DOCSLIB.ORG

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Daniele Micciancio UCSD 1 Integrity and authenticity The goal is to ensure that • M really originates with Alice and not someone else • M has not been modified in transit Daniele Micciancio UCSD 2 Integrity and authenticity example Bob Alice (Bank) Alice Pay $100 to Charlie - Adversary Eve might • Modify \Charlie" to \Eve" • Modify \$100" to \$1000" Integrity prevents such attacks. Daniele Micciancio UCSD 3 Message authentication codes A message authentication code T : Keys × D ! R is a family of functions. The envisaged usage is shown below, where A is the adversary: Keys ?$ K ? ? M - T - T - - T 0 - A V - d - - M0 - We refer to T as the MAC or tag. We have defined 0 0 Algorithm VK (M ; T ) 0 0 If TK (M ) = T then return 1 else return 0 Daniele Micciancio UCSD 4 MAC usage Sender and receiver share key K. To authenticate M, sender transmits (M; T ) where T = TK (M). Upon receiving (M0; T 0), the receiver accepts M0 as authentic iff 0 0 0 0 VK (M ; T ) = 1, or, equivalently, iff TK (M ) = T . Daniele Micciancio UCSD 5 UF-CMA Let T : Keys × D ! R be a message authentication code. Let A be an adversary. Game UFCMAT procedure Initialize procedure Finalize(M; T ) K $ Keys ; S ; If M 2 S then return false procedure Tag(M) If M 62 D then return false Return (T = TK (M)) T TK (M); S S [ fMg return T The uf-cma advantage of adversary A is uf-cma h A i AdvT (A) = Pr UFCMAT ) true Daniele Micciancio UCSD 6 UF-CMA: Explanations Adversary A does not get the key K. It can call Tag with any message M of its choice to get back the correct tag T = TK (M). To win, the adversary A must output a message M 2 D and a tag T that are • Correct: T = TK (M) • New: M 62 S, meaning M was not a query to Tag Interpretation: Tag represents the sender and Finalize represents the receiver. Security means that the adversary can't get the receiver to accept a message that is not authentic, meaning was not already transmitted by the sender. Daniele Micciancio UCSD 7 Exercise: Tag lengths Let T : Keys × D ! f0; 1g` be a message authentication code. Specify in pseudocode an efficient adversary A making zero Tag queries and uf-cma −` achieving AdvT (A) = 2 . Conclusion: Tags have to be long enough. For 80 bit security, tags have to be at least 80 bits. Daniele Micciancio UCSD 8 Example: Basic CBC MAC Let E : f0; 1gk × B ! B be a blockcipher, where B = f0; 1gn. View a message M 2 B∗ as a sequence of n-bit blocks, M = M[1] ::: M[m]. The basic CBC MAC T : f0; 1gk × B∗ ! B is defined by Alg TK (M) C[0] 0n for i = 1;:::; m do C[i] EK (C[i − 1] ⊕ M[i]) return C[m] M[1] M[2] M[m − 1] M[m] EK EK EK EK C[m] = TK (M) Daniele Micciancio UCSD 9 Splicing attack on basic CBC MAC adversary A Alg TK (M) Let x 2 f0; 1gn C[0] 0n T Tag(x) for i = 1;:::; m do 1 M xjjT ⊕ x C[i] E (C[i − 1] ⊕ M[i]) 1 K Return M; T return C[m] 1 Then, xT 1 ⊕ x TK (M) = EK (EK (x) ⊕ T1 ⊕ x) E E K K = EK (T1 ⊕ T1 ⊕ x) = EK (x) T1 T1 = T1 Daniele Micciancio UCSD 10 Insecurity of basic CBC MAC adversary A Alg TK (M) Let x 2 f0; 1gn C[0] 0n T Tag(x) for i = 1;:::; m do 1 M xjjT ⊕ x C[i] E (C[i − 1] ⊕ M[i]) 1 K Return M; T return C[m] 1 uf-cma Then AdvT (A) = 1 and A is efficient, so the basic CBC MAC is not UF-CMA secure. Daniele Micciancio UCSD 11 Exercise Let E: f0; 1gk × f0; 1gn ! f0; 1gn be a blockcipher. Let D = f M 2 f0; 1g∗ : 0 < jMj < n2n and jMj mod n = 0 g : Let T : f0; 1gk × D ! f0; 1gn be defined as follows: Alg TK (M) M[1] ::: M[m] M; M[m + 1] hmi; C[0] 0n For i = 1;:::; m + 1 do C[i] EK (C[i − 1] ⊕ M[i]) T C[m + 1]; return T Above, hmi denotes the n-bit binary representation of the integer m. Show that T is not UF-CMA-secure by presenting in pseudocode a practical adversary A making at most 4 Tag queries and achieving uf-cma AdvT (A) = 1. Daniele Micciancio