Isaac A. Canales-Martínez,Igor Semaev

DOI: https://doi.org/10.1007/s10623-024-01444-4

IF: 1.4

2024-06-20

Designs Codes and Cryptography

Abstract:Cryptanalysis of modern symmetric ciphers may be done by using linear equation systems with multiple right hand sides, which describe the encryption process. The tool was introduced by Raddum and Semaev (Des Codes Cryptogr 49(1):147–160, 2008) where several solving methods were developed. In this work, the probabilities are ascribed to the right hand sides and a statistical attack is then applied. The new approach is a multivariate generalisation of the correlation attack by Siegenthaler (IEEE Trans Comput C 49(1):81–85, 1985). A fast version of the attack is provided too. It may be viewed as an extension of the fast correlation attack in Meier and Staffelbach (J Cryptol 1(3):159–176, 1989), based on exploiting so called parity-checks for linear recurrences. Parity-checks are a particular case of the relations that we introduce in the present work. The notion of a relation is irrelevant to linear recurrences. We show how to apply the method to some LFSR-based stream ciphers including those from the Grain family. The new method generally requires a lower number of the keystream bits to recover the initial states than other techniques reported in the literature.

mathematics, applied,computer science, theory & methods

WANG Yun-feng,SHEN Hai-bin,YAN Xiao-lang

DOI: https://doi.org/10.3785/j.issn.1008-973x.2006.11.028

2006-01-01

Abstract:The chaotic output-cipher feedback mode(OCFM) stream cipher was developed to resist attacks based on chaotic orbits.The chaotic signals were generated based on iterating the piecewise linear chaotic map(PLCM) with a segment number parameter(SNP).Odd bits were used to produce the key streams.After being incorporated,the even bits and ciphers were fed back as the next state of the key stream generator.When the chaotic systems were realized with finite precision,the perturbation approach was applied to remedy the finite precision effect,and the perturbation signal was m-sequence.Theoretical analysis and experimental results show that the OCFM cipher is secure and easy to be realized by hardware or software,and that the encryption speed can be adjusted to meet the application requirement at the algorithm level.

Subrata Nandi,Srinivasan Krishnaswamy,Pinaki Mitra

2023-07-05

Abstract:In LFSR-based stream ciphers, the knowledge of the feedback equation of the LFSR plays a critical role in most attacks. In word-based stream ciphers such as those in the SNOW series, even if the feedback configuration is hidden, knowing the characteristic polynomial of the state transition matrix of the LFSR enables the attacker to create a feedback equation over $GF(2)$. This, in turn, can be used to launch fast correlation attacks. In this work, we propose a method for hiding both the feedback equation of a word-based LFSR and the characteristic polynomial of the state transition matrix. Here, we employ a $z$-primitive $\sigma$-LFSR whose characteristic polynomial is randomly sampled from the distribution of primitive polynomials over $GF(2)$ of the appropriate degree. We propose an algorithm for locating $z$-primitive $\sigma$-LFSR configurations of a given degree. Further, an invertible matrix is generated from the key. This is then employed to generate a public parameter which is used to retrieve the feedback configuration using the key. If the key size is $n$- bits, the process of retrieving the feedback equation from the public parameter has a average time complexity $\mathbb{O}(2^{n-1})$. The proposed method has been tested on SNOW 2.0 and SNOW 3G for resistance to fast correlation attacks. We have demonstrated that the security of SNOW 2.0 and SNOW 3G increases from 128 bits to 256 bits.

Cryptography and Security

Carla Mascia,Enrico Piccione,Massimiliano Sala

DOI: https://doi.org/10.3934/amc.2023016

2024-04-08

Abstract:In this paper, we propose a new algebraic attack on stream ciphers. Starting from the well-known attack due to Courtois and Meier, we design an attack especially effective against nonlinear filter generators. We test it on two toy stream ciphers and we show that the level of security of one of stream ciphers submitted to the NIST competition on Lightweight Cryptography, WG-PRNG, is less than that stated before now.

