DOCSLIB.ORG

New Developments in Cryptology Outline Outline Block Ciphers AES

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
New Developments in Cryptology Outline Outline Block Ciphers AES New Developments in Cryptography March 2012 Bart Preneel Outline New developments in cryptology • 1. Cryptology: concepts and algorithms Prof. Bart Preneel • 2. Cryptology: protocols COSIC • 3. Public-Key Infrastructure principles Bart.Preneel(at)esatDOTkuleuven.be • 4. Networking protocols http://homes.esat.kuleuven.be/~preneel • 5. New developments in cryptology March 2012 • 6. Cryptography best practices © Bart Preneel. All rights reserved 1 2 Outline Block ciphers P1 P2 P3 • Block ciphers/stream ciphers • Hash functions/MAC algorithms block block block • Modes of operation and authenticated cipher cipher cipher encryption • How to encrypt/sign using RSA C1 C2 C3 • Multi-party computation • larger data units: 64…128 bits •memoryless • Concluding remarks • repeat simple operation (round) many times 3 3-DES: NIST Spec. Pub. 800-67 AES (2001) (May 2004) S S S S S S S S S S S S S S S S • Single DES abandoned round • two-key triple DES: until 2009 (80 bit security) • three-key triple DES: until 2030 (100 bit security) round MixColumnsS S S S MixColumnsS S S S MixColumnsS S S S MixColumnsS S S S hedule Highly vulnerable to a c round • Block length: 128 bits related key attack • Key length: 128-192-256 . Key S Key . bits round A $ 10M machine that cracks a DES Clear DES DES-1 DES %^C& key in 1 second would take 149 trillion text @&^( years to crack a 128-bit key 1 23 1 New Developments in Cryptography March 2012 Bart Preneel AES variants (2001) AES implementations: • AES-128 • AES-192 • AES-256 efficient/compact • 10 rounds • 12 rounds • 14 rounds • sensitive • classified • secret and top • NIST validation list: 1953 implementations (2008: 879) secret plaintext plaintext plaintext http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html round round. round [‘05] dule • HW: 43 Gbit/s in 130 nm CMOS ) . ule le 8 . e . round . round • Intel: new AES instruction: 0.75 cycles/byte [’09-’10] Key (12 Key . round round (192) Key . • SW: 7.6 cycles/byte on Core 2 or 110 Mbyte/s bitsliced Key (256) Key Key Sch Key . [Käsper-Schwabe’09] Key Sched Key round . Key Schedu Key round • HW: most compact: 3600 gates Light weight key schedule, in particular for the 256-bit version – KATAN: 1054, PRESENT: 1570 AES: security AES-256 security • Exhaustive key search on AES-256 takes 2256 encryptions • cryptanalysis: no attack has been found that can –264: 10 minutes with $ 5M exploit this structure (in spite of the algebraic –280: 2 year with $ 5M “attack” [Courtois’02]) –2120 : 1 billion years with $ 5B • [Biryukov-Khovratovich’09] related key attack on AES-256 • implementation level attack – requires 2119 encryptions with 4 related key s, – data & time complexity 2119 << 2256 – cache attack precluded by bitsliced implementations • Why does it work? Very lightweight key schedule or by special hardware support – fault attack requires special countermeasures • Is AES-256 broken? No, only an academic “weakness” that is easy to fix • No implications on security of AES-128 for encryption • Do not use AES-256 in a hash function construction What is a related key attack? Should I worry about a related key attack? • Attacker chooses plaintexts and key difference C • Very hard in practice (except some old US banking • Attacker gets ciphertexts schemes and IBM control vectors) • Task: find the key C • If you are vulnerable to a related key attack, you are making very bad implementation mistakes plaintext1 plaintext2 plaintext1 • This is a very powerful attack round round model: if an opponent can round zeroize 96 key bits of his round round round choice (rather than adding a round round round value), he can find the key in h Key (256) Key . Key (256) Key Key (256) Key . a few seconds . Key Schedule Key . Schedule Key Key Schedule Key round round round • If you are worried, hashing the key is an easy fix ciphertext1 ciphertext2 ciphertext1 2 New Developments in Cryptography March 2012 Bart Preneel Related key attacks on AES-256 and KASUMI KASUMI (2002) Security level in bits Exhaustive search AES [Biryukov- • Widely used in all 3G phones 300 Khovratovich’09] 4 related keys • Present in 40% of GSM