2017 2nd International Conference on Computer Science and Technology (CST 2017) ISBN: 978-1-60595-461-5

Cube Attacks on the Stream Cipher Grain-v1

Yong-juan WANG*, Shi-yi ZHANG and Yang GAO
Luoyang Foreign Language University, Luoyang, Henan Province, China
[email protected]
*Corresponding author

Keywords: Algebraic attack, Cube attack, Stream cipher, Grain-v1, Key recovery.

Abstract. The cube attack was introduced by Itai Dinur and Adi Shamir. As a known-plaintext attack on symmetric primitives, it applies efficiently to stream ciphers, block ciphers and hash functions. In this paper we propose a new method to find all the cubes U that produce linear relations, and apply it to simplified Grain-v1 variants with 60 and 65 initialization rounds, from which we obtain at least 25 and 11 key bits respectively. Our results show that Grain-v1 with a reduced number of initialization rounds can be broken by a cube attack whose complexity is significantly lower than exhaustive search.

Introduction

The cube attack was introduced by Adi Shamir and his student Itai Dinur in 2008 (published at EUROCRYPT 2009) as a known-plaintext attack on symmetric primitives. It is a major improvement over several previously published attacks of the same type, for example the Algebraic IV Differential Attack (AIDA). If the output of a cryptosystem can be represented as a polynomial $F(K, IV)$ over $GF(2)$ in the key variables and the public variables (plaintext or IV bits), then by choosing the values of the public variables skilfully the attacker may obtain linear equations in the key bits. Given a sufficient number of such equations, collected through queries to the black-box polynomial with tweakable public variables (e.g. chosen plaintexts or initial values), the secret key is recovered by solving a linear system of equations in the secret key variables.

Cube attacks can be applied to any block cipher, stream cipher or MAC that is provided as a black box, even when nothing is known about its internal structure, as long as at least one output bit can be represented by an (unknown) polynomial of relatively low degree in the secret and public variables. The attack has been applied to MD6 [3], Trivium, Serpent, Grain-128, PHOTON, Keccak and others, and it works quite well. The stream cipher Grain-v1 was proposed by Hell, Johansson, Maximov and Meier. Christophe De Cannière, Özgül Küçük and Bart Preneel analysed the initialization algorithm of Grain and showed a sliding property of the initialization that leads to a very efficient related-key attack; they also developed a differential attack on Grain-v1 that recovers one out of $2^{29}$ keys and requires two related keys and $2^{55}$ chosen IV pairs. Yuseop Lee, Kitae Jeong and Jaechul Sung extended the slide resynchronization attack and proposed related-key chosen-IV attacks on Grain-v1 that recover the secret key with $2^{22.59}$ chosen IVs, $2^{26.29}$-bit keystream sequences and $2^{22.9}$ computational complexity. In recent years, differential fault attacks, near-collision attacks and probabilistic algebraic attacks have also been applied to Grain-v1 with good results. In this paper we provide a new attack approach to the cryptanalyst and push the cube attack to reduced variants of Grain-v1. Our results show that Grain-v1 with a reduced number of initialization rounds can be broken with complexity significantly lower than exhaustive search.

This paper is organized as follows. Following the introduction, we describe the cube attack in Section 2. In Section 3, we describe the stream cipher Grain-v1. In Section 4, a new method to find all the cubes U is described and applied to Grain-v1. In Section 5, an improvement is described and applied to Grain-v1 again. Finally, we conclude the paper in Section 6.

Cube Attack

First, we give a brief overview of the cube attack. Throughout this paper, all polynomials have coefficients in $GF(2)$. Let $IV = (v_1, \ldots, v_m)$ and $K = (x_1, \ldots, x_n)$, and let $F_i(K, IV) = Y_i$ denote the $i$-th output bit. If $U = \{v_{i_1}, \ldots, v_{i_k}\} \subset \{v_1, \ldots, v_m\}$ has been chosen, then the $i$-th output bit can be represented as

$F_i(x_1, \ldots, x_n, v_1, \ldots, v_m) = v_{i_1} v_{i_2} \cdots v_{i_k} \cdot P(x_1, \ldots, x_n, V) + Q(x_1, \ldots, x_n, v_1, \ldots, v_m).$ (1)

Here $V = \{v_1, \ldots, v_m\} \setminus U$, $P(\cdot)$ is a linear polynomial in $\{x_1, \ldots, x_n\} \cup V$ that contains none of the variables $v_{i_1}, \ldots, v_{i_k}$, and every term of the polynomial $Q$ misses at least one variable from $v_{i_1}, \ldots, v_{i_k}$. Let $C$ be the set of points where the variables in $\{x_1, \ldots, x_n\} \cup V$ are fixed and the variables in $U$ take all possible combinations of values. Then

$\sum_{C} F_i(x_1, \ldots, x_n, v_1, \ldots, v_m) = \sum_{C} v_{i_1} v_{i_2} \cdots v_{i_k} \cdot P(x_1, \ldots, x_n, V) + \sum_{C} Q(x_1, \ldots, x_n, v_1, \ldots, v_m).$

Theorem 1. For any polynomial $F_i$ and subset $U$, $\sum_{C} v_{i_1} v_{i_2} \cdots v_{i_k} \cdot P(\cdot) = P(\cdot) \pmod 2$.

Proof. Since no term of $Q$ has the monomial $v_{i_1} v_{i_2} \cdots v_{i_k}$ as a factor, summing each term of $Q$ over all $2^k$ possible vectors gives 0, hence $\sum_{C} Q = 0$. On the other hand, the coefficient of $P(\cdot)$ in the summation is 1 in exactly one case, $v_{i_1} = v_{i_2} = \cdots = v_{i_k} = 1$. #

By Theorem 1, (1) becomes

$\sum_{C} F_i(x_1, \ldots, x_n, v_1, \ldots, v_m) = \sum_{C} v_{i_1} \cdots v_{i_k} \cdot P(x_1, \ldots, x_n, V) + \sum_{C} Q = P(x_1, \ldots, x_n, V).$

Brief Description of Grain-v1

Grain-v1 is one of the three ciphers in the final hardware portfolio of the ECRYPT eSTREAM project. It consists of an 80-bit LFSR, an 80-bit NFSR (both over $GF(2)$) and a Boolean filter function $h(x)$. The content of the LFSR is denoted by $s_i, s_{i+1}, \ldots, s_{i+79}$ and the content of the NFSR by $b_i, b_{i+1}, \ldots, b_{i+79}$. The feedback polynomial $f(x)$ of the LFSR is a primitive polynomial of degree 80, defined as

$f(x) = 1 + x^{18} + x^{29} + x^{42} + x^{57} + x^{67} + x^{80}.$

The NFSR feedback polynomial $g(x)$ is defined as

$g(x) = 1 + x^{18} + x^{20} + x^{28} + x^{35} + x^{43} + x^{47} + x^{52} + x^{59} + x^{66} + x^{71} + x^{80} + x^{17}x^{20} + x^{43}x^{47} + x^{65}x^{71} + x^{20}x^{28}x^{35} + x^{47}x^{52}x^{59} + x^{17}x^{35}x^{52}x^{71} + x^{20}x^{28}x^{43}x^{47} + x^{17}x^{20}x^{59}x^{65} + x^{17}x^{20}x^{28}x^{35}x^{43} + x^{47}x^{52}x^{59}x^{65}x^{71} + x^{28}x^{35}x^{43}x^{47}x^{52}x^{59}.$

The cipher output bit $z_i$ is derived from the current LFSR and NFSR states with the filter function $h(x_0, x_1, x_2, x_3, x_4)$ as follows:

$z_i = \sum_{k \in A} b_{i+k} + h(s_{i+3}, s_{i+25}, s_{i+46}, s_{i+64}, b_{i+63}),$

where $A = \{1, 2, 4, 10, 31, 43, 56\}$ and the filter Boolean function is defined as

$h(x_0, x_1, x_2, x_3, x_4) = x_1 + x_4 + x_0 x_3 + x_2 x_3 + x_3 x_4 + x_0 x_1 x_2 + x_0 x_2 x_3 + x_0 x_2 x_4 + x_1 x_2 x_4 + x_2 x_3 x_4.$

Key Initialization. Given an 80-bit key and a 64-bit IV, Grain-v1 is initialized by loading the key into the NFSR and the IV into the LFSR; the remaining 16 bits of the LFSR are filled with ones. The mechanism is then clocked 160 times without producing output; during this phase the output bit $z_i$ is fed back and XORed into the inputs of both the LFSR and the NFSR. The contents of the shift registers at the end of the key initialization phase are the state from which the running key is generated.

Keystream Generation. After the cipher has been clocked 160 times, the mechanism begins to produce output bits, see Figure 1.

Figure 1. Keystream Generation.

Cube Attack on Grain-v1

The main goal of the cube attack is to find sufficiently many cubes U for which the polynomial $P(\cdot)$ is linear. By querying the cipher we obtain the value of $P(\cdot)$, and with a sufficient number of linearly independent relations in the key bits the attacker can easily recover the key $K$ by Gaussian elimination. The cube attack is split into two stages.

The Preprocessing Stage. To find U we use a linearity check. The IVs are formed by letting the variables in U take all possible combinations of values while keeping the variables in $V = IV \setminus U$ fixed to 0. After the selection of U, we take 100 random pairs of keys $(X, Y)$ and check whether

$\sum_{IV \in C} F_i(X + Y, IV) = \sum_{IV \in C} F_i(X, IV) + \sum_{IV \in C} F_i(Y, IV) + \sum_{IV \in C} F_i(0, IV).$ (2)

If (2) is satisfied for all 100 random pairs, the polynomial $P(\cdot)$ is assumed to be linear in the key bits. Note that passing the check on 100 random pairs is probabilistic evidence only: a nonlinear $P(\cdot)$ that agrees with a linear function on most keys can slip through, so the recovered relations should be verified before they are trusted in the online stage. The randomized algorithm of Dinur and Shamir finds U starting from $p \ge 1$ randomly chosen variables and uses the linearity test to check whether $P(\cdot)$ is linear. If U is too small, $P(\cdot)$ is likely to be a nonlinear polynomial in the secret variables; in this case the attacker adds a public variable to U and checks again. If U is too large, $P(\cdot)$ will be a constant; in this case the attacker drops one of the public variables from U and checks again. The first problem with this algorithm is that not all U are tested, because U is chosen randomly starting from a random set of variables, and the chance of hitting a suitable U is not expected to be high. We therefore select U by adding IV variables one by one. This process generates all the U that produce linear relations $P(\cdot)$; see Figure 2.

Figure 2. The approach to selecting IV variables.

For each U that passes the linearity check, we need to compute the corresponding $P(\cdot)$. This means finding the coefficients of a linear polynomial in the $n$ key variables, which has $n + 1$ coefficients including the constant term. To find them, we compute the sum $\sum_{C} F(K, IV)$ for the $n + 1$ keys $x = 0, e_0, e_1, \ldots, e_{n-1}$, where $e_i$ is the vector whose $i$-th component is 1 and whose other components are 0.
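As an added example (not code from the paper), the following Python model implements the Grain-v1 components of Section 3 with a configurable number of initialization rounds and the preprocessing steps of Sections 2 and 4: summation over a cube $C$ with $V$ fixed to 0, the linearity check (2) on random key pairs, and extraction of the $n + 1$ superpoly coefficients from the keys $0, e_0, \ldots, e_{n-1}$. The function names (grain_v1, cube_sum, is_linear, superpoly), the choice of the first keystream bit as the target $F_0(K, IV)$, and the demonstration cube are the example's own assumptions. The demonstration uses 0 initialization rounds so the result can be checked by hand: with $s_{25} = 0$ and the padding bit $s_{64} = 1$, the monomial $s_3 s_{46}$ in $z_0$ comes from $x_0 x_2 x_3 + x_0 x_2 x_4$ of $h$, so the cube $U = \{v_3, v_{46}\}$ has superpoly $P = 1 + x_{63}$. Setting rounds to 60 or 65 runs the same checks on the variants the paper attacks.

```python
import random
from typing import Callable, List, Sequence

KEY_BITS, IV_BITS, STATE_BITS = 80, 64, 80
A = (1, 2, 4, 10, 31, 43, 56)   # NFSR positions XORed linearly into the output
BitFunc = Callable[[Sequence[int], Sequence[int]], int]   # F_i(K, IV) as a black box

def h(x0, x1, x2, x3, x4):
    """Filter h(s_{i+3}, s_{i+25}, s_{i+46}, s_{i+64}, b_{i+63}) from Section 3."""
    return (x1 ^ x4 ^ (x0 & x3) ^ (x2 & x3) ^ (x3 & x4) ^ (x0 & x1 & x2)
            ^ (x0 & x2 & x3) ^ (x0 & x2 & x4) ^ (x1 & x2 & x4) ^ (x2 & x3 & x4))

def lfsr_feedback(s):
    # f(x) = 1 + x^18 + x^29 + x^42 + x^57 + x^67 + x^80, i.e. x^a -> s_{i+80-a}
    return s[62] ^ s[51] ^ s[38] ^ s[23] ^ s[13] ^ s[0]

def nfsr_feedback(b, s0):
    # g(x) from Section 3 with x^a -> b_{i+80-a}; s_i is XORed into the NFSR input
    return (s0 ^ b[62] ^ b[60] ^ b[52] ^ b[45] ^ b[37] ^ b[33] ^ b[28] ^ b[21]
            ^ b[14] ^ b[9] ^ b[0] ^ (b[63] & b[60]) ^ (b[37] & b[33]) ^ (b[15] & b[9])
            ^ (b[60] & b[52] & b[45]) ^ (b[33] & b[28] & b[21])
            ^ (b[63] & b[45] & b[28] & b[9]) ^ (b[60] & b[52] & b[37] & b[33])
            ^ (b[63] & b[60] & b[21] & b[15]) ^ (b[63] & b[60] & b[52] & b[45] & b[37])
            ^ (b[33] & b[28] & b[21] & b[15] & b[9])
            ^ (b[52] & b[45] & b[37] & b[33] & b[28] & b[21]))

def output_bit(s, b):
    z = h(s[3], s[25], s[46], s[64], b[63])
    for k in A:
        z ^= b[k]
    return z

def grain_v1(key: Sequence[int], iv: Sequence[int], rounds: int, nbits: int) -> List[int]:
    """First nbits keystream bits after `rounds` initialization clocks
    (160 in the real cipher; the paper attacks 60- and 65-round variants)."""
    assert len(key) == KEY_BITS and len(iv) == IV_BITS
    b, s = list(key), list(iv) + [1] * (STATE_BITS - IV_BITS)   # LFSR padded with ones
    for _ in range(rounds):          # initialization: output fed back into both registers
        z = output_bit(s, b)
        s, b = s[1:] + [lfsr_feedback(s) ^ z], b[1:] + [nfsr_feedback(b, s[0]) ^ z]
    out = []
    for _ in range(nbits):           # keystream generation: no feedback of z
        out.append(output_bit(s, b))
        s, b = s[1:] + [lfsr_feedback(s)], b[1:] + [nfsr_feedback(b, s[0])]
    return out

def first_bit(rounds: int) -> BitFunc:
    """The black-box polynomial F_0(K, IV): first keystream bit of the reduced variant."""
    return lambda key, iv: grain_v1(key, iv, rounds, 1)[0]

def cube_sum(f: BitFunc, key: Sequence[int], cube: Sequence[int]) -> int:
    """Sum F(key, IV) over the 2^|U| IVs where the cube bits vary and V (the rest) is 0."""
    total = 0
    for mask in range(1 << len(cube)):
        iv = [0] * IV_BITS
        for j, pos in enumerate(cube):
            iv[pos] = (mask >> j) & 1
        total ^= f(key, iv)
    return total

def is_linear(f: BitFunc, cube: Sequence[int], trials: int = 100, seed: int = 1) -> bool:
    """Check (2) on random key pairs: sum_C F(X+Y) = sum_C F(X) + sum_C F(Y) + sum_C F(0)."""
    rng = random.Random(seed)
    s0 = cube_sum(f, [0] * KEY_BITS, cube)
    for _ in range(trials):
        x = [rng.randint(0, 1) for _ in range(KEY_BITS)]
        y = [rng.randint(0, 1) for _ in range(KEY_BITS)]
        xy = [u ^ v for u, v in zip(x, y)]
        if cube_sum(f, xy, cube) ^ cube_sum(f, x, cube) ^ cube_sum(f, y, cube) ^ s0:
            return False
    return True

def superpoly(f: BitFunc, cube: Sequence[int]):
    """(constant, [c_0, ..., c_79]) of the linear P from the n+1 keys 0, e_0, ..., e_{n-1}."""
    const = cube_sum(f, [0] * KEY_BITS, cube)
    coeffs = []
    for i in range(KEY_BITS):
        e = [0] * KEY_BITS
        e[i] = 1
        coeffs.append(cube_sum(f, e, cube) ^ const)
    return const, coeffs

if __name__ == "__main__":
    # Hand-checkable case (example assumption): 0 initialization rounds, U = {v_3, v_46}.
    f0 = first_bit(0)
    cube = [3, 46]
    print("linear:", is_linear(f0, cube))
    c, coeffs = superpoly(f0, cube)
    print("P = %d + %s" % (c, " + ".join("x%d" % i for i, v in enumerate(coeffs) if v)))
```

The printed relation for the 0-round case is P = 1 + x63, i.e. one linear equation in the key bit $b_{63}$, obtained from $n + 1 = 81$ cube sums of 4 queries each. The linearity test is the inner loop of the paper's search: a candidate U is extended by one IV variable at a time and re-tested, and the constant superpolys (all coefficients 0) that appear when U grows too large are discarded because they give no information about the key.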