Showing papers on "Block cipher published in 2004"

The security and performance of the galois/counter mode (GCM) of operation

Abstract: The recently introduced Galois/Counter Mode (GCM) of operation for block ciphers provides both encryption and message authentication, using universal hashing based on multiplication in a binary finite field. We analyze its security and performance, and show that it is the most efficient mode of operation for high speed packet networks, by using a realistic model of a network crypto module and empirical data from studies of Internet traffic in conjunction with software experiments and hardware designs. GCM has several useful features: it can accept IVs of arbitrary length, can act as a stand-alone message authentication code (MAC), and can be used as an incremental MAC. We show that GCM is secure in the standard model of concrete security, even when these features are used. We also consider several of its important system-security aspects.

Algebraic Attacks and Decomposition of Boolean Functions

Abstract: Algebraic attacks on LFSR-based stream ciphers recover the secret key by solving an overdefined system of multivariate algebraic equations. They exploit multivariate relations involving key bits and output bits and become very efficient if such relations of low degrees may be found. Low degree relations have been shown to exist for several well known constructions of stream ciphers immune to all previously known attacks. Such relations may be derived by multiplying the output function of a stream cipher by a well chosen low degree function such that the product function is again of low degree. In view of algebraic attacks, low degree multiples of Boolean functions are a basic concern in the design of stream ciphers as well as of block ciphers.

Survey and Benchmark of Block Ciphers for Wireless Sensor Networks

Abstract: Choosing the most storage- and energy-efficient block cipher specifically for wireless sensor networks (WSNs) is not as straightforward as it seems. To our knowledge so far, there is no systematic evaluation framework for the purpose. In this paper, we have identified the candidates of block ciphers suitable for WSNs based on existing literature. For evaluating and assessing these candidates, we have devised a systematic framework that not only considers the security properties but also the storage- and energy-efficency of the candidates. Finally, based on the evaluation results, we have selected the suitable ciphers for WSNs, namely Rijndael for high security and energy efficiency requirements; and MISTY1 for good storage and energy efficiency.

Power-analysis attack on an ASIC AES implementation

Abstract: The AES (advanced encryption standard) is a new block cipher standard published by the US government in November 2001. As a consequence, there is a growing interest in efficient implementations of the AES. For many applications, these implementations need to be resistant against side channel attacks, that is, it should not be too easy to extract secret information from physical measurements on the device. We present the first results on the feasibility of power analysis attack against an AES hardware implementation. Our attack is targeted against an ASIC implementation of the AES developed by the ETH Zurich. We show how to build a reliable measurement setup and how to improve the correlation coefficients, i.e., the signal to noise ratio for our measurements. Our approach is also the first step to link a behavior HDL simulator generated simulated power measurements to real power measurements.

Cryptanalysis of a white box AES implementation

Abstract: The white box attack context as described in [1, 2] is the common setting where cryptographic software is executed in an untrusted environment—ie an attacker has gained access to the implementation of cryptographic algorithms, and can observe or manipulate the dynamic execution of whole or part of the algorithms. In this paper, we present an efficient practical attack against the obfuscated AES implementation [1] proposed at SAC 2002 as a means to protect AES software operated in the white box context against key exposure. We explain in details how to extract the whole AES secret key embedded in such a white box AES implementation, with negligible memory and worst time complexity 230.

How Far Can We Go Beyond Linear Cryptanalysis

Abstract: Several generalizations of linear cryptanalysis have been proposed in the past, as well as very similar attacks in a statistical point of view. In this paper, we define a rigorous general statistical framework which allows to interpret most of these attacks in a simple and unified way. Then, we explicitely construct optimal distinguishers, we evaluate their performance, and we prove that a block cipher immune to classical linear cryptanalysis possesses some resistance to a wide class of generalized versions, but not all. Finally, we derive tools which are necessary to set up more elaborate extensions of linear cryptanalysis, and to generalize the notions of bias, characteristic, and piling-up lemma.

