Results 1  10
of
180
PRESENT: An UltraLightweight Block Cipher
 THE PROCEEDINGS OF CHES 2007
, 2007
"... With the establishment of the AES the need for new block ciphers has been greatly diminished; for almost all block cipher applications the AES is an excellent and preferred choice. However, despite recent implementation advances, the AES is not suitable for extremely constrained environments such ..."
Abstract

Cited by 167 (19 self)
 Add to MetaCart
(Show Context)
With the establishment of the AES the need for new block ciphers has been greatly diminished; for almost all block cipher applications the AES is an excellent and preferred choice. However, despite recent implementation advances, the AES is not suitable for extremely constrained environments such as RFID tags and sensor networks. In this paper we describe an ultralightweight block cipher, present. Both security and hardware efficiency have been equally important during the design of the cipher and at 1570 GE, the hardware requirements for present are competitive with today’s leading compact stream ciphers.
Algebraic cryptanalysis of hidden field equation (HFE) cryptosystems using Gröbner bases
"... ..."
(Show Context)
Instant CiphertextOnly Cryptanalysis of GSM Encrypted Communication
 Advances in Cryptology, proceedings of CRYPTO 2003, Lecture Notes in Computer Science 2729
"... Abstract. In this paper we present a very practical ciphertextonly cryptanalysis of GSM encrypted communication, and various active attacks on the GSM protocols. These attacks can even break into GSM networks that use “unbreakable ” ciphers. We describe a ciphertextonly attack on A5/2 that require ..."
Abstract

Cited by 102 (2 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper we present a very practical ciphertextonly cryptanalysis of GSM encrypted communication, and various active attacks on the GSM protocols. These attacks can even break into GSM networks that use “unbreakable ” ciphers. We describe a ciphertextonly attack on A5/2 that requires a few dozen milliseconds of encrypted offtheair cellular conversation and finds the correct key in less than a second on a personal computer. We then extend this attack to a (more complex) ciphertextonly attack on A5/1. We describe new attacks on the protocols of networks that use A5/1, A5/3, or even GPRS. These attacks are based on security flaws of the GSM protocols, and work whenever the mobile phone supports A5/2. We emphasize that these attacks are on the protocols, and are thus applicable whenever the cellular phone supports a weak cipher, for instance they are also applicable using the cryptanalysis of A5/1. Unlike previous attacks on GSM that require unrealistic information, like long known plaintext periods, our attacks are very practical and do not require any knowledge of the content of the conversation. These attacks allow attackers to tap conversations and decrypt them either in realtime, or at any later time. We also show active attacks, such as call hijacking, altering of data messages and call theft. 1
Cube Attacks on Tweakable Black Box Polynomials
 in Proceedings of the 28th Annual International Conference on Advances in Cryptology: The Theory and Applications of Cryptographic Techniques, LNCS 5479
, 2009
"... Abstract. Almost any cryptographic scheme can be described by tweakable polynomials over GF (2), which contain both secret variables (e.g., key bits) and public variables (e.g., plaintext bits or IV bits). The cryptanalyst is allowed to tweak the polynomials by choosing arbitrary values for the publ ..."
Abstract

Cited by 91 (8 self)
 Add to MetaCart
(Show Context)
Abstract. Almost any cryptographic scheme can be described by tweakable polynomials over GF (2), which contain both secret variables (e.g., key bits) and public variables (e.g., plaintext bits or IV bits). The cryptanalyst is allowed to tweak the polynomials by choosing arbitrary values for the public variables, and his goal is to solve the resultant system of polynomial equations in terms of their common secret variables. In this paper we develop a new technique (called a cube attack) for solving such tweakable polynomials, which is a major improvement over several previously published attacks of the same type. For example, on the stream cipher Trivium with a reduced number of initialization rounds, the best previous attack (due to Fischer, Khazaei, and Meier) requires a barely practical complexity of 255 to attack 672 initialization rounds, whereas a cube attack can find the complete key of the same variant in 219 bit operations (which take less than a second on a single PC). Trivium with 735 initialization rounds (which could not be attacked by any previous technique) can now be broken with 230 bit operations. Trivium with 767 initialization rounds can now be broken with 245 bit operations, and the complexity of the attack can almost certainly be further reduced to about 236 bit operations. Whereas previous attacks were heuristic, had to be adapted to each cryptosystem, had no general complexity bounds, and were not expected to succeed on random looking polynomials, cube attacks are provably successful when applied to random polynomials of degree d over n secret variables whenever the number m of public variables exceeds d + logdn. Their complexity is 2 d−1n + n2 bit operations, which is polynomial in n and amazingly low when d is small. Cube attacks can be applied to any block cipher, stream cipher, or MAC which is provided as a black box (even when nothing is known about its internal structure) as long as at least one output bit can be represented by (an unknown) polynomial of relatively low degree in the secret and public variables.
Essential algebraic structure within the AES
, 2002
"... Abstract. One difficulty in the cryptanalysis of the Advanced Encryption Standard AES is the tension between operations in the two fields GF (2 8) and GF (2). This paper outlines a new approach that avoids this conflict. We define a new block cipher, the BES, that uses only simple algebraic operatio ..."
Abstract

