DOCSLIB.ORG

A Practical-Time Related-Key Boomerang Attack on MMB

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
A Practical-Time Related-Key Boomerang Attack on MMB A Practical-Time Related-Key Boomerang Attack on MMB Tomer Ashur Orr Dunkelman 29/10/2013 A Practical-Time Related-Key Boomerang Attack on MMB Overview 1. Quick description of the MMB block cipher. A Practical-Time Related-Key Boomerang Attack on MMB Overview 1. Quick description of the MMB block cipher. 2. Short Explanation about cryptanalytic techniques used in this paper. A Practical-Time Related-Key Boomerang Attack on MMB Overview 1. Quick description of the MMB block cipher. 2. Short Explanation about cryptanalytic techniques used in this paper. 3. A related-key boomerang attack that recovers 62 key bits for MMB. A Practical-Time Related-Key Boomerang Attack on MMB Overview 1. Quick description of the MMB block cipher. 2. Short Explanation about cryptanalytic techniques used in this paper. 3. A related-key boomerang attack that recovers 62 key bits for MMB. 4. Using the previously recovered 62 bits to recover another 31 bits of the key. A Practical-Time Related-Key Boomerang Attack on MMB Overview 1. Quick description of the MMB block cipher. 2. Short Explanation about cryptanalytic techniques used in this paper. 3. A related-key boomerang attack that recovers 62 key bits for MMB. 4. Using the previously recovered 62 bits to recover another 31 bits of the key. 5. Recovering the last bits. A Practical-Time Related-Key Boomerang Attack on MMB Overview 1. Quick description of the MMB block cipher. 2. Short Explanation about cryptanalytic techniques used in this paper. 3. A related-key boomerang attack that recovers 62 key bits for MMB. 4. Using the previously recovered 62 bits to recover another 31 bits of the key. 5. Recovering the last bits. 6. Results of experimental verification. A Practical-Time Related-Key Boomerang Attack on MMB Overview 1. Quick description of the MMB block cipher. 2. Short Explanation about cryptanalytic techniques used in this paper. 3. A related-key boomerang attack that recovers 62 key bits for MMB. 4. Using the previously recovered 62 bits to recover another 31 bits of the key. 5. Recovering the last bits. 6. Results of experimental verification. 7. Possible extenstions of the attack. A Practical-Time Related-Key Boomerang Attack on MMB The Modular Multiplication Block (MMB) Cipher ◮ Invented in 1997, by Joan Daemen as an improvment for the IDEA cipher. A Practical-Time Related-Key Boomerang Attack on MMB The Modular Multiplication Block (MMB) Cipher ◮ Invented in 1997, by Joan Daemen as an improvment for the IDEA cipher. ◮ Block and key size of 128-bit. A Practical-Time Related-Key Boomerang Attack on MMB The Modular Multiplication Block (MMB) Cipher ◮ Invented in 1997, by Joan Daemen as an improvment for the IDEA cipher. ◮ Block and key size of 128-bit. ◮ Six rounds, 4 operations: A Practical-Time Related-Key Boomerang Attack on MMB The Modular Multiplication Block (MMB) Cipher ◮ Invented in 1997, by Joan Daemen as an improvment for the IDEA cipher. ◮ Block and key size of 128-bit. ◮ Six rounds, 4 operations: ◮ j σ - key injection (xi ⊕ ki ). A Practical-Time Related-Key Boomerang Attack on MMB The Modular Multiplication Block (MMB) Cipher ◮ Invented in 1997, by Joan Daemen as an improvment for the IDEA cipher. ◮ Block and key size of 128-bit. ◮ Six rounds, 4 operations: ◮ j σ - key injection (xi ⊕ ki ). 