A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones
|
|
- Lillian Anis Dennis
- 5 years ago
- Views:
Transcription
1 A Low Data Complexity Attack on the GMR-2 Cipher Used in the atellite Phones Ruilin Li, Heng Li, Chao Li, Bing un National University of Defense Technology, Changsha, China FE 2013, ingapore 11 th ~13 th March, 2013
2 Outline Backgrounds and the GMR-2 Cipher Revisit the Component of the GMR-2 Cipher The Low Data Complexity Attack Experimental Result Conclusion 2
3 Outline Backgrounds and the GMR-2 Cipher Revisit each Component of the GMR-2 Cipher The Low Data Complexity Attack Experimental Result Conclusion 3
4 Backgrounds and the GMR-2 Cipher Mobile communication systems have revolutionized the way we interact with each other GM, UMT, CDMA2000, 3GPP LTE When do we need satellite based mobile system? In some special cases researchers on a field trip in a desert crew on ships on open sea people living in remote areas or areas that are affected by a natural disaster
5 Backgrounds and the GMR-2 Cipher What is GMR? GMR stands for GEO-Mobile Radio GEO stands for Geostationary Earth Orbit Design heavily inspired from GM 5
6 Backgrounds and the GMR-2 Cipher Two major GMR tandards GMR-1 (de-facto standard, Thuraya etc) GMR-2 (Inmarsat and AcE) How to protect the security of the communication in GMR system? Using symmetric cryptography Both the authentication and encryption are similar as that of GM A3/A5 algorithms. 6
7 Backgrounds and the GMR-2 Cipher Encryption Algorithms in GMR tream ciphers Reconstructed by Driessen et al. GMR-1 Cipher Based on A5/2 of GM Totally broken by ciphertext-only attack GMR-2 Cipher New design strategy Can be broken by known-plaintext attack Read-collision based technique 7
8 Backgrounds and the GMR-2 Cipher In this talk, we focus on GMR-2 stream cipher Revisit components of the GMR-2 cipher Propose dynamic guess and determine strategy Present a low data complexity attack
9 Outline Backgrounds and the GMR-2 Cipher Revisit each Component of the GMR-2 Cipher The Low Data Complexity Attack Experimental Result Conclusion 9
10 Revisit each Component of the GMR-2 Cipher Encryption mechanism of the GMR-2 cipher Data are divided into frames identified by the frame number with 22-bits New frame is re-initialized Each frame contains 120-bit (15-byte) Parameters of the GMR-2 cipher Key length: 6-bit (ession key) IV length: 22-bit (Frame number) Key stream bits length within a frame: 120-bit 10
11 Revisit each Component of the GMR-2 Cipher K t 1 c 3 F G 6 H 6 Z l s 7 s 6 s 1 s 0 An overview on the GMR-2 cipher -byte shift register, a 3-bit counter c, and a toggle bit t byte-oriented, three major components p F combines two bytes of session key with previous output G is a linear function for mixing purpose consists two DE boxes as a nonlinear filter H 11
12 Revisit each Component of the GMR-2 Cipher K t t 2 >>> O 0 c K 0 K 1 K 2 K 3 K K 5 K 6 K 7 t1 a Å O 1 Å The component F At the l-th clock, the input -byte array holding the session key K, read from two sides. a counter c ranging from 0 to 7 sequentially and repeatedly. a toggle bit t=c mod 2. p the previous key stream byte p=z l-1 12
13 Revisit each Component of the GMR-2 Cipher K t t 2 >>> O 0 c K 0 K 1 K 2 K 3 K K 5 K 6 K 7 t1 a Å O 1 Å The component F The lower side outputs K c with the help of the counter c. The upper output depends on the lower output K c, the previous key stream byte p and the toggle bit t. t 1 t 2 maps -bit to 3-bit which select the upper output. maps 3-bit to 3-bit which determine the rotation. p 13
14 Revisit each Component of the GMR-2 Cipher K t t 2 >>> O 0 c K 0 K 1 K 2 K 3 K K 5 K 6 K 7 t1 a Å O 1 Å The F component The output is 1 p ìï O0 = Kt1 ( a ) t 2 ( t1( a)) í ïî O = ((( K Å p)? ) & 0xF) Å (( K Å p) & 0xF) c ì( Kc Å p) & 0xF, if t = 0 a = í î (( Kc Å p)? ) & 0xF, if t = 1 c 1
15 Revisit each Component of the GMR-2 Cipher O 0 B 1 O 0 6 B 1 O 1 B 3 Å B 2 B 2 6 O 1 The G 0 component ìb1 :( x3, x2, x1, x0) a( x3 Å x0, x3 Å x2 Å x0, x3, x1 ); ï íb2 :( x3, x2, x1, x0) a( x1, x3, x0, x2); ï îb3 :( x3, x2, x1, x0 ) a( x2, x0, x3 Å x1 Å x0, x3 Å x0). 15
