Zheng Wu,Lin Ding,Zhengting Li,Xinhai Wang,Ziyu Guan

DOI: https://doi.org/10.1049/2024/6674019

2024-03-02

IET Information Security

Abstract:GEA-1, a proprietary stream cipher, was initially designed and used to protect against eavesdropping general packet radio service (GPRS) between the phone and the base station. Now, a variety of current mobile phones still support this standard cipher. In this paper, a structural weakness of the GEA-1 stream cipher that has not been found in previous works is discovered and analyzed. That is the probability that two different inputs of GEA-1 generate the identical keystream can be up to 2 − 7.30 , which is quite high compared with an ideal stream cipher that generates random sequences. Based on this newfound weakness, a new practical distinguishing attack on GEA-1 is proposed, which shows that the keystreams generated by GEA-1 are far from random and can be easily distinguished with a practical time cost. After then, a new practical key recovery attack on GEA-1 is presented. It has a time complexity of 2 21.02 GEA-1 encryptions and requires only seven related keys, which is much less than the existing related key attack on GEA-1. The experimental results show that GEA-1 can be broken within about 41.75 s on a common PC in the related key setting. These cryptanalytic results show that GEA-1 cannot provide enough security and should be immediately prohibited to be supported in the massive GPRS devices.

computer science, information systems, theory & methods

Qianmei Wu,Fan Zhang,Shize Guo,Kun Yang,Haoting Shen

DOI: https://doi.org/10.1109/tc.2024.3416682

IF: 3.183

2024-01-01

IEEE Transactions on Computers

Abstract:As a common defense against side-channel attacks, random delay insertion introduces noise into the executive flow of encryption, which increases attack complexity. Accordingly, various techniques are exploited to mitigate the defense effect of such insertions. As an advanced mathematical technique, wavelet analysis is considered to be a more effective technology according to its detailed and comprehensive interpretation of signals. In this paper, we propose a unified and fully automated wavelet-based attack framework (denoted as UWAF), whose data processing is kept within one unified wavelet domain, with three enhanced components: denoising, alignment and key extraction. We put forward a new idea of combining machine learning with wavelet analysis to realize the full automation of the program for attack framework, rendering it possible to search exhaustively for the optimal combination of parameter settings in wavelet transform. Our proposal finds a new setting of wavelet parameters that have not been exploited ever before and achieves the performance enhancement for about 20 times fewer traces required for successful key recovery. UWAF is compared with several mainstream attack frameworks. Experimental results show that it outperforms those counterparts, and can be considered as an effective framework-level solution to defeat the countermeasure of random delay insertion.

Ming Xing Wang,Dong Dai Lin

DOI: https://doi.org/10.1109/cse-euc.2017.107

2017-01-01

Abstract:The stream cipher Espresso was proposed by Elena Dubrova and Martin Hell in Cryptography and Communications in 2015, which employs the nonlinear feedback shift register (NLFSR) of Galois configuration as a main building block. This Galois configuration of NLFSR is transformed into its equivalent Fibonacci configuration, and then stream cipher Espresso is changed into the stream cipher Espresso variant denoted by Espresso-a. The structures of both Grain and Espresso-a are similar. Therefore, by virtue of slide attack used in the analysis of Grain, Related key chosen IV attack on the stream cipher Espresso-a is mounted. It is shown that the attack on Espresso-a recovers the 128-bit secret key with only two pairs of related key-IVs, no more than 2(42) chosen IVs and 2(64) computational complexity. Thus stream cipher Espresso is not secure for 128-bit secret key.

Xiaofei Dong,Fan Zhang,Samiya Queshi,Yiran Zhang,Ziyuan Liang,Bolin Yang,Feng Gao

DOI: https://doi.org/10.1109/asianhost.2018.8607162

2018-01-01

Abstract:Random delay insertion is a simple yet rather effective technique to increase the difficulty for traditional power analysis. However as compared to the random masking technique, it is uncommonly used as a countermeasure considering the frequency analysis. In this paper, it is investigated that the frequency analysis may not work as efficiently as expected when facing to advanced random delay countermeasures. Hence, a novel attack is proposed which is in the wavelet domain. After preprocessing the wavelet coefficients of power traces with wavelet decomposition, the effects of multiple random delays can be removed. Two attack strategies are proposed to recover the secret key: either indirectly from the reconstructed power traces without random delays or directly from the processed wavelet coefficients. Our experimental results show that the wavelet-based power analysis attack can perform much better than those frequency-based ones, which is evaluated through several standard metrics to show the efficiency and robustness.