32 ◮ γ - modular multiplication ((xi ∗ Gi) mod (2 − 1)). A Practical-Time Related-Key Boomerang Attack on MMB The Modular Multiplication Block (MMB) Cipher ◮ Invented in 1997, by Joan Daemen as an improvment for the IDEA cipher. ◮ Block and key size of 128-bit. ◮ Six rounds, 4 operations: ◮ j σ - key injection (xi ⊕ ki ). 32 ◮ γ - modular multiplication ((xi ∗ Gi) mod (2 − 1)). ◮ η - data-dependent operation ((xi mod 2) ? (δ ⊕ xi): xi). A Practical-Time Related-Key Boomerang Attack on MMB The Modular Multiplication Block (MMB) Cipher ◮ Invented in 1997, by Joan Daemen as an improvment for the IDEA cipher. ◮ Block and key size of 128-bit. ◮ Six rounds, 4 operations: ◮ j σ - key injection (xi ⊕ ki ). 32 ◮ γ - modular multiplication ((xi ∗ Gi) mod (2 − 1)). ◮ η - data-dependent operation ((xi mod 2) ? (δ ⊕ xi): xi). ◮ θ - matrix multiplication (xi−1 ⊕ xi ⊕ xi+1). A Practical-Time Related-Key Boomerang Attack on MMB MMB’s Round Function j j j j x0 x1 x2 x3 j j j j σ k0 Lk1 Lk2 Lk3 L γ G0 NG1 NG2 NG3 N η L LSB(x0) · δ LSB(x3) · δ L Θ j+1 j+1 j+1 j+1 x0 x1 x2 x3 A Practical-Time Related-Key Boomerang Attack on MMB Differential Cryptanalysis and its Variants ◮ Differential cryptanalysis[BS91] A Practical-Time Related-Key Boomerang Attack on MMB Differential Cryptanalysis and its Variants ◮ Differential cryptanalysis[BS91] ◮ Related-key differential cryptanalysis[KSW96] A Practical-Time Related-Key Boomerang Attack on MMB Differential Cryptanalysis and its Variants ◮ Differential cryptanalysis[BS91] ◮ Related-key differential cryptanalysis[KSW96] ◮ Boomerang attack[W99] A Practical-Time Related-Key Boomerang Attack on MMB Differential Cryptanalysis and its Variants ◮ Differential cryptanalysis[BS91] ◮ Related-key differential cryptanalysis[KSW96] ◮ Boomerang attack[W99] ◮ Related-key boomerang attack[K+04,K+05,BDK05] A Practical-Time Related-Key Boomerang Attack on MMB Previous Work ◮ 2-round differential with probability 1 [WNS09]: σ[k0] γ η θ (0, 0¯, 0¯, 0) −−−→ (0, 0¯, 0¯, 0) −→ (0, 0¯, 0¯, 0) −→ (0, 0¯, 0¯, 0) −→ (0¯, 0, 0, 0)¯ σ[k1] γ η θ −−−→ (0¯, 0, 0, 0)¯ −→ (0¯, 0, 0, 0)¯ −→ (δ,¯ 0, 0, δ¯) −→ (0, δ,¯ δ,¯ 0) A Practical-Time Related-Key Boomerang Attack on MMB Previous Work ◮ 2-round differential with probability 1 [WNS09]: σ[k0] γ η θ (0, 0¯, 0¯, 0) −−−→ (0, 0¯, 0¯, 0) −→ (0, 0¯, 0¯, 0) −→ (0, 0¯, 0¯, 0) −→ (0¯, 0, 0, 0)¯ σ[k1] γ η θ −−−→ (0¯, 0, 0, 0)¯ −→ (0¯, 0, 0, 0)¯ −→ (δ,¯ 0, 0, δ¯) −→ (0, δ,¯ δ,¯ 0) ◮ 5-round distinguisher with probability 2−110 [WNS09]. ◮ Full key recovery with time complexity of 2118 [WNS09]. A