16 Revisit each Component of the GMR-2 Cipher t O 0 O Z l The 5 H Z l component ì( 2( O 1), 6( O 0)) if t = 0 = í î( 2( O 0), 6( O 1)) if t = 1 where and are the two sboxes of DE. Assume the input of 2 6 is ( x, x, x, x, x, x ), then ( x, x ) selects the row index, and ( x, x, x, x ) selects the column index
17 Revisit each Component of the GMR-2 Cipher F G H Initialization Mode et c=0, t=0, and initialize with frame number N -byte key is written into the resister in Clock the cipher times and discard the output Z l 17 F
18 Revisit each Component of the GMR-2 Cipher F G H Generation Mode For each frame number N, further clock the cipher 15 times, and the output keystream is Z l Z = ( Z, Z, L, Z ; Z, Z, LZ ; Z, L) (0) (0) (0) (1) (1) (1) (2) ( N) denotes the l-th byte of keystream generated after 1 initialization with N
19 Revisit each Component of the GMR-2 Cipher Property of F If p is known, then we can get the value of a only by the most/least significant four bits of K c K ì( Kc Å p) & 0xF, if t = 0 a = í î (( Kc Å p)? ) & 0xF, if t = 1 t t 2 >>> O 0 c K 0 K 1 K 2 K 3 K K 5 K 6 K 7 t1 a Å O 1 Å 19 p
20 Revisit each Component of the GMR-2 Cipher Property of H We can invert 2 / Given the row index and the output, the column index can be uniquely obtained. 6 Given the column index and the output, the row index can be uniquely obtained, except for 6 when the column index is and the output is 9, the row index can be either 0 or 3. Given the outputs of both -boxes, there will be 16 possible inputs. O 0 2 Z l O
21 Revisit each Component of the GMR-2 Cipher Property of G The key point The links between the input and output of the component can be expressed by a well-structured matrix G O 0 B 1 O 0 6 B 1 O 1 B 3 Å B 2 B 2 6 O
22 ' æ O ö 0, 5 æ O 0, 7 ö ' , 5 ç O 0, é ù æ ö ê O ' ú ç 0, 6 ç 0, 7 ç O 0, 3 ê ú ç ç ' ê O ç 0, 5 ú ç 0, ç O 0, 2 ê ú ç O 0, ç ç ' ê ç O 1, 5 ê ú 0, ú ç O 0, 3 ç 0,1 ç ' O ê ú 1, ê O ú ' = ç 0, 2 0, 3 ç O ê úg ç 1, 3 ê O Å ç 0,1 ú 0, 0 ç ' ç O ê ú ç O 1, 2 0, 0 ç ê ú 0, 2 ' ç O 0,1 ê O ú ç 1, 3 ç 0 ê ú ç ' ç O O ç 1, 2 0 0, 0 ê ú ç ' ê ú ç O 1,1 ç 0 ç O 1,1 ê ë ú û ç ç ç ' O 0 1, 0 è ø è O è ø 1, 0 ø 22
23 ' æ O ö 0, 5 æ O 0, 7 ö ' , 5 ç O 0, é ù æ ö ê O ' ú ç 0, 6 ç 0, 7 ç O 0, 3 ê ú ç ç ' ê O ç 0, 5 ú ç 0, ç O 0, 2 ê ú ç O 0, ç ç ' ê ç O 1, 5 ê ú 0, ú ç O 0, 3 ç 0,1 ç ' O ê ú 1, ê O ú ' = ç 0, 2 0, 3 ç O ê úg ç 1, 3 ê O Å ç 0,1 ú 0, 0 ç ' ç O ê ú ç O 1, 2 0, 0 ç ê ú 0, 2 ' ç O 0,1 ê O ú ç 1, 3 ç 0 ê ú ç ' ç O O ç 1, 2 0 0, 0 ê ú ç ' ê ú ç O 1,1 ç 0 ç O 1,1 ê ë ú û ç ç ç ' O 0 1, 0 è ø è O è ø 1, 0 ø 23
24 ' æ O ö 0, 5 æ O 0, 7 ö ' , 5 ç O 0, é ù æ ö ê O ' ú ç 0, 6 ç 0, 7 ç O 0, 3 ê A ú ç ç ' ê O ç 0, 5 ú 0, y 1 ç O 0, 2 ê ú ç O 0, x ç ' ê ç O 1, 5 ê ú 0, ú ç O 0, 3 ç 0,1 ç ' O ê ú 1, ê O ú ' = ç 0, 2 0, 3 ç O ê A úg ç 1, 3 ê O Å ç 0,1 ú 0, 0 ç ' ç O ê ú ç O 1, 2 0, 0 ç ê ú 0, 2 ' ç O 0,1 ê O ú ç 1, 3 ç 0 ê ú ç ' ç O O ç 1, 2 0 y 0, 0 ê ú 2 B ç ' ê ú ç O x 1,1 ç 0 ç O 1,1 ê ë ú 2 û ç ç ç ' O 0 1, 0 è ø è O è ø 1, 0 ø v 1 v 2 2
25 Revisit each Component of the GMR-2 Cipher Three linear systems 25
26 Revisit each Component of the GMR-2 Cipher Another linear system Let then thus from we obtain 26
27 Revisit each Component of the GMR-2 Cipher ì y = W x Å v ï y1 = W1 x1 Å v1 ï íy 2 = W2 x2 Å v2 ï y = W kh Å W k l Å W2 u Å v ï ï î x1 = K t ( ( )) 1 ( a t t a ) 2 1 W, W, W, v, v, v u are known values Given x ( x i ), we can obtain y( y i ), and vice vera. Given y 1,a, we can get x 1, K t, and vice vera. 1 ( a ) y1 selects the column index of the -box and y2 selects the row index. 27
28 Revisit each Component of the GMR-2 Cipher K t ( a ) \ t ( t ( a)) ' Kc Å p F G H Kc Å p K t ( a ) \ t ( t ( a)) K t ( a ) \ t ( t ( a))
29 Revisit each Component of the GMR-2 Cipher K t ( a ) \ t ( t ( a)) Kc Å p x 1 x 2 F G H ' Kc Å p K t ( a ) \ t ( t ( a)) K t ( a ) \ t ( t ( a))
30 Revisit each Component of the GMR-2 Cipher y 1 K t ( a ) \ t ( t ( a)) Kc Å p x 1 x 2 y 2 F G H ' Kc Å p K t ( a ) \ t ( t ( a)) K t ( a ) \ t ( t ( a))
