Publication


Featured research published by Jorge Nakahara.


cryptology and network security | 2009

Linear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT

Jorge Nakahara; Pouyan Sepehrdad; Bingsheng Zhang; Meiqin Wang

The contributions of this paper include the first linear hull and a revisit of the algebraic cryptanalysis of reduced-round variants of the block cipher PRESENT, under known-plaintext and ciphertext-only settings. We introduce a pure algebraic cryptanalysis of 5-round PRESENT and in one of our attacks we recover half of the bits of the key in less than three minutes using an ordinary desktop PC. The PRESENT block cipher is a design by Bogdanov et al., announced in CHES 2007 and aimed at RFID tags and sensor networks. For our linear attacks, we can attack 25-round PRESENT with the whole code book, 2^96.68 25-round PRESENT encryptions, 2^40 blocks of memory and 0.61 success rate. Further we can extend the linear attack to 26-round with small success rate. As a further contribution of this paper we computed linear hulls in practice for the original PRESENT cipher, which corroborated and even improved on the predicted bias (and the corresponding attack complexities) of conventional linear relations based on a single linear trail.


cryptographic hardware and embedded systems | 2010

ARMADILLO: a multi-purpose cryptographic primitive dedicated to hardware

Stéphane Badel; Nilay Dagtekin; Jorge Nakahara; Khaled Ouafi; Nicolas Reffé; Pouyan Sepehrdad; Petr Sušil; Serge Vaudenay

This paper describes and analyzes the security of a general-purpose cryptographic function design, with application in RFID tags and sensor networks. Based on these analyses, we suggest minimum parameter values for the main components of this cryptographic function, called ARMADILLO. With a fully serial architecture we obtain that 2923 GE could perform one compression function computation within 176 clock cycles, consuming 44 µW at 1MHz clock frequency. This could either authenticate a peer or hash 48 bits, or encrypt 128 bits on RFID tags. A better tradeoff would use 4030 GE, 77 µW of power and 44 cycles for the same, to hash (resp. encrypt) at a rate of 1.1 Mbps (resp. 2.9 Mbps). As other tradeoffs are proposed, we show that ARMADILLO offers competitive performance for hashing relative to a fair Figure Of Merit (FOM).


international conference on cryptology in india | 2010

Algebraic, AIDA/Cube and Side Channel Analysis of KATAN Family of Block Ciphers

Gregory V. Bard; Nicolas T. Courtois; Jorge Nakahara; Pouyan Sepehrdad; Bingsheng Zhang

This paper presents the first results on AIDA/cube, algebraic and side-channel attacks on a variable number of rounds of all members of the KATAN family of block ciphers. Our cube attacks reach 60, 40 and 30 rounds of KATAN32, KATAN48 and KATAN64, respectively. In our algebraic attacks, we use SAT solvers as a tool to solve the quadratic equations representation of all KATAN ciphers. We introduced a novel pre-processing stage on the equations system before feeding it to the SAT solver. This way, we could break 79, 64 and 60 rounds of KATAN32, KATAN48 and KATAN64, respectively. We show how to perform side channel attacks on the full 254-round KATAN32 with one-bit information leakage from the internal state by cube attacks. Finally, we show how to reduce the attack complexity by combining the cube attack with the algebraic attack to recover the full 80-bit key. Further contributions include new phenomena observed in cube, algebraic and side-channel attacks on the KATAN ciphers. For the cube attacks, we observed that the same maxterms suggested more than one cube equation, thus reducing the overall data and time complexities. For the algebraic attacks, a novel pre-processing step led to a speed-up of the SAT solver program. For the side-channel attacks, 29 linearly independent cube equations were recovered after 40-round KATAN32. Finally, in the combined algebraic and cube attack, a leakage of key bits after 71 rounds led to a speed-up of the algebraic attack.


cryptology and network security | 2008

3D: A Three-Dimensional Block Cipher

Jorge Nakahara

The main contribution of this paper is a new iterated secret-key block cipher called 3D, inspired by the AES cipher. The 3D cipher has an SPN design, operates on 512-bit blocks, uses 512-bit keys, iterates 22 rounds, and employs a 3-dimensional state, instead of the 2-dimensional matrix of the AES. The main innovation of 3D includes the multi-dimensional state, generalizing the design of Rijndael, and allowing block sizes beyond the 256-bit boundary. This feature motivates the use of 3D as a building block for compression functions in hash functions, MAC and stream cipher constructions requiring large internal states. We explain the design decisions and discuss the security of 3D under several attack settings.


