DOCSLIB.ORG

A Related-Key Attack on TREYFER

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

The Second International Conference on Emerging Security Information, Systems and Technologies A Related-Key Attack on TREYFER Aleksandar Kircanski and Amr M. Youssef Computer Security Laboratory Concordia Institute for Information Systems Engineering Concordia University, Montreal, Quebec, Canada, H3G 2W1 Abstract such as smart cards, RFIDs, and sensor networks. For example, TREYFER requires only 29 bytes of TREYFER is a lightweight cipher designed for executable code on the 8051 micro-controller. resource constrained environments. In this paper, The best known attack against TREYFER, pre- we present a related-key attack that directly recovers sented by Alex Biryukov and David Wagner [7], is a 11 the secret key of TREYFER using about 2 chosen slide attack that requires 232 known plaintexts, 244 plaintext encryptions. Our attack is based on a time for analysis and 232 memory. set of deterministic algebraic relationships between In this paper, we derive a set of determinis- TREYFER ciphertexts corresponding to related tic algebraic relationships between the ciphertexts plaintexts encrypted under circularly byte shifted corresponding to related plaintexts encrypted with versions of the same key. The attack complexity is TREYFER under circularly byte shifted versions of independent of the number of rounds of the cipher. the same key. Based on these relationships, we present a chosen related-key attack [8]-[14] that di- rectly recovers the secret key of TREYFER using about 211 chosen plaintext encryption operations. 1 Introduction The attack complexity is independent of the number of rounds of the cipher. Despite its current implementation advances, the Ad- The rest of the paper is organized as follows. In sec- vanced Encryption Standard (AES) [1] may not al- tion 2 we briefly review the description of TREYFER. ways be the optimal choice for applications with tight The algebraic relationship between ciphertexts corre- resource constraints such as radio frequency identifi- sponding to related plaintexts encrypted under circu- cation (RFID) tags and tiny sensor networks. In fact, larly (byte-wise) shifted versions of the secret key is with the widespread applications of these resource- derived in section 3. Using this relationship, our at- constrained devices, the analysis and design of light- tack is described in section 4. weight encryption algorithms have started to gain a new momentum (e.g [2], [3].) TREYFER [4] is a 64 bit block cipher (and also 2 Description of TREYFER a MAC) proposed by Gideon Yuval, from Microsoft, at FSE’97. According to Gideon Yuval, TREYFER TREYFER can be seen as an iterative block cipher is targeting an environment for which even TEA [5] with the round function shown in Figure 1 where and SAFER [6] are “gross overdesign [4]”. The sim- <<< denotes a circular left shift by 1 bit, + de- ple and compact design of TREYFER makes it an at- notes addition mod 256 and SKi, i =0...7, de- tractive choice for resource constrained environments notes the key addition and s-box lookup operations 978-0-7695-3329-2/08 $25.00 © 2008 IEEE 213 DOI 10.1109/SECURWARE.2008.51 S[(x + Ki) mod 256] function. All operations are the same way at each round. byte-oriented, and there is a single 8 × 8-bit s-box. The following notation will be used throughout the In [4], the s-box is left undefined; it is suggested paper. that the implementation can simply use whatever • f denotes round function mapping of TREYFER data is available in memory. In each round, each byte (see Figure 1). has added to it the s-box value of the sum of a key byte and the previous data byte, then it is rotated • P = P0P1 ···P7 denotes the 8 byte plaintext in- left one bit. The design attempts to compensate for put the simplicity of this round transformation by using • K = K0K1 ···K7 denotes the 8 byte key a large number of rounds: 32. The pseudo code implementation of TREYFER is • C = C0C1 ···C7 denotes the 8 byte ciphertext as follows: 3 Main Observations for(r =0;r<NumRounds; r ++){ text[8] = text[0]; In this section, we derive an algebraic relationship be- for(i =0;i<8; i ++) tween the ciphertexts corresponding to related plain- text[i +1]= texts encrypted under circularly (byte-wise) shifted (text[i +1]+S[(key[i]+text[i])%256]) <<< 1; versions of the secret key. text[0] = text[8]; Lemma 1 } Let P0P1 ···P7 = f(P0 ···P7,K0 ···K7) and 2 P0 P1 ···P7 = f (P0 ···P7,K0 ···K7). Then we have f(P1P2 ···P7P0,K1 ···K7K0)=P1 P2 ···P7P0 Proof: Let pi,i =0...7 denote i-th byte of f(P1P2 ···P7P0,K1 ···K7K0). Then, by TREYFER definition, we have: p1 =(P2 + S(P1,K1)) <<< 1=P2 p2 =(P3 + S(P2,K2)) <<< 1=P3 . p7 =(P0 + S(P7,K7)) <<< 1=P0 Figure 1: Round function of TREYFER, where p0 =(P1 + S(P0,K0)) <<< 1=P1 SKi(x)=sbox((x + Ki) mod 256) The lemma holds by noting that In order to obtain a more compact and faster ci- f(P1P2 ···P7P0,K1 ···K7K0)=p0 ···p7. pher under the assumed hardware constraints, the This observation can easily be extended to hold for K designer of TREYFER opted not to have any com- composition of multiple rounds. By P −→ C we will plex key scheduling. In particular, TREYFER simply denote the TRYEFER encryption of the plaintext P uses its user supplied key, K, byte by byte in exactly with a key, K. 214 Lemma 2 Let knows or chooses the relationship between keys, i.e., g(·), but not the actual key values. ··· −→K ··· P0 P7 C0 C7, Based on the relations derived in the above sec- tion, we describe a chosen-related-key attack against and TREYFER. C ···C = f(C0 ···C7,K0 ···K7). K 0 7 Given the plaintext-ciphertext pair (P, C), P −→ Then C where K = K0 ···K7, the proposed attack pro- ceeds to recover K0 as follows: rot(K,1) P1P2 ···P7P0 −→ C1C2 ···C7C0 For( X =0;X<256; X ++){ Proof: Follows from previous Lemma and the fact n • ··· that TREYFER function is equal to f , n = 32. Encrypt the plaintext XP2 P7P0 under the ··· That way, for each TREYFER pair (P, C), we can key rot(K, 1) = K1 K7K0 derive another “similar” plaintext-ciphertext pair, • For each ciphertext in the form YC2 ···C7C0, encrypted by key circularly shifted to the left by determine K0 that satisfies one byte. Furthermore, if previous Lemma is applied multiple times, we can get 7 such pairs, as given by X = P1 =(P1 + S[K0 + P0]) <<< 1, the following Theorem. Y = C1 =(C1 + S[K0 + C0]) <<< 1. Theorem 1 Let rot(K, i) denote the left circular } shift of K by i bytes, then, for any K P0 ···P7 −→ C0 ···C7 (1) The process above finds P and C , second bytes of we have 1 1 f(P0 ···P7,K0 ···K7), and f(C0 ···C7,K0 ···K7), respectively. rot(K,1) Theoretically it is possible that there may exist an P1P2P3P4P5P6P7P0 −→ C1C2C3C4C5C6C7C0 (2) rot(K) rot(K,2) X = P1 such that XP2 ···P7P0 −→ YC2 ···C7C0, P2P3P4P5P6P7P0P1 −→ C2C3C4C5C6C7C0C1 (3) leading to false information on K0. However, the . probability that this will happen is practically negli- . ≈ × −15 rot(K,7) gible ( 3 10 ). −→ P7P0P1P2P3P4P5P6 C7C0C1C2C3C4C5C6 (8) If the s-box is bijective, then only one of the equations above can be used to uniquely determine It should be noted that the above presented prop- −1 K0 = S [(P >>> 1) − P1] − P0. In the case of non erty of TREYFER does not depend on any particular 1 bijective s-boxes, the above two steps can be repeated choice of the s-box. until K0 is uniquely determined. K1 to K6 can be sequentially recovered by perform- 4 The Attack ing the above steps using related plaintexts and keys, according to relations (3)-(8). Similarly, the last byte Related-key cryptanalysis assumes that the attacker of the key, K7, can be recovered using relation (1) or learns the encryption of certain plaintexts not only simply by exhaustive search. under the original unknown key, K, but also under Thus, the attack requires about 8 × 256 = 211 cho- some related keys (e.g., K = g(K)). In a chosen- sen plaintext-ciphertext pairs, each 256 of them are related-key attack, the attacker specifies how the key encrypted under a key that is circularly bytes shifted is to be changed. It should be noted that the attacker version of the original secret key. 215 Remark 1 The above attack can be thought of as a tion (FSE ’97), pp. 205-209, Springer-Verlag, slide attack in which the sliding pairs are produced at 1997. the s-box level and not at the level of the whole round function. [5] David J. Wheeler and Roger M. Needham, TEA, a tiny encryption algorithm,Proc.of the 2nd workshop on Fast Software Encryption 5 Conclusion (FSE’94), pp. 363-366, Leuven, Belgium, 1994, Springer-Verlag. The simple, and compact design of TREYFER makes it a very attractive cipher for resource constrained de- [6] James L. Massey, SAFER K-64: A Byte- vices. On the other hand, the key scheduling of the Oriented Block-Ciphering Algorithm,Proc.of cipher seems to be oversimplified which has yielded to the first workshop on Fast Software Encryption several weaknesses. While it might be argued that it (FSE’93), pp. 1-17, Springer-Verlag. is unlikely that an attacker can persuade a human op- [7] Alex Biryukov and David Wagner, Slide At- erator to encrypt plaintexts under the 8 related keys, tacks, Proc, of the 6th International Workshop modern cryptography is implemented using complex on Fast Software Encryption (FSE ’99), pp.
Recommended publications
  • Cryptanalysis of Feistel Networks with Secret Round Functions Alex Biryukov, Gaëtan Leurent, Léo Perrin