UCSD 12 Replay Suppose Alice transmits (M1; T1) to Bank where M1 =\Pay $100 to Bob". Adversary • Captures (M1; T1) • Keeps re-transmitting it to bank Result: Bob gets $100, $200, $300,... Our UF-CMA notion of security does not ask for protection against replay, because A will not win if it outputs M; T with M 2 S, even if T = TK (M) is the correct tag. Question: Why not? Answer: Replay is best addressed as an add-on to standard message authentication. Daniele Micciancio UCSD 13 Obviously forgery is possible within a ∆ interval. But the main problem is that TimeA is not authenticated, so adversary can transmit (M; TK (M); Time1); (M; TK (M); Time2);::: for any times Time1; Time2;::: of its choice, and Bob will accept. Preventing Replay Using Timestamps Let TimeA be the time as per Alice's local clock and TimeB the time as per Bob's local clock. • Alice sends (M; TK (M); TimeA) • Bob receives (M; T ; Time) and accepts iff T = TK (M) and jTimeB − Timej ≤ ∆ where ∆ is a small threshold. Does this work? Daniele Micciancio UCSD 14 Preventing Replay Using Timestamps Let TimeA be the time as per Alice's local clock and TimeB the time as per Bob's local clock. • Alice sends (M; TK (M); TimeA) • Bob receives (M; T ; Time) and accepts iff T = TK (M) and jTimeB − Timej ≤ ∆ where ∆ is a small threshold. Does this work? Obviously forgery is possible within a ∆ interval. But the main problem is that TimeA is not authenticated, so adversary can transmit (M; TK (M); Time1); (M; TK (M); Time2);::: for any times Time1; Time2;::: of its choice, and Bob will accept. Daniele Micciancio UCSD 15 Preventing Replay Using Timestamps Let TimeA be the time as per Alice's local clock and TimeB the time as per Bob's local clock. • Alice sends (M; TK (MkTimeA); TimeA) • Bob receives (M; T ; Time) and accepts iff TK (MkTime) = T and jTimeB − Timej ≤ ∆ where ∆ is a small threshold. Daniele Micciancio UCSD 16 Preventing Replay Using Counters Alice maintains a counter ctrA and Bob maintains a counter ctrB . Initially both are zero. • Alice sends (M; TK (MkctrA)) and then increments ctrA • Bob receives (M; T ). If TK (MkctrB ) = T then Bob accepts and increments ctrB . Counters need to stay synchronized. Daniele Micciancio UCSD 17 Any PRF is a MAC If F is PRF-secure then it is also UF-CMA-secure: Theorem [GGM86,BKR96]: Let F : f0; 1gk × D ! f0; 1gn be a family of functions. Let A be a uf-cma adversary making q Tag queries and having running time t. Then there is a prf-adversary B such that 2 Advuf-cma(A) ≤ Advprf (B) + : F F 2n Adversary B makes q + 1 queries to its Fn oracle and has running time t plus some overhead. We do not prove this here, but we give a little intuition. Daniele Micciancio UCSD 18 1 2n because A did not query Fn(x). Intuition for why PRFs are UF-CMA-secure 1 Random functions make good (UF-CMA) MACs 2 PRFs are pretty much as good as random functions For (1), suppose Fn : D ! f0; 1gn is random and consider A who • Can query Fn at any points x1;:::; xq 2 D it likes • To win, must output x; T such that x 2= fx1;:::; xqg but T = Fn(x) Then, Pr[A wins] = Daniele Micciancio UCSD 19 Intuition for why PRFs are UF-CMA-secure 1 Random functions make good (UF-CMA) MACs 2 PRFs are pretty much as good as random functions For (1), suppose Fn : D ! f0; 1gn is random and consider A who • Can query Fn at any points x1;:::; xq 2 D it likes • To win, must output x; T such that x 2= fx1;:::; xqg but T = Fn(x) Then, 1 Pr[A wins] = 2n because A did not query Fn(x). Daniele Micciancio UCSD 20 Intuition for why PRFs are UF-CMA-secure 1 Random functions make good (UF-CMA) MACs 2 PRFs are pretty much as good as random functions For (2), consider A who • Can query FK at any points x1;:::; xq 2 D it likes • To win, must output x; T such that x 2= fx1;:::; xqg but T = FK (x) If Pr[A wins] is significantly more then 2−n then we are detecting a difference between FK and a random function. Daniele Micciancio UCSD 21 PRF domain extension A family of functions F : Keys × D ! R is • FIL (Fixed-input-length) if D = f0; 1g` for some ` • VIL (Variable-input-length) if D is a \large" set like D = f0; 1g∗ or D = f M 2 f0; 1g∗ : 0 < jMj < n2n and jMj mod n = 0 g : for some n ≥ 1 or ... We have families we are willing to assume are PRFs, namely blockciphers and compression functions, but they are FIL.
