Security of Block Ciphers - Kazuo Sakiyama - E-Book

Kazuo Sakiyama

Description

A comprehensive evaluation of information security analysis spanning the intersection of cryptanalysis and side-channel analysis

* Written by authors known within the academic cryptography community, this book presents the latest developments in current research
* Unique in its combination of both algorithmic-level design and hardware-level implementation; this all-round approach - algorithm to implementation - covers security from start to completion
* Deals with AES (Advanced Encryption Standard), one of the most used symmetric-key ciphers, which helps the reader to learn the fundamental theory of cryptanalysis and practical applications of side-channel analysis


Page count: 475

Year of publication: 2015




Table of Contents

Cover

Title Page

Copyright

Preface

Book Organization

About the Authors

Chapter 1: Introduction to Block Ciphers

1.1 Block Cipher in Cryptology

1.2 Boolean Function and Galois Field

1.3 Linear and Nonlinear Functions in Boolean Algebra

1.4 Linear and Nonlinear Functions in Block Cipher

1.5 Advanced Encryption Standard (AES)

Further Reading

Chapter 2: Introduction to Digital Circuits

2.1 Basics of Modern Digital Circuits

2.2 Classification of Signals in Digital Circuits

2.3 Basics of Digital Logics and Functional Modules

2.4 Memory Modules

2.5 Signal Delay and Timing Analysis

2.6 Cost and Performance of Digital Circuits

Further Reading

Chapter 3: Hardware Implementations for Block Ciphers

3.1 Parallel Architecture

3.2 Loop Architecture

3.3 Pipeline Architecture

3.4 AES Hardware Implementations

Further Reading

Chapter 4: Cryptanalysis on Block Ciphers

4.1 Basics of Cryptanalysis

4.2 Differential Cryptanalysis

4.3 Impossible Differential Cryptanalysis

4.4 Integral Cryptanalysis

Further Reading

Chapter 5: Side-Channel Analysis and Fault Analysis on Block Ciphers

5.1 Introduction

5.2 Basics of Side-Channel Analysis

5.3 Side-Channel Analysis on Block Ciphers

5.4 Basics of Fault Analysis

5.5 Fault Analysis on Block Ciphers

Acknowledgment

Bibliography

Chapter 6: Advanced Fault Analysis with Techniques from Cryptanalysis

6.1 Optimized Differential Fault Analysis

6.2 Impossible Differential Fault Analysis

6.3 Integral Differential Fault Analysis

6.4 Meet-in-the-Middle Fault Analysis

Further Reading

Chapter 7: Countermeasures against Side-Channel Analysis and Fault Analysis

7.1 Logic-Level Hiding Countermeasures

7.2 Logic-Level Masking Countermeasures

7.3 Higher Level Countermeasures

Bibliography

Index

End User License Agreement



List of Illustrations

Chapter 1: Introduction to Block Ciphers

Figure 1.1 Basic model for a symmetric-key cryptosystem

Figure 1.2 Block cipher design strategy. Nonlinear operations and linear operations are alternately applied

Figure 1.3 Substitution-permutation network. Popular choices of size and type of nonlinear operations

Figure 1.4 An example of linear layer consisting of three linear operations. Nonlinear layer is supposed to update data in eight parts independently

Figure 1.5 Three algorithms of AES

Figure 1.6 High-level computation structure of the encryption of AES-128. and denote the round function and KSF, respectively. is the last round function, which is different from the other rounds

Figure 1.7 AES state. Each cell denotes a byte

Figure 1.8 Key schedule function of AES-128. The key schedule function is iterated for

Figure 1.9 ShiftRows operation

Figure 1.10 Key schedule function of AES-192. The key schedule function is iterated until 13 subkeys are generated

Figure 1.11 Key schedule function of AES-256. The key schedule function is iterated until 15 subkeys are generated

Figure 1.12 Notations for each state of AES-128

Figure 1.13 Notations for inside AES state

Chapter 2: Introduction to Digital Circuits

Figure 2.1 An overview of synchronous-style design flow

Figure 2.2 Hierarchical structure in digital circuit design

Figure 2.3 Image of clock skew

Figure 2.4 One-bit full adder module and its corresponding combinatorial logics

Figure 2.5 8-bit ripple-carry adder based on FAs

Figure 2.6 Pseudo Verilog code for 8-bit ripple-carry adder

Figure 2.7 DFF with asynchronous reset

Figure 2.8 State of DFF when (reset is provided)

