t,q,ε)-PRF if Adv(t,q)  ε We call ε the error probability With current technology it is sufficient with t=2 60 and one should be very paranoid not to tolerate an error probability of ε=2 -60 We can often control q ourselves

10 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 10/43 CBC with PRF We prove that CBC mode for encrypting L blocks is a good PRF if the underlying block cipher is a good PRF We use:E K : {0,1} m  {0,1} m We get:CBC K : {0,1} Lm  {0,1} Lm So, as soon as we have one good PRF, we can get a good PRF for longer blocks and thereby encrypt long blocks –Can e.g. encrypt the picture as one block

11 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 11/43 Hybrids Proof We use a so-called hybrids proof We describe three oracles –O1: Contains CBC K : {0,1} Lm  {0,1} Lm –O2: Is a trick –O3: Contains a random function {0,1} Lm  {0,1} Lm Let Adv O,O’ be the best advantage in distinguishing O and O’ To show that CBC K is a PRF we have to show that Adv O1,O3 is small We show that Adv O1,O2 and Adv O2,O3 are small It is easy to see that Adv O1,O3  Adv O1,O2 +Adv O2,O3 It follows that Adv O1,O3 is small

12 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 12/43 O1: CBC Mode with E K m1m1 EKEK C1C1 EKEK m2m2 C2C2 m3m3 C3C3 EKEK m4m4 C4C4 EKEK This is just CBC K : {0,1} Lm  {0,1} Lm

13 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 13/43 O2: CBC with Random Function R m1m1 R C1C1 R m2m2 C2C2 m3m3 C3C3 R m4m4 C4C4 R We use a uniformly random function R instead of E K As a consequence the outputs are uniformly random and independent until two inputs to R are the same

14 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 14/43 The Proof (1/3) Advantage in distinguishing O1 and O2 is Adv O1,O2 (t,q)  Adv E K,R (t,Lq) If we plug E K respectively R into the below we get O1 or O2 So, a distinguisher for O1 and O2 can be turned into a distinguisher for E K and R –It uses L queries for each CBC encryption m1m1 R C1C1 R m2m2 C2C2 m3m3 C3C3 R m4m4 C4C4 R

15 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 15/43 O3: A Random Function m1m1 R C1C1 m2m2 C2C2 m3m3 C3C3 m4m4 C4C4 Here R is a random function from Lm bits to Lm bits

16 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 16/43 The Proof (2/3) Advantage in distinguishing O2 and O3 is Adv O2,O3 (t,q)  (Lq) 2 /2 m The two oracles both output independent uniformly random values until two inputs are the same, at which point they behave differently Such a collision happens with probability less than Q 2 /2 m after Q queries –There are less than Q 2 pairs of inputs and each collide with probability 1/2 m m1m1 R C1C1 R m2m2 C2C2 m3m3 C3C3 R m4m4 C4C4 R

17 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 17/43 The Proof (3/3) Advantage in distinguishing O1 and O3 is Adv O1,O3 (t,q)  Adv E K,R (t,Lq)+(Lq) 2 /2 m And Adv O1,O3 (t,q) = Adv CBC K, R (t,q) So, if E K is a good PRF and well below the square root of 2 m  blocks are encrypted in total, then CBC K is a good PRF

18 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 18/43 Probabilistic Encryption Block ciphers we large block still have the problem that the same message sent twice gives the same ciphertext –If we encrypt and send Friedman twice it will be obvious that the same message was sent twice! To protect against this we can e.g. add an initial random block to ensure that all plaintexts are unique (except with very small probability) –Called randomized encryption when the encryption adds its own randomness r –Note that Xor mode is already randomized

19 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 19/43 Semantic Security Oracle 1 Random key K New random r each time The attacker A m C=E K (m,r) Oracle 2 Random key K New random m’ and r each time m C=E K (m’,r) The attacker A m C Oracle b Uniformly random function R b is picked at random Guess at b c advantage(A) = Pr[c=b] – ½