31 Outline Backgrounds and the GMR-2 Cipher Revisit each Component of the GMR-2 Cipher The Low Data Complexity Attack Experimental Result Conclusion 31
32 The Low Data Complexity Attack Known-plaintext attack From keystream bits to recover the session key Guess and Determine Guess -Determine -Verify The Guessed and Determined Parts of the internal state are known in prior before applying the attack Dynamic Guess and Determine Dynamically Guess and Determine Dynamically Check the candidate by backtracking 32
33 The Low Data Complexity Attack Basic Analysis How these three components interact each other The linear transformation G plays a central role ince p and 0 must be known to us, we should analyze the cipher at the (c+)th-clock ( 0 c 6) in the keystream generation phase. K t ( a ) \ t ( t ( a)) Kc Å p F 0 G H 6 6 ' Z c + 33
34 The Low Data Complexity Attack K t ( a ) \ t ( t ( a)) Kc Å p F 0 G H 6 6 ' Z c + Rule 1 Let K = ( k, k ), assume c is odd, and given a guessed value for k, if c = t ( a), c then using the theory of linear consistence test, k has no solution or can be determined by Z h l h ( N ) c+ l ; imilarly,assume c is even,and given a guessed value for k, ( N ) if c = t1( a ), then kh has no solution or can be determined by Z c l
35 The Low Data Complexity Attack K t ( a ) \ t ( t ( a)) Kc Å p F 0 G H 6 6 ' Z c + Rule 2 Let K = ( k, k ),and given guessed values for K and k, then k can be c h l t ( a ) h l determined by Z ; imilarly, given guessed values for K and k, then k can be determined by Z. ( N ) c+ t ( a ) ( N ) c+ 1 1 l h 35
36 The Low Data Complexity Attack K t ( a ) \ t ( t ( a)) Kc Å p F 0 G H 6 6 ' Z c + Rule 3 Given a guessed value for K, if t ( a) ¹ c, then K can be determined by Z. ( N ) c+ c 1 t ( a ) 1 36
37 The Low Data Complexity Attack K t ( a ) \ t ( t ( a)) Kc Å p F 0 G H 6 6 ' Z c + Rule Given guessed values for Kc and K t a, then we can determine whether those guessed values are wrong. 1 ( ) 37
38 The Low Data Complexity Attack Attack Procedure Capture a frame of keystream bits (15-byte) ( (0) (0) (0) (0) (0) Z ) 0, Z1, ¼, Z7, Z, ¼, Z1 Apply Guess-and-Determine Attack on ~1th clock Define a index set G, and initialized with G = Æ G saves the indices for the session key that has been known Analyzing the cipher at the (c+)-th clock sequentially Calculate t, c, p, 0, judge whether c ÎG Adopt Rule 1~ Rule to perform the attack A little boring, see the full version paper 3
39 The Low Data Complexity Attack Complexity analysis Data Comp. A frame of Data (15-byte keystream) The last 7 bytes used for guess-and-determine The first bytes used for verification Time Comp. When guessing /-bit, we will determine /-bit The 6-bit session key can be obtained by guessing at most 32-bit Rough estimation, seems hard to obtain exact analysis Experimental results are a little better, about 2 2 exhaustive search 39
40 Outline Backgrounds and the GMR-2 Cipher Revisit each Component of the GMR-2 Cipher The Low Data Complexity Attack Experimental Result Conclusion 0
41 Experimental Result 1000 Experimental Results with Random IV and ession Key 1
42 Experimental Result ome explanations Operated on a 3.2 GHz laptop Non-optimized realization 700 seconds on average 50 seconds for deducing candidates 120 seconds for exhaustive search 2
43 Outline Backgrounds and the GMR-2 Cipher Revisit each Component of the GMR-2 Cipher The Low Data Complexity Attack Experimental Result Conclusion 3
44 Conclusion We perform a security analysis of the GMR-2 cipher Revisit the components of GMR-2 cipher Propose dynamic guess and determine strategy Present a low data complexity attack The design methodology of the GMR-2 cipher is far from what is state of the art in stream ciphers Be careful when using the atellite phones
45 Thanks for your Attention! Q & A 5
A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones
A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones Ruilin Li 1, Heng Li 2, Chao Li 2, and Bing Sun 2 1 School of Electronic Science and Engineering, National University of Defence
