Attack on Broadcast RC4
|
|
- Hilary Cameron
- 6 years ago
- Views:
Transcription
1 Attack on Broadcast RC4 Revisited S. Maitra 1 G. Paul 2 S. Sen Gupta 1 1 Indian Statistical Institute, Kolkata 2 Jadavpur University, Kolkata FSE 2011, Lyngby, Denmark 15 February 2011
2 Outline of the Talk Introduction Basics of RC4 Stream Cipher Motivation and Contribution Our Result: Bias of Output Bytes Computing the Bias Exploiting the Bias Attack on RC4 Broadcast Scheme Study: on-randomness of j on-randomness in Different Rounds Conclusion Summary of the Paper 2 of 26
3 Introduction RC4 Stream Cipher Designed by Ron Rivest in 1987 Data Structure S-array of size = 256 bytes Key k of size 5 to 16 bytes Final key K of = 256 bytes Two indices i and j Output: Stream of bytes Photo: 3 of 26
4 Introduction RC4 Stream Cipher Key Scheduling Algo (KSA) j = j + S[i] + K[i] i j of 26
5 Introduction RC4 Stream Cipher Key Scheduling Algo (KSA) j = j + S[i] + K[i] i j Pseudo-Random Gen. Algo (PRGA) j = j + S[i] S[i] + S[j] i j Z 4 of 26
6 Introduction Cryptanalysis of RC4 More than 20 years of cryptanalytic results Finney Cycle [1994] Key-Output Correlation [Roos, 1995] [Paul & Maitra, 2007, 2008] Key-Permutation Correlation [Roos, 1995] [Paul & Maitra, 2007] on-randomness of Permutation [Mantin, 2001] Fault Attacks [Hoch & Shamir, 2004] [Mantin, 2005] [Biham et al, 2005] State Recovery [Knudsen et al, 1998] [Tomasevic et al, 2004] [Maximov, 2008] on-random event: Glimpse Bias [Jenkins, 1996] 5 of 26
7 Introduction Cryptanalysis of RC4 More than 20 years of cryptanalytic results Finney Cycle [1994] Key-Output Correlation [Roos, 1995] [Paul & Maitra, 2007, 2008] Key-Permutation Correlation [Roos, 1995] [Paul & Maitra, 2007] on-randomness of Permutation [Mantin, 2001] Fault Attacks [Hoch & Shamir, 2004] [Mantin, 2005] [Biham et al, 2005] State Recovery [Knudsen et al, 1998] [Tomasevic et al, 2004] [Maximov, 2008] on-random event: Glimpse Bias [Jenkins, 1996] Distinguishing Attacks 5 of 26
8 Introduction Distinguishing Attacks Goal: Find an event which occurs with different probability in RC4 than in case of a perfectly random source. Existing Distinguishers Digraph Repetition Bias (Occurrence of ABTAB) [Mantin, 2001] Biased Second Output Byte (z 2 = 0) [Mantin & Shamir, 2001] A set of new linear biases of RC4 [Sepehrdad et al, 2010]... a few more in this work 6 of 26
9 Introduction Motivation for this Work FSE A Practical Attack on Broadcast RC4. I. Mantin and A. Shamir. LCS 2355, pp , Main Claim: Pr(z 2 = 0) 2 (bias of second byte) 7 of 26
10 Introduction Motivation for this Work FSE A Practical Attack on Broadcast RC4. I. Mantin and A. Shamir. LCS 2355, pp , Main Claim: Pr(z 2 = 0) 2 (bias of second byte) Two related claims 1. Pr(z r = 0) 1 at PRGA rounds 3 r Pr(z r = 0 j r = 0) > 1 and Pr(z r = 0 j r 0) < 1 for 3 r 255. These two biases, when combined, cancel each other to give no bias at z r = 0 for rounds 3 to of 26
11 Introduction Contribution of this Work FSE Attack on Broadcast RC4 Revisited. 1. Pr(z r = 0) 1 at PRGA rounds 3 r 255. Pr(z r = 0) 1 for 3 r 255 Additional results exploiting the above bias 8 of 26
12 Introduction Contribution of this Work FSE Attack on Broadcast RC4 Revisited. 1. Pr(z r = 0) 1 at PRGA rounds 3 r 255. Pr(z r = 0) 1 for 3 r 255 Additional results exploiting the above bias 2. Pr(z r = 0 j r = 0) > 1 and Pr(z r = 0 j r 0) < 1 for 3 r 255. These two biases, when combined, cancel each other to give no bias at z r = 0 for rounds 3 to 255. Further investigation of the events Careful analysis of non-randomness of j 8 of 26
13 Our Result: Bias of Output Bytes Our Result Bias of Output Bytes 9 of 26
14 Our Result: Bias of Output Bytes Our Result Output bytes 3 to 255 are also biased to Zero Theorem For 3 r 255, the probability that the r-th RC4 keystream byte is equal to 0 is Pr(z r = 0) 1 + c r 2. where c r is given by [ ( 1 ) r + ( 1 ) r 1 ( 1 ) 1 ] [ ( 1 ) r 2 ] of 26