Figure 2.9 State change in DFF for a normal operation,

Figure 2.10 Pseudo Verilog code for 8-bit up counter

Figure 2.11 Timing waveform for 8-bit up counter

Figure 2.12 State machine for an encryption hardware of a 10-round block cipher

Figure 2.13 Pseudo Verilog code for FSM for an encryption hardware of a 10-round block cipher

Figure 2.14 Simplified state machine for an encryption hardware of a 10-round block cipher

Figure 2.15 Pseudo Verilog code for encryption of a 10-round block cipher

Figure 2.16 Example for read operation of single-port SRAM

Figure 2.17 Example for write operation of single-port SRAM

Figure 2.18 Setup time and hold time

Figure 2.19 Condition for satisfying setup time

Figure 2.20 Condition for satisfying hold time

Figure 2.21 Example of hold buffer

Figure 2.22 Example circuit for timing analysis

Chapter 3: Hardware Implementations for Block Ciphers

Figure 3.1 Parallel architecture of four 8-bit additions

Figure 3.2 Serial architecture for 32-bit adder (multi-cycle carry-ripple adder)

Figure 3.3 Parallelized architecture for 32-bit adder (carry-select adder)

Figure 3.4 Loop architecture

Figure 3.5 Straightforward (loop-unrolled) implementation of 8-operand modular addition

Figure 3.6 Optimized implementation of 8-operand modular addition

Figure 3.7 Loop architecture for 8-operand modular addition

Figure 3.8 Four-stage architecture for the round function, f

Figure 3.9 Four-stage pipeline architecture for 10-round encryption

Figure 3.10 Timing waveform for four-stage pipelined 10-round encryption

Figure 3.11 Straightforward implementation for AES-128 encryption

Figure 3.12 Straightforward implementation for AES-128 decryption

Figure 3.13 Straightforward implementation for AES-128 decryption with modified key scheduling

Figure 3.14 Loop architecture (I) for AES-128 encryption

Figure 3.15 Timing waveform for loop architecture in Figure 3.14

Figure 3.16 Loop architecture (II) for AES-128 encryption

Figure 3.17 Timing waveform for loop architecture in Figure 3.16

Figure 3.18 High-throughput pipeline architecture for AES-128

Figure 3.19 Pipeline in the round operation

Figure 3.20 Round operation with 32-bit or 4-byte datapath

Chapter 4: Cryptanalysis on Block Ciphers

Figure 4.1 Model of block cipher

Figure 4.2 Indistinguishability

Figure 4.3 Chosen ciphertext attack accessing decryption oracle

Figure 4.4 Brute force attack for

Figure 4.5 Codebook attack

Figure 4.6 Illustration of difference

Figure 4.7 Mixing key and plaintext in AES

Figure 4.8 Comparison of analysis with value and with difference

Figure 4.9 Computing output difference in a linear computation L

Figure 4.10 Differential propagation over a rotation operation

Figure 4.11 Differential propagation for linear operations of AES round function

Figure 4.12 Differential propagation for AES one round

Figure 4.13 Differential propagation for AES two rounds

Figure 4.14 Differential characteristic for AES three rounds with probability

Figure 4.15 Framework of the key recovery attack

Figure 4.16 Histogram of subkey guess reaching

Figure 4.17 Converting subkey value to original key value

Figure 4.18 Key recovery attack against four-round AES

Figure 4.19 Signal-to-noise ratio

Figure 4.20 Recovery of the right half of

Figure 4.21 Key recovery with 6-byte guess of

Figure 4.22 Look-up table returning all solutions for S-box

Figure 4.23 Efficient key suggestions derivation

Figure 4.24 Proof of minimum number of active S-boxes for AES four rounds. Gray byte shows an example of the differential propagation for and

Figure 4.25 Mechanism of impossible differential cryptanalysis

Figure 4.26 Impossible differential characteristic for 3.5-round AES. Gray bytes denote active bytes. During the differential trace in forwards, active bytes are colored in light gray. During the differential trace in backwards, active bytes are colored in dark gray

Figure 4.27 Another impossible differential characteristic for 3.5-round AES

Figure 4.28 Key recovery attack for five-round AES

Figure 4.29 Efficient derivation of wrong subkey suggestions

Figure 4.30 Reducing key space

Figure 4.31 Key recovery attack for five-round AES with different active-byte positions

Figure 4.32 3.5-Round basic impossible differential characteristic for seven-round attack

