DOCSLIB.ORG

Physical Attacks and Countermeasures on the Advanced Encryption Standard

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Physical Attacks and Countermeasures on the Advanced Encryption Standard PHYSICAL ATTACKS AND COUNTERMEASURES ON THE ADVANCED ENCRYPTION STANDARD DISSERTATION for the degree of Doktor-Ingenieur of the Faculty of Electrical Engineering and Information Technology at the Ruhr-Universitat¨ Bochum, Germany by Oliver Marc Mischke Bochum, April 2015 Copyright © 2015 by Oliver Marc Mischke. All rights reserved. Printed in Germany. To Elfi, Norbert, and Melanie Oliver Marc Mischke Place of birth: Frankfurt am Main, Germany Author’s contact information: [email protected] http://www.sha.rub.de/ Thesis Advisor: Prof. Dr.-Ing. Tim G¨uneysu Ruhr-Universit¨atBochum, Germany Secondary Referee: Prof. Dr.-Ing. Stefan Mangard Graz Universtity of Technology, Austria Tertiary Referee: Dr. Amir Moradi Ruhr-Universit¨atBochum, Germany Thesis submitted: April 14, 2015 Thesis defense: May 18, 2015 Last revision: May 2, 2016 v Abstract With the increasing pervasion of embedded computing devices in our everyday life, there arises also the need to protect these devices by means of strong cryptography. This may either be required to protect the intellectual property of a vendor, secure confidentiality of sensitive data, or to establish secure means of communication. The preferred cryptographic algorithm in many – especially commercial – applications is the Advanced Encryption Standard (AES). It was selected in 2001 by the National Institute of Standards and Technology (NIST) in a public competition, whose aim was to find the most suitable successor to the outdated Data Encryption Standard (DES) algorithm. Due to the short key size and low performance in software implementations, DES could no longer satisfy the requirements imposed by many applications. While AES remains a very secure algorithm considering a black-box attack scenario, care has to be taken when designing a physical implementation for embedded devices. Since these devices are in the field and must therefore be considered as operating in a hostile environment, they are susceptible to a multitude of physical attacks. This includes passive attacks like measuring the data-dependent power consumption while computing on sensitive data (so-called power analysis), and also active attacks where the device is forced into faulty behavior by being operated outside the defined operating conditions (e.g., clock or voltage spikes). Many countermeasures have been proposed to protect implementations of AES against those attacks, but the resistance of these countermeasures when deployed on actual hard- ware is seldom evaluated in sufficient detail. For example, even recently, some coun- termeasures were proposed claiming resistance to power analysis purely considering a Hamming Distance (HD) leakage metric on registers. Considering that glitches in un- derlying hardware gates are a major reason for the leakage of supposedly masked data, designs based on such a pure HD metric can never provide a sufficient level of protection when implemented in hardware. This dissertation aims to address the problems arising from the practical utilization of the theoretical countermeasures in hardware implementations. We have evaluated the suitability of several countermeasure proposals for achieving a high level of resistance when implemented on FPGAs. Using collision attacks, we are able to detect leakages without relying on hypothetical power models, which are usually not able to adequately capture real device behavior. We also propose a new technique on how to implement a Boolean masking scheme in a glitch-free manner making use of special FPGA resources and characteristics. In addition, we present new variants of an active fault attack. They allow the recovery of data-dependent timing behavior of S-boxes and can thereby extract the secrets. It is also shown how a