A parallelizable enciphering mode

Abstract: We describe a block-cipher mode of operation, EME, that turns an n-bit block cipher into a tweakable enciphering scheme that acts on strings of mn bits, where me[1..n]. The mode is parallelizable, but as serial-efficient as the non-parallelizable mode CMC [6]. EME can be used to solve the disk-sector encryption problem. The algorithm entails two layers of ECB encryption and a “lightweight mixing” in between. We prove EME secure, in the reduction-based sense of modern cryptography. We motivate some of the design choices in EME by showing that a few simple modifications of this mode are insecure.

Security of Random Feistel Schemes with 5 or More Rounds

Abstract: We study cryptographic attacks on random Feistel schemes. We denote by m the number of plaintext/ciphertext pairs, and by k the number of rounds. In their famous paper [3], M. Luby and C. Rackoff have completely solved the cases m≪ 2 n/2: the schemes are secure against all adaptive chosen plaintext attacks (CPA-2) when k≥ 3 and against all adaptive chosen plaintext and chosen ciphertext attacks (CPCA-2) when k≥ 4 (for this second result a proof is given in [9]).

Fault analysis of stream ciphers

Abstract: A fault attack is a powerful cryptanalytic tool which can be applied to many types of cryptosystems which are not vulnerable to direct attacks. The research literature contains many examples of fault attacks on public key cryptosystems and block ciphers, but surprisingly we could not find any systematic study of the applicability of fault attacks to stream ciphers. Our goal in this paper is to develop general techniques which can be used to attack the standard constructions of stream ciphers based on LFSR's, as well as more specialized techniques which can be used against specific stream ciphers such as RC4, LILI-128 and SOBER-t32. While most of the schemes can be successfully attacked, we point out several interesting open problems such as an attack on FSM filtered constructions and the analysis of high Hamming weight faults in LFSR's.

EME*: extending EME to handle arbitrary-length messages with associated data

Abstract: This work describes a mode of operation, EME*, that turns a regular block cipher into a length-preserving enciphering scheme for messages of (almost) arbitrary length. Specifically, the resulting scheme can handle any bit-length, not shorter than the block size of the underlying cipher, and it also handles associated data of arbitrary bit-length. Such a scheme can either be used directly in applications that need encryption but cannot afford length expansion, or serve as a convenient building block for higher-level modes. The mode EME* is a refinement of the EME mode of Halevi and Rogaway, and it inherits the efficiency and parallelism from the original EME.

New block cipher: ARIA

Abstract: In this paper, we propose a 128-bit block cipher ARIA which is an involution substitution and permutation encryption network(SPN). We use the same S-boxes as Rijndael to eliminate defects which are caused by a totally involution structure. In the diffusion layer of ARIA, a 16 x 16 binary matrix of the maximum branch number 8 is used to avoid some attacks well applied to the reduced round of Rijndael. ARIA uses only basic operations, S-box substitutions and XOR's together with an involution structure so that it can be efficiently implemented on various platforms.

A Differential Fault Attack Against Early Rounds of (Triple-)DES

Abstract: Previously proposed differential fault analysis (DFA) techniques against iterated block ciphers mostly exploit computational errors in the last few rounds of the cipher to extract the secret key. In this paper we describe a DFA attack that exploits computational errors in early rounds of a Feistel cipher. The principle of the attack is to force collisions by inducing faults in intermediate results of the cipher. We put this attack into practice against DES implemented on a smart card and extracted the full round key of the first round within a few hours by inducing one bit errors in the second and third round, respectively.

On Multiple Linear Approximations.

Abstract: In this paper we study the long standing problem of information extraction from multiple linear approximations. We develop a formal statistical framework for block cipher attacks based on this technique and derive explicit and compact gain formulas for generalized versions of Matsui’s Algorithm 1 and Algorithm 2. The theoretical framework allows both approaches to be treated in a unified way, and predicts significantly improved attack complexities compared to current linear attacks using a single approximation. In order to substantiate the theoretical claims, we benchmarked the attacks against reducedround versions of DES and observed a clear reduction of the data and time complexities, in almost perfect correspondence with the predictions. The complexities are reduced by several orders of magnitude for Algorithm 1, and the significant improvement in the case of Algorithm 2 suggests that this approach may outperform the currently best attacks on the full DES algorithm.