More informationORYX. ORYX not an acronym, but upper case Designed for use with cell phones. Standard developed by. Cipher design process not open
ORYX ORYX 1 ORYX ORYX not an acronym, but upper case Designed for use with cell phones o To protect confidentiality of voice/data o For data channel, not control channel o Control channel encrypted with
More informationAlternative Approaches: Bounded Storage Model
Alternative Approaches: Bounded Storage Model A. Würfl 17th April 2005 1 Motivation Description of the Randomized Cipher 2 Motivation Motivation Description of the Randomized Cipher Common practice in
More informationF O R SOCI AL WORK RESE ARCH
7 TH EUROPE AN CONFERENCE F O R SOCI AL WORK RESE ARCH C h a l l e n g e s i n s o c i a l w o r k r e s e a r c h c o n f l i c t s, b a r r i e r s a n d p o s s i b i l i t i e s i n r e l a t i o n
More informationImproved Cascaded Stream Ciphers Using Feedback
Improved Cascaded Stream Ciphers Using Feedback Lu Xiao 1, Stafford Tavares 1, Amr Youssef 2, and Guang Gong 3 1 Department of Electrical and Computer Engineering, Queen s University, {xiaolu, tavares}@ee.queensu.ca
More informationBlock vs. Stream cipher
Block vs. Stream cipher Idea of a block cipher: partition the text into relatively large (e.g. 128 bits) blocks and encode each block separately. The encoding of each block generally depends on at most
More informationPKZIP. PKZIP Stream Cipher 1
PKZIP PKZIP Stream Cipher 1 PKZIP Phil Katz s ZIP program Katz invented zip file format o ca 1989 Before that, Katz created PKARC utility o ARC compression was patented by SEA, Inc. o SEA successfully
More informationDistinguishing Attack on Common Scrambling Algorithm
410 The International Arab Journal of Information Technology, Vol. 12, No. 4, July 2015 Distinguishing Attack on Common Scrambling Algorithm Kai Zhang and Jie Guan Zhengzhou Information Science and Technology
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under
More informationDependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA
Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Sourav Sen Gupta 1 Subhamoy Maitra 1 Willi Meier 2 Goutam Paul 1 Santanu Sarkar 3 Indian Statistical Institute, India FHNW, Windisch,
More informationSOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies
SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by
More informationCryptanalysis of the Stream Cipher ABC v2
Cryptanalysis of the Stream Cipher ABC v2 Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium {wu.hongjun,bart.preneel}@esat.kuleuven.be
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationNew Observation on Camellia
New Observation on Camellia Duo ei 1,iChao 2,andeqinFeng 3 1 Department of cience, National University of Defense Technology, Changsha, China Duoduolei@163.com 2 Department of cience, National University
More informationCryptography Lecture 4 Block ciphers, DES, breaking DES
Cryptography Lecture 4 Block ciphers, DES, breaking DES Breaking a cipher Eavesdropper recieves n cryptograms created from n plaintexts in sequence, using the same key Redundancy exists in the messages
More informationAnalysis of Modern Stream Ciphers
Analysis of Modern Stream Ciphers Josef Pieprzyk Centre for Advanced Computing Algorithms and Cryptography, Macquarie University, Australia CANS - Singapore - December 2007 estream Outline 1. estream Project
More informationRecent Cryptanalysis of RC4 Stream Cipher
28 August, 2013 ASK 2013 @ Weihai, China Recent Cryptanalysis of RC4 Stream Cipher Takanori Isobe Kobe University Joint work with Toshihiro Ohigashi, Yuhei Watanabe, and Maskatu Morii Agenda This talk
More informationFirst-Order DPA Attack Against AES in Counter Mode w/ Unknown Counter. DPA Attack, typical structure
Josh Jaffe CHES 2007 Cryptography Research, Inc. www.cryptography.com 575 Market St., 21 st Floor, San Francisco, CA 94105 1998-2007 Cryptography Research, Inc. Protected under issued and/or pending US
More informationOn the Design of Trivium
