DES Block Cipher Hao Qi
Download as PPT, PDF0 likes1,515 views
The document describes several block ciphers including DES, AES (Rijndael), and others. It provides details on: - DES such as its Feistel structure, S-boxes, modes of operation, and cryptanalysis techniques like differential and linear cryptanalysis. - AES/Rijndael including its SPN structure, security and efficiency compared to Triple DES, and its selection as the AES standard over other finalists like Serpent and Twofish. - Other block ciphers mentioning characteristics like linear and confusion layers.
![
Introduction
◦
◦
◦
◦
◦
Biham and Shamir : CR90, CR92
Efficient than Key Exhaustive Search
Chosen Plaintext Attack
O(Breaking DES16) ~ 247
Utilize the probabilistic distribution between input XOR and
output XOR values Iteratively
◦ Stimulate to announce hidden criteria of DES [Cop92]
◦ Apply to other DES-like Ciphers
* E.Biham, A. Shamir,”Differential Cryptanalysis of the Data Encryption Standard”, SpringerVerlag, 1993
46](https://image.slidesharecdn.com/090224blockcipher-140202154009-phpapp01/85/DES-Block-Cipher-Hao-Qi-46-320.jpg)
![(Goal) : Find linear approximation
P[i1,i2,…,ia] ⊕ C[j1,j2,…,jb]=K[k1,k2,…,kc]
with significant prob. p (≠ ½)
where A[i,j,…,k]=A[i] ⊕ A[j] ⊕ … ⊕ A[k]
(Algorithm)MLE(Maximum Likelihood Estimation)
(Step 1) For given P and C, compute X=P[i1,i2,…,ia] ⊕ C[j1,j2,…,jb],
let N = # of Pt given,
(Step 2) if |X=0| > N/2 K[k1,k2,…,Kc]=0 else 1.
if |X=0| < N/2 K[k1,k2,…,kc]=1 else 0.
56](https://image.slidesharecdn.com/090224blockcipher-140202154009-phpapp01/85/DES-Block-Cipher-Hao-Qi-56-320.jpg)
![
For a S-box Sa,(a=1,2,…,8) of DES
NSa(α,β)= #{x | 0 ≤ x < 64, parity(x•α) = parity(S(x)•β)}
1≤ α ≤ 63 , 1 ≤ β ≤15, • : dot product (bitwise AND)
Ex) NS5(16,15) =12
◦ The 5-th input bit at S5-box is equal to the linear sum of 4 output
bits with probability 12/64.
◦ X[15] ⊕ F(X,K)[7,18,24,29]=K[22] with 0.19
◦ X[15] ⊕ F(X,K)[7,18,24,29]=K[22] ⊕ 1 with 1-0.19=0.81
(Note) least significant at the right and index 0 at the least significant bit (Little endian)
57](https://image.slidesharecdn.com/090224blockcipher-140202154009-phpapp01/85/DES-Block-Cipher-Hao-Qi-57-320.jpg)
![P
PH
PL
[22]
[7,18,24,29]
[15]
F1
K1 X2[7,18,24,29] PH[7,18,24,29]
PL[15] = K1[22] ---------- (1)
X1
p1=12/64
K2
F2
X2
[22]
CH
[7,18,24,29]
F3
C
[15]
K3 X2[7,18,24,29] CH[7,18,24,29]
X3
CL[15] = K3[22] ---------- (2)
p3=12/64
CL
(1) (2) => X2[7,18,24,29] CH[7,18,24,29] CL[15] X2[7,18,24,29]
PH[7,18,24,29] PL[15] = K1[22] K3[22] holding prob. = (p1 * p3 ) + (1 - p1) *(1-p3)
* Discard IP and FP like DC
59](https://image.slidesharecdn.com/090224blockcipher-140202154009-phpapp01/85/DES-Block-Cipher-Hao-Qi-59-320.jpg)
DES Block Cipher Hao Qi
- 1. DES Description: Feistel, S-box Exhaustive Search, DC and LC Modes of Operation AES Description: SPN, Branch number Security and Efficiency Modes of Operation Other Ciphers Linear layer Confusion layer 1
