Xiao-Juan Wang,Tian Tian,Wen-Feng Qi

DOI: https://doi.org/10.1007/s12095-024-00694-2

2024-01-19

Cryptography and Communications

Abstract:Recently nonlinear feedback shift registers (NFSRs) have frequently been used as basic building blocks for stream ciphers. A major problem concerning NFSRs is to construct NFSRs with large periods. In this paper, a new NFSR structure whose period could be theoretically analyzed is proposed and studied, called GL-S-NFSR. A GL-S-NFSR is a selective cascade connection of a primitive Galois LFSR into a standard Galois NFSR with a linear simplified feedback function, where standard Galois NFSRs with linear simplified feedback functions are very useful in stream ciphers, e.g., Trivium. It is proved that the periods of the output sequences of a GL-S-NFSR are lower bounded by the product of all the Zsigmondy primes of with a probability close to 1 under a weak assumption, and particularly, if n is a prime, then divides the periods of the output sequences with a high probability, where n is the stage of the Galois LFSR. Besides, it is also proved that there are several registers satisfying that the periods are multiples of Zsigmondy primes without any assumption. Note that the main building block of Kreyvium consists of a standard Galois NFSR with a linear simplified feedback function and two pure cycling registers (PCRs). Periodic results on GL-S-NFSR are applied to Kreyvium by modifying one PCR to a primitive LFSR and the modified building block of Kreyvium is called M-Kreyvium. It is shown that the sequences involved in M-Kreyvium could have large periods with high probabilities.

computer science, theory & methods,mathematics, applied

Ge Yao,Udaya Parampalli

DOI: https://doi.org/10.48550/arXiv.1911.01002

2019-11-04

Abstract:Lightweight stream ciphers are highly demanded in IoT applications. In order to optimize the hardware performance, a new class of stream cipher has been proposed. The basic idea is to employ a single Galois NLFSR with maximum period to construct the cipher. As a representative design of this kind of stream ciphers, Espresso is based on a 256-bit Galois NLFSR initialized by a 128-bit key. The $2^{256}-1$ maximum period is assured because the Galois NLFSR is transformed from a maximum length LFSR. However, we propose a Galois-to-Fibonacci transformation algorithm and successfully transform the Galois NLFSR into a Fibonacci LFSR with a nonlinear output function. The transformed cipher is broken by the standard algebraic attack and the Rønjom-Helleseth attack with complexity $\mathcal{O}(2^{68.44})$ and $\mathcal{O}(2^{66.86})$ respectively. The transformation algorithm is derived from a new Fibonacci-to-Galois transformation algorithm we propose in this paper. Compare to existing algorithms, proposed algorithms are more efficient and cover more general use cases. Moreover, the transformation result shows that the Galois NLFSR used in any Espresso-like stream ciphers can be easily transformed back into the original Fibonacci LFSR. Therefore, this kind of design should be avoided in the future.

Cryptography and Security

Ximing Fu,Xiaoyun Wang,Xiaoyang Dong,Willi Meier

DOI: https://doi.org/10.1007/978-3-319-96881-0_6

2018-01-01

Abstract:In this paper, we propose a key-recovery attack on Trivium reduced to 855 rounds. As the output is a complex Boolean polynomial over secret key and IV bits and it is hard to find the solution of the secret keys, we propose a novel nullification technique of the Boolean polynomial to reduce the output Boolean polynomial of 855-round Trivium. Then we determine the degree upper bound of the reduced nonlinear boolean polynomial and detect the right keys. These techniques can be applicable to most stream ciphers based on nonlinear feedback shift registers (NFSR). Our attack on 855-round Trivium costs time complexity . As far as we know, this is the best key-recovery attack on round-reduced Trivium. To verify our attack, we also give some experimental data on 721-round reduced Trivium.

