prf block ciphers mac
play

PRF , Block Ciphers MAC Lecture 6 One-time CPA-secure RECALL SKE - PowerPoint PPT Presentation

Mar 18, 2024 •293 likes •1.33k views

PRF , Block Ciphers MAC Lecture 6 One-time CPA-secure RECALL SKE with a Stream-Cipher m (stream) Enc One-time Encryption with a stream-cipher: SC K Generate a one-time pad from a short seed Can share just the seed as the key Mask

  1. Pseudorandom Function (PRF) A PRF can be constructed from any PRG Not blazing fast Faster constructions based on specific number-theoretic computational complexity assumptions Fast heuristic constructions PRF in practice: Block Cipher K BC Extra features/requirements: r Permutation: input block (r) to output block

  2. Pseudorandom Function (PRF) A PRF can be constructed from any PRG Not blazing fast Faster constructions based on specific number-theoretic computational complexity assumptions Fast heuristic constructions PRF in practice: Block Cipher K BC Extra features/requirements: r Permutation: input block (r) to output block Key can be used as an inversion trapdoor

  3. Pseudorandom Function (PRF) A PRF can be constructed from any PRG Not blazing fast Faster constructions based on specific number-theoretic computational complexity assumptions Fast heuristic constructions PRF in practice: Block Cipher K BC Extra features/requirements: r Permutation: input block (r) to output block Key can be used as an inversion trapdoor Pseudorandomness even with access to inversion

  4. CPA-secure SKE with a Block Cipher

  5. CPA-secure SKE with a Block Cipher Suppose Alice and Bob have shared a key (seed) for a block-cipher (PRF) BC

  6. CPA-secure SKE with a Block Cipher Suppose Alice and Bob have shared a key (seed) for a block-cipher (PRF) BC For each encryption, Alice will pick a fresh pseudorandom pad, by picking a fresh value r and setting pad=BC K (r)

  7. CPA-secure SKE with a Block Cipher Suppose Alice and Bob have shared a key (seed) m for a block-cipher (PRF) BC (block) Enc For each encryption, Alice will pick a fresh K BC pseudorandom pad, by picking a fresh value r and ⊕ setting pad=BC K (r) r

  8. CPA-secure SKE with a Block Cipher Suppose Alice and Bob have shared a key (seed) m for a block-cipher (PRF) BC (block) Enc For each encryption, Alice will pick a fresh K BC pseudorandom pad, by picking a fresh value r and ⊕ setting pad=BC K (r) r Bob needs to be able to generate the same pad, so Alice sends r (in the clear, as part of the ciphertext) to Bob

  9. CPA-secure SKE with a Block Cipher Suppose Alice and Bob have shared a key (seed) m for a block-cipher (PRF) BC (block) Enc For each encryption, Alice will pick a fresh K BC pseudorandom pad, by picking a fresh value r and ⊕ setting pad=BC K (r) r Bob needs to be able to generate the same pad, so Alice sends r (in the clear, as part of the ciphertext) to Bob

  10. CPA-secure SKE with a Block Cipher Suppose Alice and Bob have shared a key (seed) m for a block-cipher (PRF) BC (block) Enc For each encryption, Alice will pick a fresh K BC pseudorandom pad, by picking a fresh value r and ⊕ setting pad=BC K (r) r Bob needs to be able to generate the same pad, so Alice sends r (in the clear, as part of the ciphertext) to Bob K BC ⊕ Dec m

  11. CPA-secure SKE with a Block Cipher Suppose Alice and Bob have shared a key (seed) m for a block-cipher (PRF) BC (block) Enc For each encryption, Alice will pick a fresh K BC pseudorandom pad, by picking a fresh value r and ⊕ setting pad=BC K (r) r Bob needs to be able to generate the same pad, so Alice sends r (in the clear, as part of the ciphertext) to Bob Even if Eve sees r, PRF security guarantees that BC K (r) is pseudorandom. (In fact, Eve could have K BC ⊕ picked r, as long as we ensure no r is reused.) Dec m

