National Institute of Standards and Technology における超伝導研究及び生活

Since Rijndael was chosen as the Advanced Encryption Standard (AES), improving upon 7-round attacks on the 128-bit key variant (out of 10 rounds) or upon 8-round attacks on the 192/256-bit key variants (out of 12/14 rounds) has been one of the most difficult challenges in the cryptanalysis of block ciphers for more than a decade. In this paper, we present the novel technique of block cipher cryptanalysis with bicliques, which leads to the following results:

 

The first key recovery method for the full AES-128 with computational complexity 2126.1.

The first key recovery method for the full AES-192 with computational complexity 2189.7.

The first key recovery method for the full AES-256 with computational complexity 2254.4.

Key recovery methods with lower complexity for the reduced-round versions of AES not considered before, including cryptanalysis of 8-round AES-128 with complexity 2124.9.

Preimage search for compression functions based on the full AES versions faster than brute force.

In contrast to most shortcut attacks on AES variants, we do not need to assume related-keys. Most of our techniques only need a very small part of the codebook and have low memory requirements, and are practically verified to a large extent. As our cryptanalysis is of high computational complexity, it does not threaten the practical use of AES in any way.

/pdf/biclique-cryptanalysis-of-the-full-aes-pi8uwf8n7d.pdf

Biclique cryptanalysis of the full AES

IoT is becoming more common and popular due to its wide range of applications in various domains. They collect data from the real environment and transfer it over the networks. There are many challenges while deploying IoT in a real-world, varying from tiny sensors to servers. Security is considered as the number one challenge in IoT deployments, as most of the IoT devices are physically accessible in the real world and many of them are limited in resources (such as energy, memory, processing power and even physical space). In this paper, we are focusing on these resource-constrained IoT devices (such as RFID tags, sensors, smart cards, etc.) as securing them in such circumstances is a challenging task. The communication from such devices can be secured by a mean of lightweight cryptography, a lighter version of cryptography. More than fifty lightweight cryptography (plain encryption) algorithms are available in the market with a focus on a specific application(s), and another 57 algorithms have been submitted by the researchers to the NIST competition recently. To provide a holistic view of the area, in this paper, we have compared the existing algorithms in terms of implementation cost, hardware and software performances and attack resistance properties. Also, we have discussed the demand and a direction for new research in the area of lightweight cryptography to optimize balance amongst cost, performance and security.

/pdf/lightweight-cryptography-algorithms-for-resource-constrained-10420w1mk4.pdf

Lightweight Cryptography Algorithms for Resource-Constrained IoT Devices: A Review, Comparison and Research Opportunities

In this paper we describe a variant of existing meet-in-the-middle attacks on block ciphers. As an application, we propose meetin-the-middle attacks that are applicable to the KTANTAN family of block ciphers accepting a key of 80 bits. The attacks are due to some weaknesses in its bitwise key schedule. We report an attack of time complexity 275.170 encryptions on the full KTANTAN32 cipher with only 3 plaintext/ciphertext pairs and well as 275.044 encryptions on the full KTANTAN48 and 275.584 encryptions on the full KTANTAN64 with 2 plaintext/ciphertext pairs. All these attacks work in the classical attack model without any related keys.

In the differential related-key model, we demonstrate 218- and 174- round differentials holding with probability 1. This shows that a strong related-key property can translate to a successful attack in the nonrelated-key setting. Having extremely low data requirements, these attacks are valid even in RFID-like environments where only a very limited amount of text material may be available to an attacker.

/pdf/a-3-subset-meet-in-the-middle-attack-cryptanalysis-of-the-47emyj8gcr.pdf

A 3-subset meet-in-the-middle attack: cryptanalysis of the lightweight block cipher KTANTAN

Lightweight cryptography has been one of the “hot topics” in symmetric cryptography in the recent years. A huge number of lightweight algorithms have been published, standardized and/or used in commercial products. In this paper, we discuss the different implementation constraints that a “lightweight” algorithm is usually designed to satisfy in both the software and the hardware case. We also present an extensive survey of all lightweight symmetric primitives we are aware of. It covers designs from the academic community, from government agencies and proprietary algorithms which were reverse-engineered or leaked. Relevant national (NIST...) and international (ISO/IEC...) standards are listed. We identified several trends in the design of lightweight algorithms, such as the designers’ preference for ARX-based and bitsliced-S-Box-based designs or simpler key schedules. We also discuss more general trade-offs facing the authors of such algorithms and suggest a clearer distinction between two subsets of lightweight cryptography. The first, ultra-lightweight cryptography, deals with primitives fulfilling a unique purpose while satisfying specific and narrow constraints. The second is ubiquitous cryptography and it encompasses more versatile algorithms both in terms of functionality and in terms of implementation trade-offs.

