Showing papers on "Block cipher published in 2009"

Advanced Encryption Standard

Abstract: In cryptography, the Advanced Encryption Standard (AES) is an encryption standard adopted by the U.S. government. The standard comprises three block ciphers, AES-128, AES-192 and AES-256, adopted from a larger collection originally published as Rijndael. Each AES cipher has a 128-bit block size, with key sizes of 128, 192 and 256 bits, respectively. The AES ciphers have been analyzed extensively and are now used worldwide, as was the case with its predecessor, the Data Encryption Standard (DES). AES was announced by National Institute of Standards and Technology (NIST) as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001 after a 5-year standardization process in which fifteen competing designs were presented and evaluated before Rijndael was selected as the most suitable . It became effective as a Federal government standard on May 26, 2002 after approval by the Secretary of Commerce. It is available in many different encryption packages. AES is the first publicly accessible and open cipher approved by the NSA for top secret information.

Related-Key Cryptanalysis of the Full AES-192 and AES-256

Abstract: In this paper we present two related-key attacks on the full AES. For AES-256 we show the first key recovery attack that works for all the keys and has 299.5 time and data complexity, while the recent attack by Biryukov-Khovratovich-Nikolic works for a weak key class and has much higher complexity. The second attack is the first cryptanalysis of the full AES-192. Both our attacks are boomerang attacks, which are based on the recent idea of finding local collisions in block ciphers and enhanced with the boomerang switching techniques to gain free rounds in the middle. The extended version of this paper is available at http://eprint.iacr.org/2009/317.pdf .

Cube Attacks on Tweakable Black Box Polynomials

Abstract: Almost any cryptographic scheme can be described by tweakable polynomials over GF (2), which contain both secret variables (e.g., key bits) and public variables (e.g., plaintext bits or IV bits). The cryptanalyst is allowed to tweak the polynomials by choosing arbitrary values for the public variables, and his goal is to solve the resultant system of polynomial equations in terms of their common secret variables. In this paper we develop a new technique (called a cube attack ) for solving such tweakable polynomials, which is a major improvement over several previously published attacks of the same type. For example, on the stream cipher Trivium with a reduced number of initialization rounds, the best previous attack (due to Fischer, Khazaei, and Meier) requires a barely practical complexity of 255 to attack 672 initialization rounds, whereas a cube attack can find the complete key of the same variant in 219 bit operations (which take less than a second on a single PC). Trivium with 735 initialization rounds (which could not be attacked by any previous technique) can now be broken with 230 bit operations. Trivium with 767 initialization rounds can now be broken with 245 bit operations, and the complexity of the attack can almost certainly be further reduced to about 236 bit operations. Whereas previous attacks were heuristic, had to be adapted to each cryptosystem, had no general complexity bounds, and were not expected to succeed on random looking polynomials, cube attacks are provably successful when applied to random polynomials of degree d over n secret variables whenever the number m of public variables exceeds d + log d n . Their complexity is 2 d *** 1 n + n 2 bit operations, which is polynomial in n and amazingly low when d is small. Cube attacks can be applied to any block cipher, stream cipher, or MAC which is provided as a black box (even when nothing is known about its internal structure) as long as at least one output bit can be represented by (an unknown) polynomial of relatively low degree in the secret and public variables.

Format-Preserving Encryption

Abstract: Format-preserving encryption (FPE) encrypts a plaintext of some specified format into a ciphertext of identical format--for example, encrypting a valid credit-card number into a valid credit-card number. The problem has been known for some time, but it has lacked a fully general and rigorous treatment. We provide one, starting off by formally defining FPE and security goals for it. We investigate the natural approach for achieving FPE on complex domains, the "rank-then-encipher" approach, and explore what it can and cannot do. We describe two flavors of unbalanced Feistel networks that can be used for achieving FPE, and we prove new security results for each. We revisit the cycle-walking approach for enciphering on a non-sparse subset of an encipherable domain, showing that the timing information that may be divulged by cycle walking is not a damaging thing to leak.

Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds.

Abstract: AES is the best known and most widely used block cipher. Its three versions (AES128, AES-192, and AES-256) differ in their key sizes (128 bits, 192 bits and 256 bits) and in their number of rounds (10, 12, and 14, respectively). In the case of AES-128, there is no known attack which is faster than the 2 complexity of exhaustive search. However, AES-192 and AES-256 were recently shown to be breakable by attacks which require 2 and 2 time, respectively. While these complexities are much faster than exhaustive search, they are completely non-practical, and do not seem to pose any real threat to the security of AES-based systems. In this paper we describe several attacks which can break with practical complexity variants of AES-256 whose number of rounds are comparable to that of AES-128. One of our attacks uses only two related keys and 2 time to recover the complete 256-bit key of a 9-round version of AES-256 (the best previous attack on this variant required 4 related keys and 2 time). Another attack can break a 10 round version of AES-256 in 2 time, but it uses a stronger type of related subkey attack (the best previous attack on this variant required 64 related keys and 2 time). While neither AES-128 nor AES-256 can be directly broken by these attacks, the fact that their hybrid (which combines the smaller number of rounds from AES-128 along with the larger key size from AES-256) can be broken with such a low complexity raises serious concern about the remaining safety margin offered by the AES family of cryptosystems.

Algebraic Side-Channel Attacks on the AES: Why Time also Matters in DPA

Abstract: Algebraic side-channel attacks have been recently introduced as a powerful cryptanalysis technique against block ciphers. These attacks represent both a target algorithm and its physical information leakages as an overdefined system of equations that the adversary tries to solve. They were first applied to PRESENT because of its simple algebraic structure. In this paper, we investigate the extent to which they can be exploited against the AES Rijndael and discuss their practical specificities. We show experimentally that most of the intuitions that hold for PRESENT can also be observed for an unprotected implementation of Rijndael in an 8-bit controller. Namely, algebraic side-channel attacks can recover the AES master key with the observation of a single encrypted plaintext and they easily deal with unknown plaintexts/ciphertexts in this context. Because these attacks can take advantage of the physical information corresponding to all the cipher rounds, they imply that one cannot trade speed for code size (or gate count) without affecting the physical security of a leaking device. In other words, more intermediate computations inevitably leads to more exploitable leakages. We analyze the consequences of this observation on two different masking schemes and discuss its impact on other countermeasures. Our results exhibit that algebraic techniques lead to a new understanding of implementation weaknesses that is different than classical side-channel attacks.

Higher-Order Masking and Shuffling for Software Implementations of Block Ciphers

Abstract: Differential Power Analysis (DPA) is a powerful side channel key recovery attack that efficiently breaks block ciphers implementations. In software, two main techniques are usually applied to thwart them: masking and operations shuffling. To benefit from the advantages of the two techniques, recent works have proposed to combine them. However, the schemes which have been designed until now only provide limited resistance levels and some advanced DPA attacks have turned out to break them. In this paper, we investigate the combination of masking and shuffling. We moreover extend the approach with the use of higher-order masking and we show that it enables to significantly improve the security level of such a scheme. We first conduct a theoretical analysis in which the efficiency of advanced DPA attacks targeting masking and shuffling is quantified. Based on this analysis, we design a generic scheme combining higher-order masking and shuffling. This scheme is scalable and its security parameters can be chosen according to any desired resistance level. As an illustration, we apply it to protect a software implementation of AES for which we give several security/efficiency trade-offs.

