
Showing papers on "Cipher published in 2002"


Book ChapterDOI
18 Aug 2002
TL;DR: The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode, and is brought down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels.
Abstract: We propose a new cryptographic primitive, the "tweakable block cipher." Such a cipher has not only the usual inputs - message and cryptographic key - but also a third input, the "tweak." The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our proposal thus brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher "tweakable" is small, and (3) it is easier to design and prove modes of operation based on tweakable block ciphers.

468 citations


Book ChapterDOI
15 Aug 2002
TL;DR: This paper proposes a new version of SNOW, called SNOW 2.0, which not only appears to be more secure, but is also a bit faster in software.
Abstract: In 2000, the stream cipher SNOW was proposed. A few attacks followed, indicating certain weaknesses in the design. In this paper we propose a new version of SNOW, called SNOW 2.0. The new version of the cipher not only appears to be more secure, but its implementation is also a bit faster in software.

297 citations


Book ChapterDOI
28 Nov 2002
TL;DR: This paper reduces the cryptanalysis of a stream cipher to solving a system of multivariate equations that is overdefined (many more equations than unknowns), and adapts the XL method, introduced at Eurocrypt 2000 for overdefined quadratic systems, to solving equations of higher degree.
Abstract: Many stream ciphers are built of a linear sequence generator and a non-linear output function f. There is an abundant literature on (fast) correlation attacks, that use linear approximations of f to attack the cipher. In this paper we explore higher degree approximations, much less studied. We reduce the cryptanalysis of a stream cipher to solving a system of multivariate equations that is overdefined (many more equations than unknowns). We adapt the XL method, introduced at Eurocrypt 2000 for overdefined quadratic systems, to solving equations of higher degree. Though the exact complexity of XL remains an open problem, there is no doubt that it works perfectly well for such largely overdefined systems as ours, and we confirm this by computer simulations. We show that using XL, it is possible to break stream ciphers that were known to be immune to all previously known attacks. For example, we cryptanalyse the stream cipher Toyocrypt accepted to the second phase of the Japanese government Cryptrec program. Our best attack on Toyocrypt takes 2^92 CPU clocks for a 128-bit cipher. The interesting feature of our XL-based higher order correlation attacks is their very loose requirements on the known keystream needed. For example they may work knowing ONLY that the ciphertext is in English.

216 citations


Book ChapterDOI
18 Feb 2002
TL;DR: This work explores the problem of enciphering members of a finite set M where k = |M| is arbitrary and sees ciphers with arbitrary domains as a worthwhile primitive in its own right, and as a potentially useful one for making higher-level protocols.
Abstract: We explore the problem of enciphering members of a finite set M where k = |M| is arbitrary (in particular, it need not be a power of two). We want to achieve this goal starting from a block cipher (which requires a message space of size N = 2^n, for some n). We look at a few solutions to this problem, focusing on the case when M = [0, k - 1]. We see ciphers with arbitrary domains as a worthwhile primitive in its own right, and as a potentially useful one for making higher-level protocols.

207 citations
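
The two abstracts above (tweakable block ciphers, and ciphers over an arbitrary domain [0, k - 1]) both build a new primitive on top of an ordinary block cipher. The Python below is an added example, not code from either paper, and shows the two constructions side by side: the Liskov-Rivest-Wagner tweakable cipher E_K(M ⊕ h(T)) ⊕ h(T) with h(T) = K2·T in GF(2^64), and the cycle-walking method for enciphering [0, k), one of the solutions the second paper considers, which re-encrypts until the output falls back into the domain. The underlying block cipher is a toy four-round Feistel network with an HMAC-SHA256 round function; that cipher, the GF(2^64) reduction polynomial, the key K2 and the sample keys are all assumptions made for the example. In real code the block cipher would be AES.

```python
import hashlib
import hmac
import struct


class FeistelPRP:
    """Toy block cipher over a 2*w-bit block: a four-round Feistel network whose
    round function is HMAC-SHA256 (Luby-Rackoff style). It stands in for the
    block cipher E_K of the abstracts above; in real code use AES."""

    def __init__(self, key: bytes, half_bits: int, rounds: int = 4):
        self.key, self.w, self.rounds = key, half_bits, rounds
        self.mask = (1 << half_bits) - 1
        self.block_bits = 2 * half_bits

    def _f(self, rnd: int, half: int) -> int:
        msg = struct.pack(">IQ", rnd, half)
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:8], "big") & self.mask

    def encrypt(self, x: int) -> int:
        left, right = x >> self.w, x & self.mask
        for r in range(self.rounds):
            left, right = right, left ^ self._f(r, right)
        return (left << self.w) | right

    def decrypt(self, y: int) -> int:
        left, right = y >> self.w, y & self.mask
        for r in reversed(range(self.rounds)):
            left, right = right ^ self._f(r, left), left
        return (left << self.w) | right


# x^64 + x^4 + x^3 + x + 1, an irreducible pentanomial defining GF(2^64)
GF64_POLY = (1 << 64) | (1 << 4) | (1 << 3) | (1 << 1) | 1
MASK64 = (1 << 64) - 1


def gf64_mul(a: int, b: int) -> int:
    """Carry-less multiplication of two 64-bit values, reduced mod GF64_POLY."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> 64:
            a ^= GF64_POLY
    return result


class LRWTweakable:
    """Tweakable cipher E~(T, M) = E_K(M xor h(T)) xor h(T) with h(T) = K2 * T
    in GF(2^64), built on the toy 64-bit FeistelPRP. K2 is an independent
    64-bit key; the tweak T is public and may repeat across calls."""

    def __init__(self, key: bytes, key2: int):
        self.prp = FeistelPRP(key, 32)
        self.key2 = key2 & MASK64

    def _h(self, tweak: int) -> int:
        return gf64_mul(self.key2, tweak & MASK64)

    def encrypt(self, tweak: int, m: int) -> int:
        h = self._h(tweak)
        return self.prp.encrypt(m ^ h) ^ h

    def decrypt(self, tweak: int, c: int) -> int:
        h = self._h(tweak)
        return self.prp.decrypt(c ^ h) ^ h


class CycleWalkingCipher:
    """Encipher the set [0, k) by cycle walking: pick the smallest even block
    width n with 2^n >= k, then re-encrypt until the output lands back in
    [0, k). Because 2^n < 4k, the expected number of PRP calls is below four."""

    def __init__(self, key: bytes, k: int):
        if k < 2:
            raise ValueError("domain must have at least two elements")
        n = max(2, (k - 1).bit_length())
        n += n & 1                      # the Feistel needs two equal halves
        self.k = k
        self.prp = FeistelPRP(key, n // 2)

    def encrypt(self, m: int) -> int:
        if not 0 <= m < self.k:
            raise ValueError("message outside domain")
        c = self.prp.encrypt(m)
        while c >= self.k:              # walk the cycle until back in [0, k)
            c = self.prp.encrypt(c)
        return c

    def decrypt(self, c: int) -> int:
        m = self.prp.decrypt(c)
        while m >= self.k:
            m = self.prp.decrypt(m)
        return m


if __name__ == "__main__":
    key = b"constructed-example-key"   # constructed sample key, not a real secret
    tbc = LRWTweakable(key, 0x0123456789ABCDEF)
    print(hex(tbc.encrypt(7, 1)), hex(tbc.encrypt(8, 1)))   # same block, two tweaks
    dom = CycleWalkingCipher(key, 1000)
    print([dom.encrypt(m) for m in range(5)], dom.decrypt(dom.encrypt(3)))
```

Cycle walking is only cheap when 2^n is close to k: the expected number of block-cipher calls is 2^n / k, so enciphering a million-element domain with a 64-bit block would never terminate in practice. That is why the example sizes the Feistel block to k instead of reusing the 64-bit cipher, and why the paper's other solutions exist for domains that are small relative to the block.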


Journal ArticleDOI
TL;DR: This paper presents a detailed tutorial on linear cryptanalysis and differential cryptanalysis, the two most significant attacks applicable to symmetric-key block ciphers, based on the analysis of a simple, yet realistically structured, basic Substitution-Permutation Network cipher.
Abstract: In this paper, we present a detailed tutorial on linear cryptanalysis and differential cryptanalysis, the two most significant attacks applicable to symmetric-key block ciphers. The intent of the paper is to present a lucid explanation of the attacks, detailing the practical application of the attacks to a cipher in a simple, conceptually revealing manner for the novice cryptanalyst. The tutorial is based on the analysis of a simple, yet realistically structured, basic Substitution-Permutation Network cipher. Understanding the attacks as they apply to this structure is useful, as the Rijndael cipher, recently selected for the Advanced Encryption Standard (AES), has been derived from the basic SPN architecture. Experimental data from the attacks are also presented as confirmation of the applicability of the concepts as outlined.

189 citations
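
Both attacks in the tutorial start from two tables computed for a single S-box: the difference distribution table (differential cryptanalysis) and the linear approximation table (linear cryptanalysis). The Python below is an added example, not code from the tutorial; it builds both tables for a 4-bit S-box, ranks the most useful entries, and applies the piling-up lemma to combine per-round biases into the bias of a multi-round approximation. The S-box is row 0 of DES S1, which is also the S-box of the tutorial's SPN; since the listing does not reproduce the cipher, that choice is an assumption of the example.

```python
# 4-bit S-box: row 0 of DES S1 (assumed to be the tutorial's S-box).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def parity(x: int) -> int:
    """XOR of the bits of x (the inner product a.x is parity(a & x))."""
    return bin(x).count("1") & 1


def difference_distribution_table(sbox):
    """ddt[dx][dy] = number of inputs x with S(x) xor S(x xor dx) == dy.
    Row dx sums to n; ddt[dx][dy] / n is the probability of the
    differential dx -> dy through the S-box."""
    n = len(sbox)
    ddt = [[0] * n for _ in range(n)]
    for x in range(n):
        for dx in range(n):
            ddt[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return ddt


def linear_approximation_table(sbox):
    """lat[a][b] = (#x with a.x == b.S(x)) - n/2: n times the bias of the
    approximation with input mask a and output mask b. The mask bit for the
    most significant input/output bit is 0b1000, so mask 0b0110 selects
    bits X2 and X3 in the tutorial's numbering."""
    n = len(sbox)
    lat = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            agree = sum(parity(a & x) == parity(b & sbox[x]) for x in range(n))
            lat[a][b] = agree - n // 2
    return lat


def best_differentials(ddt, top=3):
    """Most probable nontrivial differentials as (dx, dy, count)."""
    cands = [(dx, dy, c) for dx, row in enumerate(ddt) for dy, c in enumerate(row) if dx]
    return sorted(cands, key=lambda t: -t[2])[:top]


def best_linear_approximations(lat, top=3):
    """Largest-bias nontrivial approximations as (input mask, output mask, n*bias)."""
    cands = [(a, b, v) for a, row in enumerate(lat) for b, v in enumerate(row) if a and b]
    return sorted(cands, key=lambda t: -abs(t[2]))[:top]


def piling_up(biases):
    """Piling-up lemma: bias of the XOR of m independent approximations
    with biases e_1..e_m is 2^(m-1) * e_1 * ... * e_m."""
    out = 2 ** (len(biases) - 1)
    for e in biases:
        out *= e
    return out


if __name__ == "__main__":
    ddt = difference_distribution_table(SBOX)
    lat = linear_approximation_table(SBOX)
    print("best differentials:", [(hex(dx), hex(dy), c) for dx, dy, c in best_differentials(ddt)])
    print("best linear approximations:",
          [(hex(a), hex(b), v) for a, b, v in best_linear_approximations(lat)])
    # four S-box approximations with biases +-1/4 chained through the cipher
    print("piled-up bias:", piling_up([0.25, -0.25, -0.25, -0.25]))
```

For this S-box, ddt[0xB][0x2] = 8 means the differential 1011 → 0010 holds for 8 of the 16 inputs (probability 1/2), and lat[0x6][0xB] = 4 means the approximation X2 ⊕ X3 = Y1 ⊕ Y3 ⊕ Y4 holds for 12 of 16 inputs (bias +1/4). Chaining four such approximations with biases ±1/4 through the piling-up lemma gives a bias of magnitude 1/32, and a key-recovery attack needs on the order of 1/ε² known plaintexts, which is the quantity the tutorial's experiments measure.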


Journal Article
TL;DR: This paper introduces the notion of a saturation attack and applies it to reduced-round variants of the Twofish block cipher: up to seven rounds with full whitening, or eight rounds without whitening at the end (i.e., half of the cipher).
Abstract: This paper introduces the notion of a saturation attack. Consider a permutation p over w-bit words. If p is applied to all 2^w distinct words, the set of outputs is exactly the same as the set of inputs. A saturation attack exploits this fact. The current paper applies saturation attacks on reduced-round variants of the Twofish block cipher with up to seven rounds with full whitening or eight rounds without whitening at the end (i.e., half of the cipher). The attacks take up to 2^127 chosen plaintexts (half of the codebook) and are 2-4 times faster than exhaustive search. The attacks are based on key-independent distinguishers for up to six rounds of Twofish, making extensive use of saturation properties.

115 citations
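
The saturation property above (a permutation applied to all 2^w values of a word returns all 2^w values, so XOR-ing the outputs gives zero) is what an integral or Square-style attack checks after a few rounds. The Python below is an added example, not the paper's Twofish analysis: it builds a toy 16-bit, three-round SPN with 4-bit S-boxes and an AES-style nibble mixing, shows that any set of sixteen plaintexts that vary in one nibble is balanced at the input of the round-3 S-boxes, and recovers the final whitening key nibble by nibble by guessing each nibble, partially decrypting, and keeping only the guesses under which the XOR over every set vanishes. The S-box, the mixing coefficients, the round keys and the constants of the saturated sets are all assumptions of the example.

```python
# 4-bit S-box (row 0 of DES S1) and its inverse; an assumption of the example.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]


def gf16_mul(a: int, b: int) -> int:
    """Multiply in GF(2^4) modulo x^4 + x + 1."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= 0x13
    return r & 0xF


def nibbles(x: int) -> list:
    return [(x >> (4 * i)) & 0xF for i in range(4)]


def from_nibbles(ns) -> int:
    return sum(v << (4 * i) for i, v in enumerate(ns))


def sub_nibbles(x: int) -> int:
    return from_nibbles(SBOX[v] for v in nibbles(x))


def mix(x: int) -> int:
    """AES-style mixing of the four nibbles with coefficients 2, 3, 1, 1.
    It is linear over XOR, so it preserves a zero XOR-sum over a set."""
    n = nibbles(x)
    return from_nibbles(
        gf16_mul(2, n[i]) ^ gf16_mul(3, n[(i + 1) % 4]) ^ n[(i + 2) % 4] ^ n[(i + 3) % 4]
        for i in range(4))


def encrypt(p: int, keys) -> int:
    """Three-round toy SPN on a 16-bit block: two full rounds (key add,
    S-box, mix), a last round without mixing, then a whitening key."""
    s = p
    for r in range(2):
        s = mix(sub_nibbles(s ^ keys[r]))
    return sub_nibbles(s ^ keys[2]) ^ keys[3]


def lambda_set(active: int, base: int) -> list:
    """Sixteen plaintexts equal to `base` except in nibble `active`, which
    takes every value exactly once (the saturated word)."""
    cleared = base & ~(0xF << (4 * active)) & 0xFFFF
    return [cleared | (v << (4 * active)) for v in range(16)]


def round3_input_xor(texts, keys) -> list:
    """XOR over the set of the values entering the round-3 S-boxes. After
    round 1 every nibble still takes all 16 values (one active input nibble
    reaches every output of the mixing with a nonzero coefficient), after the
    round-2 S-boxes likewise, and the linear mixing plus key addition keep
    the XOR-sum at zero: every nibble returned here is 0."""
    acc = 0
    for p in texts:
        s = p
        for r in range(2):
            s = mix(sub_nibbles(s ^ keys[r]))
        acc ^= s ^ keys[2]
    return nibbles(acc)


def recover_last_key(oracle, sets) -> list:
    """For each nibble of the whitening key keep the guesses under which the
    round-3 S-box inputs, recomputed from the ciphertexts, XOR to zero on
    every saturated set. A wrong guess survives one set with probability
    about 1/16, so a handful of sets leaves only the right nibble."""
    survivors = []
    for pos in range(4):
        good = []
        for guess in range(16):
            passes = True
            for texts in sets:
                acc = 0
                for p in texts:
                    acc ^= INV_SBOX[((oracle(p) >> (4 * pos)) & 0xF) ^ guess]
                if acc:
                    passes = False
                    break
            if passes:
                good.append(guess)
        survivors.append(good)
    return survivors


KEYS = [0x3A94, 0x1F5C, 0xC3E7, 0x8B21]            # constructed round keys
SETS = [lambda_set(i % 4, base) for i, base in enumerate(
    [0x0000, 0x1234, 0x5A5A, 0x9F3C, 0xBEEF, 0x0F0F, 0x7777, 0xC0DE])]

if __name__ == "__main__":
    print("round-3 input XOR per nibble:", round3_input_xor(SETS[1], KEYS))
    print("recovered last-key nibbles:  ", recover_last_key(lambda p: encrypt(p, KEYS), SETS))
    print("true last-key nibbles:       ", nibbles(KEYS[3]))
```

The cost of this attack is dominated by the chosen plaintexts (here 8 × 16) rather than by the 4 × 16 key guesses, and each extra round covered by the distinguisher multiplies the data needed; that is why the Twofish attacks quoted above consume half of the codebook while remaining only a small factor faster than exhaustive search.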


Posted Content
TL;DR: In this article, a cryptanalytical technique for distinguishing some stream ciphers from a truly random process is described, where the output of the cipher can be the linear sum of both processes.
Abstract: We describe a cryptanalytical technique for distinguishing some stream ciphers from a truly random process. Roughly, the ciphers to which this method applies consist of a “non-linear process” (say, akin to a round function in block ciphers), and a “linear process” such as an LFSR (or even fixed tables). The output of the cipher can be the linear sum of both processes. To attack such ciphers, we look for any property of the “non-linear process” that can be distinguished from random. In addition, we look for a linear combination of the linear process that vanishes. We then consider the same linear combination applied to the cipher’s output, and try to find traces of the distinguishing property. In this report we analyze two specific “distinguishing properties”. One is a linear approximation of the non-linear process, which we demonstrate on the stream cipher SNOW. This attack needs roughly 2 words of output, with work-load of about 2. The other is a “low-diffusion” attack, that we apply to the cipher Scream-0. The latter attack needs only about 2 bytes of output, using roughly 2 space and 2 time.

111 citations


Book ChapterDOI
18 Nov 2002
TL;DR: It is shown that some common obfuscation methods can be defeated using a fault injection attack, namely an attack where during program execution an attacker injects errors into the program environment.
Abstract: We study the strength of certain obfuscation techniques used to protect software from reverse engineering and tampering. We show that some common obfuscation methods can be defeated using a fault injection attack, namely an attack where during program execution an attacker injects errors into the program environment. By observing how the program fails under certain errors the attacker can deduce the obfuscated information in the program code without having to unravel the obfuscation mechanism. We apply this technique to extract a secret key from a block cipher obfuscated using a commercial obfuscation tool and draw conclusions on preventing this weakness.

107 citations


Patent
Yosef Stein, Haim Primo
18 Dec 2002
TL;DR: A programmable AES encryption engine uses a parallel look-up table system that, in a first mode, implements the AES selection function (the multiplicative inverse in GF(2^8) followed by an affine transformation over GF(2), i.e., the sub-byte transformation) and, in a second mode, applies the shift-row transformation to that result; a Galois field multiplier then performs the mix-column transformation and adds the round key.
Abstract: A programmable data encryption engine for performing the cipher function of an advanced encryption standard (AES) algorithm includes a parallel look-up table system responsive in a first mode to a first data block for implementing an AES selection function and executing the multiplicative inverse in GF(2^8) and applying an affine transformation over GF(2) to obtain a sub-byte transformation, and in a second mode to the sub-byte transformation to transform the sub-byte transformation to obtain a shift-row transformation, and a Galois field multiplier for transforming the shift-row transformation to obtain a mix-column transformation and add a round key, resulting in an advanced encryption standard cipher function of the first data block.

100 citations


Patent
13 May 2002
TL;DR: In this article, the output control unit can selectively send clear data and/or cipher data to the hash circuit and to an output FIFO memory buffer, which handles final processing under the control of the output controller.
Abstract: A cryptographic processing system includes a cipher circuit and hash circuit. An input control unit and output control unit work together to process data packets in a pipelined manner wherein the data packets move through the processing system in a single-pass. The input control unit manages data received from a read interface and the initiation of cipher processing of the data in the cipher circuit. The output control unit manages data output to a write interface and the hash processing of the data in the hash circuit. Data moves through the cipher circuit in clear data and cipher data form so that the output control unit may selectively send clear data and/or cipher data to the hash circuit and to an output FIFO memory buffer, which handles final processing under the control of the output control unit prior to sending fully processed data to the write interface.

98 citations


Book ChapterDOI
03 Jul 2002
TL;DR: The LILI-II keystream generator is an LFSR-based synchronous stream cipher with a 128-bit key that offers large period and linear complexity, is immune to currently known styles of attack, and is simple to implement in hardware or software.
Abstract: The LILI-II keystream generator is an LFSR-based synchronous stream cipher with a 128-bit key. LILI-II is a specific cipher from the LILI family of keystream generators, and was designed with larger internal components than previous ciphers in this class, in order to provide increased security. The design offers large period and linear complexity, is immune to currently known styles of attack, and is simple to implement in hardware or software. The cipher achieves a security level of 128 bits.

Patent
06 Jun 2002
TL;DR: In this article, a method for securing the transfer of cipher keys and security codes between a mobile equipment (100, 300, ME) in a radio network and a SIM card (305) attached thereto is described.
Abstract: The invention relates to a method for securing the transfer of cipher keys and security codes between a mobile equipment (100, 300, ME) in a radio network and a SIM card (305) attached thereto. In the method according to the invention the mobile equipment and the SIM card attached thereto are first authenticated separately. After successful authentication, a cipher key (KSM) is given to the mobile equipment and the SIM card to be used by them. This cipher key is used to encrypt all other exchanges of passwords and security codes between the mobile equipment and the SIM card.

Patent
20 Dec 2002
TL;DR: The invention is a system enabling a member of a group (G) to produce, by means of customized data (z; K) held on an electronic physical medium such as a smart card, a message (m) accompanied by a signature (S) proving to a verifier that the message originates from a member of the group (G).
Abstract: The invention concerns a system enabling a member (M) of a group (G) to produce, by means of customized data (z; K), a message (m) accompanied by a signature (S) proving to a verifier that the message originates from a member of the group (G). The invention is characterized in that the customized data is in the form of an electronic physical medium (26). Advantageously, the latter also incorporates: encrypting means (B3) for producing a customized cipher (C) from the customized data prior to the signature S of the message (m), means (B5) for producing a combination of a message m to be signed and the cipher (C) associated with said message, for example in the form of a concatenation of the message (m) with the cipher (C), and means (B6) for signing (Sig) the message (m) with the customized data (z; K) in the form of a cipher (C) associated with said message. Advantageously, the physical medium is a smart card (26) or the like.

Book ChapterDOI
09 Dec 2002
TL;DR: This paper presents a large collection of new weak-key classes for the IDEA cipher, using boomerang distinguishers for the weak-key class membership test.
Abstract: This paper presents a large collection of new weak-key classes for the IDEA cipher. The classes presented in this paper contain 2^53-2^64 weak keys (as compared with 2^51 differential weak keys presented by Daemen at CRYPTO'93 and 2^63 differential-linear weak keys presented by Hawkes at EUROCRYPT'98). The novelty of our approach is in the use of boomerang distinguishers for the weak-key class membership test. We also show large weak-key classes for reduced-round versions of IDEA.

Journal ArticleDOI
Dar-Shyang Lee
TL;DR: This work proposes a new solution to substitution deciphering based on hidden Markov models that is more accurate than relaxation and much more robust in the presence of noise, making it useful for applications in compressed document processing.
Abstract: It has been shown that simple substitution ciphers can be solved using statistical methods such as probabilistic relaxation. However, the utility of such solutions has been limited by their inability to cope with noise encountered in practical applications. We propose a new solution to substitution deciphering based on hidden Markov models. We show that our algorithm is more accurate than relaxation and much more robust in the presence of noise, making it useful for applications in compressed document processing. Recovering character interpretations from the sequence of cluster identifiers in a symbolically compressed document can be treated as a cipher problem. Although a significant amount of noise is present in the cluster sequence, enough information can be recovered with a robust deciphering algorithm to accomplish certain document analysis tasks. The feasibility of this approach is demonstrated in a multilingual document duplicate detection system.

Journal ArticleDOI
TL;DR: Data-dependent permutations (DDP) are introduced as basic cryptographic primitives to construct fast hardware-oriented ciphers and their application in the cipher CIKS-1 is considered.
Abstract: Data-dependent permutations (DDP) are introduced as basic cryptographic primitives to construct fast hardware-oriented ciphers. Some variants of the DDP operations and their application in the cipher CIKS-1 are considered. A feature of CIKS-1 is the use of both the data-dependent transformation of round subkeys and the key-dependent DDP operations.

Proceedings ArticleDOI
19 May 2002
TL;DR: This paper proves that s/t can be arbitrarily close to 1 and hence the storage bound is essentially optimal, and exploiting the full potential of the model: K is short, X is very long (e.g. gigabytes), t needs to be only moderately larger than s, and the security proof is optimally strong.
Abstract: In the bounded-storage model for information-theoretically secure encryption and key-agreement one can prove the security of a cipher based on the sole assumption that the adversary's storage capacity is bounded, say by s bits, even if her computational power is unlimited. Assume that a random t-bit string R is either publicly available (e.g. the signal of a deep space radio source) or broadcast by one of the legitimate parties. If s < t, the adversary can store only partial information about R. The legitimate sender Alice and receiver Bob, sharing a short secret key K initially, can therefore potentially generate a very long n-bit one-time pad X with n ≫ |K| about which the adversary has essentially no information, thus at first glance apparently contradicting Shannon's bound on the key size of a perfect cipher.

All previous results in the bounded-storage model were partial or far from optimal, for one of the following reasons: either the secret key K had in fact to be longer than the derived one-time pad, or t had to be extremely large (t ≫ ns), or the adversary was assumed to be able to store only actual bits of R rather than arbitrary s bits of information about R, or the adversary could obtain a non-negligible amount of information about X.

In this paper we prove the first non-restricted security result in the bounded-storage model, exploiting the full potential of the model: K is short, X is very long (e.g. gigabytes), t needs to be only moderately larger than s, and the security proof is optimally strong. In fact, we prove that s/t can be arbitrarily close to 1 and hence the storage bound is essentially optimal.

Proceedings Article
04 Feb 2002
TL;DR: It is concluded that cipher designers may have placed too much faith in multiplication as a mixing operator, and that it should be combined with at least two other incompatible group operations.
Abstract: We present a new type of differential that is particularly suited to analyzing ciphers that use modular multiplication as a primitive operation. These differentials are partially inspired by the differential used to break Nimbus, and we generalize that result. We use these differentials to break the MultiSwap cipher that is part of the Microsoft Digital Rights Management subsystem, to derive a complementation property in the xmx cipher using the recommended modulus, and to mount a weak key attack on the xmx cipher for many other moduli. We also present weak key attacks on several variants of IDEA. We conclude that cipher designers may have placed too much faith in multiplication as a mixing operator, and that it should be combined with at least two other incompatible group operations.

Book ChapterDOI
04 Feb 2002
TL;DR: Scream as mentioned in this paper is a new software-efficient stream cipher, which was designed to be a more secure version of the SEAL cipher and is roughly as fast as SEAL, but offers a significantly higher security level.
Abstract: We report on the design of Scream, a new software-efficient stream cipher, which was designed to be a "more secure SEAL". Following SEAL, the design of Scream resembles in many ways a block-cipher design. The new cipher is roughly as fast as SEAL, but we believe that it offers a significantly higher security level. In the process of designing this cipher, we re-visit the SEAL design paradigm, exhibiting some tradeoffs and limitations.

Patent
11 Sep 2002
TL;DR: An encryption device, a decrypting device, a secret key generation device, a copyright protection system and a cipher communication device store a certificate revocation list (CRL) and a device key KD_A unique to each IC card, hash the CRL, XOR the hash with the device key, and encrypt the content key Kc under the result, so that the encrypted content key is bound to both the device key and the current CRL.
Abstract: An encryption device, a decrypting device, a secret key generation device, a copyright protection system and a cipher communication device comprise: a CRL memory unit 111 that stores a CRL, a device key ring memory unit 112 that stores a device key KD_A unique to every IC card 210a used in a decrypting device 200a, a content key memory unit 113 that stores a content key Kc which is a secret key for decrypting content, a hashing function processing unit 114 that calculates a hash value of the CRL stored in the CRL memory unit 111, an Ex-OR unit 115 that carries out an exclusive OR between the hash value and the device key KD_A stored in the device key ring memory unit 112, and an Enc unit 116 that encrypts the content key Kc stored in the content key memory unit 113 with the output value of the Ex-OR unit 115.

Book ChapterDOI
04 Feb 2002
TL;DR: A new attack is presented - the Slicing Attack - on the 4-round version of the block cipher MISTY1, which makes use of the special structure and position of these key-dependent linear FL functions.
Abstract: The block cipher MISTY1 [9] proposed for the NESSIE project [11] is a Feistel network augmented with key-dependent linear FL functions. The proposal allows a variable number of rounds provided that it is a multiple of four. Here we present a new attack - the Slicing Attack - on the 4-round version, which makes use of the special structure and position of these key-dependent linear FL functions. While the FL functions were introduced to make attacks harder, they also present a subtle weakness in the 4-round version of the cipher.

Patent
08 Feb 2002
TL;DR: A method and apparatus provide data from a service to a client based on the client's encryption capabilities: the cipher suite lists exchanged with the client are matched against a mapping of cipher suite names to services, and the matching cipher suite selects the service and the server farm that serve the client.
Abstract: A method and apparatus are disclosed for providing data from a service to a client based on the encryption capabilities of the client. Cipher suite lists are exchanged between a client and an endpoint. On the endpoint, the cipher suite list incorporates a mapping of cipher suite names to services. The endpoint uses the client's list of cipher suites in conjunction with the mapping of cipher suite names to services to determine a cipher suite match. A service is selected based on the cipher suite match. A server farm is selected based on the service. The client is informed of this cipher suite match and the endpoint retains knowledge of the cipher suite match throughout the session. Therefore, the encrypted connection between the client and the endpoint can be disconnected and later reestablished to provide data from the particular server.

Journal ArticleDOI
01 Nov 2002
TL;DR: In this paper, the authors present perceptual cryptography applied to MPEG Layer III compressed audio (MP3), where the inputs of the cipher are the plaintext MP3 bit-stream, encryption key and encryption percentage.
Abstract: Whereas conventional cryptography is suitable for any kind of data, it does not allow for perceptual degradation of encrypted data in multimedia-compressed formats. We present perceptual cryptography applied to MPEG Layer III compressed audio (MP3). The inputs of the cipher are the plaintext MP3 bit-stream, encryption key and encryption percentage. The cipher outputs a MPEG Layer III compliant bit-stream (ciphertext) that is perceptually less valuable than the original bit-stream. The original MP3 bit-stream can be recovered using the ciphertext bit-stream and the same decryption key and percentage used on encryption. An introduction to MP3 audio compression is given followed by a description of the perceptual cipher and its applications. The paper addresses the relationship between the encryption percentage and the subjective quality.

Journal ArticleDOI
Gilbert, Hamrick
TL;DR: It is found that, while in some circumstances it is best to employ perfect single photon sources, in other situations it is preferable to utilize weak coherent sources, and the relevant distinguishing figure-of-merit being the effective throughput rate.
Abstract: A number of questions associated with practical implementations of quantum cryptography systems having to do with unconditional secrecy, computational loads and effective secrecy rates in the presence of perfect and imperfect sources are discussed. The different types of unconditional secrecy, and their relationship to general communications security, are discussed in the context of quantum cryptography. In order to carry out a quantum cryptography protocol it is necessary that sufficient computational resources be available to perform the various processing steps, such as sifting, error correction, privacy amplification and authentication. We display the full computer machine instruction requirements needed to support a practical quantum cryptography implementation. We carry out a numerical comparison of system performance characteristics for implementations that make use of either weak coherent sources of light or perfect single photon sources, for eavesdroppers making individual attacks on the quantum channel characterized by different levels of technological capability. We find that, while in some circumstances it is best to employ perfect single photon sources, in other situations it is preferable to utilize weak coherent sources. In either case the secrecy level of the final shared cipher is identical, with the relevant distinguishing figure-of-merit being the effective throughput rate.

Book ChapterDOI
Akashi Satoh, Sumio Morioka
30 Sep 2002
TL;DR: In this paper, the authors designed compact and high-speed implementations of the KASUMI block cipher and compared several prototypes to existing designs in ASICs and FPGAs.
Abstract: The KASUMI block cipher and the confidentiality (f8) and integrity (f9) algorithms using KASUMI in feed back cipher modes have been standardized by the 3GPP. We designed compact and high-speed implementations and then compared several prototypes to existing designs in ASICs and FPGAs. Making good use of the nested structure of KASUMI, a lot of function blocks are shared and reused. The data paths of the f8 and f9 algorithms are merged using only one 64-bit selector. An extremely small size of 3.07 Kgates with a 288 Mbps throughput is obtained for a KASUMI core using a 0.13-µm CMOS standard cell library. Even simultaneously supporting both the f8 and f9 algorithms, the same throughput is achieved with 4.89 Kgates. The fastest design supporting the two algorithms achieves 1.6 Gbps with 8.27 Kgates.

Proceedings ArticleDOI
10 Dec 2002
TL;DR: This paper presents a content access control method by spatially shuffling codewords of the compressed bitstream, and proposes a method for generating or updating the shuffling tables on the fly, based on encrypting some local-content-specific bits using a standard cipher.
Abstract: This paper presents a content access control method by spatially shuffling codewords of the compressed bitstream. This approach is lightweight and incurs no bit overhead. One important advantage of the approach is that the resulting scrambled bitstream can be made compliant to the compression format, thus providing some level of scalability, error resiliency, network friendliness and capability of performing signal processing directly on the encrypted bitstream. In addition, we propose a method for generating or updating the shuffling tables on the fly, based on encrypting some local-content-specific bits using a standard cipher. This local-content-specific bits based table generation process is self-synchronous, which is critical in the presence of packet loss. It also enhances the resistance of this spatial shuffling approach to plain-text attack.

Journal ArticleDOI
TL;DR: The protocol eliminates the need for a cipher, yet effectively combines the advantages of symmetric and public-key ciphers, and can be used to build a new key management scheme that allows the service providers to generate different keys for different sets of receivers, and to renew these keys in a convenient way.
Abstract: Digital multimedia content is delivered to homes via the Internet, satellite, terrestrial and cable networks. Scrambling is a common approach used by conditional access systems to prevent unauthorized access to audio/visual data. The descrambling keys are securely distributed to the receivers in the same transmission channel. Their protection is an important part of the key management problem. Although public-key cryptography provides a viable solution, alternative methods are sought for economy and efficiency. Message authentication is an important objective of information security in modern electronic distribution networks. This objective is met by providing the receiver of a message an assurance of the sender's identity. As physical protection such as sealed envelopes is not possible for messages expressed as binary sequences, digital tools have been developed using cryptography. A major limitation of all cryptographic methods for message authentication lies in their use of algorithms with fixed symmetric or public keys. This paper presents a key transport protocol based on secret sharing. Conditional access and message authentication are two important application areas for which the advantages of the proposed protocol are discussed. The protocol eliminates the need for a cipher, yet effectively combines the advantages of symmetric and public-key ciphers. It can be used to build a new key management scheme that allows the service providers to generate different keys for different sets of receivers, and to renew these keys in a convenient way.

Posted Content
TL;DR: In this article, it was shown that the existence of distinguishing attacks against stream ciphers is unrelated to their security in practical use, and in particular that the amount of data required to perform a distinguishing attack was unrelated to the key length of the cipher.
Abstract: We demonstrate that the existence of distinguishing attacks against stream ciphers is unrelated to their security in practical use, and in particular that the amount of data required to perform a distinguishing attack is unrelated to the key length of the cipher. The implication for the NESSIE Project is that no submitted symmetric cipher would be accepted under the unpublished rules for distinguishing attacks, not even the block ciphers in Counter Mode or Out-

Journal ArticleDOI
TL;DR: This paper proposes a PS-LFSR that shifts m (≥ 2) times during one clock interval, and a parallel stream cipher that runs faster by operating many similar keystream generators in parallel using PS-LFSRs.