35 research outputs found

    Some Words on Cryptanalysis of Stream Ciphers

    Get PDF
    In the world of cryptography, stream ciphers are known as primitives used to ensure privacy over a communication channel. One common way to build a stream cipher is to use a keystream generator to produce a pseudo-random sequence of symbols. In such algorithms, the ciphertext is the sum of the keystream and the plaintext, resembling the one-time pad principal. Although the idea behind stream ciphers is simple, serious investigation of these primitives has started only in the late 20th century. Therefore, cryptanalysis and design of stream ciphers are important. In recent years, many designs of stream ciphers have been proposed in an effort to find a proper candidate to be chosen as a world standard for data encryption. That potential candidate should be proven good by time and by the results of cryptanalysis. Different methods of analysis, in fact, explain how a stream cipher should be constructed. Thus, techniques for cryptanalysis are also important. This thesis starts with an overview of cryptography in general, and introduces the reader to modern cryptography. Later, we focus on basic principles of design and analysis of stream ciphers. Since statistical methods are the most important cryptanalysis techniques, they will be described in detail. The practice of statistical methods reveals several bottlenecks when implementing various analysis algorithms. For example, a common property of a cipher to produce n-bit words instead of just bits makes it more natural to perform a multidimensional analysis of such a design. However, in practice, one often has to truncate the words simply because the tools needed for analysis are missing. We propose a set of algorithms and data structures for multidimensional cryptanalysis when distributions over a large probability space have to be constructed. This thesis also includes results of cryptanalysis for various cryptographic primitives, such as A5/1, Grain, SNOW 2.0, Scream, Dragon, VMPC, RC4, and RC4A. Most of these results were achieved with the help of intensive use of the proposed tools for cryptanalysis

    Smashing WEP in A Passive Attack

    Get PDF
    In this paper, we report extremely fast and optimised active and passive attacks against the old IEEE 802.11 wireless communication protocol WEP. This was achieved through a huge amount of theoretical and experimental analysis (capturing WiFi packets), refinement and optimisation of all the former known attacks and methodologies against RC4 stream cipher in WEP mode. We support all our claims by providing an implementation of this attack as a publicly available patch on Aircrack-ng. Our new attacks improve its success probability drastically. We adapt our theoretical analysis in Eurocrypt 2011 to real-world scenarios and we perform a slight adjustment to match the empirical observations. Our active attack, based on ARP injection, requires 22 500 packets to gain success probability of 50% against a 104-bit WEP key, using Aircrack-ng in non-interactive mode. It runs in less than 5 seconds on an off-the-shelf PC. Using the same number of packets, Aicrack-ng yields around 3% success rate. Furthermore, we describe very fast passive only attacks by just eavesdropping TCP/IPv4 packets in a WiFi communication. Our passive attack requires 27 500 packets. This is much less than the number of packets Aircrack-ng requires in active mode (around 37 500), which is a huge improvement.We believe that our analysis brings on further insight to the security of RC4

    Tornado Attack on RC4 with Applications to WEP & WPA

    Get PDF
    In this paper, we construct several tools for building and manipulating pools of biases in the analysis of RC4. We report extremely fast and optimized active and passive attacks against IEEE 802.11 wireless communication protocol WEP and a key recovery and a distinguishing attack against WPA. This was achieved through a huge amount of theoretical and experimental analysis (capturing WiFi packets), refinement and optimization of all the former known attacks and methodologies against RC4 stream cipher in WEP and WPA modes. We support all our claims on WEP by providing an implementation of this attack as a publicly available patch on Aircrack-ng. Our new attack improves its success probability drastically. Our active attack, based on ARP injection, requires 22500 packets to gain success probability of 50\% against a 104-bit WEP key, using Aircrack-ng in non-interactive mode. It runs in less than 5 seconds on an off-the-shelf PC. Using the same number of packets, Aicrack-ng yields around 3\% success rate. Furthermore, we describe very fast passive only attacks by just eavesdropping TCP/IPv4 packets in a WiFi communication. Our passive attack requires 27500 packets. This is much less than the number of packets Aircrack-ng requires in active mode (around 37500), which is a huge improvement. Deploying a similar theory, we also describe several attacks on WPA. Firstly, we describe a distinguisher for WPA with complexity 2^{42} and advantage 0.5 which uses 2^{42} packets. Then, based on several partial temporary key recovery attacks, we recover the full 128-bit temporary key of WPA by using 2^{42} packets. It works with complexity 2^{96}. So far, this is the best key recovery attack against WPA. We believe that our analysis brings on further insight to the security of RC4

    Settling the mystery of Zr=rZ_r=r in RC4

    Get PDF
    In this paper, using probability transition matrix, at first we revisit the work of Mantin on finding the probability distribution of RC4 permutation after the completion of KSA. After that, we extend the same idea to analyse the probabilities during any iteration of Pseudo Random Generation Algorithm. Next, we study the bias Zr=rZ_r=r (where ZrZ_r is the rr-th output keystream bit), which is one of the significant biases observed in RC4 output keystream. This bias has played an important role in the plaintext recovery attack proposed by Isobe et al. in FSE 2013. However, the accurate theoretical explanation of the bias of Zr=rZ_r=r is still a mystery. Though several attempts have been made to prove this bias, none of those provides accurate justification. Here, using the results found with the help of probability transition matrix we justify this bias of Zr=rZ_r=r accurately and settle this issue. The bias obtained from our proof matches perfectly with the experimental observations

    Stream ciphers for secure display

    Get PDF
    In any situation where private, proprietary or highly confidential material is being dealt with, the need to consider aspects of data security has grown ever more important. It is usual to secure such data from its source, over networks and on to the intended recipient. However, data security considerations typically stop at the recipient's processor, leaving connections to a display transmitting raw data which is increasingly in a digital format and of value to an adversary. With a progression to wireless display technologies the prominence of this vulnerability is set to rise, making the implementation of 'secure display' increasingly desirable. Secure display takes aspects of data security right to the display panel itself, potentially minimising the cost, component count and thickness of the final product. Recent developments in display technologies should help make this integration possible. However, the processing of large quantities of time-sensitive data presents a significant challenge in such resource constrained environments. Efficient high- throughput decryption is a crucial aspect of the implementation of secure display and one for which the widely used and well understood block cipher may not be best suited. Stream ciphers present a promising alternative and a number of strong candidate algorithms potentially offer the hardware speed and efficiency required. In the past, similar stream ciphers have suffered from algorithmic vulnerabilities. Although these new-generation designs have done much to respond to this concern, the relatively short 80-bit key lengths of some proposed hardware candidates, when combined with ever-advancing computational power, leads to the thesis identifying exhaustive search of key space as a potential attack vector. To determine the value of protection afforded by such short key lengths a unique hardware key search engine for stream ciphers is developed that makes use of an appropriate data element to improve search efficiency. The simulations from this system indicate that the proposed key lengths may be insufficient for applications where data is of long-term or high value. It is suggested that for the concept of secure display to be accepted, a longer key length should be used

    D.STVL.9 - Ongoing Research Areas in Symmetric Cryptography

    Get PDF
    This report gives a brief summary of some of the research trends in symmetric cryptography at the time of writing (2008). The following aspects of symmetric cryptography are investigated in this report: • the status of work with regards to different types of symmetric algorithms, including block ciphers, stream ciphers, hash functions and MAC algorithms (Section 1); • the algebraic attacks on symmetric primitives (Section 2); • the design criteria for symmetric ciphers (Section 3); • the provable properties of symmetric primitives (Section 4); • the major industrial needs in the area of symmetric cryptography (Section 5)

