
Showing papers on "Cipher published in 2009"


Book ChapterDOI
30 Aug 2009
TL;DR: A new family of very efficient hardware-oriented block ciphers divided into two flavors; the second flavor is more compact in hardware, as the key is burnt into the device (and cannot be changed), and its smallest member achieves an encryption speed of 12.5 Kbit/sec.
Abstract: In this paper we propose a new family of very efficient hardware-oriented block ciphers. The family contains six block ciphers divided into two flavors. All block ciphers share the 80-bit key size and security level. The first flavor, KATAN, is composed of three block ciphers, with 32, 48, or 64-bit block size. The second flavor, KTANTAN, contains the other three ciphers with the same block sizes, and is more compact in hardware, as the key is burnt into the device (and cannot be changed). The smallest cipher of the entire family, KTANTAN32, can be implemented in 462 GE while achieving encryption speed of 12.5 Kbit/sec (at 100 KHz). KTANTAN48, which is the version we recommend for RFID tags, uses 588 GE, whereas KATAN64, the largest and most flexible candidate of the family, uses 1054 GE and has a throughput of 25.1 Kbit/sec (at 100 KHz).

733 citations


Book
24 Dec 2009
TL;DR: The Advanced Encryption Standard (AES) is an encryption standard adopted by the U.S. government as mentioned in this paper, which has a 128-bit block size with key sizes of 128, 192 and 256 bits.
Abstract: In cryptography, the Advanced Encryption Standard (AES) is an encryption standard adopted by the U.S. government. The standard comprises three block ciphers, AES-128, AES-192 and AES-256, adopted from a larger collection originally published as Rijndael. Each AES cipher has a 128-bit block size, with key sizes of 128, 192 and 256 bits, respectively. The AES ciphers have been analyzed extensively and are now used worldwide, as was the case with its predecessor, the Data Encryption Standard (DES). AES was announced by the National Institute of Standards and Technology (NIST) as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001 after a 5-year standardization process in which fifteen competing designs were presented and evaluated before Rijndael was selected as the most suitable. It became effective as a Federal government standard on May 26, 2002 after approval by the Secretary of Commerce. It is available in many different encryption packages. AES is the first publicly accessible and open cipher approved by the NSA for top secret information.

593 citations


Book ChapterDOI
29 Jun 2009
TL;DR: A new approach to solving cryptographic problems by adapting both the problem description and the solver synchronously instead of tweaking just one of them is presented, which was able to solve a well-researched stream cipher 26 times faster than was previously possible.
Abstract: Cryptography ensures the confidentiality and authenticity of information but often relies on unproven assumptions. SAT solvers are a powerful tool to test the hardness of certain problems and have successfully been used to test hardness assumptions. This paper extends a SAT solver to efficiently work on cryptographic problems. The paper further illustrates how SAT solvers process cryptographic functions using automatically generated visualizations, introduces techniques for simplifying the solving process by modifying cipher representations, and demonstrates the feasibility of the approach by solving three stream ciphers. To optimize a SAT solver for cryptographic problems, we extended the solver's input language to support the XOR operation that is common in cryptography. To better understand the inner workings of the adapted solver and to identify bottlenecks, we visualize its execution. Finally, to improve the solving time significantly, we remove these bottlenecks by altering the function representation and by pre-parsing the resulting system of equations. The main contribution of this paper is a new approach to solving cryptographic problems by adapting both the problem description and the solver synchronously instead of tweaking just one of them. Using these techniques, we were able to solve a well-researched stream cipher 26 times faster than was previously possible.

478 citations


Journal ArticleDOI
TL;DR: Results of the various types of analysis suggest that the proposed image encryption technique is able to manage the trade-offs between security and speed and is hence suitable for real-time secure image and video communication applications.

324 citations


Journal ArticleDOI
TL;DR: Through comparison with the compound chaos with 2D baker map and DES encryption methods, it is concluded that the new image encryption method, with its speed and high security, solves the problems of being unable to resist chosen-plaintext attack and of the low precision of one-dimensional chaotic functions by perturbation.

