attacks on stream ciphers a perspective
play

Attacks on Stream Ciphers: A Perspective Palash Sarkar Applied - PowerPoint PPT Presentation

Nov 27, 2022 •277 likes •1.76k views

Attacks on Stream Ciphers: A Perspective Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in First Asian Workshop on Symmetric Key Cryptography ASK 2011, 30th August 2011 isilogo Palash

  1. Linear Feedback Shift Register Given (non-zero) initial state ( a 0 , . . . , a n − 1 ) generates a sequence a 0 , a 1 , a 2 , . . . , a i , . . . where a i = c n − 1 a i − 1 ⊕ · · · ⊕ c 1 a i − n + 1 + c 0 a i − n . Characteristic (connection) polynomial: τ ( x ) = x n ⊕ c n − 1 x n − 1 ⊕ · · · ⊕ c 1 x ⊕ c 0 . If τ ( x ) is primitive over GF ( 2 ) , then the period of { a i } is 2 n − 1. Other well-understood “randomness-like” properties. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 15 / 55

  2. Linear Feedback Shift Register Given (non-zero) initial state ( a 0 , . . . , a n − 1 ) generates a sequence a 0 , a 1 , a 2 , . . . , a i , . . . where a i = c n − 1 a i − 1 ⊕ · · · ⊕ c 1 a i − n + 1 + c 0 a i − n . Characteristic (connection) polynomial: τ ( x ) = x n ⊕ c n − 1 x n − 1 ⊕ · · · ⊕ c 1 x ⊕ c 0 . If τ ( x ) is primitive over GF ( 2 ) , then the period of { a i } is 2 n − 1. Other well-understood “randomness-like” properties. Any bit of the sequence is a linear combination of the first n bits. Given any n bits of the sequence, it is easy to get the initial state. Unsuitable for direct use in cryptography. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 15 / 55

  3. Nonlinear Combiner Model (1) X i LFSR 1 m i (2) X i LFSR k c 2 i i f � � � � � � � � � � � � (n) X i LFSR n m i = length of LFSR i isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 16 / 55

  4. Correlation Attacks. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 17 / 55

  5. Correlation Attack Suppose � � = p � = 1 X ( i ) = k i 2 . Pr 1 Divide-and-conquer attack. Collect ℓ bits of the keystream. From each possible 2 m 1 − 1 non-zero initial states of LFSR 1 , generate ℓ bits of the LFSR sequence. Let s be the number of places where the LFSR sequence equals the keystream sequence. If s ≈ ℓ p , then the corresponding state is likely to be the correct intial state. If s ≈ ℓ/ 2, then the corresponding state is unlikely to be the correct intial state. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 18 / 55

  6. Correlation Attack (contd.) For the attack to work ℓ must be at least m 1 / ( 1 − H ( p )) . If p = 1 / 2 the attack does not work. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 19 / 55

  7. Correlation Attack (contd.) For the attack to work ℓ must be at least m 1 / ( 1 − H ( p )) . If p = 1 / 2 the attack does not work. � � X ( i ) ⊕ X ( i ) = k i = p � = 1 But, if Pr 2 then the LFSRs 1 and 2 can 1 2 be attacked simultaneously. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 19 / 55

  8. Correlation Attack (contd.) For the attack to work ℓ must be at least m 1 / ( 1 − H ( p )) . If p = 1 / 2 the attack does not work. � � X ( i ) ⊕ X ( i ) = k i = p � = 1 But, if Pr 2 then the LFSRs 1 and 2 can 1 2 be attacked simultaneously. In general, if � � = p � = 1 X ( i ) j 1 ⊕ · · · ⊕ X ( i ) = k i Pr j r 2 then the LFSRs j 1 , . . . , j r can be attacked simulatenously. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 19 / 55

  9. Correlation Attack (contd.) For the attack to work ℓ must be at least m 1 / ( 1 − H ( p )) . If p = 1 / 2 the attack does not work. � � X ( i ) ⊕ X ( i ) = k i = p � = 1 But, if Pr 2 then the LFSRs 1 and 2 can 1 2 be attacked simultaneously. In general, if � � = p � = 1 X ( i ) j 1 ⊕ · · · ⊕ X ( i ) = k i Pr j r 2 then the LFSRs j 1 , . . . , j r can be attacked simulatenously. Leads to Boolean function design criteria and trade-offs. Balancedness. Correlation immunity (resilience). Algebraic degree. Nonlinearity. isilogo Other properties: propagation criteria, strict avalanche criteria, .... Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 19 / 55

  10. Fast Correlation Attacks Coding theory framework: State S of an LFSR is expanded to sequence a which is perturbed by non-linear noise e to obtain ciphertext c with p = Pr [ e i = 0 ] � = 1 / 2. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 20 / 55

  11. Fast Correlation Attacks Coding theory framework: State S of an LFSR is expanded to sequence a which is perturbed by non-linear noise e to obtain ciphertext c with p = Pr [ e i = 0 ] � = 1 / 2. View the expansion of S to a as the encoding procedure of a linear code. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 20 / 55

  12. Fast Correlation Attacks Coding theory framework: State S of an LFSR is expanded to sequence a which is perturbed by non-linear noise e to obtain ciphertext c with p = Pr [ e i = 0 ] � = 1 / 2. View the expansion of S to a as the encoding procedure of a linear code. Given c , using suitable decoding technique to obtain S . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 20 / 55

  13. An Iterative Decoding Procedure Generation of parity checks: find a number of linear relations that a bit a i in the sequence a should satisfy. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 21 / 55