Zero-Value vulnerability in S-boxes implemented using a composite field approach can be exploited to break implementations even if they are equipped with sophisticated error detection schemes. Keywords. Physical Attacks, Side-Channel Attacks, Side-Channel Countermeasures, Power Analysis, Fault Analysis, Advanced Encryption Standard (AES), Masking Schemes, Concurrent Error Detection (CED), Collision Attacks, Fault Sensitivity Analysis (FSA), Glitches. viii Kurzfassung Physikalische Angriffe und Gegenmaßnahmen auf die Advanced Encryption Standard Blockchiffre Mit der fortschreitenden Verbreitung von eingebetteten Prozessoren in Ger¨aten des t¨aglichen Gebrauchs, w¨achst auch der Bedarf diese mittels starker Kryptographie zu schutzen.¨ Dies kann sowohl zum Schutz des geistigen Eigentums, der Vertraulichkeit sen- sibler Nutzerdaten, als auch zur Etablierung sicherer Kommunikationskan¨ale erforderlich sein. Der bevorzugte Algorithmus, vor allem fur¨ gewerbliche Anwendungen, ist der Advan- ced Encryption Standard (AES). AES wurde im Jahre 2001 vom National Institute of Standards and Technology (NIST) nach einem ¨offentlichen Wettkampf als am besten ge- eigneter Nachfolger des Data Encryption Standard (DES) ausgew¨ahlt. DES wurde Auf- grund einer zu geringen Schlussell¨ ¨ange sowie unzureichender Ausfuhrungsgeschwindigkeit¨ in Softwareimplementierungen aktuellen und zukunftigen¨ Anforderungen nicht mehr ge- recht. Zwar ist AES als mathematisch hochsicher anzusehen, bei physischen Realisierungen des Algorithmus in Hardware ergibt sich jedoch ein anderes Bild. Da sich die Ger¨ate in der Hand des Nutzers befinden ergeben sich eine Vielzahl an M¨oglichkeiten physika- lische Angriffe durchzufuhren.¨ Ein Beispiel fur¨ einen passiven Angriff ist die Messung des datenabh¨angigen Stromverbrauchs w¨ahrend Ver- und Entschlusselungsoperationen¨ durchgefuhrt¨ werden (Stromprofilanalyse). Auch aktive Angriffe, wie beispielsweise die M¨oglichkeit uber¨ Spannungsspitzen eine fehlerhafte Berechnung im Ger¨at zu erzwingen (Fehlerinjektionsangriffe), sind in diesen Einsatzgebieten durchfuhrbar.¨ Zwar wurden in der Vergangenheit bereits zahlreiche Gegenmaßnahmen vorgestellt um physikalische Angriffe auf AES Implementierungen zu erschweren, jedoch wurde die Wirk- samkeit in der Praxis h¨aufig nur unzureichend untersucht. Erst vor kurzem wurde eine Gegenmaßnahme pr¨asentiert, deren Sicherheit auf der Annahme beruht, dass nur der dy- namische Stromverbrauch beim Uberschreiben¨ von Registern in der Schaltung zu schutzen¨ ist. Vor dem Hintergrund, dass einer der Hauptgrunde¨ fur¨ die Unsicherheit von eigentlich geschutzten¨ Implementierungen physikalische Effekte auf Gatter-Ebene sind, kann eine solche Gegenmaßnahme nicht die Erwartungen erfullen.¨ Der Fokus dieser Dissertation liegt auf der praktischen Untersuchung der oftmals nur theoretisch fundierten Gegenmaßnahmen. Es wird das erreichbare Sicherheitsniveau einer Vielzahl von Gegenmaßnahmen auf rekonfigurierbaren Hardware Plattformen (FPGAs) evaluiert. Mit Hilfe von Kollisionsangriffen war es m¨oglich auch solche Informationslecks zu finden, welche nicht bekannten theoretischen Modellen entsprechen. Einer der For- schungsbeitr¨age dieser Dissertation ist eine neue Implementierungstechnik, mit welcher kryptographische Schaltungen in FPGAs sicher realisiert werden k¨onnen. Zus¨atzlich werden zwei neuartige Varianten eines aktiven Fehlerinjektionsangriffes pr¨asen- tiert, welcher es erm¨oglicht die datenabh¨angige Laufzeit von Signalen in kryptographi- schen S-boxen zu ermitteln und so die Implementierung zu brechen. Ebenso wird demons- triert, wie mittels einer speziellen Schwachstelle von S-boxen, welche in einem Erweite- rungsk¨orper implementiert wurden, die Schlusselextraktion¨ sogar in solchen F¨allen ge- lingt, in denen Implementierungen mit speziellen Fehlerdetektionsalgorithmen geschutzt¨ sind. Schlagworte. Physikalische Angriffe, Seitenkanalangriffe, Seitenkanalgegenmaßnahmen, Stromprofil- analyse, Fehleranalyse, Advanced