Predicting Outcomes of ElimLin Attack on Lightweight Block Cipher Simon

There are two major families in cryptanalytic attacks on symmetric ciphers: statistical attacks and algebraic attacks. In this position paper we argue that algebraic cryptanalysis has not yet been developed properly due to the weakness of the theory which has substantial difficulty to prove most basic results on the number of linearly independent equations in algebraic attacks. Consequently most authors present a restricted range of attacks which are shown experimentally to work with their computer but refrain from claiming results which would work on a larger computer but have not yet been tested. For example in recent 2015 work of Raddum we discover that (experimentally) ElimLin attack breaks up to 16 rounds of Simon block cipher however it is hard to know what happens for 17 rounds. In this paper we argue that one CAN predict and model the behavior of such attacks and evaluate complexity of the attacks which we cannot yet execute. To the best of our knowledge this has never been done before

Smashing WEP in A Passive Attack

In this paper, we report extremely fast and optimised active and passive attacks against the old IEEE 802.11 wireless communication protocol WEP. This was achieved through a huge amount of theoretical and experimental analysis (capturing WiFi packets), refinement and optimisation of all the former known attacks and methodologies against RC4 stream cipher in WEP mode. We support all our claims by providing an implementation of this attack as a publicly available patch on Aircrack-ng. Our new attacks improve its success probability drastically. We adapt our theoretical analysis in Eurocrypt 2011 to real-world scenarios and we perform a slight adjustment to match the empirical observations. Our active attack, based on ARP injection, requires 22 500 packets to gain success probability of 50% against a 104-bit WEP key, using Aircrack-ng in non-interactive mode. It runs in less than 5 seconds on an off-the-shelf PC. Using the same number of packets, Aicrack-ng yields around 3% success rate. Furthermore, we describe very fast passive only attacks by just eavesdropping TCP/IPv4 packets in a WiFi communication. Our passive attack requires 27 500 packets. This is much less than the number of packets Aircrack-ng requires in active mode (around 37 500), which is a huge improvement.We believe that our analysis brings on further insight to the security of RC4

Combined Algebraic and Truncated Differential Cryptanalysis on Reduced-round Simon

Recently, two families of ultra-lightweight block ciphers were proposed, SIMON and SPECK, which come in a variety of block and key sizes (Beaulieu et al., 2013). They are designed to offer excellent performance for hardware and software implementations (Beaulieu et al., 2013; Aysu et al., 2014). In this paper, we study the resistance of SIMON-64/128 with respect to algebraic attacks. Its round function has very low Multiplicative Complexity (MC) (Boyar et al., 2000; Boyar and Peralta, 2010) and very low non-linearity (Boyar et al., 2013; Courtois et al., 2011) since the only non-linear component is the bitwise multiplication operation. Such ciphers are expected to be very good candidates to be broken by algebraic attacks and combinations with truncated differentials (additional work by the same authors). We algebraically encode the cipher and then using guess-then-determine techniques, we try to solve the underlying system using either a SAT solver (Bard et al., 2007) or by ElimLin al gorithm (Courtois et al., 2012b). We consider several settings where P-C pairs that satisfy certain properties are available, such as low Hamming distance or follow a strong truncated differential property (Knudsen, 1995). We manage to break faster than brute force up to 10(/44) rounds for most cases we have tried. Surprisingly, no key guessing is required if pairs which satisfy a strong truncated differential property are available. This reflects the power of combining truncated differentials with algebraic attacks in ciphers of low non-linearity and shows that such ciphers require a large number of rounds to be secure

Deformation mechanism and process optimization of mechanical clinching joining technology used for steel and aluminum alloy sheets

Abstract. In this paper we construct several tools for manipulating pools of biases in the analysis of RC4. Then, we show that optimized strategies can break WEP based on 4000 packets by assuming that the first bytes of plaintext are known for each packet. We describe similar attacks for WPA. Firstly, we describe a distinguisher for WPA of complexity 2 43 and advantage 0.5 which uses 2 40 packets. Then, based on several partial temporary key recovery attacks, we recover the full 128-bit temporary key by using 2 38 packets. It works within a complexity of 2 96. So far, this is the best attack against WPA. We believe that our analysis brings further insights on the security of RC4.

Cache Timing Analysis of RC4

Abstract. In this paper we present an attack that recovers the whole internal state of RC4 using a cache timing attack model first introduced in the cache timing attack of Osvik, Shamir and Tromer against some highly efficient AES implementations. In this model, the adversary can obtain some information related to the elements of a secret state used during the encryption process. Zenner formalized this model for LFSRbased stream ciphers. In this theoretical model inspired from practical attacks, we propose a new state recovery analysis on RC4 using a belief propagation algorithm. The algorithm works well and its soundness is proved for known or unknown plaintext and only requires that the attacker queries the RC4 encryption process byte by byte for a practical attack. Depending on the processor, our simulations show that we need between 300 to 1,300 keystream bytes and a computation time of less than a minute

Multipurpose Cryptographic Primitive

Abstract. This paper describes a new design of the multipurpose cryptographic primitive ARMADILLO3 and analyses its security. The AR-MADILLO3 family is oriented on small hardware such as smart cards and RFID chips. The original design ARMADILLO and its variants were analyzed by Sepehrdad et al. at CARDIS’11, the recommended variant ARMADILLO2 was analyzed by Plasencia et al. at FSE’12 and by Abdelraheem et al. at ASIACRYPT’11. The ARMADILLO3 design takes the original approach of combining a substitution and a permutation layer. The new family ARMADILLO3 introduces a reduced-size substitution layer with 3 × 3and4 × 4 S-boxes, which covers the substitution layer from 25 % to 100 % of state bits, depending on the security requirements. We propose an instance ARMADILLO3-A1/4 with a pair of permutations and S-boxes applied on 25 % of state bits at each stage.