Results 1 
9 of
9
Chosen IV statistical analysis for key recovery attacks on stream ciphers
 In Serge Vaudenay, editor, AFRICACRYPT, volume 5023 of LNCS
, 2008
"... Abstract. A recent framework for chosen IV statistical distinguishing analysis of stream ciphers is exploited and formalized to provide new methods for key recovery attacks. As an application, a key recovery attack on simplified versions of two eSTREAM Phase 3 candidates is given: For Grain128 with ..."
Abstract

Cited by 22 (3 self)
 Add to MetaCart
Abstract. A recent framework for chosen IV statistical distinguishing analysis of stream ciphers is exploited and formalized to provide new methods for key recovery attacks. As an application, a key recovery attack on simplified versions of two eSTREAM Phase 3 candidates is given: For Grain128 with IV initialization reduced to up to 180 of its 256 iterations, and for Trivium with IV initialization reduced to up to 672 of its 1152 iterations, it is experimentally demonstrated how to deduce a few key bits. Evidence is given that the present analysis is not applicable on Grain128 or Trivium with full IV initialization.
Cube Testers and Key Recovery Attacks On Reducedround MD6 and Trivium
"... CRYPTO 2008 saw the introduction of the hash function MD6 and of cube attacks, a type of algebraic attack applicable to cryptographic functions having a lowdegree algebraic normal form over GF(2). This paper applies cube attacks to reduced round MD6, finding the full 128bit key of a 14round MD6 w ..."
Abstract

Cited by 22 (3 self)
 Add to MetaCart
CRYPTO 2008 saw the introduction of the hash function MD6 and of cube attacks, a type of algebraic attack applicable to cryptographic functions having a lowdegree algebraic normal form over GF(2). This paper applies cube attacks to reduced round MD6, finding the full 128bit key of a 14round MD6 with complexity 2 22 (which takes less than a minute on a single PC). This is the best key recovery attack announced so far for MD6. We then introduce a new class of attacks called cube testers, based on efficient propertytesting algorithms, and apply them to MD6 and to the stream cipher Trivium. Unlike the standard cube attacks, cube testers detect nonrandom behavior rather than performing key extraction, but they can also attack cryptographic schemes described by nonrandom polynomials of relatively high degree. Applied to MD6, cube testers detect nonrandomness over 18 rounds in 2 17 complexity; applied to a slightly modified version of the MD6 compression function, they can distinguish 66 rounds from random in 2 24 complexity. Cube testers give distinguishers on Trivium reduced to 790 rounds from random with 2 30 complexity and detect nonrandomness over 885 rounds in 2 27, improving on the original 767round cube attack.
A Framework for Chosen IV Statistical Analysis of Stream Ciphers
 In INDOCRYPT 2007. See also Tools for Cryptoanalysis
, 2007
"... Abstract. Saarinen recently proposed a chosen IV statistical attack, called the dmonomial test, and used it to find weaknesses in several proposed stream ciphers. In this paper we generalize this idea and propose a framework for chosen IV statistical attacks using a polynomial description. We propo ..."
Abstract

Cited by 15 (0 self)
 Add to MetaCart
Abstract. Saarinen recently proposed a chosen IV statistical attack, called the dmonomial test, and used it to find weaknesses in several proposed stream ciphers. In this paper we generalize this idea and propose a framework for chosen IV statistical attacks using a polynomial description. We propose a few new statistical attacks, apply them on some existing stream cipher proposals, and give some conclusions regarding the strength of their IV initialization. In particular, we experimentally detected statistical weaknesses in some state bits of Grain128 with full IV initialization as well as in the keystream of Trivium using an initialization reduced to 736 rounds from 1152 rounds. We also propose some stronger alternative initialization schemes with respect to these statistical attacks. 1
Plaintextdependant Repetition Codes Cryptanalysis of Block Ciphers  The AES Case
 IACR eprint archive, http://eprint.iacr.org/2003/003/, 8th
, 2003
"... This paper presents a new "operational" cryptanalysis of block ciphers based on the use of a wellknown errorcorrecting code: the repetition codes. We demonstrate how to describe a block cipher with such a code before explaining how to design a new ciphertext only cryptanalysis of these cryptosyste ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
This paper presents a new "operational" cryptanalysis of block ciphers based on the use of a wellknown errorcorrecting code: the repetition codes. We demonstrate how to describe a block cipher with such a code before explaining how to design a new ciphertext only cryptanalysis of these cryptosystems on the assumption that plaintext belongs to a particular class. This new cryptanalysis may succeed for any block cipher and thus is likely to question the security of those cryptosystems for encryption. We then apply this cryptanalysis to the 128bit key AES. Our results have been experimentally confirmed with 100 eective cryptanalysis. Our attack enables to recover two information bits of the secret key with only 2 ciphertext blocks and a complexity of O(2 ) with a success probability of 0.68.
Choseniv statistical attacks on estream stream ciphers
 eSTREAM, ECRYPT Stream Cipher Project, Report 2006/013
, 2006
"... Abstract. dMonomial tests are statistical randomness tests based on Algebraic Normal Form representation of a Boolean function, and were first introduced by Filiol in 2002. We show that there are strong indications that the Gate Complexity of a Boolean function is related to a bias detectable in a ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
Abstract. dMonomial tests are statistical randomness tests based on Algebraic Normal Form representation of a Boolean function, and were first introduced by Filiol in 2002. We show that there are strong indications that the Gate Complexity of a Boolean function is related to a bias detectable in a dMonomial test. We then discuss how to effectively apply dMonomial tests in chosenIV attacks against stream ciphers. Finally we present results of tests performed on eSTREAM proposals, and show that six of these new ciphers can be broken using the dMonomial test in a chosenIV attack. Many ciphers even fail a trivial (ANF) bitflipping test.
The Rabbit Stream Cipher  Design and Security Analysis
 In Workshop Record of the State of the Arts of Stream Ciphers Workshop
, 2004
"... The stream cipher Rabbit was first presented at FSE 2003 [6]. In the paper at hand, a full security analysis of Rabbit is given, focusing on algebraic attacks, approximations and di#erential analysis. We determine the algebraic normal form of the main nonlinear parts of the cipher as part of a co ..."
Abstract

