DES S-box generator | EPFL Graph Search

The Data Encryption Standard (DES) is a cryptographic algorithm, designed by IBM, that was selected to be the national standard in 1977 by the National Bureau of Standards. The algorithm itself was entirely published but the design criteria were kept secret until 1994 when Coppersmith, one of the designers of DES, published them. He states that the IBM team already knew about the attack called Differential cryptanalysis during the design of the algorithm and that it had an effect on choosing the S-boxes. To be more specific, he mentions eight design criteria that all the S-boxes of DES are based on. How the S-boxes were generated is a mystery, as the legend says this was outsourced to the NSA. Indeed, building a set of S-boxes respecting these criteria is a non-trivial task. In this paper we present an efficient S-box generator respecting all criteria and even more. Coppersmith's design criteria served as a basis but were strengthened for better resistance to Linear Cryptanalysis. While other researchers have already proposed S-box generators for DES satisfying either non-linearity or good diffusion, our generator offers both. Moreover, apart from suggesting a new set of 8 S-boxes, it can also very quickly produce a large pool of S-boxes to be used in further research.

The Security of Cryptographic Primitives

Jacques Stern, Serge Vaudenay

In the early fifties, Claude Shannon initiated the theory of cryptographic primitives. He defined the notion of diffusion and confusion. However, this theory did not developed very much until nowadays. Recently, the differential cryptanalysis and the linear cryptanalysis gave a significant advance in the analysis of the primitives. Security criteria for confusion, essentially nonlinearity criteria, has been proposed. In this thesis, we show how to define a notion of complexity on the graph structure of the primitives and how to study it. This gives security criteria of the computational network. We propose new criteria for diffusion. Finally, we unify the two types of cryptanalysis, getting rid of their linear aspects by a statistical approach.

Laboratoire d'Informatique de l'Ecole Normale Supérieure1995

An experiment on DES statistical cryptanalysis

Serge Vaudenay

Linear cryptanalysis and differential cryptanalysis are the most important methods of attack against block ciphers. Their efficiency have been demonstrated against several ciphers, including the Data Encryption Standard. We prove that both of them can be considered, improved and joined in a more general statistical framework. We also show that the very same results as those obtained in the case of DES can be found without any linear analysis and we slightly improve them into an attack with theoretical complexity 242.9 We can apply another statistical attack-the ?2 cryptanalysis-on the same characteristics without a definite idea of what happens in the encryption process. It appears to be roughly as efficient as both differential and linear cryptanalysis. We propose a new heuristic method to find good characteristics. It has found an attack against DES absolutely equivalent to M. Matsui's (1994) one by following a distinct path.

1996

Analysis of lightweight stream ciphers

Simon Fischer

Stream ciphers are fast cryptographic primitives to provide confidentiality of electronically transmitted data. They can be very suitable in environments with restricted resources, such as mobile devices or embedded systems. Practical examples are cell phones, RFID transponders, smart cards or devices in sensor networks. Besides efficiency, security is the most important property of a stream cipher. In this thesis, we address cryptanalysis of modern lightweight stream ciphers. We derive and improve cryptanalytic methods for different building blocks and present dedicated attacks on specific proposals, including some eSTREAM candidates. As a result, we elaborate on the design criteria for the development of secure and efficient stream ciphers. The best-known building block is the linear feedback shift register (LFSR), which can be combined with a nonlinear Boolean output function. A powerful type of attacks against LFSR-based stream ciphers are the recent algebraic attacks, these exploit the specific structure by deriving low degree equations for recovering the secret key. We efficiently determine the immunity of existing and newly constructed Boolean functions against fast algebraic attacks. The concept of algebraic immunity is then generalized by investigating the augmented function of the stream cipher. As an application of this framework, we improve the cryptanalysis of a well-known stream cipher with irregularly clocked LFSR's. Algebraic attacks can be avoided by substituting the LFSR with a suitable nonlinear driving device, such as a feedback shift register with carry (FCSR) or the recently proposed class of T-functions. We investigate both replacement schemes in view of their security, and devise different practical attacks (including linear attacks) on a number of specific proposals based on T-functions. Another efficient method to amplify the nonlinear behavior is to use a round-based filter function, where each round consists of simple nonlinear operations. We use differential methods to break a reduced-round version of eSTREAM candidate Salsa20. Similar methods can be used to break a related compression function with a reduced number of rounds. Finally, we investigate the algebraic structure of the initialization function of stream ciphers and provide a framework for key recovery attacks. As an application, a key recovery attack on simplified versions of eSTREAM candidates Trivium and Grain-128 is given.

EPFL2008

Analysis of lightweight stream ciphers

Simon Fischer

EPFL2008