Lin Ding,Dawu Gu,Lei Wang

DOI: https://doi.org/10.1007/978-981-15-0818-9_16

2019-01-01

Abstract:The well-known MICKEY 2.0 stream cipher, designed by Babbage and Dodd in 2006, is one of the seven finalists of the eSTREAM project. In this paper, new key recovery attack on the MICKEY family of stream ciphers in the single key setting is proposed. We prove that for a given variant of the MICKEY family of stream ciphers with a key size of n(>= 80) bits and a IV size of m bits, 0 < m < n, there certainly exists a key recovery attack in the single key setting, whose online time, memory, data and offline time complexities are all smaller than 2n. Take MICKEY 2.0 with a 64-bit IV as an example. The new attack recovers all 80 key bits with an online time complexity of 278, an offline time complexity of 279 and a memory complexity of 245, requiring only 80 keystream bits. To the best of our knowledge, this paper presents the first cryptanalytic result of the MICKEY family of stream ciphers better than exhaustive key search.

Hao Chen,Tao Wang,Fan Zhang,Xinjie Zhao,Wei He,Lumin Xu,Yunfei Ma

DOI: https://doi.org/10.1155/2017/8051728

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:HIGHT is a lightweight block cipher which has been adopted as a standard block cipher. In this paper, we present a bit-level algebraic fault analysis (AFA) of HIGHT, where the faults are perturbed by a stealthy HT. The fault model in our attack assumes that the adversary is able to insert a HT that flips a specific bit of a certain intermediate word of the cipher once the HT is activated. The HT is realized by merely 4 registers and with an extremely low activation rate of about 0.000025. We show that the optimal location for inserting the designed HT can be efficiently determined by AFA in advance. Finally, a method is proposed to represent the cipher and the injected faults with a merged set of algebraic equations and the master key can be recovered by solving the merged equation system with an SAT solver. Our attack, which fully recovers the secret master key of the cipher in 12572.26 seconds, requires three times of activation on the designed HT. To the best of our knowledge, this is the first Trojan attack on HIGHT.

Yang Yang,Chenhui Jin

2008-01-01

Kybernetika

Abstract:In this paper, we present a new type of attack on iterated chaotic ciphers using related keys. Based on the fact that a chaotic sequence is not sensitive to the less significant bits of initial conditions and parameters, a divide-and-conquer attack on iterated chaotic ciphers was presented by us before, which significantly reduces the computing complexity of attacks. However, if the information leaked is significant according to the distribution of the coincidence degrees, a measure for the information leakage of chaotic ciphers, or the size of the key is large, then it is difficult for the divide-and-conquer attack to reduce its computing complexity into a realizable level. The related-key attack we present in this paper simultaneously uses the information leaked from different chaotic sequences generated by related keys and combines the ideas of linear cryptanalysis and divide-andconquer attack together, hence greatly enhances the efficiency of divide-and-conquer attack. As an example, we test the related-key attack on the ZLL chaotic cipher with a 64-bit key on a Pentium IV 2.5 GHz PC, which takes only 8 minutes and 45 seconds to recover all bits of the key successfully.

Boxin Zhao,Xiaoyang Dong,Willi Meier,Keting Jia,Gaoli Wang

DOI: https://doi.org/10.1007/s10623-020-00730-1

2020-01-01

Abstract:This paper gives a new generalized key-recovery model of related-key rectangle attacks on block ciphers with linear key schedules. The model is quite optimized and applicable to various block ciphers with linear key schedule. As a proof of work, we apply the new model to two very important block ciphers, i.e. SKINNY and GIFT, which are basic modules of many candidates of the Lightweight Cryptography (LWC) standardization project by NIST. For SKINNY, we reduce the complexity of the best previous 27-round related-tweakey rectangle attack on SKINNY-128-384 from 2 331 to 2 294 . In addition, the first 28-round related-tweakey rectangle attack on SKINNY-128-384 is given, which gains one more round than before. For the candidate LWC SKINNY AEAD M1, we conduct a 24-round related-tweakey rectangle attack with a time complexity of 2 123 and a data complexity of 2 123 chosen plaintexts. For the case of GIFT-64, we give the first 24-round related-key rectangle attack with a time complexity 2 91.58 , while the best previous attack on GIFT-64 only reaches 23 rounds at most.