Cryptography and Security,Symbolic Computation

Fan Zhang,Shize Guo,Xinjie Zhao,Tao Wang,Jian Yang,Francois-Xavier Standaert,Dawu Gu

DOI: https://doi.org/10.1109/tifs.2016.2516905

2019-01-01

Abstract:Algebraic fault analysis (AFA), which combines algebraic cryptanalysis with fault attacks, has represented serious threats to the security of lightweight block ciphers. Inspired by an earlier framework for the analysis of side-channel attacks presented at EUROCRYPT 2009, a new generic framework is proposed to analyze and evaluate algebraic fault attacks on lightweight block ciphers. We interpret AFA at three levels: 1) the target; 2) the adversary; and 3) the evaluator. We describe the capability of an adversary in four parts: 1) the fault injector; 2) the fault model describer; 3) the cipher describer; and 4) the machine solver. A formal fault model is provided to cover most of current fault attacks. Different strategies of building optimal equation set are also provided to accelerate the solving process. At the evaluator level, we consider the approximate information metric and the actual security metric. These metrics can be used to guide adversaries, cipher designers, and industrial engineers. To verify the feasibility of the proposed framework, we make a comprehensive study of AFA on an ultra-lightweight block cipher called LBlock. Three scenarios are exploited, which include injecting a fault to encryption, to key scheduling, or modifying the round number or counter. Our best results show that a single fault injection is enough to recover the master key of LBlock within the affordable complexity in each scenario. To verify the generic feature of the proposed framework, we apply AFA to three other block ciphers, i.e., Data Encryption Standard, PRESENT, and Twofish. The results demonstrate that our framework can be used for different ciphers with different structures.

Roberto La Scala,Sharwan K. Tiwari

DOI: https://doi.org/10.1016/j.jsc.2021.09.001

IF: 0.97

2022-03-01

Journal of Symbolic Computation

Abstract:In this paper we model a class of stream and block ciphers as systems of (ordinary) explicit difference equations over a finite field. We call this class "difference ciphers" and we show that ciphers of application interest, as for example systems of LFSRs with a combiner, Trivium and KeeLoq, belong to the class. By using Difference Algebra, that is, the formal theory of difference equations, we can properly define and study important properties of these ciphers, such as their invertibility and periodicity. We describe then general cryptanalytic methods for difference ciphers that follow from these properties and are useful to assess the security. We illustrate such algebraic attacks in practice by means of the ciphers Bivium and KeeLoq.

mathematics, applied,computer science, theory & methods

Xiaoyan Zhang,Qichun Wang,Bin Wang,Haibin Kan

DOI: https://doi.org/10.1587/transfun.e94.a.2059

2011-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:In algebraic attack on stream ciphers based on LFSRs, the secret key is found by solving an overdefined system of multivariate equations. There are many known algorithms from different point of view to solve the problem, such as linearization, relinearization, XL and Grobner Basis. The simplest method, linearization, treats each monomial of different degrees as a new variable, and consists of $\\sum_{i=1}^{d}{n \\choose i}$ variables (the degree of the system of equations is denoted by d). Thus it needs at least $\\sum_{i=1}^{d}{n \\choose i}$ equations, i.e. keystream bits to recover the secret key by Gaussian reduction or other. In this paper we firstly propose a concept, called equivalence of LFSRs. On the basis of it, we present a constructive method that can solve an overdefined system of multivariate equations with less keystream bits by extending the primitive polynomial.

Fan Zhang,Bolin Yang,Shize Guo,Xinjie Zhao,Tao Wang,Francois-Xavier Standaert,Dawu Gu

DOI: https://doi.org/10.1007/978-3-030-11333-9_5

2019-01-01

Abstract:Algebraic fault analysis (AFA), which combines algebraic cryptanalysis with fault attacks, has represented serious threats to the security of lightweight block ciphers. Inspired by an earlier framework for the analysis of side-channel attacks presented at EUROCRYPT 2009, a new generic framework is proposed to analyze and evaluate algebraic fault attacks on lightweight block ciphers. We interpret AFA at three levels: the target, the adversary, and the evaluator. We describe the capability of an adversary in four parts: the fault injector, the fault model describer, the cipher describer, and the machine solver. A formal fault model is provided to cover most of the current fault attacks. Different strategies of building optimal equation set are also provided to accelerate the solving process. At the evaluator level, we consider the approximate information metric and the actual security metric. These metrics can be used to …