phones but not 250 data & time yet used 200 comppylexity Ex haus tive search KASUMI 2119 << 2256 150 100 • Good news: related key attacks do not Practical [Dunkelman- 50 Keller-Shamir’10] apply in in the GSM or 3G context Related key 0 attack: 4 keys, 0 58 1014 15 226 data & 232 rounds time << 2128 KASUMI New announcement: August 2011 [Dunkelman-Keller-Shamir’09] [Bogdanov-Khovratovich-Rechberger] • Practical related key attack announced in • No related keys (attack in 2005) December 2009 on the block cipher KASUMI used in 3GPP • For AES-128: with 288 plaintext/ciphertext pairs, – 4 re ltdklated keys, 226 dtdata, 230 btbytes o f memory, an d the effective key size can be reduced by 2 bits 232 time (AES-126) • It is not possible to carry out this attack in 3G • For AES-192: only 280 plaintext/ciphertext pairs (as related keys are not available) • For AES-256: only 240 plaintext/ciphertext pairs Very minor impact on security and very hard to extend Synchronous Stream Cipher (SSC) Stream ciphers IV state IV state init init • historically very important (compact) – LFSR-based: A5/1, A5/2, E0 – practical attacks K next K next known state state – software-oriented: RC4 – serious weaknesses function function – block cipher in CTR or OFB (slower) • today: output output – many broken schemes function “looks” function random – exception: SNOW2.0, MUGI P C P – lack of standards and open solutions 18 3 New Developments in Cryptography March 2012 Bart Preneel GSM GSM • A5/1 weak • growing number of open source tools to intercept: – [Barkan+03] requires seconds (software not available so requires math) GnuRAdio, Airprobe, OpenBTS – [Nohl10]: Kraken = 2 Terabyte of Rainbow tables • but needs more work (1-2 years?) http://reflextor.com/trac/a51 • A5/2 trivially weak (milliseconds) – withdrawn in 2007 (took 8 years) • A5/3 (= Kasumi) seems ok but slow adoption (even if in 1.2 billion out of 3 billion handsets) • Simpler attacks on GSM – eavesdrop after base station (always cleartext) – switch off encryption (can be detected) – SMS of death GSM International • China: • be careful when rolling out 2-factor – ZUC as 3rd algorithm in LTE (also SMII, SMIII) – National Cryptography Industry Standards Technical Committee authentication via SMS established on 19/10/2011 • war texting hacks on car systems and mod 231 − 1 215 217 221 220 12+ 8 S S S S S S S S S S S S S S S S SCADA systems [Black Hat, Aug’11] 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 X X X 0 X1 2 3 R1 R2 Every algorithm used in L L 1 2 China needs to be designed in China intercepting mobile phone traffic is illegal • US: NIST is very active in standardization Open competition for stream ciphers The eSTREAM Portfolio http://www.ecrypt.eu.org Apr. 2008 (Rev1 Sept. 2008) (in alphabetical order) • run by ECRYPT – high performance in software (32/64-bit): 128-bit key Software Hardware – low-gate count hardware (< 1000 gates): 80-bit key – variants: authenticated encryption HC-128 F-FCSR-H • April 2005: 33 submissions Rabbit Grain v1 • many broken in first year • April 2008: end of competition Salsa20/12 MICKEY v2 Sosemanuk Trivium 3-10 cycles per byte 1500..3000 gates 23 24 4 New Developments in Cryptography March 2012 Bart Preneel Performance reference data Rogue CA attack (Pentium M 1.70GHz Model 6/9/5) [Sotirov-Stevens-Appelbaum-Lenstra-Molnar-Osvik-de Weger ’08] request user cert; by special encryption speed (cycles/byte) Self-signed collision this results in a fake CA root key 120 cert (need to predict serial number 100 + validity period) 80 CA1 CA2 Rogue CA 60 key setup (cycles) 40 35000 impact: rogue CA that User1 User2 User x 20 30000 can issue certs that are 25000 0 trusted by all RC4 HC-128 DES 3-DES AES 20000 15000 browsers 10000 5000 0 6 CAs have issued certificates signed with MD5 in 2008: RC4 HC- DES 3-DES AES 128 Rapid SSL, Free SSL (free trial certificates offered by RapidSSL), 26 26 25 TC TrustCenter AG, RSA Data Security, Verisign.co.jp Low cost hw: throughput versus area Hash functions [Bogdanov+08,Sugawara+08] (100 KHz clock, technology in multiples of 10 nm) 900 Protect short hash value rather • collision resistance GRAIN[8] (13) Trivium[8](13) than long text • preimage resistance ) 800 Enocoro-80[8](18) nd 700 •2 preimage resistance Kbps 600 ( mCRYPTON-96/128 (13) t u 500 CLEFIA (9) This is an