On the Security of RC4 in TLS
Size: px
Start display at page:

Download "On the Security of RC4 in TLS"

Transcription

1 On the Security of RC4 in TLS Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering, Jacob Schuldt Royal Holloway, University of London University of Illinois at Chicago

2 TLS Record Protocol CBC-mode (AES, 3DES) RC4 2

3 TLS Record Protocol CBC-mode (AES, 3DES) RC4 BEAST attack 2

4 TLS Record Protocol CBC-mode (AES, 3DES) 13 RC4 BEAST attack Lucky 13 2

5 TLS Record Protocol CBC-mode (AES, 3DES) 13 RC4 Switch to RC4? BEAST attack Lucky 13 2

6 TLS Record Protocol CBC-mode (AES, 3DES) 13 RC4 Switch to RC4? BEAST attack Lucky 13 Recommended! 2

7 Usage of RC4 in Practice ICSI Certificate Notary Recent survey of 16 billion TLS connections: Approx. 50% protected via RC4 ciphersuites 3

8 Usage of RC4 in Practice ICSI Certificate Notary Recent survey of 16 billion TLS connections: Approx. 50% protected via RC4 ciphersuites How secure is TLS + RC4? 3

9 RC4 Keystream Distribution Random RC4 keys Keystream bytes 4

10 Keystream Distribution at Position Ciphertext distribution at position 1 Probability Byte value [ ] Byte value

11 Keystream Distribution at Position Ciphertext distribution at position 2 Probability Byte value [ ] Byte value

12 Keystream Distribution at Position Ciphertext distribution at position 3 Probability Byte value [ ] Byte value

13 Keystream Distribution at Position Ciphertext distribution at position 4 Probability Byte value [ ] Byte value

14 Keystream Distribution at Position Ciphertext distribution at position 5 Probability Byte value [ ] Byte value

15 Keystream Distribution at Position Ciphertext distribution at position 6 Probability Byte value [ ] Byte value

16 Keystream Distribution at Position Ciphertext distribution at position 7 Probability Byte value [ ] Byte value

17 Keystream Distribution at Position Ciphertext distribution at position 8 Probability Byte value [ ] Byte value

18 Keystream Distribution at Position Ciphertext distribution at position 9 Probability Byte value [ ] Byte value

19 Keystream Distribution at Position Ciphertext distribution at position 10 Probability Byte value [ ] Byte value

20 Keystream Distribution at Position Ciphertext distribution at position 11 Probability Byte value [ ] Byte value

21 Keystream Distribution at Position Ciphertext distribution at position 12 Probability Byte value [ ] Byte value

22 Keystream Distribution at Position Ciphertext distribution at position 13 Probability Byte value [ ] Byte value

23 Keystream Distribution at Position Ciphertext distribution at position 14 Probability Byte value [ ] Byte value

24 Keystream Distribution at Position Ciphertext distribution at position 15 Probability Byte value [ ] Byte value

25 Keystream Distribution at Position Ciphertext distribution at position 16 Probability Byte value [ ] Byte value

26 Plaintext Recovery Attack Ciphertext distribution at position 1 Ciphertext distribution at position 2 Probability Ciphertext distribution at position Byte value [ ] Probability + Probability Byte value [ ] Byte value [ ] TLS plaintext recovery (initial bytes) 21

27 Success Probability 2 20 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 22

28 Success Probability 2 21 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 23

29 Success Probability 2 22 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 24

30 Success Probability 2 23 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 25

31 Success Probability 2 24 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 26

32 Success Probability 2 25 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 27

33 Success Probability 2 26 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 28

34 Success Probability 2 27 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 29

35 Success Probability 2 28 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 30

36 Success Probability 2 29 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 31

37 Success Probability 2 30 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 32

38 Success Probability 2 31 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 33

39 Success Probability 2 32 Sessions 100%# 80%# Recovery(rate( 60%# 40%# 20%# 0%# 0# 32# 64# 96# 128# 160# 192# 224# 256# Byte(posi/on( 34

