DOCSLIB.ORG

Improved Cryptanalysis of the Stream Cipher Polar Bear

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Improved Cryptanalysis of the Stream Cipher Polar Bear 中国科技论文在线 http://www.paper.edu.cn C h inese Journa1 of E lectron ics V o1.16,N o.3,July 20 07 Im proved C ryptanalysis of the Stream C ipher P olar B ear冰 H U A N G X iaoli1,2 and W U C huankun1 (1.The S tate K ey Laboratory of Inform ation Security,Institute of S oftw aFe, C hinese A cadem y of Sciences,Beijing 1 00080, C hina) (2.Graduate S chool of C hinese A cadem y of Sciences,Beijing 1 00080, C hina) A b stract ---—— T his PaP er gives a guess-and-.determ ine th e first ev alu a tio n ro u n d ,i.e.,th e eS T R E A M w ish es to carry attack against p olar b ear,w hich is one of th e cand idate p o lar b ea r to th e se con d p h as e o f it. st r e a m c iph e r s o f e STR EA M . V le c h o s e t h r e e d iffler e n t T here are m any attacks ap plicable to stream ciphers,such c le a r t e xt g r o u p s u nd e r di ffe re n t a s s u m p t io n s , a nd o nl y as key recovery attac ks[¨ lin ear cry p tan aly sis[7。,a lge b raic considered the flrst th ree cy cles in each grou P.Som e values , attac k s[ ,引 d istin g u ish in g a tta ck s [2,1 11 a n d so o n . . L a t e ly J . in each gro uP w ere recovered through k now n constant va l— M a ttsso n [101 a n d M H asanzadeh e£以 【9】presented guess—and- u es an d som e relation s in th e p revious and current g rou ps. . W _e recover th e in itial state of p olar bear com pletely w ith determ ine attacks on polar b ear w ith tim e com plexity O (2 ) tim e com plex ity 0 (236·80).In this respect,our results are and O (2 · ) resp ectively. m ugh be tter than that of the tw o recent attacks w hose tim e W e use a g uess—an d-determ ine attack on p olar bear.W e com plexities ar e 0 (2 0) and 0 (2 · ) resp ectively.O ur at— re d u ce th e a tta ck tim e co m p lex ity to O f2 00· 0 ) w h ich is m u ch tack is bas ed on know n p laintex t scenar io w h ich requ ires kn ow ledge of three d ifierent clear text grou ps,w h ere the low er th an th at in R efs.1 10 ,91.W e ch o se th ree different plain— flrst 12 bytes of each grou P cleartext n eed to be know n . text groups bas ed on different as sum ptions,and only consid— ered th e first th ree cy cles in each gro u p .T h en m ad e a gu ess o n K ey w ords —— C ryptan alysis,P olar b ear,S tream ci- tw o in te r n a l—s t a t e v a lu e s in t h e firs t g ro u p .an d o b t a in e d so m e p her,G uess-and-determ ine attack ,eS T R E A M . oth er in tern a l—state valu es.T h en m a d e a g uess on on e intern a1. state value in the second grou p.O n th e bas is of the obtained I.Introdu ction values an d som e relations in the first tw o groups.som e other values w ere com puted.In the third group,w ithout any guess Stream cip hers are im p ortant sym m etric encryption sys— w e com p uted the rem aining unk now n initial—state values bas ed tern .M an y strea m ciph ers are used w id ely in rea l lire su ch as o n th e o bta ine d va lue s in th e first tw o gro u p s. th e strea m cip h er E 0 Lf】.w h ich is u se d in th e B lu eto oth tech — n o lo g y fo r w ire les s c o m m u n ic a t io n s .H o w t o d e s ig n se c u re a n d fast stream ciphers has been a h ot research topic.M any old II.D escrip tion of P olar B ear strea m cip h ers ,w h ich w ere co n sidered se cu re a t earlier tim e , L et lI,0 ,田 denote concaten ation ,bit—w ise m odulo-2 ad — a re fo u n d to b e in sec u re la ter d u e to m o re e ffi c ien t cry p ta n al— dition.and ad d ition m odulo 2 resp ectively. L et + and . y sis.S o co ntin u o us effo rts to ca ll for sec ure an d fas t stream den ote addition and m ultip lication operations in the finite c iph ers h av e b ee n m a d e in recen t