Cryptanalysis of Achterbahn-128/80. Maria Naya-Plasencia. INRIA-Projet CODES FRANCE
|
|
- Marjory Andrews
- 5 years ago
- Views:
Transcription
1 Cryptanalysis of Achterbahn-128/80 Maria Naya-Plasencia INRIA-Projet CODES FRANCE
2 Outline 1 Achterbahn 2 Tools used in our cryptanalysis 3 Cryptanalysis of Achterbahn-128/80
3 Achterbahn [Gammel-Göttfert-Kniffler05]... f keystream NLFSR 1 NLFSR 2 NLFSR N Achterbahn version 1, version 2, version 1 cryptanalysed by Johansson, Meier, Muller. version 2 cryptanalysed by Hell, Johansson. 1/23
4 Achterbahn-128/80 (July 2006) Achterbahn-128: key size = 128 bits 13 primitive NLFSRs of length L i = 21 + i, 0 i 12 Least significant bit of each NLFSR forced to 1 at the initialization process. Boolean combining function F : balanced correlation immunity order = 8 Inputs of F shifted outputs of NLFSRs. Keystream length limited to /23
5 Achterbahn-128/80 (July 2006) Achterbahn-80: key size = 80 bits 11 primitive NLFSRs of length L i = 21 + i, 1 i 11 Least significant bit of each NLFSR forced to 1 at the initialization process. Boolean function G(x 1,..., x 11 ) = F (0, x 1,..., x 11, 0): balanced correlation immunity order = 6 Inputs of G shifted outputs of NLFSRs. Keystream length limited to /23
6 Tools used in our cryptanalysis Parity checks Exhaustive search for the internal states of some registers Decimation by the period of a register Linear approximations Speeding up the exhaustive search 4/23
7 Parity checks Let (s 1 (t)) t 0,..., (s n (t)) t 0 be n sequences of periods T 1,..., T n, and t 0, S(t) = n i=1 s i(t). Then, for all t 0, τ T 1,...,T n S(t + τ) = 0, T 1,..., T n : set of all 2 n possible sums of T 1,..., T n. Example: (s 1 (t)), (s 2 (t)) with periods T 1 and T 2 S(t) + S(t + T 1 ) + S(t + T 2 ) + S(t + T 1 + T 2 ) = 0 5/23
8 Cryptanalysis with parity checks Linear approximation l(t) = m j=1 x i j (t) where: Pr[S(t) = l(t)] = 1 (1 + ε) 2 Parity check: τ T i1,...,t i m l(t + τ) = 0 Pr S(t + τ) = 0 1 ( 1 + ε 2 m ) 2 τ T i1,...,t i m 6/23
9 Exhaustive search over some registers Exhaustive search for the initial states of m registers Pr S(t) = m j=1 x ij (t) + m j=m +1 x ij (t) = 1 (1 + ε). 2 Pr The parity check has 2 m m terms and satisfies: τ T im +1,...,T i m S(t + τ) + m j=1 x ij (t + τ) = 0 = 1 2 (1 + ε 2m m ) 7/23
10 Required keystream length m j=1 Decoding problem = 2 (L i j 1) sequences of length N transmitted through a binary symmetric channel of capacity C(p) = C ( ) 1 m m (1 + ε2 ) (ε2m m ) ln 2 N m j=1 (L i j 1) C(p) 2 ln 2 m j=1 (L i j 1) (ε 2m m ) 2 Keystream bits needed: (ε 2m m ) 2 2 ln 2 (L ij 1) + m m T ij j=1 i=m +1 8/23
11 Decimation [Hell-Johansson06] Parity check: pc(t) = S(t + τ) + m x ij (t + τ) τ T im +1,...,T i m j=1 Decimate by the periods of p linear terms i 1,..., i p : pc p (t) = pc(tt i1... T ip ) Exhaustive search for the remaining (m p) terms 9/23
12 Complexity Keystream bits needed: (ε 2m m ) 2 2 ln 2 m j=p+1 (L ij 1) 2 p j=1 L i j + m j=m +1 2 L i j Time complexity: (ε 2m m ) 2 2 ln 2 m j=p+1 m j=p+1 (L ij 1) 2 (L i j 1) 10/23
13 Cryptanalysis of Achterbahn-80 We use a linear approximation: as G has correlation immunity order 6, the best approximation by a 7-variable function is affine [Canteaut-Trabia00] We use the following one: g 2 (x 1,..., x 10 ) = x 1 +x 3 +x 4 +x 5 +x 6 +x 7 +x 10 with ε = /23
14 Cryptanalysis of Achterbahn-80 Linear approximation: g 2 (x 1,..., x 10 ) = (x 4 +x 7 )+(x 5 +x 6 )+x 1 +x 3 +x 10 with ε = 2 3. Parity check: ll(t) = l(t) + l(t + T 4 T 7 ) + l(t + T 6 T 5 ) + l(t + T 4 T 7 + T 6 T 5 ) Decimate by the period of the register 10. Exhaustive search over registers 1 and 3. 12/23