Lightweight Cryptography for FPGAs

Abstract: The advent of new low-power Field Programmable Gate Arrays (FPGA) for battery powered devices opens a host of new applications to FPGAs. In order to provide security on resource constrained devices lightweight cryptographic algorithms have been developed. However, there has not been much research on porting these algorithms to FPGAs. In this paper we propose lightweight cryptography for FPGAs by introducing block cipher independent optimization techniques for Xilinx Spartan3 FPGAs and applying them to the lightweight cryptographic algorithms HIGHT and Present. Our implementations are the first reported of these block ciphers on FPGAs. Furthermore, they are the smallest block cipher implementations on FPGAs using only 117 and 91 slices respectively, which makes them comparable in size to stream cipher implementations. Both are less than half the size of the AES implementation by Chodowiec and Gaj without using block RAMs. Present’s throughput over area ratio of 240 Kbps/slice is similar to that of AES, however, HIGHT outperforms them by far with 720 Kbps/slice.

MIBS: A New Lightweight Block Cipher

Abstract: In this paper, we propose a new lightweight 64-bit block cipher, which we call MIBS, suitable for resource-constrained devices, such as low-cost RFID tags. We also study its hardware implementation efficiency, as well as its security. The hardware implementation of MIBS requires 1400 gates on 0.18 μm technology, which is less than 2000 gates limit for low-cost RFID tags. We also show MIBS is secure against differential and linear cryptanalysis.

Plaintext Recovery Attacks against SSH

Abstract: This paper presents a variety of plaintext-recovering attacks against SSH. We implemented a proof of concept of our attacks against OpenSSH, where we can verifiably recover 14 bits of plaintext from an arbitrary block of ciphertext with probability $2^{-14}$ and 32 bits of plaintext from an arbitrary block of ciphertext with probability $2^{-18}$. These attacks assume the default configuration of a 128-bit block cipher operating in CBC mode. The paper explains why a combination of flaws in the basic design of SSH leads implementations such as OpenSSH to be open to our attacks, why current provable security results for SSH do not cover our attacks, and how the attacks can be prevented in practice.

Multidimensional Extension of Matsui's Algorithm 2

Abstract: Matsui's one-dimensional Alg. 2 can be used for recovering bits of the last round key of a block cipher. In this paper a truly multidimensional extension of Alg. 2 based on established statistical theory is presented. Two possible methods, an optimal method based on the log-likelihood ratio and a ? 2-based goodness-of-fit test are compared in theory and by practical experiments on reduced round Serpent. The theory of advantage by Selcuk is generalised in multiple dimensions and the advantages and data, time and memory complexities for both methods are derived.

Algebraic side-channel attacks

Abstract: In 2002, algebraic attacks using overdefined systems of equations have been proposed as a potentially very powerful cryptanalysis technique against block ciphers. However, although a number of convincing experiments have been performed against certain reduced algorithms, it is not clear whether these attacks can be successfully applied in general and to a large class of ciphers. In this paper, we show that algebraic techniques can be combined with side-channel attacks in a very effective and natural fashion. As an illustration, we apply them to the block cipher PRESENT that is a stimulating first target, due to its simple algebraic structure. The proposed attacks have a number of interesting features: (1) they exploit the information leakages of all the cipher rounds, (2) in common implementation contexts (e.g. assuming a Hamming weight leakage model), they recover the block cipher keys after the observation of a single encryption, (3) these attacks can succeed in an unknown-plaintext/ciphertext adversarial scenario and (4) they directly defeat countermeasures such as boolean masking. Eventually, we argue that algebraic side-channel attacks can take advantage of any kind of physical leakage, leading to a new tradeoff between the robustness and informativeness of the side-channel information extraction.

Secure Hardware Implementation of Non-linear Functions in the Presence of Glitches

Abstract: Hardware implementations of cryptographic algorithms are still vulnerable to side-channel attacks. Side-channel attacks that are based on multiple measurements of the same operation can be countered by employing masking techniques. In the presence of glitches, most of the currently known masking techniques still leak information during the computation of non-linear functions. We discuss a recently introduced masking method which is based on secret sharing and results in implementations that are provable resistant against first-order side-channel attacks, even in the presence of glitches. We reduce the hardware requirements of this method and show how to derive provable secure implementations of some non-linear building blocks for cryptographic algorithms. Finally, we provide a provable secure implementation of the block cipher Noekeon and verify the results.

