Abstract: In [8], Paterson and Yau presented padding oracle attacks against a committee draft version of a revision of the ISO CBC-mode encryption standard [3] Some of the attacks in [8] require knowledge and manipulation of the initialisation vector (IV) The latest draft of the revision of the standard [4] recommends the use of IVs that are secret and random This obviates most of the attacks of [8] In this paper we consider the security of CBC-mode encryption against padding oracle attacks in this secret, random IV setting We present new attacks showing that several ISO padding methods are still weak in this situation

Abstract: This paper discusses the state-of-the-art software optimization methodology for symmetric cryptographic primitives on Pentium III and 4 processors. We aim at maximizing speed by considering the internal pipeline architecture of these processors. This is the first paper studying an optimization of ciphers on Prescott, a new core of Pentium 4. Our AES program with 128-bit key achieves 251 cycles/block on Pentium 4, which is, to our best knowledge, the fastest implementation of AES on Pentium 4. We also optimize SNOW2.0 keystream generator. Our program of SNOW2.0 for Pentium III runs at the rate of 2.75 iops/cycle, which seems the most efficient code ever made for a real-world cipher primitive. For FOX128 block cipher, we propose a technique for speeding-up by interleaving two independent blocks using a register group separation. Finally we consider fast implementation of SHA512 and Whirlpool, two hash functions with a genuine 64-bit architecture. It will be shown that new SIMD instruction sets introduced in Pentium 4 excellently contribute to fast hashing of SHA512.

Abstract: The need of true random number generators for many purposes (ranging from applications in cryptography and stochastic simulation, to search heuristics and game playing) is increasing every day. Many sources of randomness possess the property of stationarity. However, while a biased die may be a good source of entropy, many applications require input in the form of unbiased bits, rather than biased ones. In this paper, we present a new technique for simulating fair coin flips using a biased, stationary source of randomness. Moreover, the same technique can also be used to improve some of the properties of pseudo random number generators. In particular, an improved pseudo random number generator has almost unmeasurable period, uniform distribution of the letters, pairs of letters, triples of letters, and so on, and passes many statistical tests of randomness. Our algorithm for simulating fair coin flips using a biased, stationary source of randomness (or for improving the properties of pseudo random number generators) is designed by using quasigroup string transformations and its properties are mathematically provable. It is very flexible, the input/output strings can be of 2-bits letters, 4-bits letters, bytes, 2-bytes letters, and so on. It is of linear complexity and it needs less than 1Kb memory space in its 2-bits and 4-bits implementations, hence it is suitable for embedded systems as well.

Abstract: T-function is a relatively new cryptographic building block suitable for streamciphers. It has the potential of becoming a substitute for LFSRs, and those that correspond to maximum length LFSRs are called single cycle T-functions. We present a family of single cycle T-functions, previously unknown. An attempt at building a hardware oriented streamcipher based on this new T-function is given.

Abstract: This paper contains several attacks on the hash function MD2 which has a hash code size of 128 bits. At Asiacrypt 2004 Muller presents the first known preimage attack on MD2. The time complexity of the attack is about 2104 and the preimages consist always of 128 blocks. We present a preimage attack of complexity about 297 with the further advantage that the preimages are of variable lengths. Moreover we are always able to find many preimages for one given hash value. Also we introduce many new collisions for the MD2 compression function, which lead to the first known (pseudo) collisions for the full MD2 (including the checksum), but where the initial values differ. Finally we present a pseudo preimage attack of complexity 295 but where the preimages can have any desired lengths.

Abstract: This paper presents a new hash function design, which is different from the popular designs of the MD4-family. Seen in the light of recent attacks on MD4, MD5, SHA-0, SHA-1, and on RIPEMD, there is a need to consider other hash function design strategies. The paper presents also a concrete hash function design named SMASH. One version has a hash code of 256 bits and appears to be at least as fast as SHA-256.

Abstract: In this paper, we describe a sequence of simple, yet efficient chosen-plaintext (or chosen-ciphertext) attacks against reduced-round versions of IDEA (with 2, 2.5, 3, 3.5, and 4 rounds) which compare favourably with the best known attacks: some of them decrease considerably the time complexity given the same order of data at disposal while other ones decrease the amount of necessary known- or chosen-plaintext pairs under comparable time complexities. Additionally, we show how to trade time and memory for some of the known-plaintext attacks of Nakahara et al.