input to a crypto- hp 400 graphic hash function. The input g PRESENT-128 (18) 300 is a very long string, that is PICCOLO-128 reduced by the hash function to a HIGHT (25) TDEA (9) string of fixed length. There are 200 1A3FD4128A198FB3CA345932 GOST (18) (13)Trivium(13) additional security conditions: it h Throu GRAIN 100 SEA (13) AES (13) should be very hard to find an KATAN (18) (18) AES (35) input hashing to a given value (a KTANTAN (18) TEA MISTY1 (18) preimage) or to find two colliding 0 PRESENT-80 (18) inputs (a collision). PRINTcipher-960 1000 2000 3000 4000 5000 6000 (18) LED-128 (18) Gate equivalents 27 The complexity of collision attacks SHA-1 • SHA designed by NIST (NSA) in ‘93 Brute force: 4 million PCs or US$ 100K hardware (1 year) • redesign after 2 years (’95) to SHA-1 90 90 80 80 [Wang+’05] 70 MD4 70 [Mendel+’08] 60 [Manuel+’09] MD5 60 [Wang+’04] 50 SHA-0 50 40 [McDonald+’09] SHA-1 SHA-1 40 30 30 20 Brute force 20 10 Largely unpublished/withdrawn 10 0 0 92 94 96 00 02 06 10 19 1992 19 19 1998 20 20 2004 20 2008 20 2003 2004 2005 2006 2007 2008 2009 2010 Prediction: collision for SHA-1 in the next 12-18
Load more

Recommended publications
  • A Differential Fault Attack on MICKEY
    A Differential Fault Attack on MICKEY 2.0 Subhadeep Banik and Subhamoy Maitra Applied Statistics Unit, Indian Statistical Institute Kolkata, 203, B.T. Road, Kolkata-108. s.banik [email protected], [email protected] Abstract. In this paper we present a differential fault attack on the stream cipher MICKEY 2.0 which is in eStream's hardware portfolio. While fault attacks have already been reported against the other two eStream hardware candidates Trivium and Grain, no such analysis is known for MICKEY. Using the standard assumptions for fault attacks, we show that if the adversary can induce random single bit faults in the internal state of the cipher, then by injecting around 216:7 faults and performing 232:5 computations on an average, it is possible to recover the entire internal state of MICKEY at the beginning of the key-stream generation phase. We further consider the scenario where the fault may affect at most three neighbouring bits and in that case we require around 218:4 faults on an average. Keywords: eStream, Fault attacks, MICKEY 2.0, Stream Cipher. 1 Introduction The stream cipher MICKEY 2.0 [4] was designed by Steve Babbage and Matthew Dodd as a submission to the eStream project. The cipher has been selected as a part of eStream's final hardware portfolio. MICKEY is a synchronous, bit- oriented stream cipher designed for low hardware complexity and high speed. After a TMD tradeoff attack [16] against the initial version of MICKEY (ver- sion 1), the designers responded by tweaking the design by increasing the state size from 160 to 200 bits and altering the values of some control bit tap loca- tions.
    [Show full text]
  • LNCS 9065, Pp
    Combined Cache Timing Attacks and Template Attacks on Stream Cipher MUGI Shaoyu Du1,4, , Zhenqi Li1, Bin Zhang1,2, and Dongdai Lin3 1 Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing, China 2 State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing, China 3 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China 4 University of Chinese Academy of Sciences, Beijing, China du [email protected] Abstract. The stream cipher MUGI was proposed by Hitachi, Ltd. in 2002 and it was specified as ISO/IEC 18033-4 for keystream genera- tion. Assuming that noise-free cache timing measurements are possible, we give the cryptanalysis of MUGI under the cache attack model. Our simulation results show that we can reduce the computation complexity of recovering all the 1216-bits internal state of MUGI to about O(276) when it is implemented in processors with 64-byte cache line. The at- tack reveals some new inherent weaknesses of MUGI’s structure. The weaknesses can also be used to conduct a noiseless template attack of O(260.51 ) computation complexity to restore the state of MUGI. And then combining these two attacks we can conduct a key-recovery attack on MUGI with about O(230) computation complexity. To the best of our knowledge, it is the first time that the analysis of cache timing attacks and template attacks are applied to full version of MUGI and that these two classes of attacks are combined to attack some cipher.