40 Second Attack Double-byte long term biases + TLS plaintext recovery (any bytes) 35

41 Second Attack Beyond byte position 256? Double-byte long term biases + TLS plaintext recovery (any bytes) 35

42 Second Attack Beyond byte position 256? Double-byte long term biases + TLS plaintext recovery (any bytes) Interested? TLS + RHUL 35

43 Second Attack Beyond byte position 256? Double-byte long term biases + TLS plaintext recovery (any bytes) Interested? TLS + RHUL Thank You! 35

Similar documents

state-recovery analysis of spritz

state-recovery analysis of spritz state-recovery analysis of spritz Ralph Ankele 1 Stefan Kölbl 2 Christian Rechberger 2 August 25, 2015 1 RHUL, Royal Holloway University of London, United Kingdom 2 DTU Compute, Technical University of

More information

Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA

Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Sourav Sen Gupta 1 Subhamoy Maitra 1 Willi Meier 2 Goutam Paul 1 Santanu Sarkar 3 Indian Statistical Institute, India FHNW, Windisch,

More information

Private-Key Encryption

Private-Key Encryption Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 37 Outline 1 Pseudo-Random Generators and Stream Ciphers 2 More Security Definitions: CPA and CCA 3 Pseudo-Random Functions/Permutations

More information

Revisiting Roos Bias in RC4 Key Scheduling Algorithm

Revisiting Roos Bias in RC4 Key Scheduling Algorithm Revisiting Roos Bias in RC4 Key Scheduling Algorithm Santanu Sarkar, Ayineedi Venkateswarlu To cite this version: Santanu Sarkar, Ayineedi Venkateswarlu. Revisiting Roos Bias in RC4 Key Scheduling Algorithm.

More information

Statistical Attacks on Cookie Masking for RC4

Statistical Attacks on Cookie Masking for RC4 Statistical Attacks on Cookie Masking for RC4 Kenneth G. Paterson 1 and Jacob C.N. Schuldt 2 1 Royal Holloway, University of London, UK 2 AIST, Japan Abstract. Levillain et al. (AsiaCCS 2015) proposed

More information

Symmetric Crypto Systems

Symmetric Crypto Systems T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under

More information

A Practical Attack Against the Use of RC4 in the HIVE Hidden Volume Encryption System

A Practical Attack Against the Use of RC4 in the HIVE Hidden Volume Encryption System A Practical Attack Against the Use of RC4 in the HIVE Hidden Volume Encryption System Kenneth G. Paterson 1 and Mario Strefler 2 1 Information Security Group, Royal Holloway, University of London Kenny.Paterson@rhul.ac.uk

More information

Analysing and Exploiting the Mantin Biases in RC4

Analysing and Exploiting the Mantin Biases in RC4 Analysing and Exploiting the Mantin Biases in RC4 Remi Bricout 1, Sean Murphy 2, Kenneth G. Paterson 2, and Thyla van der Merwe 2 1 ENS, Paris 2 Royal Holloway, University of London Abstract. We explore

More information

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.

More information

Some New Weaknesses in the RC4 Stream Cipher

Some New Weaknesses in the RC4 Stream Cipher Some ew Weaknesses in the RC4 Stream Cipher Jing Lv (B), Bin Zhang, and Dongdai Lin 2 Laboratory of Trusted Computing and Information Assurance, Institute of Software, Chinese Academy of Sciences, 0090

More information

Lecture 12: Block ciphers

Lecture 12: Block ciphers Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is

More information

Recent Cryptanalysis of RC4 Stream Cipher

Recent Cryptanalysis of RC4 Stream Cipher 28 August, 2013 ASK 2013 @ Weihai, China Recent Cryptanalysis of RC4 Stream Cipher Takanori Isobe Kobe University Joint work with Toshihiro Ohigashi, Yuhei Watanabe, and Maskatu Morii Agenda This talk

More information

Introduction to Symmetric Cryptography

Introduction to Symmetric Cryptography Introduction to Symmetric Cryptography COST Training School on Symmetric Cryptography and Blockchain Stefan Kölbl February 19th, 2018 DTU Compute, Technical University of Denmark Practical Information

