
Showing papers in "Cryptography and Communications in 2014"


Journal ArticleDOI
TL;DR: New attacks on the block cipher family KATAN are proposed by adopting a new framework to analyze symmetric ciphers by guessing intermediate states and dividing algorithms into consecutive sub-ciphers, which can be more time-efficient and memory-efficient than existing attacks.
Abstract: This paper investigates a new framework to analyze symmetric ciphers by guessing intermediate states and dividing algorithms into consecutive sub-ciphers. It is suitable for lightweight ciphers with simple key schedules and block sizes smaller than key lengths. New attacks on the block cipher family KATAN are proposed by adopting this framework. Our new attacks can recover the master keys of 175-round KATAN32, 130-round KATAN48 and 112-round KATAN64 faster than exhaustive search, and thus reach many more rounds than previous attacks. We also provide new attacks on 115-round KATAN32 and 100-round KATAN48 in order to demonstrate that this new kind of attack can be more time-efficient and memory-efficient than existing attacks.

36 citations


Journal ArticleDOI
TL;DR: It is shown that sequences generated by the standard algorithm have the sparsest known omega vector and, thus, the most efficient generator/correlator; an algorithm for generating 256-QAM sequences is introduced and a tight upper bound on the number of generated sequences is derived.
Abstract: A unique decomposition of arbitrary pairs of complementary sequences (including standard binary, polyphase and QAM sequences as well as non-standard sequences and kernels) based on paraunitary matrices is presented. This decomposition allows us to describe the internal structure of any sequence pair of length L using basic paraunitary matrices defined by an ordered set of L complex coefficients named the omega vector. When the omega vector is sparse, the canonic form is compact and leads to an efficient implementation of a generator/correlator. We show that sequences generated by the standard algorithm have the sparsest known omega vector (log2 L non-zero elements out of L) and, thus, the most efficient generator/correlator. The equivalence of paraunitary matrices and Z transforms of complementary sequences allows us to apply the rich results from the theory of perfect reconstruction filter-banks to the field of sequence design. We introduce a new generator/correlator algorithm for sequences in standard and non-standard QAM constellations that is based on this equivalence. Both rectangular and hexagonal constellations are considered and the cardinality of the generated set of unique complementary sequences is either determined or estimated for a number of important cases. We show, in the case of the standard 16-QAM constellation, that the paraunitary algorithm generates the same number of sequences as the published algorithms based on generalized Boolean functions. In the case of 64-QAM, the proposed algorithm generates more sequences than known algorithms. We introduce an algorithm for generating 256-QAM sequences and derive a tight upper bound on the number of generated sequences.

31 citations


Journal ArticleDOI
TL;DR: This work describes a systematic framework for using a stream cipher supporting an initialisation vector (IV) to perform various tasks of authentication and authenticated encryption, including message authentication code (MAC), AE, AEAD and DAE(AD). An important practical aspect of this work is that a designer can combine off-the-shelf stream ciphers with off-the-shelf hash functions to obtain secure primitives for MAC, AE, AEAD and DAE(AD).
Abstract: We describe a systematic framework for using a stream cipher supporting an initialisation vector (IV) to perform various tasks of authentication and authenticated encryption. These include message authentication code (MAC), authenticated encryption (AE), authenticated encryption with associated data (AEAD) and deterministic authenticated encryption (DAE) with associated data. Several schemes are presented and rigorously analysed. A major component of the constructions is a keyed hash function having provably low collision and differential probabilities. Methods are described to efficiently extend such hash functions to take multiple inputs. In particular, double-input hash functions are required for the construction of AEAD schemes. An important practical aspect of our work is that a designer can combine off-the-shelf stream ciphers with off-the-shelf hash functions to obtain secure primitives for MAC, AE, AEAD and DAE(AD).

24 citations


Journal ArticleDOI
TL;DR: A general construction method for cross-bifix-free sequences based on kernels, applicable to a limited number of so-called “regular kernel sets”, is proposed and properties of such sequences with an outline for further research are discussed.
Abstract: Cross-bifix-free sets are sets of bifix-free sequences with the property that no prefix of any sequence is a suffix of any other sequence. This paper presents a general construction method for cross-bifix-free sequences based on kernels. The cardinality of cross-bifix-free sets follows the Fibonacci progression. A simplified method, applicable to a limited number of so-called "regular kernel sets", is proposed as well. Properties of such sequences with an outline for further research are discussed.