    Cryptanalysis of Feistel Networks with Secret Round Functions Alex Biryukov, Gaëtan Leurent, Léo Perrin

    Cryptanalysis of Feistel Networks with Secret Round Functions Alex Biryukov, Gaëtan Leurent, Léo Perrin To cite this version: Alex Biryukov, Gaëtan Leurent, Léo Perrin. Cryptanalysis of Feistel Networks with Secret Round Functions. Selected Areas in Cryptography - SAC 2015, Aug 2015, Sackville, Canada. hal-01243130 HAL Id: hal-01243130 https://hal.inria.fr/hal-01243130 Submitted on 14 Dec 2015 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Cryptanalysis of Feistel Networks with Secret Round Functions ? Alex Biryukov1, Gaëtan Leurent2, and Léo Perrin3 1 [email protected], University of Luxembourg 2 [email protected], Inria, France 3 [email protected], SnT,University of Luxembourg Abstract. Generic distinguishers against Feistel Network with up to 5 rounds exist in the regular setting and up to 6 rounds in a multi-key setting. We present new cryptanalyses against Feistel Networks with 5, 6 and 7 rounds which are not simply distinguishers but actually recover completely the unknown Feistel functions. When an exclusive-or is used to combine the output of the round function with the other branch, we use the so-called yoyo game which we improved using a heuristic based on particular cycle structures.
  • Improved Related-Key Attacks on DESX and DESX+

    Improved Related-Key Attacks on DESX and DESX+

    Improved Related-key Attacks on DESX and DESX+ Raphael C.-W. Phan1 and Adi Shamir3 1 Laboratoire de s´ecurit´eet de cryptographie (LASEC), Ecole Polytechnique F´ed´erale de Lausanne (EPFL), CH-1015 Lausanne, Switzerland [email protected] 2 Faculty of Mathematics & Computer Science, The Weizmann Institute of Science, Rehovot 76100, Israel [email protected] Abstract. In this paper, we present improved related-key attacks on the original DESX, and DESX+, a variant of the DESX with its pre- and post-whitening XOR operations replaced with addition modulo 264. Compared to previous results, our attack on DESX has reduced text complexity, while our best attack on DESX+ eliminates the memory requirements at the same processing complexity. Keywords: DESX, DESX+, related-key attack, fault attack. 1 Introduction Due to the DES’ small key length of 56 bits, variants of the DES under multiple encryption have been considered, including double-DES under one or two 56-bit key(s), and triple-DES under two or three 56-bit keys. Another popular variant based on the DES is the DESX [15], where the basic keylength of single DES is extended to 120 bits by wrapping this DES with two outer pre- and post-whitening keys of 64 bits each. Also, the endorsement of single DES had been officially withdrawn by NIST in the summer of 2004 [19], due to its insecurity against exhaustive search. Future use of single DES is recommended only as a component of the triple-DES. This makes it more important to study the security of variants of single DES which increase the key length to avoid this attack.
  • Key Differentiation Attacks on Stream Ciphers