  14. An Iterative Decoding Procedure Generation of parity checks: find a number of linear relations that a bit a i in the sequence a should satisfy. Shifting, squaring and multiples of the connection polynomial. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 21 / 55

  15. An Iterative Decoding Procedure Generation of parity checks: find a number of linear relations that a bit a i in the sequence a should satisfy. Shifting, squaring and multiples of the connection polynomial. Use k as an approximation of a and find the number of equations involving a i that hold for k i . If this number is less than a threshold, then complement k i . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 21 / 55

  16. An Iterative Decoding Procedure Generation of parity checks: find a number of linear relations that a bit a i in the sequence a should satisfy. Shifting, squaring and multiples of the connection polynomial. Use k as an approximation of a and find the number of equations involving a i that hold for k i . If this number is less than a threshold, then complement k i . Iterate the procedure until the sequence satisfies the LFSR recurrence. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 21 / 55

  17. An Iterative Decoding Procedure Generation of parity checks: find a number of linear relations that a bit a i in the sequence a should satisfy. Shifting, squaring and multiples of the connection polynomial. Use k as an approximation of a and find the number of equations involving a i that hold for k i . If this number is less than a threshold, then complement k i . Iterate the procedure until the sequence satisfies the LFSR recurrence. Works well if the number of taps in the LFSR is small. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 21 / 55

  18. Improvements to Correlation Attacks Identify an embedded low-rate convolutional code in the LFSR code; use Viterbi algorithm for decoding. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 22 / 55

  19. Improvements to Correlation Attacks Identify an embedded low-rate convolutional code in the LFSR code; use Viterbi algorithm for decoding. Turbo code techniques. Identify “parallel” embedded convolutional code in the LFSR code. The keystream sequence is used to construct received sequences for the convolutional codes. These are decoded using an iterative algorithm. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 22 / 55

  20. Improvements to Correlation Attacks Identify an embedded low-rate convolutional code in the LFSR code; use Viterbi algorithm for decoding. Turbo code techniques. Identify “parallel” embedded convolutional code in the LFSR code. The keystream sequence is used to construct received sequences for the convolutional codes. These are decoded using an iterative algorithm. List decoding techniques. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 22 / 55

  21. Improvements to Correlation Attacks A different view: Reconstruction of linear polynomials. m 1 − 1 � Bit a i is a linear combination a i = w i , j a j ; where w i , j s can be j = 0 computed from τ ( x ) . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 23 / 55

  22. Improvements to Correlation Attacks A different view: Reconstruction of linear polynomials. m 1 − 1 � Bit a i is a linear combination a i = w i , j a j ; where w i , j s can be j = 0 computed from τ ( x ) . m 1 − 1 � Let w i = ( w i , 0 , . . . , w i , m 1 − 1 ) and define A ( x ) = x j a j . j = 0 The values a 0 , . . . , a m 1 − 1 define the polynomial and are unknown. Then A ( x ) is a linear polynomial and a i = A ( w i ) for i ≥ m 1 . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 23 / 55

  23. Improvements to Correlation Attacks A different view: Reconstruction of linear polynomials. m 1 − 1 � Bit a i is a linear combination a i = w i , j a j ; where w i , j s can be j = 0 computed from τ ( x ) . m 1 − 1 � Let w i = ( w i , 0 , . . . , w i , m 1 − 1 ) and define A ( x ) = x j a j . j = 0 The values a 0 , . . . , a m 1 − 1 define the polynomial and are unknown. Then A ( x ) is a linear polynomial and a i = A ( w i ) for i ≥ m 1 . k i is a noisy output of the unknown polynomial A ( x ) evaluated at the known point w i . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 23 / 55

  24. Improvements to Correlation Attacks A different view: Reconstruction of linear polynomials. m 1 − 1 � Bit a i is a linear combination a i = w i , j a j ; where w i , j s can be j = 0 computed from τ ( x ) . m 1 − 1 � Let w i = ( w i , 0 , . . . , w i , m 1 − 1 ) and define A ( x ) = x j a j . j = 0 The values a 0 , . . . , a m 1 − 1 define the polynomial and are unknown. Then A ( x ) is a linear polynomial and a i = A ( w i ) for i ≥ m 1 . k i is a noisy output of the unknown polynomial A ( x ) evaluated at the known point w i . Use of techniques from computational learning theory due to Goldreich, Rubinfeld and Sudan to reconstruct f from the k i s. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 23 / 55

  25. Improvements to Correlation Attacks A different view: Reconstruction of linear polynomials. m 1 − 1 � Bit a i is a linear combination a i = w i , j a j ; where w i , j s can be j = 0 computed from τ ( x ) . m 1 − 1 � Let w i = ( w i , 0 , . . . , w i , m 1 − 1 ) and define A ( x ) = x j a j . j = 0 The values a 0 , . . . , a m 1 − 1 define the polynomial and are unknown. Then A ( x ) is a linear polynomial and a i = A ( w i ) for i ≥ m 1 . k i is a noisy output of the unknown polynomial A ( x ) evaluated at the known point w i . Use of techniques from computational learning theory due to Goldreich, Rubinfeld and Sudan to reconstruct f from the k i s. The application is not straightforward, there are a few tricks isilogo involved. Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 23 / 55

  26. Other Kinds of Correlations Correlations between linear functions of several output bits and linear functions of a subset of LFSR bits. For strong enough correlations, a number of stochastic equations may be derived. If the known keystream sequence is long enough, then the equations can be solved. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 24 / 55