184 citations


Book
14 Aug 2009
TL;DR: Algebraic Cryptanalysis bridges the gap between a course in cryptography, and being able to read the cryptanalytic literature, with a survey of the methods used in practice, including SAT-solvers and the methods of Nicolas Courtois.
Abstract: Algebraic Cryptanalysis bridges the gap between a course in cryptography, and being able to read the cryptanalytic literature. This book is divided into three parts: Part One covers the process of turning a cipher into a system of equations; Part Two covers finite field linear algebra; Part Three covers the solution of Polynomial Systems of Equations, with a survey of the methods used in practice, including SAT-solvers and the methods of Nicolas Courtois. Topics include:
- Analytic Combinatorics, and its application to cryptanalysis
- The equicomplexity of linear algebra operations
- Graph coloring
- Factoring integers via the quadratic sieve, with its applications to the cryptanalysis of RSA
Algebraic Cryptanalysis is designed for advanced-level students in computer science and mathematics as a secondary text or reference book for self-guided study. This book is suitable for researchers in Applied Abstract Algebra or Algebraic Geometry who wish to find more applied topics or practitioners working for security and communications companies.

174 citations


Book ChapterDOI
30 Aug 2009
TL;DR: It is shown experimentally that most of the intuitions that hold for PRESENT can also be observed for an unprotected implementation of Rijndael in an 8-bit controller, and the results exhibit that algebraic techniques lead to a new understanding of implementation weaknesses that is different from classical side-channel attacks.
Abstract: Algebraic side-channel attacks have been recently introduced as a powerful cryptanalysis technique against block ciphers. These attacks represent both a target algorithm and its physical information leakages as an overdefined system of equations that the adversary tries to solve. They were first applied to PRESENT because of its simple algebraic structure. In this paper, we investigate the extent to which they can be exploited against the AES Rijndael and discuss their practical specificities. We show experimentally that most of the intuitions that hold for PRESENT can also be observed for an unprotected implementation of Rijndael in an 8-bit controller. Namely, algebraic side-channel attacks can recover the AES master key with the observation of a single encrypted plaintext and they easily deal with unknown plaintexts/ciphertexts in this context. Because these attacks can take advantage of the physical information corresponding to all the cipher rounds, they imply that one cannot trade speed for code size (or gate count) without affecting the physical security of a leaking device. In other words, more intermediate computations inevitably lead to more exploitable leakages. We analyze the consequences of this observation on two different masking schemes and discuss its impact on other countermeasures. Our results exhibit that algebraic techniques lead to a new understanding of implementation weaknesses that is different from classical side-channel attacks.

156 citations


Book ChapterDOI
12 Dec 2009
TL;DR: In this paper, algebraic side-channel attacks are applied to the block cipher PRESENT, which is a stimulating first target due to its simple algebraic structure, and the proposed attacks have a number of interesting features: (1) they exploit the information leakages of all the cipher rounds, (2) in common implementation contexts (e.g., assuming a Hamming weight leakage model) they recover the keys from a single encryption, (3) these attacks can succeed in an unknown-plaintext/ciphertext adversarial scenario and (4) they directly defeat countermeasures such as Boolean masking.
Abstract: In 2002, algebraic attacks using overdefined systems of equations have been proposed as a potentially very powerful cryptanalysis technique against block ciphers. However, although a number of convincing experiments have been performed against certain reduced algorithms, it is not clear whether these attacks can be successfully applied in general and to a large class of ciphers. In this paper, we show that algebraic techniques can be combined with side-channel attacks in a very effective and natural fashion. As an illustration, we apply them to the block cipher PRESENT that is a stimulating first target, due to its simple algebraic structure. The proposed attacks have a number of interesting features: (1) they exploit the information leakages of all the cipher rounds, (2) in common implementation contexts (e.g. assuming a Hamming weight leakage model), they recover the block cipher keys after the observation of a single encryption, (3) these attacks can succeed in an unknown-plaintext/ciphertext adversarial scenario and (4) they directly defeat countermeasures such as boolean masking. Eventually, we argue that algebraic side-channel attacks can take advantage of any kind of physical leakage, leading to a new tradeoff between the robustness and informativeness of the side-channel information extraction.

109 citations


Patent
18 Sep 2009
TL;DR: The preferred embodiment of the method of the present invention comprises steps of generating and receiving messages at an Internet e-mail system, encrypting said messages, updating a cipher dictionary at a cipher proxy, and decoding and decrypting the messages when accessed by a user as discussed by the authors.
Abstract: The preferred embodiments of the present invention disclose a security transformation system which includes an e-mail client, a cipher proxy, a dictionary database and an Internet e-mail system. The system is capable of generating and receiving messages and performing a cipher substitution and encryption of key fields of messages when they are stored at a user's Internet e-mail system. When the messages are received or accessed the system permits deciphering and decrypting the message using a reverse security transformation. The preferred embodiments of the method of the present invention comprise steps of generating and receiving messages at an Internet e-mail system, performing a security transformation on said messages, encrypting said messages, updating a cipher dictionary at a cipher proxy, and decoding and decrypting the messages when accessed by a user.