More information

Cryptanalysis of the Full Spritz Stream Cipher

Cryptanalysis of the Full Spritz Stream Cipher Cryptanalysis of the Full Spritz Stream Cipher Subhadeep Banik 1,2 and Takanori Isobe 3 1 School of Physical and Mathematical Sciences, NTU 2 DTU Compute, Technical University of Denmark, Lungby 3 Sony

More information

Alternative Approaches: Bounded Storage Model

Alternative Approaches: Bounded Storage Model Alternative Approaches: Bounded Storage Model A. Würfl 17th April 2005 1 Motivation Description of the Randomized Cipher 2 Motivation Motivation Description of the Randomized Cipher Common practice in

More information

Attack on Broadcast RC4

Attack on Broadcast RC4 Attack on Broadcast RC4 Revisited S. Maitra 1 G. Paul 2 S. Sen Gupta 1 1 Indian Statistical Institute, Kolkata 2 Jadavpur University, Kolkata FSE 2011, Lyngby, Denmark 15 February 2011 Outline of the Talk

More information

A Weak Cipher that Generates the Symmetric Group

A Weak Cipher that Generates the Symmetric Group A Weak Cipher that Generates the Symmetric Group Sean Murphy Kenneth Paterson Peter Wild Information Security Group, Royal Holloway and Bedford New College, University of London, Egham, Surrey TW20 0EX,

More information

Symmetric Crypto Systems

Symmetric Crypto Systems T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers

More information

ORYX. ORYX not an acronym, but upper case Designed for use with cell phones. Standard developed by. Cipher design process not open

ORYX. ORYX not an acronym, but upper case Designed for use with cell phones. Standard developed by. Cipher design process not open ORYX ORYX 1 ORYX ORYX not an acronym, but upper case Designed for use with cell phones o To protect confidentiality of voice/data o For data channel, not control channel o Control channel encrypted with

More information

Distinct difference configurations and Wireless Sensor Networks

Distinct difference configurations and Wireless Sensor Networks Distinct difference configurations and Wireless Sensor Networks Simon R. Blackburn Joint work with: Tuvi Etzion, Keith M. Martin, Maura B. Paterson Royal Holloway, University of London 12th May 2009 S.R.

More information

Symmetric Encryption

Symmetric Encryption 1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently

More information

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol FORGERY ON STATELESS CMCC WITH A SINGLE QUERY Guy Barwell guy.barwell@bristol.ac.uk University of Bristol Abstract. We present attacks against CMCC that invalidate the claimed security of integrity protection

More information

Simple, Efficient and Strongly KI-Secure Hierarchical Key Assignment Schemes

Simple, Efficient and Strongly KI-Secure Hierarchical Key Assignment Schemes Simple, Efficient and Strongly KI-Secure Hierarchical Key Assignment Schemes Eduarda S. V. Freire and Bertram Poettering and Kenny G. Paterson Information Security Group Royal Holloway, University of London

More information

A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones

A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones A Low Data Complexity Attack on the GMR-2 Cipher Used in the atellite Phones Ruilin Li, Heng Li, Chao Li, Bing un National University of Defense Technology, Changsha, China FE 2013, ingapore 11 th ~13

More information

Cryptanalysis of the Algebraic Eraser

Cryptanalysis of the Algebraic Eraser Cryptanalysis of the Algebraic Eraser Simon R. Blackburn Royal Holloway University of London 9th June 2016 Simon R. Blackburn (RHUL) The Algebraic Eraser 1 / 14 Diffie-Hellman key exchange Alice and Bob

More information

Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers

Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers Goutam Paul and Shashwat Raizada Jadavpur University, Kolkata and Indian Statistical Institute,

More information

ASYMMETRIC ENCRYPTION

ASYMMETRIC ENCRYPTION ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall

More information

The HMAC brawl. Daniel J. Bernstein University of Illinois at Chicago

The HMAC brawl. Daniel J. Bernstein University of Illinois at Chicago The HMAC brawl Daniel J. Bernstein University of Illinois at Chicago 2012.02.19 Koblitz Menezes Another look at HMAC : : : : Third, we describe a fundamental flaw in Bellare s 2006 security proof for HMAC,

