
Showing papers on "Collision attack published in 2017"


Book ChapterDOI
Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, Yarik Markov
20 Aug 2017
TL;DR: SHA-1, the 1995 NIST hash function standard, was officially deprecated by NIST in 2011 because of fundamental weaknesses demonstrated by various analyses and theoretical attacks, and was superseded by the SHA-2 standard.
Abstract: SHA-1 is a widely used 1995 NIST cryptographic hash function standard that was officially deprecated by NIST in 2011 due to fundamental security weaknesses demonstrated in various analyses and theoretical attacks.

239 citations


Journal ArticleDOI
TL;DR: A novel hash function scheme which uses multiple chaotic maps to generate efficient variable-sized hash functions and holds comparable capabilities when compared with some recent chaos-based hash algorithms is presented.
Abstract: The chaotic maps possess high parameter sensitivity, random-like behavior and one-way computations, which favor the construction of cryptographic hash functions. In this paper, we propose to present a novel hash function scheme which uses multiple chaotic maps to generate efficient variable-sized hash functions. The message is divided into four parts, each part is processed by a different 1D chaotic map unit yielding intermediate hash code. The four codes are concatenated to two blocks, then each block is processed through 2D chaotic map unit separately. The final hash value is generated by combining the two partial hash codes. The simulation analyses such as distribution of hashes, statistical properties of confusion and diffusion, message and key sensitivity, collision resistance and flexibility are performed. The results reveal that the proposed anticipated hash scheme is simple, efficient and holds comparable capabilities when compared with some recent chaos-based hash algorithms.

50 citations


Journal ArticleDOI
TL;DR: This work proposes two short-input hash functions, utilizing AES instructions on modern CPUs, and develops a general tool-based method to include arguments against attack vectors using truncated differentials.
Abstract: Recently, many efficient cryptographic hash function design strategies have been explored, not least because of the SHA-3 competition. These designs are, almost exclusively, geared towards high performance on long inputs. However, various applications exist where the performance on short (fixed length) inputs matters more. Such hash functions are the bottleneck in hash-based signature schemes like SPHINCS or XMSS, which is currently under standardization. Secure functions specifically designed for such applications are scarce. We attend to this gap by proposing two short-input hash functions (or rather simply compression functions). By utilizing AES instructions on modern CPUs, our proposals are the fastest on such platforms, reaching throughputs below one cycle per hashed byte even for short inputs, while still having a very low latency of less than 60 cycles. Under the hood, this result comes with several innovations. First, we study whether the number of rounds for our hash functions can be reduced, if only second-preimage resistance (and not collision resistance) is required. The conclusion is: only a little. Second, since their inception, AES-like designs allow for supportive security arguments by means of counting and bounding the number of active S-boxes. However, this ignores powerful attack vectors using truncated differentials, including the powerful rebound attacks. We develop a general tool-based method to include arguments against attack vectors using truncated differentials.

40 citations


Journal ArticleDOI
TL;DR: This work reviews the existing methods in digital forensic tools that have been used to create collision attacks on digital evidence.

30 citations


Book ChapterDOI
30 Apr 2017
TL;DR: By extending the connectors of Dinur et al. by one round and developing a dedicated differential trail search strategy, the first practical collision attack against 5-round SHAKE128 and solutions to two 5-round instances of the Keccak collision challenges are found, with real examples.
Abstract: In this paper, we focus on collision attacks against Keccak hash function family and some of its variants. Following the framework developed by Dinur et al. at FSE 2012 where 4-round collisions were found by combining 3-round differential trails and 1-round connectors, we extend the connectors one round further hence achieve collision attacks for up to 5 rounds. The extension is possible thanks to the large degree of freedom of the wide internal state. By linearization of all S-boxes of the first round, the problem of finding solutions of 2-round connectors is converted to that of solving a system of linear equations. However, due to the quick freedom reduction from the linearization, the system has a solution only when the 3-round differential trails satisfy some additional conditions. We develop a dedicated differential trail search strategy and find such special differentials indeed exist. As a result, the first practical collision attack against 5-round SHAKE128 and two 5-round instances of the Keccak collision challenges are found with real examples. We also give the first results against 5-round Keccak-224 and 6-round Keccak collision challenges. It is remarked that the work here is still far from threatening the security of the full 24-round Keccak family.

25 citations


Journal ArticleDOI
Yijun Yang, Fei Chen, Xiaomei Zhang, Jianping Yu, Peng Zhang
TL;DR: A Double-Serial iterative structure is proposed that can not only avoid the traditional second collision attack, multicollision attack and second preimage attack of long message, but also accelerate the message diffusion and enhance the avalanche effect.
Abstract: Since the traditional classic hash function structure (MD structure) is suffering from all kinds of attacks, the research of new hash function structures has become a hot issue. This paper analyses these attacks; based on the MD structure, it brings in two security parameters and improves the message padding scheme, and then designs a Double-Serial iterative structure. In this structure, since more message blocks affect the chaining variables, it can not only avoid the traditional second collision attack, multicollision attack and second preimage attack on long messages, but also accelerate message diffusion and enhance the avalanche effect. According to the efficiency analysis and security authentication, the proposed structure improves security and has the same efficiency as the Double-Pipe structure.

22 citations


Proceedings ArticleDOI
01 Oct 2017
TL;DR: This paper proposes an adaptive acknowledgment-based approach, called AAA, to detect the stealthy collision attack caused by multiple malicious nodes in the realm of EHNets, where two malicious nodes coordinate their packet transmissions simultaneously to create the packet collision at a legitimate node.
Abstract: Energy harvesting motivated networks (EHNets) are rapidly emerging as a major part of ubiquitous computing and communication infrastructure in the presence of Internet-of-Things (IoT). A set of self-sustainable nodes equipped with energy harvesting capabilities can effectively exploit ambient energy and convert it into electric energy, but it is admittedly vulnerable to a Denial-of-Service (DoS) attack that primarily targets service availability, often witnessed in wireless multi-hop networks. In this paper, we propose an adaptive acknowledgment-based approach, called AAA, to detect the stealthy collision attack caused by multiple malicious nodes in the realm of EHNets, where two malicious nodes coordinate their packet transmissions simultaneously to create the packet collision at a legitimate node. In the AAA, each node forwards a Data packet, monitors the subsequent packet transmission of its one-hop downstream node and waits for an explicit acknowledgment (Ack) packet from its two-hop downstream node, and then detects the stealthy collision attack in EHNets. We conduct extensive simulation experiments using OMNeT++ for performance evaluation and comparison. The simulation results indicate that the proposed countermeasure can provide higher detection rate and packet delivery ratio but lower detection latency compared to the existing scheme, MCC.

21 citations


Journal ArticleDOI
TL;DR: This paper develops an original closed-form expression, which shows many benefits by using the full algebraic description of the leakage model and derives the stochastic collision attack in case of zero-offset leakage that occurs in protected hardware implementations and use simulated data for comparison.
Abstract: On the one hand, collision attacks have been introduced in the context of side-channel analysis for attackers who exploit repeated code with the same data without having any knowledge of the leakage model. On the other hand, stochastic attacks have been introduced to recover leakage models of internally processed intermediate secret variables. Both techniques have shown advantages and intrinsic limitations. Most collision attacks, for instance, fail in exploiting all the leakages (e.g., only a subset of matching samples are analyzed), whereas stochastic attacks cannot involve linear regression with the full basis (while the latter basis is the most informative one). In this paper, we present an innovative attacking approach, which combines the flavors of stochastic and collision attacks. Importantly, our attack is derived from the optimal distinguisher, which maximizes the success rate when the model is known. Notably, we develop an original closed-form expression, which shows many benefits by using the full algebraic description of the leakage model. Using simulated data, we show in the unprotected case that, for low noise, the stochastic collision attack is superior to the state of the art, whereas asymptotically and thus, for higher noise, it becomes equivalent to the correlation-enhanced collision attack. Our so-called stochastic collision attack is extended to the scenario where the implementation is protected by masking. In this case, our new stochastic collision attack is more efficient in all scenarios and, remarkably, tends to the optimal distinguisher. We confirm the practicability of the stochastic collision attack thanks to experiments against a public data set (DPA contest v4). Furthermore, we derive the stochastic collision attack in case of zero-offset leakage that occurs in protected hardware implementations and use simulated data for comparison. Eventually, we underline the capability of the new distinguisher to improve its efficiency when the attack multiplicity increases.

18 citations


Posted Content
TL;DR: Collision attacks against the Keccak hash function family and some of its variants are studied; 2-round connectors are obtained by linearizing the first-round S-boxes, and a dedicated differential trail search strategy shows that the special 3-round differentials this requires indeed exist, giving practical 5-round collisions.
Abstract: In this paper, we focus on collision attacks against Keccak hash function family and some of its variants. Following the framework developed by Dinur et al. at FSE 2012 where 4-round collisions were found by combining 3-round differential trails and 1-round connectors, we extend the connectors one round further hence achieve collision attacks for up to 5 rounds. The extension is possible thanks to the large degree of freedom of the wide internal state. By linearization of all S-boxes of the first round, the problem of finding solutions of 2-round connectors is converted to that of solving a system of linear equations. However, due to the quick freedom reduction from the linearization, the system has a solution only when the 3-round differential trails satisfy some additional conditions. We develop a dedicated differential trail search strategy and find such special differentials indeed exist. As a result, the first practical collision attack against 5-round SHAKE128 and two 5-round instances of the Keccak collision challenges are found with real examples. We also give the first results against 5-round Keccak-224 and 6-round Keccak collision challenges. It is remarked that the work here is still far from threatening the security of the full 24-round Keccak family.

15 citations


Proceedings ArticleDOI
02 Apr 2017
TL;DR: A cryptographic analysis of the protocols used by the European Rail Traffic Management System (ERTMS) yields an attack that exploits weaknesses in all three protocols: GSM-R has the same well-known weaknesses as GSM, a new collision attack is presented against the EuroRadio protocol, and, combined with design weaknesses in the application-level protocol, an attacker who observes a MAC collision can forge train control messages.
Abstract: This paper presents the results of a cryptographic analysis of the protocols used by the European Rail Traffic Management System (ERTMS). A stack of three protocols secures the communication between trains and trackside equipment; encrypted radio communication is provided by the GSM-R protocol, on top of this the EuroRadio protocol provides authentication for a train control application-level protocol. We present an attack which exploits weaknesses in all three protocols: GSM-R has the same well known weaknesses as the GSM protocol, and we present a new collision attack against the EuroRadio protocol. Combined with design weaknesses in the application-level protocol, these vulnerabilities allow an attacker, who observes a MAC collision, to forge train control messages. We demonstrate this attack with a proof of concept using train control messages we have generated ourselves. Currently, ERTMS is only used to send small amounts of data for short sessions, therefore this attack does not present an immediate danger. However, if EuroRadio were to be used to transfer larger amounts of data, trains would become vulnerable to this attack. Additionally, we calculate that, under reasonable assumptions, an attacker who could monitor all backend control centres in a country the size of the UK for 45 days would have a 1% chance of being able to take control of a train.

15 citations


Posted Content
TL;DR: SPHINCS-Simpira is introduced, a variant of the SPHINCS signature scheme with Simpira as a building block; Simpira delivers high throughput on modern 64-bit processors by using only one building block, the AES round function.
Abstract: We introduce SPHINCS-Simpira, which is a variant of the SPHINCS signature scheme with Simpira as a building block. SPHINCS was proposed by Bernstein et al. at EUROCRYPT 2015 as a hash-based signature scheme with post-quantum security. At ASIACRYPT 2016, Gueron and Mouha introduced the Simpira family of cryptographic permutations, which delivers high throughput on modern 64-bit processors by using only one building block: the AES round function. The Simpira family claims security against structural distinguishers with a complexity up to 2 using classical computers. In this document, we explain why the same claim can be made against quantum computers as well. Although Simpira follows a very conservative design strategy, our benchmarks show that SPHINCS-Simpira provides a 1.5× speed-up for key generation, a 1.4× speed-up for signing 59-byte messages, and a 2.0× speed-up for verifying 59-byte messages compared to the originally proposed SPHINCS-256.

Book ChapterDOI
20 Aug 2017
TL;DR: Functional-graph-based (second) preimage attacks against hash combiners are studied; by exploiting more properties of functional graphs, the preimage attack against the XOR combiner is improved to complexity \(2^{5n/8}\) (previous best \(2^{2n/3}\)), and the first generic second-preimage attack on Zipper hash is given, with complexity \(2^{3n/5}\).
Abstract: This paper studies functional-graph-based (second) preimage attacks against hash combiners. By exploiting more properties of functional graph, we find an improved preimage attack against the XOR combiner with a complexity of \(2^{5n/8}\), while the previous best-known complexity is \(2^{2n/3}\). Moreover, we find the first generic second-preimage attack on Zipper hash with an optimal complexity of \(2^{3n/5}\).

Journal ArticleDOI
TL;DR: The statistical data and experimental analysis prove that the designed hash function algorithm has good properties of confusion and diffusion, collision resistance and superior efficiency, which can make it become a new type of candidate for hash function.
Abstract: In recent years, considerable effort has been devoted to research on hash functions. Nevertheless, it is hard to obtain the properties of sensitivity, confusion and diffusion, collision resistance, and high efficiency simultaneously. Based on research of all attacks on classical hash functions, we propose a parallel and collision-resistant hash function. With regard to the design of the compression function, in order to resist attacks such as the birthday attack, forgery attack and multi-collision attack, we change the initial value of the chaining variable, which is processed through three rounds of iteration. On the aspect of the iterative structure, instead of calculating sequentially, a parallel structure is designed. The improvement lies in the combination of two message blocks independently in each round. The statistical data and experimental analysis prove that the designed hash function algorithm has good properties of confusion and diffusion, collision resistance and superior efficiency, which can make it a new type of candidate for hash functions.

Proceedings Article
01 Jan 2017
TL;DR: In this article, the authors present a significant performance improvement for collision detection based on the new concept of unavoidable conditions, which are conditions that are necessary for all feasible attacks in a certain attack class.
Abstract: Counter-cryptanalysis, the concept of using cryptanalytic techniques to detect cryptanalytic attacks, was introduced by Stevens at CRYPTO 2013 [22] with a hash collision detection algorithm. That is, an algorithm that detects whether a given single message is part of a colliding message pair constructed using a cryptanalytic collision attack on MD5 or SHA-1. The concept's utility was proven when it was used to expose the then-unknown cryptanalytic collision attack exploited by the Flame espionage supermalware. So far there is a significant cost: to detect collision attacks against SHA-1 (respectively MD5) costs the equivalent of hashing the message 15 (respectively 224) times. In this paper we present a significant performance improvement for collision detection based on the new concept of unavoidable conditions. Unavoidable conditions are conditions that are necessary for all feasible attacks in a certain attack class. As such they can be used to quickly dismiss particular attack classes that may have been used in the construction of the message. To determine an unavoidable condition one must rule out any feasible variant attack where this condition might not be necessary, otherwise adversaries aware of counter-cryptanalysis could easily bypass this improved collision detection with a carefully chosen variant attack. We provide a formal model for unavoidable conditions for collision attacks on MD5-like compression functions. Furthermore, based on a conjecture solidly supported by the current state of the art, we show how we can determine such unavoidable conditions for SHA-1. We have implemented the improved SHA-1 collision detection using such unavoidable conditions, which is about 16 times faster than without our unavoidable condition improvements. We have measured that overall our implemented SHA-1 with collision detection is only a factor 1.96 slower, on average, than SHA-1. Our work is very timely given the recently announced SHA-1 collision proving that SHA-1 is now practically broken.

DOI
19 Jun 2017
TL;DR: This paper shows how to theoretically compute the step differential probability of RIPEMD-160 under the condition that only one internal variable contains a difference and the difference is a power of 2, and proposes a semi-free-start collision attack on 48-step RIPEMD-160, which improves the best semi-free-start collision by 6 rounds.
Abstract: In this paper, we show how to theoretically compute the step differential probability of RIPEMD-160 under the condition that only one internal variable contains difference and the difference is a power of 2. Inspired by the way of computing the differential probability, we can do message modification such that a step differential holds with probability 1. Moreover, we propose a semi-free-start collision attack on 48-step RIPEMD-160, which improves the best semi-free-start collision by 6 rounds. This is mainly because some bits of the chaining variable in the i-th step can be computed by adding some conditions in advance, even though some chaining variables before step i are unknown. Therefore, the uncontrolled probability of the differential path is increased and the number of the needed starting points is decreased. Then a semi-free-start collision attack on 48-step RIPEMD-160 can be obtained based on the differential path constructed by Mendel et al. at ASIACRYPT 2013. The experiments confirm our reasoning and complexity analysis.

Journal ArticleDOI
TL;DR: A new countermeasure named Random Key Rotation (RKR) is given against the existing statistical side-channel analysis of NTRU; according to analysis and experiments on an STC89C52 microprocessor, little key information is leaked by collision attack, second-order correlation power analysis, etc.

Proceedings ArticleDOI
05 May 2017
TL;DR: Multiple processors from the CUNY High Performance Computing Center's clusters are used to locate partial collisions for the hash functions MD5 and SHA1 by brute-force parallel programming in C with the MPI library.
Abstract: A hash function hashes a longer message of arbitrary length into a much shorter bit string of fixed length, called a hash. Inevitably, there will be a lot of different messages being hashed to the same or similar hash. We call this a hash collision or a partial hash collision. By utilizing multiple processors from the CUNY High Performance Computing Center's clusters, we can locate partial collisions for the hash functions MD5 and SHA1 by brute force parallel programming in C with MPI library. The brute force method of finding a second preimage collision entails systematically computing all of the permutations, hashes, and Hamming distances of the target preimage. We explore varying size target strings and the number of processors allocation to examine the effect these variables have on finding partial collisions. The results show that for the same message space the search time for the partial collisions is roughly halved for each doubling of the number of processors; the longer the message is the better partial collisions are produced.

Book ChapterDOI
03 Dec 2017
TL;DR: In this paper, the authors proposed an improved cryptanalysis of the double-branch hash function RIPEMD-160 standardized by ISO/IEC, where the left branch is sparse and the right branch is controlled as sparse as possible.
Abstract: In this paper, we propose an improved cryptanalysis of the double-branch hash function RIPEMD-160 standardized by ISO/IEC. Firstly, we show how to theoretically calculate the step differential probability of RIPEMD-160, which was stated as an open problem by Mendel et al. at ASIACRYPT 2013. Secondly, based on the method proposed by Mendel et al. to automatically find a differential path of RIPEMD-160, we construct a 30-step differential path where the left branch is sparse and the right branch is controlled as sparse as possible. To ensure the message modification techniques can be applied to RIPEMD-160, some extra bit conditions should be pre-deduced and well controlled. These extra bit conditions are used to ensure that the modular difference can be correctly propagated. This way, we can find a collision of 30-step RIPEMD-160 with complexity \(2^{67}\). This is the first collision attack on round-reduced RIPEMD-160. Moreover, by a different choice of the message words to merge two branches and adding some conditions to the starting point, the semi-free-start collision attack on the first 36-step RIPEMD-160 from ASIACRYPT 2013 can be improved. However, the previous way to pre-compute the equation \(T^{\lll S_0}\boxplus C_0=(T\boxplus C_1)^{\lll S_1}\) costs too much. To overcome this obstacle, we are inspired by Daum et al.'s work on MD5 and describe a method to reduce the time complexity and memory complexity to pre-compute that equation. Combining all these techniques, the time complexity of the semi-free-start collision attack on the first 36-step RIPEMD-160 can be reduced by a factor of \(2^{15.3}\) to \(2^{55.1}\).

Proceedings ArticleDOI
05 May 2017
TL;DR: The birthday attack technique was used to test MD5's general collision resistance, while the brute-force method was used in the search for pre-image and second pre-image collisions.
Abstract: In cryptography, a hash function is a very important cryptographic primitive with a wide range of applications. There are three required properties for a good hash function, i.e., collision, pre-image, and second pre-image resistance. In this paper, we try to contest these properties on a popular and widely used hash function called MD5 - and its two simplified versions that we made. The birthday attack technique was used to test MD5's general collision resistance, while the brute force method was used in the search for pre-image and second pre-image collisions. We calculated the Hamming distance to monitor the progress in our search for a collision; the smaller the Hamming distance the better. Our input domain for the MD5 hash function consisted of hexadecimal bit-strings and strategically generated ASCII character strings. Since finding hash collisions demands much more computing power and storage, we wrote C parallel programs in conjunction with the Message Passing Interface (MPI) library that runs over multiple processors / cores in the heavily used CUNY HPC cluster called Penzias. Multiple search / sort / merge algorithms were tested, not only to reduce time and space complexities, but also to improve performance. Hash distributions, numerous arbitrary meaningless and a few meaningful collisions were found.
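The two CUNY papers above (the MPI partial-collision search and the MD5 birthday/brute-force study) describe the same two procedures in prose: a birthday search for messages whose hashes agree on a prefix of bits, and a brute-force search for the candidate whose hash is nearest, in Hamming distance, to a target hash. The following is an added single-process Python example, not the authors' C/MPI code, that runs both against MD5 so the cost model is visible: the birthday search finds a 24-bit partial collision in roughly 2^12 hashes, while the brute-force search over a constructed 3-letter alphabet only ever gets a "partial second preimage" tens of bits away from the target. The prefix string, bit width, alphabet and target message are assumptions chosen for illustration.

```python
import hashlib
import itertools
import string


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    assert len(a) == len(b)
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def digest_distance(m1: bytes, m2: bytes) -> int:
    """Hamming distance between the full 128-bit MD5 digests of two messages."""
    return hamming_distance(hashlib.md5(m1).digest(), hashlib.md5(m2).digest())


def md5_prefix_bits(msg: bytes, nbits: int) -> int:
    """The leading nbits bits of MD5(msg) as an integer: the 'partial hash' compared below."""
    return int.from_bytes(hashlib.md5(msg).digest(), "big") >> (128 - nbits)


def birthday_partial_collision(nbits: int, prefix: bytes = b"msg-"):
    """Birthday search: hash counter-suffixed messages (constructed inputs) until two of
    them agree on their first nbits bits. Expected work is about 2^(nbits/2) hashes and
    the same amount of memory, which is why brute force reaches only partial collisions
    of a 128-bit hash: the full digest would need ~2^64 of each."""
    seen = {}
    for i in itertools.count():
        msg = prefix + str(i).encode()
        key = md5_prefix_bits(msg, nbits)
        if key in seen:
            return seen[key], msg      # two distinct messages, same nbits-bit prefix
        seen[key] = msg


def nearest_second_preimage(target: bytes, alphabet: str = string.ascii_lowercase, length: int = 3):
    """Brute force over every `length`-character string of `alphabet` (26^3 = 17576
    candidates by default) and return (distance, candidate) for the candidate other than
    `target` whose MD5 is closest in Hamming distance to MD5(target). A distance of 0
    would be a genuine second preimage; in practice the minimum stays far above it."""
    target_digest = hashlib.md5(target).digest()
    best_dist, best_msg = None, None
    for chars in itertools.product(alphabet, repeat=length):
        cand = "".join(chars).encode()
        if cand == target:
            continue
        d = hamming_distance(hashlib.md5(cand).digest(), target_digest)
        if best_dist is None or d < best_dist:
            best_dist, best_msg = d, cand
    return best_dist, best_msg


if __name__ == "__main__":
    a, b = birthday_partial_collision(24)
    print("24-bit partial collision:", a, b,
          hashlib.md5(a).hexdigest()[:6], hashlib.md5(b).hexdigest()[:6],
          "full-digest Hamming distance:", digest_distance(a, b))
    print("nearest 3-letter second preimage of b'abc':", nearest_second_preimage(b"abc"))
```

Doubling the number of processors halves the wall-clock time of either loop only because both are embarrassingly parallel; it does not change the 2^(nbits/2) or |alphabet|^length work, which is the quantity that matters when judging whether a "partial" result says anything about the full 128-bit function.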

Book ChapterDOI
Yusuke Naito
03 Jul 2017
TL;DR: DBL iterated hash functions are collision resistant up to about \(2^n\) query complexity when a blockcipher with n-bit blocks is used, and by using an iterated structure the feed-forward operations can be eliminated.
Abstract: Designing a cryptographic scheme with minimal components is a main theme in cryptographic research. Regarding double-block-length (DBL) hashing, feed-forward operations are used to avoid attacks from the blockcipher's decryption function, whereas Ozen and Stam showed that by using an iterated structure the feed-forward operations can be eliminated. Precisely, DBL iterated hash functions are collision resistant up to about \(2^n\) query complexity when a blockcipher with n-bit blocks is used.

Posted Content
TL;DR: This paper presents a significant performance improvement for collision detection based on the new concept of unavoidable conditions, and provides a formal model for unavoidable conditions for collision attacks on MD5-like compression functions.
Abstract: Counter-cryptanalysis, the concept of using cryptanalytic techniques to detect cryptanalytic attacks, was introduced by Stevens at CRYPTO 2013 [22] with a hash collision detection algorithm. That is, an algorithm that detects whether a given single message is part of a colliding message pair constructed using a cryptanalytic collision attack on MD5 or SHA-1. The concept's utility was proven when it was used to expose the then-unknown cryptanalytic collision attack exploited by the Flame espionage supermalware. So far there is a significant cost: to detect collision attacks against SHA-1 (respectively MD5) costs the equivalent of hashing the message 15 (respectively 224) times. In this paper we present a significant performance improvement for collision detection based on the new concept of unavoidable conditions. Unavoidable conditions are conditions that are necessary for all feasible attacks in a certain attack class. As such they can be used to quickly dismiss particular attack classes that may have been used in the construction of the message. To determine an unavoidable condition one must rule out any feasible variant attack where this condition might not be necessary, otherwise adversaries aware of counter-cryptanalysis could easily bypass this improved collision detection with a carefully chosen variant attack. We provide a formal model for unavoidable conditions for collision attacks on MD5-like compression functions. Furthermore, based on a conjecture solidly supported by the current state of the art, we show how we can determine such unavoidable conditions for SHA-1. We have implemented the improved SHA-1 collision detection using such unavoidable conditions, which is about 16 times faster than without our unavoidable condition improvements. We have measured that overall our implemented SHA-1 with collision detection is only a factor 1.96 slower, on average, than SHA-1. Our work is very timely given the recently announced SHA-1 collision proving that SHA-1 is now practically broken.

Journal ArticleDOI
01 Feb 2017
TL;DR: This work implements the attacks and gives the specific examples by taking the padding into consideration for the collision and second preimage attacks for the reduced rounds of LUX hash family.
Abstract: Cryptography is a science that provides the security of information in communication. One of the most important sub-branches of cryptography is the hash functions. Hash functions are known as the digital fingerprints. Following the recent attacks on the widely used hash functions MD5 and SHA1 and the increase in computational power, the need for a new hash function standard has arisen. For this purpose, US National Institute of Standards and Technology (NIST) had announced a competition to select a standard hash function algorithm which would eventually become the Third Secure Hash Algorithm, SHA-3. Initially 64 algorithms were submitted to NIST and 51 of them were announced as the First Round Candidates. After an analysis period, 14 of these algorithms were announced as the Second Round Candidates, and 5 algorithms were announced as Finalists. The winner of the competition, Keccak, was announced in 2012. LUX is one of the 64 algorithms submitted to the SHA-3 competition by Nikolic et al. It is designed as a byte oriented stream cipher based hash function. For LUX-256, Schmidt-Nielsen gave a distinguisher and later Wu et al. presented collision attacks, both of which for reduced rounds of LUX. As a result of these attacks, LUX was eliminated in the first round. In this work, we first give a procedure for the second preimage attack. Then we extend this to the collision and second preimage attacks for the reduced rounds of LUX hash family. Moreover, we implement the attacks and give the specific examples by taking the padding into consideration.

Journal ArticleDOI
TL;DR: Improved attacks are obtained on several HMAC constructions used in practice in which the hash function limits the maximal message length, and the first universal forgery attacks applicable to SHA-1 and SHA-2 are devised.
Abstract: The security of HMAC (and more general hash-based MACs) against state-recovery and universal forgery attacks was shown to be suboptimal, following a series of results by Leurent et al. and Peyrin et al. These results have shown that such powerful attacks require significantly less than 2 computations, contradicting the common belief (where denotes the internal state size). In this work, we revisit and extend these results, with a focus on concrete hash functions that limit the message length, and apply special iteration modes. We begin by devising the first state-recovery attack on HMAC with a HAIFA hash function (using a block counter in every compression function call), with complexity 2^(4l/5). Then, we describe improved tradeoffs between the message length and the complexity of a state-recovery attack on HMAC with a Merkle-Damgard hash function. Consequently, we obtain improved attacks on several HMAC constructions used in practice, in which the hash function limits the maximal message length (e.g., SHA-1 and SHA-2). Finally, we present the first universal forgery attacks, which can be applied with short message queries to the MAC oracle. In particular, we devise the first universal forgery attacks applicable to SHA-1 and SHA-2. Despite their theoretical interest, our attacks do not seem to threaten the practical security of the analyzed concrete HMAC constructions.

Proceedings ArticleDOI
30 Oct 2017
TL;DR: In this article, the authors show that weaker conditions X, in particular forms of what they call constrained-CR, suffice to reduce demands on compression functions, to the benefit of security, and also explain why collision-finding attacks on compression functions have not, historically, led to immediate breaks of the corresponding hash functions.
Abstract: The MD transform that underlies the MD and SHA families iterates a compression function h to get a hash function H. The question we ask is, what property X of h guarantees collision resistance (CR) of H? The classical answer is that X itself be CR. We show that weaker conditions X, in particular forms of what we call constrained-CR, suffice. This reduces demands on compression functions, to the benefit of security, and also, forensically, explains why collision-finding attacks on compression functions have not, historically, led to immediate breaks of the corresponding hash functions. We obtain our results via a definitional framework called RS security, and a parameterized treatment of MD, that also serve to unify prior work and variants of the transform.
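The constrained-CR point can be seen on a toy Merkle-Damgård instance. The following is an added example, not code from the paper: h is a deliberately tiny 16-bit compression function (SHA-256 truncated to two bytes, an assumption made so that collisions on h cost about 2^8 trials), and the IV, block size and padding rule are toy choices. It shows that a collision on h under the fixed IV extends to a collision on H with any common suffix, whereas a free-start collision on h (attacker-chosen chaining values) does not collide H until the attacker also finds one-block prefixes that reach both chaining values from the IV, a preimage-style search costing about 2^n trials each.

```python
"""Toy Merkle-Damgard iteration: which collisions on h become collisions on H?"""
import hashlib
import random

BLOCK_LEN = 4        # message block size in bytes (toy choice)
CV_LEN = 2           # chaining value size: a 16-bit state (toy choice)
IV = b"\x00\x01"     # fixed initial value, part of the hash specification


def compress(cv: bytes, block: bytes) -> bytes:
    """h(cv, block): toy 16-bit compression function, SHA-256 truncated to two bytes."""
    assert len(cv) == CV_LEN and len(block) == BLOCK_LEN
    return hashlib.sha256(cv + block).digest()[:CV_LEN]


def pad(msg: bytes) -> bytes:
    """MD strengthening: append 0x80, zero fill, then the 16-bit bit length."""
    out = msg + b"\x80"
    while (len(out) + 2) % BLOCK_LEN:
        out += b"\x00"
    return out + ((len(msg) * 8) & 0xFFFF).to_bytes(2, "big")


def md_hash(msg: bytes) -> bytes:
    """H(msg): iterate h over the padded blocks starting from the fixed IV."""
    cv = IV
    padded = pad(msg)
    for i in range(0, len(padded), BLOCK_LEN):
        cv = compress(cv, padded[i:i + BLOCK_LEN])
    return cv


def rand_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def find_collision_from_cv(cv: bytes, rng: random.Random):
    """Birthday search for b1 != b2 with h(cv, b1) == h(cv, b2); about 2^8 trials here.
    Returns (b1, b2, trials)."""
    seen, trials = {}, 0
    while True:
        trials += 1
        b = rand_bytes(rng, BLOCK_LEN)
        out = compress(cv, b)
        if out in seen and seen[out] != b:
            return seen[out], b, trials
        seen[out] = b


def find_free_start_collision(rng: random.Random):
    """Free-start collision: the attacker picks the chaining values too.
    Returns (cv1, b1), (cv2, b2) with cv1 != cv2, b1 != b2, h(cv1, b1) == h(cv2, b2)."""
    seen = {}
    while True:
        cv, b = rand_bytes(rng, CV_LEN), rand_bytes(rng, BLOCK_LEN)
        out = compress(cv, b)
        if out in seen and seen[out][0] != cv and seen[out][1] != b:
            return seen[out], (cv, b)
        seen[out] = (cv, b)


def find_prefix_reaching(target_cv: bytes, rng: random.Random):
    """One-block prefix p with h(IV, p) == target_cv: a preimage on the chaining
    value, about 2^16 trials here (2^n in general). Returns (p, trials)."""
    trials = 0
    while True:
        trials += 1
        p = rand_bytes(rng, BLOCK_LEN)
        if compress(IV, p) == target_cv:
            return p, trials


def demo(seed: int = 7):
    rng = random.Random(seed)
    # 1. A collision on h under the fixed IV is a collision on H, for any common suffix.
    b1, b2, t_birthday = find_collision_from_cv(IV, rng)
    suffix = b"same tail appended to both messages"
    same_iv_breaks_h = md_hash(b1 + suffix) == md_hash(b2 + suffix)
    # 2. A free-start collision on h does not by itself collide H: the IV is fixed.
    (cv1, x1), (cv2, x2) = find_free_start_collision(rng)
    free_start_breaks_h = md_hash(x1) == md_hash(x2)
    # 3. It becomes a collision on H only after reaching both chaining values from IV.
    p1, t1 = find_prefix_reaching(cv1, rng)
    p2, t2 = find_prefix_reaching(cv2, rng)
    bridged = md_hash(p1 + x1) == md_hash(p2 + x2)
    return same_iv_breaks_h, free_start_breaks_h, bridged, t_birthday, t1 + t2


if __name__ == "__main__":
    ok, fs, bridged, t_b, t_p = demo()
    print(f"fixed-IV h-collision collides H: {ok}")
    print(f"free-start h-collision collides H: {fs}")
    print(f"after {t_p} preimage trials (vs {t_b} birthday trials) it does: {bridged}")
```

The trial counts returned by demo() make the asymmetry concrete: the birthday search on h finishes after a few hundred calls, while the two chaining-value preimages needed to exploit the free-start collision take tens of thousands each. Only chaining values reachable from the IV matter for H, which is the constraint the paper's weaker condition on h captures.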

Proceedings ArticleDOI
01 Nov 2017
TL;DR: A selfish detection medium access control (SDMAC) algorithm against the selfish attack in WBANs is proposed, and it is demonstrated that the proposed SDMAC outperforms other known existing protocols from an energy efficiency and bandwidth reduction perspective.
Abstract: Wireless sensor network (WSN) is a promising technology that is being used for several applications in multiple fields. Advancements of WSN have made it possible to deploy sensors in several fields (e.g. battle, environment monitoring, surveillance, industry, health, etc.). However, existing approaches experience severe security threats in the field of WSNs, particularly in wireless body area networks (WBANs). These security threats are observed at all layers. However, the Medium Access Control (MAC) sub-layer faces more challenges compared with other layers because of the radio, which consumes more energy resources. Thus, any possible attack on the MAC slows down the working process of WBANs. There are several well-known attacks that cause additional energy consumption at the MAC layer in WBANs. These attacks involve the collision, denial of sleep, and selfish attacks. The collision attack and denial of sleep attacks have been researched and handled for MAC over WBANs; however, the selfish attack is not properly addressed. In this paper, we propose a selfish detection medium access control (SDMAC) algorithm against the selfish attack in WBANs. Here the adversary nodes have an advantage over legitimate nodes on MAC protocols, using the resources wrongly, which leads to energy consumption in sensor nodes; the proposed algorithm detects the fake node and blocks the unusual activities. In this case, network performance is improved after applying the proposed algorithm. To validate the performance of the proposed algorithm, a simulation is conducted using NS3. Based on the simulation results, we demonstrate that our proposed SDMAC outperforms other known existing protocols from an energy efficiency and bandwidth reduction perspective.

DOI
19 Sep 2017
TL;DR: In this article, highly structured truncated differential paths are used to mount a new rebound attack on Grøstl-512, a hash function based on two AES-like permutations, P1024 and Q1024, with non-square input and output registers.
Abstract: We consider highly structured truncated differential paths to mount a new rebound attack on Grøstl-512, a hash function based on two AES-like permutations, P1024 and Q1024, with non-square input and output registers. We explain how such differential paths can be computed using a Mixed-Integer Linear Programming approach. Together with a SuperSBox description, this allows us to build a rebound attack with a 6-round inbound phase, whereas classical rebound attacks have 4-round inbound phases. This yields the first distinguishing attack on an 11-round version of P1024 and Q1024 with about 2^72 computations and a memory complexity of about 2^56 bytes, to be compared with the 2^96 computations required by the corresponding generic attack. Previous best results on this permutation reached 10 rounds with a computational complexity of about 2^392 operations, to be compared with the 2^448 computations required by the corresponding generic attack.

Proceedings ArticleDOI
01 Sep 2017
TL;DR: New secure algorithms named NewA3, NewA8, and NewA5 are proposed for use with a secure and efficient authentication and key agreement (AKA) protocol in the GSM network, as replacements for the existing A3, A8, and A5 algorithms.
Abstract: This paper deals with the security vulnerabilities of the cryptographic algorithms A3, A8, and A5 existing in the GSM network. We review these algorithms and propose new secure algorithms named NewA3, NewA8, and NewA5 with respect to the A3, A8, and A5 algorithms. Our NewA5 algorithm is based on block ciphers, but we also propose the NewA5 algorithm with Cipher Feedback, Counter, and Output Feedback modes to convert the block cipher into a stream cipher. However, stream cipher algorithms are slower than the block cipher algorithm. These new algorithms are proposed for use with a secure and efficient authentication and key agreement (AKA) protocol in the GSM network. The proposed architecture is secure against partition attack, narrow pipe attack, collision attack, interleaving attack, and man-in-the-middle attack. The security analysis of the proposed algorithms is discussed with respect to cryptanalysis, brute force analysis, and operational analysis. We choose the NewA3 and NewA8 algorithms for challenge-response and key generation, respectively. Furthermore, NewA5 is suitable for encryption as it is more efficient than the existing A5/1 and A5/2 algorithms. In cases where stream cipher algorithms are required, our new algorithms NewA5-CTR, NewA5-CFB, and NewA5-OFB can be used for specific applications. These algorithms are completely secure and better than the existing A5/1 and A5/2 in terms of resistance to attacks.


Journal Article
TL;DR: In this paper, a theoretical analysis on how to quantify the remaining entropy of the AES key was presented, and a practical search algorithm was derived based on the theoretical analysis and practical experiments showed that even in a setting with high noise or few available traces, it is possible to recover the full AES key or reduce its entropy significantly.
Abstract: Side Channel Attacks are an important attack vector on secure AES implementations. The Correlation-Enhanced Power Analysis Collision Attack by Moradi et al. [MME10] is a powerful collision attack that exploits leakage caused by collisions in between S-Box computations of AES. The attack yields observations from which the AES key can be inferred. Due to noise, an insufficient number of collisions, or errors in the measurement setup, the attack does not find the correct AES key uniquely in practice, and it is unclear how to determine the key in such a scenario. Based on a theoretical analysis on how to quantify the remaining entropy, we derive a practical search algorithm. Both our theoretical analysis and practical experiments show that even in a setting with high noise or few available traces we can either successfully recover the full AES key or reduce its entropy significantly.
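The attack in the abstract, run on simulated traces, as an added example that is not the paper's code: leakage is modelled as the Hamming weight of each first-round S-box output plus Gaussian noise (an assumed model; the traces are constructed, not measured), the FIPS-197 example key stands in for the unknown key, and the attack compares the averaged traces of two S-box instances under every shift Δ to find the one at which they collide, recovering k_0 ⊕ k_j without any hypothesis about the leakage function. The structural residue the paper then has to search is visible in the result: 15 correctly recovered differences still leave 2^8 consistent keys, i.e. 8 bits of entropy, and more whenever noise makes a Δ decision wrong.

```python
"""Correlation-enhanced collision attack (Moradi et al.) on simulated AES S-box leakage."""
import math
import random


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(x: int) -> int:
    """x^254 == x^-1 in GF(2^8); 0 maps to 0 as in the AES S-box."""
    r, base, e = 1, x, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if x else 0


def _sbox_entry(x: int) -> int:
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    inv = gf_inv(x)
    return inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63


SBOX = [_sbox_entry(x) for x in range(256)]   # the genuine AES S-box, computed rather than typed

# Unknown key of the simulated device: the AES-128 example key of FIPS-197 / SP 800-38A.
KEY = list(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))


def simulate_traces(key, n_traces, sigma, rng):
    """Constructed stand-in for measured traces: one sample per first-round S-box,
    Hamming weight of S(p_i xor k_i) plus Gaussian noise (an assumed leakage model)."""
    traces = []
    for _ in range(n_traces):
        pt = [rng.randrange(256) for _ in range(16)]
        leak = [bin(SBOX[p ^ k]).count("1") + rng.gauss(0.0, sigma) for p, k in zip(pt, key)]
        traces.append((pt, leak))
    return traces


def mean_traces(traces):
    """M_i[p]: mean leakage of S-box i over all traces whose plaintext byte i equals p."""
    sums = [[0.0] * 256 for _ in range(16)]
    counts = [[0] * 256 for _ in range(16)]
    for pt, leak in traces:
        for i in range(16):
            sums[i][pt[i]] += leak[i]
            counts[i][pt[i]] += 1
    return [[s / c if c else 0.0 for s, c in zip(sums[i], counts[i])] for i in range(16)]


def pearson(xs, ys) -> float:
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy) if vx and vy else 0.0


def recover_deltas(means):
    """For each j pick the Delta maximising corr(M_0[p], M_j[p xor Delta]) over p.
    Both S-boxes see the same input exactly when Delta == k_0 xor k_j, so their
    averaged leakages collide; no hypothesis about the leakage function is needed."""
    deltas = [0]
    for j in range(1, 16):
        score = lambda d: pearson(means[0], [means[j][p ^ d] for p in range(256)])
        deltas.append(max(range(256), key=score))
    return deltas


def key_candidates(deltas):
    """All keys consistent with the 15 differences: one per guess of k_0, 2^8 in total."""
    return [[k0 ^ d for d in deltas] for k0 in range(256)]


def run_attack(n_traces: int = 4000, sigma: float = 1.0, seed: int = 1):
    rng = random.Random(seed)
    means = mean_traces(simulate_traces(KEY, n_traces, sigma, rng))
    deltas = recover_deltas(means)
    cands = key_candidates(deltas)
    return deltas, cands, math.log2(len(cands))   # remaining entropy in bits


if __name__ == "__main__":
    deltas, cands, bits = run_attack()
    print("recovered k_0 xor k_j:", [hex(d) for d in deltas])
    print(f"true key among {len(cands)} candidates ({bits:.0f} bits left): {KEY in cands}")
```

Lowering n_traces or raising sigma in run_attack() is the regime the abstract describes: some Δ decisions flip to a wrong but nearly equally correlated value, the true key drops out of the 256 candidates, and ranking the Δ scores per byte instead of keeping only the maximum is what turns the residual into a searchable key space.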