Results 1 - 10 of 253
Algebraic Attacks on Stream Ciphers with Linear Feedback
, 2003
Cited by 260 (21 self)
Abstract
A classical construction of stream ciphers is to combine several LFSRs and a highly nonlinear Boolean function f. Their security is usually studied in terms of correlation attacks, that can be seen as solving a system of multivariate linear equations, true with some probability. At ICISC'02 this approach is extended to systems of higher-degree multivariate equations, and gives an attack in 2 for Toyocrypt, a Cryptrec submission.
PRESENT: An Ultra-Lightweight Block Cipher
The Proceedings of CHES 2007
, 2007
Cited by 162 (18 self)
Abstract
With the establishment of the AES the need for new block ciphers has been greatly diminished; for almost all block cipher applications the AES is an excellent and preferred choice. However, despite recent implementation advances, the AES is not suitable for extremely constrained environments such as RFID tags and sensor networks. In this paper we describe an ultra-lightweight block cipher, PRESENT. Both security and hardware efficiency have been equally important during the design of the cipher and at 1570 GE, the hardware requirements for PRESENT are competitive with today's leading compact stream ciphers.
Cube Attacks on Tweakable Black Box Polynomials
In Proceedings of the 28th Annual International Conference on Advances in Cryptology: The Theory and Applications of Cryptographic Techniques, LNCS 5479
, 2009
Cited by 91 (8 self)
Abstract
Almost any cryptographic scheme can be described by tweakable polynomials over GF(2), which contain both secret variables (e.g., key bits) and public variables (e.g., plaintext bits or IV bits). The cryptanalyst is allowed to tweak the polynomials by choosing arbitrary values for the public variables, and his goal is to solve the resultant system of polynomial equations in terms of their common secret variables. In this paper we develop a new technique (called a cube attack) for solving such tweakable polynomials, which is a major improvement over several previously published attacks of the same type. For example, on the stream cipher Trivium with a reduced number of initialization rounds, the best previous attack (due to Fischer, Khazaei, and Meier) requires a barely practical complexity of 2^55 to attack 672 initialization rounds, whereas a cube attack can find the complete key of the same variant in 2^19 bit operations (which take less than a second on a single PC). Trivium with 735 initialization rounds (which could not be attacked by any previous technique) can now be broken with 2^30 bit operations. Trivium with 767 initialization rounds can now be broken with 2^45 bit operations, and the complexity of the attack can almost certainly be further reduced to about 2^36 bit operations. Whereas previous attacks were heuristic, had to be adapted to each cryptosystem, had no general complexity bounds, and were not expected to succeed on random looking polynomials, cube attacks are provably successful when applied to random polynomials of degree d over n secret variables whenever the number m of public variables exceeds d + log_d n. Their complexity is 2^(d-1) n + n^2 bit operations, which is polynomial in n and amazingly low when d is small. Cube attacks can be applied to any block cipher, stream cipher, or MAC which is provided as a black box (even when nothing is known about its internal structure) as long as at least one output bit can be represented by (an unknown) polynomial of relatively low degree in the secret and public variables.
Survey and Benchmark of Block Ciphers for Wireless Sensor Networks
ACM Transactions on Sensor Networks
, 2004
Cited by 85 (1 self)
Abstract
Choosing the most storage- and energy-efficient block cipher specifically for wireless sensor networks (WSNs) is not as straightforward as it seems. To our knowledge so far, there is no systematic evaluation framework for the purpose. In this paper, we have identified the candidates of block ciphers suitable for WSNs based on existing literature.
Essential algebraic structure within the AES
, 2002
Cited by 76 (7 self)
Abstract
One difficulty in the cryptanalysis of the Advanced Encryption Standard AES is the tension between operations in the two fields GF(2^8) and GF(2). This paper outlines a new approach that avoids this conflict. We define a new block cipher, the BES, that uses only simple algebraic operations in GF(2^8). Yet the AES can be regarded as being identical to the BES with a restricted message space and key space, thus enabling the AES to be realised solely using simple algebraic operations in one field GF(2^8). This permits the exploration of the AES within a broad and rich setting. One consequence is that AES encryption can be described by an extremely sparse overdetermined multivariate quadratic system over GF(2^8), whose solution would recover an AES key.