  27. Other Kinds of Correlations Correlations between linear functions of several output bits and linear functions of a subset of LFSR bits. For strong enough correlations, a number of stochastic equations may be derived. If the known keystream sequence is long enough, then the equations can be solved. Keystream (or simply key) correlation: leads to distinguishing attacks. Bias in a particular keystream bit or a linear combination of keystream bits, eg. Pr [ k 16 = 0 ] � = 1 / 2. Attack types: multiple keys; or, single key but, multiple IVs. Bias in a subsequence of key bits, eg. Pr [ k i = k i + 3 ] � = 1 / 2 for all i ≥ 0. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 24 / 55

  28. Some References: Correlation Attacks T. Siegenthaler: Decrypting a Class of Stream Ciphers Using Ciphertext Only. IEEE Trans. Computers 34(1): (1985). T. Siegenthaler: Correlation-immunity of nonlinear combining functions for cryptographic applications. IEEE Trans. on Inf. Th. 30(5): (1984). isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 25 / 55

  29. Some References: Correlation Attacks T. Siegenthaler: Decrypting a Class of Stream Ciphers Using Ciphertext Only. IEEE Trans. Computers 34(1): (1985). T. Siegenthaler: Correlation-immunity of nonlinear combining functions for cryptographic applications. IEEE Trans. on Inf. Th. 30(5): (1984). W. Meier, O. Staffelbach: Fast Correlation Attacks on Certain Stream Ciphers. J. Cryptology 1(3): (1989). J. Dj. Goli´ c: Correlation Properties of a General Binary Combiner with Memory. J. Cryptology 9(2): (1996). isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 25 / 55

  30. Some References: Correlation Attacks T. Siegenthaler: Decrypting a Class of Stream Ciphers Using Ciphertext Only. IEEE Trans. Computers 34(1): (1985). T. Siegenthaler: Correlation-immunity of nonlinear combining functions for cryptographic applications. IEEE Trans. on Inf. Th. 30(5): (1984). W. Meier, O. Staffelbach: Fast Correlation Attacks on Certain Stream Ciphers. J. Cryptology 1(3): (1989). J. Dj. Goli´ c: Correlation Properties of a General Binary Combiner with Memory. J. Cryptology 9(2): (1996). T. Johansson, F. Jönsson: Fast Correlation Attacks Based on Turbo Code Techniques. CRYPTO 1999. T. Johansson, F. Jönsson: Fast Correlation Attacks through Reconstruction of Linear Polynomials. CRYPTO 2000. M. J. Mihaljevic, M. P . C. Fossorier, H. Imai: Fast Correlation Attack Algorithm with List Decoding and an Application. FSE isilogo 2001. Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 25 / 55

  31. Algebraic Attacks. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 26 / 55

  32. Algebraic Attacks: Basic Idea Let L be the update functions of all the LFSRs. Each LFSR is updated using a linear function and let L be the applications of these linear functions to the respective states. L is a linear function on the whole state. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 27 / 55

  33. Algebraic Attacks: Basic Idea Let L be the update functions of all the LFSRs. Each LFSR is updated using a linear function and let L be the applications of these linear functions to the respective states. L is a linear function on the whole state. Let ( s 0 , . . . , s n − 1 ) be the n -bit state at time i . Keystream: f ( s 0 , . . . , s n − 1 ) k i = f ( L ( s 0 , . . . , s n − 1 )) k i + 1 = f ( L 2 ( s 0 , . . . , s n − 1 )) k i + 2 = · · · · · · · · · Each of the expressions on the left have degree d ∆ = deg ( f ) . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 27 / 55

  34. Solving Equations There are � d � n � monomials of degree at most d . j = 1 j Replace each monomial by a new variable. Solve the resulting system of linear equations. Sufficient number of keystream bits required to get an over-defined system of equations. From the solution to the linear system, obtain the solution to the original system. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 28 / 55

  35. Solving Equations There are � d � n � monomials of degree at most d . j = 1 j Replace each monomial by a new variable. Solve the resulting system of linear equations. Sufficient number of keystream bits required to get an over-defined system of equations. From the solution to the linear system, obtain the solution to the original system. Use Gröbner basis based technique to directly solve the system of multivariate polynomial equations over I F 2 . Becomes progressively inefficient as d increases. The linearisation technique also essentially computes the Gröbner basis. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 28 / 55

  36. Controlling the Degree Suppose g is a function such that deg ( f × g ) < deg ( g ) . Example: f ( x 1 , x 2 , x 3 ) = x 1 ⊕ x 2 ⊕ x 1 x 2 x 3 and g ( x 1 , x 2 , x 3 ) = x 2 x 3 . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 29 / 55

  37. Controlling the Degree Suppose g is a function such that deg ( f × g ) < deg ( g ) . Example: f ( x 1 , x 2 , x 3 ) = x 1 ⊕ x 2 ⊕ x 1 x 2 x 3 and g ( x 1 , x 2 , x 3 ) = x 2 x 3 . f ( s 0 , . . . , s n − 1 ) g ( s 0 , . . . , s n − 1 ) k i · g ( s 0 , . . . , s n − 1 ) = f ( L ( s 0 , . . . , s n − 1 )) g ( L ( s 0 , . . . , s n − 1 )) k i + 1 · g ( L ( s 0 , . . . , s n − 1 )) = f ( L 2 ( s 0 , . . . , s n − 1 )) g ( L 2 ( s 0 , . . . , s n − 1 )) k i + 2 · g ( L 2 ( s 0 , . . . , s n − 1 )) = · · · · · · · · · isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 29 / 55