- 3. Confusion: The ciphertext statistics should depend on the plaintext statistics in a manner too complicated to be exploited by the enemy cryptanalyst Diffusion: Each digit of the plaintext should influence many digits of the ciphertext, and/or Each digit of the secret key should influence many digits of the the ciphertext. Block cipher: ◦ A repetition of confusion(Substitution) and diffusion(Permutation) ◦ Iteration: Weak Strong Claude Shannon 3
- 4. 4
- 5. Definition: Let Bn denote the set of bit strings of length n. A block cipher is an encryption algorithm E such that EK is a permutation of Bn for each key K Characteristics ◦ ◦ ◦ ◦ ◦ ◦ Based on Shannon’s Theorem(1949) Same P => Same C {|P| = |C|} ≥ 64 bit, |P| ≠ |K| ≥ 56 bit Memoryless configuration Operate as stream cipher depending on mode Shortcut cryptanalysis (DC, LC etc) in 90’s * DC: Differential Cryptanalysis, LC: Linear Cryptanalysis 5
- 6. Provide a high level of security Completely specify and easy to understand Security must depend on hidden key, not algorithm Available to all users Adaptable for use in diverse applications Economically implementable in electronic device Efficient to use Able to be validated Exportable * Federal Register, May 15, 1973 6
- 7. Based on Lucifer (1972) Developed by IBM and intervened by NSA Adopted Federal Standard by NIST, revised every 5 years (~’98), 64bit block cipher, 56bit key 16 Round, Nonlinearity : S-box Cryptanalysis like DC, LC, etc. after 1992 * DC:Differential Cryptanalysis, LC : Linear Cryptanalysis 7
- 8. If we apply its operation 2 times, it returns to the original value, e.g., f(f(x)) = x. Type of f-1(x) = f(x) x1 x2 x1 (d) (c) (b) (a) x2 x1 x2 ⊕ y1 y2 y1 y2 y1=x1⊕ x2 x1 ⊕ y2 = x2 x2 g y1=x1⊕ g(x2) y2 = x2 or x1⊕ g(x2,k) 8
- 9. K P 64 PC-1 56 IP R0(32) PC-2 L0(32) Rot Rot f 16 Round PC-2 R16 L16 FP 64 Round function Key Scheduling C 9
- 10. * Decryption is done by executing round key in the reverse order. 10
- 11. FP= IP-1 IP 58 50 42 34 26 18 10 60 52 44 36 28 20 12 62 54 46 38 30 22 14 64 56 48 40 32 24 16 57 49 41 33 25 17 9 59 51 43 35 27 19 11 61 53 45 37 29 21 13 63 55 47 39 31 23 15 2 4 6 8 1 3 5 7 40 39 38 37 36 35 34 33 8 48 16 56 24 64 32 7 47 15 55 23 63 31 6 46 14 54 22 62 30 5 45 13 53 21 61 29 4 44 12 52 20 60 28 3 43 11 51 19 59 27 2 42 10 50 18 58 26 1 41 9 49 17 57 25 cf.) The 58th bit of x is the first bit of IP(x) IP & FP have no cryptanalytic significance. 11
- 12. 12
- 13. 13
- 14. 8 S-boxes (6 -> 4 bits) each row : permutation of 0-15 4 rows : choose by MSB & LSB of input some known design criteria ◦ ◦ ◦ ◦ ◦ ◦ not linear (affine) Any one bit of the inputs changes at least two output bits S(x) and S(x ⊕ 001100) differs at least 2bits S(x) ≠ S(x ⊕ 11ef00) for any ef={00.01.10.11} Resistance against DC etc. The actual design principles have never been revealed (U.S. classified information) 14
- 15. Input values mapping order L R 0 0 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 0 1 1 0 1 1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13 S1(1 0111 0)=11=(1011)2 15
- 16. S1-box 14 4 13 1 2 15 11 8 0 15 7 4 14 4 1 14 8 13 15 12 8 2 4 3 10 6 12 5 9 0 7 2 13 1 10 6 12 11 9 5 3 8 6 2 11 15 12 9 7 3 10 5 0 9 1 7 5 11 3 14 10 0 6 13 S2-box 15 1 8 14 6 11 3 4 9 7 2 13 12 0 3 13 4 7 15 2 8 14 12 0 1 10 6 9 0 14 7 11 10 4 13 1 5 8 12 6 9 3 13 8 10 1 3 15 4 2 11 6 7 12 0 5 5 10 11 5 2 15 14 9 e.g.) S2(010010)= ? 16