  12. CPA-secure SKE with a Block Cipher Suppose Alice and Bob have shared a key (seed) m for a block-cipher (PRF) BC (block) Enc For each encryption, Alice will pick a fresh K BC pseudorandom pad, by picking a fresh value r and ⊕ setting pad=BC K (r) r Bob needs to be able to generate the same pad, so Alice sends r (in the clear, as part of the ciphertext) to Bob Even if Eve sees r, PRF security guarantees that BC K (r) is pseudorandom. (In fact, Eve could have K BC ⊕ picked r, as long as we ensure no r is reused.) How to pick a fresh r? Dec m

  13. CPA-secure SKE with a Block Cipher Suppose Alice and Bob have shared a key (seed) m for a block-cipher (PRF) BC (block) Enc For each encryption, Alice will pick a fresh K BC pseudorandom pad, by picking a fresh value r and ⊕ setting pad=BC K (r) r Bob needs to be able to generate the same pad, so Alice sends r (in the clear, as part of the ciphertext) to Bob Even if Eve sees r, PRF security guarantees that BC K (r) is pseudorandom. (In fact, Eve could have K BC ⊕ picked r, as long as we ensure no r is reused.) How to pick a fresh r? Pick at random! Dec m

  14. CPA-secure SKE with a Block Cipher

  15. CPA-secure SKE with a Block Cipher How to encrypt a long message (multiple blocks)?

  16. CPA-secure SKE with a Block Cipher How to encrypt a long message (multiple blocks)? Chop the message into blocks and independently encrypt each block as before?

  17. CPA-secure SKE with a Block Cipher How to encrypt a long message (multiple blocks)? Chop the message into blocks and independently encrypt each block as before? Works, but ciphertext size is double that of the plaintext (if |r| is one-block long)

  18. CPA-secure SKE with a Block Cipher How to encrypt a long message (multiple blocks)? Chop the message into blocks and independently encrypt each block as before? Works, but ciphertext size is double that of the plaintext (if |r| is one-block long) Extend output length of PRF (w/o increasing input length)

  19. CPA-secure SKE with a Block Cipher How to encrypt a long message (multiple blocks)? Chop the message into blocks and independently encrypt each block as before? Works, but ciphertext size is double that of the plaintext (if |r| is one-block long) Extend output length of PRF (w/o increasing input length) r r ... F K F K F K

  20. CPA-secure SKE with a Block Cipher How to encrypt a long message (multiple blocks)? Chop the message into blocks and independently encrypt each block as before? Works, but ciphertext size is double that of the plaintext (if |r| is one-block long) Extend output length of PRF (w/o increasing input length) r sequential r ... F K F K F K

  21. CPA-secure SKE with a Block Cipher How to encrypt a long message (multiple blocks)? Chop the message into blocks and independently encrypt each block as before? Works, but ciphertext size is double that of the plaintext (if |r| is one-block long) Extend output length of PRF (w/o increasing input length) r r sequential r r,1 r,2 r,t ... F K F K F K F K F K F K ...

  22. CPA-secure SKE with a Block Cipher How to encrypt a long message (multiple blocks)? Chop the message into blocks and independently encrypt each block as before? Works, but ciphertext size is double that of the plaintext (if |r| is one-block long) Extend output length of PRF (w/o increasing input length) input length r r sequential slightly decreased, r r,1 r,2 r,t based on ... F K F K F K F K F K F K an a priori ... limit on t

  23. CPA-secure SKE with a Block Cipher How to encrypt a long message (multiple blocks)? Chop the message into blocks and independently encrypt each block as before? Works, but ciphertext size is double that of the plaintext (if |r| is one-block long) Extend output length of PRF (w/o increasing input length) input length r r sequential slightly decreased, r r,1 r,2 r,t based on ... F K F K F K F K F K F K an a priori ... limit on t Output is indistinguishable from t random blocks (even if input to F K known/chosen)

  24. CPA-secure SKE with a Block Cipher

  25. CPA-secure SKE with a Block Cipher Various “modes” of operation of a Block-cipher (i.e., encryption schemes using a block-cipher). All with one block overhead.