More information

Secret Key: stream ciphers & block ciphers

Secret Key: stream ciphers & block ciphers Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad define a secret key ( seed ) Using the seed generates a byte stream (Keystream): i-th byte is function only

More information

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit Block ciphers Block ciphers Myrto Arapinis School o Inormatics University o Edinburgh January 22, 2015 A block cipher with parameters k and l is a pair o deterministic algorithms (E, D) such that Encryption

More information

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen. Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography

More information

Analysis and Implementation of RC4 Stream Cipher

Analysis and Implementation of RC4 Stream Cipher Analysis and Implementation of RC4 Stream Cipher A thesis presented to Indian Statistical Institute in fulfillment of the thesis requirement for the degree of Doctor of Philosophy in Computer Science by

More information

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern

More information

(Non-)Random Sequences from (Non-)Random Permutations - Analysis of RC4 stream cipher

(Non-)Random Sequences from (Non-)Random Permutations - Analysis of RC4 stream cipher (on-)random Sequences from (on-)random Permutations - Analysis of RC4 stream cipher Sourav Sen Gupta, Subhamoy Maitra, Goutam Paul 2, and Santanu Sarkar Applied Statistics Unit, Indian Statistical Institute,

More information

First-Order DPA Attack Against AES in Counter Mode w/ Unknown Counter. DPA Attack, typical structure

First-Order DPA Attack Against AES in Counter Mode w/ Unknown Counter. DPA Attack, typical structure Josh Jaffe CHES 2007 Cryptography Research, Inc. www.cryptography.com 575 Market St., 21 st Floor, San Francisco, CA 94105 1998-2007 Cryptography Research, Inc. Protected under issued and/or pending US

More information

Symmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway

Symmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway Symmetric Cryptanalytic Techniques Sean Murphy ショーン マーフィー Royal Holloway Block Ciphers Encrypt blocks of data using a key Iterative process ( rounds ) Modified by Modes of Operation Data Encryption Standard

More information

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical

More information

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5) Symmetric Ciphers Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5) Symmetric Cryptography C = E(P,K) P = D(C,K) Requirements Given C, the only way to obtain P should be with the knowledge of K Any

More information

Modern Cryptography Lecture 4

Modern Cryptography Lecture 4 Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html

More information

(Non-)Random Sequences from (Non-)Random Permutations Analysis of RC4 Stream Cipher

(Non-)Random Sequences from (Non-)Random Permutations Analysis of RC4 Stream Cipher J. Cryptol. (2014) 27: 67 108 DOI: 10.1007/s00145-012-9138-1 (on-)random Sequences from (on-)random Permutations Analysis of RC4 Stream Cipher Sourav Sen Gupta and Subhamoy Maitra Applied Statistics Unit,

More information

A block cipher enciphers each block with the same key.

A block cipher enciphers each block with the same key. Ciphers are classified as block or stream ciphers. All ciphers split long messages into blocks and encipher each block separately. Block sizes range from one bit to thousands of bits per block. A block

More information

Practice Assignment 2 Discussion 24/02/ /02/2018

Practice Assignment 2 Discussion 24/02/ /02/2018 German University in Cairo Faculty of MET (CSEN 1001 Computer and Network Security Course) Dr. Amr El Mougy 1 RSA 1.1 RSA Encryption Practice Assignment 2 Discussion 24/02/2018-29/02/2018 Perform encryption

More information

Cellular Automata in Cryptography" Information Security Group,Royal Holloway, Abstract The cipher systems based on Cellular Automata proposed by Nandi

Cellular Automata in Cryptography Information Security Group,Royal Holloway, Abstract The cipher systems based on Cellular Automata proposed by Nandi Comments on \Theory and Applications of Cellular Automata in Cryptography" S.R. Blackburn, S. Murphy y and K.G. Paterson z Information Security Group,Royal Holloway, University of London, Surrey TW20 0EX,