Yiyuan Luo,Qi Chai,Guang Gong,Xuejia Lai

DOI: https://doi.org/10.1109/GLOCOM.2010.5684215

2010-01-01

Abstract:The family of WG stream ciphers has good randomness properties. In this paper, we parameterize WG-7 stream cipher for RFID tags, where the modest computation/storage capabilities and the necessity to keep their prices low present a challenging problem that goes beyond the well-studied cryptography. The rigorous security analysis of WG-7 indicates that it is secure against time/memory/data trade off attack, differential attack, algebraic attack, correlation attack and Discrete Fourier Transform (DFT) attack. Furthermore, we offer efficient implementation of WG-7 on the 4-bit microcontroller ATAM893-D and the 8-bit microcontroller ATmega8 from ATmel. The experimental results show that WG-7 outperforms most of previous proposals in terms of throughput and implementation complexity. Moreover, we propose a mutual authentication protocol based on WG-7, which provides the untraceability, resistance of tag impersonation and reader impersonation. With its verified cryptographic properties, low implementation complexity and ideal throughput, WG-7 is a promising candidate for RFID applications.

Bin Zhang,Zhenqi Li,Dengguo Feng,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-662-43933-3_27

2014-01-01

Abstract:Grain v1 is one of the 7 finalists selected in the final portfolio by the eSTREAM project. It has an elegant and compact structure, especially suitable for a constrained hardware environment. Though a number of potential weaknesses have been identified, no key recovery attack on the original design in the single key model has been found yet. In this paper, we propose a key recovery attack, called near collision attack, on Grain v1. The attack utilizes the compact NFSR-LFSR combined structure of Grain v1 and works even if all of the previous identified weaknesses have been sewed and if a perfect key/IV initialization algorithm is adopted. Our idea is to identify near collisions of the internal states at different time instants and restore the states accordingly. Combined with the BSW sampling and the non-uniform distribution of internal state differences for a fixed keystream difference, our attack has been verified on a reduced version of Grain v1 in experiments. An extrapolation of the results under some assumption indicates an attack on Grain v1 for any fixed IV in 2(71.4) cipher ticks after the pre-computation of 2(73.1) ticks, given 2(62.8)-bit memory and 2(67.8) keystream bits, which is the best key recovery attack against Grain v1 so far. Hopefully, it provides some new insights on such compact stream ciphers.

Kai Zhang,Xuejia Lai,Lei Wang,Jie Guan,Bin Hu,Senpeng Wang,Tairong Shi

DOI: https://doi.org/10.1109/tc.2023.3315057

IF: 3.183

2024-01-01

IEEE Transactions on Computers

Abstract:With the rapid development of the Internet of Things (IoT), many new lightweight block ciphers are designed in recent years to meet the security demand in IoT devices. Shadow is a lightweight block cipher designed for IoT Nodes (IEEE Internet of Things Journal, 2021). In this article, an efficient attack on full-round Shadow is proposed based on the idea of a related-key differential attack. First, a differential transfer property for AND operation is illustrated. This property demonstrates a link between the difference and the input value. If the difference of the input is not zero, to lead to a zero difference, there are some constraints on the input value. Furthermore, two properties for Shadow family ciphers are identified. According to these properties, some related keys on Shadow will lead to an internal collision for the subkey generator, which will eventually lead to a full-round distinguisher. Finally, with the idea of related-key differential attack, an efficient attack is applied to Shadow. For Shadow-32, with 4 related keys, 8 master key bits can be derived in about 0.044 seconds on average. For Shadow-64, with 4 related keys, 24 master key bits can be derived in about 3.9 hours on average. All our theoretical results are verified by experiments.

