scholarly journals Cryptanalysis of Loiss Stream Cipher-Revisited

2014 ◽  
Vol 2014 ◽  
pp. 1-7
Author(s):  
Lin Ding ◽  
Chenhui Jin ◽  
Jie Guan ◽  
Qiuyan Wang
Keyword(s):  
Time Complexity ◽  
Stream Cipher ◽  
Linear Equations ◽  
Data Complexity ◽  
Secret Key ◽  
Key Recovery ◽  
Systems Of Linear Equations ◽  
Key Recovery Attack ◽  
Better Than

Loiss is a novel byte-oriented stream cipher proposed in 2011. In this paper, based on solving systems of linear equations, we propose an improved Guess and Determine attack on Loiss with a time complexity of 2231and a data complexity of 268, which reduces the time complexity of the Guess and Determine attack proposed by the designers by a factor of 216. Furthermore, a related key chosenIVattack on a scaled-down version of Loiss is presented. The attack recovers the 128-bit secret key of the scaled-down Loiss with a time complexity of 280, requiring 264chosenIVs. The related key attack is minimal in the sense that it only requires one related key. The result shows that our key recovery attack on the scaled-down Loiss is much better than an exhaustive key search in the related key setting.

scholarly journals Weak Keys in Reduced AEGIS and Tiaoxin

2021 ◽  
pp. 104-139
Author(s):  
Fukang Liu ◽  
Takanori Isobe ◽  
Willi Meier ◽  
Kosei Sakamoto
Keyword(s):  
Time Complexity ◽  
High Performance ◽  
Stream Cipher ◽  
Third Party ◽  
Key Recovery ◽  
Weak Keys ◽  
Internal States ◽  
Caesar Competition ◽  
Key Recovery Attack ◽  
Pass Through

AEGIS-128 and Tiaoxin-346 (Tiaoxin for short) are two AES-based primitives submitted to the CAESAR competition. Among them, AEGIS-128 has been selected in the final portfolio for high-performance applications, while Tiaoxin is a third-round candidate. Although both primitives adopt a stream cipher based design, they are quite different from the well-known bit-oriented stream ciphers like Trivium and the Grain family. Their common feature consists in the round update function, where the state is divided into several 128-bit words and each word has the option to pass through an AES round or not. During the 6-year CAESAR competition, it is surprising that for both primitives there is no third-party cryptanalysis of the initialization phase. Due to the similarities in both primitives, we are motivated to investigate whether there is a common way to evaluate the security of their initialization phases. Our technical contribution is to write the expressions of the internal states in terms of the nonce and the key by treating a 128-bit word as a unit and then carefully study how to simplify these expressions by adding proper conditions. As a result, we find that there are several groups of weak keys with 296 keys each in 5-round AEGIS-128 and 8-round Tiaoxin, which allows us to construct integral distinguishers with time complexity 232 and data complexity 232. Based on the distinguisher, the time complexity to recover the weak key is 272 for 5-round AEGIS-128. However, the weak key recovery attack on 8-round Tiaoxin will require the usage of a weak constant occurring with probability 2−32. All the attacks reach half of the total number of initialization rounds. We expect that this work can advance the understanding of the designs similar to AEGIS and Tiaoxin.

scholarly journals Some cryptanalytic results on Lizard

2017 ◽  
pp. 82-98
Author(s):  
Subhadeep Banik ◽  
Takanori Isobe ◽  
Tingting Cui ◽  
Jian Guo
Keyword(s):  
Stream Cipher ◽  
Secret Key ◽  
Key Recovery ◽  
Key Recovery Attack ◽  
Key Recovery Attacks

Lizard is a lightweight stream cipher proposed by Hamann, Krause and Meier in IACR ToSC 2017. It has a Grain-like structure with two state registers of size 90 and 31 bits. The cipher uses a 120-bit secret key and a 64-bit IV. The authors claim that Lizard provides 80-bit security against key recovery attacks and a 60-bit security against distinguishing attacks. In this paper, we present an assortment of results and observations on Lizard. First, we show that by doing 258 random trials it is possible to find a set of 264 triplets (K, IV0, IV1) such that the Key-IV pairs (K, IV0) and (K, IV1) produce identical keystream bits. Second, we show that by performing only around 228 random trials it is possible to obtain 264 Key-IV pairs (K0, IV0) and (K1, IV1) that produce identical keystream bits. Thereafter, we show that one can construct a distinguisher for Lizard based on IVs that produce shifted keystream sequences. The process takes around 251.5 random IV encryptions (with encryption required to produce 218 keystream bits) and around 276.6 bits of memory. Next, we propose a key recovery attack on a version of Lizard with the number of initialization rounds reduced to 223 (out of 256) based on IV collisions. We then outline a method to extend our attack to 226 rounds. Our results do not affect the security claims of the designers.

scholarly journals Cryptanalysis of Plantlet

2019 ◽  
pp. 103-120
Author(s):  
Subhadeep Banik ◽  
Khashayar Barooti ◽  
Takanori Isobe
Keyword(s):  
Stream Cipher ◽  
Internal State ◽  
Polynomial Equations ◽  
Secret Key ◽  
Key Recovery ◽  
Internal States ◽  
Key Recovery Attack ◽  
System Of Polynomial Equations ◽  
The Given ◽  
Generic Time

Plantlet is a lightweight stream cipher designed by Mikhalev, Armknecht and Müller in IACR ToSC 2017. It has a Grain-like structure with two state registers of size 40 and 61 bits. In spite of this, the cipher does not seem to lose in security against generic Time-Memory-Data Tradeoff attacks due to the novelty of its design. The cipher uses a 80-bit secret key and a 90-bit IV. In this paper, we first present a key recovery attack on Plantlet that requires around 276.26 Plantlet encryptions. The attack leverages the fact that two internal states of Plantlet that differ in the 43rd LFSR location are guaranteed to produce keystream that are either equal or unequal in 45 locations with probability 1. Thus an attacker can with some probability guess that when 2 segments of keystream blocks possess the 45 bit difference just mentioned, they have been produced by two internal states that differ only in the 43rd LFSR location. Thereafter by solving a system of polynomial equations representing the keystream bits, the attacker can find the secret key if his guess was indeed correct, or reach some kind of contradiction if his guess was incorrect. In the latter event, he would repeat the procedure for other keystream blocks with the given difference. We show that the process when repeated a finite number of times, does indeed yield the value of the secret key. In the second part of the paper, we observe that the previous attack was limited to internal state differences that occurred at time instances that were congruent to 0 mod 80. We further observe that by generalizing the attack to include internal state differences that are congruent to all equivalence classed modulo 80, we lower the total number of keystream bits required to perform the attack and in the process reduce the attack complexity to 269.98 Plantlet encryptions.

scholarly journals Breaking Trivium Stream Cipher Implemented in ASIC Using Experimental Attacks and DFA

Sensors ◽  
2020 ◽  
Vol 20 (23) ◽  
pp. 6909
Author(s):  
Francisco Eugenio Potestad-Ordóñez ◽  
Manuel Valencia-Barrero ◽  
Carmen Baena-Oliva ◽  
Pilar Parra-Fernández ◽  
Carlos Jesús Jiménez-Fernández
Keyword(s):  
Stream Cipher ◽  
Internal State ◽  
Clock Cycle ◽  
Fault Analysis ◽  
Invasive Technique ◽  
Sensitive Information ◽  
Secret Key ◽  
Key Recovery ◽  
Differential Fault Analysis ◽  
Secret Keys

One of the best methods to improve the security of cryptographic systems used to exchange sensitive information is to attack them to find their vulnerabilities and to strengthen them in subsequent designs. Trivium stream cipher is one of the lightweight ciphers designed for security applications in the Internet of things (IoT). In this paper, we present a complete setup to attack ASIC implementations of Trivium which allows recovering the secret keys using the active non-invasive technique attack of clock manipulation, combined with Differential Fault Analysis (DFA) cryptanalysis. The attack system is able to inject effective transient faults into the Trivium in a clock cycle and sample the faulty output. Then, the internal state of the Trivium is recovered using the DFA cryptanalysis through the comparison between the correct and the faulty outputs. Finally, a backward version of Trivium was also designed to go back and get the secret keys from the initial internal states. The key recovery has been verified with numerous simulations data attacks and used with the experimental data obtained from the Application Specific Integrated Circuit (ASIC) Trivium. The secret key of the Trivium were recovered experimentally in 100% of the attempts, considering a real scenario and minimum assumptions.

scholarly journals Modified Preconditioned GAOR Methods for Systems of Linear Equations

2013 ◽  
Vol 2013 ◽  
pp. 1-7 ◽  
Author(s):  
Xue-Feng Zhang ◽  
Qun-Fa Cui ◽  
Shi-Liang Wu
Keyword(s):  
Linear System ◽  
Convergence Rate ◽  
Least Squares ◽  
Linear Equations ◽  
Generalized Least Squares ◽  
Numerical Results ◽  
Least Squares Problem ◽  
Comparison Results ◽  
Systems Of Linear Equations ◽  
Better Than

Three kinds of preconditioners are proposed to accelerate the generalized AOR (GAOR) method for the linear system from the generalized least squares problem. The convergence and comparison results are obtained. The comparison results show that the convergence rate of the preconditioned generalized AOR (PGAOR) methods is better than that of the original GAOR methods. Finally, some numerical results are reported to confirm the validity of the proposed methods.

scholarly journals Differential Attacks on CRAFT Exploiting the Involutory S-boxes and Tweak Additions

2020 ◽  
pp. 119-151
Author(s):  
Hao Guo ◽  
Siwei Sun ◽  
Danping Shi ◽  
Ling Sun ◽  
Yao Sun ◽  
...  
Keyword(s):  
Low Cost ◽  
Success Probability ◽  
Schedule Algorithm ◽  
Invariant Property ◽  
Differential Analysis ◽  
Secret Key ◽  
Key Recovery ◽  
Weak Keys ◽  
Key Recovery Attack ◽  
Truncated Differential

CRAFT is a lightweight tweakable block cipher proposed at FSE 2019, which allows countermeasures against Differential Fault Attacks to be integrated into the cipher at the algorithmic level with ease. CRAFT employs a lightweight and involutory S-box and linear layer, such that the encryption function can be turned into decryption at a low cost. Besides, the tweakey schedule algorithm of CRAFT is extremely simple, where four 64-bit round tweakeys are generated and repeatedly used. Due to a combination of these features which makes CRAFT exceedingly lightweight, we find that some input difference at a particular position can be preserved through any number of rounds if the input pair follows certain truncated differential trails. Interestingly, in contrast to traditional differential analysis, the validity of this invariant property is affected by the positions where the constant additions take place. We use this property to construct “weak-tweakey” truncated differential distinguishers of CRAFT in the single-key model. Subsequently, we show how the tweak additions allow us to convert these weak-tweakey distinguishers into ordinary secret-key distinguishers based on which key-recovery attacks can be performed. Moreover, we show how to construct MILP models to search for truncated differential distinguishers exploiting this invariant property. As a result, we find a 15-round truncated differential distinguisher of CRAFT and extend it to a 19-round key-recovery attack with 260.99 data, 268 memory, 294.59 time complexity, and success probability 80.66%. Also, we find a 14-round distinguisher with probability 2−43 (experimentally verified), a 16-round distinguisher with probability 2−55, and a 20-round weak-key distinguisher (2118 weak keys) with probability 2−63. Experiments on round-reduced versions of the distinguishers show that the experimental probabilities are sometimes higher than predicted. Finally, we note that our result is far from threatening the security of the full CRAFT.

scholarly journals Boomeyong: Embedding Yoyo within Boomerang and its Applications to Key Recovery Attacks on AES and Pholkos

2021 ◽  
pp. 137-169
Author(s):  
Mostafizar Rahman ◽  
Dhiman Saha ◽  
Goutam Paul
Keyword(s):  
Time Complexity ◽  
Block Cipher ◽  
New Technique ◽  
Small Scale ◽  
Key Recovery ◽  
Boomerang Attack ◽  
Tweakable Block Cipher ◽  
Key Recovery Attack ◽  
Key Recovery Attacks

This work investigates a generic way of combining two very effective and well-studied cryptanalytic tools, proposed almost 18 years apart, namely the boomerang attack introduced by Wagner in FSE 1999 and the yoyo attack by Ronjom et al. in Asiacrypt 2017. In doing so, the s-box switch and ladder switch techniques are leveraged to embed a yoyo trail inside a boomerang trail. As an immediate application, a 6-round key recovery attack on AES-128 is mounted with time complexity of 278. A 10-round key recovery attack on recently introduced AES-based tweakable block cipher Pholkos is also furnished to demonstrate the applicability of the new technique on AES-like constructions. The results on AES are experimentally verified by applying and implementing them on a small scale variant of AES. We provide arguments that draw a relation between the proposed strategy with the retracing boomerang attack devised in Eurocrypt 2020. To the best of our knowledge, this is the first attempt to merge the yoyo and boomerang techniques to analyze SPN ciphers and warrants further attention as it has the potential of becoming an important cryptanalysis tool.

scholarly journals The Mathematical Safe Problem and Its Solution (Part 1)

2020 ◽  
pp. 15-38
Author(s):  
S. Kryvyi ◽  
H. Hoherchak
Keyword(s):  
Mathematical Model ◽  
Finite Fields ◽  
Computer Games ◽  
Time Complexity ◽  
Linear Equations ◽  
Irreducible Polynomial ◽  
Finite Rings ◽  
Systems Of Linear Equations ◽  
Residue Fields ◽  
Mathematical Safe

Introduction. The problem of the mathematical safe arises in the theory of computer games and cryptographic applications. The article considers the formulation of the mathematical safe problem and the approach to its solution using systems of linear equations in finite rings and fields. The purpose of the article is to formulate a mathematical model of the mathematical safe problem and its reduction to systems of linear equations in different domains; to consider solving the corresponding systems in finite rings and fields; to consider the principles of constructing extensions of residue fields and solving systems in the relevant areas. Results. The formulation of the mathematical safe problem is given and the way of its reduction to systems of linear equations is considered. Methods and algorithms for solving this type of systems are considered, where exist methods and algorithms for constructing the basis of a set of solutions of linear equations and derivative methods and algorithms for constructing the basis of a set of solutions of systems of linear equations for residue fields, ghost rings, finite rings and finite fields. Examples are given to illustrate their work. The principles of construction of extensions of residue fields by the module of an irreducible polynomial, and examples of operations tables for them are considered. The peculiarities of solving systems of linear equations in such fields are considered separately. All the above algorithms are accompanied by proofs and estimates of their time complexity. Conclusions. The considered methods and algorithms for solving linear equations and systems of linear equations in finite rings and fields allow to solve the problem of a mathematical safe in many variations of its formulation. The second part of the paper will consider the application of these methods and algorithms to solve the problem of mathematical safe in its various variations. Keywords: mathematical safe, finite rings, finite fields, method, algorithm, solution.

Sign in / Sign up

Export Citation Format

Share Document