Cited by 77 (7 self)
 Add to MetaCart
(Show Context)
Abstract. One difficulty in the cryptanalysis of the Advanced Encryption Standard AES is the tension between operations in the two fields GF (2 8) and GF (2). This paper outlines a new approach that avoids this conflict. We define a new block cipher, the BES, that uses only simple algebraic operations in GF (2 8). Yet the AES can be regarded as being identical to the BES with a restricted message space and key space, thus enabling the AES to be realised solely using simple algebraic operations in one field GF (2 8). This permits the exploration of the AES within a broad and rich setting. One consequence is that AES encryption can be described by an extremely sparse overdetermined multivariate quadratic system over GF (2 8), whose solution would recover an AES key.
Algebraic Cryptanalysis of the Data Encryption Standard
 IN PREPARATION. SEE IACR EPRINT
, 2006
"... In spite of growing importance of AES, the Data Encryption Standard is by no means obsolete. DES has never been broken from the practical point of view. The triple ..."
Abstract

Cited by 56 (14 self)
 Add to MetaCart
In spite of growing importance of AES, the Data Encryption Standard is by no means obsolete. DES has never been broken from the practical point of view. The triple
Noisy Polynomial Interpolation and Noisy Chinese Remaindering
, 2000
"... Abstract. The noisy polynomial interpolation problem is a new intractability assumption introduced last year in oblivious polynomial evaluation. It also appeared independently in password identification schemes, due to its connection with secret sharing schemes based on Lagrange’s polynomial interpo ..."
Abstract

Cited by 46 (2 self)
 Add to MetaCart
Abstract. The noisy polynomial interpolation problem is a new intractability assumption introduced last year in oblivious polynomial evaluation. It also appeared independently in password identification schemes, due to its connection with secret sharing schemes based on Lagrange’s polynomial interpolation. This paper presents new algorithms to solve the noisy polynomial interpolation problem. In particular, we prove a reduction from noisy polynomial interpolation to the lattice shortest vector problem, when the parameters satisfy a certain condition that we make explicit. Standard lattice reduction techniques appear to solve many instances of the problem. It follows that noisy polynomial interpolation is much easier than expected. We therefore suggest simple modifications to several cryptographic schemes recently proposed, in order to change the intractability assumption. We also discuss analogous methods for the related noisy Chinese remaindering problem arising from the wellknown analogy between polynomials and integers. 1
Algebraic and Slide Attacks on KeeLoq
"... Abstract. KeeLoq is a block cipher used in wireless devices that unlock the doors and alarms in cars manufactured by Chrysler, Daewoo, Fiat, ..."
Abstract

Cited by 43 (6 self)
 Add to MetaCart
(Show Context)
Abstract. KeeLoq is a block cipher used in wireless devices that unlock the doors and alarms in cars manufactured by Chrysler, Daewoo, Fiat,
Efficient Methods for Conversion and Solution of Sparse Systems of LowDegree Multivariate Polynomials over GF(2) via SATSolvers
, 2007
"... The computational hardness of solving large systems of sparse and lowdegree multivariate equations is a necessary condition for the security of most modern symmetric cryptographic schemes. Notably, most cryptosystems can be implemented with inexpensive hardware, and have a low gate counts, resulti ..."
Abstract

Cited by 41 (13 self)
 Add to MetaCart
(Show Context)
The computational hardness of solving large systems of sparse and lowdegree multivariate equations is a necessary condition for the security of most modern symmetric cryptographic schemes. Notably, most cryptosystems can be implemented with inexpensive hardware, and have a low gate counts, resulting in a sparse system of equations, which in turn renders such attacks feasible. On one hand, numerous recent papers on the XL algorithm and more sophisticated Gröbnerbases techniques [5, 7, 13, 14] demonstrate that systems of equations are efficiently solvable when they are sufficiently overdetermined or have a hidden internal algebraic structure that implies the existence of some useful algebraic relations. On the other hand, most of this work, as well as most successful algebraic attacks, involve dense, not sparse systems, at least until linearization by XL or a similar algorithm. No polynomialsystemsolving algorithm we are aware of, demonstrates that a significant benefit is obtained from the extreme sparsity of some systems of equations. In this paper, we study methods for efficiently converting systems of lowdegree sparse multivariate equations into a conjunctive normal form satisfiability (CNFSAT) problem, for which excellent heuristic algorithms have been developed in recent years. A direct application of this method gives very efficient results: we show that sparse multivariate quadratic systems (especially if overdefined) can be solved much faster than by exhaustive search if β ≤ 1/100. In particular, our method requires no additional memory beyond that required to store the problem, and so often terminates with an answer for problems that cause Magma and Singular to crash. On the other hand, if Magma or Singular do not crash, then they tend to be faster than our method, but this case includes only the smallest sample problems.
QUAD: a Practical Stream Cipher with Provable Security
 In EUROCRYPT 2006, volume 4004 of LNCS
, 2006
"... 45 avenue des EtatsUnis, F78035 Versailles cedex, France. Abstract. We introduce a practical synchronous stream cipher with provable security named QUAD. The cipher relies on the iteration of a multivariate quadratic system of m equations in n < m unknowns over a finite field. The security of Q ..."
Abstract

Cited by 39 (3 self)
 Add to MetaCart
(Show Context)
45 avenue des EtatsUnis, F78035 Versailles cedex, France. Abstract. We introduce a practical synchronous stream cipher with provable security named QUAD. The cipher relies on the iteration of a multivariate quadratic system of m equations in n < m unknowns over a finite field. The security of QUAD is provably reducible to the conjectured intractability of the MQ problem, namely solving a multivariate system of quadratic equations. 1