Encryption Standard (AES), Maskierungsschemata, Fehlerdetektion, Kollisionsangriffe, Fault Sensitivity Analysis (FSA), Glitches. x Acknowledgements This thesis is the outcome of three and a half years in the Hardware Security group (SHA) of the Horst G¨ortzInstitute for IT-Security (HGI), Ruhr University Bochum (RUB). I found not only colleagues and co-authors, but also close friends who made sure that my time in and outside the university was always enjoyable. Same is true for everyone in the Embedded Security group (EMSEC), with whom we shared the office space. Thanks to all of you for a wonderful time, I will not forget you! Special thanks go to my advisor Tim G¨uneysu, who accepted me as PhD student when I wanted to leave industry to pursue an academic career. A big shout-out also to Amir Moradi, who took me with him on his exciting journey of side-channel research. Thanks a lot to both of you, without your guidance and support I would not be who I am today. I would also like to thank Stefan Mangard for taking his time being my secondary referee and providing me excellent feedback on my thesis. Our groups would not have been the same without our non-scientific staff; Irmgard K¨uhn and Horst Edelmann, who kept a lot of administrative or technical issues away from us so that we could focus on the science. Thanks for all your support and for always providing kind words when needed. Another special shout-out goes to Elif Kavun and Alexander Wild, who endured sharing offices with me and made sure that we always had fun no matter how close the next deadline was. This thesis would also not have been possible without the help of all my co-authors (in alphabetical order): Georg Becker, Wayne Burleson, Benedikt Driessen, Thomas Eisen- barth, Tim G¨uneysu,Markus Kasper, Elif Kavun, Yang Li, Amir Moradi, Kazuo Ohta,
Load more

Recommended publications
  • A Novel and Highly Efficient AES Implementation Robust Against Differential Power Analysis Massoud Masoumi K
    A Novel and Highly Efficient AES Implementation Robust against Differential Power Analysis Massoud Masoumi K. N. Toosi University of Tech., Tehran, Iran [email protected] ABSTRACT been proposed. Unfortunately, most of these techniques are Developed by Paul Kocher, Joshua Jaffe, and Benjamin Jun inefficient or costly or vulnerable to higher-order attacks in 1999, Differential Power Analysis (DPA) represents a [6]. They include randomized clocks, memory unique and powerful cryptanalysis technique. Insight into encryption/decryption schemes [7], power consumption the encryption and decryption behavior of a cryptographic randomization [8], and decorrelating the external power device can be determined by examining its electrical power supply from the internal power consumed by the chip. signature. This paper describes a novel approach for Moreover, the use of different hardware logic, such as implementation of the AES algorithm which provides a complementary logic, sense amplifier based logic (SABL), significantly improved strength against differential power and asynchronous logic [9, 10] have been also proposed. analysis with a minimal additional hardware overhead. Our Some of these techniques require about twice as much area method is based on randomization in composite field and will consume twice as much power as an arithmetic which entails an area penalty of only 7% while implementation that is not protected against power attacks. does not decrease the working frequency, does not alter the For example, the technique proposed in [10] adds area 3 algorithm and keeps perfect compatibility with the times and reduces throughput by a factor of 4. Another published standard. The efficiency of the proposed method is masking which involves ensuring the attacker technique was verified by practical results obtained from cannot predict any full registers in the system without real implementation on a Xilinx Spartan-II FPGA.
