78 research outputs found
Floating Fault analysis of Trivium under Weaker Assumptions
Trivium is a hardware-oriented stream cipher and one of the ciphers finally selected by the eSTREAM project. Michal Hojsik and Bohuslav Rudolf presented an effective attack on Trivium, named floating fault analysis, at INDOCRYPT 2008. Their attack makes use of fault injection and of the injected fault "floating" along the shift registers. In this paper we present an improvement of this attack under the following weaker and more practical assumptions: the fault can be injected into the state at a random time, and the fault bits lie in a random one of the 3 NFSRs, within a random window of 8 neighboring bits. We present a checking method by which either the injection time and the fault positions, or the state differential at a known time, can be determined; either determination suffices for the floating attack. After the determination, the attacker obtains on average 67.167 additional linear equations from the 82 original quadratic equations, and 66 additional quadratic equations from the 66 original cubic equations.
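The fault models named in this entry (a single bit flipped in one of the three registers, which then floats along the register) and in the hard-fault entry that follows (a bit permanently stuck at a value) can be simulated directly. The block below is an added example, not code from either paper: a Trivium implementation from the eSTREAM specification plus a transient and a stuck-at fault, with a check that the delay between injecting a transient fault and its first appearance in the keystream is fixed by the fault position, and that a stuck-at bit in register A briefly makes the keystream differential leak the healthy device's s66 tap bit by bit. The MSB-first loading of key and IV bytes and the stuck-at "leak window" observation are this example's assumptions, not claims from the abstracts.

```python
"""Trivium keystream generation under single-bit fault injection.

Added example, not code from the Trivium fault-analysis papers. Trivium is
built from the eSTREAM specification; two fault models are added:
  * a transient (soft) fault flips one state bit once. Below their first
    output tap the three registers are plain shift registers, so the bit
    floats up one position per clock and first reaches the keystream after
    a delay fixed by its position;
  * a permanent (hard) stuck-at fault re-asserts a constant on one bit after
    every clock. For a stuck bit at position p < 66 of register A, tap s66
    of the faulty device reads that constant from clock 66-p until the fault
    reaches s93 at clock 93-p; over that window the keystream differential
    equals s66 of the healthy device XOR the constant.
Key and IV bytes are loaded MSB-first (this example's assumption).
"""

REGS = {"A": (1, 93), "B": (94, 177), "C": (178, 288)}           # 1-based, as in the spec
OUTPUT_TAPS = {"A": (66, 93), "B": (162, 177), "C": (243, 288)}  # linear taps into z


def _bits(data: bytes, nbits: int) -> list[int]:
    return [(data[i // 8] >> (7 - i % 8)) & 1 for i in range(nbits)]


class Trivium:
    def __init__(self, key: bytes, iv: bytes):
        if len(key) != 10 or len(iv) != 10:
            raise ValueError("Trivium takes an 80-bit key and an 80-bit IV")
        s = [0] * 289                        # s[0] unused so s[i] is s_i of the spec
        s[1:81] = _bits(key, 80)
        s[94:174] = _bits(iv, 80)
        s[286] = s[287] = s[288] = 1
        self.s = s
        self.stuck: dict[int, int] = {}      # position -> forced value (hard faults)
        for _ in range(4 * 288):             # initialisation: 1152 silent clocks
            self.clock()

    def clock(self) -> int:
        s = self.s
        t1 = s[66] ^ s[93]
        t2 = s[162] ^ s[177]
        t3 = s[243] ^ s[288]
        z = t1 ^ t2 ^ t3
        t1 ^= (s[91] & s[92]) ^ s[171]
        t2 ^= (s[175] & s[176]) ^ s[264]
        t3 ^= (s[286] & s[287]) ^ s[69]
        s[2:94], s[1] = s[1:93], t3          # shift register A, feed in t3
        s[95:178], s[94] = s[94:177], t1     # shift register B, feed in t1
        s[179:289], s[178] = s[178:288], t2  # shift register C, feed in t2
        for pos, val in self.stuck.items():  # hard faults re-assert themselves
            s[pos] = val
        return z

    def flip(self, pos: int) -> None:
        """Transient fault: invert one state bit once."""
        self.s[pos] ^= 1

    def stick(self, pos: int, value: int) -> None:
        """Hard fault: the bit at pos reads `value` from now on."""
        self.s[pos] = value
        self.stuck[pos] = value

    def keystream(self, n: int) -> list[int]:
        return [self.clock() for _ in range(n)]


def predicted_first_difference(pos: int) -> int:
    """Clocks until a bit flipped at `pos` first enters z: the bit floats up one
    position per clock and the nearest linear output tap at or above it wins."""
    for reg, (lo, hi) in REGS.items():
        if lo <= pos <= hi:
            return min(t for t in OUTPUT_TAPS[reg] if t >= pos) - pos
    raise ValueError("position must be in 1..288")


def first_difference(key: bytes, iv: bytes, warmup: int, pos: int, n: int = 128):
    """Run a healthy and a faulted copy in lockstep; flip bit `pos` after
    `warmup` keystream bits and return the index of the first differing bit."""
    good, bad = Trivium(key, iv), Trivium(key, iv)
    good.keystream(warmup)
    bad.keystream(warmup)
    bad.flip(pos)
    diff = [a ^ b for a, b in zip(good.keystream(n), bad.keystream(n))]
    return next((k for k, d in enumerate(diff) if d), None)


def hard_fault_leak(key: bytes, iv: bytes, warmup: int, pos: int, value: int):
    """Stuck-at fault in register A (1 <= pos < 66). Returns the healthy
    device's s66 bits as recovered from the keystream pair over clocks
    66-pos .. 93-pos-1, together with the true values for comparison."""
    if not 1 <= pos < 66 or value not in (0, 1):
        raise ValueError("pos must be 1..65 (register A) and value 0 or 1")
    good, bad = Trivium(key, iv), Trivium(key, iv)
    good.keystream(warmup)
    bad.keystream(warmup)
    bad.stick(pos, value)
    recovered, truth = [], []
    for k in range(93 - pos):
        s66 = good.s[66]                     # tap value the healthy device uses now
        z, zf = good.clock(), bad.clock()
        if k >= 66 - pos:
            recovered.append(z ^ zf ^ value)
            truth.append(s66)
    return recovered, truth
```

`first_difference` and `predicted_first_difference` show why the attack can locate a transient fault: the first differing keystream bit appears exactly (tap minus position) clocks after injection, because no tap sits below the first output tap of each register. With the injection time unknown, the same delay is ambiguous between the three registers (A position 66-d, B position 162-d, C position 243-d give the same d), which is what the paper's checking method resolves from the later shape of the differential. `hard_fault_leak` is the stuck-at counterpart: while the stuck value sits under s66 and has not yet reached s93, each keystream difference bit is a healthy state bit XOR a known constant.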
Hard Fault Analysis of Trivium
Fault analysis is a powerful attack on stream ciphers. Up to now, the main idea of fault analysis has been to simplify the cipher by injecting soft (transient) faults; we call this soft fault analysis. As a hardware-oriented stream cipher, Trivium is weak under soft fault analysis. In this paper we consider another type of fault analysis of stream ciphers, which simplifies the cipher by injecting hard (permanent) faults; we call this hard fault analysis. We present the following results for such an attack on Trivium. In Case 1, with probability at least 0.2396, the attacker can obtain 69 bits of the 80-bit key. In Case 2, with probability at least 0.2291, the attacker can obtain the whole 80-bit key. In Case 3, with probability at least 0.2291, the attacker can partially solve for the key. In Case 4, with non-negligible probability, the attacker obtains a simplified cipher with fewer state bits and a slower non-linearization procedure. In Case 5, with non-negligible probability, the attacker obtains another simplified cipher. Moreover, which of these 5 cases applies can be checked by observing the keystream.
A Differential Fault Attack on Plantlet
Lightweight stream ciphers have received serious attention in the last few years. The present design paradigm considers a very small state (less than twice the key size) and the use of the secret key bits during pseudo-random stream generation. One such effort, Sprout, was proposed two years ago and was broken almost immediately. After carefully studying these attacks, a modified version named Plantlet has very recently been designed. While the designers of Plantlet do not provide any analysis of fault attacks, we note that Plantlet is even weaker than Sprout in terms of Differential Fault Attack (DFA). Our investigation, following ideas similar to those in the analysis of Sprout, shows that only around 4 faults are needed to break Plantlet by DFA in a few hours. While a fault attack is indeed difficult to implement and our result does not reveal any weakness of the cipher in normal mode, we believe that these initial results will be useful for further understanding of Plantlet.
Book Reviews
The Rise and Fall of English: Reconstructing English as a Discipline (Robert Scholes) (Reviewed by Jerry Herron, Wayne State University) Common Ground: Eighteenth-Century Satiric Fiction and the Poor (Judith Frank) (Reviewed by Gary Harrison, University of New Mexico) Strange Fits of Passion: Epistemologies of Emotion, Hume to Austen (Adela Pinch) (Reviewed by Andrew M. Stauffer, California State University, Los Angeles) Consuming Subjects: Women, Shopping, and Business in the Eighteenth Century (Elizabeth Kowaleski-Wallace) (Reviewed by Charlotte Sussman, University of Colorado) Romanticism, Race, and Imperial Culture, 1780-1834 (Ed. Alan Richardson and Sonia Hofkosh) (Reviewed by Leon Litvack, The Queen's University of Belfast) The Politics of Motherhood: British Writing and Culture, 1680-1760 (Toni Bowers) (Reviewed by Barbara Dickson, Wayne State University) Andy Warhol, Poetry, and Gossip in the 1960s (Reva Wolf) (Reviewed by Libbie Rifkin, University of Alabama)
Cryptanalysis of Symmetric Cryptographic Primitives
Symmetric key cryptographic primitives are the essential building blocks in modern information security systems. The overall security of such systems is crucially dependent on these mathematical functions, which makes the analysis of symmetric key primitives a goal of critical importance. The security argument for the majority of such primitives in use is only a heuristic one and therefore their respective security evaluation continually remains an open question.
In this thesis, we provide cryptanalytic results for several relevant cryptographic hash functions and stream ciphers. First, we provide results concerning two hash functions: HAS-160 and SM3. In particular, we develop a new heuristic for finding compatible differential paths and apply it to the Korean hash function standard HAS-160. Our heuristic leads to a practical second-order collision attack over all of the HAS-160 function steps, which is the first practical-complexity distinguisher on this function. An example of a colliding quartet is provided. In the case of SM3, a design that builds upon the SHA-2 hash and is published by the Chinese Commercial Cryptography Administration Office for use in the electronic authentication service system, we study second-order collision attacks over reduced-round versions and point out a structural slide-rotational property of the function.
Next, we examine the security of the following three stream ciphers: Loiss, SNOW 3G and SNOW 2.0. The Loiss stream cipher was designed by Dengguo Feng et al. to be implemented on byte-oriented processors. By exploiting differential properties of a particular component of the cipher, we provide an attack of practical complexity on Loiss in the related-key model. As confirmed by our experimental results, our attack recovers 92 bits of the 128-bit key in less than one hour on a PC with a 3 GHz Intel Pentium 4 processor. The SNOW 3G stream cipher is used in the 3rd Generation Partnership Project (3GPP), and the SNOW 2.0 cipher is an ISO/IEC standard (IS 18033-4). For both ciphers, we show that the initialization procedure admits a sliding property, resulting in several sets of related-key pairs. In addition to allowing related-key key-recovery attacks against SNOW 2.0 with 256-bit keys, the presented properties reveal non-random behavior of the primitives, yield related-key distinguishers for the two ciphers, and question the validity of security proofs of protocols that assume these ciphers behave like perfect random functions of the key and IV.
Finally, we provide differential fault analysis attacks against two stream ciphers, HC-128 and Rabbit. In this type of attack, the attacker is assumed to have physical influence over the device that performs the encryption and to be able to introduce random faults into the computation. For HC-128, the fault model is one in which the attacker can fault a random word of the inner state of the cipher but controls neither its exact location nor its new faulted value. Our attack requires about 7968 faults and recovers the complete internal state of HC-128 by solving a set of 32 systems of linear equations over Z2 in 1024 variables. For Rabbit, the fault model is one in which a random bit of the internal state is faulted, again without control over the location of the injected fault. Our attack requires around 128 to 256 faults and a precomputed table of size 2^41.6 bytes, and recovers the complete internal state of Rabbit in about 2^38 steps.
Analysis and Design of Symmetric Cryptographic Algorithms
This doctoral thesis is dedicated to the analysis and the design of symmetric cryptographic algorithms.
In the first part of the dissertation, we deal with fault-based attacks on cryptographic circuits, which belong to the field of active implementation attacks and aim to retrieve secret keys stored on such chips. Our main focus lies on the cryptanalytic aspects of those attacks. In particular, we target block ciphers with a lightweight and (often) non-bijective key schedule in which the derived subkeys are (almost) independent of each other. An attacker who is able to reconstruct one of the subkeys is thus not necessarily able to retrieve the other subkeys, or the secret master key, by simply reversing the key schedule. We introduce a framework based on differential fault analysis that allows attacking block ciphers with an arbitrary number of independent subkeys that rely on a substitution-permutation network. These methods are then applied to the lightweight block ciphers LED and PRINCE, and we show in both cases how to recover the secret master key with only a small number of fault injections. Moreover, we investigate approaches that use algebraic instead of differential techniques for the fault analysis and discuss their advantages and drawbacks. At the end of the first part of the dissertation, we explore fault-based attacks on the block cipher Bel-T, which also has a lightweight key schedule but is based on the so-called Lai-Massey scheme rather than on a substitution-permutation network. The framework mentioned above is thus not applicable to Bel-T. Nevertheless, we also present techniques for Bel-T that enable full recovery of the secret key in a very efficient way using differential fault analysis.
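The round-peeling idea behind attacking ciphers with independent subkeys (recover the last subkey by differential fault analysis, strip that round off, repeat on the round below) can be demonstrated on a small cipher. The following is an added example, not code from the thesis and not LED, PRINCE or their published attacks: a constructed 16-bit substitution-permutation network with PRESENT's 4-bit S-box, a PRESENT-style bit permutation, R = 4 rounds and R+1 independent random subkeys, attacked with single-bit faults at the S-box input of a chosen round. The names `encrypt`, `peel`, `recover_subkey`, `recover_all` and the fault model are this example's own choices.

```python
"""Differential fault analysis against an SPN with independent subkeys.

Added example, not code from the thesis nor LED or PRINCE: a constructed
16-bit, 4-nibble substitution-permutation network with R rounds and R+1
independent random subkeys (no key schedule), so knowing one subkey says
nothing about the others. The attacker flips one bit at the S-box input
of a chosen round, filters each nibble of that round's subkey against the
observed output difference, peels the recovered round off and repeats one
round lower. The S-box is PRESENT's; the cipher and its bit permutation
are this example's own construction.
"""
import random

R = 4                                              # rounds; subkeys K0..KR
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX = [SBOX.index(v) for v in range(16)]
PERM = [(4 * i) % 15 for i in range(15)] + [15]    # bit i moves to PERM[i]
INV_PERM = [PERM.index(j) for j in range(16)]
SINGLE_BIT = {1, 2, 4, 8}


def sub(x, box=SBOX):
    return sum(box[(x >> (4 * j)) & 0xF] << (4 * j) for j in range(4))


def perm(x, table=PERM):
    return sum(((x >> i) & 1) << table[i] for i in range(16))


def encrypt(pt, keys, fault=None):
    """fault=(round, bit): flip one bit at the S-box input of that round."""
    x = pt ^ keys[0]
    for r in range(1, R + 1):
        if fault and fault[0] == r:
            x ^= 1 << fault[1]
        x = sub(x)
        if r < R:                                  # no permutation in the last round
            x = perm(x)
        x ^= keys[r]
    return x


def peel(ct, r, known):
    """Undo rounds R..r with the subkeys in `known`; returns the S-box input of round r."""
    x = ct
    for rr in range(R, r - 1, -1):
        x ^= known[rr]
        if rr < R:
            x = perm(x, INV_PERM)
        x = sub(x, INV_SBOX)
    return x


def decrypt(ct, keys):
    return peel(ct, 1, keys) ^ keys[0]


def recover_subkey(oracle, r, known, rng, max_faults=4000):
    """Recover K_r. After peeling the rounds above, the attacker sees S(x) ^ k
    with k = K_R for the last round and P^{-1}(K_r) otherwise. A flipped
    input bit gives (a, b) = (S(x) ^ k, S(x ^ e) ^ k); a key nibble survives
    only if S^{-1}(a ^ k) ^ S^{-1}(b ^ k) is again a single-bit difference."""
    cands = [set(range(16)) for _ in range(4)]
    for _ in range(max_faults):
        if all(len(c) == 1 for c in cands):
            k = sum(next(iter(c)) << (4 * j) for j, c in enumerate(cands))
            return k if r == R else perm(k)
        pt, bit = rng.getrandbits(16), rng.randrange(16)
        a = peel(oracle(pt, None), r + 1, known)
        b = peel(oracle(pt, (r, bit)), r + 1, known)
        if r < R:
            a, b = perm(a, INV_PERM), perm(b, INV_PERM)
        j = ((a ^ b).bit_length() - 1) // 4        # the single nibble that differs
        aj, bj = (a >> (4 * j)) & 0xF, (b >> (4 * j)) & 0xF
        cands[j] &= {kk for kk in range(16)
                     if INV_SBOX[aj ^ kk] ^ INV_SBOX[bj ^ kk] in SINGLE_BIT}
    raise RuntimeError("candidate sets did not converge")


def recover_all(oracle, seed=0):
    """Peel from the last round down, then derive the whitening key K0."""
    rng, known = random.Random(seed), {}
    for r in range(R, 0, -1):
        known[r] = recover_subkey(oracle, r, known, rng)
    pt = rng.getrandbits(16)
    known[0] = peel(oracle(pt, None), 1, known) ^ pt
    return [known[r] for r in range(R + 1)]
```

The point of the example is the loop in `recover_all`: with a real key schedule one subkey would give the master key, but here each round has to be attacked in turn, and every later round is attacked through the rounds already recovered (`peel`), which is exactly why the fault has to be placed at that round's S-box input rather than always at the last round. The attacker never needs to know which bit was flipped; the nibble is read off the difference, and the single-bit assumption is only used as the filter on candidate key nibbles.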
In the second part of the thesis, we focus on authenticated encryption schemes. While regular ciphers only protect the confidentiality of the processed data, authenticated encryption schemes also secure its authenticity and integrity. Many of these schemes are additionally able to protect the authenticity and integrity of so-called associated data, which is transmitted unencrypted but must nevertheless be protected from tampering in transit. Authenticated encryption is nowadays the standard technique for protecting data in transit. However, most of the currently deployed schemes have shortcomings and leave many points of leverage for improvement. With NORX we introduce a novel authenticated encryption scheme supporting associated data. This algorithm was designed with high security, efficiency in both hardware and software, simplicity, and robustness against side-channel attacks in mind. Next to its specification, we present special features, security goals, implementation details and extensive performance measurements, and discuss advantages over currently deployed standards. Finally, we describe our preliminary security analysis, in which we investigate differential and rotational properties of NORX. Particularly noteworthy are the newly developed techniques for differential cryptanalysis of NORX, which exploit the power of SAT and SMT solvers and have the potential to be easily adaptable to other
encryption schemes as well.
The Goldstone solar system radar: A science instrument for planetary research
The Goldstone Solar System Radar (GSSR) station at NASA's Deep Space Communications Complex in California's Mojave Desert is described. A short chronological account of the GSSR's technical development and scientific discoveries is given. This is followed by a basic discussion of how information is derived from the radar echo and how the raw information can be used to increase understanding of the solar system. A moderately detailed description of the radar system is given, and the engineering performance of the radar is discussed. The operating characteristics of the Arecibo Observatory in Puerto Rico are briefly described and compared with those of the GSSR. Planned and in-process improvements to the existing radar, as well as the performance of a hypothetical 128-m diameter antenna radar station, are described. A comprehensive bibliography of refereed scientific and engineering articles presenting results that depended on data gathered by the instrument is provided.
CriptografĂa ligera en dispositivos de identificaciĂłn por radiofrecuencia- RFID
This thesis examines the security issues of Radio Frequency Identification
(RFID) technology, one of the most promising technologies in the field of
ubiquitous computing. Indeed, RFID technology may well replace barcode
technology. Although it offers many advantages over other identification
systems, there are also associated security risks that are not easy to address.
RFID systems can be classified according to tag price, with distinction
between high-cost and low-cost tags. Our research work focuses mainly
on low-cost RFID tags. An initial study and analysis of the state of the
art identifies the need for lightweight cryptographic solutions suitable for
these very constrained devices. From a purely theoretical point of view,
standard cryptographic solutions may be a correct approach. However,
standard cryptographic primitives (hash functions, message authentication
codes, block/stream ciphers, etc.) are quite demanding in terms of circuit
size, power consumption and memory size, so they make costly solutions
for low-cost RFID tags. Lightweight cryptography is therefore a pressing
need.
First, we analyze the security of the EPC Class-1 Generation-2 standard,
which is considered the universal standard for low-cost RFID tags.
Secondly, we cryptanalyze two new proposals, showing their unsuccessful
attempt to increase the security level of the specification without much further
hardware demands. Thirdly, we propose a new protocol resistant to
passive attacks and conforming to low-cost RFID tag requirements. In this
protocol, costly computations are only performed by the reader, and security
related computations in the tag are restricted to very simple operations.
The protocol is inspired by the family of Ultralightweight Mutual Authentication
Protocols (UMAP: M2AP, EMAP, LMAP) and the recently proposed
SASI protocol. The thesis also includes the first published cryptanalysis of
SASI under the weakest attacker model, that is, a passive attacker. Fourthly,
we propose a new protocol resistant to both passive and active attacks and
suitable for moderate-cost RFID tags. We adapt Shieh et al.'s protocol for
smart cards, taking into account the unique features of RFID systems. Finally,
because this protocol is based on the use of cryptographic primitives
and standard cryptographic primitives are not supported, we address the
design of lightweight cryptographic primitives. Specifically, we propose
a lightweight hash function (Tav-128) and a lightweight Pseudo-Random
Number Generator (LAMED and LAMED-EPC).We analyze their security
level and performance, as well as their hardware requirements and show that both could be realistically implemented, even in low-cost RFID tags
Security of Ubiquitous Computing Systems
The chapters in this open access book arise out of the EU COST Action project Cryptacus, whose objective was to improve and adapt existing cryptanalysis methodologies and tools to the ubiquitous computing setting. The cryptanalysis carried out lies along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. The authors are leading researchers in security and cryptography, and the contributions are of value to researchers and practitioners in these domains. This book is open access under a CC BY license.