15 Cryptanalysis of Achterbahn-80 Keystream bits needed: (ε 4 ) 2 2 ln 2 (L 1 +L 3 2) 2 L L 4+L 7 +2 L 5+L 6 = 2 61 bits. Time complexity: (ε 4 ) 2 2 ln 2 (L 1 +L 3 2) 2 L1 1 2 L3 1 = 2 74 operations. Time complexity can be reduced: final complexity We recover the initial states of registers 1 and 3. 13/23
16 Cryptanalysis of Achterbahn-128 Linear approximation: l(x 0,..., x 12 ) = (x 0 +x 3 +x 7 )+(x 4 +x 10 )+(x 8 +x 9 )+x 1 +x 2 with ε = 2 3. Parity check: lll(t) = τ T 0,3,7,T 4,10,T 8,9 l(t + τ), where T 0,3,7 = lcm(t 0, T 3, T 7 ) Exhaustive search over registers 1 and 2 we can reduce this complexity making profit of the independence of the registers 14/23
17 Improving the exhaustive search ϕ = t =0 τ T 0,3,7,T 4,10,T 8,9 (S(t ) x 1 (t ) x 2 (t )) = = T 2 1 k=0 T 2 1 k= t=0 (σ 2 (k) 1) σ(tt 2 + k) σ 1 (tt 2 + k) σ 2 (tt 2 + k) σ 2 (k) ( ) t= t=0 σ(tt 2 + k) σ 1 (tt 2 + k) + σ(tt 2 + k) σ 1 (tt 2 + k) 15/23
18 Improving the exhaustive search for k = 0 to T 2 1 do V 2 [k] = σ 2 (k) for the all-one initial state. end for for each possible initial state of R1 do for k = 0 to T 2 1 do V 1 [k] = t=0 σ(t 2 t + k) σ 1 (T 2 t + k) end for for each [ possible initial state i of R2 do (V2 [k+imodt 2 ] 1) V 1 [k] + V 2 [k+imodt 2 ] ( V 1 [k] )] T2 1 k=0 if we find the bias then return the initial states of R1 and R2 end if end for end for 16/23
19 Reducing complexity with an FFT T 2 1 k=0 [ (V2 [k + i] 1) V 1 [k] + V 2 [k + i] ( V 1 [k] )] 2 L 2 1 T T 2 1 k=0 ( 1)V 2[k+i] ( V 1 [k] ) + T T 2 log 2 T 2 with an FFT. 17/23
20 Cryptanalysis of Achterbahn-128 Keystream bits needed: (ε 8 ) 2 2 ln 2 (L 1 +L 2 2)+T 0,3,7 +T 4,10 +T 8,9 < 2 61 bits. Time complexity: 2 L 1 1 [ 2 31 T 2 ( ) + T 2 log T 2 ] +T2 2 3 = /23
21 Achterbahn-128 limited to 2 56 bits The same attack as before using the linear approximation: l(x 0,..., x 12 ) = (x 3 +x 8 )+(x 1 +x 10 )+(x 2 +x 9 )+x 0 +x 4 +x 7 Improved exhaustive search over registers 0,4 and 7, considering R 0 and R 4 together. keystream bits needed< 2 56 time complexity:2 104 operations. 19/23
22 Achterbahn-80 limited to 2 52 bits Linear approximation: l(x 1,..., x 11 ) = (x 3 + x 7 ) + (x 4 + x 5 ) + x 1 + x 6 + x 10 With the same attack as before, we need more than 2 52 keystream bits. We can adapt the algorithm in order to reduce the data complexity. 20/23
23 Achterbahn-80 limited to 2 52 bits Instead of one decimated sequence of parity checks of length L, 4 decimated sequences of length L/4: S(t(T 1 ) + i) + S(t(T 1 ) + i + T 7 T 3 ) + S(t(T 1 ) + i + T 4 T 5 ) +S(t(T 1 ) + i + T 7 T 3 + T 4 T 5 ), for i {0,..., 3}. Keystream bits needed < 2 52 Time complexity: 2 67 operations. 21/23
24 Recovering the key From the previously recovered initial states of some registers: Meet-in-the-middle attack on the key-loading. No need to invert all the clocking steps. Additional complexity: Achterbahn-80: 2 40 in time and 2 41 in memory. Achterbahn-128: 2 73 in time and 2 48 in memory. 22/23
25 Conclusions Attacks complexities against all versions of Achterbahn version data complexity time complexity references v1 (80-bit) [JMM06] v2 (80-bit) [HJ06] v2 (80-bit) v80 (80-bit) v128 (128-bit) /23
Computing the biases of parity-check relations
Computing the biases of parity-check relations Anne Canteaut INRIA project-team SECRET B.P. 05 7853 Le Chesnay Cedex, France Email: Anne.Canteaut@inria.fr María Naya-Plasencia INRIA project-team SECRET
More informationCryptanalysis of Achterbahn
Cryptanalysis of Achterbahn Thomas Johansson 1, Willi Meier 2, and Frédéric Muller 3 1 Department of Information Technology, Lund University P.O. Box 118, 221 00 Lund, Sweden thomas@it.lth.se 2 FH Aargau,
