scispace - formally typeset
Book

Information Security and Cryptology - ICISC 2007 : 10th International Conference Seoul, Korea, November 29-30, 2007 : proceedings

TL;DR: Proceedings of ICISC 2007 (Seoul, November 29-30, 2007). The contributions range from cryptanalysis of hash functions, block ciphers and stream ciphers, side-channel and fault attacks, and RFID protocol analysis to systems topics such as VMM forensics, a secure virtual execution environment for untrusted code, and security-preserving asymmetric protocol encapsulation.
Abstract (table of contents, session headers as given):
Cryptanalysis - I
- Cryptanalysis of a Hash Function Proposed at ICISC 2006
- Cryptanalysis of Reduced Versions of the HIGHT Block Cipher from CHES 2006
- A Cryptanalysis of the Double-Round Quadratic Cryptosystem
- A Lightweight Privacy Preserving Authentication and Access Control Scheme for Ubiquitous Computing Environment
- Establishing RBAC-Based Secure Interoperability in Decentralized Multi-domain Environments
- Handling Dynamic Information Release
Cryptanalysis - II
- Improving the Time Complexity of Matsui's Linear Cryptanalysis
- On Large Distributions for Linear Cryptanalysis
- Passive Attacks on a Class of Authentication Protocols for RFID
- Side Channel Attacks on Irregularly Decimated Generators
- Asynchronous Pseudo Physical Memory Snapshot and Forensics on Paravirtualized VMM Using Split Kernel Module
- Filesystem Activity Following a SSH Compromise: An Empirical Study of File Sequences
- A Secure Virtual Execution Environment for Untrusted Code
- Liveness Detection of Fingerprint Based on Band-Selective Fourier Spectrum
- Improving Upon the TET Mode of Operation
Hash Functions - I
- New Local Collisions for the SHA-2 Hash Family
- Multi-collision Attack on the Compression Functions of MD4 and 3-Pass HAVAL
- Differential Cryptanalysis of T-Function Based Stream Cipher TSC-4
- New Results on Impossible Differential Cryptanalysis of Reduced AES
- A Note About the Traceability Properties of Linear Codes
- Power Analysis Attacks on MDPL and DRSL Implementations
- Safe-Error Attack on SPA-FA Resistant Exponentiations Using a HW Modular Multiplier
- Generalized MMM-Algorithm Secure Against SPA, DPA, and RPA
- Pairing-Friendly Elliptic Curves with Small Security Loss by Cheon's Algorithm
Hash Functions - II
- Analysis of Multivariate Hash Functions
- Colliding Message Pair for 53-Step HAS-160
- Weaknesses in the HAS-V Compression Function
- Security-Preserving Asymmetric Protocol Encapsulation
Citations
Book Chapter
10 Feb 2008
TL;DR: This paper shows a partial pseudo-preimage attack on the compression function of MD4, using some ideas from previous cryptanalysis of MD4; it is believed to be the first preimage attack on a member of the MD4 family.
Abstract: MD4 is a hash function introduced by Rivest in 1990. It is still used in some contexts, and the most commonly used hash functions (MD5, SHA-1, SHA-2) are based on the design principles of MD4. MD4 has been extensively studied and very efficient collision attacks are known, but it is still believed to be a one-way function. In this paper we show a partial pseudo-preimage attack on the compression function of MD4, using some ideas from previous cryptanalysis of MD4. We can choose 64 bits of the output for the cost of \(2^{32}\) compression function computations (the remaining bits are randomly chosen by the preimage algorithm). This gives a preimage attack on the compression function of MD4 with complexity \(2^{96}\), and we extend it to an attack on the full MD4 with complexity \(2^{102}\). As far as we know this is the first preimage attack on a member of the MD4 family.

122 citations
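To make the objects in the abstract above concrete, here is an added example (written for this page; it is not code from the paper and does not implement the paper's attack): a from-scratch MD4 per RFC 1320, exposing the compression function separately from the full hash, plus a generic brute-force search for a block whose compression output agrees with a target on a chosen number of bits. The generic search costs about \(2^{k}\) compressions for \(k\) bits; the paper's contribution is fixing 64 output bits for \(2^{32}\) instead of \(2^{64}\), which is why the remaining 64 bits dominate and give the \(2^{96}\) figure. Because the attacker here is free to pick the chaining value, what the search finds is a (partial) pseudo-preimage of the compression function, not a preimage of the full hash. Function names (`md4_compress`, `md4`, `partial_preimage`) are my own choices.

```python
# Added example: MD4 (RFC 1320) with its compression function exposed, and a
# generic 2^k partial pseudo-preimage search on that compression function.
# Not the paper's attack; it shows the baseline cost the paper improves on.
import struct

MASK = 0xFFFFFFFF
MD4_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def md4_compress(state, block):
    """One MD4 compression: 4-word chaining value + 64-byte block -> 4 words."""
    assert len(block) == 64
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    # Round 1: F(b,c,d) = (b AND c) OR (NOT b AND d); words in natural order
    for i in range(16):
        f = (b & c) | (~b & d)
        a = _rotl((a + f + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    # Round 2: majority G; words 0,4,8,12,1,5,9,13,...; constant sqrt(2)
    for i in range(16):
        g = (b & c) | (b & d) | (c & d)
        k = (i % 4) * 4 + i // 4
        a = _rotl((a + g + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    # Round 3: H = xor; words 0,8,4,12,2,10,6,14,...; constant sqrt(3)
    for i in range(16):
        h = b ^ c ^ d
        k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
        a = _rotl((a + h + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    # Davies-Meyer feed-forward: the reason inverting the 48 steps alone
    # does not yield a preimage of the compression function.
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d)))


def md4(msg: bytes) -> bytes:
    """Full MD4: Merkle-Damgard iteration of md4_compress with RFC 1320 padding."""
    bit_len = (8 * len(msg)) & 0xFFFFFFFFFFFFFFFF
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", bit_len)
    state = MD4_IV
    for off in range(0, len(padded), 64):
        state = md4_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def partial_preimage(target, nbits, chaining=MD4_IV, max_tries=1 << 24):
    """Generic search: a block whose compression output (under the attacker's
    chosen chaining value, hence a pseudo-preimage) agrees with `target` on the
    low `nbits` bits of word A. Expected cost: 2**nbits compressions.
    Returns (block, compressions_used) or (None, max_tries)."""
    mask = (1 << nbits) - 1
    want = target[0] & mask
    for ctr in range(max_tries):
        block = struct.pack("<16I", ctr, *([0] * 15))   # counter in word 0
        out = md4_compress(chaining, block)
        if (out[0] & mask) == want:
            return block, ctr + 1
    return None, max_tries


if __name__ == "__main__":
    # Constructed target: compress an arbitrary block, then match 12 of its bits
    target = md4_compress(MD4_IV, bytes(range(64)))
    block, cost = partial_preimage(target, 12)
    print("md4('') =", md4(b"").hex())
    print("matched 12 bits after", cost, "compressions (expected ~4096)")
```

Raising `nbits` by one doubles the expected number of compressions, which is the \(2^{k}\) baseline; the abstract's claim is that 64 bits can be fixed for \(2^{32}\) rather than \(2^{64}\), and the search here gives no such shortcut.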

Proceedings Article
13 May 2008
TL;DR: An intuitive formal definition of untraceability is given in the standard Dolev-Yao intruder model; a previously unknown attack on a published RFID protocol is shown, and the framework is used to prove that the protocol is not untraceable.
Abstract: We give an intuitive formal definition of untraceability in the standard Dolev-Yao intruder model, inspired by existing definitions of anonymity. We show how to verify whether communication protocols satisfy the untraceability property and apply our methods to known RFID protocols. We show a previously unknown attack on a published RFID protocol and use our framework to prove that the protocol is not untraceable.

78 citations

Book Chapter
05 Dec 2009
TL;DR: Part of the inner encryption function of AES can be expressed with relatively few constants under certain conditions; the resulting distinguishers give a meet-in-the-middle attack that is faster than existing attacks for the 128-bit key size, at the expense of higher memory and precomputation complexity.
Abstract: We improve the existing distinguishers of AES. Our work is mainly built upon the works by Gilbert & Minier [17] and Demirci & Selçuk [14]. We find that some part of the inner encryption function of AES can be expressed with relatively few constants under certain conditions. These new distinguishers are exploited to develop a meet-in-the-middle attack on 7 rounds of AES-128 and AES-192, and on 8 rounds of AES-256. The proposed attack is faster than the existing attacks [15,17] for the 128-bit key size, at the expense of an increase in memory and precomputation complexity.

62 citations

Book Chapter
03 Mar 2014
TL;DR: This paper presents key-recovery attacks on 9-round AES-192 and AES-256 in the single-key model within the meet-in-the-middle framework; a new technique named key-dependent sieve is introduced to further reduce the size of the attack's lookup table.
Abstract: This paper focuses on key-recovery attacks on 9-round AES-192 and AES-256 in the single-key model, within the framework of the meet-in-the-middle attack. A new technique named key-dependent sieve is introduced to further reduce the size of the lookup table of the attack, and 9-round AES-192 is broken with \(2^{121}\) chosen plaintexts, \(2^{187.5}\) 9-round encryptions and \(2^{185}\) 128-bit words of memory. If the attack starts from the third round, the complexities are further reduced by a factor of 16. Moreover, the whole attack is split into a series of weak-key attacks, and the memory complexity is reduced significantly when these weak-key attacks are executed in streaming mode. The same method is applied to reduce the memory complexity of the attack on 9-round AES-256.

52 citations

Book Chapter
30 Aug 2009
TL;DR: Three emerging types of attacks on RFID protocols, concerning authentication, untraceability, and secrecy are discussed and the methodology is applicable to any operator with algebraic properties.
Abstract: This work aims to identify the algebraic problems which enable many attacks on RFID protocols. Toward this goal, three emerging types of attacks on RFID protocols, concerning authentication, untraceability, and secrecy, are discussed. We demonstrate the types of attacks by exhibiting previously unpublished vulnerabilities in several protocols and referring to various other flawed protocols. The common theme in these attacks is that the algebraic properties of the operators employed by the protocols are abused. While the methodology is applicable to any operator with algebraic properties, the protocols considered in this paper make use of XOR, modular addition, and elliptic curve point addition.

47 citations
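The abstract above (and the untraceability entry dated 13 May 2008 earlier in this list) describe a class of attack rather than a single protocol. The following is an added example, constructed for this page and not taken from either paper: a toy reader/tag challenge-response protocol that binds a shared key to the session nonces with XOR, the two attacks its algebraic structure permits (a forged authentication from one eavesdropped session, and linking two sessions of the same tag, both without the key), and a repaired variant in which the nonces are bound by a hash instead. The protocol, the function names and the 32-byte nonce sizes are my assumptions; SHA-256 stands in for whatever keyed function a real protocol would use.

```python
# Added example: a constructed toy RFID protocol (not from the paper) showing
# how XOR's algebraic properties (commutative, associative, self-inverse) break
# both authentication and untraceability, and a hash-bound variant that does not.
import hashlib
import os


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


# --- Weak toy protocol ----------------------------------------------------
# Reader -> Tag : n_r                      (32-byte challenge)
# Tag -> Reader : n_t, a = h(k) ^ n_r ^ n_t (32-byte tag nonce, 32-byte response)
def weak_tag_respond(k: bytes, n_r: bytes, n_t: bytes = None):
    if n_t is None:
        n_t = os.urandom(32)
    return n_t, xor(xor(h(k), n_r), n_t)


def weak_reader_accepts(k: bytes, n_r: bytes, n_t: bytes, a: bytes) -> bool:
    return a == xor(xor(h(k), n_r), n_t)


# Attack 1 (authentication): from one observed session (n_r, n_t, a), answer
# a fresh challenge n_r2 without knowing k. Since XOR is commutative,
# associative and self-inverse,
#   a = h(k)^n_r^n_t = h(k)^n_r2^(n_t^n_r^n_r2),
# so (n_t^n_r^n_r2, a) is a valid response to n_r2.
def forge_response(observed, n_r2: bytes):
    n_r, n_t, a = observed
    return xor(xor(n_t, n_r), n_r2), a


# Attack 2 (untraceability): a^n_r^n_t = h(k) is constant per tag, so an
# eavesdropper links any two sessions of the same tag with no secret at all.
def tag_fingerprint(session) -> bytes:
    n_r, n_t, a = session
    return xor(xor(a, n_r), n_t)


def same_tag(s1, s2) -> bool:
    return tag_fingerprint(s1) == tag_fingerprint(s2)


# --- Repaired toy protocol ------------------------------------------------
# a = h(k || n_r || n_t): the hash is not linear in its inputs, so neither
# rewrite above applies, and the transcript carries no per-tag constant.
def fixed_tag_respond(k: bytes, n_r: bytes, n_t: bytes = None):
    if n_t is None:
        n_t = os.urandom(32)
    return n_t, h(k, n_r, n_t)


def fixed_reader_accepts(k: bytes, n_r: bytes, n_t: bytes, a: bytes) -> bool:
    return a == h(k, n_r, n_t)


def demo():
    """Run both attacks against both protocols with fresh random values.
    Returns (weak_forgery_accepted, weak_sessions_linked, fixed_forgery_accepted)."""
    k = os.urandom(16)
    n_r1, n_r2 = os.urandom(32), os.urandom(32)

    n_t1, a1 = weak_tag_respond(k, n_r1)           # eavesdropped session
    n_t2, a2 = forge_response((n_r1, n_t1, a1), n_r2)
    weak_forged = weak_reader_accepts(k, n_r2, n_t2, a2)
    weak_linked = same_tag((n_r1, n_t1, a1), (n_r2, n_t2, a2))

    f_t1, f_a1 = fixed_tag_respond(k, n_r1)
    f_t2, f_a2 = forge_response((n_r1, f_t1, f_a1), n_r2)
    fixed_forged = fixed_reader_accepts(k, n_r2, f_t2, f_a2)
    return weak_forged, weak_linked, fixed_forged


if __name__ == "__main__":
    print("weak: forgery accepted, sessions linked; fixed: forgery accepted ->", demo())
```

The point of `tag_fingerprint` is that the property is checkable from the transcript alone; that is exactly the kind of observable a Dolev-Yao intruder is given, and it is why an XOR-only binding cannot satisfy an untraceability definition stated in that model.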

References
Book Chapter
19 Mar 2012
TL;DR: In this paper, a statistical technique was proposed to reduce the data complexity of zero correlation linear cryptanalysis (ZCLC) by using the high number of linear approximations available.
Abstract: Zero correlation linear cryptanalysis is a novel key recovery technique for block ciphers proposed in [5]. It is based on linear approximations with probability of exactly 1/2 (which corresponds to zero correlation). Some block ciphers turn out to have multiple linear approximations with correlation zero for each key over a considerable number of rounds. Zero correlation linear cryptanalysis is the counterpart of impossible differential cryptanalysis in the domain of linear cryptanalysis, though with many technical distinctions and sometimes resulting in stronger attacks. In this paper, we propose a statistical technique to significantly reduce the data complexity using the high number of zero correlation linear approximations available. We also identify zero correlation linear approximations for 14 and 15 rounds of TEA and XTEA. Those result in key-recovery attacks on 21-round TEA and 25-round XTEA, while requiring less data than the full codebook. In the single secret key setting, these are structural attacks breaking the highest number of rounds for both ciphers. The findings of this paper demonstrate that the prohibitive data complexity requirements are not inherent in zero correlation linear cryptanalysis and can be overcome. Moreover, our results suggest that zero correlation linear cryptanalysis can actually break more rounds than the best known impossible differential cryptanalysis does for relevant block ciphers. This might make a security re-evaluation of some ciphers necessary in view of the new attack.

93 citations
