PY (Roo): a Fast and Secure Stream Cipher Using Rolling Arrays
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Key Differentiation Attacks on Stream Ciphers
Key differentiation attacks on stream ciphers Abstract In this paper the applicability of differential cryptanalytic tool to stream ciphers is elaborated using the algebraic representation similar to early Shannon’s postulates regarding the concept of confusion. In 2007, Biham and Dunkelman [3] have formally introduced the concept of differential cryptanalysis in stream ciphers by addressing the three different scenarios of interest. Here we mainly consider the first scenario where the key difference and/or IV difference influence the internal state of the cipher (∆key, ∆IV ) → ∆S. We then show that under certain circumstances a chosen IV attack may be transformed in the key chosen attack. That is, whenever at some stage of the key/IV setup algorithm (KSA) we may identify linear relations between some subset of key and IV bits, and these key variables only appear through these linear relations, then using the differentiation of internal state variables (through chosen IV scenario of attack) we are able to eliminate the presence of corresponding key variables. The method leads to an attack whose complexity is beyond the exhaustive search, whenever the cipher admits exact algebraic description of internal state variables and the keystream computation is not complex. A successful application is especially noted in the context of stream ciphers whose keystream bits evolve relatively slow as a function of secret state bits. A modification of the attack can be applied to the TRIVIUM stream cipher [8], in this case 12 linear relations could be identified but at the same time the same 12 key variables appear in another part of state register. -
Comparison of 256-Bit Stream Ciphers DJ Bernstein Thanks To
Comparison of Cipher implementations 256-bit stream ciphers from cipher authors D. J. Bernstein Timing tools Thanks to: (De Canni`ere) University of Illinois at Chicago Denmark Technical University Timings Alfred P. Sloan Foundation on various machines Graphing tools (Bernstein) Speed graphs in this talk Comparison of Cipher implementations Security disasters 256-bit stream ciphers from cipher authors Attack claimed on YAMB: “258.” D. J. Bernstein 72 Timing tools Attack claimed on Py: “2 .” Thanks to: (De Canni`ere) Presumably also Py6. University of Illinois at Chicago Attack claimed on SOSEMANUK: Denmark Technical University Timings “2226.” Alfred P. Sloan Foundation on various machines Is there any dispute Graphing tools about these attacks? (Bernstein) If not: Reject YAMB etc. as competition for 256-bit AES. Speed graphs in this talk Cipher implementations Security disasters from cipher authors Attack claimed on YAMB: “258.” 72 Timing tools Attack claimed on Py: “2 .” (De Canni`ere) Presumably also Py6. Attack claimed on SOSEMANUK: Timings “2226.” on various machines Is there any dispute Graphing tools about these attacks? (Bernstein) If not: Reject YAMB etc. as competition for 256-bit AES. Speed graphs in this talk Cipher implementations Security disasters Speed disasters from cipher authors Attack claimed on YAMB: “258.” FUBUKI is slower than AES 72 in all of these benchmarks. Timing tools Attack claimed on Py: “2 .” Any hope of faster FUBUKI? (De Canni`ere) Presumably also Py6. If not: Reject FUBUKI. Attack claimed on SOSEMANUK: VEST is extremely slow Timings “2226.” on various machines in all of these benchmarks. Is there any dispute On the other hand, Graphing tools about these attacks? VEST is claimed to be (Bernstein) If not: Reject YAMB etc. -
Statistical Weaknesses in 20 RC4-Like Algorithms and (Probably) the Simplest Algorithm Free from These Weaknesses - VMPC-R
