DOCSLIB.ORG

Improved Integral Attacks on Reduced Round Camellia

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

International Workshop on Cloud Computing and Information Security (CCIS 2013) Integral Attacks on Feistel-SP Structure Block Cipher Yanjun Li Wenling Wu, Lei Zhang, and Liting Zhang The Department of Information Security State Key Laboratory of Information Security Beijing Electronic Science and Technology Institute Institute of Software, Chinese Academy of Sciences Beijing, P.R. China Beijing, P.R. China [email protected] Abstract-In this paper, a method is presented to extend the 11-round Camellia-128 with the data complexity of 2120 length of integral distinguisher of Feistel-SP structure, based and the time complexity of 2125.5, and 12-round on which a new 8-round distinguisher for the block cipher Camellia-256 with the data complexity of 2120 and the Camellia is proposed. Moreover, integral attacks on time complexity of 2214.3. The result is the best integral -1 round-reduced Camellia without FL/FL are improved. We attack on round-reduced Camellia so far. attack 11-round Camellia-128 with the data complexity of This paper is organized as follows: Section II provides 2120 and the time complexity of 2125.5, and attack 12-round Camellia-256 with the data complexity of 2120 and the time a brief description of preliminaries. Section III describes a complexity of 2214.3. These attacks are the best integral method to extend the length of the distinguisher. Section attacks on round-reduced Camellia so far. IV describes the attacks on 11/12-round Camellia. Finally, Section V concludes this paper. Keywords-block cipher, distinguisher, integral attack, camellia, partial sum technique II. PRELIMINARIES A. Description of Camellia I. INTRODUCTION Camellia is a Feistel-SP style block cipher with The block cipher Camellia was proposed by NTT and 1 Mitsubishi in 2000[1]. It is based on Feistel structure with FL/ FL layers, and the number of rounds are 18/24/24 SP-type F function and FL/FL-1 functions layers, and it corresponding to key length of 128/192/256 bits. 1 supports the block length of 128 bits and a variable key Additionally, FL/ FL function is inserted every 6 length of 128/192/256 bits. Camellia was accepted by rounds (Fig.1). The round keys are derived from the ISO/IEC as an international standard[6]. It is also a winner master key by means of key scheduling.The key schedule of NESSIE, CRYPTREC project and IETF. The security constants are listed in Table 1. In this paper the input and of Camellia was initially analyzed by the algorithm output of round function are treated as two 8-byte vectors designers. Efficient attacks on Camellia include linear over F 8 . 28 cryptanalysis[14], differential cryptanalysis[13,14], [15, 17] P impossible differential cryptanalysis , truncated X1 X0 [7, 9,15] K F differential cryptanalysis , higher order differential K 1 cryptanalysis[5], collision attack[16] and Square attack[3, 19, 20] -1 . The best attacks on Camellia without FL/FL function 6-Round X 2 F2 layer were impossible differential cryptanalysis [18], which can attack 12-round Camellia-128 and 16- round -1 FL FL-1 Camellia-256 without FL/FL . X3 F3 Integral attack was extended from Square attack, [2] which is one of the best attacks on AES . Ferguson et al. 6-Round X in [4] improved this attack to 8 rounds version of 4 F4 Rijndael-128 with the partial sum technique and the herd technique. Knudsen and Wagner first proposed the FL FL-1 X5 F5 definition of integral and analyzed it as a dual to differential attacks particularly applicable to block 6-round [8] ciphers with bijective components . Several years later, X 6 F6 Reza Z'aba et al. presented bit pattern based integral K K attack [12]. The integral attack applied to many kinds of [11] [10] block ciphers so far, such as Rijndael , ARIA , and C Serpent [12]. Higher order differential attack and Square Fig. 1. The Structure of Camellia-128 attack are different from integral attack. However, the length of their distinguisher can be extended by using the The round function of Camellia includes three basic integral property. In this paper a method is presented to operations: Round Key Addition, Substitution Layer and extend the length of Camellia’s distinguisher, based on Diffusion Layer (Fig.2). These three basic operations are which the effect of integral attack will be improved. defined