  38. Controlling the Degree Suppose g is a function such that deg ( f × g ) < deg ( g ) . Example: f ( x 1 , x 2 , x 3 ) = x 1 ⊕ x 2 ⊕ x 1 x 2 x 3 and g ( x 1 , x 2 , x 3 ) = x 2 x 3 . f ( s 0 , . . . , s n − 1 ) g ( s 0 , . . . , s n − 1 ) k i · g ( s 0 , . . . , s n − 1 ) = f ( L ( s 0 , . . . , s n − 1 )) g ( L ( s 0 , . . . , s n − 1 )) k i + 1 · g ( L ( s 0 , . . . , s n − 1 )) = f ( L 2 ( s 0 , . . . , s n − 1 )) g ( L 2 ( s 0 , . . . , s n − 1 )) k i + 2 · g ( L 2 ( s 0 , . . . , s n − 1 )) = · · · · · · · · · If deg ( g ) < d or k j = 0 (which happens roughly half of the times), then we get a system of equations whose degrees are less than d . Finding a “good” g is important. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 29 / 55

  39. A General Formulation Let s = ( s 0 , . . . , s n − 1 ) . Find a Boolean function � f such that for some δ ≥ 0 f ( L t ( s ) , . . . , L t + δ ( s ) , k t , . . . , k t + δ ) = 0 . � For δ = 0, take � f = f . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 30 / 55

  40. A General Formulation Let s = ( s 0 , . . . , s n − 1 ) . Find a Boolean function � f such that for some δ ≥ 0 f ( L t ( s ) , . . . , L t + δ ( s ) , k t , . . . , k t + δ ) = 0 . � For δ = 0, take � f = f . Suppose � f can be written as f ( L t ( s ) , . . . , L t + δ ( s ) , k t , . . . , k t + δ ) � h ( L t ( s ) , . . . , L t + δ ( s )) ⊕ g ( L t ( s ) , . . . , L t + δ ( s ) , k t , . . . , k t + δ ) = h t ( s ) ⊕ g t ( s , k t , . . . , k t + δ ) = where the degree e of s in g is less than the degree d of s in � f . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 30 / 55

  41. A General Formulation (contd.) Assume that the attacker can find constants c 0 , . . . , c T − 1 such that T − 1 � c j h t + j ( s ) = 0 . j = 0 isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 31 / 55

  42. A General Formulation (contd.) Assume that the attacker can find constants c 0 , . . . , c T − 1 such that T − 1 � c j h t + j ( s ) = 0 . j = 0 Using f ( L t ( s ) , . . . , L t + δ ( s ) , k t , . . . , k t + δ ) = h t ( s ) ⊕ g t ( s , k t , . . . , k t + δ ) 0 = � we can write T − 1 � c j g t + j ( s , k t , . . . , k t + δ ) = 0 . j = 0 isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 31 / 55

  43. A General Formulation (contd.) Assume that the attacker can find constants c 0 , . . . , c T − 1 such that T − 1 � c j h t + j ( s ) = 0 . j = 0 Using f ( L t ( s ) , . . . , L t + δ ( s ) , k t , . . . , k t + δ ) = h t ( s ) ⊕ g t ( s , k t , . . . , k t + δ ) 0 = � we can write T − 1 � c j g t + j ( s , k t , . . . , k t + δ ) = 0 . j = 0 This is an equation of lower degree e in the unknown s . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 31 / 55

  44. A General Formulation (contd.) Finding the constants c 0 , . . . , c T − 1 . Choose a “reasonable” value s ∗ of s . k t = h t ( s ∗ ) for t = 0 , . . . , 2 T − 1. Compute ˆ isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 32 / 55

  45. A General Formulation (contd.) Finding the constants c 0 , . . . , c T − 1 . Choose a “reasonable” value s ∗ of s . k t = h t ( s ∗ ) for t = 0 , . . . , 2 T − 1. Compute ˆ Use Berlekamp-Massey algorithm to find c 0 , . . . , c T − 1 such that T − 1 � c j ˆ k t + j 0 = j = 0 isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 32 / 55

  46. A General Formulation (contd.) Finding the constants c 0 , . . . , c T − 1 . Choose a “reasonable” value s ∗ of s . k t = h t ( s ∗ ) for t = 0 , . . . , 2 T − 1. Compute ˆ Use Berlekamp-Massey algorithm to find c 0 , . . . , c T − 1 such that T − 1 � c j ˆ k t + j 0 = j = 0 T − 1 � c j h t + j ( s ∗ ) . = j = 0 isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 32 / 55

  47. A General Formulation (contd.) Finding the constants c 0 , . . . , c T − 1 . Choose a “reasonable” value s ∗ of s . k t = h t ( s ∗ ) for t = 0 , . . . , 2 T − 1. Compute ˆ Use Berlekamp-Massey algorithm to find c 0 , . . . , c T − 1 such that T − 1 � c j ˆ k t + j 0 = j = 0 T − 1 � c j h t + j ( s ∗ ) . = j = 0 Requires O ( T 2 ) time. The proof that these c 0 , . . . , c T − 1 work for all s is non-trivial. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 32 / 55

  48. Some References: Algebraic Attacks N. Courtois, W. Meier: Algebraic Attacks on Stream Ciphers with Linear Feedback. EUROCRYPT 2003. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 33 / 55

  49. Some References: Algebraic Attacks N. Courtois, W. Meier: Algebraic Attacks on Stream Ciphers with Linear Feedback. EUROCRYPT 2003. N. Courtois: Fast Algebraic Attacks on Stream Ciphers with Linear Feedback. CRYPTO 2003. F. Armknecht, M. Krause: Algebraic Attacks on Combiners with Memory. CRYPTO 2003. Frederik Armknecht: Improving Fast Algebraic Attacks. FSE 2004. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 33 / 55

