MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher
1 MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher Raghvendra Rohit, Riham AlTawy, & Guang Gong Department of Electrical and Computer Engineering, University of Waterloo Waterloo, ON, N2L 3G1, CANADA IMACC 2017, December 2017 St Catherines College, University of Oxford, Oxford
2 Outline
Introduction
WG stream cipher
Cube attack on WG-5
Comparison with Grain128a & Trivium
Conclusions
3 Introduction
4 Cube attacks
Proposed in [1, 2]. Basic idea: let $f : \mathbb{F}_2^5 \to \mathbb{F}_2$ be given by
$f(k_0, k_1, k_2, v_0, v_1) = v_0 v_1 k_0 + v_0 v_1 k_2 + v_0 v_1 + k_0 k_1 + v_1 k_2 + k = v_0 v_1 (k_0 + k_2 + 1) + k_0 k_1 + v_1 k_2 + k$
(the index of the last, linear key term is not legible in this transcription; it cancels in the sum below in any case).
Summing $f$ over all four choices of $(v_0, v_1)$ gives
$f(k_0, k_1, k_2, 0, 0) + f(k_0, k_1, k_2, 0, 1) + f(k_0, k_1, k_2, 1, 0) + f(k_0, k_1, k_2, 1, 1) = k_0 + k_2 + 1,$
a linear relation between the two key bits $k_0$ and $k_2$: every monomial not divisible by $v_0 v_1$ is summed an even number of times and vanishes over $\mathbb{F}_2$.
[1] Vielhaber, M.: Breaking ONE.FIVIUM by AIDA, an algebraic IV differential attack. Cryptology ePrint Archive, Report 2007/413.
[2] Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. EUROCRYPT 2009.
5 Cube attacks (ctd.) Mathematical description
Initialization phase: the state is loaded with $(k, v)$ and updated for a number of rounds; the first keystream bit is $z = f(k, v)$.
$k = (k_0, k_1, \ldots, k_{n-1})$: secret variables
$v = (v_0, v_1, \ldots, v_{m-1})$: public variables
$I = \{i_1, i_2, \ldots, i_{|I|}\} \subseteq \{0, 1, \ldots, m-1\}$: cube indices
$f(k, v)$ can be represented as $f(k, v) = t_I \cdot p(k, v) + q(k, v)$, where $t_I = v_{i_1} v_{i_2} \cdots v_{i_{|I|}}$, $p(k, v)$ is a polynomial that does not contain any of the cube variables $v_{i_1}, v_{i_2}, \ldots, v_{i_{|I|}}$, and every monomial of $q(k, v)$ misses at least one of the variables $v_{i_1}, v_{i_2}, \ldots, v_{i_{|I|}}$.
6 Cube attacks (ctd.)
Let $C_I$ denote the set of all $2^{|I|}$ values of $(v_{i_1}, v_{i_2}, \ldots, v_{i_{|I|}})$, with the remaining $n + m - |I|$ input variables fixed to constants. Then
$\bigoplus_{C_I} f(k, v) = p(k, v).$
$p(k, v)$ is called the superpoly of the cube $C_I$. A simple (for instance linear) $p(k, v)$ turns this into an algebraic attack: every cube contributes one equation in the key bits, and the system is solved.
7 Division property
Definition (division property [3]): Let $X$ be a multiset of elements of $\mathbb{F}_2^n$ and $0 \le k \le n$. $X$ has the division property $\mathcal{D}^n_k$ if
$\bigoplus_{x \in X} \pi_u(x) = 0$ for all $u \in \mathbb{F}_2^n$ with $w(u) < k$.
Definition (bit-based division property [4]): Let $X$ be a multiset whose elements take values in $\mathbb{F}_2^n$, and let $W$ be a set of $n$-dimensional binary vectors. $X$ has the division property $\mathcal{D}^{1,n}_W$ if
$\bigoplus_{x \in X} \pi_u(x) = $ unknown if there exists $w \in W$ such that $u \succeq w$, and $= 0$ otherwise,
where $u, w, x \in \mathbb{F}_2^n$, $\pi_u(x) = \prod_{i=0}^{n-1} x_i^{u_i}$, and $u \succeq w$ if $u_i \ge w_i$ for all $i$.
[3] Todo, Y.: Structural evaluation by generalized integral property. EUROCRYPT 2015.
[4] Todo, Y., Morii, M.: Bit-based division property and application to SIMON family. FSE 2016.
8 MILP models for bit-based division property propagation (Mixed Integer Linear Programming models)
COPY, $a \xrightarrow{\mathrm{COPY}} (b_1, b_2, \ldots, b_m)$: M.var $a, b_1, b_2, \ldots, b_m$ as binary; M.con $a = b_1 + b_2 + \cdots + b_m$.
XOR, $(a_1, a_2, \ldots, a_m) \xrightarrow{\mathrm{XOR}} b$: M.var $a_1, a_2, \ldots, a_m, b$ as binary; M.con $a_1 + a_2 + \cdots + a_m = b$.
AND, $(a_1, a_2, \ldots, a_m) \xrightarrow{\mathrm{AND}} b$: M.var $a_1, a_2, \ldots, a_m, b$ as binary; M.con $b \ge a_i$ for $i = 1, 2, \ldots, m$.
The solutions of these inequalities are exactly the division trails through the circuit.
9 Division property & cube attacks
To check whether the secret variable $k_j$ is involved in the superpoly:
1. For a given cube $C_I$, start with the initial division property $\mathcal{D}^{1,n}_W$, $W = \{(v, e_j)\}$, where $v_i = 1$ if $i \in \{i_1, i_2, \ldots, i_{|I|}\}$ and $v_i = 0$ otherwise, and $e_j$ is the unit vector with $k_j = 1$ and all other key bits $0$.
2. Add the constraint $z = 1$ (the output division property is the unit vector of the keystream bit).
3. If there is no division trail satisfying steps 1 and 2, then $k_j$ is not involved in the superpoly of $C_I$ [5]. The converse does not hold: a trail only shows that $k_j$ may be involved, so the set of involved variables found this way is a superset.
[5] Todo, Y., Isobe, T., Hao, Y., Meier, W.: Cube attacks on non-blackbox polynomials based on division property. CRYPTO 2017.
10 Our contributions
We investigate the security of the nonlinear initialization phase of WG-5 with respect to cube attacks.
We present an argument that the WG-5 initialization phase is more resistant to cube attacks than those of Grain128a and Trivium.
11 WG stream cipher
12 General architecture for WG ciphers
Figure: an LFSR of $l$ stages $a_0, \ldots, a_{l-1}$ over $GF(2^m)$ with feedback coefficients $c_1, \ldots, c_{l-1}$; the last stage is raised to the power $d$, passed through WGP-m, and the trace Tr(.) gives the keystream bit; in the initialization phase the WGP-m output is also fed back into the LFSR (figure not reproduced).
Mathematical parameters:
$m$: bit width of the LFSR stages
$g(x)$: generating polynomial of $GF(2^m)$
$p(x) = x^l + \sum_{i=0}^{l-1} c_i x^i$: primitive polynomial for the LFSR, $l$ = degree of $p$ (the constant term $c_0$ must be nonzero for $p$ to be primitive)
Find $k$ such that $3k \equiv 1 \bmod m$; then $r_1 = 2^k + 1$, $r_2 = 2^{2k} + 2^k + 1$, $r_3 = 2^{2k} - 2^k + 1$, $r_4 = 2^{2k} + 2^k - 1$
WGP-m$(x) = t(x + 1) + 1$, with $t(x) = x + x^{r_1} + x^{r_2} + x^{r_3} + x^{r_4}$, $x \in GF(2^m)$
Decimation exponent $d$ with $\gcd(d, 2^m - 1) = 1$
For $m = 5$ this gives $k = 2$, i.e. $t(x) = x + x^5 + x^{13} + x^{19} + x^{21}$, and WG-5 uses $d = 3$ ($\gcd(3, 31) = 1$).
13 WG ciphers: randomness properties
Randomness properties of the WG keystream:
Long period: $2^{lm} - 1$
Balanced
Ideal 2-level autocorrelation
Ideal $t$-tuple distribution
14 WG-5 specification
WG-5 [6] is a lightweight version of the eSTREAM submission WG [7].
Figure: a 32-stage LFSR $S^i[0], S^i[1], \ldots, S^i[31]$ over $GF(2^5)$ (5-bit stages, constant $\gamma$ on the stage-0 tap); the last stage is cubed, passed through WGP-5, and Tr(.) gives the keystream bit; in the initialization phase the WGP-5 output is fed back into the LFSR (figure not reproduced).
$g(x) = x^5 + x^4 + x^2 + x + 1$ (defining polynomial of $GF(2^5)$, $\alpha$ a root)
$p(x) = x^{32} + x^7 + x^6 + x^4 + x^3 + x^2 + \gamma$, with $\gamma = \alpha^4 + \alpha^3 + \alpha^2 + \alpha + 1$
Initial state (80-bit key $K$ and 80-bit IV, each viewed as 16 words of 5 bits):
$S^0[j] = K[\lfloor j/2 \rfloor]$ if $j \equiv 0 \bmod 2$, and $S^0[j] = IV[\lfloor j/2 \rfloor]$ if $j \equiv 1 \bmod 2$, for $0 \le j \le 31$.
Number of initialization rounds: 64.
[6] Aagaard, M. D., Gong, G., Mota, R. K.: Hardware implementations of the WG-5 cipher for passive RFID tags.
[7] Nawaz, Y., Gong, G.: WG: A family of stream ciphers with designed randomness properties.
15 Cube attack on WG-5
16 Attack framework: notation
key: $k = (k_0, k_1, \ldots, k_{79})$; IV: $v = (v_0, v_1, \ldots, v_{79})$
first keystream bit: $z = f(k, v)$
superpoly: $\bigoplus_{C_I} f(k, v) = p(\bar{k}, \bar{v})$, where $C_I$ is the cube of size $|I|$, $\bar{v} = \{v_0, v_1, \ldots, v_{79}\} \setminus \{v_{i_1}, v_{i_2}, \ldots, v_{i_{|I|}}\}$ is the constant part of the IV, $\bar{k} = \{k_{j_1}, k_{j_2}, \ldots, k_{j_J}\}$ is the set of key bits involved in $p$, and $J$ is the number of variables in $\bar{k}$.
17 Attack framework
The attack consists of two phases: 1) offline phase, 2) online phase.
Offline phase. Goal: recover a superpoly that is almost balanced for a given cube $C_I$. Steps:
1. Create a MILP model $\mathcal{M}$ that encodes the division trails of WG-5 reduced to $R$ rounds.
2. Evaluate the secret variables $\bar{k}$ involved in the superpoly $p$ (one MILP feasibility check per key bit).
3. Choose a value for $\bar{v}$ and recover $p(\bar{k}, \bar{v})$ by trying all $2^{|I| + J}$ possible values of the cube and involved key bits. Store $p(\bar{k}, \bar{v})$ for all $2^J$ values of $\bar{k}$.
18 Attack framework (ctd.)
Online phase. Goal: recover the entire secret key. Steps:
1. Query the cube $C_I$ (the $2^{|I|}$ IVs, with $\bar{v}$ fixed to the value used offline) to the encryption oracle, sum the first keystream bits to obtain $p(\bar{k}, \bar{v})$ under the unknown key, and compare it with the stored values. For a balanced superpoly this step halves the remaining key space; multiple cubes reduce it further.
2. Guess the remaining secret key bits.
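The following Python block is an added example, not code from the paper: it runs the cube-attack pipeline of the "Cube attacks" slides and of the offline/online framework above on the toy 5-variable function f from the "Cube attacks" slide, with cube summation, a BLR linearity test for the superpoly, recovery of a linear superpoly, the offline table over the involved key bits, and the online filtering of key candidates. The function names (cube_sum, superpoly, offline_table, online_filter, demo) are illustrative, and the last linear key term of f, whose index is not legible on the slide, is taken to be k_1 (it cancels under any non-empty cube, so the superpolys are unaffected).

```python
"""Cube attack on the toy function from the 'Cube attacks' slide (added example).

f has 3 secret bits k = (k_0, k_1, k_2) and 2 public bits v = (v_0, v_1).
Summing f over the cube C_I for I = {0, 1} (all four values of v_0 v_1)
leaves the superpoly p(k) = k_0 + k_2 + 1.  Below: cube summation, a BLR
linearity test for p, recovery of a linear p, the offline table over the
involved key bits and the online filtering of key candidates.
"""
from itertools import product
import random

N_KEY, N_IV = 3, 2


def f(k, v):
    """f = v0 v1 k0 + v0 v1 k2 + v0 v1 + k0 k1 + v1 k2 + k1 over GF(2).
    The last linear key term is assumed to be k1: its index is not legible
    on the slide, and it cancels under any non-empty cube."""
    return ((v[0] & v[1] & k[0]) ^ (v[0] & v[1] & k[2]) ^ (v[0] & v[1])
            ^ (k[0] & k[1]) ^ (v[1] & k[2]) ^ k[1])


def cube_sum(func, key, iv_const, cube):
    """XOR of func over all 2^|I| assignments to the cube bits; IV bits
    outside the cube keep the values in iv_const (the 'constant part')."""
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        iv = list(iv_const)
        for i, b in zip(cube, bits):
            iv[i] = b
        acc ^= func(key, iv)
    return acc


def superpoly(func, cube, iv_const):
    """The superpoly p as a function of the key alone (the cube is summed out)."""
    return lambda key: cube_sum(func, key, iv_const, cube)


def is_linear(p, n_key, trials=64, seed=1):
    """BLR test: a linear p satisfies p(x) + p(y) + p(0) = p(x + y).
    Probabilistic: `trials` random pairs, so False is certain, True is likely."""
    rng = random.Random(seed)
    zero = (0,) * n_key
    for _ in range(trials):
        x = tuple(rng.randint(0, 1) for _ in range(n_key))
        y = tuple(rng.randint(0, 1) for _ in range(n_key))
        xy = tuple(a ^ b for a, b in zip(x, y))
        if p(x) ^ p(y) ^ p(zero) != p(xy):
            return False
    return True


def recover_linear(p, n_key):
    """For linear p(k) = c + sum_j a_j k_j: c = p(0), a_j = p(e_j) + p(0).
    Returns (c, [a_0, ..., a_{n_key-1}]); n_key + 1 cube sums in total."""
    zero = (0,) * n_key
    c = p(zero)
    coeffs = []
    for j in range(n_key):
        e_j = tuple(1 if i == j else 0 for i in range(n_key))
        coeffs.append(p(e_j) ^ c)
    return c, coeffs


def offline_table(p, involved, n_key):
    """Offline phase: p tabulated over all 2^J values of the involved key
    bits.  Uninvolved bits are fixed to 0, which is sound only if the
    involvement analysis (division property on the slides) is right."""
    table = {}
    for vals in product((0, 1), repeat=len(involved)):
        key = [0] * n_key
        for j, b in zip(involved, vals):
            key[j] = b
        table[vals] = p(tuple(key))
    return table


def online_filter(observed, table):
    """Online phase: keep the candidate assignments whose stored p equals
    the cube sum observed from the oracle."""
    return {vals for vals, val in table.items() if val == observed}


def demo(true_key=(1, 0, 1), cube=(0, 1), iv_const=(0, 0)):
    """Full pipeline on f; returns ((c, coeffs), surviving candidates)."""
    p = superpoly(f, cube, iv_const)
    if not is_linear(p, N_KEY):
        raise ValueError("superpoly is not linear for this cube")
    c, coeffs = recover_linear(p, N_KEY)
    involved = [j for j, a in enumerate(coeffs) if a]
    table = offline_table(p, involved, N_KEY)
    # The oracle query: the attacker sums the keystream bit over the cube
    # under the unknown true key (constructed here, never read otherwise).
    observed = cube_sum(f, true_key, iv_const, cube)
    return (c, coeffs), online_filter(observed, table)


if __name__ == "__main__":
    (c, coeffs), survivors = demo()
    print("superpoly: %d + %s" % (c, " + ".join(
        "k%d" % j for j, a in enumerate(coeffs) if a)))
    print("surviving (k0, k2) candidates:", sorted(survivors))
```

The choice of the constant part of the IV matters, as step 3 of the offline phase says: for the single-bit cube I = {1}, fixing v_0 = 0 gives the superpoly k_2, while fixing v_0 = 1 gives k_0 + 1. Both are balanced, so each query halves the candidate set for the involved bits; the four-entry table of demo() shrinks to two entries after one oracle query, exactly the factor of two claimed in the online phase.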
19 MILP model for WG-5 initialization
Algorithm 1: MILP model for the initialization of WG-5
 1: function WG5Eval(R)
 2:   Prepare empty MILP model M
 3:   M.var S^0[j] for 0 <= j <= 31, where S^0[j] = (s^0_{5j}, s^0_{5j+1}, s^0_{5j+2}, s^0_{5j+3}, s^0_{5j+4})
 4:   for i = 1 to R do
 5:     (M, S', a) = WGP(S^{i-1})
 6:     (M, S', b) = FBK(S', [0, 2, 3, 4, 6, 7])
 7:     for j = 0 to 30 do
 8:       S^i[j] = S'[j + 1]
 9:     end for
10:     M.con S'[0] = 0
11:     M.var S^i[31] as binary
12:     M.con S^i[31] = a + b
13:   end for
14:   (M, S', z) = KSG(S^R)
15:   for j = 0 to 31 do
16:     M.con S'[j] = 0
17:   end for
18:   M.con z = 1
19: end function
(WGP models the division trails of the WG permutation applied to the last stage, FBK the linear feedback from the listed taps, and KSG the keystream bit; S' denotes the copy of the state that the COPY rules leave behind, which must be consumed entirely, hence the zero constraints.)
20 MILP model for the WG permutation (WGP-5)
WGP-5 as a 5-bit S-box: [0x0, 0x1, 0x1C, 0x4, 0x12, 0x10, 0x1F, 0x13, 0x1E, 0x3, 0x19, 0x15, 0x5, 0x16, 0x18, 0x8, 0xB, 0xF, 0x7, 0xE, 0x17, 0xA, 0xC, 0x6, 0xD, 0x2, 0x14, 0x1D, 0x1B, 0x11, 0x9, 0x1A]
Modeling the division trails of WGP-5: let $(x_0, x_1, x_2, x_3, x_4)$ and $(y_0, y_1, y_2, y_3, y_4)$ be the input and output of the WGP-5 S-box, respectively. The valid division trails $(x, y)$ form a point set in $\{0, 1\}^{10}$; the linear inequalities describing their convex hull are obtained with the inequality_generator() function in Sage, and their number is reduced with Algorithms 1 and 2 of [8].
[8] Xiang, Z., Zhang, W., Bao, Z., Lin, D.: Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers. ASIACRYPT 2016.
21 MILP model for WG permutation (WGP-5) (ctd.) 2x 0 + 2x 1 + 2x 2 + 2x 3 + 6x 4 3y 0 3y 1 3y 2 3y 3 3y 4 1 4x 3 y 0 y 1 y 2 y 3 y 4 1 4x 0 y 0 y 1 y 2 y 3 y 4 1 x 0 x 2 x 3 y 0 + 4y 1 y 2 y 3 2y 4 4 6x 0 3x 1 6x 3 6x 4 + 2y 0 4y 1 + 3y 2 y 3 + 2y x 0 x 1 x 2 3x 3 2x 4 + 9y 0 + 7y 1 + 8y 2 + 9y 3 + 9y 4 0 x 0 + x 1 + x 2 + x 3 + x 4 3y 0 3y 1 3y 2 3y 3 + 5y 4 2 x 0 3x 2 3x 3 2x 4 + y 0 + y 2 + y 3 2y 4 8 x 0 x 1 + 2x 2 x 3 x 4 y 0 2y 1 2y 2 + 3y 3 y 4 5 x 0 2x 1 2x 2 2x 3 x 4 2y 0 y 1 y 2 y 3 + 5y 4 8 2x 0 x 1 2x 2 2x 4 + y 0 + y 1 y 2 + y 4 6 x 0 x 2 x 3 + y 0 y
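As an added worked example (not the authors' code, and without a MILP solver), the following Python computes the division trails of the WGP-5 S-box from its algebraic normal form: a trail $k \to v$ exists exactly when the ANF of $\pi_v(S(x)) = \prod_{i : v_i = 1} y_i$ contains a monomial $x^u$ with $u \succeq k$. The resulting $(k, v)$ points are what the slide hands to Sage's inequality_generator(); the convex-hull and inequality-reduction steps of [8] are not reproduced. The convention that bit $i$ of the table index is $x_i$ (and bit $i$ of the table value is $y_i$) is an assumption; the checks below do not depend on it.

```python
"""Bit-based division trails of the WGP-5 S-box (added example).

Computes the ANF of every product of output bits pi_v(S(x)) with a Moebius
transform and derives the set of division trails k -> v: a trail exists
exactly when pi_v(S(x)) contains a monomial x^u with u >= k bitwise.  The
resulting (k, v) points are the input to the convex-hull step on the slide.
Bit i of an integer is taken as x_i / y_i (ordering assumption; the checks
in the usage note do not depend on it).
"""

# WGP-5 S-box as listed on the slide.
WGP5 = [0x0, 0x1, 0x1C, 0x4, 0x12, 0x10, 0x1F, 0x13, 0x1E, 0x3, 0x19, 0x15,
        0x5, 0x16, 0x18, 0x8, 0xB, 0xF, 0x7, 0xE, 0x17, 0xA, 0xC, 0x6, 0xD,
        0x2, 0x14, 0x1D, 0x1B, 0x11, 0x9, 0x1A]
N = 5


def is_permutation(sbox, n):
    """True if the table is a bijection on n-bit values."""
    return sorted(sbox) == list(range(1 << n))


def anf(truth_table, n):
    """Moebius transform: truth table indexed by x -> ANF coefficient of x^u, indexed by u."""
    coef = list(truth_table)
    for i in range(n):
        bit = 1 << i
        for x in range(1 << n):
            if x & bit:
                coef[x] ^= coef[x ^ bit]
    return coef


def product_monomials(sbox, n, v):
    """Monomials x^u (as bit masks) in the ANF of pi_v(S(x)) = prod_{i: v_i = 1} y_i."""
    truth_table = [1 if (sbox[x] & v) == v else 0 for x in range(1 << n)]
    coef = anf(truth_table, n)
    return {u for u in range(1 << n) if coef[u]}


def division_trails(sbox, n):
    """k -> set of v such that (k, v) is a division trail through the S-box.
    Redundant output vectors (those dominating another valid one) are kept."""
    monomials = {v: product_monomials(sbox, n, v) for v in range(1 << n)}
    return {k: {v for v in range(1 << n)
                if any(u & k == k for u in monomials[v])}
            for k in range(1 << n)}


def trail_points(trails, n):
    """(x_0..x_{n-1}, y_0..y_{n-1}) 0/1 vectors: the point set whose convex
    hull yields the linear inequalities of the MILP model."""
    points = []
    for k, vs in trails.items():
        for v in sorted(vs):
            points.append(tuple((k >> i) & 1 for i in range(n))
                          + tuple((v >> i) & 1 for i in range(n)))
    return points


def algebraic_degree(sbox, n):
    """Maximum monomial weight over the coordinate functions y_0, ..., y_{n-1}."""
    return max(bin(u).count("1")
               for i in range(n)
               for u in product_monomials(sbox, n, 1 << i))


if __name__ == "__main__":
    trails = division_trails(WGP5, N)
    print("permutation:", is_permutation(WGP5, N))
    print("algebraic degree:", algebraic_degree(WGP5, N))
    print("trail points:", len(trail_points(trails, N)), "in {0,1}^10")
    print("trails from 11111:", sorted(trails[0b11111]))
```

Two sanity checks that hold for any bijective S-box and that a practitioner should run before trusting a hand-built trail table: the all-ones input vector propagates only to the all-ones output (the product of all five output bits is the only product whose ANF contains $x_0 x_1 x_2 x_3 x_4$, because a product of fewer output bits of a permutation is 1 on an even number of inputs), and no nonzero input vector propagates to the all-zero output vector. Trails are also monotone: every output reachable from $k$ is reachable from any $k' \preceq k$.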
22 MILP model for FBK and KSG
MILP model for FBK: the feedback function is $S^i[0] \oplus S^i[2] \oplus S^i[3] \oplus S^i[4] \oplus S^i[6] \oplus S^i[7]$ on 5-bit words (the constant multiplication by $\gamma$ on the stage-0 tap is $\mathbb{F}_2$-linear), so only the division property of bitwise XOR is modeled.
MILP model for KSG: the keystream bit after $R$ rounds is $z = \mathrm{Tr}(\text{WGP-5}((S^R[31])^3))$, a Boolean function of the five bits $s^R_{155}, s^R_{156}, s^R_{157}, s^R_{158}, s^R_{159}$ of the last stage. The slide expands its ANF as a sum of products of these bits (the expansion is not legible in this transcription), so the division property of bitwise XOR and AND is modeled.
23 Number of MILP variables & constraints Function # of variables # of constraints WGP FBK KSG R round of WG R + 5R R + 10R 19
24 MILP model to find involved secret variables in superpoly Step 4-6 sets the input initial division property. 20
25 Results
Table 1: Involved secret variables in the superpoly for cube indices $I \in \{I_1, I_2, I_3, I_4, I_5\}$, where $I_1 = \{0, 1, 2, 3\}$, $I_2 = \{0, 1, 2, 4\}$, $I_3 = \{0, 1, 3, 4\}$, $I_4 = \{0, 2, 3, 4\}$, $I_5 = \{1, 2, 3, 4\}$ (the five 4-bit cubes inside the first IV word $IV[0]$).
Rounds | Involved secret variables | J
15 | {k_5, k_6, ..., k_54} | 50
16 | {k_5, k_6, ..., k_54} | 50
17 | {k_5, k_6, ..., k_59} | 55
18 | {k_5, k_6, ..., k_59} | 55
19 | {k_5, k_6, ..., k_64} | 60
20 | {k_5, k_6, ..., k_64} | 60
21 | {k_5, k_6, ..., k_69} | 65
22 | {k_5, k_6, ..., k_69} | 65
23 | {k_5, k_6, ..., k_74} | 70
24 | {k_5, k_6, ..., k_74} | 70
The time-complexity column ($\log_2$) of the slide is not legible in this transcription.
26 Key recovery for 24 rounds
Key recovery procedure:
1. Choose a value for the constant part of the IV and vary all remaining values to recover $p(k_5, k_6, \ldots, k_{74}, \bar{v})$, where $\bar{v} = \{v_0, v_1, \ldots, v_{79}\} \setminus \{v_j : j \in I_i\}$, for $1 \le i \le 5$ and $R = 24$.
2. Store the $2^{70}$ values of $p(\bar{k}, \bar{v})$ for each cube.
3. Query the cube $C_{I_i}$ to the encryption oracle and compute the sum $\bigoplus_{C_{I_i}} f(k, v)$.
4. Compare this sum with the values of $p$ stored in the offline phase and discard the values of $\{k_5, k_6, \ldots, k_{74}\}$ for which they differ. The ten key bits $k_0, \ldots, k_4, k_{75}, \ldots, k_{79}$ are not involved in any of the five superpolys and are recovered by guessing.
Data complexity and time complexity: the figures on the slide are not legible in this transcription (by the formula of the offline phase, each cube alone costs $2^{|I| + J} = 2^{74}$ evaluations).
27 Attack comparison with algebraic attacks
The existing algebraic attack [9] on WG-5 requires data and time complexity $2^{15}$ and $2^{33}$, respectively, but it is not applicable if the WGP-5 output is fed back into the state during the keystream generation (KSG) phase. Our attack is unaffected by such feedback during the KSG phase, since it targets the initialization.
[9] Rønjom, S.: Improving algebraic attacks on stream ciphers based on linear feedback shift registers over $\mathbb{F}_{2^k}$. DCC.
28 Comparison with Grain128a & Trivium
29 Grain128a
Figure: a 128-bit NLFSR $b$ updated by $g$, a 128-bit LFSR $s$ updated by $f$, and the output function $h$ producing $z$ (figure not reproduced).
Key: 128 bits, IV: 96 bits, number of initialization rounds: 256.
Initial state: $(b_0, b_1, \ldots, b_{127}) = (k_0, k_1, \ldots, k_{127})$, $(s_0, s_1, \ldots, s_{127}) = (iv_0, iv_1, \ldots, iv_{95}, 1, \ldots, 1, 0)$.
State update functions:
$g = b_0 + b_{26} + b_{56} + b_{91} + b_{96} + b_3 b_{67} + b_{11} b_{13} + b_{17} b_{18} + b_{27} b_{59} + b_{40} b_{48} + b_{61} b_{65} + b_{68} b_{84} + b_{88} b_{92} b_{93} b_{95} + b_{22} b_{24} b_{25} + b_{70} b_{78} b_{82}$
$f = s_0 + s_7 + s_{38} + s_{70} + s_{81} + s_{96}$
$h = b_{12} s_8 + s_{13} s_{20} + b_{95} s_{42} + s_{60} s_{79} + b_{12} b_{95} s_{94}$
$z = h + s_{93} + b_2 + b_{15} + b_{36} + b_{45} + b_{64} + b_{73} + b_{89}$
$(b_0, b_1, \ldots, b_{127}) \leftarrow (b_1, b_2, \ldots, b_{127}, g + s_0 + z)$
$(s_0, s_1, \ldots, s_{127}) \leftarrow (s_1, s_2, \ldots, s_{127}, f + z)$
(during initialization $z$ is fed back into both registers instead of being output).
30 Trivium
Figure: three shift registers of 93, 84 and 111 bits, each fed by one of $t_3, t_1, t_2$ (figure not reproduced).
Key: 80 bits, IV: 80 bits, number of initialization rounds: 1152.
Initial state:
$(s_0, s_1, \ldots, s_{92}) = (k_0, k_1, \ldots, k_{79}, 0, \ldots, 0)$
$(s_{93}, s_{94}, \ldots, s_{176}) = (iv_0, iv_1, \ldots, iv_{79}, 0, \ldots, 0)$
$(s_{177}, s_{178}, \ldots, s_{287}) = (0, 0, \ldots, 0, 1, 1, 1)$
State update function:
$t_1 \leftarrow s_{65} + s_{92}$, $t_2 \leftarrow s_{161} + s_{176}$, $t_3 \leftarrow s_{242} + s_{287}$
$z \leftarrow t_1 + t_2 + t_3$
$t_1 \leftarrow t_1 + s_{90} s_{91} + s_{170}$, $t_2 \leftarrow t_2 + s_{174} s_{175} + s_{263}$, $t_3 \leftarrow t_3 + s_{285} s_{286} + s_{68}$
$(s_0, s_1, \ldots, s_{92}) \leftarrow (t_3, s_0, \ldots, s_{91})$
$(s_{93}, s_{94}, \ldots, s_{176}) \leftarrow (t_1, s_{93}, \ldots, s_{175})$
$(s_{177}, s_{178}, \ldots, s_{287}) \leftarrow (t_2, s_{177}, \ldots, s_{286})$
(no keystream is output during the 1152 initialization rounds).
31 Comparison of initialization phases
Figure: generic initialization structure used for the comparison: an NLFSR updated by $g(y_0, y_1, \ldots, y_{m-1})$ and an LFSR updated by $f(x_0, x_1, \ldots, x_{n-1})$, $n + m$ state bits in total, with nonlinear components $G(Y_{i_1}), G(Y_{i_2}), \ldots, G(Y_{i_k})$ applied to selected state words (figure not reproduced).
32 Comparison of initialization phases (cont.)
Observations on the keystream bit:
For Trivium, the degree of $z$ is 3 after 81 rounds.
For Grain128a, the degree of $z$ is 6 after 32 rounds.
For WG-5, the degree of $z$ is 6 after 1 round.
The degree of WG-5 grows much faster than that of Grain128a and Trivium.
33 Comparison of initialization phases (cont.)
More observations:
For WG-5, the 5 bits processed by WGP-5 at the $i$-th round are used to generate the keystream bit at round $i + 1$, along with the $5 \cdot 6 = 30$ new bits from the feedback function.
For Grain128a, the updated bits $b_{127}$ and $s_{127}$ of the $i$-th round are used in the keystream bit at rounds $i + 32$ and $i + 33$, respectively.
For Trivium, the values of $t_1$, $t_2$ and $t_3$ at the $i$-th round are used in the keystream bit at rounds $i + 90$, $i + 81$ and $i + \ldots$ (third offset not legible in this transcription), respectively.
Cube attacks cover more than half of the rounds for Grain128a (183/256) and Trivium (832/1152) [10], compared with 24/64 for WG-5.
[10] Todo, Y., Isobe, T., Hao, Y., Meier, W.: Cube attacks on non-blackbox polynomials based on division property. CRYPTO 2017.
34 Conclusions
35 Conclusions
In this paper:
we investigated the security of reduced-round WG-5 with respect to cube attacks;
the attack on 24 rounds requires data complexity $2^{\ldots}$ and time complexity $2^{\ldots}$ (the figures are not legible in this transcription);
we compared the WG-5 initialization phase with those of Grain128a and Trivium and showed that WG-5 is more resistant to cube attacks.
Full paper can be found at: (link not reproduced)
36 Thank you for your attention!
Communication Security (ComSec) Lab, Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, ON, N2L 3G1, CANADA
Sondre Rønjom 1 and Carlos Cid 2 1 Crypto Technology Group, Norwegian National Security Authority, Bærum, Norway 2 Information Security Group, Royal Holloway, University of London Egham, United Kingdom
More informationComparison of cube attacks over different vector spaces
Comparison of cube attacks over different vector spaces Richard Winter 1, Ana Salagean 1, and Raphael C.-W. Phan 2 1 Department of Computer Science, Loughborough University, Loughborough, UK {R.Winter,
More informationDesign of a New Stream Cipher: PALS
Design of a New Stream Cipher: PALS Mohammadreza Ashouri, University of Potsdam, Germany Ashouri@uni-potsdam.de Abstract In this paper, a new stream cipher is designed as a clock-controlled one, but with
More informationMILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers
MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers Ling Sun 1, Wei Wang 1, Meiqin Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security,
More informationCube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium
Cube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium Jean-Philippe Aumasson 1, Itai Dinur 2, Willi Meier 1, and Adi Shamir 2 1 FHNW, Windisch, Switzerland 2 Computer Science Department,
More informationComputing the biases of parity-check relations
Computing the biases of parity-check relations Anne Canteaut INRIA project-team SECRET B.P. 05 7853 Le Chesnay Cedex, France Email: Anne.Canteaut@inria.fr María Naya-Plasencia INRIA project-team SECRET
More informationBlock Cipher Cryptanalysis: An Overview
0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution
More informationLinear Cryptanalysis of Reduced-Round Speck
Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be
More informationModified Alternating Step Generators
Modified Alternating Step Generators Robert Wicik, Tomasz Rachwalik Military Communication Institute Warszawska 22A, 05-130 Zegrze, Poland {r.wicik, t.rachwalik}@wil.waw.pl Abstract. Irregular clocking
More informationThe ANF of the Composition of Addition and Multiplication mod 2 n with a Boolean Function
The ANF of the Composition of Addition and Multiplication mod 2 n with a Boolean Function An Braeken 1 and Igor Semaev 2 1 Department Electrical Engineering, ESAT/COSIC, Katholieke Universiteit Leuven,
More informationA Byte-Based Guess and Determine Attack on SOSEMANUK
A Byte-Based Guess and Determine Attack on SOSEMANUK Xiutao Feng, Jun Liu, Zhaocun Zhou, Chuankun Wu and Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy
More informationCryptanalysis of the Knapsack Generator
Cryptanalysis of the Knapsack Generator Simon Knellwolf and Willi Meier FHNW, Switzerland Abstract. The knapsack generator was introduced in 1985 by Rueppel and Massey as a novel LFSR-based stream cipher
More informationA survey of algebraic attacks against stream ciphers
A survey of algebraic attacks against stream ciphers Frederik Armknecht NEC Europe Ltd. Network Laboratories frederik.armknecht@netlab.nec.de Special semester on Gröbner bases and related methods, May
More informationImproved Linear Cryptanalysis of SOSEMANUK
Improved Linear Cryptanalysis of SOSEMANUK Joo Yeon Cho and Miia Hermelin Helsinki University of Technology, Department of Information and Computer Science, P.O. Box 5400, FI-02015 TKK, Finland {joo.cho,miia.hermelin}@tkk.fi
More informationSiwei Sun, Lei Hu, Peng Wang, Kexin Qiao, Xiaoshuang Ma, Ling Song
Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-oriented Block Ciphers Siwei Sun, Lei Hu, Peng Wang, Kexin
More informationOvertaking VEST. 45, avenue des États-Unis, Versailles Cedex, France 3 DCSSI Crypto Lab
Overtaking VEST Antoine Joux 1,2 and Jean-René Reinhard 3 1 DGA 2 Université de Versailles St-Quentin-en-Yvelines, PRISM 45, avenue des États-Unis, 78035 Versailles Cedex, France antoine.joux@m4x.org 3
More informationOpen problems related to algebraic attacks on stream ciphers
Open problems related to algebraic attacks on stream ciphers Anne Canteaut INRIA - projet CODES B.P. 105 78153 Le Chesnay cedex - France e-mail: Anne.Canteaut@inria.fr Abstract The recently developed algebraic
More informationTransform Domain Analysis of DES. Guang Gong and Solomon W. Golomb. University of Southern California. Tels and
Transform Domain Analysis of DES Guang Gong and Solomon W. Golomb Communication Sciences Institute University of Southern California Electrical Engineering-Systems, EEB # 500 Los Angeles, California 90089-2565
More informationBreaking the F-FCSR-H Stream Cipher in Real Time
Breaking the F-FCSR-H Stream Cipher in Real Time Martin Hell and Thomas Johansson Dept. of Electrical and Information Technology, Lund University, P.O. Box 118, 221 00 Lund, Sweden Abstract. The F-FCSR
More informationGurgen Khachatrian Martun Karapetyan
34 International Journal Information Theories and Applications, Vol. 23, Number 1, (c) 2016 On a public key encryption algorithm based on Permutation Polynomials and performance analyses Gurgen Khachatrian
More informationCharacterizations on Algebraic Immunity for Multi-Output Boolean Functions
Characterizations on Algebraic Immunity for Multi-Output Boolean Functions Xiao Zhong 1, and Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190, China. Graduate School
More informationTwo Generic Methods of Analyzing Stream Ciphers
Two Generic Methods of Analyzing Stream Ciphers Lin Jiao 1,2, Bin Zhang 1,3, and Mingsheng Wang 4 1 TCA, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China 2 University of Chinese
More informationMaximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers
Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers Muxiang Zhang 1 and Agnes Chan 2 1 GTE Laboratories Inc., 40 Sylvan Road LA0MS59, Waltham, MA 02451 mzhang@gte.com 2 College of Computer
More informationSecurity Evaluation of Stream Cipher Enocoro-128v2
Security Evaluation of Stream Cipher Enocoro-128v2 Hell, Martin; Johansson, Thomas 2010 Link to publication Citation for published version (APA): Hell, M., & Johansson, T. (2010). Security Evaluation of
More informationImproved Linear Distinguishers for SNOW 2.0
Improved Linear Distinguishers for SNOW 2.0 Kaisa Nyberg 1,2 and Johan Wallén 1 1 Helsinki University of Technology and 2 Nokia Research Center, Finland Email: kaisa.nyberg@nokia.com; johan.wallen@tkk.fi
More informationCryptanalysis of PRESENT-like ciphers with secret S-boxes
Cryptanalysis of PRESENT-like ciphers with secret S-boxes Julia Borghoff Lars Knudsen Gregor Leander Søren S. Thomsen DTU, Denmark FSE 2011 Cryptanalysis of Maya Julia Borghoff Lars Knudsen Gregor Leander
More informationSearching for Nonlinear Feedback Shift Registers with Parallel Computing
Searching for Nonlinear Feedback Shift Registers with Parallel Computing Przemysław Dąbrowski, Grzegorz Łabuzek, Tomasz Rachwalik, Janusz Szmidt Military Communication Institute ul. Warszawska 22A, 05-130
More information