Practical-Time Related-Key Boomerang Attack on MMB Previous Work ◮ 2-round differential with probability 1 [WNS09]: σ[k0] γ η θ (0, 0¯, 0¯, 0) −−−→ (0, 0¯, 0¯, 0) −→ (0, 0¯, 0¯, 0) −→ (0, 0¯, 0¯, 0) −→ (0¯, 0, 0, 0)¯ σ[k1] γ η θ −−−→ (0¯, 0, 0, 0)¯ −→ (0¯, 0, 0, 0)¯ −→ (δ,¯ 0, 0, δ¯) −→ (0, δ,¯ δ,¯ 0) ◮ 5-round distinguisher with probability 2−110 [WNS09]. ◮ Full key recovery with time complexity of 2118 [WNS09]. ◮ 5-round sandwich distinguisher with probability 1 [J+11]. ◮ Full key recovery with time complexity of 240 [J+11]. A Practical-Time Related-Key Boomerang Attack on MMB Description of the Differential Characteristics 3-round related-key 4-round related-key differential differential 2-round related-key characteristic with characteristic with differential probability 1: probability 1: characteristic with △ = ▽∗ = probability 1: (0,0,0¯,0)¯ (0,0,0¯,0) τ = (0, 0, 0¯, 0)¯ −−−−−→ (0, 0, 0¯, 0) −−−−−→ (0,0,0,0)¯ ∗ (0, 0, 0, 0)¯ −−−−−→ (δ, 0¯, δ, δ¯)= △ . (δ,¯ δ,¯ 0, δ¯)= ▽ ∗ (0, 0¯, 0¯, 0)¯ = τ Full Description Full Description Full Description One additional One additional round can be round can be prepended: prepended: (X, 0¯, 0, 0)¯ →△ (0, 0¯, 0¯,Y ) →▽∗ A Practical-Time Related-Key Boomerang Attack on MMB Description of B0 P1 P2 (X, 0¯, 0, 0)¯ A Practical-Time Related-Key Boomerang Attack on MMB Description of B0 P1 P2 (X, 0¯, 0, 0)¯ 1R A Practical-Time Related-Key Boomerang Attack on MMB Description of B0 P1 P2 (X, 0¯, 0, 0)¯ 1R 3R i1 i2 (δ, 0¯, δ, δ¯) A Practical-Time Related-Key Boomerang Attack on MMB Description of B0 P1 P2 (X, 0¯, 0, 0)¯ 1R 3R i1 i2 (δ, 0¯, δ, δ¯) 2R C1 C2 A Practical-Time Related-Key Boomerang Attack on MMB Description of B0 P1 P2 (X, 0¯, 0, 0)¯ 1R 3R i1 i2 (δ, 0¯, δ, δ¯) 2R C3 C4 ¯ ¯0, 0) C1 C2 0, (0, A Practical-Time Related-Key Boomerang Attack on MMB Description of B0 P1 P2 (X, 0¯, 0, 0)¯ 1R 3R i3 i4 i1 i2 (δ, 0¯, δ, δ¯) 2R 2R C3 C4 ¯ ¯0, 0) C1 C2 0, (0, A Practical-Time Related-Key Boomerang Attack on MMB Description of B0 P1 P2 (X, 0¯, 0, 0)¯ 1R 3R i3 i4 (δ, 0¯, δ, δ¯) ,¯0) i i 0, 0 1 2 (0, (δ, 0¯, δ, δ¯) 2R 2R C3 C4 ¯ ¯0, 0) C1 C2 0, (0, A Practical-Time Related-Key Boomerang Attack on MMB Description of B0 P1 P3 P2 P4 (X, 0¯, 0, 0)¯ 1R 4R 3R i3 i4 (δ, 0¯, δ, δ¯) ,¯0) i i 0, 0 1 2 (0, (δ, 0¯, δ, δ¯) 2R 2R C3 C4 ¯ ¯0, 0) C1 C2 0, (0, A Practical-Time Related-Key Boomerang Attack on MMB Description of B0 P1 P3 P2 P4 (X, 0¯, 0, 0)¯ 1R 4R 3R i3 i4 (δ, 0¯, δ, δ¯) ,¯0) i i 0, 0 1 2 (0, (δ, 0¯, δ, δ¯) 2R 2R C3 C4 ¯ ¯0, 0) C1 C2 0, (0, A Practical-Time Related-Key Boomerang Attack on MMB Identifying right pairs ◮ Store all decrypted data in a hash-table A Practical-Time Related-Key Boomerang Attack on MMB Identifying right pairs ◮ Store all decrypted data in a hash-table ◮ Right pairs can be identified by their collision in the appropriate 96 bits. A Practical-Time Related-Key Boomerang Attack on MMB Identifying right pairs ◮ Store all decrypted data in a hash-table ◮ Right pairs can be identified by their collision in the appropriate 96 bits.