y ea rs . field G F (2 1 respectively.For sim plicity ·一m ay be om itted. In 1999 the E uropean C om m ission launched a project B yte/word are used to denote S/16一bit quantities resp ectively. N E S SIE 【 J. T he m ain objective of the project w as to p ut If a,b,c are bytes,in allbllc,a is the m ost sign ificant byte etc. forw ard good stream cip hers that w ere obtained after an op en L et Ts den ote the R ijndaelt~J S—box.If w = W l I1w2 is a 2-byte call and evaluation .B ut after seversl evaluation rounds.no w ord,then (叫)denotes Ts(叫1)IIT8(~ 2). strea m ciph ers are selected b ec au se o f insu ffi cient se cu rity .In P olar bear is a synchr onous stream cipher. It uses a 7一 2004,E C R Y P T -E uropean netw ork of excellence fo r cryptol- w ord Linear feedbac k shift register (LF SR 、R 0 and a 9一word ogy.started a new stream cipher project eST R E A M [ .It is L F SR R .T hese are view ed as acting over G F (2 1.B esides a m ulti—year e肋 rt to select new and secure enough stream the se reg iste rs.th e in tern a l sta te o f th e c ip h er a lso d ep e n d s o n ciphers that m ay becom e suitable for w idesp read adoption . a w ord quantity S and a dynam ic perm utation of bytes D 8. P o la r b e a r tsJ is o n e o f th e c a n d id a t e st r e a m c ip h e r s o f e S . T he cip her is m ainly designed for a 128.bit keY an d 256.bit T R E A M .It w as claim ed to be suitable for both softw are and internal state.T he Initial vector (IV ) can b e any num ber of h ar d w are im p lem en ta tio n .P o lar b e ar b elo n g s to P h as e 2 a fter bytes up to a m axim um of 3 1. M a nu script R eceived J uly 200 6 ;A ccep ted A p r.2007 .T h is w o rk is sup po rted by th e N ation al N atu ral Scien ce Fo un d ation o f C h in a (N o.60673068) and the C hina N ational 973 P rogram (N o.2oo4c B 3l8oo4). 转载 中国科技论文在线 http://www.paper.edu.cn Chinese Journal of Electronics Electronics Chinese Journalof 2007 On each messageto be processed.the cipher initializedis cycles,R。is three (1)In first the stepped2,3,3 steps by taking the expanded key,interpreting the IV as a cleart— orderly and R isstepped 2,2,2steps orderly.Because S is ext blockand modified applyingroundslightly a five Rijndael initializedto 0,the cycle first of registers alwaysis clocked 2 encryption with block length 256.The resulting cipher text steps. block isloaded into R0 and R .D8 and S are initializedto Thereforethe probability that this assumption can be met equal to and zero respectively. The two LFSRs are first 0.5 is : 2一 . irregularly clocked through S.Two selectedwords fromeach for different.Thea;are probability 8 all first the (2)Let ofR0 and R arerun through Ds to produce4 bytes output. this is Then selected entries in D8 are swapped. Finally S and R are modified inpreparation for the next output cycle. 2 ×(2 一1)×...×(2 一7)/(2 ) ≈0.90 N ext state function Let l0= 7 and Z1= 9 be the (3)Let the following 16 a are all different.The probabil— different.Theprobabil— aall 16 are following the (3)Let lengths of the registers.R the 2+(【S/2stepped of is lengths mod2) J ityfor this is steps,where【s/2H morenot integer largest the denotes J thanS/2 .Andfollowing: the of consists stepeach 2 ×(2 一1)×⋯ ×(2 一15)/(2 ) ≈0.62 ·Set f +-- ·Setf +-- 。+Rt ,where, 0 。areconstants,J = 1 andJ = 5: The probabilitythat the three assumptions are allmet is ·SetR;+--R;+l'J=0,1,·一,f 一2; about 2一 × 0.90× 0.62≈ 2一 · . ·FeedbackR;一】 ,. assumptionsweguess瞒 Basedthese on andR 0.R and Afterstepping the two registers,do the following steps first from瞒 calculated beRgcan Ri0.Once and stages four the for i= 0.then repeat fori= 1. R ,R2,威andknown,T are R}0 known.Because fol— is the (1)d lla lIa lla lla lIa (1)d lla (R 一 ,R。