Nasratullah GHAFOORI Atsuko MIYAJI Ryoma ITO Shotaro MIYASHITA
This paper introduces significant improvements over the existing cryptanalysis approaches on Salsa20 and ChaCha stream ciphers. For the first time, we reduced the attack complexity on Salsa20/8 to the lowest possible margin. We introduced an attack on ChaCha7.25. It is the first attack of its type on ChaCha7.25/20. In our approach, we studied differential cryptanalysis of the Salsa20 and ChaCha stream ciphers based on a comprehensive analysis of probabilistic neutral bits (PNBs). The existing differential cryptanalysis approaches on Salsa20 and ChaCha stream ciphers first study the differential bias at specific input and output differential positions and then search for probabilistic neutral bits. However, the differential bias and the set of PNBs obtained in this method are not always the ideal combination to conduct the attack against the ciphers. The researchers have not focused on the comprehensive analysis of the probabilistic neutrality measure of all key bits concerning all possible output difference positions at all possible internal rounds of Salsa20 and ChaCha stream ciphers. Moreover, the relationship between the neutrality measure and the number of inverse quarter rounds has not been scrutinized yet. To address these study gaps, we study the differential cryptanalysis based on the comprehensive analysis of probabilistic neutral bits on the reduced-round Salsa20 and ChaCha. At first, we comprehensively analyze the neutrality measure of 256 key bits positions. Afterward, we select the output difference bit position with the best average neutrality measure and look for the corresponding input differential with the best differential bias. Considering all aspects, we present an attack on Salsa20/8 with a time complexity of 2241.62 and data complexity of 231.5, which is the best-known single bit differential attack on Salsa20/8 and then, we introduced an attack on ChaCha7.25 rounds with a time complexity of 2254.011 and data complexity of 251.81.
Jiang MA Jun ZHANG Yanguo JIA Xiumin SHEN
Pseudorandom sequences with large linear complexity can resist the linear attack. The trace representation plays an important role in analysis and design of pseudorandom sequences. In this letter, we present the construction of a family of new binary sequences derived from Euler quotients modulo pq, where pq is a product of two primes and p divides q-1. Firstly, the linear complexity of the sequences are investigated. It is proved that the sequences have larger linear complexity and can resist the attack of Berlekamp-Massey algorithm. Then, we give the trace representation of the proposed sequences by determining the corresponding defining pair. Moreover, we generalize the result to the Euler quotients modulo pmqn with m≤n. Results indicate that the generalized sequences still have high linear complexity. We also give the trace representation of the generalized sequences by determining the corresponding defining pair. The result will be helpful for the implementation and the pseudorandom properties analysis of the sequences.
Construction of resilient Boolean functions in odd variables having strictly almost optimal (SAO) nonlinearity appears to be a rather difficult task in stream cipher and coding theory. In this paper, based on the modified High-Meets-Low technique, a general construction to obtain odd-variable SAO resilient Boolean functions without directly using PW functions or KY functions is presented. It is shown that the new class of functions possess higher resiliency order than the known functions while keeping higher SAO nonlinearity, and in addition the resiliency order increases rapidly with the variable number n.
Luyang LI Linhui WANG Dong ZHENG Qinlan ZHAO
Construction of multiple output functions is one of the most important problems in the design and analysis of stream ciphers. Generally, such a function has to be satisfied with several criteria, such as high nonlinearity, resiliency and high algebraic degree. But there are mutual restraints among the cryptographic parameters. Finding a way to achieve the optimization is always regarded as a hard task. In this paper, by using the disjoint linear codes and disjoint spectral functions, two classes of resilient multiple output functions are obtained. It has been proved that the obtained functions have high nonlinearity and high algebraic degree.
