Chapter 3: Secret Key Cryptography
Instructor: 孫宏民 (hmsun@cs.nthu.edu.tw)
Room: EECS 6402, Tel: 03-5742968, Fax: 886-3-572-3694
Conventional Ciphers (1)
(a) Transposition cipher: reorder the plaintext letters to form the ciphertext (a permutation of the input positions).
Ex. Write the message into a 5 × 4 matrix by row and read it out by column:
  TSINGHUAUNIVERSITY
  TGUET SNHANVRIY IUIS
  TGUETSNHANVRIYIUIS

Conventional Ciphers (2)
(b) Substitution cipher: each letter m of M is replaced by some letter c = f(m) to form C (a permutation of the alphabet). There are four types of substitution ciphers:
- Simple substitution: a single one-to-one mapping from plaintext to ciphertext characters.
- Homophonic substitution: the mapping is one-to-many.
- Polyalphabetic substitution: multiple one-to-one mappings.
- Polygram substitution: arbitrary substitutions for groups of characters.

Conventional Ciphers (3)
(c) Combination of (a) and (b). Ex. the Data Encryption Standard (DES): (a) (b) (a) (b) ..., 16 times each.

Simple Substitution Ciphers
Ex. Keyword mixed alphabet. The cipher alphabet is constructed by first listing the keyword (INFORMATION in this example), omitting duplicates, and then listing the remaining letters of the alphabet in order.
  Plaintext:  ABCDEFGHIJKLM  NOPQRSTUVWXYZ
  Ciphertext: INFORMATBCDEG  HJKLPQSUVWXYZ
  TSINGHUAUNIVERSITY → SQBHATUIUHBVRPQBSY

Ex. f(a) = a·k mod n (k and n are relatively prime). When n = 26 and k = 9:
  Plaintext:  ABCDEFGHIJKLM  NOPQRSTUVWXYZ
  Ciphertext: AJSBKTCLUDMVE  NWFOXGPYHQZIR
  TSINGHUAUNIVERSITY → PGUNCLYAYNUHKXGUPI

Ciphers may also use nonstandard ciphertext alphabets (the ciphertext symbols are shown in the slide image).

For English, in principle, it takes at most 27 or 28 letters to break a simple substitution cipher by frequency analysis.
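The transposition, keyword-mixed-alphabet and multiplicative ciphers above, as an added example in Python (this is not code from the lecture). It also computes the single-letter frequency profile of a text before and after a simple substitution, which is the property frequency analysis exploits. The transposition reads the columns left to right with no column key, the padding and the sample sentence are constructed for the example, and none of the names below come from the slides.

```python
"""Added example: transposition and simple substitution ciphers from the slides, plus
the frequency profile that a simple substitution carries over unchanged."""
from collections import Counter
from math import gcd
from string import ascii_uppercase as ALPHABET

SAMPLE_TEXT = "THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG THE END"  # constructed sample


def columnar_transposition(plaintext, width):
    """Write the message into rows of `width` letters and read it out by column
    (assumption: columns are read left to right, no column key)."""
    rows = [plaintext[i:i + width] for i in range(0, len(plaintext), width)]
    return "".join(row[c] for c in range(width) for row in rows if c < len(row))


def columnar_inverse(ciphertext, width):
    """Undo the read-out: the first `extra` columns are one letter taller when the
    last row is incomplete."""
    full_rows, extra = divmod(len(ciphertext), width)
    rows = [[""] * width for _ in range(full_rows + (1 if extra else 0))]
    pos = 0
    for c in range(width):
        height = full_rows + (1 if c < extra else 0)
        for r in range(height):
            rows[r][c] = ciphertext[pos]
            pos += 1
    return "".join("".join(row) for row in rows)


def keyword_mixed_alphabet(keyword):
    """Keyword letters in order without duplicates, then the unused letters of A-Z."""
    seen = []
    for ch in keyword.upper() + ALPHABET:
        if ch not in seen:
            seen.append(ch)
    return "".join(seen)


def multiplicative_alphabet(k, n=26):
    """Cipher alphabet of f(a) = a*k mod n. gcd(k, n) = 1 is required so that f is a
    permutation: with k = 13, both A and C would map to A."""
    if gcd(k, n) != 1:
        raise ValueError("k and n must be relatively prime")
    return "".join(ALPHABET[(a * k) % n] for a in range(n))


def substitute(text, cipher_alphabet):
    """Apply a simple substitution; non-letters pass through unchanged."""
    return text.upper().translate(str.maketrans(ALPHABET, cipher_alphabet))


def inverse_alphabet(cipher_alphabet):
    """Deciphering alphabet: the inverse permutation."""
    out = [""] * 26
    for plain, cipher in zip(ALPHABET, cipher_alphabet):
        out[ALPHABET.index(cipher)] = plain
    return "".join(out)


def letter_frequencies(text):
    """(letter, relative frequency) pairs, most frequent first. A simple substitution
    only relabels the letters, so the sorted frequency values are identical."""
    letters = [c for c in text.upper() if c in ALPHABET]
    counts = Counter(letters)
    return sorted(((c, counts[c] / len(letters)) for c in counts),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    msg = "TSINGHUAUNIVERSITY"
    print(columnar_transposition(msg, 4))
    kw = keyword_mixed_alphabet("INFORMATION")
    print(kw, substitute(msg, kw), substitute(substitute(msg, kw), inverse_alphabet(kw)))
    print(multiplicative_alphabet(9), substitute(msg, multiplicative_alphabet(9)))
    print(letter_frequencies(SAMPLE_TEXT)[:3], letter_frequencies(substitute(SAMPLE_TEXT, kw))[:3])
```

Running the script prints the keyword alphabet and the two ciphertexts shown on the slides; the last line shows that the most frequent ciphertext letter (R) has exactly the frequency of the most frequent plaintext letter (E), which is why a handful of ciphertext letters suffice to recover a simple substitution key.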
Homophonic Substitution Ciphers
Map each character a of the plaintext alphabet into a set of ciphertext elements f(a). Each c_i is picked at random from the set f(m_i).
  M = m_1 m_2 m_3 ...
  C = c_1 c_2 c_3 ...

Ex. Suppose that the English letters are enciphered as integers between 0 and 99, where the number of integers assigned to a letter is proportional to the relative frequency of the letter, and no integer is assigned to more than one letter.
  A: 17 19 34 41 56 60 67 83
  I: 08 22 53 65 88 90
  L: 03 44 76
  N: 02 09 15 27 32 40 59
  O: 01 11 23 28 42 54 70 80
  P: 33 91
  T: 05 10 20 29 45 58 64 78 99

One possible encipherment of PLAINPILOT is:
  M = P  L  A  I  N  P  I  L  O  T
  C = 91 44 56 65 59 33 08 76 28 78
This cipher is much more difficult to solve than simple substitution ciphers.

Second-Order Homophonic Cipher
Given enough ciphertext, most ciphers are breakable: there will be a single key K that deciphers C into meaningful plaintext. It is possible, however, to construct ciphers such that a ciphertext deciphers into more than one meaningful message under different keys.
Ex. Second-order homophonics. Rows are indexed by the letter of the real message M and columns by the letter of the dummy message X:
       E   I   L   M   S
  E   10  22  18  02  11
  I   12  01  25  05  20
  L   19  06  23  13  07
  M   03  16  08  24  15
  S   17  09  21  14  04
  M = SMILE, X = LIMES, C = 21 16 05 19 11
Polyalphabetic Substitution Ciphers
For simple substitution ciphers, the single-letter frequency distribution of the plaintext letters is preserved in the ciphertext. Homophonic substitutions conceal this distribution by defining multiple ciphertext elements for each plaintext letter. Polyalphabetic substitution ciphers conceal it by using multiple substitutions. Most polyalphabetic ciphers are periodic substitution ciphers.

Vigenère and Beaufort Ciphers (1)
Vigenère cipher. Key: K = k_1 ... k_d; f_i(a) = (a + k_i) mod n.
Ex. Key: BAND. The Vigenère tableau facilitates encryption and decryption (see the table on the next slide).
  M = INFORMATION
  K = BANDBANDBAN
  C = JNSRSMNWJOA

Vigenère and Beaufort Ciphers (2)
Beaufort cipher. Key: K = k_1 ... k_d; f_i(a) = (k_i − a) mod n.
Ex. Key: D
  Plaintext:  ABCDEFGHIJKLM  NOPQRSTUVWXYZ
  Ciphertext: DCBAZYXWVUTSR  QPONMLKJIHGFE

Vigenère Tableau (table shown in the slide image)

Running-Key Ciphers
The key is as long as the plaintext message. One method is to use the text of a book as the key sequence; the key is then the title of the book and the starting position (section, paragraph, etc.).
Ex.
  M = THETREASUREISBURIEDATTW
  K = THEKEYISASLONGASTHEPLAI
  C = MOIDVCIKUJPWFHUJBLHPETE
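The Vigenère, Beaufort and running-key ciphers of the preceding slides, as an added example in Python (not code from the lecture). It works over A-Z with n = 26, reproduces the three worked examples, and shows that Beaufort is an involution so one function both enciphers and deciphers; the function names are the example's own.

```python
"""Added example: periodic polyalphabetic ciphers and the running-key cipher."""
from string import ascii_uppercase as ALPHABET


def _key_stream(key, length):
    """Repeat a periodic key k_1..k_d to cover `length` letters. A running key is
    just a key that is already at least as long as the message."""
    key = key.upper()
    if not key:
        raise ValueError("empty key")
    return (key * (length // len(key) + 1))[:length]


def _idx(ch):
    return ALPHABET.index(ch)


def vigenere_encipher(message, key):
    """f_i(a) = (a + k_i) mod 26."""
    m = message.upper()
    return "".join(ALPHABET[(_idx(a) + _idx(k)) % 26]
                   for a, k in zip(m, _key_stream(key, len(m))))


def vigenere_decipher(ciphertext, key):
    """Inverse of each f_i: subtract k_i mod 26."""
    c = ciphertext.upper()
    return "".join(ALPHABET[(_idx(a) - _idx(k)) % 26]
                   for a, k in zip(c, _key_stream(key, len(c))))


def beaufort(text, key):
    """f_i(a) = (k_i - a) mod 26. Because k_i - (k_i - a) = a, applying the function
    twice with the same key returns the plaintext: enciphering == deciphering."""
    t = text.upper()
    return "".join(ALPHABET[(_idx(k) - _idx(a)) % 26]
                   for a, k in zip(t, _key_stream(key, len(t))))


def running_key_encipher(message, key_text):
    """Running-key cipher: Vigenère with a key text at least as long as the message
    (period = message length, so no periodicity is left to exploit)."""
    if len(key_text) < len(message):
        raise ValueError("the running key must be at least as long as the message")
    return vigenere_encipher(message, key_text[:len(message)])


def tableau_row(key_letter):
    """One row of the Vigenère tableau: the alphabet shifted by the key letter."""
    return vigenere_encipher(ALPHABET, key_letter)


if __name__ == "__main__":
    print(vigenere_encipher("INFORMATION", "BAND"), vigenere_decipher("JNSRSMNWJOA", "BAND"))
    print(beaufort(ALPHABET, "D"), beaufort(beaufort("INFORMATION", "BAND"), "BAND"))
    print(running_key_encipher("THETREASUREISBURIEDATTW", "THEKEYISASLONGASTHEPLAI"))
    print(tableau_row("B"))
```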
Rotor Machine (initial setting shown in the slide image)

Rotor Machine
The machine consists of a set of independently rotating cylinders through which electrical pulses can flow. Each cylinder has 26 input pins and 26 output pins. Consider a machine with a single cylinder: after each input key is depressed, the cylinder rotates one position and thus a different substitution cipher is defined. After 26 letters of plaintext the cylinder is back in its initial position, so the period is 26.

For a machine with three cylinders, the one farthest from the operator rotates one pin position per keystroke. For every complete rotation of the outer cylinder, the inner cylinder rotates one pin position. Thus 26^3 = 17576 different substitution alphabets are used before the system repeats. Rotor machines were used by the Germans during World War II.

Rotor Machine (setting after one keystroke shown in the slide image)
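The rotor machine of the preceding slides as an added example in Python (not the lecture's own code). Each cylinder is a fixed wiring permutation of its 26 pins with a rotation offset applied on entry and removed on exit; the cylinder farthest from the operator steps on every keystroke and each inner one steps once per full turn of its neighbour. The wirings are constructed for the example and are not historical rotor wirings; a real machine also had a reflector and plugboard, which are left out.

```python
"""Added example: a minimal model of a rotor machine with odometer stepping."""
import random

N = 26


def make_wiring(seed):
    """Deterministic, constructed wiring permutation (not a historical rotor)."""
    rng = random.Random(seed)
    perm = list(range(N))
    rng.shuffle(perm)
    return perm


class RotorMachine:
    def __init__(self, wirings):
        self.wirings = [list(w) for w in wirings]       # index 0 = cylinder farthest from the operator
        self.inverses = [[w.index(i) for i in range(N)] for w in self.wirings]
        self.offsets = [0] * len(self.wirings)          # initial setting: all at 0

    def step(self):
        """Stepping after a keystroke: the outer cylinder always moves; an inner one
        moves only when its neighbour has completed a full rotation."""
        for i in range(len(self.offsets)):
            self.offsets[i] = (self.offsets[i] + 1) % N
            if self.offsets[i] != 0:
                break

    def _through(self, x, tables, order):
        for i in order:
            off = self.offsets[i]
            x = (tables[i][(x + off) % N] - off) % N
        return x

    def encipher(self, text):
        out = []
        for ch in text.upper():
            x = self._through(ord(ch) - 65, self.wirings, range(len(self.wirings)))
            out.append(chr(x + 65))
            self.step()
        return "".join(out)

    def decipher(self, text):
        """Same settings, inverse wirings, cylinders traversed in reverse order."""
        out = []
        for ch in text.upper():
            x = self._through(ord(ch) - 65, self.inverses, reversed(range(len(self.wirings))))
            out.append(chr(x + 65))
            self.step()
        return "".join(out)


def substitution_alphabet(machine):
    """The simple-substitution alphabet in force for the next keystroke."""
    order = range(len(machine.wirings))
    return "".join(chr(machine._through(x, machine.wirings, order) + 65) for x in range(N))


def period(num_cylinders):
    """Keystrokes until all offsets return to 0: 26 for one cylinder, 26^3 for three."""
    m = RotorMachine([make_wiring(i) for i in range(num_cylinders)])
    count = 0
    while True:
        m.step()
        count += 1
        if all(o == 0 for o in m.offsets):
            return count


if __name__ == "__main__":
    wirings = [make_wiring(i) for i in range(3)]
    sender, receiver = RotorMachine(wirings), RotorMachine(wirings)
    c = sender.encipher("TSINGHUAUNIVERSITY")
    print(c, receiver.decipher(c), period(1), period(3))
```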
Vernam Cipher and One-Time Pads
Vernam designed a system (in 1918) which works on binary data rather than letters.
To encipher: c_i = m_i ⊕ k_i
To decipher: c_i ⊕ k_i = m_i ⊕ k_i ⊕ k_i = m_i
Thus enciphering and deciphering are performed with the same operation. Mauborgne suggested using a random key that is as long as the message, with the key tape used only once. Such a scheme, known as a one-time pad, is unbreakable.

The only drawback of the cipher is that it requires a long key sequence.
Ex.
  M = 11000    C = 01010
  K = 10010    K = 10010
  C = 01010    M = 11000
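The Vernam operation and the one-time-pad discipline as an added example in Python (not the lecture's own code): XOR on the slide's bit strings and on bytes, a key tape that sender and receiver consume in lockstep and never rewind, and a check of what the "used only once" rule protects: when one key enciphers two messages, XORing the two ciphertexts cancels the key and leaves m_1 ⊕ m_2. The class and function names are the example's own.

```python
"""Added example: Vernam XOR, a consumed key tape, and the cost of key reuse."""
import secrets


def xor_bits(a, b):
    """Bitwise XOR of two equal-length '0'/'1' strings; enciphers and deciphers alike."""
    if len(a) != len(b):
        raise ValueError("Vernam needs one key bit per message bit")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("key and data lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


class KeyTape:
    """One-time pad discipline: key bytes come from a random tape and each byte is
    used once. Sender and receiver hold identical tapes and advance together."""

    def __init__(self, tape):
        self._tape = bytes(tape)
        self._pos = 0

    @classmethod
    def fresh(cls, length):
        return cls(secrets.token_bytes(length))       # random key as long as all traffic

    def remaining(self):
        return len(self._tape) - self._pos

    def apply(self, data):
        """XOR `data` with the next len(data) unused key bytes, then discard them."""
        end = self._pos + len(data)
        if end > len(self._tape):
            raise RuntimeError("key tape exhausted: a one-time pad must not be reused")
        chunk = self._tape[self._pos:end]
        self._pos = end
        return xor_bytes(data, chunk)


def key_reuse_leak(c1, c2):
    """If the same key enciphered both, c1 xor c2 == m1 xor m2: the key drops out
    and each plaintext is exposed relative to the other without any key."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    print(xor_bits("11000", "10010"), xor_bits("01010", "10010"))
    tape = secrets.token_bytes(16)
    sender, receiver = KeyTape(tape), KeyTape(tape)
    c = sender.apply(b"attack at")
    print(receiver.apply(c), sender.remaining())
```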
Polygram Substitution Ciphers
All of the preceding substitution ciphers encipher a single letter of plaintext at a time. By enciphering larger blocks of letters, polygram substitution ciphers make cryptanalysis harder by destroying the significance of single-letter frequencies.

Playfair Cipher
The key is a 5 × 5 matrix of 25 letters (J is not used). Each pair of plaintext letters m_1 m_2 is enciphered as follows:
- 1. If m_1 and m_2 are in the same row, then c_1 and c_2 are the two characters to the right of m_1 and m_2, respectively.
- 2. If m_1 and m_2 are in the same column, then c_1 and c_2 are the two characters below m_1 and m_2, respectively.
- 3. If m_1 and m_2 are in different rows and columns, then c_1 and c_2 are the other two corners of the rectangle having m_1 and m_2 as corners, where c_1 is in m_1's row and c_2 is in m_2's row.
- 4. If m_1 = m_2, a null letter (e.g., X) is inserted into the plaintext between m_1 and m_2.
- 5. If the plaintext has an odd number of characters, a null letter is appended to the end of the plaintext.
Ex. Keyword: MONARCHY
  M O N A R
  C H Y B D
  E F G I/J K
  L P Q S T
  U V W X Z
The Playfair cipher was invented in 1854 and was used by the British during World War I.
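The five Playfair rules with the MONARCHY square, as an added example in Python (not the lecture's own code). J is folded into I, a repeated letter within a pair is separated by the null X, an odd-length message is padded with X, and deciphering applies the row and column shifts in the opposite direction; the rectangle rule is its own inverse. Names and the choice of X as the null are the example's own.

```python
"""Added example: Playfair enciphering and deciphering with a keyword square."""
from string import ascii_uppercase


def build_square(keyword):
    """5x5 key square: keyword letters (duplicates dropped), then the rest of A-Z
    without J."""
    seen = []
    for ch in keyword.upper().replace("J", "I") + ascii_uppercase.replace("J", ""):
        if ch not in seen:
            seen.append(ch)
    return [seen[r * 5:r * 5 + 5] for r in range(5)]


def make_pairs(text, null="X"):
    """Rules 4 and 5: split a doubled letter with the null, pad an odd length."""
    letters = [c for c in text.upper().replace("J", "I") if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else null
        if a == b:
            pairs.append((a, null))
            i += 1
        else:
            pairs.append((a, b))
            i += 2
    return pairs


def transform_pair(a, b, square, shift):
    """shift=+1 enciphers (right/down), shift=-1 deciphers (left/up)."""
    pos = {ch: (r, c) for r, row in enumerate(square) for c, ch in enumerate(row)}
    (ra, ca), (rb, cb) = pos[a], pos[b]
    if ra == rb:                                            # rule 1: same row
        return square[ra][(ca + shift) % 5] + square[rb][(cb + shift) % 5]
    if ca == cb:                                            # rule 2: same column
        return square[(ra + shift) % 5][ca] + square[(rb + shift) % 5][cb]
    return square[ra][cb] + square[rb][ca]                  # rule 3: rectangle corners


def playfair_encipher(message, keyword="MONARCHY"):
    square = build_square(keyword)
    return "".join(transform_pair(a, b, square, +1) for a, b in make_pairs(message))


def playfair_decipher(ciphertext, keyword="MONARCHY"):
    """Nulls inserted by rules 4 and 5 remain in the output for the reader to drop."""
    square = build_square(keyword)
    pairs = [(ciphertext[i], ciphertext[i + 1]) for i in range(0, len(ciphertext), 2)]
    return "".join(transform_pair(a, b, square, -1) for a, b in pairs)


if __name__ == "__main__":
    for row in build_square("MONARCHY"):
        print(" ".join(row))
    c = playfair_encipher("HELLO")
    print(c, playfair_decipher(c))
```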
Hill Cipher
To encipher: C = K·M mod n
To decipher: K^−1·C mod n = K^−1·K·M mod n = M
where C, K, and M are d × 1, d × d, and d × 1 matrices, respectively.
Ex. d = 2. Suppose M = EG = (4, 6) (or YQ); the key matrix and the enciphering and deciphering steps are shown in the slide image.
The Hill cipher is easy to break.
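The Hill cipher with d = 2 and n = 26 as an added example in Python (not the lecture's own code). The key matrix KEY is an assumption of the example, since the slide's matrix is only in its image, and odd-length messages are padded with X. The last function shows why the slide calls the cipher easy to break: two known plaintext digraphs whose matrix is invertible mod 26 give back K from the matching ciphertext digraphs, because C = K·M implies K = C·M^−1.

```python
"""Added example: 2x2 Hill cipher, its inverse, and known-plaintext key recovery."""
from math import gcd

N = 26
KEY = [[3, 3], [2, 5]]       # assumed key: det = 9, gcd(9, 26) = 1, so K^-1 mod 26 exists


def inv_mod(a, n=N):
    a %= n
    if gcd(a, n) != 1:
        raise ValueError(f"{a} has no inverse mod {n}")
    return pow(a, -1, n)


def mat_inv2(k, n=N):
    """K^-1 = det^-1 * adj(K) mod n for a 2x2 matrix."""
    (a, b), (c, d) = k
    di = inv_mod(a * d - b * c, n)
    return [[(d * di) % n, (-b * di) % n], [(-c * di) % n, (a * di) % n]]


def mat_mul(x, y, n=N):
    return [[sum(x[i][t] * y[t][j] for t in range(len(y))) % n
             for j in range(len(y[0]))] for i in range(len(x))]


def digraphs(text):
    """Letters as numbers 0..25 in pairs; an odd count is padded with X (assumption)."""
    nums = [ord(c) - 65 for c in text.upper() if c.isalpha()]
    if len(nums) % 2:
        nums.append(ord("X") - 65)
    return [(nums[i], nums[i + 1]) for i in range(0, len(nums), 2)]


def hill_encipher(message, key=KEY):
    """C = K M mod 26 with one column vector M per digraph."""
    out = []
    for m1, m2 in digraphs(message):
        c = mat_mul(key, [[m1], [m2]])
        out.append(chr(c[0][0] + 65) + chr(c[1][0] + 65))
    return "".join(out)


def hill_decipher(ciphertext, key=KEY):
    """K^-1 C = K^-1 K M = M mod 26."""
    return hill_encipher(ciphertext, mat_inv2(key))


def recover_key(plain, cipher):
    """Known-plaintext recovery: the two plaintext digraphs form the columns of M and
    the matching ciphertext digraphs the columns of C; then K = C M^-1 mod 26.
    Raises ValueError when M is singular mod 26 (other digraphs are then needed)."""
    (p1, p2), (p3, p4) = digraphs(plain)[:2]
    (c1, c2), (c3, c4) = digraphs(cipher)[:2]
    return mat_mul([[c1, c3], [c2, c4]], mat_inv2([[p1, p3], [p2, p4]]))


if __name__ == "__main__":
    print(hill_encipher("EG"), hill_encipher("HELP"), hill_decipher(hill_encipher("HELP")))
    print(recover_key("HELP", hill_encipher("HELP")))
```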
Data Encryption Standard (DES)
DES was published in 1977 by the National Bureau of Standards (since renamed the National Institute of Standards and Technology) for use in commercial and unclassified (hmm…) U.S. Government applications. It was designed by IBM, based on their own Lucifer cipher, with input from NSA. DES enciphers 64-bit blocks of data with a 56-bit key. DES has been implemented both in software and in hardware.

The same algorithm is used both to encipher and to decipher. It is the most widely used cipher ever. Its security is based on Shannon's theory:
- Confusion: a piece of information is changed so that the output bits have no obvious relationship to the input bits.
- Diffusion: the effect of one plaintext bit is spread over many bits of the ciphertext.

Block cipher:
- Block size = 64 bits.
- Key length = 56 bits (the 64-bit key contains bits 8, 16, 24, 32, 40, 48, 56, 64 for an odd parity check).
Advantages of DES:
- DES can be implemented in software and in hardware, because it uses only simple arithmetic and logical operations.
- High speed.

DES: In: 64 bits, Out: 64 bits, Key: 56 bits (structure diagram in the slide image)

IP (Initial Permutation)
The table should be read left to right, top to bottom. T = t_1 t_2 ... t_64; T_0 = t_58 t_50 ... t_7 = L_0 R_0.

IP^−1 (Final Permutation)
IP^−1 is the inverse of IP. All tables are fixed.

Function f (diagram in the slide image)

E (Bit-Selection Table): In: 32 bits, Out: 48 bits

P (Permutation): In: 32 bits, Out: 32 bits

S-boxes (Selection Functions)
Each S-box S_j maps a 6-bit block b_1 b_2 b_3 b_4 b_5 b_6 into a 4-bit block (In: 6 bits, Out: 4 bits). The integer corresponding to b_1 b_6 selects a row and the integer corresponding to b_2 b_3 b_4 b_5 selects a column.
Example: (100001)_2 for S-box 1: row = (11)_2 = 3 and column = (0000)_2 = 0; output = 15 = (1111)_2.
Key Calculation
K_1, K_2, ..., K_16: 48 bits each.

PC-1 (Key Permutation): In: 64 bits (with 8 parity bits), Out: 56 bits

PC-2 (Key Permutation): In: 56 bits, Out: 48 bits

LS_i (Left Circular Shift)
  Iteration i:            1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
  Number of left shifts:  1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1

Deciphering
Deciphering is performed using the same algorithm, except that K_16 is used in the first iteration, K_15 in the second iteration, and so on.
The last round of enciphering:
  LE_16 = RE_15
  RE_16 = LE_15 ⊕ f(RE_15, K_16)
The first round of deciphering:
  LD_1 = RD_0 = LE_16 = RE_15
  RD_1 = LD_0 ⊕ f(RD_0, K_16)
       = RE_16 ⊕ f(RE_15, K_16)
       = (LE_15 ⊕ f(RE_15, K_16)) ⊕ f(RE_15, K_16)
       = LE_15 ⊕ (f(RE_15, K_16) ⊕ f(RE_15, K_16))
       = LE_15 ⊕ 0 = LE_15
Thus the output of the first round of deciphering is the swap of the input to the sixteenth round of enciphering.

The subkeys are used in reverse order (K_16, K_15, …, K_1).
- The key shifts become right circular shifts.
- The number of shift bits in each round, as (round, shifts), is (1, 0), (2, 1), (3, 2), (4, 2), (5, 2), (6, 2), (7, 2), (8, 2), (9, 1), (10, 2), (11, 2), (12, 2), (13, 2), (14, 2), (15, 2), (16, 1).
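The S-box row/column selection and the two deciphering claims of the preceding slides, as an added example in Python (not the lecture's own code): a 16-round Feistel network in the DES shape deciphers with the same code and the subkeys in reverse order even though its round function is not invertible, and the reversed subkey sequence comes out of right circular shifts with the schedule (0, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1). The round function is a toy of the example's own design: it uses the real DES S-box S1 from FIPS 46 but a simplified expansion, and the "subkeys" are the raw 28-bit halves C_i, D_i rather than PC-2 selections, so this is not DES itself.

```python
"""Added example: DES-shaped Feistel network, S-box 1 lookup, and both shift schedules."""

MASK32, MASK28 = 0xFFFFFFFF, 0x0FFFFFFF

S1 = [  # DES S-box 1 (FIPS 46); row chosen by b1 b6, column by b2 b3 b4 b5
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox1(six_bits):
    """6 bits in, 4 bits out: 100001 -> row 11 = 3, column 0000 = 0 -> 15."""
    row = ((six_bits >> 5) & 1) << 1 | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return S1[row][col]


def toy_f(r, k):
    """Toy round function: XOR the 32-bit half with the subkey's low 32 bits, then feed
    eight overlapping 6-bit windows (bits 4i-1 .. 4i+4, wrapping, as E does) to S1.
    Eight 6-to-4-bit maps lose information, so f has no inverse."""
    t = (r ^ k) & MASK32
    tt = ((t << 1) | (t >> 31)) & MASK32      # rotate left 1 so window i starts at bit 4i
    d = (tt << 32) | tt                       # doubled so the last window wraps around
    out = 0
    for i in range(8):
        out = (out << 4) | sbox1((d >> (58 - 4 * i)) & 0x3F)
    return out


def feistel(block, subkeys):
    """L_i = R_(i-1), R_i = L_(i-1) xor f(R_(i-1), K_i) for 16 rounds, then the final
    swap. IP and IP^-1 are omitted: they are fixed and cancel between the two runs."""
    l, r = (block >> 32) & MASK32, block & MASK32
    for k in subkeys:
        l, r = r, l ^ toy_f(r, k & MASK32)
    return (r << 32) | l


def encipher(block, subkeys):
    return feistel(block, subkeys)


def decipher(block, subkeys):
    return feistel(block, list(reversed(subkeys)))    # K_16 first, K_15 second, ...


LEFT_SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]    # LS_i when enciphering
RIGHT_SHIFTS = [0, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]   # schedule when deciphering


def rotl28(x, s):
    return ((x << s) | (x >> (28 - s))) & MASK28


def rotr28(x, s):
    return ((x >> s) | (x << (28 - s))) & MASK28


def encipher_subkeys(c0, d0):
    """K_1..K_16 as C_i||D_i. The shifts sum to 28, so C_16, D_16 equal C_0, D_0."""
    keys, c, d = [], c0 & MASK28, d0 & MASK28
    for s in LEFT_SHIFTS:
        c, d = rotl28(c, s), rotl28(d, s)
        keys.append((c << 28) | d)
    return keys


def decipher_subkeys(c0, d0):
    """Same halves, right shifts: yields K_16, K_15, ..., K_1 in that order."""
    keys, c, d = [], c0 & MASK28, d0 & MASK28
    for s in RIGHT_SHIFTS:
        c, d = rotr28(c, s), rotr28(d, s)
        keys.append((c << 28) | d)
    return keys


if __name__ == "__main__":
    ks = encipher_subkeys(0x0ABCDEF, 0x1234567)        # constructed key halves
    m = 0x0123456789ABCDEF
    c = encipher(m, ks)
    print(hex(c), hex(decipher(c, ks)), decipher_subkeys(0x0ABCDEF, 0x1234567) == ks[::-1])
```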
Weaknesses of DES
Complementation: if C = E_k(P), then ¬C = E_¬k(¬P), where ¬x is the complement of x.
- This reduces the complexity of finding the key by exhaustive search from 2^56 to 2^55.
Weak keys (4):
- If each of the left and right halves of the 56-bit key is all 0s or all 1s, then all the subkeys are the same.
Semi-weak keys:
- Encryption using two different keys gives the same result: E_k(P) = E_k'(P).

Security of DES
Differential cryptanalysis attacks:
- Presented by Biham & Shamir in 1990.
- They are chosen-plaintext attacks.
- Result: DES with 16 rounds is secure against it.
International Data Encryption Algorithm (IDEA)
IDEA was originally called IPES (Improved Proposed Encryption Standard). IDEA encrypts a 64-bit block of plaintext into a 64-bit block of ciphertext using a 128-bit key. IDEA is similar to DES in some ways: both operate in rounds, and both have a complicated mangler function that does not have to be reversible in order for decryption to work.

Basic Structure of IDEA (diagram in the slide image)

Primitive operations
- Bitwise exclusive or (⊕).
- A slightly modified add (+): addition in IDEA is done by throwing away carries, which is equivalent to saying addition is mod 2^16.
- A slightly modified multiply (⊗): multiplication in IDEA is done by first calculating the 32-bit result, and then taking the remainder when divided by 2^16 + 1.
- Multiplication mod 2^16 + 1 is reversible, in the sense that every number x between 1 and 2^16 has an inverse y.
- The number 0, which can be expressed in 16 bits, would not have an inverse, and the number 2^16, which is in the proper range for mod 2^16 + 1 arithmetic, cannot be expressed in 16 bits. Both problems are solved by treating 0 as an encoding for 2^16.
The only part of IDEA that isn't necessarily reversible is the mangler function, and it is truly marvelous to note how IDEA's design manages not to require a reversible mangler function.

Key Expansion
The 128-bit key is expanded into 52 16-bit keys, K_1, K_2, …, K_52. The 52 encryption keys are generated by writing out the 128-bit key and, starting from the left, chopping off 16 bits at a time. This generates eight 16-bit keys. The next eight keys are generated by starting at bit 25 and wrapping around to the beginning when the end is reached. The next eight keys are generated by offsetting 25 more bits, and so forth, until 52 keys are generated.

One Round
IDEA has 17 rounds, where the odd-numbered rounds are different from the even-numbered rounds. Each round takes the input, a 64-bit quantity, and treats it as four 16-bit quantities, which we'll call X_a, X_b, X_c, and X_d. Mathematical functions are performed on X_a, X_b, X_c, X_d to yield new versions of X_a, X_b, X_c, X_d. The odd rounds use four of the K_i, which we'll call K_a, K_b, K_c, and K_d. The even rounds use two K_i, which we'll call K_e and K_f.

Odd round (diagram in the slide image)
Note that this is easily reversible. To get from the new X_a to the old X_a, we perform ⊗ with the multiplicative inverse of K_a mod 2^16 + 1. Likewise with X_d. To get the old X_b, given the new X_c, we add the additive inverse of K_b, i.e., we subtract K_b.

Even round (diagram in the slide image)
The even round is its own inverse! When performing decryption, the same keys are used as when performing encryption (not the mathematical inverses of the keys, as in the odd rounds).
Ex. new first output = first input ⊕ Y_out
    first output = (new X_a) ⊕ Y_out = (X_a ⊕ Y_out) ⊕ Y_out = X_a
With an input of new X_a, we get an output of X_a.

Inverse keys for decryption
Since we are working backwards, the first decryption keys should be the inverses of the last-used encryption keys. Given that the final keys used are K_49, K_50, K_51, K_52 in an odd round, the first four decryption keys will be inverses of the keys K_49 to K_52. K_49 is used in ⊗, so the decryption key K_1 will be the multiplicative inverse of K_49 mod 2^16 + 1, and the decryption key K_4 is the multiplicative inverse of K_52. Decryption keys K_2 and K_3 are the additive inverses of K_50 and K_51.
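The primitive operations, the key expansion and the two round types of the IDEA slides, as an added example in Python (not the lecture's own code): ⊗ with the 0 ↔ 2^16 convention and its inverse, the 52 subkeys produced by 25-bit left rotations, an odd round together with the inverse keys that undo it, and an even round that is its own inverse with the same keys. The mangler inside the even round is the example's own stand-in: any function of (X_a ⊕ X_b, X_c ⊕ X_d, K_e, K_f) makes the round self-inverse, which is the point of the slide. The `swap` flag is also the example's: the odd round on the slide exchanges its two middle outputs, while the final odd round that uses K_49 to K_52 is modelled here without that exchange, so that its additive inverses stay in the K_b and K_c positions as the slide states.

```python
"""Added example: IDEA primitives, key expansion, odd/even rounds and their inverses."""

M16 = 0xFFFF
MOD = 0x10001          # 2^16 + 1 is prime, so every value 1..2^16 has an inverse


def add(a, b):
    """Addition mod 2^16: the carry out of bit 15 is thrown away."""
    return (a + b) & M16


def neg(a):
    """Additive inverse mod 2^16, used for the decryption keys of + steps."""
    return (-a) & M16


def mul(a, b):
    """Multiplication mod 2^16 + 1 where the 16-bit value 0 encodes 2^16."""
    a = a or 0x10000
    b = b or 0x10000
    p = (a * b) % MOD
    return 0 if p == 0x10000 else p


def mul_inv(a):
    """The y with mul(a, y) == 1; 0 (= 2^16 = -1 mod 2^16+1) is its own inverse."""
    y = pow(a or 0x10000, -1, MOD)
    return 0 if y == 0x10000 else y


def expand_key(key128):
    """K_1..K_52: chop the 128-bit key into 16-bit pieces from the left, rotate the
    key left by 25 bits, chop again, and so on until 52 pieces exist."""
    keys, k = [], key128 & ((1 << 128) - 1)
    while len(keys) < 52:
        keys.extend((k >> (112 - 16 * i)) & M16 for i in range(8))
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return keys[:52]


def odd_round(x, keys, swap=True):
    """X_a (x) K_a, X_b + K_b, X_c + K_c, X_d (x) K_d; with swap=True the two middle
    results change places (regular odd rounds), with swap=False they do not."""
    xa, xb, xc, xd = x
    ka, kb, kc, kd = keys
    nb, nc = add(xb, kb), add(xc, kc)
    return (mul(xa, ka), nc, nb, mul(xd, kd)) if swap else (mul(xa, ka), nb, nc, mul(xd, kd))


def odd_round_decrypt_keys(keys, swap=True):
    """Inverse keys: multiplicative inverses for the (x) positions, additive inverses
    for the + positions; when the round swaps, the two additive inverses swap too."""
    ka, kb, kc, kd = keys
    if swap:
        return (mul_inv(ka), neg(kc), neg(kb), mul_inv(kd))
    return (mul_inv(ka), neg(kb), neg(kc), mul_inv(kd))


def mangler(y_in, z_in, ke, kf):
    """Stand-in mangler (assumption of the example); it need not be invertible."""
    t = mul(y_in, ke)
    y_out = mul(add(t, z_in), kf)
    z_out = add(t, y_out)
    return y_out, z_out


def even_round(x, ke, kf):
    """XOR Y_out into X_a and X_b and Z_out into X_c and X_d. The mangler only sees
    X_a xor X_b and X_c xor X_d, which the round leaves unchanged, so running it a
    second time with the same K_e, K_f restores the input."""
    xa, xb, xc, xd = x
    y_out, z_out = mangler(xa ^ xb, xc ^ xd, ke, kf)
    return (xa ^ y_out, xb ^ y_out, xc ^ z_out, xd ^ z_out)


if __name__ == "__main__":
    keys = expand_key(0x00010002000300040005000600070008)    # constructed sample key
    print([hex(k) for k in keys[:10]])
    x = (0x1234, 0x5678, 0x9ABC, 0xDEF0)
    y = odd_round(x, keys[:4])
    print(y, odd_round(y, odd_round_decrypt_keys(keys[:4])))
    e = even_round(x, keys[4], keys[5])
    print(e, even_round(e, keys[4], keys[5]))
```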
AES
On January 2, 1997, NIST announced a contest to select a new encryption standard to be used for protecting sensitive, non-classified U.S. government information. After much investigation and discussion in the cryptographic community, NIST chose an algorithm called Rijndael, named after the two Belgian cryptographers who developed and submitted it.
As of 26 November 2001, AES, a standardization of Rijndael, is a Federal Information Processing Standard.

The Rijndael Cipher Algorithm

Mathematical preliminaries
- The field GF(2^8). Example: (57)_16 = x^6 + x^4 + x^2 + x + 1.
  - Addition
  - Multiplication
  - Multiplication by x
- Polynomials with coefficients in GF(2^8)
  - Multiplication by x

Addition
Sum of two elements: the sum of the coefficients modulo 2.
Example: '57' + '83' = 'D4': (x^6 + x^4 + x^2 + x + 1) + (x^7 + x + 1) = x^7 + x^6 + x^4 + x^2

Multiplication
Multiplication in GF(2^8): multiplication of polynomials modulo x^8 + x^4 + x^3 + x + 1, or (11B)_16.
Example: '57' • '83' = 'C1':
  (x^6 + x^4 + x^2 + x + 1)(x^7 + x + 1) = x^13 + x^11 + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1
  x^13 + x^11 + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1 modulo x^8 + x^4 + x^3 + x + 1 = x^7 + x^6 + 1

Some Properties
- Multiplication is associative with a neutral element '01'.
- Inverse: b^−1(x) = a(x) mod m(x) with a(x) • b(x) mod m(x) = 1.
- Distributivity: a(x) • (b(x) + c(x)) = a(x) • b(x) + a(x) • c(x).
- The set of 256 possible byte values, with addition and multiplication as defined above, has the structure of the finite field GF(2^8).

Multiplication by x
Multiply b(x) by the polynomial x: b_7 x^8 + b_6 x^7 + b_5 x^6 + b_4 x^5 + b_3 x^4 + b_2 x^3 + b_1 x^2 + b_0 x.
If b_7 = 0, the reduction is the identity operation; if b_7 = 1, m(x) must be subtracted (i.e., XORed). That is, multiplication by x ('02') can be implemented by a left shift and a conditional XOR with '1B'.

Example: '57' • '13' = 'FE'
  '57' • '02' = xtime(57) = 'AE'
  '57' • '04' = xtime(AE) = '47'
  '57' • '08' = xtime(47) = '8E'
  '57' • '10' = xtime(8E) = '07'
  '57' • '13' = '57' • ('01' + '02' + '10') = '57' + 'AE' + '07' = 'FE'
Polynomials with coefficients in GF(2^8)
Two polynomials over GF(2^8):
  a(x) = a_3 x^3 + a_2 x^2 + a_1 x + a_0
  b(x) = b_3 x^3 + b_2 x^2 + b_1 x + b_0
Their product c(x) = c_6 x^6 + c_5 x^5 + c_4 x^4 + c_3 x^3 + c_2 x^2 + c_1 x + c_0, where
  c_0 = a_0 • b_0
  c_1 = a_1 • b_0 ⊕ a_0 • b_1
  c_2 = a_2 • b_0 ⊕ a_1 • b_1 ⊕ a_0 • b_2
  c_3 = a_3 • b_0 ⊕ a_2 • b_1 ⊕ a_1 • b_2 ⊕ a_0 • b_3
  c_4 = a_3 • b_1 ⊕ a_2 • b_2 ⊕ a_1 • b_3
  c_5 = a_3 • b_2 ⊕ a_2 • b_3
  c_6 = a_3 • b_3

By reducing c(x) modulo a polynomial of degree 4, the result can be reduced to a polynomial of degree below 4. With M(x) = x^4 + 1, x^i mod (x^4 + 1) = x^(i mod 4).

Product of a(x) and b(x) modulo x^4 + 1: d(x) = a(x) ⊗ b(x) = d_3 x^3 + d_2 x^2 + d_1 x + d_0, where
  d_0 = a_0 • b_0 ⊕ a_3 • b_1 ⊕ a_2 • b_2 ⊕ a_1 • b_3
  d_1 = a_1 • b_0 ⊕ a_0 • b_1 ⊕ a_3 • b_2 ⊕ a_2 • b_3
  d_2 = a_2 • b_0 ⊕ a_1 • b_1 ⊕ a_0 • b_2 ⊕ a_3 • b_3
  d_3 = a_3 • b_0 ⊕ a_2 • b_1 ⊕ a_1 • b_2 ⊕ a_0 • b_3

This is multiplication of the vector (b_0, b_1, b_2, b_3) by a circulant matrix:
  [d_0]   [a_0 a_3 a_2 a_1] [b_0]
  [d_1] = [a_1 a_0 a_3 a_2] [b_1]
  [d_2]   [a_2 a_1 a_0 a_3] [b_2]
  [d_3]   [a_3 a_2 a_1 a_0] [b_3]

Multiplication by x
Multiply b(x) by the polynomial x: b_3 x^4 + b_2 x^3 + b_1 x^2 + b_0 x, and x • b(x) modulo (1 + x^4) = b_2 x^3 + b_1 x^2 + b_0 x + b_3. It is equivalent to multiplication by the matrix above with all a_i = '00' except a_1 = '01'. Let c(x) = x • b(x). We have c_0 = b_3, c_1 = b_0, c_2 = b_1, c_3 = b_2.

Specification
- Variable block length and key length: the block length and the key length can each be 128, 192, or 256 bits.
- The State: the intermediate cipher result, pictured as a rectangular array of bytes with four rows.
- The Cipher Key is similarly pictured as a rectangular array with four rows.

The state and the Cipher Key (diagram in the slide image)

The rounds
The number of rounds is denoted by Nr and depends on the values Nb and Nk. It is given in Table 1 (in the slide image).

The cipher
The cipher Rijndael consists of an initial Round Key addition, Nr − 1 Rounds, and a final round. In pseudo C code:
  Rijndael(State, CipherKey) {
      KeyExpansion(CipherKey, ExpandedKey);
      AddRoundKey(State, ExpandedKey);
      for (i = 1; i < Nr; i++) Round(State, ExpandedKey + Nb*i);
      FinalRound(State, ExpandedKey + Nb*Nr);
  }

The key expansion can be done beforehand, and Rijndael can be specified in terms of the Expanded Key:
  Rijndael(State, ExpandedKey) {
      AddRoundKey(State, ExpandedKey);
      for (i = 1; i < Nr; i++) Round(State, ExpandedKey + Nb*i);
      FinalRound(State, ExpandedKey + Nb*Nr);
  }

The round transformation
  Round(State, RoundKey) {
      ByteSub(State);
      ShiftRow(State);
      MixColumn(State);
      AddRoundKey(State, RoundKey);
  }

The final round
  FinalRound(State, RoundKey) {
      ByteSub(State);
      ShiftRow(State);
      AddRoundKey(State, RoundKey);
  }
The ByteSub transformation (1/2)
1. Take the multiplicative inverse in GF(2^8).
2. Apply the affine transformation defined by the matrix in the slide image.

The ByteSub transformation (2/2) (diagram in the slide image)

The ShiftRow transformation (1/2) and (2/2) (diagrams in the slide images)

The MixColumn transformation (1/2)
The columns of the State are considered as polynomials over GF(2^8) and multiplied modulo x^4 + 1 with a fixed polynomial c(x) = '03' x^3 + '01' x^2 + '01' x + '02'. This can be written as a matrix multiplication. Let b(x) = c(x) ⊗ a(x) (matrix form on the next slide).

The MixColumn transformation (2/2) (diagram in the slide image)

The Round Key addition (diagram in the slide image)

Key schedule
The Round Keys are derived from the Cipher Key by means of the key schedule. This consists of two components: the Key Expansion and the Round Key Selection. The basic principle is the following:
- The total number of Round Key bits is equal to the block length multiplied by the number of rounds plus 1 (e.g., for a block length of 128 bits and 10 rounds, 1408 Round Key bits are needed).
- The Cipher Key is expanded into an Expanded Key.
- Round Keys are taken from this Expanded Key in the following way: the first Round Key consists of the first Nb words, the second one of the following Nb words, and so on.

Key expansion
The Expanded Key is a linear array of 4-byte words and is denoted by W[Nb*(Nr+1)]. The first Nk words contain the Cipher Key. All other words are defined recursively in terms of words with smaller indices. For Nk ≤ 6, we have:
  KeyExpansion(byte Key[4*Nk], word W[Nb*(Nr+1)]) {
      for (i = 0; i < Nk; i++)
          W[i] = (Key[4*i], Key[4*i+1], Key[4*i+2], Key[4*i+3]);
      for (i = Nk; i < Nb*(Nr+1); i++) {
          temp = W[i-1];
          if (i % Nk == 0)
              temp = SubByte(RotByte(temp)) ^ Rcon[i/Nk];
          W[i] = W[i-Nk] ^ temp;
      }
  }

For Nk > 6, we have:
  KeyExpansion(byte Key[4*Nk], word W[Nb*(Nr+1)]) {
      for (i = 0; i < Nk; i++)
          W[i] = (Key[4*i], Key[4*i+1], Key[4*i+2], Key[4*i+3]);
      for (i = Nk; i < Nb*(Nr+1); i++) {
          temp = W[i-1];
          if (i % Nk == 0)
              temp = SubByte(RotByte(temp)) ^ Rcon[i/Nk];
          else if (i % Nk == 4)
              temp = SubByte(temp);
          W[i] = W[i-Nk] ^ temp;
      }
  }

Round Key selection
Round Key i is given by the Round Key buffer words W[Nb*i] to W[Nb*(i+1)].

Strength against known attacks
Symmetry properties and weak keys of the DES type: the round constants are different in each round to eliminate symmetry in the cipher. The cipher and its inverse use different components, which eliminates the possibility of weak and semi-weak keys as they exist for DES. The non-linearity of the key expansion eliminates the possibility of equivalent keys.

Differential cryptanalysis (DC): first described by Eli Biham and Adi Shamir in 1991. A differential propagation is composed of differential trails (DT); its prop ratio (PR) is the sum of the PRs of all DTs that have the specified initial and final difference patterns. Necessary condition to be resistant against DC: no DT with predicted PR > 2^(1−n), n the block length. For Rijndael: no 4-round DT with predicted PR above 2^−150 (no 8-round trails with PR above 2^−300).

Linear cryptanalysis (LC): first described by Mitsuru Matsui in 1994. An input-output correlation is composed of linear trails (LT) that have the specified initial and final selection patterns. Necessary condition to be resistant against LC: no LT with a correlation coefficient > 2^(−n/2). For Rijndael: no 4-round LT with a correlation above 2^−75 (no 8-round trails with a correlation above 2^−150).

Interpolation attacks: introduced by Jakobsen and Knudsen in 1997. The attacker constructs polynomials using cipher input/output pairs. If the polynomials have a small degree, only a few pairs are necessary to solve for the coefficients of the polynomial. The expression for the S-box is given by
  63 + 8f X^127 + b5 X^191 + 01 X^223 + f4 X^239 + 25 X^247 + f9 X^251 + 09 X^253 + 05 X^254
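The GF(2^8) arithmetic, the polynomial product modulo x^4 + 1 (the circulant matrix), MixColumn, ByteSub, the KeyExpansion pseudo-code and the S-box interpolation polynomial from the Rijndael slides above, as one added example in Python (this is not code from the lecture or from the Rijndael submission; one block serves all of those slides because they share the same field arithmetic). It reproduces the slides' worked products 57 • 83 = C1 and 57 • 13 = FE, builds the S-box from the inverse and the affine map rather than from a table, checks that the interpolation polynomial quoted on the last slide agrees with that S-box for all 256 inputs, and runs the key expansion on the AES-128 key from FIPS-197 Appendix A. The inverse MixColumn polynomial D_X is the one used by the Rijndael inverse cipher; the test verifies it by multiplying it with c(x). Function names are the example's own.

```python
"""Added example: GF(2^8), MixColumn, ByteSub, KeyExpansion and the S-box polynomial."""


def xtime(b):
    """Multiply by x ('02'): left shift, XOR with 1B when the x^8 term appears."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def gf_mul(a, b):
    """Product modulo m(x) = x^8 + x^4 + x^3 + x + 1, by repeated xtime."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = xtime(a), b >> 1
    return p


def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r


def gf_inv(a):
    """a^254 = a^-1 for a != 0 (the 255 non-zero elements form a cyclic group);
    0 maps to 0, the convention ByteSub uses."""
    return gf_pow(a, 254)


def sbox(x):
    """ByteSub: multiplicative inverse, then the affine map
    b'_i = b_i + b_(i+4) + b_(i+5) + b_(i+6) + b_(i+7) + c_i with c = 63."""
    y = gf_inv(x)
    s = y
    for k in range(1, 5):
        s ^= ((y << k) | (y >> (8 - k))) & 0xFF
    return s ^ 0x63


def poly_mul_mod(a, b):
    """d = a (x) b mod (x^4 + 1): d_i = sum over j of a_((i-j) mod 4) * b_j, i.e. the
    circulant matrix of a applied to b. Coefficients are listed low degree first."""
    d = [0, 0, 0, 0]
    for i in range(4):
        for j in range(4):
            d[i] ^= gf_mul(a[(i - j) % 4], b[j])
    return d


C_X = [0x02, 0x01, 0x01, 0x03]     # c(x) = 03 x^3 + 01 x^2 + 01 x + 02
D_X = [0x0E, 0x09, 0x0D, 0x0B]     # c(x)^-1 mod x^4 + 1, used by the inverse cipher


def mix_column(col):
    return poly_mul_mod(C_X, col)


def inv_mix_column(col):
    return poly_mul_mod(D_X, col)


def key_expansion(key, nb=4):
    """The slides' KeyExpansion for Nk <= 6 and Nk > 6 in one function. Returns
    W[0 .. Nb*(Nr+1)-1] as 4-byte lists, with Nr = max(Nk, Nb) + 6 as in Table 1."""
    nk = len(key) // 4
    nr = max(nk, nb) + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 0x01                                   # Rcon[j] = x^(j-1) in GF(2^8)
    for i in range(nk, nb * (nr + 1)):
        temp = list(w[i - 1])
        if i % nk == 0:
            temp = temp[1:] + temp[:1]            # RotByte
            temp = [sbox(t) for t in temp]        # SubByte
            temp[0] ^= rcon                       # Rcon[i/Nk] acts on the first byte
            rcon = xtime(rcon)
        elif nk > 6 and i % nk == 4:
            temp = [sbox(t) for t in temp]
        w.append([x ^ y for x, y in zip(w[i - nk], temp)])
    return w


def round_key(w, i, nb=4):
    """Round Key selection: words W[Nb*i] .. W[Nb*(i+1)-1]."""
    return w[nb * i:nb * (i + 1)]


SBOX_POLY = [(0x8F, 127), (0xB5, 191), (0x01, 223), (0xF4, 239),
             (0x25, 247), (0xF9, 251), (0x09, 253), (0x05, 254)]


def sbox_by_interpolation(x):
    """The S-box as 63 + 8f X^127 + ... + 05 X^254 over GF(2^8). Its degree (254)
    is what makes an interpolation attack on the whole cipher impractical."""
    acc = 0x63
    for coef, exp in SBOX_POLY:
        acc ^= gf_mul(coef, gf_pow(x, exp))
    return acc


def hexw(word):
    return "".join(f"{b:02x}" for b in word)


if __name__ == "__main__":
    print(hex(gf_mul(0x57, 0x83)), hex(gf_mul(0x57, 0x13)))                # 0xc1 0xfe
    print([hex(v) for v in mix_column([0xDB, 0x13, 0x53, 0x45])], poly_mul_mod(C_X, D_X))
    print(hex(sbox(0x53)), all(sbox(x) == sbox_by_interpolation(x) for x in range(256)))
    w = key_expansion(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))  # FIPS-197 A.1
    print(len(w), hexw(w[4]), [hexw(x) for x in round_key(w, 10)])
```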
Strength against known attacks
Other attacks considered: truncated differentials, the Square attack, related-key attacks, and weak keys as in IDEA.

Advantages and limitations
Advantages: implementation aspects
- Rijndael can be implemented to run at unusually fast speeds on a Pentium (Pro), with a trade-off between table size and performance.
- Rijndael can be implemented on a smart card in a small amount of code, using a small amount of RAM and a small number of cycles.
- The round transformation is parallel by design.
- As the cipher does not make use of arithmetic operations, it has no bias towards processor architectures.
Advantages: simplicity of design
- The cipher is fully "self-supporting": it does not base its security on obscure and not well understood arithmetic operations.
- The tight cipher design does not leave enough room to hide a trapdoor.
Variable block length and extensions
- Block length and key length both range from 128 to 256 bits in steps of 32 bits.
- The round number can also be modified as a parameter.
Limitations
- The inverse cipher is less suited to implementation on a smart card than the cipher itself: it takes more code and cycles.
- In software, the cipher and its inverse use different code and/or tables.
- In hardware, the inverse cipher can only partially re-use the circuitry that implements the cipher.