Differential cryptanalysis of Lucifer

Differential cryptanalysis was introduced as an approach to analyze the security of DES-like cryptosystems. The first example of a DES-like cryptosystem was Lucifer, the direct predecessor of DES, which is still believed by many people to be much more secure than DES, since it has 128 key bits, and since no attacks against (the full variant of) Lucifer were ever reported in the cryptographic literature. In this paper we introduce a new extension of differential cryptanalysis, devised to extend the class of vulnerable cryptosystems. This new extension suggests key-dependent characteristics, calledconditional characteristics, selected to increase the characteristics' probabilities for keys in subsets of the key space. The application of conditional characteristics to Lucifer shows that more than half of the keys of Lucifer are insecure, and the attack requires about 2³⁶ complexity and chosen plaintexts to find these keys. The same extension can also be used to attack a new variant of DES, called RDES, which was designed to be immune against differential cryptanalysis. These new attacks flash new light on the design of DES, and show that the transition of Lucifer to DES strengthened the later cryptosystem.     

An improvement of Davies’ attack on DES

In this paper we improve Davies’ attack [2] on DES to become capable of breaking the full 16-round DES faster than the exhaustive search. Our attack requires 2⁵⁰ known plaintexts and 2⁵⁰ complexity of analysis. If independent subkeys are used, a variant of this attack can find 26 bits out of the 768 key bits using 2⁵² known plaintexts. All the 768 bits of the subkeys can be found using 2⁶⁰ known plaintexts. The data analysis requires only several minutes on a SPARC workstation. Therefore, this is the third successful attack on DES, faster than brute force, after differential cryptanalysis [1] and linear cryptanalysis [5]. We also suggest criteria which make the S-boxes immune to this attack.     

对强化MD结构杂凑函数的一个新的“牧群”攻击

该文构造了具有2k个起始点的变长"钻石树"结构的多碰撞,并据此提出了对强化MD结构杂凑函数的一个新的选择目标强制前缀且原像长度为2k+3块的原像攻击(即"牧群"攻击).由于增大了攻击过程中可利用的中间链接值的数量,故当k≤n/4-1.05时,新的牧群攻击可将该攻击的计算复杂性由现有结果O(2n-2(k+1)+2n/2+k+5+2)降至O(2n-k/3+2n/2+k+2).     

Two-Key Triple Encryption

In this paper we consider multiple encryption schemes built from conventional cryptosystems such as DES. The existing schemes are either vulnerable to variants of meet-in-the-middle attacks, i.e., they do not provide security corresponding to the full key length used or there is no proof that the schemes are as secure as the underlying cipher. We propose a variant of two-key triple encryption with a new method of generating three keys from two. Our scheme is not vulnerable to the meet-in-the-middle attack and, under an appropriate assumption, we can show that our scheme is at least about as hard to break as the underlying block cipher. Received 22 June 1995 and revised 11 October 1996     

A Practical-Time Related-Key Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony

Over the last 20 years, the privacy of most GSM phone conversations was protected by the A5/1 and A5/2 stream ciphers, which were repeatedly shown to be cryptographically weak. They are being replaced now by the new A5/3 and A5/4 algorithms, which are based on the block cipher KASUMI. In this paper we describe a new type of attack called a sandwich attack, and use it to construct a simple related-key distinguisher for 7 of the 8 rounds of KASUMI with an amazingly high probability of 2^?14. By using this distinguisher and analyzing the single remaining round, we can derive the complete 128-bit key of the full KASUMI with a related-key attack which uses only 4 related keys, 2²⁶ data, 2³⁰ bytes of memory, and 2³² time. These completely practical complexities were experimentally verified by performing the attack in less than two hours on a single-core of a PC. Interestingly, neither our technique nor any other published attack can break the original MISTY block cipher (on which KASUMI is based) significantly faster than exhaustive search. Our results thus indicate that the modifications made by ETSI’s SAGE group in moving from MISTY to KASUMI made it extremely weak when related-key attacks are allowed, but do not imply anything about its resistance to single-key attacks. Consequently, there is no indication that the way KASUMI is implemented in GSM and 3G networks is practically vulnerable in any realistic attack model.     