More informationStream Ciphers: Cryptanalytic Techniques
Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and Information Technology. Lund University, Sweden ECRYPT Summer school 2007 (Lund University) Stream Ciphers: Cryptanalytic
More informationAchterbahn-128/80: Design and Analysis
Achterbahn-128/80: Design and Analysis Berndt Gammel Rainer Göttfert Oliver Kniffler Infineon Technologies AG Germany berndt.gammel@infineon.com rainer.goettfert@infineon.com oliver.kniffler@infineon.com
More informationImproved Fast Correlation Attacks Using Parity-Check Equations of Weight 4 and 5
Improved Fast Correlation Attacks Using Parity-Check Equations of Weight 4 and 5 Anne Canteaut 1 and Michaël Trabbia 1,2 1 INRIA projet CODES B.P. 105 78153 Le Chesnay Cedex - France Anne.Canteaut@inria.fr
More informationOn Stream Ciphers with Small State
ESC 2017, Canach, January 16. On Stream Ciphers with Small State Willi Meier joint work with Matthias Hamann, Matthias Krause (University of Mannheim) Bin Zhang (Chinese Academy of Sciences, Beijing) 1
More informationFast correlation attacks on certain stream ciphers
FSE 2011, February 14-16, Lyngby, Denmark Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview A decoding problem LFSR-based stream ciphers Correlation attacks Fast
More informationOn the computation of best second order approximations of Boolean Functions ΕΤΗΣΙΑ ΕΚΘΕΣΗ 2010
Introduction Boolean functions 2nd order nonlinearity Summary ARXH PROSTASIAS_APOLOGISMOS 2010.indd 1 20/04/2011 12:54 ΜΜ On the computation of best second order approximations of Boolean Functions ΕΤΗΣΙΑ
More informationTHEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER. A. A. Zadeh and Howard M. Heys
THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER A. A. Zadeh and Howard M. Heys Electrical and Computer Engineering Faculty of Engineering and Applied Science Memorial University of Newfoundland
More informationChosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers
Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers Simon Fischer 1, Shahram Khazaei 2, and Willi Meier 1 1 FHNW and 2 EPFL (Switzerland) AfricaCrypt 2008, Casablanca - June 11-14
More informationAttacks against Filter Generators Exploiting Monomial Mappings
Attacks against Filter Generators Exploiting Monomial Mappings Anne Canteaut and Yann Rotella Inria, Paris, France Anne.Canteaut@inria.fr, Yann.Rotella@inria.fr Abstract. Filter generators are vulnerable
More informationCryptanalysis of Grain
Cryptanalysis of Grain Côme Berbain 1, Henri Gilbert 1, and Alexander Maximov 2 1 France Telecom Research and Development 38-40 rue du Général Leclerc, 92794 Issy-les-Moulineaux, France 2 Dept. of Information
More informationFast Correlation Attacks: an Algorithmic Point of View
Fast Correlation Attacks: an Algorithmic Point of View Philippe Chose, Antoine Joux, and Michel Mitton DCSSI, 18 rue du Docteur Zamenhof F-92131 Issy-les-Moulineaux cedex, France Philippe.Chose@ens.fr,
More informationA new simple technique to attack filter generators and related ciphers
A new simple technique to attack filter generators and related ciphers Håkan Englund and Thomas Johansson Dept. of Information Techonolgy, Lund University, P.O. Box 118, 221 00 Lund, Sweden Abstract. This
More informationAttacks Against Filter Generators Exploiting Monomial Mappings
Attacks Against Filter Generators Exploiting Monomial Mappings Anne Canteaut, Yann Rotella To cite this version: Anne Canteaut, Yann Rotella. Attacks Against Filter Generators Exploiting Monomial Mappings.