  50. Some References: Algebraic Attacks N. Courtois, W. Meier: Algebraic Attacks on Stream Ciphers with Linear Feedback. EUROCRYPT 2003. N. Courtois: Fast Algebraic Attacks on Stream Ciphers with Linear Feedback. CRYPTO 2003. F. Armknecht, M. Krause: Algebraic Attacks on Combiners with Memory. CRYPTO 2003. Frederik Armknecht: Improving Fast Algebraic Attacks. FSE 2004. N. Courtois, A. Klimov, J. Patarin, A. Shamir: Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations. EUROCRYPT 2000. C. Diem: The XL-Algorithm and a Conjecture from Commutative Algebra. ASIACRYPT 2004. G. Ars, J.-C. Faugére, H. Imai, M. Kawazoe, M. Sugita: Comparison Between XL and Gröbner Basis Algorithms. isilogo ASIACRYPT 2004. Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 33 / 55

  51. Differential Attacks. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 34 / 55

  52. Trivium: A Counter-Point to Correlation and Algebraic Attacks State: ( s ( i ) 1 , . . . , s ( i ) 288 ) : (Super-script i is omitted for simplicity.) State update function is non-linear. Output function is linear. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 35 / 55

  53. Trivium: A Counter-Point to Correlation and Algebraic Attacks State: ( s ( i ) 1 , . . . , s ( i ) 288 ) : (Super-script i is omitted for simplicity.) State update function is non-linear. Output function is linear. t 1 = s 66 ⊕ s 93 ; t 2 = s 162 ⊕ s 177 ; t 3 = s 243 ⊕ s 288 ; k i = t 1 ⊕ t 2 ⊕ t 3 ; isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 35 / 55

  54. Trivium: A Counter-Point to Correlation and Algebraic Attacks State: ( s ( i ) 1 , . . . , s ( i ) 288 ) : (Super-script i is omitted for simplicity.) State update function is non-linear. Output function is linear. t 1 = s 66 ⊕ s 93 ; t 2 = s 162 ⊕ s 177 ; t 3 = s 243 ⊕ s 288 ; k i = t 1 ⊕ t 2 ⊕ t 3 ; t 1 = t 1 ⊕ s 91 · s 92 ⊕ s 171 ; t 2 = t 2 ⊕ s 175 · s 176 ⊕ s 264 ; t 3 = t 3 ⊕ s 286 · s 287 ⊕ s 69 ; isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 35 / 55

  55. Trivium: A Counter-Point to Correlation and Algebraic Attacks State: ( s ( i ) 1 , . . . , s ( i ) 288 ) : (Super-script i is omitted for simplicity.) State update function is non-linear. Output function is linear. t 1 = s 66 ⊕ s 93 ; t 2 = s 162 ⊕ s 177 ; t 3 = s 243 ⊕ s 288 ; k i = t 1 ⊕ t 2 ⊕ t 3 ; t 1 = t 1 ⊕ s 91 · s 92 ⊕ s 171 ; t 2 = t 2 ⊕ s 175 · s 176 ⊕ s 264 ; t 3 = t 3 ⊕ s 286 · s 287 ⊕ s 69 ; ( s 1 , s 2 , . . . , s 93 ) ← ( t 3 , s 1 , . . . , s 92 ) ; ( s 94 , s 95 . . . , s 177 ) ← ( t 1 , s 94 , . . . , s 176 ) ; ( s 178 , s 179 , . . . , s 288 ) ← ( t 2 , s 178 , . . . , s 287 ) ; isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 35 / 55

  56. Derivatives Given an n -variable Boolean function f ( x ) and a ∈ { 0 , 1 } n , the derivative of f at a is defined to be a Boolean function ∆ a f ( x ) ∆ = f ( x ⊕ a ) ⊕ f ( x ) . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 36 / 55

  57. Derivatives Given an n -variable Boolean function f ( x ) and a ∈ { 0 , 1 } n , the derivative of f at a is defined to be a Boolean function ∆ a f ( x ) ∆ = f ( x ⊕ a ) ⊕ f ( x ) . Extension: ∆ ( 2 ) a 1 , a 2 f ( x ) = f ( x ⊕ a 1 ⊕ a 2 ) ⊕ f ( x ⊕ a 1 ) ⊕ f ( x ⊕ a 2 ) ⊕ f ( x ) . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 36 / 55

  58. Derivatives Given an n -variable Boolean function f ( x ) and a ∈ { 0 , 1 } n , the derivative of f at a is defined to be a Boolean function ∆ a f ( x ) ∆ = f ( x ⊕ a ) ⊕ f ( x ) . Extension: ∆ ( 2 ) a 1 , a 2 f ( x ) = f ( x ⊕ a 1 ⊕ a 2 ) ⊕ f ( x ⊕ a 1 ) ⊕ f ( x ⊕ a 2 ) ⊕ f ( x ) . Other direction: f ( x ⊕ a 1 ⊕ a 2 ) = ∆ ( 2 ) a 1 , a 2 f ( x ) ⊕ ∆ a 1 f ( x ) ⊕ ∆ a 2 f ( x ) ⊕ f ( x ) . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 36 / 55