    Key Differentiation Attacks on Stream Ciphers

    Key differentiation attacks on stream ciphers Abstract In this paper the applicability of differential cryptanalytic tool to stream ciphers is elaborated using the algebraic representation similar to early Shannon’s postulates regarding the concept of confusion. In 2007, Biham and Dunkelman [3] have formally introduced the concept of differential cryptanalysis in stream ciphers by addressing the three different scenarios of interest. Here we mainly consider the first scenario where the key difference and/or IV difference influence the internal state of the cipher (∆key, ∆IV ) → ∆S. We then show that under certain circumstances a chosen IV attack may be transformed in the key chosen attack. That is, whenever at some stage of the key/IV setup algorithm (KSA) we may identify linear relations between some subset of key and IV bits, and these key variables only appear through these linear relations, then using the differentiation of internal state variables (through chosen IV scenario of attack) we are able to eliminate the presence of corresponding key variables. The method leads to an attack whose complexity is beyond the exhaustive search, whenever the cipher admits exact algebraic description of internal state variables and the keystream computation is not complex. A successful application is especially noted in the context of stream ciphers whose keystream bits evolve relatively slow as a function of secret state bits. A modification of the attack can be applied to the TRIVIUM stream cipher [8], in this case 12 linear relations could be identified but at the same time the same 12 key variables appear in another part of state register.
  • Related-Key Statistical Cryptanalysis

    Related-Key Statistical Cryptanalysis

    Related-Key Statistical Cryptanalysis Darakhshan J. Mir∗ Poorvi L. Vora Department of Computer Science, Department of Computer Science, Rutgers, The State University of New Jersey George Washington University July 6, 2007 Abstract This paper presents the Cryptanalytic Channel Model (CCM). The model treats statistical key recovery as communication over a low capacity channel, where the channel and the encoding are determined by the cipher and the specific attack. A new attack, related-key recovery – the use of n related keys generated from k independent ones – is defined for all ciphers vulnera- ble to single-key recovery. Unlike classical related-key attacks such as differential related-key cryptanalysis, this attack does not exploit a special structural weakness in the cipher or key schedule, but amplifies the weakness exploited in the basic single key recovery. The related- key-recovery attack is shown to correspond to the use of a concatenated code over the channel, where the relationship among the keys determines the outer code, and the cipher and the attack the inner code. It is shown that there exists a relationship among keys for which the communi- cation complexity per bit of independent key is finite, for any probability of key recovery error. This may be compared to the unbounded communication complexity per bit of the single-key- recovery attack. The practical implications of this result are demonstrated through experiments on reduced-round DES. Keywords: related keys, concatenated codes, communication channel, statistical cryptanalysis, linear cryptanalysis, DES Communicating Author: Poorvi L. Vora, [email protected] ∗This work was done while the author was in the M.S.
  • Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, Newdes, RC2, and TEA

    Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, Newdes, RC2, and TEA

    Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, NewDES, RC2, and TEA John Kelsey Bruce Schneier David Wagner Counterpane Systems U.C. Berkeley kelsey,schneier @counterpane.com [email protected] f g Abstract. We present new related-key attacks on the block ciphers 3- WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. Differen- tial related-key attacks allow both keys and plaintexts to be chosen with specific differences [KSW96]. Our attacks build on the original work, showing how to adapt the general attack to deal with the difficulties of the individual algorithms. We also give specific design principles to protect against these attacks. 1 Introduction Related-key cryptanalysis assumes that the attacker learns the encryption of certain plaintexts not only under the original (unknown) key K, but also under some derived keys K0 = f(K). In a chosen-related-key attack, the attacker specifies how the key is to be changed; known-related-key attacks are those where the key difference is known, but cannot be chosen by the attacker. We emphasize that the attacker knows or chooses the relationship between keys, not the actual key values. These techniques have been developed in [Knu93b, Bih94, KSW96]. Related-key cryptanalysis is a practical attack on key-exchange protocols that do not guarantee key-integrity|an attacker may be able to flip bits in the key without knowing the key|and key-update protocols that update keys using a known function: e.g., K, K + 1, K + 2, etc. Related-key attacks were also used against rotor machines: operators sometimes set rotors incorrectly.
  • Comparison of 256-Bit Stream Ciphers DJ Bernstein Thanks To