  26. CPA-secure SKE with a Block Cipher Various “modes” of operation of a Block-cipher (i.e., encryption schemes using a block-cipher). All with one block overhead. Output Feedback (OFB) mode: Extend the pseudorandom output using the first construction in the previous slide

  27. CPA-secure SKE with a Block Cipher Various “modes” of operation of a Block-cipher (i.e., encryption schemes using a block-cipher). All with one block overhead. r Output Feedback (OFB) mode: Extend the pseudorandom output using the first construction in the previous slide

  28. CPA-secure SKE with a Block Cipher Various “modes” of operation of a Block-cipher (i.e., encryption schemes using a block-cipher). All with one block overhead. r Output Feedback (OFB) mode: Extend the pseudorandom output using the first construction in the previous slide m 1 ⊕ m 2 ⊕ m t ⊕ c 1 c 2 c t

  29. CPA-secure SKE with a Block Cipher Various “modes” of operation of a Block-cipher (i.e., encryption schemes using a block-cipher). All with one block overhead. r Output Feedback (OFB) mode: Extend the r+1 r+2 r+t pseudorandom output using the first construction in the previous slide F K F K F K ... Counter (CTR) Mode: Similar idea as in the m 1 ⊕ m 2 ⊕ m t ⊕ second construction. No a priori limit on number of blocks in a message. Security from c 1 c 2 c t low likelihood of (r+1,...,r+t) running into (r’+1,...,r’+t’)

  30. CPA-secure SKE with a Block Cipher Various “modes” of operation of a Block-cipher (i.e., encryption schemes using a block-cipher). All with one block overhead. Not a PRF (Why?) r Output Feedback (OFB) mode: Extend the r+1 r+2 r+t pseudorandom output using the first construction in the previous slide F K F K F K ... Counter (CTR) Mode: Similar idea as in the m 1 ⊕ m 2 ⊕ m t ⊕ second construction. No a priori limit on number of blocks in a message. Security from c 1 c 2 c t low likelihood of (r+1,...,r+t) running into (r’+1,...,r’+t’)

  31. CPA-secure SKE with a Block Cipher Various “modes” of operation of a Block-cipher (i.e., encryption schemes using a block-cipher). All with one block overhead. Not a PRF (Why?) r Output Feedback (OFB) mode: Extend the r+1 r+2 r+t pseudorandom output using the first construction in the previous slide F K F K F K ... Counter (CTR) Mode: Similar idea as in the m 1 ⊕ m 2 ⊕ m t ⊕ second construction. No a priori limit on number of blocks in a message. Security from c 1 c 2 c t low likelihood of (r+1,...,r+t) running into m 1 m t m 2 r (r’+1,...,r’+t’) ⊕ ⊕ ⊕ Cipher Block Chaining (CBC) mode: ... F K F K F K Sequential encryption. Decryption uses F K-1 . Ciphertext an integral number of blocks. c 1 c 2 c t

  32. Active Adversary

  33. Active Adversary

  34. Active Adversary An active adversary can inject messages into the channel

  35. Active Adversary An active adversary can inject messages into the channel Eve can send ciphertexts to Bob and get them decrypted

  36. Active Adversary An active adversary can inject messages into the channel Eve can send ciphertexts to Bob and get them decrypted Chosen Ciphertext Attack (CCA)

  37. Active Adversary An active adversary can inject messages into the channel Eve can send ciphertexts to Bob and get them decrypted Chosen Ciphertext Attack (CCA) If Bob decrypts all ciphertexts for Eve, no security possible

  38. Active Adversary An active adversary can inject messages into the channel Eve can send ciphertexts to Bob and get them decrypted Chosen Ciphertext Attack (CCA) If Bob decrypts all ciphertexts for Eve, no security possible What can Bob do?