Haining Fan

DOI: https://doi.org/10.1109/TC.2015.2428704

2016-01-01

Abstract:We show that the step “modulo the degree-$n$ field generating irreducible polynomial” in the classical definition of the $GF(2^{n})$ multiplication operation can be avoided. This leads to an alternative representation of the finite field multiplication operation. Combining this representation and the Chinese Remainder Theorem, we design bit-parallel $GF(2^{n})$ multipliers for irreducible trinomials $u^n+u^k+1$ on $GF(2)$ where $1 < k \\le n/2$ . For some values of $n$ , our architectures have the same time complexity as the fastest bit-parallel multipliers—the quadratic multipliers, but their space complexities are reduced. Take the special irreducible trinomial $u^{2k}+u^k+1$ for example, the space complexity of the proposed design is reduced by about $1/8$ , while the time complexity matches the best result. Our experimental results show that among the 539 values of $n$ such that $4< n < 1{,}000$ and $x^n+x^k+1$ is irreducible over $GF(2)$ for some $k$ in the range $1 < k \\le n/2$ , the proposed multipliers beat the current fastest parallel multipliers for 290 values of $n$ when $(n-1)/3 \\le k \\le n/2$ : they have the same time complexity, but the space complexities are reduced by $8.4$ percent on average.

Wenlong Sun,Jie Guan

DOI: https://doi.org/10.1049/cmu2.12752

IF: 1.345

2024-05-04

IET Communications

Abstract:In this paper, the authors show that the first Algebraic Side‐Channel Attacks on Trivium are implemented both in ASIC under Hamming distance leakage model and in microcontrollers of different buses under Hamming weight leakage model. Algebraic Side‐Channel Attacks (ASCAs), first proposed by Renauld and Standaert in 2009, are a potent cryptanalysis method against block ciphers. In this paper, the authors initially utilize ASCAs to analyze the security of the Trivium stream cipher, given its concise algebraic structure. Considering its efficiency in both hardware and software implementations, the authors deploy ASCAs to target Trivium implemented both in application specific integrated circuit (ASIC) under the Hamming Distance Leakage Model (HDLM) (noted as CASE 1) and in microcontrollers of various buses (i.e. some common 8‐bit, 16‐bit, and 32‐bit architectures, noted as CASE 2, CASE 3, and CASE 4, respectively) under the Hamming Weight Leakage Model (HWLM). Here, the authors' attacks are conducted on power‐simulated targets and not on real devices. For a single power consumption trace without measurement errors, this paper presents experimental results using MiniSat 2.0. Unfortunately, the authors were unable to break the ASIC implementation of Trivium under HDLM (CASE 1) with a time complexity of 2109 s or so, which is worse than the exhaustive key attack. For CASEs 2 to 4, the authors can find the complete 288‐bit state of Trivium within a reasonable timeframe. Specially, the success rate can reach 100% with an average solving time of less than 1 s when only measuring the leakages of the first eight consecutive rounds for CASE 2. Furthermore, the authors can still successfully recover the internal state even when obtaining leakages of the first 41 rounds with a random loss rate. In fact, it can tolerate a 74% random loss rate for the first 223 rounds. With regard to the potential errors in the measurements, the authors mitigate them using Tolerant ASCA (TASCA). Similarly, CASE 1 cannot be compromised even in error‐free situations, while the authors can still successfully recover the internal state of CASEs 2 to 4 from a single power trace, even with a high error rate, including 100% incorrect measurements. Surprisingly, for CASEs 2 to 4, the authors can recover the internal state with a 100% success rate, regardless of the error rate. As a result, the security of Trivium will not be enhanced when transitioning from a smaller 8‐bit platform to a larger 32‐bit platform. In the end, the authors will consider some more abstract attack models. The results can provide us with additional insights into the security of Trivium from a different perspective.

engineering, electrical & electronic

Roberto La Scala,Federico Pintore,Sharwan K. Tiwari,Andrea Visconti

2024-06-05

Abstract:In this paper we introduce a multistep generalization of the guess-and-determine or hybrid strategy for solving a system of multivariate polynomial equations over a finite field. In particular, we propose performing the exhaustive evaluation of a subset of variables stepwise, that is, by incrementing the size of such subset each time that an evaluation leads to a polynomial system which is possibly unfeasible to solve. The decision about which evaluation to extend is based on a preprocessing consisting in computing an incomplete Grobner basis after the current evaluation, which possibly generates linear polynomials that are used to eliminate further variables. If the number of remaining variables in the system is deemed still too high, the evaluation is extended and the preprocessing is iterated. Otherwise, we solve the system by a complete Grobner basis computation. Having in mind cryptanalytic applications, we present an implementation of this strategy in an algorithm called MultiSolve which is designed for polynomial systems having at most one solution. We prove explicit formulas for its complexity which are based on probability distributions that can be easily estimated by performing the proposed preprocessing on a testset of evaluations for different subsets of variables. We prove that an optimal complexity of MultiSolve is achieved by using a full multistep strategy with a maximum number of steps and in turn the standard guess-and-determine strategy, which essentially is a strategy consisting of a single step, is the worst choice. Finally, we extensively study the behaviour of MultiSolve when performing an algebraic attack on the well-known stream cipher Trivium.

Symbolic Computation,Cryptography and Security,Commutative Algebra

Jeffrey Shallit

DOI: https://doi.org/10.48550/arXiv.2210.03996

2022-10-08

Abstract:In a recent talk of Robbert Fokkink, some conjectures related to the infinite Tribonacci word were stated by the speaker and the audience. In this note we show how to prove (or disprove) the claims easily in a "purely mechanical" fashion, using the Walnut theorem-prover.

Combinatorics,Discrete Mathematics,Formal Languages and Automata Theory

Xing Zhang,Shaoyu Tang,Tianning Li,Xiaowei Li,Changda Wang

DOI: https://doi.org/10.3390/electronics12020405

IF: 2.9

2023-01-13

Electronics

Abstract:The study of lightweight block ciphers has been a "hot topic". As one of the main structures of block ciphers, the Feistel structure has attracted much attention. However, the traditional Feistel structure cipher changes only half of the plaintext in an iterative round, resulting in slow diffusion. Therefore, more encryption rounds are required to ensure security. To address this issue, a new algorithm, GFRX, is proposed, which combines a generalized Feistel structure and ARX (Addition or AND, Rotation, XOR). The GFRX algorithm uses an ARX structure with different non-linear components to deal with all the branches of a generalized Feistel structure so that it can achieve a better diffusion effect in fewer rounds. {The results of a security analysis of the GFRX algorithm show that the effective differential attacks do not exceed 19 rounds and that the effective linear attacks do not exceed 13 rounds.} Therefore, the GFRX algorithm has an adequate security level for differential and linear analysis. Avalanche test results obtained for the GFRX algorithm show that the GFRX algorithm has strong diffusion and only takes six rounds to meet the avalanche effect. In addition, the GFRX algorithm can achieve different serialization levels depending on different hardware resource requirements and can achieve full serialization, which ensures operational flexibility in resource-constrained environments.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yang Yu,Guangwu Xu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-662-54365-8_17

2017-01-01

Abstract:Due to its remarkable performance and potential resistance to quantum attacks, NTRUEncrypt has drawn much attention recently; it also has been standardized by IEEE. However, classical NTRUEncrypt lacks a strong security guarantee and its security still relies on heuristic arguments. At Eurocrypt 2011, Stehle and Steinfeld first proposed a variant of NTRUEncrypt with a security reduction from standard problems on ideal lattices. This variant is restricted to the family of rings Z[X]/(X-n + 1) with n a power of 2 and its private keys are sampled by rejection from certain discrete Gaussian so that the public key is shown to be almost uniform. Despite the fact that partial operations, especially for RLWE, over Z[X]/(X-n + 1) are simple and efficient, these rings are quite scarce and different from the classical NTRU setting. In this work, we consider a variant of NTRUEncrypt over prime cyclotomic rings, i.e. Z[X]/(Xn-1 + ... + X + 1) with n an odd prime, and obtain IND-CPA secure results in the standard model assuming the hardness of worst-case problems on ideal lattices. In our setting, the choice of the rings is much more flexible and the scheme is closer to the original NTRU, as Z[X]/(Xn-1 + ... + X + 1) is a large subring of the NTRU ring Z[X]/(X-n -1). Some tools for prime cyclotomic rings are also developed.

