DOCSLIB.ORG

Message Freedom in MD4 and MD5 Collisions. Application to APOP

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Message Freedom in MD4 and MD5 Collisions. Application to APOP Message Freedom in MD4 and MD5 Collisions. Application to APOP. Gaëtan Leurent Message Freedom in MD4 and MD5 Collisions. APOP Application to APOP. Description Attack MD4/MD5 Collisions Gaëtan Leurent The MD4 family Collisions: Wang’s Laboratoire d’Informatique de l’École Normale Supérieure, technique Revisiting Département d’Informatique, Wang 45 rue d’Ulm, Paris 75230 Cedex 05, France Message freedom [email protected] The APOP attack in practice Fast Software Encryption 2007 1 / 27 Message Freedom in Outline MD4 and MD5 Collisions. Application to APOP. Gaëtan 1 APOP Leurent Description APOP Attack Description Attack MD4/MD5 Collisions 2 MD4/MD5 Collisions The MD4 family Collisions: The MD4 family Wang’s technique Collisions: Wang’s technique Revisiting Wang Revisiting Wang Message freedom Message freedom The APOP attack in practice 3 The APOP attack in practice 2 / 27 Message Freedom in The Post Office Protocol MD4 and MD5 Collisions. Application to APOP. POP3 Gaëtan Leurent Standard protocol for remote access to a mailbox APOP RFC 1460,1725,1939 (first version 1993) Description Attack Supported by virtually every mail provider and every mail MD4/MD5 user agent Collisions The MD4 family Widely used (tend to be replaced by IMAP) Collisions: Wang’s technique Revisiting Wang Supported authentication command Message freedom USER/PASS: plaintext password The APOP attack in APOP: “secure” authentication practice AUTH: any IMAP authentication mechanism: Kerberos, GSS-API, S/Key, CRAM-MD5 3 / 27 Message Freedom in APOP authentication MD4 and MD5 Collisions. What is APOP? Application to APOP. Unilateral challenge-response authentication protocol Gaëtan k Leurent based on a MAC: h (m)= MD5(m||k) APOP Server Client Description Attack MD4/MD5 Collisions id ⇒ p id, p The MD4 family Collisions: Wang’s Challenges form: <[email protected]> technique Revisiting Wang Origin authentication and replay protection Message freedom The APOP attack in First remarks practice hk (m)= MD5(m||k) is not a secure MAC: offline collisions and envelope attack. The protocol allows chosen-text attack. There should be some client-chosen randomness. 4 / 27 Message Freedom in APOP authentication MD4 and MD5 Collisions. What is APOP? Application to APOP. Unilateral challenge-response authentication protocol Gaëtan k Leurent based on a MAC: h (m)= MD5(m||k) c APOP Server Client Description Attack id, MD5(c||pwd) MD4/MD5 Collisions The MD4 family Collisions: Wang’s Challenges form: <[email protected]> technique Revisiting Wang Origin authentication and replay protection Message freedom The APOP attack in First remarks practice hk (m)= MD5(m||k) is not a secure MAC: offline collisions and envelope attack. The protocol allows chosen-text attack. There should be some client-chosen randomness. 4 / 27 Message Freedom in APOP authentication MD4 and MD5 Collisions. What is APOP? Application to APOP. Unilateral challenge-response authentication protocol Gaëtan k Leurent based on a MAC: h (m)= MD5(m||k) c APOP Server Client Description Attack id, MD5(c||pwd) MD4/MD5 Collisions The MD4 family Collisions: Wang’s Challenges form: <[email protected]> technique Revisiting Wang Origin authentication and replay protection Message freedom The APOP attack in First remarks practice hk (m)= MD5(m||k) is not a secure MAC: offline collisions and envelope attack. The protocol allows chosen-text attack. There should be some client-chosen randomness. 