More information

Distinguishing Attack on Common Scrambling Algorithm

Distinguishing Attack on Common Scrambling Algorithm 410 The International Arab Journal of Information Technology, Vol. 12, No. 4, July 2015 Distinguishing Attack on Common Scrambling Algorithm Kai Zhang and Jie Guan Zhengzhou Information Science and Technology

More information

Information Security Theory vs. Reality

Information Security Theory vs. Reality Information Security Theory vs. Reality 0368-4474, Winter 2015-2016 Lecture 3: Power analysis, correlation power analysis Lecturer: Eran Tromer 1 Power Analysis Simple Power Analysis Correlation Power

More information

Differential Fault Analysis of Trivium

Differential Fault Analysis of Trivium Differential Fault Analysis of Trivium Michal Hojsík 1,2 and Bohuslav Rudolf 2,3 1 Department of Informatics, University of Bergen, N-5020 Bergen, Norway 2 Department of Algebra, Charles University in

More information

Bias in the LEVIATHAN Stream Cipher

Bias in the LEVIATHAN Stream Cipher Bias in the LEVIATHAN tream ipher Paul rowley 1 and tefan Lucks 2 1 cryptolabs Amsterdam paul@cryptolabs.org 2 University of Mannheim lucks@weisskugel.informatik.uni-mannheim.de Abstract. We show two methods

More information

Analysis of Message Injection in Stream Cipher-based Hash Functions

Analysis of Message Injection in Stream Cipher-based Hash Functions Analysis o Message Injection in Stream Cipher-based Hash Functions Yuto Nakano 1, Carlos Cid 2, Kazuhide Fukushima 1, and Shinsaku Kiyomoto 1 1 KDDI R&D Laboratories Inc. 2 Royal Holloway, University o

More information

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary

More information

Algebraic Techniques in Differential Cryptanalysis

Algebraic Techniques in Differential Cryptanalysis Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos

More information

Symmetric Encryption. Adam O Neill based on

Symmetric Encryption. Adam O Neill based on Symmetric Encryption Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Syntax Eat $ 1 k7 - draw } randomised t ~ m T# c- Do m or Hateful distinguishes from ywckcipter - Correctness Pr [ NCK,

More information

Subspace Trail Cryptanalysis and its Applications to AES

Subspace Trail Cryptanalysis and its Applications to AES Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and Sondre Rønjom March, 2017 1 / 28 Introduction In the case of AES, several alternative representations (algebraic

More information

Expanding Weak-key Space of RC4

Expanding Weak-key Space of RC4 [DOI: 10.2197/ipsjjip.22.357] Recommended Paper Expanding Weak-key Space of RC4 Atsushi agao 1,a) Toshihiro Ohigashi 2 Takanori Isobe 1 Masakatu Morii 1 Received: July 7, 2013, Accepted: ovember 1, 2013

More information

Innovations in permutation-based crypto

Innovations in permutation-based crypto Innovations in permutation-based crypto Joan Daemen 1,2 based on joint work with Guido Bertoni 3, Seth Hoert, Michaël Peeters 1, Gilles Van Assche 1 and Ronny Van Keer 1 Cryptacus Training School, Azores,

More information

Akelarre. Akelarre 1

Akelarre. Akelarre 1 Akelarre Akelarre 1 Akelarre Block cipher Combines features of 2 strong ciphers o IDEA mixed mode arithmetic o RC5 keyed rotations Goal is a more efficient strong cipher Proposed in 1996, broken within

More information

AES side channel attacks protection using random isomorphisms

AES side channel attacks protection using random isomorphisms Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random

More information

Key Recovery Attack against 2.5-round π-cipher

Key Recovery Attack against 2.5-round π-cipher Key Recovery Attack against 2.5-round -Cipher Christina Boura 1, Avik Chakraborti 2, Gaëtan Leurent 3, Goutam Paul 2, Dhiman Saha 4, Hadi Soleimany 5,6 and Valentin Suder 7 1 University of Versailles,

More information

Attack on Broadcast RC4 Revisited

Attack on Broadcast RC4 Revisited Attack on Broadcast RC4 Revisited Subhamoy Maitra, Goutam Paul 2, and Sourav Sen Gupta Applied Statistics Unit, Indian Statistical Institute, Kolkata 700 08, India {subho,souravsg r}@isical.ac.in 2 Department

More information

How to Find Short RC4 Colliding Key.

