TL;DR: In this paper, the authors consider basic notions of security for cryptographic hash functions (collision resistance, preimage resistance, and second-preimage resistance), give seven different definitions that correspond to these three underlying ideas, and then work out all of the implications and separations among these seven definitions within the concrete-security, provable-security framework.
Abstract: We consider basic notions of security for cryptographic hash functions: collision resistance, preimage resistance, and second-preimage resistance. We give seven different definitions that correspond to these three underlying ideas, and then we work out all of the implications and separations among these seven definitions within the concrete-security, provable-security framework. Because our results are concrete, we can show two types of implications, conventional and provisional, where the strength of the latter depends on the amount of compression achieved by the hash function. We also distinguish two types of separations, conditional and unconditional. When constructing counterexamples for our separations, we are careful to preserve specified hash-function domains and ranges; this rules out some pathological counterexamples and makes the separations more meaningful in practice. Four of our definitions are standard while three appear to be new; some of our relations and separations have appeared, others have not. Here we give a modern treatment that acts to catalog, in one place and with carefully-considered nomenclature, the most basic security notions for cryptographic hash functions.
TL;DR: At Crypto 2003, Courtois [8] proposed Fast Algebraic Attacks, a variant of algebraic attacks (cryptanalysis based on finding and solving a system of nonlinear equations) whose precomputation step lowers the degree of the equations but whose correctness had been neither proven nor obvious.
Abstract: An algebraic attack is a method for cryptanalysis which is based on finding and solving a system of nonlinear equations. Recently, algebraic attacks were found helpful in cryptanalysing LFSR-based stream ciphers. The efficiency of these attacks greatly depends on the degree of the nonlinear equations. At Crypto 2003, Courtois [8] proposed Fast Algebraic Attacks. His main idea is to decrease the degree of the equations using a precomputation algorithm. Unfortunately, the correctness of the precomputation step was neither proven, nor was it obvious.
TL;DR: CWC is a new block cipher mode of operation for protecting both the privacy and the authenticity of encapsulated data; it is the first such mode having all five of the following properties: provable security, parallelizability, high performance in hardware, high performance in software, and no intellectual property concerns.
Abstract: We introduce CWC, a new block cipher mode of operation for protecting both the privacy and the authenticity of encapsulated data. CWC is the first such mode having all five of the following properties: provable security, parallelizability, high performance in hardware, high performance in software, and no intellectual property concerns. We believe that having all five of these properties makes CWC a powerful tool for use in many performance-critical cryptographic applications. CWC is also the first appropriate solution for some applications; e.g., standardization bodies like the IETF and NIST prefer patent-free modes, and CWC is the first such mode capable of processing data at 10Gbps in hardware, which will be important for future IPsec (and other) network devices. As part of our design, we also introduce a new parallelizable universal hash function optimized for performance in both hardware and software.
TL;DR: The resulting design offers better hardware efficiency than other recent 128-key-bit block ciphers, and resistance against side-channel cryptanalysis was also considered as a design criterion for ICEBERG.
Abstract: We present a fast involutional block cipher optimized for reconfigurable hardware implementations. ICEBERG uses 64-bit text blocks and 128-bit keys. All components are involutional and allow very efficient combinations of encryption/decryption. Hardware implementations of ICEBERG allow the key to be changed at every clock cycle without any performance loss, and its round keys are derived “on-the-fly” in encryption and decryption modes (no storage of round keys is needed). The resulting design offers better hardware efficiency than other recent 128-key-bit block ciphers. Resistance against side-channel cryptanalysis was also considered as a design criterion for ICEBERG.
TL;DR: In this article, the authors present new results regarding Rotation Symmetric (rots) correlation immune (CI) and bent functions and prove the nonexistence of homogeneous rots bent functions of degree ≥ 3 on a single cycle.