Cryptanalysis of Triple Modes of Operation

Multiple modes of operation and, in particular, triple modes of operation were proposed as a simple method to improve the strength of blockciphers, and in particular of DES. Developments in the cryptanalysis of DES in recent years have popularized the triple modes of DES, and such modes are now considered for ANSI standards. In a previous paper we analyzed multiple modes of operation and showed that the security of many multiple modes is significantly smaller than expected. In this paper we extend these results, with new cryptanalytic techniques, and show that all the (cascaded) triple modes of operation are not much more secure than a single encryption—in the case of DES they can be attacked with up to an order of 2 ⁵⁶ —2 ⁶⁶ chosen plaintexts or ciphertexts and complexity of analysis. We then propose several candidates for more secure modes. Received 19 August 1996 and revised 29 September 1997     

Elucidating the Coordination of Diethyl Sulfide Molecules in Copper(I) Thiocyanate (CuSCN) Thin Films and Improving Hole Transport by Antisolvent Treatment

Copper(I) thiocyanate (CuSCN) is rising to prominence as a hole‐transporting semiconductor in various opto/electronic applications. Its unique combination of good hole mobility, high optical transparency, and solution‐processability renders it a promising hole‐transport layer for solar cells and p‐type channel in thin‐film transistors. CuSCN is typically deposited from sulfide‐based solutions with diethyl sulfide (DES) being the most widely used. However, little is known regarding the effects of DES on CuSCN films despite the fact that DES can coordinate with Cu(I) and result in a different coordination polymer having a distinct crystal structure when fully coordinated. Herein, the coordination of DES in CuSCN films is thoroughly investigated with a suite of characterization techniques as well as density functional theory. This study reveals that DES directly affects the microstructure of CuSCN by stabilizing the polar crystalline surfaces via the formation of strong coordination bonds. Furthermore, a simple antisolvent treatment is demonstrated to be effective at modifying the microstructure and morphology of CuSCN films. The treatment with tetrahydrofuran or acetone leads to uniform films consisting of CuSCN crystallites with high crystallinity and their surfaces passivated by DES molecules, resulting in an increase in the hole mobility from 0.01 to 0.05 cm² V^?1 s^?1.     

Is the Data Encryption Standard a group? (Results of cycling experiments on DES)

The Data Encryption Standard (DES) defines an indexed set of permutations acting on the message space ={0,1}⁶⁴. If this set of permutations were closed under functional composition, then the two most popular proposals for strengthening DES through multiple encryption would be equivalent to single encryption. Moreover, DES would be vulnerable to a known-plaintext attack that runs in 2²⁸ steps on the average. It is unknown in the open literature whether or not DES has this weakness.Two statistical tests are presented for determining if an indexed set of permutations acting on a finite message space forms a group under functional composition. The first test is a meet-in-the-middle algorithm which uses O(K) time and space, where K is the size of the key space. The second test, a novel cycling algorithm, uses the same amount of time but only a small constant amount of space. Each test yields a known-plaintext attack against any finite, deterministic cryptosystem that generates a small group.The cycling closure test takes a pseudorandom walk in the message space until a cycle is detected. For each step of the pseudorandom walk, the previous ciphertext is encrypted under a key chosen by a pseudorandom function of the previous ciphertext. Results of the test are asymmetrical: long cycles are overwhelming evidence that the set of permutations is not a group; short cycles are strong evidence that the set of permutations has a structure different from that expected from a set of randomly chosen permutations.Using a combination of software and special-purpose hardware, the cycling closure test was applied to DES. Experiments show, with overwhelming confidence, that DES is not a group. Additional tests confirm that DES is free of certain other gross algebraic weaknesses. But one experiment discovered fixed points of the so-called weak-key transformations, thereby revealing a previously unpublished additional weakness of the weak keys.Support for this research was provided in part by the National Science Foundation under contract number MCS-8006938 and by the International Business Machines Corporation.     