- 17. S3-box 10 0 9 13 7 0 13 6 4 1 10 13 14 9 9 0 6 3 3 4 8 15 6 9 15 5 6 10 3 0 8 7 1 13 12 7 11 4 2 8 2 8 5 14 12 11 15 1 11 1 2 12 5 10 14 7 4 15 14 3 11 5 2 12 S4-box 7 13 10 3 13 8 6 15 14 11 9 0 3 0 5 6 0 12 6 10 6 9 15 0 11 7 1 13 10 3 13 8 1 4 15 9 2 7 1 4 8 5 11 12 4 15 2 12 1 10 14 9 3 14 5 2 8 4 5 11 12 7 2 14 S4-box is most linear than others.!!! 17
- 18. Short key size : 112 -> 56 bits by NSA Classified design criteria Revision of standard every 5 yrs after 1977 by NIST No more standard 18
- 19. (P,C) dependency with fixed Key : after 5 round (K,C) dependency with fixed plaintext : after 5 round Avalanche effect Cyclic Test : Random function Algebraic structure : Not a group i.e., E(K1, E(K2,P)) ≠ E(K3,P) 19
- 20. Complementary Prop. If C= E(K,P), C = E(K, P) Weak Key : 4 keys E(K, E(K,P))=P Semi-weak Keys : 12 keys (6 pairs) E(K1, E(K2,P))=P Key Exhaustive Search : 255 20
- 21. RSA Data Security Inc’s protest against US’s export control(‘97) ◦ $10,000(‘97) award ◦ Key search machine by Internet Loveland’s Rocker Verser ◦ 60.1 Billion/1 day key search, succeeded in 18 quadrillion operations and 96 days 25% of Total 72 quadrillion (1q=1015 =0.1 kyung) 90MHz, 16MB Memory Pentium(700 Million/sec) ◦ http://www.rsa.com/des/ 21
- 22. Distributed.Net + EFF ◦ 100,000 PC on Network ◦ 56hr EFF(Electronic Frontier Foundation) ◦ http://www.eff.org/DEScrac ker ◦ Specific tools ◦ 22hr 15min ◦ 250,000$ P. Kocher 22
- 23. Cost-Optimized Parallel Code Breaker Machine by Univ. of Bochum, Germany and Kiel Commercially available 120 FPGA’s of type XILINX Spartan3-1000 run in parallel 10,000$ of ¼ of EFF project 23
- 24. FEAL, GOST, IDEA, LOKI, SKIPJACK, MISTY, SEED TEA (Tiny Encryption Algorithm) for RFID/USN, XTEA, XXTEA ARIA, Serpent, Baseking, BATON, BEAR&LION, C2, Camellia, CAST-128,256, CIPHERUNICORN,CMEA, Cobra, Coconut98, Crypton, DEAL, E2, FROG, G-DES, Hasty Pudding Cipher, Hierocrypt,MUITL2, New Data Seal, SAFER-64,128, SHACAL, Square, Xenon, etc…. 24
- 26. AES (Rijndael) Joan Daemen and Vincent Rijmen, “The Design of Rijndael, AES – The Advanced Encryption Standard”, Springer, 2002, ISBN 3-540-42580-2 FIPS Pub 197, Advanced Encryption Standard (AES), December 04, 2001 Rijndael : variable, AES : fixed Vincent 26
- 27. Block cipher ◦ 128-bit blocks ◦ 128/192/256-bit keys Worldwide-royalty free More secure than Triple DES More efficient than Triple DES 27
- 28. ◦ Jan. 2, 1997 : Announcement of intent to develop AES and request for comments ◦ Sep. 12, 1997 : Formal call for candidate algorithms ◦ Aug. 20-22, 1998 : First AES Candidate Conference and beginning of Round 1 evaluation (15 algorithms), Rome, Italy ◦ Mar. 22-23, 1999 : Second AES Candidate Conference, NY, USA ◦ Sep. 2000 : Final AES selection (Rijndael !) Jan. 1997 Call for algorithms Aug. 1998 AES1 15 algorithms Mar. 1999 AES2 5 algorithms selected Apr. 2000 AES3 Announce winner in Sep, 2000 28