Load more

Recommended publications
  • Bison Instantiating the Whitened Swap-Or-Not Construction (Full Version)
    bison Instantiating the Whitened Swap-Or-Not Construction (Full Version) Anne Canteaut1, Virginie Lallemand2, Gregor Leander2, Patrick Neumann2 and Friedrich Wiemer2 1 Inria, Paris, France [email protected] 2 Horst Görtz Institute for IT-Security, Ruhr University Bochum, Germany [email protected] Abstract. We give the first practical instance – bison – of the Whitened Swap-Or-Not construction. After clarifying inherent limitations of the construction, we point out that this way of building block ciphers allows easy and very strong arguments against differential attacks. Keywords: Whitened Swap-Or-Not · Instantiating Provable Security · Block Cipher Design · Differential Cryptanalysis 1 Introduction Block ciphers are among the most important cryptographic primitives as they are at the core responsible for a large fraction of all our data that is encrypted. Depending on the mode of operation (or used construction), a block cipher can be turned into an encryption function, a hash-function, a message authentication code or an authenticated encryption function. Due to their importance, it is not surprising that block ciphers are also among the best understood primitives. In particular the Advanced Encryption Standard (AES) [Fip] has been scrutinized by cryptanalysts ever since its development in 1998 [DR98] without any significant security threat discovered for the full cipher (see e. g. [BK09; Bir+09; Der+13; Dun+10; Fer+01; GM00; Gra+16; Gra+17; Røn+17]). The overall structure of AES, being built on several (round)-permutations interleaved with a (binary) addition of round keys is often referred to as key-alternating cipher and is depicted in Figure1. k0 k1 kr 1 kr − m R1 ..
    [Show full text]
  • Research on Microarchitectural Cache Attacks
    Advances in Computer Science Research (ACSR), volume 90 3rd International Conference on Computer Engineering, Information Science & Application Technology (ICCIA 2019) Research on Microarchitectural Cache Attacks Yao Lu a, Kaiyan Chen b, Yinlong Wang c Simulation Center of Ordnance Engineering College Army Engineering University Shijiazhuang, Hebei Province, China [email protected], [email protected], [email protected] Abstract. This paper summarizes the basic concepts and development process of cache side- channel attack, analyses three basic methods (Evict and Time, Prime and Probe, Flush and Reload) from four aspects: Attack conditions, realization process, applicability, and characteristics, then I expound how to apply side-channel attack methods on CPU vulnerability. Keywords: Side-channel attacks; Cache; CPU vulnerability; Microarchitecture. 1. Background Cryptography is a technique used to confuse plaintext [1], It transforms normally identifiable information (plaintext) into unrecognizable information (ciphertext). At the same time, the encrypted ciphertext can be transferred back to the normal information through the key, the privacy information of users at this stage is mostly realized by encryption technology [28], so the security of personal information depends on the security of the encryption algorithm. 1.1 Cryptographic Algorithms Cryptographic algorithms have always been an important research object in cryptography, in recent years has also been rapid development, these algorithms are: RIJINDAEL, MARS, RC6, Twofish, Serpent, IDEA, CS-Cipher, MMB, CA-1.1, SKIPJACK Symmetric cryptographic algorithms such as Karn and backpack public key cryptography, RSA, ElGamal [29], ECC [19], NTRU and other asymmetric cryptographic algorithms [27]. in the opinion of the development trend of international mainstream cryptographic algorithms at present [25]: The symmetric cryptographic algorithm transitions from DES-3 to AES, and the password length is gradually increased: 128, 192, 256.
