Showing papers on "Block cipher published in 2008"

On the indifferentiability of the sponge construction

Abstract: In this paper we prove that the sponge construction introduced in [4] is indifferentiable from a random oracle when being used with a random transformation or a random permutation and discuss its implications. To our knowledge, this is the first time indifferentiability has been shown for a construction calling a random permutation (instead of an ideal compression function or ideal block cipher) and for a construction generating outputs of any length (instead of a fixed length).

The Salsa20 Family of Stream Ciphers

Abstract: Salsa20 is a family of 256-bit stream ciphers designed in 2005 and submitted to eSTREAM, the ECRYPT Stream Cipher Project. Salsa20 has progressed to the third round of eSTREAM without any changes. The 20-round stream cipher Salsa20/20 is consistently faster than AES and is recommended by the designer for typical cryptographic applications. The reduced-round ciphers Salsa20/12 and Salsa20/8 are among the fastest 256-bit stream ciphers available and are recommended for applications where speed is more important than confidence. The fastest known attacks use ≈ 2153simple operations against Salsa20/7, ≈ 2249simple operations against Salsa20/8, and ≈ 2255simple operations against Salsa20/9, Salsa20/10, etc. In this paper, the Salsa20 designer presents Salsa20 and discusses the decisions made in the Salsa20 design.

Cube Attacks on Tweakable Black Box Polynomials.

Abstract: Almost any cryptographic scheme can be described by tweakable polynomials over GF (2), which contain both secret variables (e.g., key bits) and public variables (e.g., plaintext bits or IV bits). The cryptanalyst is allowed to tweak the polynomials by choosing arbitrary values for the public variables, and his goal is to solve the resultant system of polynomial equations in terms of their common secret variables. In this paper we develop a new technique (called a cube attack) for solving such tweakable polynomials, which is a major improvement over several previously published attacks of the same type. For example, on the stream cipher Trivium with a reduced number of initialization rounds, the best previous attack (due to Fischer, Khazaei, and Meier) requires a barely practical complexity of 2 to attack 672 initialization rounds, whereas a cube attack can find the complete key of the same variant in 2 bit operations (which take less than a second on a single PC). Trivium with 735 initialization rounds (which could not be attacked by any previous technique) can now be broken with 2 bit operations. Trivium with 767 initialization rounds can now be broken with 2 bit operations, and the complexity of the attack can almost certainly be further reduced to about 2 bit operations. Whereas previous attacks were heuristic, had to be adapted to each cryptosystem, had no general complexity bounds, and were not expected to succeed on random looking polynomials, cube attacks are provably successful when applied to random polynomials of degree d over n secret variables whenever the number m of public variables exceeds d + logdn. Their complexity is 2 d−1n + n bit operations, which is polynomial in n and amazingly low when d is small. Cube attacks can be applied to any block cipher, stream cipher, or MAC which is provided as a black box (even when nothing is known about its internal structure) as long as at least one output bit can be represented by (an unknown) polynomial of relatively low degree in the secret and public variables.

Grøstl – a SHA-3 candidate

Abstract: Grostl is a SHA-3 candidate proposal. Grostl is an iterated hash function with a compression function built from two fixed, large, distinct permutations. The design of Grostl is transparent and based on principles very different from those used in the SHA-family. The two permutations are constructed using the wide trail design strategy, which makes it possible to give strong statements about the resistance of Grostl against large classes of cryptanalytic attacks. Moreover, if these permutations are assumed to be ideal, there is a proof for the security of the hash function. Grostl is a byte-oriented SP-network which borrows components from the AES. The S-box used is identical to the one used in the block cipher AES and the diffusion layers are constructed in a similar manner to those of the AES. As a consequence there is a very strong confusion and diffusion in Grostl. Grostl is a so-called wide-pipe construction where the size of the internal state is significantly larger than the size of the output. This has the effect that all known, generic attacks on the hash function are made much more difficult. Grostl has good performance on a wide range of platforms and counter-measures against side-channel attacks are well-understood from similar work on the AES.

On Probability of Success in Linear and Differential Cryptanalysis

Abstract: Despite their widespread usage in block cipher security, linear and differential cryptanalysis still lack a robust treatment of their success probability, and the success chances of these attacks have commonly been estimated in a rather ad hoc fashion. In this paper, we present an analytical calculation of the success probability of linear and differential cryptanalytic attacks. The results apply to an extended sense of the term “success” where the correct key is found not necessarily as the highest-ranking candidate but within a set of high-ranking candidates. Experimental results show that the analysis provides accurate results in most cases, especially in linear cryptanalysis. In cases where the results are less accurate, as in certain cases of differential cryptanalysis, the results are useful to provide approximate estimates of the success probability and the necessary plaintext requirement. The analysis also reveals that the attacked key length in differential cryptanalysis is one of the factors that affect the success probability directly besides the signal-to-noise ratio and the available plaintext amount.

Cryptographic hardware and embedded systems : CHES 2008 : 10th International Workshop, Washington, D.C., USA, August 10-13, 2008 : proceedings

Abstract: Side-Channel Analysis 1.- Attack and Improvement of a Secure S-Box Calculation Based on the Fourier Transform.- Collision-Based Power Analysis of Modular Exponentiation Using Chosen-Message Pairs.- Multiple-Differential Side-Channel Collision Attacks on AES.- Implementations 1.- Time-Area Optimized Public-Key Engines: -Cryptosystems as Replacement for Elliptic Curves?.- Ultra High Performance ECC over NIST Primes on Commercial FPGAs.- Exploiting the Power of GPUs for Asymmetric Cryptography.- Fault Analysis 1.- High-Performance Concurrent Error Detection Scheme for AES Hardware.- A Lightweight Concurrent Fault Detection Scheme for the AES S-Boxes Using Normal Basis.- RSA with CRT: A New Cost-Effective Solution to Thwart Fault Attacks.- Random Number Generation.- A Design for a Physical RNG with Robust Entropy Estimators.- Fast Digital TRNG Based on Metastable Ring Oscillator.- Efficient Helper Data Key Extractor on FPGAs.- Side-Channel Analysis 2.- The Carry Leakage on the Randomized Exponent Countermeasure.- Recovering Secret Keys from Weak Side Channel Traces of Differing Lengths.- Attacking State-of-the-Art Software Countermeasures-A Case Study for AES.- Cryptography and Cryptanalysis.- Binary Edwards Curves.- A Real-World Attack Breaking A5/1 within Hours.- Hash Functions and RFID Tags: Mind the Gap.- Implementations 2.- A New Bit-Serial Architecture for Field Multiplication Using Polynomial Bases.- A Very Compact Hardware Implementation of the MISTY1 Block Cipher.- Light-Weight Instruction Set Extensions for Bit-Sliced Cryptography.- Fault Analysis 2.- Power and Fault Analysis Resistance in Hardware through Dynamic Reconfiguration.- RFID and Its Vulnerability to Faults.- Perturbating RSA Public Keys: An Improved Attack.- Side-Channel Analysis 3.- Divided Backend Duplication Methodology for Balanced Dual Rail Routing.- Using Subspace-Based Template Attacks to Compare and Combine Power and Electromagnetic Information Leakages.- Mutual Information Analysis.- Invited Talks.- RSA-Past, Present, Future.- A Vision for Platform Security.

The Random Oracle Model and the Ideal Cipher Model Are Equivalent

Abstract: The Random Oracle Model and the Ideal Cipher Model are two well known idealised models of computation for proving the security of cryptosystems. At Crypto 2005, Coron et al.showed that security in the random oracle model implies security in the ideal cipher model; namely they showed that a random oracle can be replaced by a block cipher-based construction, and the resulting scheme remains secure in the ideal cipher model. The other direction was left as an open problem, i.e.constructing an ideal cipher from a random oracle. In this paper we solve this open problem and show that the Feistel construction with 6 rounds is enough to obtain an ideal cipher; we also show that 5 rounds are insufficient by providing a simple attack. This contrasts with the classical Luby-Rackoff result that 4 rounds are necessary and sufficient to obtain a (strong) pseudo-random permutation from a pseudo-random function.

