
Cipher

About: Cipher is a research topic. Over the lifetime, 9409 publications have been published within this topic receiving 110309 citations. The topic is also known as: cypher & cryptographic algorithm.


Papers
Book Chapter
17 Aug 2014
TL;DR: This paper proves a qualitatively similar \( \widetilde{ \mathcal{O} } (2^{2n/3})\) security bound for the two-round Even-Mansour cipher, the first “beyond the birthday bound” security result for AES-like ciphers that does not assume independent round keys.
Abstract: The r-round (iterated) Even-Mansour cipher (also known as key-alternating cipher) defines a block cipher from r fixed public n-bit permutations \(P_1, \dots, P_r\) as follows: given a sequence of n-bit round keys \(k_0, \dots, k_r\), an n-bit plaintext x is encrypted by xoring round key \(k_0\), applying permutation \(P_1\), xoring round key \(k_1\), etc. The (strong) pseudorandomness of this construction in the random permutation model (i.e., when the permutations \(P_1, \dots, P_r\) are public random permutation oracles that the adversary can query in a black-box way) was studied in a number of recent papers, culminating with the work of Chen and Steinberger (EUROCRYPT 2014), who proved that the r-round Even-Mansour cipher is indistinguishable from a truly random permutation up to \( \mathcal{O} (2^{\frac{rn}{r+1}})\) queries of any adaptive adversary (which is an optimal security bound since it matches a simple distinguishing attack). All results in this entire line of work share the common restriction that they only hold under the assumption that the round keys \(k_0, \dots, k_r\) and the permutations \(P_1, \dots, P_r\) are independent. In particular, for two rounds, the current state of knowledge is that the block cipher \(E(x) = k_2 \oplus P_2(k_1 \oplus P_1(k_0 \oplus x))\) is provably secure up to \( \mathcal{O} (2^{2n/3})\) queries of the adversary, when \(k_0\), \(k_1\), and \(k_2\) are three independent n-bit keys, and \(P_1\) and \(P_2\) are two independent random n-bit permutations. In this paper, we ask whether one can obtain a similar bound for the two-round Even-Mansour cipher from just one n-bit key and one n-bit permutation. Our answer is positive: when the three n-bit round keys \(k_0\), \(k_1\), and \(k_2\) are adequately derived from an n-bit master key k, and the same permutation P is used in place of \(P_1\) and \(P_2\), we prove a qualitatively similar \( \widetilde{ \mathcal{O} } (2^{2n/3})\) security bound (in the random permutation model).
To the best of our knowledge, this is the first “beyond the birthday bound” security result for AES-like ciphers that does not assume independent round keys.

63 citations

01 Aug 2008
TL;DR: This document describes sixteen new CipherSuites for TLS/DTLS which specify stronger digest algorithms: eight use HMAC with SHA-256 or SHA-384, and eight use AES in Galois Counter Mode (GCM).
Abstract: RFC 4492 describes elliptic curve cipher suites for Transport Layer Security (TLS). However, all those cipher suites use SHA-1 as their MAC algorithm. This document describes sixteen new CipherSuites for TLS/DTLS which specify stronger digest algorithms. Eight use HMAC with SHA-256 or SHA-384 and eight use AES in Galois Counter Mode (GCM).

63 citations

Journal Article
TL;DR: Data-dependent permutations (DDP) are introduced as basic cryptographic primitives to construct fast hardware-oriented ciphers and their application in the cipher CIKS-1 is considered.
Abstract: Data-dependent permutations (DDP) are introduced as basic cryptographic primitives to construct fast hardware-oriented ciphers. Some variants of the DDP operations and their application in the cipher CIKS-1 are considered. A feature of CIKS-1 is the use of both the data-dependent transformation of round subkeys and the key-dependent DDP operations.

62 citations

Proceedings Article
07 Mar 2005
TL;DR: In this article, the authors implemented a hardware accelerator for polynomial multiplication in extended Galois fields (GF) applying Karatsuba's method iteratively, which reduced the area required to 2.1 mm² in comparison to 6.2 mm² for its recursive application.
Abstract: Securing communication channels is especially needed in wireless environments, but applying cipher mechanisms in software is limited by the calculation and energy resources of mobile devices. If hardware is applied to realize cryptographic operations, cost becomes an issue. We describe an approach which tackles all three of these points. We implemented a hardware accelerator for polynomial multiplication in extended Galois fields (GF) applying Karatsuba's method iteratively. With this approach, the area required is reduced to 2.1 mm² in comparison to 6.2 mm² for the standard application of Karatsuba's method, i.e., for its recursive application. Our approach also reduces the energy consumption to 60 per cent of the original approach. The price we have to pay for this achievement is an increased execution time. In our implementation, a polynomial multiplication takes 3 clock cycles, whereas the recursive Karatsuba approach needs only one clock cycle. However, considering area, energy and calculation speed, we are convinced that the benefits of our approach outweigh its drawback.

62 citations

Journal Article
TL;DR: A comprehensive study of AFA on an ultra-lightweight block cipher called LBlock shows that a single fault injection is enough to recover the master key of LBlock within the affordable complexity in each scenario.
Abstract: Algebraic fault analysis (AFA), which combines algebraic cryptanalysis with fault attacks, has represented serious threats to the security of lightweight block ciphers. Inspired by an earlier framework for the analysis of side-channel attacks presented at EUROCRYPT 2009, a new generic framework is proposed to analyze and evaluate algebraic fault attacks on lightweight block ciphers. We interpret AFA at three levels: 1) the target; 2) the adversary; and 3) the evaluator. We describe the capability of an adversary in four parts: 1) the fault injector; 2) the fault model describer; 3) the cipher describer; and 4) the machine solver. A formal fault model is provided to cover most current fault attacks. Different strategies for building an optimal equation set are also provided to accelerate the solving process. At the evaluator level, we consider the approximate information metric and the actual security metric. These metrics can be used to guide adversaries, cipher designers, and industrial engineers. To verify the feasibility of the proposed framework, we make a comprehensive study of AFA on an ultra-lightweight block cipher called LBlock. Three scenarios are exploited, which include injecting a fault into the encryption, into the key scheduling, or modifying the round number or counter. Our best results show that a single fault injection is enough to recover the master key of LBlock within affordable complexity in each scenario. To verify the generic feature of the proposed framework, we apply AFA to three other block ciphers, i.e., Data Encryption Standard, PRESENT, and Twofish. The results demonstrate that our framework can be used for different ciphers with different structures.

62 citations


Network Information
Related Topics (5)
Cryptography: 37.3K papers, 854.5K citations, 90% related
Encryption: 98.3K papers, 1.4M citations, 89% related
Authentication: 74.7K papers, 867.1K citations, 85% related
Public-key cryptography: 27.2K papers, 547.7K citations, 85% related
Key (cryptography): 60.1K papers, 659.3K citations, 83% related
Performance Metrics
No. of papers in the topic in previous years
Year    Papers
2023    155
2022    309
2021    343
2020    415
2019    509
2018    487