Load more

Recommended publications
  • Introduction to Public Key Cryptography and Clock Arithmetic Lecture Notes for Access 2010, by Erin Chamberlain and Nick Korevaar
    1 Introduction to Public Key Cryptography and Clock Arithmetic Lecture notes for Access 2010, by Erin Chamberlain and Nick Korevaar We’ve discussed Caesar Shifts and other mono-alphabetic substitution ciphers, and we’ve seen how easy it can be to break these ciphers by using frequency analysis. If Mary Queen of Scots had known this, perhaps she would not have been executed. It was a long time from Mary Queen of Scots and substitution ciphers until the end of the 1900’s. Cryptography underwent the evolutionary and revolutionary changes which Si- mon Singh chronicles in The Code Book. If you are so inclined and have appropriate leisure time, you might enjoy reading Chapters 2-5, to learn some of these historical cryptography highlights: People came up with more complicated substitution ciphers, for example the Vigen`ere square. This Great Cipher of France baffled people for quite a while but a de- termined cryptographer Etienne Bazeries had a Eureka moment after three years of work, cracked the code, and possibly found the true identity of the Man in the Iron Mask, one of the great mysteries of the seventeeth century. Edgar Allan Poe and Sir Arthur Conan Doyle even dabbled in cryptanalysis. Secrecy was still a problem though because the key needed to be sent, and with the key anyone could encrypt and decrypt the messages. Frequency analysis was used to break all of these codes. In 1918 Scherbius invented his Enigma machine, but Alan Turing’s machine (the first computer?) helped in figuring out that supposedly unbreakable code, and hastened the end of the second World War.
    [Show full text]
  • The Mathemathics of Secrets.Pdf
    THE MATHEMATICS OF SECRETS THE MATHEMATICS OF SECRETS CRYPTOGRAPHY FROM CAESAR CIPHERS TO DIGITAL ENCRYPTION JOSHUA HOLDEN PRINCETON UNIVERSITY PRESS PRINCETON AND OXFORD Copyright c 2017 by Princeton University Press Published by Princeton University Press, 41 William Street, Princeton, New Jersey 08540 In the United Kingdom: Princeton University Press, 6 Oxford Street, Woodstock, Oxfordshire OX20 1TR press.princeton.edu Jacket image courtesy of Shutterstock; design by Lorraine Betz Doneker All Rights Reserved Library of Congress Cataloging-in-Publication Data Names: Holden, Joshua, 1970– author. Title: The mathematics of secrets : cryptography from Caesar ciphers to digital encryption / Joshua Holden. Description: Princeton : Princeton University Press, [2017] | Includes bibliographical references and index. Identifiers: LCCN 2016014840 | ISBN 9780691141756 (hardcover : alk. paper) Subjects: LCSH: Cryptography—Mathematics. | Ciphers. | Computer security. Classification: LCC Z103 .H664 2017 | DDC 005.8/2—dc23 LC record available at https://lccn.loc.gov/2016014840 British Library Cataloging-in-Publication Data is available This book has been composed in Linux Libertine Printed on acid-free paper. ∞ Printed in the United States of America 13579108642 To Lana and Richard for their love and support CONTENTS Preface xi Acknowledgments xiii Introduction to Ciphers and Substitution 1 1.1 Alice and Bob and Carl and Julius: Terminology and Caesar Cipher 1 1.2 The Key to the Matter: Generalizing the Caesar Cipher 4 1.3 Multiplicative Ciphers 6