More informationCryptanalysis of Full Sprout
Cryptanalysis of Full Sprout Virginie Lallemand and María Naya-Plasencia Inria, France Abstract. A new method for reducing the internal state size of stream cipher registers has been proposed in FSE 2015,
More informationKey Recovery with Probabilistic Neutral Bits
ESC 7.1. 11. 1. 2007 Key Recovery with Probabilistic Neutral Bits Simon Fischer 1, Shahram Khazaei 2 and Willi Meier 1 1 FHNW, Windisch, Switzerland 2 EPFL, Lausanne, Switzerland Outline Motivation Probabilistic
More informationA New Distinguisher on Grain v1 for 106 rounds
A New Distinguisher on Grain v1 for 106 rounds Santanu Sarkar Department of Mathematics, Indian Institute of Technology, Sardar Patel Road, Chennai 600036, India. sarkar.santanu.bir@gmail.com Abstract.
More informationFast Correlation Attacks: An Algorithmic Point of View
Fast Correlation Attacks: An Algorithmic Point of View Philippe Chose, Antoine Joux, and Michel Mitton DCSSI, 18 rue du Docteur Zamenhof, F-92131 Issy-les-Moulineaux cedex, France, Philippe.Chose@ens.fr,
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationNew Methods for Cryptanalysis of Stream Ciphers. The Selmer Centre Department of Informatics University of Bergen Norway
New Methods for Cryptanalysis of Stream Ciphers Håvard Molland The Selmer Centre Department of Informatics University of Bergen Norway 18th May 2005 Acknowledgments I would like to express my gratitude
More informationACHTERBAHN: A Proposal for a Profile 2 Stream Cipher to ECRYPT s Call for Stream Cipher Primitives
ACHTERBAHN: A Proposal for a Profile 2 Stream Cipher to ECRYPT s Call for Stream Cipher Primitives Berndt M. Gammel, Rainer Göttfert and Oliver Kniffler Infineon Technologies AG St.-Martin-Str. 76 81541
More informationCorrelation Analysis of the Shrinking Generator
Correlation Analysis of the Shrinking Generator Jovan Dj. Golić GEMPLUS Rome CryptoDesign Center, Technology R&D Via Pio Emanuelli 1, 00143 Rome, Italy Email: jovan.golic@gemplus.com Abstract. The shrinking
More informationLinear Approximations for 2-round Trivium
Linear Approximations for 2-round Trivium Meltem Sönmez Turan 1, Orhun Kara 2 1 Institute of Applied Mathematics, Middle East Technical University Ankara, Turkey msonmez@metu.edu.tr 2 TUBITAK-UEKAE, Gebze,
More informationData Complexity and Success Probability for Various Cryptanalyses
Data Complexity and Success Probability for Various Cryptanalyses Céline Blondeau, Benoît Gérard and Jean Pierre Tillich INRIA project-team SECRET, France Blondeau, Gérard and Tillich. Data Complexity
More informationSieve-in-the-Middle: Improved MITM Attacks (Full Version )
Sieve-in-the-Middle: Improved MITM Attacks (Full Version ) Anne Canteaut 1, María Naya-Plasencia 1, and Bastien Vayssière 2 1 Inria Paris-Rocquencourt, project-team SECRET B.P. 105, 78153 Le Chesnay cedex,
More informationa fast correlation attack implementation
university of cape town a fast correlation attack implementation Honours Project 2011 Azhar Desai supervisors Dr Anne Kayem Dr Christine Swart Abstract Stream ciphers are used to encrypt data on devices
More informationPractical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function
Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function Itai Dinur 1, Pawe l Morawiecki 2,3, Josef Pieprzyk 4 Marian Srebrny 2,3, and Micha l Straus 3 1 Computer Science Department, École
More informationCellular Automata in Cryptography" Information Security Group,Royal Holloway, Abstract The cipher systems based on Cellular Automata proposed by Nandi
Comments on \Theory and Applications of Cellular Automata in Cryptography" S.R. Blackburn, S. Murphy y and K.G. Paterson z Information Security Group,Royal Holloway, University of London, Surrey TW20 0EX,
More informationCryptanalysis of the Stream Cipher ABC v2
Cryptanalysis of the Stream Cipher ABC v2 Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium {wu.hongjun,bart.preneel}@esat.kuleuven.be
More informationRelated-Key Statistical Cryptanalysis
Related-Key Statistical Cryptanalysis Darakhshan J. Mir Department of Computer Science, Rutgers, The State University of New Jersey Poorvi L. Vora Department of Computer Science, George Washington University
More informationQuantum Differential and Linear Cryptanalysis
Quantum Differential and Linear Cryptanalysis Marc Kaplan 1,2 Gaëtan Leurent 3 Anthony Leverrier 3 María Naya-Plasencia 3 1 LTCI, Télécom ParisTech 2 School of Informatics, University of Edinburgh 3 Inria
