complementing feistel ciphers
play

Complementing Feistel Ciphers Ivica Nikoli c (joint work with Alex - PowerPoint PPT Presentation

Nov 04, 2022 •175 likes •426 views

Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Complementing Feistel Ciphers Ivica Nikoli c (joint work with Alex Biryukov) Nanyang Technological University, Singapore

  1. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Complementing Feistel Ciphers Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg 11 March 2013 Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  2. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion 1 Complementation Property 2 General Complementation Property 3 Application to Camellia-128 4 Application to GOST 5 Conclusion Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  3. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion What is complementation property In DES, if you complement/flip all bits of plaintext and key, then all bits of ciphertext would flip If DES K ( P ) = C then DES K ( P ) = C Results: Distinguisher with only two queries Reduction of exhaustive key search by factor 2 Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  4. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Why does it work Complementation/ All bit flip = difference 11 . . . 11 Diff. 11 . . . 11 in master key = > diff. 11 . . . 11 in subkeys Difference 11 . . . 11 in the state and the subkey cancel Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  5. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion 1 Complementation Property 2 General Complementation Property 3 Application to Camellia-128 4 Application to GOST 5 Conclusion Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  6. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion How to relax the requirements Original: If in Feistel cipher, for any key one flips all of the bits ... Ideas for general: Not applicable to all keys, i.e. weak-key class Not necessarily flip all the bits Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  7. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion General complementation Partial-alternating : Start with (∆ 1 , ∆ 2 ) in the plaintext Weak-key : KS (∆) → (∆ 1 , ∆ 2 , . . . , ∆ 1 , ∆ 2 ) for some K Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  8. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Outcome Lemma (Classical Feistel) If for n-bit cipher with k-bit keys p ∃ ∆ : KS ( K ⊕ ∆) ⊕ KS ( K ) → (∆ 1 , ∆ 2 , ∆ 1 , ∆ 2 , . . . , ∆ 1 , ∆ 2 ) − Then, if p > 2 − k , distinguisher for a weak-key class of size p · 2 k exists for the cipher. Problem: how to find the differential in the key schedule Result: RK differential where the state characteristic has probability 1 Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  9. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Outcome Modular Feistel = subkeys are modularly added to the state Lemma (Modular Feistel) If for n-bit cipher with k-bit keys p ∃ ∆ : KS ( K ⊕ ∆) ⊕ KS ( K ) − → (∆ 1 , ∆ 2 , ∆ 1 , ∆ 2 , . . . , ∆ 1 , ∆ 2 ) Then, if p · 2 −⌈ r 2 ⌉ ( | (∆ 1 ) n − 1 | + | (∆ 2 ) n − 1 | ) > 2 − k and 2 −⌈ r 2 ⌉ ( | (∆ 1 ) n − 1 | + | (∆ 2 ) n − 1 | ) > 2 − n , distinguisher for a weak-key class of size p · 2 k exists for the cipher. Problem: how to find char. in the key schedule with low hamming weight output difference Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  10. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion 1 Complementation Property 2 General Complementation Property 3 Application to Camellia-128 4 Application to GOST 5 Conclusion Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  11. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Specification Camellia-128 is Japanese CRYPTREC standard 128-bit state/key classical Feistel cipher with 2 additional non-linear layers 18 rounds Key schedule composed of 4 rounds of Feistels and rotations We analyze the cipher without the non-linear layers ! Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  12. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Key schedule Intermediate key K A is obtained from the master key K L in four Feistel rounds All subkeys are particular 32-bit values of rotations of K A , K L on various amounts The difference in the subkey has to be invariant of rotations = > only choice is: ∆ K L → ∆ K A : 11 . . . 11 → 11 . . . 11 Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  13. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Differential in the key schedule If we go with characteristic 11 . . . 11 → 11 . . . 11, the probability is too low as there are too many active S-boxes Switch to differentials: compute the number of characteristics in the differential 11 . . . 11 → 11 . . . 11 compute the lower bound on probability of each characteristic obtain the lower bound on probability of differential Result: the differential has a probability of at least 2 − 128 , i.e. there is on good key Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  14. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Applications Weak-key class is too small for attack on the cipher Switch to hash functions, e.g. Davies-Meyer mode based on Camellia-128 The right key/message can be found with 2 112 encryptions The right message produces collisions for any chaining value (key whitening introduces the right difference at the beginning and cancels the difference at the end) q -differential multicollisions with 2 112 calls for the hash function Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  15. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion 1 Complementation Property 2 General Complementation Property 3 Application to Camellia-128 4 Application to GOST 5 Conclusion Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  16. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Specification GOST is Russian encryption standard 64-bit state, 256-bit key modular Feistel cipher 32 rounds No key schedule, only word permutations Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

  17. Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Key schedule and differentials Master key words: K 1 , . . . , K 8 Subkey words: K 1 , . . . , K 8 , K 1 , . . . , K 8 , K 1 , . . . , K 8 , K 8 , . . . , K 1 Probability 1 differential for any difference in the master key words Ivica Nikoli´ c (joint work with Alex Biryukov) Nanyang Technological University, Singapore University of Luxembourg, Luxembourg Complementing Feistel Ciphers

Recommend

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 2 October, 2012 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers DES II.

