DOCSLIB.ORG

Methods for Symmetric Key Cryptography and Cryptanalysis EWM Phd Summer School, Turku, June 2009

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Methods for Symmetric Key Cryptography and Cryptanalysis EWM Phd Summer School, Turku, June 2009 Methods for Symmetric Key Cryptography and Cryptanalysis EWM PhD Summer School, Turku, June 2009 Kaisa Nyberg [email protected] Department of Information and Computer Science Helsinki University of Technology and Nokia, Finland Methods for Symmetric Key Cryptography and Cryptanalysis – 1/32 This lecture is dedicated to the memory of Professor Susanne Dierolf a dear and supporting friend, a highly respected colleague, and a great European Woman in Mathematics, who passed away in May 2009 at the age of 64 in Trier, Germany. Methods for Symmetric Key Cryptography and Cryptanalysis – 2/32 Outline 1. Boolean function Linear approximation of Boolean function Related probability distribution 2. Cryptographic encryption primitives Linear approximation of block cipher Linear approximation of stream cipher 3. Cryptanalysis and attack scenarios Key information deduction on block cipher Distinguishing attack on stream cipher Initial state recovery of stream cipher 4. Conclusions Methods for Symmetric Key Cryptography and Cryptanalysis – 3/32 Boolean Functions Methods for Symmetric Key Cryptography and Cryptanalysis – 4/32 Binary vector space n Z 2 the space of n-dimensional binary vectors ¨ sum modulo 2 Given two vectors 1 n 1 n n a = ´a ; : : : ; a µ; b = ´b ; : : : ; b µ ¾ Z 2 the inner product (dot product) is defined as 1 1 n n a ¡ b = a b ¨ ¡ ¡ ¡ ¨ a b : Then a is called the linear mask of b. Methods for Symmetric Key Cryptography and Cryptanalysis – 5/32 Boolean function n f : Z 2 Z 2 Boolean function. Linear Boolean function is of the form f ´x µ = u ¡ x for some n fixed linear mask u ¾ Z 2. n m f : Z 2 Z 2 with f = ´ f1 ; : : : ; fm µ; where fi are Boolean functions, is called a vector Boolean function of dimension m. n m A linear vector Boolean function from Z 2 to Z 2 is represented by an m ¢ n binary matrix U. The m rows of U are denoted by u1 ; : : : ; um, where each ui is a linear mask. Methods for Symmetric Key Cryptography and Cryptanalysis – 6/32 Correlation n The correlation between two Boolean functions f : Z 2 Z 2 n and g : Z 2 Z 2 is defined as n n n c´ f ; gµ = 2 ´ #x ¾ Z 2 f ´x µ = g´x µ #x ¾ Z 2 f ´x µ = g´x µµ Correlation c´ f ; 0µ is called the correlation (sometimes aka bias) of f . Linear cryptanalysis makes use of large correlations of Boolean functions in cipher constructions. Methods for Symmetric Key Cryptography and Cryptanalysis – 7/32 Random variable related to Boolean function n X discrete random variable taking on values in Z 2 = ´ η µ n If p p η¾Z is the probability distribution (p.d.) of X, 2 ηµ where pη = Pr´X = , we denote X p. n θ Z Let denote the uniform distribution on 2. n m θ: Let f : Z 2 Z 2 be a Boolean function and X Then the p.d. of f ´X µ is called the p.d. of f . Methods for Symmetric Key Cryptography and Cryptanalysis – 8/32 Walsh-Hadamard Transform Walsh-Hadamard transform is a type of discrete Fourier-transform. n φ Z Ê Let : 2 be a real-valued function. The Walsh-Hadamard transform bφ of φ is defined as x¡u n b φ φ´ µ = ´ µ´ µ ; ¾ Z : u ∑ x 1 u 2 n x¾Z 2 Then b n n b φ ¾ Z ; φ´ µ; ´x µ = 2 x x 2 using the inverse of Walsh-Hadamard transform. Methods for Symmetric Key Cryptography and Cryptanalysis – 9/32 Convolution n n φ Z Ê ψ Z Ê The convolution of two functions : 2 and : 2 is defined as n φ £ ψµ´ µ = ´ µψ´ · µ; ¾ Z : ´ φ y ∑ x x y y 2 n x¾Z 2 Then \ n b b φ £ ψµ´ µ = φ´ µψ ´ µ; ¾ Z : ´ u u u u 2 Methods for Symmetric Key Cryptography and Cryptanalysis – 10/32 Correlation and probability distribution The correlations of masked Boolean function can be computed as Walsh-Hadamard transform of the distribution of the function: η n a¡ f ´xµ a¡ b c´a ¡ f µ = 2 ∑ ´ 1µ = ∑ ´ 1µ pη = p´aµ: n m η¾Z x¾Z 2 2 n m Theorem 1 Let f : Z 2 Z 2 be a Boolean function with p.d. p and m one-dimensional correlations c´a ¡ f µ; a ¾ Z 2 . Then η m a¡ pη = 2 ∑ ´ 1µ c´a ¡ f µ m a¾Z 2 m η ¾ Z for all 2 . Methods for Symmetric Key Cryptography and Cryptanalysis – 11/32 Cryptographic Encryption Primitives Methods for Symmetric Key Cryptography and Cryptanalysis – 12/32 Symmetric-key encryption K ¾ K the key x ¾ P the plaintext y ¾ C the ciphertext Encryption method is a family EK of transformations EK : P C , parametrised using the key K such that for each encryption transfor- mation EK there is a decryption transformation DK : C P , such that DK ´EK ´x µµµ = x, for all x ¾ P . Methods for Symmetric Key Cryptography and Cryptanalysis – 13/32 Block cipher The data to be encrypted is split into blocks xi, i = 1; : : : ; N of fixed length n. A typical value of n is 128. n ` P = C = Z 2, K = Z 2 Block cipher seen as a vector Boolean function n ` n n ` f : Z 2 ¢ Z 2 Z 2 ¢ Z 2 ¢ Z 2 f ´x ; K µ = ´x ; EK ´x µ; K µ Linear approximation of a block cipher u ¡ x ¨ w ¡ EK ´x µ ¨ v ¡ K θ where x and K is fixed. Methods for Symmetric Key Cryptography and Cryptanalysis – 14/32 Stream cipher Data to be encrypted is split into blocks xi ; i = 1; : : : ; N of fixed length n. Now typical values of n are n = 1; 8; or 32. ` K = Z 2 The key K ¾ K determines the initial state of a keystream generator which produces a new fresh key Ki, i = 1; : : : ; N, for each data block. n N P = C = ´Z 2 µ where N can be any positive integer less than the period of the keystream generator. EK ´x1 ; : : : ; xN µ = K1 ¨ x1 ; : : : ; KN ¨ xN Methods for Symmetric Key Cryptography and Cryptanalysis – 15/32 Linear approximation of stream cipher Key stream generator seen as Boolean functions ` ` n fi : Z 2 Z 2 ¢ Z 2 ; fi ´K µ = ´K ; Ki µ Linear approximations of key stream generator ui ¡ K ¨ w ¡ Ki Methods for Symmetric Key Cryptography and Cryptanalysis – 16/32 Cryptanalysis Methods for Symmetric Key Cryptography and Cryptanalysis – 17/32 Attack scenarios Assumptions about data available to attacker Ciphertext only (Shannon’s model) Known plaintext-ciphertext pairs Chosen (by attacker) plaintext and corresponding ciphertext Methods for Symmetric Key Cryptography and Cryptanalysis – 18/32 Breaks This classification is hierarchial. An attack is successful if its complexity is less than the complexity of exhaustive key search. Total break: attacker gets the key Instance deduction: attacker gets a clone of DK Key information deduction: attacker gets partial information about the key Distinguishing: attacker can distinguish the cipher from a purely random function Distinguishing leads sometimes to information deduction. Methods for Symmetric Key Cryptography and Cryptanalysis – 19/32 Linear cryptanalysis Linear cryptanalysis is a known plaintext-ciphertext attack Linear cryptanalysis makes use of linear approximations of the cipher. Linear cryptanalysis can be used in distinguishing attacks or in key information deduction. Methods for Symmetric Key Cryptography and Cryptanalysis – 20/32 Key information recovery on block cipher Linear approximation of a block cipher u ¡ x ¨ w ¡ EK ´x µ ¨ v ¡ K θ where x and K is fixed. The correlation c of this Boolean function is assumed to be known or a sufficiently accurate estimate is available. Observe a number N of known plaintext-ciphertext pairs ´x ; EK ´x µµ and calculate the observed correlation c˜ of u ¡ x ¨ w ¡ EK ´x µ. Determine v ¡ K = 0, if cc˜ > 0, and v ¡ K = 1, otherwise. Methods for Symmetric Key Cryptography and Cryptanalysis – 21/32 The probability of success Consider the case c > 0 and v ¡ K = 0. Other cases are similar. Let N0 be the observed number of plaintexts x such that u ¡ x ¨ w ¡ EK ´x µ = 0. Then N0 is binomially distributed with expected value N p and variance N p´1 pµ, c·1 where p = 2 . Then N0 N p Ô Z = N ´0; 1µ N p´1 pµ where N ´0; 1µ is the standard normal distribution. Then the bit v ¡ K is correctly determined if the observed correlation c˜ is positive, which happens if and only if Ô N0 > N =2, or equivalently, Z > c N. Hence the probability of success can be estimated as Ô Φ´ µ 1 c N where Φ is the cumulative density function of N ´0; 1µ. The probability is 0.921 for 2 N = 1=c . This gives an estimate of the number N of plaintext-ciphertext pairs for successful cryptanalysis. Methods for Symmetric Key Cryptography and Cryptanalysis – 22/32 Linear attacks on stream cipher i Let fi : K Ki be of the form g Æ f , where f is a (linear) state transition function and g is a nonlinear state output function, aka filter function. Assume that we have a strong linear approximation of g, that is u ¡ x ¨ w ¡ g´x µ with correlation c. Now two types of linear attacks can be launched: distinguishing attacks initial state information deduction attacks. Methods for Symmetric Key Cryptography and Cryptanalysis – 23/32 Additive synchronous stream cipher Methods for Symmetric Key Cryptography and Cryptanalysis – 24/32 Distinguishing attack on stream cipher From the linear approximation we get u ¡ si ¨ w ¡ g´si µ = u ¡ si ¨ w ¡ Ki i with correlation c, where si = f ´K µ is the state at time i, i = 1; : : : ; N.
Load more

Recommended publications
  • Politecnico Di Torino
    POLITECNICO DI TORINO Master Degree Course in Electronic Engineering Master Degree Thesis Evaluation of Encryption Algorithm Security in Heterogeneous Platform against Differential Power Analysis Attack Supervisor: Candidate: Prof. Stefano DI CARLO Fiammetta VOLPE Student ID: 235145 A.A. 2017/2018 Summary An embedded system security can be violated at different levels of abstraction: the vulnerability is not only present from software point of view, but also the hardware can be attacked. This thesis is focused on an hardware attack at logic/microelectronic level called Differential Power Analysis (DPA), included in the larger categories of the Power Analysis (PA) and Side-Channel Anal- ysis, catalogued like a passive and non-invasive attack, since it includes the observation of the normal behaviour of the device without any physical alteration. As a consequence, this kind of attack could be extremely dangerous and it doesn’t leave any trace. A DPA attack is essentially based on the principle that the power consumption is correlated to the activity of the device during data encryption, so also to the used encryption key. Thus, using statistical analysis on a sufficiently large number of power traces, it is possible to detect the correct hypothesis for the key. Due to the improvement of FPGAs in terms of capacity and performance and the significant in- crement of the value of handled data, it is essential to do an analysis of the level of vulnerability of the device. For this reason, the MachXO2-7000 FPGA included, together with a STM32F4 CPU and a SLJ52G SECURITY CONTROLLER-SMART CARD, inside the BGA chip SEcubeTM, appositely designed for security goals, is the chosen target for this thesis.