as follows: Moreover, this method can also be used even on any Round Key Addition (RKA): The 64-bit round key is Feistel-SP structure. Then a new 8-round distinguisher of Xored to the state. Camellia without FL/FL-1 is proposed. Finally, we attack Substitution Layer (SL): A non-linear byte substitution © 2013. The authors - Published by Atlantis Press 156 operation is applied to each byte of the state and Round Key Addition Layer will not affect this independently. In Camellia this is implemented by 4 property of saturation. However, the linear transformation S-boxes with the relationship as follows. influences the length of the integral distinguisher. Integral s21( a ) s ( a ) 1; attack considers a particular collection of m bytes in the s( a ) s ( a ) 1; plaintexts and ciphertexts. In [8], Knudsen and Wagner 31 also generalized this approach to higher order integrals: s( a ) s ( a 1). d 41 the original set to consider becomes a set of m vectors Diffusion Layer (DL): The diffusion layer is a function which differ in d components where the sum of this set is PFF: 88 , which is given by 2288 predictable after a certain number of rounds. The sum of this set is called a d th -order integral. In this paper we m1 x 1 x 3 x 4 x 6 x 7 x 8 m x x x x x x not only pay attention to the sum, but also to the 2 1 2 4 5 7 8 appearing times of the sum value. m3 x 1 x 2 x 3 x 5 x 6 x 8 The Partial Sum Technique. In our attack we will m4 x 2 x 3 x 4 x 5 x 6 x 7 use the partial sum technique. For a value c0,,,, c 1 c 2 cl , we define m5 x 1 x 2 x 6 x 7 x 8 u m6 x 2 x 3 x 5 x 7 x 8 xu :[] Sj c j k j . j0 m7 x 3 x 4 x 5 x 6 x 8 Guessing the values of k0 and k1 ,we will complete m8 x 1 x 4 x 5 x 6 x 7 the transformation B. Notations (,,,,)c0 c 1 c 2 cl (,,,)x12 c cl . In the following, we introduce some notations used in Guessing the values of ki , we will complete the this paper. The plaintext are denoted as (,)XX10, where transformation Xi ( x i,1 , x i ,2 , , x i ,8 ), ir0, , 1 . Other notations (,,,,)xi11 c i c i c l (,,,)xi c i1 c l . that will be used in this paper are described as follows: In order to obtain the value of xl , l-1 steps of Br: the output of RKA in r -th round. processing are required. If ci s are in byte pattern, the time 8l 16 Or: the output of SL in r -th round. complexity of the count of xl is 2 2 (l 1) times Mr: the output of DL in r -th round. S-box lookups. For the details of the complexities of each step, the readers can refer to [4]. ki8 m si8 i8 xi8 s1 ki7 III. INTEGRAL DISTINGUISHERS BASED ON si7 mi7 xi7 s4 FEISTEL-SP STRUCTURE ki6 k s i8 i6 mi6 In this section we first explain how to construct a xi6 s3 ki5 2nd-order 5-round integral distinguishers (Sec. 2.1), then si5 m i5 introduce a method to extend the length of integral xi5 s2 ki4 distinguishers and the proof is also given in detail (Sec. si4 mi4 xi4 s4 2.2). ki3 si3 mi3 A. The 2nd-Order 5-Round Integral Distinguisher xi3 s3 ki2 si2 The idea of constructing a 2nd-order 5-round integral x s mi2 i2 2 distinguisher is like that of constructing 5-round higher ki1 si1 x s m order differential distinguishers in [5]. i1 1 i1 [5] Lemma 1 . Let the bytes of xx0,1, 0,2 are active, and Fig. 2. The Round Function of Camellia other bytes of XX01, are constants, each value of t appears even times. 1 Kr : the subkey of the r -th round. t s3( x 6,6 k 6,6 ) [ P ( X7 )] 6 . bri, : the i 1-th byte of Br . B. A Method to Extend the Length of Integral o : the i 1-th byte of O . ri, r Distinguisher mri, : the i 1-th byte of M r . In the structure of Feistel-SP, the Xor operation and kri, : the i 1-th byte of Kr . the permutation P are linear transformations (Fig.3), which can influence the general integral property and also : the active bytes. i can be used to extend the integral distinguisher. Let some C. Higher Order Integral Attack and the Partial Sum bytes of X 0 be active, and the bytes of X1 be constant, Technique and then the input of a known t -round integral Higher Order Integral Attack. The integral attack distinguisher is (,)XX10. Now we extend it backward has many interesting features. It can saturate S-Box Layer 157 by one round using the following formula: denoted as x1,,,,,,,, x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 , and all XFXXPSKXX1 ()0 1 ( (0 )) 1 constants be denoted as 0.
Recommended publications
  • Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher

    Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher

    Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher Florian Mendel1, Thomas Peyrin2, Christian Rechberger1, and Martin Schl¨affer1 1 IAIK, Graz University of Technology, Austria 2 Ingenico, France [email protected],[email protected] Abstract. In this paper, we propose two new ways to mount attacks on the SHA-3 candidates Grøstl, and ECHO, and apply these attacks also to the AES. Our results improve upon and extend the rebound attack. Using the new techniques, we are able to extend the number of rounds in which available degrees of freedom can be used. As a result, we present the first attack on 7 rounds for the Grøstl-256 output transformation3 and improve the semi-free-start collision attack on 6 rounds. Further, we present an improved known-key distinguisher for 7 rounds of the AES block cipher and the internal permutation used in ECHO. Keywords: hash function, block cipher, cryptanalysis, semi-free-start collision, known-key distinguisher 1 Introduction Recently, a new wave of hash function proposals appeared, following a call for submissions to the SHA-3 contest organized by NIST [26]. In order to analyze these proposals, the toolbox which is at the cryptanalysts' disposal needs to be extended. Meet-in-the-middle and differential attacks are commonly used. A recent extension of differential cryptanalysis to hash functions is the rebound attack [22] originally applied to reduced (7.5 rounds) Whirlpool (standardized since 2000 by ISO/IEC 10118-3:2004) and a reduced version (6 rounds) of the SHA-3 candidate Grøstl-256 [14], which both have 10 rounds in total.
  • Cryptanalysis of Feistel Networks with Secret Round Functions Alex Biryukov, Gaëtan Leurent, Léo Perrin

    Cryptanalysis of Feistel Networks with Secret Round Functions Alex Biryukov, Gaëtan Leurent, Léo Perrin

    Cryptanalysis of Feistel Networks with Secret Round Functions Alex Biryukov, Gaëtan Leurent, Léo Perrin To cite this version: Alex Biryukov, Gaëtan Leurent, Léo Perrin. Cryptanalysis of Feistel Networks with Secret Round Functions. Selected Areas in Cryptography - SAC 2015, Aug 2015, Sackville, Canada. hal-01243130 HAL Id: hal-01243130 https://hal.inria.fr/hal-01243130 Submitted on 14 Dec 2015 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Cryptanalysis of Feistel Networks with Secret Round Functions ? Alex Biryukov1, Gaëtan Leurent2, and Léo Perrin3 1 [email protected], University of Luxembourg 2 [email protected], Inria, France 3 [email protected], SnT,University of Luxembourg Abstract. Generic distinguishers against Feistel Network with up to 5 rounds exist in the regular setting and up to 6 rounds in a multi-key setting. We present new cryptanalyses against Feistel Networks with 5, 6 and 7 rounds which are not simply distinguishers but actually recover completely the unknown Feistel functions. When an exclusive-or is used to combine the output of the round function with the other branch, we use the so-called yoyo game which we improved using a heuristic based on particular cycle structures.
  • Key-Dependent Approximations in Cryptanalysis. an Application of Multiple Z4 and Non-Linear Approximations

    Key-Dependent Approximations in Cryptanalysis. an Application of Multiple Z4 and Non-Linear Approximations

    KEY-DEPENDENT APPROXIMATIONS IN CRYPTANALYSIS. AN APPLICATION OF MULTIPLE Z4 AND NON-LINEAR APPROXIMATIONS. FX Standaert, G Rouvroy, G Piret, JJ Quisquater, JD Legat Universite Catholique de Louvain, UCL Crypto Group, Place du Levant, 3, 1348 Louvain-la-Neuve, standaert,rouvroy,piret,quisquater,[email protected] Linear cryptanalysis is a powerful cryptanalytic technique that makes use of a linear approximation over some rounds of a cipher, combined with one (or two) round(s) of key guess. This key guess is usually performed by a partial decryp- tion over every possible key. In this paper, we investigate a particular class of non-linear boolean functions that allows to mount key-dependent approximations of s-boxes. Replacing the classical key guess by these key-dependent approxima- tions allows to quickly distinguish a set of keys including the correct one. By combining different relations, we can make up a system of equations whose solu- tion is the correct key. The resulting attack allows larger flexibility and improves the success rate in some contexts. We apply it to the block cipher Q. In parallel, we propose a chosen-plaintext attack against Q that reduces the required number of plaintext-ciphertext pairs from 297 to 287. 1. INTRODUCTION In its basic version, linear cryptanalysis is a known-plaintext attack that uses a linear relation between input-bits, output-bits and key-bits of an encryption algorithm that holds with a certain probability. If enough plaintext-ciphertext pairs are provided, this approximation can be used to assign probabilities to the possible keys and to locate the most probable one.

  • Grade 6 Reading Student At–Home Activity Packet

    Printer Warning: This packet is lengthy. Determine whether you want to print both sections, or only print Section 1 or 2. Grade 6 Reading Student At–Home Activity Packet This At–Home Activity packet includes two parts, Section 1 and Section 2, each with approximately 10 lessons in it. We recommend that your student complete one lesson each day. Most lessons can be completed independently. However, there are some lessons that would benefit from the support of an adult. If there is not an adult available to help, don’t worry! Just skip those lessons. Encourage your student to just do the best they can with this content—the most important thing is that they continue to work on their reading! Flip to see the Grade 6 Reading activities included in this packet! © 2020 Curriculum Associates, LLC. All rights reserved. Section 1 Table of Contents Grade 6 Reading Activities in Section 1 Lesson Resource Instructions Answer Key Page 1 Grade 6 Ready • Read the Guided Practice: Answers will vary. 10–11 Language Handbook, Introduction. Sample answers: Lesson 9 • Complete the 1. Wouldn’t it be fun to learn about Varying Sentence Guided Practice. insect colonies? Patterns • Complete the 2. When I looked at the museum map, Independent I noticed a new insect exhibit. Lesson 9 Varying Sentence Patterns Introduction Good writers use a variety of sentence types. They mix short and long sentences, and they find different ways to start sentences. Here are ways to improve your writing: Practice. Use different sentence types: statements, questions, imperatives, and exclamations. Use different sentence structures: simple, compound, complex, and compound-complex.
  • Vector Boolean Functions: Applications in Symmetric Cryptography

    Vector Boolean Functions: Applications in Symmetric Cryptography

    Vector Boolean Functions: Applications in Symmetric Cryptography José Antonio Álvarez Cubero Departamento de Matemática Aplicada a las Tecnologías de la Información y las Comunicaciones Universidad Politécnica de Madrid This dissertation is submitted for the degree of Doctor Ingeniero de Telecomunicación Escuela Técnica Superior de Ingenieros de Telecomunicación November 2015 I would like to thank my wife, Isabel, for her love, kindness and support she has shown during the past years it has taken me to finalize this thesis. Furthermore I would also liketo thank my parents for their endless love and support. Last but not least, I would like to thank my loved ones such as my daughter and sisters who have supported me throughout entire process, both by keeping me harmonious and helping me putting pieces together. I will be grateful forever for your love. Declaration The following papers have been published or accepted for publication, and contain material based on the content of this thesis. 1. [7] Álvarez-Cubero, J. A. and Zufiria, P. J. (expected 2016). Algorithm xxx: VBF: A library of C++ classes for vector Boolean functions in cryptography. ACM Transactions on Mathematical Software. (In Press: http://toms.acm.org/Upcoming.html) 2. [6] Álvarez-Cubero, J. A. and Zufiria, P. J. (2012). Cryptographic Criteria on Vector Boolean Functions, chapter 3, pages 51–70. Cryptography and Security in Computing, Jaydip Sen (Ed.), http://www.intechopen.com/books/cryptography-and-security-in-computing/ cryptographic-criteria-on-vector-boolean-functions. (Published) 3. [5] Álvarez-Cubero, J. A. and Zufiria, P. J. (2010). A C++ class for analysing vector Boolean functions from a cryptographic perspective.
  • Integral Cryptanalysis on Full MISTY1⋆

    Integral Cryptanalysis on Full MISTY1⋆

    Integral Cryptanalysis on Full MISTY1? Yosuke Todo NTT Secure Platform Laboratories, Tokyo, Japan [email protected] Abstract. MISTY1 is a block cipher designed by Matsui in 1997. It was well evaluated and standardized by projects, such as CRYPTREC, ISO/IEC, and NESSIE. In this paper, we propose a key recovery attack on the full MISTY1, i.e., we show that 8-round MISTY1 with 5 FL layers does not have 128-bit security. Many attacks against MISTY1 have been proposed, but there is no attack against the full MISTY1. Therefore, our attack is the first cryptanalysis against the full MISTY1. We construct a new integral characteristic by using the propagation characteristic of the division property, which was proposed in 2015. We first improve the division property by optimizing a public S-box and then construct a 6-round integral characteristic on MISTY1. Finally, we recover the secret key of the full MISTY1 with 263:58 chosen plaintexts and 2121 time complexity. Moreover, if we can use 263:994 chosen plaintexts, the time complexity for our attack is reduced to 2107:9. Note that our cryptanalysis is a theoretical attack. Therefore, the practical use of MISTY1 will not be affected by our attack. Keywords: MISTY1, Integral attack, Division property 1 Introduction MISTY [Mat97] is a block cipher designed by Matsui in 1997 and is based on the theory of provable security [Nyb94,NK95] against differential attack [BS90] and linear attack [Mat93]. MISTY has a recursive structure, and the component function has a unique structure, the so-called MISTY structure [Mat96].
  • Related-Key Statistical Cryptanalysis

    Related-Key Statistical Cryptanalysis

    Related-Key Statistical Cryptanalysis Darakhshan J. Mir∗ Poorvi L. Vora Department of Computer Science, Department of Computer Science, Rutgers, The State University of New Jersey George Washington University July 6, 2007 Abstract This paper presents the Cryptanalytic Channel Model (CCM). The model treats statistical key recovery as communication over a low capacity channel, where the channel and the encoding are determined by the cipher and the specific attack. A new attack, related-key recovery – the use of n related keys generated from k independent ones – is defined for all ciphers vulnera- ble to single-key recovery. Unlike classical related-key attacks such as differential related-key cryptanalysis, this attack does not exploit a special structural weakness in the cipher or key schedule, but amplifies the weakness exploited in the basic single key recovery. The related- key-recovery attack is shown to correspond to the use of a concatenated code over the channel, where the relationship among the keys determines the outer code, and the cipher and the attack the inner code. It is shown that there exists a relationship among keys for which the communi- cation complexity per bit of independent key is finite, for any probability of key recovery error. This may be compared to the unbounded communication complexity per bit of the single-key- recovery attack. The practical implications of this result are demonstrated through experiments on reduced-round DES. Keywords: related keys, concatenated codes, communication channel, statistical cryptanalysis, linear cryptanalysis, DES Communicating Author: Poorvi L. Vora, [email protected] ∗This work was done while the author was in the M.S.
  • Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, Newdes, RC2, and TEA

    Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, Newdes, RC2, and TEA

    Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, NewDES, RC2, and TEA John Kelsey Bruce Schneier David Wagner Counterpane Systems U.C. Berkeley kelsey,schneier @counterpane.com [email protected] f g Abstract. We present new related-key attacks on the block ciphers 3- WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. Differen- tial related-key attacks allow both keys and plaintexts to be chosen with specific differences [KSW96]. Our attacks build on the original work, showing how to adapt the general attack to deal with the difficulties of the individual algorithms. We also give specific design principles to protect against these attacks. 1 Introduction Related-key cryptanalysis assumes that the attacker learns the encryption of certain plaintexts not only under the original (unknown) key K, but also under some derived keys K0 = f(K). In a chosen-related-key attack, the attacker specifies how the key is to be changed; known-related-key attacks are those where the key difference is known, but cannot be chosen by the attacker. We emphasize that the attacker knows or chooses the relationship between keys, not the actual key values. These techniques have been developed in [Knu93b, Bih94, KSW96]. Related-key cryptanalysis is a practical attack on key-exchange protocols that do not guarantee key-integrity|an attacker may be able to flip bits in the key without knowing the key|and key-update protocols that update keys using a known function: e.g., K, K + 1, K + 2, etc. Related-key attacks were also used against rotor machines: operators sometimes set rotors incorrectly.
  • Internet Engineering Task Force (IETF) S. Kanno Request for Comments: 6367 NTT Software Corporation Category: Informational M

    Internet Engineering Task Force (IETF) S. Kanno Request for Comments: 6367 NTT Software Corporation Category: Informational M

    Internet Engineering Task Force (IETF) S. Kanno Request for Comments: 6367 NTT Software Corporation Category: Informational M. Kanda ISSN: 2070-1721 NTT September 2011 Addition of the Camellia Cipher Suites to Transport Layer Security (TLS) Abstract This document specifies forty-two cipher suites for the Transport Security Layer (TLS) protocol to support the Camellia encryption algorithm as a block cipher. Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6367. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
  • Impossible Differential Cryptanalysis of TEA, XTEA and HIGHT

    Impossible Differential Cryptanalysis of TEA, XTEA and HIGHT

    Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion Impossible Differential Cryptanalysis of TEA, XTEA and HIGHT Jiazhe Chen1;2 Meiqin Wang1;2 Bart Preneel2 1Shangdong University, China 2KU Leuven, ESAT/COSIC and IBBT, Belgium AfricaCrypt 2012 July 10, 2012 1 / 27 Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion Preliminaries Impossible Differential Attack TEA, XTEA and HIGHT Impossible Differential Attacks on TEA and XTEA Deriving Impossible Differentials for TEA and XTEA Key Recovery Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Impossible Differential Attacks on HIGHT Conclusion 2 / 27 I Pr(∆A ! ∆B) = 1, Pr(∆G ! ∆F) = 1, ∆B 6= ∆F, Pr(∆A ! ∆G) = 0 I Extend the impossible differential forward and backward to attack a block cipher I Guess subkeys in Part I and Part II, if there is a pair meets ∆A and ∆G, then the subkey guess must be wrong P I A B F G II C Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible Differential Cryptanalysis of HIGHT Conclusion Impossible Differential Attack Impossible Differential Attack 3 / 27 I Pr(∆A ! ∆B) = 1, Pr(∆G ! ∆F) = 1, ∆B 6= ∆F, Pr(∆A ! ∆G) = 0 I Extend the impossible differential forward and backward to attack a block cipher I Guess subkeys in Part I and Part II, if there is a pair meets ∆A and ∆G, then the subkey guess must be wrong P I A B F G II C Preliminaries Impossible Differential Attacks on TEA and XTEA Impossible
  • Nessie Neutrally-Buoyant Elevated System for Satellite Imaging and Evaluation