Figure 4.33 Key recovery attack for seven-round AES

Figure 4.34 Two-round simple extension after the distinguisher

Figure 4.35 Equivalent transformation of subkey addition. The order of and is exchanged

Figure 4.36 Basic set of plaintexts for integral cryptanalysis

Figure 4.37 Plaintexts set after XORing subkey

Figure 4.38 Plaintexts set after the operation

Figure 4.39 Plaintexts set after the operation

Figure 4.40 Integral property for 2.5-round AES

Figure 4.41 Integral property for three-round AES

Figure 4.42 Key recovery attack against five-round AES. Guessed 4 bytes of and 4 bytes of are stressed by bold lines. With those guesses, several bytes of the internal state marked by light gray color can be computed

Figure 4.43 Idea of the higher-order (second-order) integral property

Figure 4.44 Higher-order integral property for four-round AES sets of 256 plaintexts are generated with values of at state . This involves all the values for the first column at state

Figure 4.45 Key recovery attack against six-round AES. Guessed 4 bytes of and 4 bytes of are stressed by bold lines. With those guesses, several bytes of the internal state marked by light gray color can be computed

Chapter 5: Side-Channel Analysis and Fault Analysis on Block Ciphers

Figure 5.1 Category of physical attacks

Figure 5.2 General structure of IC chip

Figure 5.3 Passive and active attacks

Figure 5.4 Cryptanalysis compared to side-channel analysis and fault analysis

Figure 5.5 Main channel and side channel for block ciphers

Figure 5.6 Trade-offs in side-channel analysis

Figure 5.7 General procedures of side-channel analysis

Figure 5.8 Profiling side-channel analysis

Figure 5.9 Nonprofiling side-channel analysis

Figure 5.10 Concept of divide-and-conquer algorithm

Figure 5.11 A typical power measurement setup

Figure 5.12 Illustration of observed data for power measurement setup shown in Figure 5.11

Figure 5.13 Power consumption trace example for hardware implementation of AES

Figure 5.14 Data measurement of power analysis

Figure 5.15 Attack illustration of simple power analysis

Figure 5.16 General key recovery algorithms for differential power analysis

Figure 5.17 Hardware architecture of last round of AES-pprm1 and AES-comp

Figure 5.18 Hardware architecture of AES-pprm1 S-box

Figure 5.19 Hardware architecture of AES-comp S-box

Figure 5.20 Two mean traces of AES-pprm1 after group separation using single-bit model

Figure 5.21 Difference between two mean traces of AES-pprm1 using single-bit model

Figure 5.22 Zoomed Figure 5.23 in last 2 clock cycles

Figure 5.23 Nine mean traces of AES-pprm1 after group separation using HW model

Figure 5.24 Zoomed Figure 5.23 in last two clock cycles

Figure 5.25 Zoomed Figure 5.23 around 1.83 µs

Figure 5.26 Nine mean traces of AES-pprm1 after group separation using HD model

Figure 5.27 Zoomed Figure 5.26 in last two clock cycles

Figure 5.28 Zoomed Figure 5.26 around 1.83 µs

Figure 5.29 Two mean traces of AES-comp after group separation using single-bit model

Figure 5.30 Difference between two mean traces of AES-comp using single-bit model

