Hüseyin Demirci
Scientific and Technological Research Council of Turkey
Publication
Featured research published by Hüseyin Demirci.
Fast Software Encryption | 2008
Hüseyin Demirci; Ali Aydın Selçuk
We present a 5-round distinguisher for AES. We exploit this distinguisher to develop a meet-in-the-middle attack on 7 rounds of AES-192 and 8 rounds of AES-256. We also give a time-memory tradeoff generalization of the basic attack which gives a better balancing between different costs of the attack. As an additional note, we state a new square-like property of the AES algorithm.
International Conference on Cryptology in India | 2009
Hüseyin Demirci; İhsan Taşkın; Mustafa Çoban; Adnan Baysal
We improve the existing distinguishers of AES. Our work is mainly built upon the works by Gilbert & Minier [17] and Demirci & Selçuk [14]. We find out that some part of the inner encryption function of AES can be expressed with relatively few constants under certain conditions. These new distinguishers are exploited to develop a meet-in-the-middle attack on 7 rounds of AES-128 and AES-192, and on 8 rounds of AES-256. The proposed attack is faster than the existing attacks [15,17] for a key size of 128 at the expense of an increase in the complexities of memory and precomputation.
Selected Areas in Cryptography | 2003
Hüseyin Demirci; Ali Aydın Selçuk; Erkan Türe
In this paper we introduce a novel meet-in-the-middle attack on the IDEA block cipher. The attack consists of a precomputation and an elimination phase. The attack reduces the number of required plaintexts significantly for 4 and 4.5 rounds, and, to the best of our knowledge, it is the first attack on the 5-round IDEA.
International Conference on Cryptology in India | 2008
Mete Akgün; Pınar Kavak; Hüseyin Demirci
A new bias is detected in the key scheduling algorithm of RC4 and a novel framework that advantageously combines this new bias with the existing ones is proposed. Using the new bias, a different algorithm is proposed to retrieve the RC4 key given the state table. The new method not only improves the success probability but also provides a more efficient way of calculation in comparison with the previous methods for any key size. The efficiency of the algorithm is demonstrated experimentally. If the key length is 40 bits, the secret key is retrieved with a 99% success rate in 0.007 seconds. The success probability for retrieving the 128-bit RC4 key is also increased significantly. A 128-bit key can be retrieved with a 3% success rate in 185 seconds and a 7.45% success rate in 1572 seconds on a 2.67 GHz Intel CPU.
International Conference on RFID | 2011
Süleyman Kardaş; Mehmet Sabir Kiraz; Muhammed Ali Bingöl; Hüseyin Demirci
Radio Frequency Identification (RFID) systems are vulnerable to relay attacks (i.e., mafia, terrorist and distance frauds) when they are used for authentication purposes. Distance bounding protocols are particularly designed as a countermeasure against these attacks. These protocols aim to ensure that the tags are in a distant area by measuring the round-trip delays during a rapid challenge-response exchange of short authenticated messages. Terrorist fraud is the most challenging attack to avoid, because a legitimate user (a tag owner) collaborates with an attacker to defeat the authentication system. Many RFID distance bounding protocols have been proposed recently, with encouraging results. However, none of them provides the ideal security against the terrorist fraud. Motivated by this need, we first introduce a strong adversary model for a Physically Unclonable Function (PUF) based authentication protocol in which the adversary has access to the volatile memory of the tag. We show that Sadeghi et al.'s PUF-based authentication protocol is not secure in this model. We provide a new technique to improve the security of their protocol. Namely, in our scheme, even if an adversary has access to volatile memory she cannot obtain all long-term keys to clone the tag. Next, we propose a novel RFID distance bounding protocol based on PUFs which satisfies the expected security requirements. Compared to the previous protocols, the use of PUFs in our protocol enhances the system in terms of security, privacy and tag computational overhead. We also prove that our extended protocol with a final signature provides the ideal security against all those frauds, in particular the terrorist fraud. Besides that, our protocols enjoy the attractive properties of PUFs, which provide the most cost-efficient and reliable means to fingerprint chips based on their physical properties.