Cited by 3 (2 self)
 Add to MetaCart
The stream cipher Rabbit was first presented at FSE 2003 [6]. In the paper at hand, a full security analysis of Rabbit is given, focusing on algebraic attacks, approximations and di#erential analysis. We determine the algebraic normal form of the main nonlinear parts of the cipher as part of a comprehensive algebraic analysis. In addition, both linear and nonlinear approximations of the nextstate function are presented, as well as a di#erential analysis of the IVsetup function. None of the investigations have revealed any exploitable weaknesses. Rabbit is characterized by high performance in software with a measured encryption/decryption speed of 3.7 clock cycles per byte on a Pentium III processor.
Implementable Privacy for RFID Systems
"... Radio Frequency Identification (RFID) technology bridges the physical and virtual worlds by enabling computers to track the movement of objects. Within a few years, RFID tags will replace barcodes on consumer items to increase the efficiency in logistics processes. The same tags, however, can be use ..."
Abstract
 Add to MetaCart
Radio Frequency Identification (RFID) technology bridges the physical and virtual worlds by enabling computers to track the movement of objects. Within a few years, RFID tags will replace barcodes on consumer items to increase the efficiency in logistics processes. The same tags, however, can be used to monitor business processes of competitors and to track individuals by the items they carry or wear. This work seeks to diminish this loss of privacy by adding affordable privacy protection to RFID systems. Technical privacy measures should be integrated in RFID tags in order to thwart rogue scanning and preserve the privacy of individuals and corporations. To be available for the upcoming deployment of itemlevel tags, protection measures must not substantially increase the costs of RFID systems. Previously proposed solutions, however, would unacceptably increase the costs of RFID tags, because the solutions use building blocks which were not optimized for privacy applications. Privacy, therefore, has been considered too expensive to be included in lowcost tags. This dissertation instead argues that privacy can be achieved at very low cost within the tight constraints of the smallest RFID tags and the largest installations. Designing more economical protection systems requires a better understanding of what properties
Extended Cubes: Enhancing the Cube Attack by Extracting LowDegree NonLinear Equations
"... In this paper, we propose an efficient method for extracting simple lowdegree equations (e.g. quadratic ones) in addition to the linear ones, obtainable from the original cube attack by Dinur and Shamir at EUROCRYPT 2009. This extended cube attack can be successfully applied even to cryptosystems i ..."
Abstract
 Add to MetaCart
In this paper, we propose an efficient method for extracting simple lowdegree equations (e.g. quadratic ones) in addition to the linear ones, obtainable from the original cube attack by Dinur and Shamir at EUROCRYPT 2009. This extended cube attack can be successfully applied even to cryptosystems in which the original cube attack may fail due to the attacker’s inability in finding sufficiently many independent linear equations. As an application of our extended method, we exhibit a side channel cube attack against the PRESENT block cipher using the Hamming weight leakage model. Our side channel attack improves upon the previous work of Yang, Wang and Qiao at CANS 2009 from two aspects. First, we use the Hamming weight leakage model which is a more relaxed leakage assumption, supported by many previously known practical results on side channel attacks, compared to the more challenging leakage assumption that the adversary has access to the “exact ” value of the internal state bits as used by Yang et al. Thanks to applying the extended cube method, our attack has also a reduced complexity compared to that of Yang et al. Namely, for PRESENT80 (80bit key variant) as considered by Yang et al., our attack has a time complexity 2 16 and data complexity of about 2 13 chosen plaintexts; whereas, that of Yang et al. has time complexity of 2 32 and needs about 2 15 chosen plaintexts. Furthermore, our method directly applies Shekh Faisal AbdulLatip is currently with the Faculty
Cube Testers and Key Recovery Attacks On
"... Abstract. CRYPTO 2008 saw the introduction of the hash function MD6 and of cube attacks, a type of algebraic attack applicable to cryptographic functions having a lowdegree algebraic normal form over GF(2). This paper applies cube attacks to reduced round MD6, finding the full 128bit key of a 14r ..."
Abstract
 Add to MetaCart
Abstract. CRYPTO 2008 saw the introduction of the hash function MD6 and of cube attacks, a type of algebraic attack applicable to cryptographic functions having a lowdegree algebraic normal form over GF(2). This paper applies cube attacks to reduced round MD6, finding the full 128bit key of a 14round MD6 with complexity 2 22 (which takes less than a minute on a single PC). This is the best key recovery attack announced so far for MD6. We then introduce a new class of attacks called cube testers, based on efficient propertytesting algorithms, and apply them to MD6 and to the stream cipher Trivium. Unlike the standard cube attacks, cube testers detect nonrandom behavior rather than performing key extraction, but they can also attack cryptographic schemes described by nonrandom polynomials of relatively high degree. Applied to MD6, cube testers detect nonrandomness over 18 rounds in 2 17 complexity; applied to a slightly modified version of the MD6 compression function, they can distinguish 66 rounds from random in 2 24 complexity. Cube testers give distinguishers on Trivium reduced to 790 rounds from random with 2 30 complexity and detect nonrandomness over 885 rounds in 2 27, improving on the original 767round cube attack.