Abstract: Algebraic attacks on stream ciphers apply (at least theoretically) to all LFSR-based stream ciphers that are clocked in a simple and/or easily predictable way One interesting approach to help resist such attacks is to add a component that de-synchronizes the output bits of the cipher from the clock of the LFSR The Bit-search generator, recently proposed by Gouget and Sibert, is inspired by the so-called Self-Shrinking Generator which is known for its simplicity (conception and implementation-wise) linked with some interesting properties In this paper, we introduce two modified versions of the BSG, called MBSG and ABSG, and some of their properties are studied We apply a range of cryptanalytic techniques in order to compare the security of the BSGs

Abstract: In this paper we present a distinguisher targeting towards irregularly clocked filter generators. The attack is applied on the irregularly clocked stream cipher called LILI-II. LILI-II is the successor of the cipher LILI-128 and its design was published in [1]. There have been no known attacks better than exhaustive key search on LILI-II. Our attack is the first of this kind that distinguishes the cipher output from a random source using 2103 bits of keystream using computational complexity of approximately 2103 operations.

Abstract: Hiji-Bij-Bij (HBB) is a new stream cipher proposed by Sarkar at Indocrypt’03. In this algorithm, classical LFSRs are replaced by cellular automata (CA). This idea of using CAs in such constructions was initially proposed by Sarkar at Crypto’02, in order to instantiate its new Filter-Combiner model. In this paper, we show two attacks against HBB. First we apply differential cryptanalysis to the self-synchronizing mode. The resulting attack is very efficient since it recovers the secret key by processing a chosen message of length only 2 Kbytes. Then we describe an algebraic attack against the basic mode of HBB. This attack is much faster than exhaustive search for secret keys of length 256 bits.

Abstract: T-functions were introduced by Klimov and Shamir in a series of papers during the last few years. They are of great interest for cryptography as they may provide some new building blocks which can be used to construct efficient and secure schemes, for example block ciphers, stream ciphers or hash functions. In the present paper, we define the narrowness of a T-function and study how this property affects the strength of a T-function as a cryptographic primitive. We define a new data strucure, called a solution graph, that enables solving systems of equations given by T-functions. The efficiency of the algorithms which we propose for solution graphs depends significantly on the narrowness of the involved T-functions. Thus the subclass of T-functions with small narrowness appears to be weak and should be avoided in cryptographic schemes. Furthermore, we present some extensions to the methods of using solution graphs, which make it possible to apply these algorithms also to more general systems of equations, which may appear, for example, in the cryptanalysis of hash functions.

Abstract: Compact formulas are derived to represent the Algebraic Normal Form (ANF) of $f(\bar{x} + \bar{a}~mod~2^{n})$ and $f(\bar{x} \times \bar{a}~mod~2^{n})$ from the ANF of f, where f is a Boolean function on $\mathbb{F}^{n}_{2}$ and $\bar{a}$ is a constant of $\mathbb{F}^{n}_{2}$ We compare the algebraic degree of the composed functions with the algebraic degree of the original function f As an application, the formula for addition modulo 2n is applied in an algebraic attack on the summation generator and the E0 encryption scheme in the Bluetooth keystream generator

Abstract: The bit-search generator (BSG) was proposed in 2004 and can be seen as a variant of the shrinking and self-shrinking generators. It has the advantage that it works at rate 1/3 using only one LFSR and some selection logic. We present various attacks on the BSG based on the fact that the output sequence can be uniquely defined by the differential of the input sequence. By knowing only a small part of the output sequence we can reconstruct the key with complexity O(L320.5 L). This complexity can be significantly reduced in a data/time tradeoff manner to achieve a complexity of O(L320.27 L) if we have O(20.27 L) of keystream. We also propose a distinguishing attack that can be very efficient if the feedback polynomial is not carefully chosen.

Abstract: We consider the 3GPP confidentiality and integrity schemes that were adopted by Universal Mobile Telecommunication System, an emerging standard for third generation wireless communications. The schemes, known as f8 and f9, are based on the block cipher KASUMI. Although previous works claim security proofs for f8 and f9′, where f9′ is a generalized version of f9, it was shown that these proofs are incorrect; it is impossible to prove f8 and f9′ secure under the standard PRP assumption on the underlying block cipher. Following the results, it was shown that it is possible to prove f8′ and f9′ secure if we make the assumption that the underlying block cipher is a secure PRP-RKA against a certain class of related-key attacks; here f8′ is a generalized version of f8. Needless to say, the assumptions here are stronger than the standard PRP assumptions, and it is natural to seek a practical way to modify f8′ and f9′ to establish security proofs under the standard PRP assumption. In this paper, we propose f8+ and f9+, slightly modified versions of f8′ and f9′, but they allow proofs of security under the standard PRP assumption. Our results are practical in the sense that we insist on the minimal modifications; f8+ is obtained from f8′ by setting the key modifier to all-zero, and f9+ is obtained from f9′ by setting the key modifier to all-zero, and using the encryptions of two constants in the CBC MAC computation.