  39. Symmetric-Key Encryption SIM-CCA Security Key/ Key/ Recv Enc Dec Send Replay SIM-CCA Filter secure if: ∀ ∃ s.t. ∀ REAL ≈ IDEAL Env Env REAL IDEAL

  40. Symmetric-Key Encryption SIM-CCA Security Invalid ciphertexts are silently ignored Key/ Key/ Recv Enc Dec Send Replay SIM-CCA Filter secure if: ∀ ∃ s.t. ∀ REAL ≈ IDEAL Env Env REAL IDEAL

  41. Symmetric-Key Encryption IND-CCA + ~correctness IND-CCA Security equivalent to SIM-CCA Experiment picks b ← {0,1} and K ← KeyGen Enc(m b ,K) Adv gets (guarded) access to Dec K oracle Key/ Key/ Enc Dec For as long as Adversary wants Adv sends two messages m 0 , m 1 m b to the experiment Replay Filter: No challenge Expt returns Enc(m b ,K) to the ciphertext answered adversary m 0 ,m 1 b’ Adversary returns a guess b’ b b ← {0,1} Experiments outputs 1 iff b’=b b’=b? IND-CCA secure if for all feasible adversaries Pr[b’=b] ≈ 1/2 Yes/No

  42. CCA Security

  43. CCA Security How to obtain CCA security?

  44. CCA Security How to obtain CCA security? Use a CPA-secure encryption scheme, but make sure Bob “accepts” and decrypts only ciphertexts produced by Alice

  45. CCA Security How to obtain CCA security? Use a CPA-secure encryption scheme, but make sure Bob “accepts” and decrypts only ciphertexts produced by Alice i.e., Eve can’ t create new ciphertexts that will be accepted by Bob

  46. CCA Security How to obtain CCA security? Use a CPA-secure encryption scheme, but make sure Bob “accepts” and decrypts only ciphertexts produced by Alice i.e., Eve can’ t create new ciphertexts that will be accepted by Bob Achieves the stronger guarantee: in IDEAL, Eve can’ t send its own messages to Bob

  47. CCA Security How to obtain CCA security? Use a CPA-secure encryption scheme, but make sure Bob “accepts” and decrypts only ciphertexts produced by Alice i.e., Eve can’ t create new ciphertexts that will be accepted by Bob Achieves the stronger guarantee: in IDEAL, Eve can’ t send its own messages to Bob CCA secure SKE reduces to the problem of CPA secure SKE and (shared key) message authentication

  48. CCA Security How to obtain CCA security? Use a CPA-secure encryption scheme, but make sure Bob “accepts” and decrypts only ciphertexts produced by Alice i.e., Eve can’ t create new ciphertexts that will be accepted by Bob Achieves the stronger guarantee: in IDEAL, Eve can’ t send its own messages to Bob CCA secure SKE reduces to the problem of CPA secure SKE and (shared key) message authentication MAC: Message Authentication Code

  49. Message Authentication Codes

  50. Message Authentication Codes A single short key shared by Alice and Bob

  51. Message Authentication Codes A single short key shared by Alice and Bob Can sign any (polynomial) number of messages

  52. Message Authentication Codes A single short key shared by Alice and Bob Can sign any (polynomial) number of MAC K Ver K messages A triple (KeyGen, MAC, Verify)

  53. Message Authentication Codes A single short key shared by Alice and Bob Can sign any (polynomial) number of MAC K Ver K messages A triple (KeyGen, MAC, Verify) Correctness: For all K from KeyGen, and all messages M, Verify K (M,MAC K (M))=1

  54. Message Authentication Codes A single short key shared by Alice and Bob Can sign any (polynomial) number of MAC K Ver K messages s i = MAC K (M i ) Ver K (M,s) A triple (KeyGen, MAC, Verify) (M,s) M i Correctness: For all K from KeyGen, and all messages M, Verify K (M,MAC K (M))=1 Advantage Security: probability that an adversary can = Pr[ Ver K (M,s)=1 and produce (M,s) s.t. Verify K (M,s)=1 is negligible (M,s) ∉ {(M i ,s i )} ] unless Alice produced an output s=MAC K (M)

  55. CCA Secure SKE

  56. CCA Secure SKE CCA-Enc K1,K2 (m) = ( c:= CPA-Enc K1 (m), t:= MAC K2 (c) )

  57. CCA Secure SKE CCA-Enc K1,K2 (m) = ( c:= CPA-Enc K1 (m), t:= MAC K2 (c) ) CPA secure encryption: Block-cipher/CTR mode construction