20 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 20/43 Probabilistic Encryption Oracle 1: Given same m twice it replies with E K (m) and E K (m) Oracle 2: Given same m twice it replies with E K (m’) and E K (m’’) Semantic security says that these replies cannot be distinguished –The same message encrypted twice look like encryptions of independent values! –Strong guarantee! Clearly requires that E K is randomized

21 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 21/43 In Search of Good PRFs Given a good PRF we can build semantic secure cryptosystems! A lot of attention in symmetric cryptography goes into designing and breaking PRF candidates Most used design is Substitution-Permutation Networks (SPNs) Most used cryptanalytic methods are linear cryptoanalysis and differential cryptanalysis Best known PRF candidates are DES and AES

22 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 22/43 SPNs Use substitution of small blocks and transposition like the cryptosystem from Lecture 1 The substitution and transpositions are, however, fixed and known A key is added using Vernam’s one-time pad after each iteration of substitution and transposition –Called key mixing

23 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 23/43 SPN 1 1 0 1 1 0 0 1 0 1 0 0 0 1 1 0 0 1 0 subsub subsub subsub subsub 1 0 0 1 1 1 1 0 0 1 0 0 1 1 0 1 0 1 1 1 0 0 1 1 0 0 1 0 1 0 1 0 1 1 1 0 0 0 0 1 0 0 0 1 1 1 1 0 0 1 1 0 1 0 0 1 1 0 1 1 1 0 0 1 1 1 0 0 1 0 1 0 1 1 0 1 subsub subsub subsub subsub 1 0 0 1 1 1 1 1 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 1 1 1 0 1 1 0 1 0 0 1 0 1 1 0 1 0 0 1 1 1 0 0 1 1 0 0 0 1 0 1 0 1 1 0 0 0 1 1 0 1 0 0 0 0 1 0 1 1 1 1 0 1 subsub subsub subsub subsub 0 0 1 0 1 1 0 1 1 0 0 1 0 0 1 1 1 0 0 For m rounds, m keys K 1,…,K m are used –Called key schedule –Derived from one key K, often in a simple manner like selecting subsets of the bits of K Called S-box 1 1 0 1 1 0 1 0 0 1 0 0 1 1 1 0 0 1 1 1 0 0 1 1 0 0 1 0 0 0 1 0 1 0 0 1 1 1 End with key mixing

24 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 24/43 SPN 1 1 0 1 1 0 0 1 0 1 0 0 0 1 1 0 0 1 0 subsub subsub subsub subsub 1 0 0 1 1 1 1 0 0 1 0 0 1 1 0 1 0 1 1 1 0 0 1 1 0 0 1 0 1 0 1 0 1 1 1 0 0 0 0 1 0 0 0 1 1 1 1 0 0 1 1 0 1 0 0 1 1 0 1 1 1 0 0 1 1 1 0 0 1 0 1 0 1 1 0 1 subsub subsub subsub subsub 1 0 0 1 1 1 1 1 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 1 1 1 0 1 1 0 1 0 0 1 0 1 1 0 1 0 0 1 1 1 0 0 1 1 0 0 0 1 0 1 0 1 1 0 0 0 1 1 0 1 0 0 0 0 1 0 1 1 1 1 0 1 subsub subsub subsub subsub 0 0 1 0 1 1 0 1 1 0 0 1 0 0 1 1 1 0 0 In transposition: c’[j]:=c[i] In key mixing: c’’[j]:=c’[j]  K r [j] All linear: c’’[j]:= c[i]+K r [j] mod 2 1 1 0 1 1 0 1 0 0 1 0 0 1 1 1 0 0 1 1 1 0 0 1 1 0 0 1 0 0 0 1 0 1 0 0 1 1 1