Abstract: Recent research shows that the class of Rotation Symmetric Boolean Functions (RSBFs), i.e., the class of Boolean functions that are invariant under circular translation of indices, is potentially rich in functions of cryptographic significance. Here we present new results regarding the Rotation Symmetric (rots) correlation immune (CI) and bent functions. We present important data structures for an efficient search strategy for rots bent and CI functions. Further, we prove the nonexistence of homogeneous rots bent functions of degree ≥ 3 on a single cycle.
TL;DR: This paper presents a related key truncated differential attack on 27 rounds of XTEA which is the best known attack so far and shows that H. Seki et al.'s idea combined with the authors' related key differential characteristic can be applied to attack 31 rounds of GOST.
Abstract: In this paper, we present a related key truncated differential attack on 27 rounds of XTEA which is the best known attack so far. With an expected success rate of 96.9%, we can attack 27 rounds of XTEA using \(2^{20.5}\) chosen plaintexts and with a complexity of \(2^{115.15}\) 27-round XTEA encryptions. We also propose several attacks on GOST. First, we present a distinguishing attack on full-round GOST, which can distinguish it from a random permutation with probability \(1 - 2^{-64}\) using a related key differential characteristic. We also show that H. Seki et al.’s idea combined with our related key differential characteristic can be applied to attack 31 rounds of GOST. Lastly, we propose a related key differential attack on full-round GOST. In this attack, we can recover 12 bits of the master key with \(2^{35}\) chosen plaintexts, \(2^{36}\) encryption operations and an expected success rate of 91.7%.
TL;DR: In this article, the authors propose a new way to construct invertible T-functions on multiword states whose iteration is guaranteed to yield a single cycle of arbitrary length (say, \(2^{256}\)).
Abstract: A T-function is a mapping from n-bit words to n-bit words in which for each 0 ≤ i
TL;DR: Stream cipher HC-256 is proposed in this paper. It generates keystream from a 256-bit secret key and a 256-bit initialization vector, and it consists of two secret tables, each one with 1024 32-bit elements.
Abstract: Stream cipher HC-256 is proposed in this paper. It generates keystream from a 256-bit secret key and a 256-bit initialization vector. HC-256 consists of two secret tables, each one with 1024 32-bit elements. The two tables are used as S-Box alternatively. At each step one element of a table is updated and one 32-bit output is generated. The encryption speed of the C implementation of HC-256 is about 1.9 bit per clock cycle (4.2 clock cycle per byte) on the Intel Pentium 4 processor.
TL;DR: In this article, the differential probability \(\mathrm{adp}^{\oplus}\) of exclusive-or when differences are expressed using addition modulo \(2^N\) is studied; this function matters for primitives in which addition is used to add in the round keys.
Abstract: We study the differential probability \(\mathrm{adp}^{\oplus}\) of exclusive-or when differences are expressed using addition modulo \(2^N\). This function is important when analysing symmetric primitives that mix exclusive-or and addition—especially when addition is used to add in the round keys. (Such primitives include IDEA, MARS, RC6 and Twofish.) We show that \(\mathrm{adp}^{\oplus}\) can be viewed as a formal rational series with a linear representation in base 8. This gives a linear-time algorithm for computing \(\mathrm{adp}^{\oplus}\), and enables us to compute several interesting properties like the fraction of impossible differentials, and the maximal differential probability for any given output difference. Finally, we compare our results with the dual results of Lipmaa and Moriai on the differential probability of addition modulo \(2^N\) when differences are expressed using exclusive-or.
TL;DR: In this paper, the authors analyze the security of the stream cipher Helix, recently proposed at FSE'03, and describe two new attacks on the keystream generator of Helix.
Abstract: In this paper, we analyze the security of the stream cipher Helix, recently proposed at FSE’03. Helix is a high-speed asynchronous stream cipher, with a built-in MAC functionality. We analyze the differential properties of its keystream generator and describe two new attacks.
TL;DR: In order to protect a cryptographic algorithm against Power Analysis attacks, a well-known method consists in hiding all the internal data with randomly chosen masks.
