24 research outputs found
Multidimensional Zero-Correlation Linear Cryptanalysis of the Block Cipher KASUMI
The block cipher KASUMI is widely used for security in many synchronous
wireless standards. It was proposed by ETSI SAGE for usage in 3GPP (3rd
Generation Partnership Project) ciphering algorthms in 2001. There are a great
deal of cryptanalytic results on KASUMI, however, its security evaluation
against the recent zero-correlation linear attacks is still lacking so far. In
this paper, we select some special input masks to refine the general 5-round
zero-correlation linear approximations combining with some observations on the
functions and then propose the 6-round zero-correlation linear attack on
KASUMI. Moreover, zero-correlation linear attacks on the last 7-round KASUMI
are also introduced under some weak keys conditions. These weak keys take
of the whole key space.
The new zero-correlation linear attack on the 6-round needs about
encryptions with known plaintexts. For the attack under weak keys
conditions on the last 7 round, the data complexity is about known
plaintexts and the time complexity encryptions
Key classification attack on block ciphers
In this paper, security analysis of block ciphers with key length greater
than block length is proposed. When key length is significantly greater than
block length and the statistical distribution of cipher system is like a
uniform distribution, there are more than one key which map fixed input to
fixed output. If a block cipher designed sufficiently random, it is expected
that the key space can be classified into same classes. Using such classes of
keys, our proposed algorithm would be able to recover the key of block cipher
with complexity O(max(2^n, 2^{k-n}) where n is block length and k is key
length. We applied our algorithm to 2- round KASUMI block cipher as sample
block cipher by using weakness of functions that used in KASUMI
Performance and Statistical Analysis of Stream ciphers in GSM Communications
For a stream cipher to be secure, the keystream generated by it should be uniformly random with parameter 1/2.Statistical tests check whether the given sequence follow a certain probability distribution. In this paper, we perform a detailed statistical analysis of various stream ciphers used in GSM 2G,3G, 4G and 5G communications. The sequences output by these ciphers are checked for randomness using the statistical tests defined by the NIST Test Suite. It should also be not possible to derive any information about secret key and the initial state ofthe cipher from the keystream. Therefore, additional statistical tests based on properties like Correlation between Keystreamand Key, and Correlation between Keystream and IV are also performed. Performance analysis of the ciphers also has been done and the results tabulated. Almost all the ciphers pass the tests in the NIST test suite with 99% confidence level. For A5/3stream cipher, the correlation between the keystream and key is high and correlation between the keystream and IV is low when compared to other ciphers in the A5 family
Improved Related-Key Attacks on DESX and DESX+
In this paper, we present improved related-key attacks on the original DESX, and DESX+, a variant of the DESX with its pre- and post-whitening XOR operations replaced with addition modulo . Compared to previous results, our attack on DESX has reduced text complexity, while our best attack on DESX+ eliminates the memory requirements at the same processing complexity
Impossible Boomerang Attack for Block Cipher Structures
Impossible boomerang attack \cite{lu} (IBA) is a new variant of differential cryptanalysis against block ciphers. Evident from its name, it combines the ideas of both impossible differential cryptanalysis and boomerang attack. Though such an attack might not be the best attack available, its complexity is still less than that of the exhaustive search. In impossible boomerang attack, impossible boomerang distinguishers are used to retrieve some of the subkeys. Thus the security of a block cipher against IBA can be evaluated by impossible boomerang distinguishers. In this paper, we study the impossible boomerang distinguishers for block cipher structures whose round functions are bijective. Inspired by the -method in \cite{kim}, we provide an algorithm to compute the maximum length of impossible boomerang distinguishers for general block cipher structures, and apply the algorithm to known block cipher structures such as Nyberg\u27s generalized Feistel network, a generalized CAST256-like structure, a generalized MARS-like structure, a generalized RC6-like structure, etc
The (related-key) impossible boomerang attack and its application to the AES block cipher
The Advanced Encryption Standard (AES) is a 128-bit block cipher with a user key of 128, 192 or 256 bits, released by NIST in 2001 as the next-generation data encryption standard for use in the USA. It was adopted as an ISO international standard in 2005. Impossible differential cryptanalysis and the boomerang attack are powerful variants of differential cryptanalysis for analysing the security of a block cipher. In this paper, building on the notions of impossible differential cryptanalysis and the boomerang attack, we propose a new cryptanalytic technique, which we call the impossible boomerang attack, and then describe an extension of this attack which applies in a related-key attack scenario. Finally, we apply the impossible boomerang attack to break 6-round AES with 128 key bits and 7-round AES with 192/256 key bits, and using two related keys we apply the related-key impossible boomerang attack to break 8-round AES with 192 key bits and 9-round AES with 256 key bits. In the two-key related-key attack scenario, our results, which were the first to achieve this amount of attacked rounds, match the best currently known results for AES with 192/256 key bits in terms of the numbers of attacked rounds. The (related-key) impossible boomerang attack is a general cryptanalytic technique, and can potentially be used to cryptanalyse other block ciphers
Where's Crypto?: Automated Identification and Classification of Proprietary Cryptographic Primitives in Binary Code
The continuing use of proprietary cryptography in embedded systems across
many industry verticals, from physical access control systems and
telecommunications to machine-to-machine authentication, presents a significant
obstacle to black-box security-evaluation efforts. In-depth security analysis
requires locating and classifying the algorithm in often very large binary
images, thus rendering manual inspection, even when aided by heuristics, time
consuming.
In this paper, we present a novel approach to automate the identification and
classification of (proprietary) cryptographic primitives within binary code.
Our approach is based on Data Flow Graph (DFG) isomorphism, previously proposed
by Lestringant et al. Unfortunately, their DFG isomorphism approach is limited
to known primitives only, and relies on heuristics for selecting code fragments
for analysis. By combining the said approach with symbolic execution, we
overcome all limitations of their work, and are able to extend the analysis
into the domain of unknown, proprietary cryptographic primitives. To
demonstrate that our proposal is practical, we develop various signatures, each
targeted at a distinct class of cryptographic primitives, and present
experimental evaluations for each of them on a set of binaries, both publicly
available (and thus providing reproducible results), and proprietary ones.
Lastly, we provide a free and open-source implementation of our approach,
called Where's Crypto?, in the form of a plug-in for the popular IDA
disassembler.Comment: A proof-of-concept implementation can be found at
https://github.com/wheres-crypto/wheres-crypt
On the sliding property of SNOW 3G and SNOW 2.0
SNOW 3G is a stream cipher chosen by the 3rd Generation Partnership Project (3GPP) as a crypto-primitive to substitute KASUMI in case its security is compromised. SNOW 2.0 is one of the stream ciphers chosen for the ISO/IEC standard IS 18033-4. In this study, the authors show that the initialisation procedure of the two ciphers admits a sliding property, resulting in several sets of related-key pairs. In case of SNOW 3G, a set of 232 related-key pairs is presented, whereas in the case of SNOW 2.0, several such sets are found, out of which the largest are of size 264 and 2192 for the 128-bit and 256-bit variant of the cipher, respectively. In addition to allowing related-key recovery attacks against SNOW 2.0 with 256-bit keys, the presented properties reveal non-random behaviour that yields related-key distinguishers and also questions the validity of the security proofs of protocols that are based on the assumption that SNOW 3G and SNOW 2.0 behave like perfect random functions of the key-IV