Haining Fan,Masud Anwarul Hasan

DOI: https://doi.org/10.1109/TCSI.2006.883855

2006-01-01

Abstract:A new nonpipelined bit-parallel-shifted polynomial basis multiplier for GF(2n) is presented. For some irreducible trinomials, the space complexity of the multiplier matches the best results available in the literature, and its gate delay is equal to T A+lceillog2nrceilTX, where TA and TX are the delay of one two-input and and xor gates, respectively. To the best of our knowledge, this is the first time that the gate delay bound TA+lceillog2nrceilTX is reached. For some irreducible pentanomials, its gate delay is equal to TA +(1+lceillog2nrceil)TX. NIST has recommended five binary fields for the elliptic curve digital signature algorithm applications: GF(2163), GF(2233), GF(2 283), GF(2409), and GF(2571), but no irreducible trinomials exist for three degrees, viz., 163, 283 and 571. For the three corresponding binary fields, we show that the gate delay of the proposed multiplier is TA+(1+lceillog2nrceil)TX. This result outperforms the previously known results

Arnab Roy,Matthias Johann Steiner

DOI: https://doi.org/10.48550/arXiv.2204.01802

2023-05-28

Abstract:In recent years a new class of symmetric-key primitives over $\mathbb{F}_p$ that are essential to Multi-Party Computation and Zero-Knowledge Proofs based protocols have emerged. Towards improving the efficiency of such primitives, a number of new block ciphers and hash functions over $\mathbb{F}_p$ were proposed. These new primitives also showed that following alternative design strategies to the classical Substitution-Permutation Network (SPN) and Feistel Networks leads to more efficient cipher and hash function designs over $\mathbb{F}_p$ specifically for large odd primes $p$. In view of these efforts, in this work we build an \emph{algebraic framework} that allows the systematic exploration of viable and efficient design strategies for constructing symmetric-key (iterative) permutations over $\mathbb{F}_p$. We first identify iterative polynomial dynamical systems over finite fields as the central building block of almost all block cipher design strategies. We propose a generalized triangular polynomial dynamical system (GTDS), and based on the GTDS we provide a generic definition of an iterative (keyed) permutation over $\mathbb{F}_p^n$. Our GTDS-based generic definition is able to describe the three most well-known design strategies, namely SPNs, Feistel networks and Lai--Massey. Consequently, the block ciphers that are constructed following these design strategies can also be instantiated from our generic definition. Moreover, we find that the recently proposed \texttt{Griffin} design, which neither follows the Feistel nor the SPN design, can be described using the generic GTDS-based definition. We also show that a new generalized Lai--Massey construction can be instantiated from the GTDS-based definition. We further provide generic analysis of the GTDS including an upper bound on the differential uniformity and the correlation.

Cryptography and Security

Sandor Kristyan

2024-07-06

Abstract:The divisibility restrictions in the famous equation a n+bn=cn in Fermat Last Theorem (FLT, 1637) is analyzed how it selects out many triples to be Fermat triple (i.e. solutions) if n greater than 2, decreasing the cardinality of Fermat triples. In our analysis, the restriction on positive integer (PI) solutions ((a,b,c,n) up to the point when there is no more) is not along with restriction on power n in PI as decreasing sets {PI } containing {odd} containing {primes} containing {regular primes}, etc. as in the literature, but with respect to exclusion of more and more c in PI as increasing sets {primes p} in {p k} in {PI}. The divisibility and co-prime property in Fermat equation is analyzed in relation to exclusion of solutions, and the effect of simultaneous values of gcd(a,b,c), gcd(a+b,cn), gcd(c-a,bn) and gcd(c-b,an) on the decrease of cardinality of solutions is exhibited. Again, our derivation focuses mainly on the variable c rather than on variable n, oppositely to the literature in which the FLT is historically separated via the values of power n. Among the most famous are the known, about 2500 years old, existing Pythagorean triples (a,b,c,n=2) and the first milestones as the proved cases (of non-existence as n=3 by Gauss and later by Euler (1753) and n=4 by Fermat) less than 400 years ago. As it is known, Wiles has proved the FLT in 1995 in an abstract roundabout way. The n<0, n:=1/m, as well as complex and quaternion (a,b,c) cases focusing on Pythagoreans are commented. Odd powers FLT over quaternions breaks.