    [Show full text]
  • Generic Attacks on Stream Ciphers
    Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs Distinguishing Attacks Guess-and-Determine attacks Correlation Attacks Algebraic Attacks Sidechannel Attacks Summary Generic Attacks on Stream Ciphers 3/22 What is a stream cipher? Input: Secret key (k bits) Public IV (v bits). Output: Sequence z1, z2, … (keystream) The state (s bits) can informally be defined as the values of the set of variables that describes the current status of the cipher. For each new state, the cipher outputs some bits and then jumps to the next state where the process is repeated. The ciphertext is a function (usually XOR) of the keysteam and the plaintext. Generic Attacks on Stream Ciphers 4/22 Classification of attacks Assumed that the attacker has knowledge of the cryptographic algorithm but not the key. The aim of the attack Key recovery Prediction Distinguishing The information available to the attacker. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-chipertext Generic Attacks on Stream Ciphers 5/22 Exhaustive Key Search Can be used against any stream cipher. Given a keystream the attacker tries all different keys until the right one is found. If the key is k bits the attacker has to try 2k keys in the worst case and 2k−1 keys on average. An attack with a higher computational complexity than exhaustive key search is not considered an attack at all. Generic Attacks on Stream Ciphers 6/22 Time Memory Tradeoffs (state) Large amounts of precomputed data is used to lower the computational complexity.
    [Show full text]
  • Cryptanalysis Techniques for Stream Cipher: a Survey
    International Journal of Computer Applications (0975 – 8887) Volume 60– No.9, December 2012 Cryptanalysis Techniques for Stream Cipher: A Survey M. U. Bokhari Shadab Alam Faheem Syeed Masoodi Chairman, Department of Research Scholar, Dept. of Research Scholar, Dept. of Computer Science, AMU Computer Science, AMU Computer Science, AMU Aligarh (India) Aligarh (India) Aligarh (India) ABSTRACT less than exhaustive key search, then only these are Stream Ciphers are one of the most important cryptographic considered as successful. A symmetric key cipher, especially techniques for data security due to its efficiency in terms of a stream cipher is assumed secure, if the computational resources and speed. This study aims to provide a capability required for breaking the cipher by best-known comprehensive survey that summarizes the existing attack is greater than or equal to exhaustive key search. cryptanalysis techniques for stream ciphers. It will also There are different Attack scenarios for cryptanalysis based facilitate the security analysis of the existing stream ciphers on available resources: and provide an opportunity to understand the requirements for developing a secure and efficient stream cipher design. 1. Ciphertext only attack 2. Known plain text attack Keywords Stream Cipher, Cryptography, Cryptanalysis, Cryptanalysis 3. Chosen plaintext attack Techniques 4. Chosen ciphertext attack 1. INTRODUCTION On the basis of intention of the attacker, the attacks can be Cryptography is the primary technique for data and classified into two categories namely key recovery attack and communication security. It becomes indispensable where the distinguishing attacks. The motive of key recovery attack is to communication channels cannot be made perfectly secure. derive the key but in case of distinguishing attack, the From the ancient times, the two fields of cryptology; attacker’s motive is only to derive the original from the cryptography and cryptanalysis are developing side by side.
    [Show full text]
  • 6.5.4 Nested Authentication Attack
    PDF hosted at the Radboud Repository of the Radboud University Nijmegen The following full text is a publisher's version. For additional information about this publication click this link. http://hdl.handle.net/2066/140089 Please be advised that this information was generated on 2021-10-04 and may be subject to change. The (in)security of proprietary cryptography Roel Verdult Copyright c Roel Verdult, 2015 ISBN: 978-94-6259-622-1 IPA Dissertation Series: 2015-10 URL: http://roel.verdult.xyz/publications/phd_thesis-roel_verdult.pdf Typeset using LATEX The work in this dissertation has been carried out under the auspices of the research school IPA (Institute for Programming research and Algorithmics). For more information, visit http://www.win.tue.nl/ipa/ XY-pic is used for typesetting graphs and diagrams in schematic rep- U x hx,yi resentations of logical composition of visual components. XY-pic allows X ×Z Y p X the style of pictures to match well with the exquisite quality of the y q f g surrounding TEX typeset material [RM99]. For more information, visit Y Z http://xy-pic.sourceforge.net/ msc Example User Machine 1 Machine 2 Machine 3 The message sequence diagrams, charts and protocols in this disserta- control drill test startm1 tion are facilitated by the MSC macro package [MB01, BvDKM13]. It startm2 log continue allows LATEX users to easily include Message Sequence Charts in their free output texts. For more information, visit http://satoss.uni.lu/software/mscpackage/ The graphical art of this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
