Publication


Featured research published by Yukiyasu Tsunoo.


Cryptographic Hardware and Embedded Systems | 2003

Cryptanalysis of DES Implemented on Computers with Cache

Yukiyasu Tsunoo; Teruo Saito; Tomoyasu Suzaki; Maki Shigeri; Hiroshi Miyauchi

This paper presents the results of applying an attack against the Data Encryption Standard (DES) implemented in some applications, using side-channel information based on CPU delay as proposed in (11). This cryptanalysis technique uses side-channel information on encryption processing to select and collect effective plaintexts for cryptanalysis, and infers the information on the expanded key from the collected plaintexts. On applying this attack, we found that the cipher can be broken with $2^{23}$ known plaintexts and $2^{24}$ calculations at a success rate > 90%, using a personal computer with 600-MHz Pentium III. We discuss the feasibility of cache attack on ciphers that need many S-box look-ups, through reviewing the results of our experimental attacks on the block ciphers excluding DES, such as AES.


Fast Software Encryption | 2008

Impossible Differential Cryptanalysis of CLEFIA

Yukiyasu Tsunoo; Etsuko Tsujihara; Maki Shigeri; Teruo Saito; Tomoyasu Suzaki; Hiroyasu Kubo

This paper reports impossible differential cryptanalysis on the 128-bit block cipher CLEFIA that was proposed in 2007, including new 9-round impossible differentials for CLEFIA, and the result of an impossible differential attack using them. For the case of a 128-bit key, it is possible to apply the impossible differential attack to CLEFIA reduced to 12 rounds. The number of chosen plaintexts required is $2^{118.9}$ and the time complexity is $2^{119}$. For key lengths of 192 bits and 256 bits, it is possible to apply impossible differential attacks to 13-round and 14-round CLEFIA. The respective numbers of chosen plaintexts required are $2^{119.8}$ and $2^{120.3}$ and the respective time complexities are $2^{146}$ and $2^{212}$. These impossible differential attacks are the strongest method for attacking reduced-round CLEFIA.


Fast Software Encryption | 2006

Provably secure MACs from differentially-uniform permutations and AES-Based implementations

Kazuhiko Minematsu; Yukiyasu Tsunoo

We propose message authentication codes (MACs) that combine a block cipher and an additional (keyed or unkeyed) permutation. Our MACs are provably secure if the block cipher is pseudorandom and the additional permutation has a small differential probability. We also demonstrate that our MACs are easily implemented with AES and its 4-round version to obtain MACs that are provably secure and 1.4 to 2.5 times faster than the previous MAC modes of AES such as the CBC-MAC-AES.


International Journal of Information Security | 2006

Improving cache attacks by considering cipher structure

Yukiyasu Tsunoo; Etsuko Tsujihara; Maki Shigeri; Hiroyasu Kubo; Kazuhiko Minematsu

A concrete attack using side channel information from cache memory behaviour was proposed for the first time at ISITA 2002. The attack uses the difference between execution times associated with S-box cache-hits and cache-misses to recover the intermediate key. Recently, a theoretical estimation of the number of messages needed for the attack was proposed and it was reported that the average method obtains key information with fewer messages than maximum threshold or intermediate threshold method. Taking the structure of cipher into account, this paper provided the cache attack in which the average method is embodied, and provides improved key estimation. This paper includes the study on the attack that exploits internal collision.


Advances in Multimedia | 2007

A new video encryption scheme for H.264/AVC

Yibo Fan; Jidong Wang; Takeshi Ikenaga; Yukiyasu Tsunoo; Satoshi Goto

With the increase of video applications, the security of video data becomes more and more important. In this paper, we propose a new video encryption scheme for H.264/AVC video coding standard. We define Unequal Secure Encryption (USE) as an approach that applies different cryptographic algorithms (with different security strength) to different partitions of video data. The USE scheme includes two parts: video data classification and unequal secure video data encryption. For data classification, we propose 3 data classification methods and define 5 security levels in our scheme. For encryption, we propose a new stream cipher algorithm FLEX and XOR method to reduce computational cost. In this way, our scheme can achieve both high security and low computational cost. The experimental results show that the computational cost of the USE scheme is very low. In security level 0, the computational cost is about 18% of naive encryption. The USE scheme is very suitable for high security and low cost video encryption systems.