Lightweight Block Ciphers Revisited: Cryptanalysis of Reduced Round PRESENT and HIGHT

Abstract: Design and analysis of lightweight block ciphers have become more popular due to the fact that the future use of block ciphers in ubiquitous devices is generally assumed to be extensive. In this respect, several lightweight block ciphers are designed, of which Present and Hight are two recently proposed ones by Bogdanov et al. and Hong et al. respectively. In this paper, we propose new attacks on Present and Hight . Firstly, we present the first related-key cryptanalysis of 128-bit keyed Present by introducing 17-round related-key rectangle attack with time complexity approximately 2104 memory accesses. Moreover, we further analyze the resistance of Hight against impossible differential attacks by mounting new 26-round impossible differential and 31-round related-key impossible differential attacks where the former requires time complexity of 2119.53 reduced round Hight evaluations and the latter is slightly better than exhaustive search.

Memory Leakage-Resilient Encryption Based on Physically Unclonable Functions

Abstract: Physical attacks on cryptographic implementations and devices have become crucial. In this context a recent line of research on a new class of side-channel attacks, called memory attacks , has received increasingly more attention. These attacks allow an adversary to measure a significant fraction of secret key bits directly from memory, independent of any computational side-channels. Physically Unclonable Functions (PUFs) represent a promising new technology that allows to store secrets in a tamper-evident and unclonable manner. PUFs enjoy their security from physical structures at submicron level and are very useful primitives to protect against memory attacks. In this paper we aim at making the first step towards combining and binding algorithmic properties of cryptographic schemes with physical structure of the underlying hardware by means of PUFs. We introduce a new cryptographic primitive based on PUFs, which we call PUF-PRFs. These primitives can be used as a source of randomness like pseudorandom functions (PRFs). We construct a block cipher based on PUF-PRFs that allows simultaneous protection against algorithmic and physical attackers, in particular against memory attacks. While PUF-PRFs in general differ in some aspects from traditional PRFs, we show a concrete instantiation based on established SRAM technology that closes these gaps.

Secure AES engine with a local switched-capacitor current equalizer

Abstract: Hardware implementations of the popular AES encryption algorithm [1,2] provide attackers with important side-channel information (delay, power consumption or EM radiation) that can be used to disclose the secret key of the encryption device. Differential power analysis (DPA) [3–5] is one of the most common side-channel attacks because of its simplicity and effectiveness (Fig. 3.5.1). It performs a statistical analysis of supply-current measurements and either the plaintext or ciphertext to disclose the secret key. These two elements can be easily recorded externally without probing internal signals on the chip. Either the plaintext or ciphertext is used to build a model of the current consumption (e.g., during 0 to 1 transition) using knowledge of the AES algorithm and a key guess. By calculating the correlation between the model and the measured current for each possible key guess the key is discovered. In the AES algorithm, the key consists of 16 blocks of 8b, each of which can be attacked independently since AES is a block cipher. For the 128b secret key, the DPA search space is only 16×28, as opposed to 2128 for a brute-force attack.

Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher

Abstract: In this paper, we propose two new ways to mount attacks on the SHA-3 candidates Grostl, and ECHO, and apply these attacks also to the AES. Our results improve upon and extend the rebound attack. Using the new techniques, we are able to extend the number of rounds in which available degrees of freedom can be used. As a result, we present the first attack on 7 rounds for the Grostl-256 output transformation and improve the semi-free-start collision attack on 6 rounds. Further, we present an improved known-key distinguisher for 7 rounds of the AES block cipher and the internal permutation used in ECHO.