108 citations


Journal ArticleDOI
Shiguo Lian
TL;DR: Theoretical analysis and experimental results show that the block cipher has good computing security and is more suitable for image encryption and is expected to attract more researchers in this field.

102 citations


Book ChapterDOI
23 Aug 2009
TL;DR: This paper largely settles the question whether an SLT cipher exists for which the techniques of Chow et al. result in a secure white-box implementation by presenting an algorithm that is able to extract the key from such an implementation under a mild condition on the diffusion matrix.
Abstract: A white-box implementation of a block cipher is a software implementation from which it is difficult for an attacker to extract the cryptographic key. Chow et al. published white-box implementations for AES and DES. These implementations are based on ideas that can be used to derive white-box implementations for other block ciphers as well. In particular, the ideas can be used to derive a white-box implementation for any substitution linear-transformation (SLT) cipher. Although the white-box implementations of AES and DES have been cryptanalyzed, the cryptanalyses published use typical properties of AES and DES. It is therefore an open question whether an SLT cipher exists for which the techniques of Chow et al. result in a secure white-box implementation. In this paper we largely settle this question by presenting an algorithm that is able to extract the key from such an implementation under a mild condition on the diffusion matrix. The condition is, for instance, satisfied by all MDS matrices. Our result can serve as a basis to design block ciphers and to develop white-box techniques that result in secure white-box implementations.

Posted Content
TL;DR: It is shown that inducing a random fault anywhere in one of the four diagonals of the state matrix at the input of the eighth round of the cipher leads to the deduction of the entire AES key.
Abstract: The present paper develops an attack on the AES algorithm, exploiting multiple byte faults in the state matrix. The work shows that inducing a random fault anywhere in one of the four diagonals of the state matrix at the input of the eighth round of the cipher leads to the deduction of the entire AES key. We also propose a more generalized fault attack which works if the fault induction does not stay confined to one diagonal. To the best of our knowledge, we present for the first time actual chip results for a fault attack on an iterative AES hardware running on a Xilinx FPGA platform. We show that when the fault stays within a diagonal, the AES key can be deduced with a brute force complexity of approximately 2, which was successfully performed in about 400 seconds on an Intel Xeon Server with 8 cores. We show further that even if the fault induction corrupts two or three diagonals, 2 and 4 faulty ciphertexts are necessary to uniquely identify the correct key.

Journal ArticleDOI
TL;DR: The result of experiment shows that the encryption scheme cannot resist the chosen plaintext attack, and the paper proposed an improved measure to make up the weakness of the scheme.

Book ChapterDOI
23 Nov 2009
TL;DR: The first linear hulls are computed in practice for the original PRESENT cipher, which corroborated and even improved on the predicted bias (and the corresponding attack complexities) of conventional linear relations based on a single linear trail.
Abstract: The contributions of this paper include the first linear hull and a revisit of the algebraic cryptanalysis of reduced-round variants of the block cipher PRESENT, under known-plaintext and ciphertext-only settings. We introduce a pure algebraic cryptanalysis of 5-round PRESENT and in one of our attacks we recover half of the bits of the key in less than three minutes using an ordinary desktop PC. The PRESENT block cipher is a design by Bogdanov et al., announced in CHES 2007 and aimed at RFID tags and sensor networks. For our linear attacks, we can attack 25-round PRESENT with the whole code book, 2^96.68 25-round PRESENT encryptions, 2^40 blocks of memory and 0.61 success rate. Further we can extend the linear attack to 26-round with small success rate. As a further contribution of this paper we computed linear hulls in practice for the original PRESENT cipher, which corroborated and even improved on the predicted bias (and the corresponding attack complexities) of conventional linear relations based on a single linear trail.

Journal ArticleDOI
TL;DR: A new encryption algorithm is proposed by analyzing the principle of the chaos encryption algorithm based on the logistic map; the experimental results confirm the effectiveness of the proposed method, and the coupled chaotic maps show the advantages of a large key space and high-level security.
Abstract: The security of a stream cipher, which is known as one of the main cipher techniques, depends completely on the quality of the generated pseudo-stochastic sequences. Chaotic systems can produce pseudo-random sequences with good randomness; therefore, these systems are suitable for stream ciphers. In this paper, a new encryption algorithm is proposed by analyzing the principle of the chaos encryption algorithm based on the logistic map. Moreover, the security and performance of the proposed algorithm are also estimated. The experimental results based on coupled chaotic maps confirm the effectiveness of the proposed method, and the coupled chaotic maps show the advantages of a large key space and high-level security. The ciphertext generated by this method is the same size as the plaintext and is suitable for practical use in the secure transmission of confidential information over the Internet.