    Comparison of 256-Bit Stream Ciphers DJ Bernstein Thanks To

    Comparison of Cipher implementations 256-bit stream ciphers from cipher authors D. J. Bernstein Timing tools Thanks to: (De Canni`ere) University of Illinois at Chicago Denmark Technical University Timings Alfred P. Sloan Foundation on various machines Graphing tools (Bernstein) Speed graphs in this talk Comparison of Cipher implementations Security disasters 256-bit stream ciphers from cipher authors Attack claimed on YAMB: “258.” D. J. Bernstein 72 Timing tools Attack claimed on Py: “2 .” Thanks to: (De Canni`ere) Presumably also Py6. University of Illinois at Chicago Attack claimed on SOSEMANUK: Denmark Technical University Timings “2226.” Alfred P. Sloan Foundation on various machines Is there any dispute Graphing tools about these attacks? (Bernstein) If not: Reject YAMB etc. as competition for 256-bit AES. Speed graphs in this talk Cipher implementations Security disasters from cipher authors Attack claimed on YAMB: “258.” 72 Timing tools Attack claimed on Py: “2 .” (De Canni`ere) Presumably also Py6. Attack claimed on SOSEMANUK: Timings “2226.” on various machines Is there any dispute Graphing tools about these attacks? (Bernstein) If not: Reject YAMB etc. as competition for 256-bit AES. Speed graphs in this talk Cipher implementations Security disasters Speed disasters from cipher authors Attack claimed on YAMB: “258.” FUBUKI is slower than AES 72 in all of these benchmarks. Timing tools Attack claimed on Py: “2 .” Any hope of faster FUBUKI? (De Canni`ere) Presumably also Py6. If not: Reject FUBUKI. Attack claimed on SOSEMANUK: VEST is extremely slow Timings “2226.” on various machines in all of these benchmarks. Is there any dispute On the other hand, Graphing tools about these attacks? VEST is claimed to be (Bernstein) If not: Reject YAMB etc.
  • Performance and Energy Efficiency of Block Ciphers in Personal Digital Assistants

    Performance and Energy Efficiency of Block Ciphers in Personal Digital Assistants

    Performance and Energy Efficiency of Block Ciphers in Personal Digital Assistants Creighton T. R. Hager, Scott F. Midkiff, Jung-Min Park, Thomas L. Martin Bradley Department of Electrical and Computer Engineering Virginia Polytechnic Institute and State University Blacksburg, Virginia 24061 USA {chager, midkiff, jungmin, tlmartin} @ vt.edu Abstract algorithms may consume more energy and drain the PDA battery faster than using less secure algorithms. Due to Encryption algorithms can be used to help secure the processing requirements and the limited computing wireless communications, but securing data also power in many PDAs, using strong cryptographic consumes resources. The goal of this research is to algorithms may also significantly increase the delay provide users or system developers of personal digital between data transmissions. Thus, users and, perhaps assistants and applications with the associated time and more importantly, software and system designers need to energy costs of using specific encryption algorithms. be aware of the benefits and costs of using various Four block ciphers (RC2, Blowfish, XTEA, and AES) were encryption algorithms. considered. The experiments included encryption and This research answers questions regarding energy decryption tasks with different cipher and file size consumption and execution time for various encryption combinations. The resource impact of the block ciphers algorithms executing on a PDA platform with the goal of were evaluated using the latency, throughput, energy- helping software and system developers design more latency product, and throughput/energy ratio metrics. effective applications and systems and of allowing end We found that RC2 encrypts faster and uses less users to better utilize the capabilities of PDA devices.
  • Hemiunu Used Numerically Tagged Surface Ratios to Mark Ceilings Inside the Great Pyramid Hinting at Designed Spaces Still Hidden Within