Cryptanalysis of a Generic Class of White-Box Implementations

Abstract: A white-box implementation of a block cipher is a software implementation from which it is difficult for an attacker to extract the cryptographic key. Chow et al. published white-box implementations for AES and DES. These implementations are based on ideas that can be used to derive white-box implementations for other block ciphers as well. In particular, the ideas can be used to derive a white-box implementation for any substitution linear-transformation (SLT) cipher. Although the white-box implementations of AES and DES have been cryptanalyzed, the cryptanalyses published use typical properties of AES and DES. It is therefore an open question whether an SLT cipher exists for which the techniques of Chow et al. result in a secure white-box implementation. In this paper we largely settle this question by presenting an algorithm that is able to extract the key from such an implementation under a mild condition on the diffusion matrix. The condition is, for instance, satisfied by all MDS matrices. Our result can serve as a basis to design block ciphers and to develop white-box techniques that result in secure white-box implementations.

Practical Fault Attack on a Cryptographic LSI with ISO/IEC 18033-3 Block Ciphers

Abstract: This paper presents practical fault attack results on six kinds of block ciphers listed in ISO/IEC 18033-3 that are implemented on an LSI: AES, DES, Camellia, CAST-128, SEED, and MISTY1. We developed an experimental environment that injects faults into any desired round by supplying a clock signal with a glitch. We examined practical attack assumptions and the fault model based on experimental results. We also succeeded in recovering AES keys in the LSI using Piret's attack, which uses only one faulty cipher text obtained using the proposed experimental environment.

FPGA and ASIC Implementations of AES

Abstract: In 1997, an effort was initiated to develop a new American encryption standard to be commonly used well into the next century. This new standard was given a name AES, Advanced Encryption Standard. A new algorithm was selected through a contest organized by the National Institute of Standards and Technology (NIST). By June 1998, 15 candidate algorithms had been submitted to NIST by research groups from all over the world. After the first round of analysis was concluded in August 1999, the number of candidates was reduced to final five. In October 2000, NIST announced its selection of Rijndael [7] as a winner of the AES contest. The official standard was published in November 2001 as FIPS (Federal Information Processing Standard) number 197 [1]. The primary criteria used by NIST to evaluate AES candidates included security, efficiency in software and hardware, and flexibility. In the absence of any major breakthroughs in the cryptanalysis of the final five candidates, and because of the relatively inconclusive results of their software performance evaluations, hardware efficiency evaluations presented during the third AES conference provided a very substantial quantitative measure that clearly differentiated AES candidates among each other [9, 10, 12, 17, 21, 42]. The importance of this measure was reflected by a survey performed among the participants of the AES conference, in which the ranking of the candidate algorithms coincided very well with their relative speed in hardware [16, 18]. The AES evaluation process resulted in the first efficient hardware architectures for AES. The university groups contributed first implementations of AES based on FPGAs (field programmable gate arrays) [5, 9, 11, 18]. The National Security Agency group and industry groups provided the first implementations targeting ASICs (application-specific integrated circuits) [21, 42].

Linear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT

Abstract: The contributions of this paper include the first linear hull and a revisit of the algebraic cryptanalysis of reduced-round variants of the block cipher PRESENT, under known-plaintext and ciphertext-only settings. We introduce a pure algebraic cryptanalysis of 5-round PRESENT and in one of our attacks we recover half of the bits of the key in less than three minutes using an ordinary desktop PC. The PRESENT block cipher is a design by Bogdanov et al. , announced in CHES 2007 and aimed at RFID tags and sensor networks. For our linear attacks, we can attack 25-round PRESENT with the whole code book, 296.68 25-round PRESENT encryptions, 240 blocks of memory and 0.61 success rate. Further we can extend the linear attack to 26-round with small success rate. As a further contribution of this paper we computed linear hulls in practice for the original PRESENT cipher, which corroborated and even improved on the predicted bias (and the corresponding attack complexities) of conventional linear relations based on a single linear trail.

Key-Dependent S-Box Generation in AES Block Cipher System

Abstract: Advanced Encryption Standard (AES) block cipher system is widely used in cryptographic applications. A nonlinear substitution operation is the main factor of the AES cipher system strength. The purpose of the proposed approach is to generate the random S-boxes changing for every change of the secret key. The fact that the S-boxes are randomly key-dependent and unknown is the main strength of the new approach, since both linear and differential cryptanalysis require known S-boxes. In the paper, we briefly analyze the AES algorithm, substitution S-boxes, linear and differential cryptanalysis, and describe a randomly key-dependent S-box and inverse S-box generation algorithm. After that, we introduce the independency measure of the S-box elements, and experimentally investigate the quality of the generated S-boxes.

