Improved Attack on Full-round Grain-128
|
|
- Marion Stephens
- 5 years ago
- Views:
Transcription
1 Improved Attack on Full-round Grain-128 Ximing Fu 1, and Xiaoyun Wang 1,2,3,4, and Jiazhe Chen 5, and Marc Stevens 6, and Xiaoyang Dong 2 1 Department of Computer Science and Technology, Tsinghua University, Beijing , China 2 Institute for Advanced Study, Tsinghua University, Beijing , China xiaoyunwang@mail.tsinghua.edu.cn 3 School of Mathematics, Shandong University, Jinan , China 4 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan , China, 5 China Information Technology Security Evaluation Center, Beijing , China, 6 Centrum Wiskunde & Informatica, Amsterdam, The Netherlands Keywords: Stream ciphers, Grain-128, Polynomial reduction, IV representation, Dynamic cube attack Abstract. In this paper, we propose a series of techniques that can be used to determine the missing IV terms of a complex multivariable Boolean polynomial. Using these techniques, we revisit the dynamic cube attack on Grain-128. Based on choosing one more nullified state bit and one more dynamic bit, we are able to obtain the IV terms of degree 43, combined with various of reduction techniques, fast discarding monomial techniques and IV representation technique for polynomials, so that the missing IV terms can be determined. As a result, we improve the time complexity of the best previous attack on Grain-128 by a factor of Moreover, our attack applies to all keys. 1 Introduction Most cryptanalytic problems of symmetric ciphers can be reduced to the problem of solving large non-linear multivariate polynomial systems. This problem is NPcomplete [?,?]. Solving the system using linearization or relinearization methods directly will result in space and time complexities that are beyond the power of current computers. As a result, algebraic attacks such as cube attack [?], cube tester [?,?] and dynamic cube attack [?] were proposed in order to reduce the complexities. Stream cipher Grain-128 [?] is a refined version of Grain scheme ciphers, one of the finalists of estream Project. The output bit is a high degree Boolean function over initial vector (IV) bits and key bits. Since the proposal of Grain-128, a number of cryptanalytic results have been presented in the literatures. Fischer et al. applied the statistical analysis to recover the key of reduced Corresponding author.
2 Grain-128 up to 180 out of 256 iterations with a complexity slightly better than brute force [?]. They pointed out that Grain-128 may be immune to this attack due to the very high degree of the output polynomial. Knellwolf et al. proposed the conditional differential cryptanalysis on NFSR-based stream ciphers including Grain scheme ciphers [?]. Conditional differential cryptanalysis exploited the message modification technique introduced in [?,?], which controlled the diffusion by controlling the plaintexts. It was applied to recover 3 bit s key of the Grain-128 reduced to 213 rounds with a probability up to 0.59 and distinguish Grain-128 reduced to 215 rounds from random primitives [?]. Another message controlling method is to nullify some state bits which may be more important than the others for reducing the degree or enhancing the density. After nullifying some state bits, the representation of the output bit with IV bits can be simplified; and the output bit becomes nonrandom. This technique is called dynamic cube attack which combines the conditional differential and cube tester. With dynamic cube attack, Dinur and Shamir [?] proposed two key-recovery attacks on reduced-round Grain-128 for arbitrary keys and an attack on the full Grain- 128 that holds for 2 10 of the key space. Furthermore, Dinur et al. [?] improved the dynamic cube attack on full Grain-128, and tested the main component with a dedicated hardware. Their experimental results showed that for about 7.5% of the keys, the proposed attack beat the exhaustive search by a factor of In this paper, we further improve the attack in [?] by obtaining the missing IV terms. Our Contributions. The contributions of this paper are five fold. Firstly, we exploit the nullification technique introduced in [?] and improve the nullification by a better choice of nullified state bits and a carefully selected nullification of IV bits. Secondly, we give several fast discarding monomial techniques for Boolean functions in order to reduce the number of terms we need to process. Thirdly, with the aforementioned techniques, we mathematically compute the IV terms of degree 43, combined with IV representation technique. The major difference between our attack and the previous dynamic cube attacks is that we focus on obtaining the IV terms mathematically instead of choosing the suitable (sub)cubes with testing technique. Finally, we present an attack with a complexity 2 16 faster than the best result before. In this way, our method not only improves the previous attacks but also can naturally be applied to all keys. So the successful ratio of our attack is 100%. Due to the difference, we also simplified the attack procedure of the dynamic cube attack. Briefly, our attack can be decomposed to the following phases: 1. Determine the dynamic variables, state/iv bits to be nullified, as well as the key bits to be guessed. Calculate the IV terms of degree 43 afterwards. The cube can be chosen freely from those disappeared IV terms. This is the preprocessing phase of the attack. However, most of the dedicated work in this paper contributes to this phase. In this phase, we use various techniques to obtain the exact IV terms. We exploit degree evaluation, degree reduction and low-frequency IV bits, which help discard monomials dramatically. We also use IV representation to compute the IV terms of degree 43. 2
3 2. Guess the key bits, and get the output bits with IVs chosen according to the principle in the previous phase. The summation of the output bits over the cube can be used as a distinguisher since for the correct key the summation will always be 0, while for wrong keys 0 and 1 are supposed to occur with the same probability. This is the only on-line phase of our attack. The time complexity of our attack is about 2 74 cipher executions, which is applicable to all keys of Grain128. The details of our attack will be demonstrated in the rest of the paper. In Section??, the outline of Grain-128 and basic concepts of Boolean functions will be introduced. The related techniques including cube attacks/tester, dynamic cube attack and nullification will be introduced in Section??. In Section??, we will show the outline of our attack. Then the preprocessing phase of our attack will be presented in Section??, followed by the online attack in Section??. Next, we show an example of Grain128 reduced to 191 to illustrate our attack process in Section??. Finally, Section?? summarizes the paper. 2 Preliminaries In this section, we will first briefly introduce Grain-128, followed by the basic concepts about Boolean functions. 2.1 Notations ANF the Algebraic Normal Form IV bit public variables of Grain IV term product of certain IV bits state bit internal state bit in the initialization of Grain stream cipher state term product of certain state bits, IV bits or key bits 2.2 Outline of Grain-128 The state of Grain-128 is represented by a 128-bit linear feedback shift register (LFSR) and a 128-bit nonlinear feedback shift register (NFSR). The feedback function of the LFSR and NFSR are defined as s i+128 =s i + s i+7 + s i+38 + s i+70 + s i+81 + s i+96, b i+128 =s i + b i + b i+26 + b i+56 + b i+91 + b i+96 + b i+3 b i+67 + b i+11 b i+13 + b i+17 b i+18 + b i+27 b i+59 + b i+40 b i+48 + b i+61 b i+65 + b i+68 b i+84. The output function is z i =b i+2 + b i+15 + b i+36 + b i+45 + b i+64 + b i+73 + b i+89 + s i+93 + b i+12 s i+8 + s i+13 s i+20 + b i+95 s i+42 + s i+60 s i+79 + b i+12 b i+95 s i+95. During the initialization step, the 128-bit key is loaded into the NFSR and 96 bits of IV are loaded into the LFSR, with the other IV bits setting to 1. The state runs 256 rounds with the output feeding back, and the first output bit is z 257. For the detail of Grain-128, we refer to [?]. 3
