Improved CRT-RSA Secret Key Recovery Method from Sliding Window Leakage

An Improved Truncated Differential Cryptanalysis of Klein

Tatra Mountains Mathematical Publications ◽

10.1515/tmmp-2016-0036 ◽

2016 ◽

Vol 67 (1) ◽

pp. 135-147

Author(s):

Shahram Rasoolzadeh ◽

Zahra Ahmadian ◽

Mahmoud Salmasizadeh ◽

Mohammad Reza Aref

Keyword(s):

Block Cipher ◽

Slight Modification ◽

Secret Key ◽

Differential Attack ◽

Key Recovery ◽

Recovery Method ◽

Software And Hardware ◽

State Size ◽

Truncated Differential ◽

Better Than

Abstract KLEIN is a family of lightweight block ciphers which was proposed at RFIDSec 2011 by Gong et. al. It has three versions with 64, 80 or 96-bit key size, all with a 64-bit state size. It uses 16 identical 4-bit S-boxes combined with two AES’s MixColumn transformations for each round. This approach allows compact implementations of KLEIN in both low-end software and hardware. Such an unconventional combination attracts the attention of cryptanalysts, and several security analyses have been published. The most successful one was presented at FSE 2014 which was a truncated differential attack. They could attack up to 12, 13 and 14 rounds out of total number of 12, 16 and 20 rounds for KLEIN-64, -80 and -96, respectively. In this paper, we present improved attacks on three versions of KLEIN block cipher, which recover the full secret key with better time and data complexities for the previously analyzed number of rounds. The improvements also enable us to attack up to 14 and 15 rounds for KLEIN-80 and -96, respectively, which are the highest rounds ever analyzed. Our improvements are twofold: the first, finding two new truncated differential paths with probabilities better than that of the previous ones, and the second, a slight modification in the key recovery method which makes it faster.

Download Full-text

Cryptanalysis of Loiss Stream Cipher-Revisited

Journal of Applied Mathematics ◽

10.1155/2014/457275 ◽

2014 ◽

Vol 2014 ◽

pp. 1-7

Author(s):

Lin Ding ◽

Chenhui Jin ◽

Jie Guan ◽

Qiuyan Wang

Keyword(s):

Time Complexity ◽

Stream Cipher ◽

Linear Equations ◽

Data Complexity ◽

Secret Key ◽

Key Recovery ◽

Systems Of Linear Equations ◽

Key Recovery Attack ◽

Better Than

Loiss is a novel byte-oriented stream cipher proposed in 2011. In this paper, based on solving systems of linear equations, we propose an improved Guess and Determine attack on Loiss with a time complexity of 2231and a data complexity of 268, which reduces the time complexity of the Guess and Determine attack proposed by the designers by a factor of 216. Furthermore, a related key chosenIVattack on a scaled-down version of Loiss is presented. The attack recovers the 128-bit secret key of the scaled-down Loiss with a time complexity of 280, requiring 264chosenIVs. The related key attack is minimal in the sense that it only requires one related key. The result shows that our key recovery attack on the scaled-down Loiss is much better than an exhaustive key search in the related key setting.

Download Full-text

A Comprehensive Study of the Key Enumeration Problem

Entropy ◽

10.3390/e21100972 ◽

2019 ◽

Vol 21 (10) ◽

pp. 972 ◽

Cited By ~ 2

Author(s):

Ricardo Villanueva-Polanco

Keyword(s):

Main Memory ◽

Side Channel ◽

Secret Key ◽

Side Channel Attack ◽

Enumeration Algorithm ◽

Key Recovery ◽

Recovery Algorithm ◽

Enumeration Problem ◽

Enumeration Algorithms ◽

Recovery Problem

In this paper, we will study the key enumeration problem, which is connected to the key recovery problem posed in the cold boot attack setting. In this setting, an attacker with physical access to a computer may obtain noisy data of a cryptographic secret key of a cryptographic scheme from main memory via this data remanence attack. Therefore, the attacker would need a key-recovery algorithm to reconstruct the secret key from its noisy version. We will first describe this attack setting and then pose the problem of key recovery in a general way and establish a connection between the key recovery problem and the key enumeration problem. The latter problem has already been studied in the side-channel attack literature, where, for example, the attacker might procure scoring information for each byte of an Advanced Encryption Standard (AES) key from a side-channel attack and then want to efficiently enumerate and test a large number of complete 16-byte candidates until the correct key is found. After establishing such a connection between the key recovery problem and the key enumeration problem, we will present a comprehensive review of the most outstanding key enumeration algorithms to tackle the latter problem, for example, an optimal key enumeration algorithm (OKEA) and several nonoptimal key enumeration algorithms. Also, we will propose variants to some of them and make a comparison of them, highlighting their strengths and weaknesses.

Download Full-text

Cold Boot Attacks on LUOV

Applied Sciences ◽

10.3390/app10124106 ◽

2020 ◽

Vol 10 (12) ◽

pp. 4106 ◽

Cited By ~ 1

Author(s):

Ricardo Villanueva-Polanco

Keyword(s):

Key Generation ◽

Secret Key ◽

Cryptographic Primitives ◽

Key Recovery ◽

Recovery Algorithm ◽

Private Key ◽

Research Article ◽

The Family ◽

And Performance ◽

First Time

This research article assesses the feasibility of cold boot attacks on the lifted unbalanced oil and Vinegar (LUOV) scheme, a variant of the UOV signature scheme. This scheme is a member of the family of asymmetric cryptographic primitives based on multivariable polynomials over a finite field K and has been submitted as candidate to the ongoing National Institute of Standards and Technology (NIST) standardisation process of post-quantum signature schemes. To the best of our knowledge, this is the first time that this scheme is evaluated in this setting. To perform our assessment of the scheme in this setting, we review two implementations of this scheme, the reference implementation and the libpqcrypto implementation, to learn the most common in-memory private key formats and next develop a key recovery algorithm exploiting the structure of this scheme. Since the LUOV’s key generation algorithm generates its private components and public components from a 256-bit seed, the key recovery algorithm works for all the parameter sets recommended for this scheme. Additionally, we tested the effectiveness and performance of the key recovery algorithm through simulations and found the key recovery algorithm may retrieve the private seed when α = 0.001 (probability that a 0 bit of the original secret key will flip to a 1 bit) and β (probability that a 1 bit of the original private key will flip to a 0 bit) in the range { 0.001 , 0.01 , 0.02 , … , 0.15 } by enumerating approximately 2 40 candidates.

Download Full-text

Breaking Trivium Stream Cipher Implemented in ASIC Using Experimental Attacks and DFA

Sensors ◽

10.3390/s20236909 ◽

2020 ◽

Vol 20 (23) ◽

pp. 6909

Author(s):

Francisco Eugenio Potestad-Ordóñez ◽

Manuel Valencia-Barrero ◽

Carmen Baena-Oliva ◽

Pilar Parra-Fernández ◽

Carlos Jesús Jiménez-Fernández

Keyword(s):

Stream Cipher ◽

Internal State ◽

Clock Cycle ◽

Fault Analysis ◽

Invasive Technique ◽

Sensitive Information ◽

Secret Key ◽

Key Recovery ◽

Differential Fault Analysis ◽

Secret Keys

One of the best methods to improve the security of cryptographic systems used to exchange sensitive information is to attack them to find their vulnerabilities and to strengthen them in subsequent designs. Trivium stream cipher is one of the lightweight ciphers designed for security applications in the Internet of things (IoT). In this paper, we present a complete setup to attack ASIC implementations of Trivium which allows recovering the secret keys using the active non-invasive technique attack of clock manipulation, combined with Differential Fault Analysis (DFA) cryptanalysis. The attack system is able to inject effective transient faults into the Trivium in a clock cycle and sample the faulty output. Then, the internal state of the Trivium is recovered using the DFA cryptanalysis through the comparison between the correct and the faulty outputs. Finally, a backward version of Trivium was also designed to go back and get the secret keys from the initial internal states. The key recovery has been verified with numerous simulations data attacks and used with the experimental data obtained from the Application Specific Integrated Circuit (ASIC) Trivium. The secret key of the Trivium were recovered experimentally in 100% of the attempts, considering a real scenario and minimum assumptions.

Download Full-text

“Rank Correction”: A New Side-Channel Approach for Secret Key Recovery

Security Aspects in Information Technology - Lecture Notes in Computer Science ◽

10.1007/978-3-642-24586-2_12 ◽

2011 ◽

pp. 128-143 ◽

Cited By ~ 5

Author(s):

Maxime Nassar ◽

Youssef Souissi ◽

Sylvain Guilley ◽

Jean-Luc Danger

Keyword(s):

Side Channel ◽

Secret Key ◽

Key Recovery

Download Full-text

Differential Attacks on CRAFT Exploiting the Involutory S-boxes and Tweak Additions

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2020.i3.119-151 ◽

2020 ◽

pp. 119-151

Author(s):

Hao Guo ◽

Siwei Sun ◽

Danping Shi ◽

Ling Sun ◽

Yao Sun ◽

...

Keyword(s):

Low Cost ◽

Success Probability ◽

Schedule Algorithm ◽

Invariant Property ◽

Differential Analysis ◽

Secret Key ◽

Key Recovery ◽

Weak Keys ◽

Key Recovery Attack ◽

Truncated Differential

CRAFT is a lightweight tweakable block cipher proposed at FSE 2019, which allows countermeasures against Differential Fault Attacks to be integrated into the cipher at the algorithmic level with ease. CRAFT employs a lightweight and involutory S-box and linear layer, such that the encryption function can be turned into decryption at a low cost. Besides, the tweakey schedule algorithm of CRAFT is extremely simple, where four 64-bit round tweakeys are generated and repeatedly used. Due to a combination of these features which makes CRAFT exceedingly lightweight, we find that some input difference at a particular position can be preserved through any number of rounds if the input pair follows certain truncated differential trails. Interestingly, in contrast to traditional differential analysis, the validity of this invariant property is affected by the positions where the constant additions take place. We use this property to construct “weak-tweakey” truncated differential distinguishers of CRAFT in the single-key model. Subsequently, we show how the tweak additions allow us to convert these weak-tweakey distinguishers into ordinary secret-key distinguishers based on which key-recovery attacks can be performed. Moreover, we show how to construct MILP models to search for truncated differential distinguishers exploiting this invariant property. As a result, we find a 15-round truncated differential distinguisher of CRAFT and extend it to a 19-round key-recovery attack with 260.99 data, 268 memory, 294.59 time complexity, and success probability 80.66%. Also, we find a 14-round distinguisher with probability 2−43 (experimentally verified), a 16-round distinguisher with probability 2−55, and a 20-round weak-key distinguisher (2118 weak keys) with probability 2−63. Experiments on round-reduced versions of the distinguishers show that the experimental probabilities are sometimes higher than predicted. Finally, we note that our result is far from threatening the security of the full CRAFT.

Download Full-text

Dismantling the AUT64 Automotive Cipher

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2018.i2.46-69 ◽

2018 ◽

pp. 46-69

Author(s):

Christopher Hicks ◽

Flavio D. Garcia ◽

David Oswald

Keyword(s):

Block Cipher ◽

Authentication Protocol ◽

Secret Key ◽

Vehicle Manufacturer ◽

Key Recovery ◽

Worst Case ◽

Remote Keyless Entry ◽

First Time ◽

Key Recovery Attacks ◽

Complete Specification

AUT64 is a 64-bit automotive block cipher with a 120-bit secret key used in a number of security sensitive applications such as vehicle immobilization and remote keyless entry systems. In this paper, we present for the first time full details of AUT64 including a complete specification and analysis of the block cipher, the associated authentication protocol, and its implementation in a widely-used vehicle immobiliser system that we have reverse engineered. Secondly, we reveal a number of cryptographic weaknesses in the block cipher design. Finally, we study the concrete use of AUT64 in a real immobiliser system, and pinpoint severe weaknesses in the key diversification scheme employed by the vehicle manufacturer. We present two key-recovery attacks based on the cryptographic weaknesses that, combined with the implementation flaws, break both the 8 and 24 round configurations of AUT64. Our attack on eight rounds requires only 512 plaintext-ciphertext pairs and, in the worst case, just 237.3 offline encryptions. In most cases, the attack can be executed within milliseconds on a standard laptop. Our attack on 24 rounds requires 2 plaintext-ciphertext pairs and 248.3 encryptions to recover the 120-bit secret key in the worst case. We have strong indications that a large part of the key is kept constant across vehicles, which would enable an attack using a single communication with the transponder and negligible offline computation.

Download Full-text

A Pre-processing Composition for Secret Key Recovery on Android Smartphone

Information Security Theory and Practice. Securing the Internet of Things - Lecture Notes in Computer Science ◽

10.1007/978-3-662-43826-8_6 ◽

2014 ◽

pp. 76-91 ◽

Cited By ~ 11

Author(s):

Yuto Nakano ◽

Youssef Souissi ◽

Robert Nguyen ◽

Laurent Sauvage ◽

Jean-Luc Danger ◽

...

Keyword(s):

Secret Key ◽

Key Recovery

Download Full-text

Automated Search Oriented to Key Recovery on Ciphers with Linear Key Schedule

IACR Transactions on Symmetric Cryptology ◽

10.46586/tosc.v2021.i2.249-291 ◽

2021 ◽

pp. 249-291

Author(s):

Lingyue Qin ◽

Xiaoyang Dong ◽

Xiaoyun Wang ◽

Keting Jia ◽

Yunwen Liu

Keyword(s):

High Probability ◽

Block Cipher ◽

Secret Key ◽

Key Recovery ◽

Key Schedule ◽

Before And After ◽

Two Phases ◽

Key Recovery Attack ◽

Key Recovery Attacks ◽

Automated Search

Automatic modelling to search distinguishers with high probability covering as many rounds as possible, such as MILP, SAT/SMT, CP models, has become a very popular cryptanalysis topic today. In those models, the optimizing objective is usually the probability or the number of rounds of the distinguishers. If we want to recover the secret key for a round-reduced block cipher, there are usually two phases, i.e., finding an efficient distinguisher and performing key-recovery attack by extending several rounds before and after the distinguisher. The total number of attacked rounds is not only related to the chosen distinguisher, but also to the extended rounds before and after the distinguisher. In this paper, we try to combine the two phases in a uniform automatic model.Concretely, we apply this idea to automate the related-key rectangle attacks on SKINNY and ForkSkinny. We propose some new distinguishers with advantage to perform key-recovery attacks. Our key-recovery attacks on a few versions of round-reduced SKINNY and ForkSkinny cover 1 to 2 more rounds than the best previous attacks.

Download Full-text