Abstract: This paper presents the results of a preliminary analysis of the stream cipher Mugi. We study the nonlinear component of this cipher and identify several potential weaknesses in its design. While we can not break the full Mugi design, we show that it is extremely sensitive to small variations. For example, it is possible to recover the full 1216-bit state of the cipher and the original 128-bit secret key using just 56 words of known stream and in 214 steps of analysis if the cipher outputs any state word which is different than the one used in the actual design. If the linear part is eliminated from the design, then the secret non-linear 192-bit state can be recovered given only three output words and in just 232 steps. If it is kept in the design but in a simplified form, then the scheme can be broken by an attack which is slightly faster than exhaustive search.

Abstract: In this paper we introduce the notion of impossible fault analysis, and present an impossible fault analysis of RC4, whose complexity 221 is smaller than the previously best known attack of Hoch and Shamir (226), along with an even faster fault analysis of RC4, based on different ideas, with complexity smaller than 216.

Abstract: Differential cryptanalysis and linear cryptanalysis are the most widely used techniques for block ciphers cryptanalysis. Several attacks combine these cryptanalytic techniques to obtain new attacks, e.g., differential-linear attacks, miss-in-the-middle attacks, and boomerang attacks. In this paper we present several new combinations: we combine differentials with bilinear approximations, higher-order differentials with linear approximations, and the boomerang attack with linear, with differential-linear, with bilinear, and with differential-bilinear attacks. We analyze these combinations and present examples of their usefulness. For example, we present a 6-round differential-bilinear approximation of s5DES with a bias of 1/8, and use it to attack 8-round s5DES using only 384 chosen plaintexts. We also enlarge a weak key class of IDEA by a factor of 512 using the higher-order differential-linear technique. We expect that these attacks will be useful against larger classes of ciphers.

Abstract: Algebraic attack has recently become an important tool in cryptanalysing different stream and block cipher systems. A Boolean function, when used in some cryptosystem, should be designed properly to resist this kind of attack. The cryptographic property of a Boolean function, that resists algebraic attack, is known as Algebraic Immunity ($\mathcal{AI}$). So far, the attempt in designing Boolean functions with required algebraic immunity was only ad-hoc, i.e., the functions were designed keeping in mind the other cryptographic criteria, and then it has been checked whether it can provide good algebraic immunity too. For the first time, in this paper, we present a construction method to generate Boolean functions on n variables with highest possible algebraic immunity ⌈n / 2⌉ . Such a function can be used in conjunction with (using direct sum) functions having other cryptographic properties. In a different direction we identify that functions, having low degree subfunctions, are weak in terms of algebraic immunity and analyse some existing constructions from this viewpoint.

Abstract: We present a new way to construct a MAC function based on a block cipher. We apply this construction to AES resulting in a MAC function that is a factor 2.5 more efficient than CBC-MAC with AES, while providing a comparable claimed security level.

Abstract: In this paper we propose a notion of related-key rectangle attack using 4 related keys. It is based on two consecutive related-key differentials which are independent of each other. Using this attack we can break SHACAL-1 with 512-bit keys up to 70 rounds out of 80 rounds and AES with 192-bit keys up to 8 rounds out of 12 rounds, which are faster than exhaustive search.

Abstract: So far, efficient algorithmic countermeasures to secure the AES algorithm against (first-order) differential side-channel attacks have been very expensive to implement. In this article, we introduce a new masking countermeasure which is not only secure against first-order side-channel attacks, but which also leads to relatively small implementations compared to other masking schemes implemented in dedicated hardware. Our approach is based on shifting the computation of the finite field inversion in the AES S-box down to GF(4). In this field, the inversion is a linear operation and therefore it is easy to mask. Summarizing, the new masking scheme combines the concepts of multiplicative and additive masking in such a way that security against first-order side-channel attacks is maintained, and that small implementations in dedicated hardware can be achieved.

Abstract: In this paper, we propose a 2/3-rate double length compression function and study its security in the black-box model. We prove that to get a collision attack for the compression function requires Ω(22 n/3) queries, where n is the single length output size. Thus, it has better security than a most secure single length compression function. This construction is more efficient than the construction given in [8]. Also the three computations of underlying compression functions can be done in parallel. The proof idea uses a concept of computable message which can be helpful to study security of other constructions like [8],[14],[16] etc.

Abstract: At FSE 2004 two new stream ciphers VMPC and RC4A have been proposed. VMPC is a generalisation of the stream cipher RC4, whereas RC4A is an attempt to increase the security of RC4 by introducing an additional permuter in the design. This paper is the first work presenting attacks on VMPC and RC4A. We propose two linear distinguishing attacks, one on VMPC of complexity 254, and one on RC4A of complexity 258. We investigate the RC4 family of stream ciphers and show some theoretical weaknesses of such constructions.