More informationSolving LPN Using Covering Codes
Solving LPN Using Covering Codes Qian Guo 1,2 Thomas Johansson 1 Carl Löndahl 1 1 Dept of Electrical and Information Technology, Lund University 2 School of Computer Science, Fudan University ASIACRYPT
More informationFast Near Collision Attack on the Grain v1 Stream Cipher
Fast Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang 1,,3,4, Chao Xu 1,, and Willi Meier 5 1 TCA Laboratory, SKLCS, Institute of Software, Chinese Academy of Sciences {zhangbin,xuchao}@tca.iscas.ac.cn
More informationCryptanalysis of SP Networks with Partial Non-Linear Layers
Cryptanalysis of SP Networks with Partial Non-Linear Layers Achiya Bar-On 1, Itai Dinur 2, Orr Dunkelman 3, Nathan Keller 1, Virginie Lallemand 4, and Boaz Tsaban 1 1 Bar-Ilan University, Israel 2 École
More informationSearching for Nonlinear Feedback Shift Registers with Parallel Computing
Searching for Nonlinear Feedback Shift Registers with Parallel Computing Przemysław Dąbrowski, Grzegorz Łabuzek, Tomasz Rachwalik, Janusz Szmidt Military Communication Institute ul. Warszawska 22A, 05-130
More informationAnalysis of Modern Stream Ciphers
Analysis of Modern Stream Ciphers Josef Pieprzyk Centre for Advanced Computing Algorithms and Cryptography, Macquarie University, Australia CANS - Singapore - December 2007 estream Outline 1. estream Project
More informationSequences, DFT and Resistance against Fast Algebraic Attacks
Sequences, DFT and Resistance against Fast Algebraic Attacks Guang Gong Department of Electrical and Computer Engineering University of Waterloo Waterloo, Ontario N2L 3G1, CANADA Email. ggong@calliope.uwaterloo.ca
More informationCryptographic D-morphic Analysis and Fast Implementations of Composited De Bruijn Sequences
Cryptographic D-morphic Analysis and Fast Implementations of Composited De Bruijn Sequences Kalikinkar Mandal, and Guang Gong Department of Electrical and Computer Engineering University of Waterloo Waterloo,
More informationMultiple Differential Cryptanalysis: Theory and Practice
Multiple Differential Cryptanalysis: Theory and Practice Céline Blondeau, Benoît Gérard SECRET-Project-Team, INRIA, France aaa FSE, February 14th, 2011 C.Blondeau and B.Gérard. Multiple differential cryptanalysis
More informationBreaking the F-FCSR-H Stream Cipher in Real Time
Breaking the F-FCSR-H Stream Cipher in Real Time Martin Hell and Thomas Johansson Dept. of Electrical and Information Technology, Lund University, P.O. Box 118, 221 00 Lund, Sweden Abstract. The F-FCSR
More informationCorrelation Cube Attacks: From Weak-Key Distinguisher to Key Recovery
Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery Meicheng Liu, Jingchun Yang, Wenhao Wang, and Dongdai Lin State Key Laboratory of Information Security, Institute of Information Engineering,
More informationModified Alternating Step Generators
Modified Alternating Step Generators Robert Wicik, Tomasz Rachwalik Military Communication Institute Warszawska 22A, 05-130 Zegrze, Poland {r.wicik, t.rachwalik}@wil.waw.pl Abstract. Irregular clocking
More informationL9: Galois Fields. Reading material
L9: Galois Fields Reading material Muzio & Wesselkamper Multiple-valued switching theory, p. 3-5, - 4 Sasao, Switching theory for logic synthesis, pp. 43-44 p. 2 - Advanced Logic Design L9 - Elena Dubrova
More informationLecture Notes on Cryptographic Boolean Functions
Lecture Notes on Cryptographic Boolean Functions Anne Canteaut Inria, Paris, France Anne.Canteaut@inria.fr https://www.rocq.inria.fr/secret/anne.canteaut/ version: March 10, 016 Contents 1 Boolean functions
More informationAlgebraic Immunity of S-boxes and Augmented Functions
Algebraic Immunity of S-boxes and Augmented Functions Simon Fischer and Willi Meier S. Fischer and W. Meier AI of Sbox and AF 1 / 23 Outline 1 Algebraic Properties of S-boxes 2 Augmented Functions 3 Application
More informationCryptanalysis of the Stream Cipher DECIM
Cryptanalysis of the Stream Cipher DECIM Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium {wu.hongjun, bart.preneel}@esat.kuleuven.be
More informationMaximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers
Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers Muxiang Zhang 1 and Agnes Chan 2 1 GTE Laboratories Inc., 40 Sylvan Road LA0MS59, Waltham, MA 02451 mzhang@gte.com 2 College of Computer