How to Find Short RC4 Colliding Key. JAIST Reposi https://dspace.j Title How to Find Short RC4 Colliding Key Author(s)Chen, Jiageng; Miyaji, Atsuko Citation Lecture Notes in Computer Science, 7 46 Issue Date 2011-10-12 Type Journal Article

More information

Introduction to Modern Cryptography. Benny Chor

Introduction to Modern Cryptography. Benny Chor Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University

More information

Gurgen Khachatrian Martun Karapetyan

Gurgen Khachatrian Martun Karapetyan 34 International Journal Information Theories and Applications, Vol. 23, Number 1, (c) 2016 On a public key encryption algorithm based on Permutation Polynomials and performance analyses Gurgen Khachatrian

More information

Private-key Systems. Block ciphers. Stream ciphers

Private-key Systems. Block ciphers. Stream ciphers Chapter 2 Stream Ciphers Further Reading: [Sim92, Chapter 2] 21 Introduction Remember classication: Private-key Systems Block ciphers Stream ciphers Figure 21: Private-key cipher classication Block Cipher:

More information

Bernoulli variables. Let X be a random variable such that. 1 with probability p X = 0 with probability q = 1 p

Bernoulli variables. Let X be a random variable such that. 1 with probability p X = 0 with probability q = 1 p Unit 20 February 25, 2011 1 Bernoulli variables Let X be a random variable such that { 1 with probability p X = 0 with probability q = 1 p Such an X is called a Bernoulli random variable Unit 20 February

More information

DM49-2. Obligatoriske Opgave

DM49-2. Obligatoriske Opgave DM49-2. Obligatoriske Opgave Jacob Christiansen, moffe42, 130282 Thomas Nordahl Pedersen, nordahl, 270282 1/4-05 Indhold 1 Opgave 1 - Public Exponent 2 1.1 a.................................. 2 1.2 b..................................

More information

Differential Fault Analysis on DES Middle Rounds

Differential Fault Analysis on DES Middle Rounds Differential Fault Analysis on DES Middle Rounds Matthieu Rivain Speaker: Christophe Giraud Oberthur Technologies Agenda 1 Introduction Data Encryption Standard DFA on DES Last & Middle Rounds 2 Our Attack

More information

Linear Approximations for 2-round Trivium

Linear Approximations for 2-round Trivium Linear Approximations for 2-round Trivium Meltem Sönmez Turan 1, Orhun Kara 2 1 Institute of Applied Mathematics, Middle East Technical University Ankara, Turkey msonmez@metu.edu.tr 2 TUBITAK-UEKAE, Gebze,

More information

On Permissions, Inheritance and Role Hierarchies

On Permissions, Inheritance and Role Hierarchies On Permissions, Inheritance and Role Hierarchies Information Security Group Royal Holloway, University of London Introduction The role hierarchy is central to most RBAC models Modelled as a partially ordered

More information

Cube Attacks on Stream Ciphers Based on Division Property

Cube Attacks on Stream Ciphers Based on Division Property Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23 Plan 1 Cube Attack:

More information

Cryptanalysis of the Stream Cipher DECIM

Cryptanalysis of the Stream Cipher DECIM Cryptanalysis of the Stream Cipher DECIM Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium {wu.hongjun, bart.preneel}@esat.kuleuven.be

More information

Cold Boot Attacks in the Discrete Logarithm Setting

Cold Boot Attacks in the Discrete Logarithm Setting Cold Boot Attacks in the Discrete Logarithm Setting B. Poettering 1 & D. L. Sibborn 2 1 Ruhr University of Bochum 2 Royal Holloway, University of London October, 2015 Outline of the talk 1 Introduction

