Improved Related-Key Attacks on DESX and DESX+

In this paper, we present improved related-key attacks on the original DESX, and DESX+, a variant of the DESX with its pre- and post-whitening XOR operations replaced with addition modulo $2^{64}$. Compared to previous results, our attack on DESX has reduced text complexity, while our best attack on DESX+ eliminates the memory requirements at the same processing complexity

Wiretapping the Internet

With network security threats and vulnerabilities increasing, solutions based on online detection remain attractive. A complete, durable record of all activity on a network can be used to evaluate and train intrusion detection algorithms, assist in responding to an intrusion in progress, and, if properly constructed, serve as evidence in legal proceedings. This paper describes the Advanced Packet Vault, a technology for creating such a record by collecting and securely storing all packets observed on a network, with a scalable architecture intended to support network speeds in excess of 100 Mbps. Encryption is used to preserve users' security and privacy, permitting selected traffic to be made available without revealing other traffic. The Vault implementation, based on Linux and OpenBSD, is open-source. A Vault attached to a heavily loaded 100 Mbps network must capture, process, and store about a terabyte each day, so we have to be very sensitive to the recurring cost of operation and the reliability issues of 24x7 operation. We must also be sensitive to the admissibility of information collected by the Vault in support of legal proceedings; the legal ramifications of operating a vault, particularly at a public institution; and the public perception of its use.http://deepblue.lib.umich.edu/bitstream/2027.42/107911/1/citi-tr-00-9.pd

Notions and relations for RKA-secure permutation and function families

The theory of designing block ciphers is mature, having seen signi¯cant progress since the early 1990s for over two decades, especially during the AES devel- opment e®ort. Nevertheless, interesting directions exist, in particular in the study of the provable security of block ciphers along similar veins as public-key primitives, i.e. the notion of pseudorandomness (PRP) and indistinguishability (IND). Furthermore, recent cryptanalytic progress has shown that block ciphers well designed against known cryptanalysis techniques including related-key attacks (RKA) may turn out to be less secure against related-key attacks than expected. The notion of provable security of block ciphers against related-key attacks was initiated by Bellare and Kohno, and sub- sequently treated by Lucks. Concrete block cipher constructions were proposed therein with provable security guarantees. In this paper, we are interested in the security no- tions for RKA-secure block ciphers

On hashing with tweakable ciphers

Cryptographic hash functions are often built on block ciphers in order to reduce the security analysis of the hash to that of the cipher, and to minimize the hardware size. Well known hash constructs are used in international standards like MD5 and SHA-1. Recently, researchers proposed new modes of operations for hash functions to protect against generic attacks, and it remains open how to base such functions on block ciphers. An attracting and intuitive choice is to combine previous constructions with tweakable block ciphers. We investigate such constructions, and show the surprising result that combining a provably secure mode of operation with a provably secure tweakable cipher does not guarantee the security of the constructed hash function. In fact, simple attacks can be possible when the interaction between secure components leaves some additional "freedom" to an adversary. Our techniques are derived from the principle of slide attacks, which were introduced for attacking block ciphers

Second Preimages for Iterated Hash Functions Based on a b-Block Bypass

In this article, we present a second preimage attack on a double block-length hash proposal presented at FSE 2006. If the hash function is instantiated with DESX as underlying block cipher, we are able to construct second preimages deterministically. Nevertheless, this second preimage attack does not render the hash scheme insecure. For the hash scheme, we only show that it should not be instantiated with DESX but AES should rather be used. However, we use the instantiation of this hash scheme with DESX to introduce a new property of iterated hash functions, namely a so-called b-block bypass. We will show that if an iterated hash function possesses a b-block bypass, then this implies that second preimages can be constructed. Additionally, the attacker has more degrees of freedom for constructing the second preimage

On Quantum Slide Attacks

At Crypto 2016, Kaplan et al. proposed the first quantum exponential acceleration of a classical symmetric cryptanalysis technique: they showed that, in the superposition query model, Simon’s algorithm could be applied to accelerate the slide attack on the alternate-key cipher. This allows to recover an n-bit key with O(n) quantum time and queries. In this paper we propose many other types of quantum slide attacks, inspired by classical techniques including sliding with a twist, complementation slide and mirror slidex. These slide attacks on Feistel networks reach up to two round self-similarity with modular additions inside branch or key-addition operations. With only XOR operations, they reach up to four round self-similarity, with a cost at most quadratic in the block size. Some of these variants combined with whitening keys (FX construction)can also be successfully attacked. Furthermore, we show that some quantum slide attacks can be composed with other quantum attacks to perform efficient key-recoveries even when the round function is a strong function classically. Finally, we analyze the case of quantum slide attacks exploiting cycle-finding, that were thought to enjoy an exponential speed up in a paper by Bar-On et al. in2015, where these attacks were introduced. We show that the speed-up is smaller than expected and less impressive than the above variants, but nevertheless provide improved complexities on the previous known quantum attacks in the superpositionmodel for some self-similar SPN and Feistel constructions

Survey and Benchmark of Block Ciphers for Wireless Sensor Networks

Cryptographic algorithms play an important role in the security architecture of wireless sensor networks (WSNs). Choosing the most storage- and energy-efficient block cipher is essential, due to the facts that these networks are meant to operate without human intervention for a long period of time with little energy supply, and that available storage is scarce on these sensor nodes. However, to our knowledge, no systematic work has been done in this area so far.We construct an evaluation framework in which we first identify the candidates of block ciphers suitable for WSNs, based on existing literature and authoritative recommendations. For evaluating and assessing these candidates, we not only consider the security properties but also the storage- and energy-efficiency of the candidates. Finally, based on the evaluation results, we select the most suitable ciphers for WSNs, namely Skipjack, MISTY1, and Rijndael, depending on the combination of available memory and required security (energy efficiency being implicit). In terms of operation mode, we recommend Output Feedback Mode for pairwise links but Cipher Block Chaining for group communications

Tight Security Bounds for Triple Encryption

In this paper, we revisit the old problem asking the exact provable security of triple encryption in the ideal cipher model. For a blockcipher with key length k and block size n, triple encryption is known to be secure up to 2^{k+min{k/2,n/2}} queries, while the best attack requires 2^{k+min{k,n/2}} query complexity. So there is a gap between the upper and lower bounds for the security of triple encryption. We close this gap by proving the security up to 2^{k+min{k,n/2}} query complexity. With the DES parameters, triple encryption is secure up to 2^{82.5} queries, greater than the current bound of 2^{78.3} and comparable to 2^{83.5} for 2-XOR-cascade. We also analyze the security of two-key triple encryption, where the first and the third keys are identical. We prove that two-key triple encryption is secure up to 2^{k+min{k,n/2}} queries to the underlying blockcipher and 2^{min{k,n/2}} queries to the outer permutation. For the DES parameters, this result is interpreted as the security of two-key triple encryption up to 2^{32} plaintext-ciphertext pairs and 2^{81.7} blockcipher encryptions