Lin Ding,Zhengting Li,Ziyu Guan,Xinhai Wang,Zheng Wu

DOI: https://doi.org/10.1109/tc.2024.3365943

IF: 3.183

2024-01-01

IEEE Transactions on Computers

Abstract:The DECT Standard Cipher (DSC) is a proprietary stream cipher used for encryption in the Digital Enhanced Cordless Telecommunications (DECT), which is a standard for short range cordless communication and widely deployed worldwide both in residential and enterprise environments. New weaknesses of the DSC stream cipher which are not discovered in previous works are explored and analyzed in this paper. Based on these weaknesses, new practical key recovery attacks and distinguishing attack on DSC with lower time cost are proposed. The first cryptanalytic result show that DSC can be broken in about 13.12 seconds in the known IV setting, when an offline phase that takes about 58.33 minutes is completed. After then, a distinguishing attack on DSC in the related key chosen IV setting is given, which has a time complexity of only 2 encryptions and a success probability of almost 1. Finally, based on the slide property, a key recovery attack on DSC with practical complexities is proposed. The experimental result shows that DSC can be broken on a common PC within about 44.97 seconds in the multiple related key setting. The attacks on DSC proposed in this paper clearly show that a well-designed initialization is absolutely necessary to design a secure stream cipher.

engineering, electrical & electronic,computer science, hardware & architecture

Jiali Shi,Guoqiang Liu,Chao Li,Jianfeng Ma

DOI: https://doi.org/10.23919/cje.2022.00.132

IF: 1.019

2024-01-01

Chinese Journal of Electronics

Abstract:Type-II generalized Feistel network (GFN) has attracted a lot of attention for its simplicity and high parallelism. Impossible differential attack is one of the powerful cryptanalytic approaches for word-oriented block ciphers such as Feistel-like ciphers. We deduce the impossible differential of Type-II GFN by analyzing the Boolean function in the middle round. The main idea is to investigate the expression with the variable representing the plain-text (ciphertext) difference words for the internal state words. By adopting the miss-in-the-middle approach, we can construct the impossible differential of Type-II GFN. As an illustration, we apply this approach to WARP, a lightweight 128-bit block cipher with a 128-bit key which was presented by Banik et al. at SAC 2020. The structure of WARP is a 32-branch Type-II GFN. Therefore, we find two 21-round truncated impossible differentials and implement a 32-round key recovery attack on WARP. For the 32-round key recovery attack on WARP, some observations are used to mount an effective attack. Taking the advantage of the early abort technique, the data, time, and memory complexities are 2125.69 chosen plaintexts, 2126.68 32-round encryptions, and 2100-bit, repectively. To the best of our knowledge, this is the best attack on WARP in the single-key scenario.

engineering, electrical & electronic

Zongyue Wang,Xiaoyang Dong,Keting Jia,Jingyuan Zhao

DOI: https://doi.org/10.1155/2014/251853

IF: 1.43

2014-01-01

Mathematical Problems in Engineering

Abstract:The confidentiality of GSM cellular telephony depends on the security of A5 family of cryptosystems. As an algorithm in this family survived from cryptanalysis, A5/3 is based on the block cipher KASUMI. This paper describes a novel differential fault attack on KAUSMI with a 64-bit key. Taking advantage of some mathematical observations on the FL, FO functions, and key schedule, only one 16-bit word fault is required to recover all information of the 64-bit key. The time complexity is only 2(32) encryptions. We have practically simulated the attack on a PC which takes only a few minutes to recover all the key bits. The simulation also experimentally verifies the correctness and complexity.

