DOCSLIB.ORG

Statistical and Algebraic Cryptanalysis of Lightweight and Ultra-Lightweight Symmetric Primitives

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Statistical and Algebraic Cryptanalysis of Lightweight and Ultra-Lightweight Symmetric Primitives Statistical and Algebraic Cryptanalysis of Lightweight and Ultra-Lightweight Symmetric Primitives THÈSE NO 5415 (2012) PRÉSENTÉE LE 27 AOÛT 2012 À LA FACULTÉ INFORMATIQUE ET COMMUNICATIONS LABORATOIRE DE SÉCURITÉ ET DE CRYPTOGRAPHIE PROGRAMME DOCTORAL EN INFORMATIQUE, COMMUNICATIONS ET INFORMATION ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE POUR L'OBTENTION DU GRADE DE DOCTEUR ÈS SCIENCES PAR Pouyan SEPEHRDAD acceptée sur proposition du jury: Prof. E. Telatar, président du jury Prof. S. Vaudenay, directeur de thèse Prof. A. Canteaut, rapporteur Prof. A. Lenstra, rapporteur Prof. W. Meier, rapporteur Suisse 2012 To my two angels of God, my mother and father whom without their help, devotion, affection, love and support not only this dissertation could not be accomplished, but I was not able to put my feet one step forward towards improvement. Abstract Symmetric cryptographic primitives such as block and stream ciphers are the building blocks in many cryptographic protocols. Having such blocks which provide provable security against various types of attacks is often hard. On the other hand, if possible, such designs are often too costly to be implemented and are usually ignored by practitioners. Moreover, in RFID protocols or sensor networks, we need lightweight and ultra-lightweight algorithms. Hence, cryptographers often search for a fair trade-off between security and usability depending on the application. Contrary to public key primitives, which are often based on some hard problems, security in symmetric key is often based on some heuristic assumptions. Often, the researchers in this area argue that the security is based on the confidence level the community has in their design. Consequently, everyday symmetric protocols appear in the literature and stay secure until someone breaks them. In this thesis, we evaluate the security of multiple symmetric primitives against statistical and algebraic attacks. This thesis is composed of two distinct parts: In the first part, we investigate the security of RC4 stream cipher against statistical attacks. We focus on its applications in WEP and WPA protocols. We revisit the previous attacks on RC4 and optimize them. In fact, we propose a framework on how to deal with a pool of biases for RC4 in an optimized manner. During this work, we found multiple new weaknesses in the corresponding applications. We show that the current best attack on WEP can still be improved. We compare our results with the state of the art implementation of the WEP attack on Aircrack-ng program and improve its success rate. Next, we propose a theoretical key recovery and distinguishing attacks on WPA, which cryptographically break the protocol. We perform an extreme amount of experiments to make sure that the proposed theory matches the experiments. Finally, we propose a concrete theoretical and empirical proof of all our claims. These are currently the best known attacks on WEP and WPA. In the second part, we shed some lights on the theory behind ElimLin, which is an algorithm for solving multivariate polynomial systems of equations. We attack PRESENT and LBlock block ciphers with ElimLin algorithm and compare their security using this algebraic technique. Then, we investigate the security of KATAN family of block ciphers and multi-purpose cryptographic primitive ARMADILLO against algebraic attacks. We break reduced-round versions of several members of KATAN family by proposing a novel pre-processing technique on the original algebraic representation of the cipher before feeding it to a SAT solver. Finally, we propose a devastating practical key recovery attack against the ARMADILLO1 protocol, which breaks it in polynomial time using a few challenge-response pairs. Keywords: Symmetric cryptography, light-weight cryptography, statistical