t一2). lowing 16a aredifferent.T all caxlbe regarded as aconstant (2)Let (2)Let =Ds(a~),J=0,1,2,3. during the followingtwo cycles.The notation T usedstill is (3)Swap elements in Ds (3)SwapDs(aby in elements ) ,Ds(ai) , to denote Ds duringthe followingtwo cycles. Ds(a~)卜俄,Ds(a~) i. possible瞒 all through 0(2。 takes ) R}0Searching and Next, time.The successful probability of this attack step is about ·UpdateS accordingtoS S田 ll . 2一 ’ .Sothe time complexityof the firststep for successful ·UpdateR。according to磁 磁 田 ll 0(2。。· is attack and、.Therela- output groupinternal first where bj= where 0田.Output generation Output four bytes bo[[bzll62lIb3 tions and nonlinear update ofthe three first cycles under our assumptions are shown in Table 1.For the detailed process Let denote the ith output word,i = 0,1,that is, ofgetting other values,see Table 4.Table 4 means that we Z0=b0lIblandZ1=62lIb3. useknown caa-1 words and Table..cycle..relationto getdeduced Ifmore output bytes areneeded,go back andrepeat the wordsin each step. above process. In thesecond attackstep we choose the second cleartext group whichdifferent is fromthe group.W first make le three assumptions similarto those ofthe group.0nly first the first III.Description ofthe Attack assumption different is fromthat ofthe group.Thefirst first Let( 一1,R;+f +f 一2,·一, R oft )be state theafter assumptionas follows:Inis the threefirst cycles. stepped is steps ofprocessing,where theli is length of R . denotes 2,3,3 steps orderly and R is stepped 2,3,2 steps orderly. after update.Let z ,begroup,tththeith andcycle jth As statedbefore,the probabilitythat this assumption can be , m etis 2-4 outputword,1 i 3,1 t 3,0 J 1.Tomake simple, . let letT= Ts andT bethe permutation Ds afterthe cycle. first Theprobability that allthe three assumptions aremet is An importantobservation that is no matterhow each cy_ about 2一 ’ . cle of Ro is clocked,鹋,R2,.一,R24 Ro is of cle because constants are weR§.Under guess step this In and theobservation our , R2,.一,磁,R9, matter no that and R9,Roconstants are assumptions,wethree caD_recover some otherR:through the howeach cycle of R clocked,R is constant is becauseentries obtainedvalues and some relationsin thetwo first groups and
Load more

Recommended publications
  • Failures of Secret-Key Cryptography D
    Failures of secret-key cryptography D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven http://xkcd.com/538/ 2011 Grigg{Gutmann: In the past 15 years \no one ever lost money to an attack on a properly designed cryptosystem (meaning one that didn't use homebrew crypto or toy keys) in the Internet or commercial worlds". 2011 Grigg{Gutmann: In the past 15 years \no one ever lost money to an attack on a properly designed cryptosystem (meaning one that didn't use homebrew crypto or toy keys) in the Internet or commercial worlds". 2002 Shamir:\Cryptography is usually bypassed. I am not aware of any major world-class security system employing cryptography in which the hackers penetrated the system by actually going through the cryptanalysis." Do these people mean that it's actually infeasible to break real-world crypto? Do these people mean that it's actually infeasible to break real-world crypto? Or do they mean that breaks are feasible but still not worthwhile for the attackers? Do these people mean that it's actually infeasible to break real-world crypto? Or do they mean that breaks are feasible but still not worthwhile for the attackers? Or are they simply wrong: real-world crypto is breakable; is in fact being broken; is one of many ongoing disaster areas in security? Do these people mean that it's actually infeasible to break real-world crypto? Or do they mean that breaks are feasible but still not worthwhile for the attackers? Or are they simply wrong: real-world crypto is breakable; is in fact being broken; is one of many ongoing disaster areas in security? Let's look at some examples.