    [Show full text]
  • Reconsidering the Security Bound of AES-GCM-SIV
    Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Reconsidering the Security Bound of AES-GCM-SIV Tetsu Iwata1 and Yannick Seurin2 1Nagoya University, Japan 2ANSSI, France March 7, 2018 — FSE 2018 T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 1 / 26 Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Summary of the contribution • we reconsider the security of the AEAD scheme AES-GCM-SIV designed by Gueron, Langley, and Lindell • we identify flaws in the designers’ security analysis and propose a new security proof • our findings leads to significantly reduced security claims, especially for long messages • we propose a simple modification to the scheme (key derivation function) improving security without efficiency loss T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 2 / 26 Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Summary of the contribution • we reconsider the security of the AEAD scheme AES-GCM-SIV designed by Gueron, Langley, and Lindell • we identify flaws in the designers’ security analysis and propose a new security proof • our findings leads to significantly reduced security claims, especially for long messages • we propose a simple modification to the scheme (key derivation function) improving security without efficiency loss T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 2 / 26 Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Summary of the contribution • we reconsider the security of the AEAD scheme AES-GCM-SIV designed by Gueron, Langley, and Lindell • we identify flaws in the designers’ security analysis and propose a new security proof • our findings leads to significantly reduced security claims, especially for long messages • we propose a simple modification to the scheme (key derivation function) improving security without efficiency loss T.
    [Show full text]
  • (SMC) MODULE of RC4 STREAM CIPHER ALGORITHM for Wi-Fi ENCRYPTION
    InternationalINTERNATIONAL Journal of Electronics and JOURNAL Communication OF Engineering ELECTRONICS & Technology (IJECET),AND ISSN 0976 – 6464(Print), ISSN 0976 – 6472(Online), Volume 6, Issue 1, January (2015), pp. 79-85 © IAEME COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET) ISSN 0976 – 6464(Print) IJECET ISSN 0976 – 6472(Online) Volume 6, Issue 1, January (2015), pp. 79-85 © IAEME: http://www.iaeme.com/IJECET.asp © I A E M E Journal Impact Factor (2015): 7.9817 (Calculated by GISI) www.jifactor.com VHDL MODELING OF THE SRAM MODULE AND STATE MACHINE CONTROLLER (SMC) MODULE OF RC4 STREAM CIPHER ALGORITHM FOR Wi-Fi ENCRYPTION Dr.A.M. Bhavikatti 1 Mallikarjun.Mugali 2 1,2Dept of CSE, BKIT, Bhalki, Karnataka State, India ABSTRACT In this paper, VHDL modeling of the SRAM module and State Machine Controller (SMC) module of RC4 stream cipher algorithm for Wi-Fi encryption is proposed. Various individual modules of Wi-Fi security have been designed, verified functionally using VHDL-simulator. In cryptography RC4 is the most widely used software stream cipher and is used in popular protocols such as Transport Layer Security (TLS) (to protect Internet traffic) and WEP (to secure wireless networks). While remarkable for its simplicity and speed in software, RC4 has weaknesses that argue against its use in new systems. It is especially vulnerable when the beginning of the output key stream is not discarded, or when nonrandom or related keys are used; some ways of using RC4 can lead to very insecure cryptosystems such as WEP . Many stream ciphers are based on linear feedback shift registers (LFSRs), which, while efficient in hardware, are less so in software.