Statistical weaknesses in 20 RC4-like algorithms and (probably) the simplest algorithm free from these weaknesses - VMPC-R Bartosz Zoltak www.vmpcfunction.com [email protected] Abstract. We find statistical weaknesses in 20 RC4-like algorithms including the original RC4, RC4A, PC-RC4 and others. This is achieved using a simple statistical test. We found only one algorithm which was able to pass the test - VMPC-R. This algorithm, being approximately three times more complex then RC4, is probably the simplest RC4-like cipher capable of producing pseudo-random output. Keywords: PRNG; CSPRNG; RC4; VMPC-R; stream cipher; distinguishing attack 1 Introduction RC4 is a popular and one of the simplest symmetric encryption algorithms. It is also probably one of the easiest to modify. There is a bunch of RC4 modifications out there. But is improving the old RC4 really as simple as it appears to be? To state the contrary we confront 20 candidates (including the original RC4) against a simple statistical test. In doing so we try to support four theses: 1. Modifying RC4 is easy to do but it is hard to do well. 2. Statistical weaknesses in almost all RC4-like algorithms can be easily found using a simple test discussed in this paper. 3. The only RC4-like algorithm which was able to pass the test was VMPC-R. It is approximately three times more complex than RC4. We believe that any algorithm simpler than VMPC-R would most likely fail the test. 4. Before introducing a new RC4-like algorithm it might be a good idea to run the statistical test described in this paper. -
Cryptanalysis of Stream Ciphers Based on Arrays and Modular Addition
KATHOLIEKE UNIVERSITEIT LEUVEN FACULTEIT INGENIEURSWETENSCHAPPEN DEPARTEMENT ELEKTROTECHNIEK{ESAT Kasteelpark Arenberg 10, 3001 Leuven-Heverlee Cryptanalysis of Stream Ciphers Based on Arrays and Modular Addition Promotor: Proefschrift voorgedragen tot Prof. Dr. ir. Bart Preneel het behalen van het doctoraat in de ingenieurswetenschappen door Souradyuti Paul November 2006 KATHOLIEKE UNIVERSITEIT LEUVEN FACULTEIT INGENIEURSWETENSCHAPPEN DEPARTEMENT ELEKTROTECHNIEK{ESAT Kasteelpark Arenberg 10, 3001 Leuven-Heverlee Cryptanalysis of Stream Ciphers Based on Arrays and Modular Addition Jury: Proefschrift voorgedragen tot Prof. Dr. ir. Etienne Aernoudt, voorzitter het behalen van het doctoraat Prof. Dr. ir. Bart Preneel, promotor in de ingenieurswetenschappen Prof. Dr. ir. Andr´eBarb´e door Prof. Dr. ir. Marc Van Barel Prof. Dr. ir. Joos Vandewalle Souradyuti Paul Prof. Dr. Lars Knudsen (Technical University, Denmark) U.D.C. 681.3*D46 November 2006 ⃝c Katholieke Universiteit Leuven { Faculteit Ingenieurswetenschappen Arenbergkasteel, B-3001 Heverlee (Belgium) Alle rechten voorbehouden. Niets uit deze uitgave mag vermenigvuldigd en/of openbaar gemaakt worden door middel van druk, fotocopie, microfilm, elektron- isch of op welke andere wijze ook zonder voorafgaande schriftelijke toestemming van de uitgever. All rights reserved. No part of the publication may be reproduced in any form by print, photoprint, microfilm or any other means without written permission from the publisher. D/2006/7515/88 ISBN 978-90-5682-754-0 To my parents for their unyielding ambition to see me educated and Prof. Bimal Roy for making cryptology possible in my life ... My Gratitude It feels awkward to claim the thesis to be singularly mine as a great number of people, directly or indirectly, participated in the process to make it see the light of day. -
Ensuring Fast Implementations of Symmetric Ciphers on the Intel Pentium 4 and Beyond
This may be the author’s version of a work that was submitted/accepted for publication in the following source: Henricksen, Matthew& Dawson, Edward (2006) Ensuring Fast Implementations of Symmetric Ciphers on the Intel Pentium 4 and Beyond. Lecture Notes in Computer Science, 4058, Article number: AISP52-63. This file was downloaded from: https://eprints.qut.edu.au/24788/ c Consult author(s) regarding copyright matters This work is covered by copyright. Unless the document is being made available under a Creative Commons Licence, you must assume that re-use is limited to personal use and that permission from the copyright owner must be obtained for all other uses. If the docu- ment is available under a Creative Commons License (or other specified license) then refer to the Licence for details of permitted re-use. It is a condition of access that users recog- nise and abide by the legal requirements associated with these rights. If you believe that this work infringes copyright please provide details by email to [email protected] Notice: Please note that this document may not be the Version of Record (i.e. published version) of the work. Author manuscript versions (as Sub- mitted for peer review or as Accepted for publication after peer review) can be identified by an absence of publisher branding and/or typeset appear- ance. If there is any doubt, please refer to the published source. https://doi.org/10.1007/11780656_5 Ensuring Fast Implementations of Symmetric Ciphers on the Intel Pentium 4 and Beyond Matt Henricksen and Ed Dawson Information Security Institute, Queensland University of Technology, GPO Box 2434, Brisbane, Queensland, 4001, Australia. -