Sosemanuk, a Fast Software-Oriented Stream Cipher

Abstract: Sosemanuk is a new synchronous software-oriented stream cipher, corresponding to Profile 1 of the ECRYPT call for stream cipher primitives. Its key length is variable between 128 and 256 bits. It accommodates a 128-bit initial value. Any key length is claimed to achieve 128-bit security. The Sosemanuk cipher uses both some basic design principles from the stream cipher SNOW 2.0 and some transformations derived from the block cipher SERPENT. Sosemanuk aims at improving SNOW 2.0 both from the security and from the efficiency points of view. Most notably, it uses a faster IV-setup procedure. It also requires a reduced amount of static data, yielding better performance on several architectures.

Algebraic and Slide Attacks on KeeLoq

Abstract: KeeLoq is a block cipher used in wireless devices that unlock the doors and alarms in cars manufactured by Chrysler, Daewoo, Fiat, GM, Honda, Jaguar, Toyota, Volvo, Volkswagen, etc [8,9,33,34]. KeeLoq is inexpensive to implement and economical in gate count, yet according to Microchip [33] it should have "a level of security comparable to DES". In this paper we present several distinct attacks on KeeLoq, each of them is interesting for different reasons. First we show that when about 232known plaintexts are available, KeeLoq is very weak and for example for 30% of all keys the full key can be recovered with complexity of 228KeeLoq encryptions. Then we turn our attention to algebraic attacks with the major challenge of breaking KeeLoq given potentially a very small number of known plaintexts. Our best "direct" algebraic attack can break up to 160 rounds of KeeLoq. Much better results are achieved in combination with slide attacks. Given about 216known plaintexts, we present a slide-algebraic attack that uses a SAT solver with the complexity equivalent to about 253KeeLoq encryptions. To the best of our knowledge, this is the first time that a full-round real-life block cipher is broken using an algebraic attack.

New Features of Latin Dances: Analysis of Salsa, ChaCha, and Rumba

Abstract: The stream cipher Salsa20 was introduced by Bernstein in 2005 as a candidate in the eSTREAM project, accompanied by the reduced versions Salsa20/8 and Salsa20/12. ChaCha is a variant of Salsa20 aiming at bringing better diffusion for similar performance. Variants of Salsa20 with up to 7 rounds (instead of 20) have been broken by differential cryptanalysis, while ChaCha has not been analyzed yet. We introduce a novel method for differential cryptanalysis of Salsa20 and ChaCha, inspired by correlation attacks and related to the notion of neutral bits. This is the first application of neutral bits in stream cipher cryptanalysis. It allows us to break the 256-bit version of Salsa20/8, to bring faster attacks on the 7-round variant, and to break 6- and 7-round ChaCha. In a second part, we analyze the compression function Rumba, built as the XOR of four Salsa20 instances and returning a 512-bit output. We find collision and preimage attacks for two simplified variants, then we discuss differential attacks on the original version, and exploit a high-probability differential to reduce complexity of collision search from 2256to 279for 3-round Rumba. To prove the correctness of our approach we provide examples of collisions and near-collisions on simplified versions.

The Random Oracle Model and the Ideal Cipher Model are Equivalent.

Abstract: The Random Oracle Model and the Ideal Cipher Model are two well known idealised models of computation for proving the security of cryptosystems. At Crypto 2005, Coron et al. showed that security in the random oracle model implies security in the ideal cipher model; namely they showed that a random oracle can be replaced by a block cipher-based construction, and the resulting scheme remains secure in the ideal cipher model. The other direction was left as an open problem, i.e. constructing an ideal cipher from a random oracle. In this paper we solve this open problem and show that the Feistel construction with 6 rounds is enough to obtain an ideal cipher; we also show that 5 rounds are insufficient by providing a simple attack. This contrasts with the classical Luby-Rackoff result that 4 rounds are necessary and sufficient to obtain a (strong) pseudo-random permutation from a pseudo-random function.

Implementation of the AES-128 on virtex-5 FPGAs

Abstract: This paper presents an updated implementation of the Advanced Encryption Standard (AES) on the recent Xilinx Virtex-5 FPGAs. We show how a modified slice structure in these reconfigurable hardware devices results in significant improvement of the design efficiency. In particular, a single substitution box of the AES can fit in 8 FPGA slices. We combine these technological changes with a sound intertwining of the round and key round functionalities in order to produce encryption and decryption architectures that perfectly fit with the Digital Cinema Initiative specifications. More generally, our implementations are convenient for any application requiring Gbps-range throughput.