    [Show full text]
  • Ciphertext-Only Cryptanalysis on Hardened Mifare Classic Cards Extended
    Eindhoven University of Technology MASTER Ciphertext-only cryptanalysis on hardened mifare classic cards extended Meijer, C.F.J. Award date: 2016 Link to publication Disclaimer This document contains a student thesis (bachelor's or master's), as authored by a student at Eindhoven University of Technology. Student theses are made available in the TU/e repository upon obtaining the required degree. The grade received is not published on the document as presented in the repository. The required complexity or quality of research of student theses may vary by program, and the required minimum study period may vary in duration. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain EINDHOVEN UNIVERSITY OF TECHNOLOGY MASTER THESIS Ciphertext-only Cryptanalysis on Hardened Mifare Classic Cards Extended The paradox of keeping things secret Supervisors: Author: dr. ing. Roel VERDULT Carlo MEIJER prof. dr. Boris SKORIC´ A thesis submitted in fulfilment of the requirements for the degree of Master of Science in Information Security Technology Department of Mathematics and Computer Science August 17, 2016 EINDHOVEN UNIVERSITY OF TECHNOLOGY Abstract Faculty of Computer Science Department of Mathematics and Computer Science Master of Science Ciphertext-only Cryptanalysis on Hardened Mifare Classic Cards Extended The paradox of keeping things secret by Carlo MEIJER Despite a series of attacks, MIFARE Classic is still the world’s most widely de- ployed contactless smartcard on the market.
    [Show full text]
  • A New Stream Cipher Based on Nonlinear Dynamic System
    2018 26th European Signal Processing Conference (EUSIPCO) A new Stream cipher based on Nonlinear dynamic system 1st O. Mannai 2nd R. Becheikh 3rd R. Rhouma Risc Laboratory Risc Laboratory and S. Belghith National Engineering School of Tunis National Engineering School of Tunis Risc Laboratory Tunis El Manar University Tunis El Manar University National Engineering School of Tunis 1002, Tunis, Tunisia 1002, Tunis, Tunisia Tunis El Manar University email address: [email protected] 1002, Tunis, Tunisia Abstract—In this paper, we introduce a new synchronous very large linear complexity, large period and white-noise stream cipher. The core of the cipher is the Ikeda system which statistics. It is on this basis that, the eSTREAM candidates can be seen as a Nonlinear Feedback Shift Register (NLFSR) of were launched [8] to determine secure and efficient stream length 7 plus one memory. The cipher takes 256-bit key as input and generates in each iteration an output of 16-bits. A single key ciphers that might become useful for widespread adoption. is allowed to generate up to 264 output bits. A security analysis has been carried out and it has been showed that the output In this paper, we propose a new synchronous stream cipher sequence produced by the scheme is pseudorandom in the sense (SSC) where the keystream is generated independently from that they cannot be distinguished from truly random sequence the plaintext. The design of the SSC is based on the Ikeda and resist to well-known stream cipher attacks. system. The specific properties of this chaotic system as the Keywords— Stream ciphers; NLFSR; Distinguishing at- extremely complex chaotic behavior introduces a nonlinearity tack; diffusion; confusion.
    [Show full text]
  • Linear Biases in AEGIS Keystream
    Linear Biases in AEGIS Keystream Brice Minaud ANSSI, 51, boulevard de la Tour-Maubourg, 75700 Paris 07 SP, France [email protected] Abstract. AEGIS is an authenticated cipher introduced at SAC 2013, which takes advantage of AES-NI instructions to reach outstanding speed in software. Like LEX, Fides, as well as many sponge-based designs, AEGIS leaks part of its inner state each round to form a keystream. In this paper, we investigate the existence of linear biases in this keystream. Our main result is a linear mask with bias 2−89 on the AEGIS-256 keystream. The resulting distinguisher can be exploited to recover bits of a partially known message encrypted 2188 times, regardless of the keys used. We also consider AEGIS-128, and find a surprising correlation between ciphertexts at rounds i and i + 2, although the biases would require 2140 data to be detected. Due to their data requirements, neither attack threatens the practical security of the cipher. Key words: Cryptanalysis, AEGIS, CAESAR 1 Introduction Traditional block cipher-based encryption ensures the confidentiality of encrypted data: it is infeasible for anyone to decipher a message without knowledge of the secret encryption key. However there is a compelling need for ciphers achieving at once confidentiality and authenticity; that is, ciphers in- tegrating a form of integrity check guaranteeing that the encrypted message does originate from its purported sender. Any tampering of the data will result in its rejection by the deciphering algorithm. The CAESAR [cae13] authenticated cipher competition, sponsored by the National Institute of Stan- dards and Technology, crystallizes the community's growing interest in this type of cipher.
