Cryptanalysis of GOST2: Can Updated Key Schedule Solve All of GOST's Problems?
Orr Dunkelman (joint work with Achiya Bar-On and Tomer Ashur)
University of Haifa
June 29, 2016

History of the GOST Block Cipher

◮ GOST 28147-89 defined a block cipher (a.k.a. Magma these days)
◮ 64-bit block, 256-bit key
◮ 32-round Feistel
◮ With different secret S-boxes for each industry (a few leaked)

The GOST Block Cipher

[Figure: one GOST round. The right half is added to the round key SK_r modulo 2^32, split into eight nibbles that pass through the S-boxes S1–S8, rotated left by 11 positions (≪ 11), and XORed into the left half.]

The GOST Key Schedule

◮ The key schedule takes a 256-bit key (eight 32-bit words, K0, K1, K2, ..., K7) and uses them according to:

    K0 K1 K2 K3 K4 K5 K6 K7
    K0 K1 K2 K3 K4 K5 K6 K7
    K0 K1 K2 K3 K4 K5 K6 K7
    K7 K6 K5 K4 K3 K2 K1 K0

◮ The descending order — probably to defeat slide attacks

Attacks on GOST (Short and Partial History)

◮ Related-key differential attacks on reduced-round GOST (specific S-boxes) [KSW96]
◮ Chosen-key S-box recovery attacks [S99]
◮ Related-key differential attacks on reduced-round GOST [KS00]
◮ Related-key differential attacks on full GOST [K+04]
◮ Slide attacks on first 24 rounds [BW00]
◮ Slide attacks on full GOST for a weak key class of 2^128 keys [BW00]
◮ Slide attacks on first 30 rounds [BDK07]

Attacks on GOST (Short and Partial History)

    Attack                        Data      Memory   Time     S-boxes
    Reflection [I11]              2^32 CP   2^64     2^224    Bijective
    Fixed point/Algebraic [C11]   2^64 KP   2^64     2^248    Russian Banks
    Differential [CM11]           2^64 KP   2^64     2^226    Russian Banks
    Fixed point [DDS12]           2^64 KP   2^36     2^192    any
    Fixed point [DDS12]           2^64 KP   2^19     2^204    any
    Reflection [DDS12]            2^32 KP   2^36     2^224    any
    Reflection [DDS12]            2^32 KP   2^19     2^236    any

Very Quick Summary of the Reflection Attack

◮ Assume that at the entrance to round 25, the intermediate encryption value is (x, x)
◮ Then round 25 cancels round 24, round 26 cancels round 23, etc.

[Figure: two consecutive rounds keyed with K7 around the state (x, x). With y = S(x + K7), round 24 maps (x ⊕ y, x) to (x, x), and round 25 maps (x, x) back to (x, x ⊕ y): the two rounds cancel.]

Very Quick Summary of the Reflection Attack

◮ Isobe noticed that for a reflection point, the intermediate encryption value after 16 rounds is equal to the ciphertext
◮ This allows for attacking 16-round GOST (using meet in the middle, or any attack you wish for)

ISO SC27 (Parallel Work)

◮ The Russian federation submitted GOST (Magma) to ISO SC27 (18033) for standardization in 2010
◮ Several issues spotted:
    ◮ S-boxes were not defined
    ◮ Related-key attacks
◮ By the time they were "addressed", Isobe's attack came out

In Mother Russia, Cipher Encrypts You!

◮ Following the failure of standardizing GOST, a new cipher was suggested
◮ Kuznyechik (Grasshopper): 128-bit block, 256-bit key SPN
◮ Secret design process
◮ Interesting properties revealed by [BP15, BPU16] about how the S-box was designed
◮ And then came a new proposal.

The GOST2 Block Cipher

◮ Dmukh, Dygin, and Marshalko offered a variant of GOST in eprint report 2015/065
◮ Two main changes with respect to GOST:
    ◮ S-boxes are fully specified
    ◮ Key schedule changed to:

    K0 K1 K2 K3 K4 K5 K6 K7
    K3 K4 K5 K6 K7 K0 K1 K2
    K5 K6 K7 K0 K1 K2 K3 K4
    K6 K5 K4 K3 K2 K1 K0 K7

The Security Claims

    "Both Isobe and Dinur-Dunkelman-Shamir attacks exploit the reflection property for the last 16 iterations. For the proposed algorithm the probability of the corresponding event is negligible: P{K0 = K2 = K4 = K6, K1 = K3 = K5 = K7} = 2^−192 (if keys are selected at random). The first Dinur-Dunkelman-Shamir method works if K0 = K2 = K4 = K6 = K1 = K3 = K5 = K7. The probability of such an event is 2^−224. Since the new key schedule could be represented as a concatenation of different shifts of (K0, ..., K7), 2-GOST (together with original GOST) is subjected to related-key attacks. At the same time, such attacks are difficult for practical implementation, since the probabilities of relations are negligible (see, for example, [5]), when keys are selected randomly. ..."
    (Eprint report 2015/065)

A Reflection Property for GOST2 (Weak Key Class)

◮ Consider the key schedule of rounds 18–31, when K5 = K6:

    rounds 18–24:  K7 K0 K1 K2 K3 K4 K6
    rounds 25–31:  K5 K4 K3 K2 K1 K0 K7

  With K5 = K6 the second row is the first row reversed, so rounds 25–31 undo rounds 18–24 whenever the state between them is of the form (x, x).
◮ Hence, if the intermediate encryption value after 25 rounds is (x, x), the ciphertext is equal to the value after 18 rounds

A Reflection Attack on GOST2 (Weak Key Class)

    Require: 2^32 pairs of known plaintexts and ciphertexts {P_i, C_i}.
    for S3, K5 = K6 do
        for (P_i, C_i), K0 do
            K1, K2 ← Solve(P_i, S3, K0)
            S13 ← R^-1_SK13(R^-1_SK14(R^-1_SK15(R^-1_SK16(R^-1_SK17(C_i = S18)))))
            T[S13] ← (P_i, K0, K1, K2)
        end for
        for K3, K4, K7 do
            S13 ← R_SK12(R_SK11(R_SK10(R_SK9(R_SK8(R_SK7(R_SK6(R_SK5(R_SK4(R_SK3(S3))))))))))
            (P_i, K0, K1, K2) ← T[S13]
            TRY(K0, K1, K2, K3, K4, K5, K6, K7)
        end for
    end for

A Reflection Attack on GOST2 (Weak Key Class)

[Figure: P → S3 (rounds 0–2, keys K0, K1, K2) → S13 (rounds 3–12, keys K3, K4, ..., K7) → S18 = C (rounds 13–17, keys K0, K1, K2, K5 = K6); rounds 18–24 and 25–31 mirror each other around S25 with L25 = R25.]

◮ Data complexity: 2^32 KPs
◮ Memory complexity: 2^64 blocks
◮ Time complexity: 2^192
◮ Weak key size: 2^224
◮ Attack can be transformed into an impossible reflection attack for all other keys (data increased to 2^64, saves a factor of 5.4 on exhaustive search)

A Fixed Point Property for GOST2

◮ Consider the key schedule of rounds 10–22:

    K3 K4 K5 K6 K7 K0 K1 K2 K5 K6 K7 K0 K1 K2 K3 K4

◮ The keys of rounds 10–15 (K5 K6 K7 K0 K1 K2) are the same as those of rounds 16–21
◮ Hence, a fixed point of rounds 10–15 is a fixed point of rounds 10–21

A Fixed-Point Attack on GOST2

    Require: 2^64 pairs of known plaintexts and ciphertexts.
    for (P_i, C_i), SK0, SK1, SK2, SK7 do
        S28 ← R^-1_SK28(R^-1_SK29(R^-1_SK30(R^-1_SK31(C_i))))
        S3 ← R_K2(R_K1(R_K0(P_i)))
        T[S3 || S28] ← (K0, K1, K2, K7)
    end for
    for S10 = S16 = S22, K3, K4, K5, K6, K7 do
        S13 ← R_SK12(R_SK11(R_SK10(S10)))
        for K0[0–11], K2[0–11], K1[10] do
            (K0[0–11], K1[12–19], K2[0–11]) ← SOLVE(S16, S13, K0[0–11], K2[0–11], Carry)
        end for
        S3 ← R^-1_SK3(R^-1_SK4(R^-1_SK5(R^-1_SK6(R^-1_SK7(R^-1_SK8(R^-1_SK9(S10)))))))
        S28 ← R_SK27(R_SK26(R_SK25(R_SK24(R_SK23(R_SK22(S22))))))
        (K0, K1, K2, K7) ← T[S3 || S28]
        Filter(K0, K1, K2, K7)
        TRY(K0, K1, K2, K3, K4, K5, K6, K7)
    end for

A Fixed-Point Attack on GOST2

[Figure: P → S3 (rounds 0–2, keys K0, K1, K2) → S10 (rounds 3–9, keys K3, ..., K7) → S16 (rounds 10–15) → S22 (rounds 16–21) → S28 (rounds 22–27, keys K3, ..., K7) → C (rounds 28–31, keys K0, K1, K2, K7). S10 = S16 = S22 is the fixed point; rounds 13–15 are solved for K0[0–11], K1[12–19], K2[0–11].]

◮ Data complexity: 2^64 KPs
◮ Memory complexity: 2^160 blocks
◮ Time complexity: 2^237

We are working on reducing memory consumption.

Summary

◮ New GOST2 does not offer full security against fixed-point and reflection attacks
◮ Same related-key attacks can be applied (including complementation property)
◮ Simple ways to handle these issues exist

Summary of Attacks

    Type of attack          Time       Data      Memory (blocks)   No. of keys
    Fixed point             2^237      2^64 KP   2^160             All
    Reflection              2^192      2^32 KP   2^64              2^224
    Impossible reflection   2^253.56   2^63 CP   2^160             2^256 − 2^224
    Impossible reflection   2^254.56   2^64 KP   2^160             2^256 − 2^224

Some Aftermath

◮ We posted our results (not including some optimizations we now have) on eprint (report 2016/532)
◮ And we got an interesting email from Grigory Marshalko:
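The three key-schedule facts the slides rely on (the GOST reflection point after 24 rounds, the GOST2 reflection point after 25 rounds when K5 = K6, and the repeated round keys of GOST2 rounds 10–15 and 16–21) can be checked directly on a GOST-shaped Feistel cipher. The following Python is an added check written for this page; it is not code from the slides, from the GOST2 authors, or from any reference implementation. It assumes the GOST round shape from slide 3 (modular key addition, eight 4-bit S-boxes, rotate left by 11, no swap after the last round) and uses constructed placeholder S-boxes rather than the GOST2 S-boxes of eprint 2015/065, which is sound here because every property tested depends only on the order of the round keys. The reflection value, the intermediate state and the keys are all constructed sample values.

```python
"""Checks of the GOST / GOST2 key-schedule properties discussed in the slides.
Feistel skeleton: 32 rounds on 32-bit halves, GOST-shaped round function, final
swap omitted. The S-boxes are CONSTRUCTED placeholders, not the GOST2 S-boxes of
eprint 2015/065; the checks depend only on the key schedule, so any bijective
boxes behave the same way."""
import random

MASK32 = 0xFFFFFFFF

_box_rng = random.Random(20160629)          # fixed seed: reproducible placeholders
SBOXES = []
for _ in range(8):
    box = list(range(16))
    _box_rng.shuffle(box)
    SBOXES.append(box)

def round_function(r, k):
    """GOST-style F: (R + K) mod 2^32, eight nibble S-boxes, rotate left by 11."""
    x = (r + k) & MASK32
    y = 0
    for i in range(8):
        y |= SBOXES[i][(x >> (4 * i)) & 0xF] << (4 * i)
    return ((y << 11) | (y >> 21)) & MASK32

def gost_schedule(key):
    """GOST 28147-89 order (slide 4): K0..K7 three times, then K7..K0."""
    return [key[i % 8] for i in range(24)] + [key[7 - i] for i in range(8)]

def gost2_schedule(key):
    """GOST2 order as reproduced on slide 11 from eprint 2015/065."""
    order = [0, 1, 2, 3, 4, 5, 6, 7,
             3, 4, 5, 6, 7, 0, 1, 2,
             5, 6, 7, 0, 1, 2, 3, 4,
             6, 5, 4, 3, 2, 1, 0, 7]
    return [key[i] for i in order]

def apply_rounds(state, round_keys):
    """Feistel rounds (L, R) -> (R, L xor F(R, K)); returns [S_0, S_1, ..., S_n]."""
    l, r = state
    trace = [(l, r)]
    for k in round_keys:
        l, r = r, l ^ round_function(r, k)
        trace.append((l, r))
    return trace

def invert_rounds(state, round_keys):
    """Undo the given rounds, last key first: (L', R') -> (R' xor F(L', K), L')."""
    l, r = state
    for k in reversed(round_keys):
        l, r = r ^ round_function(l, k), l
    return (l, r)

def encrypt(block, round_keys):
    """Full 32 rounds; the final swap is omitted as in GOST, so C = swap(S_32)."""
    l, r = apply_rounds(block, round_keys)[32]
    return (r, l)

def reflection_holds(key, schedule, mirror_round, equal_to_round):
    """Build a plaintext whose state after `mirror_round` rounds is (x, x), then
    test whether its ciphertext equals the state after `equal_to_round` rounds.
    GOST (slides 7-8): mirror_round=24, equal_to_round=16, any key.
    GOST2 (slide 14): mirror_round=25, equal_to_round=18, needs K5 = K6."""
    rk = schedule(key)
    x = 0x1234ABCD                               # constructed reflection value
    p = invert_rounds((x, x), rk[:mirror_round])
    trace = apply_rounds(p, rk)
    assert trace[mirror_round] == (x, x)         # sanity: the construction worked
    return encrypt(p, rk) == trace[equal_to_round]

def fixed_point_structure_holds(key):
    """Slide 17: GOST2 rounds 10-15 and 16-21 use the same round keys, so running
    rounds 10-15 twice equals running rounds 10-21 on any state; a fixed point of
    rounds 10-15 is therefore also a fixed point of rounds 10-21."""
    rk = gost2_schedule(key)
    if rk[10:16] != rk[16:22]:
        return False
    s10 = (0xDEADBEEF, 0x0BADF00D)               # constructed intermediate state
    once = apply_rounds(s10, rk[10:16])[-1]
    twice = apply_rounds(once, rk[10:16])[-1]
    return twice == apply_rounds(s10, rk[10:22])[-1]

def demo():
    """Run the checks on a constructed random key and on its K5 = K6 variant."""
    rng = random.Random(532)
    key = [rng.getrandbits(32) for _ in range(8)]
    if key[6] == key[5]:                         # keep the generic key outside the weak class
        key[6] ^= 1
    weak = list(key)
    weak[6] = weak[5]                            # K5 = K6: the 2^224-key weak class
    return {
        "gost_reflection_any_key": reflection_holds(key, gost_schedule, 24, 16),
        "gost2_reflection_weak_key": reflection_holds(weak, gost2_schedule, 25, 18),
        "gost2_reflection_generic_key": reflection_holds(key, gost2_schedule, 25, 18),
        "gost2_fixed_point_structure": fixed_point_structure_holds(key),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the third check is the one the slides make against the 2^−192 security claim: the GOST2 reflection needs a single 32-bit equality K5 = K6 (a class of 2^224 keys), not the eight-word coincidence the designers priced in, and the same plaintext construction fails for a key outside that class. Finding an actual fixed point of rounds 10–15 is a 2^64-level search, so the last check only verifies the structural property that makes such a fixed point propagate to rounds 10–21.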