
Showing papers on "Block cipher published in 2006"


Book ChapterDOI
10 Oct 2006
TL;DR: This paper proposes a new block cipher HIGHT with 64-bit block length and 128-bit key length, which provides a low-resource hardware implementation suitable for ubiquitous computing devices such as a sensor in a USN or an RFID tag.
Abstract: In this paper, we propose a new block cipher HIGHT with 64-bit block length and 128-bit key length. It provides a low-resource hardware implementation, which is suitable for ubiquitous computing devices such as a sensor in a USN or an RFID tag. HIGHT not only consists of simple operations so as to be ultra-light, but also has enough security to be a good encryption algorithm. Our hardware implementation of HIGHT requires 3048 gates on 0.25 μm technology.

668 citations


Journal Article
TL;DR: In this paper, a new stream cipher construction based on block cipher design principles is proposed, where the building blocks used in block ciphers are replaced by equivalent stream cipher components.
Abstract: In this paper, we propose a new stream cipher construction based on block cipher design principles. The main idea is to replace the building blocks used in block ciphers by equivalent stream cipher components. In order to illustrate this approach, we construct a very simple synchronous stream cipher which provides a lot of flexibility for hardware implementations, and seems to have a number of desirable cryptographic properties.

332 citations


Book ChapterDOI
10 Oct 2006
TL;DR: This work proposes to perform template attacks in the principal subspace of the traces, a new type of attack that requires five times fewer encrypted messages than the best reported correlation attack against similar block cipher implementations.
Abstract: Side-channel attacks are a serious threat to implementations of cryptographic algorithms. Secret information is recovered based on power consumption, electromagnetic emanations or any other form of physical information leakage. Template attacks are probabilistic side-channel attacks, which assume a Gaussian noise model. Using the maximum likelihood principle enables us to reveal (part of) the secret for each set of recordings (i.e., leakage trace). In practice, however, the major concerns are (i) how to select the points of interest of the traces, (ii) how to choose the minimal distance between these points, and (iii) how many points of interest are needed for attacking. So far, only heuristics were provided. In this work, we propose to perform template attacks in the principal subspace of the traces. This new type of attack addresses all practical issues in a principled way and automatically. The approach is validated by attacking stream ciphers such as RC4. We also report analysis results of template style attacks against an FPGA implementation of AES Rijndael. Roughly, the template attack we carried out requires five times fewer encrypted messages than the best reported correlation attack against similar block cipher implementations.

306 citations


Journal ArticleDOI
TL;DR: This work constructs an evaluation framework, and selects the most suitable ciphers for WSNs, namely Skipjack, MISTY1, and Rijndael, depending on the combination of available memory and required security (energy efficiency being implicit).
Abstract: Cryptographic algorithms play an important role in the security architecture of wireless sensor networks (WSNs). Choosing the most storage- and energy-efficient block cipher is essential, due to the facts that these networks are meant to operate without human intervention for a long period of time with little energy supply, and that available storage is scarce on these sensor nodes. However, to our knowledge, no systematic work has been done in this area so far. We construct an evaluation framework in which we first identify the candidates of block ciphers suitable for WSNs, based on existing literature and authoritative recommendations. For evaluating and assessing these candidates, we not only consider the security properties but also the storage- and energy-efficiency of the candidates. Finally, based on the evaluation results, we select the most suitable ciphers for WSNs, namely Skipjack, MISTY1, and Rijndael, depending on the combination of available memory and required security (energy efficiency being implicit). In terms of operation mode, we recommend Output Feedback Mode for pairwise links but Cipher Block Chaining for group communications.

286 citations


Book ChapterDOI
17 Aug 2006
TL;DR: This work shows that access-driven cache-based attacks are becoming easier to understand and analyze, and when such attacks are mounted against systems performing AES, only a very limited number of encryptions are required to recover the whole key with a high probability of success.
Abstract: An access-driven attack is a class of cache-based side channel analysis. Like the time-driven attack, the cache's timings are under inspection as a source of information leakage. Access-driven attacks scrutinize the cache behavior with a finer granularity, rather than evaluating the overall execution time. Access-driven attacks leverage the ability to detect whether a cache line has been evicted, or not, as the primary mechanism for mounting an attack. In this paper we focus on the case of AES and we show that the vast majority of processors suffer from this cache-based vulnerability. Our best results are indeed performed on a processor without the multi-threading capabilities -- in contrast to previous works in this area that had suggested that multi-threading actually improved, or even made possible, this class of attack. Despite some technical difficulties required to mount such attacks, our work shows that access-driven cache-based attacks are becoming easier to understand and analyze. Also, when such attacks are mounted against systems performing AES, only a very limited number of encryptions are required to recover the whole key with a high probability of success, due to our last round analysis from the ciphertext.