    [Show full text]
  • Security Evaluation of the K2 Stream Cipher
    Security Evaluation of the K2 Stream Cipher Editors: Andrey Bogdanov, Bart Preneel, and Vincent Rijmen Contributors: Andrey Bodganov, Nicky Mouha, Gautham Sekar, Elmar Tischhauser, Deniz Toz, Kerem Varıcı, Vesselin Velichkov, and Meiqin Wang Katholieke Universiteit Leuven Department of Electrical Engineering ESAT/SCD-COSIC Interdisciplinary Institute for BroadBand Technology (IBBT) Kasteelpark Arenberg 10, bus 2446 B-3001 Leuven-Heverlee, Belgium Version 1.1 | 7 March 2011 i Security Evaluation of K2 7 March 2011 Contents 1 Executive Summary 1 2 Linear Attacks 3 2.1 Overview . 3 2.2 Linear Relations for FSR-A and FSR-B . 3 2.3 Linear Approximation of the NLF . 5 2.4 Complexity Estimation . 5 3 Algebraic Attacks 6 4 Correlation Attacks 10 4.1 Introduction . 10 4.2 Combination Generators and Linear Complexity . 10 4.3 Description of the Correlation Attack . 11 4.4 Application of the Correlation Attack to KCipher-2 . 13 4.5 Fast Correlation Attacks . 14 5 Differential Attacks 14 5.1 Properties of Components . 14 5.1.1 Substitution . 15 5.1.2 Linear Permutation . 15 5.2 Key Ideas of the Attacks . 18 5.3 Related-Key Attacks . 19 5.4 Related-IV Attacks . 20 5.5 Related Key/IV Attacks . 21 5.6 Conclusion and Remarks . 21 6 Guess-and-Determine Attacks 25 6.1 Word-Oriented Guess-and-Determine . 25 6.2 Byte-Oriented Guess-and-Determine . 27 7 Period Considerations 28 8 Statistical Properties 29 9 Distinguishing Attacks 31 9.1 Preliminaries . 31 9.2 Mod n Cryptanalysis of Weakened KCipher-2 . 32 9.2.1 Other Reduced Versions of KCipher-2 .
    [Show full text]
  • Fast Correlation Attacks: Methods and Countermeasures
    Fast Correlation Attacks: Methods and Countermeasures Willi Meier FHNW, Switzerland Abstract. Fast correlation attacks have considerably evolved since their first appearance. They have lead to new design criteria of stream ciphers, and have found applications in other areas of communications and cryp- tography. In this paper, a review of the development of fast correlation attacks and their implications on the design of stream ciphers over the past two decades is given. Keywords: stream cipher, cryptanalysis, correlation attack. 1 Introduction In recent years, much effort has been put into a better understanding of the design and security of stream ciphers. Stream ciphers have been designed to be efficient either in constrained hardware or to have high efficiency in software. A synchronous stream cipher generates a pseudorandom sequence, the keystream, by a finite state machine whose initial state is determined as a function of the secret key and a public variable, the initialization vector. In an additive stream cipher, the ciphertext is obtained by bitwise addition of the keystream to the plaintext. We focus here on stream ciphers that are designed using simple devices like linear feedback shift registers (LFSRs). Such designs have been the main tar- get of correlation attacks. LFSRs are easy to implement and run efficiently in hardware. However such devices produce predictable output, and cannot be used directly for cryptographic applications. A common method aiming at destroy- ing the predictability of the output of such devices is to use their output as input of suitably designed non-linear functions that produce the keystream. As the attacks to be described later show, care has to be taken in the choice of these functions.