24 citations


Journal ArticleDOI
TL;DR: This work provides an efficient generating algorithm producing Gray codes for a remarkable family of cross-bifix-free sets.
Abstract: A set of words with the property that no prefix of any word is the suffix of any other word is called a cross-bifix-free set. We provide an efficient generating algorithm producing Gray codes for a remarkable family of cross-bifix-free sets.

19 citations


Journal ArticleDOI
TL;DR: The new exponent set of WG transformations is presented, and the existence of exponents derived from the new exponent set for which a decimated WG transformation achieves the maximum algebraic degree is shown.
Abstract: A general structure of the Welch-Gong (WG) stream cipher family is based on filtering an m-sequence of degree l over a finite field $\mathbb{F}_{2^m}$ where the filtering function is a WG transformation from $\mathbb{F}_{2^m}$ to $\mathbb{F}_{2}$. For a fixed m and l, the linear span of the filtering sequence can be enhanced by increasing the algebraic degree of the WG transformations. This can be accomplished by the composition of a WG transformation with a monomial permutation, which is called the decimation of a WG transformation. In this paper, we first present the new exponent set of WG transformations, and show the existence of exponents derived from the new exponent set for which a decimated WG transformation achieves the maximum algebraic degree. As a result, the linear span of keystreams produced by a decimated WG cipher can be maximized and calculated theoretically. We then give a description of a decimated WG stream cipher which is built upon an LFSR and a decimated WG transformation over an extension field. The randomness properties of keystreams produced by a decimated WG cipher are derived based on the new exponent set. We also discuss the selection criteria for choosing the optimal parameters for the WG cipher family in order to achieve the maximum level of security. Finally, we present the optimal parameters for the WG transformations over $\mathbb{F}_{2^m}, 7\leq m \leq 16$ based on the proposed criteria.

14 citations


Journal ArticleDOI
TL;DR: A computer search is able to prove that for any related-key differential characteristic on full-round PRESENT-80, the probability of the characteristic only in the 64-bit state is not higher than $2^{-64}$.
Abstract: We examine the security of the 64-bit lightweight block cipher PRESENT-80 against related-key differential attacks. With a computer search we are able to prove that for any related-key differential characteristic on full-round PRESENT-80, the probability of the characteristic only in the 64-bit state is not higher than $2^{-64}$. To overcome the exponential (in the state and key sizes) computational complexity of the search we use truncated differences; however, as the key schedule is not nibble oriented, we switch to actual differences and apply early abort techniques to prune the tree-based search. With a new method called the extended split approach we are able to make the whole search feasible, and we implement and run it in real time. Our approach targets the PRESENT-80 cipher; however, with small modifications it can be reused for other lightweight ciphers as well.

13 citations


Journal ArticleDOI
TL;DR: It is shown that all modified Lee Sequences (in the sense of Barrera Acevedo and Hall, Lect Notes Comput Sci 159–167, 2012) of length m = p + 1 ≡ 2 (mod 4), where p is a prime number, can be folded into a perfect two-dimensional array of size $2p\times \frac{m}{2}p$ (previously unknown sizes).
Abstract: We show the existence of perfect arrays, of unbounded sizes, over the basic quaternions {1, −1, i, −i, j, −j, k, −k}. We translate the algorithm of Arasu and de Launey, to inflate perfect arrays over the four roots of unity, from a polynomial, into a simple matrix approach. Then, we modify this algorithm to inflate perfect arrays over the basic quaternions {1, −1, i, −i, j, −j, k, −k}. We show that all modified Lee Sequences (in the sense of Barrera Acevedo and Hall, Lect Notes Comput Sci 159–167, 2012) of length m = p + 1 ≡ 2 (mod 4), where p is a prime number, can be folded into a perfect two-dimensional array (with only one occurrence of the element j) of size $2\times \frac{m}{2}$, with $GCD(2,\frac{m}{2})=1$. Then, each of these arrays can be inflated into perfect arrays of sizes $2p\times \frac{m}{2}p$ (previously unknown sizes), with a random appearance of all the elements 1, −1, i, −i, j, −j, k, −k.