On the Design of Trivium Yun Tian, Gongliang Chen, Jianhua Li School of Information Security Engineering, Shanghai Jiaotong University, China ruth tian@sjtu.edu.cn, chengl@sjtu.edu.cn, lijh888@sjtu.edu.cn
More informationClassical Cryptography
Classical Cryptography CSG 252 Fall 2006 Riccardo Pucella Goals of Cryptography Alice wants to send message X to Bob Oscar is on the wire, listening to communications Alice and Bob share a key K Alice
More informationDifferential Fault Analysis on DES Middle Rounds
Differential Fault Analysis on DES Middle Rounds Matthieu Rivain Speaker: Christophe Giraud Oberthur Technologies Agenda 1 Introduction Data Encryption Standard DFA on DES Last & Middle Rounds 2 Our Attack
More informationarxiv:nlin/ v1 [nlin.cd] 10 Aug 2006
Cryptanalysis of a chaotic block cipher with external key and its improved version arxiv:nlin/0608020v1 [nlin.cd] 10 Aug 2006 Chengqing Li a,, Shujun Li b,, Gonzalo Álvarezc, Guanrong Chen a and Kwok-Tung
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationAlgebraic Immunity of S-boxes and Augmented Functions
Algebraic Immunity of S-boxes and Augmented Functions Simon Fischer and Willi Meier S. Fischer and W. Meier AI of Sbox and AF 1 / 23 Outline 1 Algebraic Properties of S-boxes 2 Augmented Functions 3 Application
More informationCellular Automata in Cryptography" Information Security Group,Royal Holloway, Abstract The cipher systems based on Cellular Automata proposed by Nandi
Comments on \Theory and Applications of Cellular Automata in Cryptography" S.R. Blackburn, S. Murphy y and K.G. Paterson z Information Security Group,Royal Holloway, University of London, Surrey TW20 0EX,
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationCryptanalysis of PRESENT-like ciphers with secret S-boxes
Cryptanalysis of PRESENT-like ciphers with secret S-boxes Julia Borghoff Lars Knudsen Gregor Leander Søren S. Thomsen DTU, Denmark FSE 2011 Cryptanalysis of Maya Julia Borghoff Lars Knudsen Gregor Leander
More informationA Forgery Attack on the Candidate LTE Integrity Algorithm 128-EIA3 (updated version)
A Forgery Attack on the Candidate LTE Integrity Algorithm 128-EIA3 (updated version) Thomas Fuhr, Henri Gilbert, Jean-René Reinhard, and Marion Videau ANSSI, France Abstract In this note we show that the
More informationBreaking the F-FCSR-H Stream Cipher in Real Time
Breaking the F-FCSR-H Stream Cipher in Real Time Martin Hell and Thomas Johansson Dept. of Electrical and Information Technology, Lund University, P.O. Box 118, 221 00 Lund, Sweden Abstract. The F-FCSR
More informationOn Stream Ciphers with Small State
ESC 2017, Canach, January 16. On Stream Ciphers with Small State Willi Meier joint work with Matthias Hamann, Matthias Krause (University of Mannheim) Bin Zhang (Chinese Academy of Sciences, Beijing) 1
More informationLinear Approximations for 2-round Trivium
Linear Approximations for 2-round Trivium Meltem Sönmez Turan 1, Orhun Kara 2 1 Institute of Applied Mathematics, Middle East Technical University Ankara, Turkey msonmez@metu.edu.tr 2 TUBITAK-UEKAE, Gebze,
More informationExercise Sheet Cryptography 1, 2011
Cryptography 1 http://www.cs.ut.ee/~unruh/crypto1-11/ Exercise Sheet Cryptography 1, 2011 Exercise 1 DES The Data Encryption Standard (DES) is a very famous and widely used block cipher. It maps 64-bit
More informationKlein s and PTW Attacks on WEP
TTM4137 Wireless Security Klein s and PTW Attacks on WEP Anton Stolbunov NTNU, Department of Telematics version 1, September 7, 2009 Abstract These notes should help for an in-depth understanding of the
More informationAkelarre. Akelarre 1
Akelarre Akelarre 1 Akelarre Block cipher Combines features of 2 strong ciphers o IDEA mixed mode arithmetic o RC5 keyed rotations Goal is a more efficient strong cipher Proposed in 1996, broken within
More informationRC4 State Information at Any Stage Reveals the Secret Key
RC4 State Information at Any Stage Reveals the Secret Key Goutam Paul Department of Computer Science and Engineering, Jadavpur University, Kolkata 700 032, India, Email: goutam paul@cse.jdvu.ac.in Subhamoy
More informationA block cipher enciphers each block with the same key.