    [Show full text]
  • The Enigma History and Mathematics
    The Enigma History and Mathematics by Stephanie Faint A thesis presented to the University of Waterloo in fulfilment of the thesis requirement for the degree of Master of Mathematics m Pure Mathematics Waterloo, Ontario, Canada, 1999 @Stephanie Faint 1999 I hereby declare that I am the sole author of this thesis. I authorize the University of Waterloo to lend this thesis to other institutions or individuals for the purpose of scholarly research. I further authorize the University of Waterloo to reproduce this thesis by pho­ tocopying or by other means, in total or in part, at the request of other institutions or individuals for the purpose of scholarly research. 11 The University of Waterloo requires the signatures of all persons using or pho­ tocopying this thesis. Please sign below, and give address and date. ill Abstract In this thesis we look at 'the solution to the German code machine, the Enigma machine. This solution was originally found by Polish cryptologists. We look at the solution from a historical perspective, but most importantly, from a mathematical point of view. Although there are no complete records of the Polish solution, we try to reconstruct what was done, sometimes filling in blanks, and sometimes finding a more mathematical way than was originally found. We also look at whether the solution would have been possible without the help of information obtained from a German spy. IV Acknowledgements I would like to thank all of the people who helped me write this thesis, and who encouraged me to keep going with it. In particular, I would like to thank my friends and fellow grad students for their support, especially Nico Spronk and Philippe Larocque for their help with latex.
    [Show full text]
  • Encryption Is Futile: Delay Attacks on High-Precision Clock Synchronization 1
    R. ANNESSI, J. FABINI, F.IGLESIAS, AND T. ZSEBY: ENCRYPTION IS FUTILE: DELAY ATTACKS ON HIGH-PRECISION CLOCK SYNCHRONIZATION 1 Encryption is Futile: Delay Attacks on High-Precision Clock Synchronization Robert Annessi, Joachim Fabini, Felix Iglesias, and Tanja Zseby Institute of Telecommunications TU Wien, Austria Email: fi[email protected] Abstract—Clock synchronization has become essential to mod- endanger control decisions, and adversely affect the overall ern societies since many critical infrastructures depend on a functionality of a wide range of (critical) services that depend precise notion of time. This paper analyzes security aspects on accurate time. of high-precision clock synchronization protocols, particularly their alleged protection against delay attacks when clock syn- In recent years, security of clock synchronization received chronization traffic is encrypted using standard network security increased attention as various attacks on clock synchronization protocols such as IPsec, MACsec, or TLS. We use the Precision protocols (and countermeasures) were proposed. For this Time Protocol (PTP), the most widely used protocol for high- reason, clock synchronization protocols need to be secured precision clock synchronization, to demonstrate that statistical whenever used outside of fully trusted network environments. traffic analysis can identify properties that support selective message delay attacks even for encrypted traffic. We furthermore Clock synchronization protocols are specifically susceptible to identify a fundamental conflict in secure clock synchronization delay attacks since the times when messages are sent and between the need of deterministic traffic to improve precision and received have an actual effect on the receiver’s notion of the need to obfuscate traffic in order to mitigate delay attacks.