9 citations


Journal ArticleDOI
TL;DR: In this paper, a construction for complementary sets of arrays that exploits a set of mutually-unbiased bases (a MUB) is presented, in detail, where the complementary pairs that are seeded by a MUB of dimension 2 are enumerated and the corresponding set of complementary sequences obtained from the arrays by projection.
Abstract: We propose a construction for complementary sets of arrays that exploits a set of mutually-unbiased bases (a MUB). In particular we present, in detail, the construction for complementary pairs that is seeded by a MUB of dimension 2, where we enumerate the arrays and the corresponding set of complementary sequences obtained from the arrays by projection. We also sketch an algorithm to uniquely generate these sequences. The pairwise squared inner-product of members of the sequence set is shown to be $\frac{1}{2}$. Moreover, a subset of the set can be viewed as a codebook that asymptotically achieves $\sqrt{\frac{3}{2}}$ times the Welch bound.

8 citations


Journal ArticleDOI
TL;DR: The distribution of the nonlinearity of (m, n)-functions is investigated and it is known that asymptotically, almost all m-variable Boolean functions have high nonlinearities.
Abstract: The nonlinearity of a Boolean function $F: \mathbb{F}_{2}^{m}\rightarrow \mathbb{F}_{2}$ is the minimum Hamming distance between F and all affine functions. The nonlinearity of an S-box $f: \mathbb{F}_{2}^{m}\rightarrow \mathbb{F}_{2}^{n}$ is the minimum nonlinearity of its component (Boolean) functions $v\cdot f,\, v\in \mathbb{F}_{2}^{n}\,\backslash \{0\}$. This notion quantifies the level of resistance of the S-box to the linear attack. In this paper, the distribution of the nonlinearity of (m, n)-functions is investigated. When n = 1, it is known that asymptotically, almost all m-variable Boolean functions have high nonlinearities. We extend this result to (m, n)-functions.

8 citations


Journal ArticleDOI
TL;DR: This work shows that under affine equivalence there is only a single class of bijective n×n S-boxes with multiplicative complexity 1, and that each bijective 4×4 S-box has multiplicative complexity at most 5.
Abstract: The multiplicative complexity of an S-box is the minimum number of 2-input AND-gates required to implement the S-box in AND, XOR, NOT logic. We show that under affine equivalence there is only a single class of bijective n×n S-boxes with multiplicative complexity 1. Furthermore, we show that each bijective 4×4 S-box has multiplicative complexity at most 5. Finally, we refine the bounds on the multiplicative complexity of each affine class of bijective 4×4 S-boxes.

Journal ArticleDOI
TL;DR: This work studies the following structural problem: let G be an r-twin-free graph, and $G^*$ be a graph obtained from G by adding or deleting an edge, and compares the behaviours of $\gamma_r(G)$ and $\gamma_r(G^*)$, establishing results on their possible differences and ratios.
Abstract: Let G be a simple, undirected graph with vertex set V. For $v \in V$ and $r \geq 1$, we denote by $B_{G,r}(v)$ the ball of radius r and centre v. A set $\mathcal{C} \subseteq V$ is said to be an r-identifying code in G if the sets $B_{G,r}(v)\cap \mathcal{C}$, $v \in V$, are all nonempty and distinct. A graph G admitting an r-identifying code is called r-twin-free, and in this case the size of a smallest r-identifying code in G is denoted by $\gamma_r(G)$. We study the following structural problem: let G be an r-twin-free graph, and $G^*$ be a graph obtained from G by adding or deleting an edge. If $G^*$ is still r-twin-free, we compare the behaviours of $\gamma_r(G)$ and $\gamma_r(G^*)$, establishing results on their possible differences and ratios.

Journal ArticleDOI
TL;DR: The access structure and multiplicativity of linear secret sharing schemes based on codes from complete graphs are studied, and it is shown that the class of access structures based on odd cycles cannot be realized by ideal multiplicative linear secret sharing schemes over any finite field.
Abstract: We study the access structure and multiplicativity of linear secret sharing schemes based on codes from complete graphs. First, we describe the access structure of the schemes based on cut-set and cycle codes. Second, we show that the class of access structures based on odd cycles cannot be realized by ideal multiplicative linear secret sharing schemes over any finite field. This can be seen as a contribution to the characterization of access structures of ideal multiplicative schemes. The access structure based on odd cycles corresponds to the scheme based on the dual of the extended cycle code. Finally, we show that we can obtain an ideal multiplicative linear secret sharing scheme based on the dual of an augmented extended cycle code.