    [Show full text]
  • Instantiating the Whitened Swap-Or-Not Construction Anne Canteaut, Virginie Lallemand, Gregor Leander, Patrick Neumann, Friedrich Wiemer
    Bison: Instantiating the Whitened Swap-Or-Not Construction Anne Canteaut, Virginie Lallemand, Gregor Leander, Patrick Neumann, Friedrich Wiemer To cite this version: Anne Canteaut, Virginie Lallemand, Gregor Leander, Patrick Neumann, Friedrich Wiemer. Bison: Instantiating the Whitened Swap-Or-Not Construction. Eurocrypt 2019 - 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, May 2019, Darmstadt, Germany. 10.1007/978-3-030-17659-4_20. hal-02431714 HAL Id: hal-02431714 https://hal.inria.fr/hal-02431714 Submitted on 8 Jan 2020 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. bison Instantiating the Whitened Swap-Or-Not Construction Anne Canteaut1, Virginie Lallemand2, Gregor Leander2, Patrick Neumann2, and Friedrich Wiemer2 1 Inria, Paris, France [email protected] 2 Horst Görtz Institute for IT-Security, Ruhr University Bochum, Germany [email protected] Abstract We give the first practical instance – bison – of the Whitened Swap-Or-Not construction. After clarifying inherent limitations of the construction, we point out that this way of building block ciphers allows easy and very strong arguments against differential attacks. Keywords Whitened Swap-Or-Not · Instantiating Provable Security · Block Cipher Design · Differential Cryptanalysis 1 Introduction Block ciphers are among the most important cryptographic primitives as they are at the core responsible for a large fraction of all our data that is encrypted.
    [Show full text]
  • Encryption Block Cipher
    10/29/2007 Encryption Encryption Block Cipher Dr.Talal Alkharobi 2 Block Cipher A symmetric key cipher which operates on fixed-length groups of bits, termed blocks, with an unvarying transformation. When encrypting, a block cipher take n-bit block of plaintext as input, and output a corresponding n-bit block of ciphertext. The exact transformation is controlled using a secret key. Decryption is similar: the decryption algorithm takes n-bit block of ciphertext together with the secret key, and yields the original n-bit block of plaintext. Mode of operation is used to encrypt messages longer than the block size. 1 Dr.Talal Alkharobi 10/29/2007 Encryption 3 Encryption 4 Decryption 2 Dr.Talal Alkharobi 10/29/2007 Encryption 5 Block Cipher Consists of two algorithms, encryption, E, and decryption, D. Both require two inputs: n-bits block of data and key of size k bits, The output is an n-bit block. Decryption is the inverse function of encryption: D(E(B,K),K) = B For each key K, E is a permutation over the set of input blocks. n Each key K selects one permutation from the possible set of 2 !. 6 Block Cipher The block size, n, is typically 64 or 128 bits, although some ciphers have a variable block size. 64 bits was the most common length until the mid-1990s, when new designs began to switch to 128-bit. Padding scheme is used to allow plaintexts of arbitrary lengths to be encrypted. Typical key sizes (k) include 40, 56, 64, 80, 128, 192 and 256 bits.
    [Show full text]
  • (12) Patent Application Publication (10) Pub. No.: US 2016/0368929 A1 Janganati Et Al
    US 20160368929A1 (19) United States (12) Patent Application Publication (10) Pub. No.: US 2016/0368929 A1 Janganati et al. (43) Pub. Date: Dec. 22, 2016 (54) MELAMPOMAGNOLIDE B DERVATIVES (22) Filed: Sep. 1, 2016 (71) Applicants: Venumadhav Janganati, Little Rock, Related U.S. Application Data AR (US); Narsimha Reddy Penthala, (62) Division of application No. 14/537,389, filed on Nov. Little Rock, AR (US); Peter A. Crooks, 10, 2014, now Pat. No. 9,469,650. Little Rock, AR (US); Craig T. Jordan, (60) Provisional application No. 61/901,714, filed on Nov. Rochester, NY (US) 8, 2013. (72) Inventors: Venumadhav Janganati, Little Rock, Publication Classification AR (US); Narsimha Reddy Penthala, Little Rock, AR (US); Peter A. Crooks, (51) Int. C. Little Rock, AR (US); Craig T. Jordan, C07D 49.3/04 (2006.01) Rochester, NY (US) (52) U.S. C. CPC ................................... C07D 493/04 (2013.01) (73) Assignees: The Board of Trustees of the University of Arkansas, Little Rock, (57) ABSTRACT AR (US); University of Rochester, The present disclosure provides derivatives of melampo Rochester, NY (US) magnolide B (MMB), including carbonates, carbamates, and thiocarbamates. The derivatives may be synthesized via an MMB triazole intermediate. These derivatives are useful for (21) Appl. No.: 15/254,849 treating cancer in humans. Patent Application Publication Dec. 22, 2016 Sheet 1 of 9 US 2016/0368929 A1 xxii. ::::::::::::::::::::::::::::: i. www.ss 3. O Concentration (ity F.G. 1 Patent Application Publication Dec. 22, 2016 Sheet 2 of 9 US 2016/0368929 A1 -------------------------------------------------------.3. Concentratia (ii) x . «xx-x Y-8 'Ys: x - FG 2 Patent Application Publication Dec.