15 Our Result: Bias of Output Bytes Motivation for Proof (our result) Proposition (Jenkins Correlation) After the r-th (r 1) round of the PRGA, Pr(S r [j r ] = i r z r ) = Pr(S r [i r ] = j r z r ) 2. Corollary After the r-th (r 1) round of the PRGA, Pr(z r = r S r 1 [r]) of 26
16 Our Result: Bias of Output Bytes Motivation for Proof (our result) Proposition (Jenkins Correlation) After the r-th (r 1) round of the PRGA, Pr(S r [j r ] = i r z r ) = Pr(S r [i r ] = j r z r ) 2. Corollary After the r-th (r 1) round of the PRGA, Pr(z r = r S r 1 [r]) 2. How about Pr(S r 1 [r] = r)? 11 of 26
17 Our Result: Bias of Output Bytes Mantin s Observation At the end of KSA, for 0 u 1, 0 v 1, [ ( Pr(S 0 [u] = v) = 1 1 ) v ( + 1 ( ) 1 v ) ( 1 ) u 1 ] [ ( Pr(S 0 [u] = v) = 1 1 ) u 1 ( + 1 ) v ] v u v > u 12 of 26
18 Our Result: Bias of Output Bytes Mantin s Observation At the end of KSA, for 0 u 1, 0 v 1, [ ( Pr(S 0 [u] = v) = 1 1 ) v ( + 1 ( ) 1 v ) ( 1 ) u 1 ] [ ( Pr(S 0 [u] = v) = 1 1 ) u 1 ( + 1 ) v ] v u v > u Does this propagate to PRGA? 12 of 26
19 Our Result: Bias of Output Bytes Sketch of Proof (our result) Mantin s Observation: Bias for S 0 [r] = r S r 1 [r] = r may happen in two ways: 1. S 0 [r] = r and i, j never touches this cell 2. S 0 [r] r but S r 1 [r] = r occurs at random 13 of 26
20 Our Result: Bias of Output Bytes Sketch of Proof (our result) Mantin s Observation: Bias for S 0 [r] = r S r 1 [r] = r may happen in two ways: 1. S 0 [r] = r and i, j never touches this cell 2. S 0 [r] r but S r 1 [r] = r occurs at random Lemma For r 3, the probability that S r 1 [r] = r is [ ( ) ] 1 r 1 Pr(S r 1 [r] = r) Pr(S 0 [r] = r) of 26
21 Our Result: Bias of Output Bytes Sketch of the Proof (our result) z r = 0 can be branched as follows: S r 1 [r] = r (lemma) and z r = r S r 1 [r] (Jenkin) S r 1 [r] r (lemma) and z r = 0 (random) 14 of 26
22 Our Result: Bias of Output Bytes Sketch of the Proof (our result) z r = 0 can be branched as follows: S r 1 [r] = r (lemma) and z r = r S r 1 [r] (Jenkin) S r 1 [r] r (lemma) and z r = 0 (random) Hence the result: Pr(z r = 0) 1 + c r 2 with c r = [ ( 1 ) r + ( 1 ) r 1 ( 1 ) 1 ] [ ( 1 ) r 2 ] of 26
23 Our Result: Bias of Output Bytes umerical Bound on c r max c r = c 3 = and min c r = c 255 = r r Pr(z r = 0) of 26
24 Our Result: Bias of Output Bytes Experimental Verification umber of trials = 1 Billion Key size = 16 Bytes [ote: Sepehrdad et al (2010) do not cover these biases] 16 of 26
25 Our Result: Bias of Output Bytes Applications Of the Biases Discovered 17 of 26
26 Our Result: Bias of Output Bytes Appl. 1: A Class of ew Distinguishers E occurs in X with probability p and in Y with probability p(1 + ɛ) implies a possible distinguisher with O(p 1 ɛ 2 ) required samples. In case of our E : z r = 0 for 3 r 255, Random source: p = 1 RC4 Keystream: p(1 + ɛ) = 1 ( 1 + c r ) 18 of 26
27 Our Result: Bias of Output Bytes Appl. 1: A Class of ew Distinguishers E occurs in X with probability p and in Y with probability p(1 + ɛ) implies a possible distinguisher with O(p 1 ɛ 2 ) required samples. In case of our E : z r = 0 for 3 r 255, Random source: p = 1 RC4 Keystream: p(1 + ɛ) = 1 ( 1 + c r ) We get 253 new distinguishers, each requiring O( 3 ) samples! [ote: Mantin & Shamir (2001) distinguisher is much stronger] 18 of 26
28 Our Result: Bias of Output Bytes Appl. 2: Guessing State Information Idea: Guess S r 1 [r] = r using output information z r = 0 Pr(S r 1 [r] = r z r = 0) = Pr(S r 1[r]=r) Pr(z r =0) Pr(z r = 0 S r 1 [r] = r) 2 ( 1 + cr ) ( cr 1 + c r ) of 26
29 Our Result: Bias of Output Bytes Appl. 3: Attack on RC4 Broadcast Scheme Situation: Message M is broadcast to k parties (random keys) Attack: Reliably extract byte(s) of M from the k ciphertexts 20 of 26