Figure 5.31 Zoomed Figure 5.23 in last two clock cycles

Figure 5.32 Nine mean traces of AES-comp after group separation using HW model

Figure 5.33 Zoomed Figure 5.32 in last two clock cycles

Figure 5.34 Zoomed Figure 5.32 around 1.83 µs

Figure 5.35 Nine mean traces of AES-comp after group separation using HD model

Figure 5.36 Zoomed Figure 5.35 around 1.83 µs

Figure 5.36 Zoomed Figure 5.35 in last two clock cycles

Figure 5.38 Data processing for each key guess in single-bit DPA

Figure 5.39 Key identification in single-bit DPA

Figure 5.40 Single-bit DPA result targeting for AES-pprm1

Figure 5.41 Zoomed Figure 5.40 in last two clock cycles

Figure 5.42 Single-bit DPA result targeting for AES-comp

Figure 5.43 Zoomed Figure 5.42 in last two clock cycles

Figure 5.44 HW-model-based DPA result targeting for AES-pprm1

Figure 5.45 Zoomed Figure 5.44 in last two clock cycles

Figure 5.46 HW-model-based DPA result targeting for AES-comp

Figure 5.47 Zoomed Figure 5.46 in last two clock cycles

Figure 5.48 Zero-value analysis result targeting for AES-pprm1

Figure 5.49 Zoomed Figure 5.48 in last two clock cycles

Figure 5.50 Zero-value analysis result targeting for on AES-comp

Figure 5.51 Zoomed Figure 5.50 in last two clock cycles

Figure 5.52 CPA result targeting first key byte for AES-pprm1

Figure 5.53 Zoomed Figure 5.52 in last two clock cycles

Figure 5.54 CPA result targeting first key byte for AES-comp

Figure 5.55 Zoomed Figure 5.54 in last two clock cycles

Figure 5.56 Clockwise collision analysis result targeting for AES-pprm1

Figure 5.57 Zoomed Figure 5.56 in last two clock cycles

Figure 5.58 Clockwise collision analysis result targeting for AES-comp

Figure 5.59 Zoomed Figure 5.58 in last two clock cycles

Figure 5.60 Principle of data collision inside an intermediate value at last round of AES

Figure 5.61 Correlation-enhanced power analysis collision attack result targeting for AES-pprm1

Figure 5.62 Zoomed Figure 5.61 in last two clock cycles

Figure 5.63 Correlation-enhanced power analysis collision attack result targeting for AES-comp

Figure 5.64 Zoomed Figure 5.63 in last two clock cycles

Figure 5.65 Signal transitions without setup-time violation

Figure 5.66 Setup-time violation by increasing path delay

Figure 5.67 Setup-time violation by decreasing the clock period

Figure 5.68 Setup-time violation based on under-power fault injection

Figure 5.69 Setup-time violation based on illegal clock supply

Figure 5.70 Example of laser fault injection platform

Figure 5.71 Overview of differential fault analysis

Figure 5.72 Propagation patterns for each column of calculation

Figure 5.73 Propagation of active bytes in one-round operation (encryption direction)

Figure 5.74 Propagation of active bytes in one-round operation (decryption direction)

Figure 5.75 Propagation of active bytes for AES-128

Figure 5.76 Fault injection intensity for illegal clock signal

Figure 5.77 Fault sensitivity measured as critical fault injection intensity

Figure 5.78 Example of data dependency of path delays

Chapter 6: Advanced Fault Analysis with Techniques from Cryptanalysis

Figure 6.1 Differential propagation for four classes of faulty byte position at

Figure 6.2 Recovery of 4 bytes of for class 1

Figure 6.3 Differential propagation against modified AES

Figure 6.4 Impossibility of straightforward recovery of for class 1

Figure 6.5 Storing internal state values for each diagonal against modified AES

Figure 6.6 DFA against modified AES with equivalent transformation of subkey addition

Figure 6.7 Differential propagation for impossible DFA

Figure 6.8 Key recovery mechanism of impossible DFA

Figure 6.9 Differential propagation for impossible DFA with fixed faulty byte position. The Figure describes the case in which the byte has a fault. The attack can work for any byte position as long as the faulty byte position is fixed. Moreover, the attacker does not have to know the faulty byte position as long as it is fixed.

Figure 6.10 Integral property for integral DFA in bit fault model

Figure 6.11 Key recovery procedure for integral DFA

Figure 6.12 Propagation of distinct property

Figure 6.13 Integral property for integral DFA in random byte fault model

Figure 6.14 Integral property for integral DFA in random byte fault model

Figure 6.15 Illustration of coupon collector's problem

Figure 6.16 Probability evaluation of generalized coupon collector's problem

Figure 6.17 Target structure of meet-in-the-middle attacks

Figure 6.18 Key recovery procedure of meet-in-the-middle attacks

Figure 6.19 Differential propagation in MitM DFA

Figure 6.20 Ratio of 4-byte differences in a column

Figure 6.21 Independent partial decryption with 5-byte guess

Figure 6.22 Key recovery procedure of MitM DFA

Chapter 7: Countermeasures against Side-Channel Analysis and Fault Analysis

Figure 7.1 Countermeasures for side-channel analysis and fault analysis

Figure 7.2 Example circuit with WDDL technique (state 0, precharge phase)

Figure 7.3 Example circuit with WDDL technique (state A, evaluation phase)

Figure 7.4 Example circuit with WDDL technique (state B, evaluation phase)

Figure 7.5 The WDDL-NAND gate for zero-precharge case

Figure 7.6 The WDDL-AND, WDDL-NOR, and WDDL-INV gates

Figure 7.7 Pseudo-Verilog code for WDDL NAND, NOR, and INV gates

Figure 7.8 Precharge logics for circuits with WDDL gates

Figure 7.9 Pseudo-Verilog code for DFF with precharge logics (DFFP)

