scholarly journals Vectorized linear approximations for attacks on SNOW 3G

2020 ◽  
pp. 249-271
Author(s):  
Jing Yang ◽  
Thomas Johansson ◽  
Alexander Maximov
Keyword(s):  
Stream Cipher ◽  
Key Recovery ◽  
Distinguishing Attack ◽  
Linear Approximations ◽  
Correlation Attack ◽  
Finite State ◽  
Integrity Protection ◽  
Key Length ◽  
Expected Complexity ◽  
4G Lte

SNOW 3G is a stream cipher designed in 2006 by ETSI/SAGE, serving in 3GPP as one of the standard algorithms for data confidentiality and integrity protection. It is also included in the 4G LTE standard. In this paper we derive vectorized linear approximations of the finite state machine in SNOW3G. In particular,we show one 24-bit approximation with a bias around 2−37 and one byte-oriented approximation with a bias around 2−40. We then use the approximations to launch attacks on SNOW 3G. The first approximation is used in a distinguishing attack resulting in an expected complexity of 2172 and the second one can be used in a standard fast correlation attack resulting in key recovery in an expected complexity of 2177. If the key length in SNOW 3G would be increased to 256 bits, the results show that there are then academic attacks on such a version faster than the exhaustive key search.

scholarly journals Security analysis of linearly filtered NLFSRs

2013 ◽  
Vol 7 (4) ◽  
pp. 313-332 ◽  
Author(s):  
Mohammad Ali Orumiehchiha ◽  
Josef Pieprzyk ◽  
Ron Steinfeld ◽  
Harry Bartlett
Keyword(s):  
Linear Combination ◽  
Mobile Communication ◽  
Stream Cipher ◽  
High Efficiency ◽  
Security Analysis ◽  
Linear Feedback ◽  
Attractive Feature ◽  
Key Recovery ◽  
Distinguishing Attack ◽  
Feedback Shift Register

Abstract. Non-linear feedback shift register (NLFSR) ciphers are cryptographic tools of choice of the industry especially for mobile communication. Their attractive feature is a high efficiency when implemented in hardware or software. However, the main problem of NLFSR ciphers is that their security is still not well investigated. The paper makes a progress in the study of the security of NLFSR ciphers. In particular, we show a distinguishing attack on linearly filtered NLFSR (or LF-NLFSR) ciphers. We extend the attack to a linear combination of LF-NLFSRs. We investigate the security of a modified version of the Grain stream cipher and show its vulnerability to both key recovery and distinguishing attacks.

scholarly journals Comparison Analysis Of Stream Cipher Algorithms For Digital Communication

2012 ◽  
Author(s):  
Abd Rahim Mat Sidek ◽  
Ahmad Zuri Sha’ameri
Keyword(s):  
Stream Cipher ◽  
Statistical Tests ◽  
Linear Feedback ◽  
Radio Communication ◽  
Worst Case ◽  
Correlation Attack ◽  
Feedback Shift Register ◽  
Key Length ◽  
The One ◽  
Linear Complexity Profile

Penghantaran maklumat dalam sistem komunikasi radio seperti frekuensi tinggi akan mendedahkan maklumat itu kepada pihak–pihak yang tidak berkaitan. Untuk memastikan maklumat tersebut selamat, ia haruslah dienkodkan terlebih dahulu sebelum dihantar. Bagi maklumat bersaiz besar, pengenkod jenis satu bit adalah lebih sesuai berbanding pengenkod jenis blok kerana ia lebih cepat dan tidak mempengaruhi bit bersebelahan jika berlakunya kesilapan semasa penghantaran. Pengenkod satu bit biasanya dihasilkan menggunakan kaedah anjakan balik secara linear dan juga penggabungan secara tidak linear. Dengan menggunakan panjang kunci yang sama untuk setiap pengenkod iaitu 64 bit, kekuatan pengenkod ditentukan dengan menggunakan beberapa jenis ujian piawaian. Pengenkod yang melepasi kesemua ujian adalah yang paling baik dan sesuai untuk digunakan dalam penghantaran maklumat digital. Kata kunci: Penghantaran, pengenkod, komunikasi, selamat, linear The broadcast nature of radio communication such as in the HF (High Frequency) spectrum exposes the transmitted information to unauthorized third parties. Confidentiality is ensured by employing cipher system. For bulk transmission of data, stream ciphers are ideal choices over block ciphers due to faster implementation speed and not introducing error propagation. The stream cipher algorithms evaluated are based on the linear feedback shift register (LFSR) with nonlinear combining function. By using a common key length and worst case conditions, the strength of several stream cipher algorithms are evaluated using statistical tests, correlation attack, linear complexity profile and nonstandard test. The best algorithm is the one that exceeds all of the tests. Key words: Confidential, LFSR, stream, block, correlation