cryptology and network security | 2010

Cryptanalysis of reduced-round MIBS Block cipher

Asli Bay; Jorge Nakahara; Serge Vaudenay

This paper presents the first independent and systematic linear, differential and impossible-differential (ID) cryptanalyses of MIBS, a lightweight block cipher aimed at constrained devices such as RFID tags and sensor networks. Our contributions include linear attacks on up to 18-round MIBS, and the first ciphertext-only attacks on 13-round MIBS. Our differential analysis reaches 14 rounds, and our impossible-differential attack reaches 12 rounds. These attacks do not threaten the full 32-round MIBS, but significantly reduce its margin of security by more than 50%. One fact that attracted our attention is the striking similarity of the round function of MIBS with that of the Camellia block cipher. We actually used this fact in our ID attacks. We hope further similarities will help build better attacks for Camellia as well.


fast software encryption | 2009

Cryptanalysis of the ISDB Scrambling Algorithm (MULTI2)

Jean-Philippe Aumasson; Jorge Nakahara; Pouyan Sepehrdad

MULTI2 is the block cipher used in the ISDB standard for scrambling digital multimedia content. MULTI2 is used in Japan to secure multimedia broadcasting, including recent applications like HDTV and mobile TV. It is the only cipher specified in the 2007 Japanese ARIB standard for conditional access systems. This paper presents a theoretical break of MULTI2 (not relevant in practice), with shortcut key recovery attacks for any number of rounds. We also describe equivalent keys and linear attacks on reduced versions with up to 20 rounds (out of 32), improving on the previous 12-round attack by Matsui and Yamagishi. Practical attacks are presented on up to 16 rounds.


selected areas in cryptography | 2009

Cryptanalysis of the Full MMB Block Cipher

Meiqin Wang; Jorge Nakahara; Yue Sun

The block cipher MMB was designed by Daemen, Govaerts and Vandewalle, in 1993, as an alternative to the IDEA block cipher. We exploit and describe unusual properties of the modular multiplication in $\mathbb{Z}_{2^{32}-1}$, which lead to a differential attack on the full 6-round MMB cipher (both versions 1.0 and 2.0). Further contributions of this paper include detailed square and linear cryptanalysis of MMB. Concerning differential cryptanalysis (DC), we can break the full MMB with 2^118 chosen plaintexts, 2^95.91 6-round MMB encryptions and 2^64 counters, effectively bypassing the cipher's countermeasures against DC. For the square attack, we can recover the 128-bit user key for 4-round MMB with 2^34 chosen plaintexts, 2^126.32 4-round encryptions and 2^64 memory blocks. Concerning linear cryptanalysis, we present a key-recovery attack on 3-round MMB requiring 2^114.56 known plaintexts and 2^126 encryptions. Moreover, we detail a ciphertext-only attack on 2-round MMB using 2^93.6 ciphertexts and 2^93.6 parity computations. These attacks do not depend on weak-key or weak-subkey assumptions, and are thus independent of the key schedule algorithm.


international conference on information security | 2009

A New Approach to χ² Cryptanalysis of Block Ciphers

Jorge Nakahara; Gautham Sekar; Daniel Santana de Freitas; Chang Chiann; Ramon Hugo de Souza; Bart Preneel


international conference on cryptology in india | 2004

Faster Variants of the MESH Block Ciphers.

Jorge Nakahara


dagstuhl seminar proceedings | 2009

Mini-ciphers: a reliable testbed for cryptanalysis?

Jorge Nakahara; Daniel Santana de Freitas


Collaboration

Top co-authors of Jorge Nakahara:

Pouyan Sepehrdad (École Polytechnique Fédérale de Lausanne)
Serge Vaudenay (École Polytechnique Fédérale de Lausanne)
Gautham Sekar (Katholieke Universiteit Leuven)
Chang Chiann (University of São Paulo)
Asli Bay (École Polytechnique Fédérale de Lausanne)
Khaled Ouafi (École Polytechnique Fédérale de Lausanne)
Nilay Dagtekin (École Polytechnique Fédérale de Lausanne)
Petr Sušil (École Polytechnique Fédérale de Lausanne)