4 / 27 Message Freedom in The APOP Attack MD4 and MD5 Collisions. Application to APOP. Attack setting Gaëtan Leurent Active attack: impersonate the server APOP Description Server Client Attack c MD4/MD5 ) pwd Collisions Attacker (c|| The MD4 family id, MD5 Collisions: Wang’s technique Revisiting Wang Message freedom No server authentication in POP. The APOP attack in Typical scenario: open WiFi network. practice We can use the client to log on the server and access the mails, but the password should still be safe... 5 / 27 Message Freedom in The APOP Attack MD4 and Basic idea MD5 Collisions. Application to APOP. Basic idea: use collisions Gaëtan Leurent c1 APOP h = MD5(c ||pwd) Description Attacker 1 1 Client Attack MD4/MD5 ? c2 Collisions h h The MD4 1 = 2 family h2 = MD5(c2||pwd) Collisions: Wang’s technique Revisiting Wang Message freedom Chosen message attack: craft challenges. The APOP attack in practice Choose the challenge size to isolate some part of the key in a block. Same idea as the key-recovery against the envelope method by Preneel and van Oorschot. 6 / 27 Message Freedom in The APOP Attack MD4 and Basic idea MD5 Collisions. Application to APOP. Recover the first password character Gaëtan Leurent If we have an MD5 collision with a specific format: APOP Description M = <‽‽‽ ‽‽@ ‽‽‽> x c1 = <‽‽‽...‽‽‽> Attack 1 MD4/MD5 ‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽ Collisions ‽ The MD4 M2 = < @ > x c2 = < ... > family Collisions: Wang’s technique We send c1 and c2 as challenges, and we get: Revisiting Wang Message freedom MD5 <‽‽‽ ‽‽@ ‽‽‽> p0 p1p2... pad The APOP attack in ‽ ‽ ‽ ‽ ‽ ‽ ‽ practice MD5 < ‽ @ > p0 p1p2... pad Both hashes collide if p0 = ‘x’ (unlikely if p0 6= ‘x’). We will repeat this with all ‘x’ until we find p0. 7 / 27 Message Freedom in The APOP Attack MD4 and Basic idea MD5 Collisions. Application to APOP. Recover the next password character Gaëtan Leurent Then we use collisions of the form: APOP Description M1 = <‽‽‽ ‽‽@ ‽‽‽> p0 y c1 = <‽‽‽...‽‽‽> Attack MD4/MD5 ‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽ Collisions M ‽ p0 y c < ... > The MD4 2 = < @ > 2 = family Collisions: Wang’s When we send the challenges c and c , we receive: technique 1 2 Revisiting Wang Message freedom MD5 <‽‽‽ ‽‽@ ‽‽‽> p0 p1 p2... pad The APOP ‽ ‽ ‽ ‽ ‽ ‽ ‽ attack in ‽ practice MD5 < @ > p0 p1 p2... pad Both hashes collide if p1 = ‘y’. We can recover the full password in linear time. 8 / 27 Message Freedom in Using Wang’s collision to attack APOP MD4 and MD5 Collisions. Application to APOP. Gaëtan Leurent What we need to attack APOP APOP We need collisions with control over the end of the last Description block. Attack MD4/MD5 Birthday paradox too expensive. Collisions The MD4 family Collisions: Wang’s Using Wang’s collisions technique Revisiting Wang Wang’s collisions look random. Message freedom Due to the message modifications, we loose control over The APOP attack in the message value. practice Modify Wang’s collision finding technique. 9 / 27 Message Freedom in Outline MD4 and MD5 Collisions. Application to APOP. Gaëtan Leurent 1 APOP APOP Description 2 Attack MD4/MD5 Collisions MD4/MD5 The MD4 family Collisions The MD4 Collisions: Wang’s technique family Collisions: Revisiting Wang Wang’s technique Revisiting Message freedom Wang Message freedom The APOP 3 The APOP attack in practice attack in practice 10 / 27 Message Freedom in The MD4 family MD4 and Compression function MD5 Collisions. Application to APOP. Compression Function Design Gaëtan Leurent mi APOP Davies-Meyer with a Description Attack Feistel-like cipher. MD4/MD5 Hi−1 Hi Collisions C The MD4 family Collisions: Wang’s technique Revisiting Wang Designed to be fast: 32 bit words, and operations available Message freedom in hardware: 32 The APOP additions mod2 : ⊞ attack in practice boolean functions: Φi rotations ≪ si Message expansion M = hM0, ...M15i 7→ hm0, ...m47/63i 4 words of internal state Qi updated in rounds of 16 steps 11 / 27 Message Freedom in Compression Function MD4 and MD5 Collisions. Application to APOP. MD4 Step Update Gaëtan Leurent Qi−4 Qi−3 Qi−2 Qi−1 APOP Description Φi Attack MD4/MD5 Collisions mi The MD4 family Collisions: Wang’s ki technique Revisiting ≪ Wang si Message freedom The APOP attack in practice Qi−3 Qi−2 Qi−1 Qi Qi = (Qi−4 ⊞ Φi (Qi−1, Qi−2, Qi−3) ⊞ mi ⊞ ki ) ≪ si 12 / 27 Message Freedom in Compression Function MD4 and MD5 Collisions. Application MD5 Step Update to APOP. Gaëtan Leurent Qi−4 Qi−3 Qi−2 Qi−1 APOP Φi Description Attack MD4/MD5 Collisions mi The MD4 family Collisions: ki Wang’s technique ≪ Revisiting si Wang Message freedom The APOP attack in practice Qi−3 Qi−2 Qi−1 Qi Qi = Qi−1 ⊞ (Qi−4 ⊞ Φi (Qi−1, Qi−2, Qi−3) ⊞ mi ⊞ ki ) ≪ si 13 / 27 Message Freedom in Collisions in MD4 and MD5 MD4 and MD5 Collisions. Application Wang in a nutshell to APOP. Gaëtan 1 Precomputation: Leurent Choose a message difference. APOP Compute a differential path. Description Attack Derive a set of sufficient conditions. MD4/MD5 2 Collision search: Collisions The MD4 Find a message that satisfies the set of conditions. family Collisions: Wang’s technique Revisiting Main result Wang Message freedom We know a difference ∆ and a set of conditions on the internal The APOP state variables Qi ’s, such that: attack in practice If all the conditions are satisfied by the internal state variable in the computation of H(M), then H(M)= H(M + ∆). 14 / 27 Message Freedom in Collision search MD4 and MD5 Q− Q Collisions. 4 12 Application Q−3 Q13 to APOP. Q−2 Q14 Gaëtan Q− Leurent 1 Q15 m0 1c Q0 m0 3c Q16 APOP m1 3c Q m4 3c Q Description 1 17 Attack m2 3c Q2 m8 3c Q18 MD4/MD5 m3 5c Q3 m12 2c Q19 Collisions m4 m1 The MD4 5c Q4 2c Q20 family m5 m5 Collisions: 5c Q5 1c Q21 Wang’s m m technique 6 6c Q6 9 2c Q22 Revisiting m m Wang 7 4c Q7 13 Q23 Message m8 4c Q8 m2 Q24 freedom m m The APOP 9 4c Q9 6 Q25 attack in m10 4c Q10 m10 Q26 practice m11 5c Q11 m14 Q27 m12 6c Q12 Goalm3 Q28 m m 13 6c Q13 Given the7 set of conditions,Q29 m14 6c Q m11 Q 14 find a message (here on30 MD4). m15 6c Q15 m15 Q31 15 / 27 Message Freedom in Collision search MD4 and MD5 Q− Collisions.
Load more

Recommended publications
  • Cryptanalysis of a Reduced Version of the Block Cipher E2
    Cryptanalysis of a Reduced Version of the Block Cipher E2 Mitsuru Matsui and Toshio Tokita Information Technology R&D Center Mitsubishi Electric Corporation 5-1-1, Ofuna, Kamakura, Kanagawa, 247, Japan [email protected], [email protected] Abstract. This paper deals with truncated differential cryptanalysis of the 128-bit block cipher E2, which is an AES candidate designed and submitted by NTT. Our analysis is based on byte characteristics, where a difference of two bytes is simply encoded into one bit information “0” (the same) or “1” (not the same). Since E2 is a strongly byte-oriented algorithm, this bytewise treatment of characteristics greatly simplifies a description of its probabilistic behavior and noticeably enables us an analysis independent of the structure of its (unique) lookup table. As a result, we show a non-trivial seven round byte characteristic, which leads to a possible attack of E2 reduced to eight rounds without IT and FT by a chosen plaintext scenario. We also show that by a minor modification of the byte order of output of the round function — which does not reduce the complexity of the algorithm nor violates its design criteria at all —, a non-trivial nine round byte characteristic can be established, which results in a possible attack of the modified E2 reduced to ten rounds without IT and FT, and reduced to nine rounds with IT and FT. Our analysis does not have a serious impact on the full E2, since it has twelve rounds with IT and FT; however, our results show that the security level of the modified version against differential cryptanalysis is lower than the designers’ estimation.
    [Show full text]
  • Historical Ciphers • A
    ECE 646 - Lecture 6 Required Reading • W. Stallings, Cryptography and Network Security, Chapter 2, Classical Encryption Techniques Historical Ciphers • A. Menezes et al., Handbook of Applied Cryptography, Chapter 7.3 Classical ciphers and historical development Why (not) to study historical ciphers? Secret Writing AGAINST FOR Steganography Cryptography (hidden messages) (encrypted messages) Not similar to Basic components became modern ciphers a part of modern ciphers Under special circumstances modern ciphers can be Substitution Transposition Long abandoned Ciphers reduced to historical ciphers Transformations (change the order Influence on world events of letters) Codes Substitution The only ciphers you Ciphers can break! (replace words) (replace letters) Selected world events affected by cryptology Mary, Queen of Scots 1586 - trial of Mary Queen of Scots - substitution cipher • Scottish Queen, a cousin of Elisabeth I of England • Forced to flee Scotland by uprising against 1917 - Zimmermann telegram, America enters World War I her and her husband • Treated as a candidate to the throne of England by many British Catholics unhappy about 1939-1945 Battle of England, Battle of Atlantic, D-day - a reign of Elisabeth I, a Protestant ENIGMA machine cipher • Imprisoned by Elisabeth for 19 years • Involved in several plots to assassinate Elisabeth 1944 – world’s first computer, Colossus - • Put on trial for treason by a court of about German Lorenz machine cipher 40 noblemen, including Catholics, after being implicated in the Babington Plot by her own 1950s – operation Venona – breaking ciphers of soviet spies letters sent from prison to her co-conspirators stealing secrets of the U.S. atomic bomb in the encrypted form – one-time pad 1 Mary, Queen of Scots – cont.
    [Show full text]
  • The QARMA Block Cipher Family
    The QARMA Block Cipher Family Almost MDS Matrices Over Rings With Zero Divisors, Nearly Symmetric Even-Mansour Constructions With Non-Involutory Central Rounds, and Search Heuristics for Low-Latency S-Boxes Roberto Avanzi Qualcomm Product Security, Munich, Germany [email protected], [email protected] Abstract. This paper introduces QARMA, a new family of lightweight tweakable block ciphers targeted at applications such as memory encryption, the generation of very short tags for hardware-assisted prevention of software exploitation, and the con- struction of keyed hash functions. QARMA is inspired by reflection ciphers such as PRINCE, to which it adds a tweaking input, and MANTIS. However, QARMA differs from previous reflector constructions in that it is a three-round Even-Mansour scheme instead of a FX-construction, and its middle permutation is non-involutory and keyed. We introduce and analyse a family of Almost MDS matrices defined over a ring with zero divisors that allows us to encode rotations in its operation while maintaining the minimal latency associated to {0, 1}-matrices. The purpose of all these design choices is to harden the cipher against various classes of attacks. We also describe new S-Box search heuristics aimed at minimising the critical path. QARMA exists in 64- and 128-bit block sizes, where block and tweak size are equal, and keys are twice as long as the blocks. We argue that QARMA provides sufficient security margins within the constraints de- termined by the mentioned applications, while still achieving best-in-class latency. Implementation results on a state-of-the art manufacturing process are reported.
    [Show full text]
  • On Recent Attacks Against Cryptographic Hash Functions
    On recent attacks against Cryptographic Hash Functions Martin Ekerå & Henrik Ygge 1 Outline ‣ First part ‣ Preliminaries ‣ Which cryptographic hash functions exist? ‣ What degree of security do they offer? ‣ An introduction to Wang’s attack ‣ Second part ‣ Wang’s attack applied to MD5 ‣ Demo 2 Part I 3 Operators Symbol Meaning x ⊞ y Addition modulo 2n x ⊟ y Subtraction modulo 2n x ⊕ y Exclusive OR x ⋀ y Bitwise AND x ⋁ y Bitwise OR ¬ x The negation of x. x ≪ s Shifting of x by s bits to the left. x ⋘ s Rotation of x by s bits to the left. 4 Bitwise Functions Function IF (x, y, z) (x ⋀ y) ⋁ ((¬ x) ⋀ z) XOR (x, y, z) x ⊕ y ⊕ z MAJ (x, y, z) (x ⋀ y) ⋁ (y ⋀ z) ⋁ (z ⋀ x) XNO (x, y, z) y ⊕ ((¬ z) ⋁ x) ‣ The functions above are all bitwise. 5 Hash Functions ‣ A hash function maps elements from a finite or infinite domain, into elements of a fixed size domain. 6 Attacks on Hash Functions ‣ Collision attack Find m and m’ ≠ m such that H(m) = H(m’). ‣ First pre-image attack Given h find m such that h = H(m). ‣ Second pre-image attack Given m find m’ ≠ m such that H(m) = H(m’). 7 Attack Complexities ‣ Collision attack Naïve complexity O(2n/2) due to the birthday paradox. ‣ First pre-image attack Naïve complexity O(2n) ‣ Second pre-image attack Naïve complexity O(2n) 8 Cryptographic Hash Functions ‣ It is desirable for a cryptographic hash function to be collision resistant, first pre-image resistant and second pre-image resistant.
    [Show full text]
  • The Quasigroup Block Cipher and Its Analysis Matthew .J Battey University of Nebraska at Omaha
    University of Nebraska at Omaha DigitalCommons@UNO Student Work 5-2014 The Quasigroup Block Cipher and its Analysis Matthew .J Battey University of Nebraska at Omaha Follow this and additional works at: https://digitalcommons.unomaha.edu/studentwork Part of the Computer Sciences Commons Recommended Citation Battey, Matthew J., "The Quasigroup Block Cipher and its Analysis" (2014). Student Work. 2892. https://digitalcommons.unomaha.edu/studentwork/2892 This Thesis is brought to you for free and open access by DigitalCommons@UNO. It has been accepted for inclusion in Student Work by an authorized administrator of DigitalCommons@UNO. For more information, please contact [email protected]. The Quasigroup Block Cipher and its Analysis A Thesis Presented to the Department of Computer Sience and the Faculty of the Graduate College University of Nebraska In partial satisfaction of the requirements for the degree of Masters of Science by Matthew J. Battey May, 2014 Supervisory Committee: Abhishek Parakh, Co-Chair Haifeng Guo, Co-Chair Kenneth Dick Qiuming Zhu UMI Number: 1554776 All rights reserved INFORMATION TO ALL USERS The quality of this reproduction is dependent upon the quality of the copy submitted. In the unlikely event that the author did not send a complete manuscript and there are missing pages, these will be noted. Also, if material had to be removed, a note will indicate the deletion. UMI 1554776 Published by ProQuest LLC (2014). Copyright in the Dissertation held by the Author. Microform Edition © ProQuest LLC. All rights reserved. This work is protected against unauthorized copying under Title 17, United States Code ProQuest LLC. 789 East Eisenhower Parkway P.O.
    [Show full text]
  • Advanced Meet-In-The-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2
    Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2 Jian Guo1, San Ling1, Christian Rechberger2, and Huaxiong Wang1 1 Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore 2 Dept. of Electrical Engineering ESAT/COSIC, K.U.Leuven, and Interdisciplinary Institute for BroadBand Technology (IBBT), Kasteelpark Arenberg 10, B–3001 Heverlee, Belgium. [email protected] Abstract. We revisit narrow-pipe designs that are in practical use, and their security against preimage attacks. Our results are the best known preimage attacks on Tiger, MD4, and reduced SHA-2, with the result on Tiger being the first cryptanalytic shortcut attack on the full hash function. Our attacks runs in time 2188.8 for finding preimages, and 2188.2 for second-preimages. Both have memory requirement of order 28, which is much less than in any other recent preimage attacks on reduced Tiger. Using pre-computation techniques, the time complexity for finding a new preimage or second-preimage for MD4 can now be as low as 278.4 and 269.4 MD4 computations, respectively. The second-preimage attack works for all messages longer than 2 blocks. To obtain these results, we extend the meet-in-the-middle framework recently developed by Aoki and Sasaki in a series of papers. In addition to various algorithm-specific techniques, we use a number of conceptually new ideas that are applicable to a larger class of constructions. Among them are (1) incorporating multi-target scenarios into the MITM framework, leading to faster preimages from pseudo-preimages, (2) a simple precomputation technique that allows for finding new preimages at the cost of a single pseudo-preimage, and (3) probabilistic initial structures, to reduce the attack time complexity.
    [Show full text]
  • DIN/ANSI Shark Line Material Specific Application Taps New Products 2017 SHARK
    DIN/ANSI Shark Line Material Specific Application Taps New Products 2017 SHARK INTRODUCTION Dormer brand material specific application-based ranges of DIN ANSI Shark Taps offer high performance and process security. Shark Line taps are easily recognizable by their color ring coding, denoting recommendation for use on specific materials. FEATURES AND BENEFITS • COLOR RING CODING • EDGE TREATMENT (Red, Yellow, Blue Shark) The color ring on the tool shank identifies suitability for Spiral flute taps incorporate a special edge treatment specific materials and enables quick and easy tool selection. to increase strength and reduce the chance • ADVANCED GEOMETRY of micro-chipping on the cutting edges. This considerably Significant reduction in axial forces and torque compared improves performance and tool life. to conventional taps. This ensures problem-free threading of blind and through holes in the selected material. • DIN/ANSI STANDARD Standard ANSI shank and square with DIN overall length, SHARK LINE for extra reach and compatability with Inch Standard Tap Holding. MATERIAL GEOMETRY AND CHAMFER Shark taps are manufactured from a unique powder metallurgy Thread geometry with optimized form generates: tool steel different from any other HSS-E-PM. This provides • Low torque an unbeatable combination of toughness and edge strength, allowing the taps to perform at higher cutting temperatures • Excellent threads at both high and low speeds while offering excellent performance and longer tool life. • Superior surface finish • HIGHER IMPACT TOUGHNESS
    [Show full text]
  • Cryptography
    What is this course about? Aims Cryptography This course provides an overview of basic modern cryptographic techniques and covers essential concepts that users of cryptographic standards need to understand to achieve their intended security goals. Markus Kuhn Objectives By the end of the course you should I be familiar with commonly used standardized cryptographic building Computer Laboratory, University of Cambridge blocks; I be able to match application requirements with concrete security definitions and identify their absence in naive schemes; https://www.cl.cam.ac.uk/teaching/1920/Crypto/ I understand various adversarial capabilities and basic attack These notes are merely provided as an aid for following the lectures. algorithms and how they affect key sizes; They are no substitute for attending the course. I understand and compare the finite groups most commonly used with discrete-logarithm schemes; Lent 2020 { CST Part II I understand the basic number theory underlying the most common public-key schemes, and some efficient implementation techniques. crypto-slides-4up.pdf 2020-04-23 20:49 b7c0c5f 1 2 1 Historic ciphers Related textbooks 2 Perfect secrecy Main reference: 3 Semantic security I Jonathan Katz, Yehuda Lindell: 4 Block ciphers Introduction to Modern Cryptography 2nd ed., Chapman & Hall/CRC, 2014 5 Modes of operation Further reading: 6 Message authenticity I Christof Paar, Jan Pelzl: 7 Authenticated encryption Understanding Cryptography Springer, 2010 8 Secure hash functions http://www.springerlink.com/content/978-3-642-04100-6/ http://www.crypto-textbook.com/ 9 Secure hash applications I Douglas Stinson: 10 Key distribution problem Cryptography { Theory and Practice 3rd ed., CRC Press, 2005 11 Number theory and group theory I Menezes, van Oorschot, Vanstone: 12 Discrete logarithm problem Handbook of Applied Cryptography 13 RSA trapdoor permutation CRC Press, 1996 http://www.cacr.math.uwaterloo.ca/hac/ 14 Digital signatures The course notes and some of the exercises also contain URLs with more detailed information.