    [Show full text]
  • Practical Attack on the Full MMB Block Cipher
    Practical Attack on the Full MMB Block Cipher Keting Jia1, Jiazhe Chen2,3,MeiqinWang2,3, and Xiaoyun Wang1,2,3, 1 Institute for Advanced Study, Tsinghua University, Beijing 100084, China {ktjia,xiaoyunwang}@mail.tsinghua.edu.cn 2 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan 250100, China [email protected], [email protected] 3 School of Mathematics, Shandong University, Jinan 250100, China Abstract. Modular Multiplication based Block Cipher (MMB) is a block cipher designed by Daemen et al. as an alternative to the IDEA block cipher. In this paper, we give a practical sandwich attack on MMB with adaptively chosen plaintexts and ciphertexts. By constructing a 5-round sandwich distinguisher of the full 6-round MMB with probability 1, we recover the main key of MMB with text complexity 240 and time com- plexity 240 MMB encryptions. We also present a chosen plaintexts attack on the full MMB by employing the rectangle-like sandwich attack, which the complexity is 266.5 texts, 266.5 MMB encryptions and 270.5 bytes of memory. In addition, we introduce an improved differential attack on MMB with 296 chosen plaintexts, 296 encryptions and 266 bytes of memory. Especially, even if MMB is extended to 7 rounds, the improved differential attack is applicable with the same complexity as that of the full MMB. Keywords: MMB block cipher, sandwich distinguisher, practical attack, differential attack. 1 Introduction Modular Multiplication based Block Cipher (MMB) [7] was designed as an al- ternative to the IDEA block cipher [9] by Daemen, Govaerts and Vandewalle in 1993.
    [Show full text]
  • An Introduction to Cryptography Version Information an Introduction to Cryptography, Version 8.0
    An Introduction to Cryptography Version Information An Introduction to Cryptography, version 8.0. Released Oct. 2002. Copyright Information Copyright © 1991-2002 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation. Trademark Information PGP and Pretty Good Privacy are registered trademarks of PGP Corporation in the U.S. and other countries. IDEA is a trademark of Ascom Tech AG. All other registered and unregistered trademarks in this document are the sole property of their respective owners. Licensing and Patent Information The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST encryption algorithm is licensed from Northern Telecom, Ltd. PGP Corporation may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents. Acknowledgments The compression code in PGP is by Mark Adler and Jean-Loup Gailly, used with permission from the free Info-ZIP implementation. Export Information Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of Export Administration, United States Department of Commerce, which restrict the export and re-export of certain products and technical data. Limitations The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided with the software.
    [Show full text]
  • Cryptanalysis of the Full MMB Block Cipher
    Cryptanalysis of the full MMB block cipher Meiqin Wang1, Jorge Nakahara Jr2, and Yue Sun1 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan 250100, China 2 EPFL, Lausanne, Switzerland [email protected], [email protected], [email protected] Abstract. The block cipher MMB was designed by Daemen, Govaerts and Vandewalle, in 1993, as an alternative to the IDEA block cipher. We exploit and describe unusual properties of the modular multiplication in ZZ232−1, which lead to a differential attack on the full 6-round MMB cipher (both versions 1.0 and 2.0). Further contributions of this paper include detailed square and linear cryptanalysis of MMB. Concerning differential cryptanalysis (DC), we can break the full MMB with 2118 chosen plaintexts, 295:91 6-round MMB encryptions and 264 counters, effectively bypassing the cipher's countermeasures against DC. For the square attack, we can recover the 128-bit user key for 4-round MMB with 234 chosen plaintexts, 2126:32 4-round encryptions and 264 mem- ory blocks. Concerning linear cryptanalysis, we present a key-recovery attack on 3-round MMB requiring 2114:56 known-plaintexts and 2126 en- cryptions. Moreover, we detail a ciphertext-only attack on 2-round MMB using 293:6 ciphertexts and 293:6 parity computations. These attacks do not depend on weak-key or weak-subkey assumptions, and are thus in- dependent of the key schedule algorithm. Keywords: MMB block cipher, differential cryptanalysis, square cryptanaly- sis, linear cryptanalysis, modular multiplication. 1 Introduction The block cipher MMB (Modular Multiplication Based) block cipher [4] was designed by Daemen, Govaerts and Vandewalle in 1993, and its main innovation was the use of cyclic multiplication in the ring ZZ2n−1, where n is the word size of the cipher.