- 29. 15 algorithms are proposed at AES1 conference 29
- 30. After AES2 conference, NIST selected the following 5 algorithms as the round 2 candidate algorithm. Cipher Submitter Structure Nonlinear Component MARS IBM Feistel structure Sbox DD-Rotation RC6 RSA Lab. Feistel structure Rotation Rijndael Daemen, Rijmen SPN structure Sbox Serpent Anderson, Biham, Knudsen SPN structure Sbox Twofish Schneier et. al Feistel structure Sbox 30
- 31. Rijndael 10 (128) 12 (192) 14 (256) Serpent(32) Twofish(16) SPN SPN Feistel Mem. Bytes Ops Amp. Boomerang 265 270 2229 16M, 5C 16M, 5C Diff. M-i-M Amp. Boomerang 250 269 2197 273 2247 2197 Stat. Disting. 2118 2112 2122 12 15 (256) Stat. Disting. Stat. Disting. 294 2119 242 2138 2119 2215 6 Feistel Texts Truncated Diff. 232 7*232 272 7 8 (256) 9 (256) Truncated Diff. Truncated Diff. Related Key 2128~ 2119 2128~ 2119 277 261 2101 NA 2120 2204 2224 8 (192,256) RC6(20) Feistel Type of Attack 14 MARS 16 Core (C) 16 Mixing (M) Rounds (Key size) 11C Alg. (Round) Structure Amp. Boomerang 2113 2119 2179 6 (256) 6 7 (256) 8 (192,256) 9 (256) Meet-in-Middle Differential Differential Boomerang Amp. Boomerang 512 271 241 2122 2110 2246 275 2126 2133 2212 2247 2103 2248 2163 2252 6 (256) Impossible Diff. NA NA 2256 31
- 32. Proposed by Joan Daemen, Vincent Rijmen(Belgium) Design choices – Square type – Three distinct invertible uniform transformations(Layers) Linear mixing layer : guarantee high diffusion Non-linear layer : parallel application of S-boxes Key addition layer : XOR the round key to the intermediate state – Initial key addition, final key addition Representation of state and key – – – – Rectangular array of bytes with 4 rows (square type) Nb : number of column of the state (4~8) Nk : number of column of the cipher key (4~8) Nb is independent from Nk 32
- 33. State (Nb=6) Key (Nk=4) Number of rounds (Nr) 33
- 34. Block size: 128 Key size: 128/192/256 bit 44 byte array Component Functions Bit-wise key addition ◦ ByteSubstitution(BS): S-box ◦ ShiftRow(SR): CircularShift Byte-wise substitution(BS) ◦ MixColumn(MC): Shift-Low(SR) Linear(Branch number: 5) Mix-Column(MC) ◦ AddRoundKey(ARK): Bit-wise key addition Omit MC in the last round. BS, SR, ARK Input Input whitening Round transformation Output transformation Output 34
- 35. Substitution-Permutation Network (SPN) ◦ (Invertible) Nonlinear Layer: Confusion ◦ (Invertible) Linear Layer: Diffusion Branch Number ◦ ◦ ◦ ◦ ◦ Measure Diffusion Power of Linear Layer Let F be a linear transformation on n words. W(a): the number of nonzero words in a. λ(F) = mina≠0 {W(a) + W(F(a))} Rijndael: branch number =5 35
- 36. K-secure ◦ No shortcut attacks key-recover attack faster than keyexhaustive search ◦ No symmetry property such as complementary in DES ◦ No non-negligible classes of weak key as in IDEA ◦ No Related-key attacks Hermetic ◦ No weakness found for the majority of block ciphers with same block and key length Rijndael is k-secure and hermetic 36
- 38. ECB (Electronic CodeBook) mode C P n n K K E IF Ci = Cj, DK(Ci) = DK(Cj) D n n C P i) Encryption ii) Decryption 38