More informationNonlinear Equivalence of Stream Ciphers
Sondre Rønjom 1 and Carlos Cid 2 1 Crypto Technology Group, Norwegian National Security Authority, Bærum, Norway 2 Information Security Group, Royal Holloway, University of London Egham, United Kingdom
More informationYet another side-channel attack: Multi-linear Power Analysis attack (MLPA)
Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA) Thomas Roche, Cédric Tavernier Laboratoire LIG, Grenoble, France. Communications and Systems, Le Plessis Robinson, France. Cryptopuces
More informationHow to strengthen pseudo-random generators by using compression
How to strengthen pseudo-random generators by using compression Aline Gouget,, Hervé Sibert France Telecom Research and Development, 4 rue des Coutures, BP643, F-466 Caen Cedex 4, France { aline.gouget,
More informationModified version of Latin Dances Revisited: New Analytic Results of Salsa20 and ChaCha
Modified version of Latin Dances Revisited: New Analytic Results of Salsa20 and ChaCha Tsukasa Ishiguro KDDI R&D Laboratories Inc. 2-1-15 Ohara, Fujimino, Saitama 356-8502, Japan tsukasa@kddilabs.jp 1
More informationOpen problems related to algebraic attacks on stream ciphers
Open problems related to algebraic attacks on stream ciphers Anne Canteaut INRIA - projet CODES B.P. 105 78153 Le Chesnay cedex - France e-mail: Anne.Canteaut@inria.fr Abstract The recently developed algebraic
More informationLecture 10-11: General attacks on LFSR based stream ciphers
Lecture 10-11: General attacks on LFSR based stream ciphers Thomas Johansson T. Johansson (Lund University) 1 / 23 Introduction z = z 1, z 2,..., z N is a known keystream sequence find a distinguishing
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationZero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA
Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Andrey Bogdanov, Meiqin Wang Technical University of Denmark, Shandong University, China ESC 2013,
More informationA TMDTO Attack Against Lizard
A TMDTO Attack Against Lizard Subhamoy Maitra 1, Nishant Sinha 2, Akhilesh Siddhanti 3, Ravi Anand 4, Sugata Gangopadhyay 2 1 Indian Statistical Institute, Kolkata, subho@isical.ac.in 2 Indian Institute
More informationGeneralized Correlation Analysis of Vectorial Boolean Functions
Generalized Correlation Analysis of Vectorial Boolean Functions Claude Carlet 1, Khoongming Khoo 2, Chu-Wee Lim 2, and Chuan-Wen Loe 2 1 University of Paris 8 (MAATICAH) also with INRIA, Projet CODES,
More informationA Fast Correlation Attack on the Shrinking Generator
A Fast Correlation Attack on the Shrinking Generator Bin Zhang 1,2,HongjunWu 1, Dengguo Feng 2, and Feng Bao 1 1 Institute for Infocomm Research, Singapore 2 State Key Laboratory of Information Security,
More informationCharacterization of Column Parity Kernel and Differential Cryptanalysis of Keccak
Characterization of Column Parity Kernel and Differential Cryptanalysis of Keccak Yin Tan, Kalikinkar Mandal and Guang Gong Department of Electrical and Computer Engineering, University of Waterloo, Canada
More informationAnother view of the division property
Another view of the division property Christina Boura and Anne Canteaut Université de Versailles-St Quentin, France Inria Paris, France Dagstuhl seminar, January 2016 Motivation E K : block cipher with
More information4.3 General attacks on LFSR based stream ciphers
67 4.3 General attacks on LFSR based stream ciphers Recalling our initial discussion on possible attack scenarios, we now assume that z = z 1,z 2,...,z N is a known keystream sequence from a generator
More informationOvertaking VEST. 45, avenue des États-Unis, Versailles Cedex, France 3 DCSSI Crypto Lab
Overtaking VEST Antoine Joux 1,2 and Jean-René Reinhard 3 1 DGA 2 Université de Versailles St-Quentin-en-Yvelines, PRISM 45, avenue des États-Unis, 78035 Versailles Cedex, France antoine.joux@m4x.org 3
More informationCryptanalysis of the Sidelnikov cryptosystem
Cryptanalysis of the Sidelnikov cryptosystem Lorenz Minder, Amin Shokrollahi Laboratoire de mathématiques algorithmiques (LMA), EPFL c 2007 IACR. This paper appeared in Advances in cryptology Eurocrypt
More informationFast Correlation Attack on Stream Cipher ABC v3
Fast Correlation Attack on Stream Cipher ABC v3 Haina Zhang Lin Li Xiaoyun Wang Abstract ABC v3 is a stream cipher proposed as a candidate to ECRYPT Estream Project which enters the second evaluation phase.