New Results of Related-Key Attacks on All Py-Family of Stream Ciphers
Journal of Universal Computer Science, vol. 18, no. 12 (2012), 1741-1756 submitted: 15/9/11, accepted: 15/2/12, appeared: 28/6/12 © J.UCS New Results of Related-key Attacks on All Py-Family of Stream Ciphers Lin Ding (Information Science and Technology Institute, Zhengzhou, China [email protected]) Jie Guan (Information Science and Technology Institute, Zhengzhou, China [email protected]) Wen-long Sun (Information Science and Technology Institute, Zhengzhou, China [email protected]) Abstract: The stream cipher TPypy has been designed by Biham and Seberry in January 2007 as the strongest member of the Py-family of stream ciphers. At Indocrypt 2007, Sekar, Paul and Preneel showed related-key weaknesses in the Py-family of stream ciphers including the strongest member TPypy. Furthermore, they modified the stream ciphers TPypy and TPy to generate two fast ciphers, namely RCR-32 and RCR-64, in an attempt to rule out all the attacks against the Py-family of stream ciphers. So far there exists no attack on RCR-32 and RCR-64. In this paper, we show that the related-key weaknesses can be still used to construct related-key distinguishing attacks on all Py-family of stream ciphers including the modified versions RCR- 32 and RCR-64. Under related keys, we show distinguishing attacks on RCR-32 and RCR-64 with data complexity 2139.3 and advantage greater than 0.5. We also show that the data complexity of the distinguishing attacks on Py-family of stream ciphers proposed by Sekar et al. can be reduced from 2193.7 to 2149.3 . -
Security Evaluation of the K2 Stream Cipher
Security Evaluation of the K2 Stream Cipher Editors: Andrey Bogdanov, Bart Preneel, and Vincent Rijmen Contributors: Andrey Bodganov, Nicky Mouha, Gautham Sekar, Elmar Tischhauser, Deniz Toz, Kerem Varıcı, Vesselin Velichkov, and Meiqin Wang Katholieke Universiteit Leuven Department of Electrical Engineering ESAT/SCD-COSIC Interdisciplinary Institute for BroadBand Technology (IBBT) Kasteelpark Arenberg 10, bus 2446 B-3001 Leuven-Heverlee, Belgium Version 1.1 | 7 March 2011 i Security Evaluation of K2 7 March 2011 Contents 1 Executive Summary 1 2 Linear Attacks 3 2.1 Overview . 3 2.2 Linear Relations for FSR-A and FSR-B . 3 2.3 Linear Approximation of the NLF . 5 2.4 Complexity Estimation . 5 3 Algebraic Attacks 6 4 Correlation Attacks 10 4.1 Introduction . 10 4.2 Combination Generators and Linear Complexity . 10 4.3 Description of the Correlation Attack . 11 4.4 Application of the Correlation Attack to KCipher-2 . 13 4.5 Fast Correlation Attacks . 14 5 Differential Attacks 14 5.1 Properties of Components . 14 5.1.1 Substitution . 15 5.1.2 Linear Permutation . 15 5.2 Key Ideas of the Attacks . 18 5.3 Related-Key Attacks . 19 5.4 Related-IV Attacks . 20 5.5 Related Key/IV Attacks . 21 5.6 Conclusion and Remarks . 21 6 Guess-and-Determine Attacks 25 6.1 Word-Oriented Guess-and-Determine . 25 6.2 Byte-Oriented Guess-and-Determine . 27 7 Period Considerations 28 8 Statistical Properties 29 9 Distinguishing Attacks 31 9.1 Preliminaries . 31 9.2 Mod n Cryptanalysis of Weakened KCipher-2 . 32 9.2.1 Other Reduced Versions of KCipher-2 . -
Distinguishing Attacks on the Stream Cipher Py