208 citations


01 Jan 2006
TL;DR: A low-power architecture for the widely recommended hash function SHA-256 is presented which is the basis for the smallest and most energy-efficient ASIC implementation published so far and shows that smaller hash functions like SHA-1, MD5 and MD4 are also less suitable for RFID tags than the AES.
Abstract: Designers of RFID security protocols can choose between a wide variety of cryptographic algorithms. However, when implementing these algorithms on RFID tags, fierce constraints have to be considered. Looking at the common assumption in the literature that hash functions are implementable in a manner suitable for RFID tags and thus heavily used by RFID security protocol designers, we claim the following. Current standards and state-of-the-art low-power implementation techniques favor the use of block ciphers like the Advanced Encryption Standard (AES) instead of hash functions from the SHA family as building blocks for RFID security protocols. In turn, we present a low-power architecture for the widely recommended hash function SHA-256 which is the basis for the smallest and most energy-efficient ASIC implementation published so far. To back up our claim we compare the achieved results with the smallest available AES implementation. The AES module requires only a third of the chip area and half of the mean power. Our conclusions are even stronger since we can show that smaller hash functions like SHA-1, MD5 and MD4 are also less suitable for RFID tags than the AES. Our analysis of the reasons for this result gives some input for future hash function designs.

202 citations


Book ChapterDOI
29 Oct 2006
TL;DR: In this article, the authors present a low-power architecture for the widely recommended hash function SHA-256 which is the basis for the smallest and most energy-efficient ASIC implementation published so far.
Abstract: Designers of RFID security protocols can choose between a wide variety of cryptographic algorithms. However, when implementing these algorithms on RFID tags, fierce constraints have to be considered. Looking at the common assumption in the literature that hash functions are implementable in a manner suitable for RFID tags and thus heavily used by RFID security protocol designers, we claim the following. Current standards and state-of-the-art low-power implementation techniques favor the use of block ciphers like the Advanced Encryption Standard (AES) instead of hash functions from the SHA family as building blocks for RFID security protocols. In turn, we present a low-power architecture for the widely recommended hash function SHA-256 which is the basis for the smallest and most energy-efficient ASIC implementation published so far. To back up our claim we compare the achieved results with the smallest available AES implementation. The AES module requires only a third of the chip area and half of the mean power. Our conclusions are even stronger since we can show that smaller hash functions like SHA-1, MD5 and MD4 are also less suitable for RFID tags than the AES. Our analysis of the reasons for this result gives some input for future hash function designs.

200 citations


01 Jan 2006
TL;DR: This paper discusses attacks on AES, a Round and Communication Efficient Secure Ranking Protocol, and a new Criterion for Nonlinearity of Block Ciphers.
Abstract: Attacks on AES.- Cache Attacks and Countermeasures: The Case of AES.- Related-Key Impossible Differential Attacks on 8-Round AES-192.- Identification.- Session Corruption Attack and Improvements on Encryption Based MT-Authenticators.- Fair Identification.- Algebra.- Efficient Doubling on Genus 3 Curves over Binary Fields.- Another Look at Small RSA Exponents.- Integrity.- Collision-Resistant Usage of MD5 and SHA-1 Via Message Preprocessing.- RFID-Tags for Anti-counterfeiting.- Public Key Encryption.- A "Medium-Field" Multivariate Public-Key Encryption Scheme.- A New Security Proof for Damgard's ElGamal.- Signatures.- Stand-Alone and Setup-Free Verifiably Committed Signatures.- Toward the Fair Anonymous Signatures: Deniable Ring Signatures.- Side-Channel Attacks.- Practical Second-Order DPA Attacks for Masked Smart Card Implementations of Block Ciphers.- Higher Order Masking of the AES.- CCA Encryption.- Chosen Ciphertext Secure Public Key Threshold Encryption Without Random Oracles.- How to Construct Multicast Cryptosystems Provably Secure Against Adaptive Chosen Ciphertext Attack.- Message Authentication.- On the (Im)possibility of Blind Message Authentication Codes.- An Optimal Non-interactive Message Authentication Protocol.- Block Ciphers.- A New Criterion for Nonlinearity of Block Ciphers.- Block Ciphers Sensitive to Gröbner Basis Attacks.- Multi-party Computation.- Universally Composable Oblivious Transfer in the Multi-party Setting.- A Round and Communication Efficient Secure Ranking Protocol.