    [Show full text]
  • Effects of Architecture on Information Leakage of a Hardware Advanced Encryption Standard Implementation Eric A
    Air Force Institute of Technology AFIT Scholar Theses and Dissertations Student Graduate Works 9-13-2012 Effects of Architecture on Information Leakage of a Hardware Advanced Encryption Standard Implementation Eric A. Koziel Follow this and additional works at: https://scholar.afit.edu/etd Part of the Computer and Systems Architecture Commons, and the Information Security Commons Recommended Citation Koziel, Eric A., "Effects of Architecture on Information Leakage of a Hardware Advanced Encryption Standard Implementation" (2012). Theses and Dissertations. 1127. https://scholar.afit.edu/etd/1127 This Thesis is brought to you for free and open access by the Student Graduate Works at AFIT Scholar. It has been accepted for inclusion in Theses and Dissertations by an authorized administrator of AFIT Scholar. For more information, please contact [email protected]. EFFECTS OF ARCHITECTURE ON INFORMATION LEAKAGE OF A HARDWARE ADVANCED ENCRYPTION STANDARD IMPLEMENTATION THESIS Eric A. Koziel AFIT/GCO/ENG/12-25 DEPARTMENT OF THE AIR FORCE AIR UNIVERSITY AIR FORCE INSTITUTE OF TECHNOLOGY Wright-Patterson Air Force Base, Ohio APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED The views expressed in this thesis are those of the author and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the United States Government. This material is declared a work of the U.S. Government and is not subject to copyright protection in the United States. AFIT/GCO/ENG/12-25 EFFECTS OF ARCHITECTURE ON INFORMATION LEAKAGE OF A HARDWARE ADVANCED ENCRYPTION STANDARD IMPLEMENTATION THESIS Presented to the Faculty Department of Electrical & Computer Engineering Graduate School of Engineering and Management Air Force Institute of Technology Air University Air Education and Training Command In Partial Fulfillment of the Requirements for the Degree of Master of Science in Cyber Operations Eric A.
    [Show full text]
  • Security in the GSM Network
    Security in the GSM network Marcin Olawski [email protected] Abstract The GSM network is the biggest IT network on the Earth. Most of their users are connected to this network 24h a day but not many knows anything abut GSM security, how it works and how good it is. Most people blindly trust GSM security and send by the network not only theirs very private conversations and text messages but also their current location. This paper will describe how that information is guarded in 2G networks and how much of it an attacker can access without our permission or knowledge. Introduction As of June 30, 2010, 1.967 billion1 people use the Internet, according to Internet World Stats. Most of them heard at least once some terms related to internet security, like anti-virus, worm, firewall, spyware and so forth. In comparison, in July 2010 GSM Association announced that the number of global mobile connections has surpassed the 5 billion mark. Because of multiple SIM ownership there is always a lag between connections and subscribers, but it does not change the fact that far more people use GSM then the Internet. At the same time, how many of those subscribers know anything about GSM security? Have you ever hear terms like Ki number, temporary mobile subscriber identity or the A5 algorithm? For example, any IT specialist knows that it is easy to forge an e-mail, but not everyone is aware that spoofing someone's phone number is even easier. Any IT expert knows that even in correctly protected WLAN when an IP package reaches the Internet it will be travelling unencrypted.
    [Show full text]
  • Stream Cipher Designs: a Review
    SCIENCE CHINA Information Sciences March 2020, Vol. 63 131101:1–131101:25 . REVIEW . https://doi.org/10.1007/s11432-018-9929-x Stream cipher designs: a review Lin JIAO1*, Yonglin HAO1 & Dengguo FENG1,2* 1 State Key Laboratory of Cryptology, Beijing 100878, China; 2 State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China Received 13 August 2018/Accepted 30 June 2019/Published online 10 February 2020 Abstract Stream cipher is an important branch of symmetric cryptosystems, which takes obvious advan- tages in speed and scale of hardware implementation. It is suitable for using in the cases of massive data transfer or resource constraints, and has always been a hot and central research topic in cryptography. With the rapid development of network and communication technology, cipher algorithms play more and more crucial role in information security. Simultaneously, the application environment of cipher algorithms is in- creasingly complex, which challenges the existing cipher algorithms and calls for novel suitable designs. To accommodate new strict requirements and provide systematic scientific basis for future designs, this paper reviews the development history of stream ciphers, classifies and summarizes the design principles of typical stream ciphers in groups, briefly discusses the advantages and weakness of various stream ciphers in terms of security and implementation. Finally, it tries to foresee the prospective design directions of stream ciphers. Keywords stream cipher, survey, lightweight, authenticated encryption, homomorphic encryption Citation Jiao L, Hao Y L, Feng D G. Stream cipher designs: a review. Sci China Inf Sci, 2020, 63(3): 131101, https://doi.org/10.1007/s11432-018-9929-x 1 Introduction The widely applied e-commerce, e-government, along with the fast developing cloud computing, big data, have triggered high demands in both efficiency and security of information processing.