Abstract: In order to protect a cryptographic algorithm against Power Analysis attacks, a well-known method consists in hiding all the internal data with randomly chosen masks.
TL;DR: In this paper, the authors develop tools to derive linearly independent multivariate equations from algebraic S-boxes and apply them to maximally nonlinear power functions with the inverse exponents, Gold exponents or Kasami exponents.
Abstract: We develop several tools to derive linearly independent multivariate equations from algebraic S-boxes. By applying them to maximally nonlinear power functions with the inverse exponents, Gold exponents, or Kasami exponents, we estimate their resistance against algebraic attacks. As a result, we show that S-boxes with Gold exponents have very weak resistance and S-boxes with Kasami exponents have slightly better resistance against algebraic attacks than those with the inverse exponents.
TL;DR: In this article, the algebraic attacks on stream ciphers with memories are applied to the summation generator; for a summation generator that uses n LFSRs, an algebraic equation relating the key stream bits and the LFSR output bits can be made to be of degree at most \(2^{\lceil\log_2 n \rceil}\) using \(\lceil\log_2 n \rceil + 1\) consecutive key stream bits.
Abstract: We apply the algebraic attacks on stream ciphers with memories to the summation generator. For a summation generator that uses n LFSRs, an algebraic equation relating the key stream bits and LFSR output bits can be made to be of degree less than or equal to \(2^{\lceil\log_2 n \rceil}\) using \(\lceil\log_2 n \rceil + 1\) consecutive key stream bits. This is much lower than the upper bound given by previous general results. We also show that the techniques of [6,2] can be applied to summation generators using \(2^k\) LFSRs to reduce the effective degree of the algebraic equation.
TL;DR: In this paper, the authors proposed a new design strategy to avoid the difference cancellation by employing multiple MDS-based matrices in the diffusion layer of the F-function, and the effectiveness of the proposed method is confirmed by an experimental result showing that the percentage of active S-boxes of the newly designed Feistel cipher becomes the same as for the AES.
Abstract: A practical measure to estimate the immunity of block ciphers against differential and linear attacks consists of finding the minimum number of active S-Boxes, or a lower bound for this minimum number. The evaluation result of lower bounds of differentially active S-boxes of AES, Camellia (without \(FL/FL^{-1}\)) and Feistel ciphers with an MDS based matrix of branch number 9, showed that the percentage of active S-boxes in Feistel ciphers is lower than in AES. The cause is a difference cancellation property which can occur at the XOR operation in the Feistel structure. In this paper we propose a new design strategy to avoid such difference cancellation by employing multiple MDS based matrices in the diffusion layer of the F-function. The effectiveness of the proposed method is confirmed by an experimental result showing that the percentage of active S-boxes of the newly designed Feistel cipher becomes the same as for the AES.
TL;DR: In this paper, it was shown that f8 and f9 are secure under the PRP-RKA assumption on the underlying block cipher against a certain class of related-key attacks.
Abstract: This paper analyses the 3GPP confidentiality and integrity schemes adopted by Universal Mobile Telecommunication System, an emerging standard for third generation wireless communications. The schemes, known as f8 and f9, are based on the block cipher KASUMI. Although previous works claim security proofs for f8 and f9′, where f9′ is a generalized version of f9, it was recently shown that these proofs are incorrect. Moreover, Iwata and Kurosawa (2003) showed that it is impossible to prove f8 and f9′ secure under the standard PRP assumption on the underlying block cipher. We address this issue here, showing that it is possible to prove f8′ and f9′ secure if we make the assumption that the underlying block cipher is a secure PRP-RKA against a certain class of related-key attacks; here f8′ is a generalized version of f8. Our results clarify the assumptions necessary in order for f8 and f9 to be secure and, since no related-key attacks are known against the full eight rounds of KASUMI, lead us to believe that the confidentiality and integrity mechanisms used in real 3GPP applications are secure.
