DOCSLIB.ORG

Nonlinear Invariant Attack

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Nonlinear Invariant Attack September 28, 2016 @ASK2016 Nonlinear Invariant Attack NTT Secure Platform Laboratories and Kobe University Yosuke Todo Copyright©2016 NTT corp. All Rights Reserved. Overview. • Joint work with Gregor Leander and Yu Sasaki. • New type of cryptanalyses. ‐ This attack works on the weak-key setting. • Surprising practical extensions. ‐ Ciphertext-only message recovery attack!! • Good applications. ‐ Scream, iScream, and Midori64. Copyright©2016 NTT corp. All Rights Reserved. 2 Summary of results. Distinguishing attack under known-plaintext setting. Target # of weak keys Data complexity. Distinguishing probability. SCREAM 296 iSCREAM 296 1−푘 푘 1 − 2 Midori64 264 The distinguishing attack incidentally recovers 1 bit of secret key. Message-recovery attack under ciphertext-only setting. Target # of weak keys Maximum # of Data Time recovered bits. complexity. complexity. 96 3 15 SCREAM 2 32 bits 33 ciphertexts 32 = 2 96 3 15 iSCREAM 2 32 bits 33 ciphertexts 32 = 2 64 3 15 Midori64-CTR 2 32h bits 33h ciphertexts 32 ℎ = 2 ℎ ℎ is the number of blocks in the mode of operations. Copyright©2016 NTT corp. All Rights Reserved. 3 Outline 1. Nonlinear invariant attack. ‐ Map of related attacks. • Linear and nonlinear cryptanalyses. • Invariant subspace attack. ‐ Distinguishing attack. 2. Surprising extension toward practical attack. ‐ What’s happened if vulnerable ciphers are used in well- known mode of operations? 3. How to find nonlinear invariant. ‐ Appropriate nonlinear invariants. ‐ How to find nonlinear invariant for KSP round functions. 4. Practical attack on full SCREAM. Copyright©2016 NTT corp. All Rights Reserved. 4 Two streams join in new attacks. Linear attack [Matsui 1993] Nonlinear attack [Harpes et al. 1995] Invariant subspace attack [Gregor et al. 2011] Nonlinear invariant attack [Todo, Gregor, Yu 2016] Copyright©2016 NTT corp. All Rights Reserved. 5 Stream from linear attacks. Linear attack [Matsui 1993] Nonlinear attack [Harpes et al. 1995] Invariant subspace attack [Gregor et al. 2011] Nonlinear invariant attack [Todo, Gregor, Yu 2016] Copyright©2016 NTT corp. All Rights Reserved. 6 Linear attack [Matsui 93]. Key-alternating structure. 푘푖 푥푖 F 푥푖+1 푓푖 푥푖 ⊕ 푓푖+1 푥푖+1 ≈ const 푓푖 푥푖 holds with high probability. 푓푖+1 푥푖+1 next-round 푓푖 and 푓푖+1 are linearly Boolean functions. Copyright©2016 NTT corp. All Rights Reserved. 7 Nonlinear attack [Harpes et al.95]. Key-alternating structure. 푘푖 푥푖 F 푥푖+1 푔푖 푥푖 ⊕ 푔푖+1 푥푖+1 ≈ const 푔푖 푥푖 holds with high probability. 푔푖+1 푥푖+1 next-round 푔푖 and 푔푖+1 are nonlinearly Boolean functions. Copyright©2016 NTT corp. All Rights Reserved. 8 Insurmountable problem. Key-alternating structure. 푘푖 푥푖 F 푥푖+1 • The actual propagation of nonlinear mask depends on the specific value of the state. • Therefore, we cannot join nonlinear masks for two rounds. Copyright©2016 NTT corp. All Rights Reserved. 9 Nonlinear invariant attack. Key-alternating structure. Alternatively, we limit the space of secret keys. 푘푖 푥푖 F 푥푖+1 푔푖 푥푖 ⊕ 푔푖+1 푥푖+1 = const 푔푖 푥푖 with probability one. 