Ge Yao,Udaya Parampalli

DOI: https://doi.org/10.48550/arXiv.1911.01002

2019-11-04

Abstract:Lightweight stream ciphers are highly demanded in IoT applications. In order to optimize the hardware performance, a new class of stream cipher has been proposed. The basic idea is to employ a single Galois NLFSR with maximum period to construct the cipher. As a representative design of this kind of stream ciphers, Espresso is based on a 256-bit Galois NLFSR initialized by a 128-bit key. The $2^{256}-1$ maximum period is assured because the Galois NLFSR is transformed from a maximum length LFSR. However, we propose a Galois-to-Fibonacci transformation algorithm and successfully transform the Galois NLFSR into a Fibonacci LFSR with a nonlinear output function. The transformed cipher is broken by the standard algebraic attack and the Rønjom-Helleseth attack with complexity $\mathcal{O}(2^{68.44})$ and $\mathcal{O}(2^{66.86})$ respectively. The transformation algorithm is derived from a new Fibonacci-to-Galois transformation algorithm we propose in this paper. Compare to existing algorithms, proposed algorithms are more efficient and cover more general use cases. Moreover, the transformation result shows that the Galois NLFSR used in any Espresso-like stream ciphers can be easily transformed back into the original Fibonacci LFSR. Therefore, this kind of design should be avoided in the future.

Cryptography and Security

Jorge Nakahara,Pouyan Sepehrdad,Bingsheng Zhang,Meiqin Wang

DOI: https://doi.org/10.1007/978-3-642-10433-6_5

2009-01-01

Abstract:The contributions of this paper include the first linear hull and a revisit of the algebraic cryptanalysis of reduced-round variants of the block cipher PRESENT, under known-plaintext and ciphertext-only settings. We introduce a pure algebraic cryptanalysis of 5-round PRESENT and in one of our attacks we recover half of the bits of the key in less than three minutes using an ordinary desktop PC. The PRESENT block cipher is a design by Bogdanov et al., announced in CHES 2007 and aimed at RFID tags and sensor networks. For our linear attacks, we can attack 25-round PRESENT with the whole code book, 296.68 25-round PRESENT encryptions, 240 blocks of memory and 0.61 success rate. Further we can extend the linear attack to 26-round with small success rate. As a further contribution of this paper we computed linear hulls in practice for the original PRESENT cipher, which corroborated and even improved on the predicted bias (and the corresponding attack complexities) of conventional linear relations based on a single linear trail.

Jingjing Wang,Kefei Chen,Shixiong Zhu

DOI: https://doi.org/10.1007/978-3-642-34117-5_12

2012-01-01

Abstract:Spectra attacks proposed recently are more data efficient than algebraic attacks against stream cipher. They are also time-and-space efficient. A measurement of the security of a stream cipher against spectra attacks is spectral immunity, the lowest spectral weight of the annihilator of the key stream. We study both the annihilator and the spectral immunity. We obtain a necessary and sufficient condition for the existence of low spectral weight annihilator and find it is more difficult to decide the (non)existence of the low weight annihilator for spectra attacks than for algebraic attacks. We also give some basic properties of annihilators and find the probability of a periodic sequence to be the annihilator of another sequence of the same period is low. Finally we prove that the spectral immunity is upper bounded by half of the period of the key stream. As a result, to recover any key stream, the least amount of bits required by spectra attacks is at most half of its period. © Springer-Verlag Berlin Heidelberg 2012.

Yin Lv,Danping Shi,Lei Hu,Yi Guo

DOI: https://doi.org/10.1007/s10623-024-01458-y

IF: 1.4

2024-07-26

Designs Codes and Cryptography

Abstract:Linear cryptanalysis is one of the most classical cryptanalysis methods for block ciphers. Some critical techniques of the key-recovery phase are developed for enhancing linear cryptanalysis. Collard et al. improved the time complexity for last-round key-recovery attacks by using FWT. A generalized key-recovery algorithm for an arbitrary number of rounds with an associated time complexity formula is further provided by Flórez-Gutiérrez and Naya-Plasencia based on FWT in Eurocrypt 2020. However, the previous generalized algorithms are mainly applied to block ciphers with SPN structures, where the round-keys in the first and last round XORed to the state can be easily defined as outer keys . In Asiacrypt 2021, Leurent et al. applied the algorithm by Flórez-Gutiérrez et al. to Feistel structure ciphers. However, for other structures, such as NLFSR-based, the outer keys can not be directly deduced to utilize the previous algorithms. This paper extends the algorithm by Flórez-Gutiérrez et al. for more complicated structures, including but not limited to NLFSR-based, Feistel, ARX, and SPN. We also use the dependency relationships between ciphertext, plaintext and key information bits to eliminate the redundancy calculation and the improve analysis phase. We apply the algorithm with the improved analysis phase to KATAN (NLFSR-based) and SPARX (ARX). We obtain significantly improved results. The linear results we find for SPARX-128/128 beat other cryptanalytic techniques, becoming the best key recovery attacks on this cipher. The previous best linear attacks on KATAN32, KATAN48 and KATAN64 are improved by 9, 4, and 14 rounds, respectively.