    [Show full text]
  • Higher Order Correlation Attacks, XL Algorithm and Cryptanalysis of Toyocrypt
    Higher Order Correlation Attacks, XL Algorithm and Cryptanalysis of Toyocrypt Nicolas T. Courtois Cryptography research, Schlumberger Smart Cards, 36-38 rue de la Princesse, BP 45, 78430 Louveciennes Cedex, France http://www.nicolascourtois.net [email protected] Abstract. Many stream ciphers are built of a linear sequence generator and a non-linear output function f. There is an abundant literature on (fast) correlation attacks, that use linear approximations of f to attack the cipher. In this paper we explore higher degree approximations, much less studied. We reduce the cryptanalysis of a stream cipher to solv- ing a system of multivariate equations that is overdefined (much more equations than unknowns). We adapt the XL method, introduced at Eurocrypt 2000 for overdefined quadratic systems, to solving equations of higher degree. Though the exact complexity of XL remains an open problem, there is no doubt that it works perfectly well for such largely overdefined systems as ours, and we confirm this by computer simula- tions. We show that using XL, it is possible to break stream ciphers that were known to be immune to all previously known attacks. For exam- ple, we cryptanalyse the stream cipher Toyocrypt accepted to the second phase of the Japanese government Cryptrec program. Our best attack on Toyocrypt takes 292 CPU clocks for a 128-bit cipher. The interesting feature of our XL-based higher degree correlation attacks is, their very loose requirements on the known keystream needed. For example they may work knowing ONLY that the ciphertext is in English. Key Words: Algebraic cryptanalysis, multivariate equations, overde- fined equations, Reed-Muller codes, correlation immunity, XL algorithm, Gr¨obner bases, stream ciphers, pseudo-random generators, nonlinear fil- tering, ciphertext-only attacks, Toyocrypt, Cryptrec.
    [Show full text]
  • AEGIS: a Fast Authenticated Encryption Algorithm⋆ (Full Version)
    AEGIS: A Fast Authenticated Encryption Algorithm? (Full Version) Hongjun Wu1, Bart Preneel2 1 School of Physical and Mathematical Sciences Nanyang Technological University [email protected] 2 Dept. Elektrotechniek-ESAT/COSIC KU Leuven and iMinds, Ghent [email protected] Abstract. This paper introduces a dedicated authenticated encryption algorithm AEGIS; AEGIS allows for the protection of associated data which makes it very suitable for protecting network packets. AEGIS- 128L uses eight AES round functions to process a 32-byte message block (one step). AEGIS-128 uses five AES round functions to process a 16-byte message block (one step); AES-256 uses six AES round functions. The security analysis shows that these algorithms offer a high level of secu- rity. On the Intel Sandy Bridge Core i5 processor, the speed of AEGIS- 128L, AEGIS-128 and AEGIS-256 is around 0.48, 0.66 and 0.7 clock cycles/byte (cpb) for 4096-byte messages, respectively. This is substan- tially faster than the AES CCM, GCM and OCB modes. Key words: Authenticated encryption, AEGIS, AES-NI 1 Introduction The protection of a message typically requires the protection of both confiden- tiality and authenticity. There are two main approaches to authenticate and encrypt a message. One approach is to treat the encryption and authentication separately. The plaintext is encrypted with a block cipher or stream cipher, and a MAC algorithm is used to authenticate the ciphertext. For example, we may apply AES [17] in CBC mode [18] to the plaintext, then apply AES-CMAC [22] (or Pelican MAC [6] or HMAC [19]) to the ciphertext to generate an authen- tication tag.
