NESSIE Reports [Stream Cipher]

Total Page:16

File Type:pdf, Size:1020Kb

NESSIE reports [Stream cipher]
21st Century COE Program, Random Number Generation and Stream Cipher Study Group, 2003.02.25

Agenda: examine the evaluation criteria and evaluation methodology for stream ciphers in general, based on the reports of the NESSIE project.
[email protected]
Copyright (c) 2003 C4Technology, Inc.

Slide 2: Contents
1. NESSIE overview
2. Evaluation (block ciphers, asymmetric schemes, ...)
3. Stream ciphers: security requirements (attacks, statistical tests)
4. Stream ciphers: evaluation
5. BMGL
6. Leviathan
7. LILI-128
8. SNOW
9. SOBER-t
10. Stream ciphers: evaluation (Deliverables D18, D20)

Slide 3: 1. NESSIE
New European Schemes for Signatures, Integrity, and Encryption.
NESSIE is a project within the IST (Information Society Technologies) Programme of the EC (European Commission).
http://www.cryptonessie.org (moved to https://www.cosic.esat.kuleuven.ac.be/nessie/index.html)

Slide 4: 1. Submissions by category
1. Block ciphers
2. Synchronous stream ciphers
3. Self-synchronising stream ciphers
4. Message Authentication Codes (MACs)
5. Collision-resistant hash functions
6. One-way hash functions
7. Families of pseudo-random functions
8. Asymmetric encryption schemes
9. Asymmetric digital signature schemes
10. Asymmetric identification schemes

Slide 5: 1. Schedule
2000 January: beginning of the first phase of NESSIE
2000 November: first NESSIE workshop
2001 July: beginning of the second phase of NESSIE
2001 September: second NESSIE workshop
2002 November: third NESSIE workshop
2003 February: fourth NESSIE workshop
2003 March: end of the second phase of NESSIE

Slide 6: 1. NESSIE / AES / CRYPTREC
                        AES                           NESSIE                                 CRYPTREC
Organiser               NIST                          IST Programme                          MIC and METI (Japanese ministries)
Purpose                 new US standard block cipher  consensus of EC industry and academia  list of ciphers for e-Government use
Technical requirements  128/192/256-bit block         almost all cryptographic primitives    almost all cryptographic primitives
Selection               a single winner is chosen     no single winner is chosen             no single winner is chosen

Slide 7: 2. Phase 1 evaluation (submissions)
64-bit block ciphers: CS-Cipher (CS Communication & Systems), Hierocrypt-L1 (Toshiba), IDEA (Mediacrypt), Khazad (Barreto, Rijmen), Misty1 (Mitsubishi Electric), Nimbus (Machado)
128-bit block ciphers: Anubis (Barreto, Rijmen), Camellia (NTT, Mitsubishi Electric), Grand Cru (Borst), Hierocrypt-3 (Toshiba), Noekeon (Dawson et al.), Q (McBride), SC2000 (Fujitsu)
160-bit block ciphers: SHACAL (Gemplus); variable block length: SAFER++ (Cylink), NUSH (LAN Crypto), RC6 (RSA)
MAC and hash: Two-Track-MAC (Boer, Rompay), UMAC (Rogaway et al.), Whirlpool (Boer, Rompay)
Asymmetric encryption: ACE Encrypt (IBM), ECIES (Certicom), EPOC-1, -2, -3 (NTT), PSEC-1, -2, -3 (NTT), RSA-OAEP (RSA)
Asymmetric digital signature: ACE Sign (IBM), ECDSA (Certicom), ESIGN (NTT), FLASH (BULL CP8), QUARTZ (BULL CP8), RSA-PSS (RSA), SFLASH (BULL CP8)
Asymmetric identification schemes: GPS (France Telecom)

Slide 8: 2. Phase 2 evaluation (the slide repeats the Phase 1 candidate list above)

Slide 9: 3. Security requirements for stream ciphers (self-synchronising / synchronous)
a) High: key length of at least 256 bits; internal memory of at least 256 bits.
b) Normal: key length of at least 128 bits; internal memory of at least 128 bits.

Slide 10: 3. Security requirements (cont.): CRYPTREC
General evaluation
- Stream cipher: statistical properties, length of period and linear complexity; resistance against well-known attacks and heuristic attacks.
- PRNG: statistical properties checked with randomness tests etc.; resistance against attacks, unpredictability.
Full evaluation
- Stream cipher: statistical properties (period, linear complexity, etc.); known attacks (correlation, divide and conquer, ...); heuristic attacks.
- PRNG: statistical properties checked with randomness tests (FIPS 140-1); unpredictability, heuristic attacks.

Slide 11: 3. Attacks
# Linear complexity: assume the PRNG is an LFSR and find the length of the shortest LFSR that generates its output.
# Statistical properties: estimate the occurrence probabilities of the PRNG output and measure the deviation from an independent uniform distribution.
- Correlation attacks: consider a simple generator whose output is correlated with the output of the PRNG.
- Divide-and-conquer attacks: guess part of the sequence (part of the state) and apply the same guessing conditions to the other parts.

Slide 12: 3. Attacks (cont.)
- Time-memory trade-offs: reduce the time required for exhaustive search by increasing the memory used by the attack.
- Distinguishing attacks: distinguish the PRNG output from a truly random sequence (independent uniform distribution).
- Rekeying attacks (key re-use attacks): exploit the same key being used several times.

Slide 13: 3. Statistical tests (NESSIE toolbox)
- Dyadic Complexity Test
- Percolation Test
- Constant Runs Test
- Frequency Test
- Collision Test
- Overlapping m-tuple Test
- Gap Test
- Coupon Collector's Test
- Universal Maurer Test
- Poker Test
- Spectral Test
- Correlation Test
- Rank Test
- Linear Complexity Test
- Nonlinear Complexity Test
- Ziv-Lempel Complexity Test

Slide 14: 3. Statistical tests (cont.): NIST SP 800-22 (http://csrc.nist.gov/rng/)
1. The Frequency (Monobit) Test
2. Frequency Test within a Block
3. The Runs Test
4. Test for the Longest-Run-of-Ones in a Block
5. The Binary Matrix Rank Test
6. The Discrete Fourier Transform (Spectral) Test
7. The Non-overlapping Template Matching Test
8. The Overlapping Template Matching Test
9. Maurer's "Universal Statistical" Test
10. The Lempel-Ziv Compression Test
11. The Linear Complexity Test
12. The Serial Test
13. The Approximate Entropy Test
14. The Cumulative Sums (Cusums) Test
15. The Random Excursions Test
16. The Random Excursions Variant Test

Slide 15: 3. Classification of attacks
Premises and assumptions:
- The overall structure of the stream cipher is known.
- Only the secret key is unknown.
From the NESSIE report: "It is customary when analysing stream ciphers to consider known plaintext attacks. This essentially means assuming the cryptanalyst knows a large volume of keystream. The cryptanalyst's task is then usually classified in one of three ways."
Analysis approaches:
A) Distinguishing attack: look for a way to distinguish a keystream of suitable length from a random sequence of the same length.
B) Prediction: look for a way to predict the keystream with better accuracy than random guessing.
C) Key recovery: look for a way to obtain the secret key from the keystream.

Slide 16: 4. Stream ciphers (submissions and claimed security level)
- BMGL: Håstad, Näslund (Sweden), High/Normal
- Leviathan: Cisco Systems (USA), High/Normal
- LILI-128: Simpson, Dawson, Golić, Millan (Australia), Normal
- SNOW: Johansson, Ekdahl (Sweden), High/Normal
- SOBER-t16: Qualcomm International (Australia), Normal
- SOBER-t32: Qualcomm International (Australia), High

Slide 17: Deliverables
D12 Toolbox version 2
D13 Security evaluation of NESSIE First Phase
D14 Performance evaluation of NESSIE First Phase
D15 Workshop on security and performance evaluation of NESSIE First Phase
D16 Internal review report Year 2
D17 Preliminary list of realistic performance estimates
D18 Update on the selection of algorithms for further investigation during NESSIE Second Phase
D20 NESSIE Security report, version 1.0
D21 Performance of Optimized Implementations of the NESSIE Primitives, version 1.0

Slide 18: 4. Evaluation, Phase 1 to Phase 2 (D13)
Phase 1 evaluation      Phase 2 evaluation
BMGL                    BMGL
Leviathan               (not retained)
LILI-128                (not retained)
SNOW                    SNOW
SOBER-t16               SOBER-t16
SOBER-t32               SOBER-t32

Slide 19: 5. BMGL
"The submission BMGL is a pseudorandom number generator with the block cipher Rijndael as cryptographic core. Rijndael is considered as a one-way function from the key to the cipher-text. BMGL iterates this function and extracts a few pseudo-random bits in each iteration using hard-core predicates. The construction uses an optimization of earlier work on pseudo-random generators [19, 48]."

Slide 20: 6. Leviathan
"It is defined by a set of binary tree structures of height 16. Each node of each tree is associated with a triple of words (each of four bytes) z|y|x. The triple at the root of the jth tree is 1|0|j. Key-dependent functions a and b map the triple s at a node to a triple at each of its two descendants, so that its left-hand descendant is a(s) while its right-hand descendant is b(s)."

Slide 21: 6. Leviathan
[Figure] The functions fod (left) and god (right). Here and below [symbol] denotes the bitwise exclusive or operation, [symbol] denotes integer addition (with dashed lines indicating the carry operations), and [symbol] indicates the bitwise complementation operation (or logical 'not').

Slide 22: 6. Leviathan
[Figure] The functions cof and cog, showing how the output of the cipher is derived from the state of the leaf nodes.

Slide 23: 7. LILI-128
"It consists of two LFSRs each with primitive feedback polynomials. The first, LFSR_c, has length 39 while the second, LFSR_d, has length 89. Two bits from LFSR_c (which is clocked regularly) are used to determine an integer c in the range {1, 2, 3, 4} and LFSR_d is clocked c times. A nonlinear filter f_d is then applied to ten bits of the output of LFSR_d to produce the keystream."

Slide 24: 8. SNOW 1.0
[Figure: structure of SNOW 1.0]

Slide 25: 8. SNOW 2.0
[Figure: structure of SNOW 2.0]

Slide 26: 9. SOBER-t
[Figure: structure of SOBER-t]

Slide 27: 9. SOBER-t
[Figure: S-box. The 32-bit input is partitioned into 8 bits and 24 bits; the SBOX combines the Skipjack S-box (8 bits) and the ISRC, QUT S-box (24 bits); the 8-bit and 24-bit parts form the 32-bit output.]

Slide 28: Evaluation, Phase 1 (D13)
[Table over LEVIATHAN, LILI-128, SOBER-t, SNOW, BMGL; table body not recoverable from the extracted text]
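The linear complexity test of slide 11 (also in the NESSIE toolbox and as test 11 of NIST SP 800-22), worked as an added Python example that is not from the slides or from the NESSIE project: Berlekamp-Massey over GF(2) recovers the shortest LFSR for a keystream sample, and the "prediction" task from the attack classification slide is used as the self-check. The 5-stage LFSR, its seed and the quadratic filter are constructed for illustration and are not LILI-128 or any NESSIE submission.

```python
"""Linear complexity of a keystream via Berlekamp-Massey over GF(2).

Added example, not code from the original slides or from the NESSIE project.
Slide 11 defines the linear complexity test as "assume the PRNG is an LFSR and
find the shortest LFSR that generates the output"; the same test is in the
NESSIE toolbox and is test 11 of NIST SP 800-22.  The 5-stage LFSR and the
quadratic filter below are constructed toys, not LILI-128 or any submission.
"""
from typing import Dict, Iterator, List, Tuple


def berlekamp_massey(bits: List[int]) -> Tuple[int, List[int]]:
    """Return (L, C) for a binary sequence: L is its linear complexity and
    C = [1, c1, ..., cL] the connection polynomial, i.e. for every n >= L
        bits[n] = c1*bits[n-1] ^ c2*bits[n-2] ^ ... ^ cL*bits[n-L].
    """
    n = len(bits)
    c = [1] + [0] * n          # current connection polynomial C(D)
    b = [1] + [0] * n          # B(D): copy of C(D) at the last length change
    L = 0                      # length of the shortest LFSR found so far
    m = -1                     # index at which L last changed
    for i in range(n):
        # discrepancy between the observed bit and the current LFSR's prediction
        d = bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d == 0:
            continue
        t = c[:]
        shift = i - m
        for j in range(n + 1 - shift):          # C(D) ^= D^shift * B(D)
            c[j + shift] ^= b[j]
        if 2 * L <= i:                          # current LFSR is too short
            L = i + 1 - L
            m = i
            b = t
    return L, c[:L + 1]


def predict(prefix: List[int], L: int, C: List[int], count: int) -> List[int]:
    """Clock the LFSR (L, C) forward from `prefix` to predict `count` more bits
    (the "prediction" task of the attack classification slide)."""
    s = list(prefix)
    for _ in range(count):
        nxt = 0
        for j in range(1, L + 1):
            nxt ^= C[j] & s[-j]
        s.append(nxt)
    return s[len(prefix):]


def lfsr_states(taps: List[int], seed: List[int], n: int) -> Iterator[List[int]]:
    """Yield n successive states of a Fibonacci LFSR with recurrence
    s[k] = XOR of s[k - t] for t in taps; state[0] is the oldest bit."""
    s = list(seed)
    size = len(s)
    for _ in range(n):
        yield list(s)
        fb = 0
        for t in taps:
            fb ^= s[size - t]
        s = s[1:] + [fb]


# Constructed toy generator: taps {2, 5} <-> x^5 + x^2 + 1, primitive, period 31.
TAPS = [2, 5]
SEED = [1, 0, 0, 1, 1]


def lfsr_keystream(n: int) -> List[int]:
    """Raw LFSR output: its linear complexity equals the register length (5)."""
    return [st[0] for st in lfsr_states(TAPS, SEED, n)]


def filtered_keystream(n: int) -> List[int]:
    """Output of a toy nonlinear filter z = s[t] ^ (s[t+1] & s[t+3]) on the same
    register, a stand-in for the filter function of a filter generator such as
    LILI-128's f_d.  The quadratic term raises the linear complexity from 5 to
    C(5,1) + C(5,2) = 15 (a period-31 sequence could reach 31)."""
    return [st[0] ^ (st[1] & st[3]) for st in lfsr_states(TAPS, SEED, n)]


def linear_complexity_check(bits: List[int]) -> Dict[str, object]:
    """Run the test on a keystream sample: report L and confirm that the
    recovered LFSR, given only the first 2L bits, predicts all the rest.
    A keystream whose L is small relative to its length fails the test."""
    L, C = berlekamp_massey(bits)
    known = 2 * L
    ok = predict(bits[:known], L, C, len(bits) - known) == bits[known:]
    return {"linear_complexity": L, "polynomial": C,
            "bits_needed_to_predict_rest": known, "prediction_matches": ok}


if __name__ == "__main__":
    for name, ks in (("raw LFSR", lfsr_keystream(64)),
                     ("filtered", filtered_keystream(64))):
        print(name, linear_complexity_check(ks))
```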