푔푖+1 푥푖+1 next-round 푔푖 and 푔푖+1 are nonlinearly Boolean functions. Copyright©2016 NTT corp. All Rights Reserved. 10 Stream from invariant subspace attacks. Linear attack [Matsui 1993] Nonlinear attack [Harpes et al. 1995] Invariant subspace attack [Gregor et al. 2011] Nonlinear invariant attack [Todo, Gregor, Yu 2016] Copyright©2016 NTT corp. All Rights Reserved. 11 Invariant subspace attacks Key-alternating structure. weak keys. 푘푖 푥푖 F 푥푖+1 key-add F U+a U+a U+b next-round Copyright©2016 NTT corp. All Rights Reserved. 12 Nonlinear invarinat attack. Key-alternating structure. weak keys. 푘푖 푥푖 F 푥푖+1 key-add F 푔0 푔0 푔0 푔1 푔1 푔1 next-round Copyright©2016 NTT corp. All Rights Reserved. 13 Nonlinear invarinat attack. Key-alternating structure. weak keys. 푘푖 푥푖 F 푥푖+1 key-add F 푔0 푔0 푔0 푔1 푔1 푔1 next-round Copyright©2016 NTT corp. All Rights Reserved. 14 Distinguishing attack. • If the block cipher has the nonlinear invariant, we can easily distinguish from ideal ciphers. 1. Collect 푘 known plaintexts (푝푖, 푐푖). 2. Compute 푔푝 푝푖 ⊕ 푔푐(푐푖) for 푘 pair. Then 푘 XORs are always the same. The probability that ideal ciphers have this property is 2−푘+1. • At most one bit of information leaks from 푔푝 푝푖 ⊕ 푔푐(푐푖). Copyright©2016 NTT corp. All Rights Reserved. 15 Outline 1. Nonlinear invariant attack. ‐ Map of related attacks. • Linear and nonlinear cryptanalyses. • Invariant subspace attack. ‐ Distinguishing attack. 2. Surprising extension toward practical attack. ‐ What’s happened if vulnerable ciphers are used in well- known mode of operations? 3. How to find nonlinear invariant. ‐ Appropriate nonlinear invariants. ‐ How to find nonlinear invariant for KSP round functions. 4. Practical attack on full SCREAM. Copyright©2016 NTT corp. All Rights Reserved. 16 Practical attacks. strong Chosen-plaintext attacks (CPA) is natural assumption for cryptographers. is debatable in practical case. Assumption. Known-plaintext attacks (KPA) is very weak assumption for cryptographers. sometimes holds in practical case. Ciphertext-only attacks (COA) is unlikely to happen for cryptographers. is information-theoretically impossible w/o assumptions. causes non-negligible risks in practical use if possible. weak Copyright©2016 NTT corp. All Rights Reserved. 17 Our attack assumptions. • Attackers can collect multiple ciphertext blocks whose original message is the same but the IV is different. • Then, we can recover the part of message. 퐸 푘,퐼푉1 Ciphertext block 퐸푘,퐼푉2 Plaintext 퐸푘,퐼푉3 Ciphertext block block Ciphertext block Copyright©2016 NTT corp. All Rights Reserved. 18 Is this assumption practical? • It’s very difficult questions because it depends on applications. • We believe it’s more practical than KPA. • Example of vulnerable application. ‐ Application sometimes sends the ciphertext of a password for the authentication. And, attackers know the behavior of the application. Copyright©2016 NTT corp. All Rights Reserved. 19 CBC mode. P1 P2 P3 Ph IV (C0) EK EK EK EK C1 C2 C3 Ch If Ek has nonlinear invariants, 푔푝 퐶푖−1 ⊕ 푃푖 ⊕ 푔푐 퐶푖 = const Copyright©2016 NTT corp. All Rights Reserved. 20 Message-recovery attacks. • Attackers know IV and ciphertexts, and 푔푝 퐶푖−1 ⊕ 푃푖 ⊕ 푔푐 퐶푖 is always constant. • We collect multiple (퐶푖−1, 퐶푖) whose corresponding 푃푖 is the same. • By guessing 푃푖, we can recover it only from ciphertexts. ‐ Bits of 푃푖 that involve the nonlinear term of the function 푔 can be recovered. ‐ Practically, the time complexity to recover 푡 bits 3 of 푃푖 is at most 푡 . Copyright©2016 NTT corp. All Rights Reserved. 21 Outline 1. Nonlinear invariant attack. ‐ Map of related attacks. • Linear and nonlinear cryptanalyses. • Invariant subspace attack. ‐ Distinguishing attack. 2. Surprising extension toward practical attack. ‐ What’s happened if vulnerable ciphers are used in well- known mode of operations? 3. How to find nonlinear invariant. ‐ Appropriate nonlinear invariants. ‐ How to find nonlinear invariant for KSP round functions. 4. Practical attack on full SCREAM. Copyright©2016 NTT corp. All Rights Reserved. 22 Nonlinear invariant attack. Key-alternating structure. Alternatively, we limit the space of secret keys. 푘푖 푥푖 F 푥푖+1 푔푖 푥푖 ⊕ 푔푖+1 푥푖+1 = const 푔푖 푥푖 with probability one. 푔푖+1 푥푖+1 next-round We have to search for nonlinear invariants that hold in arbitrary number of rounds. Copyright©2016 NTT corp. All Rights Reserved. 23 Nonlinear invariant attack. Key-alternating structure. Alternatively, we limit the space of secret keys. 푘푖 푥푖 F 푥푖+1 푔 푥푖 ⊕ 푔 푥푖+1 = const 푔 푥푖 with probability one. 푔 푥푖+1 next-round The property tribially holds if 푔푖 = 푔푖+1. Copyright©2016 NTT corp. All Rights Reserved. 24 Searching for nonlinear invariants. • Assume that KSP-type round function. S S L S S Copyright©2016 NTT corp. All Rights Reserved. 25 Nonlinear invariants for S-box. 푥1 S 푔푖 푥푖 ⊕ 푔푖 푆 푥푖 = cons 푥2 S L 푥3 S 푥4 S • Because the bit size of S-boxes is generally small, it’s not difficult to find nonlinear invariant for S-boxes. Copyright©2016 NTT corp. All Rights Reserved. 26 Example. • Nonlinear invariant for the S-box in Scream. 푔 푥 = 푥1푥2 ⊕ 푥0 ⊕ 푥2 ⊕ 푥5 8 Then, for all 푥 ∈ 픽2, 푔 푥 = 푔 푆 푥 ⊕ 1. • Nonlinear invariant for the S-box in Midori64. 푔 푥 = 푥2푥3 ⊕ 푥0 ⊕ 푥1 ⊕ 푥2 4 Then, for all 푥 ∈ 픽2, 푔 푥 = 푔 푆 푥 . Copyright©2016 NTT corp. All Rights Reserved. 27 Nonlinear invariant for S-box layer. 푥1 S 푔푖 푥푖 ⊕ 푔푖 푆 푥푖 = cons 푥2 S L 푥3 S 푔 푥 = 푔푖(푥푖) 푖∈Λ 푥4 S • If the function 푔푖 is nonlinear invariant for the th S-box, the function 푖∈Λ 푔푖(푥푖) becomes nonlinear invariant for the S-box layer for any set Λ. Copyright©2016 NTT corp. All Rights Reserved. 28 Nonlinear invariants for key XORing. 푥 1 S 푔 푥 ⊕ 푔 푥 ⊕ 푘 = cons 푥2 S L 푥3 S 푔 푥 = 푔푖(푥푖) 푖∈Λ 푥4 S • If “1s” in 푘 are involved in only linear term of the function 푔, 푔 푥 ⊕ 푘 = 푔 푥 ⊕ 푔(푘). • 푔 푥 ⊕ 푔 푥 ⊕ 푘 = 푔 푘 = cons. Copyright©2016 NTT corp. All Rights Reserved. 29 Example. • Nonlinear invariant for the S-box in Scream. 푔 푥 = 푥1푥2 ⊕ 푥0 ⊕ 푥2 ⊕ 푥5 If 푘1 = 푘2 = 0, 푔 푥 ⊕ 푘 = 푔 푥 ⊕ 푔(푘) • Nonlinear invariant for the S-box in Midori64. 푔 푥 = 푥2푥3 ⊕ 푥0 ⊕ 푥1 ⊕ 푥2 If 푘2 = 푘3 = 0, 푔 푥 ⊕ 푘 = 푔 푥 ⊕ 푔(푘) Copyright©2016 NTT corp. All Rights Reserved. 30 Nonlinear invariant for linear layer. 푥 1 S 푔 푥 ⊕ 푔 퐿 푥 = cons 푥2 S 푛 L 푥3 S 푔 푥 = 푔푖(푥푖) 푖=1 푥4 S • If the linear function is binary orthogonal and there is a quadratic invariant for the S-box, 푛 푔푖=1(푥푖) is nonlinear invariant for the linear layer.
Load more

Recommended publications
  • Zero Correlation Linear Cryptanalysis on LEA Family Ciphers
    Journal of Communications Vol. 11, No. 7, July 2016 Zero Correlation Linear Cryptanalysis on LEA Family Ciphers Kai Zhang, Jie Guan, and Bin Hu Information Science and Technology Institute, Zhengzhou 450000, China Email: [email protected]; [email protected]; [email protected] Abstract—In recent two years, zero correlation linear Zero correlation linear cryptanalysis was firstly cryptanalysis has shown its great potential in cryptanalysis and proposed by Andrey Bogdanov and Vicent Rijmen in it has proven to be effective against massive ciphers. LEA is a 2011 [2], [3]. Generally speaking, this cryptanalytic block cipher proposed by Deukjo Hong, who is the designer of method can be concluded as “use linear approximation of an ISO standard block cipher - HIGHT. This paper evaluates the probability 1/2 to eliminate the wrong key candidates”. security level on LEA family ciphers against zero correlation linear cryptanalysis. Firstly, we identify some 9-round zero However, in this basic model of zero correlation linear correlation linear hulls for LEA. Accordingly, we propose a cryptanalysis, the data complexity is about half of the full distinguishing attack on all variants of 9-round LEA family code book. The high data complexity greatly limits the ciphers. Then we propose the first zero correlation linear application of this new method. In FSE 2012, multiple cryptanalysis on 13-round LEA-192 and 14-round LEA-256. zero correlation linear cryptanalysis [4] was proposed For 13-round LEA-192, we propose a key recovery attack with which use multiple zero correlation linear approximations time complexity of 2131.30 13-round LEA encryptions, data to reduce the data complexity.
    [Show full text]
  • 3GPP TR 55.919 V6.1.0 (2002-12) Technical Report
    3GPP TR 55.919 V6.1.0 (2002-12) Technical Report 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Specification of the A5/3 Encryption Algorithms for GSM and ECSD, and the GEA3 Encryption Algorithm for GPRS; Document 4: Design and evaluation report (Release 6) R GLOBAL SYSTEM FOR MOBILE COMMUNICATIONS The present document has been developed within the 3rd Generation Partnership Project (3GPP TM) and may be further elaborated for the purposes of 3GPP. The present document has not been subject to any approval process by the 3GPP Organizational Partners and shall not be implemented. This Specification is provided for future development work within 3GPP only. The Organizational Partners accept no liability for any use of this Specification. Specifications and reports for implementation of the 3GPP TM system should be obtained via the 3GPP Organizational Partners' Publications Offices. Release 6 2 3GPP TR 55.919 V6.1.0 (2002-12) Keywords GSM, GPRS, security, algorithm 3GPP Postal address 3GPP support office address 650 Route des Lucioles - Sophia Antipolis Valbonne - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Internet http://www.3gpp.org Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. © 2002, 3GPP Organizational Partners (ARIB, CWTS, ETSI, T1, TTA, TTC). All rights reserved. 3GPP Release 6 3 3GPP TR 55.919 V6.1.0 (2002-12) Contents Foreword ............................................................................................................................................................5
    [Show full text]
  • Balanced Permutations Even–Mansour Ciphers
    Article Balanced Permutations Even–Mansour Ciphers Shoni Gilboa 1, Shay Gueron 2,3 ∗ and Mridul Nandi 4 1 Department of Mathematics and Computer Science, The Open University of Israel, Raanana 4353701, Israel; [email protected] 2 Department of Mathematics, University of Haifa, Haifa 3498838, Israel 3 Intel Corporation, Israel Development Center, Haifa 31015, Israel 4 Indian Statistical Institute, Kolkata 700108, India; [email protected] * Correspondence: [email protected]; Tel.: +04-824-0161 Academic Editor: Kwangjo Kim Received: 2 February 2016; Accepted: 30 March 2016; Published: 1 April 2016 Abstract: The r-rounds Even–Mansour block cipher is a generalization of the well known Even–Mansour block cipher to r iterations. Attacks on this construction were described by Nikoli´c et al. and Dinur et al. for r = 2, 3. These attacks are only marginally better than brute force but are based on an interesting observation (due to Nikoli´c et al.): for a “typical” permutation P, the distribution of P(x) ⊕ x is not uniform. This naturally raises the following question. Let us call permutations for which the distribution of P(x) ⊕ x is uniformly “balanced” — is there a sufficiently large family of balanced permutations, and what is the security of the resulting Even–Mansour block cipher? We show how to generate families of balanced permutations from the Luby–Rackoff construction and use them to define a 2n-bit block cipher from the 2-round Even–Mansour scheme. We prove that this cipher is indistinguishable from a random permutation of f0, 1g2n, for any adversary who has oracle access to the public permutations and to an encryption/decryption oracle, as long as the number of queries is o(2n/2).
    [Show full text]
  • On the Security of IV Dependent Stream Ciphers
    On the Security of IV Dependent Stream Ciphers Côme Berbain and Henri Gilbert France Telecom R&D {[email protected]} research & development Stream Ciphers IV-less IV-dependent key K key K IV (initial value) number ? generator keystream keystream plaintext ⊕ ciphertext plaintext ⊕ ciphertext e.g. RC4, Shrinking Generator e.g. SNOW, Scream, eSTREAM ciphers well founded theory [S81,Y82,BM84] less unanimously agreed theory practical limitations: prior work [RC94, HN01, Z06] - no reuse of K numerous chosen IV attacks - synchronisation - key and IV setup not well understood IV setup – H. Gilbert (2) research & developement Orange Group Outline security requirements on IV-dependent stream ciphers whole cipher key and IV setup key and IV setup constructions satisfying these requirements blockcipher based tree based application example: QUAD incorporate key and IV setup in QUAD's provable security argument IV setup – H. Gilbert (3) research & developement Orange Group Security in IV-less case: PRNG notion m K∈R{0,1} number truly random VS generator g generator g g(K) ∈{0,1}L L OR Z ∈R{0,1} 1 input A 0 or 1 PRNG A tests number distributions: Adv g (A) = PrK [A(g(K)) = 1] − PrZ [A(Z) = 1] PRNG PRNG Advg (t) = maxA,T(A)≤t (Advg (A)) PRNG 80 g is a secure cipher ⇔ g is a PRNG ⇔ Advg (t < 2 ) <<1 IV setup – H. Gilbert (4) research & developement Orange Group Security in IV-dependent case: PRF notion stream cipher perfect random fct. IV∈ {0,1}n function generator VSOR g* gK G = {gK} gK(IV) q oracle queries • A 0 or 1 PRF gK g* A tests function distributions: Adv G (A) = Pr[A = 1] − Pr[A = 1] PRF PRF Adv G (t, q) = max A (Adv G (A)) PRF 80 40 G is a secure cipher ⇔ G is a PRF ⇔ Adv G (t < 2 ,2 ) << 1 IV setup – H.
    [Show full text]
  • 9/11 Report”), July 2, 2004, Pp
    Final FM.1pp 7/17/04 5:25 PM Page i THE 9/11 COMMISSION REPORT Final FM.1pp 7/17/04 5:25 PM Page v CONTENTS List of Illustrations and Tables ix Member List xi Staff List xiii–xiv Preface xv 1. “WE HAVE SOME PLANES” 1 1.1 Inside the Four Flights 1 1.2 Improvising a Homeland Defense 14 1.3 National Crisis Management 35 2. THE FOUNDATION OF THE NEW TERRORISM 47 2.1 A Declaration of War 47 2.2 Bin Ladin’s Appeal in the Islamic World 48 2.3 The Rise of Bin Ladin and al Qaeda (1988–1992) 55 2.4 Building an Organization, Declaring War on the United States (1992–1996) 59 2.5 Al Qaeda’s Renewal in Afghanistan (1996–1998) 63 3. COUNTERTERRORISM EVOLVES 71 3.1 From the Old Terrorism to the New: The First World Trade Center Bombing 71 3.2 Adaptation—and Nonadaptation— ...in the Law Enforcement Community 73 3.3 . and in the Federal Aviation Administration 82 3.4 . and in the Intelligence Community 86 v Final FM.1pp 7/17/04 5:25 PM Page vi 3.5 . and in the State Department and the Defense Department 93 3.6 . and in the White House 98 3.7 . and in the Congress 102 4. RESPONSES TO AL QAEDA’S INITIAL ASSAULTS 108 4.1 Before the Bombings in Kenya and Tanzania 108 4.2 Crisis:August 1998 115 4.3 Diplomacy 121 4.4 Covert Action 126 4.5 Searching for Fresh Options 134 5.
    [Show full text]
  • Ascon (A Submission to CAESAR)
    Ascon (A Submission to CAESAR) Ch. Dobraunig1, M. Eichlseder1, F. Mendel1, M. Schl¨affer2 1IAIK, Graz University of Technology, Austria 2Infineon Technologies AG, Austria 22nd Crypto Day, Infineon, Munich Overview CAESAR Design of Ascon Security analysis Implementations 1 / 20 CAESAR CAESAR: Competition for Authenticated Encryption { Security, Applicability, and Robustness (2014{2018) http://competitions.cr.yp.to/caesar.html Inspired by AES, eStream, SHA-3 Authenticated Encryption Confidentiality as provided by block cipher modes Authenticity, Integrity as provided by MACs \it is very easy to accidentally combine secure encryption schemes with secure MACs and still get insecure authenticated encryption schemes" { Kohno, Whiting, and Viega 2 / 20 CAESAR CAESAR: Competition for Authenticated Encryption { Security, Applicability, and Robustness (2014{2018) http://competitions.cr.yp.to/caesar.html Inspired by AES, eStream, SHA-3 Authenticated Encryption Confidentiality as provided by block cipher modes Authenticity, Integrity as provided by MACs \it is very easy to accidentally combine secure encryption schemes with secure MACs and still get insecure authenticated encryption schemes" { Kohno, Whiting, and Viega 2 / 20 Generic compositions MAC-then-Encrypt (MtE) e.g. in SSL/TLS MAC M security depends on E and MAC E ∗ C T k Encrypt-and-MAC (E&M) ∗ e.g. in SSH E C M security depends on E and MAC MAC T Encrypt-then-MAC (EtM) ∗ IPSec, ISO/IEC 19772:2009 M E C provably secure MAC T 3 / 20 Tags for M = IV (N 1), M = IV (N 2), . ⊕ k ⊕ k are the key stream to read M1, M2,... (Keys for) E ∗ and MAC must be independent! Pitfalls: Dependent Keys (Confidentiality) Encrypt-and-MAC with CBC-MAC and CTR CTR CBC-MAC Nk1 Nk2 Nk` M1 M2 M` IV ··· EK EK ··· EK EK EK EK M1 M2 M` C1 C2 C` T What can an attacker do? 4 / 20 Pitfalls: Dependent Keys (Confidentiality) Encrypt-and-MAC with CBC-MAC and CTR CTR CBC-MAC Nk1 Nk2 Nk` M1 M2 M` IV ··· EK EK ··· EK EK EK EK M1 M2 M` C1 C2 C` T What can an attacker do? Tags for M = IV (N 1), M = IV (N 2), .
    [Show full text]
  • Stream Cipher Designs: a Review
    SCIENCE CHINA Information Sciences March 2020, Vol. 63 131101:1–131101:25 . REVIEW . https://doi.org/10.1007/s11432-018-9929-x Stream cipher designs: a review Lin JIAO1*, Yonglin HAO1 & Dengguo FENG1,2* 1 State Key Laboratory of Cryptology, Beijing 100878, China; 2 State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China Received 13 August 2018/Accepted 30 June 2019/Published online 10 February 2020 Abstract Stream cipher is an important branch of symmetric cryptosystems, which takes obvious advan- tages in speed and scale of hardware implementation. It is suitable for using in the cases of massive data transfer or resource constraints, and has always been a hot and central research topic in cryptography. With the rapid development of network and communication technology, cipher algorithms play more and more crucial role in information security. Simultaneously, the application environment of cipher algorithms is in- creasingly complex, which challenges the existing cipher algorithms and calls for novel suitable designs. To accommodate new strict requirements and provide systematic scientific basis for future designs, this paper reviews the development history of stream ciphers, classifies and summarizes the design principles of typical stream ciphers in groups, briefly discusses the advantages and weakness of various stream ciphers in terms of security and implementation. Finally, it tries to foresee the prospective design directions of stream ciphers. Keywords stream cipher, survey, lightweight, authenticated encryption, homomorphic encryption Citation Jiao L, Hao Y L, Feng D G. Stream cipher designs: a review. Sci China Inf Sci, 2020, 63(3): 131101, https://doi.org/10.1007/s11432-018-9929-x 1 Introduction The widely applied e-commerce, e-government, along with the fast developing cloud computing, big data, have triggered high demands in both efficiency and security of information processing.
    [Show full text]
  • Pseudorandomness of Basic Structures in the Block Cipher KASUMI
    Pseudorandomness of Basic Structures in the Block Cipher KASUMI Ju-Sung Kang, Bart Preneel, Heuisu Ryu, Kyo Il Chung, and Chee Hang Park The notion of pseudorandomness is the theoretical I. INTRODUCTION foundation on which to consider the soundness of a basic structure used in some block ciphers. We examine the A block cipher is a family of permutations on a message pseudorandomness of the block cipher KASUMI, which space indexed by a secret key. Luby and Rackoff [1] will be used in the next-generation cellular phones. First, we introduced a theoretical model for the security of block ciphers prove that the four-round unbalanced MISTY-type by using the notion of pseudorandom and super-pseudorandom transformation is pseudorandom in order to illustrate the permutations. A pseudorandom permutation can be interpreted pseudorandomness of the inside round function FI of as a block cipher that cannot be distinguished from a truly KASUMI under an adaptive distinguisher model. Second, random permutation regardless of how many polynomial we show that the three-round KASUMI-like structure is not encryption queries an attacker makes. A super-pseudorandom pseudorandom but the four-round KASUMI-like structure permutation can be interpreted as a block cipher that cannot be is pseudorandom under a non-adaptive distinguisher model. distinguished from a truly random permutation regardless of how many polynomial encryption and decryption queries an attacker makes. Luby and Rackoff used a Feistel-type transformation defined by the typical two-block structure of the block cipher DES in order to construct pseudorandom and super-pseudorandom permutations from pseudorandom functions [1].
    [Show full text]
  • 2013 Summer Challenge Book List TM
    2013 Summer Challenge Book List TM www.scholastic.com/summer Ages 3-5 (By Title, Author and Illustrator) F ABC Drive, Naomi Howland F Corduroy, Don Freeman F Happy Birthday, Hamster, Cynthia Lord & Derek Anderson F ABC I Like Me!, Nancy Carlson F A Den is a Bed for a Bear, Becky Baines F Harold and the Purple Crayon, Crockett Johnson F The ABCs of Thanks and Please, Diane C. Ohanesian F Dolphin Baby!, Nicola Davies F Here Come the Girl Scouts!, Shana Corey & Hadley Hooper F Abuela, Arthur Dorros & Elisa Kleven F Don’t Worry, Douglas!, David Melling F Homer, Shelley Rotner & Diane Detroit F Alexander and the Terrible, Horrible, No Good, F The Dot, Peter H. Reynolds Very Bad Day, Judith Viorst & Ray Cruz F The House that George Built, Suzanne Slade F Exclamation Mark, Amy Krouse Rosenthal & Tom Lichtenheld F Alice the Fairy, David Shannon F A House is a House for Me, Family Pictures, Carmen Lomas Garza F Mary Ann Hoberman & Betty Fraser F Alphabet Under Construction, Denise Fleming F First the Egg, Laura Vaccaro Seeger F How Do Dinosaurs Say Happy Birthday?, F All Kinds of Families!, Mary Ann Hoberman F Five Little Monkeys Reading in Bed, Eileen Christelow Jane Yolen & Mark Teague F The Are You Ready for Kindergarten? F How Does Your Salad Grow?, Francie Alexander workbook series, Kumon Publishing F The Frog & Toad Are Friends, Arnold Lobel F How Georgie Radboum Saved Baseball, David Shannon F Baby Bear Sees Blue, Ashley Wolff F The Froggy books, Jonathan London & Frank Remkiewicz F Huck Runs Amuck, Sean F Bailey, Harry Bliss F The Geronimo Stilton series, Geronimo Stilton F I Am Small, Emma Dodd F Bats at the Beach, Brian Lies F Gilbert Goldfish Wants a Pet, Kelly DiPucchio & Bob Shea F I Read Signs, Ana Hoban F Bird, Butterfly, Eel, James Prosek F The Giving Tree, Shel Silverstein F If Rocks Could Sing, Leslie McGuirk F Brown Bear, Brown Bear, What Do You See?, F Gone with the Wand, Margie Palatini Bill Martin Jr.