TL;DR: It is shown that commutative diagram attacks provide a unifying view into the field of block cipher cryptanalysis, and two new attacks are introduced that generalize and unify many previous attack methods.
Abstract: We introduce commutative diagram cryptanalysis, a framework for expressing certain kinds of attacks on product ciphers. We show that many familiar attacks, including linear cryptanalysis, differential cryptanalysis, differential-linear cryptanalysis, mod n attacks, truncated differential cryptanalysis, impossible differential cryptanalysis, higher-order differential cryptanalysis, and interpolation attacks can be expressed within this framework. Thus, we show that commutative diagram attacks provide a unifying view into the field of block cipher cryptanalysis. Then, we use the language of commutative diagram cryptanalysis to compare the power of many previously known attacks. Finally, we introduce two new attacks, generalized truncated differential cryptanalysis and bivariate interpolation, and we show how these new techniques generalize and unify many previous attack methods.
TL;DR: In this paper, a new attack on a general model for irregular clocked keystream generators is proposed; the model consists of two feedback shift registers of lengths \(l_1\) and \(l_2\), where the first shift register produces a clock control sequence for the second.
Abstract: In this paper we propose a new attack on a general model for irregular clocked keystream generators. The model consists of two feedback shift registers of lengths \(l_1\) and \(l_2\), where the first shift register produces a clock control sequence for the second. This model can be used to describe among others the shrinking generator, the step-1/step-2 generator and the stop and go generator. We prove that the maximum complexity for attacking such a model is only \(O(2^{l_{1}})\).
TL;DR: The bound is proved to be tight for functions up to 10 input variables, the technique is applied up to 12-variable functions, and it is shown that the construction provides a large class of 1-resilient functions reaching the currently best known nonlinearity and achieving very low autocorrelation values which were not known earlier.
Abstract: In this paper we study the minimum distance between the set of bent functions and the set of 1-resilient Boolean functions and present a lower bound on that. The bound is proved to be tight for functions up to 10 input variables. As a consequence, we present a strategy to modify the bent functions, by toggling some of their outputs, in getting a large class of 1-resilient functions with very good nonlinearity and autocorrelation. In particular, the technique is applied up to 12-variable functions and we show that the construction provides a large class of 1-resilient functions reaching the currently best known nonlinearity and achieving very low autocorrelation values which were not known earlier. The technique is sound enough to theoretically solve some of the mysteries of 8-variable, 1-resilient functions with maximum possible nonlinearity. However, the situation becomes complicated from 10 variables and above, where we need to go for complicated combinatorial analysis with trial and error using computational facility.
TL;DR: It is shown that the MAC generation function of SOBER-128 is vulnerable against differential cryptanalysis, and the success probability of this attack is estimated at \(2^{-6}\).
Abstract: SOBER-128 is a stream cipher designed by Rose and Hawkes in 2003. It can also be used for generating Message Authentication Codes (MACs). The developers claimed that it is difficult to forge the MAC generated by SOBER-128, though the security model defined in the proposal paper is not realistic. In this paper, we examine the security of the MAC generation function of SOBER-128 under the security notion given by Bellare and Namprempre. As a result, we show the MAC generation function of SOBER-128 is vulnerable against differential cryptanalysis. The success probability of this attack is estimated at \(2^{-6}\).
TL;DR: In 1985 Siegenthaler introduced the concept of correlation attacks on LFSR based stream ciphers, and a few years later Meier and Staffelbach demonstrated a special technique that is very effective if the feedback polynomial has a special form, namely, if its weight is very low.
Abstract: In 1985 Siegenthaler introduced the concept of correlation attacks on LFSR based stream ciphers. A few years later Meier and Staffelbach demonstrated a special technique, usually referred to as fast correlation attacks, that is very effective if the feedback polynomial has a special form, namely, if its weight is very low. Due to this seminal result, it is a well known fact that one avoids low weight feedback polynomials in the design of LFSR based stream ciphers.