- 39. CBC (Cipher Block Chaining) P1 P2 Pl IV K E K E K E C1 IV C2 C2 Ci = EK(Pi Ci-1) Cl C1 K IV : Initialization Vector Cl K D P1 K D P2 Pi = DK(Ci) Ci-1 - 2 block Error Prog. - self-sync - If |Pl| |P|, Padding req’d D Pl 39
- 40. m-bit OFB (Output FeedBack) IV IV Ci = Pi O(EK) Pi = Ci O(EK) K E Pi m-bit Ci I) Encryption m-bit E K Ci - No Error Prog. - Req’d external sync - Stream cipher Pi - EK or DK II) Decryption 40
- 41. m-bit CFB (Cipher FeedBack) IV K IV E Pi Ci I) Encryption m-bit m-bit Ci = Pi EK(Ci-1) Pi = Ci EK(Ci-1) E K - Error prog. till an error disappears in the buffer - self-sync - EK or DK Pi Ci II) Decryption 41
- 42. Counter mode ctr K E K E K E Pm-1 P2 P1 ctr+m-1 ctr+1 C2 Cm-1 ctr+1 C Ci = Pi EK(Ti) Pi = Ci EK(Ti) Ti = ctr+i -1 mod 2m |P|, |ctr|= m, Parallel computation ctr+m-1 1 ctr K E K E C2 C1 P1 K E Cm-1 P2 Pm-1 42
- 43. CCM mode (Counter with CBC-MAC mode) Ctr + CBC Authenticated encryption by producing a MAC as a part of the encryption process 43
- 44. Use of mode ◦ ECB : key management, useless for file encryption ◦ CBC : File encryption, useful for MAC ◦ m-bit CFB : self-sync, impossible to use channel with low BER ◦ m-bit OFB : external-sync. m= 1, 8 or n ◦ Ctr : secret ctr, parallel computation ◦ CCM : authenticated encryption ◦ Performance Degradation/ Cost Tradeoff 44
- 46. Introduction ◦ ◦ ◦ ◦ ◦ Biham and Shamir : CR90, CR92 Efficient than Key Exhaustive Search Chosen Plaintext Attack O(Breaking DES16) ~ 247 Utilize the probabilistic distribution between input XOR and output XOR values Iteratively ◦ Stimulate to announce hidden criteria of DES [Cop92] ◦ Apply to other DES-like Ciphers * E.Biham, A. Shamir,”Differential Cryptanalysis of the Data Encryption Standard”, SpringerVerlag, 1993 46
- 47. Discard linear components(IP, FP) Properties of XOR (X’ = X ⊕ X* ) ◦ {E,P,IP} : (P(X))’=P(X) ⊕ P(X*)=P(X’) ◦ XOR : (X ⊕ Y)’=(X ⊕ Y) ⊕ (X* ⊕ Y*)=X’ ⊕ Y’ ◦ Mixing key : (X ⊕ K)’=(X ⊕ K) ⊕ (X* ⊕ K)=X’ ◦ Differences(=xor) are linear in linear operation and in particular the result is key independent. 47
- 48. X X* X’ Si-box XDT Si-box Y’ Y Y* X’ = {0,1,…63}, Y’= {0,1,…15} For a given S-box, pre-compute the number of count of X’ and Y’ in a table * % of entry in DES S-boxes : 75 ~ 80% 48
- 49. 49
- 50. 2-round characteristic in S1 box (0Cx --> Ex with 14/64) (00 80 82 00 60 00 00 00x) A’=00808200x =P(E0000000x) B’=0x F F a’=60000000x b’=0x p=14/64 p=1 (60 00 00 00 00 00 00 00x) 0110 0C=001100 E=1110 50
- 51. (1) Choose suitable Plaintext (Pt) XOR. (2) Get 2 Pts for a chosen Pt and obtain the corresponding Ct by encryption (3) From Pt XOR and pair of Ct, get the expected output XOR for the S-boxes of final round. (4) Count the maximum potential key at the final round using the estimated key (5) Right key is a subkey of having large number of pairs of expected output XOR 51
- 52. Self-concatenating probability Best iterative char. of DES (19 60 00 00 00 00 00 00x) A’=0x B’=0x F F a’=0x b’=19 60 00 00x E(b)=03 32 2C 00 00 00 00 00x p1=1 p2 =14 x 8 x 10 / 643 = 1/234 (00 00 00 00 19 60 00 00x) 52
