4 research outputs found

    A Combinatorial Analysis of HC-128

    Get PDF
    We show that the knowledge of any one of the two internal state arrays of HC-128 along with the knowledge of 2048 keystream words is sufficient to construct the other state array completely in 2422^{42} time complexity. Though our analysis does not lead to any attack on HC-128, it reveals a structural insight into the cipher. In the process, we theoretically establish certain combinatorial properties of HC-128 keystream generation algorithm. We also suggest a modification to HC-128 that takes care of the recently known cryptanalytic results with little reduction in speed

    On Data Complexity of Distinguishing Attacks vs. Message Recovery Attacks on Stream Ciphers

    Get PDF
    We revisit the different approaches used in the literature to estimate the data complexity of distinguishing attacks on stream ciphers and analyze their inter-relationships. In the process, we formally argue which approach is applicable (or not applicable) in what scenario. To our knowledge, this is the first kind of such an exposition. We also perform a rigorous statistical analysis of the message recovery attack that exploits a distinguisher and show that in practice there is a significant gap between the data complexities of a message recovery attack and the underlying distinguishing attack. This gap is not necessarily determined by a constant factor as a function of the false positive and negative rate, as one would expect. Rather this gap is also a function of the number of samples of the distinguishing attack. We perform a case study on RC4 stream cipher to demonstrate that the typical complexities for message recovery attack inferred in the literature are but under-estimates and the actual estimates are quite larger

    Cryptanalysis of Symmetric Cryptographic Primitives

    Get PDF
    Symmetric key cryptographic primitives are the essential building blocks in modern information security systems. The overall security of such systems is crucially dependent on these mathematical functions, which makes the analysis of symmetric key primitives a goal of critical importance. The security argument for the majority of such primitives in use is only a heuristic one and therefore their respective security evaluation continually remains an open question. In this thesis, we provide cryptanalytic results for several relevant cryptographic hash functions and stream ciphers. First, we provide results concerning two hash functions: HAS-160 and SM3. In particular, we develop a new heuristic for finding compatible differential paths and apply it to the the Korean hash function standard HAS-160. Our heuristic leads to a practical second order collision attack over all of the HAS-160 function steps, which is the first practical-complexity distinguisher on this function. An example of a colliding quartet is provided. In case of SM3, which is a design that builds upon the SHA-2 hash and is published by the Chinese Commercial Cryptography Administration Office for the use in the electronic authentication service system, we study second order collision attacks over reduced-round versions and point out a structural slide-rotational property that exists in the function. Next, we examine the security of the following three stream ciphers: Loiss, SNOW 3G and SNOW 2.0. Loiss stream cipher is designed by Dengguo Feng et al. aiming to be implemented in byte-oriented processors. By exploiting some differential properties of a particular component utilized in the cipher, we provide an attack of a practical complexity on Loiss in the related-key model. As confirmed by our experimental results, our attack recovers 92 bits of the 128-bit key in less than one hour on a PC with 3 GHz Intel Pentium 4 processor. SNOW 3G stream cipher is used in 3rd Generation Partnership Project (3GPP) and the SNOW 2.0 cipher is an ISO/IEC standard (IS 18033-4). For both of these two ciphers, we show that the initialization procedure admits a sliding property, resulting in several sets of related-key pairs. In addition to allowing related-key key recovery attacks against SNOW 2.0 with 256-bit keys, the presented properties reveal non-random behavior of the primitives, yield related-key distinguishers for the two ciphers and question the validity of the security proofs of protocols based on the assumption that these ciphers behave like perfect random functions of the key-IV. Finally, we provide differential fault analysis attacks against two stream ciphers, namely, HC-128 and Rabbit. In this type of attacks, the attacker is assumed to have physical influence over the device that performs the encryption and is able to introduce random faults into the computational process. In case of HC-128, the fault model in which we analyze the cipher is the one in which the attacker is able to fault a random word of the inner state of the cipher but cannot control its exact location nor its new faulted value. Our attack requires about 7968 faults and recovers the complete internal state of HC-128 by solving a set of 32 systems of linear equations over Z2 in 1024 variables. In case of Rabbit stream cipher, the fault model in which the cipher is analyzed is the one in which a random bit of the internal state of the cipher is faulted, however, without control over the location of the injected fault. Our attack requires around 128 − 256 faults, precomputed table of size 2^41.6 bytes and recovers the complete internal state of Rabbit in about 2^38 steps

    Some Observations on HC-128

    Get PDF
    Abstract. In this paper, we use linear approximations of the addition modulo 2 n of three n-bit integers to identify linear approximations of g1, g2, the feedback functions of HC-128. This, in turn, shows that the process of keystream output generation of HC-128 can be well approximated by linear functions. In this direction, we show that the “least significant bit ” based distinguisher (presented by the designer himself) of HC-128 works for the complete 32-bit word. In a different note, in the line of Dunkelman’s observation, we also study how HC-128 keystream words leak secret state information of the cipher due to the properties of the functions h1, h2 and present improved results
    corecore