Improving the efficiency of impossible differential cryptanalysis of reduced Camellia and MISTY1

Abstract: We observe that when conducting an impossible differential cryptanalysis on Camellia and MISTY1, their round structures allow us to partially determine whether a candidate pair is useful by guessing only a small fraction of the unknown required subkey bits of a relevant round at a time, instead of guessing all of them at once. Taking advantage of the early abort technique, we improve a previous impossible differential attack on 6-round MISTY1 without the FL functions, and present impossible differential cryptanalysis of 11-round Camellia-128 without the FL functions, 13-round Camellia-192 without the FL functions and 14- round Camellia-256 without the FL functions. The presented results are better than any previously published cryptanalytic results on Camellia and MISTY1 without the FL functions.

Practical symmetric key cryptography on modern graphics hardware

Abstract: Graphics processors are continuing their trend of vastly outperforming CPUs while becoming more general purpose. The latest generation of graphics processors have introduced the ability handle integers natively. This has increased the GPU's applicability to many fields, especially cryptography. This paper presents an application oriented approach to block cipher processing on GPUs. A new block based conventional implementation of AES on an Nvidia G80 is shown with 4-10x speed improvements over CPU implementations and 2-4x speed increase over the previous fastest AES GPU implementation. We outline a general purpose data structure for representing cryptographic client requests which is suitable for execution on a GPU. We explore the issues related to the mapping of this general structure to the GPU. Finally we present the first analysis of the main encryption modes of operation on a GPU, showing the performance and behavioural implications of executing these modes under the outlined general purpose data model. Our AES implementation is used as the underlying block cipher to show the overhead of moving from an optimised hard-coded approach to a generalised one.

Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis

Abstract: In the recent years, side channel analysis has received a lot of attention, and attack techniques have been improved. Side channel analysis of second order is now successful in breaking implementations of block ciphers supposed to be effectively protected. This progress shows not only the practicability of second order attacks, but also the need for provably secure countermeasures. Surprisingly, while many studies have been dedicated to the attacks, only a few papers have been published about the dedicated countermeasures. In fact, only the method proposed by Schramm and Paar at CT-RSA 2006 enables to thwart second order side channel analysis. In this paper, we introduce two new methods which constitute a worthwhile alternative to Schramm and Paar's proposal. We prove their security in a strong security model and we exhibit a way to significantly improve their efficiency by using the particularities of the targeted architectures. Finally, we argue that the introduced methods allow us to efficiently protect a wide variety of block ciphers, including AES.

Multidimensional Linear Cryptanalysis of Reduced Round Serpent

Abstract: Various authors have previously presented different approaches how to exploit multiple linear approximations to enhance linear cryptanalysis. In this paper we present a new truly multidimensional approach to generalise Matsui's Algorithm 1. We derive the statistical framework for it and show how to calculate multidimensional probability distributions based on correlations of one-dimensional linear approximations. The main advantage is that the assumption about statistical independence of linear approximations can be removed. Then we apply these new techniques to four rounds of the block cipher Serpent and show that the multidimensional approach is more effective in recovering key bits correctly than the previous methods that use a multiple of one-dimensional linear approximations.

A block cipher based pseudo random number generator secure against side-channel key recovery

Abstract: We study the security of a block cipher-based pseudorandom number generator (PRNG), both in the black box world and in the physical world, separately. We first show that the construction is a secure PRNG in the ideal cipher model. Then, we demonstrate its security against a Bayesian side-channel key recovery adversary. As a main result, we show that our construction guarantees that the success rate of the adversary does not increase with the number of physical observations, but in a limited and controlled way. Besides, we observe that, under common assumptions on side-channel attack strategies, increasing the security parameter (typically the block cipher key size) by a polynomial factor involves an increase of a side-channel attack complexity by an exponential factor, making the probability of a successful attack negligible. We believe this work provides a first interesting example of the way the algorithmic design of a cryptographic scheme influences its side-channel resistance.