More informationThe LILI-128 Keystream Generator
The LILI-128 Keystream Generator E. Dawson 1 A. Clark 1 J. Golić 2 W. Millan 1 L. Penna 1 L. Simpson 1 1 Information Security Research Centre, Queensland University of Technology GPO Box 2434, Brisbane
More informationAlgebraic analysis of Trivium-like ciphers (Poster)
Algebraic analysis of Trivium-like ciphers (Poster) Sui-Guan Teo 1 Kenneth Koon-Ho Wong 1 Harry Bartlett 2 Leonie Simpson 2 Ed Dawson 1 1 Institute for Future Environments 2 Science and Engineering Faculty
More informationData complexity and success probability of statisticals cryptanalysis
Data complexity and success probability of statisticals cryptanalysis Céline Blondeau SECRET-Project-Team, INRIA, France Joint work with Benoît Gérard and Jean-Pierre Tillich aaa C.Blondeau Data complexity
More informationDivision Property: a New Attack Against Block Ciphers
Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption
More informationImproved Linear Cryptanalysis of SOSEMANUK
Improved Linear Cryptanalysis of SOSEMANUK Joo Yeon Cho and Miia Hermelin Helsinki University of Technology, Department of Information and Computer Science, P.O. Box 5400, FI-02015 TKK, Finland {joo.cho,miia.hermelin}@tkk.fi
More informationOn the Design of Trivium
On the Design of Trivium Yun Tian, Gongliang Chen, Jianhua Li School of Information Security Engineering, Shanghai Jiaotong University, China ruth tian@sjtu.edu.cn, chengl@sjtu.edu.cn, lijh888@sjtu.edu.cn
More informationOn The Nonlinearity of Maximum-length NFSR Feedbacks
On The Nonlinearity of Maximum-length NFSR Feedbacks Meltem Sönmez Turan National Institute of Standards and Technology meltem.turan@nist.gov Abstract. Linear Feedback Shift Registers (LFSRs) are the main
More informationImprovements to Correlation Attacks Against Stream. Ciphers with Nonlinear Combiners. Brian Stottler Elizabethtown College
Improvements to Correlation Attacks Against Stream Ciphers with Nonlinear Combiners Brian Stottler Elizabethtown College Spring 2018 1 Background 1.1 Stream Ciphers Throughout the multi-thousand year history
More informationLarge Deviations for Channels with Memory
Large Deviations for Channels with Memory Santhosh Kumar Jean-Francois Chamberland Henry Pfister Electrical and Computer Engineering Texas A&M University September 30, 2011 1/ 1 Digital Landscape Delay
More informationA Scalable Method for Constructing Galois NLFSRs with Period 2 n 1 using Cross-Join Pairs
A Scalable Method for Constructing Galois NLFSRs with Period 2 n 1 using Cross-Join Pairs Elena Dubrova Royal Institute of Technology (KTH), Forum 12, 164 4 Kista, Sweden {dubrova}@kth.se Abstract. This
More informationACORN: A Lightweight Authenticated Cipher (v3)
ACORN: A Lightweight Authenticated Cipher (v3) Designer and Submitter: Hongjun Wu Division of Mathematical Sciences Nanyang Technological University wuhongjun@gmail.com 2016.09.15 Contents 1 Specification
More informationCryptanalysis of the Light-Weight Cipher A2U2 First Draft version
Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Mohamed Ahmed Abdelraheem, Julia Borghoff, Erik Zenner Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark {M.A.Abdelraheem,J.Borghoff,E.Zenner}@mat.dtu.dk
More informationRecognition of a code in a noisy environment
Introduction Recognition of a code Conclusion Université de Limoges - XLIM - DMI INRIA Rocquencourt - Projet CODES ISIT Nice - June 29, 2007 Introduction Recognition of a code Conclusion Outline 1 Introduction
More informationThe Filter-Combiner Model for Memoryless Synchronous Stream Ciphers
The Filter-Combiner Model for Memoryless Synchronous Stream Ciphers Palash Sarkar Cryptology Research Centre Applied Statistics Unit Indian Statistical Institute 203, B.T. Road, Kolkata 700035 India palash@isical.ac.in
More informationCryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes
Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes Magali Bardet 1 Julia Chaulet 2 Vlad Dragoi 1 Ayoub Otmani 1 Jean-Pierre Tillich 2 Normandie Univ, France; UR, LITIS, F-76821
More informationBreaking Symmetric Cryptosystems Using Quantum Algorithms
Breaking Symmetric Cryptosystems Using Quantum Algorithms Gaëtan Leurent Joined work with: Marc Kaplan Anthony Leverrier María Naya-Plasencia Inria, France FOQUS Workshop Gaëtan Leurent (Inria) Breaking
More informationOptimizing the placement of tap positions. joint work with Enes Pasalic, Samed Bajrić and Yongzhuang Wei
Optimizing the placement of tap positions Samir Hodžić joint work with Enes Pasalic, Samed Bajrić and Yongzhuang Wei Filtering generator Linear feedback shift register (LFSR). Nonlinear filtering function
More informationCryptanalysis of Sosemanuk and SNOW 2.0 Using Linear Masks
Cryptanalysis of Sosemanuk and SNOW 2.0 Using Linear Masks Jung-Keun Lee, Dong Hoon Lee, and Sangwoo Park ETRI Network & Communication Security Division, 909 Jeonmin-dong, Yuseong-gu, Daejeon, Korea Abstract.