194 citations


Journal Article
TL;DR: An improved concept for second-order differential-power analysis (DPA) attacks on masked smart card implementations of block ciphers and gives evidence on the effectiveness of this methodology by showing practical attacks on a masked AES smart card implementation.
Abstract: In this article we describe an improved concept for second-order differential-power analysis (DPA) attacks on masked smart card implementations of block ciphers. Our concept allows mounting second-order DPA attacks in a rather simple way: a second-order DPA attack consists of a pre-processing step and a DPA step. Therefore, our way of performing second-order DPA attacks allows one to easily assess the number of traces that are needed for a successful attack. We give evidence of the effectiveness of our methodology by showing practical attacks on a masked AES smart card implementation. In these attacks we target inputs and outputs of the SubBytes operation in the first encryption round.

165 citations


Book ChapterDOI
13 Feb 2006
TL;DR: In this article, the authors describe an improved concept for second-order differential power analysis (DPA) attacks on masked smart card implementations of block ciphers, and demonstrate the effectiveness of their methodology by showing practical attacks on a masked AES smart card implementation.
Abstract: In this article we describe an improved concept for second-order differential-power analysis (DPA) attacks on masked smart card implementations of block ciphers. Our concept allows mounting second-order DPA attacks in a rather simple way: a second-order DPA attack consists of a pre-processing step and a DPA step. Therefore, our way of performing second-order DPA attacks allows one to easily assess the number of traces that are needed for a successful attack. We give evidence of the effectiveness of our methodology by showing practical attacks on a masked AES smart card implementation. In these attacks we target inputs and outputs of the SubBytes operation in the first encryption round.

154 citations


Journal ArticleDOI
23 Jan 2006
TL;DR: This paper presents recent results of attacks attempted against standard encryption algorithms, provides a theoretical estimation of these attacks based on simple statistical parameters and evaluates the cost and security of different possible countermeasures.
Abstract: Since their introduction by Kocher in 1998, power analysis attacks have attracted significant attention within the cryptographic community. While early works in the field mainly threatened the security of smart cards and simple processors, several recent publications have shown the vulnerability of hardware implementations as well. In particular, field programmable gate arrays are attractive options for hardware implementation of encryption algorithms, but their security against power analysis is a serious concern, as we discuss in this paper. For this purpose, we present recent results of attacks attempted against standard encryption algorithms, provide a theoretical estimation of these attacks based on simple statistical parameters and evaluate the cost and security of different possible countermeasures.

Journal Article
TL;DR: In this article, it is discussed how to construct a compression function with 2n-bit output using a component function with n-bit output, either a smaller compression function or a block cipher.
Abstract: In this article, it is discussed how to construct a compression function with 2n-bit output using a component function with n-bit output. The component function is either a smaller compression function or a block cipher. Some constructions are presented which compose collision-resistant hash functions: any collision-finding attack on them is at most as efficient as the birthday attack in the random oracle model or in the ideal cipher model. A new security notion is also introduced, which we call indistinguishability in the iteration, with a construction satisfying the notion.

Journal ArticleDOI
TL;DR: A chaotic Feistel cipher and a chaotic uniform cipher are proposed to examine crypto components from both dynamical-system and cryptographic points of view, and thus to explore the connection between these two fields.
Abstract: Digital chaotic ciphers have been investigated for more than a decade. However, their overall performance in terms of the tradeoff between security and speed, as well as the connection between chaos and cryptography, has not been sufficiently addressed. We propose a chaotic Feistel cipher and a chaotic uniform cipher. Our plan is to examine crypto components from both dynamical-system and cryptographic points of view, and thus to explore the connection between these two fields. In due course, we also apply dynamical system theory to create cryptographically secure transformations and evaluate cryptographic security measures.