- 54. Introduction ◦ Matsui : EC931, CR942 ◦ Known Plaintext Attack ◦ O(Breaking DES16) ~ 243 12 HP W/S, 50-day operation ◦ Utilize the probabilistic distribution between input linear sum and output linear sum values Iteratively ◦ Duality to DC : XOR branch vs.three-forked branch ◦ Apply to other DES-like cryptosytems 1. M.Matsui,”Linear Cryptanalysis Method for DES Cipher”, Proc. Of Eurocrypt’93,LNCS765, pp.386-397 2. M.Matsui,”The First Experimental Cryptanalysis of the Data Encryption Standard”, Proc. Of Crypto’94,LNCS839, pp.1-11 . 54
- 55. LC DC X i-1 Y i X i Fi Ki Xi X i-1 Yi Y i Xi Y i Y i-1 Y i Fi X i Ki Yi-1Xi XOR branch after f-ft. i.e., DC goes downstream through f-ft. Xi = Xi-2 Yi-1 (3 i n) with {i=1}n pi 3-forked branch before f-ft. i.e., LC goes upstream through f-ft. Yi = Yi-2 Xi-1 (3 i n) with 2n-1{i=1}n |pi -1/2| Xi : Xi’s Differential value Xi-1 : Xi-1’s Masking value 55
- 56. (Goal) : Find linear approximation P[i1,i2,…,ia] ⊕ C[j1,j2,…,jb]=K[k1,k2,…,kc] with significant prob. p (≠ ½) where A[i,j,…,k]=A[i] ⊕ A[j] ⊕ … ⊕ A[k] (Algorithm)MLE(Maximum Likelihood Estimation) (Step 1) For given P and C, compute X=P[i1,i2,…,ia] ⊕ C[j1,j2,…,jb], let N = # of Pt given, (Step 2) if |X=0| > N/2 K[k1,k2,…,Kc]=0 else 1. if |X=0| < N/2 K[k1,k2,…,kc]=1 else 0. 56
- 57. For a S-box Sa,(a=1,2,…,8) of DES NSa(α,β)= #{x | 0 ≤ x < 64, parity(x•α) = parity(S(x)•β)} 1≤ α ≤ 63 , 1 ≤ β ≤15, • : dot product (bitwise AND) Ex) NS5(16,15) =12 ◦ The 5-th input bit at S5-box is equal to the linear sum of 4 output bits with probability 12/64. ◦ X[15] ⊕ F(X,K)[7,18,24,29]=K[22] with 0.19 ◦ X[15] ⊕ F(X,K)[7,18,24,29]=K[22] ⊕ 1 with 1-0.19=0.81 (Note) least significant at the right and index 0 at the least significant bit (Little endian) 57
- 58. 58
- 59. P PH PL [22] [7,18,24,29] [15] F1 K1 X2[7,18,24,29] PH[7,18,24,29] PL[15] = K1[22] ---------- (1) X1 p1=12/64 K2 F2 X2 [22] CH [7,18,24,29] F3 C [15] K3 X2[7,18,24,29] CH[7,18,24,29] X3 CL[15] = K3[22] ---------- (2) p3=12/64 CL (1) (2) => X2[7,18,24,29] CH[7,18,24,29] CL[15] X2[7,18,24,29] PH[7,18,24,29] PL[15] = K1[22] K3[22] holding prob. = (p1 * p3 ) + (1 - p1) *(1-p3) * Discard IP and FP like DC 59
- 60. If independent prob. value, Xi ‘s ( 1≤ i ≤ n ) have prob pi to value 0, (1-pi) to value 1, p = {prob(X1⊕ X2⊕ … ⊕Xn ) = 0} is p = 2n-1Πi=1n(pi - 1/2) +1/2. The number of known pt req’d for LC with success prob. 97.7% is |p - 1/2|-2 60
- 61. Key size expansion ◦ Double Encryption ek:E2(K2,E1(K1,P)), dk:D1(K1,D2(K2,C)) Meet-in-the-middle attack No effectiveness ◦ Triple Encryption ek:E(K1,D(K2,E(K1,P))), dk:D(K1,E(K2,D(K1,C))) ek:E(K1,D(K2,E(K3,P))), dk:D(K3,E(K2,D(K1,C))) 112 or 168 bits 61
- 63. Traditional Cryptographic Model vs. Side Channel Power Consumption / Timing / EM Emissions / Acoustic Attacker C=E(P,Ke) P E() Ke Key P=D(C,Kd) C Insecure channel D() D Kd Secure channel Radiation / Temperature / Power Supply / Clock Rate, etc. 63