    [Show full text]
  • Biryukov, Shamir, “Wagner: Real Time Cryptanalysis of A5/1 on a PC,”
    Reference Papers [S1] Biryukov, Shamir, “Wagner: Real Time Cryptanalysis of A5/1 on a PC,” FSE2000 [S2] Canteaut, Filiol, “Ciphertext Only Reconstruction of Stream Ciphers based on Combination Generator,” FSE2000 [S3] Chepyzhov, Johansson, Smeets, “A simple algorithm for fast correlation attacks on stream ciphers,” FSE2000 [S4] Ding, “The Differential Cryptanalysis and Design of Natural Stream Ciphers,” Fast Software Encryption, Cambridge Security Workshop, December 1993, LNCS 809 [S5] Ding, Xiao, Sham, “The Stability Theory of Stream Ciphers,” LNCS 561 [S6] Johansson, Jonsson, “Fast correlation attacks based on Turbo code techniques,” CRYPTO’99, August 99, 19th Annual International Cryptology Conference, LNCS 1666 [S7] Fossorier, Mihaljevic, Imai, “Critical Noise for Convergence of Iterative Probabilistic Decoding with Belief Propagation in Cryptographic Applications,” LNCS 1719. [S8] Golic, “Linear Cryptanalysis of Stream Ciphers,” Fast Software Encryption, Second International Workshop, December 1994, LNCS 1008. [S9] Johansson, Jonsson, “Improved Fast Correlation Attacks in Stream Ciphers via Convolutional codes,” EUROCRYPT’99, International Conference on the Theory and Application of Cryptographic Techniques, May 1999, LNCS 1592 [S10] Meier, Staffelbach, “Correlation Properties of Comniners with Memory in Stream Ciphers,” Journal of Cryptology 5(1992) [S11] Palit, Roy, “Cryptanalysis of LFSR-Encrypted Codes with Unknown Combining,” LNCS 1716 [S12] Ruppel, “Correlation Immunity and Summation Generator,” CRYPTO’85 Proceedings, August 85, LNCS 218. [S13] Sigenthalar, “Decrypting a class of Ciphers using Ciphertext only,” IEEE C-34. [S14] Tanaka, Ohishi, Kaneko, “An Optimized Linear Attack on Pseudorandom Generators using a Non-Linear Combiner, Information Security,” First International Workshop, ISW’97 Proceedings, September 1997, LNCS 1396 [S15] Zeng, Huang, “On the Linear Syndrome Method in Cryptanalysis,” CRYPTO’88 Proceedings, August 1988, LNCS 403.
    [Show full text]
  • Analysis of Lightweight Stream Ciphers
    ANALYSIS OF LIGHTWEIGHT STREAM CIPHERS THÈSE NO 4040 (2008) PRÉSENTÉE LE 18 AVRIL 2008 À LA FACULTÉ INFORMATIQUE ET COMMUNICATIONS LABORATOIRE DE SÉCURITÉ ET DE CRYPTOGRAPHIE PROGRAMME DOCTORAL EN INFORMATIQUE, COMMUNICATIONS ET INFORMATION ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE POUR L'OBTENTION DU GRADE DE DOCTEUR ÈS SCIENCES PAR Simon FISCHER M.Sc. in physics, Université de Berne de nationalité suisse et originaire de Olten (SO) acceptée sur proposition du jury: Prof. M. A. Shokrollahi, président du jury Prof. S. Vaudenay, Dr W. Meier, directeurs de thèse Prof. C. Carlet, rapporteur Prof. A. Lenstra, rapporteur Dr M. Robshaw, rapporteur Suisse 2008 F¨ur Philomena Abstract Stream ciphers are fast cryptographic primitives to provide confidentiality of electronically transmitted data. They can be very suitable in environments with restricted resources, such as mobile devices or embedded systems. Practical examples are cell phones, RFID transponders, smart cards or devices in sensor networks. Besides efficiency, security is the most important property of a stream cipher. In this thesis, we address cryptanalysis of modern lightweight stream ciphers. We derive and improve cryptanalytic methods for dif- ferent building blocks and present dedicated attacks on specific proposals, including some eSTREAM candidates. As a result, we elaborate on the design criteria for the develop- ment of secure and efficient stream ciphers. The best-known building block is the linear feedback shift register (LFSR), which can be combined with a nonlinear Boolean output function. A powerful type of attacks against LFSR-based stream ciphers are the recent algebraic attacks, these exploit the specific structure by deriving low degree equations for recovering the secret key.