Book ChapterDOI
30 Aug 2009
TL;DR: An attack is described that breaks DES by introducing some faults at the end of round 9, 10, 11 or 12, more or less efficiently depending on the fault model and the round number.
Abstract: Differential Fault Analysis (DFA) is a powerful cryptanalytic technique that disturbs cryptographic computations and exploits erroneous results to infer secret keys. Over the last decade, many works have described and improved DFA techniques against block ciphers thus showing an inherent need to protect their implementations. A simple and widely used solution is to perform the computation twice and to check that the same result is obtained. Since DFA against block ciphers usually targets the last few rounds, one does not need to protect the whole ciphering thus saving computation time. However the number of rounds to protect must be chosen very carefully in order to prevent security flaws. To determine this number, one must study DFA targeting middle rounds of the cipher. In this paper, we address this issue for the Data Encryption Standard (DES) algorithm. We describe an attack that breaks DES by introducing some faults at the end of round 9, 10, 11 or 12, more or less efficiently depending on the fault model and the round number.

Proceedings ArticleDOI
18 Feb 2009
TL;DR: This paper examines four modern block cipher modes of operation regarding their applicability in sensor networks and indicates that the CCFB+H mode is the best choice for a large range of applications.
Abstract: Wireless sensor networks are a key technology for "ubiquitous computing" applications. The challenges of securing such networks are tremendous. On the one side, sensor nodes are commonly deployed in potentially hostile environments, which requires additional protection in comparison to traditional computing systems. On the other side, the capabilities of sensor nodes in terms of computing power, memory, and available energy are severely limited, which makes it hard to adapt existing security solutions. In this paper, we examine different options for providing confidentiality and message authentication to sensor network communication. More specifically, we examine four modern block cipher modes of operation regarding their applicability in sensor networks. These are the Offset Codebook mode (OCB), the Counter Cipher Feedback with Header mode (CCFB+H), the EAX mode, and the Galois/Counter mode (GCM). Our practical evaluation targets the MICAz sensor node and accounts for the typically small packet size of sensor network traffic. Our results indicate that the CCFB+H mode is the best choice for a large range of applications.

Book ChapterDOI
17 Dec 2009
TL;DR: This work introduces low-cost hardware for performing non-invasive side-channel attacks on Radio Frequency Identification Devices (RFID) and develops techniques for facilitating a correlation power analysis (CPA) in the presence of the field of an RFID reader.
Abstract: We introduce low-cost hardware for performing non-invasive side-channel attacks on Radio Frequency Identification Devices (RFID) and develop techniques for facilitating a correlation power analysis (CPA) in the presence of the field of an RFID reader. We practically verify the effectiveness of the developed methods by analysing the security of commercial contactless smartcards employing strong cryptography, pinpointing weaknesses in the protocol and revealing a vulnerability towards side-channel attacks. Employing the developed hardware, we present the first successful key-recovery attack on commercially available contactless smartcards based on the Data Encryption Standard (DES) or Triple-DES (3DES) cipher that are widely used for security-sensitive applications, e.g., payment purposes.

Journal ArticleDOI
TL;DR: This paper models performance of the cipher feedback mode in terms of the probability that part of or the whole ciphertext cannot be successfully decrypted, and derives the optimal number of stages to achieve the optimal throughput, given an error rate in a wireless network.
Abstract: Block ciphers encrypt a fixed size block of plaintext at a time to produce a block of ciphertext. Stream ciphers encrypt stream data, such as voice or Telnet traffic, one bit or more bits at a time. The cipher feedback mode is a stream cipher implemented by a block cipher via multiple stages, and in each stage one bit or a number of bits of plaintext are encrypted at a time. In this paper, we study error performance of the stream-based cipher feedback mode in an unreliable wireless channel in terms of throughput. We model performance of the cipher feedback mode in terms of the probability that part of or the whole ciphertext cannot be successfully decrypted, and the throughput by adopting the cipher feedback mode. We explicitly derive the optimal number of stages in the cipher feedback mode to achieve the optimal throughput, given an error rate in a wireless network. We also prove that for the cipher feedback mode, the whole ciphertext is successfully decrypted if and only if the whole ciphertext is successfully transmitted.