Jin HOKI Kosei SAKAMOTO Kazuhiko MINEMATSU Takanori ISOBE
In this paper, we explore the security against integral attacks on well-known stream ciphers SNOW 3G and KCipher-2. SNOW 3G is the core of the 3GPP confidentiality and integrity algorithms UEA2 and UIA2, and KCipher-2 is a standard algorithm of ISO/IEC 18033-4 and CRYPTREC. Specifically, we investigate the propagation of the division property inside SNOW 3G and KCipher-2 by the Mixed-Integer Linear Programming to efficiently find an integral distinguisher. As a result, we present a 7-round integral distinguisher with 23 chosen IVs for KCipher-2. As far as we know, this is the first attack on a reduced variant of KCipher-2 by the third party. In addition, we present a 13-round integral distinguisher with 27 chosen IVs for SNOW 3G, whose time/data complexity is half of the previous best attack by Biryukov et al.
This paper presents new key correlations of the keystream bytes generated from RC4 and their application to plaintext recovery on WPA-TKIP. We first observe new key correlations between two bytes of the RC4 key pairs and a keystream byte in each round, and provide their proofs. We refer to these correlations as iterated RC4 key correlations since two bytes of the RC4 key pairs are iterated every 16 rounds. We then extend the existing attacks by Isobe et al. at FSE 2013 and AlFardan et al. at USENIX Security 2013, 0and finally propose an efficient attack on WPA-TKIP. We refer to the proposed attack as chosen plaintext recovery attack (CPRA) since it chooses the best approach for each byte from a variety of the existing attacks. In order to recover the first 257 bytes of a plaintext on WPA-TKIP with success probability of at least 90%, CPRA requires approximately 230 ciphertexts, which are approximately half the number of ciphertexts for the existing attack by Paterson et al. at FSE 2014.
Jin HOKI Kosei SAKAMOTO Fukang LIU Kazuhiko MINEMATSU Takanori ISOBE
This paper investigates the security of KCipher-2 against differential attacks. We utilize an MILP-based method to evaluate the minimum number of active S-boxes in each round. We try to construct an accurate model to describe the 8-bit truncated difference propagation through the modular addition operation and the linear transformation of KCipher-2, respectively, which were omitted or simplified in the previous evaluation by Preneel et al. In our constructed model, the difference characteristics neglected in Preneel et al.'s evaluation can be taken into account and all valid differential characteristics can be covered. As a result, we reveal that the minimal number of active S-boxes is 25 over 15 rounds in the related IV setting and it is 17 over 24 rounds in the related IV-key setting. Therefore, this paper shows for the first time that KCipher-2 is secure against the related IV differential attack.
In recent years, with the continuous development of the Internet of Things, radio frequency identification (RFID) technology has also been widely concerned. The computing power of low cost tags is limited because of their high hardware requirements. Symmetric encryption algorithms and asymmetric encryption algorithms, such as RSA, DES, AES, etc., cannot be suitable for low cost RFID protocols. Therefore, research on RFID security authentication protocols with low cost and high security has become a focus. Recently, an ultralightweight RFID authentication protocol LP2UF was proposed to provide security and prevent all possible attacks. However, it is discovered that a type of desynchronization attack can successfully break the proposed scheme. To overcome the vulnerability against desynchronization attacks, we propose here a new ultra-lightweight RFID two-way authentication protocol based on stream cipher technology that uses only XOR. The stream cipher is employed to ensure security between readers and tags. Analysis shows that our protocol can effectively resist position tracking attacks, desynchronization attacks, and replay attacks.
In 2015, Carlet and Tang [Des. Codes Cryptogr. 76(3): 571-587, 2015] proposed a concept called enhanced Boolean functions and a class of such kind of functions on odd number of variables was constructed. They proved that the constructed functions in this class have optimal algebraic immunity if the numbers of variables are a power of 2 plus 1 and at least sub-optimal algebraic immunity otherwise. In addition, an open problem that if there are enhanced Boolean functions with optimal algebraic immunity and maximal algebraic degree n-1 on odd variables n≠2k+1 was proposed. In this letter, we give a negative answer to the open problem, that is, we prove that there is no enhanced Boolean function on odd n≠2k+1 variables with optimal algebraic immunity and maximal algebraic degree n-1.
Miao TANG Juxiang WANG Minjia SHI Jing LIANG
Linear complexity and the k-error linear complexity of periodic sequences are the important security indices of stream cipher systems. This paper focuses on the distribution of p-error linear complexity of p-ary sequences with period pn. For p-ary sequences of period pn with linear complexity pn-p+1, n≥1, we present all possible values of the p-error linear complexity, and derive the exact formulas to count the number of the sequences with any given p-error linear complexity.