    [Show full text]
  • Bison Instantiating the Whitened Swap-Or-Not Construction
    bison Instantiating the Whitened Swap-Or-Not Construction Anne Canteaut1, Virginie Lallemand2, Gregor Leander2, Patrick Neumann2, and Friedrich Wiemer2 1 Inria, Paris, France [email protected] 2 Horst Görtz Institute for IT-Security, Ruhr University Bochum, Germany [email protected] Abstract We give the first practical instance – bison – of the Whitened Swap-Or-Not construction. After clarifying inherent limitations of the construction, we point out that this way of building block ciphers allows easy and very strong arguments against differential attacks. Keywords Whitened Swap-Or-Not · Instantiating Provable Security · Block Cipher Design · Differential Cryptanalysis 1 Introduction Block ciphers are among the most important cryptographic primitives as they are at the core responsible for a large fraction of all our data that is encrypted. Depending on the mode of operation (or used construction), a block cipher can be turned into an encryption function, a hash-function, a message authentication code or an authenticated encryption function. Due to their importance, it is not surprising that block ciphers are also among the best understood primitives. In particular the Advanced Encryption Stan- dard (AES) [2] has been scrutinized by cryptanalysts ever since its development in 1998 [19] without any significant security threat discovered for the full cipher (see e. g. [27,26,7,6,23,28,29]). The overall structure of AES, being built on several (round)-permutations interleaved with a (binary) addition of round keys is often referred to as key- alternating cipher and is depicted in Fig. 1. The first cipher following this approach was, to the best of our knowledge, the cipher MMB [17], while the name key-alternating cipher first appears in [20] and in the book describing the design of the AES [21].
    [Show full text]
  • Phenotypic Screening of Parthenolide Derivatives Reveals The
    PHENOTYPIC SCREENING OF PARTHENOLIDE DERIVATIVES REVEALS THE CHEMOPROTECTIVE ROLE OF GALECTIN-1 IN ACUTE MYELOID LEUKEMIA by JESSICA NICOLE PONDER B.S. Truman State University, 2010 M.S. University of Colorado, 2013 A thesis submitted to the Faculty of the Graduate School of the University of Colorado in partial fulfillment of the requirements for the degree of Doctor of Philosophy Toxicology Program 2018 This thesis for the Doctor of Philosophy degree by Jessica Nicole Ponder has been approved for the Toxicology Program by David Ross, Chair Craig Jordan, Advisor Peter Crooks Brad Bendiak Kristopher Fritz Date: May 18, 2018 ii Ponder, Jessica Nicole Ph.D., Toxicology Phenotypic Screening of Parthenolide Derivatives Reveals the Chemoprotective Role of Galectin-1 in Acute Myeloid Leukemia Thesis directed by Professor of Medicine Craig T. Jordan ABSTRACT Despite decades of investigation, the diagnosis of acute myeloid leukemia still carries with it a bleak prognosis, primarily as a result of the failure of clinical chemotherapy to target the leukemic stem cell population. In order to overcome this obstacle a library of derivatives of the small molecule parthenolide, a leukemic stem cell targeting natural product, were screened against acute myeloid leukemia (AML). Using the M9-ENL cell line as a high-throughput screening model for leukemic stem cells, over four hundred novel parthenolide derivatives were screened by flow cytometry for apoptotic activity. Using this method, more than forty compounds with improved efficacy against primary AML were identified, but the most remarkable compounds were those that were dimers of melampomagnolide B (MMB dimers), which had virtually no measurable toxicity to healthy blood stem and progenitor cells.