    [Show full text]
  • Towards Low Energy Stream Ciphers
    IACR Transactions on Symmetric Cryptology ISSN 2519-173X, Vol. 2018, No. 2, pp. 1–19. DOI:10.13154/tosc.v2018.i2.1-19 Towards Low Energy Stream Ciphers Subhadeep Banik1, Vasily Mikhalev2, Frederik Armknecht2, Takanori Isobe3, Willi Meier4, Andrey Bogdanov5, Yuhei Watanabe6 and Francesco Regazzoni7 1 Security and Cryptography Laboratory (LASEC), École Polytechnique Fédérale de Lausanne, Lausanne, Switzerland [email protected] 2 University of Mannheim, Mannheim, Germany {mikhalev,armknecht}@uni-mannheim.de 3 University of Hyogo, Hyogo, Japan [email protected] 4 University of Applied Sciences and Arts Northwestern Switzerland (FHNW), Windisch, Switzerland [email protected] 5 Department of Applied Mathematics and Computer Science (DTU Compute), Technical University of Denmark, Kongens Lyngby, Denmark [email protected] 6 National Institute of Advanced Industrial Science and Technology, Osaka, Japan [email protected] 7 Università della Svizzera italiana (USI), Lugano, Switzerland [email protected] Abstract. Energy optimization is an important design aspect of lightweight cryptog- raphy. Since low energy ciphers drain less battery, they are invaluable components of devices that operate on a tight energy budget such as handheld devices or RFID tags. At Asiacrypt 2015, Banik et al. presented the block cipher family Midori which was designed to optimize the energy consumed per encryption and which reduces the energy consumption by more than 30% compared to previous block ciphers. However, if one has to encrypt/decrypt longer streams of data, i.e. for bulk data encryption/decryption, it is expected that a stream cipher should perform even better than block ciphers in terms of energy required to encrypt.
    [Show full text]
  • Design of an Efficient Architecture for Advanced Encryption Standard Algorithm Using Systolic Structures
    International Conference of High Performance Computing (HiPC 2005) Design of an Efficient Architecture for Advanced Encryption Standard Algorithm Using Systolic Structures 1Suresh Sharma, 2T S B Sudarshan 1Student, Computer Science & Engineering, IIT, Khragpur 2 Assistant Professor, Computer Science & Information Systems, BITS, Pilani. fashion and communication with the memory or Abstract: external devices occurs only through the boundary This Paper presents a systolic architecture for cells. Advanced Encryption standard (AES). Use of systolic The architecture uses similarities of encryption and architecture has improved the hardware complexity decryption to provide a high level of performance and the rate of encryption/decryption. Similarities of while keeping the chip size small. The architecture encryption and decryption are used to provide a high is highly regular and scalable. The key size can performance using an efficient architecture. The easily be changed from 128 to 192 or 256 bits by efficiency of the design is quite high due to use of making very few changes in the design. short and balanced combinational paths in the design. The paper is organized as follows. Section 2 gives a The encryption or decryption rate is 3.2-Bits per brief overview of the AES algorithm. In section 3, a clock-cycle and due to the use of pipelined systolic summary of available AES architecture is given and architecture and balanced combinational paths the proposed AES hardware architecture is maximum clock frequency for the design is quite described. The performance of the architecture is high. compared with other implementations in section 4. Concluding remarks are given in section 5. Index terms:- Advanced Encryption standard (AES), Systolic Architecture, processing elements, 2.
    [Show full text]
  • Cumulative Message Authentication Codes for Resource
    1 Cumulative Message Authentication Codes for Resource-Constrained IoT Networks He Li, Vireshwar Kumar, Member, IEEE, Jung-Min (Jerry) Park, Fellow, IEEE, and Yaling Yang, Member, IEEE Abstract—In resource-constrained IoT networks, the use of problems: the computational burden on the devices for gen- conventional message authentication codes (MACs) to provide erating/verifying the MAC, and the additional communication message authentication and integrity is not possible due to the overhead incurred due to the inclusion of the MAC in each large size of the MAC output. A straightforward yet naive solution to this problem is to employ a truncated MAC which message frame/packet. The first problem can be addressed by undesirably sacrifices cryptographic strength in exchange for using dedicated hardware and cryptographic accelerators [11], reduced communication overhead. In this paper, we address this [31]. However, the second problem is not as easy to address. problem by proposing a novel approach for message authentica- tion called Cumulative Message Authentication Code (CuMAC), Problem. The cryptographic strength of a MAC depends which consists of two distinctive procedures: aggregation and on the cryptographic strength of the underlying cryptographic accumulation. In aggregation, a sender generates compact au- primitive (e.g. a hash or block cipher), the size and quality of thentication tags from segments of multiple MACs by using a systematic encoding procedure. In accumulation, a receiver the key, and the size of the MAC output. Hence, a conventional accumulates the cryptographic strength of the underlying MAC MAC scheme typically employs at least a few hundred bits by collecting and verifying the authentication tags.