    [Show full text]
  • Statistical Weaknesses in 20 RC4-Like Algorithms and (Probably) the Simplest Algorithm Free from These Weaknesses - VMPC-R
    Statistical weaknesses in 20 RC4-like algorithms and (probably) the simplest algorithm free from these weaknesses - VMPC-R Bartosz Zoltak www.vmpcfunction.com [email protected] Abstract. We find statistical weaknesses in 20 RC4-like algorithms including the original RC4, RC4A, PC-RC4 and others. This is achieved using a simple statistical test. We found only one algorithm which was able to pass the test - VMPC-R. This algorithm, being approximately three times more complex then RC4, is probably the simplest RC4-like cipher capable of producing pseudo-random output. Keywords: PRNG; CSPRNG; RC4; VMPC-R; stream cipher; distinguishing attack 1 Introduction RC4 is a popular and one of the simplest symmetric encryption algorithms. It is also probably one of the easiest to modify. There is a bunch of RC4 modifications out there. But is improving the old RC4 really as simple as it appears to be? To state the contrary we confront 20 candidates (including the original RC4) against a simple statistical test. In doing so we try to support four theses: 1. Modifying RC4 is easy to do but it is hard to do well. 2. Statistical weaknesses in almost all RC4-like algorithms can be easily found using a simple test discussed in this paper. 3. The only RC4-like algorithm which was able to pass the test was VMPC-R. It is approximately three times more complex than RC4. We believe that any algorithm simpler than VMPC-R would most likely fail the test. 4. Before introducing a new RC4-like algorithm it might be a good idea to run the statistical test described in this paper.
    [Show full text]
  • State of the Art in Lightweight Symmetric Cryptography
    State of the Art in Lightweight Symmetric Cryptography Alex Biryukov1 and Léo Perrin2 1 SnT, CSC, University of Luxembourg, [email protected] 2 SnT, University of Luxembourg, [email protected] Abstract. Lightweight cryptography has been one of the “hot topics” in symmetric cryptography in the recent years. A huge number of lightweight algorithms have been published, standardized and/or used in commercial products. In this paper, we discuss the different implementation constraints that a “lightweight” algorithm is usually designed to satisfy. We also present an extensive survey of all lightweight symmetric primitives we are aware of. It covers designs from the academic community, from government agencies and proprietary algorithms which were reverse-engineered or leaked. Relevant national (nist...) and international (iso/iec...) standards are listed. We then discuss some trends we identified in the design of lightweight algorithms, namely the designers’ preference for arx-based and bitsliced-S-Box-based designs and simple key schedules. Finally, we argue that lightweight cryptography is too large a field and that it should be split into two related but distinct areas: ultra-lightweight and IoT cryptography. The former deals only with the smallest of devices for which a lower security level may be justified by the very harsh design constraints. The latter corresponds to low-power embedded processors for which the Aes and modern hash function are costly but which have to provide a high level security due to their greater connectivity. Keywords: Lightweight cryptography · Ultra-Lightweight · IoT · Internet of Things · SoK · Survey · Standards · Industry 1 Introduction The Internet of Things (IoT) is one of the foremost buzzwords in computer science and information technology at the time of writing.
    [Show full text]
  • Cryptography
    Cryptography From Wikipedia, the free encyclopedia Jump to: navigation, search "Secret code" redirects here. For the Aya Kamiki album, see Secret Code. German Lorenz cipher machine, used in World War II to encrypt very-high-level general staff messages Cryptography (or cryptology; from Greek κρυπτός, kryptos, "hidden, secret"; and γράφ, gráph, "writing", or -λογία, -logia, respectively)[1] is the practice and study of hiding information. Modern cryptography intersects the disciplines of mathematics, computer science, and engineering. Applications of cryptography include ATM cards, computer passwords, and electronic commerce. Cryptology prior to the modern age was almost synonymous with encryption, the conversion of information from a readable state to nonsense. The sender retained the ability to decrypt the information and therefore avoid unwanted persons being able to read it. Since WWI and the advent of the computer, the methods used to carry out cryptology have become increasingly complex and its application more widespread. Alongside the advancement in cryptology-related technology, the practice has raised a number of legal issues, some of which remain unresolved. Contents [hide] • 1 Terminology • 2 History of cryptography and cryptanalysis o 2.1 Classic cryptography o 2.2 The computer era • 3 Modern cryptography o 3.1 Symmetric-key cryptography o 3.2 Public-key cryptography o 3.3 Cryptanalysis o 3.4 Cryptographic primitives o 3.5 Cryptosystems • 4 Legal issues o 4.1 Prohibitions o 4.2 Export controls o 4.3 NSA involvement o 4.4 Digital rights management • 5 See also • 6 References • 7 Further reading • 8 External links [edit] Terminology Until modern times cryptography referred almost exclusively to encryption, which is the process of converting ordinary information (plaintext) into unintelligible gibberish (i.e., ciphertext).[2] Decryption is the reverse, in other words, moving from the unintelligible ciphertext back to plaintext.