TL;DR: In this paper, the linearly updated component of the stream cipher MUGI, called the buffer, was analyzed theoretically by using the generating function method and it was proven that the intrinsic response of the buffer without the feedback from the nonlinearly updated components, consists of binary linear recurring sequences with small linear complexity 32 and with extremely small period 48.
Abstract: The linearly updated component of the stream cipher MUGI, called the buffer, is analyzed theoretically by using the generating function method. In particular, it is proven that the intrinsic response of the buffer, without the feedback from the nonlinearly updated component, consists of binary linear recurring sequences with small linear complexity 32 and with extremely small period 48. It is then shown how this weakness can in principle be used to facilitate the linear cryptanalysis of MUGI with two main objectives: to reconstruct the secret key and to find linear statistical distinguishers.
TL;DR: Biryukov, Lano, and Preneel as mentioned in this paper showed that vanishing differentials occur quite frequently, and that such differentials allow an attacker to recover the secret key in the token much faster than exhaustive search.
Abstract: SecurID is a widely used hardware token for strengthening authentication in a corporate environment. Recently, Biryukov, Lano, and Preneel presented an attack on the alleged SecurID hash function [1]. They showed that vanishing differentials – collisions of the hash function – occur quite frequently, and that such differentials allow an attacker to recover the secret key in the token much faster than exhaustive search. Based on simulation results, they estimated that the running time of their attack would be about \(2^{48}\) full hash operations when using only a single 2-bit vanishing differential.
TL;DR: In this article, the general case for a linear approximation of the form \(X_1 + \cdots + X_k \bmod 2^n \to X_1 \oplus \cdots \oplus X_k \oplus N\) is investigated, where the variables and operations are n-bit based, and the noise variable N is introduced due to the approximation.
Abstract: The general case for a linear approximation of the form \(X_1 + \cdots + X_k \bmod 2^n \to X_1 \oplus \cdots \oplus X_k \oplus N\) is investigated, where the variables and operations are n-bit based, and the noise variable N is introduced due to the approximation. An efficient and practical algorithm of complexity \(O(n \cdot 2^{3(k-1)})\) to calculate the probability Pr{N} is given, and in some cases it can be reduced to \(O(2^{k-2})\).
TL;DR: In this article, the authors present a realization of an LFSM that utilizes an LFSR, based on a well-known fact from linear algebra, which is used to show that a previous attempt at using a CA in place of an LFSR in constructing a stream cipher did not necessarily increase its security.
Abstract: We present a realization of an LFSM that utilizes an LFSR. This is based on a well-known fact from linear algebra. This structure is used to show that a previous attempt at using a CA in place of an LFSR in constructing a stream cipher did not necessarily increase its security. We also give a general method for checking whether or not a nonlinear filter generator based on an LFSM allows reduction to one that is based on an LFSR and which is vulnerable to Anderson information leakage.
TL;DR: These attacks find collisions for the MAC and yield MAC forgeries, both faster than a straightforward application of the birthday paradox would suggest and establish an upper bound on the MAC’s security that is substantially lower than one would expect for a 128-bit MAC.
Abstract: A cryptanalysis is given of a MAC proposal presented at CRYPTO 2003 by Cary and Venkatesan. A nice feature of the Cary-Venkatesan MAC is that a lower bound on its security can be proved when a certain block cipher is modelled as an ideal cipher. Our attacks find collisions for the MAC and yield MAC forgeries, both faster than a straightforward application of the birthday paradox would suggest. For the suggested parameter sizes (where the MAC is 128 bits long) we give a method to find collisions using about \(2^{48.5}\) MAC queries, and to forge MACs using about \(2^{55}\) MAC queries. We emphasise that our results do not contradict the lower bounds on security proved by Cary and Venkatesan. Rather, they establish an upper bound on the MAC’s security that is substantially lower than one would expect for a 128-bit MAC.
TL;DR: This paper studies the security of PRF- and PRP-constructions against related-key attacks, and presents two novel constructions for related-keys secure PRFs and proves their security under number-theoretical infeasibility assumptions.
Abstract: In a related-key attack, the adversary is allowed to transform the secret key and request encryptions of plaintexts under the transformed key. This paper studies the security of PRF- and PRP-constructions against related-key attacks.
TL;DR: A simple one-way function along with its proposed application in symmetric cryptography is described in this paper; the function is computable with three elementary operations on permutations per byte, and inverting it is estimated to require an average computational effort of about \(2^{260}\) operations.
Abstract: A simple one-way function along with its proposed application in symmetric cryptography is described. The function is computable with three elementary operations on permutations per byte. Inverting the function, using the most efficient method known to the author, is estimated to require an average computational effort of about \(2^{260}\) operations. The proposed stream cipher based on the function was designed to be efficient in software implementations and, in particular, to eliminate the known weaknesses of the alleged RC4 keystream generator while retaining most of its speed and simplicity.
TL;DR: In this paper, two algebraic attacks on SOBER-t32 without stuttering are presented, using a collection of output bits whose relation to the initial state of the LFSR can be described by low-degree equations.
Abstract: This paper presents algebraic attacks on SOBER-t32 and SOBER-t16 without stuttering. For unstuttered SOBER-t32, two different attacks are implemented. In the first attack, we obtain multivariate equations of degree 10. Then, an algebraic attack is developed using a collection of output bits whose relation to the initial state of the LFSR can be described by low-degree equations. The resulting system of equations contains \(2^{69}\) equations and monomials, which can be solved using the Gaussian elimination with the complexity of \(2^{196.5}\). For the second attack, we build a multivariate equation of degree 14. We focus on the property of the equation that the monomials which are combined with output bit are linear. By applying the Berlekamp-Massey algorithm, we can obtain a system of linear equations and the initial states of the LFSR can be recovered. The complexity of attack is around \(O(2^{100})\) with \(2^{92}\) keystream observations. The second algebraic attack is applicable to SOBER-t16 without stuttering. The attack takes around \(O(2^{85})\) CPU clocks with \(2^{78}\) keystream observations.
TL;DR: Nonce-based encryption as discussed by the authors is an alternative syntax for symmetric encryption, where the encryption process e is a deterministic function that surfaces an initialization vector (IV), which takes on a new value with every message one encrypts.
Abstract: Symmetric encryption schemes are usually formalized so as to make the encryption operation a probabilistic or state-dependent function \(\cal E\) of the message M and the key K: the user supplies M and K and the encryption process does the rest, flipping coins or modifying internal state in order to produce a ciphertext C. Here we investigate an alternative syntax for an encryption scheme, where the encryption process \(\cal E\) is a deterministic function that surfaces an initialization vector (IV). The user supplies a message M, key K, and initialization vector N, getting back the (one and only) associated ciphertext \(C=\cal E_K^N(M)\). We concentrate on the case where the IV is guaranteed to be a nonce—something that takes on a new value with every message one encrypts. We explore definitions, constructions, and properties for nonce-based encryption. Symmetric encryption with a surfaced IV more directly captures real-world constructions like CBC mode, and encryption schemes constructed to be secure under nonce-based security notions may be less prone to misuse.
TL;DR: A new pseudorandom bit generator, named RC4A, which is based on RC4’s exchange shuffle model is proposed, and it is shown that the new cipher offers increased resistance against most attacks that apply to RC4.
Abstract: The paper presents a new statistical bias in the distribution of the first two output bytes of the RC4 keystream generator. The number of outputs required to reliably distinguish RC4 outputs from random strings using this bias is only \(2^{25}\) bytes. Most importantly, the bias does not disappear even if the initial 256 bytes are dropped. This paper also proposes a new pseudorandom bit generator, named RC4A, which is based on RC4’s exchange shuffle model. It is shown that the new cipher offers increased resistance against most attacks that apply to RC4. RC4A uses fewer operations per output byte and offers the prospect of implementations that can exploit its inherent parallelism to improve its performance further.