attacks, RC4 crypt- V analysis, WEP and WPA, block and stream ciphers, algebraic cryptanalysis, systems of sparse polynomial equations of low degree, challenge-response protocols, ElimLin, SAT solving techniques VI R´esum´e Les primitives cryptographiques `acl´esym´etriquecomme les syst`emesde chiffrement par blocs et les syst`emesde chiffrement `aflot sont les composantes de base de nombreux protocoles cryp- tographiques. Il est souvent difficile d'avoir de telles composantes dont la s´ecurit´eest prouv´ee contre divers types d'attaques. Aussi, de telles conceptions sont souvent trop co^uteusespour ^etre impl´ement´eeset sont habituellement ignor´eesen pratique. De plus, dans des environnements sous contraintes comme les protocoles RFID ou les r´eseauxde capteurs, il est primordial d'utiliser des algorithmes bas-co^ut.Il est donc n´ecessairepour les cryptographes de rechercher un bon com- promis entre la s´ecurit´eet l'utilisabilit´e.Ce compromis d´epend de l'application. Contrairement aux primitives `acl´epublique qui sont souvent bas´eessur des probl`emessuppos´es^etredifficiles `a r´esoudre,la s´ecurit´edes syst`emes`acl´esym´etriqueest souvent bas´eesur des suppositions heuris- tiques. Les chercheurs dans ce domaine affirment souvent que la s´ecurit´eest bas´eesur le niveau de confiance qu'a la communaut´een leur construction. En cons´equence,de nouveaux protocoles `acl´e sym´etriqueapparaissent r´eguli`erement et restent s^ursjusqu’`ace que quelqu'un les cassent. Dans cette th`ese, nous ´evaluons la s´ecurit´ede plusieurs primitives `acl´esym´etriquecontre les attaques statistiques et alg´ebriques.Cette th`eseest compos´eede deux parties distinctes. Dans la premi`erepartie, nous ´etudionsla s´ecurit´econtre les attaques statistiques du syst`eme de chiffrement `aflot RC4. Nous nous int´eressonsen particulier `ases applications dans les pro- tocoles WEP et WPA. Nous revisitons les attaques d´evelopp´eespr´ec´edemment sur RC4 et nous les optimisons. En fait, nous proposons un cadre pour traiter une banque de biais pour RC4 de fa¸conoptimis´ee.Dans ce travail, nous avons trouv´ede nombreuses nouvelles vuln´erabilit´esdans les applications correspondantes. Nous montrons aussi que la meilleure attaque actuellement existante sur WEP peut encore ^etream´elior´ee.Nous comparons nos r´esultatsavec le logiciel Aircrack-ng, la meilleure impl´ementation actuelle attaquant WEP et nous am´elioronssa probabilit´ede succ`es. Ensuite, nous proposons des attaques par distingueurs ainsi qu'une attaque th´eoriquesur WPA qui r´ecup`erela cl´esecr`ete.Ces attaques cassent le protocole d'un point de vue cryptographique. Nous effectuons une ´enormequantit´ed'exp´eriencesafin d'^etres^ursque la th´eorieque nous proposons soit bien v´erifi´eeen pratique. Finalement, nous proposons des preuves th´eoriqueset empiriques de toutes nos affirmations. Nos attaques sont actuellement les meilleures attaques sur WEP et WPA. Dans la deuxi`emepartie, nous apportons quelques ´eclaircissements sur la th´eoriederri`ere Elim- Lin qui est un algorithme utilis´epour r´esoudredes syst`emesd'´equationspolynomiales multivari´ees. Nous ´etudions ensuite la s´ecurit´econtre les attaques alg´ebriquesde plusieurs syst`emesde chiffre- ments par blocs et d'une primitive cryptographique multi-usage. Cette liste comprend KATAN, PRESENT et LBlock pour les chiffrement par blocs et ARMADILLO1 pour la primitive cryptogra- phique multi-usage. Nous cassons des versions r´eduitesde plusieurs membres de la famille KATAN VII et nous proposons une nouvelle technique de pr´etraitement sur la repr´esentation alg´ebriquedu syst`emeavant de le donner `aun solveur SAT. Nous attaquons les syst`emesde chiffrement par blocs PRESENT et LBlock en utilisant l'algorithme ElimLin et nous comparons leur s´ecurit´een utilisant cette technique alg´ebrique.Finalement, nous proposons une attaque `ar´ecup´erationde cl´e d´evastatrice contre le protocole ARMADILLO1 qui le casse en temps polynomial en utilisant un faible nombre de paires challenge/r´eponse. Mots-cl´es: Cryptographie `acl´esym´etrique,cryptographie bas-co^ut,attaques statistiques, cryp- tanalyse de RC4, WEP et WPA, syst`emesde chiffrement par blocs, syst`emesde chiffrement `a flot, syst`emesd'´equationspolynomiales creuses de faible degr´e,protocoles de challenge/r´eponse, ElimLin, techniques r´esolvant SAT VIII Acknowledgment There are always some influential people in anyone's academic life. Since this dissertation is the last written document in my student life, I would like to thank all those who changed my life and attitude during these exciting and challenging years: I can not imagine how I can thank the best teachers of my life, my two angels of God, my parents, for all their support, help, sacrifices and love during my entire life; the only ones who were always there for me in both my happiness and hard time; the ones I love the most for ever and can not reciprocate even a small part of what they did for me. At any period in my academic life, it was my dream to have someone beside me who has the answer to all my questions. I never had such an opportunity before I met Prof. Serge Vaudenay. For me, Serge is the realization of the \Decryption Oracle" in cryptography. I have never met anyone brighter and smarter in my life. One of the hardest decisions in my academic life was to decide whether to pursue PhD studies in England or to join Serge's group at EPFL, Switzerland. Quoting one of my favorite statements from one of the most influential people in Computer Science, Steve Jobs: \you can not connect the dots looking forward; you can only connect them looking backwards". Looking backward, coming to LASEC was the best decision I have ever made in my academic life. I would like to warmly thank Serge for giving me the opportunity to join his group, his help and support, providing such a nice environment for research and always motivating me to deliver precise results. I would like to warmly thank Dr. Nicolas Courtois for his extreme kindness, help and support during the last 5 years. More importantly, he changed my attitude towards several points in life. I learned from him to follow my passion and to do research in areas which I find interesting, though other people believe what I am doing is of no interest.
Load more

Recommended publications
  • Cryptanalysis of the ISDB Scrambling Algorithm (MULTI2)
    Cryptanalysis of the ISDB Scrambling Algorithm (MULTI2) Jean-Philippe Aumasson1⋆, Jorge Nakahara Jr.2⋆⋆, and Pouyan Sepehrdad2 1 FHNW, Windisch, Switzerland 2 EPFL, Lausanne, Switzerland [email protected], {jorge.nakahara,pouyan.sepehrdad}@epfl.ch Abstract. MULTI2 is the block cipher used in the ISDB standard for scrambling digital multimedia content. MULTI2 is used in Japan to se- cure multimedia broadcasting, including recent applications like HDTV and mobile TV. It is the only cipher specified in the 2007 Japanese ARIB standard for conditional access systems. This paper presents a theoretical break of MULTI2 (not relevant in practice), with shortcut key recovery attacks for any number of rounds. We also describe equivalent keys and linear attacks on reduced versions with up 20 rounds (out of 32), improv- ing on the previous 12-round attack by Matsui and Yamagishi. Practical attacks are presented on up to 16 rounds. Keywords: ISDB, ARIB, MULTI2, block cipher, linear cryptanalysis, conditional access 1 Introduction MULTI2 is a block cipher developed by Hitachi in 1988 for general-purpose applications, but which has mainly been used for securing multimedia content. It was registered in ISO/IEC 99793 [8] in 1994, and is patented in the U.S. [13, 14] and in Japan [7]. MULTI2 is the only cipher specified in the 2007 Japanese standard ARIB for conditional access systems [2]. ARIB is the basic standard of the recent ISDB (for Integrated Services Digital Broadcasting), Japan’s standard for digital television and digital radio (see http://www.dibeg.org/) Since 1995, MULTI2 is the cipher used by satellite and terrestrial broadcast- ers in Japan [16, 18] for protecting audio and video streams, including HDTV, mobile and interactive TV.
    [Show full text]
  • Neptune Township Tax List Book: 1 Block/Lot: 101/1
    NEPTUNE TOWNSHIP TAX LIST BOOK: 1 BLOCK/LOT: 101/1 NEW JERSEY PROPERTY TAX SYSTEM LEGEND QUALIFICATION BUILDING DESCRIPTION REAL PROPERTY EXEMPT PROPERTY LIMITED EXEMPTIONS CODE EXPLANATION Format: Stories-Structure-Style-Garage CLASS CODES CLASS CODES CODE EXPLANATION S Sector Number Prefix STORIES D Dutch Colonial TAXABLE PROPERTY W Ward Number Prefix S Prefix S with no. of stories E English Tudor C Condo Unit No. Prefix F Cape Cod LOT Lot only is owned STRUCTURE L Colonial 1 Vacant Land 15A Public School Property E Fire Suppression System BLDG Building only is owned AL Aluminum Siding M Mobile Home 2 Residential 15B Other School Property F Fallout Shelter HM Hackensack Meadow Lands B Brick R Rancher 3A Farm (Regular) 15C Public Property P Pollution Control X Exmpt. Port. of Taxable Property CB Concrete Block S Split Level 3B Farm (Qualified) 15D Church & Charit. Property W Water Supply Control HL Highlands F Frame T Twin 4A Commercial 15E Cemeteries & Graveyards G Commercial Indust. Exempt. FP Flood Plain M Metal W Row Home 4B Industrial 15F Other Exempt. I Dwelling Exemption M Mobile Home RC Reinforced Concrete X Duplex 4C Apartment J Dwelling Abatement PL Pine Lands S Stucco Z Raised Rancher K New Dwelling/Conversion Z Coastal Zone SS Structural Steel O Other RAILROAD PROPERTY DEDUCTIONS Exemption L Wet Lands ST Stone 2 Bi-Level CODE EXPLANATION L New Dwelling/Conversion B Billboard W Wood 3 Tri-Level 5A Railroad Class I Abatement T Cell Tower 5B Railroad Class II N Mulitiple Dwelling Exemption QFARM Qualified Farmland STYLE GARAGE S Senior Citizen O Multiple Dwelling Abatement A Commercial AG Attached Garage PERSONAL PROPERTY V Veteran U Urban Enterprise Zone Abate.
    [Show full text]
  • Confidentiality and Tamper--Resistance of Embedded Databases Yanli Guo
    Confidentiality and Tamper--Resistance of Embedded Databases Yanli Guo To cite this version: Yanli Guo. Confidentiality and Tamper--Resistance of Embedded Databases. Databases [cs.DB]. Université de Versailles Saint Quentin en Yvelines, 2011. English. tel-01179190 HAL Id: tel-01179190 https://hal.archives-ouvertes.fr/tel-01179190 Submitted on 21 Jul 2015 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. UNIVERSITE DE VERSAILLES SAINT-QUENTIN-EN-YVELINES Ecole Doctorale Sciences et Technologies de Versailles - STV Laboratoire PRiSM UMR CNRS 8144 THESE DE DOCTORAT DE L’UNIVERSITE DE VERSAILLES SAINT–QUENTIN–EN–YVELINES présentée par : Yanli GUO Pour obtenir le grade de Docteur de l’Université de Versailles Saint-Quentin-en-Yvelines CONFIDENTIALITE ET INTEGRITE DE BASES DE DONNEES EMBARQUEES (Confidentiality and Tamper-Resistance of Embedded Databases) Soutenue le 6 décembre 2011 ________ Rapporteurs : Didier DONSEZ, Professeur, Université Joseph Fourier, Grenoble PatriCk VALDURIEZ, Directeur de recherche, INRIA, Sophia Antipolis Examinateurs : NiColas
    [Show full text]
  • DVB); Content Protection and Copy Management (DVB-CPCM); Part 4: CPCM System Specification
    ETSI TS 102 825-4 V1.2.2 (2013-12) Technical Specification Digital Video Broadcasting (DVB); Content Protection and Copy Management (DVB-CPCM); Part 4: CPCM System Specification 2 ETSI TS 102 825-4 V1.2.2 (2013-12) Reference RTS/JTC-DVB-334-4 Keywords broadcast, digital, DVB, TV ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice Individual copies of the present document can be downloaded from: http://www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written permission.
    [Show full text]
  • Low-End Rental Housing the Forgotten Story in L O
    N E W M A N LOW-END RENTAL HOUSING THE FORGOTTEN STORY IN L O W BALTIMORE’S HOUSING BOOM - E N D R E N T A L Sandra J. Newman H O U S I N G THE URBAN INSTITUTE 2100 M Street N.W. Washington, D.C. 20037 Tel: (202) 261-5687 Fax: (202) 467-5775 Web: www.urban.org FUNDED BY THE ABELL FOUNDATION LOW-END RENTAL HOUSING THE FORGOTTEN STORY IN BALTIMORE’S HOUSING BOOM Sandra J. Newman FUNDED BY THE ABELL FOUNDATION Copyright © August 2005. The Urban Institute. All rights re- served. Except for short quotes, no part of this book may be reproduced or used in any form or by any means, electronic or mechanical, including photocopying, recording, or by informa- tion storage or retrieval system, without written permission from the Urban Institute. The Urban Institute is a nonprofit, nonpartisan policy research and educational organization that examines the social, economic, and governance problems facing the nation. The views expressed are those of the author and should not be attributed to the Urban Institute, its trustees, or its funders. CONTENTS Acknowledgments . v Executive Summary . vii The Status of Low-End Rental Housing. 5 Baltimore City Renters . 6 Vacancy Rates and Abandonment . 8 Rents . 10 Affordability. 12 Housing Quality . 14 Neighborhood Quality. 19 Rental Housing Owners. 20 Federally Assisted Housing . 22 What All These Numbers Tell Us . 25 What Should Be Done? . 26 Addressing the Affordability Problem . 26 Addressing the Combined Problems of Affordability and Inadequacy with Project-Based Vouchers . 29 Addressing the Inadequacy Problem .
    [Show full text]
  • User Behavior Modeling with Large-Scale Graph Analysis Alex Beutel May 2016 CMU-CS-16-105
    User Behavior Modeling with Large-Scale Graph Analysis Alex Beutel May 2016 CMU-CS-16-105 Computer Science Department School of Computer Science Carnegie Mellon University Pittsburgh, PA Thesis Committee: Christos Faloutsos, Co-Chair Alexander J. Smola, Co-Chair Geoffrey J. Gordon Philip S. Yu, University of Illinois at Chicago Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy. Copyright © 2016 Alex Beutel. This research was sponsored under the National Science Foundation Graduate Research Fellowship Program (Grant no. DGE- 1252522) and a Facebook Fellowship. This research was also supported by the National Science Foundation under grants num- bered IIS-1017415, CNS-1314632 and IIS-1408924, as well as the Army Research Laboratory under Cooperative Agreement Number W911NF-09-2-0053. I also would like to thank the CMU Parallel Data Laboratory OpenCloud for providing infrastructure for ex- periments; this research was funded, in part, by the NSF under award CCF-1019104, and the Gordon and Betty Moore Foundation, in the eScience project. Also, I would like to thank the Open Cloud Consortium (OCC) and the Open Science Data Cloud (OSDC) for the use of resources on the OCC-Y Hadoop cluster, which was donated to the OCC by Yahoo! The views and conclusions contained in this document are those of the author and should not be interpreted as representing the official policies, either expressed or implied, of any sponsoring institution, the U.S. government or any other entity. Keywords: behavior modeling, graph mining, scalable machine learning, fraud detection, recommendation systems, clustering, co-clustering, factorization, machine learning systems, distributed systems Dedicated to my family.
    [Show full text]
  • CRYPTREC Report 2008 暗号技術監視委員会報告書
    CRYPTREC Report 2008 平成21年3月 独立行政法人情報通信研究機構 独立行政法人情報処理推進機構 「暗号技術監視委員会報告」 目次 はじめに ······················································· 1 本報告書の利用にあたって ······································· 2 委員会構成 ····················································· 3 委員名簿 ······················································· 4 第 1 章 活動の目的 ··················································· 7 1.1 電子政府システムの安全性確保 ··································· 7 1.2 暗号技術監視委員会············································· 8 1.3 電子政府推奨暗号リスト········································· 9 1.4 活動の方針····················································· 9 第 2 章 電子政府推奨暗号リスト改訂について ·························· 11 2.1 改訂の背景 ··················································· 11 2.2 改訂の目的 ··················································· 11 2.3 電子政府推奨暗号リストの改訂に関する骨子······················ 11 2.3.1 現リストの構成の見直し ·································· 12 2.3.2 暗号技術公募の基本方針 ·································· 14 2.3.3 2009 年度公募カテゴリ ···································· 14 2.3.4 今後のスケジュール ······································ 15 2.4 電子政府推奨暗号リスト改訂のための暗号技術公募(2009 年度) ····· 15 2.4.1 公募の概要 ·············································· 16 2.4.2 2009 年度公募カテゴリ ···································· 16 2.4.3 提出書類 ················································ 17 2.4.4 評価スケジュール(予定) ·································· 17 2.4.5 評価項目 ················································ 18 2.4.6 応募暗号説明会の開催 ···································· 19 2.4.7 ワークショップの開催 ···································· 19 2.5
    [Show full text]
  • This Is a Chapter from the Handbook of Applied Cryptography, by A. Menezes, P. Van Oorschot, and S. Vanstone, CRC Press, 1996. F
    This is a Chapter from the Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996. For further information, see www.cacr.math.uwaterloo.ca/hac CRC Press has granted the following specific permissions for the electronic version of this book: Permission is granted to retrieve, print and store a single copy of this chapter for personal use. This permission does not extend to binding multiple chapters of the book, photocopying or producing copies for other than personal use of the person creating the copy, or making electronic copies available for retrieval by others without prior permission in writing from CRC Press. Except where over-ridden by the specific permission above, the standard copyright notice from CRC Press applies to this electronic version: Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher. The consent of CRC Press does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press for such copying. c 1997 by CRC Press, Inc. Chapter 15 Patents and Standards Contents in Brief 15.1 Introduction :::::::::::::::::::::::::::::635 15.2 Patents on cryptographic techniques ::::::::::::::::635 15.3 Cryptographic standards ::::::::::::::::::::::645 15.4 Notes and further references ::::::::::::::::::::657 15.1 Introduction This chapter discusses two topics which have signi®cant impact on the use of cryptogra- phy in practice: patents and standards.
    [Show full text]
  • I~O Cfc\;'/OODQ
    ..I~O CfC\;'/OODQ ALGORITHM REGISTER ENTRY a) ISO Entry Name fi.so s.~o.I\A~dtCfq,~ 1"\->11-;'-.(~)} b) Name of Algorithm MULTI2 c) IntendedRange of Application 1. Confidentiality 2. HashFunction -as detailedin ISO 10118-2 3. Authentication -as detailedin ISO 9798 4. Data Integrity -as detailedin ISO 9797 d) CryptographicInterface Parameters 1. Input size 64 bits 2. Output size 64 bits 3. Key length: Data key 64 bits Systemkey 256 bits 4. Round number positive integer e) Test Data ROUND NUMBER 128 SYSTEMKEY all O's for 256 bits of systemkey DATA KEY (0123 4567 89AB CDEF) hex INPUT DATA (0000000000000001 )hex INTERMEDIARY (4th ROUND) (772F 558A F46A C13B )hex INTERMEDIARY (8th ROUND) (696E F331 5EDF OBFB )hex INTERMEDIARY (16h ROUND) (9E89 DA58 87CO 8518 )hex INTERMEDIARY (32th ROUND) (3F98 2A 1 F 459A 8023 )hex INTERMEDIARY (64th ROUND) (11 BD C4DO 9DF3 99A8 )hex OUTPUT DATA (128thROUND) (F894 4084 SEll CF89 )hex t) SponsoringAuthority Information-Technology Promotion Agency, Japan(IP A) Shuwashibakoen3-chome Bldg., 6F, 3-1-38 Shibakoen, Minato-kuffokyo 105, JAPAN Tel: +81-3-3437-2301 Fax: +81-3-3437-9421 RegistrationRequested by Hitachi, Ltd. SoftwareDevelopment Center Contactfor Information HisashiHashimoto SeniorEngineer Hitachi, Ltd. SoftwareDevelopment Center WorkstationNetwork SoftwareDepartment TYG 11thBldg. 16-1 3-chome,Nakamachi 1 ISO ,~,Ct /ooo,! ' Atsugi-shi243, JAPAN Tel: +81-462-25-9271 Fax: +81-462-25-9395 g) Date of submission Date of registration II+-No\le.",be..r ,qq Lt- h) Whether the Subject of a National Standard No. i) Patent -License Restriction Two patentsregistered: 1. United States Patent, No.
    [Show full text]
  • Colliding Keys for SC2000-256
    Colliding Keys for SC2000-256 Alex Biryukov1 and Ivica Nikoli´c2 1 University of Luxembourg 2 Nanyang Technological University, Singapore [email protected] [email protected] Abstract. In this work we present analysis for the block cipher SC2000 , which is in the Japanese CRYPTREC portfolio for standardization. In spite of its very complex and non-linear key-schedule we have found a property of the full SC2000-256 (with 256-bit keys) which allows the attacker to find many pairs of keys which generate identical sets of sub- keys. Such colliding keys result in identical encryptions. We designed an algorithm that efficiently produces colliding key pairs in 239 time, which takes a few hours on a PC. We show that there are around 268 collid- ing pairs, and the whole set can be enumerated in 258 time. This result shows that SC2000-256 cannot model an ideal cipher. Furthermore we explain how practical collisions can be produced for both Davies-Meyer and Hiroses hash function constructions instantiated with SC2000-256 . Keywords: SC2000 · block cipher · key collisions · equivalent keys · CRYPTREC · hash function 1 Introduction The block cipher SC2000 [15] was designed by researchers from Fujitsu and the Science University of Tokyo, and submitted to the open call for 128-bit encryption standards organized by Cryptography Research and Evaluation Committees (CRYPTREC). Started in 2000, CRYPTREC is a program of the Japanese government set up to evaluate and recom- mend cryptographic algorithms for use in industry and institutions across Japan. An algorithm becomes a CRYPTREC recommended standard af- ter two stages of evaluations.