Luyang LI Dong ZHENG Qinglan ZHAO
Boolean functions and vectorial Boolean functions are the most important components of stream ciphers. Their cryptographic properties are crucial to the security of the underlying ciphers. And how to construct such functions with good cryptographic properties is a nice problem that worth to be investigated. In this paper, using two small nonlinear functions with t-1 resiliency, we provide a method on constructing t-resilient n variables Boolean functions with strictly almost optimal nonlinearity >2n-1-2n/2 and optimal algebraic degree n-t-1. Based on the method, we give another construction so that a large class of resilient vectorial Boolean functions can be obtained. It is shown that the vectorial Boolean functions also have strictly almost optimal nonlinearity and optimal algebraic degree.
Subhadeep BANIK Takanori ISOBE Masakatu MORII
The stream cipher Sprout with a short internal state was proposed in FSE 2015. Although the construction guaranteed resistance to generic Time Memory Data Tradeoff attacks, there were some weaknesses in the design and the cipher was completely broken. In this paper we propose a family of stream ciphers LILLE in which the size of the internal state is half the size of the secret key. Our main goal is to develop robust lightweight stream cipher. To achieve it, our cipher based on the two-key Even Mansour construction and thus its security against key/state recovery attacks reduces to a well analyzed problem. We also prove that like Sprout, the construction is resistant to generic Time Memory Data Tradeoff attacks. Unlike Sprout, the construction of the cipher guarantees that there are no weak key-IV pairs which produce a keystream sequence with short period or which make the algebraic structure of the cipher weaker and easy to cryptanalyze. The reference implementations of all members of the LILLE family with standard cell libraries based on the STM 90nm and 65nm processes were also found to be smaller than Grain v1 while security of LILLE family depend on reliable problem in the symmetric cryptography.
Tongjiang YAN Ruixia YUAN Xiao MA
In this paper, we consider the crosscorrelation of two interleaved sequences of period 4N constructed by Gong and Tang which has been proved to possess optimal autocorrelation. Results show that the interleaved sequences achieve the largest crosscorrelation value 4.
Subhadeep BANIK Takanori ISOBE Masakatu MORII
Spritz is a stream cipher proposed by Rivest and Schuldt at the rump session of CRYPTO 2014. It is intended to be a replacement of the popular RC4 stream cipher. In this paper we propose distinguishing attacks on the full Spritz, based on a short-term bias in the first two bytes of a keystream and a long-term bias in the first two bytes of every cycle of N keystream bytes, where N is the size of the internal permutation. Our attacks are able to distinguish a keystream of the full Spritz from a random sequence with samples of first two bytes produced by 244.8 multiple key-IV pairs or 260.8 keystream bytes produced by a single key-IV pair. These biases are also useful in the event of plaintext recovery in a broadcast attack. In the second part of the paper, we look at a state recovery attack on Spritz, in a special situation when the cipher enters a class of weak states. We determine the probability of encountering such a state, and demonstrate a state recovery algorithm that betters the 21400 step algorithm of Ankele et al. at Latincrypt 2015. Finally we propose a simple fix that removes the bias in the first two keystream bytes. The countermeasure requires only one additional memory access and hence does not diminish software performance substantially, and in fact the loss in software speed is only around 1.5%.
Hao CHEN Tao WANG Shize GUO Xinjie ZHAO Fan ZHANG Jian LIU
The differential fault analysis of SOSEMNAUK was presented in Africacrypt in 2011. In this paper, we improve previous work with algebraic techniques which can result in a considerable reduction not only in the number of fault injections but also in time complexity. First, we propose an enhanced method to determine the fault position with a success rate up to 99% based on the single-word fault model. Then, instead of following the design of SOSEMANUK at word levels, we view SOSEMANUK at bit levels during the fault analysis and calculate most components of SOSEMANUK as bit-oriented. We show how to build algebraic equations for SOSEMANUK and how to represent the injected faults in bit-level. Finally, an SAT solver is exploited to solve the combined equations to recover the secret inner state. The results of simulations on a PC show that the full 384 bits initial inner state of SOSEMANUK can be recovered with only 15 fault injections in 3.97h.