    Nessie Neutrally-Buoyant Elevated System for Satellite Imaging and Evaluation

    NESSIE NEUTRALLY-BUOYANT ELEVATED SYSTEM FOR SATELLITE IMAGING AND EVALUATION 1 Project Overview Space Situational Awareness (SSA) • Determine the orbital characteristics of objects in space Currently there are only two methods Radar • Expensive Telescopes • Cheaper, but can be blocked by cloud cover Both are fully booked and can't collect enough data Over 130,000,000 estimated objects in orbit 2 Introduction Solution Critical Project Elements Risk Analysis Schedule Our Mission: MANTA NESSIE • Full-Scale SSA UAV • Proof of concept vehicle • Operates at 18000ft • Operates at 400ft AGL • Fully realized optical Scale • Payload bay capability 1 : 2.5 payload • Mass 1 lb • Mass 15 lbs • Contained in 4.9” cube • Contained in 12” cube • Requires 5.6 W of Power • Requires 132 W of Power • Provide path to flight at full-scale 3 Introduction Solution Critical Project Elements Risk Analysis Schedule Stay on a 65,600 ft to 164,000 ft distance from takeoff spot Legend: 10 arcseconds object Requirements centroid identification 5. Point optical Dimness ≥ 13 accuracy, 3 sigma precision system, capture Operations flow apparent magnitude image, measure time and position 4. Pointing and stabilization check, 6. Store image autonomous flight and data 7. Start autonomous Loop descent to Ground Station when battery is low. Constantly downlink 3. Manual ascent position and status above clouds, uplink data to ground station 8. Manual landing, Max 18,000 altitude ft from ground station uplink from ground station 1. System 2. Unload/ Assembly/ Prep. Ground Station End of mission 14 transportation hours after first ascent 4 Land 300 ft (100 yards) from takeoff spot Stay within 400 ft of takeoff spot Legend: 4.
  • Optimization of Core Components of Block Ciphers Baptiste Lambin

    Optimization of Core Components of Block Ciphers Baptiste Lambin

    Optimization of core components of block ciphers Baptiste Lambin To cite this version: Baptiste Lambin. Optimization of core components of block ciphers. Cryptography and Security [cs.CR]. Université Rennes 1, 2019. English. NNT : 2019REN1S036. tel-02380098 HAL Id: tel-02380098 https://tel.archives-ouvertes.fr/tel-02380098 Submitted on 26 Nov 2019 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. THÈSE DE DOCTORAT DE L’UNIVERSITE DE RENNES 1 COMUE UNIVERSITE BRETAGNE LOIRE Ecole Doctorale N°601 Mathématique et Sciences et Technologies de l’Information et de la Communication Spécialité : Informatique Par Baptiste LAMBIN Optimization of Core Components of Block Ciphers Thèse présentée et soutenue à RENNES, le 22/10/2019 Unité de recherche : IRISA Rapporteurs avant soutenance : Marine Minier, Professeur, LORIA, Université de Lorraine Jacques Patarin, Professeur, PRiSM, Université de Versailles Composition du jury : Examinateurs : Marine Minier, Professeur, LORIA, Université de Lorraine Jacques Patarin, Professeur, PRiSM, Université de Versailles Jean-Louis Lanet, INRIA Rennes Virginie Lallemand, Chargée de Recherche, LORIA, CNRS Jérémy Jean, ANSSI Dir. de thèse : Pierre-Alain Fouque, IRISA, Université de Rennes 1 Co-dir. de thèse : Patrick Derbez, IRISA, Université de Rennes 1 Remerciements Je tiens à remercier en premier lieu mes directeurs de thèse, Pierre-Alain et Patrick.