Results 1  10
of
34
Linear Cryptanalysis of ReducedRound PRESENT
"... Abstract. PRESENT is a hardwareoriented block cipher suitable for resource constrained environment. In this paper we analyze PRESENT by the multidimensional linear cryptanalysis method. We claim that our attack can recover the 80bit secret key of PRESENT up to 25 rounds out of 31 rounds with aroun ..."
Abstract

Cited by 27 (0 self)
 Add to MetaCart
Abstract. PRESENT is a hardwareoriented block cipher suitable for resource constrained environment. In this paper we analyze PRESENT by the multidimensional linear cryptanalysis method. We claim that our attack can recover the 80bit secret key of PRESENT up to 25 rounds out of 31 rounds with around 2 62.4 data complexity. Furthermore, we showed that the 26round version of PRESENT can be attacked faster than key exhaustive search with the 2 64 data complexity by an advanced key search technique. Our results are superior to all the previous attacks. We demonstrate our result by performing the linear attacks on reduced variants of PRESENT. Our results exemplify that the performance of the multidimensional linear attack is superior compared to the classical linear attack.
Multiple differential cryptanalysis: Theory and practice
 In Joux [12
"... Abstract. Differential cryptanalysis is a wellknown statistical attack on block ciphers. We present here a generalisation of this attack called multiple differential cryptanalysis. We study the data complexity, the time complexity and the success probability of such an attack and we experimentally ..."
Abstract

Cited by 14 (0 self)
 Add to MetaCart
(Show Context)
Abstract. Differential cryptanalysis is a wellknown statistical attack on block ciphers. We present here a generalisation of this attack called multiple differential cryptanalysis. We study the data complexity, the time complexity and the success probability of such an attack and we experimentally validate our formulas on a reduced version of PRESENT. Finally, we propose a multiple differential cryptanalysis on 18round PRESENT for both 80bit and 128bit master keys.
New Links between Differential and Linear Cryptanalysis
 In EUROCRYPT’13, LNCS 7881
, 2013
"... Abstract. Recently, a number of relations have been established among previously known statistical attacks on block ciphers. Leander showed in 2011 that statistical saturation distinguishers are on average equivalent to multidimensional linear distinguishers. Further relations between these two typ ..."
Abstract

Cited by 7 (1 self)
 Add to MetaCart
(Show Context)
Abstract. Recently, a number of relations have been established among previously known statistical attacks on block ciphers. Leander showed in 2011 that statistical saturation distinguishers are on average equivalent to multidimensional linear distinguishers. Further relations between these two types of distinguishers and the integral and zerocorrelation distinguishers were established by Bogdanov et al. [6]. Knowledge about such relations is useful for classification of statistical attacks in order to determine those that give essentially complementary information about the security of block ciphers. The purpose of the work presented in this paper is to explore relations between differential and linear attacks. The mathematical link between linear and differential attacks was discovered by Chabaud and Vaudenay already in 1994, but it has never been used in practice. We will show how to use it for computing accurate estimates of truncated differential probabilities from accurate estimates of correlations of linear approximations. We demonstrate this method in practice and give the first instantiation of multiple differential cryptanalysis using the LLR statistical test on PRESENT. On a more theoretical side, we establish equivalence between a multidimensional linear distinguisher and a truncated differential distinguisher, and show that certain zerocorrelation linear distinguishers exist if and only if certain impossible differentials exist.
On the relation between the MXL family of algorithms and Gröbner basis algorithms
, 2012
"... The computation of Gröbner bases remains one of the most powerful methods for tackling the Polynomial System Solving (PoSSo) problem. The most efficient known algorithms reduce the Gröbner basis computation to Gaussian eliminations on several matrices. However, several degrees of freedom are availab ..."
Abstract