On Multiple Linear Approximations

Abstract: In this paper we study the long standing problem of information extraction from multiple linear approximations. We develop a formal statistical framework for block cipher attacks based on this technique and derive explicit and compact gain formulas for generalized versions of Matsui’s Algorithm 1 and Algorithm 2. The theoretical framework allows both approaches to be treated in a unified way, and predicts significantly improved attack complexities compared to current linear attacks using a single approximation. In order to substantiate the theoretical claims, we benchmarked the attacks against reduced-round versions of DES and observed a clear reduction of the data and time complexities, in almost perfect correspondence with the predictions. The complexities are reduced by several orders of magnitude for Algorithm 1, and the significant improvement in the case of Algorithm 2 suggests that this approach may outperform the currently best attacks on the full DES algorithm.

Exploring area/delay tradeoffs in an AES FPGA implementation

Abstract: Field-Programmable Gate Arrays (FPGAs) have lately become a popular target for implementing cryptographic block ciphers, as a well-designed FPGA solution can combine some of the algorithmic flexibility and cost efficiency of an equivalent software implementation with throughputs that are comparable to custom ASIC designs. The recently selected Advanced Encryption Standard (AES) is slowly replacing older ciphers as the building block of choice for secure systems and is well suited to an FPGA implementation. In this paper we explore the design decisions that lead to area/delay tradeoffs in a single-core AES FPGA implementation. This work provides a more thorough description of the defining AES hardware characteristics than is currently available in the research literature, along with implementation results that are pareto optimal in terms of throughput, latency, and area efficiency.

CWC: A High-Performance Conventional Authenticated Encryption Mode

Abstract: We introduce CWC, a new block cipher mode of operation for protecting both the privacy and the authenticity of encapsulated data. CWC is the first such mode having all five of the following properties: provable security, parallelizability, high performance in hardware, high performance in software, and no intellectual property concerns. We believe that having all five of these properties makes CWC a powerful tool for use in many performance-critical cryptographic applications. CWC is also the first appropriate solution for some applications; e.g., standardization bodies like the IETF and NIST prefer patent-free modes, and CWC is the first such mode capable of processing data at 10Gbps in hardware, which will be important for future IPsec (and other) network devices. As part of our design, we also introduce a new parallelizable universal hash function optimized for performance in both hardware and software.

FOX: a new family of block ciphers

Abstract: In this paper, we describe the design of a new family of block ciphers based on a Lai-Massey scheme, named FOX. The main features of this design, besides a very high security level, are a large implementation flexibility on various platforms as well as high performances. In addition, we propose a new design of strong and efficient key-schedule algorithms. We provide evidence that FOX is immune to linear and differential cryptanalysis, and we discuss its security towards integral cryptanalysis, algebraic attacks, and other attacks.

ICEBERG : An involutional cipher efficient for block encryption in reconfigurable hardware

Abstract: We present a fast involutional block cipher optimized for reconfigurable hardware implementations. ICEBERG uses 64-bit text blocks and 128-bit keys. All components are involutional and allow very efficient combinations of encryption/decryption. Hardware implementations of ICEBERG allow to change the key at every clock cycle without any performance loss and its round keys are derived “on-the-fly” in encryption and decryption modes (no storage of round keys is needed). The resulting design offers better hardware efficiency than other recent 128-key-bit block ciphers. Resistance against side-channel cryptanalysis was also considered as a design criteria for ICEBERG.

Power Analysis of an FPGA

Abstract: Since their publication in 1998, power analysis attacks have attracted significant attention within the cryptographic community. So far, they have been successfully applied to different kinds of (unprotected) implementations of symmetric and public-key encryption schemes. However, most published attacks apply to smart cards and only a few publications assess the vulnerability of hardware implementations. In this paper we investigate the vulnerability of Rijndael FPGA (Field Programmable Gate Array) implementations to power analysis attacks. The design used to carry out the experiments is an optimized architecture with high clock frequencies, presented at CHES 2003. First, we provide a clear discussion of the hypothesis used to mount the attack. Then, we propose theoretical predictions of the attacks that we confirmed experimentally, which are the first successful experiments against an FPGA implementation of Rijndael. In addition, we evaluate the effect of pipelining and unrolling techniques in terms of resistance against power analysis. We also emphasize how the efficiency of the attack significantly depends on the knowledge of the design.