More information

Distinct Difference Configurations

Distinct Difference Configurations Distinct Difference Configurations Simon R. Blackburn Joint work with: Tuvi Etzion, Keith M. Martin, Maura B. Paterson Royal Holloway, University of London 16th July 009 S.R. Blackburn (RHUL) Distinct

More information

CS 6260 Applied Cryptography

CS 6260 Applied Cryptography CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space

More information

Pseudo-Random Number Generators

Pseudo-Random Number Generators Unit 41 April 18, 2011 1 Pseudo-Random Number Generators Recall the one-time pad: k = k 1, k 2, k 3... a random bit-string p = p 1, p 2, p 3,... plaintext bits E(p) = p k. We desire long sequences of numbers

More information

CSc 466/566. Computer Security. 5 : Cryptography Basics

CSc 466/566. Computer Security. 5 : Cryptography Basics 1/84 CSc 466/566 Computer Security 5 : Cryptography Basics Version: 2012/03/03 10:44:26 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian Collberg Christian

More information

THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER. A. A. Zadeh and Howard M. Heys

THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER. A. A. Zadeh and Howard M. Heys THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER A. A. Zadeh and Howard M. Heys Electrical and Computer Engineering Faculty of Engineering and Applied Science Memorial University of Newfoundland

More information

ECS 189A Final Cryptography Spring 2011

ECS 189A Final Cryptography Spring 2011 ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I

More information

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang

More information

Table Of Contents. ! 1. Introduction to AES

Table Of Contents. ! 1. Introduction to AES 1 Table Of Contents! 1. Introduction to AES! 2. Design Principles behind AES Linear Cryptanalysis Differential Cryptanalysis Square Attack Biclique Attack! 3. Quantum Cryptanalysis of AES Applying Grover

More information

ACORN: A Lightweight Authenticated Cipher (v3)

ACORN: A Lightweight Authenticated Cipher (v3) ACORN: A Lightweight Authenticated Cipher (v3) Designer and Submitter: Hongjun Wu Division of Mathematical Sciences Nanyang Technological University wuhongjun@gmail.com 2016.09.15 Contents 1 Specification

More information

Impossible Differential Cryptanalysis of Mini-AES

Impossible Differential Cryptanalysis of Mini-AES Impossible Differential Cryptanalysis of Mini-AES Raphael Chung-Wei Phan ADDRESS: Swinburne Sarawak Institute of Technology, 1 st Floor, State Complex, 93576 Kuching, Sarawak, Malaysia. rphan@swinburne.edu.my

More information

On the Design of Trivium

On the Design of Trivium On the Design of Trivium Yun Tian, Gongliang Chen, Jianhua Li School of Information Security Engineering, Shanghai Jiaotong University, China ruth tian@sjtu.edu.cn, chengl@sjtu.edu.cn, lijh888@sjtu.edu.cn

More information

On Data Complexity of Distinguishing Attacks vs. Message Recovery Attacks on Stream Ciphers

On Data Complexity of Distinguishing Attacks vs. Message Recovery Attacks on Stream Ciphers On Data Complexity of Distinguishing Attacks vs. Message Recovery Attacks on Stream Ciphers Goutam Paul Souvik Ray Abstract We revisit the different approaches used in the literature to estimate the data

More information

Message Authentication (MAC) Algorithm For The VMPC-R (RC4-like) Stream Cipher

Message Authentication (MAC) Algorithm For The VMPC-R (RC4-like) Stream Cipher Message Authentication (MAC) Algorithm For The VMPC-R (RC4-like) Stream Cipher Bartosz Zoltak www.vmpcfunction.com bzoltak@vmpcfunction.com Abstract. We propose an authenticated encryption scheme for the

More information

A Practical Attack on Bluetooth Encryption

A Practical Attack on Bluetooth Encryption The : A Practical Yi Lu EPFL Willi Meier FH Aargau Serge Vaudenay EPFL CRYPTO 05, Santa Barbara Yi Lu, Willi Meier and Serge Vaudenay - p. 1/21 CRYPTO 05, Santa Barbara Yi Lu, Willi Meier and Serge Vaudenay

More information

Dan Boneh. Stream ciphers. The One Time Pad

Dan Boneh. Stream ciphers. The One Time Pad Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.