Book ChapterDOI
04 Sep 2009
TL;DR: In this article, a generic algebraic attack with conversion and SAT solvers is presented, with which the full key of Hitag2 can be recovered in a few hours on a PC.
Abstract: Hitag2 is a stream cipher that is widely used in RFID car locks in the automobile industry. It can be seen as a (much) more secure version of the [in]famous Crypto-1 cipher that is used in MiFare Classic RFID products [14,20,15]. Recently, a specification of Hitag2 was circulated on the Internet [29]. Is this cipher secure w.r.t. the recent algebraic attacks [8,17,1,25] that allowed several LFSR-based stream ciphers to be broken with success? After running some computer simulations we saw that the Algebraic Immunity [25] is at least 4 and we see no hope to get a very efficient attack of this type. However, there are other algebraic attacks that rely on experimentation but nevertheless work. For example Faugère and Ars have discovered that many simple stream ciphers can be broken experimentally with Gröbner bases, given an extremely small quantity of keystream, see [17]. Similarly reduced-round versions of DES [9] and KeeLoq [11,12] were broken using SAT solvers, that actually seem to outperform Gröbner basis techniques. Thus, we have implemented a generic experimental algebraic attack with conversion and SAT solvers [10,9]. As a result we are able to break Hitag2 quite easily; the full key can be recovered in a few hours on a PC. In addition, given the specific protocol in which the Hitag2 cipher is used in cars, some of our attacks are practical.

Journal Article
TL;DR: This paper proposes a new, large diffusion layer for the AES block cipher that replaces the ShiftRows and MixColumns operations by a new involutory matrix in every round, using the Cauchy matrix construction instead of circulant matrices such as in the AES.
Abstract: This paper proposes a new, large diffusion layer for the AES block cipher. This new layer replaces the ShiftRows and MixColumns operations by a new involutory matrix in every round. The objective is to provide complete diffusion in a single round, thus sharply improving the overall cipher security. Moreover, the new matrix elements have low Hamming-weight in order to provide equally good performance for both the encryption and decryption operations. We use the Cauchy matrix construction instead of circulant matrices such as in the AES. The reason is that circulant matrices cannot be simultaneously MDS and involutory.

Proceedings ArticleDOI
19 Apr 2009
TL;DR: An Anti-Compromising authenticaTION protocol is proposed, ACTION, which employs a novel sparse tree architecture, such that the key of every tag is independent from one another.
Abstract: In order to protect privacy, radio frequency identification (RFID) systems employ privacy-preserving authentication (PPA) to allow valid readers to explicitly authenticate their dominated tags without leaking private information. Typically, an RF tag sends an encrypted message to the reader, then the reader searches for the key that can decrypt the cipher to identify the tag. Due to the large-scale deployment of today's RFID systems, the key search scheme for any PPA requires a short response time. Previous designs construct balanced-tree-based key management structures to accelerate the search speed to O(log N), where N is the number of tags. While efficient, such approaches are vulnerable to compromising attacks. By capturing a small number of tags, compromising attackers are able to identify other tags that have not been corrupted. To address this issue, we propose an Anti-Compromising authenticaTION protocol, ACTION, which employs a novel sparse tree architecture, such that the key of every tag is independent from one another. The advantages of this design include: 1) resilience to the compromising attack, 2) reduction of key storage for tags from O(log N) to O(1), which is significant for resource critical tag devices, and 3) high search efficiency, which is O(log N), as good as the best in the previous designs.

Book ChapterDOI
04 Nov 2009
TL;DR: A new blockcipher mode of operation named BTM, which stands for Bivariate Tag Mixing, which makes all-around improvements over the previous two DAE constructions, SIV (Eurocrypt 2006) and HBS (FSE 2009).
Abstract: We present a new blockcipher mode of operation named BTM, which stands for Bivariate Tag Mixing. BTM falls into the category of Deterministic Authenticated Encryption, which we call DAE for short. BTM makes all-around improvements over the previous two DAE constructions, SIV (Eurocrypt 2006) and HBS (FSE 2009). Specifically, our BTM requires just one blockcipher key, whereas SIV requires two. Our BTM does not require the decryption algorithm of the underlying blockcipher, whereas HBS does. The BTM mode utilizes bivariate polynomial hashing for authentication, which enables us to handle vectorial inputs of dynamic dimensions. BTM then generates an initial value for its counter mode of encryption by mixing the resulting tag with one of the two variables (hash keys), which avoids the need for an implementation of the inverse cipher.