    [Show full text]
  • ANALYSIS and INNER-ROUND PIPELINED IMPLEMENTATION of SELECTED PARALLELIZABLE CAESAR COMPETITION CANDIDATES By
    ANALYSIS AND INNER-ROUND PIPELINED IMPLEMENTATION OF SELECTED PARALLELIZABLE CAESAR COMPETITION CANDIDATES by Sanjay Deshpande A Thesis Submitted to the Graduate Faculty of George Mason University in Partial Fulfillment of The Requirements for the Degree of Master of Science Computer Engineering Committee: _________________________________ Dr. Kris Gaj, Thesis Director _________________________________ Dr. Jens Peter Kaps, Committee Member _________________________________ Dr. Xiang Chen, Committee Member _________________________________ Dr. Monson Hayes, Department Chair _________________________________ Dr. Kenneth S. Ball, Dean, Volgenau School of Engineering Date: _____________________________ Fall Semester 2016 George Mason University Fairfax, VA. Analysis and Inner-Round Pipelined Implementation of Selected Parallelizable CAESAR Competition Candidates A Thesis submitted in partial fulfillment of the requirements for the degree of Master of Science at George Mason University by Sanjay Deshpande Bachelor of Technology Jawaharlal Nehru Technological University, 2014 Director: Kris Gaj, Associate Professor Electrical and Computer Engineering Fall Semester 2017 George Mason University Fairfax, VA Copyright: 2016 Sanjay Deshpande All Rights Reserved ii Dedication I dedicate this thesis to Shri Kesari Hanuman, my grandfather Shri Nand Kumar Deshpande, my parents Megha Deshpande & Vinay Deshpande, my advisor Dr. Kris Gaj, and Ankitha Prabhu and my beloved friends. iii Acknowledgement I would like to express my heartfelt gratitude to my advisor Dr. Kris Gaj for his patience, motivation and guidance through the research and thesis documentation. I would also take this opportunity to thank Dr. Jens Peter Kaps, Ekawat Homsirikamol a.k.a “Ice”, William Diehl, Farnoud Farahmand, Panasayya Yalla, Ahmed Ferozpuri, Malik Umar Sharif and Rabia Shahid for their immense help. iv Table of Contents Page List of Tables .....................................................................................................
    [Show full text]
  • Improved Linear Analysis on Block Cipher MULTI2⋆
    Improved Linear Analysis on Block Cipher MULTI2⋆ Yi Lu, Liping Ding, and Yongji Wang National Engineering Research Center of Fundamental Software, Institute of Software, Chinese Academy of Sciences, Beijing, China Abstract. Developed by Hitachi, MULTI2 is a block cipher used mainly to secure the multimedia content. It was registered in ISO/IEC 9979 and was patented in US and Japan. MULTI2 uses the Feistel structure and operates on the 64-bit blocks. The encryption key has 256 bits. This paper studies the linear analysis on MULTI2. We give a detailed bias analysis on MULTI2 round functions. For the first time formal proofs on − their bias properties are given. This allows to find a new 4-round bias 2 2. − . Previously, the best 4-round bias 2 5 7 was proposed. Using our results on the MULTI2 round functions, we propose the linear attacks on r-round MUTLI2 to recover the encryption key. Our linear attack can recover . the 256-bit encryption key in time 246, 260 4, 283 8, 291 7, 2123 4, 2123 2 of r-round encryptions for r = 8, 12, 16, 20, 24, 28 respectively. Further, we can recover the 32-bit sub-key in last round much faster than the whole encryption key recovery, i.e., in time 237 for r = 8, 12, 16, 20, 24. Note that previously, the best linear key-recovery attack was a 20-round . attack with time 293 4 (of 20-round encryptions) and data 239 2. As ISO register recommends to use at least 32 rounds, our attacks remain to be theoretical and do not threaten security for the practical use currently.
    [Show full text]