Journal Article
TL;DR: In this paper, the authors presented a new 64-bit block cipher mCrypton with three key size options (64 bits, 96 bits and 128 bits), specifically designed for use in resource-constrained tiny devices, such as low-cost RFID tags and sensors.
Abstract: This paper presents a new 64-bit block cipher mCrypton with three key size options (64 bits, 96 bits and 128 bits), specifically designed for use in resource-constrained tiny devices, such as low-cost RFID tags and sensors. It is designed by following the overall architecture of Crypton but with a redesign and simplification of each component function to enable a much more compact implementation in both hardware and software. A simple hardware implementation of mCrypton is also presented to demonstrate its suitability to our target applications. Our prototype implementation based on the straightforward 1 cycle/round architecture requires only about 3500 to 4100 gates for both encryption and decryption, and about 2400 to 3000 gates for encryption only (under 0.13 μm CMOS technology). The result shows that the hardware complexity of mCrypton is well within the economic range of low-cost RFID tags and sensors. A more compact implementation under development promises that a further size reduction of around 30% could be achievable using the 5 cycles/round architecture.

Book
16 Aug 2006
TL;DR: This work will examine some algebraic aspects of the AES and consider a number of algebraic techniques that could be used in the analysis of the cipher, and focus on the large, though surprisingly simple, systems of multivariate quadratic equations derived from the encryption operation.
Abstract: Since being officially selected as the new Advanced Encryption Standard (AES), Rijndael has continued to receive great attention and has had its security continuously evaluated by the cryptographic community. Rijndael is a cipher with a simple, elegant and highly algebraic structure. Its selection as the AES has led to a growing interest in the study of algebraic properties of block ciphers, and in particular algebraic techniques that can be used in their cryptanalysis. In these notes we will examine some algebraic aspects of the AES and consider a number of algebraic techniques that could be used in the analysis of the cipher. In particular, we will focus on the large, though surprisingly simple, systems of multivariate quadratic equations derived from the encryption operation, and consider some approaches that could be used when attempting to solve these systems. These notes refer to an invited talk given at the Fourth Conference on the Advanced Encryption Standard (AES4) in May 2004, and are largely based on [4].

Journal ArticleDOI
TL;DR: The encryption quality of the RC5 block cipher algorithm is investigated along its several design parameters, such as word size, number of rounds, and secret key length, and the optimal choices for the best values of these design parameters are given.
Abstract: We investigate the implementation and application of the RC5 block cipher algorithm for digital images and provide testing, verification, and encryption efficiency of the RC5 block cipher for digital images. We describe briefly the basic design parameters of the RC5 block cipher and its implementation for digital images. A complete specification for the method of application of the RC5 block cipher to digital images is given. Several test images are used for inspecting the validity of the encryption and decryption algorithms. Also, we provide and introduce a mathematical measure for encryption efficiency, which we will call the encryption quality instead of visual inspection, and apply it to several images. The encryption quality of the RC5 block cipher algorithm is investigated along its several design parameters, such as word size, number of rounds, and secret key length, and the optimal choices for the best values of these design parameters are given. © 2006 Society of Photo-Optical Instrumentation

Book ChapterDOI
08 Dec 2006
TL;DR: The impact of the architecture of the microprocessor on the performance of bitslice AES is analyzed and the implementation is optimized to best utilize the superscalar architecture and SIMD instruction set present in the processors.
Abstract: Network applications need to be fast and at the same time provide security. In order to minimize the overhead of the security algorithm on the performance of the application, the speeds of encryption and decryption of the algorithm are critical. To obtain maximum performance from the algorithm, efficient techniques for its implementation must be used and the implementation must be tuned for the specific hardware on which it is running. Bitslice is a non-conventional but efficient way to implement DES in software. It involves breaking down DES into logical bit operations so that N parallel encryptions are possible on a single N-bit microprocessor. This results in tremendous throughput. AES is a symmetric block cipher introduced by NIST as a replacement for DES. It is rapidly becoming popular due to its good security features, efficiency, performance and simplicity. In this paper we present an implementation of AES using the bitslice technique. We analyze the impact of the architecture of the microprocessor on the performance of bitslice AES. We consider three processors: the Intel Pentium 4, the AMD Athlon 64 and the Intel Core 2. We optimize the implementation to best utilize the superscalar architecture and SIMD instruction set present in the processors.