Ciphers are classified as block or stream ciphers. All ciphers split long messages into blocks and encipher each block separately. Block sizes range from one bit to thousands of bits per block. A block
More informationDifferential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy
Differential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium wu.hongjun,bart.preneel@esat.kuleuven.be
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationJoint Research Centre
Joint Research Centre the European Commission's in-house science service Serving society Stimulating innovation Supporting legislation Improved Cryptanalysis of the DECT Standard Cipher Iwen Coisel, Ignacio
More informationStream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden
Dept. of EIT, Lund University, P.O. Box 118, 221 00 Lund, Sweden thomas@eit.lth.se May 16, 2011 Outline: Introduction to stream ciphers Distinguishers Basic constructions of distinguishers Various types
More informationCHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER
177 CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER 178 12.1 Introduction The study of cryptography of gray level images [110, 112, 118] by using block ciphers has gained considerable
More informationHow Fast can be Algebraic Attacks on Block Ciphers?
How Fast can be Algebraic Attacks on Block Ciphers? Nicolas T. Courtois Axalto mart Cards, 36-38 rue de la Princesse BP 45, 78430 Louveciennes Cedex, France http://www.nicolascourtois.net courtois@minrank.org
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES
CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.
More informationAlgebraic Attack Against Trivium
Algebraic Attack Against Trivium Ilaria Simonetti, Ludovic Perret and Jean Charles Faugère Abstract. Trivium is a synchronous stream cipher designed to provide a flexible trade-off between speed and gate
More informationPrivate-key Systems. Block ciphers. Stream ciphers
Chapter 2 Stream Ciphers Further Reading: [Sim92, Chapter 2] 21 Introduction Remember classication: Private-key Systems Block ciphers Stream ciphers Figure 21: Private-key cipher classication Block Cipher:
More informationACORN: A Lightweight Authenticated Cipher (v3)
ACORN: A Lightweight Authenticated Cipher (v3) Designer and Submitter: Hongjun Wu Division of Mathematical Sciences Nanyang Technological University wuhongjun@gmail.com 2016.09.15 Contents 1 Specification
More informationA Byte-Based Guess and Determine Attack on SOSEMANUK
A Byte-Based Guess and Determine Attack on SOSEMANUK Xiutao Feng, Jun Liu, Zhaocun Zhou, Chuankun Wu and Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy
More informationCryptanalysis of a computer cryptography scheme based on a filter bank
NOTICE: This is the author s version of a work that was accepted by Chaos, Solitons & Fractals in August 2007. Changes resulting from the publishing process, such as peer review, editing, corrections,
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More informationIntroduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES
CSC/ECE 574 Computer and Network Security Topic 3.1 Secret Key Cryptography Algorithms CSC/ECE 574 Dr. Peng Ning 1 Outline Introductory Remarks Feistel Cipher DES AES CSC/ECE 574 Dr. Peng Ning 2 Introduction
More informationSol: First, calculate the number of integers which are relative prime with = (1 1 7 ) (1 1 3 ) = = 2268
ò{çd@àt ø 2005.0.3. Suppose the plaintext alphabets include a z, A Z, 0 9, and the space character, therefore, we work on 63 instead of 26 for an affine cipher. How many keys are possible? What if we add
More informationSolutions to the Midterm Test (March 5, 2011)
MATC16 Cryptography and Coding Theory Gábor Pete University of Toronto Scarborough Solutions to the Midterm Test (March 5, 2011) YOUR NAME: DO NOT OPEN THIS BOOKLET UNTIL INSTRUCTED TO DO SO. INSTRUCTIONS:
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationa fast correlation attack implementation
university of cape town a fast correlation attack implementation Honours Project 2011 Azhar Desai supervisors Dr Anne Kayem Dr Christine Swart Abstract Stream ciphers are used to encrypt data on devices
More informationStream Ciphers: Cryptanalytic Techniques
Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and Information Technology. Lund University, Sweden ECRYPT Summer school 2007 (Lund University) Stream Ciphers: Cryptanalytic
More informationVMPC One-Way Function and Stream Cipher
VMPC One-Way Function and Stream Cipher Bartosz Zoltak http://www.vmpcfunction.com bzoltak@vmpcfunction.com This paper was presented at FSE 04, Delhi, India, 5-7.FEB.2004 Copyright by IACR Abstract. A
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li, Bing Sun, Chao Li, Longjiang Qu National University of Defense Technology, Changsha, China ACISP 2010, Sydney, Australia 5
