
Showing papers on "Differential cryptanalysis published in 2010"


Book ChapterDOI
Henri Gilbert, Thomas Peyrin1
07 Feb 2010
TL;DR: The Super-Sbox technique, as discussed by the authors, uses the fact that one can view two rounds of an AES-like permutation as a layer of big Sboxes preceded and followed by simple affine transformations, and obtains improvements over the previous cryptanalysis results for Grøstl and ECHO.
Abstract: In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grøstl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.

201 citations


Journal ArticleDOI
TL;DR: In the two attacks, only a single plaintext/ciphertext pair is needed to completely break the cryptosystem.

172 citations


Book ChapterDOI
01 Mar 2010
TL;DR: In this article, a multidimensional linear cryptanalysis method is proposed that recovers the 80-bit secret key of PRESENT reduced to 25 of its 31 rounds with a data complexity of around 2^62.4.
Abstract: PRESENT is a hardware-oriented block cipher suitable for resource constrained environments. In this paper we analyze PRESENT by the multidimensional linear cryptanalysis method. We claim that our attack can recover the 80-bit secret key of PRESENT up to 25 rounds out of 31 rounds with around 2^62.4 data complexity. Furthermore, we show that the 26-round version of PRESENT can be attacked faster than exhaustive key search with 2^64 data complexity by an advanced key search technique. Our results are superior to all the previous attacks. We demonstrate our result by performing the linear attacks on reduced variants of PRESENT. Our results exemplify that the performance of the multidimensional linear attack is superior compared to the classical linear attack.

164 citations


Book ChapterDOI
07 Feb 2010
TL;DR: This paper analyzes the security of systems based on modular additions, rotations, and XORs (ARX systems) and proves that ARX with constants are functionally complete, i.e. any function can be realized with these operations.
Abstract: In this paper we analyze the security of systems based on modular additions, rotations, and XORs (ARX systems). We provide both theoretical support for their security and practical cryptanalysis of real ARX primitives. We use a technique called rotational cryptanalysis, that is universal for the ARX systems and is quite efficient. We illustrate the method with the best known attack on reduced versions of the block cipher Threefish (the core of Skein). Additionally, we prove that ARX with constants are functionally complete, i.e. any function can be realized with these operations.

144 citations
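The rotational property the Threefish paper relies on is easy to make concrete. The following is an added example, not code from that paper: it counts, for a small word size, how often a rotational pair (x, y) and (rotl(x, r), rotl(y, r)) survives one modular addition, and checks the count against the exact closed form (the carry-free argument derived in the docstring; word size n, rotation amount r and the 64-bit/19-bit figures used in the usage call are chosen here for illustration). XOR and rotation preserve rotational pairs with probability 1, so the additions are what an ARX rotational distinguisher has to pay for.

```python
import math
from fractions import Fraction


def rotl(x, r, n):
    """Rotate the n-bit word x left by r positions (0 < r < n)."""
    mask = (1 << n) - 1
    return ((x << r) | (x >> (n - r))) & mask


def rotational_count(n, r):
    """Exhaustively count the pairs (x, y) of n-bit words for which the
    rotational pair survives one modular addition, i.e.
        rotl((x + y) mod 2^n, r) == (rotl(x, r) + rotl(y, r)) mod 2^n."""
    mask = (1 << n) - 1
    good = 0
    for x in range(1 << n):
        for y in range(1 << n):
            lhs = rotl((x + y) & mask, r, n)
            rhs = (rotl(x, r, n) + rotl(y, r, n)) & mask
            if lhs == rhs:
                good += 1
    return good


def rotational_probability(n, r):
    """Exact closed form (assumed here, verified by rotational_count).
    Write x = 2^r * a + b with b the low r bits. Both sides agree exactly
    when neither the r-bit addition b_x + b_y nor the (n-r)-bit addition
    a_x + a_y produces a carry; for uniform m-bit words
    Pr[no carry] = (2^m + 1) / 2^(m+1) = (1 + 2^-m) / 2, hence
        Pr = (1 + 2^-r)(1 + 2^-(n-r)) / 4 = (1 + 2^(r-n) + 2^-r + 2^-n) / 4,
    which tends to 1/4 for a 64-bit word and a moderate rotation amount."""
    no_carry_low = Fraction((1 << r) + 1, 1 << (r + 1))
    no_carry_high = Fraction((1 << (n - r)) + 1, 1 << (n - r + 1))
    return no_carry_low * no_carry_high


def rotational_weight(n, r, additions):
    """-log2 of the probability that a rotational pair survives `additions`
    independent modular additions of n-bit words: the rough data/time cost
    (in bits) of a rotational distinguisher over that many additions."""
    p = rotational_probability(n, r)
    return -additions * math.log2(p.numerator / p.denominator)


if __name__ == "__main__":
    n, r = 8, 1
    print(rotational_count(n, r), rotational_probability(n, r) * 4 ** n)
    # 64-bit words with a 19-bit rotation (values chosen for illustration):
    # each addition costs almost exactly 2 bits of probability.
    print(round(rotational_weight(64, 19, 1), 3))
```

Rotational pairs are preserved by constants only if the constants are themselves rotation-invariant, which is why the paper's functional-completeness result for ARX with constants matters: constants are the designer's cheapest defence against this property.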


Book ChapterDOI
25 Jan 2010
TL;DR: The experimental results show that after a system initialization phase Hummingbird can achieve up to 147 and 4.7 times faster throughput for a size-optimized and a speed-optimized implementation, respectively, when compared to the state-of-the-art ultra-lightweight block cipher PRESENT on similar platforms.
Abstract: Due to the tight cost and constrained resources of high-volume consumer devices such as RFID tags, smart cards and wireless sensor nodes, it is desirable to employ lightweight and specialized cryptographic primitives for many security applications. Motivated by the design of the well-known Enigma machine, we present a novel ultra-lightweight cryptographic algorithm, referred to as Hummingbird, for resource-constrained devices in this paper. Hummingbird can provide the designed security with small block size and is resistant to the most common attacks such as linear and differential cryptanalysis. Furthermore, we also present efficient software implementations of Hummingbird on the 8-bit microcontroller ATmega128L from Atmel and the 16-bit microcontroller MSP430 from Texas Instruments, respectively. Our experimental results show that after a system initialization phase Hummingbird can achieve up to 147 and 4.7 times faster throughput for a size-optimized and a speed-optimized implementation, respectively, when compared to the state-of-the-art ultra-lightweight block cipher PRESENT [10] on similar platforms.

143 citations


Book ChapterDOI
05 Dec 2010
TL;DR: Non-linear feedback shift registers are widely used in lightweight cryptographic primitives and a general analysis technique based on differential cryptanalysis is proposed to identify conditions on the internal state to obtain a deterministic differential characteristic for a large number of rounds.
Abstract: Non-linear feedback shift registers are widely used in lightweight cryptographic primitives. For such constructions we propose a general analysis technique based on differential cryptanalysis. The essential idea is to identify conditions on the internal state to obtain a deterministic differential characteristic for a large number of rounds. Depending on whether these conditions involve public variables only, or also key variables, we derive distinguishing and partial key recovery attacks. We apply these methods to analyse the security of the eSTREAM finalist Grain v1 as well as the block cipher family KATAN/KTANTAN. This allows us to distinguish Grain v1 reduced to 104 of its 160 rounds and to recover some information on the key. The technique naturally extends to higher order differentials and enables us to distinguish Grain-128 up to 215 of its 256 rounds and to recover parts of the key up to 213 rounds. All results are the best known thus far and are achieved by experiments in practical time.

132 citations


Journal ArticleDOI
TL;DR: In this article, the authors propose modifications to the Patidar et al. image cipher to make it robust against these two cryptanalytic attacks; the security analysis shows that the modified image cipher preserves all the good properties of the original cipher and also withstands the aforesaid attacks.

112 citations


Book ChapterDOI
12 Aug 2010
TL;DR: In this paper, the authors describe a variant of existing meet-in-the-middle attacks on block ciphers, which is applicable to the KTANTAN family of block ciphers accepting a key of 80 bits, and show that a strong related-key property can translate to a successful attack in the non-related-key setting.
Abstract: In this paper we describe a variant of existing meet-in-the-middle attacks on block ciphers. As an application, we propose meet-in-the-middle attacks that are applicable to the KTANTAN family of block ciphers accepting a key of 80 bits. The attacks are due to some weaknesses in its bitwise key schedule. We report an attack of time complexity 2^75.170 encryptions on the full KTANTAN32 cipher with only 3 plaintext/ciphertext pairs, as well as 2^75.044 encryptions on the full KTANTAN48 and 2^75.584 encryptions on the full KTANTAN64 with 2 plaintext/ciphertext pairs. All these attacks work in the classical attack model without any related keys. In the differential related-key model, we demonstrate 218- and 174-round differentials holding with probability 1. This shows that a strong related-key property can translate to a successful attack in the non-related-key setting. Having extremely low data requirements, these attacks are valid even in RFID-like environments where only a very limited amount of text material may be available to an attacker.

108 citations


Book ChapterDOI
12 Dec 2010
TL;DR: An algebraic analysis is presented that recovers equivalent keys from the white-box implementation; it shows how the perturbations and the system of random equations can be distinguished from the implementation, and how the linear input and output encodings can be eliminated.
Abstract: In response to various cryptanalysis results on white-box cryptography, Bringer et al. presented a novel white-box strategy. They propose to extend the round computations of a block cipher with a set of random equations and perturbations, and complicate the analysis by implementing each such round as one system that is obfuscated with annihilating linear input and output encodings. The improved version presented by Bringer et al. implements the AEw/oS, which is an AES version with key-dependent S-boxes (the S-boxes are in fact the secret key). In this paper we present an algebraic analysis to recover equivalent keys from the implementation. We show how the perturbations and system of random equations can be distinguished from the implementation, and how the linear input and output encodings can be eliminated. The result is that we have decomposed the white-box implementation into a much simpler, functionally equivalent implementation and retrieved a set of keys that are equivalent to the original key. Our cryptanalysis has a worst-case time complexity of 2^17 and a negligible space complexity.

96 citations


Book ChapterDOI
12 Dec 2010
TL;DR: By this attack, 7-round AES-128 is breakable with a data complexity of about 2^106 chosen plaintexts and a time complexity equivalent to about 2^110 encryptions, better than any previously known attack on AES-128 in the single-key scenario.
Abstract: Using a new 4-round impossible differential in AES that allows us to exploit the redundancy in the key schedule of AES-128 in a way more effective than previous work, we present a new impossible differential attack on 7 rounds of this block cipher. By this attack, 7-round AES-128 is breakable with a data complexity of about 2^106 chosen plaintexts and a time complexity equivalent to about 2^110 encryptions. This result is better than any previously known attack on AES-128 in the single-key scenario.

95 citations


Book ChapterDOI
30 May 2010
TL;DR: This paper presents an efficient search tool for finding differential characteristics both in the state and in the key and designs the best related-key and chosen key attacks on AES, byte-Camellia, Khazad, FOX, and Anubis.
Abstract: While differential behavior of modern ciphers in a single secret key scenario is relatively well understood, and simple techniques for computation of security lower bounds are readily available, the security of modern block ciphers against related-key attacks is still very ad hoc. In this paper we make a first step towards provable security of block ciphers against related-key attacks by presenting an efficient search tool for finding differential characteristics both in the state and in the key (note that due to similarities between block ciphers and hash functions such tool will be useful in analysis of hash functions as well). We use this tool to search for the best possible (in terms of the number of rounds) related-key differential characteristics in AES, byte-Camellia, Khazad, FOX, and Anubis. We show the best related-key differential characteristics for 5, 11, and 14 rounds of AES-128, AES-192, and AES-256 respectively. We use the optimal differential characteristics to design the best related-key and chosen key attacks on AES-128 (7 out of 10 rounds), AES-192 (full 12 rounds), byte-Camellia (full 18 rounds) and Khazad (7 and 8 out of 8 rounds). We also show that ciphers FOX and Anubis have no related-key attacks on more than 4-5 rounds.

Journal ArticleDOI
TL;DR: Some properties of the differential spectra of power functions, i.e., monomial mappings on F_{2^n}, are investigated, focusing in particular on functions with a small differential uniformity and on some infinite families of power functions.
Abstract: Some properties of power permutations, that is, monomial bijective mappings on F_{2^n}, are investigated. In particular, the differential spectrum of these functions is shown to be of great interest for estimating their resistance to some variants of differential cryptanalysis. The relationships between the differential spectrum of a power permutation and the weight enumerator of a cyclic code with two zeroes are provided. The functions with a two-valued differential spectrum are also studied and the differential spectra of several infinite families of exponents are computed.
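The differential spectrum of a power function is cheap to compute, because for F(x) = x^d one has F(ax) = a^d F(x), so the row of the difference distribution table for any nonzero input difference a is a permutation of the row for a = 1. The following is an added example, not code from the paper above: it computes the spectrum {delta(1, b) : b in F_{2^n}} as a histogram of values for the Gold function x^3 and for the inversion function x^{2^n - 2} (the AES S-box core), and checks the independence from a. The field polynomials 0xB (n = 3), 0x25 (n = 5) and 0x11B (n = 8, the AES polynomial) are the usual choices and are assumed here; the result does not depend on them.

```python
def gf_mul(a, b, n, poly):
    """Multiply a and b in GF(2^n) defined by the irreducible polynomial
    `poly`, written with its leading x^n term (e.g. 0x11B for AES)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:          # degree reached n: reduce modulo poly
            a ^= poly
    return r


def gf_pow(x, d, n, poly):
    """x^d in GF(2^n) by square-and-multiply (0^d = 0 for d > 0)."""
    r = 1
    while d:
        if d & 1:
            r = gf_mul(r, x, n, poly)
        x = gf_mul(x, x, n, poly)
        d >>= 1
    return r


def differential_spectrum(d, n, poly, a=1):
    """Histogram {k: #b with delta(a, b) == k} for F(x) = x^d on GF(2^n),
    where delta(a, b) = #{x : F(x ^ a) ^ F(x) == b}. For a power function
    the histogram is the same for every nonzero a (substitute x = a*y and
    use F(a*y) = a^d F(y)), so a = 1 characterises the whole DDT."""
    size = 1 << n
    counts = [0] * size
    for x in range(size):
        counts[gf_pow(x ^ a, d, n, poly) ^ gf_pow(x, d, n, poly)] += 1
    spectrum = {}
    for c in counts:
        spectrum[c] = spectrum.get(c, 0) + 1
    return spectrum


def differential_uniformity(d, n, poly):
    """max delta(a, b) over a != 0, b; 2 is the best possible (APN) and is
    what a differential attack's best one-round probability is bounded by
    (delta / 2^n)."""
    return max(differential_spectrum(d, n, poly))


if __name__ == "__main__":
    # x^3 is APN on every GF(2^n): half the output differences occur twice,
    # the other half never.
    print(differential_spectrum(3, 5, 0x25))
    # Inversion on GF(2^8): one output difference with delta = 4, so the
    # AES S-box has differential uniformity 4 (best differential 2^-6).
    print(differential_spectrum(254, 8, 0x11B))
```

For x^3 the spectrum can be read off by hand: (x + 1)^3 + x^3 = x^2 + x + 1 over characteristic 2, and x -> x^2 + x is exactly 2-to-1 (x and x + 1 collide), so every reachable output difference has delta = 2. The inversion spectrum {0: 2^(n-1) + 1, 2: 2^(n-1) - 2, 4: 1} for even n is the standard result the AES design relies on.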

Proceedings ArticleDOI
12 May 2010
TL;DR: This paper recommends using a lightweight block cipher referred to as byte-oriented substitution-permutation network (BSPN), to achieve energy efficiency with a level of security suitable for wireless sensor networks.
Abstract: In this paper, we examine the energy efficiency of symmetric key cryptographic algorithms applied in wireless sensor networks (WSNs) and in our study we consider both stream ciphers and block ciphers. We derive the computational energy cost of the ciphers under consideration by comparing the number of CPU cycles required to perform encryption. After evaluating a number of symmetric key ciphers, we compare the energy performance of stream ciphers and block ciphers applied to a noisy channel in a WSN. In conclusion, we recommend using a lightweight block cipher referred to as byte-oriented substitution-permutation network (BSPN), to achieve energy efficiency with a level of security suitable for wireless sensor networks.

Book ChapterDOI
12 Dec 2010
TL;DR: In this article, the authors present a new statistical cryptanalytic technique that they call improbable differential cryptanalysis, which uses a differential that is less probable when the correct key is used; they provide data complexity estimates for this kind of attack and also show a method to expand impossible differentials to improbable differentials.
Abstract: In this paper we present a new statistical cryptanalytic technique that we call improbable differential cryptanalysis which uses a differential that is less probable when the correct key is used. We provide data complexity estimates for this kind of attack and we also show a method to expand impossible differentials to improbable differentials. By using this expansion method, we cryptanalyze 13, 14, and 15-round CLEFIA for the key sizes of length 128, 192, and 256 bits, respectively. These are the best cryptanalytic results on CLEFIA up to this date.

Journal ArticleDOI
TL;DR: A widely applicable matrix method to find impossible differentials of block cipher structures whose round functions are bijective is introduced and it is expected that the matrix method developed will be useful for evaluating the security of block ciphers against impossible differential cryptanalysis.

Book ChapterDOI
07 Feb 2010
TL;DR: A practical attack against DSC is proposed that recovers the secret key from 2^15 keystreams on a standard PC with a success rate of 50% within hours; somewhat faster when a CUDA graphics adapter is available.
Abstract: The DECT Standard Cipher (DSC) is a proprietary 64-bit stream cipher based on irregularly clocked LFSRs and a non-linear output combiner. The cipher is meant to provide confidentiality for cordless telephony. This paper illustrates how the DSC was reverse-engineered from a hardware implementation using custom firmware and information on the structure of the cipher gathered from a patent. Beyond disclosing the DSC, the paper proposes a practical attack against DSC that recovers the secret key from 2^15 keystreams on a standard PC with a success rate of 50% within hours; somewhat faster when a CUDA graphics adapter is available.

Posted Content
TL;DR: A package of statistical tests are designed based on certain cryptographic properties of block ciphers and hash functions to evaluate their randomness, and are applied to the AES finalists, and produced more precise results than those obtained in similar applications.
Abstract: One of the most basic properties expected from block ciphers and hash functions is passing statistical randomness testing, as they are expected to behave like random mappings. Previously, testing of AES candidate block ciphers was done by concatenating the outputs of the algorithms obtained from various input types. In this work, a more convenient method, namely the cryptographic randomness testing is introduced. A package of statistical tests are designed based on certain cryptographic properties of block ciphers and hash functions to evaluate their randomness. The package is applied to the AES finalists, and produced more precise results than those obtained in similar applications.

Book ChapterDOI
12 Aug 2010
TL;DR: This paper shows how to calculate the probability that given input differences lead to given output differences through an S-function, as well as how to count the number of output differences with non-zero probability.
Abstract: An increasing number of cryptographic primitives use operations such as addition modulo 2^n, multiplication by a constant and bitwise Boolean functions as a source of non-linearity. In NIST's SHA-3 competition, this applies to 6 out of the 14 second-round candidates. In this paper, we generalize such constructions by introducing the concept of S-functions. An S-function is a function that calculates the i-th output bit using only the inputs of the i-th bit position and a finite state S[i]. Although S-functions have been analyzed before, this paper is the first to present a fully general and efficient framework to determine their differential properties. A precursor of this framework was used in the cryptanalysis of SHA-1. We show how to calculate the probability that given input differences lead to given output differences, as well as how to count the number of output differences with non-zero probability. Our methods are rooted in graph theory, and the calculations can be efficiently performed using matrix multiplications.
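The matrix view of an S-function is worth seeing for the simplest case, modular addition with XOR differences (xdp+). The following is an added example in the spirit of that framework, not the paper's own code: the state at bit i is the pair of carries of the two additions x + y and (x ^ alpha) + (y ^ beta), each bit-level difference triple (alpha_i, beta_i, gamma_i) gets a 4x4 matrix counting the (x_i, y_i) values that move the carry pair from one state to another while producing output difference gamma_i, and the probability is a product of these matrices applied to the all-zero start state. The matrices are derived here by enumeration rather than copied from the paper, and the result is checked against brute force for 4-bit words.

```python
from fractions import Fraction
from itertools import product


def build_transition_matrices():
    """For each bit-level triple w = (alpha_i, beta_i, gamma_i) build A_w,
    with A_w[new][old] = number of (x_i, y_i) in {0,1}^2 that take the carry
    pair (c, c*) from `old` to `new` and give z_i ^ z_i* == gamma_i."""
    mats = {}
    for w in product((0, 1), repeat=3):
        a_i, b_i, g_i = w
        A = [[0] * 4 for _ in range(4)]
        for old in range(4):
            c, cs = old & 1, old >> 1          # carries of the two additions
            for x, y in product((0, 1), repeat=2):
                z = x ^ y ^ c
                c_new = (x & y) | (x & c) | (y & c)       # majority = carry
                xs, ys = x ^ a_i, y ^ b_i                 # second (starred) pair
                zs = xs ^ ys ^ cs
                cs_new = (xs & ys) | (xs & cs) | (ys & cs)
                if z ^ zs == g_i:
                    A[c_new | (cs_new << 1)][old] += 1
        mats[w] = A
    return mats


MATS = build_transition_matrices()


def xdp_add(alpha, beta, gamma, n):
    """xdp+(alpha, beta -> gamma) for n-bit modular addition as
    L * A_{w_{n-1}} * ... * A_{w_0} * C, with C = (1,0,0,0) (both carries
    start at 0) and L = (1,1,1,1) (the final carry-out is discarded).
    Returns an exact Fraction; cost is linear in n."""
    v = [1, 0, 0, 0]
    for i in range(n):
        A = MATS[((alpha >> i) & 1, (beta >> i) & 1, (gamma >> i) & 1)]
        v = [sum(A[new][old] * v[old] for old in range(4)) for new in range(4)]
    return Fraction(sum(v), 4 ** n)


def count_possible_outputs(alpha, beta, n):
    """Number of output differences gamma with xdp+(alpha, beta -> gamma) > 0."""
    return sum(1 for g in range(1 << n) if xdp_add(alpha, beta, g, n) > 0)


def xdp_add_bruteforce(alpha, beta, gamma, n):
    """Reference: enumerate all 4^n pairs (x, y); only feasible for small n."""
    mask = (1 << n) - 1
    good = sum(1 for x in range(1 << n) for y in range(1 << n)
               if ((x + y) ^ ((x ^ alpha) + (y ^ beta))) & mask == gamma)
    return Fraction(good, 4 ** n)


if __name__ == "__main__":
    # A single-bit input difference in both operands that must cancel costs
    # one bit (the two carries must agree); in the MSB it is free.
    print(xdp_add(1, 1, 0, 32), xdp_add(1 << 31, 1 << 31, 0, 32))
    print(xdp_add(1, 0, 1, 8), count_possible_outputs(1, 0, 8))
```

The same construction, with a larger state, handles the other bit-sliceable operations the abstract lists (multiplication by a constant, bitwise Boolean functions mixed with addition); what changes is only the enumeration that builds the matrices, not the product that evaluates them.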

Proceedings ArticleDOI
26 Feb 2010
TL;DR: This paper analyzes a popular and cryptographically significant class of non-linear Boolean functions for their resistance to algebraic attacks.
Abstract: This paper mainly analyses and describes the design issues of stream ciphers in network security, as stream ciphers are widely used to protect the privacy of digital information. A variety of attacks against stream ciphers exist (algebraic and so on). These attacks have been very successful against a variety of stream ciphers. So in this paper efforts have been made to design and analyze stream ciphers. The main contribution is to design new stream ciphers through analysis of the algebraic immunity of Boolean functions and S-boxes. In this paper, the cryptographic properties of non-linear transformations have been used for the design of stream ciphers. Many LFSR (linear feedback shift register) based stream ciphers use a non-linear Boolean function to destroy the linearity of the LFSR(s) output. Many of these designs have been broken by algebraic attacks. Here we analyze a popular and cryptographically significant class of non-linear Boolean functions for their resistance to algebraic attacks.

Proceedings ArticleDOI
04 Oct 2010
TL;DR: The Atmel chip families SecureMemory, CryptoMemory, and CryptoRF use a proprietary stream cipher to guarantee authenticity, confidentiality, and integrity; as shown in this paper, the three components of the cipher operate largely independently, and the intermediate output generated by two of those components is strongly correlated with the generated keystream.
Abstract: The Atmel chip families SecureMemory, CryptoMemory, and CryptoRF use a proprietary stream cipher to guarantee authenticity, confidentiality, and integrity. This paper describes the cipher in detail and points out several weaknesses. One is the fact that the three components of the cipher operate largely independently; another is that the intermediate output generated by two of those components is strongly correlated with the generated keystream. For SecureMemory, a single eavesdropped trace is enough to recover the secret key with probability 0.57 in 2^39 cipher ticks. This is a factor of 2^31.5 faster than a brute force attack. On a 2 GHz laptop, this takes around 10 minutes. With more traces, the secret key can be recovered with virtual certainty without significant additional cost in time. For CryptoMemory and CryptoRF, if one has 2640 traces it is possible to recover the key in 2^52 cipher ticks, which is 2^19 times faster than brute force. On a 50 machine cluster of 2 GHz quad-core machines this would take less than 2 days.

Proceedings ArticleDOI
27 Jun 2010
TL;DR: This paper develops a DES variant with more resistance towards the possible attacks against DES, with a sub-key generation algorithm that is completely different from the original DES.
Abstract: The Data Encryption Standard (DES) has shown noticeable signs of aging during the last two decades. In this paper we develop a system that is a DES variant with more resistance towards the possible attacks against DES. The developed system has a sub-key generation algorithm that is completely different from the original DES. The developed system uses an 84-bit initial key instead of the 56-bit key originally used. It has substitution boxes inside the key generation algorithm and mod-2 additions. The choice of arrangement of substitution boxes in the main algorithm for each round is sub-key dependent. The result of the design is a DES-variant cryptographic system that has higher resistance against brute-force attack, differential cryptanalysis, and linear cryptanalysis. The proposed system design also eliminates the weak-key and complement-key properties of DES.

01 Jan 2010
TL;DR: This paper deals with a new rapid method for generating regular 8x8 S-boxes with nonlinearity up to a value of 104, which combines a special genetic algorithm with total tree searching.
Abstract: Substitution boxes are important parts in many block and stream ciphers. The emergence of a range of crypto-attacks has led to the development of criteria for repelling such attacks. The nonlinearity criterion provides some protection against well-known attacks, such as linear cryptanalysis and differential cryptanalysis. The open problem is to construct generating methods that are rapid and generate S-boxes with the highest possible nonlinearity. This paper deals with a new rapid method for generating regular 8x8 S-boxes with nonlinearity up to a value of 104. The new method combines a special genetic algorithm with total tree searching.
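The nonlinearity figure quoted above (104 for an 8x8 S-box, against 112 for the AES S-box) is the minimum Hamming distance from any nonzero linear combination of the S-box's output bits to the set of affine functions, and it is read off the Walsh spectrum; the same spectrum gives the best linear approximation bias that drives the data complexity of linear attacks such as the PRESENT attack listed earlier on this page. The following is an added example, not code from either paper: it computes the Walsh spectrum, the nonlinearity and the best bias of the public 4-bit PRESENT S-box (table as published in the PRESENT specification) and of the identity mapping for contrast. The 4-bit case is used so that the full spectrum is cheap to enumerate; the functions take any n-bit lookup table.

```python
from fractions import Fraction

# PRESENT S-box (4-bit, from the cipher's specification).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(v):
    """<a, x> over GF(2): parity of the AND of two bit vectors."""
    return bin(v).count("1") & 1


def walsh_spectrum(sbox, n):
    """W[a][b] = sum over x of (-1)^(<a, x> ^ <b, S(x)>) for every input mask
    a and output mask b. |W| = 2^n means the masked output is an affine
    function of the masked input; W = 0 means no correlation at all."""
    size = 1 << n
    return [[sum(1 - 2 * (parity(a & x) ^ parity(b & sbox[x])) for x in range(size))
             for b in range(size)] for a in range(size)]


def linearity(sbox, n):
    """max |W[a][b]| over all a and all nonzero output masks b."""
    W = walsh_spectrum(sbox, n)
    return max(abs(W[a][b]) for a in range(1 << n) for b in range(1, 1 << n))


def nonlinearity(sbox, n):
    """NL(S) = 2^(n-1) - linearity(S) / 2: distance of the worst component
    function <b, S(x)> to the nearest affine function. For n = 4 a
    permutation cannot exceed 4; for n = 8 the AES S-box reaches 112."""
    return (1 << (n - 1)) - linearity(sbox, n) // 2


def best_linear_bias(sbox, n):
    """Largest |Pr[<a, x> = <b, S(x)>] - 1/2| over nonzero b, i.e.
    |W| / 2^(n+1). A linear attack needs on the order of bias^-2 texts per
    active S-box, so this is the number a designer wants small."""
    return Fraction(linearity(sbox, n), 1 << (n + 1))


def best_linear_approximations(sbox, n):
    """All (a, b) mask pairs attaining the maximal |W|, i.e. the trails a
    linear-cryptanalysis search would start from."""
    W = walsh_spectrum(sbox, n)
    top = linearity(sbox, n)
    return [(a, b) for a in range(1 << n) for b in range(1, 1 << n) if abs(W[a][b]) == top]


if __name__ == "__main__":
    print(nonlinearity(PRESENT_SBOX, 4), best_linear_bias(PRESENT_SBOX, 4))
    print(len(best_linear_approximations(PRESENT_SBOX, 4)))
    print(nonlinearity(list(range(16)), 4), best_linear_bias(list(range(16)), 4))
```

Nonlinearity alone is not the whole story, which is why the abstract above pairs it with the differential criterion: the DDT of the same table is a separate computation, and an S-box can be optimal for one and weak for the other.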

Book ChapterDOI
22 Jun 2010
TL;DR: The results show that when designing a Feistel cipher with an SP or SPS round function whose diffusion layer is selected from F_2^{n×n}, the linear transformation should be chosen carefully to make the cipher secure against impossible differential cryptanalysis.
Abstract: Impossible differential cryptanalysis is well known to be effective in analyzing the security of block ciphers. A known result shows that there always exist 5-round impossible differentials of a Feistel cipher with bijective round function. However, if more details of the round function are known, the result can be improved. This paper mainly studies the impossible differentials of Feistel ciphers with both SP and SPS round functions where the linear transformation P is defined over F_2^{n×n}. For Feistel ciphers with SP round functions, any column of P ⊕ P^-1 whose Hamming weight is greater than 1 corresponds to some 6-round impossible differentials. The existence of some 7-round impossible differentials can be determined by counting the number of times 1 appears at some special positions of P and P^-1. Some 8-round impossible differentials can be found by computing the rank of some sub-matrix of P. Impossible differentials of Camellia found by these techniques are well consistent with previously known results. For Feistel ciphers with SPS round functions, by determining the rank of some sub-matrix of P, 6-round impossible differentials can be found, which improves the results on E2 by one round. These results tell that when designing a Feistel cipher with SP or SPS round function where the diffusion layer is selected from F_2^{n×n}, the linear transformation should be chosen carefully to make the cipher secure against impossible differential cryptanalysis.

Book ChapterDOI
01 Dec 2010
TL;DR: The lower bound for finding a pair that follows some truncated differential in case of a random permutation is proved, and open-key differential distinguishers for some well known round-reduced block ciphers are presented.
Abstract: In this paper we investigate the differential properties of block ciphers in hash function modes of operation. First we show the impact of differential trails for block ciphers on collision attacks for various hash function constructions based on block ciphers. Further, we prove the lower bound for finding a pair that follows some truncated differential in case of a random permutation. Then we present open-key differential distinguishers for some well known round-reduced block ciphers.

Posted Content
TL;DR: In this paper, the rebound attack is introduced as a variant of differential cryptanalysis on hash functions and applied to the hash function Whirlpool, standardized by ISO/IEC.
Abstract: We introduce the rebound attack as a variant of differential cryptanalysis on hash functions and apply it to the hash function Whirlpool, standardized by ISO/IEC. We give attacks on reduced variants of the Whirlpool hash function and the Whirlpool compression function. Next, we introduce the subspace problems as generalizations of near-collision resistance. Finally, we present distinguishers based on the rebound attack, that apply to the full compression function of Whirlpool and the underlying block cipher W.

Book ChapterDOI
05 Jul 2010
TL;DR: In this paper, the authors present a study of Hamsi's resistance to differential and higher-order differential cryptanalysis, with focus on the 256-bit version of the hash function.
Abstract: Hamsi is one of 14 remaining candidates in NIST's Hash Competition for the future hash standard SHA-3. Until now, little analysis has been published on its resistance to differential cryptanalysis, the main technique used to attack hash functions. We present a study of Hamsi's resistance to differential and higher-order differential cryptanalysis, with focus on the 256-bit version of Hamsi. Our main results are efficient distinguishers and near-collisions for its full (3-round) compression function, and distinguishers for its full (6-round) finalization function, indicating that Hamsi's building blocks do not behave ideally.

Book ChapterDOI
13 Oct 2010
TL;DR: This paper revisits computational soundness amplification by sequential repetition in the threshold case, i.e. when completeness is not perfect, and outlines applications to the Leftover Hash Lemma and iterative attacks on block ciphers.
Abstract: In this paper, we study the soundness amplification by repetition of cryptographic protocols. As a tool, we use the Chernoff Information. We specify the number of attempts or samples required to distinguish two distributions efficiently in various protocols. This includes weakly verifiable puzzles such as CAPTCHA-like challenge-response protocols, interactive arguments in the sequential composition scenario and cryptanalysis of block ciphers. As our main contribution, we revisit computational soundness amplification by sequential repetition in the threshold case, i.e. when completeness is not perfect. Moreover, we outline applications to the Leftover Hash Lemma and iterative attacks on block ciphers.

Book ChapterDOI
15 Dec 2010
TL;DR: A cache-timing attack on the SNOW 3G stream cipher is presented, capable of recovering the full cipher state from empirical timing data in a matter of seconds, requiring no known keystream and only observation of a small number of cipher clocks.
Abstract: We present a cache-timing attack on the SNOW 3G stream cipher. The attack has extremely low complexity and we show it is capable of recovering the full cipher state from empirical timing data in a matter of seconds, requiring no known keystream and only observation of a small number of cipher clocks. The attack exploits the cipher using the output from an S-box as input to another S-box: we show that the corresponding cache-timing data almost uniquely determines said S-box input. We mention other ciphers with similar structure where this attack applies, such as the K2 cipher currently under standardization consideration by ISO. Our results yield new insights into the secure design and implementation of ciphers with respect to side-channels. We also give results of a bit-slice implementation as a countermeasure.

Book ChapterDOI
07 Feb 2010
TL;DR: Nonlinear equivalence of stream ciphers over a finite field, exemplified by the pure LFSR-based filter generator over F_2, is investigated, and it is shown that a number of important cryptographic properties are not invariant among elements of the same equivalence class.
Abstract: In this paper we investigate nonlinear equivalence of stream ciphers over a finite field, exemplified by the pure LFSR-based filter generator over F_2. We define a nonlinear equivalence class consisting of filter generators of length n that generate a binary keystream of period dividing 2^n - 1, and investigate certain cryptographic properties of the ciphers in this class. We show that a number of important cryptographic properties, such as algebraic immunity and nonlinearity, are not invariant among elements of the same equivalence class. It follows that analysis of cipher components in isolation presents some limitations, as it most often involves investigating cryptographic properties that vary among equivalent ciphers. Thus in order to assess the resistance of a cipher against a certain type of attack, one should in theory determine the weakest equivalent cipher and not only a particular instance. This is however likely to be a very difficult task, when we consider the size of the equivalence class for ciphers used in practice; therefore assessing the exact cryptographic properties of a cipher appears to be notoriously difficult.

Book ChapterDOI
12 May 2010
TL;DR: This paper investigates the security of the NOEKEON block cipher against side channel cube attacks and shows that it is possible to extract 60 independent linear equations over 99 (out of 128) key variables.
Abstract: In this paper, we investigate the security of the NOEKEON block cipher against side channel cube attacks. NOEKEON was proposed by Daemen et al. for the NESSIE project. The block size and the key size are both 128 bits. The cube attack, introduced by Dinur and Shamir at EUROCRYPT 2009, is a new type of algebraic cryptanalysis. The attack may be applied if the adversary has access to a single bit of information that can be represented by a low degree multivariate polynomial over GF(2) of secret and public variables. In the side channel attack model, the attacker is assumed to have access to some leaked information about the internal state of the cipher as well as the plaintext and ciphertext. Adopting the notion of a single bit leakage as formalized by Dinur and Shamir, we assume that the attacker has only one bit of information about the intermediate state after each round. Using this side channel attack model, we show that it is possible to extract 60 independent linear equations over 99 (out of 128) key variables. To recover the whole 128-bit key, the attack requires only about 2^10 chosen plaintexts and O(2^68) time complexity.