On Bugs and Ciphers: New Techniques in Cryptanalysis


On Bugs and Ciphers: New Techniques in Cryptanalysis

Yaniv Carmeli

Technion - Computer Science Department - Ph.D. Thesis PHD-2015-01 - 2015

Research Thesis, submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy. Submitted to the Senate of the Technion - Israel Institute of Technology. Adar 5775, Haifa, March 2015.

The research thesis was done under the supervision of Prof. Eli Biham in the Computer Science Department. The generous financial support of the Technion is gratefully acknowledged.

Contents

Abstract
1 Introduction
2 Bug Attacks
  2.1 Introduction
    2.1.1 Introduction to Side Channel Attacks (SCA)
    2.1.2 Fault Attacks
  2.2 Overview of Our Methods and Notations
    2.2.1 Multiplication of Big Numbers
    2.2.2 Notations
    2.2.3 Methods
    2.2.4 Complexity Analysis
    2.2.5 Exponentiation Algorithms
    2.2.6 Remarks
  2.3 Bug Attack on CRT-RSA with One Chosen Ciphertext
  2.4 Bug Attacks on LTOR Exponentiations
    2.4.1 Bug Attacks on Pohlig-Hellman
    2.4.2 Bug Attacks on RSA
    2.4.3 Bug Attacks on OAEP
  2.5 Bug Attacks on RTOL Exponentiations
    2.5.1 Bug Attacks on Pohlig-Hellman
    2.5.2 Bug Attacks on RSA
    2.5.3 Bug Attacks on OAEP Implementations that use RTOL
  2.6 Bug Attacks Using the Legendre Symbol and Square Roots
    2.6.1 Bug Attacks on Pohlig-Hellman Implementations that use RTOL
    2.6.2 Bug Attacks on Pohlig-Hellman Implementations that use LTOR
  2.7 Vulnerabilities of Other Kinds of Schemes
    2.7.1 Elliptic Curve Schemes
    2.7.2 Bug Attacks on Symmetric Primitives
  2.8 Summary and Countermeasures
  2.A Brief Descriptions of Several Cryptosystems
    2.A.1 The Pohlig-Hellman Cryptosystem and Pohlig-Hellman-Shamir Protocol
    2.A.2 The RSA Cryptosystem
    2.A.3 RSA Decryption Using CRT
    2.A.4 OAEP
  2.B Known Hardware Bugs
3 Efficient Reconstruction of RC4 Keys from Internal States
  3.1 Introduction
    3.1.1 Previous Attacks
    3.1.2 Outline of Our Contribution
    3.1.3 Organization of the Chapter
  3.2 The RC4 Stream Cipher
    3.2.1 Properties of RC4 Keys
    3.2.2 Notations
  3.3 Previous Techniques
  3.4 Our Observations
    3.4.1 Subtracting Equations
    3.4.2 Using Counting Methods
    3.4.3 The Sum of the Key Bytes
    3.4.4 Adjusting Weights and Correcting Equations
    3.4.5 Refining the Set of Equations
    3.4.6 Heuristic Pruning of the Search
  3.5 The Algorithm
  3.6 Efficient Implementation
  3.7 Discussion
4 An Improvement of Linear Cryptanalysis with Addition Operations with Applications to FEAL-8X
  4.1 Introduction
  4.2 The Cipher FEAL-8X
    4.2.1 An Equivalent Description of FEAL-8X
  4.3 First Attack - Finding the Key Using 2^15 Known Plaintexts
    4.3.1 The Linear Approximations
    4.3.2 The Basic Attack
    4.3.3 Matching Subkeys from the Backward and Forward Directions
    4.3.4 Retrieving the Rest of the Subkeys
  4.4 Our Partitioning Technique - Finding the Key Using 2^14 Known Plaintexts
    4.4.1 A Simplified Example
    4.4.2 The Attack
  4.5 Attacking FEAL-8X Using 2^10 Known Plaintexts with Complexity 2^62
  4.6 Attacks with a Few Known or Chosen Plaintexts
    4.6.1 Differential and Linear Exhaustive Search Attacks
    4.6.2 Meet in the Middle Attacks
  4.7 Summary
  4.A Retrieving the FEAL-8X Key from the Actual Subkeys
    4.A.1 The Key Processing Algorithm
    4.A.2 Finding the Key
  4.B Efficient Implementation
Abstract in Hebrew

List of Figures

3.1 Two Probable Alternatives to the Positions of the Indices i and j Right Before the Assignment S[i_0] ← x Occurred
4.1 The Outline of FEAL-8 and of the F-function
4.2 Equivalent Description of FEAL-8X Without Whitening at the End
4.3 Approximation 1 - A Six-Round Approximation with Bias 2^-6
4.4 Approximation 2 - A Six-Round Approximation with Bias 2^-6
4.5 The Approximation of the Seventh Round
4.6 The Key Processing Algorithm and the Fk Function

List of Algorithms

2.1 The Two Basic Exponentiation Algorithms
2.2 Basic Adaptive Chosen-Ciphertext Attack Against Pohlig-Hellman with LTOR
2.3 Improved Adaptive Chosen-Ciphertext Attack Against Pohlig-Hellman with LTOR
2.4 Adaptive Chosen-Ciphertext Attack Against RSA with LTOR
2.5 Chosen-Ciphertext Attack Against RSA with LTOR
2.6 Chosen-Ciphertext Attack Against Pohlig-Hellman with RTOL
2.7 Chosen-Ciphertext Attack Against RSA with RTOL
2.8 Adaptive Chosen-Ciphertext Attack Against RSA-OAEP with RTOL
2.9 Chosen-Ciphertext Attack Against Pohlig-Hellman with RTOL
2.10 Known-Plaintext Attack Against Pohlig-Hellman with RTOL
2.11 Chosen-Ciphertext Attack Against Pohlig-Hellman with LTOR
2.12 Known-Plaintext Attack Against Pohlig-Hellman with LTOR
3.1 The RC4 Algorithms
3.2 The FIND KEY Algorithm
3.3 The Recursive REC SUBROUTINE Algorithm
4.1 Basic Attack on FEAL-NX with 2^15 Messages
4.2 Breaking FEAL in 2^112 Time and Only 5 Known Plaintexts
4.3 Efficient Implementation of the Attack in Algorithm 4.1

List of Tables

2.1 Summary of the Presented Bug Attacks
3.1 The Probabilities Given by Theorem 3.2
3.2 Success Probabilities and Running Time of the RecoverKey Algorithm of [65]
3.3 Probabilities that s is Among the Four Highest Counters
3.4 Empirical Results of the Proposed Attack
4.1 The Subkeys of FEAL-8X and the Actual Subkeys of the Equivalent Descriptions
4.2 A Mapping Between the Standard Notation for FEAL Subkeys and the Notation Used in This Appendix
4.3 Relation Between the Bytes of the Decryption Actual Subkeys and the Subkeys of the Cipher
4.4 Relation Between the Bytes of the Encryption Actual Subkeys and the Subkeys of the Cipher

Abstract

This research thesis presents three independent contributions to cryptanalysis. The first contribution is Bug Attacks, a new type of side-channel attack that takes advantage of bugs in hardware or software. The best known example of a bug in hardware is the Intel division bug, which resulted in slightly inaccurate results for extremely rare inputs. Whereas in most applications such bugs can be viewed as a minor nuisance, we show that in the case of RSA (even when protected by OAEP), Pohlig-Hellman, elliptic curve cryptography, and several other schemes, such bugs can be a security disaster: decrypting ciphertexts on any computer which multiplies even one pair of numbers incorrectly can lead to full leakage of the secret key, sometimes with a single well-chosen ciphertext. Bugs may also be planted by tampering with otherwise bug-free hardware. Recent documents leaked by Edward Snowden show that this is a method used by the US against intelligence targets.
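The single-chosen-ciphertext attack on CRT-RSA summarized above, as an added worked example (this is not code from the thesis). A toy CRT-RSA decryptor routes every modular product through a multiplier that returns a wrong product for exactly one pair of operands, which is the hypothetical model of a buggy multiplier used here; the real bug in the thesis lives in a hardware word multiplier, and the toy primes (two Mersenne primes of 31 and 61 bits) and e = 65537 are constructed for the example. The condition that makes a ciphertext c "well-chosen" is that the buggy operand pair occurs in the mod-p exponentiation but not in the mod-q one. For simplicity the example derives such a pair from the operand trace of a fixed c, which is the same condition seen from the other side: an attacker who knows the bug pair picks c so that its trace contains it (the thesis's own construction, Section 2.3, is not reproduced). The faulty plaintext m' then still agrees with m modulo q, so gcd(m'^e - c, N) = q.

```python
from math import gcd

# Constructed toy CRT-RSA key: two Mersenne primes and e = 65537 (not a real key).
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
D_P = D % (P - 1)            # exponent of the mod-p branch
D_Q = D % (Q - 1)            # exponent of the mod-q branch
Q_INV = pow(Q, -1, P)        # q^-1 mod p, used by Garner's recombination


def modexp_ltor(base, exp, mod, mul):
    """Left-to-right square-and-multiply; every modular product goes through mul()."""
    r = 1
    for bit in bin(exp)[2:]:
        r = mul(r, r, mod)
        if bit == "1":
            r = mul(r, base, mod)
    return r


def correct_mul(a, b, mod):
    return (a * b) % mod


def make_buggy_mul(bad_pair):
    """Hypothetical bug model: the product of one specific operand pair comes out wrong."""
    def buggy_mul(a, b, mod):
        r = (a * b) % mod
        if (a, b) == bad_pair:
            r ^= 1           # one flipped bit, like a rare wrong result of a faulty multiplier
        return r
    return buggy_mul


def crt_decrypt(c, mul):
    """CRT-RSA decryption; the multiplier is modelled only inside the two exponentiations."""
    m_p = modexp_ltor(c % P, D_P, P, mul)
    m_q = modexp_ltor(c % Q, D_Q, Q, mul)
    h = (Q_INV * (m_p - m_q)) % P
    return (m_q + h * Q) % N


def operand_pairs(base, exp, mod):
    """All operand pairs multiplied while computing base^exp mod mod with modexp_ltor."""
    pairs = []
    def recording_mul(a, b, m):
        pairs.append((a, b))
        return (a * b) % m
    modexp_ltor(base, exp, mod, recording_mul)
    return pairs


def bug_pair_hit_only_mod_p(c):
    """A pair the mod-p branch multiplies and the mod-q branch never does.
    In the attack the roles are reversed: the bug pair is known and c is chosen
    so that the mod-p branch hits it; the condition being checked is the same."""
    pairs_q = set(operand_pairs(c % Q, D_Q, Q))
    for pair in reversed(operand_pairs(c % P, D_P, P)):
        if pair not in pairs_q:
            return pair
    raise ValueError("every mod-p product also occurs in the mod-q branch")


def recover_factor(c, faulty_m):
    """The branch that stayed correct still satisfies m'^e = c modulo its prime,
    so gcd(m'^e - c, N) is exactly that prime."""
    return gcd((pow(faulty_m, E, N) - c) % N, N)


def run_attack(message=123456789):
    """Returns (recovered factor, whether the buggy decryption differed from m)."""
    c = pow(message, E, N)                         # the chosen ciphertext
    bad_pair = bug_pair_hit_only_mod_p(c)
    faulty = crt_decrypt(c, make_buggy_mul(bad_pair))
    return recover_factor(c, faulty), faulty != message


if __name__ == "__main__":
    factor, corrupted = run_attack()
    print("buggy decryption differs from m:", corrupted)
    print("recovered q:", factor == Q, " recovered p:", N // factor == P)
```

The gcd step is the same one used in fault attacks on CRT-RSA; what the bug attack adds is that no physical fault injection is needed, since the chosen ciphertext itself drives the faulty operand pair into one branch of the computation. Checking the decryption result (for example re-encrypting and comparing with c before releasing the plaintext) turns the leak into a plain decryption failure.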
The second contribution is an efficient algorithm for the retrieval of the RC4 secret key, given an internal state. The algorithm we present is several orders of magnitude faster than previously published algorithms. In the case of a 40-bit key, it takes only about 0.02 seconds to retrieve the key, with a success probability of 86.4%. Even in cases where our algorithm cannot retrieve the entire key, it can retrieve partial information about the key. The key can also be retrieved if some of the bytes of the initial permutation are incorrect or missing.

The third contribution is an improvement to the linear cryptanalysis of ciphers that use addition operations, which we demonstrate on the block cipher FEAL-8X. Since its introduction 27 years ago, FEAL has played a key role in the development of many cryptanalytic techniques, including differential and linear cryptanalysis. For its 25th anniversary Mitsuru Matsui announced a challenge for an improved known-plaintext attack on FEAL-8X. We describe our attack as part of this challenge and introduce improvements to linear cryptanalysis that allow us to recover the key given 2^14 known plaintexts in about 14 hours of computation, and that led us to win the challenge.