  59. Derivatives Given an n -variable Boolean function f ( x ) and a ∈ { 0 , 1 } n , the derivative of f at a is defined to be a Boolean function ∆ a f ( x ) ∆ = f ( x ⊕ a ) ⊕ f ( x ) . Extension: ∆ ( 2 ) a 1 , a 2 f ( x ) = f ( x ⊕ a 1 ⊕ a 2 ) ⊕ f ( x ⊕ a 1 ) ⊕ f ( x ⊕ a 2 ) ⊕ f ( x ) . Other direction: f ( x ⊕ a 1 ⊕ a 2 ) = ∆ ( 2 ) a 1 , a 2 f ( x ) ⊕ ∆ a 1 f ( x ) ⊕ ∆ a 2 f ( x ) ⊕ f ( x ) . n � � ∆ ( i ) f ( x ⊕ a 1 ⊕ · · · ⊕ a n ) = a j 1 ,..., a ji f ( x ) . i = 0 1 ≤ j 1 < ··· < j i ≤ n isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 36 / 55

  60. Derivatives (contd.) Properties. deg (∆ a f ) < deg ( f ) . ∆ ( 2 ) a 1 , a 2 f ( x ) = ∆ ( 2 ) a 2 , a 1 f ( x ) . ∆ a ( f ⊕ g ) = ∆ a f ⊕ ∆ a g . ∆ a ( f ( x ) g ( x )) = f ( x ⊕ a )∆ a g ( x ) ⊕ (∆ a f ( x )) g ( x ) . If a ∈ { 0 , 1 } n is such that supp ( a ) ⊂ { 1 , . . . , i } , then ∆ a ( x 1 · · · x i f ( x i + 1 , . . . , x n )) = f ( x i + 1 , . . . , x n )∆ a ( x 1 · · · x i ) . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 37 / 55

  61. Derivatives (contd.) Properties. deg (∆ a f ) < deg ( f ) . ∆ ( 2 ) a 1 , a 2 f ( x ) = ∆ ( 2 ) a 2 , a 1 f ( x ) . ∆ a ( f ⊕ g ) = ∆ a f ⊕ ∆ a g . ∆ a ( f ( x ) g ( x )) = f ( x ⊕ a )∆ a g ( x ) ⊕ (∆ a f ( x )) g ( x ) . If a ∈ { 0 , 1 } n is such that supp ( a ) ⊂ { 1 , . . . , i } , then ∆ a ( x 1 · · · x i f ( x i + 1 , . . . , x n )) = f ( x i + 1 , . . . , x n )∆ a ( x 1 · · · x i ) . Nothing special about x 1 · · · x i ; easy modification for the monomial x j 1 · · · x j i . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 37 / 55

  62. Derivatives (contd.) Let C [ a 1 , . . . , a i ] be the set of all linear combinations of a 1 , . . . , a i . Then � ∆ ( i ) a 1 ,..., a i f ( x ) = f ( x ⊕ c ) . c ∈ C [ a 1 ,..., a i ] isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 38 / 55

  63. Derivatives (contd.) Let C [ a 1 , . . . , a i ] be the set of all linear combinations of a 1 , . . . , a i . Then � ∆ ( i ) a 1 ,..., a i f ( x ) = f ( x ⊕ c ) . c ∈ C [ a 1 ,..., a i ] If a i is linearly dependent on a 1 , . . . , a i − 1 , then ∆ ( i ) a 1 ,..., a i f ( x ) = 0. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 38 / 55

  64. Using Derivatives Suppose f ( x 1 , . . . , x n ) can be written as f ( x 1 , . . . , x n ) = x 1 · · · x i g ( x i + 1 , . . . , x n ) ⊕ h ( x 1 , . . . , x n ) where x 1 · · · x i does not divide any monomial of h ( x 1 , . . . , x n ) . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 39 / 55

  65. Using Derivatives Suppose f ( x 1 , . . . , x n ) can be written as f ( x 1 , . . . , x n ) = x 1 · · · x i g ( x i + 1 , . . . , x n ) ⊕ h ( x 1 , . . . , x n ) where x 1 · · · x i does not divide any monomial of h ( x 1 , . . . , x n ) . Let a 1 , . . . , a i be linearly independent vectors such that supp ( a 1 ) , . . . , supp ( a i ) ⊂ { 1 , . . . , i } . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 39 / 55

  66. Using Derivatives Suppose f ( x 1 , . . . , x n ) can be written as f ( x 1 , . . . , x n ) = x 1 · · · x i g ( x i + 1 , . . . , x n ) ⊕ h ( x 1 , . . . , x n ) where x 1 · · · x i does not divide any monomial of h ( x 1 , . . . , x n ) . Let a 1 , . . . , a i be linearly independent vectors such that supp ( a 1 ) , . . . , supp ( a i ) ⊂ { 1 , . . . , i } . Then g ( x i + 1 , . . . , x n ) ∆ a 1 ,..., a i f ( x 1 , . . . , x n ) = isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 39 / 55

  67. Using Derivatives Suppose f ( x 1 , . . . , x n ) can be written as f ( x 1 , . . . , x n ) = x 1 · · · x i g ( x i + 1 , . . . , x n ) ⊕ h ( x 1 , . . . , x n ) where x 1 · · · x i does not divide any monomial of h ( x 1 , . . . , x n ) . Let a 1 , . . . , a i be linearly independent vectors such that supp ( a 1 ) , . . . , supp ( a i ) ⊂ { 1 , . . . , i } . Then g ( x i + 1 , . . . , x n ) ∆ a 1 ,..., a i f ( x 1 , . . . , x n ) = � f ( x ⊕ c ) . = c ∈ C [ a 1 ,..., a i ] isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 39 / 55

  68. Using Derivatives Suppose f ( x 1 , . . . , x n ) can be written as f ( x 1 , . . . , x n ) = x 1 · · · x i g ( x i + 1 , . . . , x n ) ⊕ h ( x 1 , . . . , x n ) where x 1 · · · x i does not divide any monomial of h ( x 1 , . . . , x n ) . Let a 1 , . . . , a i be linearly independent vectors such that supp ( a 1 ) , . . . , supp ( a i ) ⊂ { 1 , . . . , i } . Then g ( x i + 1 , . . . , x n ) ∆ a 1 ,..., a i f ( x 1 , . . . , x n ) = � f ( x ⊕ c ) . = c ∈ C [ a 1 ,..., a i ] Nothing special about x 1 · · · x i ; easy modification for x j 1 · · · x j i . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 39 / 55

  69. Using Derivatives (contd.) Maxterm: x j 1 · · · x j i is a maxterm if the corresponding g is of degree 1. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 40 / 55

  70. Using Derivatives (contd.) Maxterm: x j 1 · · · x j i is a maxterm if the corresponding g is of degree 1. Observation: If f is a random polynomial of degree d , then with high probability every degree ( d − 1 ) monomial is a maxterm. isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 40 / 55

  71. Using Derivatives (contd.) Maxterm: x j 1 · · · x j i is a maxterm if the corresponding g is of degree 1. Observation: If f is a random polynomial of degree d , then with high probability every degree ( d − 1 ) monomial is a maxterm. Suppose x 1 · · · x i is a maxterm. f ( x ) = x 1 · · · x i g ( x i + 1 , . . . , x n ) + h ( x ) . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 40 / 55

  72. Using Derivatives (contd.) Maxterm: x j 1 · · · x j i is a maxterm if the corresponding g is of degree 1. Observation: If f is a random polynomial of degree d , then with high probability every degree ( d − 1 ) monomial is a maxterm. Suppose x 1 · · · x i is a maxterm. f ( x ) = x 1 · · · x i g ( x i + 1 , . . . , x n ) + h ( x ) . Constant term of g is obtained by setting x i + 1 , . . . , x n to 0 and XORing together the values of f for all possible choices of x 1 , . . . , x i . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 40 / 55

  73. Using Derivatives (contd.) Maxterm: x j 1 · · · x j i is a maxterm if the corresponding g is of degree 1. Observation: If f is a random polynomial of degree d , then with high probability every degree ( d − 1 ) monomial is a maxterm. Suppose x 1 · · · x i is a maxterm. f ( x ) = x 1 · · · x i g ( x i + 1 , . . . , x n ) + h ( x ) . Constant term of g is obtained by setting x i + 1 , . . . , x n to 0 and XORing together the values of f for all possible choices of x 1 , . . . , x i . The coefficient of x j in g ( j > i ) is obtained by setting x j to 1, all other x i + 1 , . . . , x n to 0 and XORing together the values of f for all possible choices of x 1 , . . . , x i . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 40 / 55

  74. Using Derivatives (contd.) Maxterm: x j 1 · · · x j i is a maxterm if the corresponding g is of degree 1. Observation: If f is a random polynomial of degree d , then with high probability every degree ( d − 1 ) monomial is a maxterm. Suppose x 1 · · · x i is a maxterm. f ( x ) = x 1 · · · x i g ( x i + 1 , . . . , x n ) + h ( x ) . Constant term of g is obtained by setting x i + 1 , . . . , x n to 0 and XORing together the values of f for all possible choices of x 1 , . . . , x i . The coefficient of x j in g ( j > i ) is obtained by setting x j to 1, all other x i + 1 , . . . , x n to 0 and XORing together the values of f for all possible choices of x 1 , . . . , x i . Nothing special about x 1 · · · x i ; easy modification for x j 1 · · · x j i . isilogo Palash Sarkar (ISI, Kolkata) stream ciphers ASK 2011 40 / 55

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade provable security for practicality Stream cipher is initialized with short key Key is stretched into long keystream Keystream is used like

512 views • 35 slides
Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview

Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview

FSE 2011, February 14 -16, Lyngby, Denmark Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview A decoding problem LFSR-based stream ciphers Correlation attacks Fast correlation

908 views • 54 slides
A Countermeasure Against Power Analysis Attacks for FSR-Based Stream Ciphers Shohreh Sharif

A Countermeasure Against Power Analysis Attacks for FSR-Based Stream Ciphers Shohreh Sharif

A Countermeasure Against Power Analysis Attacks for FSR-Based Stream Ciphers Shohreh Sharif Mansouri and Elena Dubrova Department of Electronic Systems, School of ICT, KTH - Royal Institute of Technology, Stockholm Email:{shsm,dubrova}@kth.se

457 views • 17 slides
B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers

B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers

1 B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers Normally, stream ciphers are symmetric algorithms with encryption = decryption In this course we only consider symmetric stream ciphers.

828 views • 44 slides
Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream

Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream

Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream ciphers Building blocks in stream ciphers m-sequences Clock-control registers / Nonlinear combiner / Filter generator Correlation

666 views • 39 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography Linear Cryptanalysis Differential Cryptanalysis Analytic Cryptanalysis of Block Ciphers, Stream Ciphers, Modes of Other Advanced Attacks Operation,

933 views • 11 slides
Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia

Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia

Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia K asper 1 Overview Basic concept of correlation attacks on stream ciphers A correlation attack on the GSM cipher A5/1 A correlation

256 views • 22 slides
Secret Key: stream ciphers &amp; block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers &amp; block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers &amp; block ciphers Stream Ciphers Idea: try to simulate one-time pad define a secret key (seed) Using the seed generates a byte stream ( Keystream): i-th byte is function only of the key

822 views • 69 slides
Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State

Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State

ASK 2018, ISI Kolkata November 13, 2018 Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State - A generic TMD tradeoff distinguisher - High-order differentials - Cryptanalysis with division property