More informationarxiv: v1 [cs.it] 27 Sep 2016
Optimizing the placement of tap positions and guess and determine cryptanalysis with variable sampling S. Hodžić, E. Pasalic, and Y. Wei arxiv:1609.08422v1 [cs.it] 27 Sep 2016 Abstract 1 In this article
More informationAlgebraic properties of SHA-3 and notable cryptanalysis results
Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =
More informationSample Test Paper - I
Scheme G Sample Test Paper - I Course Name : Computer Engineering Group Marks : 25 Hours: 1 Hrs. Q.1) Attempt any THREE: 09 Marks a) Define i) Propagation delay ii) Fan-in iii) Fan-out b) Convert the following:
More informationA New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis
A New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis 30/08/2005 J.S. Coron, G. Poupard and D. Lefranc D1-09/11/2005 Overview Introduction : the GPS scheme A new type of private keys
More informationIntroducing a new variant of fast algberaic attacks and minimizing their successive data complexity
Introducing a new variant of fast algberaic attacks and minimizing their successive data complexity Frederik Armknecht 1 Gwénolé Ars 2 1 Theoretische Informatik, University of Mannheim, Germany 2 IRMAR,
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationList decoding of binary Goppa codes and key reduction for McEliece s cryptosystem
List decoding of binary Goppa codes and key reduction for McEliece s cryptosystem Morgan Barbier morgan.barbier@lix.polytechnique.fr École Polytechnique INRIA Saclay - Île de France 14 April 2011 University
More informationDecoding One Out of Many
Decoding One Out of Many Nicolas Sendrier INRIA Paris-Rocquencourt, équipe-projet SECRET Code-based Cryptography Workshop 11-12 May 2011, Eindhoven, The Netherlands Computational Syndrome Decoding Problem:
More informationCube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version)
Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) Yosuke Todo 1, Takanori Isobe 2, Yonglin Hao 3, and Willi Meier 4 1 NTT Secure Platform Laboratories, Tokyo 180-8585,
More informationFast Low Order Approximation of Cryptographic Functions
Fast Low Order Approximation of Cryptographic Functions Jovan Dj. Golii: * Information Security Research Centre, Queerisland University of Technology GPO Box 2434, Brisbane Q 4001, Australia School of
More informationBreaking One.Fivium by AIDA an Algebraic IV Differential Attack
Breaking One.Fivium by an Michael Vielhaber, Instituto de Matemáticas, Universidad Austral de Chile Casilla 567, Valdivia, Chile, vielhaber@gmail.com October 28, 2007 Abstract We show, how to break Trivium
More informationCube Attacks on Stream Ciphers Based on Division Property
Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23 Plan 1 Cube Attack:
More informationarxiv: v2 [cs.cr] 19 Jan 2019
New Family of Stream Ciphers as Physically Clone-Resistant VLSI-Structures Ayoub Mars and Wael Adi IDA, Institute of Computer and Network Engineering Technical University of Braunschweig, Germany a.mars@tu-bs.de,w.adi@tu-bs.de
More informationAES side channel attacks protection using random isomorphisms
Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random
More informationTransform Domain Analysis of DES. Guang Gong and Solomon W. Golomb. University of Southern California. Tels and
Transform Domain Analysis of DES Guang Gong and Solomon W. Golomb Communication Sciences Institute University of Southern California Electrical Engineering-Systems, EEB # 500 Los Angeles, California 90089-2565
More informationSTREAM CIPHER. Chapter - 3
STREAM CIPHER Chapter - 3 S t r e a m C i p h e r P a g e 38 S t r e a m C i p h e r P a g e 39 STREAM CIPHERS Stream cipher is a class of symmetric key algorithm that operates on individual bits or bytes.
More informationAlgebraic Attacks and Decomposition of Boolean Functions
Algebraic Attacks and Decomposition of Boolean Functions Willi Meier 1, Enes Pasalic 2, and Claude Carlet 2 1 FH Aargau, CH-5210 Windisch, Switzerland meierw@fh-aargau.ch 2 INRIA, projet CODES, Domaine
More information