Joseph Lano

On the (im)possibility of practical and secure nonlinear filters and combiners

A vast amount of literature on stream ciphers is directed to the cryptanalysis of LFSR-based filters and combiners, resulting in various cryptanalytic attacks. In this paper, we present a unified framework for the security of a design against these attacks based on the properties of the LFSR(s) and the Boolean function used. It is explained why building nonlinear filters seems more practical than building nonlinear combiners. We also investigate concrete building blocks that offer a good trade-off in their resistance against these various attacks, and can at the same time be used to build a low-cost synchronous stream cipher for hardware applications.

Cryptanalysis of the Alleged SecurID Hash Function

The SecurID hash function is used for authenticating users to a corporate computer infrastructure. We analyse an alleged implementation of this hash function. The block cipher at the heart of the function can be broken in few milliseconds on a PC With 70 adaptively chosen plaintexts. The 64-bit secret key of 10% of the cards can be discovered given two months of token outputs and 2 48 analysis steps. A larger fraction of cards can be covered given more observation time.

Non-randomness of the full 4 and 5-pass HAVAL

HAVAL is a cryptographic hash function proposed in 1992 by Zheng, Pieprzyk and Seberry. Its structure is quite similar to other widely used hash functions such as MD5 and SHA-1. The specification of HAVAL includes a security parameter: the number of passes (that is, the number of times that a particular word of the message is used in the computation) which can be chosen equal to 3, 4 or 5. In this paper we cryptanalyze the compression functions of the 4-pass and the 5-pass HAVAL using differential cryptanalysis. We show that each of these two functions can be distinguished from a truly random function.

Recent attacks on alleged SecurID and their practical implications

SecurID tokens are developed by SDTI/RSA Security to authenticate users to a corporate computer infrastructure. In this paper we show the results of our analysis of the function contained in these tokens. The block cipher at the heart of the function can be broken in milliseconds. We present two attack scenarios on the full function: if one can observe the output of the device during some time period, one can predict with high probability future output values and one can recover the secret key significantly faster than by exhaustive search.

Extending the resynchronization attack

Synchronous stream ciphers need perfect synchronization between sender and receiver. In practice, this is ensured by a resync mechanism. Daemen et al. [10] first described attacks on ciphers using such a resync mechanism. In this paper, we extend their attacks in several ways by combining the standard attack with cryptanalytic techniques such as algebraic attacks and linear cryptanalysis. Our results show that using linear resync mechanisms should be avoided, and provide lower bounds for the nonlinearity required from a secure resync mechanism.

Cryptanalysis of Sober-t32

Sober-t32 is a candidate stream cipher in the NESSIE competition. Some new attacks are presented in this paper. A Guess and Determine attack is mounted against Sober-t32 without the decimation of the key stream by the so-called stuttering phase. Also, two distinguishing attacks are mounted against full Sober-t32. These attacks are not practically feasible, but they are theoretically more efficient than exhaustive key search.

Cryptanalysis of the two-dimensional circulation encryption algorithm

We analyze the security of the two-dimensional circulation encryption algorithm (TDCEA), recently published by Chen et al. in this journal. We show that there are several flaws in the algorithm and describe some attacks. We also address performance issues in current cryptographic designs.

Cryptanalysis of reduced variants of the FORK-256 hash function

FORK-256 is a hash function presented at FSE 2006. Whereas SHA-like designs process messages in one stream, FORK-256 uses four parallel streams for hashing. In this article, we present the first cryptanalytic results on this design strategy. First, we study a linearized variant of FORK-256, and show several unusual properties of this linearized variant. We also explain why the linearized model can not be used to mount attacks similar to the recent attacks by Wang et al. on SHA-like hash functions. Second, we show how collision attacks, exploiting the non-bijectiveness of the nonlinear functions of FORK-256, can be mounted on reduced variants of FORK-256. We show an efficient attack on FORK-256 reduced to 2 streams and present actual colliding pairs. We expect that our attack can also be extended to FORK-256 reduced to 3 streams. For the moment our approach does not appear to be applicable to the full FORK-256 hash function.

Evaluating the resistance of stream ciphers with linear feedback against fast algebraic attacks

In this paper we evaluate the resistance of stream ciphers with linear feedback against fast algebraic attacks. We summarize the current knowledge about fast algebraic attacks, develop new and more efficient algorithms to evaluate the resistance against fast algebraic attacks, study theoretical bounds on the attacks, and apply our methodology to the eSTREAM candidates SFINKS and WG as an illustration.