    Hemiunu Used Numerically Tagged Surface Ratios to Mark Ceilings Inside the Great Pyramid Hinting at Designed Spaces Still Hidden Within

    Archaeological Discovery, 2018, 6, 319-337 http://www.scirp.org/journal/ad ISSN Online: 2331-1967 ISSN Print: 2331-1959 Hemiunu Used Numerically Tagged Surface Ratios to Mark Ceilings inside the Great Pyramid Hinting at Designed Spaces Still Hidden Within Manu Seyfzadeh Institute for the Study of the Origins of Civilization (ISOC)1, Boston University’s College of General Studies, Boston, USA How to cite this paper: Seyfzadeh, M. Abstract (2018). Hemiunu Used Numerically Tagged Surface Ratios to Mark Ceilings inside the In 1883, W. M. Flinders Petrie noticed that the vertical thickness and height Great Pyramid Hinting at Designed Spaces of certain stone courses of the Great Pyramid2 of Khufu/Cheops at Giza, Still Hidden Within. Archaeological Dis- Egypt markedly increase compared to those immediately lower periodically covery, 6, 319-337. https://doi.org/10.4236/ad.2018.64016 and conspicuously interrupting a general trend of progressive course thinning towards the summit. Having calculated the surface area of each course, Petrie Received: September 10, 2018 further noted that the courses immediately below such discrete stone thick- Accepted: October 5, 2018 Published: October 8, 2018 ness peaks tended to mark integer multiples of 1/25th of the surface area at ground level. Here I show that the probable architect of the Great Pyramid, Copyright © 2018 by author and Khufu’s vizier Hemiunu, conceptualized its vertical construction design using Scientific Research Publishing Inc. surface areas based on the same numerical principles used to design his own This work is licensed under the Creative Commons Attribution International mastaba in Giza’s western cemetery and conspicuously used this numerical License (CC BY 4.0).
  • Development of the Advanced Encryption Standard

    Development of the Advanced Encryption Standard

    Volume 126, Article No. 126024 (2021) https://doi.org/10.6028/jres.126.024 Journal of Research of the National Institute of Standards and Technology Development of the Advanced Encryption Standard Miles E. Smid Formerly: Computer Security Division, National Institute of Standards and Technology, Gaithersburg, MD 20899, USA [email protected] Strong cryptographic algorithms are essential for the protection of stored and transmitted data throughout the world. This publication discusses the development of Federal Information Processing Standards Publication (FIPS) 197, which specifies a cryptographic algorithm known as the Advanced Encryption Standard (AES). The AES was the result of a cooperative multiyear effort involving the U.S. government, industry, and the academic community. Several difficult problems that had to be resolved during the standard’s development are discussed, and the eventual solutions are presented. The author writes from his viewpoint as former leader of the Security Technology Group and later as acting director of the Computer Security Division at the National Institute of Standards and Technology, where he was responsible for the AES development. Key words: Advanced Encryption Standard (AES); consensus process; cryptography; Data Encryption Standard (DES); security requirements, SKIPJACK. Accepted: June 18, 2021 Published: August 16, 2021; Current Version: August 23, 2021 This article was sponsored by James Foti, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology (NIST). The views expressed represent those of the author and not necessarily those of NIST. https://doi.org/10.6028/jres.126.024 1. Introduction In the late 1990s, the National Institute of Standards and Technology (NIST) was about to decide if it was going to specify a new cryptographic algorithm standard for the protection of U.S.
  • State of the Art in Lightweight Symmetric Cryptography