Journal ArticleDOI
23 Jan 2006
TL;DR: The fundamental principles behind today's state of the art in block cipher cryptanalysis are reviewed.
Abstract: Since the introduction of the Data Encryption Standard (DES) in the mid-1970s, block ciphers have played an ever-increasing role in cryptology. Because of the growing number of practical applications relying on their security, block ciphers have received, and are still receiving, a substantial amount of attention from academic cryptanalysts. This has led, over the last decades, to the development of several general techniques to analyze the security of block ciphers. This paper reviews the fundamental principles behind today's state of the art in block cipher cryptanalysis.

Journal Article
TL;DR: In this paper, the impact of the architecture of the microprocessor on the performance of bitslice AES was analyzed for three processors: the Intel Pentium 4, the AMD Athlon 64 and the Intel Core 2.
Abstract: Network applications need to be fast and at the same time provide security. In order to minimize the overhead of the security algorithm on the performance of the application, the speeds of encryption and decryption of the algorithm are critical. To obtain maximum performance from the algorithm, efficient techniques for its implementation must be used and the implementation must be tuned for the specific hardware on which it is running. Bitslice is a non-conventional but efficient way to implement DES in software. It involves breaking down DES into logical bit operations so that N parallel encryptions are possible on a single N-bit microprocessor. This results in tremendous throughput. AES is a symmetric block cipher introduced by NIST as a replacement for DES. It is rapidly becoming popular due to its good security features, efficiency, performance and simplicity. In this paper we present an implementation of AES using the bitslice technique. We analyze the impact of the architecture of the microprocessor on the performance of bitslice AES. We consider three processors: the Intel Pentium 4, the AMD Athlon 64 and the Intel Core 2. We optimize the implementation to best utilize the superscalar architecture and SIMD instruction set present in the processors.

Patent
06 Dec 2006
TL;DR: In this paper, a data processing system is provided that includes format-preserving encryption and decryption engines, where the format defines a legal set of character values for each character position in the string and the decryption engine uses the format preserving block cipher in reverse to transform the encrypted string into a decrypted string having the same format.
Abstract: A data processing system is provided that includes format-preserving encryption and decryption engines. A string that contains characters has a specified format. The format defines a legal set of character values for each character position in the string. During encryption operations with the encryption engine, a string is processed to remove extraneous characters and to encode the string using an index. The processed string is encrypted using a format-preserving block cipher. The output of the block cipher is post-processed to produce an encrypted string having the same specified format as the original unencrypted string. During decryption operations, the decryption engine uses the format-preserving block cipher in reverse to transform the encrypted string into a decrypted string having the same format.

Book ChapterDOI
10 Oct 2006
TL;DR: In this article, the authors consider a block cipher implementation with a Hamming weight leakage function and evaluate the efficiency of two commonly investigated countermeasures, namely noise addition and masking, for quantifying the effect of practically relevant leakage functions with a combination of security and information theoretic metrics.
Abstract: In this paper, we consider a recently introduced framework that investigates physically observable implementations from a theoretical point of view. The model allows quantifying the effect of practically relevant leakage functions with a combination of security and information theoretic metrics. More specifically, we apply our evaluation methodology to an exemplary block cipher. We first consider a Hamming weight leakage function and evaluate the efficiency of two commonly investigated countermeasures, namely noise addition and masking. Then, we show that the proposed methodology allows capturing certain non-trivial intuitions, e.g. about the respective effectiveness of these countermeasures. Finally, we justify the need of combined metrics for the evaluation, comparison and understanding of side-channel attacks.

