ORYX. ORYX not an acronym, but upper case Designed for use with cell phones. Standard developed by. Cipher design process not open

Similar documents
PKZIP. PKZIP Stream Cipher 1

A block cipher enciphers each block with the same key.

Classical Cryptography

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

Klein s and PTW Attacks on WEP

Lecture Notes. Advanced Discrete Structures COT S

The Advanced Encryption Standard

Stream Ciphers: Cryptanalytic Techniques

Akelarre. Akelarre 1

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones

On the pseudo-random generator ISAAC

Dan Boneh. Stream ciphers. The One Time Pad

Modern symmetric encryption

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

Cryptanalysis of the Stream Cipher ABC v2

Secret Key: stream ciphers & block ciphers

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Breaking the F-FCSR-H Stream Cipher in Real Time

Private-key Systems. Block ciphers. Stream ciphers

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

Lecture 12: Block ciphers

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Alternative Approaches: Bounded Storage Model

Cryptography 2017 Lecture 2

Symmetric Crypto Systems

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Analysis of Modern Stream Ciphers

Symmetric Crypto Systems

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Cryptanalysis of Hiji-bij-bij (HBB)

Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers

Algebraic Attack Against Trivium

Public-key Cryptography: Theory and Practice

Differential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy

Unpredictable Binary Strings

Exam Security January 19, :30 11:30

CSc 466/566. Computer Security. 5 : Cryptography Basics

CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 4: DES and block ciphers

Cryptanalysis of PRESENT-like ciphers with secret S-boxes

On the Design of Trivium

Algebraic attack on stream ciphers Master s Thesis

Introduction to Cryptography

Real scripts backgrounder 3 - Polyalphabetic encipherment - XOR as a cipher - RSA algorithm. David Morgan

Cryptography Lecture 4 Block ciphers, DES, breaking DES

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Low Complexity Differential Cryptanalysis and Fault Analysis of AES

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Introduction to Cybersecurity Cryptography (Part 4)

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

RC4 State Information at Any Stage Reveals the Secret Key

Introduction to Cybersecurity Cryptography (Part 4)

Introduction. Outline. CSC/ECE 574 Computer and Network Security. Secret Keys or Secret Algorithms? Secrets? (Cont d) Secret Key Cryptography

Recent Cryptanalysis of RC4 Stream Cipher

Security Implications of Quantum Technologies

CPA-Security. Definition: A private-key encryption scheme

Cryptography and Security Midterm Exam

Chosen Plaintext Attacks (CPA)

STREAM CIPHER. Chapter - 3

Attacks on DES , K 2. ) L 3 = R 2 = L 1 f ( R 1, K 2 ) R 4 R 2. f (R 1 = L 1 ) = L 1. ) f ( R 3 , K 4. f (R 3 = L 3

Message Authentication Codes (MACs)

Breaking an encryption scheme based on chaotic Baker map

Block ciphers And modes of operation. Table of contents

Key reconstruction from the inner state of RC4

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

MASKED INVERSION IN GF(2 N ) USING MIXED FIELD REPRESENTATIONS AND ITS EFFICIENT IMPLEMENTATION FOR AES

monoalphabetic cryptanalysis Character Frequencies (English) Security in Computing Common English Digrams and Trigrams Chapter 2

A survey of algebraic attacks against stream ciphers

The LILI-128 Keystream Generator

Number Theory in Cryptography

Solution to Midterm Examination

Lecture 10-11: General attacks on LFSR based stream ciphers

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

New Methods for Cryptanalysis of Stream Ciphers. The Selmer Centre Department of Informatics University of Bergen Norway

Implementation Tutorial on RSA

Processing with Block Ciphers. CSC/ECE 574 Computer and Network Security. Issues (Cont d) Issues for Block Chaining Modes. Electronic Code Book (ECB)

Outline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3

CS 6260 Applied Cryptography

Enigma Marian Rejewski, Jerzy Róz ycki, Henryk Zygalski

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

High-Order Conversion From Boolean to Arithmetic Masking

Differential Fault Analysis of Trivium

Some New Weaknesses in the RC4 Stream Cipher

AES side channel attacks protection using random isomorphisms

Research Proposal for Secure Double slit experiment. Sandeep Cheema Security Analyst, Vichara Technologies. Abstract

Cryptographic Hash Functions

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography Lecture 3. Pseudorandom generators LFSRs

Transcription:

ORYX ORYX 1

ORYX ORYX not an acronym, but upper case Designed for use with cell phones o To protect confidentiality of voice/data o For data channel, not control channel o Control channel encrypted with CMEA Standard developed by o Telecommunications Industry Association (TIA) o Flaws in cipher discovered in 1997 Cipher design process not open o In violation of Kerckhoffs Principle ORYX 2

Stream Cipher ORYX is a stream cipher Recall that a stream cipher can be viewed as a generalization of one-time pad A stream cipher initialized with (short) key Cipher then generates a long keystream Keystream is used like a one-time pad o XOR with message to encrypt/decrypt ORYX 3

ORYX Stream cipher Uses 3 shift registers, denoted X, A, B o Each holds 32 bits Key is initial fill of registers Therefore, ORYX has 96 bit key ORYX also uses a lookup table L o Where L acts as IV (or MI) Note that L is not secret ORYX 4

ORYX ORYX generates keystream 1 byte/step Most stream ciphers generate 1 bit/step o RC4 stream cipher also generates bytes ORYX is very weak o RC4 is weak due to the way it is used in WEP What is wrong with ORYX? o Generates 1 byte of keystream o Too much of the internal state is exposed o Might be stronger if only generated 1 bit/step ORYX 5

ORYX Shift Registers Three shift registers, X, A, B, each 32 bits Feedback functions (polynomials) o Register X uses feedback polynomial P X = x 0 x 4 x 5 x 8 x 9 x 10 x 13 x 15 x 17 x 18 x 27 x 31 o Register A uses two polynomial P A0 = a 0 a 1 a 3 a 4 a 6 a 7 a 9 a 10 a 11 a 15 a 21 a 22 a 25 a 31 P A1 = a 0 a 1 a 6 a 7 a 8 a 9 a 10 a 12 a 16 a 21 a 22 a 23 a 24 a 25 a 26 a 31 o Register B uses polynomial P B = b 0 b 2 b 5 b 14 b 15 b 19 b 20 b 30 b 31 ORYX 6

ORYX Lookup Table Table L is different for each message o 1 byte in, 1 byte out Example lookup table L Table is not secret Consider L to left o L[5a] = ee Row 5, column a o L[d2] = f5 Row d, column 2 ORYX 7

ORYX Wiring Diagram P A0 0 31 S P A1 0 Shift Register A 31 L C P B 0 Shift Register B 31 L + K t P X Shift Register X S determines whether to use P A0 or P A1 C determines whether B steps 1 or 2 times L is a fixed (per msg), known lookup table ORYX 8

ORYX Keystream Generator 1. Polynomial X steps once using P X 2. Polynomial A steps once using P A0 or P A1 As determined by bit 29 of X 3. Polynomial B steps 1 or 2 times using P B As determined by bit 26 of X 4. Byte: k i = H(X) + L[H(A)] + L[H(B)] mod 256 Where L is a known lookup table and H is high byte, i.e., bits 24 through 31 k i is i th keystream byte Note: Polynomials step before generating byte ORYX 9

ORYX Keystream Let k 0, k 1, k 2, be keystream bytes Then k 0 given by k 0 = H(X) + L[H(A)] + L[H(B)] mod 256 where X, A, B are fills after 1st iteration Then k 1 given by k 1 = H(X) + L[H(A)] + L[H(B)] mod 256 where X, A, B are fills after 2nd iteration And so on ORYX 10

ORYX Attack Attack is not difficult Idea of the attack o Suppose we know plaintext bytes p 0,p 1,,p n o Then we know keystream bytes, k 0,k 1,,k n o At each iteration, small change in internal state o Byte of output gives lots of info on state o Given enough plaintext, reconstruct initial fills Only need small amount of known plaintext ORYX 11

ORYX Attack Given register fills A,B Fill A can be extended in 2 ways: 0 or 1 Fill B can be extended 6 ways: 0,1,00,01,10,11 Table lists possible extensions of A,B New bit(s) appear on left of H(A),H(B) ORYX 12

ORYX Attack Given keystream bytes k i where k i = H(X) + L[H(A)] + L[H(B)] mod 256 And X, A, B are fills after (i+1)st iteration For each of 2 16 possible (H(A),H(B)) o Let H(X) = k 0 L[H(A)] L[H(B)] mod 256 o For each of 12 extensions of (A,B) o Let Y = k 1 L[H(A)] L[H(B)] mod 256 o Is Y a possible extension of H(X)? If yes, save result for testing with bytes k 2, k 3, o If no valid extension, discard (H(A),H(B)) ORYX 13

ORYX Attack Example Spse k 0 = da, k 1 = 31 Consider case where H(A) = b3, H(B) = 84 Then, modulo 256, H(X) = da L[b3] L[84] H(X) = da ca 99 = 77 Can we extend H(X) = 77 to next iteration? Must use k 1 and consider all 12 cases ORYX 14

ORYX Attack Example Have: k 1 = 31, H(A) = b3, H(B) = 84, H(X) = 77 Try extension where A 1A, B 0B Then Y = 31 L[d9] L[42] Y = 31 13 ce = 50 But H(X) = 77 can only be extended to 3b or bb So this is not a valid extension Must consider 11 more cases for (H(A),H(B)) pair ORYX 15

ORYX Attack Example Have: k 1 = 31, H(A) = b3, H(B) = 84, H(X) = 77 Try extension where A 0A, B 00B Then Y = 31 L[59] L[21] Y = 31 1e 58 = bb Note that H(X) = 77 can be extended to bb So this is a consistent extension of H(X) Save it, and consider remaining extensions ORYX 16

ORYX Attack Attack algorithm o We have described a breadth first search o Depth-first search would work too But is the attack practical? o Can we really determine correct initial fill? o How efficient is attack? o How much known plaintext is required? We can easily answer these questions ORYX 17

ORYX Attack Guess all pairs of initial (H(A),H(B)) o There are 2 16 = 65536 of these o For each, use k 0 to solve for H(X) Have 2 16 putative triples (H(A),H(B),H(X)) For each of these 65536 o For each of 12 extensions of (H(A),H(B)), compute Y = k 1 L[H(A)] L[H(B)] mod 256 o Note that Y is putative extension of X o So, 7 bits of Y must agree with 7 bits from H(X) Expect (12 65536) / 128 = 6144 survivors ORYX 18

ORYX Attack Expect 6144 survivors using k 1 For each of these 6144, use k 2 and repeat the process o Compute 12 extensions of (H(A),H(B)) o New Y must agree with 7 bits of putative X (previous Y) o Expect (12 6144) / 128 = 576 survivors Expected number of survivors decreases by factor greater that 10 at each step o Eventually, only 1 survivor is expected ORYX 19

ORYX Attack After 6 steps, expect only 1 survivor Keep going After about 25 keystream bytes, X,A,B fills will be completely known o Not initial fills, but fills after 1st iteration o Easy to back up to initial fills, if desired Suppose n keystream bytes used Then work is on the order of 12 (65536 + 6144 + 576 + 54 + n) < 2 20 ORYX 20

ORYX ORYX is very insecure o Work of about 2 20 to recover 96-bit key! What is the problem? o One iteration does not change internal state very much o Byte of keystream gives lots of info on state Can it be improved? o Many alternatives ORYX 21

More Secure ORYX? ORYX does the following byte = H(X) + L[H(A)] + L[H(B)] mod 256 where H is high-order byte Could instead do bit = s(x) s(l[h(a)]) s(l[h(b)]) where s selects the high-order bit of a byte Then previous attack does not work, since o Expect (12 2 16 ) / 1 = 2 19.6 after k 1 o Expect (12 2 19.6 ) / 1 = 2 23.2 after k 2, etc. But this secure ORYX is very slow! And may be other attacks to worry about ORYX 22

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback