DOCSLIB.ORG

Improved Linear Analysis on Block Cipher MULTI2⋆

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Improved Linear Analysis on Block Cipher MULTI2⋆ Improved Linear Analysis on Block Cipher MULTI2⋆ Yi Lu, Liping Ding, and Yongji Wang National Engineering Research Center of Fundamental Software, Institute of Software, Chinese Academy of Sciences, Beijing, China Abstract. Developed by Hitachi, MULTI2 is a block cipher used mainly to secure the multimedia content. It was registered in ISO/IEC 9979 and was patented in US and Japan. MULTI2 uses the Feistel structure and operates on the 64-bit blocks. The encryption key has 256 bits. This paper studies the linear analysis on MULTI2. We give a detailed bias analysis on MULTI2 round functions. For the first time formal proofs on − their bias properties are given. This allows to find a new 4-round bias 2 2. − . Previously, the best 4-round bias 2 5 7 was proposed. Using our results on the MULTI2 round functions, we propose the linear attacks on r-round MUTLI2 to recover the encryption key. Our linear attack can recover . the 256-bit encryption key in time 246, 260 4, 283 8, 291 7, 2123 4, 2123 2 of r-round encryptions for r = 8, 12, 16, 20, 24, 28 respectively. Further, we can recover the 32-bit sub-key in last round much faster than the whole encryption key recovery, i.e., in time 237 for r = 8, 12, 16, 20, 24. Note that previously, the best linear key-recovery attack was a 20-round . attack with time 293 4 (of 20-round encryptions) and data 239 2. As ISO register recommends to use at least 32 rounds, our attacks remain to be theoretical and do not threaten security for the practical use currently. Keywords: Block Cipher, Feistel Structure, MULTI2, Linear Analysis, Bias. 1 Introduction MULTI2 is a block cipher developed by Hitachi. It has been used mainly to secure the multimedia content. It was registered in ISO/IEC 9979 in 1994 and was patented in US and Japan [7]. MULTI2 is the only cipher specified in Japanese standard ARIB [3] for conditional access systems. ARIB is the basic standard of the recent ISDB (Integrated Services Digital Broadcasting), which is the Japanese standard for digital television and ⋆ This work is supported by the National Science and Technology Major Project un- der Grant No. 2010ZX01036-001-002 & 2010ZX01037-001-002, the Knowledge Inno- vation Key Directional Program of Chinese Academy of Sciences under Grant No. KGCX2-YW-125 & KGCX2-YW-174, and the National Natural Science Foundation of China under Grant No. 61170072. digital radio. MULTI2 adopts the Feistel structure and operates on the 64- bit blocks. The encryption key has 256 bits. The ISO register recommends to use at least 32 rounds. For a survey on backgrounds and the attacks on MULTI2, we refer to [2]. Table 1. Our linear key-recovery attacks on r-round MULTI2, and the time unit is one r-round encryption key-recovery attack r time data . [2]linearattack 20 293 4 239 2 . [2]guess-and-determineattack any r 2185 4 3 [2] related-key slide attack r =0(mod8) 2128/r 233 (strong assumptions on key relations) thispaper 8 246 217 . thispaper 12 260 4 233 . thispaper 16 283 8 249 . thispaper 20 291 7 263 . thispaper 24 2123 4 263 . thispaper 28 2123 2 263 This paper gives the linear analysis on MULTI2. Our main contribu- tions are the following. First, we give a detailed bias analysis on MULTI2 round functions. In particular, we give formal proofs on the bias prop- erties for the first time. This allows to discover new interesting results. Secondly, we give a new 4-round bias 2−2. Previously, the best 4-round bias 2−5.7 was proposed in [2]. Thirdly, using our results on the MULTI2 round functions, we propose the linear attacks on r-round MUTLI2 to recover the 256-bit encryption key for r = 8, 12, 16, 20, 24, 28. In Table 1, we give our attack results and compare with the best known key-recovery attacks [2]. Note that to recover the 32-bit sub-key in the last round we need (time, data): (237, 212.4) for r = 8, (237, 223.8) for r = 12, (237, 235.2) for r = 16, (237, 246.6) for r = 20, and (237, 258) for r = 24 respectively, which are much faster than the whole key recovery. Previously, the best linear key-recovery attack was a 20-round attack [2] with time 293.4 and data 239.2. The rest of the paper is organized as following. In Sect. 2, we give preliminaries on MULTI2 and review the related work. In Sect. 3, we present detailed analysis on MULTI2 round functions with formal proofs. In Sect. 4, we give a new 4-round distinguisher. This is the best known 4-round linear attack. We give the key-recovery attacks on MULTI2 in Sect. 5. Finally, we conclude in Sect. 6. 2 2 Preliminaries on MULTI2 MULTI2 (Multi-Media Encryption Algorithm 2) is a standard balanced Feistel structured block cipher [10]. The block length is 64 bits and each half branch has 32 bits. The ISO register entry recommends at least 32 rounds. The round functions are π1,π2,π3,π4 repeatedly every 4 rounds. The basic operations are XOR (denoted by ⊕), modulo 232 addition (de- noted by +) and subtraction (denoted by −), bit-wise left rotation (de- noted by ≪) and logical OR (denoted by OR). We give detailed descrip- tion and analysis on π1,π2,π3,π4 in Sect. 3. L0 R0 π1 k1 π2 k2,k3 π3 k4 π4 π1 k5 π2 k6,k7 π3 k8 π4 L R 8 . 8 . Fig. 1. MULTI2 encryption diagram The 256-bit encryption key consists of k1,k2,...,k8 of 32 bits each. The eight sub-keys are derived from a 256-bit system key and a 64-bit data key (see [2] for details). In this paper, we restrict ourselves to the 3 encryption key. Note that by the key schedule, we always have k4 = k2 ⊕ k3, (1) k8 = k6 ⊕ k7. (2) Thus, the 256-bit encryption key only consists of 32 × 6 = 192 unknown key bits. Note that Round 1 through Round 4 use sub-keys k1,...,k4 and Round 5 through Round 8 use sub-keys k5,...,k8. The eight sub- keys are used repeatedly every 8 rounds. Throughout the paper, let the 32-bit L0,R0 be the left half and right half of the plaintext respectively. We let Ln,Rn denote the left half and right half of the n-round MULTI2 output. Figure 1 shows MULTI2 encryption diagram. Previously, [1,2] studied linear analysis on MULTI2. Based on the 4- round bias 2−5.7 in [2], the best linear key-recovery attack [2] was proposed for 20-round MULTI2 to recover the encryption key. For this 20-round 1 attack, [2] proposes to recover k1,...,k4 with 32 × 3 = 96 unknown bits all together using 239.2 data, which needs 293.4 computations2 of 20-round encryptions. 3 Detailed Analysis on MULTI2 Round Functions We define the bias (also called imbalance [6, page 14]) of a binary random variable X by def bias(X) = | Pr(X = 0) − Pr(X = 1)|. (3) In this section, we discuss the bias properties for each of MULTI2 round functions in details. We not only give the detailed experimental results, but more importantly, we present formal proofs for our important results for the first time. The round function π1 is an identity function without def key mixing, π1(L) = L, which directly outputs the left half input to the right half. It is trivial to see that regardless of the distribution of L, we always have the bias 1 for α · (L ⊕ π1(L)) for any 32-bit α. Below, we discuss the bias properties for the other round functions. 1 By Eq.(1), k1, . , k4 only contain 96 unknown bits. 2 Throughout the paper, we adopt the conventional time unit of one r-round encryp- tion for time estimate of the r-round attack; this makes easy to compare with the L time complexity O(2 ) of exhaustive search, where L denotes the key size. 4 3.1 Analysis of π2 The function π2 takes two inputs of 32 bits each, R and ki, and it is defined by π2(R,ki)=(x ≪ 4) ⊕ x, (4) and x = ((R + ki) ≪ 1) + R + ki − 1. (5) 3 Previously, [2] reported the bias 1 for 0xaaaaaaaa · π2(R,ki) by experi- ments. Below, we give the complete results with formal proofs on the bias properties of π2. Note that x as defined in (5) is not uniformly distributed assuming R,ki are random with uniform distribution. We first analyze a simplified case, in which we let x come from a truly random source rather than generated by R,ki. ′ Property 1. Given 32-bit x, let π2(x)=(x ≪ 4) ⊕ x. We assume that x ′ is random with uniform distribution. Then, the bias for α · π2(x) is 1, if α is in the set E1 defined below {0x11111111, 0x22222222, 0x33333333, 0x44444444, 0x55555555, 0x66666666, 0x77777777, 0x88888888, 0x99999999, 0xaaaaaaaa, 0xbbbbbbbb, 0xcccccccc, 0xdddddddd, 0xeeeeeeee, 0xffffffff}; ′ and the bias for α · π2(x) is 0, if α∈E / 1 ∪ {0}. Proof. For the first half of the results, we show a more general result, ′ i.e., the bias for α · π2(x) is 1 with any distribution of x if α ∈ E1. We demonstrate with the input mask α = 0x11111111 assuming x complies with any distribution as follows. On one hand, we have α · (x ≪ 4) = x[28] ⊕ x[0] ⊕ x[4] ⊕ x[8] ⊕ x[12] ⊕ x[16] ⊕ x[20] ⊕ x[24], where x[0] denotes the Least Significant Bit (LSB) of x.
Load more

Recommended publications
  • Statistical and Algebraic Cryptanalysis of Lightweight and Ultra-Lightweight Symmetric Primitives
    Statistical and Algebraic Cryptanalysis of Lightweight and Ultra-Lightweight Symmetric Primitives THÈSE NO 5415 (2012) PRÉSENTÉE LE 27 AOÛT 2012 À LA FACULTÉ INFORMATIQUE ET COMMUNICATIONS LABORATOIRE DE SÉCURITÉ ET DE CRYPTOGRAPHIE PROGRAMME DOCTORAL EN INFORMATIQUE, COMMUNICATIONS ET INFORMATION ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE POUR L'OBTENTION DU GRADE DE DOCTEUR ÈS SCIENCES PAR Pouyan SEPEHRDAD acceptée sur proposition du jury: Prof. E. Telatar, président du jury Prof. S. Vaudenay, directeur de thèse Prof. A. Canteaut, rapporteur Prof. A. Lenstra, rapporteur Prof. W. Meier, rapporteur Suisse 2012 To my two angels of God, my mother and father whom without their help, devotion, affection, love and support not only this dissertation could not be accomplished, but I was not able to put my feet one step forward towards improvement. Abstract Symmetric cryptographic primitives such as block and stream ciphers are the building blocks in many cryptographic protocols. Having such blocks which provide provable security against various types of attacks is often hard. On the other hand, if possible, such designs are often too costly to be implemented and are usually ignored by practitioners. Moreover, in RFID protocols or sensor networks, we need lightweight and ultra-lightweight algorithms. Hence, cryptographers often search for a fair trade-off between security and usability depending on the application. Contrary to public key primitives, which are often based on some hard problems, security in symmetric key is often based on some heuristic assumptions. Often, the researchers in this area argue that the security is based on the confidence level the community has in their design. Consequently, everyday symmetric protocols appear in the literature and stay secure until someone breaks them.
    [Show full text]
  • Cryptanalysis of the ISDB Scrambling Algorithm (MULTI2)
    Cryptanalysis of the ISDB Scrambling Algorithm (MULTI2) Jean-Philippe Aumasson1⋆, Jorge Nakahara Jr.2⋆⋆, and Pouyan Sepehrdad2 1 FHNW, Windisch, Switzerland 2 EPFL, Lausanne, Switzerland [email protected], {jorge.nakahara,pouyan.sepehrdad}@epfl.ch Abstract. MULTI2 is the block cipher used in the ISDB standard for scrambling digital multimedia content. MULTI2 is used in Japan to se- cure multimedia broadcasting, including recent applications like HDTV and mobile TV. It is the only cipher specified in the 2007 Japanese ARIB standard for conditional access systems. This paper presents a theoretical break of MULTI2 (not relevant in practice), with shortcut key recovery attacks for any number of rounds. We also describe equivalent keys and linear attacks on reduced versions with up 20 rounds (out of 32), improv- ing on the previous 12-round attack by Matsui and Yamagishi. Practical attacks are presented on up to 16 rounds. Keywords: ISDB, ARIB, MULTI2, block cipher, linear cryptanalysis, conditional access 1 Introduction MULTI2 is a block cipher developed by Hitachi in 1988 for general-purpose applications, but which has mainly been used for securing multimedia content. It was registered in ISO/IEC 99793 [8] in 1994, and is patented in the U.S. [13, 14] and in Japan [7]. MULTI2 is the only cipher specified in the 2007 Japanese standard ARIB for conditional access systems [2]. ARIB is the basic standard of the recent ISDB (for Integrated Services Digital Broadcasting), Japan’s standard for digital television and digital radio (see http://www.dibeg.org/) Since 1995, MULTI2 is the cipher used by satellite and terrestrial broadcast- ers in Japan [16, 18] for protecting audio and video streams, including HDTV, mobile and interactive TV.
    [Show full text]
  • Neptune Township Tax List Book: 1 Block/Lot: 101/1
    NEPTUNE TOWNSHIP TAX LIST BOOK: 1 BLOCK/LOT: 101/1 NEW JERSEY PROPERTY TAX SYSTEM LEGEND QUALIFICATION BUILDING DESCRIPTION REAL PROPERTY EXEMPT PROPERTY LIMITED EXEMPTIONS CODE EXPLANATION Format: Stories-Structure-Style-Garage CLASS CODES CLASS CODES CODE EXPLANATION S Sector Number Prefix STORIES D Dutch Colonial TAXABLE PROPERTY W Ward Number Prefix S Prefix S with no. of stories E English Tudor C Condo Unit No. Prefix F Cape Cod LOT Lot only is owned STRUCTURE L Colonial 1 Vacant Land 15A Public School Property E Fire Suppression System BLDG Building only is owned AL Aluminum Siding M Mobile Home 2 Residential 15B Other School Property F Fallout Shelter HM Hackensack Meadow Lands B Brick R Rancher 3A Farm (Regular) 15C Public Property P Pollution Control X Exmpt. Port. of Taxable Property CB Concrete Block S Split Level 3B Farm (Qualified) 15D Church & Charit. Property W Water Supply Control HL Highlands F Frame T Twin 4A Commercial 15E Cemeteries & Graveyards G Commercial Indust. Exempt. FP Flood Plain M Metal W Row Home 4B Industrial 15F Other Exempt. I Dwelling Exemption M Mobile Home RC Reinforced Concrete X Duplex 4C Apartment J Dwelling Abatement PL Pine Lands S Stucco Z Raised Rancher K New Dwelling/Conversion Z Coastal Zone SS Structural Steel O Other RAILROAD PROPERTY DEDUCTIONS Exemption L Wet Lands ST Stone 2 Bi-Level CODE EXPLANATION L New Dwelling/Conversion B Billboard W Wood 3 Tri-Level 5A Railroad Class I Abatement T Cell Tower 5B Railroad Class II N Mulitiple Dwelling Exemption QFARM Qualified Farmland STYLE GARAGE S Senior Citizen O Multiple Dwelling Abatement A Commercial AG Attached Garage PERSONAL PROPERTY V Veteran U Urban Enterprise Zone Abate.
    [Show full text]
  • Confidentiality and Tamper--Resistance of Embedded Databases Yanli Guo
    Confidentiality and Tamper--Resistance of Embedded Databases Yanli Guo To cite this version: Yanli Guo. Confidentiality and Tamper--Resistance of Embedded Databases. Databases [cs.DB]. Université de Versailles Saint Quentin en Yvelines, 2011. English. tel-01179190 HAL Id: tel-01179190 https://hal.archives-ouvertes.fr/tel-01179190 Submitted on 21 Jul 2015 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. UNIVERSITE DE VERSAILLES SAINT-QUENTIN-EN-YVELINES Ecole Doctorale Sciences et Technologies de Versailles - STV Laboratoire PRiSM UMR CNRS 8144 THESE DE DOCTORAT DE L’UNIVERSITE DE VERSAILLES SAINT–QUENTIN–EN–YVELINES présentée par : Yanli GUO Pour obtenir le grade de Docteur de l’Université de Versailles Saint-Quentin-en-Yvelines CONFIDENTIALITE ET INTEGRITE DE BASES DE DONNEES EMBARQUEES (Confidentiality and Tamper-Resistance of Embedded Databases) Soutenue le 6 décembre 2011 ________ Rapporteurs : Didier DONSEZ, Professeur, Université Joseph Fourier, Grenoble PatriCk VALDURIEZ, Directeur de recherche, INRIA, Sophia Antipolis Examinateurs : NiColas
    [Show full text]
  • DVB); Content Protection and Copy Management (DVB-CPCM); Part 4: CPCM System Specification
    ETSI TS 102 825-4 V1.2.2 (2013-12) Technical Specification Digital Video Broadcasting (DVB); Content Protection and Copy Management (DVB-CPCM); Part 4: CPCM System Specification 2 ETSI TS 102 825-4 V1.2.2 (2013-12) Reference RTS/JTC-DVB-334-4 Keywords broadcast, digital, DVB, TV ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice Individual copies of the present document can be downloaded from: http://www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written permission.
    [Show full text]
  • Low-End Rental Housing the Forgotten Story in L O
    N E W M A N LOW-END RENTAL HOUSING THE FORGOTTEN STORY IN L O W BALTIMORE’S HOUSING BOOM - E N D R E N T A L Sandra J. Newman H O U S I N G THE URBAN INSTITUTE 2100 M Street N.W. Washington, D.C. 20037 Tel: (202) 261-5687 Fax: (202) 467-5775 Web: www.urban.org FUNDED BY THE ABELL FOUNDATION LOW-END RENTAL HOUSING THE FORGOTTEN STORY IN BALTIMORE’S HOUSING BOOM Sandra J. Newman FUNDED BY THE ABELL FOUNDATION Copyright © August 2005. The Urban Institute. All rights re- served. Except for short quotes, no part of this book may be reproduced or used in any form or by any means, electronic or mechanical, including photocopying, recording, or by informa- tion storage or retrieval system, without written permission from the Urban Institute. The Urban Institute is a nonprofit, nonpartisan policy research and educational organization that examines the social, economic, and governance problems facing the nation. The views expressed are those of the author and should not be attributed to the Urban Institute, its trustees, or its funders. CONTENTS Acknowledgments . v Executive Summary . vii The Status of Low-End Rental Housing. 5 Baltimore City Renters . 6 Vacancy Rates and Abandonment . 8 Rents . 10 Affordability. 12 Housing Quality . 14 Neighborhood Quality. 19 Rental Housing Owners. 20 Federally Assisted Housing . 22 What All These Numbers Tell Us . 25 What Should Be Done? . 26 Addressing the Affordability Problem . 26 Addressing the Combined Problems of Affordability and Inadequacy with Project-Based Vouchers . 29 Addressing the Inadequacy Problem .
    [Show full text]
  • User Behavior Modeling with Large-Scale Graph Analysis Alex Beutel May 2016 CMU-CS-16-105
    User Behavior Modeling with Large-Scale Graph Analysis Alex Beutel May 2016 CMU-CS-16-105 Computer Science Department School of Computer Science Carnegie Mellon University Pittsburgh, PA Thesis Committee: Christos Faloutsos, Co-Chair Alexander J. Smola, Co-Chair Geoffrey J. Gordon Philip S. Yu, University of Illinois at Chicago Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy. Copyright © 2016 Alex Beutel. This research was sponsored under the National Science Foundation Graduate Research Fellowship Program (Grant no. DGE- 1252522) and a Facebook Fellowship. This research was also supported by the National Science Foundation under grants num- bered IIS-1017415, CNS-1314632 and IIS-1408924, as well as the Army Research Laboratory under Cooperative Agreement Number W911NF-09-2-0053. I also would like to thank the CMU Parallel Data Laboratory OpenCloud for providing infrastructure for ex- periments; this research was funded, in part, by the NSF under award CCF-1019104, and the Gordon and Betty Moore Foundation, in the eScience project. Also, I would like to thank the Open Cloud Consortium (OCC) and the Open Science Data Cloud (OSDC) for the use of resources on the OCC-Y Hadoop cluster, which was donated to the OCC by Yahoo! The views and conclusions contained in this document are those of the author and should not be interpreted as representing the official policies, either expressed or implied, of any sponsoring institution, the U.S. government or any other entity. Keywords: behavior modeling, graph mining, scalable machine learning, fraud detection, recommendation systems, clustering, co-clustering, factorization, machine learning systems, distributed systems Dedicated to my family.
    [Show full text]
  • CRYPTREC Report 2008 暗号技術監視委員会報告書
    CRYPTREC Report 2008 平成21年3月 独立行政法人情報通信研究機構 独立行政法人情報処理推進機構 「暗号技術監視委員会報告」 目次 はじめに ······················································· 1 本報告書の利用にあたって ······································· 2 委員会構成 ····················································· 3 委員名簿 ······················································· 4 第 1 章 活動の目的 ··················································· 7 1.1 電子政府システムの安全性確保 ··································· 7 1.2 暗号技術監視委員会············································· 8 1.3 電子政府推奨暗号リスト········································· 9 1.4 活動の方針····················································· 9 第 2 章 電子政府推奨暗号リスト改訂について ·························· 11 2.1 改訂の背景 ··················································· 11 2.2 改訂の目的 ··················································· 11 2.3 電子政府推奨暗号リストの改訂に関する骨子······················ 11 2.3.1 現リストの構成の見直し ·································· 12 2.3.2 暗号技術公募の基本方針 ·································· 14 2.3.3 2009 年度公募カテゴリ ···································· 14 2.3.4 今後のスケジュール ······································ 15 2.4 電子政府推奨暗号リスト改訂のための暗号技術公募(2009 年度) ····· 15 2.4.1 公募の概要 ·············································· 16 2.4.2 2009 年度公募カテゴリ ···································· 16 2.4.3 提出書類 ················································ 17 2.4.4 評価スケジュール(予定) ·································· 17 2.4.5 評価項目 ················································ 18 2.4.6 応募暗号説明会の開催 ···································· 19 2.4.7 ワークショップの開催 ···································· 19 2.5
    [Show full text]
  • This Is a Chapter from the Handbook of Applied Cryptography, by A. Menezes, P. Van Oorschot, and S. Vanstone, CRC Press, 1996. F
    This is a Chapter from the Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996. For further information, see www.cacr.math.uwaterloo.ca/hac CRC Press has granted the following specific permissions for the electronic version of this book: Permission is granted to retrieve, print and store a single copy of this chapter for personal use. This permission does not extend to binding multiple chapters of the book, photocopying or producing copies for other than personal use of the person creating the copy, or making electronic copies available for retrieval by others without prior permission in writing from CRC Press. Except where over-ridden by the specific permission above, the standard copyright notice from CRC Press applies to this electronic version: Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher. The consent of CRC Press does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press for such copying. c 1997 by CRC Press, Inc. Chapter 15 Patents and Standards Contents in Brief 15.1 Introduction :::::::::::::::::::::::::::::635 15.2 Patents on cryptographic techniques ::::::::::::::::635 15.3 Cryptographic standards ::::::::::::::::::::::645 15.4 Notes and further references ::::::::::::::::::::657 15.1 Introduction This chapter discusses two topics which have signi®cant impact on the use of cryptogra- phy in practice: patents and standards.
    [Show full text]
  • I~O Cfc\;'/OODQ
    ..I~O CfC\;'/OODQ ALGORITHM REGISTER ENTRY a) ISO Entry Name fi.so s.~o.I\A~dtCfq,~ 1"\->11-;'-.(~)} b) Name of Algorithm MULTI2 c) IntendedRange of Application 1. Confidentiality 2. HashFunction -as detailedin ISO 10118-2 3. Authentication -as detailedin ISO 9798 4. Data Integrity -as detailedin ISO 9797 d) CryptographicInterface Parameters 1. Input size 64 bits 2. Output size 64 bits 3. Key length: Data key 64 bits Systemkey 256 bits 4. Round number positive integer e) Test Data ROUND NUMBER 128 SYSTEMKEY all O's for 256 bits of systemkey DATA KEY (0123 4567 89AB CDEF) hex INPUT DATA (0000000000000001 )hex INTERMEDIARY (4th ROUND) (772F 558A F46A C13B )hex INTERMEDIARY (8th ROUND) (696E F331 5EDF OBFB )hex INTERMEDIARY (16h ROUND) (9E89 DA58 87CO 8518 )hex INTERMEDIARY (32th ROUND) (3F98 2A 1 F 459A 8023 )hex INTERMEDIARY (64th ROUND) (11 BD C4DO 9DF3 99A8 )hex OUTPUT DATA (128thROUND) (F894 4084 SEll CF89 )hex t) SponsoringAuthority Information-Technology Promotion Agency, Japan(IP A) Shuwashibakoen3-chome Bldg., 6F, 3-1-38 Shibakoen, Minato-kuffokyo 105, JAPAN Tel: +81-3-3437-2301 Fax: +81-3-3437-9421 RegistrationRequested by Hitachi, Ltd. SoftwareDevelopment Center Contactfor Information HisashiHashimoto SeniorEngineer Hitachi, Ltd. SoftwareDevelopment Center WorkstationNetwork SoftwareDepartment TYG 11thBldg. 16-1 3-chome,Nakamachi 1 ISO ,~,Ct /ooo,! ' Atsugi-shi243, JAPAN Tel: +81-462-25-9271 Fax: +81-462-25-9395 g) Date of submission Date of registration II+-No\le.",be..r ,qq Lt- h) Whether the Subject of a National Standard No. i) Patent -License Restriction Two patentsregistered: 1. United States Patent, No.