More informationFFT-Based Key Recovery for the Integral Attack
FFT-Based Key Recovery for the Integral Attack Yosuke Todo NTT Secure Platform Laboratories Abstract. The integral attack is one of the most powerful attack against block ciphers. In this paper, we propose
More informationDan Boneh. Stream ciphers. The One Time Pad
Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationStructural Cryptanalysis of SASAS
tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which
More informationAutomatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)
Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version) Shengbao Wu 1,2, Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190,
More informationFast Correlation Attacks: an Algorithmic Point of View
Fast Correlation Attacks: an Algorithmic Point of View Philippe Chose, Antoine Joux, and Michel Mitton DCSSI, 18 rue du Docteur Zamenhof F-92131 Issy-les-Moulineaux cedex, France Philippe.Chose@ens.fr,
More informationBlock Ciphers and Feistel cipher
introduction Lecture (07) Block Ciphers and cipher Dr. Ahmed M. ElShafee Modern block ciphers are widely used to provide encryption of quantities of information, and/or a cryptographic checksum to ensure
More informationTruncated differential cryptanalysis of five rounds of Salsa20
Truncated differential cryptanalysis of five rounds of Salsa20 Paul Crowley 17th October 2005 Abstract We present an attack on Salsa20 reduced to five of its twenty rounds. This attack uses many clusters
More informationCODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.
CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES A selection of the following questions will be chosen by the lecturer to form the Cryptology Assignment. The Cryptology Assignment is due by 5pm Sunday 1
More informationLow Complexity Differential Cryptanalysis and Fault Analysis of AES
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low
More informationSymmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)
Symmetric Ciphers Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5) Symmetric Cryptography C = E(P,K) P = D(C,K) Requirements Given C, the only way to obtain P should be with the knowledge of K Any
More informationSome New Weaknesses in the RC4 Stream Cipher
Some ew Weaknesses in the RC4 Stream Cipher Jing Lv (B), Bin Zhang, and Dongdai Lin 2 Laboratory of Trusted Computing and Information Assurance, Institute of Software, Chinese Academy of Sciences, 0090
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationT i t l e o f t h e w o r k : L a M a r e a Y o k o h a m a. A r t i s t : M a r i a n o P e n s o t t i ( P l a y w r i g h t, D i r e c t o r )
v e r. E N G O u t l i n e T i t l e o f t h e w o r k : L a M a r e a Y o k o h a m a A r t i s t : M a r i a n o P e n s o t t i ( P l a y w r i g h t, D i r e c t o r ) C o n t e n t s : T h i s w o
More informationImplementation Tutorial on RSA
Implementation Tutorial on Maciek Adamczyk; m adamczyk@umail.ucsb.edu Marianne Magnussen; mariannemagnussen@umail.ucsb.edu Adamczyk and Magnussen Spring 2018 1 / 13 Overview Implementation Tutorial Introduction
More informationOvertaking VEST. 45, avenue des États-Unis, Versailles Cedex, France 3 DCSSI Crypto Lab
Overtaking VEST Antoine Joux 1,2 and Jean-René Reinhard 3 1 DGA 2 Université de Versailles St-Quentin-en-Yvelines, PRISM 45, avenue des États-Unis, 78035 Versailles Cedex, France antoine.joux@m4x.org 3
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationMulti-Map Orbit Hopping Chaotic Stream Cipher
Multi-Map Orbit Hopping Chaotic Stream Cipher Xiaowen Zhang 1, Li Shu 2, Ke Tang 1 Abstract In this paper we propose a multi-map orbit hopping chaotic stream cipher that utilizes the idea of spread spectrum
More informationChosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers
Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers Simon Fischer 1, Shahram Khazaei 2, and Willi Meier 1 1 FHNW and 2 EPFL (Switzerland) AfricaCrypt 2008, Casablanca - June 11-14
More informationLecture 4: DES and block ciphers
Lecture 4: DES and block ciphers Johan Håstad, transcribed by Ernir Erlingsson 2006-01-25 1 DES DES is a 64 bit block cipher with a 56 bit key. It selects a 64 bit block and modifies it depending on the
More informationCryptanalysis of Achterbahn
Cryptanalysis of Achterbahn Thomas Johansson 1, Willi Meier 2, and Frédéric Muller 3 1 Department of Information Technology, Lund University P.O. Box 118, 221 00 Lund, Sweden thomas@it.lth.se 2 FH Aargau,
More informationFast Correlation Attacks: An Algorithmic Point of View
Fast Correlation Attacks: An Algorithmic Point of View Philippe Chose, Antoine Joux, and Michel Mitton DCSSI, 18 rue du Docteur Zamenhof, F-92131 Issy-les-Moulineaux cedex, France, Philippe.Chose@ens.fr,
More informationDPA-Resistance without routing constraints?