25 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 25/43 SPN 1 1 0 1 1 0 0 1 0 1 0 0 0 1 1 0 0 1 0 subsub subsub subsub subsub 1 0 0 1 1 1 1 0 0 1 0 0 1 1 0 1 0 1 1 1 0 0 1 1 0 0 1 0 1 0 1 0 1 1 1 0 0 0 0 1 0 0 0 1 1 1 1 0 0 1 1 0 1 0 0 1 1 0 1 1 1 0 0 1 1 1 0 0 1 0 1 0 1 1 0 1 subsub subsub subsub subsub 1 0 0 1 1 1 1 1 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 1 1 1 0 1 1 0 1 0 0 1 0 1 1 0 1 0 0 1 1 1 0 0 1 1 0 0 0 1 0 1 0 1 1 0 0 0 1 1 0 1 0 0 0 0 1 0 1 1 1 1 0 1 subsub subsub subsub subsub 0 0 1 0 1 1 0 1 1 0 0 1 0 0 1 1 1 0 0 Linear cryptosystems are easy to break! –Like the affine cipher Substitution is the only non-linear component Makes non-linearity of S-boxes important! 1 1 0 1 1 0 1 0 0 1 0 0 1 1 1 0 0 1 1 1 0 0 1 1 0 0 1 0 0 0 1 0 1 0 0 1 1 1

26 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 26/43 Linear Cryptanalysis Tries to approximate the S-boxes by linear equations Examples: 1.Bit 3 in output of S-box always equal to xor of bit 2 and 4 in input 2.Xor of bit 2 and 3 in output of S-box equal to xor of bit 1 and 4 in input with probability 75% Typically patterns involve more bits and have correlation closer to ½ –½ is equal to being completely non-linear We do an attack using pattern 1

27 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 27/43 Linear Cryptanalysis 1 1 0 1 1 0 0 1 0 1 0 0 1 0 a 1 subsub subsub subsub subsub 1 0 0 1 1 1 0 0 1 0 1 1 0 1 0 1 c 1 0 0 1 1 0 k1k1 1 0 1 k2k2 1 0 1 1 1 0 0 d 0 1 1 1 0 0 1 1 1 0 0 1 0 0 1 1 0 subsub subsub subsub subsub subsub subsub subsub subsub 0 0 1 0 1 1 0 1 1 0 0 1 0 0 1 1 1 0 0 c=a  b f=d  e g=c  k 1 b c c f d e f 1 0 0 1 1 1 0 0 1 0 1 1 0 1 0 1 c g h 1 0 0 1 1 1 0 0 1 0 1 1 0 1 0 1 c i 1 1 0 0 1 1 0 0 1 0 1 1 0 1 0 1 c 1 1 i 1 0 0 1 1 k3k3 1 0 1 1 0 1 1 1 0 0 d 1 0 0 1 1 0 0 1 0 1 1 0 1 0 1 c 1 1 j h=f  k 2 i=h  g j=i  k 3 j = a  b  d  e  k 1  k 2  k 3 = a  b  d  e  F(K) 1 0 0 1 1 1 0 1 1 0 1 1 1 0 0 d 0 0 1 0 1 1 0 1 1 0 0 1 0 0 1 1 1 0 0

28 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 28/43 Linear Cryptanalysis 1 1 0 1 1 0 0 1 0 1 0 0 1 0 a 1 subsub subsub subsub subsub 1 0 0 1 1 1 0 0 1 0 1 1 0 1 0 1 c 1 0 0 1 1 0 k1k1 1 0 1 k2k2 1 0 1 1 1 0 0 d 0 1 1 1 0 0 1 1 1 0 0 1 0 0 1 1 0 subsub subsub subsub subsub subsub subsub subsub subsub b c c f d e f 1 0 0 1 1 1 0 0 1 0 1 1 0 1 0 1 c g h 1 0 0 1 1 1 0 0 1 0 1 1 0 1 0 1 c i 1 1 0 0 1 1 0 0 1 0 1 1 0 1 0 1 c 1 1 i 1 0 0 1 1 k3k3 1 0 1 1 0 1 1 1 0 0 d 1 0 0 1 1 0 0 1 0 1 1 0 1 0 1 c 1 1 j j = a  b  d  e  F(K) For fixed key K either j=a  b  d  e  1 or j=a  b  d  e –Let us assume the first and do a KPA 0 0 1 0 1 1 0 1 1 0 0 1 0 0 1 1 1 0 0 1 0 0 1 1 1 0 1 1 0 1 1 1 0 0 d 0 0 1 0 1 1 0 1 1 0 0 1 0 0 1 1 1 0 0