Journal ArticleDOI
TL;DR: In this article, the authors identify a large class of block ciphers for which the group generated by the round functions of a block cipher can be easily guaranteed to be primitive, including the AES cipher and the SERPENT cipher.
Abstract: The group generated by the round functions of a block cipher has been widely investigated. We identify a large class of block ciphers for which this group is easily guaranteed to be primitive. Our class includes the AES cipher and the SERPENT cipher.

Patent
20 Jan 2009
TL;DR: In this paper, the confidentiality of JavaScript Object Notation (JSON) message data is secured using an encryption scheme, which implements a JSON encryption syntax, together with a set of processing rules for encrypting arbitrary data in JSON messages in a platform/language independent manner.
Abstract: The confidentiality of JavaScript Object Notation (JSON) message data is secured using an encryption scheme. The encryption scheme implements a JSON encryption syntax, together with a set of processing rules for encrypting arbitrary data in JSON messages in a platform/language independent manner. A method for encrypting a data item in a JSON message begins by applying an encryption method and a key to the data item to generate a cipher value. A data object is then constructed that represents an encryption of the data item. The data item in the JSON message is then replaced with the data object, and the resulting modified JSON message is then output from a sending entity. At a receiving entity, information in the data object is used to re-generate the data item, which is then placed back in the original message.

Proceedings ArticleDOI
28 Jun 2009
TL;DR: Owing to no escalation in bit rate, the proposed encryption algorithm is better suited for real-time multimedia streaming and well suited for playback on handheld devices because of the negligible increase in processing power.
Abstract: This paper presents a novel method for the protection of copyrighted multimedia content. The problem of selective encryption (SE) has been addressed along with compression for the state-of-the-art video codec H.264/AVC. SE is performed in the context-based adaptive binary arithmetic coding (CABAC) module of the video codec. For this purpose, CABAC is converted to an encryption cipher by scrambling of equal length binarized code words. In our scheme, the CABAC engine serves the purpose of an encryption cipher without affecting the coding efficiency of H.264/AVC by keeping the original bitrate, generating a completely compliant bitstream and utilizing negligible computational cost. Nine different benchmark video sequences containing different combinations of motion, texture and objects have been subjected to experimental evaluation of the proposed algorithm.

Book ChapterDOI
15 Nov 2009
TL;DR: A new 128-bit block cipher, TWIS, is proposed, which uses a key size of 128 bits and compares favorably with CLEFIA in terms of the security provided.
Abstract: A new 128-bit block cipher, TWIS, is proposed. It uses a key size of 128 bits. The design targets software environments for resource-constrained applications. It is inspired by the existing block cipher CLEFIA. Although the proposed design uses fewer resources as compared to CLEFIA, it compares favorably with CLEFIA in terms of the security provided.

Book ChapterDOI
04 Nov 2009
TL;DR: In this paper, the authors proposed a ring representation of Feedback with Carry Shift Registers (FCSRs) based on matrix definition which generalizes the Galois and Fibonacci representations.
Abstract: The Feedback with Carry Shift Registers (FCSRs) have been proposed as an alternative to Linear Feedback Shift Registers (LFSRs) for the design of stream ciphers. FCSRs have good statistical properties and they provide a built-in non-linearity. However, two attacks have shown that the current representations of FCSRs can introduce weaknesses in the cipher. We propose a new "ring" representation of FCSRs based upon matrix definition which generalizes the Galois and Fibonacci representations. Our approach preserves the statistical properties and circumvents the weaknesses of the Fibonacci and Galois representations. Moreover, the ring representation leads to automata with a quicker diffusion characteristic and better implementation results. As an application, we describe a new version of F-FCSR stream ciphers.

Patent
19 Mar 2009
TL;DR: In this paper, a cipher-based message authentication code (CMAC) function is used to generate an encrypted password from each input password of a plurality of input passwords, where at least two input passwords have different lengths and the encrypted passwords have the same length.
Abstract: According to one embodiment, encrypting passwords includes performing the following for each input password of a plurality of input passwords to yield encrypted passwords, where at least two input passwords have different lengths and the encrypted passwords have the same length. An input password and a random number are received at logic configured to perform a key derivation operation comprising a pseudorandom function. An encryption key is derived from the input password and the random number according to the key derivation operation. The encryption key and a user identifier are received at logic configured to perform a cipher-based message authentication code (CMAC) function. An encrypted password is generated from the encryption key and the user identifier according to the CMAC function.