Figure 7.10 Signal toggles for (a) charge and (b) discharge of WDDL gates

Figure 7.11 Wire load capacitance in WDDL gate

Figure 7.13 Re-masking of n-bit signal

Figure 7.14 Unmasking of n-bit signal

Figure 7.15 Masked AND gate

Figure 7.16 Pseudo-Verilog code for masked AND gate

Figure 7.17 Standard-cell-based RSL-NAND

Figure 7.18 Pseudo-Verilog code for RSL-NAND gate

Figure 7.19 Two RSL NAND connected in sequence

Figure 7.20 Shared AND gate with TI technique

Figure 7.21 Pseudo-Verilog code for shared AND gate with TI technique

Figure 7.22 Masked modular multiplication in

Figure 7.23 Pseudo-Verilog code for masked multiplier in

List of Tables

Preface

Table 1 Main Author

Chapter 1: Introduction to Block Ciphers

Table 1.1 Truth Table for basic operators

Table 1.2 Operations over

Table 1.3 Operations over

Table 1.4 Representations of elements for irreducible polynomial in

Table 1.5 An example of 4-bit to 4-bit S-box,

Table 1.6 AES S-box

Table 1.7 AES inverse S-box

Chapter 2: Introduction to Digital Circuits

Table 2.1 Truth Table of DFF with asynchronous reset

Table 2.2 State transitions of FSM shown in Figure 2.8

Table 2.3 State transitions for Figure 2.13

Table 2.4 Features of SRAM, Register File, and DFF

Chapter 4: Cryptanalysis on Block Ciphers

Table 4.1 Key size and block size of widely used block ciphers

Table 4.2 A 4-bit to 4-bit function

Table 4.3 Output difference of when input difference is 5

Table 4.4 Differential distribution Table of

Chapter 5: Side-Channel Analysis and Fault Analysis on Block Ciphers

Table 5.1 A cipher example for attack simulation

Table 5.2 Signal transitions and path delay for AND gate

SECURITY OF BLOCK CIPHERS

FROM ALGORITHM DESIGN TO HARDWARE IMPLEMENTATION

Kazuo Sakiyama

The University of Electro-Communications, Japan

Yu Sasaki

NTT Secure Platform Laboratories, Japan

Yang Li

Nanjing University of Aeronautics and Astronautics, China

This edition first published 2015

© 2015 John Wiley & Sons Singapore Pte. Ltd.

Registered office

John Wiley & Sons Singapore Pte. Ltd., 1 Fusionopolis Walk, #07-01 Solaris South Tower, Singapore 138628.

For details of our global editorial offices, for customer services and for information about how to apply for permission to reuse the copyright material in this book please see our website at www.wiley.com.

All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as expressly permitted by law, without either the prior written permission of the Publisher, or authorization through payment of the appropriate photocopy fee to the Copyright Clearance Center. Requests for permission should be addressed to the Publisher, John Wiley & Sons Singapore Pte. Ltd., 1 Fusionopolis Walk, #07-01 Solaris South Tower, Singapore 138628, tel: 65-66438000, fax: 65-66438008, email: [email protected].

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. The Publisher is not associated with any product or vendor mentioned in this book. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the understanding that the Publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional should be sought.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. It is sold on the understanding that the publisher is not engaged in rendering professional services and neither the publisher nor the author shall be liable for damages arising herefrom. If professional advice or other expert assistance is required, the services of a competent professional should be sought.

Library of Congress Cataloging-in-Publication Data

Sakiyama, Kazuo, 1971-

Security of block ciphers : from algorithm design to hardware implementation / Kazuo Sakiyama, Yu Sasaki, Yang Li.

pages cm

Includes bibliographical references and index.

ISBN 978-1-118-66001-0 (cloth)

1. Computer security–Mathematics. 2. Data encryption (Computer science) 3. Ciphers. 4. Computer algorithms. I. Sasaki, Yu. II. Li, Yang, 1986- III. Title.