29 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 29/43 Linear Cryptanalysis 1 1 0 1 1 0 0 1 0 1 0 0 1 0 a 1 subsub subsub subsub subsub 1 0 0 1 1 1 0 0 1 0 1 1 0 1 0 1 c 1 0 0 1 1 0 1 0 1 1 0 1 1 1 0 0 d 0 1 1 1 0 0 1 1 1 0 0 1 0 0 1 1 0 subsub subsub subsub subsub subsub subsub subsub subsub b c c f d e f 1 0 0 1 1 1 0 0 1 0 1 1 0 1 0 1 c g h 1 0 0 1 1 1 0 0 1 0 1 1 0 1 0 1 c i 1 1 0 0 1 1 0 0 1 0 1 1 0 1 0 1 c 1 1 i 1 0 0 1 1 1 0 1 1 0 1 1 1 0 0 d 1 0 0 1 1 0 0 1 0 1 1 0 1 0 1 c 1 1 j=a  b  d  e  1 with probability 1 Decrypt y 1 y 2 y 3 y 4 with all k 1 k 2 k 3 k 4 and the inverse sub –Discard those where j is not the expected value –Correct key is never discarded –Incorrect keys are discarded with probability around ½ 0 0 1 0 1 1 0 1 1 0 0 1 0 0 1 1 1 0 0 0 0 0 0 1 1 k4k4 1 0 1 1 0 1 1 1 0 0 d y4y4 1 1 0 1 1 0 0 1 0 0 1 1 1 0 0 j Known y Known x Known j k3k3 k2k2 k1k1 y3y3 y2y2 y1y1

30 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 30/43 Linear Cryptanalysis Repeat for n plaintext/ciphertext pairs (x,y) The correct k 1 k 2 k 3 k 4 is never discarded The incorrect k 1 k 2 k 3 k 4 are discarded with probability around 1-½ n which soon goes to 1 Allows to find correct k 1 k 2 k 3 k 4 using a few plaintext/ciphertext pairs In a full attack more so-called active S-boxes are used to learn more key bits –When enough are found an exhaustive search is done

31 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 31/43 Linear Cryptanalysis Typically the relation is not certain –E.g. j=a  b  d  e with probability ½ +0.01 In this case there are many false negatives –Correct key does not give the expected j Then one takes the key which matched for most pairs (x,y) –MANY more pairs are needed to “see through the noise”

32 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 32/43 Differential Cryptanalysis We call (Δ in, Δ out ) a differential if it holds with high probability for (x 1,y 1 ) and (x 2,y 2 ) that: x 1  x 2 =Δ in  z 1  z 2 =Δ out –z is the ciphertext after m-1 rounds of encryption –Differentials for S-boxes can be turned into differentials for rounds –Differentials for rounds can be combined into differentials for the first m-1 rounds Decrypt y 1 and y 2 through some S-boxes and see if z’ 1  z’ 2 =Δ out for the corresponding z- values –Allows to find some key bits as in linear cryptanalysis

33 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 33/43 Differential Cryptanalysis Often the probability of the combined differentials are not very far away from the expected probability for a random function Then the attack requires a lot of different pairs (x 1,y 1 ) and (x 2,y 2 ) with x 1  x 2 =Δ in and z 1  z 2 =Δ out to “see through the noise”

34 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 34/43 PRF versus Total Break A total break using linear cryptanalysis or differential cryptanalysis often requires a lot of known plaintext/ciphertext pairs to do a total break The existence of a linear relation or differential going all the way to the output bits is, however, enough to show that the function is not a good PRF –Random functions show no such structure –So the structure allows to distinguish the function from a uniformly random one

35 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 35/43 DES Digital Encryption Standard USA’s industrial standard from 1977 to 2004 –Now officially replaced by AES We look at AES next week –Still widely used An SPN with 16 rounds Block size is 64 bits Key size is 56 bits

36 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 36/43 DES Round Function Uses a round function F –Designed to be a PRF, though a rather poor one Block size is 32 bits Key size is 48 bit R: 32 bits F C: 32 bits K i : 48 bits