To resist algebraic and fast algebraic attacks, Boolean functions used in stream ciphers should have optimal algebraic immunity and good fast algebraic immunity. One challenge of cryptographic Boolean functions is to determine their ability to resist fast algebraic attacks, which can be measured by their fast algebraic immunities. In this letter, we determine the exact values of fast algebraic immunity of the majority function of 2m and 2m+1 variables. This is the first time that the exact values of the fast algebraic immunity of an infinite class of symmetric Boolean functions with optimal algebraic immunity are determined.
Longjiang QU Shaojing FU Qingping DAI Chao LI
In this paper, we study the problem of a Boolean function can be represented as the sum of two bent functions. This problem was recently presented by N. Tokareva when studying the number of bent functions [27]. Firstly, several classes of functions, such as quadratic Boolean functions, Maiorana-MacFarland bent functions, many partial spread functions etc, are proved to be able to be represented as the sum of two bent functions. Secondly, methods to construct such functions from low dimension ones are also introduced. N. Tokareva's main hypothesis is proved for n≤6. Moreover, two hypotheses which are equivalent to N. Tokareva's main hypothesis are presented. These hypotheses may lead to new ideas or methods to solve this problem. Finally, necessary and sufficient conditions on the problem when the sum of several bent functions is again a bent function are given.
RC4 stream cipher, designed by Rivest in 1987, is widely used in various standard protocols and commercial applications. After the disclosure of RC4 algorithm in 1994, many cryptanalytic results on RC4 have been reported. In 1996, Jenkins discovered correlations between a keystream byte and an internal state variable. This is known as the Glimpse theorem. In 2013, Maitra and Sen Gupta proved the Glimpse theorem and showed other correlations between two consecutive keystream bytes and an internal state variable. This is called the long-term Glimpse. These correlations provide only cases with positive biases, and hold generally on any round. In this paper, we refine known Glimpse correlations from two aspects. One is to find new positive or negative biases on all values in addition to a known value. The other is to provide precise biases on specific rounds. As a result, we can discover 6 cases with several new biases, and prove these cases theoretically. From the first refinement, combining our new biases with known one, the long-term Glimpse with positive biases is integrated into a whole. From the second refinement, we can successfully find that two correlations on specific rounds become an impossible condition.
Minglong QI Shengwu XIONG Jingling YUAN Wenbi RAO Luo ZHONG
Let r be an odd prime, such that r≥5 and r≠p, m be the order of r modulo p. Then, there exists a 2pth root of unity in the extension field Frm. Let G(x) be the generating polynomial of the considered quaternary sequences over Fq[x] with q=rm. By explicitly computing the number of zeros of the generating polynomial G(x) over Frm, we can determine the degree of the minimal polynomial, of the quaternary sequences which in turn represents the linear complexity. In this paper, we show that the minimal value of the linear complexity is equal to $ rac{1}{2}(3p-1) $ which is more than p, the half of the period 2p. According to Berlekamp-Massey algorithm, these sequences viewed as enough good for the use in cryptography.
Yu ZHOU Lin WANG Weiqiong WANG Xiaoni DU
The global avalanche characteristics measure the overall avalanche properties of Boolean functions, an n-variable balanced Boolean function of the sum-of-square indicator reaching σƒ=22n+2n+3 is an open problem. In this paper, we prove that there does not exist a balanced Boolean function with σƒ=22n+2n+3 for n≥4, if the hamming weight of one decomposition function belongs to the interval Q*. Some upper bounds on the order of propagation criterion of balanced Boolean functions with n (3≤n≤100) variables are given, if the number of vectors of propagation criterion is equal and less than 7·2n-3-1. Two lower bounds on the sum-of-square indicator for balanced Boolean functions with optimal autocorrelation distribution are obtained. Furthermore, the relationship between the sum-of-squares indicator and nonlinearity of balanced Boolean functions is deduced, the new nonlinearity improves the previously known nonlinearity.