    [Show full text]
  • High Performance Architecture for LILI-II Stream Cipher
    International Journal of Computer Applications (0975 – 8887) Volume 107 – No 13, December 2014 High Performance Architecture for LILI-II Stream Cipher N. B. Hulle R. D. Kharadkar, Ph.D. S. S. Dorle, Ph.D. GHRIEET, Pune GHRIEET, Pune GHRCE, Nagpur Domkhel Road Domkhel Road Hingana Road Wagholi, Pune Wagholi, Pune Nagpur ABSTRACT cipher. This architecture uses same clock for both LFSRs. It is Proposed work presents high performance architecture for capable of shifting LFSRD content by one to four stages, LILI-II stream cipher. This cipher uses 128 bit key and 128 bit depending on value of function FC in single clock cycle IV for initialization of two LFSR. Proposed architecture uses without losing any data from function FC. single clock for both LFSRs, so this architecture will be useful in high speed communication applications. Presented 2. LILI-II STREAM CIPHER architecture uses four bit shifting of LFSR in single clock LILI-II is synchronous stream cipher developed by A. Clark et D al. in 2002 by removing existing weaknesses of LILI-128 cycle without losing any data items from function FC. Proposed architecture is coded by using VHDL language with stream cipher. It consists of two subsystems, clock controlled CAD tool Xilinx ISE Design Suite 13.2 and targeted hardware subsystem and data generation subsystem as shown in Fig. 1. is Xilinx Virtex5 FPGA having device xc4vlx60, with KEY IV package ff1148. Proposed architecture achieved throughput of 127 128 128 224.7 Mbps at 224.7 MHz frequency. 127 General Terms Hardware implementation of stream ciphers LFSRc LFSRd ... Keywords X0 X126 X0 X1 X96 X122 LILI, Stream cipher, clock controlled, FPGA, LFSR.
    [Show full text]
  • A Uniform Framework for Cryptanalysis of the Bluetooth E0
    1 A Uniform Framework for Cryptanalysis of the Bluetooth E0 Cipher Ophir Levy and Avishai Wool School of Electrical Engineering, Tel Aviv University, Ramat Aviv 69978, ISRAEL. [email protected], [email protected] . Abstract— In this paper we analyze the E0 cipher, which “short key” attacks, that need at most 240 known is the encryption system used in the Bluetooth specification. keystream bits and are applicable in the Bluetooth We suggest a uniform framework for cryptanalysis of the setting; and “long key” attacks, that are applicable only E0 cipher. Our method requires 128 known bits of the if the E0 cipher is used outside the Bluetooth mode of keystream in order to recover the initial state of the LFSRs, operation. which reflects the secret key of this encryption engine. In one setting, our framework reduces to an attack of 1) Short Key Attacks: D. Bleichenbacher has shown D. Bleichenbacher. In another setting, our framework is in [1] that an attacker can guess the content of the equivalent to an attack presented by Fluhrer and Lucks. registers of the three smaller LFSRs and of the E0 − Our best attack can recover the initial state of the LFSRs combiner state registers with a probability of 2 93. Then after solving 286 boolean linear systems of equations, which the attacker can compute the the contents of the largest is roughly equivalent to the results obtained by Fluhrer and LFSR (of length 39 bit) by “reverse engineering” it Lucks. from the outputs of the other LFSRs and the combiner states. This attack requires a total of 128 bits of known I.
    [Show full text]
  • Key Differentiation Attacks on Stream Ciphers
    Key differentiation attacks on stream ciphers Abstract In this paper the applicability of differential cryptanalytic tool to stream ciphers is elaborated using the algebraic representation similar to early Shannon’s postulates regarding the concept of confusion. In 2007, Biham and Dunkelman [3] have formally introduced the concept of differential cryptanalysis in stream ciphers by addressing the three different scenarios of interest. Here we mainly consider the first scenario where the key difference and/or IV difference influence the internal state of the cipher (∆key, ∆IV ) → ∆S. We then show that under certain circumstances a chosen IV attack may be transformed in the key chosen attack. That is, whenever at some stage of the key/IV setup algorithm (KSA) we may identify linear relations between some subset of key and IV bits, and these key variables only appear through these linear relations, then using the differentiation of internal state variables (through chosen IV scenario of attack) we are able to eliminate the presence of corresponding key variables. The method leads to an attack whose complexity is beyond the exhaustive search, whenever the cipher admits exact algebraic description of internal state variables and the keystream computation is not complex. A successful application is especially noted in the context of stream ciphers whose keystream bits evolve relatively slow as a function of secret state bits. A modification of the attack can be applied to the TRIVIUM stream cipher [8], in this case 12 linear relations could be identified but at the same time the same 12 key variables appear in another part of state register.