    [Show full text]
  • Ensuring Fast Implementations of Symmetric Ciphers on the Intel Pentium 4 and Beyond
    This may be the author’s version of a work that was submitted/accepted for publication in the following source: Henricksen, Matthew& Dawson, Edward (2006) Ensuring Fast Implementations of Symmetric Ciphers on the Intel Pentium 4 and Beyond. Lecture Notes in Computer Science, 4058, Article number: AISP52-63. This file was downloaded from: https://eprints.qut.edu.au/24788/ c Consult author(s) regarding copyright matters This work is covered by copyright. Unless the document is being made available under a Creative Commons Licence, you must assume that re-use is limited to personal use and that permission from the copyright owner must be obtained for all other uses. If the docu- ment is available under a Creative Commons License (or other specified license) then refer to the Licence for details of permitted re-use. It is a condition of access that users recog- nise and abide by the legal requirements associated with these rights. If you believe that this work infringes copyright please provide details by email to [email protected] Notice: Please note that this document may not be the Version of Record (i.e. published version) of the work. Author manuscript versions (as Sub- mitted for peer review or as Accepted for publication after peer review) can be identified by an absence of publisher branding and/or typeset appear- ance. If there is any doubt, please refer to the published source. https://doi.org/10.1007/11780656_5 Ensuring Fast Implementations of Symmetric Ciphers on the Intel Pentium 4 and Beyond Matt Henricksen and Ed Dawson Information Security Institute, Queensland University of Technology, GPO Box 2434, Brisbane, Queensland, 4001, Australia.
    [Show full text]
  • Security Evaluation of the K2 Stream Cipher
    Security Evaluation of the K2 Stream Cipher Editors: Andrey Bogdanov, Bart Preneel, and Vincent Rijmen Contributors: Andrey Bodganov, Nicky Mouha, Gautham Sekar, Elmar Tischhauser, Deniz Toz, Kerem Varıcı, Vesselin Velichkov, and Meiqin Wang Katholieke Universiteit Leuven Department of Electrical Engineering ESAT/SCD-COSIC Interdisciplinary Institute for BroadBand Technology (IBBT) Kasteelpark Arenberg 10, bus 2446 B-3001 Leuven-Heverlee, Belgium Version 1.1 | 7 March 2011 i Security Evaluation of K2 7 March 2011 Contents 1 Executive Summary 1 2 Linear Attacks 3 2.1 Overview . 3 2.2 Linear Relations for FSR-A and FSR-B . 3 2.3 Linear Approximation of the NLF . 5 2.4 Complexity Estimation . 5 3 Algebraic Attacks 6 4 Correlation Attacks 10 4.1 Introduction . 10 4.2 Combination Generators and Linear Complexity . 10 4.3 Description of the Correlation Attack . 11 4.4 Application of the Correlation Attack to KCipher-2 . 13 4.5 Fast Correlation Attacks . 14 5 Differential Attacks 14 5.1 Properties of Components . 14 5.1.1 Substitution . 15 5.1.2 Linear Permutation . 15 5.2 Key Ideas of the Attacks . 18 5.3 Related-Key Attacks . 19 5.4 Related-IV Attacks . 20 5.5 Related Key/IV Attacks . 21 5.6 Conclusion and Remarks . 21 6 Guess-and-Determine Attacks 25 6.1 Word-Oriented Guess-and-Determine . 25 6.2 Byte-Oriented Guess-and-Determine . 27 7 Period Considerations 28 8 Statistical Properties 29 9 Distinguishing Attacks 31 9.1 Preliminaries . 31 9.2 Mod n Cryptanalysis of Weakened KCipher-2 . 32 9.2.1 Other Reduced Versions of KCipher-2 .