30 Our Result: Bias of Output Bytes Appl. 3: Attack on RC4 Broadcast Scheme Situation: Message M is broadcast to k parties (random keys) Attack: Reliably extract byte(s) of M from the k ciphertexts Mantin & Shamir (FSE 2001): Extract 2nd byte of M given k = Ω() We can extract bytes 3 to 255 of M given k = Ω( 3 ) Idea: r-th byte of M gets XOR-ed with z r, which is 0 most often. 20 of 26
31 Study: on-randomness of j Study on-randomness of j 21 of 26
32 Study: on-randomness of j on-randomness of j 1 ote that j 1 = j 0 + S 0 [i 1 ] = 0 + S 0 [1] = S 0 [1], where S 0 is the state array right after KSA is over. Pr(j 1 = v) = Pr(S 0 [1] = v) = 1, v = ( 1 ( ( ( 1 ) 2 ), v = 1 ) 2 ( + 1 ) v ), v > 1 22 of 26
33 Study: on-randomness of j on-randomness of j 1 ote that j 1 = j 0 + S 0 [i 1 ] = 0 + S 0 [1] = S 0 [1], where S 0 is the state array right after KSA is over. Pr(j 1 = v) = Pr(S 0 [1] = v) = 1, v = ( 1 ( ( ( 1 ) 2 ), v = 1 ) 2 ( + 1 ) v ), v > 1 Clearly not random! 22 of 26
34 Study: on-randomness of j on-randomness of j 2 ote that j 2 = j 1 + S 1 [i 2 ] = S 0 [1] + S 1 [2] Pr(j 2 = v) = 1 w=0 Pr(S 0 [1] = w) Pr((S 1 [2] = v w) (S 0 [1] = w)) 23 of 26 Case I. S 0 [1] = 2 S 1 [2] = 2. Pr((S 1 [2] = v 2) (S 0 [1] = 2)) = Case II. S 0 [1] 2 S 1 [2] = S 0 [2]. { 1 if v = 4, 0 otherwise. Pr((S 1 [2] = v w) (S 0 [1] 2)) = Pr(S 0 [2] = v w).
35 Study: on-randomness of j on-randomness of j 2 24 of 26
36 Study: on-randomness of j on-randomness of j 2 Appl: Combine Jenkin s bias Pr(S r [i r ] = j r z r ) = 2 to get Pr(S 2 [i 2 ] = 4 z 2 ) 1 + 4/ of 26 [ote: Sepehrdad et al (2010) do not cover this bias] [ote: j behaves almost random round 3 onwards]
37 Conclusion Summary This paper: Revisiting Mantin Shamir paper from FSE Bias of Keystream bytes towards Zero EW A new class of distinguishers for RC4 Attack on RC4 broadcast scheme along this line Guessing related state information from keystream 2. Strong bias of j 2 towards 4 EW Guessing related state information from keystream 25 of 26
38 Conclusion thank you for your kind attention 26 of 26
Attack on Broadcast RC4 Revisited
Attack on Broadcast RC4 Revisited Subhamoy Maitra, Goutam Paul 2, and Sourav Sen Gupta Applied Statistics Unit, Indian Statistical Institute, Kolkata 700 08, India {subho,souravsg r}@isical.ac.in 2 Department
More informationProof of Empirical RC4 Biases and New Key Correlations
Proof of Empirical RC4 Biases and ew Key Correlations Sourav Sen Gupta, Subhamoy Maitra, Goutam Paul 2, and Santanu Sarkar Applied Statistics Unit, Indian Statistical Institute, Kolkata 700 08, India 2
More information(Non-)Random Sequences from (Non-)Random Permutations - Analysis of RC4 stream cipher
(on-)random Sequences from (on-)random Permutations - Analysis of RC4 stream cipher Sourav Sen Gupta, Subhamoy Maitra, Goutam Paul 2, and Santanu Sarkar Applied Statistics Unit, Indian Statistical Institute,
More informationNew Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4
ew Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4 Subhamoy Maitra Applied Statistics Unit, Indian Statistical Institute, 203 B T Road, Kolkata 700 08, India, Email: subho@isical.ac.in
More information(Non-)Random Sequences from (Non-)Random Permutations Analysis of RC4 Stream Cipher
J. Cryptol. (2014) 27: 67 108 DOI: 10.1007/s00145-012-9138-1 (on-)random Sequences from (on-)random Permutations Analysis of RC4 Stream Cipher Sourav Sen Gupta and Subhamoy Maitra Applied Statistics Unit,
More informationSome New Weaknesses in the RC4 Stream Cipher
Some ew Weaknesses in the RC4 Stream Cipher Jing Lv (B), Bin Zhang, and Dongdai Lin 2 Laboratory of Trusted Computing and Information Assurance, Institute of Software, Chinese Academy of Sciences, 0090