    [Show full text]
  • Ray Bradbury Creative Contest Literary Journal
    32nd Annual Ray Bradbury Creative Contest Literary Journal 2016 Val Mayerik Val Ray Bradbury Creative Contest A contest of writing and art by the Waukegan Public Library. This year’s literary journal is edited, designed, and produced by the Waukegan Public Library. Table of Contents Elementary School Written page 1 Middle School Written page 23 High School Written page 52 Adult Written page 98 Jennifer Herrick – Designer Rose Courtney – Staff Judge Diana Wence – Staff Judge Isaac Salgado – Staff Judge Yareli Facundo – Staff Judge Elementary School Written The Haunted School Alexis J. In one wonderful day there was a school-named “Hyde Park”. One day when, a kid named Logan and his friend Mindy went to school they saw something new. Hyde Park is hotel now! Logan and Mindy Went inside to see what was going on. So they could not believe what they say. “Hyde Park is also now haunted! When Logan took one step they saw Slender Man. Then they both walk and there was a scary mask. Then mummies started coming out of the grown and zombies started coming from the grown and they were so stinky yuck! Ghost came out all over the school and all the doors were locked. Now Mindy had a plan to scare all the monsters away. She said “we should put all the monsters we saw all together. So they make Hyde Park normal again. And they live happy ever after and now it is back as normal. THE END The Haunted House Angel A. One day it was night. And it was so dark a lot of people went on a house called “dead”.
    [Show full text]
  • Optimizing the Placement of Tap Positions and Guess and Determine
    Optimizing the placement of tap positions and guess and determine cryptanalysis with variable sampling S. Hodˇzi´c, E. Pasalic, and Y. Wei∗† Abstract 1 In this article an optimal selection of tap positions for certain LFSR-based encryption schemes is investigated from both design and cryptanalytic perspective. Two novel algo- rithms towards an optimal selection of tap positions are given which can be satisfactorily used to provide (sub)optimal resistance to some generic cryptanalytic techniques applicable to these schemes. It is demonstrated that certain real-life ciphers (e.g. SOBER-t32, SFINKS and Grain-128), employing some standard criteria for tap selection such as the concept of full difference set, are not fully optimized with respect to these attacks. These standard design criteria are quite insufficient and the proposed algorithms appear to be the only generic method for the purpose of (sub)optimal selection of tap positions. We also extend the framework of a generic cryptanalytic method called Generalized Filter State Guessing Attacks (GFSGA), introduced in [26] as a generalization of the FSGA method, by applying a variable sampling of the keystream bits in order to retrieve as much information about the secret state bits as possible. Two different modes that use a variable sampling of keystream blocks are presented and it is shown that in many cases these modes may outperform the standard GFSGA mode. We also demonstrate the possibility of employing GFSGA-like at- tacks to other design strategies such as NFSR-based ciphers (Grain family for instance) and filter generators outputting a single bit each time the cipher is clocked.
    [Show full text]
  • MTH6115 Cryptography 4.1 Fish
    MTH6115 Cryptography Notes 4: Stream ciphers, continued Recall from the last part the definition of a stream cipher: Definition: A stream cipher over an alphabet of q symbols a1;:::;aq requires a key, a random or pseudo-random string of symbols from the alphabet with the same length as the plaintext, and a substitution table, a Latin square of order q (whose entries are symbols from the alphabet, and whose rows and columns are indexed by these symbols). If the plaintext is p = p1 p2 ::: pn and the key is k = k1k2 :::kn, then the ciphertext is z = z1z2 :::zn, where zt = pt ⊕ kt for t = 1;:::;n; the operation ⊕ is defined as follows: ai ⊕a j = ak if and only if the symbol in the row labelled ai and the column labelled a j of the substitution table is ak. We extend the definition of ⊕ to denote this coordinate-wise operation on strings: thus, we write z = p ⊕ k, where p;k;z are the plaintext, key, and ciphertext strings. We also define the operation by the rule that p = z k if z = p ⊕ k; thus, describes the operation of decryption. 4.1 Fish (largely not examinable) A simple improvement of the Vigenere` cipher is to encipher twice using two differ- ent keys k1 and k2. Because of the additive nature of the cipher, this is the same as enciphering with k1 + k2. The advantage is that the length of the new key is the least common multiple of the lengths of k1 and k2. For example, if we encrypt a message once with the key FOXES and again with the key WOLVES, the new key is obtained by encrypting a six-fold repeat of FOXES with a five-fold repeat of WOLVES, namely BCIZWXKLPNJGTSDASPAGQJBWOTZSIK 1 The new key has period 30.