    [Show full text]
  • The LED Block Cipher
    The LED Block Cipher Jian Guo1,ThomasPeyrin2,,AxelPoschmann2,, and Matt Robshaw3, 1 Institute for Infocomm Research, Singapore 2 Nanyang Technological University, Singapore 3 Applied Cryptography Group, Orange Labs, France {ntu.guo,thomas.peyrin}@gmail.com, [email protected], [email protected] Abstract. We present a new block cipher LED. While dedicated to com- pact hardware implementation, and offering the smallest silicon footprint among comparable block ciphers, the cipher has been designed to simul- taneously tackle three additional goals. First, we explore the role of an ultra-light (in fact non-existent) key schedule. Second, we consider the resistance of ciphers, and LED in particular, to related-key attacks: we are able to derive simple yet interesting AES-like security proofs for LED regarding related- or single-key attacks. And third, while we provide a block cipher that is very compact in hardware, we aim to maintain a reasonable performance profile for software implementation. Keywords: Lightweight, block cipher, RFID tag, AES. 1 Introduction Over past years many new cryptographic primitives have been proposed for use in RFID tag deployments, sensor networks, and other applications characterised by highly-constrained devices. The pervasive deployment of tiny computational devices brings with it many interesting, and potentially difficult, security issues. Chief among recent developments has been the evolution of lightweight block ciphers where an accumulation of advances in algorithm design, together with an increased awareness of the likely application, has helped provide important developments. To some commentators the need for yet another lightweight block cipher proposal will be open to question. However, in addition to the fact that many proposals present some weaknesses [2,10,45], we feel there is still more to be said on the subject and we observe that it is in the “second generation” of work that designers might learn from the progress, and omissions, of “first generation” proposals.
    [Show full text]
  • Statistical Cryptanalysis of Block Ciphers
    STATISTICAL CRYPTANALYSIS OF BLOCK CIPHERS THÈSE NO 3179 (2005) PRÉSENTÉE À LA FACULTÉ INFORMATIQUE ET COMMUNICATIONS Institut de systèmes de communication SECTION DES SYSTÈMES DE COMMUNICATION ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE POUR L'OBTENTION DU GRADE DE DOCTEUR ÈS SCIENCES PAR Pascal JUNOD ingénieur informaticien dilpômé EPF de nationalité suisse et originaire de Sainte-Croix (VD) acceptée sur proposition du jury: Prof. S. Vaudenay, directeur de thèse Prof. J. Massey, rapporteur Prof. W. Meier, rapporteur Prof. S. Morgenthaler, rapporteur Prof. J. Stern, rapporteur Lausanne, EPFL 2005 to Mimi and Chlo´e Acknowledgments First of all, I would like to warmly thank my supervisor, Prof. Serge Vaude- nay, for having given to me such a wonderful opportunity to perform research in a friendly environment, and for having been the perfect supervisor that every PhD would dream of. I am also very grateful to the president of the jury, Prof. Emre Telatar, and to the reviewers Prof. em. James L. Massey, Prof. Jacques Stern, Prof. Willi Meier, and Prof. Stephan Morgenthaler for having accepted to be part of the jury and for having invested such a lot of time for reviewing this thesis. I would like to express my gratitude to all my (former and current) col- leagues at LASEC for their support and for their friendship: Gildas Avoine, Thomas Baign`eres, Nenad Buncic, Brice Canvel, Martine Corval, Matthieu Finiasz, Yi Lu, Jean Monnerat, Philippe Oechslin, and John Pliam. With- out them, the EPFL (and the crypto) would not be so fun! Without their support, trust and encouragement, the last part of this thesis, FOX, would certainly not be born: I owe to MediaCrypt AG, espe- cially to Ralf Kastmann and Richard Straub many, many, many hours of interesting work.
