|
COCONUT98
In cryptography, COCONUT98 (Cipher Organized with Cute Operations and N-Universal Transformation) is a block cipher designed by Serge Vaudenay in 1998. It was one of the first concrete applications of Vaudenay's decorrelation theory, designed to be provably secure against differential cryptanalysis, linear cryptanalysis, and even certain types of undiscovered cryptanalytic attacks. The cipher uses a block size of 64 bits and a key size of 256 bits. Its basic structure is an 8-round Feistel network, but with an additional operation after the first 4 rounds, called a ''decorrelation module''. This consists of a key-dependent affine transformation in the finite field GF(264). The round function makes use of modular multiplication and addition, bit rotation, XORs, and a single 8×24-bit S-box. The entries of the S-box are derived using the binary expansion of e as a source of "nothing up my sleeve numbers". Despite Vaudenay's proof of COCONUT98's security, in 1999 David Wagner ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
DFC (cipher)
In cryptography, DFC (Decorrelated Fast Cipher) is a symmetric block cipher which was created in 1998 by a group of researchers from École Normale Supérieure, CNRS, and France Télécom (including Jacques Stern and Serge Vaudenay) and submitted to the AES competition. Like other AES candidates, DFC operates on blocks of 128 bits, using a key of 128, 192, or 256 bits. It uses an 8-round Feistel network. The round function uses a single 6×32-bit S-box, as well as an affine transformation mod 264+13. DFC can actually use a key of any size up to 256 bits; the key schedule uses another 4-round Feistel network to generate a 1024-bit "expanded key". The arbitrary constants, including all entries of the S-box, are derived using the binary expansion of e as a source of "nothing up my sleeve numbers". Soon after DFC's publication, Ian Harvey raised the concern that reduction modulo a 65-bit number was beyond the native capabilities of most platforms, and that careful implementation w ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Boomerang Attack
In cryptography, the boomerang attack is a method for the cryptanalysis of block ciphers based on differential cryptanalysis. The attack was published in 1999 by David Wagner, who used it to break the COCONUT98 cipher. The boomerang attack has allowed new avenues of attack for many ciphers previously deemed safe from differential cryptanalysis. Refinements on the boomerang attack have been published: the amplified boomerang attack, and the rectangle attack. Due to the similarity of a Merkle–Damgård construction with a block cipher, this attack may also be applicable to certain hash functions such as MD5. The attack The boomerang attack is based on differential cryptanalysis Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in information input can aff .... In differential cryptanalysis, an attacker expl ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Decorrelation Theory
In cryptography, decorrelation theory is a system developed by Serge Vaudenay in 1998 for designing block ciphers to be provably secure against differential cryptanalysis, linear cryptanalysis, and even undiscovered cryptanalytic attacks meeting certain broad criteria. Ciphers designed using these principles include COCONUT98 and the AES candidate DFC, both of which have been shown to be vulnerable to some forms of cryptanalysis not covered by the theory. According to Vaudenay, the decorrelation theory has four tasks: 1) the definition of a measurement for the decorrelation, which usually relies on a matrix norm; 2) the construction of simple primitive or "decorrelation module" with a quite good decorrelation; 3) the construction of cryptographic algorithms Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or '' -logia'', "study", respectively), is the practice and study of techniques for secure communication ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Related-key Attack
In cryptography, a related-key attack is any form of cryptanalysis where the attacker can observe the operation of a cipher under several different keys whose values are initially unknown, but where some mathematical relationship connecting the keys is known to the attacker. For example, the attacker might know that the last 80 bits of the keys are always the same, even though they don't know, at first, what the bits are. This appears, at first glance, to be an unrealistic model; it would certainly be unlikely that an attacker could persuade a human cryptographer to encrypt plaintexts under numerous secret keys related in some way. KASUMI KASUMI is an eight round, 64-bit block cipher with a 128-bit key. It is based upon MISTY1, and was designed to form the basis of the 3G confidentiality and integrity algorithms. Mark Blunden and Adrian Escott described differential related key attacks on five and six rounds of KASUMI. Differential attacks were introduced by Biham and Shamir. R ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Nothing Up My Sleeve Number
In cryptography, nothing-up-my-sleeve numbers are any numbers which, by their construction, are above suspicion of hidden properties. They are used in creating cryptographic functions such as hashes and ciphers. These algorithms often need randomized constants for mixing or initialization purposes. The cryptographer may wish to pick these values in a way that demonstrates the constants were not selected for a nefarious purpose, for example, to create a backdoor to the algorithm. These fears can be allayed by using numbers created in a way that leaves little room for adjustment. An example would be the use of initial digits from the number as the constants. Using digits of millions of places after the decimal point would not be considered trustworthy because the algorithm designer might have selected that starting point because it created a secret weakness the designer could later exploit. Digits in the positional representations of real numbers such as , ''e'', and irration ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
David A
David (; , "beloved one") (traditional spelling), , ''Dāwūd''; grc-koi, Δαυΐδ, Dauíd; la, Davidus, David; gez , ዳዊት, ''Dawit''; xcl, Դաւիթ, ''Dawitʿ''; cu, Давíдъ, ''Davidŭ''; possibly meaning "beloved one". was, according to the Hebrew Bible, the third king of the United Kingdom of Israel. In the Books of Samuel, he is described as a young shepherd and harpist who gains fame by slaying Goliath, a champion of the Philistines, in southern Canaan. David becomes a favourite of Saul, the first king of Israel; he also forges a notably close friendship with Jonathan, a son of Saul. However, under the paranoia that David is seeking to usurp the throne, Saul attempts to kill David, forcing the latter to go into hiding and effectively operate as a fugitive for several years. After Saul and Jonathan are both killed in battle against the Philistines, a 30-year-old David is anointed king over all of Israel and Judah. Following his rise to power, David ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Chosen-plaintext Attack