    [Show full text]
  • *UPDATED Canadian Values 07-04 201 7/26/2016 4:42:21 PM *UPDATED Canadian Values 07-04 202 COIN VALUES: CANADA 02 .0 .0 12
    CANADIAN VALUES By Michael Findlay Large Cents VG-8 F-12 VF-20 EF-40 MS-60 MS-63R 1917 1.00 1.25 1.50 2.50 13. 45. CANADA COIN VALUES: 1918 1.00 1.25 1.50 2.50 13. 45. 1919 1.00 1.25 1.50 2.50 13. 45. 1920 1.00 1.25 1.50 3.00 18. 70. CANADIAN COIN VALUES Small Cents PRICE GUIDE VG-8 F-12 VF-20 EF-40 MS-60 MS-63R GEORGE V All prices are in U.S. dollars LargeL Cents C t 1920 0.20 0.35 0.75 1.50 12. 45. Canadian Coin Values is a comprehensive retail value VG-8 F-12 VF-20 EF-40 MS-60 MS-63R 1921 0.50 0.75 1.50 4.00 30. 250. guide of Canadian coins published online regularly at Coin VICTORIA 1922 20. 23. 28. 40. 200. 1200. World’s website. Canadian Coin Values is provided as a 1858 70. 90. 120. 200. 475. 1800. 1923 30. 33. 42. 55. 250. 2000. reader service to collectors desiring independent informa- 1858 Coin Turn NI NI 2500. 5000. BNE BNE 1924 6.00 8.00 11. 16. 120. 800. tion about a coin’s potential retail value. 1859 4.00 5.00 6.00 10. 50. 200. 1925 25. 28. 35. 45. 200. 900. Sources for pricing include actual transactions, public auc- 1859 Brass 16000. 22000. 30000. BNE BNE BNE 1926 3.50 4.50 7.00 12. 90. 650. tions, fi xed-price lists and any additional information acquired 1859 Dbl P 9 #1 225.
    [Show full text]
  • Stream Ciphers (Contd.)
    Stream Ciphers (contd.) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives • Non-linear feedback shift registers • Stream ciphers using LFSRs: – Non-linear combination generators – Non-linear filter generators – Clock controlled generators – Other Stream Ciphers Low Power Ajit Pal IIT Kharagpur 1 Non-linear feedback shift registers • A Feedback Shift Register (FSR) is non-singular iff for all possible initial states every output sequence of the FSR is periodic. de Bruijn Sequence An FSR with feedback function fs(jj−−12 , s ,..., s jL − ) is non-singular iff f is of the form: fs=⊕jL−−−−+ gss( j12 , j ,..., s jL 1 ) for some Boolean function g. The period of a non-singular FSR with length L is at most 2L . If the period of the output sequence for any initial state of a non-singular FSR of length L is 2L , then the FSR is called a de Bruijn FSR, and the output sequence is called a de Bruijn sequence. Low Power Ajit Pal IIT Kharagpur 2 Example f (,xxx123 , )1= ⊕⊕⊕ x 2 x 3 xx 12 t x1 x2 x3 t x1 x2 x3 0 0 0 0 4 0 1 1 1 1 0 0 5 1 0 1 2 1 1 0 6 0 1 0 3 1 1 1 3 0 0 1 Converting a maximal length LFSR to a de-Bruijn FSR Let R1 be a maximum length LFSR of length L with linear feedback function: fs(jj−−12 , s ,..., s jL − ). Then the FSR R2 with feedback function: gs(jj−−12 , s ,..., s jL − )=⊕ f sjj−−12 , s ,..., s j −L+1 is a de Bruijn FSR.