    Cryptanalysis of the Counter mode of operation

    Get PDF
    International audienceThe counter mode of operation (CTR mode) is nowadays one of the most widely deployed modes of operation due to its simplicity, elegant design and performance. Therefore understanding more about the security of the CTR mode helps us understand the security of many applications used over the modern internet. On the security of the CTR mode, there is a well-known proof of indistinguishability from random outputs up to the birthday bound that is O(2 n/2) encrypted n-bit blocks. This acts as a proof that no attack that can retrieve useful information about the plaintext exists with a lower complexity. In other words, any attack that breaks the confidentiality of the plaintext will require Ω(2 n/2) blocks of ciphertext. Research problem While we have a lower bound on the complexity of a potential attack, it is not well understood how such attack would work and what would be its complexity not only in terms of data but also computationally (time and memory complexities). Most often the CTR mode is combined with the AES block cipher which acts on 128-bits blocks. In that setting, the birthday bound may appear sufficient to guarantee security in most if not all of today's internet applications as 2 128/2 × 128 bits = 256 exbibytes, a comfortable margin. However if used alongside a 64-bits block cipher, like 3DES, the birthday bound stands at 2 64/2 × 64 bits = 32 gibibytes, an amount of data quickly exchanged in today's internet. Moreover, the proof of indistinguishability says nothing at how quickly information on the plaintext is leaked when nearing the birthday bound. The goal of this internship is to devise efficient message recovery attacks under realistic assumptions and study their complexity to gain a better understanding of the security of the CTR mode. Contribution We give a concrete definition of the algorithmic problem naturally posed by the counter mode of operation, the missing difference problem, upon the resolution of which we can recover part of the unknown plaintext. Then we propose two algorithms to recover a block or more of secret plaintext in different settings motivated by real-life attacker models and compare the results with the work done by McGrew [McG12] on that same topic. We improve McGrew's results in two cases : the case where we know half of the secret plaintext, then we achieve time complexity of˜Oof˜ of˜O(2 n/2) compared tõ O(2 3n/4) for McGrew's searching algorithm and the case where we have no prior information on the secret where we achieve˜Oachieve˜ achieve˜O(2 2n/3) in time and query compared to the previous˜Oprevious˜ previous˜O(2 n/2) queries and˜Oand˜ and˜O(2 n) time. This improvement allows better attack on the mode for a realistic attacker model than what had been described so far in the literature. In fact, we found out that the CTR mode does not offer much more security guarantees than the CBC mode as real attacks are of similar complexities. We described these attacks on the CTR mode and could even extend those to some message authentication code (MAC) schemes GMAC and Poly1305 based on the Wegman-Carter style construction. Arguments supporting its validity Not only do we provide some proofs for the asymptotic complexity but also implementations of these algorithms show that they are practical for blocks sizes n 64 bits and so are the associated attacks. These attacks rely on the repeated encryption of a secret under the same key so frequent rekeying will prevent those attacks from happening and thus we encourage any implementation of the CTR mode to force rekeying well before the birthday bound. Summary and future work We formalized an algorithmic problem that is naturally encountered in some cryptographic schemes, we called it the missing difference problem, and developed tools to solve it efficiently. These tools then help the cryptanalysis of different modes of operation and thus help understanding the security of popular real-world protocols. Now we hope to publish these results and make users aware that using CTR is not much more secure than CBC (though CTR still offers other advantages). Especially when coupled with 64-bits block ciphers, it may not offer enough guarantee for most modern uses as 64-bits CBC mode was shown to be insecure in a recent work by Bhargavan and Leurent [BL16]

    On the Design and Analysis of Stream Ciphers

    Get PDF
    This thesis presents new cryptanalysis results for several different stream cipher constructions. In addition, it also presents two new stream ciphers, both based on the same design principle. The first attack is a general attack targeting a nonlinear combiner. A new class of weak feedback polynomials for linear feedback shift registers is identified. By taking samples corresponding to the linear recurrence relation, it is shown that if the feedback polynomial has taps close together an adversary to take advantage of this by considering the samples in a vector form. Next, the self-shrinking generator and the bit-search generator are analyzed. Both designs are based on irregular decimation. For the self-shrinking generator, it is shown how to recover the internal state knowing only a few keystream bits. The complexity of the attack is similar to the previously best known but uses a negligible amount of memory. An attack requiring a large keystream segment is also presented. It is shown to be asymptotically better than all previously known attacks. For the bit-search generator, an algorithm that recovers the internal state is given as well as a distinguishing attack that can be very efficient if the feedback polynomial is not carefully chosen. Following this, two recently proposed stream cipher designs, Pomaranch and Achterbahn, are analyzed. Both stream ciphers are designed with small hardware complexity in mind. For Pomaranch Version 2, based on an improvement of previous analysis of the design idea, a key recovery attack is given. Also, for all three versions of Pomaranch, a distinguishing attack is given. For Achterbahn, it is shown how to recover the key of the latest version, known as Achterbahn-128/80. The last part of the thesis introduces two new stream cipher designs, namely Grain and Grain-128. The ciphers are designed to be very small in hardware. They also have the distinguishing feature of allowing users to increase the speed of the ciphers by adding extra hardware
    corecore