    [Show full text]
  • Colliding Keys for SC2000-256
    Colliding Keys for SC2000-256 Alex Biryukov1 and Ivica Nikoli´c2 1 University of Luxembourg 2 Nanyang Technological University, Singapore [email protected] [email protected] Abstract. In this work we present analysis for the block cipher SC2000 , which is in the Japanese CRYPTREC portfolio for standardization. In spite of its very complex and non-linear key-schedule we have found a property of the full SC2000-256 (with 256-bit keys) which allows the attacker to find many pairs of keys which generate identical sets of sub- keys. Such colliding keys result in identical encryptions. We designed an algorithm that efficiently produces colliding key pairs in 239 time, which takes a few hours on a PC. We show that there are around 268 collid- ing pairs, and the whole set can be enumerated in 258 time. This result shows that SC2000-256 cannot model an ideal cipher. Furthermore we explain how practical collisions can be produced for both Davies-Meyer and Hiroses hash function constructions instantiated with SC2000-256 . Keywords: SC2000 · block cipher · key collisions · equivalent keys · CRYPTREC · hash function 1 Introduction The block cipher SC2000 [15] was designed by researchers from Fujitsu and the Science University of Tokyo, and submitted to the open call for 128-bit encryption standards organized by Cryptography Research and Evaluation Committees (CRYPTREC). Started in 2000, CRYPTREC is a program of the Japanese government set up to evaluate and recom- mend cryptographic algorithms for use in industry and institutions across Japan. An algorithm becomes a CRYPTREC recommended standard af- ter two stages of evaluations.
    [Show full text]
  • ANALYSIS and INNER-ROUND PIPELINED IMPLEMENTATION of SELECTED PARALLELIZABLE CAESAR COMPETITION CANDIDATES By
    ANALYSIS AND INNER-ROUND PIPELINED IMPLEMENTATION OF SELECTED PARALLELIZABLE CAESAR COMPETITION CANDIDATES by Sanjay Deshpande A Thesis Submitted to the Graduate Faculty of George Mason University in Partial Fulfillment of The Requirements for the Degree of Master of Science Computer Engineering Committee: _________________________________ Dr. Kris Gaj, Thesis Director _________________________________ Dr. Jens Peter Kaps, Committee Member _________________________________ Dr. Xiang Chen, Committee Member _________________________________ Dr. Monson Hayes, Department Chair _________________________________ Dr. Kenneth S. Ball, Dean, Volgenau School of Engineering Date: _____________________________ Fall Semester 2016 George Mason University Fairfax, VA. Analysis and Inner-Round Pipelined Implementation of Selected Parallelizable CAESAR Competition Candidates A Thesis submitted in partial fulfillment of the requirements for the degree of Master of Science at George Mason University by Sanjay Deshpande Bachelor of Technology Jawaharlal Nehru Technological University, 2014 Director: Kris Gaj, Associate Professor Electrical and Computer Engineering Fall Semester 2017 George Mason University Fairfax, VA Copyright: 2016 Sanjay Deshpande All Rights Reserved ii Dedication I dedicate this thesis to Shri Kesari Hanuman, my grandfather Shri Nand Kumar Deshpande, my parents Megha Deshpande & Vinay Deshpande, my advisor Dr. Kris Gaj, and Ankitha Prabhu and my beloved friends. iii Acknowledgement I would like to express my heartfelt gratitude to my advisor Dr. Kris Gaj for his patience, motivation and guidance through the research and thesis documentation. I would also take this opportunity to thank Dr. Jens Peter Kaps, Ekawat Homsirikamol a.k.a “Ice”, William Diehl, Farnoud Farahmand, Panasayya Yalla, Ahmed Ferozpuri, Malik Umar Sharif and Rabia Shahid for their immense help. iv Table of Contents Page List of Tables .....................................................................................................
    [Show full text]