    [Show full text]
  • Methods for Symmetric Key Cryptography and Cryptanalysis EWM Phd Summer School, Turku, June 2009
    Methods for Symmetric Key Cryptography and Cryptanalysis EWM PhD Summer School, Turku, June 2009 Kaisa Nyberg [email protected] Department of Information and Computer Science Helsinki University of Technology and Nokia, Finland Methods for Symmetric Key Cryptography and Cryptanalysis – 1/32 This lecture is dedicated to the memory of Professor Susanne Dierolf a dear and supporting friend, a highly respected colleague, and a great European Woman in Mathematics, who passed away in May 2009 at the age of 64 in Trier, Germany. Methods for Symmetric Key Cryptography and Cryptanalysis – 2/32 Outline 1. Boolean function Linear approximation of Boolean function Related probability distribution 2. Cryptographic encryption primitives Linear approximation of block cipher Linear approximation of stream cipher 3. Cryptanalysis and attack scenarios Key information deduction on block cipher Distinguishing attack on stream cipher Initial state recovery of stream cipher 4. Conclusions Methods for Symmetric Key Cryptography and Cryptanalysis – 3/32 Boolean Functions Methods for Symmetric Key Cryptography and Cryptanalysis – 4/32 Binary vector space n Z 2 the space of n-dimensional binary vectors ¨ sum modulo 2 Given two vectors 1 n 1 n n a = ´a ; : : : ; a µ; b = ´b ; : : : ; b µ ¾ Z 2 the inner product (dot product) is defined as 1 1 n n a ¡ b = a b ¨ ¡ ¡ ¡ ¨ a b : Then a is called the linear mask of b. Methods for Symmetric Key Cryptography and Cryptanalysis – 5/32 Boolean function n f : Z 2 Z 2 Boolean function. Linear Boolean function is of the form f ´x µ = u ¡ x for some n fixed linear mask u ¾ Z 2.
    [Show full text]
  • Politecnico Di Torino
    POLITECNICO DI TORINO Master Degree Course in Electronic Engineering Master Degree Thesis Evaluation of Encryption Algorithm Security in Heterogeneous Platform against Differential Power Analysis Attack Supervisor: Candidate: Prof. Stefano DI CARLO Fiammetta VOLPE Student ID: 235145 A.A. 2017/2018 Summary An embedded system security can be violated at different levels of abstraction: the vulnerability is not only present from software point of view, but also the hardware can be attacked. This thesis is focused on an hardware attack at logic/microelectronic level called Differential Power Analysis (DPA), included in the larger categories of the Power Analysis (PA) and Side-Channel Anal- ysis, catalogued like a passive and non-invasive attack, since it includes the observation of the normal behaviour of the device without any physical alteration. As a consequence, this kind of attack could be extremely dangerous and it doesn’t leave any trace. A DPA attack is essentially based on the principle that the power consumption is correlated to the activity of the device during data encryption, so also to the used encryption key. Thus, using statistical analysis on a sufficiently large number of power traces, it is possible to detect the correct hypothesis for the key. Due to the improvement of FPGAs in terms of capacity and performance and the significant in- crement of the value of handled data, it is essential to do an analysis of the level of vulnerability of the device. For this reason, the MachXO2-7000 FPGA included, together with a STM32F4 CPU and a SLJ52G SECURITY CONTROLLER-SMART CARD, inside the BGA chip SEcubeTM, appositely designed for security goals, is the chosen target for this thesis.
    [Show full text]
  • RC4-2S: RC4 Stream Cipher with Two State Tables
    RC4-2S: RC4 Stream Cipher with Two State Tables Maytham M. Hammood, Kenji Yoshigoe and Ali M. Sagheer Abstract One of the most important symmetric cryptographic algorithms is Rivest Cipher 4 (RC4) stream cipher which can be applied to many security applications in real time security. However, RC4 cipher shows some weaknesses including a correlation problem between the public known outputs of the internal state. We propose RC4 stream cipher with two state tables (RC4-2S) as an enhancement to RC4. RC4-2S stream cipher system solves the correlation problem between the public known outputs of the internal state using permutation between state 1 (S1) and state 2 (S2). Furthermore, key generation time of the RC4-2S is faster than that of the original RC4 due to less number of operations per a key generation required by the former. The experimental results confirm that the output streams generated by the RC4-2S are more random than that generated by RC4 while requiring less time than RC4. Moreover, RC4-2S’s high resistivity protects against many attacks vulnerable to RC4 and solves several weaknesses of RC4 such as distinguishing attack. Keywords Stream cipher Á RC4 Á Pseudo-random number generator This work is based in part, upon research supported by the National Science Foundation (under Grant Nos. CNS-0855248 and EPS-0918970). Any opinions, findings and conclusions or recommendations expressed in this material are those of the author (s) and do not necessarily reflect the views of the funding agencies or those of the employers. M. M. Hammood Applied Science, University of Arkansas at Little Rock, Little Rock, USA e-mail: [email protected] K.
    [Show full text]