A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which presumes that the attacker can obtain the ciphertexts for arbitrary plaintexts.Ross Anderson, ''Security Engineering: A Guide to Building Dependable Distributed Systems''. The first edition (2001): http://www.cl.cam.ac.uk/~rja14/book.html The goal of the attack is to gain information that reduces the security of the encryption scheme. Modern ciphers aim to provide semantic security, also known as ''ciphertext indistinguishability under chosen-plaintext attack'', and they are therefore, by design, generally immune to chosen-plaintext attacks if correctly implemented. Introduction In a chosen-plaintext attack the adversary can (possibly adaptively) ask for the ciphertexts of arbitrary plaintext messages. This is formalized by allowing the adversary to interact with an encryption oracle, viewed as a black box. The attacker’s goal is to reveal all or a part of the secret encryption key. It may seem infeasi ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Adaptive Chosen-ciphertext Attack
An adaptive chosen-ciphertext attack (abbreviated as CCA2) is an interactive form of chosen-ciphertext attack in which an attacker first sends a number of ciphertexts to be decrypted chosen adaptively, and then uses the results to distinguish a target ciphertext without consulting the oracle on the challenge ciphertext. In an adaptive attack, the attacker is further allowed adaptive queries to be asked after the target is revealed (but the target query is disallowed). It is extending the indifferent (non-adaptive) chosen-ciphertext attack (CCA1) where the second stage of adaptive queries is not allowed. Charles Rackoff and Dan Simon defined CCA2 and suggested a system building on the non-adaptive CCA1 definition and system of Moni Naor and Moti Yung (which was the first treatment of chosen ciphertext attack immunity of public key systems). In certain practical settings, the goal of this attack is to gradually reveal information about an encrypted message, or about the decryption ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Differential-linear Cryptanalysis
Introduced by Martin Hellman and Susan K. Langford in 1994, the differential-linear attack is a mix of both linear cryptanalysis and differential cryptanalysis. The attack utilises a differential characteristic over part of the cipher with a probability of 1 (for a few rounds—this probability would be much lower for the whole cipher). The rounds immediately following the differential characteristic have a linear approximation defined, and we expect that for each chosen plaintext pair, the probability of the linear approximation holding for one chosen plaintext but not the other will be lower for the correct key. Hellman and Langford have shown that this attack can recover 10 key bits of an 8-round DES with only 512 chosen plaintexts and an 80% chance of success. The attack was generalised by Eli Biham et al. to use differential characteristics with probability less than 1. Besides DES, it has been applied to FEAL, IDEA, Serpent, Camellia, and even the stream cipher ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Serge Vaudenay
Serge Vaudenay (born 5 April 1968) is a French cryptographer and professor, director of the Communications Systems Section at the École Polytechnique Fédérale de Lausanne Serge Vaudenay entered the École Normale Supérieure in Paris as a ''normalien'' student in 1989. In 1992, he passed the ''agrégation'' in mathematics. He completed his Ph.D. studies at the computer science laboratory of École Normale Supérieure, and defended it in 1995 at the Paris Diderot University; his advisor was Jacques Stern. From 1995 to 1999, he was a senior research fellow at French National Centre for Scientific Research (CNRS). In 1999, he moved to a professorship at the École Polytechnique Fédérale de Lausanne where he leads the Laboratory of Security and Cryptography (LASEC). LASEC is host to two popular security programs developed by its members: *iChair, developed by Thomas Baignères and Matthieu Finiasz, a popular on-line submission and review server used by many cryptography confere ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Distinguishing Attack
In cryptography, a distinguishing attack is any form of cryptanalysis on data encrypted by a cipher that allows an attacker to distinguish the encrypted data from random data. Modern symmetric-key ciphers are specifically designed to be immune to such an attack. In other words, modern encryption schemes are pseudorandom permutations and are designed to have ciphertext indistinguishability. If an algorithm is found that can distinguish the output from random faster than a brute force search, then that is considered a break of the cipher. A similar concept is the known-key distinguishing attack, whereby an attacker knows the key and can find a structural property in cipher, where the transformation from plaintext to ciphertext is not random. Overview To prove that a cryptographic function is safe, it is often compared to a random oracle. If a function would be a random oracle, then an attacker is not able to predict any of the output of the function. If a function is distinguisha ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
E (mathematical Constant)
The number , also known as Euler's number, is a mathematical constant approximately equal to 2.71828 that can be characterized in many ways. It is the base of the natural logarithms. It is the limit of as approaches infinity, an expression that arises in the study of compound interest. It can also be calculated as the sum of the infinite series e = \sum\limits_^ \frac = 1 + \frac + \frac + \frac + \cdots. It is also the unique positive number such that the graph of the function has a slope of 1 at . The (natural) exponential function is the unique function that equals its own derivative and satisfies the equation ; hence one can also define as . The natural logarithm, or logarithm to base , is the inverse function to the natural exponential function. The natural logarithm of a number can be defined directly as the area under the curve between and , in which case is the value of for which this area equals one (see image). There are various other characteriz ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
