Analysis of Modern Stream Ciphers
Slide 1: Analysis of Modern Stream Ciphers
Josef Pieprzyk, Centre for Advanced Computing: Algorithms and Cryptography, Macquarie University, Australia
CANS, Singapore, December 2007
Slide 2: Outline
1. eSTREAM Project
2. Algebraic Analysis of SOBER-t32
3. Distinguisher for SOBER-128 based on Linear Masking
4. Crossword Puzzle Attack on NLS and NLSv2
5. Distinguisher for DRAGON based on Linear Masking
6. Future Research
Slide 3: eSTREAM Project
A multi-year project (part of ECRYPT) to promote research into stream ciphers ( ).
Phase 3 of eSTREAM started in April 2007.
There are two profiles in eSTREAM:
  PROFILE 1: stream ciphers for software applications
  PROFILE 2: stream ciphers for hardware applications
The final results will be announced in April/May 2008.
Slide 4: eSTREAM Project, Phase 3 candidates and their status
SW Phase 3:
  CryptMT: no attack
  DRAGON: distinguishing attack
  HC-128 (-256): no attack
  LEX: resynchronization collision attack
  NLS (encrypt only): distinguishing attack
  Rabbit: no attack
  Salsa20: no attack
  SOSEMANUK: no attack
HW Phase 3:
  DECIM: no attack
  Edon-80: no attack
  F-FCSR: no attack
  Grain: no attack
  MICKEY (-128): no attack
  MOUSTIQUE: CC attack
  POMARANCH: distinguishing attack
  Trivium: no attack
Footnotes on the slide: there is an attack whose complexity is higher than exhaustive search; there are key recovery attacks for reduced versions; breakable if the secret key is longer than 224 bits.
Slide 5: Algebraic Analysis of SOBER-t32
1. Principle of algebraic attacks
2. Structure of SOBER-t32
3. Attack on SOBER-t32 and its complexity
Slide 6: Principles of Algebraic Attacks
Find a multivariate relation $Q$ of low degree $d$ between the state bits and the bits of the output:
  $Q(S_0, v_0) = 0$ (degree $d$)
The same relation holds for all consecutive clocks $t$, so
  $Q(S_t, v_t) = Q(L^t(S_0), v_t) = 0$ (degree $d$)
Solve the equations (linearization, XL, Gröbner bases, ...).
Slide 7: System Description
Key: sender and receiver share the same secret key.
Sender encrypts the message: $c_t = m_t \oplus v_t$.
Receiver decrypts the message: $c_t \oplus v_t = m_t \oplus v_t \oplus v_t = m_t$.
Diagram: at $t = 0$ (initial state), $t = 1$, $t = 2$, ... the LFSR state is fed through the NLF, producing $v_0, v_1, v_2, \ldots$
LFSR: Linear Feedback Shift Register. NLF: Non-Linear Filter (function $f$).
Slide 8: Complexity of Attack
Let $n$ be the number of initial-state bits of the LFSR and $d$ the degree of the function $f$ (NLF).
Number of monomials: $T = \binom{n}{1} + \binom{n}{2} + \cdots + \binom{n}{d} \approx \binom{n}{d}$
Number of keystream bits: $\approx \binom{n}{d}$
Complexity (Gaussian elimination): $7\,T^{\log_2 7}$
Slide 9: Description of SOBER-t32/t16
Major features of SOBER-t32 and SOBER-t16:
  - big LFSR
  - word-oriented stream cipher
  - S-box of size $N \times M$ with $N < M$
  cipher      LFSR word   S-box
  SOBER-t32   32 bits     8 x 32 bits
  SOBER-t16   16 bits     8 x 16 bits
Slide 10: Overall structure of SOBER-t32/-t16 (diagram; labels recovered from the figure: LFSR stages $s_{16}, s_{15}, \ldots, s_{13}, s_6, s_4, s_1, s_0$, the filter $f$ with the constant $K$, the output $v_t$, stuttering, $\beta$).
Slide 11: Non-linear Filter of SOBER-t32 (diagram; labels recovered from the figure: $s_0$, $s_{16}$, $x$, $f(x)$, $x_H$ into the S-box, $\alpha$, $x_L$, $s_1$, $s_{13}$, $s_6$, $K$, $v$).
Slide 12: Modular Addition
$c = a + b \bmod 2^{32}$. Let $c_i$ be the $i$-th output bit of the modular addition. Then
  $c_0 = a_0 \oplus b_0$,
  $c_1 = a_1 \oplus b_1 \oplus a_0 b_0$,
and for $2 \le i \le 31$,
  $c_i = a_i \oplus b_i \oplus a_{i-1} b_{i-1} \oplus \bigoplus_{t=0}^{i-2} a_t b_t \prod_{r=t+1}^{i-1} (a_r \oplus b_r)$.
Each $c_i$ is expressed as a function of the input bits of degree $i + 1$. Recursively,
  $c_0 = a_0 \oplus b_0$
  $c_1 = a_1 \oplus b_1 \oplus a_0 b_0$
  $c_2 = a_2 \oplus b_2 \oplus a_1 b_1 \oplus (a_1 \oplus b_1)(a_1 \oplus b_1 \oplus c_1)$
  ...
  $c_n = a_n \oplus b_n \oplus a_{n-1} b_{n-1} \oplus (a_{n-1} \oplus b_{n-1})(a_{n-1} \oplus b_{n-1} \oplus c_{n-1})$
The degree of $c_i$ is $i + 1$.
Slide 13: Observation
Let $c_i$, where $24 \le i \le 31$, be the $i$-th output bit of the modular addition $c = a + b \pmod{2^{32}}$. If $c_i$ is multiplied by $(1 \oplus a_{23} \oplus b_{23})$, then the degree of $c_i\,(1 \oplus a_{23} \oplus b_{23})$ is reduced to $(i - 22)$.
Slide 14: Justification of Observation
  $c_0 = a_0 \oplus b_0$
  $c_1 = a_1 \oplus b_1 \oplus a_0 b_0$
  $c_2 = a_2 \oplus b_2 \oplus a_1 b_1 \oplus a_0 b_0 (a_1 \oplus b_1)$
  ...
  $c_{24} = a_{24} \oplus b_{24} \oplus a_{23} b_{23} \oplus a_{22} b_{22} (a_{23} \oplus b_{23}) \oplus a_{21} b_{21} (a_{22} \oplus b_{22})(a_{23} \oplus b_{23}) \oplus \cdots \oplus a_0 b_0 (a_1 \oplus b_1) \cdots (a_{23} \oplus b_{23})$
  $c_{25} = a_{25} \oplus b_{25} \oplus a_{24} b_{24} \oplus a_{23} b_{23} (a_{24} \oplus b_{24}) \oplus a_{22} b_{22} (a_{23} \oplus b_{23})(a_{24} \oplus b_{24}) \oplus \cdots \oplus a_0 b_0 (a_1 \oplus b_1) \cdots (a_{24} \oplus b_{24})$
  ...
  $c_{31} = a_{31} \oplus b_{31} \oplus a_{30} b_{30} \oplus a_{29} b_{29} (a_{30} \oplus b_{30}) \oplus a_{28} b_{28} (a_{29} \oplus b_{29})(a_{30} \oplus b_{30}) \oplus \cdots \oplus a_0 b_0 (a_1 \oplus b_1) \cdots (a_{30} \oplus b_{30})$
Slide 15: Justification of Observation
If $c_{24}, \ldots, c_{31}$ are multiplied by $(1 \oplus a_{23} \oplus b_{23})$, every term containing the factor $(a_{23} \oplus b_{23})$ vanishes, and
  $c_{24}\,(1 \oplus a_{23} \oplus b_{23}) = (a_{24} \oplus b_{24} \oplus a_{23} b_{23})(1 \oplus a_{23} \oplus b_{23})$
  $c_{25}\,(1 \oplus a_{23} \oplus b_{23}) = (a_{25} \oplus b_{25} \oplus a_{24} b_{24} \oplus a_{23} b_{23} (a_{24} \oplus b_{24}))(1 \oplus a_{23} \oplus b_{23})$
  ...
  $c_{31}\,(1 \oplus a_{23} \oplus b_{23}) = (a_{31} \oplus b_{31} \oplus a_{30} b_{30} \oplus a_{29} b_{29} (a_{30} \oplus b_{30}) \oplus a_{28} b_{28} (a_{29} \oplus b_{29})(a_{30} \oplus b_{30}) \oplus \cdots \oplus a_{23} b_{23} (a_{24} \oplus b_{24}) \cdots (a_{30} \oplus b_{30}))(1 \oplus a_{23} \oplus b_{23})$
For $24 \le i \le 31$, the degree of $c_i\,(1 \oplus a_{23} \oplus b_{23})$ is $(i - 22)$.
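Added example (not code from the talk) that checks slides 12 to 15 mechanically: the algebraic normal form of each sum bit $c_i$ is computed exhaustively for a small word size, confirming degree $i + 1$, and multiplying by $(1 \oplus a_j \oplus b_j)$ drops the degree of $c_i$ to $i - j + 1$, which is the slides' $i - 22$ for $j = 23$. The word size $n$ and the position $j$ are parameters, so it generalizes the slides' 32-bit, $j = 23$ case; the demo uses $n = 8$, $j = 3$.

```python
"""Degrees of the bits of c = a + b mod 2^n, and the degree drop when c_i is
multiplied by (1 + a_j + b_j).  Added example: the 32-bit, j = 23 case of
the slides is scaled down so the algebraic normal form (ANF) can be computed
exhaustively.  Variables are a_0..a_{n-1}, b_0..b_{n-1} (2n in total)."""


def anf_degree(truth_table, nvars):
    """Algebraic degree of a Boolean function given as a truth table
    (index x = variable assignment, bit k of x = value of variable k).
    The Moebius transform turns the table into ANF coefficients: afterwards
    f[x] == 1 iff the monomial of the variables set in x is present."""
    f = list(truth_table)
    for bit in range(nvars):
        step = 1 << bit
        for x in range(1 << nvars):
            if x & step:
                f[x] ^= f[x ^ step]
    return max((bin(x).count("1") for x in range(1 << nvars) if f[x]), default=-1)


def sum_bit_table(n, i, j=None):
    """Truth table of c_i, bit i of (a + b) mod 2^n, over the 2n input bits.
    Variable k < n is a_k, variable n + k is b_k.  If j is given, the table
    is that of the product c_i * (1 + a_j + b_j) instead (the slides use j = 23)."""
    mask = (1 << n) - 1
    table = []
    for x in range(1 << (2 * n)):
        a, b = x & mask, x >> n
        c_i = ((a + b) >> i) & 1
        if j is not None:
            c_i &= 1 ^ ((a >> j) & 1) ^ ((b >> j) & 1)  # multiply by (1 + a_j + b_j)
        table.append(c_i)
    return table


def carry_bit_degrees(n):
    """deg(c_i) for i = 0..n-1; slide 12 states this is i + 1."""
    return [anf_degree(sum_bit_table(n, i), 2 * n) for i in range(n)]


def reduced_degrees(n, j):
    """deg(c_i * (1 + a_j + b_j)) for i > j; slides 13-15 state i - j + 1
    (written i - 22 there, for j = 23)."""
    return {i: anf_degree(sum_bit_table(n, i, j), 2 * n) for i in range(j + 1, n)}


if __name__ == "__main__":
    n, j = 8, 3
    print("deg c_i, i = 0..7           :", carry_bit_degrees(n))
    print(f"deg c_i * (1 + a_{j} + b_{j}), i > {j}:", reduced_degrees(n, j))
```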
Slide 16: How to Use the Observation (the non-linear filter diagram of slide 11 again: $s_0$, $s_{16}$, $x$, $f(x)$, $x_H$ into the S-box, $\alpha$, $x_L$, $s_1$, $s_{13}$, $s_6$, $K$, $v$).
Slide 17: How to Use the Observation
Let us consider the least significant bit of $\alpha$, i.e.
  $\alpha_0 = s_{0,0} \oplus s_{16,0} \oplus s_{1,0} \oplus s_{6,0} \oplus s_{13,0} \oplus v_0 \oplus K_0$
Let us construct the following table.
  Rows: all the possibilities for $(x_{31}, \ldots, x_{24})$: $2^8$ rows.
  Columns: all the monomials $A_i$ of degree up to 8 coming from the input bits $(x_{31}, \ldots, x_{24})$, and the least significant output bit $\alpha_0$ (number of columns missing).
By applying Gaussian elimination to this matrix, we obtain a non-linear equation of the form
  $\alpha_0 = \bigoplus_i A_i = 1 \oplus x_{24} \oplus x_{24} x_{25} \oplus \cdots \oplus x_{24} x_{28} x_{29} x_{30} x_{31} \oplus \cdots$
Slide 18: How to Use the Observation
By the Observation, $x_i\,(1 \oplus s_{0,23} \oplus s_{16,23})$ becomes
  $x_i\,(1 \oplus s_{0,23} \oplus s_{16,23}) = g(s_{0,23 \ldots i}, s_{16,23 \ldots i})$ for $24 \le i \le 31$,
where $g$ is a multivariate equation of degree up to $(i - 22)$. For example,
  $x_{24}\,(1 \oplus s_{0,23} \oplus s_{16,23}) = (s_{0,24} \oplus s_{16,24} \oplus s_{0,23} s_{16,23})(1 \oplus s_{0,23} \oplus s_{16,23})$
  $x_{25}\,(1 \oplus s_{0,23} \oplus s_{16,23}) = (s_{0,25} \oplus s_{16,25} \oplus s_{0,24} s_{16,24} \oplus s_{0,23} s_{16,23} (s_{0,24} \oplus s_{16,24}))(1 \oplus s_{0,23} \oplus s_{16,23})$
So we get
  $\alpha_0\,(1 \oplus s_{0,23} \oplus s_{16,23}) = \bigoplus_i A_i\,(1 \oplus s_{0,23} \oplus s_{16,23})$
By a computer experiment, the degree of $\alpha_0\,(1 \oplus s_{0,23} \oplus s_{16,23})$ is at most 14.
Slide 19: Getting Algebraic Relations
Let us recall
  $\alpha_0 = s_{0,0} \oplus s_{16,0} \oplus s_{1,0} \oplus s_{6,0} \oplus s_{13,0} \oplus v_0 \oplus K_0$
If we multiply the equation by $(1 \oplus s_{0,23} \oplus s_{16,23})$, then we have
  $\alpha_0\,(1 \oplus s_{0,23} \oplus s_{16,23}) = (s_{0,0} \oplus s_{16,0} \oplus s_{1,0} \oplus s_{6,0} \oplus s_{13,0} \oplus v_0 \oplus K_0)(1 \oplus s_{0,23} \oplus s_{16,23})$
The degree of the equation is 14. Let us arrange the equation in the form $g(s) = h(s, V)$, where
  $g(s) = \alpha_0\,(1 \oplus s_{0,23} \oplus s_{16,23}) \oplus (s_{0,0} \oplus s_{16,0} \oplus s_{1,0} \oplus s_{6,0} \oplus s_{13,0} \oplus K_0)(1 \oplus s_{0,23} \oplus s_{16,23})$
  $h(s, V) = v_0\,(1 \oplus s_{0,23} \oplus s_{16,23})$
Slide 20: Algebraic Attack
If we collect $N > \sum_{i \le 14} \binom{544}{i}$ consecutive equations, a linear dependency $\gamma = (\gamma_0, \ldots, \gamma_{N-1})$ for the left-hand-side equations must exist:
  $\sum_{t=0}^{N-1} \gamma_t\, g(L^t(S_0)) = 0$, $\gamma_i \in GF(2)$
To recover $\gamma$:
1. Collect $N$ consecutive equations such that $N > 2T = 2 \sum_{i \le 14} \binom{544}{i}$.
2. Choose a random key $S_0$.
3. Compute the $2T$ output bits $c_t$ of the left-hand-side equations, $c_t = g(L^t(S_0))$ for $t = 0, \ldots, 2T - 1$.
4. By applying the Berlekamp-Massey algorithm, find the smallest connection polynomial that generates the sequence $c = (c_0, \ldots, c_{2T-1})$.
Slide 21: Algebraic Attack
The same linear dependency holds for the right-hand side:
  $0 = \sum_{t=i}^{N+i-1} \gamma_{t-i}\, h(L^t(S_0), V_t)$, $i = 0, 1, \ldots$
which is a linear equation in the state bits. Collect a system of such equations for consecutive keystreams and solve them.
Slide 22: Complexity of Algebraic Attack
The number of monomials of degree up to 14 chosen from $n = 544$ unknowns:
  $T = \sum_{i=0}^{14} \binom{544}{i} \approx 2^{91}$
Pre-computation: $O(T \log T + Tn) = O(2^{100})$ CPU clocks, using improved versions of the Berlekamp-Massey algorithm.
Keystream observations required: $2T = 2^{92}$.
Memory requirements: (the size of $\gamma$) + (the 544 equations): around $2^{91}$ bits.
Slide 23: Distinguishing Attack on SOBER-128
1. Principle of attack
2. Structure of SOBER-128
3. Attack on SOBER-128
Slide 24: Linear masking principle (diagram)
  LFSR sequence $X$: $x_t \oplus x_{t+1} \oplus \cdots \oplus x_{t+n} = 0$ (low-weight recurrence)
  Non-linear filter maps $X$ to the keystream $Y$: $y_{t+1}, y_{t+2}, \ldots, y_{t+m}$
  Distinguisher $Z$: $z_t \oplus z_{t+1} \oplus \cdots \oplus z_{t+n} = 0$ (the same recurrence applied to the keystream side)
Slide 25: Definition of Bias $\epsilon$ and Piling-up Lemma
Convention 1, $p = \frac{1}{2} + \epsilon$:
  $\Pr(X_1 = 0) = \frac{1}{2} + \epsilon$, $\Pr(X_2 = 0) = \frac{1}{2} + \epsilon$, $\Pr(X_1 \oplus X_2 = 0) = \frac{1}{2} + 2\epsilon^2$
Convention 2, $p = \frac{1}{2}(1 + \epsilon)$:
  $\Pr(X_1 = 0) = \frac{1}{2}(1 + \epsilon)$, $\Pr(X_2 = 0) = \frac{1}{2}(1 + \epsilon)$, $\Pr(X_1 \oplus X_2 = 0) = \frac{1}{2}(1 + \epsilon^2)$
In general, for $n$ independent approximations: $2^{n-1}\epsilon^n$ vs. $\epsilon^n$.
Slide 26: Structure of NLF in SOBER-128 (diagram; labels recovered from the figure: $s_0$, $s_{16}$, $\omega$, $\omega^{(H)}$ (the most significant byte of $\omega$) into the S-box, $\alpha$, $\omega$ rotated by 8, $K$, $s_1$, $s_6$, $s_{13}$, $\beta$, $z$).
Least significant bit of the output:
  $\alpha_{(8)} \oplus \beta_{(0)} \oplus \omega_{(8)} \oplus s_{1,(0)} \oplus s_{6,(0)} \oplus s_{13,(0)} \oplus K_{(0)} = z_{(0)}$
Slide 27: Low Weight LFSR Polynomial and Approximations
Observed (by Ekdahl and Johansson at FSE 2002) that
  $s_{t+\tau_1} \oplus s_{t+\tau_2} \oplus s_{t+\tau_3} \oplus s_{t+\tau_4} \oplus s_{t+\tau_5} \oplus s_{t+\tau_6} = 0$,
where $s_t$ stands for the state of the LFSR at clock $t$ and $\tau_1 = 0$, $\tau_2 = 11$, $\tau_3 = 13$, $\tau_4$, $\tau_5$, $\tau_6$ (the last three values are missing from the transcription).
Linear approximation of $\alpha_{(8)}$, $p = \frac{1}{2}(1 + \cdot)$ (value missing):
  $\alpha_{(8)} = s_{0,(25)} \oplus s_{0,(26)} \oplus s_{0,(28)} \oplus s_{0,(29)} \oplus s_{16,(26)} \oplus s_{16,(29)}$
Linear approximation of $\beta_{(0)}$, $p = \frac{1}{2}(1 + \cdot)$ (value missing):
  $\beta_{(0)} = s_{13,(29)} \oplus s_{13,(30)} \oplus z_{(29)} \oplus z_{(30)}$
Linear approximation of $\omega_{(8)}$, $p = \frac{1}{2}(1 + \cdot)$ (value missing):
  $\omega_{(8)} = s_{0,(8)} \oplus s_{16,(8)} \oplus s_{0,(7)}$
Slide 28: Linear Approximation of NLF
From the three approximations,
  $L(s, z) = \underbrace{s_{0,(25)} \oplus s_{0,(26)} \oplus s_{0,(28)} \oplus s_{0,(29)} \oplus s_{16,(26)} \oplus s_{16,(29)}}_{\alpha_{(8)}} \oplus \underbrace{s_{13,(29)} \oplus s_{13,(30)} \oplus z_{(29)} \oplus z_{(30)}}_{\beta_{(0)}} \oplus \underbrace{s_{0,(8)} \oplus s_{16,(8)} \oplus s_{0,(7)}}_{\omega_{(8)}} \oplus s_{1,(0)} \oplus s_{6,(0)} \oplus s_{13,(0)} \oplus K_{(0)} \oplus z_{(0)}$
Bias: $p = \frac{1}{2}(1 + \cdot) = \frac{1}{2}(1 + \cdot)$ (values missing; the product of the three component biases).
Slide 29: Distinguishing Attack on SOBER-128
The approximation is simply described as
  $L(s, z) = \mathrm{linear}(s) \oplus z_{(0)} \oplus z_{(29)} \oplus z_{(30)}$
If we apply the linear masking method, $\mathrm{linear}(s)$ vanishes by the low-weight LFSR polynomial. The distinguisher is then
  $\bigoplus_{i=1}^{6} \left( z_{t+\tau_i,(0)} \oplus z_{t+\tau_i,(29)} \oplus z_{t+\tau_i,(30)} \right)$
with bias $(2^{-8.8})^6 = 2^{-52.8}$.
Slide 30: Crossword Puzzle Attack on NLS
1. Principle of attack
2. Structure of NLS
3. Distinguishing attack on NLS
Slide 31: Principle of Attack
Target system: Non-linear Feedback Shift Register (NFSR) + Non-linear Filter (NLF).
  - Derive linear approximations of the NFSR and of the NLF.
  - Combine a set of both linear approximations.
  - Eliminate the internal state bits.
  - Build a distinguisher using the observable output bits only.
Slide 32: Simple Example
  $\Pr(X_1 \oplus X_2 = 0) = \frac{1}{2}(1 + \epsilon_1)$
  $\Pr(X_3 \oplus X_4 = 0) = \frac{1}{2}(1 + \epsilon_1)$
  $\Pr(X_1 \oplus X_2 \oplus X_3 \oplus X_4 = 0) = \frac{1}{2}(1 + \epsilon_1^2)$
  $\Pr(X_1 \oplus X_3 = Z_1) = \frac{1}{2}(1 + \epsilon_2)$
  $\Pr(X_2 \oplus X_4 = Z_2) = \frac{1}{2}(1 + \epsilon_2)$
  $\Pr(X_1 \oplus X_2 \oplus X_3 \oplus X_4 = Z_1 \oplus Z_2) = \frac{1}{2}(1 + \epsilon_2^2)$
Then $\Pr(Z_1 \oplus Z_2 = 0) = \frac{1}{2}(1 + \epsilon_1^2 \epsilon_2^2)$.
Slide 33: Probabilistic Model
Linear approximations of the NFSR: $l_1(s) = 0$ with bias $\epsilon_1$.
Linear approximations of the NLF: $u_i(s) = l_2(z)$ with bias $\epsilon_2$.
The crossword: each row is an NFSR approximation, each column an NLF approximation.
  $l_1(s_{i_1}) = u_1(s_{i_1}) + u_2(s_{i_1}) + \cdots + u_n(s_{i_1})$
  $l_1(s_{i_2}) = u_1(s_{i_2}) + u_2(s_{i_2}) + \cdots + u_n(s_{i_2})$
  ...
  $l_1(s_{i_m}) = u_1(s_{i_m}) + u_2(s_{i_m}) + \cdots + u_n(s_{i_m})$
  column sums: $l_2(z_{j_1})$, $l_2(z_{j_2})$, ..., $l_2(z_{j_n})$
Distinguisher: $l_2(z_{j_1}) + \cdots + l_2(z_{j_n}) = 0$.
Bias: $\epsilon_1^m \epsilon_2^n$ (by the piling-up lemma).
Slide 34: NLS Cipher
The NFSR has states $r[0], \ldots, r[16]$; each state is a 32-bit word. $Konst$ is a 32-bit key-dependent constant.
  $r_{t+1}[i] = r_t[i+1]$ for $i = 0, \ldots, 15$
  $r_{t+1}[16] = f((r_t[0] \lll 19) + (r_t[15] \lll 9) + Konst) \oplus r_t[4]$
where $+$ is addition modulo $2^{32}$ and $f(a) = \text{S-box}(a_H) \oplus a$, $a_H$ being the most significant 8 bits of the 32-bit word $a$.
If $t \equiv 0 \pmod{65537}$, then $r_{t+1}[2] = r_{t+1}[2] \oplus t$.
NLF (non-linear filter):
  $\nu_t = (r_t[0] + r_t[16]) \oplus (r_t[1] + r_t[13]) \oplus (r_t[6] + Konst)$
Slide 35: f-function of the NFSR (diagram; labels recovered from the figure: $Konst$, $r_t[0] \lll 19$, $r_t[15] \lll 9$, S-box, $\alpha_t$, $r_t[4]$, $r_{t+1}[16]$).
Slide 36: Linear Approximations of NFSR
The input of the S-box is $(r_t[0] \lll 9)^{(H)} + (r_t[15] \lll 19)^{(H)} + \text{carry bit}$: $2^{17}$ possibilities.
Linear combinations of bits from $(r_t[0] \lll 9)^{(H)}$ and $(r_t[15] \lll 19)^{(H)}$: $2^{16}$.
We build the truth table with $2^{17}$ rows and $2^{16}$ columns.
Linear approximations of $\alpha_{t,(0)}$ (the bias values $\frac{1}{2}(1 + \cdot)$ in the last column of the slide are missing):
  $r_t[0]_{(10)} \oplus r_t[0]_{(6)} \oplus r_t[15]_{(20)} \oplus r_t[15]_{(16)} \oplus r_t[15]_{(15)}$
  $r_t[0]_{(10)} \oplus r_t[0]_{(6)} \oplus r_t[0]_{(5)} \oplus r_t[15]_{(20)} \oplus r_t[15]_{(16)}$
  $r_t[0]_{(12)} \oplus r_t[15]_{(22)}$
  $r_t[0]_{(10)} \oplus r_t[15]_{(20)}$
  $r_t[0]_{(12)} \oplus r_t[0]_{(11)} \oplus r_t[0]_{(10)} \oplus r_t[15]_{(22)} \oplus r_t[15]_{(21)} \oplus r_t[15]_{(20)}$
Slide 37: Linear Approximation for NLF
Let $r[z] = r[x] + r[y]$ (modular addition). Then
  $\Pr(r[z]_{(0)} = r[x]_{(0)} \oplus r[y]_{(0)}) = 1$
  $\Pr(r[z]_{(i)} \oplus r[z]_{(i-1)} = r[x]_{(i)} \oplus r[y]_{(i)} \oplus r[x]_{(i-1)} \oplus r[y]_{(i-1)}) = \frac{1}{2}(1 + 2^{-1})$
  $\nu_t = (r_t[0] + r_t[16]) \oplus (r_t[1] + r_t[13]) \oplus (r_t[6] + Konst)$
  $\nu_{t,(0)} = (r_t[0]_{(0)} \oplus r_t[16]_{(0)}) \oplus (r_t[1]_{(0)} \oplus r_t[13]_{(0)}) \oplus (r_t[6]_{(0)} \oplus Konst_{(0)})$
  $\nu_{t,(i)} \oplus \nu_{t,(i-1)} = (r_t[0]_{(i)} \oplus r_t[16]_{(i)} \oplus r_t[0]_{(i-1)} \oplus r_t[16]_{(i-1)}) \oplus (r_t[1]_{(i)} \oplus r_t[13]_{(i)} \oplus r_t[1]_{(i-1)} \oplus r_t[13]_{(i-1)}) \oplus (r_t[6]_{(i)} \oplus Konst_{(i)} \oplus r_t[6]_{(i-1)} \oplus Konst_{(i-1)})$
When $Konst = 0$: $\Pr = \frac{1}{2}(1 + (2^{-1})^2) = \frac{1}{2}(1 + 2^{-2})$.
Slide 38: Attack on NLS with Konst = 0
Since $r_{t+p}[0] = r_t[p]$,
  $r_t[0]_{(10)} \oplus r_t[0]_{(6)} \oplus r_{t+15}[0]_{(20)} \oplus r_{t+17}[0]_{(0)} = 0$
  $r_t[1]_{(10)} \oplus r_t[1]_{(6)} \oplus r_{t+15}[1]_{(20)} \oplus r_{t+17}[1]_{(0)} = 0$
  $r_t[6]_{(10)} \oplus r_t[6]_{(6)} \oplus r_{t+15}[6]_{(20)} \oplus r_{t+17}[6]_{(0)} = 0$
  $r_t[13]_{(10)} \oplus r_t[13]_{(6)} \oplus r_{t+15}[13]_{(20)} \oplus r_{t+17}[13]_{(0)} = 0$
  $r_t[16]_{(10)} \oplus r_t[16]_{(6)} \oplus r_{t+15}[16]_{(20)} \oplus r_{t+17}[16]_{(0)} = 0$
The columns sum (through the NLF approximation) to $\mu_{t,(10)}$, $\mu_{t,(6)}$, $\mu_{t+15,(20)}$, $\mu_{t+17,(0)}$.
A distinguisher will be
  $\mu_{t,(10)} \oplus \mu_{t,(6)} \oplus \mu_{t+15,(20)} \oplus \mu_{t+15,(16)} \oplus \mu_{t+15,(15)} \oplus \mu_{t,(13)} \oplus \mu_{t+15,(23)} \oplus \mu_{t+4,(0)} \oplus \mu_{t+17,(0)} = K$
where $K = Konst_{(10)} \oplus Konst_{(6)} \oplus Konst_{(20)} \oplus Konst_{(16)} \oplus Konst_{(15)} \oplus Konst_{(13)} \oplus Konst_{(23)}$.
Bias: $(2^{-1})^2 \cdot (\cdot)^5 =$ (values missing).
Slide 39: Attack on NLS with Konst = 0
Recall that $\alpha_{t,(0)} = r_t[0]_{(12)} \oplus r_t[15]_{(22)}$ with $p = \frac{1}{2}(1 + \cdot)$ (value missing), and
  $\nu_t = (r_t[0] + r_t[16]) \oplus (r_t[1] + r_t[13]) \oplus (r_t[6] + Konst)$
Linear approximation of the NFSR (from the LSB):
  $\underbrace{r_t[4]_{(0)} \oplus r_{t+1}[16]_{(0)}}_{l_1(r_t)} \oplus \underbrace{\overbrace{r_t[0]_{(12)} \oplus r_t[15]_{(22)}}^{\alpha_{t,(0)}} \oplus r_t[0]_{(13)} \oplus r_t[15]_{(23)}}_{l_2(r_t)} = 0$
For $l_1(r_t)$:
  $l_1(r_t) = r_t[4]_{(0)} \oplus r_{t+1}[16]_{(0)}$
  $l_1(r_{t+1}) = r_{t+1}[4]_{(0)} \oplus r_{t+2}[16]_{(0)}$
  $l_1(r_{t+6}) = r_{t+6}[4]_{(0)} \oplus r_{t+7}[16]_{(0)}$
  $l_1(r_{t+13}) = r_{t+13}[4]_{(0)} \oplus r_{t+14}[16]_{(0)}$
  $l_1(r_{t+16}) = r_{t+16}[4]_{(0)} \oplus r_{t+17}[16]_{(0)}$
and the sum of these five equals $\nu_{t+4,(0)} \oplus \nu_{t+17,(0)}$.
Slide 40: Attack on NLS with Konst = 0
  $l_2(r_t) = r_t[0]_{(12)} \oplus r_t[0]_{(13)} \oplus r_t[15]_{(22)} \oplus r_t[15]_{(23)}$
For the clocks $t$, $t+1$, $t+6$, $t+13$ and $t+16$,
  $l_2(r_t) = r_t[0]_{(12)} \oplus r_t[0]_{(13)} \oplus r_t[15]_{(22)} \oplus r_t[15]_{(23)}$
  $l_2(r_{t+1}) = r_{t+1}[0]_{(12)} \oplus r_{t+1}[0]_{(13)} \oplus r_{t+1}[15]_{(22)} \oplus r_{t+1}[15]_{(23)}$
  $l_2(r_{t+6}) = r_{t+6}[0]_{(12)} \oplus r_{t+6}[0]_{(13)} \oplus r_{t+6}[15]_{(22)} \oplus r_{t+6}[15]_{(23)}$
  $l_2(r_{t+13}) = r_{t+13}[0]_{(12)} \oplus r_{t+13}[0]_{(13)} \oplus r_{t+13}[15]_{(22)} \oplus r_{t+13}[15]_{(23)}$
  $l_2(r_{t+16}) = r_{t+16}[0]_{(12)} \oplus r_{t+16}[0]_{(13)} \oplus r_{t+16}[15]_{(22)} \oplus r_{t+16}[15]_{(23)}$
Since $r_{t+p}[0] = r_t[p]$,
  $l_2(r_t) = r_t[0]_{(12)} \oplus r_t[0]_{(13)} \oplus r_{t+15}[0]_{(22)} \oplus r_{t+15}[0]_{(23)}$
  $l_2(r_{t+1}) = r_t[1]_{(12)} \oplus r_t[1]_{(13)} \oplus r_{t+15}[1]_{(22)} \oplus r_{t+15}[1]_{(23)}$
  $l_2(r_{t+6}) = r_t[6]_{(12)} \oplus r_t[6]_{(13)} \oplus r_{t+15}[6]_{(22)} \oplus r_{t+15}[6]_{(23)}$
  $l_2(r_{t+13}) = r_t[13]_{(12)} \oplus r_t[13]_{(13)} \oplus r_{t+15}[13]_{(22)} \oplus r_{t+15}[13]_{(23)}$
  $l_2(r_{t+16}) = r_t[16]_{(12)} \oplus r_t[16]_{(13)} \oplus r_{t+15}[16]_{(22)} \oplus r_{t+15}[16]_{(23)}$
and the columns sum (through the NLF approximation) to $\nu_{t,(12)}$, $\nu_{t,(13)}$, $\nu_{t+15,(22)}$, $\nu_{t+15,(23)}$.
Slide 41: Attack on NLS with Konst = 0
Therefore,
  $l_2(r_t) \oplus l_2(r_{t+1}) \oplus l_2(r_{t+6}) \oplus l_2(r_{t+13}) \oplus l_2(r_{t+16}) = \nu_{t,(12)} \oplus \nu_{t,(13)} \oplus \nu_{t+15,(22)} \oplus \nu_{t+15,(23)}$
By combining $l_1(t)$ and $l_2(t)$, the distinguisher will be
  $l_1(r_t) \oplus l_1(r_{t+1}) \oplus l_1(r_{t+6}) \oplus l_1(r_{t+13}) \oplus l_1(r_{t+16}) \oplus l_2(r_t) \oplus l_2(r_{t+1}) \oplus l_2(r_{t+6}) \oplus l_2(r_{t+13}) \oplus l_2(r_{t+16})$
  $= \nu_{t,(12)} \oplus \nu_{t,(13)} \oplus \nu_{t+15,(22)} \oplus \nu_{t+15,(23)} \oplus \nu_{t+4,(0)} \oplus \nu_{t+17,(0)} = 0$
The approximation of the NFSR is used 5 times and the approximation of the NLF twice.
Bias: $(\cdot)^5 \cdot (2^{-2})^2 =$ (values missing).
Slide 42: Attack on NLS with Konst ≠ 0
When $Konst \ne 0$, the biases of the linear approximations of the NFSR and of the NLF change. Denote $Konst^{(H)} = (Konst_{(31)}, \ldots, Konst_{(24)})$ and $Konst^{(L)} = (Konst_{(23)}, \ldots, Konst_{(0)})$.
Figure: bias variation of $\alpha_{t,(0)} = r_t[0]_{(12)} \oplus r_t[15]_{(22)}$ as a function of $Konst^{(H)}$ (plot not transcribed).
Slide 43: Attack on NLS with Konst ≠ 0
When $Konst^{(H)}$ is around 1 or 120:
  $\nu_{t,(i)} \oplus \nu_{t,(i-1)} = (r_t[0]_{(i)} \oplus r_t[16]_{(i)} \oplus r_t[0]_{(i-1)} \oplus r_t[16]_{(i-1)}) \oplus (r_t[1]_{(i)} \oplus r_t[13]_{(i)} \oplus r_t[1]_{(i-1)} \oplus r_t[13]_{(i-1)}) \oplus (r_t[6]_{(i)} \oplus Konst_{(i)} \oplus r_t[6]_{(i-1)} \oplus Konst_{(i-1)})$
When $Konst^{(H)}$ is around 51 or 179:
  $\nu_{t,(i)} \oplus \nu_{t,(i-1)} \oplus \nu_{t,(i-2)} \oplus \nu_{t,(i-3)} = (r_t[0]_{(i)} \oplus r_t[16]_{(i)} \oplus r_t[0]_{(i-1)} \oplus r_t[16]_{(i-1)} \oplus r_t[0]_{(i-2)} \oplus r_t[16]_{(i-2)} \oplus r_t[0]_{(i-3)} \oplus r_t[16]_{(i-3)}) \oplus (r_t[1]_{(i)} \oplus r_t[13]_{(i)} \oplus r_t[1]_{(i-1)} \oplus r_t[13]_{(i-1)} \oplus r_t[1]_{(i-2)} \oplus r_t[13]_{(i-2)} \oplus r_t[1]_{(i-3)} \oplus r_t[13]_{(i-3)}) \oplus (r_t[6]_{(i)} \oplus Konst_{(i)} \oplus r_t[6]_{(i-1)} \oplus Konst_{(i-1)} \oplus r_t[6]_{(i-2)} \oplus Konst_{(i-2)} \oplus r_t[6]_{(i-3)} \oplus Konst_{(i-3)})$
For the new approximation, we need
  $(r[x] + r[y])_{(i)} \oplus (r[x] + r[y])_{(i-1)} \oplus (r[x] + r[y])_{(i-2)} \oplus (r[x] + r[y])_{(i-3)} = r[x]_{(i)} \oplus r[y]_{(i)} \oplus r[x]_{(i-1)} \oplus r[y]_{(i-1)} \oplus r[x]_{(i-2)} \oplus r[y]_{(i-2)} \oplus r[x]_{(i-3)} \oplus r[y]_{(i-3)}$
which has a bias of $2^{-3}$.
Slide 44: Attack on NLS with Konst ≠ 0
The bias of the approximation depends on $Konst^{(L)}$:
  $(r_t[6] + Konst)_{(i)} \oplus (r_t[6] + Konst)_{(i-1)} = r_t[6]_{(i)} \oplus Konst_{(i)} \oplus r_t[6]_{(i-1)} \oplus Konst_{(i-1)}$
Figure: the bias variation as a function of $Konst^{(L)}$ when $i = 13$ (plot not transcribed).
Slide 45: Attack on NLS with Konst ≠ 0
Distinguisher 1:
  $\nu_{t,(12)} \oplus \nu_{t,(13)} \oplus \nu_{t+15,(22)} \oplus \nu_{t+15,(23)} \oplus \nu_{t+4,(0)} \oplus \nu_{t+17,(0)} = 0$
The average bias of the approximation of the NFSR: $2^{-5.4}$.
The average bias of the approximation of the NLF: $2^{-3}$.
The average bias: $((2^{-5.4})^5)((2^{-3})^2) = 2^{-33}$.
For some values of $Konst$, the bias of the distinguisher becomes less than (value missing), e.g. $Konst^{(H)} = 51$ or $179$.
Slide 46: Attack on NLS with Konst ≠ 0
Distinguisher 2:
  $\nu_{t,(10)} \oplus \nu_{t,(11)} \oplus \nu_{t,(12)} \oplus \nu_{t,(13)} \oplus \nu_{t+15,(20)} \oplus \nu_{t+15,(21)} \oplus \nu_{t+15,(22)} \oplus \nu_{t+15,(23)} \oplus \nu_{t+4,(0)} \oplus \nu_{t+17,(0)} = 0$
When $Konst^{(H)} = 51$ or $179$:
  the bias of the approximation of the NFSR: (value missing)
  the bias of the approximation of the NLF: $2^{-6}$
  average bias: $((\cdot)^5)((2^{-6})^2) =$ (value missing)
An adversary observes distinguishers 1 and 2 simultaneously. Since the keystream is produced in words, the data complexity of the attack is unchanged.
Slide 47: Distinguisher for Dragon
1. Structure of Dragon
2. Linear Approximations of Functions used in Dragon
3. Building Distinguisher
4. Generalized Masks and Distinguishers
5. Future Research
Slide 48: Structure of Dragon
Dragon is a word-oriented stream cipher submitted to the eSTREAM project. During Phase 1, Englund and Maximov presented a distinguishing attack against Dragon that requires around (value missing) keystream words and $2^{96}$ memory.
Dragon consists of a 1024-bit nonlinear feedback register, a nonlinear state update function, and a 64-bit internal memory.
  Two sizes of key: 128 or 256 bits.
  64-bit (two words) output keystream.
  The nonlinear state update function (F function): 192 bits (six words) to 192 bits (six words).
Slide 49: Structure of Dragon, function F (diagram; inputs $a, b, c, d, e, f$, component functions $G_1, G_2, G_3, H_1, H_2, H_3$, outputs $a', b', c', d', e', f'$).
Slide 50: Structure of Dragon, functions G and H
The functions $G$ and $H$ are constructed using two $8 \times 32$ S-boxes, $S_1$ and $S_2$. If the 32-bit input $x$ is split into four bytes, $x = x_0 \| x_1 \| x_2 \| x_3$, then
  $G_1(x) = S_1(x_0) \oplus S_1(x_1) \oplus S_1(x_2) \oplus S_2(x_3)$
  $G_2(x) = S_1(x_0) \oplus S_1(x_1) \oplus S_2(x_2) \oplus S_1(x_3)$
  $G_3(x) = S_1(x_0) \oplus S_2(x_1) \oplus S_1(x_2) \oplus S_1(x_3)$
  $H_1(x) = S_2(x_0) \oplus S_2(x_1) \oplus S_2(x_2) \oplus S_1(x_3)$
  $H_2(x) = S_2(x_0) \oplus S_2(x_1) \oplus S_1(x_2) \oplus S_2(x_3)$
  $H_3(x) = S_2(x_0) \oplus S_1(x_1) \oplus S_2(x_2) \oplus S_2(x_3)$
Slide 51: Structure of Dragon, state update
The states of the nonlinear shift register: $B_0, B_1, \ldots, B_{31}$, where each $B_i$ is a 32-bit word.
An internal memory $M = (M_L \| M_R)$, where $M_L$ and $M_R$ are 32-bit words.
Keystream generation:
  Input: $\{B_0, B_1, \ldots, B_{31}\}$ and $M = (M_L \| M_R)$
  $a = B_0$, $b = B_9$, $c = B_{16}$, $d = B_{19}$, $e = B_{30} \oplus M_L$, $f = B_{31} \oplus M_R$
  $(a', b', c', d', e', f') = F(a, b, c, d, e, f)$
  $B_0 = b'$, $B_1 = c'$ and $B_i = B_{i-2}$ for $2 \le i \le 31$; $M = M + 1$
  Output: $k = (a' \| e')$
Slide 52: Approximations, definition of bias
Assume a function $f : \{0,1\}^m \to \{0,1\}^n$ for some positive integers $m$ and $n$. Given a linear input mask $\Lambda \in GF(2^m)$ and a linear output mask $\Gamma \in GF(2^n)$, the bias of the approximation $\Lambda \cdot x = \Gamma \cdot f(x)$ is measured as
  $\epsilon_f(\Lambda, \Gamma) = 2^{-n} \left( \#(\Lambda \cdot x \oplus \Gamma \cdot f(x) = 0) - \#(\Lambda \cdot x \oplus \Gamma \cdot f(x) = 1) \right)$
so that $\Pr[\Lambda \cdot x = \Gamma \cdot f(x)] = \frac{1}{2}(1 + \epsilon_f(\Lambda, \Gamma))$.
Slide 53: Approximations of functions G and H
The linear approximations of the functions $G$ and $H$ can be constructed by combining approximations of $S_1$ and $S_2$ appropriately. We need special forms of approximations:
  $\Gamma \cdot G(x) = \Gamma \cdot x$: bypassing approximations
  $\Gamma \cdot H(x) = 0$: cutting approximations
  approximation                          bias                          example
  $\Gamma \cdot H(x) = 0$                $\epsilon_H(0, \Gamma)$       $\epsilon_H(0, \text{0X B}) =$ (value missing)
  $\Gamma \cdot x = \Gamma \cdot G_1(x)$ $\epsilon_{G_1}(\Gamma, \Gamma)$ $\epsilon_{G_1}(\text{0X}, \text{0X}) =$ (values missing)
  $\Gamma \cdot x = \Gamma \cdot G_2(x)$ $\epsilon_{G_2}(\Gamma, \Gamma)$ $\epsilon_{G_2}(\text{0X}, \text{0X}) =$ (values missing)
Slide 54: Approximations of function H
Assume $x = x_0 \| x_1 \| x_2 \| x_3$ ($x_i$: the $i$-th byte of $x$). The approximation $\Gamma \cdot H_1(x) = 0$ can be represented as
  $\Gamma \cdot H_1(x) = \Gamma \cdot S_2(x_0) \oplus \Gamma \cdot S_2(x_1) \oplus \Gamma \cdot S_2(x_2) \oplus \Gamma \cdot S_1(x_3) = 0$
Hence the bias $\epsilon_{H_1}(0, \Gamma)$ is computed as
  $\epsilon_{H_1}(0, \Gamma) = \epsilon_{S_2}(0, \Gamma)^3\, \epsilon_{S_1}(0, \Gamma)$,
where $\epsilon_{S_i}(0, \Gamma)$ denotes the bias of $\Gamma \cdot S_i(x_j) = 0$. Due to the structure, $\epsilon_{H_1}(0, \Gamma) = \epsilon_{H_2}(0, \Gamma) = \epsilon_{H_3}(0, \Gamma)$.
Slide 55: Approximations of function G
Assume $x = x_0 \| x_1 \| x_2 \| x_3$, where $x_i$ denotes the $i$-th byte of $x$, and a mask $\Gamma = \Gamma_0 \| \Gamma_1 \| \Gamma_2 \| \Gamma_3$, where $\Gamma_i \in \{0,1\}^8$. The approximation $\Gamma \cdot x = \Gamma \cdot G(x)$ can be decomposed into
  $\Gamma \cdot (x \oplus G_1(x)) = (\Gamma_0 \cdot x_0 \oplus \Gamma \cdot S_1(x_0)) \oplus (\Gamma_1 \cdot x_1 \oplus \Gamma \cdot S_1(x_1)) \oplus (\Gamma_2 \cdot x_2 \oplus \Gamma \cdot S_1(x_2)) \oplus (\Gamma_3 \cdot x_3 \oplus \Gamma \cdot S_2(x_3)) = 0$
Hence the bias $\epsilon_G(\Gamma, \Gamma)$ can be computed as
  $\epsilon_G(\Gamma, \Gamma) = \epsilon_{S_1(x_0)}(\Gamma_0, \Gamma)\, \epsilon_{S_1(x_1)}(\Gamma_1, \Gamma)\, \epsilon_{S_1(x_2)}(\Gamma_2, \Gamma)\, \epsilon_{S_2(x_3)}(\Gamma_3, \Gamma)$
where $\epsilon_{S_i(x_j)}(\Gamma_j, \Gamma)$ denotes the bias of $\Gamma_j \cdot x_j \oplus \Gamma \cdot S_i(x_j) = 0$.
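Added example, not Dragon's own code, for the decompositions of slides 54 and 55: the real $8 \times 32$ S-boxes are not on the page, so two constructed $4 \times 16$ S-boxes (fixed seed) stand in, $x$ is four nibbles and $\Gamma$ a 16-bit mask. The bias of $\Gamma \cdot H_1(x) = 0$ and of $\Gamma \cdot x = \Gamma \cdot G_1(x)$ counted over the whole input is compared with the product of the per-S-box biases, and the three $H_i$ are checked to share one cutting bias; the equality is exact for any S-boxes because the nibbles of a uniform $x$ are independent.

```python
"""Cutting approximation Γ·H_1(x) = 0 and bypassing approximation Γ·x = Γ·G_1(x):
exhaustive bias of the whole function versus the product of per-S-box biases.

Added example, not Dragon's own code.  Two constructed 4x16 S-boxes (fixed
random seed) replace Dragon's 8x32 S-boxes; x = x_0||x_1||x_2||x_3 is a
16-bit word of four nibbles and Γ a 16-bit mask."""
import random

NIBBLE_BITS = 4
WORD_BITS = 16
_rng = random.Random(2007)
S1 = [_rng.getrandbits(WORD_BITS) for _ in range(1 << NIBBLE_BITS)]  # constructed S-box
S2 = [_rng.getrandbits(WORD_BITS) for _ in range(1 << NIBBLE_BITS)]  # constructed S-box


def parity(v):
    """Γ·x over GF(2): parity of the masked word."""
    return bin(v).count("1") & 1


def split(x):
    """x = x_0 || x_1 || x_2 || x_3 with x_0 the most significant nibble."""
    return [(x >> (WORD_BITS - NIBBLE_BITS * (i + 1))) & 0xF for i in range(4)]


def G1(x):
    x0, x1, x2, x3 = split(x)
    return S1[x0] ^ S1[x1] ^ S1[x2] ^ S2[x3]


def H1(x):
    x0, x1, x2, x3 = split(x)
    return S2[x0] ^ S2[x1] ^ S2[x2] ^ S1[x3]


def H2(x):
    x0, x1, x2, x3 = split(x)
    return S2[x0] ^ S2[x1] ^ S1[x2] ^ S2[x3]


def H3(x):
    x0, x1, x2, x3 = split(x)
    return S2[x0] ^ S1[x1] ^ S2[x2] ^ S2[x3]


def bias(func, in_mask, out_mask, in_bits):
    """ε_f(Λ, Γ) as on slide 52: (#(Λ·x ⊕ Γ·f(x) = 0) - #(... = 1)) / #inputs,
    so Pr[Λ·x = Γ·f(x)] = (1 + ε) / 2."""
    total = 1 << in_bits
    zeros = sum(1 for x in range(total)
                if parity(in_mask & x) ^ parity(out_mask & func(x)) == 0)
    return (zeros - (total - zeros)) / total


def cutting_bias_H1(gamma):
    """Γ·H_1(x) = 0: (exhaustive bias, ε_S2(0,Γ)^3 * ε_S1(0,Γ)) of slide 54."""
    exhaustive = bias(H1, 0, gamma, WORD_BITS)
    eps_s1 = bias(lambda v: S1[v], 0, gamma, NIBBLE_BITS)
    eps_s2 = bias(lambda v: S2[v], 0, gamma, NIBBLE_BITS)
    return exhaustive, eps_s2 ** 3 * eps_s1


def cutting_biases_all_H(gamma):
    """ε_H1(0,Γ), ε_H2(0,Γ), ε_H3(0,Γ); equal, since each H_i XORs the same
    multiset of S-box outputs (three S2, one S1)."""
    return [bias(h, 0, gamma, WORD_BITS) for h in (H1, H2, H3)]


def bypassing_bias_G1(gamma):
    """Γ·x = Γ·G_1(x): (exhaustive bias, product over the four nibbles of the
    bias of Γ_j·x_j ⊕ Γ·S_i(x_j) = 0, Γ = Γ_0||Γ_1||Γ_2||Γ_3) of slide 55."""
    exhaustive = bias(G1, gamma, gamma, WORD_BITS)
    product = 1.0
    for gamma_j, box in zip(split(gamma), (S1, S1, S1, S2)):
        product *= bias(lambda v, b=box: b[v], gamma_j, gamma, NIBBLE_BITS)
    return exhaustive, product


if __name__ == "__main__":
    mask = 0x018D  # constructed 16-bit mask (bit positions 8, 7, 3, 2, 0)
    print("H1 cutting   (exhaustive, product):", cutting_bias_H1(mask))
    print("H1, H2, H3 cutting biases         :", cutting_biases_all_H(mask))
    print("G1 bypassing (exhaustive, product):", bypassing_bias_G1(mask))
```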
Slide 56: Approximations of modular addition
Given a linear mask $\Gamma = (\gamma_{n-1}, \ldots, \gamma_0)$ with $\gamma_i \in \{0,1\}$, assume the Hamming weight of $\Gamma$ is $m$. Let the vector $W_\Gamma = \Gamma(31, 30, \ldots, 1, 0) = (w_{m-1}, w_{m-2}, \ldots, w_0)$ denote the bit positions of $\Gamma$ where $\gamma_i = 1$. Then the bias $\epsilon_+(\Gamma, \Gamma)$ is
  $\epsilon_+(\Gamma, \Gamma) = 2^{-d_1}$ with $d_1 = \sum_{i=0}^{m/2-1} (w_{2i+1} - w_{2i})$ when $m$ is even, or
  $\epsilon_+(\Gamma, \Gamma) = 2^{-d_2}$ with $d_2 = \sum_{i=1}^{(m-1)/2} (w_{2i} - w_{2i-1}) + w_0$ when $m$ is odd.
For example, if $\Gamma =$ 0X D (mask digits missing), the Hamming weight of $\Gamma$ is 7 and $W_\Gamma = (26, 25, 8, 7, 3, 2, 0)$. Hence $\epsilon_+(\Gamma, \Gamma) = 2^{-[(26-25)+(8-7)+(3-2)]} = 2^{-3}$.
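Added example, not the talk's own code: the formula of slide 56 evaluated on the mask whose bit positions the slide lists, beside an exhaustive count of $\Gamma \cdot (x + y) \oplus \Gamma \cdot x \oplus \Gamma \cdot y$ over all pairs of 8-bit words for a few constructed masks. It also shows that the two-adjacent-bit and four-adjacent-bit masks used on the NLS slides (37 and 43) have biases $2^{-1}$ and $2^{-2}$ in the $\frac{1}{2}(1 + \epsilon)$ convention of slide 52; the latter is the $2^{-3}$ of slide 43 once written as $p = \frac{1}{2} + \epsilon'$ (slide 25).

```python
"""Bias of the modular-addition approximation Γ·(x + y) = Γ·x ⊕ Γ·y:
the slide's closed formula ε_+(Γ,Γ) = 2^-d (even / odd Hamming weight of Γ),
checked against an exhaustive count for small word sizes.

Added example, not the talk's own code.  ε follows the definition on the
Dragon slides, Pr[approximation holds] = (1 + ε) / 2; slide 25's other
convention p = 1/2 + ε' corresponds to ε' = ε / 2."""


def mask_positions(gamma):
    """W_Γ = (w_{m-1}, ..., w_0): bit positions of the 1s in Γ, high to low."""
    return [w for w in range(gamma.bit_length() - 1, -1, -1) if (gamma >> w) & 1]


def addition_bias_formula(gamma):
    """ε_+(Γ,Γ) = 2^-d with w_0 < w_1 < ... < w_{m-1} the positions of Γ:
       m even: d = Σ_{i=0}^{m/2-1}   (w_{2i+1} - w_{2i})
       m odd : d = Σ_{i=1}^{(m-1)/2} (w_{2i} - w_{2i-1}) + w_0"""
    w = sorted(mask_positions(gamma))
    m = len(w)
    if m == 0:
        return 1.0  # empty mask: the approximation 0 = 0 always holds
    if m % 2 == 0:
        d = sum(w[2 * i + 1] - w[2 * i] for i in range(m // 2))
    else:
        d = sum(w[2 * i] - w[2 * i - 1] for i in range(1, (m - 1) // 2 + 1)) + w[0]
    return 2.0 ** (-d)


def parity(v):
    """Γ·x over GF(2): parity of the masked word."""
    return bin(v).count("1") & 1


def addition_bias_exhaustive(gamma, n):
    """ε_+(Γ,Γ) for n-bit words by counting all 2^(2n) pairs (x, y):
    ε = (#zeros - #ones) / #pairs, 'zero' meaning Γ·(x+y) ⊕ Γ·x ⊕ Γ·y = 0."""
    mod = 1 << n
    zeros = 0
    for x in range(mod):
        for y in range(mod):
            lhs = parity(gamma & ((x + y) % mod))
            if lhs == parity(gamma & x) ^ parity(gamma & y):
                zeros += 1
    total = mod * mod
    return (zeros - (total - zeros)) / total


def to_half_plus_epsilon(eps):
    """Convert ε of Pr = (1 + ε)/2 into ε' of Pr = 1/2 + ε' (slide 25)."""
    return eps / 2


# Mask of slide 56, built from the bit positions the slide lists.
SLIDE_MASK = sum(1 << w for w in (26, 25, 8, 7, 3, 2, 0))

if __name__ == "__main__":
    print(f"slide 56 mask 0x{SLIDE_MASK:08X}: formula bias {addition_bias_formula(SLIDE_MASK)}")
    for gamma in (0b11001101, 0b11, 0xF0, 1 << 5):  # constructed 8-bit masks
        print(f"0x{gamma:02X}: formula {addition_bias_formula(gamma)}, "
              f"exhaustive {addition_bias_exhaustive(gamma, 8)}")
    # Four adjacent bits (slide 43): 2^-2 here, 2^-3 once written as p = 1/2 + ε'.
    print("four adjacent bits as p = 1/2 + ε':", to_half_plus_epsilon(addition_bias_formula(0xF0)))
```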
Slide 57: Approximation of function F
According to the state update rule of Dragon, $B_0[t] = B_{30}[t + 15]$, $t = 0, 1, \ldots$, and $a = B_0$, $e = B_{30} \oplus M_L$, where $a$ and $e$ are two of the six input words of the F function. Then we try $\Gamma \cdot a = \Gamma \cdot a'$ and $\Gamma \cdot e = \Gamma \cdot e'$, where $a'$ and $e'$ are the two output words of the F function that are produced as keystream.
Slide 58: Approximation of a'
An output word $a'$ is expressed as
  $a' = [(a \boxplus (e \oplus f)) \oplus H_1] \oplus [(e \oplus f \oplus G_2) \boxplus (H_2 \oplus ((a \oplus b) \boxplus c))]$
(here $\boxplus$ is addition modulo $2^{32}$). Due to the linearity of $\Gamma \cdot$, we know that
  $\Gamma \cdot a' = \Gamma \cdot [(a \boxplus (e \oplus f)) \oplus H_1] \oplus \Gamma \cdot [(e \oplus f \oplus G_2) \boxplus (H_2 \oplus ((a \oplus b) \boxplus c))]$
By the approximation of modular addition,
  $\Gamma \cdot [(e \oplus f \oplus G_2) \boxplus (H_2 \oplus ((a \oplus b) \boxplus c))] = \Gamma \cdot (e \oplus f \oplus G_2) \oplus \Gamma \cdot [H_2 \oplus ((a \oplus b) \boxplus c)]$
which holds with bias $\epsilon_+(\Gamma, \Gamma)$.
Slide 59: Approximation of a' (cont.)
Hence we have
  $\Gamma \cdot a' = \Gamma \cdot [(a \boxplus (e \oplus f)) \oplus H_1] \oplus \Gamma \cdot (e \oplus f \oplus G_2) \oplus \Gamma \cdot [H_2 \oplus ((a \oplus b) \boxplus c)]$
Applying the cutting approximations (for $H_1$, $H_2$) and the bypassing approximation (for $G_2$, whose input is $(a \oplus b) \boxplus c$), we get
  $\Gamma \cdot a' = \Gamma \cdot [a \boxplus (e \oplus f)] \oplus \Gamma \cdot (e \oplus f \oplus [(a \oplus b) \boxplus c]) \oplus \Gamma \cdot [(a \oplus b) \boxplus c] = \Gamma \cdot [a \boxplus (e \oplus f)] \oplus \Gamma \cdot (e \oplus f)$
From the approximation for the modular addition, we obtain $\Gamma \cdot a' = \Gamma \cdot a$.
Slide 60: Approximation of a' (cont.)
We know that $\Gamma \cdot [a \boxplus (e \oplus f)] = \Gamma \cdot a \oplus \Gamma \cdot (e \oplus f)$ holds with bias $\epsilon_+(\Gamma, \Gamma)$. Therefore the bias of the approximation can be computed from the biases of the component approximations as follows:
  $\epsilon_{a'}(\Gamma, \Gamma) = \epsilon_+(\Gamma, \Gamma)^2\, \epsilon_{H_1}(0, \Gamma)\, \epsilon_{H_2}(0, \Gamma)\, \epsilon_{G_2}(\Gamma, \Gamma)$
Since $a'$ is the upper part of the 64-bit keystream output, $\Gamma \cdot k_0[t] = \Gamma \cdot B_0[t]$, where $k_0[t]$ denotes the upper part of the 64-bit $k$ at clock $t$.
Slide 61: Approximation of e'
An output word $e'$ is described as
  $e' = [((a \boxplus (e \oplus f)) \oplus H_1) \boxplus (c \oplus d \oplus G_1)] \oplus [H_3 \oplus ((c \oplus d) \boxplus e)]$
From the approximation for modular addition, we have
  $\Gamma \cdot e' = \Gamma \cdot [(a \boxplus (e \oplus f)) \oplus H_1] \oplus \Gamma \cdot (c \oplus d \oplus G_1) \oplus \Gamma \cdot [H_3 \oplus ((c \oplus d) \boxplus e)]$
Applying the cutting approximations for the functions $H_1$, $H_3$ and the bypassing approximation for the function $G_1$ (whose input is $a \boxplus (e \oplus f)$), we get
  $\Gamma \cdot e' = \Gamma \cdot [a \boxplus (e \oplus f)] \oplus \Gamma \cdot (c \oplus d \oplus [a \boxplus (e \oplus f)]) \oplus \Gamma \cdot [(c \oplus d) \boxplus e] = \Gamma \cdot (c \oplus d) \oplus \Gamma \cdot [(c \oplus d) \boxplus e]$
Slide 62: Approximation of e' (cont.)
From the approximation for modular addition, we obtain $\Gamma \cdot e' = \Gamma \cdot e$ with bias
  $\epsilon_{e'}(\Gamma, \Gamma) = \epsilon_+(\Gamma, \Gamma)^2\, \epsilon_{H_1}(0, \Gamma)\, \epsilon_{H_3}(0, \Gamma)\, \epsilon_{G_1}(\Gamma, \Gamma)$
Since the 32-bit word $e'$ is the lower part of the 64-bit keystream output $k$,
  $\Gamma \cdot k_1[t] = \Gamma \cdot (B_{30}[t] \oplus M_L[t])$
where $k_1[t]$ is the lower part of the 64-bit $k$ and $M_L[t]$ the upper part of the 64-bit memory word $M$.
Slide 63: Distinguisher
According to the function F, we can write
  $\Gamma \cdot k_0[t] = \Gamma \cdot B_0[t] = \Gamma \cdot B_{30}[t + 15] = \Gamma \cdot (k_1[t + 15] \oplus M_L[t + 15])$
By guessing (partially) the initial value of $M$, we can build the following distinguisher:
  $\Gamma \cdot k_0[t] = \Gamma \cdot k_1[t + 15]$
For the correctly guessed initial value of $M$, the distinguisher shows the bias
  $\epsilon_D(\Gamma, \Gamma) = \epsilon_{a'}(\Gamma, \Gamma)\, \epsilon_{e'}(\Gamma, \Gamma) = \epsilon_+(\Gamma, \Gamma)^4\, \epsilon_{H_1}(0, \Gamma)^2\, \epsilon_{H_2}(0, \Gamma)\, \epsilon_{H_3}(0, \Gamma)\, \epsilon_{G_1}(\Gamma, \Gamma)\, \epsilon_{G_2}(\Gamma, \Gamma)$
Slide 64: Distinguisher
We need to guess the first 27 bits of the initial value of $M_L$ and the 32 bits of $M_R$. Hence storing all possible values of the internal state takes $2^{27} \cdot 2^{32} = 2^{59}$ bits.
The best linear approximation uses the mask $\Gamma =$ 0X D (mask digits missing). The bias of the distinguisher in this case (the numeric entries of the table are missing):
  $\Gamma$ | $\epsilon_+(\Gamma, \Gamma)$ | $\epsilon_H(0, \Gamma)$ | $\epsilon_{G_1}(\Gamma, \Gamma)$ | $\epsilon_{G_2}(\Gamma, \Gamma)$ | $\epsilon_{a'}(\Gamma, \Gamma)$ | $\epsilon_{e'}(\Gamma, \Gamma)$ | $\epsilon_D(\Gamma, \Gamma)$
  0x D | | | | | | |
Slide 65: Future Research
The eSTREAM call for secure and efficient stream ciphers: a service to the community at large; several recommendations of finalists (SW and HW) are expected; further analysis of the finalists.
Analysis of stream ciphers: total break (recovery of the secret key or initial state); distinguishers (indication of weaknesses).
Development of new cryptanalytic tools for stream ciphers.
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationTowards non-linear feedbacks
Towards non-linear feedbacks Who? Cédric Lauradoux When? December 2, 2008 Applications of sequences BPSK Data Carrier m t IV Init s n K k t f Φ Φ c t s 1 s n s 1 PRNG Spread spectrum Boolean functions
More informationAlgebraic Aspects of Symmetric-key Cryptography
Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques
More informationSearching Cubes for Testing Boolean Functions and Its Application to Trivium
Searching Cubes for Testing Boolean Functions and Its Application to Trivium Meicheng Liu, Dongdai Lin and Wenhao Wang State Key Laboratory of Information Security Institute of Information Engineering
More informationDifferential Fault Analysis of Trivium
Differential Fault Analysis of Trivium Michal Hojsík 1,2 and Bohuslav Rudolf 2,3 1 Department of Informatics, University of Bergen, N-5020 Bergen, Norway 2 Department of Algebra, Charles University in
More informationA new simple technique to attack filter generators and related ciphers
A new simple technique to attack filter generators and related ciphers Håkan Englund and Thomas Johansson Dept. of Information Techonolgy, Lund University, P.O. Box 118, 221 00 Lund, Sweden Abstract. This
More informationA GENERAL FRAMEWORK FOR GUESS-AND-DETERMINE AND TIME-MEMORY-DATA TRADE-OFF ATTACKS ON STREAM CIPHERS
A GENERAL FRAMEWORK FOR GUESS-AND-DETERMINE AND TIME-MEMORY-DATA TRADE-OFF ATTACKS ON STREAM CIPHERS Guanhan Chew, Khoongming Khoo DSO National Laboratories, 20 Science Park Drive, Singapore 118230 cguanhan,kkhoongm@dso.org.sg
More informationOn the Design of Trivium
On the Design of Trivium Yun Tian, Gongliang Chen, Jianhua Li School of Information Security Engineering, Shanghai Jiaotong University, China ruth tian@sjtu.edu.cn, chengl@sjtu.edu.cn, lijh888@sjtu.edu.cn
More informationOpen problems related to algebraic attacks on stream ciphers
Open problems related to algebraic attacks on stream ciphers Anne Canteaut INRIA - projet CODES B.P. 105 78153 Le Chesnay cedex - France e-mail: Anne.Canteaut@inria.fr Abstract The recently developed algebraic
More informationCharacterizations on Algebraic Immunity for Multi-Output Boolean Functions
Characterizations on Algebraic Immunity for Multi-Output Boolean Functions Xiao Zhong 1, and Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190, China. Graduate School
More informationSOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies
SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by
More informationACORN: A Lightweight Authenticated Cipher (v3)
ACORN: A Lightweight Authenticated Cipher (v3) Designer and Submitter: Hongjun Wu Division of Mathematical Sciences Nanyang Technological University wuhongjun@gmail.com 2016.09.15 Contents 1 Specification
More informationA Byte-Based Guess and Determine Attack on SOSEMANUK
A Byte-Based Guess and Determine Attack on SOSEMANUK Xiutao Feng, Jun Liu, Zhaocun Zhou, Chuankun Wu, and Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy
More informationSequences, DFT and Resistance against Fast Algebraic Attacks
Sequences, DFT and Resistance against Fast Algebraic Attacks Guang Gong Department of Electrical and Computer Engineering University of Waterloo Waterloo, Ontario N2L 3G1, CANADA Email. ggong@calliope.uwaterloo.ca
More informationLinear Cryptanalysis of Reduced-Round Speck
Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be
More informationNumerical Solvers in Cryptanalysis
Numerical Solvers in Cryptanalysis M. Lamberger, T. Nad, V. Rijmen Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria
More informationComputing the biases of parity-check relations
Computing the biases of parity-check relations Anne Canteaut INRIA project-team SECRET B.P. 05 7853 Le Chesnay Cedex, France Email: Anne.Canteaut@inria.fr María Naya-Plasencia INRIA project-team SECRET
More informationDeterministic Cube Attacks:
Deterministic Cube Attacks: A New Method to Recover Superpolies in Practice Chen-Dong Ye and Tian Tian National Digital Switching System Engineering & Technological Research Center, P.O. Box 407, 62 Kexue
More informationNew Methods for Cryptanalysis of Stream Ciphers. The Selmer Centre Department of Informatics University of Bergen Norway
New Methods for Cryptanalysis of Stream Ciphers Håvard Molland The Selmer Centre Department of Informatics University of Bergen Norway 18th May 2005 Acknowledgments I would like to express my gratitude
More informationCryptanalysis of Lightweight Cryptographic Algorithms
Cryptanalysis of Lightweight Cryptographic Algorithms By Mohammad Ali Orumiehchiha A thesis submitted to Macquarie University for the degree of Doctor of Philosophy Department of Computing July 2014 ii
More informationAlgebraic Attacks and Stream Ciphers
November 25 th, 24 Algebraic Attacks and Stream Ciphers Helsinki University of Technology mkivihar@cc.hut.fi Overview Stream ciphers and the most common attacks Algebraic attacks (on LSFR-based ciphers)
More informationCryptanalysis of the Stream Cipher DECIM
Cryptanalysis of the Stream Cipher DECIM Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium {wu.hongjun, bart.preneel}@esat.kuleuven.be
More informationF-FCSR: Design of a New Class of Stream Ciphers
F-FCSR: Design of a New Class of Stream Ciphers François Arnault and Thierry P. Berger LACO, Université de Limoges, 123 avenue A. Thomas, 87060 Limoges CEDEX, France {arnault, thierry.berger}@unilim.fr
More informationCryptanalysis of Grain
Cryptanalysis of Grain Côme Berbain 1, Henri Gilbert 1, and Alexander Maximov 2 1 France Telecom Research and Development 38-40 rue du Général Leclerc, 92794 Issy-les-Moulineaux, France 2 Dept. of Information
More informationNear Collision Attack on the Grain v1 Stream Cipher
Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang, Zhenqi Li, Dengguo Feng and Dongdai Lin State Key Laboratory of Information Security, IIE, Chinese Academy of Sciences, Beijing, 100093, China.
More informationModified version of Latin Dances Revisited: New Analytic Results of Salsa20 and ChaCha
Modified version of Latin Dances Revisited: New Analytic Results of Salsa20 and ChaCha Tsukasa Ishiguro KDDI R&D Laboratories Inc. 2-1-15 Ohara, Fujimino, Saitama 356-8502, Japan tsukasa@kddilabs.jp 1
More informationIntroduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard
Introduction to Modern Cryptography Lecture 3 (1) Finite Groups, Rings and Fields (2) AES - Advanced Encryption Standard +,0, and -a are only notations! Review - Groups Def (group): A set G with a binary
More informationOptimizing the placement of tap positions. joint work with Enes Pasalic, Samed Bajrić and Yongzhuang Wei
Optimizing the placement of tap positions Samir Hodžić joint work with Enes Pasalic, Samed Bajrić and Yongzhuang Wei Filtering generator Linear feedback shift register (LFSR). Nonlinear filtering function
More informationFast Near Collision Attack on the Grain v1 Stream Cipher
Fast Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang 1,,3,4, Chao Xu 1,, and Willi Meier 5 1 TCA Laboratory, SKLCS, Institute of Software, Chinese Academy of Sciences {zhangbin,xuchao}@tca.iscas.ac.cn
More informationAlgebraic Attacks on Stream Ciphers with Linear Feedback
Algebraic Attacks on Stream Ciphers with Linear Feedback Extended Version of the Eurocrypt 2003 paper, August 24, 2003 Nicolas T. Courtois 1 and Willi Meier 2 1 Cryptography Research, Schlumberger Smart
More informationA Scalable Method for Constructing Galois NLFSRs with Period 2 n 1 using Cross-Join Pairs
A Scalable Method for Constructing Galois NLFSRs with Period 2 n 1 using Cross-Join Pairs Elena Dubrova Royal Institute of Technology (KTH), Forum 12, 164 4 Kista, Sweden {dubrova}@kth.se Abstract. This
More informationImproved Linear Distinguishers for SNOW 2.0
Improved Linear Distinguishers for SNOW 2.0 Kaisa Nyberg 1,2 and Johan Wallén 1 1 Helsinki University of Technology and 2 Nokia Research Center, Finland Email: kaisa.nyberg@nokia.com; johan.wallen@tkk.fi
More informationFResCA: A Fault-Resistant Cellular Automata Based Stream Cipher
FResCA: A Fault-Resistant Cellular Automata Based Stream Cipher Jimmy Jose 1,2 Dipanwita Roy Chowdhury 1 1 Crypto Research Laboratory, Department of Computer Science and Engineering, Indian Institute of
More informationCryptanalysis of the Light-Weight Cipher A2U2 First Draft version
Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Mohamed Ahmed Abdelraheem, Julia Borghoff, Erik Zenner Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark {M.A.Abdelraheem,J.Borghoff,E.Zenner}@mat.dtu.dk
More informationDistinguishing Attack on Common Scrambling Algorithm
410 The International Arab Journal of Information Technology, Vol. 12, No. 4, July 2015 Distinguishing Attack on Common Scrambling Algorithm Kai Zhang and Jie Guan Zhengzhou Information Science and Technology
More informationA block cipher enciphers each block with the same key.
Ciphers are classified as block or stream ciphers. All ciphers split long messages into blocks and encipher each block separately. Block sizes range from one bit to thousands of bits per block. A block
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationResilience to Distinguishing Attacks on WG-7 Cipher and Their Generalizations
Resilience to Distinguishing Attacks on WG-7 Cipher and Their Generalizations Guang Gong, Mark Aagaard and Xinxin Fan Department of Electrical and Computer Engineering University of Waterloo, Waterloo,
More informationFast Correlation Attacks: an Algorithmic Point of View
Fast Correlation Attacks: an Algorithmic Point of View Philippe Chose, Antoine Joux, and Michel Mitton DCSSI, 18 rue du Docteur Zamenhof F-92131 Issy-les-Moulineaux cedex, France Philippe.Chose@ens.fr,
More informationA TMDTO Attack Against Lizard
A TMDTO Attack Against Lizard Subhamoy Maitra 1, Nishant Sinha 2, Akhilesh Siddhanti 3, Ravi Anand 4, Sugata Gangopadhyay 2 1 Indian Statistical Institute, Kolkata, subho@isical.ac.in 2 Indian Institute
More informationCRC Press has granted the following specific permissions for the electronic version of this book:
This is a Chapter from the Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996. For further information, see www.cacr.math.uwaterloo.ca/hac CRC Press has
More informationLinear Extension Cube Attack on Stream Ciphers ABSTRACT 1. INTRODUCTION
Malaysian Journal of Mathematical Sciences 9(S) June: 139-156 (015) Special ssue: The 4 th nternational Cryptology and nformation Security Conference 014 (Cryptology 014) MALAYSAN JOURNAL OF MATHEMATCAL
More informationOvertaking VEST. 45, avenue des États-Unis, Versailles Cedex, France 3 DCSSI Crypto Lab
Overtaking VEST Antoine Joux 1,2 and Jean-René Reinhard 3 1 DGA 2 Université de Versailles St-Quentin-en-Yvelines, PRISM 45, avenue des États-Unis, 78035 Versailles Cedex, France antoine.joux@m4x.org 3
More informationCharacterization of 2 n -Periodic Binary Sequences with Fixed 2-error or 3-error Linear Complexity
Characterization of n -Periodic Binary Sequences with Fixed -error or 3-error Linear Complexity Ramakanth Kavuluru Department of Computer Science, University of Kentucky, Lexington, KY 40506, USA. Abstract
More informationMaximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers
Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers Muxiang Zhang 1 and Agnes Chan 2 1 GTE Laboratories Inc., 40 Sylvan Road LA0MS59, Waltham, MA 02451 mzhang@gte.com 2 College of Computer
More informationCorrelated Keystreams in Moustique
Correlated Keystreams in Moustique Emilia Käsper 1, Vincent Rijmen 1,3, Tor E. Bjørstad 2, Christian Rechberger 3, Matt Robshaw 4 and Gautham Sekar 1 1 K.U.Leuven, ESAT-COSIC 2 The Selmer Center, University
More informationORYX. ORYX not an acronym, but upper case Designed for use with cell phones. Standard developed by. Cipher design process not open
ORYX ORYX 1 ORYX ORYX not an acronym, but upper case Designed for use with cell phones o To protect confidentiality of voice/data o For data channel, not control channel o Control channel encrypted with
More informationFast Correlation Attacks: An Algorithmic Point of View
Fast Correlation Attacks: An Algorithmic Point of View Philippe Chose, Antoine Joux, and Michel Mitton DCSSI, 18 rue du Docteur Zamenhof, F-92131 Issy-les-Moulineaux cedex, France, Philippe.Chose@ens.fr,
More informationDan Boneh. Stream ciphers. The One Time Pad
Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.
More informationRC4 State Information at Any Stage Reveals the Secret Key
RC4 State Information at Any Stage Reveals the Secret Key Goutam Paul Department of Computer Science and Engineering, Jadavpur University, Kolkata 700 032, India, Email: goutam paul@cse.jdvu.ac.in Subhamoy
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationX-FCSR: a new software oriented stream cipher based upon FCSRs
X-FCSR: a new software oriented stream cipher based upon FCSRs François Arnault 1, Thierry P. Berger 1, Marine Minier 2, and Cédric Lauradoux 3 1 XLIM, Faculté des Sciences de Limoges 23 avenue Albert
More informationShift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3
Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y
More informationUniversity of Bergen Faculty of Mathematical and Natural Sciences Department of Informatics The Selmer Center
University of Bergen Faculty of Mathematical and Natural Sciences Department of Informatics The Selmer Center A DATABASE FOR BOOLEAN FUNCTIONS AND CONSTRUCTIONS OF GENERALIZED COMPLEMENTARY PAIRS by Mohamed
More informationFast Correlation Attack on Stream Cipher ABC v3
Fast Correlation Attack on Stream Cipher ABC v3 Haina Zhang Lin Li Xiaoyun Wang Abstract ABC v3 is a stream cipher proposed as a candidate to ECRYPT Estream Project which enters the second evaluation phase.
More informationAlternative Approaches: Bounded Storage Model
Alternative Approaches: Bounded Storage Model A. Würfl 17th April 2005 1 Motivation Description of the Randomized Cipher 2 Motivation Motivation Description of the Randomized Cipher Common practice in
More informationThe LILI-128 Keystream Generator
The LILI-128 Keystream Generator E. Dawson 1 A. Clark 1 J. Golić 2 W. Millan 1 L. Penna 1 L. Simpson 1 1 Information Security Research Centre, Queensland University of Technology GPO Box 2434, Brisbane
More informationTwo Generic Methods of Analyzing Stream Ciphers
Two Generic Methods of Analyzing Stream Ciphers Lin Jiao 1,2, Bin Zhang 1,3, and Mingsheng Wang 4 1 TCA, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China 2 University of Chinese
More informationOutline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael
Outline CPSC 418/MATH 318 Introduction to Cryptography Advanced Encryption Standard Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in
More informationDesign of Filter Functions for Key Stream Generators using Boolean Power Functions Jong-Min Baek
Design of Filter Functions for Key Stream Generators using Boolean Power Functions Jong-Min Baek The Graduate School Yonsei University Department of Electrical and Electronic Engineering Design of Filter
More informationNew Distinguishers for Reduced Round Trivium and Trivia-SC using Cube Testers (Extended Abstract)
New Distinguishers for Reduced Round Trivium and Trivia-SC using Cube Testers (Extended Abstract) Anubhab Baksi 1, Subhamoy Maitra 1, Santanu Sarkar 2 1 Indian Statistical Institute, 203 B. T. Road, Kolkata
More informationCombinatorics of p-ary Bent Functions
Combinatorics of p-ary Bent Functions MIDN 1/C Steven Walsh United States Naval Academy 25 April 2014 Objectives Introduction/Motivation Definitions Important Theorems Main Results: Connecting Bent Functions
More informationBreaking One.Fivium by AIDA an Algebraic IV Differential Attack
Breaking One.Fivium by an Michael Vielhaber, Instituto de Matemáticas, Universidad Austral de Chile Casilla 567, Valdivia, Chile, vielhaber@gmail.com October 28, 2007 Abstract We show, how to break Trivium
More informationOn the computation of best second order approximations of Boolean Functions ΕΤΗΣΙΑ ΕΚΘΕΣΗ 2010
Introduction Boolean functions 2nd order nonlinearity Summary ARXH PROSTASIAS_APOLOGISMOS 2010.indd 1 20/04/2011 12:54 ΜΜ On the computation of best second order approximations of Boolean Functions ΕΤΗΣΙΑ
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationAppendix A. Pseudo-random Sequence (Number) Generators
Communication Systems Security, Appendix A, Draft, L. Chen and G. Gong, 2008 1 Appendix A. Pseudo-random Sequence (Number) Generators In this appendix, we introduce how to design pseudo-random sequence
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationSecurity Evaluation of Stream Cipher Enocoro-128v2
Security Evaluation of Stream Cipher Enocoro-128v2 Hell, Martin; Johansson, Thomas 2010 Link to publication Citation for published version (APA): Hell, M., & Johansson, T. (2010). Security Evaluation of
More informationSome New Weaknesses in the RC4 Stream Cipher
Some ew Weaknesses in the RC4 Stream Cipher Jing Lv (B), Bin Zhang, and Dongdai Lin 2 Laboratory of Trusted Computing and Information Assurance, Institute of Software, Chinese Academy of Sciences, 0090
More informationFiltering Nonlinear Feedback Shift Registers using Welch-Gong Transformations for Securing RFID Applications
Filtering Nonlinear Feedback Shift Registers using Welch-Gong Transformations for Securing RFID Applications Kalikinkar Mandal, and Guang Gong Department of Electrical and Computer Engineering University
More information