12 research outputs found

    New Treatment of the BSW Sampling and Its Applications to Stream Ciphers

    By combining the time-memory-data tradeoff (TMDTO) attack independently proposed by Babbage and Golic (BG) with the BSW sampling technique, this paper explores mounting a new TMDTO attack on stream ciphers. The new attack gives a wider variety of trade-offs compared with the original BG-TMDTO attack. It is efficient when multiple data is allowed for the attacker from the same key with different IVs, even though the internal state size is twice the key size. We apply the new attack to the MICKEY and Grain stream ciphers, and improve the existing TMDTO attacks on them. Our attacks on the Grain v1 and Grain-128 stream ciphers are rather attractive in the respect that the online time, offline time and memory complexities are all better than an exhaustive key search, and the amount of keystream needed is completely valid. Finally, we generalize the new attack to a Guess and Determine-TMDTO attack on stream ciphers, and mount a Guess and Determine-TMDTO attack on the SOSEMANUK stream cipher with the online time and offline time complexities both equal to 2^128, which achieves the best time complexity level compared with all existing attacks on SOSEMANUK so far.

    Dial C for Cipher

    We introduce C, a practical provably secure block cipher with a slow key schedule. C is based on the same structure as AES but uses independent random substitution boxes instead of a fixed one. Its key schedule is based on the Blum-Blum-Shub pseudo-random generator, which allows us to prove that all obtained security results are still valid when taking into account the dependencies between the round keys. C is provably secure against several general classes of attacks. Strong evidence is given that it resists an even wider variety of attacks. We also propose a variant of C with simpler substitution boxes which is suitable for most applications, and for which the security proofs still hold.

    SSE Implementation of Multivariate PKCs on Modern x86 CPUs

    Multivariate Public Key Cryptosystems (MPKCs) are often touted as future-proofing against the advent of the Quantum Computer. They have also been known for efficiency compared to traditional alternatives. However, this advantage seems to be eroding with the increase of arithmetic resources in modern CPUs and improved algorithms, especially with respect to ECC. We show that the same hardware advances do not necessarily just favor ECC. The same modern commodity CPUs also have an overabundance of small integer arithmetic/logic resources, embodied by SSE2 or other vector instruction set extensions, that are also useful for MPKCs. On CPUs supporting Intel's SSSE3 instructions, we achieve a 4× speed-up over prior implementations of Rainbow-type systems (such as the ones implemented in hardware by Bogdanov et al. at CHES 2008) in both public and private map operations. Furthermore, if we want to implement MPKCs for all general purpose 64-bit CPUs from Intel and AMD, we can switch to MPKCs over fields of relatively small odd prime characteristic. For example, by taking advantage of SSE2 instructions, Rainbow over F_31 can be up to 2× faster than prior implementations of same-sized systems over F_16. A key advance is in implementing Wiedemann instead of Gaussian system solvers. We explain the techniques and design choices in implementing our chosen MPKC instances, over representative fields such as F_31, F_16 and F_256. We believe that our results can easily carry over to modern FPGAs, which often contain a large number of multipliers in the form of DSP slices, offering superior computational power to odd-field MPKCs.

    An AEAD Variant of the Grain Stream Cipher

    A new Grain stream cipher, denoted Grain-128AEAD, is presented, with support for authenticated encryption with associated data. The cipher takes a 128-bit key and a 96-bit IV and produces a pseudo-random sequence that is used for encryption and authentication of messages. The design is based on Grain-128a but introduces a few changes in order to increase the security and protect against recent cryptanalysis results. The MAC is 64 bits, as specified by the NIST requirements in their lightweight security standardization process.