General Mathematics

Jiali Shi,Guoqiang Liu,Chao Li,Jianfeng Ma

DOI: https://doi.org/10.23919/cje.2022.00.132

IF: 1.019

2024-01-01

Chinese Journal of Electronics

Abstract:Type-II generalized Feistel network (GFN) has attracted a lot of attention for its simplicity and high parallelism. Impossible differential attack is one of the powerful cryptanalytic approaches for word-oriented block ciphers such as Feistel-like ciphers. We deduce the impossible differential of Type-II GFN by analyzing the Boolean function in the middle round. The main idea is to investigate the expression with the variable representing the plain-text (ciphertext) difference words for the internal state words. By adopting the miss-in-the-middle approach, we can construct the impossible differential of Type-II GFN. As an illustration, we apply this approach to WARP, a lightweight 128-bit block cipher with a 128-bit key which was presented by Banik et al. at SAC 2020. The structure of WARP is a 32-branch Type-II GFN. Therefore, we find two 21-round truncated impossible differentials and implement a 32-round key recovery attack on WARP. For the 32-round key recovery attack on WARP, some observations are used to mount an effective attack. Taking the advantage of the early abort technique, the data, time, and memory complexities are 2125.69 chosen plaintexts, 2126.68 32-round encryptions, and 2100-bit, repectively. To the best of our knowledge, this is the best attack on WARP in the single-key scenario.

engineering, electrical & electronic

Li-Ping Wang,Harald Niederreiter

DOI: https://doi.org/10.1016/j.ffa.2005.03.005

IF: 1.655

2006-01-01

Finite Fields and Their Applications

Abstract:Recent developments in stream ciphers point towards an interest in word-based or vectorized stream ciphers. Such stream ciphers suggest the study of the joint linear complexity of multisequences. In this paper, using the first author's multisequence linear feedback shift-register synthesis algorithm based on a lattice basis reduction algorithm in function fields, we present a method to determine the value of Nn(m)(L), the number of m-fold multisequences of length n over a finite field Fq with nth joint linear complexity L. Furthermore, a closed-form expression for Nn(m)(L) and formulas for the expected value of the joint linear complexity and its variance are given when m=2.

Xuexin Zheng,Keting Jia

DOI: https://doi.org/10.1007/978-3-319-12160-4_8

2014-01-01

Abstract:TWINE, proposed at the ECRYPT Workshop on Lightweight Cryptography in 2011, is a 64-bit lightweight block cipher consisting of 36 rounds with 80-bit or 128-bit keys. In this paper, we give impossible differential attacks on both versions of the cipher, which is an improvement over what the designers claimed to be the best possible. Although our results are not the best considering different cryptanalysis methods, our algorithm which can filter wrong subkeys that have more than 80 bits and 128 bits for TWINE-80 and TWINE-128 respectively shows some novelty. Besides, some observations which may be used to mount other types of attacks are given. Overall, making use of some complicated subkey relations and time-memory tradeoff trick, the time, data and memory complexity of attacking 23-round TWINE-80 are 2(79.09) 23-round encryptions, 2(57.85) chosen plaintexts and 2(78.04) blocks respectively. Besides, the impossible differential attack on 24-round TWINE-128 needs 2(58.1) chosen plaintexts, 2(126.78) 24-round encryptions and 2(125.61) blocks of memory.

Srivatsav Kunnawalkam Elayavalli,Gregory Patchell

2024-10-22

Abstract:Recall that a unitary in a tracial von Neumann algebra is Haar if $\tau(u^n)=0$ for all $n\in \mathbb{N}$. We introduce and study a new Borel equivalence relation $\sim_N$ on the set of Haar unitaries in a diffuse tracial von Neumann algebra $N$. Two Haar unitaries $u,v$ in $\mathcal{U}(N)$ are related if there exists a finite path of sequentially commuting Haar unitaries in an ultrapower $N^\mathcal{U}$, beginning at $u$ and ending at $v$. We show that for any diffuse tracial von Neumann algebra $N$, the equivalence relation $\sim_N$ admits either 1 orbit or uncountably many orbits. We characterize property Gamma in terms of path length and number of orbits of $\sim_N$ and also show the existence of non-Gamma II$_1$ factors so that $\sim_N$ admits only 1 orbit. Examples where $\sim_N$ admits uncountably many orbits include $N$ having positive 1-bounded entropy: $h(N)>0$. As a key example, we explicitly describe $\sim_{L(\mathbb{F}_t)}$ for the free group factors. Using these ideas we introduce a numerical invariant for diffuse tracial von Neumann algebras called the commutation diameter, with applications to elementary equivalence classification. We compute lower and upper bounds for the commutation diameter in various examples. Notably we obtain non-trivial lower bounds for the family of arbitrary graph products $N$ of diffuse tracial von Neumann algebras whose underlying graph is connected and has diameter at least 4, and distinguish them up to elementary equivalence from the [CIKE23] exotic factors, despite satisfying $h(N)\leq 0$.

