Cryptology - PowerPoint PPT Presentation


Transcript and Presenter's Notes

Title: Cryptology


1
Cryptology
Lecture Five
  • Dr. Richard Spillman
  • Pacific Lutheran University

2
Last Lecture
  • History
  • More Transpositions
  • Double Column Transposition
  • Computer Based Encryption
  • Stream Ciphers
  • LFSR
  • One Time Pad
  • Cellular Automata

3
Review Stream Cipher
  • A stream cipher XORs a plaintext stream with a
    key stream to create a ciphertext stream

The random key stream can be produced by an LFSR,
Cellular Automata, or another random process
(such as a modification of a block cipher)
4
Outline
  • History
  • RC4 Algorithm
  • Introduction to Block Ciphers
  • DES and AES (and others)
  • Cryptanalysis of Block Ciphers

5
History
6
WW1 The American Effort
  • Soon after the American declaration of war in
    April 1917, Herbert O. Yardley sold the war
    department on the idea of starting a cryptologic
    service called MI-8
  • David Stevens, 32, an English instructor at
    UChicago
  • Thomas A. Knot, 37, an associate professor of
    English at UC
  • Charles H. Beeson, 47, associate professor of
    Latin at UC
  • Bliss Luquiens, 41, professor of Spanish at Yale
  • MI-8 became involved in many activities including
  • cryptography
  • secret inks
  • shorthand translation

7
Secret Inks
  • The Germans used several kinds of secret inks
    which could be developed by exposure to heat or
    by special chemicals
  • Allied chemists responded with a reagent that
    brought out secret writing of any kind because it
    could detect the fibers of paper which had been
    disturbed by a wetting action
  • Germans responded by writing in a sympathetic ink
    and then moistening the entire sheet
  • Allies responded with a chemical streak test that
    would detect whether the paper surface had been
    dampened - who but a spy would dampen paper?
  • Eventually, both sides discovered a general
    reagent that would detect any ink under any
    conditions
  • MI-8's secret ink division, however, was testing
    over 2,000 letters a week and discovered 50 of
    major importance including the plans of one spy
    to import high explosives inside the hollow
    figures of saints and the Virgin Mary

8
Cryptographic Section
  • MI-8's cryptographic section was very successful
  • One of their most important solutions involved
    the case of the only German spy condemned to
    death in the US during WWI.
  • Captured in January 1918 in Mexico by a US agent,
    he had a cipher letter
  • Broken by Dr. John Manly who went on to become
    one of the world's leading authorities on Chaucer
  • After a marathon 3-day effort he broke down the
    12 step transposition cipher

9
The American Black Chamber
  • After Armistice, Yardley sold both the State
    Department and the War Department on jointly
    setting up a permanent cryptography organization
  • it became known as the American Black Chamber and
    was established on July 15, 1919 in NYC
  • its first task was to solve the codes of Japan
    and by 1921, they were regularly reading Japanese
    telegrams
  • In the summer of 1921, they solved telegram 813
    of July 5th from the Japanese ambassador in
    London to Tokyo which contained instructions
    about the upcoming naval disarmament conference

10
Conference Results
  • Japan was demanding a tonnage ratio of 10 to 7
    with the US when the Black Chamber read what
    Yardley called the most important telegram he
    ever solved (0.5 represents 50,000 tons of ship -
    a battleship and a half)
  • It is necessary to avoid any clash with Great
    Britain and America, particularly America, in
    regard to the armament limitation question. You
    will to the utmost maintain a middle attitude and
    redouble your efforts to carry out our policy.
    In case of inevitable necessity you will work to
    establish your second proposal of 10 to 6.5. If,
    in spite of your utmost efforts, it becomes
    necessary in view of the situation and in the
    interests of general policy to fall back on your
    proposal no. 3, you will endeavor to limit the
    power of concentration and maneuver of the
    Pacific and to make an adequate reservation which
    will make clear that this is our intention in
    agreeing to a 10 to 6 ratio.
  • What do you think the Americans settled for with
    Japan?

11
The End of the Black Chamber
  • Between 1971 and 1929, the American Black Chamber
    solved more than 45,000 telegrams involving the
    codes of
  • Argentina, Brazil, Chile, China, Cuba, England,
    France, Germany, Japan, Liberia, Mexico, Peru,
    USSR, Spain, ...
  • They even started on the codes used by the
    Vatican
  • It all ended on Oct 31, 1929 after Henry L.
    Stimson, Hoover's Secretary of State, received
    some solutions from the Black Chamber. He said
    "Gentlemen do not read each other's mail"

12
RC4
13
RC4
  • RC4 was developed by Ron Rivest of MIT (one of
    the developers of RSA, a cipher that will be
    covered later)
  • It is perhaps the most widely used stream cipher
    in the world
  • Microsoft Windows
  • Lotus Notes
  • the SSL (Secure Sockets Layer) protocol to
    protect Internet traffic
  • the Wireless Equivalent Privacy (WEP) system used
    to protect wireless links.
  • One advantage of RC4 is that it can be easily
    implemented in software.

14
Procedure
  • RC4 uses an arrangement of the numbers 0 to 255
    (8 bits each) in an array S which changes over
    time
  • It consists of two processes
  • A Key Scheduling Algorithm (KSA) to set up the
    initial permutation of S
  • A pseudo-random generation algorithm (PRGA) to
    randomly select elements of S and modify the
    permutation of S

15
Key Scheduling Algorithm 1
  • KSA begins by initializing S such that S(i) = i for
    i = 0 to 255.
  • A secret key is constructed by selecting a set of
    numbers which are loaded into a key array K(0 to
    255)
  • The usual process is to select a short sequence
    of numbers and repeat them until K is filled

16
Key Scheduling Algorithm 2
  • The key array is used to randomize S based on the
    following algorithm

j = 0
for i = 0 to 255 do
    j = (j + S(i) + K(i)) mod 256
    swap(S(i), S(j))
17
PRGA
  • Once the KSA has completed the initial
    randomization of S, the PRGA takes over and
    selects bytes for the key stream by selecting
    random elements of S and modifying S for the next
    selection.
  • The selection process relies on two indices i and
    j which both start at 0.
  • The following program is run to select each byte
    of the key stream

swap (S(i), S(j))
18
Example
  • A simple example of RC4 will be constructed using
    3 bit representations (the numbers range from 0
    to 7) and mod 8 operations (instead of mod 256).

Initialize S
Select key 5, 6, 7

  index    0 1 2 3 4 5 6 7
  S Array  0 1 2 3 4 5 6 7
  K Array  5 6 7 5 6 7 5 6

Use the key to randomize S

  i = 0, j = 0
  j = (0 + S(0) + K(0)) mod 8
  j = (0 + 0 + 5) mod 8 = 5
  Swap S(0) and S(5)

  i = 1, j = 5
  j = (5 + S(1) + K(1)) mod 8
  j = (5 + 1 + 6) mod 8 = 4
  Swap S(1) and S(4)

Final S Array

  index    0 1 2 3 4 5 6 7
  S Array  5 4 0 7 1 6 3 2
19
Random Numbers
  • Now, the S array is ready to be used to produce a
    sequence of random numbers.
  • With i and j starting at 0, RC4 calculates the
    first random number as follows

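  S Array after key scheduling
  index    0 1 2 3 4 5 6 7
  S Array  5 4 0 7 1 6 3 2

i = (i + 1) mod 8 = (0 + 1) mod 8 = 1
j = (j + S(i)) mod 8 = (0 + S(1)) mod 8
  = (0 + 4) mod 8 = 4
Swap S(1) and S(4)
t = (S(i) + S(j)) mod 8 = (S(4) + S(1)) mod 8
  = (1 + 4) mod 8 = 5
k = S(t) = S(5) = 6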
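The KSA and PRGA slides carried through in code, as an added example that is not part of the original lecture or of CAP: one implementation with a configurable modulus, so the 3-bit (mod 8) walk-through above and full RC4 (mod 256) run through the same routines. The function names are chosen here, and the byte-string key and message in the demo are a commonly published RC4 test vector.

```python
def ksa(key, n=256):
    """Key Scheduling Algorithm: build the initial permutation S of 0..n-1."""
    if not key:
        raise ValueError("key must not be empty")
    s = list(range(n))                           # S(i) = i
    k = [key[i % len(key)] for i in range(n)]    # repeat the short key until K is filled
    j = 0
    for i in range(n):
        j = (j + s[i] + k[i]) % n
        s[i], s[j] = s[j], s[i]
    return s


def prga(s, n=256):
    """Pseudo-random generation algorithm: yield one key-stream value per step."""
    s = list(s)                                  # work on a copy of S
    i = j = 0
    while True:
        i = (i + 1) % n
        j = (j + s[i]) % n
        s[i], s[j] = s[j], s[i]                  # modify S for the next selection
        t = (s[i] + s[j]) % n
        yield s[t]


def keystream(key, count, n=256):
    """First `count` key-stream values for `key`."""
    gen = prga(ksa(key, n), n)
    return [next(gen) for _ in range(count)]


def rc4(key: bytes, data: bytes) -> bytes:
    """Stream cipher: XOR the data with the key stream. The same call decrypts."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))


if __name__ == "__main__":
    # The slide's 3-bit example: key 5, 6, 7 and arithmetic mod 8.
    print("S after KSA      :", ksa([5, 6, 7], n=8))
    print("first key value  :", keystream([5, 6, 7], 1, n=8)[0])

    # Full-size RC4 on a published test vector.
    ciphertext = rc4(b"Key", b"Plaintext")
    print("ciphertext (hex) :", ciphertext.hex())
    print("decrypted        :", rc4(b"Key", ciphertext))
```

RC4 is shown here for study: RFC 7465 prohibits it in TLS, and the WEP construction built on it is broken.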
20
Using CAP
  • CAP uses RC4 to implement a stream cipher

21
Block Ciphers
22
Cipher Structures
23
Block Cipher
  • Today's most widely used ciphers are in the class
    of Block Ciphers
  • Define a block of computer bits which represent
    several characters
  • Encipher the complete block at one time

Algorithm
24
Modes of Operation
  • Before examining the details of any specific
    block cipher algorithm, it is useful to consider
    how such algorithms are used
  • There are 3 operational modes
  • Electronic Code Book (ECB)
  • Cipher Block Chaining (CBC)
  • Output Feedback Mode (OFM)
  • These modes have become international standards
    for implementing any block cipher

25
Electronic Code Book
  • Simplest mode of operation
  • each block is enciphered into a ciphertext block
    using one key

Problem: if Mi = Mj then Ci = Cj
26
Cipher Block Chaining
  • The input to each block stage is the current
    block XORed with the previous stage cipher block

27
Output Feedback Mode
  • The block cipher is used as a stream cipher
  • it produces the random key stream

28
General Structure
  • In 1973, Feistel suggested a form of product
    cipher that has become the architecture of choice
    for almost all symmetric block ciphers in use
    today.
  • The overall process involves several stages of a
    substitution followed by a transposition.
  • The master key is subdivided into a set of
    subkeys one for each stage.
  • At each stage the data block is divided into a
    left and a right segment, the segments are
    swapped, and one segment is mixed with subkey for
    that stage.
  • Another name for this type of cipher is a
    substitution-permutation (SP) cipher.

29
Feistel Cipher
  • A single stage of the Feistel cipher looks like

Creates the subkey for each stage
30
Cipher Evaluation
  • Any new cipher must be secure against attacks but
    as ciphers become more complicated (such as the
    class of block ciphers) how can we be reasonably
    confident that they can protect our valuable
    data?
  • The real answer to this problem is that we can
    never be sure that a cipher is secure.
  • The best way to gain some confidence in a new
    cipher is to allow the security community to test
    it.
  • There are some features that a cipher must
    possess if it is to be accepted by the users.
  • First, of course, the key space must be large
    enough to make a brute force attack impossible or
    at least too expensive to mount.

31
Algorithm Strength
  • Algorithm strength is a subjective judgment call.
    Several factors are considered including
  • The plaintext cannot be derived from the
    ciphertext without use of the key.
  • There should be no plaintext attack that is
    better than a brute force attack.
  • Knowledge of the algorithm should not reduce the
    strength of the cipher.
  • The algorithm should include substitutions and
    permutations under the control of both the input
    data and the key.
  • Redundant bit groups in the plaintext should be
    totally obscured in the ciphertext.
  • The length of the ciphertext should be the same
    length as the plaintext.
  • Any possible key should produce a strong cipher,

32
Avalanche Condition
  • One of the most important strength criteria is
    the avalanche condition: there should be no
    correlation between any input bits or key bits
    and the output bits.
  • This is important because if someone started
    trying different keys, they should not be able to
    tell if they are close (within a few bits) to the
    actual key.
  • There are two versions of the avalanche
    condition
  • Strict plaintext avalanche criterion (SPAC): each
    bit of the ciphertext block should change with
    the probability of one half whenever any bit of
    the plaintext block is complemented.
  • Strict key avalanche criterion (SKAC): for a
    fixed plaintext block, each bit of the ciphertext
    block changes with a probability of one half when
    any bit of the key changes.
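Three points from the slides above (the ECB problem that equal plaintext blocks give equal ciphertext blocks, the Feistel stage, and the strict plaintext avalanche criterion) in one added example that is not code from the lecture or CAP. It uses a toy 64-bit Feistel cipher whose round function and subkey derivation are built from SHA-256 as a stand-in for DES's boxes; the cipher, round count, key, IV and messages are assumptions made for illustration.

```python
import hashlib

HALF = 4       # bytes per half, so a block is 64 bits as in DES
ROUNDS = 8     # assumption for this toy cipher


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def subkeys(master: bytes):
    """One subkey per stage, derived from the master key (toy derivation)."""
    return [hashlib.sha256(master + bytes([r])).digest()[:HALF] for r in range(ROUNDS)]


def round_f(right: bytes, subkey: bytes) -> bytes:
    """Mix one half with the stage subkey (stand-in for the E, S and P boxes)."""
    return hashlib.sha256(subkey + right).digest()[:HALF]


def feistel(block: bytes, keys) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for k in keys:
        # Swap the halves and mix one of them with this stage's subkey.
        left, right = right, xor_bytes(left, round_f(right, k))
    return right + left                      # undo the final swap


def encrypt_block(block: bytes, master: bytes) -> bytes:
    return feistel(block, subkeys(master))


def decrypt_block(block: bytes, master: bytes) -> bytes:
    return feistel(block, subkeys(master)[::-1])   # same network, subkeys reversed


def split_blocks(data: bytes):
    if len(data) % (2 * HALF):
        raise ValueError("data must be a whole number of 8-byte blocks")
    return [data[i:i + 2 * HALF] for i in range(0, len(data), 2 * HALF)]


def ecb_encrypt(data: bytes, master: bytes) -> bytes:
    return b"".join(encrypt_block(b, master) for b in split_blocks(data))


def cbc_encrypt(data: bytes, master: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for block in split_blocks(data):
        prev = encrypt_block(xor_bytes(block, prev), master)   # chain previous cipher block
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(data: bytes, master: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for block in split_blocks(data):
        out.append(xor_bytes(decrypt_block(block, master), prev))
        prev = block
    return b"".join(out)


def avalanche(block: bytes, master: bytes) -> float:
    """Average number of ciphertext bits that change when one plaintext bit is complemented."""
    nbits = 8 * len(block)
    plain = int.from_bytes(block, "big")
    base = int.from_bytes(encrypt_block(block, master), "big")
    changed = 0
    for bit in range(nbits):
        flipped = (plain ^ (1 << bit)).to_bytes(len(block), "big")
        changed += bin(base ^ int.from_bytes(encrypt_block(flipped, master), "big")).count("1")
    return changed / nbits


if __name__ == "__main__":
    key = b"demo key"                 # constructed key
    iv = bytes(range(8))              # fixed so the run is repeatable; CBC needs a fresh unpredictable IV
    message = b"SAMEBLOK" * 2         # two identical plaintext blocks
    ecb, cbc = ecb_encrypt(message, key), cbc_encrypt(message, key, iv)
    print("ECB blocks equal:", ecb[:8] == ecb[8:])     # Mi = Mj gives Ci = Cj
    print("CBC blocks equal:", cbc[:8] == cbc[8:])
    print("CBC round trip  :", cbc_decrypt(cbc, key, iv) == message)
    print("avg bits changed of 64:", avalanche(b"12345678", key))
```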

33
DES Example
[Figure: value shown at each stage of the DES example]
  Input      1
  Permuted   1
  Round 1    1
  Round 2    5
  Round 3    18
  Round 4    28
  Round 5    29
  Round 6    26
  Round 7 through Round 16, Output
34
DES, AES, and Others
35
Data Encryption Standard
  • In the mid-70s the US government decided that a
    powerful standard cipher system was necessary.
  • The National Bureau of Standards put out a
    request for the development of such a cipher.
  • Several companies went to work and submitted
    proposals. The winner was IBM with their cipher
    system called Lucifer.
  • With some modifications suggested by the National
    Security Agency, in 1977, Lucifer became known as
    the Data Encryption Standard or DES.
  • It has since been replaced by the Advanced
    Encryption Standard (AES)

36
Basic Structure
  • DES works on 64 bit blocks of plaintext using a
    56 bit key to produce 64 bit blocks of
    ciphertext.
  • It is a substitution-permutation cipher with 16
    SP stages.
  • The key for DES is an arbitrary 56 bit string of
    0s and 1s
  • there are 2^56 possible strings (greater than
    10^16)
  • often it is given as a 7 letter word
  • DES expands this key to 64 bits by adding 8
    additional 0s and 1s
  • bits 8, 16, 24, 32, 40, 48, 56, and 64 are added
    so that each 8 bit block has odd parity (odd
    number of 1s)
  • the key is divided, shifted, and shuffled 16
    times to form 16 different (but related) subkeys
    each of which is 48 bits long

37
Key Generation
  • Each of the 16 stages uses a 48 bit subkey which
    is derived from the initial 64 bit key.
  • The key passes through a PC-1 block (Permuted
    Choice 1) which extracts the original 56 bits
    supplied by the user.
  • The 56 bits are divided into left and right
    halves. Each half is shifted left by 1 or 2 bit
    positions (it varies depending on the stage).
  • The new 56 bits are compressed using PC-2
    (Permuted Choice 2) by throwing out 8 bits to
    create the 48 bit key for the given stage.

38
DES Stages
  • Each stage of DES performs the same set of
    operations using a different subkey acting on the
    output of the previous stage.
  • Those operations are defined in three boxes
    called the expansion box (Ebox), the substitution
    box (Sbox), and the permutation box (Pbox).

39
Example Stage
The E-Box expands (from 32 to 48 bits) and
permutes
The E-Box output is XORed with part of the key
There are 8 S-Boxes and each one accepts 6 bits
of input and produces 4 bits of output
The P-Box is a simple permutation
Finally, the left side is XORed with the result
and both sides are passed on to the next round
40
E-Box
  • The EBox expands its 32-bit input into 48-bits by
    duplicating some of the input bits.

Note the duplication
41
S-Boxes
  • The SBoxes are the real source of the power of
    DES.
  • There are 8 different Sboxes
  • Each Sbox accepts 6-bits of input and produces
    4-bits of output.
  • An Sbox has 16 columns and 4 rows where each
    element in the box is a 4-bit block usually given
    in its decimal representation.

42
Working with the S-Boxes
  • Each 6-bit input to an S-Box is divided into a
    row and a column index.
  • The row index is given by bits 1 and 6 and the
    bits 2 to 5 supply the column index.
  • The output of the S-Box is the value stored at
    the addressed row/column

Input 0 1 1 1 1 0
Output 1 0 1 0
43
P-Box
  • After the S-Box operation there are just 32-bits
    remaining which are rearranged according to the
    permutation table

44
Final Step
  • The final operation places the original RHS
    32-bits on the LHS and XORs the original LHS with
    the 32-bit output of the Pbox
  • This process is repeated 16 times using a
    different subkey each time

45
DES Implementations
  • DES could be used in any one of the three
    standard block cipher implementation modes OFM,
    CBC, or ECB.
  • However DES is no longer a secure cipher.
  • Hence, alternative implementations of DES have
    been suggested in an effort to improve its
    overall security. The most common is called
    Triple-DES.
  • Triple-DES comes in two versions, one uses three
    keys and the other only uses two keys.
  • The three key version first encrypts the message
    with Key1, decrypts the result with Key2, and
    finally encrypts that with K3
  • The two key version uses the same steps where K3
    = K1.

46
Using CAP
  • CAP provides an implementation of DES

Run Avalanche tests
CAP also provides a simple version of DES
47
S-DES
  • S-DES (Simplified-DES) was developed by Dr.
    Edward Schaefer at Santa Clara University in
    1996.
  • It is simple enough so that you can explore the
    operation of DES and some of its weaknesses.
  • It operates on 8-bit data blocks (in other words,
    single characters) using a 10-bit key (only 2^10 =
    1024 possibilities) and two stages

48
S-DES Structure
1 2 3 4 5 6 7 8 -> 2 6 3 1 4 8 5 7
  • In spite of the simplifications, S-DES looks much
    like our basic DES.

1 2 3 4 5 6 7 8 -> 4 1 3 5 7 2 8 6
49
S-DES S-Boxes
  • The function F on the prior slide contains an
    EBox, PBox and 2 SBoxes (much like DES)
  • The two S-Boxes are given by

The input is a 4 bit value
The first and last bits define the row
The middle bits define the column
The output is a 2 bit value
50
S-DES Key Generation
  • The key generation mechanism begins with a 10-bit
    key which is permuted by PC-1 into the order 3 5
    2 7 4 10 1 9 8 6.
  • It is separated into 2 five bit segments and each
    segment is left shifted by one bit.
  • PC-2 selects and rearranges 8 bits from the two
    five bit segments; the bits in order are 6 3 7 4
    8 5 10 9. The result is subkey 1.
  • The two segments are now left shifted twice and
    PC-2 is applied again to produce subkey 2.

51
Using CAP
  • CAP implements S-DES and in the process
    illustrates the key generation method.

52
Status of DES
  • When IBM first proposed DES it had a 128 bit key
  • NSA required that the key be reduced to 56 bits
  • There have been several successful attacks on DES
  • June 1997: Using the internet, 14,000 to 78,000
    computers broke DES in 90 days
  • Jan 1998: Using the internet again, it only took
    39 days
  • July 1998: a $210,000 machine called Deep Crack
    was built and it broke DES in 56 hours

53
AES
54
Advanced Encryption Standard
  • Since DES was becoming less reliable as new
    cryptanalysis techniques were developed, the
    National Institute of Standards and Technology
    (NIST) put out a notice in early 1999 requesting
    submissions for a new encryption standard. The
    requirements were
  • A symmetric block cipher with a variable length
    key (128, 192, or 256 bits) and a 128-bit block
  • It must be more secure than TripleDES
  • It must be in the public domain royalty free
    world wide
  • It should remain secure for at least 30 years
  • Fifteen algorithms were submitted from ten
    different countries.

55
Submitted Algorithms
  • Australia: LOKI97
  • Belgium: RIJNDAEL
  • Canada: CAST-256, DEAL
  • Costa Rica: FROG
  • France: DFC
  • Germany: MAGENTA
  • Japan: E2
  • Korea: CRYPTON
  • USA: HPC, MARS, RC6, SAFER, TWOFISH
  • UK, Israel, Norway: SERPENT
56
Selection Process
  • NIST relied on public participation
  • algorithm proposals
  • cryptanalysis
  • efficiency testing
  • AES Timetable
  • Round 1 Aug. 20 - April 15, 1999
  • Submit papers for 2nd AES conference Feb 1, 1999
  • Second AES conference March 22-23, 1999
  • Announcement of (about) five finalists
  • Round 2 analysis of finalists 6-9 months
  • Third AES Conference
  • Selection of AES Algorithm

57
AES Finalists
  • MARS (IBM)
  • RC6 (Rivest, et. al.)
  • Rijndael (top Belgium cryptographers)
  • Serpent (Anderson, Biham, Knudsen)
  • Twofish (Schneier, et. al.)

And the winner was . . .
58
Introduction to Rijndael
  • One of the fastest and strongest algorithms
  • Variable block length 128, 192, 256 bits
  • Variable key length 128, 192, 256 bits
  • Variable number of rounds (iterations) 10, 12,
    14
  • Number of rounds depend on key/block length

59
Rijndael Structure
  • The general structure of Rijndael is shown below
  • Rather than using just a substitution and a
    permutation at each stage like DES, Rijndael
    consists of multiple cycles of Substitution,
    Shifting, Column mixing and a KeyAdd operation.

60
Initial Step
  • The process begins by grouping the plaintext bits
    into a column array by bytes.
  • The first four bytes form the first column the
    second four bytes form the second column, and so
    on.
  • If the block size is 128 bits then this becomes a
    4x4 array. For larger block sizes the array has
    additional columns.
  • The key is also grouped into an array using the
    same process.

61
Substitution
  • The substitution layer uses a single S-box
    (rather than the 8 Sboxes used in DES). The
    Rijndael S-box is a 16 x 16 array
  • Each element in the current column array serves
    as an address into the S-box where the first four
    bits identify the S-box row and the last 4 bits
    identify the S-box column.
  • The S-box element at that location replaces the
    current column array element.

62
Row Shift Operation
  • A row shift operation is applied to the output of
    the S-box in which the four rows of the column
    array are cyclically shifted to the left.
  • The first row is shifted by 0, the second by 1,
    the third by 2, and the fourth by 3

63
Matrix Multiply
  • Column mixing is accomplished by a matrix
    multiplication operation.
  • The shifted column array is multiplied by a fixed
    matrix

64
Key Add
  • The final operation adds a subkey derived from
    the original key to the column array
  • This completes one round of AES

This is repeated 9 more times
65
Key Schedule
  • The key is grouped into a column array and then
    expanded by adding 40 new columns.
  • If the first four columns (given by the key) are
    C(0), C(1), C(2) and C(3) then the new columns
    are generated in a recursive manner.
  • If i is not a multiple of 4 then column i is
    determined by C(i) = C(i-4) XOR C(i-1)
  • If i is a multiple of 4 then column i is
    determined by C(i) = C(i-4) XOR T(C(i-1))
  • Where T(C(i-1)) is a transformation of C(i-1)
    implemented as
    1. Cyclically shift the elements of C(i-1) by
       one byte
    2. Use each of these 4 bytes as input into the
       S-box to create four new bytes e, f, g, h.
    3. Calculate a round constant r(i) = 2^((i-4)/4)
    4. Create the transformed column as
       (e XOR r(i), f, g, h)
  • The round key for the ith round consists of the
    columns C(4i), C(4i+1), C(4i+2), C(4i+3).

66
Key Generation Flow
  • For what it's worth

67
Conclusion
We have come a long way from just shifting
letters over in the alphabet
68
Cryptanalysis of Block Ciphers
69
Security of DES
  • DES has a long and interesting history full of
    speculation and controversy.
  • It all began when the National Security Agency
    (NSA) required the modification of the original
    specification for Lucifer submitted by IBM.
    Among the changes they requested was that the
    original key length of 128 bit be reduced to 56
    bits.
  • This fuelled the speculation (which has never
    been verified) that NSA could break the 56-bit
    version of DES from the very beginning.
  • Since NSA wasn't talking, brute force attacks
    seemed to be the only feasible way to undermine
    the algorithm.
  • These had to wait until computer technology
    caught up with the key size to allow for high
    speed testing of all possible keys. This
    happened in the late 1990s.
  • In July of 1997, a process that borrowed time
    from more than 14,000 computers across the
    Internet was able to break a DES key in 90 days.
  • Within six months, the time to break DES in this
    way was reduced to 39 days.
  • In July of 1998 a special machine was built
    called Deep Crack that was able to break a DES
    key in 56 hours.

70
Weak Keys
  • One of the early discoveries was that DES had
    some weak keys.
  • These are keys that generate the same subkey for
    each round.
  • There are four such DES keys
  • 0101 0101 0101 0101
  • FEFE FEFE FEFE FEFE
  • 1F1F 1F1F 0E0E 0E0E
  • E0E0 E0E0 F1F1 F1F1
  • There are also 12 semi-weak DES keys.
  • Semi-weak keys generate only two subkeys which
    alternate rounds.

71
Using CAP
  • CAP provides two tools for running brute force
    attacks against S-DES
  • The first is an attack against a single key
    version of S-DES

72
Meet-in-the-Middle Attack
  • One level of improvement to DES is called
    Triple-DES. Why not simplify the process and use
    Double-DES?
  • The reason is that Double-DES is as easy to break
    as single key DES using a Meet-in-the-Middle
    attack
  • The process involves a known plaintext/ciphertext
    pair
  • If there is enough memory space available,
    encipher the known plaintext with every possible
    key and save each result.
  • Then decipher the ciphertext with every possible
    key and compare each result with the contents of
    memory.
  • If there is a match, then both keys have been
    found.
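S-DES as outlined in the S-DES slides (including the key generation steps) and this slide's meet-in-the-middle procedure run against double S-DES, as an added example that is not the lecture's or CAP's code. The EP and P4 tables and the two S-boxes are the published S-DES tables, which the transcript does not reproduce; the key pair and known plaintexts in the demo are constructed.

```python
# P10 (the slides' PC-1), P8 (PC-2), IP and IP_INV are the bit orders quoted on
# this page. EP, P4, S0 and S1 are the published S-DES tables (not on this page).
P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
IP = (2, 6, 3, 1, 4, 8, 5, 7)
IP_INV = (4, 1, 3, 5, 7, 2, 8, 6)
EP = (4, 1, 2, 3, 2, 3, 4, 1)
P4 = (2, 4, 3, 1)
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))


def permute(value, table, width):
    """Select bits of a width-bit value in table order (bit 1 is the leftmost)."""
    out = 0
    for pos in table:
        out = (out << 1) | ((value >> (width - pos)) & 1)
    return out


def rotl5(half, n):
    return ((half << n) | (half >> (5 - n))) & 0b11111


def subkeys(key10):
    """Key generation: PC-1, shift each half by 1 for subkey 1, by 2 more for subkey 2."""
    k = permute(key10, P10, 10)
    left, right = rotl5(k >> 5, 1), rotl5(k & 0b11111, 1)
    k1 = permute((left << 5) | right, P8, 10)
    left, right = rotl5(left, 2), rotl5(right, 2)
    return k1, permute((left << 5) | right, P8, 10)


def sbox(box, nibble):
    row = ((nibble >> 2) & 0b10) | (nibble & 1)    # first and last bits
    col = (nibble >> 1) & 0b11                     # middle bits
    return box[row][col]


def f(right4, subkey8):
    x = permute(right4, EP, 4) ^ subkey8
    return permute((sbox(S0, x >> 4) << 2) | sbox(S1, x & 0xF), P4, 4)


def crypt(block8, first, second):
    x = permute(block8, IP, 8)
    left, right = x >> 4, x & 0xF
    left, right = right, left ^ f(right, first)    # stage 1, then swap
    left ^= f(right, second)                       # stage 2, no swap
    return permute((left << 4) | right, IP_INV, 8)


def encrypt(block8, key10):
    k1, k2 = subkeys(key10)
    return crypt(block8, k1, k2)


def decrypt(block8, key10):
    k1, k2 = subkeys(key10)
    return crypt(block8, k2, k1)


def double_encrypt(block8, key_a, key_b):
    return encrypt(encrypt(block8, key_a), key_b)


def meet_in_the_middle(pairs):
    """Key pairs consistent with every known (plaintext, ciphertext) pair."""
    p0, c0 = pairs[0]
    middle = {}
    for key_a in range(1024):                      # encipher with every key, save results
        middle.setdefault(encrypt(p0, key_a), []).append(key_a)
    matches = [(key_a, key_b) for key_b in range(1024)      # decipher and compare
               for key_a in middle.get(decrypt(c0, key_b), [])]
    # With an 8-bit block one pair leaves many false matches; the rest filter them.
    return [(a, b) for a, b in matches
            if all(double_encrypt(p, a, b) == c for p, c in pairs[1:])]


if __name__ == "__main__":
    secret = (0b1010000010, 0b0111111101)          # constructed key pair
    known = [(p, double_encrypt(p, *secret)) for p in b"CRYPTO"]
    print("subkeys of first key:", [format(k, "08b") for k in subkeys(secret[0])])
    print("consistent key pairs:", meet_in_the_middle(known))
    print("work: 2 x 1024 trial operations instead of 1024 x 1024")
```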

73
Using CAP
  • CAP will implement a Meet-in-the-Middle attack on
    S-DES

74
Recent Developments
  • There are two new classes of attacks which have
    been developed specifically for SP networks
  • Differential Cryptanalysis
  • Linear Cryptanalysis
  • In addition, there is a class of unexpected
    attacks called Side-Channel Analysis

75
DES S-Box
  • The S-box for DES is designed to produce random
    like outputs
  • Consider the S1 S-box

100101
It is
B 1000
76
S-Box Weakness - Background
  • A weakness in the S-box concept was discovered to
    be its behavior when two different inputs are
    compared
  • If x and x' are the two inputs, there are 64^2 =
    4096 possible pairs (x, x')
  • Define the S-box output to be S(x) and S(x')
  • Consider the relationship between the difference
    of the inputs and the difference of the outputs

77
S-Box Weakness
  • While it is expected that the output difference
    values should be evenly distributed over their
    range, it turns out they are not

NOTE the 0s
78
Interesting Feature
  • Consider one row of the S1 difference table

There are five output differences which never
occur if the input difference is 1: 0, 1, 2, 4, 8
12 of the 64 inputs which produce a difference
of 1 produce an output of A.
This is non-random behavior
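The difference table behind the last three slides, computed rather than read off a figure, as an added example that is not part of the original lecture. The S1 table below is the standard published DES S1 box (the transcript does not reproduce it); the function names are chosen here.

```python
# Standard DES S1 box: 4 rows x 16 columns, entries in decimal.
S1 = (
    (14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7),
    (0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8),
    (4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0),
    (15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13),
)


def s1(x):
    """Look up a 6-bit input: bits 1 and 6 give the row, bits 2 to 5 the column."""
    row = ((x >> 4) & 0b10) | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]


def difference_table():
    """table[dx][dy] = number of inputs x with S(x) XOR S(x XOR dx) == dy."""
    table = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for x in range(64):
            table[dx][s1(x) ^ s1(x ^ dx)] += 1
    return table


def inputs_for(dx, dy):
    """The inputs x that turn input difference dx into output difference dy."""
    return [x for x in range(64) if s1(x) ^ s1(x ^ dx) == dy]


def impossible_outputs(dx):
    """Output differences that never occur for input difference dx."""
    row = difference_table()[dx]
    return [dy for dy in range(16) if row[dy] == 0]


if __name__ == "__main__":
    table = difference_table()
    print("S1(100101) =", format(s1(0b100101), "04b"))
    print("row for input difference 1:", table[1])
    print("never-occurring output differences:",
          [format(dy, "X") for dy in impossible_outputs(1)])
    print("inputs giving output difference A:", len(inputs_for(1, 0xA)))
    # An evenly distributed row would hold 64 / 16 = 4 in every cell.
    print("largest entry outside the dx = 0 row:", max(max(r) for r in table[1:]))
```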
79
Finding the Key 1
  • Say, we know two inputs to S1 (01 and 35) such
    that the differential input to box S1 is 34 and
    the differential output is D

From the differential table, there are only 8
ways 34 can map to D
From the construction of the table, those 8 ways
imply that K xor the input must be 06, 10, 16,
1C, 22, 24, 28, 32
Therefore K xor either 01 or 35 must be one of
these 8 values, then K must be
80
Finding the Key 2
  • Say, we know two other inputs to S1 (21 and 15)
    such that the differential input to box S1 is 34
    and the differential output is 3

From the differential table, there are only 6
ways 34 can map to 3
From the construction of the table, those 6 ways
imply that K xor the input must be 01, 02, 15,
21, 35, 36
Therefore K xor either 21 or 15 must be one of
these 6 values, then K must be
81
Finding the Key 3
  • The actual key must be in both sets

33, 25, 23, 29, 17, 11, 1D, 07 and 14, 17,
00, 34, 29, 33
RESULT 17, 33
Try other differentials until a single key is
found.
82
Linear Cryptanalysis
  • Linear cryptanalysis is a powerful tool to use
    against SP networks developed in the early 90s
  • It requires discovering an approximate linear
    relationship between the plaintext, the
    ciphertext and the key that holds more than half
    the time
  • Then guess some key bits and verify that the
    linear relationship holds - if it does then your
    guess is correct
  • Used to find a subset of key bits, then do a
    brute force attack on the remaining bits

83
Side Channel Analysis
  • It turns out that information about the operation
    of the underlying cipher can be leaked by
    observing certain performance characteristics.
  • These are called side channel attacks.
  • For example, when a key bit of 1 is being
    processed the chip draws more power from the
    power supply.
  • By monitoring the power drain, the key bits can
    actually be exposed.
  • There is also a timing version of this attack
    which monitors the number of microseconds it
    takes to complete the algorithm.
  • The timing values will expose parts of the key as
    well.

84
Summary
  • History
  • RC4 Algorithm
  • Introduction to Block Ciphers
  • DES and AES (and others)
  • Cryptanalysis of Block Ciphers
  • Differential Cryptanalysis
  • Linear Cryptanalysis
  • Side Channel Attacks