More informationRecent Cryptanalysis of RC4 Stream Cipher
28 August, 2013 ASK 2013 @ Weihai, China Recent Cryptanalysis of RC4 Stream Cipher Takanori Isobe Kobe University Joint work with Toshihiro Ohigashi, Yuhei Watanabe, and Maskatu Morii Agenda This talk
More informationRC4 State Information at Any Stage Reveals the Secret Key
RC4 State Information at Any Stage Reveals the Secret Key Goutam Paul Department of Computer Science and Engineering, Jadavpur University, Kolkata 700 032, India, Email: goutam paul@cse.jdvu.ac.in Subhamoy
More informationRevisiting Roos Bias in RC4 Key Scheduling Algorithm
Revisiting Roos Bias in RC4 Key Scheduling Algorithm Santanu Sarkar, Ayineedi Venkateswarlu To cite this version: Santanu Sarkar, Ayineedi Venkateswarlu. Revisiting Roos Bias in RC4 Key Scheduling Algorithm.
More informationDependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA
Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Sourav Sen Gupta 1 Subhamoy Maitra 1 Willi Meier 2 Goutam Paul 1 Santanu Sarkar 3 Indian Statistical Institute, India FHNW, Windisch,
More informationPredicting and Distinguishing Attacks on RC4 Keystream Generator
Predicting and Distinguishing Attacks on RC4 Keystream Generator Itsik Mantin NDS Technologies, Israel imantin@nds.com Abstract. In this paper we analyze the statistical distribution of the keystream generator
More informationExpanding Weak-key Space of RC4
[DOI: 10.2197/ipsjjip.22.357] Recommended Paper Expanding Weak-key Space of RC4 Atsushi agao 1,a) Toshihiro Ohigashi 2 Takanori Isobe 1 Masakatu Morii 1 Received: July 7, 2013, Accepted: ovember 1, 2013
More informationKey reconstruction from the inner state of RC4
BACHELOR THESIS Lukáš Sladký Key reconstruction from the inner state of RC4 Department of Algebra Supervisor of the bachelor thesis: Study programme: Study branch: Mgr. Milan Boháček Mathematics Mathematical
More informationCryptanalysis of the Full Spritz Stream Cipher
Cryptanalysis of the Full Spritz Stream Cipher Subhadeep Banik 1,2 and Takanori Isobe 3 1 School of Physical and Mathematical Sciences, NTU 2 DTU Compute, Technical University of Denmark, Lungby 3 Sony
More informationOn the Weak State in GGHN-like Ciphers
2012 Seventh International Conference on Availability, Reliability and Security On the Weak State in GGH-like Ciphers Aleksandar Kircanski Dept. of Computer Science and Software Engineering Concordia University
More informationOn a new properties of random number sequences,a randomness test and a new RC4 s key scheduling algorithm.
On a new properties of random number sequences,a randomness test and a new RC4 s key scheduling algorithm. Samir Bouftass 1 and Abdelhak Azhari 2 1 Crypticator.Inc, e-mail : crypticator@gmail.com. 2 University
More informationstate-recovery analysis of spritz
state-recovery analysis of spritz Ralph Ankele 1 Stefan Kölbl 2 Christian Rechberger 2 August 25, 2015 1 RHUL, Royal Holloway University of London, United Kingdom 2 DTU Compute, Technical University of
More informationMessage Authentication (MAC) Algorithm For The VMPC-R (RC4-like) Stream Cipher
Message Authentication (MAC) Algorithm For The VMPC-R (RC4-like) Stream Cipher Bartosz Zoltak www.vmpcfunction.com bzoltak@vmpcfunction.com Abstract. We propose an authenticated encryption scheme for the
More informationDifferential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy
Differential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium wu.hongjun,bart.preneel@esat.kuleuven.be
More informationImproved Distinguishing Attacks on HC-256
Improved Distinguishing Attacks on HC-256 Gautham Sekar 1,2, and Bart Preneel 1,2 1 Department of Electrical Engineering ESAT/SCD-COSIC, Katholieke Universiteit Leuven, Kasteelpark Arenberg 10, B-3001
More informationHow to Find Short RC4 Colliding Key.