Cited by 6 (1 self)
 Add to MetaCart
The computation of Gröbner bases remains one of the most powerful methods for tackling the Polynomial System Solving (PoSSo) problem. The most efficient known algorithms reduce the Gröbner basis computation to Gaussian eliminations on several matrices. However, several degrees of freedom are available to generate these matrices. It is well known that the particular strategies used can drastically affect the efficiency of the computations. In this work we investigate a recentlyproposed strategy, the socalled “Mutant strategy”, on which a new family of algorithms is based (MXL, MXL2 and MXL3). By studying and describing the algorithms based on Gröbner basis concepts, we demonstrate that the Mutant strategy can be understood to be equivalent to the classical Normal Selection strategy currently used in Gröbner basis algorithms. Furthermore, we show that the “partial enlargement ” technique can be understood as a strategy for restricting the number of Spolynomials considered in an iteration of the F4 Gröbner basis algorithm, while the new termination criterion used in MXL3 does not lead to termination at a lower degree than the classical GebauerMöller installation of Buchberger’s criteria. We claim that our results map all novel concepts from the MXL family of algorithms to their wellknown Gröbner basis equivalents. Using previous results that had shown the relation between the original XL algorithm and F4, we conclude that the MXL family of algorithms can be fundamentally reduced to redundant variants of F4.
Algorithmic Algebraic Techniques and Their Application to Block Cipher Cryptanalysis
, 2011
"... In Part I we present and discuss implementations of both wellknown and novel algorithms for fundamental problems of linear algebra over the field with two elements GF(2). In particular, we present the best known implementations for matrixmatrix multiplication and matrix decomposition for dense mat ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
In Part I we present and discuss implementations of both wellknown and novel algorithms for fundamental problems of linear algebra over the field with two elements GF(2). In particular, we present the best known implementations for matrixmatrix multiplication and matrix decomposition for dense matrices over GF(2). These implementations are based on novel variants of the “M4RM ” multiplication algorithm and the M4RI elimination algorithm. In Part II we discuss Gröbner basis algorithms. No algorithm discussed in this part is new. However, we are not aware of any other treatment of either the matrixF5 or the F4style F5 in the English speaking literature which covers these algorithms in such detail. Furthermore, we provide reference implementations for all algorithms discussed in this part. In Part III we apply algebraic techniques to the cryptanalysis of block ciphers. The key contributions of this part are novel ways of utilising algebraic techniques in cryptanalysis. In particular, we combine algebraic techniques with linear, differential and higherorder differential cryptanalysis. These hybrid approaches allow us to push the respective cryptanalytical technique further in most cases. We also explicitly shift the focus from solving polynomial systems of equations to computing features about block ciphers which can then be used in other attacks. Finally, we propose a new family of problems – denoted “MaxPoSSo ” in this thesis – which model polynomial system solving with noise. We also propose an algorithm for solving these problems, based on Integer Programming, and apply this algorithm to the socalled “Cold Boot” problem.
Cryptography is Feasible on 4Bit Microcontrollers A Proof of Concept
"... The RFID technology in combination with cryptographic algorithms and protocols is discussed widely as a promising solution against product counterfeiting. Usually the discussion is focussed on passive lowcost RFIDtags, which have harsh power constraints. 4Bit microcontrollers have very lowpower ..."
Abstract

