

DES
  • Description: Feistel, S-box
  • Exhaustive Search, DC and LC
  • Modes of Operation

AES
  • Description: SPN, Branch number
  • Security and Efficiency
  • Modes of Operation

Other Ciphers
  • Linear layer
  • Confusion layer

DES (Data Encryption Standard)

http://en.wikipedia.org/wiki/Data_Encryption_Standard


• Confusion:
  The ciphertext statistics should depend on the plaintext statistics in a manner too complicated to be exploited by the enemy cryptanalyst.

• Diffusion:
  Each digit of the plaintext should influence many digits of the ciphertext, and/or each digit of the secret key should influence many digits of the ciphertext.

• Block cipher:
  ◦ A repetition of confusion (substitution) and diffusion (permutation)
  ◦ Iteration: weak → strong

(Claude Shannon)


Definition:

Let Bn denote the set of bit strings of length n. A block cipher is an encryption algorithm E such that EK is a permutation of Bn for each key K.

Characteristics
  ◦ Based on Shannon's theorem (1949)
  ◦ Same P => same C (deterministic for a fixed key)
  ◦ |P| = |C| ≥ 64 bits; |P| ≠ |K|, |K| ≥ 56 bits
  ◦ Memoryless configuration
  ◦ Operates as a stream cipher depending on the mode
  ◦ Shortcut cryptanalysis (DC, LC, etc.) in the '90s

* DC: Differential Cryptanalysis, LC: Linear Cryptanalysis










Design requirements for DES (Federal Register, May 15, 1973)
  • Provide a high level of security
  • Completely specified and easy to understand
  • Security must depend on the hidden key, not on the algorithm
  • Available to all users
  • Adaptable for use in diverse applications
  • Economically implementable in electronic devices
  • Efficient to use
  • Able to be validated
  • Exportable
DES
  • Based on Lucifer (1972)
  • Developed by IBM, with NSA intervention
  • Adopted as a Federal Standard by NIST, revised every 5 years (~'98)
  • 64-bit block cipher, 56-bit key
  • 16 rounds; nonlinearity: S-box
  • Cryptanalysis such as DC, LC, etc. after 1992

* DC: Differential Cryptanalysis, LC: Linear Cryptanalysis




Involution
  ◦ If we apply its operation 2 times, it returns to the original value, i.e., f(f(x)) = x.
  ◦ A function of the type f^-1(x) = f(x).

[Figure: panels (a)-(d), each mapping inputs x1, x2 to outputs y1, y2; the recoverable equations are]
  y1 = x1 ⊕ x2,        y2 = x2
  y1 = x1 ⊕ g(x2),     y2 = x2
  y1 = x1 ⊕ g(x2, k),  y2 = x2
[Figure: DES overall structure]
  Round function: P (64 bits) → IP → L0 (32), R0 (32) → 16 rounds of f with the round keys → R16, L16 → FP → C (64 bits)
  Key scheduling: K (64 bits) → PC-1 → 56 bits → Rot → PC-2 → round key; Rot and PC-2 are repeated for each of the 16 rounds

* Decryption is done by executing the round keys in the reverse order.
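The two facts just stated, that each Feistel round is an involution and that decryption is encryption with the round keys reversed, as an added example that is not part of the slides. The round function g() and toy_key_schedule() are stand-ins of this example's own, not DES's f, PC-1 or PC-2; only the Feistel structure (split, round, swap, cancelled final swap) follows the figure.

```python
# Added example (not from the slides): a generic Feistel network with a toy round
# function and toy key schedule. It checks the two facts stated above: one Feistel
# round is an involution (applying it twice gives back the input), and decryption
# is the same code run with the round keys in reverse order.
# Assumptions: g() and toy_key_schedule() are stand-ins, not DES's f, PC-1 or PC-2.
import hashlib

MASK32 = 0xFFFFFFFF


def g(right: int, round_key: int) -> int:
    """Toy 32-bit round function; it need not be invertible (assumption, not DES f)."""
    data = right.to_bytes(4, "big") + round_key.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def feistel_round(left: int, right: int, round_key: int):
    """Diagram (d): y1 = x1 XOR g(x2, k), y2 = x2. No swap here."""
    return left ^ g(right, round_key), right


def round_is_involution(left: int, right: int, round_key: int) -> bool:
    """f(f(x)) == x: the round undoes itself because XORing g(x2, k) twice cancels."""
    l1, r1 = feistel_round(left, right, round_key)
    return feistel_round(l1, r1, round_key) == (left, right)


def encrypt_block(block: int, round_keys) -> int:
    """DES-style: split, apply (round, swap) per subkey, undo the final swap."""
    left, right = (block >> 32) & MASK32, block & MASK32
    for k in round_keys:
        left, right = feistel_round(left, right, k)   # involution
        left, right = right, left                      # swap, also an involution
    left, right = right, left                          # DES cancels the swap after round 16
    return (left << 32) | right


def decrypt_block(block: int, round_keys) -> int:
    """Identical to encryption; only the round key order is reversed.
    It works because the cipher is a composition of involutions, and the inverse
    of such a composition is the same involutions applied in the opposite order."""
    return encrypt_block(block, list(reversed(round_keys)))


def toy_key_schedule(key: int, rounds: int = 16):
    """Toy stand-in for PC-1 / rotations / PC-2: 48-bit subkeys by hashing (assumption)."""
    return [int.from_bytes(hashlib.sha256(key.to_bytes(8, "big") + bytes([i])).digest()[:6], "big")
            for i in range(rounds)]


if __name__ == "__main__":
    ks = toy_key_schedule(0x0123456789ABCDEF)   # constructed key
    pt = 0x0011223344556677                      # constructed plaintext block
    ct = encrypt_block(pt, ks)
    print(f"ct = {ct:016x}, round trip ok = {decrypt_block(ct, ks) == pt}")
```

The swap between rounds is itself an involution, which is why the final cancelled swap in DES matters: without it, the reversed-key run would not line up with the forward run.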
FP = IP^-1

IP
  58 50 42 34 26 18 10  2
  60 52 44 36 28 20 12  4
  62 54 46 38 30 22 14  6
  64 56 48 40 32 24 16  8
  57 49 41 33 25 17  9  1
  59 51 43 35 27 19 11  3
  61 53 45 37 29 21 13  5
  63 55 47 39 31 23 15  7

FP
  40  8 48 16 56 24 64 32
  39  7 47 15 55 23 63 31
  38  6 46 14 54 22 62 30
  37  5 45 13 53 21 61 29
  36  4 44 12 52 20 60 28
  35  3 43 11 51 19 59 27
  34  2 42 10 50 18 58 26
  33  1 41  9 49 17 57 25

cf.) The 58th bit of x is the first bit of IP(x).

IP & FP have no cryptanalytic significance.





S-boxes
  • 8 S-boxes (6 -> 4 bits)
  • Each row: a permutation of 0-15
  • 4 rows: the row is chosen by the MSB and LSB of the input
  • Some known design criteria
    ◦ Not linear (affine)
    ◦ Changing any one input bit changes at least two output bits
    ◦ S(x) and S(x ⊕ 001100) differ in at least 2 bits
    ◦ S(x) ≠ S(x ⊕ 11ef00) for any ef ∈ {00, 01, 10, 11}
    ◦ Resistance against DC, etc.
  • The actual design principles have never been revealed (U.S. classified information)


S-box input mapping: the outer two input bits (L R) select the row, the middle four bits select the column.

S1-box
  L R \ col   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0 0        14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
  0 1         0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
  1 0         4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
  1 1        15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13

  S1(1 0111 0) = 11 = (1011)2   (row 10 = 2, column 0111 = 7)

S2-box
  15  1  8 14  6 11  3  4  9  7  2 13 12  0  5 10
   3 13  4  7 15  2  8 14 12  0  1 10  6  9 11  5
   0 14  7 11 10  4 13  1  5  8 12  6  9  3  2 15
  13  8 10  1  3 15  4  2 11  6  7 12  0  5 14  9

  e.g.) S2(010010) = ?

S3-box
  10  0  9 14  6  3 15  5  1 13 12  7 11  4  2  8
  13  7  0  9  3  4  6 10  2  8  5 14 12 11 15  1
  13  6  4  9  8 15  3  0 11  1  2 12  5 10 14  7
   1 10 13  0  6  9  8  7  4 15 14  3 11  5  2 12

S4-box
   7 13 14  3  0  6  9 10  1  2  8  5 11 12  4 15
  13  8 11  5  6 15  0  3  4  7  2 12  1 10 14  9
  10  6  9  0 12 11  7 13 15  1  3 14  5  2  8  4
   3 15  0  6 10  1 13  8  9  4  5 11 12  7  2 14

S4 is more linear than the other S-boxes!
Criticism of DES
  • Short key size: 112 -> 56 bits, by NSA
  • Classified design criteria
  • Revision of the standard every 5 years after 1977 by NIST
  • No longer a standard
Properties of DES
  • (P, C) dependency with a fixed key: complete after 5 rounds
  • (K, C) dependency with a fixed plaintext: complete after 5 rounds
  • Avalanche effect
  • Cyclic test: behaves like a random function
  • Algebraic structure: not a group, i.e., E(K1, E(K2, P)) ≠ E(K3, P)

  • Complementation property: if C = E(K, P), then ~C = E(~K, ~P)   (~ : bitwise complement)
  • Weak keys: 4 keys, with E(K, E(K, P)) = P
  • Semi-weak keys: 12 keys (6 pairs), with E(K1, E(K2, P)) = P
  • Key exhaustive search: 2^55 (the complementation property halves the 2^56 key space)

DES challenge: RSA Data Security Inc.'s protest against US export control ('97)
  ◦ $10,000 ('97) award
  ◦ Key search machine run over the Internet by Rocke Verser (Loveland)
  ◦ 60.1 billion keys per day; succeeded after 18 quadrillion operations and 96 days, 25% of the total of 72 quadrillion (1 quadrillion = 10^15 = 0.1 kyung)
  ◦ 90 MHz, 16 MB memory Pentium (700 million keys/sec)
  ◦ http://www.rsa.com/des/

Distributed.Net + EFF
  ◦ 100,000 PCs on the network
  ◦ 56 hr

EFF (Electronic Frontier Foundation) DES cracker (P. Kocher)
  ◦ http://www.eff.org/DEScracker
  ◦ Special-purpose hardware
  ◦ 22 hr 15 min
  ◦ $250,000

Cost-Optimized Parallel Code Breaker machine by the University of Bochum, Germany, and Kiel
  • 120 commercially available FPGAs of type Xilinx Spartan3-1000 run in parallel
  • $10,000, about 1/4 of the EFF project's cost


Other block ciphers
  • FEAL, GOST, IDEA, LOKI, SKIPJACK, MISTY, SEED
  • TEA (Tiny Encryption Algorithm) for RFID/USN, XTEA, XXTEA
  • ARIA, Serpent, Baseking, BATON, BEAR&LION, C2, Camellia, CAST-128/256, CIPHERUNICORN, CMEA, Cobra, Coconut98, Crypton, DEAL, E2, FROG, G-DES, Hasty Pudding Cipher, Hierocrypt, MULTI2, New Data Seal, SAFER-64/128, SHACAL, Square, Xenon, etc.
  Algorithm   Year   Country       Pt/Ct   Key   Rounds
  DES         1977   USA           64      56    16
  FEAL        1987   Japan         64      64    4, 8, 16, 32
  GOST        1989   Russia        64      256   32
  IDEA        1990   Switzerland   64      128   8
  LOKI        1991   Australia     64      64    16
  SKIPJACK    1990   USA           64      80    32
  MISTY       1996   Japan         64      128   >8
  SEED        1998   Korea         128     128   16
AES (Rijndael)

Joan Daemen and Vincent Rijmen, "The Design of Rijndael, AES – The Advanced Encryption Standard", Springer, 2002, ISBN 3-540-42580-2
FIPS Pub 197, Advanced Encryption Standard (AES), December 04, 2001
Rijndael : variable block and key sizes, AES : fixed (128-bit) block size

  • Block cipher
    ◦ 128-bit blocks
    ◦ 128/192/256-bit keys
  • Worldwide royalty-free
  • More secure than Triple DES
  • More efficient than Triple DES
AES selection process
  ◦ Jan. 2, 1997 : Announcement of intent to develop AES and request for comments
  ◦ Sep. 12, 1997 : Formal call for candidate algorithms
  ◦ Aug. 20-22, 1998 : First AES Candidate Conference (AES1) and beginning of Round 1 evaluation (15 algorithms), Rome, Italy
  ◦ Mar. 22-23, 1999 : Second AES Candidate Conference (AES2), NY, USA; 5 algorithms selected
  ◦ Apr. 2000 : Third AES Candidate Conference (AES3)
  ◦ Sep. 2000 : Final AES selection (Rijndael!)

[Timeline: Jan. 1997 call for algorithms → Aug. 1998 AES1, 15 algorithms → Mar. 1999 AES2, 5 algorithms selected → Apr. 2000 AES3 → winner announced Sep. 2000]

15 algorithms were proposed at the AES1 conference.


After the AES2 conference, NIST selected the following 5 algorithms as the Round 2 candidates.

  Cipher     Submitter                   Structure           Nonlinear component
  MARS       IBM                         Feistel structure   S-box, DD-rotation (data-dependent rotation)
  RC6        RSA Lab.                    Feistel structure   Rotation
  Rijndael   Daemen, Rijmen              SPN structure       S-box
  Serpent    Anderson, Biham, Knudsen    SPN structure       S-box
  Twofish    Schneier et al.             Feistel structure   S-box
Known attacks on the Round 2 candidates

  Alg. (Rounds)                               Structure   Rounds (Key size)   Type of Attack      Texts           Mem. Bytes   Ops
  MARS (16 Mixing (M), 16 Core (C))           Feistel     11C                 Amp. Boomerang      2^65            2^70         2^229
                                                          16M, 5C             Diff. M-i-M         2^50            2^197        2^247
                                                          16M, 5C             Amp. Boomerang      2^69            2^73         2^197
  RC6 (20)                                    Feistel     12                  Stat. Disting.      2^94            2^42         2^119
                                                          14                  Stat. Disting.      2^118           2^112        2^122
                                                          15 (256)            Stat. Disting.      2^119           2^138        2^215
  Rijndael (10 (128), 12 (192), 14 (256))     SPN         6                   Truncated Diff.     2^32            7·2^32       2^72
                                                          7                   Truncated Diff.     2^128 ~ 2^119   2^61         2^120
                                                          8 (256)             Truncated Diff.     2^128 ~ 2^119   2^101        2^204
                                                          9 (256)             Related Key         2^77            NA           2^224
  Serpent (32)                                SPN         6 (256)             Meet-in-Middle      512             2^246        2^247
                                                          6                   Differential        2^71            2^75         2^103
                                                          7 (256)             Differential        2^41            2^126        2^248
                                                          8 (192,256)         Amp. Boomerang      2^113           2^119        2^179
                                                          8 (192,256)         Boomerang           2^122           2^133        2^163
                                                          9 (256)             Amp. Boomerang      2^110           2^212        2^252
  Twofish (16)                                Feistel     6 (256)             Impossible Diff.    NA              NA           2^256
Rijndael: proposed by Joan Daemen and Vincent Rijmen (Belgium)

Design choices
  – Square type
  – Three distinct invertible uniform transformations (layers)
      Linear mixing layer : guarantees high diffusion
      Non-linear layer : parallel application of S-boxes
      Key addition layer : XOR the round key into the intermediate state
  – Initial key addition, final key addition

Representation of state and key
  – Rectangular array of bytes with 4 rows (square type)
  – Nb : number of columns of the state (4~8)
  – Nk : number of columns of the cipher key (4~8)
  – Nb is independent of Nk

[Figure: State (Nb = 6), Key (Nk = 4); Number of rounds (Nr)]







AES
  • Block size: 128 bits
  • Key size: 128/192/256 bits
  • State: 4×4 byte array
  • Component functions
    ◦ ByteSubstitution (BS): S-box, byte-wise substitution
    ◦ ShiftRow (SR): circular shift of the rows
    ◦ MixColumn (MC): linear (branch number: 5)
    ◦ AddRoundKey (ARK): bit-wise key addition
  • MC is omitted in the last round: BS, SR, ARK

[Figure: Input → input whitening → round transformation → output transformation → Output]


Substitution-Permutation Network (SPN)
  ◦ (Invertible) nonlinear layer: confusion
  ◦ (Invertible) linear layer: diffusion

Branch Number
  ◦ Measures the diffusion power of a linear layer
  ◦ Let F be a linear transformation on n words.
  ◦ W(a): the number of nonzero words in a.
  ◦ λ(F) = min_{a≠0} {W(a) + W(F(a))}
  ◦ Rijndael: branch number = 5
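The MixColumn layer named above and its branch number computed from the definition λ(F) = min_{a≠0} {W(a) + W(F(a))} on one column, as an added example that is not part of the slides or of the Rijndael reference implementation. The matrix and the GF(2^8) polynomial are those of FIPS 197; the search strategy (exhaustive over low-weight inputs, with the inverse matrix covering the rest) is this example's own.

```python
# Added example (not from the slides): the AES/Rijndael MixColumn step, its inverse, and
# the branch number lambda(F) = min_{a != 0} {W(a) + W(F(a))} computed from that definition
# for one column. Only the MixColumn matrix and the GF(2^8) polynomial x^8+x^4+x^3+x+1
# from FIPS 197 are used; the search strategy is this example's own.
from itertools import combinations, product


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


# Lookup tables for the constants used by MixColumn (2, 3) and InvMixColumn (9, 11, 13, 14).
MUL = {c: [gf_mul(x, c) for x in range(256)] for c in (2, 3, 9, 11, 13, 14)}


def mix_column(col):
    """One column of MixColumn: multiply by the circulant matrix [2 3 1 1] over GF(2^8)."""
    a0, a1, a2, a3 = col
    m2, m3 = MUL[2], MUL[3]
    return [m2[a0] ^ m3[a1] ^ a2 ^ a3,
            a0 ^ m2[a1] ^ m3[a2] ^ a3,
            a0 ^ a1 ^ m2[a2] ^ m3[a3],
            m3[a0] ^ a1 ^ a2 ^ m2[a3]]


def inv_mix_column(col):
    """InvMixColumn: the inverse circulant matrix [14 11 13 9]."""
    a0, a1, a2, a3 = col
    m9, m11, m13, m14 = MUL[9], MUL[11], MUL[13], MUL[14]
    return [m14[a0] ^ m11[a1] ^ m13[a2] ^ m9[a3],
            m9[a0] ^ m14[a1] ^ m11[a2] ^ m13[a3],
            m13[a0] ^ m9[a1] ^ m14[a2] ^ m11[a3],
            m11[a0] ^ m13[a1] ^ m9[a2] ^ m14[a3]]


def weight(col) -> int:
    """W(a): number of nonzero bytes (words) in the column."""
    return sum(1 for x in col if x)


def min_weight_sum(f, max_input_weight: int) -> int:
    """min over nonzero a with W(a) <= max_input_weight of W(a) + W(f(a)), exhaustively."""
    best = 8
    for w in range(1, max_input_weight + 1):
        for positions in combinations(range(4), w):
            for values in product(range(1, 256), repeat=w):
                col = [0, 0, 0, 0]
                for pos, val in zip(positions, values):
                    col[pos] = val
                best = min(best, w + weight(f(col)))
    return best


def branch_number() -> int:
    """lambda(MixColumn). Inputs of weight 1 and 2 are searched exhaustively (~4*10^5 columns).
    A weight-3 input can only push the sum below 5 through an output of weight 1, and every
    weight-1 output b arises from a = InvMC(b), which the inverse search covers. A weight-4
    input always scores >= 5 because MixColumn is invertible (its output is nonzero)."""
    forward = min_weight_sum(mix_column, 2)
    backward = min_weight_sum(inv_mix_column, 1)
    return min(forward, backward, 5)


if __name__ == "__main__":
    print("MC(db 13 53 45) =", [f"{b:02x}" for b in mix_column([0xDB, 0x13, 0x53, 0x45])])
    print("branch number =", branch_number())
```

A branch number of 5 on a 4-byte column is the maximum possible (an MDS property): a single nonzero input byte spreads to all four output bytes, which is what the slide's "guarantees high diffusion" refers to.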


K-secure
  ◦ No shortcut attacks: no key-recovery attack faster than key exhaustive search
  ◦ No symmetry property such as the complementation property of DES
  ◦ No non-negligible classes of weak keys as in IDEA
  ◦ No related-key attacks

Hermetic
  ◦ No weakness that is not also present in the majority of block ciphers with the same block and key length

Rijndael is K-secure and hermetic.
Modes of Operation

ECB (Electronic CodeBook) mode
  i) Encryption: Ci = EK(Pi), each n-bit block independently
  ii) Decryption: Pi = DK(Ci)
  If Ci = Cj, then DK(Ci) = DK(Cj): equal plaintext blocks produce equal ciphertext blocks.


CBC (Cipher Block Chaining)
  Encryption: Ci = EK(Pi ⊕ Ci-1), with C0 = IV
  Decryption: Pi = DK(Ci) ⊕ Ci-1
  IV : Initialization Vector
  - 2-block error propagation
  - Self-synchronizing
  - If |Pl| ≠ |P| (the last block is short), padding is required
m-bit OFB (Output FeedBack)
  I) Encryption: Ci = Pi ⊕ O(EK), where O(EK) is the m-bit output of EK fed back into its own input (starting from the IV)
  II) Decryption: Pi = Ci ⊕ O(EK)
  - No error propagation
  - Requires external synchronization
  - Stream cipher
  - EK or DK: only one direction of the block cipher is needed
m-bit CFB (Cipher FeedBack)
  I) Encryption: Ci = Pi ⊕ EK(Ci-1), with C0 = IV
  II) Decryption: Pi = Ci ⊕ EK(Ci-1)
  - Error propagation until the erroneous bits have left the feedback buffer
  - Self-synchronizing
  - EK or DK: only one direction of the block cipher is needed


Counter mode
  Ci = Pi ⊕ EK(Ti)
  Pi = Ci ⊕ EK(Ti)
  Ti = ctr + i - 1 mod 2^m
  |P|, |ctr| = m
  Parallel computation: every block uses its own counter value ctr, ctr+1, …, ctr+m-1
CCM mode (Counter with CBC-MAC mode)
  • Ctr + CBC
  • Authenticated encryption by producing a MAC as a part of the encryption process


Use of modes
  ◦ ECB : key management; useless for file encryption
  ◦ CBC : file encryption; useful for MAC
  ◦ m-bit CFB : self-sync; impossible to use on a channel with low BER
  ◦ m-bit OFB : external sync; m = 1, 8 or n
  ◦ Ctr : secret ctr; parallel computation
  ◦ CCM : authenticated encryption
  ◦ Performance degradation / cost trade-off
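The five modes described above written over a generic block-cipher call, followed by a check of the error-propagation claims (two blocks for CBC and full-block CFB, none beyond the hit block for OFB and CTR), as an added example that is not part of the slides. The block cipher underneath is an assumption of this example: a trivial invertible affine map on 64-bit blocks, used only so the code runs without a crypto library; it is not a secure cipher and the key constant is constructed.

```python
# Added example (not from the slides): ECB, CBC, OFB, CFB (full-block, m = n) and CTR
# written over a generic block-cipher call, plus a check of the error-propagation claims
# above: flip one ciphertext bit and see which plaintext blocks decrypt wrongly.
# Assumption: toy_encrypt/toy_decrypt are a deliberately trivial invertible affine map on
# 64-bit blocks so the example runs without a crypto library; they are NOT a secure cipher.
BLOCK = 8
MASK64 = (1 << 64) - 1
TOY_KEY = (0x9E3779B97F4A7C15, 0x2545F4914F6CDD1D)   # constructed: (odd multiplier, addend)


def toy_encrypt(key, block: bytes) -> bytes:
    k_mul, k_add = key                  # odd multiplier => invertible modulo 2^64
    x = int.from_bytes(block, "big")
    return ((x * k_mul + k_add) & MASK64).to_bytes(BLOCK, "big")


def toy_decrypt(key, block: bytes) -> bytes:
    k_mul, k_add = key
    y = int.from_bytes(block, "big")
    return (((y - k_add) * pow(k_mul, -1, 1 << 64)) & MASK64).to_bytes(BLOCK, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data: bytes):
    """Split into n-bit blocks; inputs here are whole blocks (padding is out of scope)."""
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):            # C_i = E_K(P_i): equal blocks give equal ciphertext
    return b"".join(toy_encrypt(key, p) for p in blocks(pt))


def ecb_decrypt(key, ct):
    return b"".join(toy_decrypt(key, c) for c in blocks(ct))


def cbc_encrypt(key, iv, pt):        # C_i = E_K(P_i XOR C_{i-1}), C_0 = IV
    prev, out = iv, []
    for p in blocks(pt):
        prev = toy_encrypt(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):        # P_i = D_K(C_i) XOR C_{i-1}
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor(toy_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def ofb_crypt(key, iv, data):        # O_i = E_K(O_{i-1}); C_i = P_i XOR O_i; same call decrypts
    o, out = iv, []
    for d in blocks(data):
        o = toy_encrypt(key, o)
        out.append(xor(d, o))
    return b"".join(out)


def cfb_encrypt(key, iv, pt):        # C_i = P_i XOR E_K(C_{i-1}), C_0 = IV
    prev, out = iv, []
    for p in blocks(pt):
        prev = xor(p, toy_encrypt(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):        # P_i = C_i XOR E_K(C_{i-1}); still only E_K is used
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor(c, toy_encrypt(key, prev)))
        prev = c
    return b"".join(out)


def ctr_crypt(key, ctr: int, data):  # T_i = ctr + i mod 2^64; C_i = P_i XOR E_K(T_i); parallelisable
    out = []
    for i, d in enumerate(blocks(data)):
        t = ((ctr + i) & MASK64).to_bytes(BLOCK, "big")
        out.append(xor(d, toy_encrypt(key, t)))
    return b"".join(out)


def flip_bit(data: bytes, byte_index: int) -> bytes:
    b = bytearray(data)
    b[byte_index] ^= 0x01
    return bytes(b)


def damaged_blocks(original: bytes, recovered: bytes):
    return [i for i, (a, b) in enumerate(zip(blocks(original), blocks(recovered))) if a != b]


def error_propagation_report(key=TOY_KEY, iv=bytes(range(8)), pt=bytes(range(48))):
    """Flip one bit in ciphertext block 2 (0-based) of a 6-block message and report which
    plaintext blocks come back wrong: 2 blocks for CBC and full-block CFB, 1 for the rest."""
    hit = 2 * BLOCK
    return {
        "ecb": damaged_blocks(pt, ecb_decrypt(key, flip_bit(ecb_encrypt(key, pt), hit))),
        "cbc": damaged_blocks(pt, cbc_decrypt(key, iv, flip_bit(cbc_encrypt(key, iv, pt), hit))),
        "ofb": damaged_blocks(pt, ofb_crypt(key, iv, flip_bit(ofb_crypt(key, iv, pt), hit))),
        "cfb": damaged_blocks(pt, cfb_decrypt(key, iv, flip_bit(cfb_encrypt(key, iv, pt), hit))),
        "ctr": damaged_blocks(pt, ctr_crypt(key, 7, flip_bit(ctr_crypt(key, 7, pt), hit))),
    }
```

The report makes the slide's bullets concrete: CBC and CFB re-synchronize after two blocks, OFB and CTR only corrupt the bit that was hit (so they give no integrity protection at all), and ECB's weakness is visible before any error is injected, since repeated plaintext blocks give repeated ciphertext blocks.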
Differential Cryptanalysis

Introduction
  ◦ Biham and Shamir: CRYPTO '90, CRYPTO '92
  ◦ More efficient than key exhaustive search
  ◦ Chosen plaintext attack
  ◦ O(breaking DES16) ~ 2^47
  ◦ Utilizes the probabilistic distribution between input XOR and output XOR values, iteratively
  ◦ Prompted the publication of the hidden design criteria of DES [Cop92]
  ◦ Applies to other DES-like ciphers
* E. Biham, A. Shamir, "Differential Cryptanalysis of the Data Encryption Standard", Springer-Verlag, 1993
Discard the linear components (IP, FP)
  • Properties of XOR (X' = X ⊕ X*)
    ◦ {E, P, IP} : (P(X))' = P(X) ⊕ P(X*) = P(X')
    ◦ XOR : (X ⊕ Y)' = (X ⊕ Y) ⊕ (X* ⊕ Y*) = X' ⊕ Y'
    ◦ Mixing key : (X ⊕ K)' = (X ⊕ K) ⊕ (X* ⊕ K) = X'
  • Differences (= XOR) pass linearly through linear operations and, in particular, the result is key independent.
[Figure: XOR distribution table (XDT) of an S-box. Inputs X, X* with X' = X ⊕ X* enter Si; outputs Y, Y* leave with Y' = Y ⊕ Y*.]

  • X' ∈ {0, 1, …, 63}, Y' ∈ {0, 1, …, 15}
  • For a given S-box, pre-compute in a table the number of pairs (X, X*) for every (X', Y').
  * Fraction of nonzero entries in the DES S-box tables: 75 ~ 80%
2-round characteristic using S1 (0Cx --> Ex with probability 14/64)

  Input XOR (00 80 82 00 60 00 00 00x)
    Round 1: a' = 60000000x → F → A' = 00808200x = P(E0000000x),  p = 14/64
    Round 2: b' = 0x → F → B' = 0x,  p = 1
  Output XOR (60 00 00 00 00 00 00 00x)

  0110 (leading bits of a') expands to 0C = 001100 at the S1 input; S1 output XOR E = 1110
(1) Choose a suitable plaintext (Pt) XOR.
(2) Get 2 Pts for the chosen Pt XOR and obtain the corresponding Cts by encryption.
(3) From the Pt XOR and the pair of Cts, get the expected output XOR for the S-boxes of the final round.
(4) Count, for each possible subkey of the final round, how many pairs give the estimated output XOR.
(5) The right key is the subkey with the largest number of pairs showing the expected output XOR.
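The XOR distribution table described two slides earlier, reproducing the 0Cx → Ex entry with count 14, followed by steps (1)-(5) run against a single S-box with a 6-bit key XORed onto its input, as an added example that is not part of the slides. S1 is the DES table; the secret key and plaintext pairs are constructed here. With the key on the S-box input, K and K ⊕ X' explain exactly the same pairs, so the procedure ends with two tied candidates rather than one.

```python
# Added example (not from the slides): the XOR distribution table (XDT) of DES S1 as described
# above, reproducing the 0Cx -> Ex entry with count 14 (14/64), followed by the five-step
# procedure run against a single S-box with a 6-bit key XORed onto its input. The secret key
# and the plaintext pairs are constructed here; S1 is the DES table. This is the textbook
# single-S-box exercise, not an attack on DES itself.
S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]


def s1(x: int) -> int:
    row = (((x >> 5) & 1) << 1) | (x & 1)
    return S1[row][(x >> 1) & 0xF]


def xor_distribution_table(sbox):
    """table[X'][Y'] = #{x : S(x) XOR S(x XOR X') = Y'}; every row sums to 64."""
    table = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for x in range(64):
            table[dx][sbox(x) ^ sbox(x ^ dx)] += 1
    return table


def fraction_nonzero(table) -> float:
    cells = [c for row in table for c in row]
    return sum(1 for c in cells if c) / len(cells)


def chosen_plaintext_pairs(secret_key: int, dx: int):
    """Steps (1)-(2): choose the input XOR dx, form every pair (x, x XOR dx) and
    'encrypt' each as y = S1(x XOR K). The key is unknown to the recovery step."""
    pairs = []
    for x1 in range(64):
        x2 = x1 ^ dx
        if x1 < x2:
            pairs.append(((x1, x2), (s1(x1 ^ secret_key), s1(x2 ^ secret_key))))
    return pairs


def recover_subkey(pairs, dy: int):
    """Steps (3)-(5): keep the pairs whose output XOR equals the expected dy, then for every
    6-bit key guess count how many of those pairs it explains. Returns (keys with the most
    votes, vote table). K and K XOR dx always tie, since XORing dx onto the key just swaps
    the two members of each pair."""
    votes = [0] * 64
    right_pairs = [(xs, ys) for xs, ys in pairs if ys[0] ^ ys[1] == dy]
    for (x1, x2), _ in right_pairs:
        for k in range(64):
            if s1(x1 ^ k) ^ s1(x2 ^ k) == dy:
                votes[k] += 1
    top = max(votes)
    return [k for k in range(64) if votes[k] == top], votes


if __name__ == "__main__":
    xdt = xor_distribution_table(s1)
    print("XDT[0C][E] =", xdt[0x0C][0xE], " nonzero fraction =", round(fraction_nonzero(xdt), 3))
    secret = 0b101101                                   # constructed secret subkey
    best, votes = recover_subkey(chosen_plaintext_pairs(secret, 0x0C), 0xE)
    print("candidates:", [f"{k:06b}" for k in best], "votes:", votes[secret])
```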

51
Best iterative characteristic of DES (self-concatenating probability)

  Input XOR (19 60 00 00 00 00 00 00x)
    Round 1: a' = 0x → F → A' = 0x,  p1 = 1
    Round 2: b' = 19 60 00 00x, E(b') = 03 32 2C 00 00 00 00 00x → F → B' = 0x,
             p2 = 14 × 8 × 10 / 64^3 = 1/234
  Output XOR (00 00 00 00 19 60 00 00x)
Linear Cryptanalysis

Introduction
  ◦ Matsui : EUROCRYPT '93 [1], CRYPTO '94 [2]
  ◦ Known plaintext attack
  ◦ O(breaking DES16) ~ 2^43
      12 HP workstations, 50-day operation
  ◦ Utilizes the probabilistic distribution between input linear sum and output linear sum values, iteratively
  ◦ Duality to DC : XOR branch vs. three-forked branch
  ◦ Applies to other DES-like cryptosystems

1. M. Matsui, "Linear Cryptanalysis Method for DES Cipher", Proc. of Eurocrypt '93, LNCS 765, pp. 386-397
2. M. Matsui, "The First Experimental Cryptanalysis of the Data Encryption Standard", Proc. of Crypto '94, LNCS 839, pp. 1-11
DC vs. LC
[Figure: round i has input Xi-1, round key Ki, f-function Fi and output Yi]

  DC: XOR branch after the f-function, i.e., DC goes downstream through the f-function.
      ΔXi = ΔXi-2 ⊕ ΔYi-1 (3 ≤ i ≤ n), with probability Π_{i=1}^{n} pi
  LC: three-forked branch before the f-function, i.e., LC goes upstream through the f-function.
      ΓYi = ΓYi-2 ⊕ ΓXi-1 (3 ≤ i ≤ n), with bias 2^{n-1} Π_{i=1}^{n} |pi - 1/2|

  ΔXi : differential value of Xi
  ΓXi-1 : masking value of Xi-1
(Goal) Find a linear approximation
  P[i1,i2,…,ia] ⊕ C[j1,j2,…,jb] = K[k1,k2,…,kc]
  with significant probability p (≠ 1/2), where A[i,j,…,k] = A[i] ⊕ A[j] ⊕ … ⊕ A[k]

(Algorithm) MLE (Maximum Likelihood Estimation)
  (Step 1) For the given P and C, compute X = P[i1,i2,…,ia] ⊕ C[j1,j2,…,jb]; let N = # of plaintexts given and |X=0| = # of texts with X = 0.
  (Step 2) If p > 1/2: K[k1,k2,…,kc] = 0 when |X=0| > N/2, else 1.
           If p < 1/2: K[k1,k2,…,kc] = 1 when |X=0| > N/2, else 0.


Linear approximation of an S-box

  For an S-box Sa (a = 1, 2, …, 8) of DES,
    NSa(α, β) = #{x | 0 ≤ x < 64, parity(x•α) = parity(Sa(x)•β)},
    1 ≤ α ≤ 63, 1 ≤ β ≤ 15,  • : dot product (bitwise AND)

  Ex) NS5(16, 15) = 12
    ◦ The 5th input bit of S5 equals the linear sum (XOR) of the 4 output bits with probability 12/64.
    ◦ X[15] ⊕ F(X,K)[7,18,24,29] = K[22] with probability 0.19
    ◦ X[15] ⊕ F(X,K)[7,18,24,29] = K[22] ⊕ 1 with probability 1 - 0.19 = 0.81
  (Note) Least significant bit at the right, index 0 at the least significant bit (little endian).
3-round linear approximation of DES
[Figure: P = (PH, PL) → F1 (K1) → X1 → F2 (K2) → X2 → F3 (K3) → X3 → C = (CH, CL)]

  Round 1, using NS5(16,15):
    X2[7,18,24,29] ⊕ PH[7,18,24,29] ⊕ PL[15] = K1[22]   ---------- (1),   p1 = 12/64
  Round 3, using the same approximation:
    X2[7,18,24,29] ⊕ CH[7,18,24,29] ⊕ CL[15] = K3[22]   ---------- (2),   p3 = 12/64

  (1) ⊕ (2)  =>  the X2 terms cancel and
    PH[7,18,24,29] ⊕ PL[15] ⊕ CH[7,18,24,29] ⊕ CL[15] = K1[22] ⊕ K3[22]
  holds with probability p1 · p3 + (1 - p1) · (1 - p3).

  * Discard IP and FP, as in DC.


Piling-up lemma

  If X1, …, Xn are independent binary random variables with Pr[Xi = 0] = pi and Pr[Xi = 1] = 1 - pi (1 ≤ i ≤ n), then
    p = Pr[X1 ⊕ X2 ⊕ … ⊕ Xn = 0] = 2^(n-1) Π_{i=1}^{n} (pi - 1/2) + 1/2.

  The number of known plaintexts required for LC with success probability 97.7% is |p - 1/2|^-2.

Key size expansion
  ◦ Double encryption
    ek: E2(K2, E1(K1, P)),  dk: D1(K1, D2(K2, C))
    Meet-in-the-middle attack: no effective gain in security
  ◦ Triple encryption
    ek: E(K1, D(K2, E(K1, P))),  dk: D(K1, E(K2, D(K1, C)))   (two keys)
    ek: E(K1, D(K2, E(K3, P))),  dk: D(K3, E(K2, D(K1, C)))   (three keys)
    112 or 168 bits
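The meet-in-the-middle attack named above on double encryption, as an added example that is not part of the slides. It uses a toy 16-bit block cipher with a 16-bit key (an assumption of this example, with a seeded S-box and a constructed key pair), so that the 2^16-entry table and the two passes over the key space run in a second; the point it shows is the work count, about 2 × 2^16 cipher calls instead of 2^32, which is why double encryption gives no effective gain.

```python
# Added example (not from the slides): double encryption with a toy 16-bit cipher and the
# meet-in-the-middle attack that recovers (K1, K2) with ~2 * 2^16 cipher calls and a
# 2^16-entry table instead of 2^32 trials. The toy cipher (seeded S-box, 3 rounds) and the
# keys are constructed for this example; nothing here is a standard cipher.
import random

MASK16 = 0xFFFF
_rng = random.Random(2024)                       # fixed seed: the S-box is constructed
SBOX = list(range(256))
_rng.shuffle(SBOX)
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i


def rotl16(x: int, n: int) -> int:
    return ((x << n) | (x >> (16 - n))) & MASK16


def round_keys(key: int):
    return [rotl16(key, 3 * r) for r in range(3)]


def toy_encrypt(key: int, x: int) -> int:
    """Toy 16-bit block cipher, 16-bit key: 3 rounds of key XOR, byte S-box, rotate."""
    for k in round_keys(key):
        x ^= k
        x = (SBOX[x >> 8] << 8) | SBOX[x & 0xFF]
        x = rotl16(x, 5)
    return x


def toy_decrypt(key: int, x: int) -> int:
    for k in reversed(round_keys(key)):
        x = rotl16(x, 11)                        # undo the rotate-left by 5
        x = (INV_SBOX[x >> 8] << 8) | INV_SBOX[x & 0xFF]
        x ^= k
    return x


def double_encrypt(k1: int, k2: int, p: int) -> int:
    return toy_encrypt(k2, toy_encrypt(k1, p))      # ek: E2(K2, E1(K1, P))


def double_decrypt(k1: int, k2: int, c: int) -> int:
    return toy_decrypt(k1, toy_decrypt(k2, c))      # dk: D1(K1, D2(K2, C))


def meet_in_the_middle(pairs):
    """Recover (K1, K2) from a few known (P, C) pairs. Forward pass: table of E(K1, P0) for
    every K1 (2^16 entries). Backward pass: D(K2, C0) for every K2, look it up, and confirm
    survivors on the remaining pairs. Total ~2^17 cipher calls, not 2^32."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}
    for k1 in range(1 << 16):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    found = []
    for k2 in range(1 << 16):
        mid = toy_decrypt(k2, c0)
        for k1 in table.get(mid, ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found


if __name__ == "__main__":
    K1, K2 = 0x1234, 0xBEEF                                    # constructed secret keys
    pairs = [(p, double_encrypt(K1, K2, p)) for p in (0x0001, 0x4242, 0xC0DE)]
    print("recovered:", [(f"{a:04x}", f"{b:04x}") for a, b in meet_in_the_middle(pairs)])
```

Three known pairs are used because a 16-bit block leaks only 16 bits per pair: the first pair leaves about 2^16 false (K1, K2) matches, and each further pair divides that by 2^16. The same arithmetic, with 2^56 in place of 2^16, is the reason two-key double DES is rated at roughly 57 bits of work rather than 112.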
Side Channel Attack

[Figure: traditional cryptographic model vs. side channel]
  The sender computes C = E(P, Ke) and sends C over the insecure channel; the receiver computes P = D(C, Kd).
  The keys Ke, Kd are delivered over a secure channel; in the traditional model the attacker only sees the insecure channel.
  A side channel leaks through power consumption / timing / EM emissions / acoustic, and radiation / temperature / power supply / clock rate, etc.
Reading list (★: required, ☆: difficulty 1, ☆☆: difficulty 2 (extra credit); the name in parentheses is the assigned presenter)

Items 1-10 (PT #1, PT #2)
 1. ☆ J. Daemen and V. Rijmen. The Design of Rijndael. AES - The Advanced Encryption Standard. Springer, 2002. (배성호)
 2. ★ M. E. Hellman. A cryptanalytic time-memory trade-off. IEEE Transactions on Information Theory, 26 (1980), 401-406. (임준현)
 3. ☆ E. Biham and A. Shamir. Differential cryptanalysis of the full 16-round DES. LNCS 740 (1993), 494-502. (CRYPTO '92) (장래영)
 4. ☆ M. Bellare and P. Rogaway. Optimal asymmetric encryption. LNCS 950 (1995), 92-111. (EUROCRYPT '94) (조준희)
 5. ☆ S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28 (1984), 270-299. (황대성)
 6. ★ J. H. Moore. Protocol failures in cryptosystems. In Contemporary Cryptology, The Science of Information Integrity, pages 541-558. IEEE Press, 1992. (남궁호)
 7. ☆ M. Bellare, J. Kilian and P. Rogaway. The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences, 61 (2000), 362-399. (장래영)
 8. ★ W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22 (1976), 644-654. (조준희)
 9. ★ M. Matsui. Linear cryptanalysis method for DES cipher. LNCS 765 (1994), 386-397. (EUROCRYPT '93) (배성호)
10. ☆ M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. In First ACM Conference on Computer and Communications Security, pages 62-73. ACM Press, 1993. (김영삼)

Items 11-20 (PT #3, PT #4)
11. ☆ N. T. Courtois and J. Pieprzyk. Cryptanalysis of block ciphers with overdefined systems of equations. LNCS 2501 (2002), 267-287. (ASIACRYPT 2002) (조준희)
12. ☆ S. C. Pohlig and M. E. Hellman. An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Transactions on Information Theory, 24 (1978), 106-110. (황대성)
13. ☆ M. J. Wiener. Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory, 36 (1990), 553-558. (남궁호)
14. ★ T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31 (1985), 469-472. (장래영)
15. ☆ D. Chaum and H. van Antwerpen. Undeniable signatures. LNCS 435 (1990), 212-216. (CRYPTO '89) (신지강)
16. ☆☆ P. Beauchemin, G. Brassard, C. Crepeau, C. Goutier and C. Pomerance. The generation of random numbers that are probably prime. Journal of Cryptology, 1 (1988), 53-64. (남궁호)
17. ☆☆ M. Bellare and P. Rogaway. The exact security of digital signatures: how to sign with RSA and Rabin. LNCS 1070 (1996), 399-416. (EUROCRYPT '96) (임준현)
18. ★ A. Fiat and A. Shamir. How to prove yourself: practical solutions to identification and signature problems. LNCS 263 (1987), 186-194. (CRYPTO '86) (김영삼)
19. ☆☆ M. Bellare. Practice-oriented provable-security. In Lectures on Data Security, pages 1-15. Springer, 1999. (신지강)
20. ★ A. Fiat and M. Naor. Broadcast encryption. LNCS 773 (1994), 480-491. (CRYPTO '93) (황대성)

Items 21-24 (PT #5)
21. ☆ M. Burmester and Y. Desmedt. A secure and efficient conference key distribution system. LNCS 250 (1994), 275-286. (EUROCRYPT '94) (김영삼)
22. ★ U. Feige, A. Fiat and A. Shamir. Zero-knowledge proofs of identity. Journal of Cryptology, 1 (1988), 77-94. (신지강)
23. ☆ C. P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4 (1991), 161-174. (임준현)
24. ☆ D. E. Denning and G. M. Sacco. Timestamps in key distribution protocols. Communications of the ACM, 24 (1981), 533-536. (배성호)

OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...Information Security Awareness Group
 
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...Information Security Awareness Group
 

More from Information Security Awareness Group (20)

Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
 
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
 Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf... Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
 
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
 
IBM Security Strategy Intelligence,
IBM Security Strategy Intelligence,IBM Security Strategy Intelligence,
IBM Security Strategy Intelligence,
 
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
 
Big data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security AllianceBig data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security Alliance
 
Big data analysis concepts and references
Big data analysis concepts and referencesBig data analysis concepts and references
Big data analysis concepts and references
 
PKI by Tim Polk
PKI by Tim PolkPKI by Tim Polk
PKI by Tim Polk
 
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
 Authorization Policy in a PKI Environment  Mary Thompson Srilekha Mudumbai A... Authorization Policy in a PKI Environment  Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
 
Pki by Steve Lamb
Pki by Steve LambPki by Steve Lamb
Pki by Steve Lamb
 
PKI by Gene Itkis
PKI by Gene ItkisPKI by Gene Itkis
PKI by Gene Itkis
 
Introduction to distributed security concepts and public key infrastructure m...
Introduction to distributed security concepts and public key infrastructure m...Introduction to distributed security concepts and public key infrastructure m...
Introduction to distributed security concepts and public key infrastructure m...
 
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...
 
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
 
THE OPEN SCIENCE GRID Ruth Pordes
THE OPEN SCIENCE GRID Ruth PordesTHE OPEN SCIENCE GRID Ruth Pordes
THE OPEN SCIENCE GRID Ruth Pordes
 
Open Science Grid security-atlas-t2 Bob Cowles
Open Science Grid security-atlas-t2 Bob CowlesOpen Science Grid security-atlas-t2 Bob Cowles
Open Science Grid security-atlas-t2 Bob Cowles
 
Security Open Science Grid Doug Olson
Security Open Science Grid Doug OlsonSecurity Open Science Grid Doug Olson
Security Open Science Grid Doug Olson
 
Open Science Group Security Kevin Hill
Open Science Group Security Kevin HillOpen Science Group Security Kevin Hill
Open Science Group Security Kevin Hill
 
Xrootd proxies Andrew Hanushevsky
Xrootd proxies Andrew HanushevskyXrootd proxies Andrew Hanushevsky
Xrootd proxies Andrew Hanushevsky
 
Privilege Project Vikram Andem
Privilege Project Vikram AndemPrivilege Project Vikram Andem
Privilege Project Vikram Andem
 

Recently uploaded

Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 

Recently uploaded (20)

Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 

DES Block Cipher Hao Qi

  • 1.  DES  Description: Feistel, S-box  Exhaustive Search, DC and LC  Modes of Operation  AES  Description: SPN, Branch number  Security and Efficiency  Modes of Operation  Other Ciphers  Linear layer  Confusion layer 1
  • 3.  Confusion: The ciphertext statistics should depend on the plaintext statistics in a manner too complicated to be exploited by the enemy cryptanalyst  Diffusion: Each digit of the plaintext should influence many digits of the ciphertext, and/or Each digit of the secret key should influence many digits of the the ciphertext.  Block cipher: ◦ A repetition of confusion(Substitution) and diffusion(Permutation) ◦ Iteration: Weak  Strong Claude Shannon 3
  • 4. 4
  • 5.  Definition: Let Bn denote the set of bit strings of length n. A block cipher is an encryption algorithm E such that EK is a permutation of Bn for each key K  Characteristics ◦ ◦ ◦ ◦ ◦ ◦ Based on Shannon’s Theorem(1949) Same P => Same C {|P| = |C|} ≥ 64 bit, |P| ≠ |K| ≥ 56 bit Memoryless configuration Operate as stream cipher depending on mode Shortcut cryptanalysis (DC, LC etc) in 90’s * DC: Differential Cryptanalysis, LC: Linear Cryptanalysis 5
  • 6.          Provide a high level of security Completely specify and easy to understand Security must depend on hidden key, not algorithm Available to all users Adaptable for use in diverse applications Economically implementable in electronic device Efficient to use Able to be validated Exportable * Federal Register, May 15, 1973 6
  • 7. Based on Lucifer (1972)  Developed by IBM and intervened by NSA  Adopted Federal Standard by NIST, revised every 5 years (~’98),  64bit block cipher, 56bit key  16 Round, Nonlinearity : S-box  Cryptanalysis like DC, LC, etc. after 1992  * DC:Differential Cryptanalysis, LC : Linear Cryptanalysis 7
  • 8.   If we apply its operation 2 times, it returns to the original value, e.g., f(f(x)) = x. Type of f-1(x) = f(x) x1 x2 x1 (d) (c) (b) (a) x2 x1 x2 ⊕ y1 y2 y1 y2 y1=x1⊕ x2 x1 ⊕ y2 = x2 x2 g y1=x1⊕ g(x2) y2 = x2 or x1⊕ g(x2,k) 8
  • 10. * Decryption is done by executing round key in the reverse order. 10
  • 11. FP= IP-1 IP 58 50 42 34 26 18 10 60 52 44 36 28 20 12 62 54 46 38 30 22 14 64 56 48 40 32 24 16 57 49 41 33 25 17 9 59 51 43 35 27 19 11 61 53 45 37 29 21 13 63 55 47 39 31 23 15 2 4 6 8 1 3 5 7 40 39 38 37 36 35 34 33 8 48 16 56 24 64 32 7 47 15 55 23 63 31 6 46 14 54 22 62 30 5 45 13 53 21 61 29 4 44 12 52 20 60 28 3 43 11 51 19 59 27 2 42 10 50 18 58 26 1 41 9 49 17 57 25 cf.) The 58th bit of x is the first bit of IP(x) IP & FP have no cryptanalytic significance. 11
  • 12. 12
  • 13. 13
  • 14.     8 S-boxes (6 -> 4 bits) each row : permutation of 0-15 4 rows : choose by MSB & LSB of input some known design criteria ◦ ◦ ◦ ◦ ◦ ◦ not linear (affine) Any one bit of the inputs changes at least two output bits S(x) and S(x ⊕ 001100) differs at least 2bits S(x) ≠ S(x ⊕ 11ef00) for any ef={00.01.10.11} Resistance against DC etc. The actual design principles have never been revealed (U.S. classified information) 14
  • 15.  Input values mapping order L R 0 0 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 0 1 1 0 1 1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13 S1(1 0111 0)=11=(1011)2 15
  • 16.  S1-box 14 4 13 1 2 15 11 8 0 15 7 4 14 4 1 14 8 13 15 12 8 2 4  3 10 6 12 5 9 0 7 2 13 1 10 6 12 11 9 5 3 8 6 2 11 15 12 9 7 3 10 5 0 9 1 7 5 11 3 14 10 0 6 13 S2-box 15 1 8 14 6 11 3 4 9 7 2 13 12 0 3 13 4 7 15 2 8 14 12 0 1 10 6 9 0 14 7 11 10 4 13 1 5 8 12 6 9 3 13 8 10 1 3 15 4 2 11 6 7 12 0 5 5 10 11 5 2 15 14 9 e.g.) S2(010010)= ? 16
  • 17.  S3-box 10 0 9 13 7 0 13 6 4 1 10 13  14 9 9 0 6 3 3 4 8 15 6 9 15 5 6 10 3 0 8 7 1 13 12 7 11 4 2 8 2 8 5 14 12 11 15 1 11 1 2 12 5 10 14 7 4 15 14 3 11 5 2 12 S4-box 7 13 10 3 13 8 6 15 14 11 9 0 3 0 5 6 0 12 6 10 6 9 15 0 11 7 1 13 10 3 13 8 1 4 15 9 2 7 1 4 8 5 11 12 4 15 2 12 1 10 14 9 3 14 5 2 8 4 5 11 12 7 2 14 S4-box is most linear than others.!!! 17
  • 18.  Short key size : 112 -> 56 bits by NSA  Classified design criteria  Revision of standard every 5 yrs after 1977 by NIST  No more standard 18
  • 19. (P,C) dependency with fixed Key : after 5 round  (K,C) dependency with fixed plaintext : after 5 round  Avalanche effect  Cyclic Test : Random function  Algebraic structure : Not a group  i.e., E(K1, E(K2,P)) ≠ E(K3,P) 19
  • 20.  Complementary Prop. If C= E(K,P), C = E(K, P)  Weak Key : 4 keys E(K, E(K,P))=P  Semi-weak Keys : 12 keys (6 pairs) E(K1, E(K2,P))=P  Key Exhaustive Search : 255 20
  • 21.  RSA Data Security Inc’s protest against US’s export control(‘97) ◦ $10,000(‘97) award ◦ Key search machine by Internet Loveland’s Rocker Verser ◦ 60.1 Billion/1 day key search, succeeded in 18 quadrillion operations and 96 days 25% of Total 72 quadrillion (1q=1015 =0.1 kyung) 90MHz, 16MB Memory Pentium(700 Million/sec) ◦ http://www.rsa.com/des/ 21
  • 22.  Distributed.Net + EFF ◦ 100,000 PC on Network ◦ 56hr  EFF(Electronic Frontier Foundation) ◦ http://www.eff.org/DEScrac ker ◦ Specific tools ◦ 22hr 15min ◦ 250,000$ P. Kocher 22
  • 23. Cost-Optimized Parallel Code Breaker Machine by Univ. of Bochum, Germany and Kiel  Commercially available 120 FPGA’s of type XILINX Spartan3-1000 run in parallel  10,000$ of ¼ of EFF project  23
  • 24.  FEAL, GOST, IDEA, LOKI, SKIPJACK, MISTY, SEED  TEA (Tiny Encryption Algorithm) for RFID/USN, XTEA, XXTEA  ARIA, Serpent, Baseking, BATON, BEAR&LION, C2, Camellia, CAST-128,256, CIPHERUNICORN,CMEA, Cobra, Coconut98, Crypton, DEAL, E2, FROG, G-DES, Hasty Pudding Cipher, Hierocrypt,MUITL2, New Data Seal, SAFER-64,128, SHACAL, Square, Xenon, etc…. 24
  • 26. AES (Rijndael) Joan Daemen and Vincent Rijmen, “The Design of Rijndael, AES – The Advanced Encryption Standard”, Springer, 2002, ISBN 3-540-42580-2 FIPS Pub 197, Advanced Encryption Standard (AES), December 04, 2001 Rijndael : variable, AES : fixed Vincent 26
  • 27.  Block cipher ◦ 128-bit blocks ◦ 128/192/256-bit keys  Worldwide-royalty free  More secure than Triple DES  More efficient than Triple DES 27
  • 28. ◦ Jan. 2, 1997 : Announcement of intent to develop AES and request for comments ◦ Sep. 12, 1997 : Formal call for candidate algorithms ◦ Aug. 20-22, 1998 : First AES Candidate Conference and beginning of Round 1 evaluation (15 algorithms), Rome, Italy ◦ Mar. 22-23, 1999 : Second AES Candidate Conference, NY, USA ◦ Sep. 2000 : Final AES selection (Rijndael !) Jan. 1997 Call for algorithms Aug. 1998 AES1 15 algorithms Mar. 1999 AES2 5 algorithms selected Apr. 2000 AES3 Announce winner in Sep, 2000 28
  • 29.  15 algorithms are proposed at AES1 conference 29
  • 30.  After AES2 conference, NIST selected the following 5 algorithms as the round 2 candidate algorithm. Cipher Submitter Structure Nonlinear Component MARS IBM Feistel structure Sbox DD-Rotation RC6 RSA Lab. Feistel structure Rotation Rijndael Daemen, Rijmen SPN structure Sbox Serpent Anderson, Biham, Knudsen SPN structure Sbox Twofish Schneier et. al Feistel structure Sbox 30
  • 31. Rijndael 10 (128) 12 (192) 14 (256) Serpent(32) Twofish(16) SPN SPN Feistel Mem. Bytes Ops Amp. Boomerang 265 270 2229 16M, 5C 16M, 5C Diff. M-i-M Amp. Boomerang 250 269 2197 273 2247 2197 Stat. Disting. 2118 2112 2122 12 15 (256) Stat. Disting. Stat. Disting. 294 2119 242 2138 2119 2215 6 Feistel Texts Truncated Diff. 232 7*232 272 7 8 (256) 9 (256) Truncated Diff. Truncated Diff. Related Key 2128~ 2119 2128~ 2119 277 261 2101 NA 2120 2204 2224 8 (192,256) RC6(20) Feistel Type of Attack 14 MARS 16 Core (C) 16 Mixing (M) Rounds (Key size) 11C Alg. (Round) Structure Amp. Boomerang 2113 2119 2179 6 (256) 6 7 (256) 8 (192,256) 9 (256) Meet-in-Middle Differential Differential Boomerang Amp. Boomerang 512 271 241 2122 2110 2246 275 2126 2133 2212 2247 2103 2248 2163 2252 6 (256) Impossible Diff. NA NA 2256 31
  • 32. Proposed by Joan Daemen, Vincent Rijmen(Belgium) Design choices – Square type – Three distinct invertible uniform transformations(Layers) Linear mixing layer : guarantee high diffusion Non-linear layer : parallel application of S-boxes Key addition layer : XOR the round key to the intermediate state – Initial key addition, final key addition Representation of state and key – – – – Rectangular array of bytes with 4 rows (square type) Nb : number of column of the state (4~8) Nk : number of column of the cipher key (4~8) Nb is independent from Nk 32
  • 33. State (Nb=6) Key (Nk=4) Number of rounds (Nr) 33
  • 34.     Block size: 128 Key size: 128/192/256 bit 44 byte array Component Functions Bit-wise key addition ◦ ByteSubstitution(BS): S-box ◦ ShiftRow(SR): CircularShift Byte-wise substitution(BS) ◦ MixColumn(MC): Shift-Low(SR) Linear(Branch number: 5) Mix-Column(MC) ◦ AddRoundKey(ARK): Bit-wise key addition Omit MC in the last round. BS, SR, ARK Input Input whitening Round transformation Output transformation Output 34
  • 35.  Substitution-Permutation Network (SPN) ◦ (Invertible) Nonlinear Layer: Confusion ◦ (Invertible) Linear Layer: Diffusion  Branch Number ◦ ◦ ◦ ◦ ◦ Measure Diffusion Power of Linear Layer Let F be a linear transformation on n words. W(a): the number of nonzero words in a. λ(F) = mina≠0 {W(a) + W(F(a))} Rijndael: branch number =5 35
  • 36.  K-secure ◦ No shortcut attacks key-recover attack faster than keyexhaustive search ◦ No symmetry property such as complementary in DES ◦ No non-negligible classes of weak key as in IDEA ◦ No Related-key attacks  Hermetic ◦ No weakness found for the majority of block ciphers with same block and key length  Rijndael is k-secure and hermetic 36
  • 38. ECB (Electronic CodeBook) mode C P n n K K E IF Ci = Cj, DK(Ci) = DK(Cj) D n n C P i) Encryption ii) Decryption 38
  • 39.  CBC (Cipher Block Chaining) P1 P2 Pl IV K E K E K E C1 IV C2 C2 Ci = EK(Pi  Ci-1) Cl C1 K IV : Initialization Vector Cl K D P1 K D P2 Pi = DK(Ci)  Ci-1 - 2 block Error Prog. - self-sync - If |Pl|  |P|, Padding req’d D Pl 39
  • 40. m-bit OFB (Output FeedBack) IV IV Ci = Pi  O(EK) Pi = Ci  O(EK) K E Pi m-bit Ci I) Encryption m-bit E K Ci - No Error Prog. - Req’d external sync - Stream cipher Pi - EK or DK II) Decryption 40
  • 41. m-bit CFB (Cipher FeedBack) IV K IV E Pi Ci I) Encryption m-bit m-bit Ci = Pi  EK(Ci-1) Pi = Ci  EK(Ci-1) E K - Error prog. till an error disappears in the buffer - self-sync - EK or DK Pi Ci II) Decryption 41
  • 42.  Counter mode ctr K E K E K E Pm-1 P2 P1 ctr+m-1 ctr+1 C2 Cm-1 ctr+1 C Ci = Pi  EK(Ti) Pi = Ci  EK(Ti) Ti = ctr+i -1 mod 2m |P|, |ctr|= m, Parallel computation ctr+m-1 1 ctr K E K E C2 C1 P1 K E Cm-1 P2 Pm-1 42
  • 43. CCM mode (Counter with CBC-MAC mode)  Ctr + CBC  Authenticated encryption by producing a MAC as a part of the encryption process  43
  • 44.  Use of mode ◦ ECB : key management, useless for file encryption ◦ CBC : File encryption, useful for MAC ◦ m-bit CFB : self-sync, impossible to use channel with low BER ◦ m-bit OFB : external-sync. m= 1, 8 or n ◦ Ctr : secret ctr, parallel computation ◦ CCM : authenticated encryption ◦ Performance Degradation/ Cost Tradeoff 44
  • 46.  Introduction ◦ ◦ ◦ ◦ ◦ Biham and Shamir : CR90, CR92 Efficient than Key Exhaustive Search Chosen Plaintext Attack O(Breaking DES16) ~ 247 Utilize the probabilistic distribution between input XOR and output XOR values Iteratively ◦ Stimulate to announce hidden criteria of DES [Cop92] ◦ Apply to other DES-like Ciphers * E.Biham, A. Shamir,”Differential Cryptanalysis of the Data Encryption Standard”, SpringerVerlag, 1993 46
  • 47. Discard linear components(IP, FP)  Properties of XOR (X’ = X ⊕ X* )  ◦ {E,P,IP} : (P(X))’=P(X) ⊕ P(X*)=P(X’) ◦ XOR : (X ⊕ Y)’=(X ⊕ Y) ⊕ (X* ⊕ Y*)=X’ ⊕ Y’ ◦ Mixing key : (X ⊕ K)’=(X ⊕ K) ⊕ (X* ⊕ K)=X’ ◦ Differences(=xor) are linear in linear operation and in particular the result is key independent. 47
  • 48. X X*  X’ Si-box XDT  Si-box Y’ Y Y* X’ = {0,1,…63}, Y’= {0,1,…15}  For a given S-box, pre-compute the number of count of X’ and  Y’ in a table * % of entry in DES S-boxes : 75 ~ 80% 48
  • 49. 49
  • 50.  2-round characteristic in S1 box (0Cx --> Ex with 14/64) (00 80 82 00 60 00 00 00x)  A’=00808200x =P(E0000000x)  B’=0x F F a’=60000000x b’=0x p=14/64 p=1 (60 00 00 00 00 00 00 00x) 0110 0C=001100 E=1110 50
  • 51. (1) Choose suitable Plaintext (Pt) XOR. (2) Get 2 Pts for a chosen Pt and obtain the corresponding Ct by encryption (3) From Pt XOR and pair of Ct, get the expected output XOR for the S-boxes of final round. (4) Count the maximum potential key at the final round using the estimated key (5) Right key is a subkey of having large number of pairs of expected output XOR 51
  • 52. Self-concatenating probability  Best iterative char. of DES  (19 60 00 00 00 00 00 00x)   A’=0x B’=0x F F a’=0x b’=19 60 00 00x E(b)=03 32 2C 00 00 00 00 00x p1=1 p2 =14 x 8 x 10 / 643 = 1/234 (00 00 00 00 19 60 00 00x) 52
  • 54.  Introduction ◦ Matsui : EC931, CR942 ◦ Known Plaintext Attack ◦ O(Breaking DES16) ~ 243  12 HP W/S, 50-day operation ◦ Utilize the probabilistic distribution between input linear sum and output linear sum values Iteratively ◦ Duality to DC : XOR branch vs.three-forked branch ◦ Apply to other DES-like cryptosytems 1. M.Matsui,”Linear Cryptanalysis Method for DES Cipher”, Proc. Of Eurocrypt’93,LNCS765, pp.386-397 2. M.Matsui,”The First Experimental Cryptanalysis of the Data Encryption Standard”, Proc. Of Crypto’94,LNCS839, pp.1-11 . 54
  • 55. LC DC X i-1  Y i X i Fi Ki Xi X i-1 Yi Y i  Xi Y i Y i-1 Y i Fi X i Ki Yi-1Xi XOR branch after f-ft. i.e., DC goes downstream through f-ft. Xi = Xi-2  Yi-1 (3  i  n) with {i=1}n pi 3-forked branch before f-ft. i.e., LC goes upstream through f-ft.  Yi =  Yi-2   Xi-1 (3  i  n) with 2n-1{i=1}n |pi -1/2| Xi : Xi’s Differential value  Xi-1 : Xi-1’s Masking value 55
  • 56. (Goal) : Find linear approximation P[i1,i2,…,ia] ⊕ C[j1,j2,…,jb]=K[k1,k2,…,kc] with significant prob. p (≠ ½) where A[i,j,…,k]=A[i] ⊕ A[j] ⊕ … ⊕ A[k] (Algorithm)MLE(Maximum Likelihood Estimation) (Step 1) For given P and C, compute X=P[i1,i2,…,ia] ⊕ C[j1,j2,…,jb], let N = # of Pt given, (Step 2) if |X=0| > N/2 K[k1,k2,…,Kc]=0 else 1. if |X=0| < N/2 K[k1,k2,…,kc]=1 else 0. 56
  • 57.  For a S-box Sa,(a=1,2,…,8) of DES NSa(α,β)= #{x | 0 ≤ x < 64, parity(x•α) = parity(S(x)•β)} 1≤ α ≤ 63 , 1 ≤ β ≤15, • : dot product (bitwise AND)  Ex) NS5(16,15) =12 ◦ The 5-th input bit at S5-box is equal to the linear sum of 4 output bits with probability 12/64. ◦ X[15] ⊕ F(X,K)[7,18,24,29]=K[22] with 0.19 ◦ X[15] ⊕ F(X,K)[7,18,24,29]=K[22] ⊕ 1 with 1-0.19=0.81 (Note) least significant at the right and index 0 at the least significant bit (Little endian) 57
  • 58. 58
  • 59. P PH PL [22]  [7,18,24,29] [15] F1 K1 X2[7,18,24,29] PH[7,18,24,29]  PL[15] = K1[22] ---------- (1) X1 p1=12/64 K2  F2 X2 [22]  CH [7,18,24,29] F3 C [15] K3 X2[7,18,24,29] CH[7,18,24,29]  X3 CL[15] = K3[22] ---------- (2) p3=12/64 CL (1)  (2) => X2[7,18,24,29] CH[7,18,24,29] CL[15]  X2[7,18,24,29] PH[7,18,24,29] PL[15] = K1[22]  K3[22] holding prob. = (p1 * p3 ) + (1 - p1) *(1-p3) * Discard IP and FP like DC 59
• 60. Piling-up lemma: if X_i (1 ≤ i ≤ n) are independent random variables taking the value 0 with probability p_i and the value 1 with probability 1 − p_i, then
  p = Prob(X1 ⊕ X2 ⊕ … ⊕ Xn = 0) = 2^{n−1} Π_{i=1}^{n} (p_i − 1/2) + 1/2.
  The number of known plaintexts required for LC with success probability 97.7% is |p − 1/2|^{−2}.
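Added example (not part of the lecture slides) covering slides 56, 57, 59 and 60: it recomputes NS5(16, 15) on the real DES S5 table, scans the whole table for the most biased entry, evaluates the piling-up lemma for the two-approximation 3-round case together with the |p − 1/2|^{−2} plaintext count, and runs Algorithm 1 against a constructed one-S-box toy cipher y = S5(x ⊕ k), which is an assumption of this example and not the 3-round DES attack itself.

```python
"""Added example (not from the slides): Matsui's NS5(alpha, beta) on the real
DES S5 table, the piling-up lemma for slide 59's two-approximation 3-round case,
and Algorithm 1 (slide 56) on a constructed toy cipher y = S5(x ^ k), 6-bit k."""
import math
from fractions import Fraction

# DES S5 (public DES spec). Row = bits (b1, b6), column = b2..b5 of the 6-bit input.
S5 = [
    [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
    [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
    [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
    [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
]

def s5(x: int) -> int:
    row = (((x >> 5) & 1) << 1) | (x & 1)
    return S5[row][(x >> 1) & 15]

def parity(v: int) -> int:
    return bin(v).count("1") & 1

def ns(alpha: int, beta: int) -> int:
    """NS5(alpha, beta) = #{x in [0, 64) : parity(x & alpha) == parity(S5(x) & beta)}."""
    return sum(parity(x & alpha) == parity(s5(x) & beta) for x in range(64))

def best_approximation():
    """Entry of the whole table (1<=alpha<=63, 1<=beta<=15) farthest from 32;
    slide 57's NS5(16, 15) = 12 has deviation 20, the largest in any DES S-box."""
    return max((abs(ns(a, b) - 32), a, b) for a in range(1, 64) for b in range(1, 16))

def piling_up(probs):
    """Slide 60: p = 2^(n-1) * prod(p_i - 1/2) + 1/2, in exact arithmetic."""
    acc = Fraction(2) ** (len(probs) - 1)
    for p in probs:
        acc *= Fraction(p) - Fraction(1, 2)
    return acc + Fraction(1, 2)

def plaintexts_needed(p) -> int:
    """Known plaintexts for about 97.7% success: |p - 1/2|^-2 (slide 60)."""
    return math.ceil(abs(Fraction(p) - Fraction(1, 2)) ** -2)

def guess_key_bit(samples, p) -> int:
    """Algorithm 1 (slide 56) on the toy cipher: x[4] ^ y[0,1,2,3] = k[4] holds
    with probability p = 12/64 for every known pair (x, y = S5(x ^ k))."""
    n_zero = sum(parity(x & 16) == parity(y & 15) for x, y in samples)
    if n_zero > len(samples) / 2:
        return 0 if p > 0.5 else 1
    return 1 if p > 0.5 else 0
```

For the 3-round case the two S5 approximations pile up to p = 89/128 ≈ 0.695, so only 27 known plaintexts are needed for 97.7% success, which is why the slides' single-S-box bias matters so much.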
• 61. Key size expansion
◦ Double encryption: ek: E2(K2, E1(K1, P)), dk: D1(K1, D2(K2, C))
  → meet-in-the-middle attack: no effective gain in key size
◦ Triple encryption:
  ek: E(K1, D(K2, E(K1, P))), dk: D(K1, E(K2, D(K1, C)))  (two keys)
  ek: E(K1, D(K2, E(K3, P))), dk: D(K3, E(K2, D(K1, C)))  (three keys)
  → 112 or 168 bits
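Added example, not from the slides: why the meet-in-the-middle attack makes double encryption ineffective, shown on a constructed 16-bit toy Feistel cipher (an assumption of this example, chosen so the whole key space can be tabulated) standing in for both E1 and E2.

```python
"""Added example (not from the slides): meet-in-the-middle against the double
encryption of slide 61, on a constructed 16-bit toy Feistel cipher so that the
whole key space fits in memory.  Two 16-bit keys nominally give 2^32 keys, but
the attack needs about 2 * 2^16 cipher calls plus a 2^16-entry table."""
from collections import defaultdict

def _round(r: int, rk: int) -> int:
    # Toy round function: nonlinear, but with no security claim at all.
    v = (r ^ rk) & 0xFF
    return (((v * v) >> 4) ^ (v << 1)) & 0xFF

def toy_cipher(key: int, block: int, decrypt: bool = False) -> int:
    """4-round Feistel on 8-bit halves: 16-bit key, 16-bit block."""
    subkeys = [(key >> (4 * i)) & 0xFF for i in range(4)]
    if decrypt:
        subkeys.reverse()          # Feistel: same network, reversed key order
    l, r = block >> 8, block & 0xFF
    for rk in subkeys:
        l, r = r, l ^ _round(r, rk)
    return (r << 8) | l            # undo the final swap

def double_encrypt(k1: int, k2: int, p: int) -> int:
    """Slide 61: ek = E2(K2, E1(K1, P)), with the same toy cipher as E1 and E2."""
    return toy_cipher(k2, toy_cipher(k1, p))

def meet_in_the_middle(pairs):
    """pairs: known (P, C) pairs under one (K1, K2). Returns every (K1, K2)
    consistent with all pairs; the first pair drives the match, the rest
    weed out the false candidates a single 16-bit match leaves behind."""
    p1, c1 = pairs[0]
    middle = defaultdict(list)                  # E1(K1, P1) -> [K1, ...]
    for k1 in range(1 << 16):                   # forward half: 2^16 encryptions
        middle[toy_cipher(k1, p1)].append(k1)
    found = []
    for k2 in range(1 << 16):                   # backward half: 2^16 decryptions
        for k1 in middle.get(toy_cipher(k2, c1, decrypt=True), ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found
```

Three known plaintext/ciphertext pairs are enough here: the first matches the two halves, the other two discard the roughly 2^16 accidental matches, so the 32-bit composite key costs about 2^17 cipher operations instead of 2^32.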
• 63. Traditional Cryptographic Model vs. Side Channel
[Figure: the sender computes C = E(P, Ke) and sends C over the insecure channel; the receiver computes P = D(C, Kd); Ke and Kd are distributed over a secure channel; the attacker observes only C]
◦ Side channels: power consumption / timing / EM emissions / acoustic
◦ Radiation / temperature / power supply / clock rate, etc.
• 64. Reading list (PT #1, PT #2)
1. ☆ J. DAEMEN AND V. RIJMEN. The Design of Rijndael. AES - The Advanced Encryption Standard. Springer, 2002. (배성호)
2. ★ M. E. HELLMAN. A cryptanalytic time-memory trade-off. IEEE Transactions on Information Theory, 26 (1980), 401-406. (임준현)
3. ☆ E. BIHAM AND A. SHAMIR. Differential cryptanalysis of the full 16-round DES. LNCS 740 (1993), 494-502. (CRYPTO '92) (장래영)
4. ☆ M. BELLARE AND P. ROGAWAY. Optimal asymmetric encryption. LNCS 950 (1995), 92-111. (EUROCRYPT '94) (조준희)
5. ☆ S. GOLDWASSER AND S. MICALI. Probabilistic encryption. Journal of Computer and System Sciences, 28 (1984), 270-299. (황대성)
6. ★ J. H. MOORE. Protocol failures in cryptosystems. In Contemporary Cryptology, The Science of Information Integrity, pages 541-558. IEEE Press, 1992. (남궁호)
7. ☆ M. BELLARE, J. KILIAN AND P. ROGAWAY. The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences, 61 (2000), 362-399. (장래영)
8. ★ W. DIFFIE AND M. E. HELLMAN. New directions in cryptography. IEEE Transactions on Information Theory, 22 (1976), 644-654. (조준희)
9. ★ M. MATSUI. Linear cryptanalysis method for DES cipher. LNCS 765 (1994), 386-397. (EUROCRYPT '93) (배성호)
10. ☆ M. BELLARE AND P. ROGAWAY. Random oracles are practical: a paradigm for designing efficient protocols. In First ACM Conference on Computer and Communications Security, pages 62-73. ACM Press, 1993. (김영삼)
• 65. Reading list (PT #3, PT #4)
11. ☆ N. T. COURTOIS AND J. PIEPRZYK. Cryptanalysis of block ciphers with overdefined systems of equations. LNCS 2501 (2002), 267-287. (ASIACRYPT 2002) (조준희)
12. ☆ S. C. POHLIG AND M. E. HELLMAN. An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Transactions on Information Theory, 24 (1978), 106-110. (황대성)
13. ☆ M. J. WIENER. Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory, 36 (1990), 553-558. (남궁호)
14. ★ T. ELGAMAL. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31 (1985), 469-472. (장래영)
15. ☆ D. CHAUM AND H. VAN ANTWERPEN. Undeniable signatures. LNCS 435 (1990), 212-216. (CRYPTO '89) (신지강)
16. ☆☆ P. BEAUCHEMIN, G. BRASSARD, C. CREPEAU, C. GOUTIER AND C. POMERANCE. The generation of random numbers that are probably prime. Journal of Cryptology, 1 (1988), 53-64. (남궁호)
17. ☆☆ M. BELLARE AND P. ROGAWAY. The exact security of digital signatures: how to sign with RSA and Rabin. LNCS 1070 (1996), 399-416. (EUROCRYPT '96) (임준현)
18. ★ A. FIAT AND A. SHAMIR. How to prove yourself: practical solutions to identification and signature problems. LNCS 263 (1987), 186-194. (CRYPTO '86) (김영삼)
19. ☆☆ M. BELLARE. Practice-oriented provable-security. In Lectures on Data Security, pages 1-15. Springer, 1999. (신지강)
20. ★ A. FIAT AND M. NAOR. Broadcast encryption. LNCS 773 (1994), 480-491. (CRYPTO '93) (황대성)
• 66. Reading list (PT #5)
21. ☆ M. BURMESTER AND Y. DESMEDT. A secure and efficient conference key distribution system. LNCS 950 (1994), 275-286. (EUROCRYPT '94) (김영삼)
22. ★ U. FEIGE, A. FIAT AND A. SHAMIR. Zero-knowledge proofs of identity. Journal of Cryptology, 1 (1988), 77-94. (신지강)
23. ☆ C. P. SCHNORR. Efficient signature generation by smart cards. Journal of Cryptology, 4 (1991), 161-174. (임준현)
24. ☆ D. E. DENNING AND G. M. SACCO. Timestamps in key distribution protocols. Communications of the ACM, 24 (1981), 533-536. (배성호)
★: required, ☆: difficulty 1, ☆☆: difficulty 2 (extra credit)