

















































General method for building invertible functions (block ciphers) from arbitrary functions. 4, implemented as lookup table. e.g., 011011 ⟶ 1001 Page 15 The S- ...


















































Edward J. Schwartz
Carnegie Mellon University
Credits:
Slides originally designed by David Brumley. Many other slides are from Dan Boneh’s June 2012 Coursera crypto class.
[Figure: block cipher E, D. Inputs: block of plaintext (n bits) and key (k bits). Output: block of ciphertext (n bits).]
Performance: Stream vs. block ciphers
Crypto++ 5.6.0 [Wei Dai], AMD Opteron, 2.2 GHz (Linux)

Cipher          Block/key size    Throughput [MB/s]
Stream
  RC4                             126
  Salsa20/12                      643
  Sosemanuk                       727
Block
  3DES          64/168            13
  AES128        128/128           109
Block ciphers
The Data Encryption Standard (DES)
Given one-way functions
Goal: build invertible function
[Figure: Feistel network of d rounds with round functions f_1, f_2, ..., f_d, from input (n-bit halves) to output.]
In symbols:
Claim:
Feistel function F is invertible
Proof: construct inverse
[Figure: one Feistel round and its inverse.]
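The invertibility claim above, as an added example that is not part of the original slides: a d-round Feistel network built from deliberately non-invertible round functions, with the inverse constructed by undoing the rounds in reverse order. It uses the standard Feistel round L_{i+1} = R_i, R_{i+1} = L_i ⊕ f_{i+1}(R_i); the truncated-HMAC round function, the key and the block sizes are assumptions chosen for the demonstration.

```python
import hashlib
import hmac

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_function(key: bytes, i: int, half: int):
    """f_i on half-blocks: truncated HMAC-SHA256 (an assumed choice).
    It is never inverted below, and need not be invertible at all."""
    def f(x: bytes) -> bytes:
        return hmac.new(key, bytes([i]) + x, hashlib.sha256).digest()[:half]
    return f

def feistel_forward(fs, block: bytes) -> bytes:
    h = len(block) // 2
    L, R = block[:h], block[h:]
    for f in fs:                      # rounds 1..d
        L, R = R, xor(L, f(R))        # L' = R ; R' = L xor f(R)
    return L + R

def feistel_inverse(fs, block: bytes) -> bytes:
    h = len(block) // 2
    L, R = block[:h], block[h:]
    for f in reversed(fs):            # rounds d..1
        L, R = xor(R, f(L)), L        # R = L' ; L = R' xor f(L')
    return L + R

def is_permutation(fs, half: int = 1) -> bool:
    """Exhaustively check that the network is a bijection on 2*half bytes."""
    size = 2 * half
    seen = set()
    for v in range(256 ** size):
        m = v.to_bytes(size, "big")
        c = feistel_forward(fs, m)
        if feistel_inverse(fs, c) != m:
            return False
        seen.add(c)
    return len(seen) == 256 ** size   # no two inputs share an output

if __name__ == "__main__":
    key = b"constructed demo key"     # constructed sample value
    fs = [round_function(key, i, 1) for i in range(1, 4)]
    fs.append(lambda x: b"\x00")      # constant f: clearly not invertible
    print("permutation on 16-bit blocks:", is_permutation(fs))
```

The inverse only ever evaluates each f_i in the forward direction, which is why the round functions themselves never need to be invertible.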
Recall from Last Time:
Block Ciphers are (Modeled As) PRPs
Pseudo Random Permutation (PRP) defined over (K,X)
such that:
E(k, ⋅ ), k ∊ K
D(k, ⋅ ), k ∊ K
[Figure: 3-round Feistel network with n-bit halves and round function f.]
The function F(k_i, x)
[Figure: the DES round function. Labels: x (32 bits), x' (48 bits), k_i (48 bits), ⊕, 48 bits, eight S-boxes numbered 1 to 8, each 6 bits in and 4 bits out, 32 bits, y (32 bits).]
S-box: function {0,1}^6 ⟶ {0,1}^4, implemented as lookup table.
The S-boxes
e.g., 011011 ⟶ 1001
Block cipher attacks
Exhaustive Search for block cipher key
Goal: given a few input/output pairs (m_i, c_i = E(k, m_i)), i = 1,..,n, find key k.
Attack: Brute force to find the key k.
Homework: What is the probability that the key k found with one <m,c> pair is correct? For two pairs?
key-len = 112 bits for 2DES
m ⟶ E(k_2, ⋅) ⟶ E(k_1, ⋅) ⟶ c
[Figure: exhaustive search over (k_1, k_2): m ⟶ c' under k_2, c' ⟶ c'' under k_1; test c'' = c?; 2^112 checks.]