Carle. Algebraic attacks and decomposition of Boolean functions
In Advances in Cryptology - EUROCRYPT 2004, LNCS 3027
, 2004
Cited by 70 (6 self)
A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications
Advances in Cryptology - EUROCRYPT '03, Lecture Notes in Computer Science
, 2003
Cited by 70 (11 self)
Abstract
We initiate a theoretical investigation of the popular block-cipher design goal of security against "related-key attacks" (RKAs). We begin by introducing definitions for the concepts of PRPs and PRFs secure against classes of RKAs, each such class being specified by an associated set of "related-key deriving (RKD) functions." Then for some such classes of attacks, we prove impossibility results, showing that no block cipher can resist these attacks while, for other, related classes of attacks that include popular targets in the block cipher community, we prove possibility results that provide theoretical support for the view that security against them is achievable. Finally we prove security of various block-cipher based constructs that use related keys, including a tweakable block cipher given in [17]. We believe this work helps block-cipher designers and cryptanalysts by clarifying what classes of attacks can and cannot be targets of design. It helps block-cipher users by providing guidelines about the kinds of related keys that are safe to use in constructs, and by enabling them to prove the security of such constructs. Finally, it puts forth a new primitive for consideration by theoreticians with regard to open questions about constructs based on minimal assumptions.
Higher Order Correlation Attacks, XL algorithm and Cryptanalysis of Toyocrypt
, 2002
Cited by 67 (8 self)
Abstract
A popular technique to construct stream ciphers is to use a linear sequence generator with a very large period and good statistical properties and a nonlinear filter. There is abundant literature on how to use linear approximations of this nonlinear function to attack the cipher, which is known as (fast) correlation attacks. In this paper we explore nonlinear approximations, much less well known. We will reduce the cryptanalysis of a stream cipher to solving an overdefined system of multivariate equations. At Eurocrypt 2000, Courtois, Klimov, Patarin and Shamir have introduced the XL algorithm for solving systems of overdefined multivariate quadratic equations over finite fields. The exact complexity of the XL algorithm remains an open problem, and some authors such as T. T. Moh have expressed serious doubts whether it actually works very well. However there is no doubt that such methods work very well for largely overdefined systems (many more equations than variables), and we confirm this by computer simulations. Luckily systems we obtain in cryptanalysis of stream ciphers are precisely very overdefined. In this paper we will show how to break efficiently stream ciphers that are known to be immune to all the previously known attacks. For example, we will be able to break the stream
HIGHT: A New Block Cipher Suitable for Low-Resource Device
, 2009
Cited by 63 (1 self)
Abstract
In this paper, we propose a new block cipher HIGHT with 64-bit block length and 128-bit key length. It provides low-resource hardware implementation, which is proper to ubiquitous computing devices such as a sensor in USN or an RFID tag. HIGHT does not only consist of simple operations to be ultra-light but also has enough security as a good encryption algorithm. Our hardware implementation of HIGHT requires 3048 gates on 0.25 µm technology.
Algebraic attacks on combiners with memory
Advances in Cryptology - CRYPTO 2003, LNCS 2729
, 2003
Cited by 55 (6 self)
Abstract
Recently, algebraic attacks were proposed to attack several cryptosystems, e.g. AES, LILI-128 and Toyocrypt. This paper extends the use of algebraic attacks to combiners with memory. A (k, l)-combiner consists of k parallel linear feedback shift registers (LFSRs), and the nonlinear filtering is done via a finite automaton with k input bits and l memory bits. It is shown that for (k, l)-combiners, nontrivial canceling relations of degree at most ⌈k(l+1)/2⌉ exist. This makes algebraic attacks possible. Also, a general method is presented to check for such relations with an even lower degree. This allows one to show the invulnerability of certain (k, l)-combiners against this kind of algebraic attack. On the other hand, this can also be used as a tool to find improved algebraic attacks. Inspired by this method, the E0 keystream generator from the Bluetooth standard is analyzed. As it turns out, a secret key can be recovered by solving a system of linear equations with 2^23.07 unknowns. To our knowledge, this is the best published attack on the E0 keystream generator yet.