    [Show full text]
  • Implementation of Symmetric Algorithms on a Synthesizable 8-Bit Microcontroller Targeting Passive RFID Tags
    Implementation of Symmetric Algorithms on a Synthesizable 8-Bit Microcontroller Targeting Passive RFID Tags Thomas Plos, Hannes Groß, and Martin Feldhofer Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, 8010 Graz, Austria {Thomas.Plos,Martin.Feldhofer}@iaik.tugraz.at, [email protected] Abstract. The vision of the secure Internet-of-Things is based on the use of security-enhanced RFID technology. In this paper, we describe the implementation of symmetric-key primitives on passive RFID tags. Our approach uses a fully synthesizable 8-bit microcontroller that executes, in addition to the communication protocol, also various cryptographic algorithms. The microcontroller was designed to fulfill the fierce con- straints concerning chip area and power consumption in passive RFID tags. The architecture is flexible in terms of used program size and the number of used registers which allows an evaluation of various algorithms concerning their required resources. We analyzed the block ciphers AES, SEA, Present and XTEA as well as the stream cipher Trivium. The achieved results show that our approach is more efficient than other ded- icated microcontrollers and even better as optimized hardware modules when considering the combination of controlling tasks on the tag and executing cryptographic algorithms. Keywords: passive RFID tags, 8-bit microcontroller, symmetric-key al- gorithms, low-resource hardware implementation. 1 Introduction Radio frequency identification (RFID) is the enabler technology for the future Internet-of-Things (IoT), which allows objects to communicate with each other. The ability to uniquely identify objects opens the door for a variety of new applications.
    [Show full text]
  • Authenticated Network Time Synchronization
    Authenticated Network Time Synchronization Benjamin Dowling, Queensland University of Technology; Douglas Stebila, McMaster University; Greg Zaverucha, Microsoft Research https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/dowling This paper is included in the Proceedings of the 25th USENIX Security Symposium August 10–12, 2016 • Austin, TX ISBN 978-1-931971-32-4 Open access to the Proceedings of the 25th USENIX Security Symposium is sponsored by USENIX Authenticated Network Time Synchronization Benjamin Dowling Douglas Stebila Queensland University of Technology McMaster University [email protected] [email protected] Greg Zaverucha Microsoft Research [email protected] Abstract sends a single UDP packet to a server (the request), who responds with a single packet containing the time (the The Network Time Protocol (NTP) is used by many response). The response contains the time the request was network-connected devices to synchronize device time received by the server, as well as the time the response with remote servers. Many security features depend on the was sent, allowing the client to estimate the network delay device knowing the current time, for example in deciding and set their clock. If the network delay is symmetric, i.e., whether a certificate is still valid. Currently, most services the travel time of the request and response are equal, then implement NTP without authentication, and the authen- the protocol is perfectly accurate. Accuracy means that tication mechanisms available in the standard have not the client correctly synchronizes its clock with the server been formally analyzed, require a pre-shared key, or are (regardless of whether the server clock is accurate in the known to have cryptographic weaknesses.
    [Show full text]
  • New Attack Strategy for the Shrinking Generator
    New Attack Strategy for the Shrinking Generator Pino Caballero-Gil1, Amparo Fúster-Sabater2 and M. Eugenia Pazo-Robles3 1 Faculty of Mathematics. University of La Laguna, 38271 La Laguna, Tenerife, Spain. [email protected] 2 Institute of Applied Physics. Spanish High Council for Scientific Research. Serrano, 144, 28006, Madrid, Spain [email protected] 3 Argentine Business University, Lima 717, Buenos Aires, Argentina. [email protected] Abstract. This work shows that the cryptanalysis of the shrinking generator requires fewer intercepted bits than what indicated by the linear complexity. Indeed, whereas the linear complexity of shrunken sequences is between A ⋅ 2(S-2) and A ⋅ 2(S-1), we claim that the initial states of both component registers are easily computed with less than A ⋅ S shrunken bits. Such a result is proven thanks to the definition of shrunken sequences as interleaved sequences. Consequently, it is conjectured that this statement can be extended to all interleaved sequences. Furthermore, this paper confirms that certain bits of the interleaved sequences have a greater strategic importance than others, which may be considered as a proof of weakness of interleaved generators. Keywords: Cryptanalysis, Stream Cipher ACM Classification: E.3 (Data Encryption), B.6.1 (Design Styles) 1 Introduction Stream ciphers are considered nowadays the fastest encryption procedures. Consequently, they are implemented in many practical applications e.g. the algorithms A5 in GSM communications (GSM), the encryption system E0 in Bluetooth specifications (Bluetooth) or the algorithm RC4 (Rivest, 1998) used in SSL, WEP and Microsoft Word and Excel. From a short secret key (known only by the two interested parties) and a public algorithm (the sequence generator), a stream cipher procedure is based on the generation of a long sequence of seemingly random bits.