IEEE Transactions on Information Theory | 2007

A Distinguishing Attack on a Fast Software-Implemented RC4-Like Stream Cipher

Yukiyasu Tsunoo; Teruo Saito; Hiroyasu Kubo; Tomoyasu Suzaki

In 2005, Gong proposed an RC4-like stream cipher capable of fast operation on a 32/64-bit processor. This stream cipher solved the RC4 problem of difficult 32/64-bit processing, a problem once thought impossible to solve. Operation of the cipher on 32- and 64-bit processors is about 3.1 and 6.2 times as fast, respectively, as that of the RC4 cipher. However, we have found a considerable bias in the output sequence of the RC4-like stream cipher. Using the bias along with the first two words of a keystream associated with approximately $2^{30}$ secret keys allows us to build a distinguisher.


International Conference on Information Security and Cryptology | 2009

Higher Order Differential Attacks on Reduced-Round MISTY1

Yukiyasu Tsunoo; Teruo Saito; Maki Shigeri; Takeshi Kawabata

MISTY1 is a 64-bit block cipher that has provable security against differential and linear cryptanalysis. MISTY1 is one of the algorithms selected in the European NESSIE project, and it has been recommended for Japanese e-Government ciphers by the CRYPTREC project. This paper shows that higher order differential attacks can be successful against 6-round and 7-round versions of MISTY1 with FL functions. The attack on 6-round MISTY1 can recover a partial subkey with a data complexity of $2^{53.7}$ and a computational complexity of $2^{53.7}$, which is the smallest computational complexity for an attack on 6-round MISTY1. The attack on 7-round MISTY1 can recover a partial subkey with a data complexity of $2^{54.1}$ and a computational complexity of $2^{120.7}$, which signifies the first successful attack on 7-round MISTY1 without limiting conditions such as a weak key.


International Symposium on Information Theory and its Applications | 2008

Cryptanalysis of CLEFIA using multiple impossible differentials

Yukiyasu Tsunoo; Etsuko Tsujihara; Maki Shigeri; Tomoyasu Suzaki; Takeshi Kawabata

This paper reports impossible differential cryptanalysis on the 128-bit block cipher CLEFIA that was proposed in 2007. It is known that there are the 9-round impossible differentials in CLEFIA. This paper presents the several results of impossible differential attacks using multiple impossible differentials. For key lengths of 128, 192 and 256 bits, it is possible to apply impossible differential attacks to 12-round, 13-round and 14-round CLEFIA. For the case of a 128-bit key, this attack is the most efficient compared with previous results. For key lengths of 192 and 256 bits, the numbers of chosen plaintexts are the least.


IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences | 2008

An Unequal Secure Encryption Scheme for H.264/AVC Video Compression Standard

Yibo Fan; Jidong Wang; Takeshi Ikenaga; Yukiyasu Tsunoo; Satoshi Goto

H.264/AVC is the newest video coding standard. There are many new features in it which can be easily used for video encryption. In this paper, we propose a new scheme to do video encryption for H.264/AVC video compression standard. We define Unequal Secure Encryption (USE) as an approach that applies different encryption schemes (with different security strength) to different parts of compressed video data. This USE scheme includes two parts: video data classification and unequal secure video data encryption. Firstly, we classify the video data into two partitions: Important data partition and unimportant data partition. Important data partition has small size with high secure protection, while unimportant data partition has large size with low secure protection. Secondly, we use AES as a block cipher to encrypt the important data partition and use LEX as a stream cipher to encrypt the unimportant data partition. AES is the most widely used symmetric cryptography which can ensure high security. LEX is a new stream cipher which is based on AES and its computational cost is much lower than AES. In this way, our scheme can achieve both high security and low computational cost. Besides the USE scheme, we propose a low cost design of hybrid AES/LEX encryption module. Our experimental results show that the computational cost of the USE scheme is low (about 25% of naive encryption at Level 0 with VEA used). The hardware cost for hybrid AES/LEX module is 4678 Gates and the AES encryption throughput is about 50 Mbps.


IEEE Transactions on Information Theory | 2007

Cryptanalysis of Mir-1: A T-Function-Based Stream Cipher

Yukiyasu Tsunoo; Teruo Saito; Hiroyasu Kubo; Tomoyasu Suzaki

This correspondence describes the cryptanalysis of Mir-1, a T-function based stream cipher proposed at eSTREAM (the ECRYPT Stream Cipher Project) in 2005. This cipher uses a multiword T-function, with four 64-bit words, as its basic structure. Mir-1 operations process the data in every 64 bits (one word) to generate a keystream. The correspondence discusses a distinguishing attack against Mir-1 that exploits the T-function characteristics and the Mir-1 initialization. With merely three or four initial vector pairs, this attack can distinguish a Mir-1 output sequence from a truly random number sequence. In this case, the amount of data theoretically needed for cryptanalysis is only $2^{10}$ words. This correspondence also proposes a countermeasure that provides resistance against the attack described in this correspondence.