    State of the Art in Lightweight Symmetric Cryptography

    State of the Art in Lightweight Symmetric Cryptography Alex Biryukov1 and Léo Perrin2 1 SnT, CSC, University of Luxembourg, [email protected] 2 SnT, University of Luxembourg, [email protected] Abstract. Lightweight cryptography has been one of the “hot topics” in symmetric cryptography in the recent years. A huge number of lightweight algorithms have been published, standardized and/or used in commercial products. In this paper, we discuss the different implementation constraints that a “lightweight” algorithm is usually designed to satisfy. We also present an extensive survey of all lightweight symmetric primitives we are aware of. It covers designs from the academic community, from government agencies and proprietary algorithms which were reverse-engineered or leaked. Relevant national (nist...) and international (iso/iec...) standards are listed. We then discuss some trends we identified in the design of lightweight algorithms, namely the designers’ preference for arx-based and bitsliced-S-Box-based designs and simple key schedules. Finally, we argue that lightweight cryptography is too large a field and that it should be split into two related but distinct areas: ultra-lightweight and IoT cryptography. The former deals only with the smallest of devices for which a lower security level may be justified by the very harsh design constraints. The latter corresponds to low-power embedded processors for which the Aes and modern hash function are costly but which have to provide a high level security due to their greater connectivity. Keywords: Lightweight cryptography · Ultra-Lightweight · IoT · Internet of Things · SoK · Survey · Standards · Industry 1 Introduction The Internet of Things (IoT) is one of the foremost buzzwords in computer science and information technology at the time of writing.
  • Ensuring Fast Implementations of Symmetric Ciphers on the Intel Pentium 4 and Beyond

    Ensuring Fast Implementations of Symmetric Ciphers on the Intel Pentium 4 and Beyond

    This may be the author’s version of a work that was submitted/accepted for publication in the following source: Henricksen, Matthew& Dawson, Edward (2006) Ensuring Fast Implementations of Symmetric Ciphers on the Intel Pentium 4 and Beyond. Lecture Notes in Computer Science, 4058, Article number: AISP52-63. This file was downloaded from: https://eprints.qut.edu.au/24788/ c Consult author(s) regarding copyright matters This work is covered by copyright. Unless the document is being made available under a Creative Commons Licence, you must assume that re-use is limited to personal use and that permission from the copyright owner must be obtained for all other uses. If the docu- ment is available under a Creative Commons License (or other specified license) then refer to the Licence for details of permitted re-use. It is a condition of access that users recog- nise and abide by the legal requirements associated with these rights. If you believe that this work infringes copyright please provide details by email to [email protected] Notice: Please note that this document may not be the Version of Record (i.e. published version) of the work. Author manuscript versions (as Sub- mitted for peer review or as Accepted for publication after peer review) can be identified by an absence of publisher branding and/or typeset appear- ance. If there is any doubt, please refer to the published source. https://doi.org/10.1007/11780656_5 Ensuring Fast Implementations of Symmetric Ciphers on the Intel Pentium 4 and Beyond Matt Henricksen and Ed Dawson Information Security Institute, Queensland University of Technology, GPO Box 2434, Brisbane, Queensland, 4001, Australia.
  • New Results of Related-Key Attacks on All Py-Family of Stream Ciphers

    New Results of Related-Key Attacks on All Py-Family of Stream Ciphers

    Journal of Universal Computer Science, vol. 18, no. 12 (2012), 1741-1756 submitted: 15/9/11, accepted: 15/2/12, appeared: 28/6/12 © J.UCS New Results of Related-key Attacks on All Py-Family of Stream Ciphers Lin Ding (Information Science and Technology Institute, Zhengzhou, China [email protected]) Jie Guan (Information Science and Technology Institute, Zhengzhou, China [email protected]) Wen-long Sun (Information Science and Technology Institute, Zhengzhou, China [email protected]) Abstract: The stream cipher TPypy has been designed by Biham and Seberry in January 2007 as the strongest member of the Py-family of stream ciphers. At Indocrypt 2007, Sekar, Paul and Preneel showed related-key weaknesses in the Py-family of stream ciphers including the strongest member TPypy. Furthermore, they modified the stream ciphers TPypy and TPy to generate two fast ciphers, namely RCR-32 and RCR-64, in an attempt to rule out all the attacks against the Py-family of stream ciphers. So far there exists no attack on RCR-32 and RCR-64. In this paper, we show that the related-key weaknesses can be still used to construct related-key distinguishing attacks on all Py-family of stream ciphers including the modified versions RCR- 32 and RCR-64. Under related keys, we show distinguishing attacks on RCR-32 and RCR-64 with data complexity 2139.3 and advantage greater than 0.5. We also show that the data complexity of the distinguishing attacks on Py-family of stream ciphers proposed by Sekar et al. can be reduced from 2193.7 to 2149.3 .