    [Show full text]
  • Breaking Trivium Stream Cipher Implemented in ASIC Using Experimental Attacks and DFA
    sensors Article Breaking Trivium Stream Cipher Implemented in ASIC Using Experimental Attacks and DFA Francisco Eugenio Potestad-Ordóñez * , Manuel Valencia-Barrero , Carmen Baena-Oliva , Pilar Parra-Fernández and Carlos Jesús Jiménez-Fernández Departament of Electronic Technology, University of Seville, Virgen de Africa 7, 41011 Seville, Spain; [email protected] (M.V.-B.); [email protected] (C.B.-O.); [email protected] (P.P.-F.); [email protected] (C.J.J.-F.) * Correspondence: [email protected] Received: 1 November 2020; Accepted: 1 December 2020; Published: 3 December 2020 Abstract: One of the best methods to improve the security of cryptographic systems used to exchange sensitive information is to attack them to find their vulnerabilities and to strengthen them in subsequent designs. Trivium stream cipher is one of the lightweight ciphers designed for security applications in the Internet of things (IoT). In this paper, we present a complete setup to attack ASIC implementations of Trivium which allows recovering the secret keys using the active non-invasive technique attack of clock manipulation, combined with Differential Fault Analysis (DFA) cryptanalysis. The attack system is able to inject effective transient faults into the Trivium in a clock cycle and sample the faulty output. Then, the internal state of the Trivium is recovered using the DFA cryptanalysis through the comparison between the correct and the faulty outputs. Finally, a backward version of Trivium was also designed to go back and get the secret keys from the initial internal states. The key recovery has been verified with numerous simulations data attacks and used with the experimental data obtained from the Application Specific Integrated Circuit (ASIC) Trivium.
    [Show full text]
  • Enigma Cipher Machine Simulator 7.0.5
    ENIGMA CIPHER MACHINE SIMULATOR 7.0.5 About the Enigma Simulator The German Enigma machine is the most famous example of the battle between codemakers and codebreakers. Never before has the fate of so many lives been so influenced by one cryptographic machine, as the Enigma did in the Second World War. The story of Enigma combines technology, military history, espionage, codebreaking and intelligence into a real thriller. This software is an exact simulation of the 3-rotor Heer (Army) and Luftwaffe (Airforce) Wehrmacht Enigma I, the Kriegsmarine (wartime Navy) Enigma M3 and the famous 4-rotor Enigma M4, as they were used during World War II from 1939 until 1945. The internal wiring of all rotors is identical to those used by the Heer, Luftwaffe and Kriegsmarine. This simulator is therefore fully compatible with the real Enigma machine and you can decipher original messages and encipher your own messages. You can use the Enigma simulator in exactly the same way as a German signal trooper would have done during WW2. The hands-on approach and realistic graphics ensure an authentic feeling. You can open the machine, change the internal settings, select rotors from the spare box, preset their ring settings, insert them into the machine and set the plugboard. The sounds are recorded from an actual Enigma machine. This manual explains how to use the Enigma simulator, the message procedures as used by the German Armed Forces, including some authentic message examples, a complete technical description and a brief history of the Enigma. More information on the Enigma machine is found at the Cipher Machines & Cryptology website: http://users.telenet.be/d.rijmenants This manual is copyrighted.
    [Show full text]