- 64. ☆ J. DAEMEN AND V. RIJMEN. The Design of Rijndael.AES - The Advanced Encryption Standard. Springer, 2002. 배성호 1 ★ M. E. HELLMAN. A cryptanalytic time-memory trade-off. IEEE Transactions of Information Theory, 26 (1980), 401-406. 임준현 2 ☆ E. BIHAM AND A. SHAMIR. Differential cryptanalysis of the full 16-round DES. LNCS 740 (1993), 494-502. (CRYPTO '92) 장래영 3 ☆ M. BELLARE AND P. ROGAWAY. Optimal asymmetric encryption. Lecture Notes in Computer Science, 950 (1995), 92-111. (EUROCRYPT '94) 조준희 4 황대성 5 남궁호 6 장래영 7 ☆ ★ ☆ S. GOLDWASSER AND S. MICALI. Probabilistic encryption. Journal of Computer and Systems Science, 28 (1984), 270-299. J. H. Moore. Protocol failures in cryptosystems. In Contemporary Cryptology, The Science of Information Integrity, pages 541-558. IEEE Press, 1992. M. BELLARE, J. KILIAN AND P. ROGAWAY. The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences, 61 (2000), 362-399. ★ W. DIFFIE AND M. E. HELLMAN. New directions in cryptography. IEEE Transactions on Information Theory, 22 (1976), 644-654. 조준희 8 ★ M. MATSUI. Linear cryptanalysis method for DES cipher. LNCS 765 (1994), 386-397. (EUROCRYPT '93) 배성호 9 ☆ M. BELLARE AND P. ROGAWAY. Random oracles are practical: a paradigm for designing efficient protocols. In First ACM Conference on Computer and Communications Security, pages 62-73. ACM Press, 1993. 김영삼 PT #1 10 PT#2 64
- 65. ☆ ☆ ☆ ★ ☆ ☆☆ ☆☆ ★ ☆☆ ★ N. T. COURTOIS AND J. PIEPRZYK. Cryptanalysis of block ciphers with overdefined systems of equations. LNCS 2501 (2002), 267-287. (ASIACRYPT 2002) S. C. POHLIG AND M. E. HELLMAN. An improved algorithm for computing logarithms ove GF(p) and its cryptographic significance. IEEE Transations on Information Theory, 24 (1978), 106-110. M. J. WIENER. Cryptanalysis of short RSA secret exponents. IEEE Transations on Inforamtion Theory, 36 (1990), 553-558. T. ELGAMAL. Apublic key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31 (1985), 469-472. D. CHAUM AND H. VAN ANTWERPEN. Undeniable signature. LNCS 435 (1990), 212-216. (CRYPTO '89) P. BEAUCHEMIN AND G. BRASSARD, C. CREPEAU, C. GOUTIER and C. POMERANCE. The generation of random numbers that are probably prime. Journal of Cryptology, 1 (1988), 53-64. M. BELLARE AND P. ROGAWAY. The exact security of digital signatures: how to sign with RSA and Rabin. LNCS, 1070(1996), 399-416. (EUROCRYPT '96) A. FIAT AND A. SHAMIR. How to prove yourself: practical solutions to identification and signature problems. LNCS 263 (1987), 186-194. (CRYPTO '86) M. BELLARE. Practice-oriented provable-security. In Lectures on Data Security, pages 1-15. Springer, 1999. A. FIAT AND M. NAOR. Broadcast encryption. LNCS 773 (1994), 480-491. (CRYPTO '93) 조준희 11 황대성 12 남궁호 13 장래영 14 신지강 15 남궁호 16 임준현 17 김영삼 18 신지강 19 황대성 20 PT#3 PT#4 65
- 66. ☆ M. BURMESTER AND Y. DESMEDT. A secure and efficient conference key distribution system. LNCS 250 (1994), 275-286 (EUROCRYPT '94) 김영삼 21 ★ U. FEIGE, A. FIAT AND A. SHAMIR. Zero-knolwedge proofs of identity. Journal of Cyrptology, 1 (1988), 77-94 신지강 22 ☆ C. P. SHNORR. Efficient signature generation by smart cards. Journal of Cryptology, 4 (1991), 161-174. 임준현 23 ☆ D. E. DENNING AND G. M. SACCO. Timestamps in key distribution protocols. Communications of the ACM 24 (1981), 533-536. 배성호 24 PT#5 ★ : 필수 , ☆: 난이도 1, ☆☆: 난이도 2( 가산점 ) 66