More information

Stronger Security Variants of GCM-SIV

Stronger Security Variants of GCM-SIV Stronger Security Variants of GCM-SIV Tetsu Iwata 1 Kazuhiko Minematsu 2 FSE 2017 Tokyo, Japan March 8 2017 Nagoya University, Japan NEC Corporation, Japan Supported in part by JSPS KAKENHI, Grant-in-Aid

More information

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden Dept. of EIT, Lund University, P.O. Box 118, 221 00 Lund, Sweden thomas@eit.lth.se May 16, 2011 Outline: Introduction to stream ciphers Distinguishers Basic constructions of distinguishers Various types

More information

Picnic Post-Quantum Signatures from Zero Knowledge Proofs

Picnic Post-Quantum Signatures from Zero Knowledge Proofs Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM DAVID DERLER STEVEN GOLDFEDER JONATHAN KATZ VLAD KOLESNIKOV CLAUDIO ORLANDI SEBASTIAN RAMACHER CHRISTIAN RECHBERGER

More information

Algebraic Aspects of Symmetric-key Cryptography

Algebraic Aspects of Symmetric-key Cryptography Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques

More information

An Improved Estimate of the Correlation of Distinguisher for Dragon

An Improved Estimate of the Correlation of Distinguisher for Dragon An Improved Estimate of the Correlation of Distinguisher for Dragon Joo Yeon Cho Helsinki University of Technology, Laboratory for Theoretical Computer Science, P.O. Box 5400, FI-02015 TKK, Finland joo.cho@tkk.fi

More information

RC4 State Information at Any Stage Reveals the Secret Key

RC4 State Information at Any Stage Reveals the Secret Key RC4 State Information at Any Stage Reveals the Secret Key Goutam Paul Department of Computer Science and Engineering, Jadavpur University, Kolkata 700 032, India, Email: goutam paul@cse.jdvu.ac.in Subhamoy

More information

Cold Boot Key Recovery by Solving Polynomial Systems with Noise

Cold Boot Key Recovery by Solving Polynomial Systems with Noise Cold Boot Key Recovery by Solving Polynomial Systems with Noise Martin R. Albrecht 1 & Carlos Cid 2 Team Salsa, LIP6, UPMC Information Security Group, Royal Holloway, University of London DTU, 04. April

More information

Low Complexity Differential Cryptanalysis and Fault Analysis of AES

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low

More information

Lecture Notes. Advanced Discrete Structures COT S

Lecture Notes. Advanced Discrete Structures COT S Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-22 Recap Two methods for attacking the Vigenère cipher Frequency analysis Dot Product Playfair Cipher Classical Cryptosystems - Section

More information

A Pseudo-Random Encryption Mode

A Pseudo-Random Encryption Mode A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of

More information

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).

More information

Klein s and PTW Attacks on WEP

Klein s and PTW Attacks on WEP TTM4137 Wireless Security Klein s and PTW Attacks on WEP Anton Stolbunov NTNU, Department of Telematics version 1, September 7, 2009 Abstract These notes should help for an in-depth understanding of the

More information

Fundamentals of Modern Cryptography

Fundamentals of Modern Cryptography Fundamentals of Modern Cryptography BRUCE MOMJIAN This presentation explains the fundamentals of modern cryptographic methods. Creative Commons Attribution License http://momjian.us/presentations Last

More information

Security Evaluation of Stream Cipher Enocoro-128v2

Security Evaluation of Stream Cipher Enocoro-128v2 Security Evaluation of Stream Cipher Enocoro-128v2 Hell, Martin; Johansson, Thomas 2010 Link to publication Citation for published version (APA): Hell, M., & Johansson, T. (2010). Security Evaluation of

More information

Key reconstruction from the inner state of RC4

Key reconstruction from the inner state of RC4 BACHELOR THESIS Lukáš Sladký Key reconstruction from the inner state of RC4 Department of Algebra Supervisor of the bachelor thesis: Study programme: Study branch: Mgr. Milan Boháček Mathematics Mathematical

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback