Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium
|
|
- Gary Walker
- 5 years ago
- Views:
Transcription
1 Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson, Itai Dinur, Willi Meier, Adi Shamir 1 / 27
2 Cube attacks 2 / 27
3 Timeline Aug 08: Shamir presents cube attacks at CRYPTO Sep 08: Dinur/Shamir paper on eprint, attack on 771-round Trivium Oct 08: cube attacks reported on 14-round MD6 Oct 08: cube testers reported on 18-round MD6 Dec 08: Dinur/Shamir paper accepted to EUROCRYPT Jan 09: cube testers reported on Shabal 3 / 27
4 Cube attacks in a nutshell Can attack any primitive with secret and public variables keyed hash functions stream ciphers block ciphers MACs Target algorithms with low-degree components stream ciphers based on low-degree NFSR hash functions with only XORs and a few ANDs 4 / 27
5 Cube attacks in a nutshell Requirements of the attacker: only black-box access to the function negligible memory Cube attacks work in 2 phases precomputation: chosen keys and chosen IVs online: fixed unknown key and chosen IVs 5 / 27
6 Key observation 1 Any function f : {0, 1} m {0, 1} n admits an algebraic normal form (ANF) Example: f : {0, 1} 10 {0, 1} 4 f 1 (x) = x 1 x 2 + x 2 x 8 x 9 + x 3 x 4 x 5 x 6 x 7 f 2 (x) = x 2 x 4 + x 6 x 8 x 9 + x 5 x 6 x 7 x 8 x 9 x 10 f 3 (x) = 1 f 4 (x) = 1 + x 1 + x 3 + x 5 6 / 27
7 Key observation 2 Computation of the largest monomial s coefficient f (x 1, x 2, x 3, x 4 ) = x 1 + x 3 + x 1 x 2 x 3 + x 1 x 2 x 4 = x 1 + x 3 + x 1 x 2 x 3 + x 1 x 2 x x 1 x 2 x 3 x 4 Sum over all values of (x 1, x 2, x 3, x 4 ): f (0, 0, 0, 0)+f (0, 0, 0, 1)+f (0, 0, 1, 0)+ +f (1, 1, 1, 1) = 0 7 / 27
8 Key observation 3 Evaluation of factor polynomials f (x 1, x 2, x 3, x 4 ) = x 1 + x 3 + x 1 x 2 x 3 + x 1 x 2 x 4 = x 1 + x 3 + x 1 x 2 (x 3 + x 4 ) Fix x 3 and x 4, sum over all values of (x 1, x 2 ): (x 1,x 2 ) {0,1} 2 f (x 1, x 2, x 3, x 4 ) = 4 x x (x 3 + x 4 ) = x 3 + x 4 8 / 27
9 Key observation 3 Evaluation of factor polynomials f (x 1, x 2, x 3, x 4 ) = + x 1 x 2 (x 3 + x 4 ) Fix x 3 and x 4, sum over all values of (x 1, x 2 ): (x 1,x 2 ) {0,1} 2 f (x 1, x 2, x 3, x 4 ) = x 3 + x 4 9 / 27
10 Terminology f (x 1, x 2, x 3, x 4 ) = x 1 + x 3 + x 1 x 2 (x 3 + x 4 ) (x 3 + x 4 ) is called the superpoly of the cube x 1 x 2 10 / 27
11 Evaluation of a superpoly x 3 and x 4 fixed and unknown f (,, x 3, x 4 ) queried as a black box ANF unknown, except: x 1 x 2 s superpoly is (x 3 + x 4 ) f (x 1, x 2, x 3, x 4 ) = + x 1 x 2 (x 3 + x 4 ) + Query f to evaluate the superpoly: (x 1,x 2 ) {0,1} 2 f (x 1, x 2, x 3, x 4 ) = x 3 + x 4 11 / 27
12 Key-recovery attack On a stream cipher with key k and IV v f : (k, v) first keystream bit Offline: find cubes with linear superpolys f (k, v) = + v 1 v 3 v 5 v 7 (k 2 + k 3 + k 5 ) + f (k, v) = + v 1 v 2 v 6 v 8 v 12 (k 1 + k 2 ) + = f (k, v) = + v 3 v 4 v 5 v 6 (k 3 + k 4 + k 5 ) + (reconstruct the superpolys with linearity tests) Online: evaluate the superpolys, solve the system 12 / 27
13 Cube testers 13 / 27
14 Cube testers in a nutshell Like cube attacks: need only black-box access target primitives with secret and public variables and built on low-degree components Unlike cube attacks: give distinguishers rather than key-recovery don t require low-degree functions need no precomputation 14 / 27
15 Basic idea Detect structure (nonrandomness) in the superpoly, using algebraic property testers A tester for property P on the function f : makes (adaptive) queries to f accepts when f satisfies P rejects with bounded probability otherwise 15 / 27
16 Examples of efficiently testable properties balance linearity low-degree constantness presence of linear variables presence of neutral variables General characterization by Kaufman/Sudan, STOC / 27
17 Superpolys attackable by testing low-degree (6) + x 1 x 2 x 3 (x 5 x 6 + x 7 x 21 + x 6 x 9 x 20 x 30 x 40 x 50 ) +... neutral variables (x 6 ) + x 1 x 2 x 3 x 4 x 5 g(x 7, x 8,..., x 80 ) +... linear variables (x 6 ) + x 1 x 2 x 3 x 4 x 5 (x 6 + g(x 7, x 8,..., x 80 )) + 17 / 27
18 Results 18 / 27
19 MD6 Presented by Rivest at CRYPTO 2008 Submitted to the SHA-3 competition quadtree structure construction RO-indifferentiable low-degree compression function at least 80 rounds best attack by the designers: 12 rounds 19 / 27
20 MD6 s compression function {0, 1} {0, 1} Input: 64-bit words A 0.A 1,..., A 88 Compute the A i s with the recursion x S i A i 17 A i 89 (A i 18 A i 21 ) (A i 31 A i 67 ) x x (x r i ) A i x (x l i ) round-dependent constant S i quadratic step, at least 1280 steps 20 / 27
21 Results on MD6 Cube attack (key recovery) on the 14-round compression function recover any 128-bit key in time 2 22 Cube testers (testing balance) detect nonrandomness on 18 rounds detect nonrandomness on 66 rounds when S i = 0 in time 2 17, 2 24, resp. 21 / 27
22 Trivium Stream cipher by De Cannière and Preneel, 2005 estream HW portfolio 80-bit key and IV 3 quadratic NFSRs 1152 initialization rounds best attack on 771 rounds (cube attack) 22 / 27
23 Cube testers on Trivium Test the presence of neutral variables Distinguishers (only choose IVs) 2 24 : 772 rounds 2 30 : 790 rounds Nonrandomness (assumes some control of the key) 2 24 : 842 rounds 2 27 : 885 rounds Full version: 1152 rounds 23 / 27
24 Conclusions 24 / 27
25 Cube testers + more general than classical cube attacks no precomputation polymorphic only gives distinguishers only finds feasible attacks relevant for a minority of functions (like cube attacks) 25 / 27
26 Open issues How to predict the existence of unexpected properties? How to find the best cubes? Attack on (reduced versions of) other algorithms: Grain, ESSENCE, Keccak, Luffa, Shabal, / 27
27 Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson, Itai Dinur, Willi Meier, Adi Shamir 27 / 27
Cube Attacks on Stream Ciphers Based on Division Property
Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23 Plan 1 Cube Attack:
More informationCube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium
Cube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium Jean-Philippe Aumasson 1, Itai Dinur 2, Willi Meier 1, and Adi Shamir 2 1 FHNW, Windisch, Switzerland 2 Computer Science Department,
More informationCube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium
Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson 1,,ItaiDinur 2, Willi Meier 1,, and Adi Shamir 2 1 FHNW, Windisch, Switzerland 2 Computer Science Department,
More informationChosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers
Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers Simon Fischer 1, Shahram Khazaei 2, and Willi Meier 1 1 FHNW and 2 EPFL (Switzerland) AfricaCrypt 2008, Casablanca - June 11-14
More informationA New Distinguisher on Grain v1 for 106 rounds
A New Distinguisher on Grain v1 for 106 rounds Santanu Sarkar Department of Mathematics, Indian Institute of Technology, Sardar Patel Road, Chennai 600036, India. sarkar.santanu.bir@gmail.com Abstract.
More informationParallel Cube Tester Analysis of the CubeHash One-Way Hash Function
Parallel Cube Tester Analysis of the CubeHash One-Way Hash Function Alan Kaminsky Department of Computer Science B. Thomas Golisano College of Computing and Information Sciences Rochester Institute of
More informationCorrelation Cube Attacks: From Weak-Key Distinguisher to Key Recovery
Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery Meicheng Liu, Jingchun Yang, Wenhao Wang, and Dongdai Lin State Key Laboratory of Information Security, Institute of Information Engineering,
More informationSearching Cubes for Testing Boolean Functions and Its Application to Trivium
Searching Cubes for Testing Boolean Functions and Its Application to Trivium Meicheng Liu, Dongdai Lin and Wenhao Wang State Key Laboratory of Information Security Institute of Information Engineering
More informationMILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher
MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher Raghvendra Rohit, Riham AlTawy, & Guang Gong Department of Electrical and Computer Engineering, University of Waterloo Waterloo,
More informationImproved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly (Full Version)
Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly (Full Version) Qingju Wang 1,2,3, Yonglin Hao 4, Yosuke Todo 5, Chaoyun Li 6, Takanori Isobe 7, and Willi Meier
More informationPractical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function
Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function Itai Dinur 1, Pawe l Morawiecki 2,3, Josef Pieprzyk 4 Marian Srebrny 2,3, and Micha l Straus 3 1 Computer Science Department, École
More informationLinear Extension Cube Attack on Stream Ciphers ABSTRACT 1. INTRODUCTION
Malaysian Journal of Mathematical Sciences 9(S) June: 139-156 (015) Special ssue: The 4 th nternational Cryptology and nformation Security Conference 014 (Cryptology 014) MALAYSAN JOURNAL OF MATHEMATCAL
More informationCube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version)
Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) Yosuke Todo 1, Takanori Isobe 2, Yonglin Hao 3, and Willi Meier 4 1 NTT Secure Platform Laboratories, Tokyo 180-8585,
More informationKey Recovery with Probabilistic Neutral Bits
ESC 7.1. 11. 1. 2007 Key Recovery with Probabilistic Neutral Bits Simon Fischer 1, Shahram Khazaei 2 and Willi Meier 1 1 FHNW, Windisch, Switzerland 2 EPFL, Lausanne, Switzerland Outline Motivation Probabilistic
More informationSome Randomness Experiments on TRIVIUM
Some Randomness Experiments on TRIVIUM Subhabrata Samajder and Palash Sarkar Applied Statistics Unit Indian Statistical Institute 203, B.T.Road, Kolkata, India - 700108. {subhabrata r,palash}@isical.ac.in
More informationDeterministic Cube Attacks:
Deterministic Cube Attacks: A New Method to Recover Superpolies in Practice Chen-Dong Ye and Tian Tian National Digital Switching System Engineering & Technological Research Center, P.O. Box 407, 62 Kexue
More informationOn the Security of NOEKEON against Side Channel Cube Attacks
On the Security of NOEKEON against Side Channel Cube Attacks Shekh Faisal Abdul-Latip 1,2, Mohammad Reza Reyhanitabar 1, Willy Susilo 1, and Jennifer Seberry 1 1 Center for Computer and Information Security
More informationSome Randomness Experiments on TRIVIUM
1 Some Randomness Experiments on TRIVIUM Technical Report No. ASU/2014/3 Dated : 14 th March, 2014 Subhabrata Samajder Applied Statistics Unit Indian Statistical Institute 203, B. T. Road, Kolkata 700108,
More informationMILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher
MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher Raghvendra Rohit, Riham AlTawy, and Guang Gong Department of Electrical and Computer Engineering, University of Waterloo, Waterloo,
More informationOn the Design of Trivium
On the Design of Trivium Yun Tian, Gongliang Chen, Jianhua Li School of Information Security Engineering, Shanghai Jiaotong University, China ruth tian@sjtu.edu.cn, chengl@sjtu.edu.cn, lijh888@sjtu.edu.cn
More informationAnother View on Cube Attack, Cube Tester, AIDA and Higher Order Differential Cryptanalysis
Another View on Cube Attack, Cube Tester, AIDA and Higher Order Differential Cryptanalysis Bo Zhu 1, Guang Gong 1, Xuejia Lai 2 and Kefei Chen 2 1 Department of Electrical and Computer Engineering, University
More informationCube Test Analysis of the Statistical Behavior of CubeHash and Skein
Cube Test Analysis of the Statistical Behavior of CubeHash and Skein Alan Kaminsky May, 0 Abstract This work analyzes the statistical properties of the SHA- candidate cryptographic hash algorithms CubeHash
More informationNew Directions in Cryptanalysis of Self-Synchronizing Stream Ciphers
New Directions in Cryptanalysis of Self-Synchronizing Stream Ciphers Shahram Khazaei 1 and Willi Meier 2 1 EPFL, Lausanne, Switzerland 2 FHNW, Windisch, Switzerland Abstract. In cryptology we commonly
More informationNew Distinguishers for Reduced Round Trivium and Trivia-SC using Cube Testers (Extended Abstract)
New Distinguishers for Reduced Round Trivium and Trivia-SC using Cube Testers (Extended Abstract) Anubhab Baksi 1, Subhamoy Maitra 1, Santanu Sarkar 2 1 Indian Statistical Institute, 203 B. T. Road, Kolkata
More informationNumerical Solvers in Cryptanalysis
Numerical Solvers in Cryptanalysis M. Lamberger, T. Nad, V. Rijmen Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria
More informationAlgebraic analysis of Trivium-like ciphers (Poster)
Algebraic analysis of Trivium-like ciphers (Poster) Sui-Guan Teo 1 Kenneth Koon-Ho Wong 1 Harry Bartlett 2 Leonie Simpson 2 Ed Dawson 1 1 Institute for Future Environments 2 Science and Engineering Faculty
More informationCube attack in finite fields of higher order
Cube attack in finite fields of higher order Andrea Agnesse 1 Marco Pedicini 2 1 Dipartimento di Matematica, Università Roma Tre Largo San Leonardo Murialdo 1, Rome, Italy 2 Istituto per le Applicazioni
More informationAlgebraic Immunity of S-boxes and Augmented Functions
Algebraic Immunity of S-boxes and Augmented Functions Simon Fischer and Willi Meier S. Fischer and W. Meier AI of Sbox and AF 1 / 23 Outline 1 Algebraic Properties of S-boxes 2 Augmented Functions 3 Application
More informationOn Stream Ciphers with Small State
ESC 2017, Canach, January 16. On Stream Ciphers with Small State Willi Meier joint work with Matthias Hamann, Matthias Krause (University of Mannheim) Bin Zhang (Chinese Academy of Sciences, Beijing) 1
More informationFault Analysis of the KATAN Family of Block Ciphers
Fault Analysis of the KATAN Family of Block Ciphers Shekh Faisal Abdul-Latip 1,2, Mohammad Reza Reyhanitabar 1, Willy Susilo 1, and Jennifer Seberry 1 1 Centre for Computer and Information Security Research,
More informationComparison of cube attacks over different vector spaces
Comparison of cube attacks over different vector spaces Richard Winter 1, Ana Salagean 1, and Raphael C.-W. Phan 2 1 Department of Computer Science, Loughborough University, Loughborough, UK {R.Winter,
More informationAlgebraic properties of SHA-3 and notable cryptanalysis results
Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =
More informationNew Insights into Divide-and-Conquer Attacks on the Round-Reduced Keccak-MAC
New Insights into Divide-and-onquer Attacks on the Round-Reduced Keccak-MA hen-dong Ye 1 and Tian Tian 1,* 1 National Digital Switching System Engineering & Technological Research enter, P.O. Box 407,
More informationCryptographic Hash Functions Part II
Cryptographic Hash Functions Part II Cryptography 1 Andreas Hülsing, TU/e Some slides by Sebastiaan de Hoogh, TU/e Hash function design Create fixed input size building block Use building block to build
More informationCube Analysis of KATAN Family of Block Ciphers
Cube Analysis of KATAN Family of Block Ciphers Speaker: Bingsheng Zhang University of Tartu, Estonia This talk covers partial results of the paper Algebraic, AIDA/Cube and Side Channel Analysis of KATAN
More informationDynamic Cube Attack on 105 round Grain v1
Noname manuscript No. (will be inserted by the editor) Dynamic Cube Attack on 105 round Grain v1 Subhadeep Banik Received: date / Accepted: date Abstract As far as the Differential Cryptanalysis of reduced
More informationAdvanced Algebraic Attack on Trivium November 26, 2015 Frank-M. Quedenfeld 1 and Christopher Wolf 2 1 University of Technology Braunschweig, Germany
Advanced Algebraic Attack on Trivium November 26, 2015 Frank-M. Quedenfeld 1 and Christopher Wolf 2 1 University of Technology Braunschweig, Germany frank.quedenfeld@googlemail.com 2 Research center Jülich,
More informationDifferential Fault Analysis of Trivium
Differential Fault Analysis of Trivium Michal Hojsík 1,2 and Bohuslav Rudolf 2,3 1 Department of Informatics, University of Bergen, N-5020 Bergen, Norway 2 Department of Algebra, Charles University in
More informationSecurity Evaluation of Stream Cipher Enocoro-128v2
Security Evaluation of Stream Cipher Enocoro-128v2 Hell, Martin; Johansson, Thomas 2010 Link to publication Citation for published version (APA): Hell, M., & Johansson, T. (2010). Security Evaluation of
More informationStream Ciphers: Cryptanalytic Techniques
Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and Information Technology. Lund University, Sweden ECRYPT Summer school 2007 (Lund University) Stream Ciphers: Cryptanalytic
More informationOptimized Interpolation Attacks on LowMC
Optimized Interpolation Attacks on LowMC Itai Dinur 1, Yunwen Liu 2, Willi Meier 3, and Qingju Wang 2,4 1 Département d Informatique, École Normale Supérieure, Paris, France 2 Dept. Electrical Engineering
More informationImproved Zero-sum Distinguisher for Full Round Keccak-f Permutation
Improved Zero-sum Distinguisher for Full Round Keccak-f Permutation Ming Duan 12 and Xuejia Lai 1 1 Department of Computer Science and Engineering, Shanghai Jiao Tong University, China. 2 Basic Courses
More informationTwo Generic Methods of Analyzing Stream Ciphers
Two Generic Methods of Analyzing Stream Ciphers Lin Jiao 1,2, Bin Zhang 1,3, and Mingsheng Wang 4 1 TCA, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China 2 University of Chinese
More informationAlgebraic Attack Against Trivium
Algebraic Attack Against Trivium Ilaria Simonetti, Ludovic Perret and Jean Charles Faugère Abstract. Trivium is a synchronous stream cipher designed to provide a flexible trade-off between speed and gate
More informationACORN: A Lightweight Authenticated Cipher (v3)
ACORN: A Lightweight Authenticated Cipher (v3) Designer and Submitter: Hongjun Wu Division of Mathematical Sciences Nanyang Technological University wuhongjun@gmail.com 2016.09.15 Contents 1 Specification
More informationA TMDTO Attack Against Lizard
A TMDTO Attack Against Lizard Subhamoy Maitra 1, Nishant Sinha 2, Akhilesh Siddhanti 3, Ravi Anand 4, Sugata Gangopadhyay 2 1 Indian Statistical Institute, Kolkata, subho@isical.ac.in 2 Indian Institute
More informationLow-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512
Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512 Takanori Isobe and Taizo Shirai Sony Corporation 1-7-1 Konan, Minato-ku, Tokyo 108-0075, Japan {Takanori.Isobe,Taizo.Shirai}@jp.sony.com
More informationLightweight Cryptography for RFID Systems
Lightweight Cryptography for RFID Systems Guang Gong Department of Electrical and Computer Engineering University of Waterloo CANADA G. Gong (University of Waterloo)
More informationCollision Attacks on Up to 5 Rounds of SHA-3 Using Generalized Internal Differentials
Collision Attacks on Up to 5 Rounds of SHA-3 Using Generalized Internal Differentials Itai Dinur 1, Orr Dunkelman 1,2 and Adi Shamir 1 1 The Weizmann Institute, Israel 2 University of Haifa, Israel Keccak
More informationCryptanalysis of Lightweight Cryptographic Algorithms
Cryptanalysis of Lightweight Cryptographic Algorithms By Mohammad Ali Orumiehchiha A thesis submitted to Macquarie University for the degree of Doctor of Philosophy Department of Computing July 2014 ii
More informationCryptanalysis of Achterbahn
Cryptanalysis of Achterbahn Thomas Johansson 1, Willi Meier 2, and Frédéric Muller 3 1 Department of Information Technology, Lund University P.O. Box 118, 221 00 Lund, Sweden thomas@it.lth.se 2 FH Aargau,
More informationNear Collision Attack on the Grain v1 Stream Cipher
Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang, Zhenqi Li, Dengguo Feng and Dongdai Lin State Key Laboratory of Information Security, IIE, Chinese Academy of Sciences, Beijing, 100093, China.
More informationIntroduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results
The LED Block Cipher Jian Guo, Thomas Peyrin, Axel Poschmann and Matt Robshaw I2R, NTU and Orange Labs CHE 2011 Nara, Japan Outline Introduction The LED Round Function Minimalism for ey chedule ecurity
More informationImproved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method
Improved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method Zheng Li 1, Wenquan Bi 1, Xiaoyang Dong 2, and Xiaoyun Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security,
More informationHow (not) to efficiently dither blockcipher-based hash functions?
How (not) to efficiently dither blockcipher-based hash functions? Jean-Philippe Aumasson, Raphael C.-W. Phan FHNW, Switzerland Loughborough University, UK 1 / 29 CONTENT OF THE TALK Dithered hashing Blockcipher-based
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationAnalysis of Modern Stream Ciphers
Analysis of Modern Stream Ciphers Josef Pieprzyk Centre for Advanced Computing Algorithms and Cryptography, Macquarie University, Australia CANS - Singapore - December 2007 estream Outline 1. estream Project
More informationCryptanalysis of Full Sprout
Cryptanalysis of Full Sprout Virginie Lallemand and María Naya-Plasencia Inria, France Abstract. A new method for reducing the internal state size of stream cipher registers has been proposed in FSE 2015,
More informationOn the pseudo-random generator ISAAC
On the pseudo-random generator ISAAC Jean-Philippe Aumasson FHNW, 5210 Windisch, Switzerland Abstract. This paper presents some properties of he deterministic random bit generator ISAAC (FSE 96), contradicting
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1, and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105 78153 Le Chesnay
More informationOn The Nonlinearity of Maximum-length NFSR Feedbacks
On The Nonlinearity of Maximum-length NFSR Feedbacks Meltem Sönmez Turan National Institute of Standards and Technology meltem.turan@nist.gov Abstract. Linear Feedback Shift Registers (LFSRs) are the main
More informationFinding Low Degree Annihilators for a Boolean Function Using Polynomial Algorithms
Finding Low Degree Annihilators for a Boolean Function Using Polynomial Algorithms Vladimir Bayev Abstract. Low degree annihilators for Boolean functions are of great interest in cryptology because of
More informationSome thoughts on Trivium
Some thoughts on Trivium Steve Babbage Vodafone Group R&D, Newbury, UK steve.babbage@vodafone.com 19 th January 2007 Abstract: This paper pulls together some thoughts about how the Trivium stream cipher
More informationCube attacks on cryptographic hash functions
Rochester Institute of Technology RIT Scholar Works Theses Thesis/Dissertation Collections 2009 Cube attacks on cryptographic hash functions Joel Lathrop Follow this and additional works at: http://scholarworks.rit.edu/theses
More informationExtended Cubes: Enhancing the Cube Attack by Extracting Low-Degree Non-Linear Equations
Extended Cubes: Enhancing the Cube Attack by Extracting Low-Degree Non-Linear Equations Shekh Faisal Abdul-Latip School of Computer Science and Software Engineering University of Wollongong, Australia
More informationA Scalable Method for Constructing Galois NLFSRs with Period 2 n 1 using Cross-Join Pairs
A Scalable Method for Constructing Galois NLFSRs with Period 2 n 1 using Cross-Join Pairs Elena Dubrova Royal Institute of Technology (KTH), Forum 12, 164 4 Kista, Sweden {dubrova}@kth.se Abstract. This
More informationCryptanalysis of Sosemanuk and SNOW 2.0 Using Linear Masks
Cryptanalysis of Sosemanuk and SNOW 2.0 Using Linear Masks Jung-Keun Lee, Dong Hoon Lee, and Sangwoo Park ETRI Network & Communication Security Division, 909 Jeonmin-dong, Yuseong-gu, Daejeon, Korea Abstract.
More informationFResCA: A Fault-Resistant Cellular Automata Based Stream Cipher
FResCA: A Fault-Resistant Cellular Automata Based Stream Cipher Jimmy Jose 1,2 Dipanwita Roy Chowdhury 1 1 Crypto Research Laboratory, Department of Computer Science and Engineering, Indian Institute of
More informationLinear Approximations for 2-round Trivium
Linear Approximations for 2-round Trivium Meltem Sönmez Turan 1, Orhun Kara 2 1 Institute of Applied Mathematics, Middle East Technical University Ankara, Turkey msonmez@metu.edu.tr 2 TUBITAK-UEKAE, Gebze,
More informationON DISTINGUISHING ATTACK AGAINST THE REDUCED VERSION OF THE CIPHER NLSV2
t m Mathematical Publications DOI: 10.2478/v10127-012-0037-5 Tatra Mt. Math. Publ. 53 (2012), 21 32 ON DISTINGUISHING ATTACK AGAINST THE REDUCED VERSION OF THE CIPHER NLSV2 Michal Braško Jaroslav Boor
More informationCryptanalysis of the Stream Cipher ABC v2
Cryptanalysis of the Stream Cipher ABC v2 Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium {wu.hongjun,bart.preneel}@esat.kuleuven.be
More informationDistinguishers for the Compression Function and Output Transformation of Hamsi-256
Distinguishers for the Compression Function and Output Transformation of Hamsi-256 Jean-Philippe Aumasson Emilia Käsper Lars Ramkilde Knudsen Krystian Matusiewicz Rune Ødegård Thomas Peyrin Martin Schläffer
More informationDifferential Fault Analysis of MICKEY Family of Stream Ciphers
1 Differential Fault Analysis of MICKEY Family of Stream Ciphers Sandip Karmakar, and Dipanwita Roy Chowdhury, Member, IEEE, Department of Computer Science and Engineering, Indian Institute of Technology,
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Davies-Meyer Hashes in Practice Hash
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Full Attacks on HMAC/NMAC- and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, Phong Nguyen Laboratoire d Informatique de l École Normale Supérieure CRYPTO 2007 1/26 WhatisaMACalgorithm? M Alice wants to
More informationModified version of Latin Dances Revisited: New Analytic Results of Salsa20 and ChaCha
Modified version of Latin Dances Revisited: New Analytic Results of Salsa20 and ChaCha Tsukasa Ishiguro KDDI R&D Laboratories Inc. 2-1-15 Ohara, Fujimino, Saitama 356-8502, Japan tsukasa@kddilabs.jp 1
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1 and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105-78153 Le Chesnay Cedex
More informationAn introduction to Hash functions
An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27
More informationSecond-Order Differential Collisions for Reduced SHA-256
Second-Order Differential Collisions for Reduced SHA-256 Alex Biryukov 1, Mario Lamberger 2, Florian Mendel 2, and Ivica Nikolić 1 1 University of Luxembourg, Luxembourg 2 IAIK, Graz University of Technology,
More informationStream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden
Dept. of EIT, Lund University, P.O. Box 118, 221 00 Lund, Sweden thomas@eit.lth.se May 16, 2011 Outline: Introduction to stream ciphers Distinguishers Basic constructions of distinguishers Various types
More informationMiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity
MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity. Arnab Roy 1 (joint work with Martin Albrecht 2, Lorenzo Grassi 3, Christian Rechberger 1,3 and Tyge Tiessen
More informationThe WG Stream Cipher
The WG Stream Cipher Yassir Nawaz and Guang Gong Department of Electrical and Computer Engineering University of Waterloo Waterloo, ON, N2L 3G1, CANADA ynawaz@engmail.uwaterloo.ca, G.Gong@ece.uwaterloo.ca
More informationRevisit and Cryptanalysis of a CAST Cipher
2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia
More informationHard Fault Analysis of Trivium
1 Hard Fault Analysis of Trivium Yupu Hu, Fengrong Zhang, and Yiwei Zhang, arxiv:0907.2315v1 [cs.cr] 14 Jul 2009 Abstract Fault analysis is a powerful attack to stream ciphers. Up to now, the major idea
More informationRotational cryptanalysis of round-reduced Keccak
Rotational cryptanalysis of round-reduced Keccak Pawe l Morawiecki 1,3, Josef Pieprzyk 2, and Marian Srebrny 1,3 1 Section of Informatics, University of Commerce, Kielce, Poland pawelm@wsh-kielce.edu.pl
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationCryptanalysis of the Stream Cipher DECIM
Cryptanalysis of the Stream Cipher DECIM Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium {wu.hongjun, bart.preneel}@esat.kuleuven.be
More informationNew attacks on Keccak-224 and Keccak-256
New attacks on Keccak-224 and Keccak-256 Itai Dinur 1, Orr Dunkelman 1,2 and Adi Shamir 1 1 Computer Science department, The Weizmann Institute, Rehovot, Israel 2 Computer Science Department, University
More informationLinear Analysis of Reduced-Round CubeHash
Linear Analysis of Reduced-Round CubeHash Tomer Ashur and Orr Dunkelman, Faculty of Mathematics and Computer Science Weizmann Institute of Science P.O. Box, Rehovot 00, Israel tomerashur@gmail.com Computer
More informationAlgebraic Aspects of Symmetric-key Cryptography
Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques
More informationHow Fast can be Algebraic Attacks on Block Ciphers?
How Fast can be Algebraic Attacks on Block Ciphers? Nicolas T. Courtois Axalto mart Cards, 36-38 rue de la Princesse BP 45, 78430 Louveciennes Cedex, France http://www.nicolascourtois.net courtois@minrank.org
More informationIndifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6
Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6 Yevgeniy Dodis 1, Leonid Reyzin 2, Ronald L. Rivest 3, and Emily Shen 3 1 New
More informationThe ANF of the Composition of Addition and Multiplication mod 2 n with a Boolean Function
The ANF of the Composition of Addition and Multiplication mod 2 n with a Boolean Function An Braeken 1 and Igor Semaev 2 1 Department Electrical Engineering, ESAT/COSIC, Katholieke Universiteit Leuven,
More informationCryptanalysis of the Light-Weight Cipher A2U2 First Draft version
Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Mohamed Ahmed Abdelraheem, Julia Borghoff, Erik Zenner Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark {M.A.Abdelraheem,J.Borghoff,E.Zenner}@mat.dtu.dk
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura, Anne Canteaut, Christophe De Cannière To cite this version: Christina Boura, Anne Canteaut, Christophe De Cannière. Higher-order
More informationAlgebraic, AIDA/Cube and Side Channel Analysis of KATAN Family of Block Ciphers
Algebraic, AIDA/Cube and Side Channel Analysis of KATAN Family of Block Ciphers Gregory V. Bard 1, Nicolas T. Courtois 2, Jorge Nakahara Jr 3, Pouyan Sepehrdad 3, and Bingsheng Zhang 4 1 Fordham University,
More informationEtude d hypothèses algorithmiques et attaques de primitives cryptographiques
Etude d hypothèses algorithmiques et attaques de primitives cryptographiques Charles Bouillaguet École normale supérieure Paris, France Ph.D. Defense September 26, 2011 Introduction Modes of Operation
More informationPreimage Attacks on 3, 4, and 5-Pass HAVAL
Preimage Attacks on 3, 4, and 5-Pass HAVAL Yu Sasaki and Kazumaro Aoki NTT, 3-9-11 Midoricho, Musashino-shi, Tokyo, 180-8585 Japan Abstract. This paper proposes preimage attacks on hash function HAVAL
More informationCollision Attack on Boole
Collision Attack on Boole Florian Mendel, Tomislav Nad and Martin Schläffer Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology, Inffeldgasse 16a, A-8010
More information