Cube Testers and Key Recovery Attacks on Reduced-round MD6 and Trivium
Abstract

Cited by 38 (7 self)
CRYPTO 2008 saw the introduction of the hash function MD6 and of cube attacks, a type of algebraic attack applicable to cryptographic functions having a low-degree algebraic normal form over GF(2). This paper applies cube attacks to reduced-round MD6, finding the full 128-bit key of a 14-round MD6 with complexity 2^22 (which takes less than a minute on a single PC). This is the best key recovery attack announced so far for MD6. We then introduce a new class of attacks called cube testers, based on efficient property-testing algorithms, and apply them to MD6 and to the stream cipher Trivium. Unlike the standard cube attacks, cube testers detect nonrandom behavior rather than performing key extraction, but they can also attack cryptographic schemes described by nonrandom polynomials of relatively high degree. Applied to MD6, cube testers detect nonrandomness over 18 rounds in 2^17 complexity; applied to a slightly modified version of the MD6 compression function, they can distinguish 66 rounds from random in 2^24 complexity. Cube testers give distinguishers on Trivium reduced to 790 rounds from random with 2^30 complexity and detect nonrandomness over 885 rounds in 2^27, improving on the original 767-round cube attack.
Chosen IV statistical analysis for key recovery attacks on stream ciphers
In Serge Vaudenay, editor, AFRICACRYPT, volume 5023 of LNCS, 2008
Abstract

Cited by 33 (3 self)
A recent framework for chosen IV statistical distinguishing analysis of stream ciphers is exploited and formalized to provide new methods for key recovery attacks. As an application, a key recovery attack on simplified versions of two eSTREAM Phase 3 candidates is given: For Grain-128 with IV initialization reduced to up to 180 of its 256 iterations, and for Trivium with IV initialization reduced to up to 672 of its 1152 iterations, it is experimentally demonstrated how to deduce a few key bits. Evidence is given that the present analysis is not applicable on Grain-128 or Trivium with full IV initialization.
A Framework for Chosen IV Statistical Analysis of Stream Ciphers
In INDOCRYPT 2007. See also Tools for Cryptanalysis, 2007
Abstract

Cited by 21 (0 self)
Saarinen recently proposed a chosen IV statistical attack, called the d-monomial test, and used it to find weaknesses in several proposed stream ciphers. In this paper we generalize this idea and propose a framework for chosen IV statistical attacks using a polynomial description. We propose a few new statistical attacks, apply them on some existing stream cipher proposals, and give some conclusions regarding the strength of their IV initialization. In particular, we experimentally detected statistical weaknesses in some state bits of Grain-128 with full IV initialization as well as in the keystream of Trivium using an initialization reduced to 736 rounds from 1152 rounds. We also propose some stronger alternative initialization schemes with respect to these statistical attacks.
Chosen-IV Statistical Attacks on eSTREAM Stream Ciphers
eSTREAM, ECRYPT Stream Cipher Project, Report 2006/013, 2006
Abstract

Cited by 7 (0 self)
d-Monomial tests are statistical randomness tests based on the Algebraic Normal Form representation of a Boolean function, and were first introduced by Filiol in 2002. We show that there are strong indications that the Gate Complexity of a Boolean function is related to a bias detectable in a d-Monomial test. We then discuss how to effectively apply d-Monomial tests in chosen-IV attacks against stream ciphers. Finally we present results of tests performed on eSTREAM proposals, and show that six of these new ciphers can be broken using the d-Monomial test in a chosen-IV attack. Many ciphers even fail a trivial (ANF) bit-flipping test.
Plaintext-dependent Repetition Codes Cryptanalysis of Block Ciphers: The AES Case
IACR ePrint archive, http://eprint.iacr.org/2003/003/, 8th, 2003
Abstract

Cited by 6 (0 self)
This paper presents a new "operational" cryptanalysis of block ciphers based on the use of a well-known error-correcting code: the repetition codes. We demonstrate how to describe a block cipher with such a code before explaining how to design a new ciphertext-only cryptanalysis of these cryptosystems on the assumption that plaintext belongs to a particular class. This new cryptanalysis may succeed for any block cipher and thus is likely to question the security of those cryptosystems for encryption. We then apply this cryptanalysis to the 128-bit key AES. Our results have been experimentally confirmed with 100 effective cryptanalyses. Our attack enables the recovery of two information bits of the secret key with only 2 ciphertext blocks and a complexity of O(2 ) with a success probability of 0.68.
The Rabbit Stream Cipher: Design and Security Analysis
In Workshop Record of the State of the Art of Stream Ciphers Workshop, 2004
Abstract