    [Show full text]
  • Cryptanalysis of Reduced Round SKINNY Block Cipher
    Cryptanalysis of Reduced round SKINNY Block Cipher Sadegh Sadeghi1, Tahereh Mohammadi2 and Nasour Bagheri2,3 1 Department of Mathematics, Faculty of Mathematical Sciences and Computer, Kharazmi University, Tehran, Iran, [email protected] 2 Electrical Engineering Department, Shahid Rajaee Teacher Training University, Tehran, Iran, {T.Mohammadi,Nabgheri}@sru.ac.ir 3 School of Computer Science, Institute for Research in Fundamental Sciences (IPM), Tehran, Iran, [email protected] Abstract. SKINNY is a family of lightweight tweakable block ciphers designed to have the smallest hardware footprint. In this paper, we present zero-correlation linear approximations and the related-tweakey impossible differential characteristics for different versions of SKINNY .We utilize Mixed Integer Linear Programming (MILP) to search all zero-correlation linear distinguishers for all variants of SKINNY, where the longest distinguisher found reaches 10 rounds. Using a 9-round characteristic, we present 14 and 18-round zero correlation attacks on SKINNY-64-64 and SKINNY- 64-128, respectively. Also, for SKINNY-n-n and SKINNY-n-2n, we construct 13 and 15-round related-tweakey impossible differential characteristics, respectively. Utilizing these characteristics, we propose 23-round related-tweakey impossible differential cryptanalysis by applying the key recovery attack for SKINNY-n-2n and 19-round attack for SKINNY-n-n. To the best of our knowledge, the presented zero-correlation characteristics in this paper are the first attempt to investigate the security of SKINNY against this attack and the results on the related-tweakey impossible differential attack are the best reported ones. Keywords: SKINNY · Zero-correlation linear cryptanalysis · Related-tweakey impos- sible differential cryptanalysis · MILP 1 Introduction Because of the growing use of small computing devices such as RFID tags, the new challenge in the past few years has been the application of conventional cryptographic standards to small devices.
    [Show full text]
  • 1 Review 2 Poly-Alphabetic Classical Cryptosystems
    EE 595 (PMP) Introduction to Security and Privacy Lecutre #3 Introduction to Cryptanalysis. DES, AES and Modes of Operation. Lecture notes prepared by Professor Radha Poovendran Thursday, April 12, 2018 Tamara Bonaci Department of Electrical Engineering University of Washington, Seattle Outline: 1. Polyalphabetic classical cryptosystems { Vigenere cipher { Permutation cipher 2. Cryptanalysis. 3. Data Encryption Standard (DES) 4. Triple DES 5. Advanced Encryption Standard (AES) 6. Encrypting large plaintexts: Modes of operation { Electronic Code Book (ECB) mode { Cipher Block Chaining (CBC) mode { Counter (CTR) mode 1 Review Last time, we saw that the goal of a symmetric key cryptosystem is to ensure that two parties Alice and Bob can communicate confidentially using a shared secret key K. Equivalently, the goal is to ensure that a third party Eve, who does not have knowledge of the key K, cannot determine the plaintext sent by Alice to Bob. Let's recall that a cryptosystem is defined as a five-tuple (P; C; K; E; D). The set P is the set of possible plaintexts, C is the set of possible ciphertexts, and K is the set of possible keys. The sets E and D are the sets of possible encryption and decryption functions, respectively. In today's lecture, we will first consider how we can model and analyze a behavior of an attacker, trying to break a cryptosystem. We will then describe two widely-used current symmetric-key cryptosystems, namely DES and AES. For each cryptosystem, we will show the parameter values (e.g., key length) that are specified by standards bodies such as the National Institute of Standards and Technology for real-world use.
    [Show full text]