QA76.9.A25S256 2015

005.8′2–dc23

2015019381

Preface

The main purpose of this book is to offer a fundamental understanding of the security of block ciphers and of their implementation. Nowadays, research fields in computer science and engineering have a vast scope, and cryptology deals with various topics in information security. In order to understand the cutting-edge technology and science that underlie cryptology, the block cipher is one of the best-suited targets from both theoretical and practical points of view. In order to offer learning materials that fill the gap between the theory and practice of block cipher security, our focus goes to cryptanalysis, side-channel analysis, and fault analysis against block ciphers rather than covering all the security issues of block ciphers. AES is currently one of the most researched block ciphers in academia and is widely used both in government and in commerce. Considering this fact, the explanations in this book are mainly oriented to the security of AES. In addition, AES is one of the best choices for building up all the discussions from algorithm design to hardware implementation, which is very helpful for readers to follow and to understand the basic ideas that can be applied to other block ciphers.

Book Organization

This book is intended as a textbook for undergraduate and graduate students who want a big-picture understanding of block ciphers from algorithm to implementation. The contents also include essential knowledge that is useful for cryptographers who are not familiar with hardware, and for hardware researchers who are not familiar with the security of block ciphers. This book consists of seven chapters, and each chapter is written by the main authors listed in Table 1.

Table 1 Main Author

Chapter Number: Chapter Title

KS

YS

YL

1: Introduction to Block Ciphers

X

X

2: Introduction to Digital Circuits

X

3: Hardware Implementations for Block Ciphers

X

4: Cryptanalysis on Block Ciphers

X

5: Side-Channel Analysis and Fault Analysis on Block Ciphers

X

X

6: Advanced Fault Analysis with Techniques from Cryptanalysis

X

7: Countermeasures against Side-Channel Analysis and Fault Analysis

X

X

For the purpose of helping readers to understand the chapters, we have prepared several exercises. Some exercises are easy, and suitable for testing the comprehension of each individual learner. Some exercises are moderately difficult, and therefore readers might consider working in a small group as they would on a mini project.

There are several (sub)sections whose titles have a mark “†” at the end. They require knowledge about advanced-level techniques to understand and implement the analysis methods. Readers who find it difficult to follow them are recommended to skip them at the first reading, and focus on understanding the essential concepts of cryptanalysis and side-channel analysis from other sections.

We hope that the readers will enjoy the world of block cipher security and open new horizons through this fantastic field of study.

Kazuo Sakiyama, Yu Sasaki, Yang Li

About the Authors

Kazuo Sakiyama is currently a faculty member in the Department of Informatics at the University of Electro-Communications, Tokyo. He received his Ph.D. degree in electrical engineering from the Katholieke Universiteit Leuven, Belgium, in 2007. From 1996 to 2004, he was with the Semiconductor and IC Division, Hitachi, Ltd., and was engaged in designing system-on-chip LSIs. His current research interests include information security, hardware security, and security analysis of cryptographic modules.

Yu Sasaki received his Ph.D. degree in engineering from the University of Electro-Communications, Tokyo, in 2010. He is currently a member of NTT Secure Platform Laboratories. He has been working with NTT since 2005. His current research interests include cryptography, especially the design and security analysis of symmetric-key cryptography.

Yang Li received his Ph.D. degree in engineering from the Faculty of Informatics and Engineering of the University of Electro-Communications, Tokyo, in 2012. He is currently an associate professor in the College of Computer Science and Technology at Nanjing University of Aeronautics and Astronautics, China. His main research interests include security evaluation and improvement for cryptographic hardware and embedded systems.

Chapter 1: Introduction to Block Ciphers

1.1 Block Cipher in Cryptology

1.1.1 Introduction

Depending on the application, information includes private data that we want to protect from unwanted leakage. Cryptology is the field of research that offers appropriate solutions for such data protection by exploring how to construct secure communication for fair information exchange. Modern cryptology mostly deals with digitized data rather than analog data, which cannot be expressed simply as a series of 0s and 1s. In our daily life, information is exchanged by digital devices such as radio frequency identification (RFID) tags, smart cards, and smart phones, whose computational resources are limited. Therefore, one of the most important challenges in cryptology is to realize efficient implementations of cryptosystems.

Figure 1.1 Basic model for a symmetric-key cryptosystem

1.1.2 Symmetric-Key Ciphers

There are various ways to realize encryption, which is a computational process applied to information that is to be protected. In a symmetric-key cipher, information is encrypted with a secret key, and it is expected that the owner of the secret key can decrypt the encrypted information correctly. For instance, consider the situation where Alice would like to send a message to Bob in a secure way. If the secret key, K, is shared only between Alice and Bob, only Bob can recover the message from the encrypted message. The original and the encrypted messages are called and , respectively. Figure 1.1 illustrates the encryption and decryption processes.