    [Show full text]
  • Stream Ciphers: a Comparative Study of Attacks and Structures
    International Journal of Computer Applications (0975 – 8887) Volume 83 – No1, December 2013 Stream Ciphers: A Comparative Study of Attacks and Structures Daniyal M. Alghazzawi Syed Hamid Hasan Mohamed Salim Trigui Information Security Research Group Faculty of Computing and Information Technology Department of Information Systems King Abdulaziz University Kingdom of Saudi Arabia ABSTRACT operation modes. S0 & Kc are the initial S-bit and KC Bit In the latest past, research work has been done in the region of cypher key, respectively that the stream cipher is laden with. steam ciphers and as a answer of which, several design The key stream Zt is generated by the output function ‘O’ of the stream cipher at every time interval t. A plain-text digit P models for stream ciphers were projected. In Order to t appreciate a international standard for data encryption that is encrypted by this key stream digit through E, an encryption would prove good in the due course of time, endure the action function, which results in the cipher-text C . Then U, the states of cryptanalysis algorithms and reinforce the security that will t update function updates the state S . the three equations that take longer to be broken, this research work was taken up. t There is no standard model for Stream cipher and their design, state the rules of the encryption process are as follows: in comparison to block ciphers, is based on a number of Z = O(S , K ) structures. We would not try to evaluate the different designs t t c taken up by various stream ciphers, different attacks agreed C = E(P , Z ) out on these stream ciphers and the result of these attacks.
    [Show full text]
  • Photonic Encryption Using All Optical Logic
    SANDIA REPORT SAND 2003-4474 Unlimited Release Printed December 2003 Photonic Encryption using All Optical Logic Jason D Tang, Thomas D Tarman, and Lyndon G Pierson Ethan L. Blansett and G. Allen Vawter Perry J. Robertson and Richard Schroeppel Prepared by Sandia National Laboratories Albuquerque, New Mexico 87185 and Livermore, California 94550 Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear Security Administration under Contract DE-AC04-94AL85000. Approved for public release; further dissemination unlimited. Issued by Sandia National Laboratories, operated for the United States Department of Energy by Sandia Corporation. NOTICE: This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government, nor any agency thereof, nor any of their employees, nor any of their contractors, subcontractors, or their employees, make any warranty, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represent that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government, any agency thereof, or any of their contractors or subcontractors. The views and opinions expressed herein do not necessarily state or reflect those of the United States Government, any agency thereof, or any of their contractors. Printed in the United States of America.
    [Show full text]
  • Introduction to Cryptanalysis: Attacking Stream Ciphers
    Introduction to Cryptanalysis: Attacking Stream Ciphers Roel Verdult Institute for Computing and Information Sciences Radboud University Nijmegen, The Netherlands. [email protected] Abstract. This article contains an elementary introduction to the cryptanalysis of stream ciphers. Initially, a few historical examples are given to explain the core aspects of cryptography and the various properties of stream ciphers. We define the mean- ing of cryptographic strength and show how to identify weaknesses in a cryptosystem. Then, we show how these cryptographic weaknesses can be exploited and attacked by a number of cryptanalytic techniques. The academic literature includes many articles there use complex mathematical notations to represent trivial cryptanalytic techniques. Contrarily, this paper tries to put forward the most commonly used cryptanalytic tech- niques by using only simplistic and comprehensible examples. The addressed techniques are used in several scientific articles to mount practical attacks on real cryptosystems. 1 Introduction This manuscript is an excerpt of the third chapter in the doctoral dissertation of Roel Ver- dult [120]. The first chapters of this book contains a theoretical background with an elemen- tary description of security protocols, cryptographic primitives and cryptanalytic attacks. 1.1 Cryptographic strength The strength of a cryptographic algorithm is expressed in the total amount of computations an adversary needs to perform to recover the secret key. It is often referred to as the compu- tational complexity of the cipher. For a perfectly secure cipher, the computational complexity is the same as the key space, sometimes referred to as the entropy of the key. The key space refers to the set of all possible keys and represents the total number of combinations using all secret key bits.