Cryptographic applications of T-functions

Abstract: A T-function is a mapping in which the i-th bit of the output can depend only on bits 0,1,..., i of the input. All the bitwise machine operations and most of the numeric machine operations in modern processors are T-functions, and their compositions are also T-functions. In this paper we show that T-functions can be used to construct exceptionally efficient cryptographic building blocks which can be used as nonlinear maximal length state transition functions in stream ciphers, as large S-boxes in block ciphers, and as non-algebraic multipermutations in hash functions.

Provably secure double-block-length hash functions in a black-box model

Abstract: In CRYPTO’89, Merkle presented three double-block-length hash functions based on DES. They are optimally collision resistant in a black-box model, that is, the time complexity of any collision-finding algorithm for them is Ω(2l/2) if DES is a random block cipher, where l is the output length. Their drawback is that their rates are low. In this article, new double-block-length hash functions with higher rates are presented which are also optimally collision resistant in the black-box model. They are composed of block ciphers whose key length is twice larger than their block length.

Ciphers Secure against Related-Key Attacks

Abstract: In a related-key attack, the adversary is allowed to transform the secret key and request encryptions of plaintexts under the transformed key. This paper studies the security of PRF- and PRP-constructions against related-key attacks.

Systems and methods for protecting data secrecy and integrity

Abstract: A technique for integrating message authentication with encryption and decryption is disclosed. Intermediate internal states of the decryption operation are used to generate a validation code that can be used to detect manipulation of the encrypted data. The technique is optimized with respect to processing time, execution space for code and runtime data, and buffer usage. The technique is generally applicable to a variety of block ciphers, including TEA, Rijndael, DES, RC5, and RC6.

Protection of digital content using block cipher crytography

Abstract: Protection of digital content using a specific application of block cipher cryptography is described. The digital content is encrypted using an encryption key and a calculated initialization vector. The digital content includes a plurality of strides of data and each stride includes a string of data to be encrypted and a block of data to be encrypted. The calculated initialization vector to be used to encrypt the block of data is derived from the string of data in the stride to be encrypted. Furthermore, the initialization vector is calculated by performing an exclusive disjunction function on a seed value and the string of data for each stride.

Theoretical Analysis of XL over Small Fields

Abstract: XL was first introduced to solve determined or overdetermined systems of equations over a finite field as an “algebraic attack” against multivariate cryptosystems. There has been a steady stream of announcements of cryptanalysis of primitives by such attacks, including stream ciphers (e.g. Toyocrypt), PKC’s, and more controversially block ciphers (AES/Rijndael and Serpent).

The Extended Codebook (XCB) Mode of Operation.

Abstract: We describe a block cipher mode of operation that implements a ‘tweakable’ (super) pseudorandom permutation with an arbitrary block length. This mode can be used to provide the best possible security in systems that cannot allow data expansion, such as disk-block encryption and some network protocols. The mode accepts an additional input, which can be used to protect against attacks that manipulate the ciphertext by rearranging the ciphertext blocks. Our mode is similar to a five-round Luby-Rackoff cipher in which the first and last rounds do not use the conventional Feistel structure, but instead use a single block cipher invocation. The third round is a Feistel structure using counter mode as a PRF. The second and fourth rounds are Feistel structures using a universal hash function; we re-use the polynomial hash over a binary field defined in the Galois/Counter Mode (GCM) of operation for block ciphers. This choice provides efficiency in both hardware and software and allows for re-use of implementation effort. XCB also has several useful properties: it accepts arbitrarily-sized plaintexts and associated data, including any plaintexts with lengths that are no smaller than the width of the block cipher. This document is a pre-publication draft manuscript.