    [Show full text]
  • New Developments in Cryptology Outline Outline How NOT to Use A
    New Developments in Cryptography February 2007 Bart Preneel Outline New developments in cryptology • 1. Cryptology: protocols – identification/entity authentication – key establishment Prof. Bart Preneel • 2. Public Key Infrastructures COSIC Bart.Preneel(at)esatDOTkuleuven.be • 3. Secure Networking protocols http://homes.esat.kuleuven.be/~preneel – Internet Security: email, web, IPSEC, SSL • 4. Using cryptography well • 5. New developments in cryptology © Bart Preneel. All rights reserved Outline How to use cryptographic algorithms • Modes of operation • Modes of operation • Padding and error messages • The hash function disaster • Authenticated encryption • How to encrypt using RSA • Algorithm: secure design and • How to encrypt with RSA implementation • Obfuscation • SPAM fighting How NOT to use a block cipher: ECB mode An example plaintext P1 P2 P3 block block block cipher cipher cipher C1 C2 C3 1 New Developments in Cryptography February 2007 Bart Preneel Encrypted with substitution and transposition cipher Encrypted with AES in ECB and CBC mode How to use a block cipher: CBC mode CBC mode decryption P1 P2 P3 P1 P2 P3 IV IV AES AES AES AES-1 AES-1 AES-1 C1 C2 C3 C1 C2 C3 What if IV is constant? CBC with incomplete plaintext (1) Plaintext length P2’ P3’ 1 byte P1 in bytes IV P1 P2 P3|| 0000..0 IV AES AES AES C1 C2’ C3’ AES AES AES Repetition in P results in repetition in C: ⇒ information leakage need random and secret IV C1 C2 C3 2 New Developments in Cryptography February 2007 Bart Preneel CBC with incomplete plaintext (2) CBC with
    [Show full text]
  • RC4-2S: RC4 Stream Cipher with Two State Tables
    RC4-2S: RC4 Stream Cipher with Two State Tables Maytham M. Hammood, Kenji Yoshigoe and Ali M. Sagheer Abstract One of the most important symmetric cryptographic algorithms is Rivest Cipher 4 (RC4) stream cipher which can be applied to many security applications in real time security. However, RC4 cipher shows some weaknesses including a correlation problem between the public known outputs of the internal state. We propose RC4 stream cipher with two state tables (RC4-2S) as an enhancement to RC4. RC4-2S stream cipher system solves the correlation problem between the public known outputs of the internal state using permutation between state 1 (S1) and state 2 (S2). Furthermore, key generation time of the RC4-2S is faster than that of the original RC4 due to less number of operations per a key generation required by the former. The experimental results confirm that the output streams generated by the RC4-2S are more random than that generated by RC4 while requiring less time than RC4. Moreover, RC4-2S’s high resistivity protects against many attacks vulnerable to RC4 and solves several weaknesses of RC4 such as distinguishing attack. Keywords Stream cipher Á RC4 Á Pseudo-random number generator This work is based in part, upon research supported by the National Science Foundation (under Grant Nos. CNS-0855248 and EPS-0918970). Any opinions, findings and conclusions or recommendations expressed in this material are those of the author (s) and do not necessarily reflect the views of the funding agencies or those of the employers. M. M. Hammood Applied Science, University of Arkansas at Little Rock, Little Rock, USA e-mail: [email protected] K.
    [Show full text]
  • Stream Cipher Designs: a Review
    SCIENCE CHINA Information Sciences March 2020, Vol. 63 131101:1–131101:25 . REVIEW . https://doi.org/10.1007/s11432-018-9929-x Stream cipher designs: a review Lin JIAO1*, Yonglin HAO1 & Dengguo FENG1,2* 1 State Key Laboratory of Cryptology, Beijing 100878, China; 2 State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China Received 13 August 2018/Accepted 30 June 2019/Published online 10 February 2020 Abstract Stream cipher is an important branch of symmetric cryptosystems, which takes obvious advan- tages in speed and scale of hardware implementation. It is suitable for using in the cases of massive data transfer or resource constraints, and has always been a hot and central research topic in cryptography. With the rapid development of network and communication technology, cipher algorithms play more and more crucial role in information security. Simultaneously, the application environment of cipher algorithms is in- creasingly complex, which challenges the existing cipher algorithms and calls for novel suitable designs. To accommodate new strict requirements and provide systematic scientific basis for future designs, this paper reviews the development history of stream ciphers, classifies and summarizes the design principles of typical stream ciphers in groups, briefly discusses the advantages and weakness of various stream ciphers in terms of security and implementation. Finally, it tries to foresee the prospective design directions of stream ciphers. Keywords stream cipher, survey, lightweight, authenticated encryption, homomorphic encryption Citation Jiao L, Hao Y L, Feng D G. Stream cipher designs: a review. Sci China Inf Sci, 2020, 63(3): 131101, https://doi.org/10.1007/s11432-018-9929-x 1 Introduction The widely applied e-commerce, e-government, along with the fast developing cloud computing, big data, have triggered high demands in both efficiency and security of information processing.
    [Show full text]