    [Show full text]
  • 24 Apr 2014 a Previous Block Cipher Known As MISTY1[10], Which Was Chosen As the Foundation for the 3GPP Confidentiality and Integrity Algorithm[14]
    Multidimensional Zero-Correlation Linear Cryptanalysis of the Block Cipher KASUMI Wentan Yi∗ and Shaozhen Chen State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China Abstract. The block cipher KASUMI is widely used for security in many synchronous wireless standards. It was proposed by ETSI SAGE for usage in 3GPP (3rd Generation Partnership Project) ciphering algorthms in 2001. There are a great deal of cryptanalytic results on KASUMI, however, its security evaluation against the recent zero-correlation linear attacks is still lacking so far. In this paper, we select some special input masks to refine the general 5-round zero-correlation linear approximations combining with some observations on the FL functions and then propose the 6- round zero-correlation linear attack on KASUMI. Moreover, zero-correlation linear attacks on the last 7-round KASUMI are also introduced under some weak keys conditions. These weak keys take more than half of the whole key space. The new zero-correlation linear attack on the 6-round needs about 2107:8 encryptions with 259:4 known plaintexts. For the attack under weak keys conditions on the last 7 round, the data complexity is about 262:1 known plaintexts and the time complexity 2125:2 encryptions. Keywords: KASUMI, Zero-correlation linear cryptanalysis, Cryptography. 1 Introduction With the rapid growth of wireless services, various security algorithms have been developed to provide users with effective and secure communications. The KASUMI developed from arXiv:1404.6100v1 [cs.CR] 24 Apr 2014 a previous block cipher known as MISTY1[10], which was chosen as the foundation for the 3GPP confidentiality and integrity algorithm[14].
    [Show full text]
  • Fast Correlation Attacks on Certain Stream Ciphers
    FSE 2011, February 14 -16, Lyngby, Denmark Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview • A decoding problem • LFSR-based stream ciphers • Correlation attacks • Fast correlation attacks • Towards correlation immunity • Combiners with memory • Linear attacks (correlations everywhere?) • Conclusions 2 A decoding problem Given: A noisy version of the output sequence of length L of a LFSR with known length n and known feedback connection. Problem: Find the initial state of the LFSR Solution: Decoding of a linear [ n,L]-code. 3 Statistical Model: BAS zm am LFSR ⊕ bm BAS: Binary asymmetric source, Prob (zm = 0 ) = p > 0.5 4 For given L digits of b and structure of the LFSR of length n: Find correct output sequence a of LFSR Known solution: By exhaustive search over all initial states of LFSR find a such that = = ≤ ≤ T # { j | b j a j 1, j L } is maximum. Complexity: O(2 n) Feasible for n up to about 50 . 5 Efficient solution of this problem of interest in: • Satellite communications • Correlation attacks on LFSR-based stream ciphers • TCHo: An efficient trapdoor stream cipher (M. Finiasz, S. Vaudenay, 2006) • Digital watermarking (D. Wang. P. Lu, 2006) • ε-Biased Generators in NC 0 (E. Mossel, A. Shpilka, L. Trevisan, 2007) 6 LFSR-based stream ciphers Output sequences of linear feedback shift registers (LFSR's): Have desirable statistical properties and large period. Readily analyzable using algebraic techniques, via feedback polynomial. For cryptographic properties, their linearity has to be destroyed. 7 Nonlinear filter generator Generate keystream bits b0, b 1, b2 ,..., as some nonlinear function f of the stages of a single LFSR.
    [Show full text]