JAIST Reposi https://dspace.j Title How to Find Short RC4 Colliding Key Author(s)Chen, Jiageng; Miyaji, Atsuko Citation Lecture Notes in Computer Science, 7 46 Issue Date 2011-10-12 Type Journal Article
More informationDD2448 Foundations of Cryptography Lecture 3
DD2448 Foundations of Cryptography Lecture 3 Douglas Wikström KTH Royal Institute of Technology dog@kth.se February 3, 2016 Linear Cryptanalysis of the SPN Basic Idea Linearize Find an expression of the
More informationOn the pseudo-random generator ISAAC
On the pseudo-random generator ISAAC Jean-Philippe Aumasson FHNW, 5210 Windisch, Switzerland Abstract. This paper presents some properties of he deterministic random bit generator ISAAC (FSE 96), contradicting
More informationBlock Cipher Cryptanalysis: An Overview
0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution
More informationDynamic Cube Attack on 105 round Grain v1
Noname manuscript No. (will be inserted by the editor) Dynamic Cube Attack on 105 round Grain v1 Subhadeep Banik Received: date / Accepted: date Abstract As far as the Differential Cryptanalysis of reduced
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationA Combinatorial Analysis of HC-128
A Combinatorial Analysis of HC-128 Goutam Paul 1, Subhamoy Maitra 2, Shashwat Raizada 2 1 Department of Computer Science and Engineering, Jadavpur University, Kolkata 700 032, India. goutam.paul@ieee.org
More informationVMPC One-Way Function and Stream Cipher
VMPC One-Way Function and Stream Cipher Bartosz Zoltak http://www.vmpcfunction.com bzoltak@vmpcfunction.com This paper was presented at FSE 04, Delhi, India, 5-7.FEB.2004 Copyright by IACR Abstract. A
More informationAttacks on the RC4 stream cipher
Attacks on the RC4 stream cipher Andreas Klein July 4, 2007 Abstract In this article we present some weaknesses in the RC4 cipher and their cryptographic applications. Especially we improve the attack
More informationStatistical Attack on RC4
Statistical Attack on RC4 Distinguishing WPA Pouyan Sepehrdad, Serge Vaudenay, and Martin Vuagnoux EPFL CH-1015 Lausanne, Switzerland http://lasecwww.epfl.ch Abstract. In this paper we construct several
More informationImpact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers
Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers Goutam Paul and Shashwat Raizada Jadavpur University, Kolkata and Indian Statistical Institute,
More informationNew Distinguishers for Reduced Round Trivium and Trivia-SC using Cube Testers (Extended Abstract)
New Distinguishers for Reduced Round Trivium and Trivia-SC using Cube Testers (Extended Abstract) Anubhab Baksi 1, Subhamoy Maitra 1, Santanu Sarkar 2 1 Indian Statistical Institute, 203 B. T. Road, Kolkata
More informationAnalysing and Exploiting the Mantin Biases in RC4
Analysing and Exploiting the Mantin Biases in RC4 Remi Bricout 1, Sean Murphy 2, Kenneth G. Paterson 2, and Thyla van der Merwe 2 1 ENS, Paris 2 Royal Holloway, University of London Abstract. We explore
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationSalsa20 Cryptanalysis: New Moves and Revisiting Old Styles
Salsa0 Cryptanalysis: New Moves and Revisiting Old Styles Subhamoy Maitra 1, Goutam Paul 1, Willi Meier 1 Indian Statistical Institute, Kolkata, India {subho,goutam.paul}@isical.ac.in FHNW, Windisch, Switzerland
More informationDistinguishing Attacks on the Stream Cipher Py
Distinguishing Attacks on the Stream Cipher Py Souradyuti Paul, Bart Preneel, and Gautham Sekar Katholieke Universiteit Leuven, Dept. ESAT/COSIC, Kasteelpark Arenberg 10, B 3001, Leuven-Heverlee, Belgium
More informationAnalysis and Implementation of RC4 Stream Cipher
Analysis and Implementation of RC4 Stream Cipher A thesis presented to Indian Statistical Institute in fulfillment of the thesis requirement for the degree of Doctor of Philosophy in Computer Science by
More informationDifferential Fault Analysis on DES Middle Rounds
Differential Fault Analysis on DES Middle Rounds Matthieu Rivain Speaker: Christophe Giraud Oberthur Technologies Agenda 1 Introduction Data Encryption Standard DFA on DES Last & Middle Rounds 2 Our Attack
More informationCryptanalysis of the Stream Cipher DECIM
Cryptanalysis of the Stream Cipher DECIM Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium {wu.hongjun, bart.preneel}@esat.kuleuven.be
More informationA TMDTO Attack Against Lizard
A TMDTO Attack Against Lizard Subhamoy Maitra 1, Nishant Sinha 2, Akhilesh Siddhanti 3, Ravi Anand 4, Sugata Gangopadhyay 2 1 Indian Statistical Institute, Kolkata, subho@isical.ac.in 2 Indian Institute
More informationThe Improbable Differential Attack. Cryptanalysis of Reduced Round CLEFIA
: Cryptanalysis of Reduced Round CLEFIA École Polytechnique Fédérale de Lausanne, Switzerland (This work was done at) Institute of Applied Mathematics Middle East Technical University, Ankara, Turkey INDOCRYPT
More informationLinear Cryptanalysis of RC5 and RC6
Linear Cryptanalysis of RC5 and RC6 Johan Borst, Bart Preneel, and Joos Vandewalle K.U. Leuven, Dept. Elektrotechniek-ESAT/COSIC Kardinaal Mercierlaan 94, B-3001 Heverlee Belgium Johan.Borst@esat.kuleuven.ac.be
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 37 Outline 1 Pseudo-Random Generators and Stream Ciphers 2 More Security Definitions: CPA and CCA 3 Pseudo-Random Functions/Permutations
More informationLinear and Statistical Independence of Linear Approximations and their Correlations
Linear and Statistical Independence of Linear Approximations and their Correlations Kaisa Nyberg Aalto University School of Science kaisa.nyberg@aalto.fi Boolean Functions and their Applications Os, Norway,
More informationA New Distinguisher on Grain v1 for 106 rounds
A New Distinguisher on Grain v1 for 106 rounds Santanu Sarkar Department of Mathematics, Indian Institute of Technology, Sardar Patel Road, Chennai 600036, India. sarkar.santanu.bir@gmail.com Abstract.
More informationCube Attacks on Stream Ciphers Based on Division Property
Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23 Plan 1 Cube Attack:
More informationDifferential Fault Analysis of Trivium
Differential Fault Analysis of Trivium Michal Hojsík 1,2 and Bohuslav Rudolf 2,3 1 Department of Informatics, University of Bergen, N-5020 Bergen, Norway 2 Department of Algebra, Charles University in
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationCryptanalysis of the Stream Cipher ABC v2
Cryptanalysis of the Stream Cipher ABC v2 Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium {wu.hongjun,bart.preneel}@esat.kuleuven.be
More informationCryptanalysis of the Light-Weight Cipher A2U2 First Draft version
Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Mohamed Ahmed Abdelraheem, Julia Borghoff, Erik Zenner Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark {M.A.Abdelraheem,J.Borghoff,E.Zenner}@mat.dtu.dk
More informationOn Data Complexity of Distinguishing Attacks vs. Message Recovery Attacks on Stream Ciphers
On Data Complexity of Distinguishing Attacks vs. Message Recovery Attacks on Stream Ciphers Goutam Paul Souvik Ray Abstract We revisit the different approaches used in the literature to estimate the data
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos
More informationZero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA
Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Andrey Bogdanov, Meiqin Wang Technical University of Denmark, Shandong University, China ESC 2013,
More informationStatistical Attacks on Cookie Masking for RC4
Statistical Attacks on Cookie Masking for RC4 Kenneth G. Paterson 1 and Jacob C.N. Schuldt 2 1 Royal Holloway, University of London, UK 2 AIST, Japan Abstract. Levillain et al. (AsiaCCS 2015) proposed
More informationDifferential Attack on Five Rounds of the SC2000 Block Cipher
Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com
More informationBernoulli variables. Let X be a random variable such that. 1 with probability p X = 0 with probability q = 1 p
Unit 20 February 25, 2011 1 Bernoulli variables Let X be a random variable such that { 1 with probability p X = 0 with probability q = 1 p Such an X is called a Bernoulli random variable Unit 20 February
More informationAn Analysis of the RC4 Family of Stream Ciphers against Algebraic Attacks
Proc 8th Australasian Information Security Conference AISC 010, Brisbane, Australia An Analysis of the RC4 Family of Stream Ciphers against Algebraic Attacks Kenneth Koon-Ho Wong 1 Gary Carter 1 Ed Dawson
More informationStream Ciphers: Cryptanalytic Techniques
Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and Information Technology. Lund University, Sweden ECRYPT Summer school 2007 (Lund University) Stream Ciphers: Cryptanalytic
More informationImproved Cascaded Stream Ciphers Using Feedback
Improved Cascaded Stream Ciphers Using Feedback Lu Xiao 1, Stafford Tavares 1, Amr Youssef 2, and Guang Gong 3 1 Department of Electrical and Computer Engineering, Queen s University, {xiaolu, tavares}@ee.queensu.ca
More informationLinear Cryptanalysis of Reduced-Round Speck
Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be
More informationGENERALIZED NONLINEARITY OF S-BOXES. Sugata Gangopadhyay
Volume X, No. 0X, 0xx, X XX doi:0.3934/amc.xx.xx.xx GENERALIZED NONLINEARITY OF -BOXE ugata Gangopadhyay Department of Computer cience and Engineering, Indian Institute of Technology Roorkee, Roorkee 47667,
More informationKlein s and PTW Attacks on WEP
TTM4137 Wireless Security Klein s and PTW Attacks on WEP Anton Stolbunov NTNU, Department of Telematics version 1, September 7, 2009 Abstract These notes should help for an in-depth understanding of the
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More informationSOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies
SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by
More informationOn the structural weakness of the GGHN stream cipher
Cryptogr. Commun. (2010) 2:1 17 DOI 10.1007/s12095-009-0013-3 On the structural weakness of the GGHN stream cipher Aleksandar Kircanski Amr M. Youssef Received: 24 January 2009 / Accepted: 9 September
More information7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks
More informationSalsa20 Cryptanalysis: New Moves and Revisiting Old Styles
Salsa0 Cryptanalysis: New Moves and Revisiting Old Styles Subhamoy Maitra, Goutam Paul, Willi Meier To cite this version: Subhamoy Maitra, Goutam Paul, Willi Meier. Salsa0 Cryptanalysis: New Moves and
More informationCryptanalysis of the SIMON Family of Block Ciphers
Cryptanalysis of the SIMON Family of Block Ciphers Hoda A. Alkhzaimi and Martin M. Lauridsen DTU Compute Section for Cryptology Department of Applied Mathematics and Computer Science Matematiktorvet, building
More informationImpossible Differential Attacks on 13-Round CLEFIA-128
Mala H, Dakhilalian M, Shakiba M. Impossible differential attacks on 13-round CLEFIA-128. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 26(4): 744 750 July 2011. DOI 10.1007/s11390-011-1173-0 Impossible Differential
More informationRelated-Key Rectangle Attack on Round-reduced Khudra Block Cipher
Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy
More informationDistinguishing Attack on Common Scrambling Algorithm
410 The International Arab Journal of Information Technology, Vol. 12, No. 4, July 2015 Distinguishing Attack on Common Scrambling Algorithm Kai Zhang and Jie Guan Zhengzhou Information Science and Technology
More informationON DISTINGUISHING ATTACK AGAINST THE REDUCED VERSION OF THE CIPHER NLSV2
t m Mathematical Publications DOI: 10.2478/v10127-012-0037-5 Tatra Mt. Math. Publ. 53 (2012), 21 32 ON DISTINGUISHING ATTACK AGAINST THE REDUCED VERSION OF THE CIPHER NLSV2 Michal Braško Jaroslav Boor
More informationCube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version)
Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) Yosuke Todo 1, Takanori Isobe 2, Yonglin Hao 3, and Willi Meier 4 1 NTT Secure Platform Laboratories, Tokyo 180-8585,
More informationLinear Cryptanalysis
Linear Cryptanalysis Linear cryptanalysis is a powerful method of cryptanalysis introduced by Matsui in 1993 [11]. It is a known plaintext attack in which the attacker studies the linear approximations
More informationHow Biased Are Linear Biases
How Biased Are Linear Biases Adnan Baysal and Orhun Kara TÜBİTAK BİLGEM UEKAE Gebze, 41470 Kocaeli Turkey. E-mails: {abaysal,orhun}@uekae.tubitak.gov.tr Abstract In this paper we re-visit the Matsui s
More informationImprobable Differential Cryptanalysis and Undisturbed Bits
Improbable Differential Cryptanalysis and Undisturbed Bits Institute of Applied Mathematics Department of Cryptography Middle East Technical University September 5, 2013 Leuven, Belgium A (Very) Short
More informationRelated-Key Statistical Cryptanalysis
Related-Key Statistical Cryptanalysis Darakhshan J. Mir Department of Computer Science, Rutgers, The State University of New Jersey Poorvi L. Vora Department of Computer Science, George Washington University
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More informationAdvanced differential-style cryptanalysis of the NSA's skipjack block cipher
Loughborough University Institutional Repository Advanced differential-style cryptanalysis of the NSA's skipjack block cipher This item was submitted to Loughborough University's Institutional Repository
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationIntegrals go Statistical: Cryptanalysis of Full Skipjack Variants
Integrals go Statistical: Cryptanalysis of ull Skipjack Variants Meiqin Wang mqwang@sdu.edu.cn Joint Work with Tingting Cui, Huaifeng Chen, Ling Sun, Long Wen, Andrey Bogdanov Shandong University, China;
More informationStream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden
Dept. of EIT, Lund University, P.O. Box 118, 221 00 Lund, Sweden thomas@eit.lth.se May 16, 2011 Outline: Introduction to stream ciphers Distinguishers Basic constructions of distinguishers Various types
More informationDistinguishing Attacks on Stream Ciphers Based on Arrays of Pseudo-random Words
Distinguishing Attacks on Stream Ciphers Based on Arrays of Pseudo-random Words Nathan Keller and Stephen D. Miller Abstract In numerous modern stream ciphers, the internal state consists of a large array
More informationZero-Correlation Linear Cryptanalysis of Reduced-Round LBlock
Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock Hadi Soleimany and Kaisa Nyberg Department of Information and Computer Science, Aalto University School of Science, Finland WCC 2013 1/53 Outline
More informationImproved Multiple Impossible Differential Cryptanalysis of Midori128
Improved Multiple Impossible Differential Cryptanalysis of Midori128 Mohamed Tolba, Ahmed Abdelkhalek, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University,
More informationLecture 4 - Computational Indistinguishability, Pseudorandom Generators
Lecture 4 - Computational Indistinguishability, Pseudorandom Generators Boaz Barak September 27, 2007 Computational Indistinguishability Recall that we defined that statistical distance of two distributions
More informationLow Complexity Differential Cryptanalysis and Fault Analysis of AES
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationOvertaking VEST. 45, avenue des États-Unis, Versailles Cedex, France 3 DCSSI Crypto Lab
Overtaking VEST Antoine Joux 1,2 and Jean-René Reinhard 3 1 DGA 2 Université de Versailles St-Quentin-en-Yvelines, PRISM 45, avenue des États-Unis, 78035 Versailles Cedex, France antoine.joux@m4x.org 3
More informationNew Combined Attacks on Block Ciphers
New Combined Attacks on Block Ciphers Eli Biham 1, Orr Dunkelman 1,, and Nathan Keller 2 1 Computer Science Department, Technion, Haifa 32000, Israel {biham, orrd}@cs.technion.ac.il 2 Einstein Institute
More informationData Complexity and Success Probability for Various Cryptanalyses
Data Complexity and Success Probability for Various Cryptanalyses Céline Blondeau, Benoît Gérard and Jean Pierre Tillich INRIA project-team SECRET, France Blondeau, Gérard and Tillich. Data Complexity
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationSubspace Trail Cryptanalysis and its Applications to AES
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and Sondre Rønjom March, 2017 1 / 28 Introduction In the case of AES, several alternative representations (algebraic
More informationNEW ATTACKS ON RC4A AND VMPC
NEW ATTACKS ON RC4A AND VMPC a thesis submitted to the graduate school of engineering and science of bilkent university in partial fulfillment of the requirements for the degree of master of science in
More informationComplementing Feistel Ciphers
Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,
More informationAnalysis of Modern Stream Ciphers
Analysis of Modern Stream Ciphers Josef Pieprzyk Centre for Advanced Computing Algorithms and Cryptography, Macquarie University, Australia CANS - Singapore - December 2007 estream Outline 1. estream Project
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationA Practical Attack Against the Use of RC4 in the HIVE Hidden Volume Encryption System
A Practical Attack Against the Use of RC4 in the HIVE Hidden Volume Encryption System Kenneth G. Paterson 1 and Mario Strefler 2 1 Information Security Group, Royal Holloway, University of London Kenny.Paterson@rhul.ac.uk
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationImpossible Differential Cryptanalysis of Mini-AES
Impossible Differential Cryptanalysis of Mini-AES Raphael Chung-Wei Phan ADDRESS: Swinburne Sarawak Institute of Technology, 1 st Floor, State Complex, 93576 Kuching, Sarawak, Malaysia. rphan@swinburne.edu.my
More information