scholarly journals Cryptanalysis of Loiss Stream Cipher-Revisited

2014 ◽  
Vol 2014 ◽  
pp. 1-7
Author(s):  
Lin Ding ◽  
Chenhui Jin ◽  
Jie Guan ◽  
Qiuyan Wang
Keyword(s):  
Time Complexity ◽  
Stream Cipher ◽  
Linear Equations ◽  
Data Complexity ◽  
Secret Key ◽  
Key Recovery ◽  
Systems Of Linear Equations ◽  
Key Recovery Attack ◽  
Better Than

Loiss is a novel byte-oriented stream cipher proposed in 2011. In this paper, based on solving systems of linear equations, we propose an improved Guess and Determine attack on Loiss with a time complexity of 2231and a data complexity of 268, which reduces the time complexity of the Guess and Determine attack proposed by the designers by a factor of 216. Furthermore, a related key chosenIVattack on a scaled-down version of Loiss is presented. The attack recovers the 128-bit secret key of the scaled-down Loiss with a time complexity of 280, requiring 264chosenIVs. The related key attack is minimal in the sense that it only requires one related key. The result shows that our key recovery attack on the scaled-down Loiss is much better than an exhaustive key search in the related key setting.

scholarly journals Multidimensional linear cryptanalysis with key difference invariant bias for block ciphers

Cybersecurity ◽  
2021 ◽  
Vol 4 (1) ◽  
Author(s):  
Wenqin Cao ◽  
Wentao Zhang
Keyword(s):  
Time Complexity ◽  
Block Ciphers ◽  
Linear Cryptanalysis ◽  
Compression Technique ◽  
Key Recovery ◽  
Linear Approximations ◽  
Theoretical Advantage ◽  
Multidimensional Linear ◽  
Multidimensional Linear Cryptanalysis ◽  
Key Recovery Attacks

AbstractFor block ciphers, Bogdanov et al. found that there are some linear approximations satisfying that their biases are deterministically invariant under key difference. This property is called key difference invariant bias. Based on this property, Bogdanov et al. proposed a related-key statistical distinguisher and turned it into key-recovery attacks on LBlock and TWINE-128. In this paper, we propose a new related-key model by combining multidimensional linear cryptanalysis with key difference invariant bias. The main theoretical advantage is that our new model does not depend on statistical independence of linear approximations. We demonstrate our cryptanalysis technique by performing key recovery attacks on LBlock and TWINE-128. By using the relations of the involved round keys to reduce the number of guessed subkey bits. Moreover, the partial-compression technique is used to reduce the time complexity. We can recover the master key of LBlock up to 25 rounds with about 260.4 distinct known plaintexts, 278.85 time complexity and 261 bytes of memory requirements. Our attack can recover the master key of TWINE-128 up to 28 rounds with about 261.5 distinct known plaintexts, 2126.15 time complexity and 261 bytes of memory requirements. The results are the currently best ones on cryptanalysis of LBlock and TWINE-128.

scholarly journals Breaking Trivium Stream Cipher Implemented in ASIC Using Experimental Attacks and DFA

Sensors ◽  
2020 ◽  
Vol 20 (23) ◽  
pp. 6909
Author(s):  
Francisco Eugenio Potestad-Ordóñez ◽  
Manuel Valencia-Barrero ◽  
Carmen Baena-Oliva ◽  
Pilar Parra-Fernández ◽  
Carlos Jesús Jiménez-Fernández
Keyword(s):  
Stream Cipher ◽  
Internal State ◽  
Clock Cycle ◽  
Fault Analysis ◽  
Invasive Technique ◽  
Sensitive Information ◽  
Secret Key ◽  
Key Recovery ◽  
Differential Fault Analysis ◽  
Secret Keys

One of the best methods to improve the security of cryptographic systems used to exchange sensitive information is to attack them to find their vulnerabilities and to strengthen them in subsequent designs. Trivium stream cipher is one of the lightweight ciphers designed for security applications in the Internet of things (IoT). In this paper, we present a complete setup to attack ASIC implementations of Trivium which allows recovering the secret keys using the active non-invasive technique attack of clock manipulation, combined with Differential Fault Analysis (DFA) cryptanalysis. The attack system is able to inject effective transient faults into the Trivium in a clock cycle and sample the faulty output. Then, the internal state of the Trivium is recovered using the DFA cryptanalysis through the comparison between the correct and the faulty outputs. Finally, a backward version of Trivium was also designed to go back and get the secret keys from the initial internal states. The key recovery has been verified with numerous simulations data attacks and used with the experimental data obtained from the Application Specific Integrated Circuit (ASIC) Trivium. The secret key of the Trivium were recovered experimentally in 100% of the attempts, considering a real scenario and minimum assumptions.

scholarly journals On the Usage of Deterministic (Related-Key) Truncated Differentials and Multidimensional Linear Approximations for SPN Ciphers

2020 ◽  
pp. 262-287
Author(s):  
Ling Sun ◽  
David Gerault ◽  
Wei Wang ◽  
Meiqin Wang
Keyword(s):  
Internal State ◽  
Constraint Satisfaction Problem ◽  
Exhaustive Search ◽  
Distinguishing Attack ◽  
Linear Approximations ◽  
Inherent Feature ◽  
Differential Pattern ◽  
Impossible Differential ◽  
Multidimensional Linear ◽  
Fixed Input

Among the few works realising the search of truncated differentials (TD) and multidimensional linear approximations (MDLA) holding for sure, the optimality of the distinguisher should be confirmed via an exhaustive search over all possible input differences/masks, which cannot be afforded when the internal state of the primitive has a considerable number of words. The incomplete search is also a long-term problem in the search of optimal impossible differential (ID) and zerocorrelation linear approximation (ZCLA) since all available automatic tools operate under fixed input and output differences/masks, and testing all possible combinations of differences/masks is impracticable for now. In this paper, we start by introducing an automatic approach based on the constraint satisfaction problem for the exploration of deterministic TDs and MDLAs. Since we transform the exhaustive search into an inherent feature of the searching model, the issue of incomplete search is settled. This tool is applied to search for related-key (RK) TDs of AES-192, and a new related-key differential-linear (DL) distinguisher is identified with a TD with certainty. Due to the novel property of the distinguisher, the previous RK DL attack on AES-192 is improved. Also, the new distinguisher is explained from the viewpoint of differentiallinear connectivity table (DLCT) and thus can be regarded as the first application of DLCT in the related-key attack scenario. As the second application of the tool, we propose a method to construct (RK) IDs and ZCLAs automatically. Benefiting from the control of the nonzero fixed differential pattern and the inherent feature of exhaustive search, the new searching scheme can discover longer distinguishers and hence possesses some superiorities over the previous methods. This technique is implemented with several primitives, and the provable security bounds of SKINNY and Midori64 against impossible differential distinguishing attack are generalised.

scholarly journals On Distinguishing Attack Against the Reduced Version of the Cipher Nlsv2

2012 ◽  
Vol 53 (1) ◽  
pp. 21-32
Author(s):  
Michal Braško ◽  
Jaroslav Boor
Keyword(s):  
Stream Cipher ◽  
Stream Ciphers ◽  
Web Page ◽  
Security Issue ◽  
Phase 3 ◽  
Distinguishing Attack ◽  
De Vries ◽  
Practical Demonstration

ABSTRACT The Australian stream cipher NLSv2 [Hawkes, P.-Paddon, M.-Rose, G. G.-De Vries, M. W.: Primitive specification for NLSv2, Project eSTREAM web page, 2007, 1-25] is a 32-bit word oriented stream cipher that was quite successful in the stream ciphers competition-the project eSTREAM. The cipher achieved Phase 3 and successfully accomplished one of the main requirements for candidates in Profile 1 (software oriented proposals)-to have a better performance than AES in counter mode. However the cipher was not chosen into the final portfolio [Babbage, S.-De Canni`ere, Ch.-Canteaut, A.-Cid, C.-Gilbert, H.-Johansson, T.-Parker, M.-Preneel, B.-Rijmen, V.-Robshaw, M.: The eSTREAM Portfolio, Project eSTREAM web page, 2008], because its performance was not so perfect when comparing with other finalist. Also there is a security issue with a high correlation in the used S-Box, which some effective distinguishers exploit. In this paper, a practical demonstration of the distinguishing attack against the smaller version of the cipher is introduced. In our experiments, we have at disposal a machine with four cores (Intel® CoreTM Quad @ 2.66 GHz) and single attack lasts about 6 days. We performed successful practical experiments and our results demonstrate that the distingushing attack against the smaller version is working.

scholarly journals Exploring Practicability for Solving a Task Based on the Generalized Cellular Automata via SAT Solvers

2019 ◽  
pp. 11-22
Author(s):  
P. G. Klyucharev
Keyword(s):  
Positive Integer ◽  
Cellular Automata ◽  
Operation Time ◽  
Computational Experiments ◽  
Key Recovery ◽  
Sat Solvers ◽  
Initial Values ◽  
Sat Solver ◽  
Key Length ◽  
Exhaustive Method

The paper deals with exploring practicability to solve a task of the recovery key of generalized cellular automata via SAT solvers.The problem, which we call a task of the key recovery of generalized cellular automata, is under consideration. This task is formulated as follows. The generalized cellular automata, the positive integer s, the initial values of some cells, and the values of some cells after the s steps of the automata are given. It is required to find the initial values of the remaining cells (their number will be called the key length).To solve the task, were tested Picosat, MiniSat, Glucose, Lingeling, and CryptoMiniSat SAT solvers. In further computational experiments, was used the MiniSat, which was the best.The key recovery task was solved for the generalized cellular automata of a small size via the MiniSat SAT solver. Pizer's graphs were used as graphs of the automata. The key length was approximately half the number of the cells in the automata. As a result of the study, it turned out that operation time of a SAT solver quite significantly (several orders of magnitude) exceeds the estimated time of solution using the FPGA exhaustive method, and the empirical dependencies of the SAT-solver operation time on the key length are exponential.The obtained results confirm that SAT solvers disable effective solving a task under consideration. This allows giving the better reasons for the cryptographic security of the crypto-algorithms based on the generalized cellular automata with regard to the cryptanalysis methods using SAT solvers.

A Distinguishing Attack on a Fast Software-Implemented RC4-Like Stream Cipher

2007 ◽  
Vol 53 (9) ◽  
pp. 3250-3255 ◽  
Author(s):  
Yukiyasu Tsunoo ◽  
Teruo Saito ◽  
Hiroyasu Kubo ◽  
Tomoyasu Suzaki
Keyword(s):  
Stream Cipher ◽  
Distinguishing Attack
Sign in / Sign up

Export Citation Format

Share Document