Distinguishing Attacks on the Stream Cipher Py Souradyuti Paul‡, Bart Preneel‡, and Gautham Sekar‡† ‡Katholieke Universiteit Leuven, Dept. ESAT/COSIC, Kasteelpark Arenberg 10, B–3001, Leuven-Heverlee, Belgium †Birla Institute of Technology and Science, Pilani, India, Dept. of Electronics and Instrumentation, Dept. of Physics. {souradyuti.paul, bart.preneel}@esat.kuleuven.be, [email protected] Abstract. The stream cipher Py designed by Biham and Seberry is a submission to the ECRYPT stream cipher competition. The cipher is based on two large arrays (one is 256 bytes and the other is 1040 bytes) and it is designed for high speed software applications (Py is more than 2.5 times faster than the RC4 on Pentium III). The paper shows a statistical bias in the distribution of its output-words at the 1st and 3rd rounds. Exploiting this weakness, a distinguisher with advantage greater than 50% is constructed that requires 284.7 randomly chosen key/IV’s and the first 24 output bytes for each key. The running time and the 84.7 89.2 data required by the distinguisher are tini · 2 and 2 respectively (tini denotes the running time of the key/IV setup). We further show that the data requirement can be reduced by a factor of about 3 with a distinguisher that considers outputs of later rounds. In such case the 84.7 running time is reduced to tr ·2 (tr denotes the time for a single round of Py). The Py specification allows a 256-bit key and a keystream of 264 bytes per key/IV. As an ideally secure stream cipher with the above specifications should be able to resist the attacks described before, our results constitute an academic break of Py. -
New Developments in Cryptology Outline Outline Block Ciphers AES
New Developments in Cryptography March 2012 Bart Preneel Outline New developments in cryptology • 1. Cryptology: concepts and algorithms Prof. Bart Preneel • 2. Cryptology: protocols COSIC • 3. Public-Key Infrastructure principles Bart.Preneel(at)esatDOTkuleuven.be • 4. Networking protocols http://homes.esat.kuleuven.be/~preneel • 5. New developments in cryptology March 2012 • 6. Cryptography best practices © Bart Preneel. All rights reserved 1 2 Outline Block ciphers P1 P2 P3 • Block ciphers/stream ciphers • Hash functions/MAC algorithms block block block • Modes of operation and authenticated cipher cipher cipher encryption • How to encrypt/sign using RSA C1 C2 C3 • Multi-party computation • larger data units: 64…128 bits •memoryless • Concluding remarks • repeat simple operation (round) many times 3 3-DES: NIST Spec. Pub. 800-67 AES (2001) (May 2004) S S S S S S S S S S S S S S S S • Single DES abandoned round • two-key triple DES: until 2009 (80 bit security) • three-key triple DES: until 2030 (100 bit security) round MixColumnsS S S S MixColumnsS S S S MixColumnsS S S S MixColumnsS S S S hedule Highly vulnerable to a c round • Block length: 128 bits related key attack • Key length: 128-192-256 . Key S Key . bits round A $ 10M machine that cracks a DES Clear DES DES-1 DES %^C& key in 1 second would take 149 trillion text @&^( years to crack a 128-bit key 1 23 1 New Developments in Cryptography March 2012 Bart Preneel AES variants (2001) AES implementations: • AES-128 • AES-192 • AES-256 efficient/compact • 10 rounds • 12 rounds • 14 rounds • sensitive • classified • secret and top • NIST validation list: 1953 implementations (2008: 879) secret plaintext plaintext plaintext http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html round round. -
Automated Techniques for Hash Function and Block Cipher Cryptanalysis
Arenberg Doctoral School of Science, Engineering & Technology Faculty of Engineering Department of Electrical Engineering (ESAT) Automated Techniques for Hash Function and Block Cipher Cryptanalysis Nicky MOUHA Dissertation presented in partial fulfillment of the requirements for the degree of Doctor of Engineering June 2012 Automated Techniques for Hash Function and Block Cipher Cryptanalysis Nicky MOUHA Jury: Dissertation presented in partial Prof. em. dr. ir. Yves D. Willems, chair fulfillment of the requirements for Prof. dr. ir. Bart Preneel, supervisor the degree of Doctor of Engineering Prof. dr. ir. Vincent Rijmen, secretary Prof. dr. ir. Frank Piessens Dr. Svetla Petkova-Nikova Dr. Matt Robshaw (Applied Cryptography Group, Orange Labs, France) June 2012 Our greatest glory is not in never falling, but in rising every time we fall. Confucius c 2012 Nicky Mouha � D/2012/7515/71 ISBN 978-94-6018-535-9 If I have seen further it is only by standing on the shoulders of giants. Isaac Newton Acknowledgments Every research paper is a puzzle piece, linking other pieces together to reveal a bigger picture. As such, research can’t be done in isolation. In the past few years, I’ve been extremely fortunate to meet the world’s best and brightest in thefield of symmetric-key cryptography. Many times, I’ve found myself to be the stupidest and most ignorant person in the room. To me, such experiences have been exciting and humbling, but most of all a great opportunity to learn. Therefore, I would like to personally thank everyone who contributed in one way or another to this thesis. -
Cryptanalysis Techniques for Stream Cipher: a Survey
International Journal of Computer Applications (0975 – 8887) Volume 60– No.9, December 2012 Cryptanalysis Techniques for Stream Cipher: A Survey M. U. Bokhari Shadab Alam Faheem Syeed Masoodi Chairman, Department of Research Scholar, Dept. of Research Scholar, Dept. of Computer Science, AMU Computer Science, AMU Computer Science, AMU Aligarh (India) Aligarh (India) Aligarh (India) ABSTRACT less than exhaustive key search, then only these are Stream Ciphers are one of the most important cryptographic considered as successful. A symmetric key cipher, especially techniques for data security due to its efficiency in terms of a stream cipher is assumed secure, if the computational resources and speed. This study aims to provide a capability required for breaking the cipher by best-known comprehensive survey that summarizes the existing attack is greater than or equal to exhaustive key search. cryptanalysis techniques for stream ciphers. It will also There are different Attack scenarios for cryptanalysis based facilitate the security analysis of the existing stream ciphers on available resources: and provide an opportunity to understand the requirements for developing a secure and efficient stream cipher design. 1. Ciphertext only attack 2. Known plain text attack Keywords Stream Cipher, Cryptography, Cryptanalysis, Cryptanalysis 3. Chosen plaintext attack Techniques 4. Chosen ciphertext attack 1. INTRODUCTION On the basis of intention of the attacker, the attacks can be Cryptography is the primary technique for data and classified into two categories namely key recovery attack and communication security. It becomes indispensable where the distinguishing attacks. The motive of key recovery attack is to communication channels cannot be made perfectly secure. derive the key but in case of distinguishing attack, the From the ancient times, the two fields of cryptology; attacker’s motive is only to derive the original from the cryptography and cryptanalysis are developing side by side. -
Design and Analysis of RC4-Like Stream Ciphers
Design and Analysis of RC4-like Stream Ciphers by Matthew E. McKague A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Mathematics in Combinatorics and Optimization Waterloo, Ontario, Canada, 2005 c Matthew E. McKague 2005 I hereby declare that I am the sole author of this thesis. This is a true copy of the thesis, including any required final revisions, as accepted by my examiners. I understand that my thesis may be made electronically available to the public. Matthew E. McKague ii Abstract RC4 is one of the most widely used ciphers in practical software ap- plications. In this thesis we examine security and design aspects of RC4. First we describe the functioning of RC4 and present previously published analyses. We then present a new cipher, Chameleon which uses a similar internal organization to RC4 but uses different methods. The remainder of the thesis uses ideas from both Chameleon and RC4 to develop design strategies for new ciphers. In particular, we develop a new cipher, RC4B, with the goal of greater security with an algorithm comparable in simplicity to RC4. We also present design strategies for ciphers and two new ciphers for 32-bit processors. Finally we present versions of Chameleon and RC4B that are implemented using playing-cards. iii Acknowledgements This thesis was undertaken under the supervision of Alfred Menezes at the University of Waterloo. The cipher Chameleon was developed under the supervision of Allen Herman at the University of Regina. Financial support was provided by the University of Waterloo, the University of Regina and the National Science and Engineering Research Council of Canada (NSERC).