    [Show full text]
  • D-DOG: Securing Sensitive Data in Distributed Storage Space by Data Division and Out-Of-Order Keystream Generation †Jun Feng, †Yu Chen*, ‡Wei-Shinn Ku, §Zhou Su †Dept
    D-DOG: Securing Sensitive Data in Distributed Storage Space by Data Division and Out-of-order keystream Generation †Jun Feng, †Yu Chen*, ‡Wei-Shinn Ku, §Zhou Su †Dept. of Electrical & Computer Engineering, SUNY - Binghamton, Binghamton, NY 13902 ‡Dept. of Computer Science & Software Engineering, Auburn University, Auburn, AL 36849 §Dept. of Computer Science, Waseda University, Ohkubo 3-4-1, Shinjyuku, Tokyo 169-8555, Japan {jfeng3, ychen }@binghamton.edu, [email protected], [email protected] ∗ Abstract - Migrating from server-attached storage to system against the attacks/intrusion from outsiders. The distributed storage brings new vulnerabilities in creating a confidentiality and integrity of data are mostly achieved secure data storage and access facility. Particularly it is a using robust cryptograph schemes. challenge on top of insecure networks or unreliable storage However, such a security system is not robust enough to service providers. For example, in applications such as cloud protect the data in distributed storage applications at the computing where data storage is transparent to the owner. It is level of wide area networks. The recent progress of network even harder to protect the data stored in unreliable hosts. technology enables global-scale collaboration over More robust security scheme is desired to prevent adversaries heterogeneous networks under different authorities. For from obtaining sensitive information when the data is in their hands. Meanwhile, the performance gap between the execution instance, in the environment of peer-to-peer (P2P) file speed of security software and the amount of data to be sharing or the distributed storage in cloud computing processed is ever widening. A common solution to close the environment, it enables the concrete data storage to be even performance gap is through hardware implementation.
    [Show full text]
  • Design and Analysis of Lightweight Block Ciphers : a Focus on the Linear
    Design and Analysis of Lightweight Block Ciphers: A Focus on the Linear Layer Christof Beierle Doctoral Dissertation Faculty of Mathematics Ruhr-Universit¨atBochum December 2017 Design and Analysis of Lightweight Block Ciphers: A Focus on the Linear Layer vorgelegt von Christof Beierle Dissertation zur Erlangung des Doktorgrades der Naturwissenschaften an der Fakult¨atf¨urMathematik der Ruhr-Universit¨atBochum Dezember 2017 First reviewer: Prof. Dr. Gregor Leander Second reviewer: Prof. Dr. Alexander May Date of oral examination: February 9, 2018 Abstract Lots of cryptographic schemes are based on block ciphers. Formally, a block cipher can be defined as a family of permutations on a finite binary vector space. A majority of modern constructions is based on the alternation of a nonlinear and a linear operation. The scope of this work is to study the linear operation with regard to optimized efficiency and necessary security requirements. Our main topics are • the problem of efficiently implementing multiplication with fixed elements in finite fields of characteristic two. • a method for finding optimal alternatives for the ShiftRows operation in AES-like ciphers. • the tweakable block ciphers Skinny and Mantis. • the effect of the choice of the linear operation and the round constants with regard to the resistance against invariant attacks. • the derivation of a security argument for the block cipher Simon that does not rely on computer-aided methods. Zusammenfassung Viele kryptographische Verfahren basieren auf Blockchiffren. Formal kann eine Blockchiffre als eine Familie von Permutationen auf einem endlichen bin¨arenVek- torraum definiert werden. Eine Vielzahl moderner Konstruktionen basiert auf der wechselseitigen Anwendung von nicht-linearen und linearen Abbildungen.
    [Show full text]
  • Scream on MSP430 07282015
    Implementation of the SCREAM Tweakable Block Cipher in MSP430 Assembly Language William Diehl George Mason University, Fairfax VA 22033, USA [email protected] Abstract. The encryption mode of the Tweakable Block Cipher (TBC) of the SCREAM Authenticated Cipher is implemented in the MSP430 microcontroller. Assembly language versions of the TBC are prepared using both precomputed tweak keys and tweak keys computed “on-the-fly.” Both versions are compared against published results for the assembly language version of SCREAM on the ATMEL AVR microcontroller, and against the C reference implementation in terms of performance and size. The assembly language version using precomputed tweak keys achieves a speedup of 1.7 and memory savings of 9 percent over the reported SCREAM implementation in the ATMEL AVR. The assembly language version using tweak keys computed “on-the-fly” achieves a speedup of 1.6 over the ATMEL AVR version while reducing memory usage by 15 percent. Keywords: Cryptography, encryption, MSP430, assembly, speed, efficiency 1 Introduction Authenticated ciphers combine the functionality of confidentiality and integrity into one algorithm. In 2014 the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) called for submission of authenticated cipher candidates [1]. CAESAR candidates are evaluated in terms of security, size, robustness, flexibility, and performance. Software reference implementations written in C code are required as part of Rounds One and Two submissions. Many of the Round One submissions contained the authors’ evaluations in both hardware and software. Additionally, several Round One submissions investigated the software performance of the authors’ algorithms on various types of platforms, including high-end CPU and resource-constrained microcontrollers suitable for embedded applications.
    [Show full text]