37 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 37/43 DES Round Function C: 32 bits E: 48 bits transposition and expansion R: 32 bits K I : 48 bits B: 48 bits B1B2B3B4B5B6B7B8 split C1C2C3C4C5C6C7C8 S8S7S6S5S4S3S2S1 substitution with 8 different S-boxes Round key: Bits selected from the 56-bit key Input Output

38 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 38/43 DES Round Function The S-boxes are not invertible –Makes it impossible to “decrypt” the round function This is handled using a trick by Feistel –Turns any function F K :{0,1} 32  {0,1} 32 into an invertible function G K : {0,1} 64  {0,1} 64 It is then G which is repeated 16 times, using a different key K i in each round

39 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 39/43 Feistel Network L: 32 bitsR: 32 bits F L: 32 bits Easy to see that this is invertible If F is a PRF and the Feistel structure is repeated at least 4 times with independent keys, then the result is a new PRF –But now an invertible one! K: 48 bits

40 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 40/43 Feistel Network L: 32 bitsR: 32 bits L: 32 bits DES repeates for 16 rounds! –(above shows two rounds) K 1 : 48 bits R: 32 bitsL: 32 bits K 2 : 48 bits F F

41 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 41/43 DES DES repeats for 16 rounds to deal with the following facts: –F is not a strong PRF on its own –The keys are not independent Using 16 rounds is exactly enough –There are linear and differential attacks on reduced-round DES –Not a coincidence –The S-boxes and number of rounds were carefully designed to withstand these attacks

42 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 42/43 DES The best linear cryptanalysis of DES (total break) requires 2 43 plaintext/ciphertext pairs –When implemented in 1994 it took 40 days to generate the pairs and 10 days to find the key Hard to get so many pairs in practice! Best differential attack is worse Best attack on DES is exhaustive search –56-bit key is way too short today –You can buy a special machine for $250,000 which can search all keys in 56 hours (1998 numbers!)

43 Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 43/43 Read Chapters 3.1-3.5 in Stinson Chapters 4 and 5 in the note Definitions and results on Cryptosystem

Download ppt "Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 1/43 Contents Encryption modes –Cipher-Block Chaining (CBC) Mode –Counter mode."

Similar presentations

“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Modern Symmetric-Key Ciphers

Modern Symmetric-Key Ciphers
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.

Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.
Cryptography and Network Security Chapter 6. Chapter 6 – Block Cipher Operation Many savages at the present day regard their names as vital parts of themselves,

Cryptography and Network Security Chapter 6. Chapter 6 – Block Cipher Operation Many savages at the present day regard their names as vital parts of themselves,
Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.

Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.
JLM 20060209 12:161 Homework 6 – Problem 1 S-box 4 is observed to have the indicated output xor when presented with the indicated inputs In1: 0x22, In2:

JLM :161 Homework 6 – Problem 1 S-box 4 is observed to have the indicated output xor when presented with the indicated inputs In1: 0x22, In2:
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers.

Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 1 Security PART VII.

McGraw-Hill©The McGraw-Hill Companies, Inc., Security PART VII.
Chapter 3 – Block Ciphers and the Data Encryption Standard Jen-Chang Liu, 2004 Adopted from lecture slides by Lawrie Brown.

Chapter 3 – Block Ciphers and the Data Encryption Standard Jen-Chang Liu, 2004 Adopted from lecture slides by Lawrie Brown.
Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.

Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
Lecture 2.2: Private Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 2.2: Private Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena.
Cryptanalysis on Substitution- Permutation Networks Jen-Chang Liu, 2005 Ref: Cryptography: Theory and Practice, D. R. Stinson.

Cryptanalysis on Substitution- Permutation Networks Jen-Chang Liu, 2005 Ref: Cryptography: Theory and Practice, D. R. Stinson.
Computer Security CS 426 Lecture 3

Computer Security CS 426 Lecture 3
CS555Spring 2012/Topic 91 Cryptography CS 555 Topic 9: Block Cipher Construction & DES.

CS555Spring 2012/Topic 91 Cryptography CS 555 Topic 9: Block Cipher Construction & DES.
Encryption Schemes Second Pass Brice Toth 21 November 2001.

Encryption Schemes Second Pass Brice Toth 21 November 2001.

Similar presentations

Ads by Google