4 2.3 Boolean Polynomial The output bit and internal state bits of symmetric cryptosystem can be described as a Boolean function of the public variables and private variables, which can be applicable to all symmetric ciphers. For stream ciphers, the public variables are often IV while the private variables are keys. Supposing that there are m IV bits, i.e., v 0, v 1,..., v m 1 and n key bits, i.e., k 0, k 1,..., k n 1, the Algebraic Normal Form (ANF) of the internal state bit s could be written as the following style: v i k j, (1) s = I,J i I where the sum operation is over filed F 2. The i I v i j J k j is denoted as a state term of s and i I v i is denoted as its corresponding IV term. Let IV term t I = i I v i be the multiplication of v i whose indices are within I, the ANF of s can be rewritten as j J s = I t I g I (k), (2) where g I (k) is the sum of corresponding coefficient function of terms whose corresponding IV term is t I, i.e. g I (k) = l 1 J 1 k l1 + l 2 J 2 k l2 + + l p J p k lp. The degree of s is deg(s) = max I {deg (t I )}. Property 1. (Repeat Property) In the ANF of s in Equ. (??), suppose two state terms are equal, i.e. i I v i j J k j = i I v i j J k j, then the ANF of state bit s is simplified by removing the two state terms. Property 2. (Cover Property) In Equ. (??), suppose there are two state terms T 1 = t I1 g I1 (k) and T 2 = t I2 g I2 (k). If I 1 I 2, we denote that the state term T 1 is covered by T 2. We delete the covered state term T 1 from s to get a new s. If T 1 = T 2, according to the repeat property, the two state terms should be removed from s. However, according to the cover property, T 2 is still in s. So deg(s ) deg(s). This property could help us estimate deg(s) efficiently. 3 Related Works In this section, the techniques related to our work will be introduced, including cube attack/tester, dynamic cube attack and nullification technique. 3.1 Cube Attack and Cube Tester Cube attack [?] exploits the IV terms whose coefficient is linear over key bits, and then retrieves the keys once enough independent linear functions are obtained, by solving linear equations. A methodology is proposed [?,?] to test if a coefficient is linear and which key bits are involved. 4
5 Cube attack and cube tester techniques can retrieve partial information about Boolean functions probabilistically, however maybe fail for some specific structures with high degrees. For example, if the coefficient function of key bits is k 0 + k 1 k 2 k 3 k 4 k 5 k 6 k 7, cube attack may return a linear function k 0 for less than 128 tests with random keys. In addition, if the coefficient function over key bits is k 1 k 2 k 3 k 4 k 5 k 6 k 7, the result of cube tester may be always 0 for less than 128 tests with random keys, so that it is determined that the IV term t I does not occur. 3.2 Dynamic Cube Attack In [?], Dinur and Shamir proposed the dynamic cube attack to recover the secret key by exploiting distinguishers obtained from cube testers, with application to Grain-128. In dynamic cube attack, some dynamic bits in the IV are determined by key bits are chosen to nullify some state bits so as to greatly simplify the output function. Then one expects to acquire certain nonrandom property which can be exploited by cube tester. The nonrandom property can be used as a distinguisher for key recovery. As mentioned in Section 1, the attack in [?] is an improvement of that in [?]. The dynamic cube attacks introduced and exploited in [?,?] are based on the nullification technique. The major difference between the two works is the different choices of nullified bits 7. As a consequence, we will detail the nullification technique in the next subsection. 3.3 Nullification Technique For Grain-128, the first output bit z 257 can be expresses by state bits as z 257 =b 269 b 352 s b 352 s s 317 s s 270 s b 269 s s b b b b b b b 259. b 269 b 352 s 352 is the most vital term for us because it comprises more high degree IV terms than the others. Similarly, the most vital terms of the ANF of b 269, b 352 and s 352 are b 153 b 236 s 236, b 236 b 319 s 319 and b 236 b 319 s 319 respectively. The common factor is b 236, so b 269, b 352, s 352 and z 257 can be simplified if nullifying b 236. But b 236 is too complex, i.e., b 236 =b 120 b 203 s b 203 s b 176 b s 168 s b 169 b b 148 b b 135 b b 125 b b 119 b b 111 b s 121 s b 120 s b s b b b b b b b b b b b Nullifying b 236 needs too many guessed key bits, so the scheme in [?] retrieved a subset of 2 10 of all possible keys by fixing 10 key bits to be zero. 7 The authors also experimentally verified the main component of the attack by a dedicated hardware in [?] 5
6 Another approach is to simplify b 236 by nullifying b 203, which is adopted by [?]. b 203 is still too complex to be nullified directly, i.e., b 203 =b 87 b 170 s b 170 s b 143 b s 135 s b 136 b b 115 b b 102 b b 92 b 93 + b 86 b 88 + b 78 b s 88 s 95 + b 87 s 83 + b s b b b b b b b b b 90 + b 77 + b 75 + s 75. In order to nullify b 203, one should first nullify b 170, b 159, b 138, s 135, b 136, b 134, b 133, and b 131. All of these bits but b 170 can be nullified directly by choosing IV bits. We know that b 170 =b 54 b 137 s b 137 s 84 + b 110 b s 102 s b 103 b b 82 b 90 + b 69 b b 59 b 60 + b 53 b 55 + b 45 b s 55 s 62 + b 54 s 50 + b s b b b b b 98 + b 87 + b 78 + b 68 + b 57 + b 44 + b 42 + s 42. In order to nullify b 170, b 137 can be nullified first by setting s 9 to be a dynamic value. In fact, b 170 can be nullified directly as well since its expression over IV and key bits can be obtained directly in a PC. However, nullification of b 137 can not only nullify b 170 but also simplify b 253 which contributes a lot to the degree and IV terms. The term b 143 b 159 can be nullified by nullifying either b 143 or b 159. The authors chose to nullify b 159 because it can help reduce b 275 whose ANF significant term is b 159 b 242 s 242. b 145, b 153 and b 176 are also nullified in order to simplify s 261, b 269 and b 292. The nullified state bits and dynamic IV bits of [?] are shown in??. Table 1. Nullification Scheme in [?] nullification b 131, b 133, b 134, s 135, b 136, b 137, b 138, b 145, b 153, b 159, b 170, b 176, b 203 dynamic bits s 3, s 5, s 6, s 77, s 8, s 9, s 10, s 17, s 25, s 31, s 42, s 83, s 1 4 Basic Ideas 4.1 Outline of Our Attack In this paper, our basic idea is to find the missing IV terms in the ANF of the first output bit z 257 of Grain128. For example, the output bit is polynomial p over six secret variables k 1, k 2,..., k 6 and five public variables v 1, v 2, v 3, v 4, v 5, as shown in??. p = k 1 k 2 v 1 v 2 v 3 v 4 v 5 + k 3 v 2 v 3 v 4 v 5 + k 5 v 1 v 3 v 4 v 5 + k 6 v 1 v 2 v 4 v 5 + k 2 v 1 v 2 v (3) 6
7 Obviously, the IV term v 1 v 2 v 3 v 4 does not exist in p. So we can construct cubesum distinguisher by setting v 5 = 0 and selecting cube C T = {v 1, v 2, v 3, v 4 }. Then the cube sum of p is always zero. So to determine the missing product of certain IV bits (missing IV term) is in fact a way to find the missing cube variables combination from a set of candidate cube variables, i.e. the five public variables. In our attack on Grain128, there are totally 96 public variables (IV bits), in order to reduce the ANFs of the internal state bits and then reduce the output polynomial, we study the nullification technique comprehensively and give a new nullification scheme, which includes: i. We use 14 dynamic variables to nullify 14 internal state bits. When comparing with Dinur et al. s nullification scheme, we use one more dynamic variable s 15 to nullify an additional internal state bit b 143. Thus there are 96-14=82 free public variables (IV bits) left. ii. Then calculate the frequency of occurrence of the 82 IV bits in the internal state bits and state terms. We nullify the high frequency IV bits to reduce the internal state bits and state terms as much as possible. We choose 36 IV bits to be nullified (set to zero). Then there are 82-36=46 free IV bits left. iii. Thus, we have to find the missing IV terms from a candidate cube set with size 46. In this paper, we are going to find the 43-degree missing IV terms in the output polynomial z 257. After determining the nullification scheme, we have to reduce the output polynomial z 257 in order to find the 43-degree missing IV terms. The procedures are as follows shown in??: Step 1. Initialize LFSR and NFSR with the new nullification scheme. We compute forward to express the ANF of some internal state bits over IV bits and key bits. Thus, b i and s i (0 i 222) are computed and their degrees are compute directly. Step 2. During the iteratively computing the ANF representation of the output bit z in the backward direction (decryption), we introduce the fast discarding monomial technique in Section??, which includes the following techniques: First, we propose the degree evaluation algorithm to obtain the degree bounds of internal state bits. As the monomials of z s ANF is a product of these internal state bits, the degree of a monomial is bounded by the sum of the degrees of the multiplied internal state bits, which is regarded as the degree estimation of the monomial. If the estimated degrees of monomials are lower than 43, they are discarded directly. Second, we find in Grain128 encryption scheme the high degree state terms are in the form of b i s i. We pre-compute the degree reductions of those products, which is d t = deg(b i ) + deg(s i ) deg(b i s i ). Thus, the degree of a monomial is upper bounded by difference value between the sum of the multiplied internal state bits and the corresponding degree reduction d t. If it is smaller than 43, the monomial is discarded. 7
8 Third, we find 7 low-frequency IV bits out of the 46 IV bits, which means that the 7 IV bits have less probability being involved in the internal state bits. We are going to find the 43-degree missing IV terms that contain the 7 low frequency IV bits. So if a monomial does not contain the 7 low-frequency IV bits simultaneously, we discard it. For detailed description, we refer to Section??. Step 3. For the left monomials of z s ANF, we introduce IV representation technique in Section?? to continue to discard monomials and finally find the 43-degree missing product of certain 43 IV bits (missing IV term). In IV representation technique, the symbolic key bits in the internal state bits are removed and only IV bits are left. We combine IV representation technique with the following two techniques: Combining with removing covered IV terms, we can simplify monomials without losing the degree information. It helps us to determine a more accurate upper bound degree of the monomials of z. And then if the degree of a monomial is smaller than 43, delete it. Combining with repeated IV term removing algorithm, we can simplify monomials of z s ANF without losing the missing IV term information. If we find an IV term is not in the IV representation of z, we can conclude that it is also not in z. Initialize by the new nullification scheme Forward Internal State bits ( k1,..., k128, v1,..., v96) i IV Representation Step 1 Step 3 x Internal State bits x i ' discarding monomials Step 2 z 257 Fig. 1. Framework of the Preprocessing Phase Thus, our attack includes two phases, which are the preprocessing phase and the online attack phase. In the preprocessing phase, we determine the 43-degree missing products of certain 43 IV bits (missing IV terms) in z 257, and select those 43-bit IV sets as cubes, which are summarised in??. In the online phase, we guess the key bits in the 14 dynamic variables, and compute the cube sums of the cubes produce in preprocessing phase: a. For the right key guessing, the coefficient is zero. Thus the cube sums must be zero. b. For the wrong key guessing, the output is random, the cube sums are not always zero. 8
9 5 Preprocessing Phase of the Attack on Full-round Grain New Nullification Scheme In Step 1 of??, we have to introduce a nullification scheme to initialize the state. We obtain the nullification scheme of state bits and the corresponding 14 dynamic IV bits in??. More details of the nullification are shown in??. Table 2. Our Nullification Scheme nullification b 131, b 133, b 134, s 135, b 136, b 137, b 138, b 143, b 145, b 153, b 159, b 170, b 176, b 203 dynamic bits s 3, s 5, s 6, s 77, s 8, s 9, s 10, s 15, s 17, s 25, s 31, s 42, s 83, s 1 In??, the first column are the state bits to be nullified and the second column are the corresponding equations. The third column are the subkey bits guessed for nullifications. For example, in order to nullify b 131, we just need to set s 3 to b 15 b 98 +b 98 s 45 +b 71 b 87 +s 63 s 82 +b 64 b 68 +b 43 b 51 +b 30 b 62 +b 20 b 21 +b 14 b 16 +b 6 b 70 + s 16 s 23 +b 15 s 11 +b 99 +b 94 +b 92 +b 76 +b 67 +b 59 +b 48 +b 39 +b 29 +b 18 +b 5 +b 3 +1, where b 98 and b 15 underlined are the key bits guessed. Besides these two bits, one expression on key bits indicated by, that is b 15 b 98 + b 71 b 87 + b 64 b 68 + b 43 b 51 + b 30 b 62 + b 20 b 21 + b 14 b 16 + b 6 b 70 + b 99 + b 94 + b 92 + b 76 + b 67 + b 59 + b 48 + b 39 + b 29 + b 18 + b 5 + b 3 should be guessed. Hence, three bits need to be guessed to nullify b 131. Totally, 40 bits should be guessed for nullifying the state bits in Table??. After setting 14 dynamic IV bits, there are 96-14=82 free IV bits left. We calculate the frequency of occurrence of the 82 IV bits in the internal state bits and state terms. We nullify the high frequency IV bits to reduce the internal state bits and state terms as much as possible. We choose 36 IV bits shown in?? to be nullified (set to zero). There are 82-36=46 free IV bits left. After the initialization of Step 1 in??. We are going to determine the 43- degree missing IV terms. It is divided into two steps as shown in??: Step 2, Fast Discarding Monomials; Step 3, IV Representation. The two steps are shown in??. 5.2 Fast Discarding Monomials After initializing the states in??, we are going to iteratively compute and reduce z 257 in Step 2. In each iteration, many state terms of z 257 are produced. There are 46 free IV bits left and we will find missing IV terms of degree 43. We introduce the following three ways to discard monomials fast shown in??: Removing state terms according to degree evaluation; 9
10 Table 3. Nullification Scheme Nullified bitsequations for nullification Subkey bits guessed s 1 = b 115 b b 92 b 93 + b 86 b 88 + s 88 s 95 + b 87 s 83 + b 111 b b 104 b b 83 b 91 + b 48 b 87, b 52, b 115, b 96, +b 60 b 61 + b 54 b 56 + b 46 b s 56 s 63 + b b 99 + b 88 + b 79 + b 58 + b 45 + b 43 + s 14 s 21 b 13, b 203 +s 43 + b 52 s 48 + b b b 85 + b 55 + b 42 + s 78 + s 47 + s 40 + b 106 b b 99 b b 5 +b 78 b 86 + b 65 b 97 + b 55 b 56 + b 49 b 51 + b 41 b b 50 s 46 + b b 83 + b 64 + b 53 + b 96 s 43 +b 40 + b 104 b b 97 b b 76 b 84 + b 63 b 95 + b 53 b 54 + b 47 b 49 + b 39 b b s 3 b 13 b 96 +b b 90 + b b b b 92 + b 81 + b 72 + b 62 + b 51 + b 36 + b 77 + b 75 + s 82 +s 75 + b 32 b b 115 s 62 + b 88 b s 80 + b 81 b 85 + b 60 b 68 + b 47 b 79 + b 37 b 38 + s 39 + s 8 +b 31 b 33 + b 23 b 87 + b b b 93 + b 84 + b 76 + b 65 + b 56 + b 46 + b 70 b b 16 + b 3 +b 35 + b 22 + b 20 + b 100 s 47 + s 18 s 25 + b 17 s 13 + b 78 + b 50 + b 41 + b 13 s 9 + s 94 + b 90 + b 65 +b 20 + b 7 + s 86 + s 43 + s 12 + s 5 b 15 b 98 + b 98 s 45 + b 15 s 11 + b 92 + b 67 + b 46 + b 37 + b 18 +b 39 + s 73 + s 10 s 83 = s 48 + b 48 + b 74 + b s 11 + b 11 + b 37 + b 67 + b 14 b 78 + b 22 b 24 + b 28 b 29 + b 38 b 70 b 23, b 111, b 16 b 116, +b 51 b 59 + b 72 b 76 + b 79 b 95 + b 13 + b 26 + b 47 + b 56 + b 75 + b s 19 b 23 + b 23 b b 16 b 25, b 99 b 116, +b 42 + b 72 + b 19 b 83 + b 27 b 29 + b 33 b 34 + b 43 b 75 + b 56 b 64 + b 77 b 81 + b 84 b b 18 + b 31 +b 52 + b 61 + b 80 + b 89 + b b 28 b s 58 b b 51 b b 59 b 61 + b 65 b 66 + b 75 b 107 b 176 +b 88 b 96 + b 109 b s 4 b b 4 b b 30 b b 60 b b 95 b b 100 b 116 +b 7 b 71 b b 15 b 17 b b 21 b 22 b b 31 b 63 b b 44 b 52 b b 65 b 69 b 116 +b 72 b 88 b b 6 b b 19 b b 40 b b 49 b b 68 b b 77 b b 93 +b 93 b s 12 b 16 b b 16 b 99 b b s 46 b 99 b b 50 + b 63 + b s 13 +b 15 + b 28 + b 49 + b 58 + b 77 + b 86 + s 21 b 25 + b 25 b s 73 s b s 42 = b 110 b b 103 b b 82 b 90 + b 69 b b 59 b 60 + b 53 b 55 + b 45 b s 55 s b 54 s 50 + b b b 98 + b 87 + b 78 + b 68 + b 57 + b 44 + b b 159 +b 34 b 98 + s 44 s 51 + b 43 s 39 + b b b b b 95 + b 87 + b 76 + b 67 + b 57 + b 46 s 31 = b 43 b b 126 s 73 + b 99 b s 91 + b 92 b 96 + b 71 b 79 + b 58 b 90 + b 48 b 49 + b 42 b 44 b 43,b 126, +b 33 + b b 153 +b 36 b 38 + b b 28 b 92 + s 38 s 45 + b 37 s 33 + b b b 98 + b 89 + b 81 + b 70 s 25 = b 37 b b 120 s 67 + b 93 b s 85 + b 86 b 90 + b 65 b 73 + b 52 b 84 + b 42 b 43 +b 61 + b 51 + b 40 + b 27 + b b 145 +b 28 b 30 + b 20 b 84 + s 30 s 37 + b 29 s 25 + b b b b 90 s 17 = b 29 b b 112 s 59 + b 85 b s 77 + b 78 b 82 + b 57 b 65 + b 44 b 76 + b 34 b 35 b 29, b 112, +b 81 + b 73 + b 62 + b 53 + b 43 + b 32 + b 19 + b b 143 +b 26 b 28 + b 18 b 82 + s 28 s 35 + b 27 s 23 + b b b b 88 + b 79 s 15 = b 27 b b 110 s 57 + b 83 b 99 + s 75 s 94 + b 76 b 80 + b 55 b 63 + b 42 b 74 + b 32 b 33 b 27, b 110, +b 71 + b 60 + b 51 + b 41 + b 30 + b 17 + b b 138 +b 21 b 23 + b 13 b 77 + s 23 s 30 + b 22 s 18 + b b b 99 + b 83 + b 74 s 10 = b 22 b b 105 s 52 + b 78 b 94 + s 70 s 89 + b 71 b 75 + b 50 b 58 + b 37 b 69 + b 27 b 28 b 22, b 105, +b 66 + b 55 + b 46 + b 36 + b 25 + b 12 + b b 137 +b 20 b 22 + b 12 b 76 + s 22 s 29 + b 21 s 17 + b b b 98 + b 82 + b 73 s 9 = b 21 b b 104 s 51 + b 77 b 93 + s 69 s 88 + b 70 b 74 + b 49 b 57 + b 36 b 68 + b 26 b 27 b 21, +b 65 + b 54 + b 45 + b 35 + b 24 + b 11 + b b 136 +b 19 b 21 + b 11 b 75 + s 21 s 28 + b 20 s 16 + b b 99 + b 97 + b 81 + b 72 + b 64 s 8 = b 20 b b 103 s 50 + b 76 b 92 + s 68 s 87 + b 69 b 73 + b 48 b 56 + b 35 b 67 + b 25 b 26 +b 53 + b 44 + b 34 + b 23 + b 10 + b s s 77 = b 19 b b 102 s 49 + s 67 s 86 + s 20 s 27 + b 19 s 15 + b 96 + s 88 b 19, b 102, 135 +b 80 + s 7 + b 71 + b 52 + s 45 + b 43 + b 22 + s 14 + b 9 b 134 +b 17 b 19 + b 9 b 73 + s 19 s 26 + b 18 s 14 + b b 97 + b 95 + b 79 + b 70 + b 62 s 6 = b 18 b b 101 s 48 + b 74 b 90 + s 66 s 85 + b 67 b 71 + b 46 b 54 + b 33 b 65 + b 23 b 24 b 101, +b 51 + b 42 + b 32 + b 21 + b 8 + b b 133 +b 16 b 18 + b 8 b 72 + s 18 s 25 + b 17 s 13 + b b 96 + b 94 + b 78 + b 69 + b 61 s 5 = b 17 b b 100 s 47 + b 73 b 89 + s 65 s 84 + b 66 b 70 + b 45 b 53 + b 32 b 64 + b 22 b 23 b 17, b 100, +b 50 + b 41 + b 31 + b 20 + b 7 + b b 131 +b 14 b 16 + b 6 b 70 + s 16 s 23 + b 15 s 11 + b 99 + b 94 + b 92 + b 76 + b 67 s 3 = b 15 b 98 + b 98 s 45 + b 71 b 87 + s 63 s 82 + b 64 b 68 + b 43 b 51 + b 30 b 62 + b 20 b 21 b 15, b 98, +b 59 + b 48 + b 39 + b 29 + b 18 + b 5 + b Each in this table indicates a different expression of partial key bits. 10
11 nullified bits Table 4. Nullified IV Bits s14, s16, s20, s22, s23, s24, s28, s30, s32, s33, s35, s36, s38, s41, s44, s50 s 51, s 53, s 55, s 56, s 61, s 64, s 67, s 68, s 69, s 70, s 71, s 75, s 76, s 79, s 81, s 82 s 84, s 85, s 86, s 94 State Terms Fast Discarding Monomials Degree Evaluation Degree Reduction Using Low-frequency IV Bits Step 2 IV Representation Cover Property Step 3 IV Representation Repeat (Algorithm 3) 43-degree IV Term Table FFFFFFFFFF EFFFFFFFFF DFFFFFFFFF Left State Terms Deleted State Terms Fig. 2. Framework of Our Work Removing state terms according to degree reduction; Removing the state terms that do not contain all the 7 low-frequency IV bits. Degree Evaluation Since we are determining the 43-degree missing IV terms, the state terms of z 257 with degree less than 43 are removed without consideration, because they do not contain those 43-degree IV terms certainly. The exact degrees of state bits b i and s i for i [0, 222] can be obtained in a PC and are shown in Table??. The degrees of b i for 0 i < 128 and s j for 96 j < 128 is 0 as they are constant. In order to obtain the degree of state bit b r or s r for r > 222, we decompose the state bits until the state bits are the product of state bits b i and s j for i < end and j < end. Obviously, we will get a more accurate estimation, if we choose a smaller value for end 8. However, the smaller the end is, the more computing resource we will need. In the cryptanalysis of Grain128, we choose 8 Suppose we are going to estimate the degree of b i = b i 3 + b i 1b i 2. deg(b i) = deg(b i 3 + b i 1b i 2) = max{deg(b i 3), deg(b i 1b i 2)} max{deg(b i 3), deg(b i 1) + deg(b i 2)} (4) 11
12 Table 5. Degree of partial state bits i deg(s i) i deg(s i) i deg(s i) i deg(s i) i deg(s i) i deg(s i) i deg(s i) i deg(s i) i deg(b i) deg(s i) i deg(b i) deg(s i) i deg(b i) deg(s i) i deg(b i) deg(s i) i deg(b i) deg(s i) i deg(b i) deg(s i) i deg(b i) deg(s i) i deg(b i) deg(s i)
13 end = r 66 for tradeoff. We estimate the degree upper bound for b 223 as an example, where end = = 157: a) First, we express b 223 = b 95 + b b b b s 95 + b 98 b b 106 b b 112 b b 122 b b 135 b b 156 b b 163 b b 97 + b b 131 +b 140 +b 159 +b 168 +b 184 +s 188 +b b 190 s 137 +s 155 s 174 +b 107 b 190 s 190 according to the iterative function of Grain128. b) According to Table?? highlighted in red, initialize d = max{deg(b 151 ), deg(b 186 ), deg(b 191 ), deg(s 95 ), deg(b 162 ), deg(b 154 ), deg(b 156 )+deg(b 160 ), deg(b 163 )+deg(b 179 ), deg(deg(b 140 ), deg(b 168 ), deg(b 184 ), deg(s 188 ), deg(b 190 )+deg(s 137 ), deg(s 155 )+ deg(s 174 ), deg(b 190 )+deg(s 190 )} = max{2, 2, 2, 1, 3, 2, 1+2, 3+2, 2, 2, 3, 3, 2+1, 2+3, 2+ 2} = 5. The other state terms are discarded directly because their degrees are zeros. c) Discarding the state terms of degree lower than d = 5, we get b 223 = b 163 b 179 +s 155 s 174. Iteratively compute b 223 and discard state terms with degree lower than 5, we get b 223 = b 47 b 130 b 142 s 130 +b 47 b 130 b 140 s 130 +b 47 b 130 b 146 s 93 s b 47 b 63 b 130 b 146 s 130 s b 141 s 88 s b 58 b 141 s 141 s 155. d) Note that there is no state bit in round that is bigger than end=157, the expression ends and there are still state terms that survive. Then the current degree d = 5 is the estimated degree of b 223. e) Note that, if there is no state item in b 223 surviving, which means the degree must be less than 5. We reset d = 4 and continue the above steps c) to d) to get a more accurate degree bound. We summarise the above 5 steps as Algorithm?? and the degrees of state bit b r or s r for 223 r 320 are shown in??. Using degree evaluation to discard state terms in advance. As the monomials of z 257 s ANF is a product of these internal state bits, the degree of a monomial is bounded by the sum of the degrees of the multiplied internal state bits, which is regarded as the degree estimation of the monomial. If the degree estimation of the monomial is smaller than 43, we delete the monomial directly. For example, if deg(b i s i ) DEG(b i ) + DEG(s i ) < 43, delete b i s i. If DEG(b i ) + DEG(s i ) 43, continue to consider degree reduction in the following section. Degree Reduction According to the observation of Grain128 encryption scheme, the high degree state terms are in the form of b i s i. Define the degree reduction If we continue to decompose b i, we find b i 1b i 2 = (b i 4 + b i 2b i 3)(b i 5 + b i 3b i 4) = b i 4b i 5 + b i 3b i 4 + b i 2b i 3b i 5 + b i 2b i 3b i 4, (5) If deg(b i 1) = deg(b i 2b i 3) and deg(b i 2) = deg(b i 3b i 4), then in??, deg(b i 1) + deg(b i 2) may add deg(b i 3) twice. So in order to obtain a more accurate degree estimation, we are willing to decompose b i for several rounds backwards. 13
14 Algorithm 1 Degree Evaluation Algorithm (DEG) of State Bit Input: The value r which indicates the state bit b r. Output: DEG(b r)=d. 1: Initialize the degree bound d similar to step b) of the above example, the end point end and the number of state terms len 0. 2: while len = 0 do 3: Iteratively express b r using state bits in rounds less than end. During each expression, discard the state terms of degree lower than d. Let len be the number of remaining state terms. 4: if len = 0 then 5: d d 1 6: end if 7: end while 8: Return d Table 6. Degree Estimation of State Bits i DEG(b i) DEG(s i) i DEG(b i) DEG(s i) i DEG(b i) DEG(s i) i DEG(b i) DEG(s i) i DEG(b i) DEG(s i) i DEG(b i) DEG(s i) i DEG(b i) DEG(s i) i DEG(b i) DEG(s i) i DEG(b i) DEG(s i)
15 d r t as d r t = deg(b r ) + deg(s r ) deg(b r s r ). (6) The degree reduction can be obtained using Algorithm??. For Algorithm??, we choose end = r 48 considering the efficiency tradeoff of the computation. Algorithm 2 Degree Reduction Algorithm of State Term Input: The value r which indicates the state term degree reduction. Output: The degree reduction d t = DEG(b r) + DEG(s r) deg(b rs r). 1: Initialize the degree bound d = DEG(b r) + DEG(s r), degree reduction d t = 0, end point end and number of survived state terms len. 2: while len = 0 do 3: Express the state term b rs r using state bits in rounds less than end, discard the state terms of degree lower than d d t. Let len be the number of remaining state terms. 4: if len = 0 then 5: d t d t + 1 6: end if 7: end while 8: Return d t The degree reduction can help discard state terms of lower degree dramatically, as it can help predict the change of degree before expression operation. We take the state term b 223 s 223 as an example to illustrate the process to compute the degree reduction d t. Algorithm?? is first used to obtain the degree of state bits as shown in Table?? and??. Let end be = 175. The degree bound d is initialized as d = DEG(b 223 )+DEG(s 223 ) = 10 shown in?? and d t = 0. Express the b 223 s 223 discard the state terms of degree lower than d d t = d, there is 1 state term surviving, i.e., b 163 b 179 s 155 s 174. Continue to compute iteratively, the remaining 5 state terms are b 142 b 163 s 155 s b 140 b 163 s 155 s b 146 b 163 s 93 s 155 s b 163 s 130 s 155 s b 63 b 146 b 163 s 146 s 155 s 174. There is no state bits in rounds more than 175 in all the state terms, hence the expression ends. Degree reduction d t = 0 is returned. The degree reduction of b i s i for i [0, 222] can be obtained directly in?? as the degrees of b i s i, b i and s i can be determined exactly. Degree reductions of b i s i for i [223, 320] are given by?? and shown in??. Using degree reduction to discard state terms in advance. The degree of a monomial is upper bounded by difference value between the sum of the multiplied internal state bits and the corresponding degree reduction d t. For example, reconsider monomial b i s i, if DEG(b i )+DEG(s i ) > 43, degree evaluation introduced in?? could not delete monomial b i s i. Thus, according to degree reduction, deg(b i s i ) DEG(b i ) + DEG(s i ) d i t, if it is smaller than 43, delete b i s i. If not, continue to use low-frequency IV bits in the following section to delete monomials. 15
16 Table 7. Degree Reduction for Partial State bits i d i t i d i t i d i t i d i t Table 8. Degree Reduction of State Terms i d i t i d i t i d i t i d i t i d i t i d i t i d i t i d i t i d i t
17 Low-frequency IV Bits In our nullification scheme, 36 IV bits are nullified (set to zeros). There are remaining 46 IV bits. By testing the frequency of the occurrence of the 46 IV bits in the internal state bits of b 128 to b 222 and s 128 to s 222, we find out 7 IV Bits, who appear in the internal state bits or terms with lower frequency than others. We list the 7 IV Bits in??, along with the state bits containing those 7 IV Bits. Here, we illustrate how to exploit the 7 low-frequency bits to help discard monomials. We are finding 43-degree missing IV terms in the output polynomial z 257. In order to discard monomials, we add the conditions that, the 43-degree missing IV terms must contain all the 7 low-frequency bits. That means, the corresponding 43-dimension cube contains the 7 IV bits as cube variables. Thus, we do not need to consider the monomials that do not contain all the 7 lowfrequency bits. Those monomials could be deleted in advance. For example, express z 257 using internal state bits b i and s i i [128, 222]. Suppose b 135 b 218 s 218 is a monomial of z 257, however s 80 is not in b 135, b 218, or s 218, thus the monomial b 135 b 218 s 218 must not contain s 80. So we delete this monomial. 5.3 IV Representation In??, after Step 2, we introduce IV representation to study each left monomials. In the cryptanalysis of stream ciphers, the output is a Boolean function over key and IV bits. But obtaining the exact expression is hard, then the IV representation technique is proposed to reduce the computing complexity. Definition 1. (IV representation) Given a state bit s = I,J the IV representation of s is s IV = I i I v i. i I v i j J k j, For example, if a Boolean polynomial is s = v 0 k 1 + v 0 k 0 k 2 + v 1 k 1 k 2 + v 0 v 1 k 2, then its IV representation is s IV = v 0 + v 0 + v 1 + v 0 v 1. IV representation with repeated IV terms Removing Algorithm Due to the neglection of key bits, there are lots of repeated IV terms. According to Property??, repeated state terms should be removed to simplify the polynomial. However, it is different when the polynomial is in IV representation. In the above example, after removing repeated IV terms of s IV, the result should be v 0 + v 1 + v 0 v 1, instead of v 1 + v 0 v 1 given by Property??. Here we give the Algorithm?? to remove the repeated IV terms of s IV. This algorithm is based on a Hash function. First, an empty hash set is initialized. For each IV term T i, compute the hash value as H(T i ) (Line 3), then determine if T i is already in H. If not, then insert T i into H (Lines 4-5). Property 3. If we find an IV term is not in s IV, we can conclude that it is also not in s. 17
18 Table 9. Low frequency bits low-frequency corresponding state bits bits b 128, s 128, b 160, s 160, b 161, s 161, b 163, s 163, b 165, s 165, b 167, s 167, b 172, s 172, s 175, b 177, s 177, b 183, s 183, s 186, b 188, s 188, b 189, s 189, b 191, s 191, b 193, s 193, s 0 b 194, s 194, b 195, s 195, b 196, s 196, b 197, s 197, b 198, s 198, b 200, s 200, b 202, s 202, b 204, s 204, b 205, s 205, b 206, s 206, b 207, s 207, b 208, s 208, b 209, s 209, b 210, s 210, b 211, s 211, b 212, s 212, b 214, s 214, b 216, s 216, s 218, b 219, s 219, b 220, s 220, b 221, s 221, b 222, s 222 b 130, s 130, b 162, s 162, b 163, s 163, b 165, s 165, b 167, s 167, b 169, s 169, b 174, s 174, s 177, b 179, s 179, b 185, s 185, s 188, b 190, s 190, b 191, s 191, b 193, s 193, b 195, s 195, s 2 b 196, s 196, b 198, s 198, b 199, s 199, b 200, s 200, b 202, s 202, b 204, s 204, b 206, s 206, b 207, s 207, b 208, s 208, b 209, s 209, b 210, s 210, b 211, s 211, b 212, s 212, b 213, s 213, b 214, s 214, b 216, s 216, b 218, s 218, s 220, b 221, s 221, b 222, s 222 b 157, s 157, s 158, b 165, s 165, b 189, s 189, b 190, s 190, b 191, s 191, b 192, s 192, b 193, s s 193, b 194, s 194, b 196, s 196, b 197, s 197, b 198, s 198, b 200, s 200, b 201, s 201, b 202, 37 s 202, b 204, s 204, s 205, s 206, b 209, s 209, b 212, s 212, b 214, s 214, s 215, s 216, b 217, s 217, b 218, s 218, b 220, s 220, b 222, s 222 s 133, b 163, s 163, s 164, s 165, b 168, s 168, b 171, s 171, s 180, b 182, s 182, s 191, b 195, s 195, b 196, s 196, b 197, s 197, b 198, s 198, b 199, s 199, b 200, s 200, b 201, s 201, b 202, s 43 s 202, b 204, s 204, b 205, s 205, b 206, s 206, b 207, s 207, b 208, s 208, b 210, s 210, b 211, s 211, b 212, s 212, b 213, s 213, b 214, s 214, b 215, s 215, b 217, s 217, b 218, s 218, b 219, s 219, b 221, s 221 b 146, s 146, s 150, b 178, s 178, b 179, s 179, b 180, s 180, b 181, s 181, s 182, b 183, s 183, b 185, s 185, b 188, s 188, b 190, s 190, s 193, s 197, b 199, s 199, b 201, s 201, s 204, b 206, s 60 s 206, b 207, s 207, s 208, b 209, s 209, b 211, s 211, b 212, s 212, b 213, s 213, b 214, s 214, b 215, s 215, b 216, s 216, b 217, s 217, b 218, s 218, b 219, s 219, b 220, s 220, b 221, s 221, b 222, s 222 b 129, s 129, s 138, b 148, s 148, b 161, s 161, b 162, s 162, b 164, s 164, b 166, s 166, b 168, s 168, b 173, s 173, s 176, b 178, s 178, b 180, s 180, b 181, s 181, b 183, s 183, b 184, s 184, s 80 b 185, s 185, s 187, b 188, s 188, b 190, s 190, b 192, s 192, b 194, s 194, b 195, s 195, s 196, b 197, s 197, b 198, s 198, b 199, s 199, b 200, s 200, b 201, s 201, s 203, b 205, s 205, b 206, s 206, s 207, b 222, s 222 s 137, s 148, b 158, s 158, s 169, b 172, s 172, b 181, s 181, b 183, s 183, s 184, b 186, s 186, b 190, s 190, b 191, s 191, b 193, s 193, b 195, s 195, b 197, s 197, b 198, s 198, s 201, b 202, s 90 s 202, b 205, s 205, s 206, b 209, s 209, b 210, s 210, b 211, s 211, b 213, s 213, b 214, s 214, b 215, s 215, b 216, s 216, b 217, s 217, b 218, s 218, b 219, s 219, b 220, s 220, b 221, s 221, b 222, s
19 After applying Algorithm?? to s IV, it is easy to know that if an IV term exists in s, it must also exist in s IV. But the opposite is not right. For example, x 1 = v 0 (k 1 k 2 + k 0 k 2 ) + v 1 + v 0 v 1 k 2, x 2 = v 2 k 0 k 1 + v 1 v 2 k 1 and s = x 1 x 2. We use the IV representations of x 1 and x 2 to approximate the IV representation of s. Thus, x 1IV = v 0 + v 1 + v 0 v 1, x 2IV = v 2 + v 1 v 2, and s IV = x 1IV x 2IV = v 0 v 2 + v 1 v 2 + v 0 v 1 v 2. However, s = x 1 x 2 = v 1 v 2 (k 0 k 1 + k 1 ). We use Property?? to determine the missing IV terms in the output ANF of Grain128, i.e., we compute the IV representation s IV of the output s, find the missing IV terms of s IV and those IV terms are missing IV terms of s. Algorithm 3 Repeated-IV term Removing Algorithm Input: The vector T with n IV terms, i.e., T 1, T 2,..., T n. Output: Updated T with m IV terms, where m n. 1: Initialize an empty Hash set H. 2: for i 1 : n do 3: Compute the Hash value of T i, i.e., H(T i). 4: if H.contains(T i) is false then 5: H.insert(T i). 6: end if 7: end for After using IV representation combined with Algorithm??, all the existent IV terms are left by ignoring their repetition. With collision-resistent hash function H, the time complexity of Algorithm?? is O(n) for processing n IV terms. It needs several minutes to apply Algorithm?? on 1 billion IV terms on a single core. IV representation with Covered IV Term Removing Method We also use IV representation by removing covered IV terms. As shown in Property??, if we are estimating the degree of a polynomial s, instead of detecting the missing IV terms, the covered IV terms have no effect. For example, s = v 0 k 1 + v 0 k 0 k 2 + v 1 k 1 k 2 + v 0 v 1 k 2, then s IV = v 0 + v 0 + v 1 + v 0 v 1, after use Property?? to remove covered IV terms from s IV, we get s IV = v 0v 1. It is obviously that deg(s) = deg(s IV ) = deg(s IV ). This method can help discard (state, IV) terms dramatically, since we could get a more accurate degree evaluation of s than degree evaluation technique and degree reduction technique. Determining the 43-degree Missing IV Terms As shown in??, after Step 2, the degrees of left state terms are possibly bigger or equal to 43. For the left state terms, we are going to use IV representation to determine the missing 43-degree IV terms. First, we use IV representation technique combined with covered IV term removing method for each left state terms. It could maintain the degree 19
20 information by ignoring the low degree IV terms and get a more accurate degree. Thus, if the degree of a monomial is smaller than 43, the monomial is deleted. Second, for the left monomials, we use IV representation technique combined with Algorithm??. It could not only maintain the highest degree IV terms, but also the lower degree IV terms by ignoring the repetitions. Then we maintain a table 43-bit indexed by all possible 43-degree IV terms who contain the 7 low-frequency IV bits in??. As there are 7 fixed bits, the number of freedom variables is 39, so that the table size is ( ) = Initial the table with 0. Then, if a 43-degree IV term exists, the entry turns to 1. At last, the indexes with entries equal to 0 are the missing 43-degree IV terms. According to Property??, if an IV term is not in z 257 s IV representation, it must be also not in z 257. Choose the missing 43-degree IV terms as cubes shown in??, whose cube sums must be zero. Table dimension Cubes Cube Index of Cube Variables 1 0,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,88,89,90,91 2 0,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,88,89,90,92 3 0,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,88,89,90,95 4 0,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,88,90,91,92 5 0,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,88,90,91,93 6 0,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,88,90,91,95 7 0,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,88,90,92,93 8 0,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,88,90,92,95 9 0,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,88,90,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,89,90,91, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,89,90,91, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,89,90,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,89,90,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,89,90,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,90,91,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,90,91,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,90,91,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,90,92,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,88,89,90,91, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,88,89,90,91, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,88,89,90,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,88,89,90,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,88,89,90,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,88,90,91,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,88,90,91,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,88,90,91,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,88,90,92,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,89,90,91,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,89,90,92,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,90,91,92,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,80,87,88,89,90,91, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,80,87,88,89,90,91, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,80,87,88,89,90,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,80,87,88,89,90,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,80,87,88,89,90,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,80,87,88,90,91,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,80,87,88,90,91,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,80,87,88,90,91,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,80,87,88,90,92,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,88,89,90,93 20
Breaking Grain-128 with Dynamic Cube Attacks
Breaking Grain-128 with Dynamic Cube Attacks Itai Dinur and Adi Shamir Computer Science department The Weizmann Institute Rehovot 76100, Israel Abstract. We present a new variant of cube attacks called
More informationImproved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN
Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN Shahram Rasoolzadeh and Håvard Raddum Simula Research Laboratory {shahram,haavardr}@simula.no Abstract. We study multidimensional meet-in-the-middle
More informationImproved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN
Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN Shahram Rasoolzadeh and Håvard Raddum Simula Research Laboratory Abstract. We study multidimensional meet-in-the-middle attacks on the
More informationTWO GENERIC METHODS OF. Chinese Academy of Sciences
TWO GENERIC METHODS OF ANALYZING STREAM CIPHERS Lin Jiao, Bin Zhang, Mingsheng Wang Chinese Academy of Sciences Outline Introduction Time Memory Data Tradeoff Attack against Grain v1 Security Evaluation
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion, Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics
More informationOn the Security of Stream Cipher CryptMT v3
On the Security of Stream Cipher CryptMT v3 Haina Zhang 1, and Xiaoyun Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan 250100,
More informationLinear Cryptanalysis of Reduced Round Serpent
Linear Cryptanalysis of Reduced Round Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion Israel Institute of Technology, Haifa 32000, Israel, {biham,orrd}@cs.technion.ac.il,
More informationAttack on DES. Jing Li
Attack on DES Jing Li Major cryptanalytic attacks against DES 1976: For a very small class of weak keys, DES can be broken with complexity 1 1977: Exhaustive search will become possible within 20 years,
More informationImproved Attacks on Full GOST
Improved Attacks on Full GOST Itai Dinur 1, Orr Dunkelman 1,2 and Adi Shamir 1 1 Computer Science department, The Weizmann Institute, ehovot, Israel 2 Computer Science Department, University of Haifa,
More informationc Eli Biham - March 13, Cryptanalysis of Modes of Operation (4) c Eli Biham - March 13, Cryptanalysis of Modes of Operation (4)
Single Modes: the S Modes of Operation Modes of Operation are used to hide patterns in the plaintexts, protect against chosen plaintext attacks, and to support fast on-line encryption with precomputation.
More informationMILP-aided Cube-attack-like Cryptanalysis on Keccak Keyed Modes
MILP-aided Cube-attack-like Cryptanalysis on Keccak Keyed Modes Wenquan Bi 1, Xiaoyang Dong 2, Zheng Li 1, Rui Zong 1, and Xiaoyun Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security,
More informationDierential-Linear Cryptanalysis of Serpent? Haifa 32000, Israel. Haifa 32000, Israel
Dierential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel fbiham,orrdg@cs.technion.ac.il 2 Mathematics Department,
More informationSyrvey on block ciphers
Syrvey on block ciphers Anna Rimoldi Department of Mathematics - University of Trento BunnyTn 2012 A. Rimoldi (Univ. Trento) Survey on block ciphers 12 March 2012 1 / 21 Symmetric Key Cryptosystem M-Source
More informationDifferential Cryptanalysis
Differential Cryptanalysis See: Biham and Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. c Eli Biham - March, 28 th, 2012 1 Differential Cryptanalysis The Data
More informationA Chosen-Plaintext Linear Attack on DES
A Chosen-Plaintext Linear Attack on DES Lars R. Knudsen and John Erik Mathiassen Department of Informatics, University of Bergen, N-5020 Bergen, Norway {lars.knudsen,johnm}@ii.uib.no Abstract. In this
More informationImproved differential fault analysis on lightweight block cipher LBlock for wireless sensor networks
Jeong et al. EURASIP Journal on Wireless Communications and Networking 2013, 2013:151 RESEARCH Improved differential fault analysis on lightweight block cipher LBlock for wireless sensor networks Kitae
More informationcube attack on stream cipher Trivium and quadraticity test
The cube attack on stream cipher Trivium and quadraticity tests Piotr Mroczkowski Janusz Szmidt Military Communication Institute Poland 17 sierpnia 2010 Cube Attack- Papers and Preprints Itai Dinur and
More informationCube Attacks and Cube-attack-like Cryptanalysis on the Round-reduced Keccak Sponge Function
Cube Attacks and Cube-attack-like Cryptanalysis on the Round-reduced Keccak Sponge Function Itai Dinur 1, Pawe l Morawiecki 2,3, Josef Pieprzyk 4 Marian Srebrny 2,3, and Micha l Straus 3 1 Computer Science
More informationCUBE-TYPE ALGEBRAIC ATTACKS ON WIRELESS ENCRYPTION PROTOCOLS
CUBE-TYPE ALGEBRAIC ATTACKS ON WIRELESS ENCRYPTION PROTOCOLS George W. Dinolt, James Bret Michael, Nikolaos Petrakos, Pantelimon Stanica Short-range (Bluetooth) and to so extent medium-range (WiFi) wireless
More informationAn Improved Algebraic Attack on Hamsi-256
An Improved Algebraic Attack on Hamsi-256 Itai Dinur and Adi Shamir Computer Science department The Weizmann Institute Rehovot 76100, Israel Abstract. Hamsi is one of the 14 second-stage candidates in
More informationPractical Key Recovery Attack on MANTIS 5
ractical Key Recovery Attack on ANTI Christoph Dobraunig, aria Eichlseder, Daniel Kales, and Florian endel Graz University of Technology, Austria maria.eichlseder@iaik.tugraz.at Abstract. ANTI is a lightweight
More informationRECTIFIED DIFFERENTIAL CRYPTANALYSIS OF 16 ROUND PRESENT
RECTIFIED DIFFERENTIAL CRYPTANALYSIS OF 16 ROUND PRESENT Manoj Kumar 1, Pratibha Yadav, Meena Kumari SAG, DRDO, Metcalfe House, Delhi-110054, India mktalyan@yahoo.com 1 ABSTRACT In this paper, we have
More informationImproved Key Recovery Attacks on Reduced-Round AES with Practical Data and Memory Complexities
Improved Key Recovery Attacks on Reduced-Round AES with Practical Data and Memory Complexities Achiya Bar-On 1, Orr Dunkelman 2, Nathan Keller 1, Eyal Ronen 3, and Adi Shamir 3 1 Department of Mathematics,
More informationAttacks on Advanced Encryption Standard: Results and Perspectives
Attacks on Advanced Encryption Standard: Results and Perspectives Dmitry Microsoft Research 29 February 2012 Design Cryptanalysis history Advanced Encryption Standard Design Cryptanalysis history AES 2
More informationThis document is downloaded from DR-NTU, Nanyang Technological University Library, Singapore.
This document is downloaded from DR-NTU, Nanyang Technological University Library, Singapore. Title Improved Meet-in-the-Middle cryptanalysis of KTANTAN (poster) Author(s) Citation Wei, Lei; Rechberger,
More informationChapter 3 Block Ciphers and the Data Encryption Standard
Chapter 3 Block Ciphers and the Data Encryption Standard Last Chapter have considered: terminology classical cipher techniques substitution ciphers cryptanalysis using letter frequencies transposition
More informationInternational Journal for Research in Applied Science & Engineering Technology (IJRASET) Performance Comparison of Cryptanalysis Techniques over DES
Performance Comparison of Cryptanalysis Techniques over DES Anupam Kumar 1, Aman Kumar 2, Sahil Jain 3, P Kiranmai 4 1,2,3,4 Dept. of Computer Science, MAIT, GGSIP University, Delhi, INDIA Abstract--The
More informationImproved Truncated Differential Attacks on SAFER
Improved Truncated Differential Attacks on SAFER Hongjun Wu * Feng Bao ** Robert H. Deng ** Qin-Zhong Ye * * Department of Electrical Engineering National University of Singapore Singapore 960 ** Information
More informationSymmetric Cryptography. Chapter 6
Symmetric Cryptography Chapter 6 Block vs Stream Ciphers Block ciphers process messages into blocks, each of which is then en/decrypted Like a substitution on very big characters 64-bits or more Stream
More informationThis chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest
1 2 3 This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest PKCS, Diffie- Hellman key exchange. This first published
More informationThe Rectangle Attack
The Rectangle Attack and Other Techniques for Cryptanalysis of Block Ciphers Orr Dunkelman Computer Science Dept. Technion joint work with Eli Biham and Nathan Keller Topics Block Ciphers Cryptanalysis
More informationRelated-key Attacks on Triple-DES and DESX Variants
Related-key Attacks on Triple-DES and DESX Variants Raphael C.-W. han Department of Engineering, Swinburne Sarawak Institute of Technology, 1st Floor, State Complex, 93576 Kuching, Malaysia rphan@swinburne.edu.my
More informationAn Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1
An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljević 1, Nishant Sinha 2, Sugata Gangopadhyay 2, Subhamoy Maitra 3, Goutam Paul 3 and Kanta Matsuura 4 1 Mathematical Institute,
More informationA General Analysis of the Security of Elastic Block Ciphers
A General Analysis of the Security of Elastic Block Ciphers Debra L. Cook and Moti Yung and Angelos Keromytis Department of Computer Science, Columbia University {dcook,moti,angelos}@cs.columbia.edu September
More informationNecessary conditions for designing secure stream ciphers with the minimal internal states
Necessary conditions for designing secure stream ciphers with the minimal internal states Vahid Amin Ghafari 1( ), Honggang Hu 1, and Mohammadsadegh Alizadeh 2 1 Key Laboratory of Electromagnetic Space
More informationAn Improved Truncated Differential Cryptanalysis of KLEIN
An Improved Truncated Differential Cryptanalysis of KLEIN hahram Rasoolzadeh 1, Zahra Ahmadian 2, Mahmoud almasizadeh 3, and Mohammad Reza Aref 3 1 imula Research Laboratory, Bergen, Norway, 2 hahid Beheshti
More informationKey Recovery from State Information of Sprout: Application to Cryptanalysis and Fault Attack
Key Recovery from State Information of Sprout: Application to Cryptanalysis and Fault Attack Subhamoy Maitra, Santanu Sarkar, Anubhab Baksi, Pramit Dey Indian Statistical Institute, Kolkata and Indian
More informationSAT Solvers in the Context of Cryptography
SAT Solvers in the Context of Cryptography v2.0 Presentation at Montpellier Mate Soos UPMC LIP6, PLANETE team INRIA, SALSA Team INRIA 10th of June 2010 Mate Soos (UPMC LIP6, PLANETE team SAT INRIA, solvers
More informationCryptanalysis and Improvement of a Dynamic ID Based Remote User Authentication Scheme Using Smart Cards
Journal of Computational Information Systems 9: 14 (2013) 5513 5520 Available at http://www.jofcis.com Cryptanalysis and Improvement of a Dynamic ID Based Remote User Authentication Scheme Using Smart
More informationpage 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas
Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher
More informationFPGA Implementation of WG Stream Cipher
FPGA Implementation of WG Stream Cipher Anna Johnson Assistant Professor,ECE Department, Jyothi Engineering College,Thrissur Abstract Cryptography is the technique of providing security to a network. The
More informationCHAPTER 1 INTRODUCTION
1 CHAPTER 1 INTRODUCTION 1.1 Advance Encryption Standard (AES) Rijndael algorithm is symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256
More informationBiclique Attack of the Full ARIA-256
Biclique Attack of the Full ARIA-256 Shao-zhen Chen Tian-min Xu Zhengzhou Information Science and Technology Institute Zhengzhou 450002, China January 8, 202 Abstract In this paper, combining the biclique
More informationThe Security of Elastic Block Ciphers Against Key-Recovery Attacks
The Security of Elastic Block Ciphers Against Key-Recovery Attacks Debra L. Cook 1, Moti Yung 2, Angelos D. Keromytis 2 1 Alcatel-Lucent Bell Labs, New Providence, New Jersey, USA dcook@alcatel-lucent.com
More informationWeak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis
3. 2 13.57 Weak eys for a Related-ey Differential Attack Weak eys of the Full MISTY1 Block Cipher for Related-ey Cryptanalysis Institute for Infocomm Research, Agency for Science, Technology and Research,
More informationTruncated Differential Analysis of Round-Reduced RoadRunneR Block Cipher
Truncated Differential Analysis of Round-Reduced RoadRunneR Block Cipher Qianqian Yang 1,2,3, Lei Hu 1,2,, Siwei Sun 1,2, Ling Song 1,2 1 State Key Laboratory of Information Security, Institute of Information
More informationElastic Block Ciphers: The Feistel Cipher Case
Elastic Block Ciphers: The Feistel Cipher Case Debra L. Cook Moti Yung Angelos D. Keromytis Department of Computer Science Columbia University, New York, NY dcook,moti,angelos @cs.columbia.edu Technical
More informationTwo Attacks on Reduced IDEA (Extended Abstract)
1 Two Attacks on Reduced IDEA (Extended Abstract) Johan Borst 1, Lars R. Knudsen 2, Vincent Rijmen 2 1 T.U. Eindhoven, Discr. Math., P.O. Box 513, NL-5600 MB Eindhoven, borst@win.tue.nl 2 K.U. Leuven,
More informationHill Cipher with Parallel Processing Involving Column, Row Shuffling, Permutation and Iteration on Plaintext and Key
International Journal of Computer Networks and Security, ISSN:25-6878, Vol.23, Issue.2 7 Hill Cipher with Parallel Processing Involving Column, Row Shuffling, Permutation and Iteration on Plaintext and
More informationCryptanalysis of Block Ciphers: A Survey
UCL Crypto Group Technical Report Series Cryptanalysis of Block Ciphers: A Survey Francois-Xavier Standaert, Gilles Piret, Jean-Jacques Quisquater REGARDS GROUPE http://www.dice.ucl.ac.be/crypto/ Technical
More informationOn the Security of the 128-Bit Block Cipher DEAL
On the Security of the 128-Bit Block Cipher DAL Stefan Lucks Theoretische Informatik University of Mannheim, 68131 Mannheim A5, Germany lucks@th.informatik.uni-mannheim.de Abstract. DAL is a DS-based block
More informationA Meet in the Middle Attack on Reduced Round Kuznyechik
IEICE TRANS. FUNDAMENTALS, VOL.Exx??, NO.xx XXXX 200x 1 LETTER Special Section on Cryptography and Information Security A Meet in the Middle Attack on Reduced Round Kuznyechik Riham ALTAWY a), Member and
More informationComputer Security CS 526
Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 7 January 30, 2012 CPSC 467b, Lecture 7 1/44 Public-key cryptography RSA Factoring Assumption Computing with Big Numbers Fast Exponentiation
More informationP2_L6 Symmetric Encryption Page 1
P2_L6 Symmetric Encryption Page 1 Reference: Computer Security by Stallings and Brown, Chapter 20 Symmetric encryption algorithms are typically block ciphers that take thick size input. In this lesson,
More informationCryptanalytic Time-Memory-Data Tradeoffs for FX-Constructions with Applications to PRINCE and PRIDE
Cryptanalytic Time-Memory-Data Tradeoffs for FX-Constructions with Applications to PRINCE and PRIDE Itai Dinur Département d Informatique, École Normale Supérieure, Paris, France Abstract. The FX-construction
More informationCache Timing Attacks on estream Finalists
Cache Timing Attacks on estream Finalists Erik Zenner Technical University Denmark (DTU) Institute for Mathematics e.zenner@mat.dtu.dk Echternach, Jan. 9, 2008 Erik Zenner (DTU-MAT) Cache Timing Attacks
More informationCSCE 813 Internet Security Symmetric Cryptography
CSCE 813 Internet Security Symmetric Cryptography Professor Lisa Luo Fall 2017 Previous Class Essential Internet Security Requirements Confidentiality Integrity Authenticity Availability Accountability
More informationin a 4 4 matrix of bytes. Every round except for the last consists of 4 transformations: 1. ByteSubstitution - a single non-linear transformation is a
Cryptanalysis of Reduced Variants of Rijndael Eli Biham Λ Nathan Keller y Abstract Rijndael was submitted to the AES selection process, and was later selected as one of the five finalists from which one
More informationIntroduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption
Introduction to Cryptography and Security Mechanisms: Unit 5 Public-Key Encryption Learning Outcomes Explain the basic principles behind public-key cryptography Recognise the fundamental problems that
More informationAlgebraicDierential Cryptanalysis of DES
AlgebraicDierential Cryptanalysis of DES JeanCharles Faugère Ludovic Perret PierreJean Spaenlehauer UPMC LIP6 CNRS INRIA Paris - Rocquencourt SALSA team Journées C2 1/33 PJ Spaenlehauer Plan Introduction
More informationTrivium. 2 Specifications
Trivium Specifications Christophe De Cannière and Bart Preneel Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Heverlee, Belgium {cdecanni, preneel}@esat.kuleuven.be
More informationA Practical Platform for Cube-Attack-like Cryptanalyses
A Practical Platform for Cube-Attack-like Cryptanalyses CS 758: Cryptography/Network Security Course Project Bo Zhu, Wenye Yu and Tao Wang {bo.zhu,wenye.yu,t55wang}@uwaterloo.ca University of Waterloo
More informationNetwork Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar
Network Security Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar Modern Block Ciphers now look at modern block ciphers one of the most widely used types
More informationFinding Second Preimages of Short Messages for Hamsi-256
Finding Second Preimages of Short Messages for Hamsi-256 Thomas Fuhr ANSSI, Paris, France and TELECOM-ParisTech, Paris, France thomas.fuhr@ssi.gouv.fr Abstract. In this paper we study the second preimage
More informationPerformance of Symmetric Ciphers and One-way Hash Functions
Performance of Symmetric Ciphers and One-way Hash Functions Michael Roe Cambridge University Computer Laboratory 1 Rationale An alarmingly large number of different cryptosystems have been proposed for
More informationL3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015
L3. An Introduction to Block Ciphers Rocky K. C. Chang, 29 January 2015 Outline Product and iterated ciphers A simple substitution-permutation network DES and AES Modes of operations Cipher block chaining
More informationAEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2014 AEGIS 1
AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University KU Leuven and iminds 1 AEGIS: A shield carried by Athena and Zeus 2 Different Design Approaches:
More informationMeet-in-the-middle Attack on the 6-round Variant of the Block Cipher PRINCE
Vol.5 (ITCS 204), pp.250-255 http://d.doi.org/0.4257/astl.204.5.57 Meet-in-the-middle Attack on the 6-round Variant of the Block Cipher PRINCE Yasutaka Igarashi, Toshinobu Kaneko 2, Satoshi Setoguchi,
More informationEncryption / decryption system. Fig.1. Block diagram of Hummingbird
801 Lightweight VLSI Design of Hybrid Hummingbird Cryptographic Algorithm NIKITA ARORA 1, YOGITA GIGRAS 2 12 Department of Computer Science, ITM University, Gurgaon, INDIA 1 nikita.0012@gmail.com, 2 gigras.yogita@gmail.com
More informationPiret and Quisquater s DFA on AES Revisited
Piret and Quisquater s DFA on AES Revisited Christophe Giraud 1 and Adrian Thillard 1,2 1 Oberthur Technologies, 4, allée du doyen Georges Brus, 33 600 Pessac, France. c.giraud@oberthur.com 2 Université
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.2 Secret Key Cryptography CSC 474/574 Dr. Peng Ning 1 Agenda Generic block cipher Feistel cipher DES Modes of block ciphers Multiple encryptions Message
More informationIntegral Cryptanalysis of the BSPN Block Cipher
Integral Cryptanalysis of the BSPN Block Cipher Howard Heys Department of Electrical and Computer Engineering Memorial University hheys@mun.ca Abstract In this paper, we investigate the application of
More informationOn the Design of Secure Block Ciphers
On the Design of Secure Block Ciphers Howard M. Heys and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University Kingston, Ontario K7L 3N6 email: tavares@ee.queensu.ca
More informationAn improved image encryption algorithm based on chaotic maps
Vol 17 No 11, November 2008 c 2008 Chin. Phys. Soc. 1674-1056/2008/17(11)/4027-06 Chinese Physics B and IOP Publishing Ltd An improved image encryption algorithm based on chaotic maps Xu Shu-Jiang( ) a),
More informationA Differential Fault Attack against Early Rounds of (Triple-)DES
A Differential Fault Attack against Early Rounds of (Triple-)DES Ludger Hemme Giesecke & Devrient GmbH Prinzregentenstr. 159, 81677 Munich, Germany ludger.hemme@de.gi-de.com Abstract. Previously proposed
More informationA New Architecture of High Performance WG Stream Cipher
A New Architecture of High Performance WG Stream Cipher Grace Mary S. 1, Abhila R. Krishna 2 1 P G Scholar, VLSI and Embedded Systems, Department of ECE T K M Institute of Technology, Kollam, India 2 Assistant
More informationSecurity Analysis of Extended Sponge Functions. Thomas Peyrin
Security Analysis of Extended Sponge Functions Hash functions in cryptology: theory and practice Leiden, Netherlands Orange Labs University of Versailles June 4, 2008 Outline 1 The Extended Sponge Functions
More informationNON LINEAR FEEDBACK STREAM CIPHER
NON LINEAR FEEDBACK STREAM CIPHER *Dr.R. Siva Ram Prasad **G.Murali ***S.Gopi Krishna Research Director, Dept. of CSE, Head, Dept. of CSE, Head, Dept. of CSE, Acharya Nagarjuna University, R.K College
More informationStream Ciphers An Overview
Stream Ciphers An Overview Palash Sarkar Indian Statistical Institute, Kolkata email: palash@isicalacin stream cipher overview, Palash Sarkar p1/51 Classical Encryption Adversary message ciphertext ciphertext
More informationA Weight Based Attack on the CIKS-1 Block Cipher
A Weight Based Attack on the CIKS-1 Block Cipher Brian J. Kidney, Howard M. Heys, Theodore S. Norvell Electrical and Computer Engineering Memorial University of Newfoundland {bkidney, howard, theo}@engr.mun.ca
More informationSymmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.
Symmetric Key Algorithms Definition A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting. 1 Block cipher and stream cipher There are two main families
More informationBlock Ciphers and Data Encryption Standard. CSS Security and Cryptography
Block Ciphers and Data Encryption Standard CSS 322 - Security and Cryptography Contents Block Cipher Principles Feistel Structure for Block Ciphers DES Simplified DES Real DES DES Design Issues CSS 322
More informationA New Meet-in-the-Middle Attack on the IDEA Block Cipher
A New Meet-in-the-Middle Attack on the IDEA Block Cipher Hüseyin Demirci 1, Ali Aydın Selçuk, and Erkan Türe 3 1 Tübitak UEKAE, 41470 Gebze, Kocaeli, Turkey huseyind@uekae.tubitak.gov.tr Department of
More informationAn Overview of Cryptanalysis Research for the Advanced Encryption Standard
An Overview of Cryptanalysis Research for the Advanced Encryption Standard Alan Kaminsky, Rochester Institute of Technology Michael Kurdziel, Harris Corporation Stanisław Radziszowski, Rochester Institute
More informationEfficient Dissection of Composite Problems, with Applications to Cryptanalysis, Knapsacks, and Combinatorial Search Problems
Efficient Dissection of Composite Problems, with Applications to Cryptanalysis, Knapsacks, and Combinatorial Search Problems Itai Dinur 1, Orr Dunkelman 1,2, Nathan Keller 1,3, and Adi Shamir 1 1 Computer
More informationData Analytics and Boolean Algebras
Data Analytics and Boolean Algebras Hans van Thiel November 28, 2012 c Muitovar 2012 KvK Amsterdam 34350608 Passeerdersstraat 76 1016 XZ Amsterdam The Netherlands T: + 31 20 6247137 E: hthiel@muitovar.com
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Previously on COS 433 Confusion/Diffusion Paradigm f 1 f 2 f 3 f 4 f 5 f 6 Round π 1 f 7 f 8 f 9 f 10 f 11 f 12 π 2 Substitution
More information7. Symmetric encryption. symmetric cryptography 1
CIS 5371 Cryptography 7. Symmetric encryption symmetric cryptography 1 Cryptographic systems Cryptosystem: t (MCKK GED) (M,C,K,K,G,E,D) M, plaintext message space C, ciphertext message space K, K, encryption
More informationSharing Several Secrets based on Lagrange s Interpolation formula and Cipher Feedback Mode
Int. J. Nonlinear Anal. Appl. 5 (2014) No. 2, 60-66 ISSN: 2008-6822 (electronic) http://www.ijnaa.semnan.ac.ir Sharing Several Secrets based on Lagrange s Interpolation formula and Cipher Feedback Mode
More informationA Mathematical Proof. Zero Knowledge Protocols. Interactive Proof System. Other Kinds of Proofs. When referring to a proof in logic we usually mean:
A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms. Zero Knowledge Protocols 3. Each statement is derived via the derivation rules.
More informationZero Knowledge Protocols. c Eli Biham - May 3, Zero Knowledge Protocols (16)
Zero Knowledge Protocols c Eli Biham - May 3, 2005 442 Zero Knowledge Protocols (16) A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms.
More informationLinear Cryptanalysis of FEAL 8X Winning the FEAL 25 Years Challenge
Linear Cryptanalysis of FEAL 8X Winning the FEAL 25 Years Challenge Yaniv Carmeli Joint work with Prof. Eli Biham CRYPTODAY 2014 FEAL FEAL Published in 1987, designed by Miyaguchi and Shimizu (NTT). 64-bit
More informationVulnerability of Certain Stream Ciphers Based on k-normal Boolean Functions
Vulnerability of Certain Stream Ciphers Based on k-normal Boolean Functions Miodrag Mihaljevic RCIS-AIST, Tokyo A Seminar Lecture at CCRG School of Physics and Mathematical Sciences Nanyang Technological
More informationSymmetric Encryption Algorithms
Symmetric Encryption Algorithms CS-480b Dick Steflik Text Network Security Essentials Wm. Stallings Lecture slides by Lawrie Brown Edited by Dick Steflik Symmetric Cipher Model Plaintext Encryption Algorithm
More informationNew Attacks on Feistel Structures with Improved Memory Complexities
New Attacks on Feistel Structures with Improved Memory Complexities Itai Dinur 1, Orr Dunkelman 2,4,, Nathan Keller 3,4,, and Adi Shamir 4 1 Département d Informatique, École Normale Supérieure, Paris,
More informationCryptanalysis of ORYX
Cryptanalysis of ORYX D. Wagner 1, L. Simpson 2, E. Dawson 2, J. Kelsey 3, W. Millan 2, and B. Schneier 3 1 University of California, Berkeley daw@cs.berkeley.edu 2 Information Security Research Centre,
More informationDifferential Fault Analysis of Trivium
Differential Fault Analysis of Trivium Michal Hojsík 1, 3 and Bohuslav Rudolf 2, 3 1 The Selmer Center, University of Bergen, Norway 2 National Security Authority, Czech Republic 3 Department of Algebra,
More informationApplying Time-Memory-Data Trade-Off to Meet-in-the-Middle Attack
Applying Time-Memory-Data Trade-Off to Meet-in-the-Middle Attack Jiali Choy, Khoongming Khoo, and Chuan-Wen Loe DSO National Laboratories 20 Science Park Drive, Singapore 118230 Email: cjiali,kkhoongm,lchuanwe@dso.org.sg
More informationComputer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Cryptography Part II Paul Krzyzanowski Rutgers University Spring 2018 March 23, 2018 CS 419 2018 Paul Krzyzanowski 1 Block ciphers Block ciphers encrypt a block of plaintext at a
More information