944 views • 47 slides
T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher confidentiality modes of operation Kaufman et al: Ch 4 Stallings: Ch 6, Ch 3 1 Stream ciphers Stream ciphers are generally faster than block

535 views • 12 slides
Algebraic Attacks on Stream Ciphers Trial Lecture Rune Steinsmo degrd Centre for

Algebraic Attacks on Stream Ciphers Trial Lecture Rune Steinsmo degrd Centre for

Algebraic Attacks on Stream Ciphers Trial Lecture Rune Steinsmo degrd Centre for Quantifiable Quality of Service in Communication Systems Centre of Excellence NTNU, Norway NTNU, Trondheim, 2012-04-23 www.q2s.ntnu.no Rune Steinsmo

716 views • 49 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and

Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and

CSS441 Random Numbers Principles PRNGs Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven

460 views • 24 slides
Algebraic Attacks and Stream Ciphers Mikko Kiviharju Helsinki University of Technology

Algebraic Attacks and Stream Ciphers Mikko Kiviharju Helsinki University of Technology

T-79.514 Special Course on Cryptology November 25 th , 2004 Algebraic Attacks and Stream Ciphers Mikko Kiviharju Helsinki University of Technology mkivihar@cc.hut.fi T-79.514 Special Course on Cryptology Mikko Kiviharju 1 Overview

493 views • 28 slides
Eli Biham Presented by: Nael Masalha Outline Introduction LOKI89 Related Keys

Eli Biham Presented by: Nael Masalha Outline Introduction LOKI89 Related Keys

New Types of Cryptanalytic Attacks Using Related Keys Eli Biham Presented by: Nael Masalha Outline Introduction LOKI89 Related Keys Chosen Key Attack Chosen plaintext attack Summary Introduction The author studies

612 views • 21 slides
Known plaintext attack on encrypted ZIP files Barosan Dragos Laurentiu Supervisor: Armijn Hemel

Known plaintext attack on encrypted ZIP files Barosan Dragos Laurentiu Supervisor: Armijn Hemel

University of Amsterdam System and Network Engineering Known plaintext attack on encrypted ZIP files Barosan Dragos Laurentiu Supervisor: Armijn Hemel Why? There is no open source implementation Source Code available for PkCrack by

837 views • 19 slides
Corridor Strategic Plan Strategic Vision Test &amp; Apply Technologies Develop

Corridor Strategic Plan Strategic Vision Test &amp; Apply Technologies Develop

I -87 Multimodal Corridor Study Corridor Strategic Plan Strategic Vision Test &amp; Apply Technologies Develop Basis for Higher- Costs Smart Programs Foster Paradigm Shift Shape Further Required Study:

721 views • 22 slides
Geo-Strategy https://www.youtube.com/watch?v=5GvjVUrmgNU Geo-politics Geo-economics

Geo-Strategy https://www.youtube.com/watch?v=5GvjVUrmgNU Geo-politics Geo-economics

https://www.youtube.com/watch?v=eHp3zQAAZso Geo-Strategy https://www.youtube.com/watch?v=5GvjVUrmgNU Geo-politics Geo-economics https://www.youtube.com/watch https://www.youtube.com/watch ?v=z5ddUGVo7tU ?v=Yd0i-ZJx1k8

785 views • 60 slides
Round5 with ring lifting CWG, September 14, 2018 Sauvik Bhattacharya, Scott Fluhrer, Oscar

Round5 with ring lifting CWG, September 14, 2018 Sauvik Bhattacharya, Scott Fluhrer, Oscar

Round5 with ring lifting CWG, September 14, 2018 Sauvik Bhattacharya, Scott Fluhrer, Oscar Garcia-Morchon, Mike Hamburg, Thijs Laarhoven, Ronald Rietman, Markku-Juhani O. Saarinen, Ludo Tolhuizen, Zhenfei Zhang 1 / 1 Outline 2 / 1

463 views • 25 slides
SecureDB A Secure Query Processing System in the Cloud Group Member: Haibin LIN, Eric

SecureDB A Secure Query Processing System in the Cloud Group Member: Haibin LIN, Eric

SecureDB A Secure Query Processing System in the Cloud Group Member: Haibin LIN, Eric Supervisor: Prof Benjamin Kao Department of Computer Science, University of Hong Kong Overview 1. The Problem 2. Related Work 3. Theoretical Background 4.

763 views • 47 slides
SNOW V: A new version of SNOW for 5G Patrik Ekdahl 2 , Thomas Johansson 1 , Alexander Maximov 2 ,

SNOW V: A new version of SNOW for 5G Patrik Ekdahl 2 , Thomas Johansson 1 , Alexander Maximov 2 ,

SNOW V: A new version of SNOW for 5G Patrik Ekdahl 2 , Thomas Johansson 1 , Alexander Maximov 2 , Jing Yang 1 1 Department of Electrical and Information Technology, Lund University 2 Ericsson Research, Ericsson Outline Motivation Motivation

497 views • 36 slides
Arizona Department of Agriculture Agricultural Consultation and Training SPECIALTY CROP BLOCK

Arizona Department of Agriculture Agricultural Consultation and Training SPECIALTY CROP BLOCK

Arizona Department of Agriculture Agricultural Consultation and Training SPECIALTY CROP BLOCK GRANT PROGRAM FARM BILL (SCBGP-FB) PRE-AWARD WORKSHOP L I S A A . J A M E S G R A N T P R O G R A M M A N A G E R A S H L E Y E S T E S ( W

884 views • 69 slides

More recommend