Cited by 5 (2 self)
 Add to MetaCart
(Show Context)
The RFID technology in combination with cryptographic algorithms and protocols is discussed widely as a promising solution against product counterfeiting. Usually the discussion is focussed on passive lowcost RFIDtags, which have harsh power constraints. 4Bit microcontrollers have very lowpower characteristics (560 µA) and are therefore an interesting platform for active and passive lowcost RFIDtags. To the best of our knowledge there are no implementations of cryptographic algorithms on a 4bit microcontroller published so far. Therefore, the main contribution of this work is to demonstrate that cryptography is feasible on these ultraconstrained devices and to close this gap. We chose PRESENT [1] as the cryptographic algorithm, because contrary to many other
Linear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT
"... The contributions of this paper include the first linear hull and a revisit of the algebraic cryptanalysis of reducedround variants of the block cipher PRESENT, under knownplaintext and ciphertextonly settings. We introduce a pure algebraic cryptanalysis of 5round PRESENT and in one of our attac ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
The contributions of this paper include the first linear hull and a revisit of the algebraic cryptanalysis of reducedround variants of the block cipher PRESENT, under knownplaintext and ciphertextonly settings. We introduce a pure algebraic cryptanalysis of 5round PRESENT and in one of our attacks we recover half of the bits of the key in less than three minutes using an ordinary desktop PC. The PRESENT block cipher is a design by Bogdanov et al., announced in CHES 2007 and aimed at RFID tags and sensor networks. For our linear attacks, we can attack 25round PRESENT with the whole code book, 2 96.68 25round PRESENT encryptions, 2 40 blocks of memory and 0.61 success rate. Further we can extend the linear attack to 26round with small success rate. As a further contribution of this paper we computed linear hulls in practice for the original PRESENT cipher, which corroborated and even improved on the predicted bias (and the corresponding attack complexities) of conventional linear relations based on a single linear trail.
On the Relation Between the Mutant Strategy and the Normal Selection Strategy in Gröbner Basis Algorithms
"... The computation of Gröbner bases remains one of the most powerful methods for tackling the Polynomial System Solving (PoSSo) problem. The most efficient known algorithms reduce the Gröbner basis computation to Gaussian eliminations on several matrices. However, several degrees of freedom are availab ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
(Show Context)
The computation of Gröbner bases remains one of the most powerful methods for tackling the Polynomial System Solving (PoSSo) problem. The most efficient known algorithms reduce the Gröbner basis computation to Gaussian eliminations on several matrices. However, several degrees of freedom are available to generate these matrices. It is well known that the particular strategies used can drastically affect the efficiency of the computations. In this work we investigate a recentlyproposed strategy, the socalled “Mutant strategy”, on which a new family of algorithms is based (MXL, MXL2 and MXL3). By studying and describing the algorithms based on Gröbner basis concepts, we demonstrate that the Mutant strategy can be understood to be equivalent to the classical Normal Selection strategy currently used in Gröbner basis algorithms. Furthermore, we show that the “partial enlargement ” technique can be understood as a strategy for restricting the number of Spolynomials considered in an iteration of the F4 Gröbner basis algorithm, while the new termination criterion used in MXL3 does not lead to termination at a lower degree than the classical GebauerMöller installation of Buchberger’s criteria. We claim that our results map all novel concepts from the MXL family of algorithms to their wellknown Gröbner basis equivalents. Using previous results that had shown the relation between the original XL algorithm and F4, we conclude that the MXL family of algorithms can be fundamentally reduced to redundant variants of F4.
Algebraic Cryptanalysis of Curry and Flurry using Correlated Messages
, 2010
"... In this paper, we present an algebraic attack against the Flurry and Curry block ciphers [12,13]. Usually, algebraic attacks against block ciphers only require one message/ciphertext pair to be mounted. In this paper, we investigate a different approach. Roughly, the idea is to generate an algebrai ..."
Abstract

Cited by 4 (3 self)
 Add to MetaCart
(Show Context)
In this paper, we present an algebraic attack against the Flurry and Curry block ciphers [12,13]. Usually, algebraic attacks against block ciphers only require one message/ciphertext pair to be mounted. In this paper, we investigate a different approach. Roughly, the idea is to generate an algebraic system from the knowledge of several well chosen correlated message/ciphertext pairs. Flurry and Curry are two families of ciphers which fully parametrizable and having a sound design strategy against the most common statistical attacks; i.e. linear and differential attacks. These ciphers are then targets of choices for algebraic attacks. It turns out that our new approach permits to go one step further in the (algebraic) cryptanalysis of difficult instances of Flurry and Curry. To explain the behavior of our attack, we have established an interesting connection between algebraic attacks and high order differential cryptanalysis [32]. From extensive experiments, we estimate that our approach – that we will call “algebraichigh order differential ” cryptanalysis – is polynomial when the Sbox is a power function. As a proof of concept, we have been able to break Flurry/Curry – up to 8 rounds – in few hours. We have also investigated the more difficult (and interesting case) of the inverse function. For such function, we have not been able to bound precisely the theoretical complexity, but our experiments indicate that our approach permits to obtain a significant practical gain. We have attacked Flurry/Curry using the inverse Sbox up to 8 rounds.
Algebraic attacks galore
, 2009
"... This is the first in a twopart survey of current techniques in algebraic cryptanalysis. After introducing the basic setup of algebraic attacks and discussing several attack scenarios for symmetric cryptosystems, public key cryptosystems, and stream ciphers, we discuss a number of individual methods ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
(Show Context)
This is the first in a twopart survey of current techniques in algebraic cryptanalysis. After introducing the basic setup of algebraic attacks and discussing several attack scenarios for symmetric cryptosystems, public key cryptosystems, and stream ciphers, we discuss a number of individual methods. The XL, XSL, and MutantXL attacks are based on linearization techniques for multivariate polynomial systems. Then we look at Gröbner basis and border bases methods. In the last section we introduce attacks based on integer programming techniques and try them