Proceedings Article
01 Jan 2006
TL;DR: In this paper, the authors introduce a chosen-plaintext vulnerability in the Secure Sockets Layer (SSL) and Trasport Layer Security (TLS) protocols which enables recovery of low entropy strings such as can be guessed from a likely set of 2-1000 options.
Abstract: This paper introduces a chosen-plaintext vulnerability in the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols which enables recovery of low entropy strings such as can be guessed from a likely set of 2–1000 options. SSL and TLS are widely used for securing communication over the Internet. When utilizing block ciphers for encryption, the SSL and TLS standards mandate the use of the cipher block chaining (CBC) mode of encryption which requires an initialization vector (IV) in order to encrypt. Although the first IV used by SSL is a (pseudo)random string which is generated and shared during the initial handshake phase, subsequent IVs used by SSL are chosen in a deterministic, predictable pattern; in particular, the IV of a message is taken to be the final ciphertext block of the immediately-preceding message, and is therefore known to the adversary. The one-channel nature of web proxies, anonymizers or Virtual Private Networks (VPNs) results in all Internet traffic from one machine traveling over the same SSL channel. We show this provides a feasible “point of entry” for this attack. Moreover, we show that the location of target data among block boundaries can have a profound impact on the number of guesses required to recover that data, especially in the low-entropy case. The attack in this paper is an application of the blockwise-adaptive chosen-plaintext attack paradigm, and is the only feasible attack to use this paradigm with a reasonable probability of success. The attack will work for all versions of SSL, and TLS version 1.0. This vulnerability and others are closed in TLS 1.1 (which is still in draft status) and OpenSSL after 0.9.6d. It is hoped this paper will encourage the deprecation of SSL and speed the adoption of OpenSSL or TLS 1.1/1.2 when they are finally released.

Patent
03 Apr 2006
TL;DR: In this article, the authors propose a method for secure transmission of information identifying account holders in electronic payment transactions made using payment cards or devices that are based on integrated circuit chip technology, where information such as personal account numbers, which may be stored on the cards and devices, is encrypted using a block cipher in a variant of the cipher feedback mode.
Abstract: Systems and methods are provided for secure transmission of information identifying account holders in electronic payment transactions made using payment cards or devices that are based on integrated circuit chip technology. Individual cards or devices are associated with a cipher key. Information such as personal account numbers, which may be stored on the cards or devices, is encrypted using a block cipher in a variant of the cipher feedback mode. This manner of encryption preserves the length of the cleartext, and allows the ciphertext to be securely transmitted in standard data structure formats over legacy electronic payment networks.

01 Jan 2006
TL;DR: This paper points out that both the micro-architecture of the processor and the cache initial state impact the amount of side-channel information which is provided by analyzing the cache behaviour during a symmetric encryption and indicates that some AES key bits can be recovered even if all lookup tables lie in the cache before each encryption.
Abstract: This paper points out that both the micro-architecture of the processor and the cache initial state impact the amount of side-channel information which is provided by analyzing the cache behaviour during a symmetric encryption. Therefore, the vulnerability of a block cipher implementation based on lookup tables highly varies with the encryption context and with the targeted platform. Our results then clarify some simulations reported by Bernstein and show that they can be reproduced only in a very particular context. However, we point out that some AES key bits can be recovered even if all lookup tables lie in the cache before each encryption, i.e., if all cache misses are avoided.

Posted Content
TL;DR: This work presents attacks against two cognitive authentication schemes, designed to be secure against eavesdropping attacks while relying only on human cognitive skills, which demonstrate that the authentication schemes are not secure against an eavesdropping adversary.
Abstract: We present attacks against two cognitive authentication schemes [3] recently proposed at the 2006 IEEE Symposium on Security and Privacy. These authentication schemes are designed to be secure against eavesdropping attacks while relying only on human cognitive skills. They achieve authentication via challenge response protocols based on a shared secret set of pictures. Our attacks use a SAT solver to recover a user’s key in a few seconds, after observing only a small number of successful logins. These attacks demonstrate that the authentication schemes of [3] are not secure against an eavesdropping adversary.