mathematics, applied,computer science, theory & methods

S. Hodžić,E. Pasalic,Y. Wei

DOI: https://doi.org/10.48550/arXiv.1609.08422

2016-09-27

Abstract:In this article an optimal selection of tap positions for certain LFSR-based encryption schemes is investigated from both design and cryptanalytic perspective. Two novel algorithms towards an optimal selection of tap positions are given which can be satisfactorily used to provide (sub)optimal resistance to some generic cryptanalytic techniques applicable to these schemes. It is demonstrated that certain real-life ciphers (e.g. SOBER-t32, SFINKS and Grain-128), employing some standard criteria for tap selection such as the concept of full difference set, are not fully optimized with respect to these attacks. These standard design criteria are quite insufficient and the proposed algorithms appear to be the only generic method for the purpose of (sub)optimal selection of tap positions. We also extend the framework of a generic cryptanalytic method called Generalized Filter State Guessing Attacks (GFSGA), introduced in [26] as a generalization of the FSGA method, by applying a variable sampling of the keystream bits in order to retrieve as much information about the secret state bits as possible. Two different modes that use a variable sampling of keystream blocks are presented and it is shown that in many cases these modes may outperform the standard GFSGA mode. We also demonstrate the possibility of employing GFSGA-like attacks to other design strategies such as NFSR-based ciphers (Grain family for instance) and filter generators outputting a single bit each time the cipher is clocked. In particular, when the latter scenario is considered, the idea of combining GFSGA technique and algebraic attacks appears to be a promising unified cryptanalytic method against NFSR-based stream ciphers.

Information Theory

Huafei Zhu,Lixin Ran,Yumin Wang

IF: 1.019

1999-01-01

Chinese Journal of Electronics

Abstract:Cryptographic hash functions are very important for cryptographic protocols such as signature scheme and message authentication. Based on the pioneer work of X. Lai et al., a new framework of hash algorithm is developed in this paper. In our hash scheme, an extra pseudorandom keystream generator is not needed which may be more conveniently for practical use. We have proved that the security of the new hash scheme is equivalent to that of feedback shift registers (FSRs) controlled by 2m - bit security keys.

Jingjing Wang,Xiangxue Li,Kefei Chen,Wenzheng Zhang

DOI: https://doi.org/10.1007/978-3-642-31410-0_4

2012-01-01

Abstract:The nonlinear filter generator (NLFG) is a powerful building block commonly used in stream ciphers. In this paper, we present the direct sum decomposition of the NLFG output sequence that leads to a system of linear equations in the initial state of the NLFG and further to an efficient algebraic attack. The coefficients of the equation system rely only on the NLFG structure. The attack is operated in an online/offline manner, doing most of the work (determining the coefficients of the equation system) in the offline phase. Thus the online phase is very fast, requiring only four multiplications and one diagonalization of n×n matrices. Compared with related works, our attack has the advantages in both online computation cost and success probability. On the one hand, far fewer output bits and significantly less matrix computation are required in our attack, although the online computation complexity O(LC) (LC is the linear complexity of the output sequence) is the same as in the known Rønjom-Helleseth attack. On the other hand, the success probability of the attack is analyzed in this paper, different from most prior work. The success probability of this algebraic attack is $1-2^{-\phi(2^n-1)}$ (φ(·) is the Euler function), which is much greater than 1−2−n, the success probability of the Rønjom-Helleseth attack.

Hao Chen,Tao Wang,Fan Zhang,Xinjie Zhao

DOI: https://doi.org/10.13245/j.hust.170214

2017-01-01

Abstract:The SOSEMANUK stream cipher is a member of the finalists of the eSTREAM proj ect.In this paper,the previous known attacks against SOSEMANUK was presented and discussed.Firstly, SOSEMANUK was described as a set of equations involving the public and key variables at bit level. Secondly,the attacker was assumed to be able to fault a random inner state word and the faults were described as a set of equations by analyzing the propagation of faults.Thirdly,the CryptoMinisat sol-ver was adapted to recover the secret inner state by guessing certain inner state words and solving the combined equations.The results show that the first round attack recovers the secret internal states, requires 20 faults and the computational complexity is dramatically reduced to O(296 ).The first two rounds attack recovers the whole states,requires 10 faults without guessing any inner state word, which is better than the previous known cryptanalytic results.

HaiNa Zhang,Lin Li,XiaoYun Wang

DOI: https://doi.org/10.1007/s11432-008-0064-7

2008-01-01

Science in China Series F Information Sciences

Abstract:ABC v3 is a stream cipher submitted to the ECRYPT eStream project and has entered the second evaluation phase. Its key length is 128 bits. In this paper, we find large numbers of new weak keys of ABC family and introduce a method to search for them, and then apply a fast correlation attack to break ABC v3 with weak keys. We show that there are at least 2(103.71) new weak keys in ABC v3. Recovering the internal state of a weak key requires 2(36.05) keystream words and 2(50.56) operations. The attack can be applied to ABC v1 and v2 with the same complexity as that of ABC v3. However, the number of weak keys of ABC v1 as well as ABC v2 decreases to 2(97) + 2(95.19). It reveals that ABC v3 incurs more weak keys than that of ABC v1 and v2.

Yahya S. Khiabani,Shuangqing Wei,Jian Yuan,Jian Wang

DOI: https://doi.org/10.1109/glocom.2012.6503220

2012-01-01

Abstract:In this paper, we study the effect of channel errors on the performance of linear cryptanalysis against block ciphered system. We study DES block cipher working in cipher feedback mode (CFB) as a special case. In our model, eavesdropper launches linear attack by querying an oracle which provides her with corrupted ciphertexts over a binary symmetric channel (BSC). A new verification strategy in linear attack has been designed and numerically optimized to allow Eve to mount a successful attack in noisy environments. However, we show that even by utilizing this optimized strategy, there is still possibility of misdetection in Eve's cryptanalysis, which directly depends on the channel degradation level. Numerical results show that the proposed attack strategy lets Eve maintain a high performance even for relatively high noise levels. On the other hand, they suggest that due to Eve's possible failures in her attack, tunable cross over probability of the channel can bring about the lowest performance for Eve as well as a higher security.

Yufeng Tang,Zheng Gong,Tao Sun,Jinhai Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-030-88323-2_22

2021-01-01

Abstract:White-box block cipher (WBC) aims at protecting the secret key of a block cipher even if an adversary has full control over the implementations. At CHES 2016, Bos et al. proved that WBC are also threatened by side-channel analysis (SCA), e.g., differential fault analysis (DFA) and differential computation analysis (DCA). Therefore, advanced countermeasures have been proposed by Lee et al. for resisting DFA and DCA, such as table redundancy and improved masking methods, respectively. In this paper, we introduce a new adaptive side-channel analysis model which assumes that an adversary adaptively collects the intermediate values of a specific function and can mount the DFA/DCA attack with chosen inputs. In the adaptive SCA model, both theoretical analysis and experimental results show that Lee et al.’s proposed methods are vulnerable to DFA and DCA attacks. Moreover, a negative proposition is also demonstrated on the corresponding high-order countermeasures under our new model.

Fan Zhang,Xinjie Zhao,Wei He,Shivam Bhasin,Shize Guo

DOI: https://doi.org/10.1007/s11432-016-0233-0

2017-01-01

Science China Information Sciences

Abstract:>Fault analysis is a very powerful technique to break cryptographic implementations.In particular,bitlevel fault analysis(BLFA),where faults are injected by flipping one or a few isolated bits,are among the most efficient of the lot.BLFA requires both precise fault injection capabilities and sophisticated key extraction skills.Algebraic fault analysis(AFA)[1]is a good analysis technique for BLFA.Compared with differential fault analysis(DFA),AFA relies on the automation from machine solvers.Since it fully utilizes the leakages