Selected Areas in Cryptography | 2002
Hüseyin Demirci
In this paper we develop two new chosen plaintext attacks on reduced rounds of the IDEA block cipher. The attacks exploit the word structure of the algorithm and are based on the observation that suitable chosen plaintexts give rise to special kinds of distributions which provide a way to distinguish reduced round IDEA output from a random permutation with very few plaintexts. As a result, we develop an attack for 3.5 rounds of IDEA which requires only 103 chosen plaintexts. We have reduced the number of required plaintexts significantly up to 4 rounds. We also present some interesting properties of the reduced round variants of the cipher which have not been published before. The properties and the attacks bring a different approach to analysing the cipher.
International Workshop on Lightweight Cryptography for Security and Privacy | 2013
Ferhat Karakoç; Hüseyin Demirci; A. Emre Harmanci
In this paper, we propose a software oriented lightweight block cipher, ITUbee. The cipher is especially suitable for resource constrained devices including an 8-bit microcontroller such as sensor nodes in wireless sensor networks. For a sensor node one of the most important constraints is the low energy consumption because of the limited battery power. Also, the memory on sensor nodes is restricted. We have simulated the performance of ITUbee on the AVR ATtiny45 microcontroller using the integrated development platform Atmel Studio 6. We have evaluated the memory usage and clock cycles needed for an encryption. The number of clock cycles gives a metric for energy consumption. The simulation results show that ITUbee is a competitive block cipher on 8-bit software platforms in terms of energy consumption. Also, the low memory requirement of the cipher is remarkable. In addition, we have shown that the attacks which are effective on software oriented lightweight block ciphers cannot reduce the 80-bit security level of ITUbee.
International Conference on Information Security Theory and Practice | 2012
Ferhat Karakoç; Hüseyin Demirci; A. Emre Harmanci
In this paper, we improve the impossible differential attack on 20-round LBlock given in the design paper of the LBlock cipher. Using relations between the round keys we attack 21-round and 22-round LBlock with a complexity of 2^69.5 and 2^79.28 encryptions respectively. We use the same 14-round impossible differential characteristic observed by the designers to attack 21 rounds and another 14-round impossible differential characteristic to attack 22 rounds of LBlock.
Information Processing Letters | 2013
Ferhat Karakoç; Hüseyin Demirci; A.E. Harmancı
LBlock and TWINE are two lightweight block ciphers recently designed for tiny computing devices, such as RFID tags and sensor network nodes. Both of the algorithms have a generalized Feistel structure with a block size of 64 bits. LBlock consists of 32 rounds and supports a key length of 80 bits while TWINE consists of 36 rounds and supports key lengths of 80 and 120 bits. In this paper, we present attacks on different numbers of rounds of these lightweight block ciphers by using the biclique cryptanalysis technique recently developed for cryptanalysis of the hash functions Skein-512 and SHA-2 and the Advanced Encryption Standard. Applying this technique on full LBlock we have a slight improvement over the brute force attack, while the biclique cryptanalysis of full TWINE has already been proposed.
International Conference on Selected Areas in Cryptography | 2011
Ferhat Karakoç; Hüseyin Demirci; A. Emre Harmancı
In this paper we analyze the security of PRINTcipher using a technique that combines differential and linear cryptanalysis. This technique is different from differential-linear cryptanalysis. We use linear approximations to increase the probability of differential characteristics. We show that specific choices of some of the key bits give rise to a certain differential characteristic probability, which is far higher than the best characteristic probability claimed by the designers. We give the underlying mechanism of this probability increase. We have developed attacks on 29 and 31 rounds of PRINTcipher-48 for 4.54% and 0.036% of the keys, respectively. Moreover, we have implemented the proposed attack algorithm on 20 rounds of the cipher.