Book ChapterDOI
15 Mar 2006
TL;DR: The resynchronization attack on WG and LEX shows that block cipher related attacks are powerful in analyzing non-linear resynchronized mechanisms.
Abstract: WG and LEX are two stream ciphers submitted to eStream – the ECRYPT stream cipher project. In this paper, we point out security flaws in the resynchronization of these two ciphers. The resynchronization of WG is vulnerable to a differential attack. For WG with 80-bit key and 80-bit IV, 48 bits of the secret key can be recovered with about 2^31.3 chosen IVs. For each chosen IV, only the first four keystream bits are needed in the attack. The resynchronization of LEX is vulnerable to a slide attack. If a key is used with about 2^60.8 random IVs, and 20,000 keystream bytes are generated from each IV, then the key of the strong version of LEX could be recovered easily with a slide attack. The resynchronization attack on WG and LEX shows that block cipher related attacks are powerful in analyzing non-linear resynchronization mechanisms.

Book ChapterDOI
15 Mar 2006
TL;DR: An algorithm of complexity $O\left(m^d\right)$ (for fixed d) which is able to prove that a given Boolean function in m variables has no annihilator nor multiple of degree less than or equal to d.
Abstract: The purpose of algebraic attacks on stream and block ciphers is to recover the secret key by solving an overdefined system of multivariate algebraic equations. They become very efficient if this system is of low degree. In particular, they have been used to break stream ciphers immune to all previously known attacks. This kind of attack tends to work when certain Boolean functions used in the ciphering process have either low degree annihilators or low degree multiples. It is therefore important to be able to check this criterion for Boolean functions. We provide in this article an algorithm of complexity $O \left( m^d\right)$ (for fixed d) which is able to prove that a given Boolean function in m variables has no annihilator nor multiple of degree less than or equal to d. This complexity is essentially optimal. We also provide a more practical algorithm for the same task, which we believe to have the same complexity. This last algorithm is also able to output a basis of annihilators or multiples when they exist.

Book ChapterDOI
13 Feb 2006
TL;DR: In this paper, the Gröbner bases for a subset of these ciphers can be constructed with negligible computational effort, which reduces the key-recovery problem to a Gröbner basis conversion problem.
Abstract: We construct and analyze Feistel and SPN ciphers that have a sound design strategy against linear and differential attacks but for which the encryption process can be described by very simple polynomial equations. For a block and key size of 128 bits, we present ciphers for which practical Gröbner basis attacks can recover the full cipher key requiring only a minimal number of plaintext/ciphertext pairs. We show how Gröbner bases for a subset of these ciphers can be constructed with negligible computational effort. This reduces the key-recovery problem to a Gröbner basis conversion problem. By bounding the running time of a Gröbner basis conversion algorithm, FGLM, we demonstrate the existence of block ciphers resistant against differential and linear cryptanalysis but vulnerable against Gröbner basis attacks.

Book ChapterDOI
03 Dec 2006
TL;DR: In this article, the authors describe generic attacks on unbalanced Feistel schemes with contracting functions, which are used to construct pseudo-random permutations from kn bits to kn bits by using d pseudorandom functions from (k-1)n bits to n bits.
Abstract: In this paper, we describe generic attacks on unbalanced Feistel schemes with contracting functions. These schemes are used to construct pseudo-random permutations from kn bits to kn bits by using d pseudo-random functions from (k-1)n bits to n bits. We describe known plaintext attacks (KPA) and non-adaptive chosen plaintext attacks (CPA-1) against these schemes with less than $2^{kn}$ plaintext/ciphertext pairs and complexity strictly less than $O(2^{kn})$ for a number of rounds d ≤ 2k − 1. Consequently at least 2k rounds are necessary to avoid generic attacks. For k = 3, we found attacks up to 6 rounds, so 7 rounds are required. When d ≥ 2k, we also describe some attacks on schemes with generators (i.e. schemes where the d pseudo-random functions are generated) and where more than one permutation is required.

Journal Article
TL;DR: This work proposes message authentication codes that combine a block cipher and an additional (keyed or unkeyed) permutation and demonstrates that these MACs are provably secure if the block cipher is pseudorandom and the additional permutation has a small differential probability.
Abstract: We propose message authentication codes (MACs) that combine a block cipher and an additional (keyed or unkeyed) permutation. Our MACs are provably secure if the block cipher is pseudorandom and the additional permutation has a small differential probability. We also demonstrate that our MACs are easily implemented with AES and its 4-round version to obtain MACs that are provably secure and 1.4 to 2.5 times faster than the previous MAC modes of AES such as the CBC-MAC-AES.