588 views • 10 slides
Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University

Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University

Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University of Versailles and ANSSI 2 March 2014 - FSE 2014 Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 1 / 11

553 views • 52 slides
Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University

Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University

Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University of Versailles and ANSSI 4th March 2014 - FSE 2014 Lampe & Seurin (Versailles & ANSSI) Key-Alternating Feistel Ciphers FSE 2014 1 / 16

865 views • 53 slides
Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin

Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin

Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin PRiSM, Universit e de Versailles 2008-11-27 Joana Treger, Jacques Patarin (PRiSM, Universit Generic Attacks on Feistel Ciphers With Internal

1.04k views • 52 slides
Revisiting Key-alternating Feistel Ciphers for Shorter Keys and Multi-user Security Chun Guo and

Revisiting Key-alternating Feistel Ciphers for Shorter Keys and Multi-user Security Chun Guo and

Revisiting Key-alternating Feistel Ciphers for Shorter Keys and Multi-user Security Chun Guo and Lei Wang ICTEAM/ELEN/Crypto Group, Universit e catholique de Louvain Shanghai Jiao Tong University Presented by Yaobin Shen, Shanghai Jiao Tong

653 views • 36 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
Extended Generalized Feistel Networks using Matrix Representation Thierry P. Berger 1 , Marine

Extended Generalized Feistel Networks using Matrix Representation Thierry P. Berger 1 , Marine

Introduction Full Diffusion Delay Matrix of a Feistel Network New Feistel Networks Proposals An Efficient Example Extended Generalized Feistel Networks using Matrix Representation Thierry P. Berger 1 , Marine Minier 2 , Gal Thomas 1 1 XLIM

448 views • 31 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Generalized Feistel Networks with Optimal Diffusion Lo Perrin DTU, Lyngby Inria, Paris

Generalized Feistel Networks with Optimal Diffusion Lo Perrin DTU, Lyngby Inria, Paris

Generalized Feistel Networks with Optimal Diffusion Lo Perrin DTU, Lyngby Inria, Paris Dagstuhl 2018 (seminar-18021) Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion In this talk

1.31k views • 52 slides
Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade provable security for practicality Stream cipher is initialized with short key Key is stretched into long keystream Keystream is used like

512 views • 35 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

CSS441 Block Ciphers Principles DES Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

788 views • 50 slides
Classical Ciphers Classical

Classical Ciphers Classical

Classical Ciphers Classical Cryptography Monoalphabetic ciphers: letters of the plaintext alphabet are mapped into unique ciphertext letters Polyalphabetic ciphers:

512 views • 49 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher One Time Pad School of Engineering and Technology CQUniversity

687 views • 64 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher School of Engineering and Technology One Time Pad CQUniversity

1.02k views • 64 slides
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the

334 views • 8 slides
Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner - Crypto J.-C. Faugre Plan Grbner bases: properties Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher: FLURRY Feistel cipher modelling Jean-Charles Faugre Algorithms Buchberger

694 views • 57 slides
Improved Security Bounds for Generalized Feistel Networks Yaobin Shen 1 Chun Guo 2 Lei Wang 1 1

Improved Security Bounds for Generalized Feistel Networks Yaobin Shen 1 Chun Guo 2 Lei Wang 1 1

Feistel Networks Our Contributions Security Proofs Conclusion Improved Security Bounds for Generalized Feistel Networks Yaobin Shen 1 Chun Guo 2 Lei Wang 1 1 Shanghai Jiao Tong University 2 Shandong University November 13, FSE 2020 Yaobin

407 views • 22 slides
Complementing Bchi automata Guillaume Sadegh LRDE EPITA Research and Development Laboratory

Complementing Bchi automata Guillaume Sadegh LRDE EPITA Research and Development Laboratory

Complementing Bchi automata Guillaume Sadegh LRDE EPITA Research and Development Laboratory May 15, 2009 Guillaume Sadegh Complementing Bchi automata 1 / 25 Context Automata-theoretic approach to model checking 1. We have an

948 views • 72 slides
Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks Properties of Secure Ciphers Components of Block Ciphers Classes of Block Ciphers DES AES Secure Communication using

606 views • 27 slides
Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad define a secret key (seed) Using the seed generates a byte stream ( Keystream): i-th byte is function only of the key

822 views • 69 slides
Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &

Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &

CS 166: Information Security Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers & Block Ciphers Stream ciphers based on the one-time pad Block ciphers based on codebook ciphers Symmetric

650 views • 52 slides
B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers

B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers

1 B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers Normally, stream ciphers are symmetric algorithms with encryption = decryption In this course we only consider symmetric stream ciphers.

828 views • 44 slides

More recommend