Operator Algebras,Group Theory,Logic

Zhi-Hong Sun,Zhi-Wei Sun

DOI: https://doi.org/10.4064/aa-60-4-371-388

1992-01-01

Acta Arithmetica

Abstract:Let {F(n)} be the Fibonacci sequence defined by F0 = 0, F1 = 1, F(n) + 1 = F(n) + F(n-1) (n greater-than-or-equal-to 1). It is well known that F(p-)(5/p) = 0 (mod p) for any odd prime p, where (-) denotes the Legendre symbol. In 1960 D.D. Wall [13] asked whether p2/F(p-)(5/p) is always impossible; up to now this is still open. In this paper the sum [GRAPHICS] is expressed in terms of Fibonacci numbers. As applications we obtain a new formula for the Fibonacci quotient F(p-)(5/p)/p and a criterion for the relation p/F(p-1)/4 (if p = 1 (mod 4)), where p not-equal 5 is an odd prime. We also prove that the affirmative answer to Wall's question implies the first case of FLT (Fermat's last theorem); from this it follows that the first case of FLT holds for those exponents which are (odd) Fibonacci primes or Lucas primes.

Yuxuan Lu,Sihem Mesnager,Nian Li,Lisha Wang,Xiangyong Zeng

2024-08-21

Abstract:The Feistel Boomerang Connectivity Table ($\rm{FBCT}$), which is the Feistel version of the Boomerang Connectivity Table ($\rm{BCT}$), plays a vital role in analyzing block ciphers' ability to withstand strong attacks, such as boomerang attacks. However, as of now, only four classes of power functions are known to have explicit values for all entries in their $\rm{FBCT}$. In this paper, we focus on studying the FBCT of the power function $F(x)=x^{2^{n-2}-1}$ over $\mathbb{F}_{2^n}$, where $n$ is a positive integer. Through certain refined manipulations to solve specific equations over $\mathbb{F}_{2^n}$ and employing binary Kloosterman sums, we determine explicit values for all entries in the $\rm{FBCT}$ of $F(x)$ and further analyze its Feistel boomerang spectrum. Finally, we demonstrate that this power function exhibits the lowest Feistel boomerang uniformity.

Information Theory

Weihua Li,Chengcheng Fang,Wei Cao

DOI: https://doi.org/10.3934/math.2020185

2020-01-01

AIMS Mathematics

Abstract:Let F-q be the finite field of order q and f (x) be an irreducible polynomial of degree n over F-q. For a positive divisor n(1) of n, define the n(1)-traces of f (x) to be Tr(alpha; n(1)) = alpha+alpha(q) +...+alpha(qn1-1) where alpha's are the roots of f (x). Let N-q*(n; n(1)) denote the number of monic irreducible polynomials of degree n over F-q with nozero n(1)-traces. Ruskey, Miers and Sawada have found the formula for N-q*(n; n). Based on the properties of linearized polynomials, we obtain the formula for N-q*(n; n(1)) in the general case, including a new proof to the result by Ruskey, Miers and Sawada.

Jiajun Zhang,Haining Fan

DOI: https://doi.org/10.1016/j.vlsi.2017.02.008

2017-01-01

Abstract:This paper presents new space complexity records for the fastest parallel GF(2n) multipliers for about 22% values of n such that a degree-n irreducible trinomial f=un+uk+1 exists over GF(2). By selecting the largest possible value of k∈(n/2,2n/3], we further reduce the space complexities of the Chinese remainder theorem (CRT)-based hybrid polynomial basis multipliers. Our experimental results show that among the 539 values of n∈[5,999] such that f is irreducible for some k∈[2,n−2], there are 317 values of n such that k∈(n/2,2n/3]. For these irreducible trinomials, the space complexities of the CRT-based hybrid multipliers are reduced by 14.3% on average. As a comparison, the previous CRT-based multipliers considered the case k∈[2,n/2], and the improvement rate is 8.4% on average for only 290 values of n among these 539 values of n.