Cited by 3 (2 self)
The stream cipher Rabbit was first presented at FSE 2003 [6]. In the paper at hand, a full security analysis of Rabbit is given, focusing on algebraic attacks, approximations and differential analysis. We determine the algebraic normal form of the main nonlinear parts of the cipher as part of a comprehensive algebraic analysis. In addition, both linear and nonlinear approximations of the next-state function are presented, as well as a differential analysis of the IV-setup function. None of the investigations have revealed any exploitable weaknesses. Rabbit is characterized by high performance in software with a measured encryption/decryption speed of 3.7 clock cycles per byte on a Pentium III processor.
NESHA-256, NEw 256-bit Secure Hash Algorithm
In Pre-proceedings of WCC '09, 2009
Abstract

Cited by 1 (0 self)
In this paper, we introduce a new dedicated 256-bit hash function: NESHA-256. The recent contest for hash functions held by NIST motivates us to design the new hash function, which has a parallel structure. Advantages of parallel structures, and also using some ideas from the design procedure of block-cipher-based hash functions, strengthen our proposed hash function both in security and in efficiency. NESHA-256 is designed not only to have higher security but also to be faster than SHA-256: the performance of NESHA-256 is at least 38% better than that of SHA-256 in software. We give security proofs supporting our design against existing known cryptographic attacks on hash functions.
Implementable Privacy for RFID Systems
PhD thesis, 2009
Abstract
Radio Frequency Identification (RFID) technology bridges the physical and virtual worlds by enabling computers to track the movement of objects. Within a few years, RFID tags will replace barcodes on consumer items to increase the efficiency in logistics processes. The same tags, however, can be used to monitor business processes of competitors and to track individuals by the items they carry or wear. This work seeks to diminish this loss of privacy by adding affordable privacy protection to RFID systems. Technical privacy measures should be integrated in RFID tags in order to thwart rogue scanning and preserve the privacy of individuals and corporations. To be available for the upcoming deployment of item-level tags, protection measures must not substantially increase the costs of RFID systems. Previously proposed solutions, however, would unacceptably increase the costs of RFID tags, because the solutions use building blocks which were not optimized for privacy applications. Privacy, therefore, has been considered too expensive to be included in low-cost tags. This dissertation instead argues that privacy can be achieved at very low cost within the tight constraints of the smallest RFID tags and the largest installations. Designing more economical protection systems requires a better understanding of what properties are crucial for privacy. By modeling the incentives of attackers and measuring the extent to which different protection measures rescind these incentives, protection systems can be found that prevent different attacks. Sufficient protection is achieved if the cost of rogue scanning exceeds its expected return for all likely attackers. Perfect protection is neither possible nor necessary to achieve strong privacy.
Protection can be realized through the combination of purposefully designed cryptographic primitives and optimized private identification protocols. These protocols achieve privacy only probabilistically, but—when parameterized well—disclose very little information. Adding noise to tag responses is one example of a protocol-level measure that provides a tradeoff between privacy and cost. The noise makes most tags indistinguishable to rogue readers while only modestly increasing the workload for the backend system.
Privacy protocols rely on cryptographic functions, but all available functions are too expensive for RFID tags. New functions should not provide expensive properties that are not necessary for privacy, but be an order of magnitude cheaper. Adapting small noise-based hash functions proposed for authentication is one alternative to achieving some of the properties of cryptographic functions without incurring their costs. Another alternative is designing new cryptographic primitives to share resources with functions already present on RFID tags. Such functions can be found through automated tests that measure the cryptographic strength of a large number of possible designs.
To achieve maximal privacy within a given cost budget, all design choices need to be considered concurrently, as similar tradeoffs often exist in different building blocks. This dissertation provides the building blocks needed to achieve strong privacy at low cost as well as a design method for building private systems from these building blocks. Towards this end, contributions are made in modeling the value of information, measuring privacy, optimizing privacy protocols, and designing cryptographic primitives.