    [Show full text]
  • Improved Cryptanalysis of the Stream Cipher Polar Bear
    中国科技论文在线 http://www.paper.edu.cn C h inese Journa1 of E lectron ics V o1.16,N o.3,July 20 07 Im proved C ryptanalysis of the Stream C ipher P olar B ear冰 H U A N G X iaoli1,2 and W U C huankun1 (1.The S tate K ey Laboratory of Inform ation Security,Institute of S oftw aFe, C hinese A cadem y of Sciences,Beijing 1 00080, C hina) (2.Graduate S chool of C hinese A cadem y of Sciences,Beijing 1 00080, C hina) A b stract ---—— T his PaP er gives a guess-and-.determ ine th e first ev alu a tio n ro u n d ,i.e.,th e eS T R E A M w ish es to carry attack against p olar b ear,w hich is one of th e cand idate p o lar b ea r to th e se con d p h as e o f it. st r e a m c iph e r s o f e STR EA M . V le c h o s e t h r e e d iffler e n t T here are m any attacks ap plicable to stream ciphers,such c le a r t e xt g r o u p s u nd e r di ffe re n t a s s u m p t io n s , a nd o nl y as key recovery attac ks[¨ lin ear cry p tan aly sis[7。,a lge b raic considered the flrst th ree cy cles in each grou P.Som e values , attac k s[ ,引 d istin g u ish in g a tta ck s [2,1 11 a n d so o n . . L a t e ly J . in each gro uP w ere recovered through k now n constant va l— M a ttsso n [101 a n d M H asanzadeh e£以 【9】presented guess—and- u es an d som e relation s in th e p revious and current g rou ps. . W _e recover th e in itial state of p olar bear com pletely w ith determ ine attacks on polar b ear w ith tim e com plexity O (2 ) tim e com plex ity 0 (236·80).In this respect,our results are and O (2 · ) resp ectively. m ugh be tter than that of the tw o recent
    [Show full text]
  • Cryptography on a Customized Network Mathematics And
    Cryptography on a Customized Network Ricardo Martinho Ferreira Miranda Thesis to obtain the Master of Science Degree in Mathematics and Applications Examination Committee Chairperson: Prof. Maria Cristina Sales Viana Serodioˆ Sernadas Supervisor: Prof. Paulo Alexandre Carreira Mateus Co-supervisor: Bruno Neto de Oliveira Tavares Member of the Committee: Prof. Andre´ Nuno Carvalho Souto November 2017 Acknowledgements I want to thank both my supervisors Paulo Mateus and Bruno Tavares for all their support and guid- ance. I would also like to thank my dearest friend Sofia Brito, whose counseling and motivation were crucial aspects in the overcoming of the most difficult moments. i ii Resumo Construir uma rede segura para ser utilizada em aplicac¸oes˜ reais onde ha´ restric¸oes˜ impostas as` capacidades dos elementos da rede e a` transferenciaˆ de informac¸ao˜ necessita uma analise´ crip- tografica´ costumizada de forma a proteger as comunicac¸oes˜ e detectar e minimizar as vulnerabilidades do sistema que poderao˜ ser exploradas. Neste documento, uma rede com essas condic¸oes˜ e´ apre- sentada, procura-se encontrar um esquema topologico´ otimo´ antes de se escolherem os componentes criptograficos´ da rede embutidos nas comunicac¸oes˜ e armazenamento e posteriormente analiza-se a sua seguranc¸a. De entre as alternativas escrutinadas, apenas uma e´ escolhida como a soluc¸ao,˜ por comparac¸ao˜ em termos de performance, seguranc¸a e adaptac¸ao˜ as` restric¸oes˜ impostas. Esta soluc¸ao˜ e´ implementada usando as linguagens de programac¸ao˜ C e Java. Prova-se que os esquemas de encriptac¸ao˜ e protocolos escolhidos sao˜ opc¸oes˜ altamente adequadas e o seu uso na pratica´ e´ acon- selhado.
    [Show full text]