    [Show full text]
  • Security Arguments and Tool-Based Design of Block Ciphers
    Security Arguments and Tool-based Design of Block Ciphers Security Arguments and Tool-based Design of Block Ciphers Dissertation Thesis Friedrich Wiemer 16th August 2019 Submitted in partial fulfillment of the requirements for the degree of Doktor der Naturwissenschaften to the Faculty of Mathematics at Ruhr-Universität Bochum 1st Reviewer Prof. Dr. Gregor Leander 2nd Reviewer Prof. Dr. Alexander May Date of Defense 13th December 2019 IMPRINT Security Arguments and Tool-based Design of Block Ciphers Copyright © 2020 by Friedrich Wiemer. All rights reserved. Printed in Germany. Published by the Ruhr-Universität Bochum, Bochum, Germany. COLOPHON This thesis was typeset using LATEX and the memoir documentclass. It is based 1 1https://people.mpi-sws.org/ on Aaron Turon’s thesis Understanding and expressing scalable concurrency , ~turon/turon-thesis.pdf itself a mixture of classicthesis2 by André Miede and tufte-latex3, 2 https://bitbucket.org/amiede/ based on Edward Tufte’s Beautiful Evidence. The LATEX source is available on classicthesis/ GITHUB.4 3https://github.com/Tufte-LaTeX/ tufte-latex The bibliography was processed by Biblatex. All graphics and plots are made 4https://github.com/pfasante/phd_ with PGF/TikZ. thesis The body text is set 10/14pt (long primer) on a 26pc measure. The margin text is set 8/9pt (brevier) on a 12pc measure. Matthew Carter’s Charter acts as both the text and display typeface. Monospaced text uses Jim Lyles’s Bitstream Vera Mono (“Bera Mono”). If we knew what it was we were doing, it would not be called research, would it? —Albert Einstein Abstract Block ciphers form, without doubt, the backbone of today’s encrypted com- munication and are thus justifiably the workhorses of cryptography.
    [Show full text]
  • BASED on AVALANCHE EFFECT. by KHUMBELO DIFFERENCE MUTHAVHINE Student Number: 62037773
    AN ANALYSIS AND A COMPARATIVE STUDY OF CRYPTOGRAPHIC ALGORITHMS USED ON THE INTERNET OF THINGS (IoT) BASED ON AVALANCHE EFFECT. By KHUMBELO DIFFERENCE MUTHAVHINE Student number: 62037773 Submitted in accordance with the requirements For the degree of Magister Technologiae In the Department of Electrical Engineering At the UNIVERSITY OF SOUTH AFRICA SUPERVISOR: DR. M. SUMBWANYAMBE July 2018 i Declaration I, Khumbelo Difference Muthavhine declare that the work I am submitting for assessment contains no section copied in whole or in part from any other source unless explicitly identified in quotation marks and with detailed, complete and accurate referencing. Name: Mr. Khumbelo Difference Muthavhine. Signature: Date: 24 January 2019 ii Papers published from this dissertation K. D. Muthavhine and M. Sumbwanyambe (2018) “An Analysis and a Comparative Study of Cryptographic Algorithms Used on the Internet of Things (IoT) Based on Avalanche Effect”, in proceedings of ICOIACT conference, Indonesia, 6-8 March 2018. It is edited, evaluated and published by Institute of Electrical and Electronics Engineers (IEEE) on 30 April 2018. Available: https://ieeexplore.ieee.org/document/8350759. iii Abstract Ubiquitous computing is already weaving itself around us and it is connecting everything to the network of networks. This interconnection of objects to the internet is new computing paradigm called the Internet of Things (IoT) networks. Many capacity and non-capacity constrained devices, such as sensors are connecting to the Internet. These devices interact with each other through the network and provide a new experience to its users. In order to make full use of this ubiquitous paradigm, security on IoT is important.
    [Show full text]