Differential cryptanalysis of reduced-round PRESENT

Abstract: PRESENT is proposed by A. Bogdanov et al. in CHES 2007 for extremely constrained environments such as RFID tags and sensor networks. In this paper, we present the differential characteristics for r-round(5 ≤ r ≤ 15), then give the differential cryptanalysis on reduced-round variants of PRESENT. We attack 16-round PRESENT using 264 chosen plaintexts, 232 6-bit counters, and 264 memory accesses.

High-Performance Concurrent Error Detection Scheme for AES Hardware

Abstract: This paper proposes an efficient concurrent error detection scheme for hardware implementation of the block cipher AES. The proposed scheme does not require an additional arithmetic unit, but simply divides the round function block into two sub-blocks and uses the sub-blocks alternately for encryption (or decryption) and error detection. The number of clock cycles is doubled, but the maximum operating frequency is increased owing to the shortened critical path of the sub-block. Therefore, the proposed scheme has a limited impact on hardware performance with respect to size and speed. AES hardware with the proposed scheme was designed and synthesized using a 90-nm CMOS standard cell library with size and speed optimization options. The compact and high-speed implementations achieved performances of 2.21 Gbps @ 16.1 Kgates and 3.21 Gbps @ 24.1 Kgates, respectively. In contrast, the performances of AES hardware without error detection were 1.66 Gbps @ 12.9 Kgates for the compact version and 4.22 Gbps @ 30.7 Kgates for the high-speed version. There is only a slight difference between the performances with and without error detection. The performance overhead caused by the error detection is evaluated at the optimal balance between size and speed and was estimated to be 14.5% at maximum. Conversely, the AES hardware with the proposed scheme had better performance in some cases. If pipeline operation is allowed, as in the CTR mode, throughputs can easily be boosted by further dividing the sub-blocks. Although the proposed error detection scheme was applied to AES in the present study, it can also be applied to other algorithms efficiently.

Bit-Pattern Based Integral Attack

Abstract: Integral attacks are well-known to be effective against byte-based block ciphers. In this document, we outline how to launch integral attacks against bit-based block ciphers. This new type of integral attack traces the propagation of the plaintext structure at bit-level by incorporating bit-pattern based notations. The new notation gives the attacker more details about the properties of a structure of cipher blocks. The main difference from ordinary integral attacks is that we look at the pattern the bits in a specific position in the cipher block has through the structure. The bit-pattern based integral attack is applied to Noekeon, Serpent and present reduced up to 5, 6 and 7 rounds, respectively. This includes the first attacks on Noekeon and present using integral cryptanalysis. All attacks manage to recover the full subkey of the final round.

FPGA Implementation(s) of a Scalable Encryption Algorithm

Abstract: SEA is a scalable encryption algorithm targeted for small embedded applications. It was initially designed for software implementations in controllers, smart cards, or processors. In this letter, we investigate its performances in field-programmable gate array (FPGA) devices. For this purpose, a loop architecture of the block cipher is presented. Beyond its low cost performances, a significant advantage of the proposed architecture is its full flexibility for any parameter of the scalable encryption algorithm, taking advantage of generic VHDL coding. The letter also carefully describes the implementation details allowing us to keep small area requirements. Finally, a comparative performance discussion of SEA with the advanced encryption standard Rijndael and (a cipher purposed for efficient FPGA implementations) is proposed. It illustrates the interest of platform/context-oriented block cipher design and, as far as SEA is concerned, its low area requirements and reasonable efficiency.

Stream cipher using multiplication over a finite field of even characteristic

Abstract: An input block of data and a key that includes multiple sub-keys are received by a block cipher. A nonlinear substitution is performed on at least a portion of the data, wherein the nonlinear substitution is achieved by multiplying the portion of the data by one of the sub-keys over a finite field of even characteristic, modulo a fixed primitive polynomial. An output block of ciphertext is then generated.

Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis.

Abstract: In the recent years, side channel analysis has received a lot of attention, and attack techniques have been improved. Side channel analysis of second order is now successful in breaking implementations of block ciphers supposed to be effectively protected. This progress shows not only the practicability of second order attacks, but also the need for provably secure countermeasures. Surprisingly, while many studies have been dedicated to the attacks, only a few papers have been published about the dedicated countermeasures. In fact, only the method proposed by Schramm and Paar at CT-RSA 2006 enables to thwart second order side channel analysis. In this paper, we introduce two new methods which constitute a worthwhile alternative to Schramm and Paar’s proposition. We prove their security in a strong security model and we exhibit a way to significantly improve their efficiency by using the particularities of the targeted architectures. Finally, we argue that the introduced methods allow to efficiently protect a wide variety of block ciphers, including AES.

PUFFIN: A Novel Compact Block Cipher Targeted to Embedded Digital Systems

Abstract: In this paper, we examine the digital hardware design and implementation of a novel compact block cipher, referred to as PUFFIN, that is suitable for embedded applications. An implementation of PUFFIN targeted to ASIC technology is considered. The proposed block cipher is designed to have a 64-bit block size, a 128-bit key, and is capable of both encryption and decryption operations. The cipher structure is based on the following features: a simple encryption process composed of permutations and substitutions based on 4 times 4 S-boxes, an identical datapath for both encryption and decryption facilitated by involutional operations, and a straightforward on-the-fly subkey generation composed of only a permutation and bit inversions. PUFFIN is found to perform well for implementations based on 0.18-micron CMOS technology. In comparison to other lightweight ciphers, PUFFIN has preferred features, low hardware complexity, and good throughput.

Impossible Differential Cryptanalysis of CLEFIA

Abstract: This paper reports impossible differential cryptanalysis on the 128-bit block cipher CLEFIA that was proposed in 2007, including new 9-round impossible differentials for CLEFIA, and the result of an impossible differential attack using them. For the case of a 128-bit key, it is possible to apply the impossible differential attack to CLEFIA reduced to 12 rounds. The number of chosen plaintexts required is 2118.9and the time complexity is 2119. For key lengths of 192 bits and 256 bits, it is possible to apply impossible differential attacks to 13-round and 14-round CLEFIA. The respective numbers of chosen plaintexts required are 2119.8and 2120.3and the respective time complexities are 2146and 2212. These impossible differential attacks are the strongest method for attacking reduced-round CLEFIA.

Low latency block cipher

Abstract: A block cipher is provided that secures data by encrypting it based on the memory address where it is to be stored. When encrypting data for storage in the memory address, the memory address is encrypted in a first plurality of block cipher rounds. Data round keys are generated using information from the first plurality of block cipher rounds. Data to be stored is combined with the encrypted memory address and encrypted in a second plurality of block cipher rounds using the data round keys. The encrypted data is then stored in the memory location. When decrypting data, the memory address is again encrypted as before while the encrypted stored data is decrypted in a second plurality of the block cipher rounds using the data round keys to obtain a partially decrypted data. The partially decrypted data is combined with the encrypted memory address to obtain fully decrypted data.

A practical attack on KeeLoq

Abstract: KeeLoq is a lightweight block cipher with a 32-bit block size and a 64-bit key. Despite its short key size, it is widely used in remote keyless entry systems and other wireless authentication applications. For example, authentication protocols based on KeeLoq are supposedly used by various car manufacturers in anti-theft mechanisms. This paper presents a practical key recovery attack against KeeLoq that requires 216 known plaintexts and has a time complexity of 244.5 KeeLoq encryptions. It is based on the slide attack and a novel approach to meet-in-the-middle attacks. The fully implemented attack requires 65 minutes to obtain the required data and 7.8 days of calculations on 64 CPU cores. A variant which requires 216 chosen plaintexts needs only 3.4 days on 64 CPU cores. Using only 10 000 euro, an attacker can purchase a cluster of 50 dual core computers that will find the secret key in about two days. We investigated the way KeeLoq is intended to be used in practice and conclude that our attack can be used to subvert the security of real systems. An attacker can acquire chosen plaintexts in practice, and one of the two suggested key derivation schemes for KeeLoq allows to recover the master secret from a single key.

Modern Cryptanalysis: Techniques for Advanced Code Breaking

Abstract: As an instructor at the University of Tulsa, Christopher Swenson could find no relevant text for teaching modern cryptanalysis?so he wrote his own This is the first book that brings the study of cryptanalysis into the 21st century Swenson provides a foundation in traditional cryptanalysis, examines ciphers based on number theory, explores block ciphers, and teaches the basis of all modern cryptanalysis: linear and differential cryptanalysis This time-honored weapon of warfare has become a key piece of artillery in the battle for information security