/pdf/state-of-the-art-in-lightweight-symmetric-cryptography-iwr0aicdkf.pdf

State of the Art in Lightweight Symmetric Cryptography

The Data Encryption Standard (DES) is a 64-bit block cipher. Despite its short key size of 56 bits, DES continues to be used to protect financial transactions valued at billions of Euros. In this paper, we investigate the strength of DES against attacks that use a limited number of plaintexts and ciphertexts. By mounting meet-in-the-middle attacks on reduced-round DES, we find that up to 6-round DES is susceptible to this kind of attacks. The results of this paper lead to a better understanding on the way DES can be used.

Improved Meet-in-the-Middle Attacks on Reduced-Round DES

/pdf/improved-meet-in-the-middle-attacks-on-reduced-round-des-1jh9esjofv.pdf

Improved meet-in-the-middle attacks on reduced-round DES

The block cipher XTEA, designed by Needham and Wheeler, was published as a technical report in 1997. The cipher was a result of fixing some weaknesses in the cipher TEA (also designed byWheeler and Needham), which was used in Microsoft's Xbox gaming console. XTEA is a 64-round Feistel cipher with a block size of 64 bits and a key size of 128 bits. In this paper, we present meet-in-the-middle attacks on twelve variants of the XTEA block cipher, where each variant consists of 23 rounds. Two of these require only 18 known plaintexts and a computational effort equivalent to testing about 2117 keys, with a success probability of 1-2-1025. Under the standard (single-key) setting, there is no attack reported on 23 or more rounds of XTEA, that requires less time and fewer data than the above. This paper also discusses a variant of the classical meet-in-the-middle approach. All attacks in this paper are applicable to XETA as well, a block cipher that has not undergone public analysis yet. TEA, XTEA and XETA are implemented in the Linux kernel.

https://lirias.kuleuven.be/bitstream/123456789/280786/2/article-1505.pdf

Meet-in-the-Middle Attacks on Reduced-Round XTEA

The stream cipher Py designed by Biham and Seberry is a submission to the ECRYPT stream cipher competition The cipher is based on two large arrays (one is 256 bytes and the other is 1040 bytes) and it is designed for high speed software applications (Py is more than 25 times faster than the RC4 on Pentium III) The paper shows a statistical bias in the distribution of its output-words at the 1st and 3rd rounds Exploiting this weakness, a distinguisher with advantage greater than 50% is constructed that requires 2 847 randomly chosen key/IV's and the first 24 output bytes for each key The running time and the data required by the distinguisher are t ini 2 84,7 and 2 892 respectively (t ini denotes the running time of the key/IV setup) We further show that the data requirement can be reduced by a factor of about 3 with a distinguisher that considers outputs of later rounds In such case the running time is reduced to t r 2 847 (t, denotes the time for a single round of Py) The Py specification allows a 256-bit key and a keystream of 2 64 bytes per key/IV As an ideally secure stream cipher with the above specifications should be able to resist the attacks described before, our results constitute an academic break of Py In addition we have identified several biases among pairs of bits; it seems possible to combine all the biases to build more efficient distinguishers

Distinguishing Attacks on the Stream Cipher Py

Moustique is one of the sixteen finalists in the eSTREAM stream cipher project. Unlike the other finalists it is a self-synchronising cipher and therefore offers very different functional properties, compared to the other candidates. We present simple related-key phenomena in Moustique that lead to the generation of strongly correlated keystreams and to powerful key-recovery attacks. Our best key-recovery attack requires only 238 steps in the related-key scenario. Since the relevance of related-key properties is sometimes called into question, we also show how the described effects can help speed up exhaustive search (without related keys), thereby reducing the effective key length of Moustique from 96 bits to 90 bits.

/pdf/correlated-keystreams-in-moustique-bnymzg8mfw.pdf

Gautham Sekar

Papers

Improved Meet-in-the-Middle Attacks on Reduced-Round DES

Improved meet-in-the-middle attacks on reduced-round DES

Meet-in-the-Middle Attacks on Reduced-Round XTEA

Distinguishing Attacks on the Stream Cipher Py

Correlated keystreams in MOUSTIQUE