Introduction to the Block Cipher KASUMI


Improved Cryptanalysis of the Block Cipher KASUMI
Keting Jia (1), Leibo Li (2), Christian Rechberger (3), Jiazhe Chen (2), Xiaoyun Wang (1,2)
1 Tsinghua University, 2 Shandong University, 3 The Technical University of Denmark

Outline
• Introduction to the Block Cipher KASUMI
  – Brief Description of KASUMI
  – Main Cryptanalysis Results of KASUMI
• Impossible Differential Attacks on 7-round KASUMI
  – Impossible Differential Attack on Last 7-round KASUMI
  – Impossible Differential Attack on First 7-round KASUMI
• Summary

Brief Description of KASUMI
• KASUMI is designed by ETSI SAGE
• Modification of MISTY1
• Widely used in UMTS, GSM and GPRS mobile communications systems
• 8-round Feistel structure
• Block: 64 bits
• Key: 128 bits

Round Function
• Each round is made up of an FL function and an FO function
• FO is a 3-round Feistel structure made up from three FI functions
• The FI functions use two S-boxes S7 and S9
• FL function is a simple key-dependent boolean function
[Figure: the FL function]

Key Schedule
[Figure: the KASUMI key schedule]

Main Cryptanalysis Results of KASUMI
• Previous Results
  – Kühn introduced an impossible differential attack on 6-round KASUMI, EUROCRYPT 2001
  – Blunden et al. gave a related-key differential attack on 6-round KASUMI, FSE 2001
  – Biham et al. introduced related-key boomerang and rectangle attacks on the full 8-round KASUMI, ASIACRYPT 2005
  – Dunkelman et al. proposed a practical related-key attack on the full KASUMI, CRYPTO 2010
• Our Contribution
  – Propose impossible differential attacks on 7-round KASUMI

Impossible Differential Attack
• The impossible differential attack uses a differential that holds with probability 0
• It eliminates the wrong keys which bring about the input and output values of the impossible differential
[Figure: Plaintext → difference α (probability p, subkey K1); Pr(α → β) = 0; difference β → Ciphertext (probability q, subkey K2). K1, K2 are the corresponding subkeys which make the impossible differential hold]

Impossible Differential Attack on Last 7-round KASUMI
• Observation 1. Given a pair of input values $(XO_i, XO_i')$ of the function $FO_i$ with difference $\Delta XO_i = (a_l \| 0)$, where $a_l$ is a 16-bit non-zero value, let $\Delta YO_i$ be the corresponding output difference. Then $\Delta YO_i$ only depends on the 64-bit subkey $(KI_{i,1}, KO_{i,1}, KI_{i,3}, KO_{i,3})$.
• The 6-round attack on KASUMI given by Kühn uses a generic 5-round impossible differential of the Feistel structure: $(0, a) \xrightarrow{5R} (0, a)$ with probability 0
• We select some special impossible differentials to attack the 7-round KASUMI
• For the last 7 rounds, the impossible differential path is $(0, a_l \| 0) \xrightarrow{5R} (0, a_l \| 0)$ with probability 0
• Extend one round forward and backward
[Figure: the 5-round impossible differential extended by one round at each end]
• Data Collection
  – Choose $2^n$ structures of plaintexts, each structure containing $2^{48}$ plaintexts $(L_1, R_1) = (* \| x, * \| *)$, and query their corresponding ciphertexts
  – Store $(L_1, R_1, L_8, R_8)$ in a hash table indexed by the 32-bit value $(L_{1,l} \oplus R_{8,l},\ R_{8,r})$
  – Save the plaintext-ciphertext pairs such that $\Delta L_{1,l} = \Delta R_{8,l}$ and $\Delta R_{8,r} = 0$. There are $2^{n+95-32} = 2^{n+63}$ kept pairs on average
• Key Recovery
  – Take FI as a key-dependent big S-box and build the difference distribution table for each key
  – Considering the key schedule and the definition of the round function, the subkey $(k_4, k_6, k_7, k_8)$ can be deduced by guessing the 48-bit subkey $(k_1, k_2, k_3)$
  [Diagram: deduction chain. $\Delta XO_7, \Delta YL_7$ through $FL_7$ give $\Delta YI_{7,1}$ and $XI_{7,1}$, which through $FI_{7,1}$ give $k_4'$; $\Delta XO_1, \Delta YL_1$ through $FL_1$ give $\Delta YI_{1,1}$ and $XI_{1,1}$, which through $FI_{1,1}$ (with $k_3$) give $k_6'$; $\Delta YL_1$ through $FL_1$ gives $\Delta YI_{1,3}$, which through $FI_{1,3}$ (with $k_1$) and $YI_{1,1}$ gives $k_8$; $\Delta YL_7$ through $FL_7$ gives $\Delta YI_{7,3}$ and $XI_{7,3}$, which through $FI_{7,3}$ give $k_7'$]
  – For each guess of $(k_1, k_2, k_3)$, there are several 64-bit key words $(k_4, k_6, k_7, k_8)$ kept after the $2^{n+63}$-pair filters
  – Search for the remaining 16-bit key word $k_5$
• Complexity Evaluation
  – In the computation of $(k_1, k_2, k_3, k_4, k_6, k_7, k_8)$, there are $3 \cdot 2^{n+63+48}$ accesses to a hash table of size $2^{48}$
  – We need $2^{128} \cdot (1 - \frac{1}{2^{64}})^{2^{n+63}}$ encryptions to exhaustively search $k_5$
  – By balance, $n = 4.5$
  – We need $2^{52.5}$ chosen plaintexts and $2^{114.3}$ encryptions

Impossible Differential Attack on First 7-round KASUMI
• For the first 7 rounds, the impossible differential is $(0, a_l \| a_r) \xrightarrow{5R} (0, a_l \| a_r)$ with probability 0
• Extend one round forward and backward
• Observation 3. Let $a_l \| a_r$ be the input difference of the functions $FL_1$ and $FL_7$, and let the input differences of $FI_{1,2}$ and $FI_{7,2}$ be zero. Then the following equations hold:
  $(a_l \wedge (k_1 \lll 1)) \lll 1 = a_r$ (3)
  $(a_l \wedge (k_7 \lll 1)) \lll 1 = a_r$ (4)
  – This observation is obtained from the definition of the round function and Kühn's observation
  $(X \wedge K) \oplus (X' \wedge K) = \Delta X \wedge K$, $(X \vee K) \oplus (X' \vee K) = \Delta X \oplus (\Delta X \wedge K)$.
• Observation 4. Based on equations (3) and (4), we can get
  $(a_l \lll 1) \vee \neg a_r = \mathtt{0xffff}$ (5)
• Proof
  – Because equations (3) and (4) can be represented as 16 parallel bit equations
  $a_l[j+1] \wedge k_1[j] = a_r[j+2]$, $a_l[j+1] \wedge k_7[j] = a_r[j+2]$,
  – $(a_l[j+1], a_r[j+2]) \in \{(0,0), (1,0), (1,1)\}$
  – Equation (5) holds with probability $(3/4)^{16} = 2^{-6.64}$ when $a_l$ and $a_r$ are chosen from the uniform set $\{0,1\}^{16}$
• The expected number of $(k_1, k_7)$ which make equations (3) and (4) hold together?
  – For each bit equation $a_l[j+1] \wedge k_1[j] = a_r[j+2]$, $a_l[j+1] \wedge k_7[j] = a_r[j+2]$, the solutions are:
    $(a_l[j+1], a_r[j+2])$   $(k_1[j], k_7[j])$
    $(0,0)$                  $(0,0), (0,1), (1,0), (1,1)$
    $(1,0)$                  $(0,0)$
    $(1,1)$                  $(1,1)$
  – The expected number of $(k_1, k_7)$ is $\sum_{j=0}^{16} \binom{16}{j} \left(\frac{1}{3}\right)^j \left(\frac{2}{3}\right)^{16-j} 4^j = 2^{16}$, when for $j = 0, \dots, 15$ each $(a_l[j+1], a_r[j+2])$ is chosen from the uniform set $\{(0,0), (1,0), (1,1)\}$
• This attack is a known plaintext attack
• Data Collection
  – Collect $2^m$ plaintexts $P = (L_0, R_0)$ and the corresponding ciphertexts $C = (L_7, R_7)$, and store the pairs in a hash table indexed by $L_0 \oplus R_7$
  – There are about $2^{2m-33}$ pairs whose input and output differences are $(a_l \| a_r, *)$ and $(*, a_l \| a_r)$
  – Save the pairs whose difference $a_l \| a_r$ satisfies $(a_l \lll 1) \vee \neg a_r = \mathtt{0xffff}$
  – There are about $2^{2m-33} \cdot (3/4)^{16} = 2^{2m-39.64}$ pairs kept on average
• Key Recovery
  [Diagram: deduction chain. $XL_1, XL_7$ through $FL_1, FL_7$ (with $k_1, k_7$ and $\Delta YL_{1,r} = \Delta YL_{7,r} = 0$) give $YL_1, YL_7$, $\Delta XI_{1,1}$ and $XI_{7,1}$; $\Delta XI_{1,1}, \Delta YI_{1,1}$ through $FI_{1,1}$ give $k_5$, and then $(XI_{1,1}, YI_{1,1})$ through $FI_{1,3}$ (with $k_1, k_7$) give $k_8$; $\Delta YI_{7,1}$ and $YI_{7,1}$ (with $XI_{7,1}$) through $FI_{7,1}$ give $k_3$; $YL_{1,l}$ and $XI_{1,1}$ through $FL_1$ give $k_2$; $\Delta YI_{7,3}$ (with $XI_{7,3}$) through $FI_{7,3}$ give $k_6$]
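The bit-level claims of Observations 3 and 4 can be checked directly. The script below is an added example, not the authors' code: it implements FL as defined in the KASUMI specification, assumes the key-schedule relation $KL_{i,1} = k_i \lll 1$ used on the slides, and verifies equations (3) to (5) and the expected count $2^{16}$ of $(k_1, k_7)$ on constructed sample values.

```python
"""Bit-level checks of Observations 3 and 4 (added example, not the slides' code).

FL follows the KASUMI specification; k1 and k7 stand for the key words behind
KL_{1,1} = k1 <<< 1 and KL_{7,1} = k7 <<< 1 (key-schedule relation assumed from
the slides). All sample values below are constructed for illustration.
"""
import random
from fractions import Fraction
from math import comb

MASK16 = 0xFFFF


def rol16(x, n):
    """Rotate a 16-bit word left by n positions."""
    n %= 16
    return ((x << n) | (x >> (16 - n))) & MASK16


def fl(left, right, kl1, kl2):
    """KASUMI FL on a 32-bit input (left || right) with 16-bit subkeys KL1, KL2."""
    right ^= rol16(left & kl1, 1)
    left ^= rol16(right | kl2, 1)
    return left, right


def fl_output_difference(left, right, dl, dr, k, kl2):
    """Output difference of FL_i for a pair with input difference (dl, dr),
    where KL_{i,1} = k <<< 1 and KL_{i,2} is an arbitrary word kl2."""
    kl1 = rol16(k, 1)
    l1, r1 = fl(left, right, kl1, kl2)
    l2, r2 = fl(left ^ dl, right ^ dr, kl1, kl2)
    return l1 ^ l2, r1 ^ r2


def eq3_holds(al, ar, k):
    """Equation (3) (or (4) with k = k7): (a_l AND (k <<< 1)) <<< 1 == a_r."""
    return rol16(al & rol16(k, 1), 1) == ar


def eq5_holds(al, ar):
    """Equation (5): (a_l <<< 1) OR NOT a_r == 0xffff."""
    return (rol16(al, 1) | (~ar & MASK16)) == MASK16


def count_k_bruteforce(al, ar):
    """Number of 16-bit k satisfying (3), found by trying all 2^16 values."""
    return sum(1 for k in range(1 << 16) if eq3_holds(al, ar, k))


def count_key_pairs(al, ar):
    """Number of (k1, k7) satisfying (3) and (4) together, from the per-bit table:
    4 choices of (k1[j], k7[j]) where (a_l[j+1], a_r[j+2]) = (0,0), one choice
    for (1,0) and (1,1), and no solution at all for (0,1)."""
    total = 1
    for j in range(16):
        al_bit = (al >> ((j + 1) % 16)) & 1
        ar_bit = (ar >> ((j + 2) % 16)) & 1
        if (al_bit, ar_bit) == (0, 1):
            return 0
        if (al_bit, ar_bit) == (0, 0):
            total *= 4
    return total


def expected_key_pairs():
    """The slides' expectation sum_{j=0..16} C(16,j) (1/3)^j (2/3)^(16-j) 4^j,
    evaluated exactly; it equals 2^16."""
    return sum(Fraction(comb(16, j)) * Fraction(1, 3) ** j * Fraction(2, 3) ** (16 - j) * 4 ** j
               for j in range(17))


def check_observation3(trials=200, seed=1):
    """Observation 3 on random pairs: the right half of the FL output difference
    (the input difference of FI_{i,2}) is zero exactly when (3) holds, and then
    the full output difference is (a_l, 0)."""
    rng = random.Random(seed)
    for _ in range(trials):
        left, right, kl2 = rng.getrandbits(16), rng.getrandbits(16), rng.getrandbits(16)
        k, al = rng.getrandbits(16), rng.getrandbits(16)
        # Half of the trials force (3) to hold by deriving a_r from a_l and k.
        ar = rol16(al & rol16(k, 1), 1) if rng.random() < 0.5 else rng.getrandbits(16)
        dl, dr = fl_output_difference(left, right, al, ar, k, kl2)
        if (dr == 0) != eq3_holds(al, ar, k):
            return False
        if dr == 0 and dl != al:
            return False
    return True


def check_observation4(trials=20, seed=2):
    """Observation 4: (3) and (4) have a common solution exactly when (5) holds,
    and the per-bit count agrees with brute force (k1 and k7 are independent)."""
    rng = random.Random(seed)
    for _ in range(trials):
        al, ar = rng.getrandbits(16), rng.getrandbits(16)
        pairs = count_key_pairs(al, ar)
        if pairs != count_k_bruteforce(al, ar) ** 2:
            return False
        if (pairs > 0) != eq5_holds(al, ar):
            return False
    return True


if __name__ == "__main__":
    print("Observation 3 verified:", check_observation3())
    print("Observation 4 verified:", check_observation4())
    print("E[#(k1, k7)] =", expected_key_pairs(), "== 2^16:", expected_key_pairs() == 1 << 16)
```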
Impossible Differential Attack on First 7-round KASUMI
• Key Recovery
  – For each guess of $(k_1, k_5, k_7)$, there are several 64-bit key words $(k_2, k_3, k_6, k_8)$ kept after the $2^{2m-55.64}$-pair filters
  – Search for the remaining 16-bit key word $k_4$
• Complexity Evaluation
  – In the computation of $(k_1, k_2, k_3, k_5, k_6, k_7, k_8)$, there are $5 \cdot 2^{2m-55.64+48}$ accesses to the hash table
  – We need $2^{128} \cdot (1 - \frac{1}{2^{64}})^{2^{2m-55.64}}$ encryptions to exhaustively search $k_4$
  – By balance, $m = 62$
  – We need $2^{62}$ known plaintexts and $2^{115.8}$ encryptions

Summary of the Attacks on Reduced KASUMI
Attack Type               | Rounds  | Data           | Time            | Source
Higher-Order Differential | 5       | $2^{22.1}$ CP  | $2^{60.7}$ Enc  | Sugio et al.
Higher-Order Differential | 5       | $2^{28.9}$ CP  | $2^{31.2}$ Enc  | Sugio et al.
Integral-Interpolation    | 6       | $2^{48}$ CP    | $2^{126.2}$ Enc | Sugio et al.
Impossible Differential   | 6       | $2^{55}$ CP    | $2^{100}$ Enc   | Kühn
Impossible Differential   | 7 (2-8) | $2^{52.5}$ CP  | $2^{114.3}$ Enc | Sect. 4
Impossible Differential   | 7 (1-7) | $2^{62}$ KP    | $2^{115.8}$ Enc | Sect. 5
(CP: chosen plaintexts, KP: known plaintexts, Enc: encryptions)

Thanks for your attention! Questions?