Yi-Li Huang,Fang-Yie Leu,Ilsun You,Yao-Kuo Sun,Cheng-Chung Chu

DOI: https://doi.org/10.1007/s11227-013-0958-z

IF: 3.3

2013-06-14

The Journal of Supercomputing

Abstract:In broadband wireless technology, due to having many salient advantages, such as high data rates, quality of service, scalability, security, mobility, etc., LTE-A currently has been one of the trends of wireless system development. This system provides several sophisticated authentication and encryption techniques to enhance its system security. However, LTE-A still suffers from various attacks, like eavesdropping and replay attacks. Therefore, in this paper, we propose a novel security scheme, called the security system for a 4Genvironment (Se4GE for short), which as an LTE-A-based system integrates the RSA and Diffie–Hellman algorithms to solve some of LTE-A’s security drawbacks where LTE-A stands for LTE-Advance which is a 4G system. The Se4GE is an end-to-end ciphertext transfer mechanism which dynamically changes encryption keys to enforce the security of data transmission in an LTE-A system. The Se4GE also produces several logically connected random keys, called the intelligent protection-key chain, which invokes two encryption/decryption techniques to provide users with broader demands for security services. The analytical results show that the Se4GE has higher security level than that of an LTE-A system.

Jie Cui,Liusheng Huang,Hong Zhong,Wei Yang

DOI: https://doi.org/10.1109/ICCSE.2010.5593579

2010-01-01

Abstract:In this paper the authors present an attack on 7-round AES-128/256 to improve the known cryptanalysis by changing the order of round transformation , using the alternative representation of the round keys, exploiting the relationship of keys, designing the key difference pattern properly. By using the improved attack method, the complexity is reduced from 2 192 to 2 104 with 2 72 chosen plaintexts, the authors reduce complexity to 2 88 using partial sums. ©2010 IEEE.

Xuefei Bai,Li Guo,Tie Li

DOI: https://doi.org/10.1109/iccsc.2008.136

2008-01-01

Abstract:SMS4 is a 128-bit block cipher used in the WAPI standard for protecting data packets in WLAN. In this paper, a differential power analysis attack method on every byte of round keys is presented. Through this attack, the round keys of the last four rounds of SMS4 can be obtained, and then the 128- bit encryption key can be found out. The results of simulation experiments indicate that this attack is effective and practical on the SMS4 cipher.

Xiaoyang Dong,Bingyou Dong,Xiaoyun Wang

DOI: https://doi.org/10.1007/s10623-020-00741-y

2020-03-09

Abstract:Post-quantum cryptography has attracted much attention from worldwide cryptologists. However, most research works are related to public-key cryptosystem due to Shor's attack on RSA and ECC ciphers. At CRYPTO 2016, Kaplan et al. showed that many secret-key (symmetric) systems could be broken using a quantum period finding algorithm, which encouraged researchers to evaluate symmetric systems against quantum attackers. In this paper, we continue to study symmetric ciphers against quantum attackers. First, we convert the classical advanced slide attacks (introduced by Biryukov and Wagner) to a quantum one, that gains an exponential speed-up in time complexity. Thus, we could break 2/4K-Feistel and 2/4K-DES in polynomial time. Second, we give a new quantum key-recovery attack on full-round GOST, which is a Russian standard, with <span class="mathjax-tex">\(2^{114.8}\)</span> quantum queries of the encryption process, faster than a quantum brute-force search attack by a factor of <span class="mathjax-tex">\(2^{13.2}\)</span>.

Carla Mascia,Enrico Piccione,Massimiliano Sala

DOI: https://doi.org/10.3934/amc.2023016

2024-04-08

Abstract:In this paper, we propose a new algebraic attack on stream ciphers. Starting from the well-known attack due to Courtois and Meier, we design an attack especially effective against nonlinear filter generators. We test it on two toy stream ciphers and we show that the level of security of one of stream ciphers submitted to the NIST competition on Lightweight Cryptography, WG-PRNG, is less than that stated before now.

Cryptography and Security,Symbolic Computation

Leibo Li,Keting Jia,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-662-46706-0_7

2014-01-01

Abstract:This paper focuses on key-recovery attacks on 9-round AES-192 and AES-256 under single-key model with the framework of the meet-in-the-middle attack. A new technique named key-dependent sieve is introduced to further reduce the size of lookup table of the attack, and the 9-round AES-192 is broken with 2 121 chosen plaintexts, 2(187.5) 9-round encryptions and 2(185) 128-bit words of memory. If the attack starts from the third round, the complexities would be further reduced by a factor of 16. Moreover, the whole attack is split up into a series of weak-key attacks. Then the memory complexity of the attack is saved significantly when we execute these weak attacks in streaming mode. This method is also applied to reduce the memory complexity of the attack on 9-round AES-256.