Journal ArticleDOI
TL;DR: The resistance against two well-known statistical distinguishers, namely differential-linear and boomerang distinguishers, is measured, and it is shown that 4-decorrelation degree protects against these attacks.
Abstract: Iterated attacks consist of iterating adversaries who can make d plaintext queries in each iteration to compute a bit, and are trying to distinguish between a random cipher C and the perfect cipher $C^*$ based on all bits. Vaudenay showed that a 2d-decorrelated cipher resists iterated attacks of order d when iterations have almost no common queries. Then, he first asked what the necessary conditions are for a cipher to resist a non-adaptive iterated attack of order d, i.e., whether decorrelation of order 2d − 1 could be sufficient. Secondly, he speculated that repeating a plaintext query in different iterations does not provide any advantage to a non-adaptive distinguisher. We close here these two long-standing open problems negatively. For those questions, we provide two counter-intuitive examples. We also deal with adaptive iterated adversaries who can make both plaintext and ciphertext queries in which the future queries are dependent on the past queries. We show that decorrelation of order 2d protects against these attacks of order d. We also study the generalization of these distinguishers for iterations making non-binary outcomes. Finally, we measure the resistance against two well-known statistical distinguishers, namely differential-linear and boomerang distinguishers, and show that 4-decorrelation degree protects against these attacks.

Journal ArticleDOI
TL;DR: This paper obtains the precise value of the algebraic immunity of the filter function used in Hitag2, which is equal to 6, and proves that the Walsh spectra of a nested function can be split into a product of the Walsh spectra of its subfunctions and generating function when the subfunctions are all balanced.
Abstract: Hitag2 is a widely applied lightweight stream cipher with a traditional structure containing linear shift feedback and nonlinear filtering. It uses a Boolean function of 20 variables as its nonlinear filter. For easy implementation, this function is constructed by a two-layer composition of one 5-variable Boolean function and five 4-variable Boolean functions. In this paper, the concept of nested function is extracted from the construction of the two-layer Boolean function in Hitag2. Then we study some general properties of nested functions, such as balancedness, algebraic degree, Walsh spectra and algebraic immunity. We prove that the Walsh spectra of a nested function can be split into a product of the Walsh spectra of its subfunctions and generating function when the subfunctions are all balanced. Moreover, two upper bounds on algebraic immunity of nested functions are proposed. By using a hybrid approach of logical reasoning and computer computation, we obtain the precise value of the algebraic immunity of the filter function used in Hitag2, which is equal to 6.

Journal ArticleDOI
TL;DR: Algorithms are presented that compute the Walsh coefficients at a small set of points in terms of certain parameters derived from the ANF of a Boolean function, and that can perform better than Gupta-Sarkar's algorithm for specified classes of Boolean functions.
Abstract: We study the relationship between the Walsh Transform of a Boolean function and its Algebraic Normal Form (ANF), and present algorithms that compute the Walsh coefficients at a small set of points in terms of certain parameters derived from the ANF of a Boolean function. In the first part of this paper, based on the previous result by Gupta and Sarkar, we investigate the formula in Gupta-Sarkar's algorithm in a novel iterative method and obtain a recurrence relation for the Walsh Transform of a Boolean function. The second part is devoted to applying this formula to algorithms to evaluate it. Experimental results show that for the specified classes of Boolean functions, our algorithms can perform better than Gupta-Sarkar's algorithm. For example, the proposed algorithm "ComputeWalsh" is able to compute the Walsh coefficients of functions for which the complexity of Gupta-Sarkar's algorithm is impractical. Besides, for functions acting on a high number of variables (m > 30) and having a low number of monomials, the proposed algorithms are advantageous over the Fast Walsh Transform, which is the standard method of computing the Walsh Transform with a complexity of $O(m2^m)$ operations.

Journal ArticleDOI
TL;DR: A shift sequence associated with a primitive polynomial of degree 2J over a finite field GF(2), together with a pair of completely orthogonal sequences of length m to construct near perfect sequences of even lengths, which also exist for unbounded lengths over mth roots of unity.
Abstract: This paper presents a new method of construction of near perfect sequences of even length $N = 2mn$ where m is an odd prime number and $n = 2^J + 1$, J is an even number. We use a shift sequence associated with a primitive polynomial of degree 2J over a finite field GF(2), together with a pair of completely orthogonal sequences of length m, to construct near perfect sequences of odd lengths. We concatenate two near perfect sequences of the same odd length under certain conditions to obtain new near perfect sequences of even lengths. These near perfect sequences also exist for unbounded lengths over m-th roots of unity.