Introduction Attack strategy Experimental results Conclusion Introduction Attack strategy Experimental results Conclusion Outline DPA-Resistance without routing constraints? A cautionary note about MDPL
More informationCryptanalysis of a Multistage Encryption System
Cryptanalysis of a Multistage Encryption System Chengqing Li, Xinxiao Li, Shujun Li and Guanrong Chen Department of Mathematics, Zhejiang University, Hangzhou, Zhejiang 310027, China Software Engineering
More information7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks
More informationCryptanalysis of the Light-Weight Cipher A2U2 First Draft version
Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Mohamed Ahmed Abdelraheem, Julia Borghoff, Erik Zenner Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark {M.A.Abdelraheem,J.Borghoff,E.Zenner}@mat.dtu.dk
More informationBreaking an encryption scheme based on chaotic Baker map
Breaking an encryption scheme based on chaotic Baker map Gonzalo Alvarez a, and Shujun Li b a Instituto de Física Aplicada, Consejo Superior de Investigaciones Científicas, Serrano 144 28006 Madrid, Spain
More informationDivision Property: a New Attack Against Block Ciphers
Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption
More informationLecture 10-11: General attacks on LFSR based stream ciphers
Lecture 10-11: General attacks on LFSR based stream ciphers Thomas Johansson T. Johansson (Lund University) 1 / 23 Introduction z = z 1, z 2,..., z N is a known keystream sequence find a distinguishing
More informationCryptanalysis of the Full Spritz Stream Cipher
Cryptanalysis of the Full Spritz Stream Cipher Subhadeep Banik 1,2 and Takanori Isobe 3 1 School of Physical and Mathematical Sciences, NTU 2 DTU Compute, Technical University of Denmark, Lungby 3 Sony
More informationCorrelated Keystreams in Moustique
Correlated Keystreams in Moustique Emilia Käsper 1, Vincent Rijmen 1,3, Tor E. Bjørstad 2, Christian Rechberger 3, Matt Robshaw 4 and Gautham Sekar 1 1 K.U.Leuven, ESAT-COSIC 2 The Selmer Center, University
More informationQuasigroups and stream cipher Edon80
Department of Algebra, Charles University in Prague June 3, 2010 Stream cipher Edon80 Edon80 is a binary additive stream cipher Input stream m i ( c i ) K Edon80 KEYSTREAM GENERATOR k i Output stream c
More informationSecurity of the SMS4 Block Cipher Against Differential Cryptanalysis
Su BZ, Wu WL, Zhang WT. Security of the SMS4 block cipher against differential cryptanalysis. JOURNAL OF COM- PUTER SCIENCE AND TECHNOLOGY 26(1): 130 138 Jan. 2011. DOI 10.1007/s11390-011-1116-9 Security
More informationSequences, DFT and Resistance against Fast Algebraic Attacks
Sequences, DFT and Resistance against Fast Algebraic Attacks Guang Gong Department of Electrical and Computer Engineering University of Waterloo Waterloo, Ontario N2L 3G1, CANADA Email. ggong@calliope.uwaterloo.ca
More informationSecurity Evaluation of Stream Cipher Enocoro-128v2
Security Evaluation of Stream Cipher Enocoro-128v2 Hell, Martin; Johansson, Thomas 2010 Link to publication Citation for published version (APA): Hell, M., & Johansson, T. (2010). Security Evaluation of
More informationImplementation of the RSA algorithm and its cryptanalysis. Abstract. Introduction
Implementation of the RSA algorithm and its cryptanalysis Chandra M. Kota and Cherif Aissi 1 University of Louisiana at Lafayette, College of Engineering Lafayette, LA 70504, USA Abstract Session IVB4
More informationTowards Provable Security of Substitution-Permutation Encryption Networks
Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,
More informationAlgebraic Attacks and Stream Ciphers
November 25 th, 24 Algebraic Attacks and Stream Ciphers Helsinki University of Technology mkivihar@cc.hut.fi Overview Stream ciphers and the most common attacks Algebraic attacks (on LSFR-based ciphers)
More informationCryptanalysis of the Bluetooth Stream Cipher
1 Cryptanalysis of the Bluetooth Stream Cipher Christophe De Cannière 1, Thomas Johansson 2, and Bart Preneel 1 1 Katholieke Universiteit Leuven, Dept. ESAT, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee,
More information