  58. CCA Secure SKE CCA-Enc K1,K2 (m) = ( c:= CPA-Enc K1 (m), t:= MAC K2 (c) ) CPA secure encryption: Block-cipher/CTR mode construction MAC: from a PRF or Block-Cipher (next time)

Recommend

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

CSS441 Block Ciphers Principles DES Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

788 views • 50 slides
Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu Iwata Nagoya University, Japan FSE 2020 November 913, 2020, Virtual 1 / 19 Block Ciphers block cipher (BC) E : K { 0 , 1 } n { 0

530 views • 24 slides
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the

334 views • 8 slides
Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 2 October, 2012 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers DES II.

588 views • 10 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

1 B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n is called a block cipher . The positive integer n denotes the block size ( block length ). 3 B.25 Remark and Convention The encryption

709 views • 67 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018 Announcements Project 1 is out, due Feb 14 midnight Recall: Block cipher A function E : {0, 1} k {0, 1} n

553 views • 32 slides
T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES

T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES

T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES 3.3 IDEA 3.4 AES Kaufman et al: Chapter 3 Stallings: Chapters 3, 5 1 Block ciphers Confidentiality primitive Threat: recover the plaintext

774 views • 15 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Sept 15, 2016 Announcements Project due Sept 20 Recall: Block cipher A function E : {0, 1} k {0, 1} n {0, 1} n . Once

417 views • 30 slides
T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher confidentiality modes of operation Kaufman et al: Ch 4 Stallings: Ch 6, Ch 3 1 Stream ciphers Stream ciphers are generally faster than block

535 views • 12 slides
Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas Pornin 3 1 cole Normale

Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas Pornin 3 1 cole Normale

Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas Pornin 3 1

550 views • 23 slides
Design Issues of Block Ciphers The objectives of this part is to show certain design issues of

Design Issues of Block Ciphers The objectives of this part is to show certain design issues of

Design Issues of Block Ciphers The objectives of this part is to show certain design issues of block ciphers. 1 Block Ciphers and Stream Ciphers A one-key cipher is a 5-tuple ( M , C , K , E k , D k ) , where M , C , K are respectively the

461 views • 12 slides
How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and Break them Eric Filiol, filiol@esiea.fr ESIEA -

808 views • 64 slides
Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks Properties of Secure Ciphers Components of Block Ciphers Classes of Block Ciphers DES AES Secure Communication using

606 views • 27 slides
Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2 Subspaces in block ciphers 3 From subspace trails to invariant subspaces in Simpira 4 Zero-di ff erence cryptanalysis of AES Preliminaries Block

2.18k views • 146 slides
Two ways of building round functions for block ciphers Joan Daemen Radboud University ibenik

Two ways of building round functions for block ciphers Joan Daemen Radboud University ibenik

Two ways of building round functions for block ciphers Joan Daemen Radboud University ibenik summer school 2016 1 / 44 Outline 1 Block ciphers and statistical attacks 2 Correlation basics 3 Wide trail strategy: strongly-aligned flavor

620 views • 59 slides
Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation

Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation

Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation Introduction to Computer Security Announcements Cryptography, symmetric and public-key Hash functions and MACs Stephen McCamant Building a secure

440 views • 11 slides
Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad define a secret key (seed) Using the seed generates a byte stream ( Keystream): i-th byte is function only of the key

822 views • 69 slides
Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography Linear Cryptanalysis Differential Cryptanalysis Analytic Cryptanalysis of Block Ciphers, Stream Ciphers, Modes of Other Advanced Attacks Operation,

933 views • 11 slides
Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &

Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &

CS 166: Information Security Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers & Block Ciphers Stream ciphers based on the one-time pad Block ciphers based on codebook ciphers Symmetric

650 views • 52 slides
Block Ciphers Chester Rebeiro IIT Madras CR CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR CR STINSON : chapters 3 Block Cipher K D K E untrusted communicaGon link Alice Bob E D #%AR3Xf34^$ A?ack at Dawn!! decrypGon encrypGon (ciphertext) message A?ack at Dawn!!

1.71k views • 143 slides

More recommend