Beyond-Birthday-Bound Security Based on Tweakable Block Cipher

Abstract: This paper studies how to build a 2n-bit block cipher which is hard to distinguish from a truly random permutation against attacks with q ≈ 2 n/2 queries, i.e., birthday attacks. Unlike previous approaches using pseudorandom functions, we present a simple and efficient proposal using a tweakable block cipher as an internal module. Our proposal is provably secure against birthday attacks, if underlying tweakable block cipher is also secure against birthday attacks. We also study how to build such tweakable block ciphers from ordinary block ciphers, which may be of independent interest.

How to Compare Profiled Side-Channel Attacks?

Abstract: Side-channel attacks are an important class of attacks against cryptographic devices and profiled side-channel attacks are the most powerful type of side-channel attacks. In this scenario, an adversary first uses a device under his control in order to build a good leakage model. Then, he takes advantage of this leakage model to exploit the actual leakages of a similar target device and perform a key recovery. Since such attacks are divided in two phases (namely profiling and online attack), the question of how to best evaluate those two phases arises. In this paper, we take advantage of a recently introduced framework for the analysis of side-channel attacks to tackle this issue. We show that the quality of a profiling phase is nicely captured by an information theoretic metric. By contrast, the effectiveness of the online key recovery phase is better measured with a security metric. As an illustration, we use this methodology to compare the two main techniques for profiled side-channel attacks, namely template attacks and stochastic models. Our results confirm the higher profiling efficiency of stochastic models when reasonable assumptions can be made about the leakages of a device.

Algebraic Techniques in Differential Cryptanalysis

Abstract: In this paper we propose a new cryptanalytic method against block ciphers, which combines both algebraic and statistical techniques. More specifically, we show how to use algebraic relations arising from differential characteristics to speed up and improve key-recovery differential attacks against block ciphers. To illustrate the new technique, we apply algebraic techniques to mount differential attacks against round reduced variants of Present-128.

Differential Fault Analysis on DES Middle Rounds

Abstract: Differential Fault Analysis (DFA) is a powerful cryptanalytic technique that disturbs cryptographic computations and exploits erroneous results to infer secret keys. Over the last decade, many works have described and improved DFA techniques against block ciphers thus showing an inherent need to protect their implementations. A simple and widely used solution is to perform the computation twice and to check that the same result is obtained. Since DFA against block ciphers usually targets the last few rounds, one does not need to protect the whole ciphering thus saving computation time. However the number of rounds to protect must be chosen very carefully in order to prevent security flaws. To determine this number, one must study DFA targeting middle rounds of the cipher. In this paper, we address this issue for the Data Encryption Standard (DES) algorithm. We describe an attack that breaks DES by introducing some faults at the end of round 9, 10, 11 or 12, more or less efficiently depending on the fault model and the round number.

Weak Keys of Reduced-Round PRESENT for Linear Cryptanalysis

Abstract: The block cipher PRESENT designed as an ultra-light weight cipher has a 31-round SPN structure in which the S-box layer has 16-parallel 4-bit S-boxes and the diffusion layer is a bit permutation. The designers claimed that the maximum linear characteristic deviation is not more than 2? 43 for 28 rounds and concluded that PRESENT is not vulnerable to linear cryptanalysis. But we have found that 32% of PRESENT keys are weak for linear cryptanalysis, and the linear deviation can be much larger than the linear characteristic value by the multi-path effect. And we discovered a 28-round path with a linear deviation of 2? 39.3 for the weak keys. Furthermore, we found that linear cryptanalysis can be used to attack up to 24 rounds of PRESENT for the weak keys.