FPGA密码芯片改进掩码防护方法研究

功耗攻击已对密码芯片物理安全性构成严峻威胁,对其攻击和防御的研究是密码旁路分析的热点问题。文中给出了一种DES伪随机掩码算法的设计和实现方法,分析了算法抗功耗攻击的安全性。结果表明:一般的DES伪随机掩码算法只能抵抗一阶差分功耗攻击,不能有效防御二阶差分功耗攻击。为抵御二阶DPA攻击,采用掩码方法对DES掩码算法结构进行了改进,在理论上具有抗DPA攻击的能力。     

Practical Collisions for EnRUPT

The EnRUPT hash functions were proposed by O??Neil, Nohl and Henzen as candidates for the SHA-3 competition, organised by NIST. The proposal contains seven concrete hash functions, each with a different digest length. We present a practical collision attack on each of these seven EnRUPT variants. The time complexity of our attack varies from 2³⁶ to 2⁴⁰ round computations, depending on the EnRUPT variant, and the memory requirements are negligible. We demonstrate that our attack is practical by giving an actual collision example for EnRUPT-256.     

针对智能卡的断电式功耗分析攻击

针对智能卡采用个人身份码和密码算法双重保护机制,提出一种截断电源式的功耗分析方法,突破个人身份码的输入次数限制,通过穷举搜索获取个人身份码.并利用差分功耗分析技术,在40000个明文样本的情况下,攻击得到原型智能卡中DES密码的密钥.     

High reliability in PHEMT MMICs with dual-etch-stop AlAs layers for high-speed RF switch applications

We have conducted a thorough investigation on the long-term process reliability for our recently developed dual-etch-stop (DES) pseudomorphic high electron mobility transistor (PHEMT) process using the on-wafer-level accelerated DC and RF biased step stress test up to 320 °C channel temperature as well as package-level three-temperature constant stress lifetest. Devices studied are 0.9-μm-gate InGaAs PHEMTs with two silicon-doped AlAs layers as gate and channel etch-stop materials. High-temperature-operating-life (HTOL) test on our single-pole-double-throw (SPDT) switch products using this DES PHEMT process has also been performed. This article describes the detailed reliability experiments and compares the reliability results of this new DES PHEMT process against the standard non-etch-stop (NES) PHEMT baseline material. Extensive statistical analyses on the DES PHEMT devices derived an activation energy E_a=1.4 eV and a mean-time-to-failure (MTTF) > 10⁷ h at 125 °C, an order of magnitude better than our baseline NES PHEMTs. This study demonstrates and discusses the excellent reliability in the DES PHEMT process for wireless communications applications.     

对比特搜索生成器的猜测确定攻击

针对具有低重量反馈多项式的比特搜索生成器(BSG),利用猜测确定攻击的思想提出了一种快速密钥恢复攻击。该算法基于BSG序列的差分构造特点,首先由截获的密钥流恢复出候选差分序列,然后用反馈多项式对候选差分序列进行校验,以此减少需要求解的L维线性方程系统的数量,从而大大减少了算法所需的复杂度。理论分析和仿真结果表明,对于反馈多项式的重量小于10的BSG,该算法明显优于现有的攻击方法。特别地当反馈多项式的重量为3时,该算法能够将最好的攻击结果O(L320.5L)降低到O(L20.5L)。     

Interface Carriers and Enhanced Electron-Phonon Coupling Effect in Al2O3/TiO2 Heterostructure Revealed by Resonant Inelastic Soft X-Ray Scattering

The electronic structure and the electron-phonon couplings in a novel mass-production-compatible Al₂O₃/TiO₂ 2D electron system (2DES) are investigated using resonant inelastic soft X-ray scattering. The experimental data from the samples of various TiO₂ thicknesses unequivocally show that the Ti³⁺ state indeed exists at the deep interface to serve as an n-type dopant for the 2DES. The electronic structure of Ti³⁺ species is scrutinized as entirely separated from that of the Ti⁴⁺ host lattice. Furthermore, features of sub-eV energy loss phonon modes are clearly observed, indicating substantial electron-phonon coupling effects. Such low energy loss features are enhanced in thinner TiO₂ samples, implying that polaronic local lattice deformation is enhanced due to the presence of Ti³⁺. These findings suggest that the 2DES properties can be controlled via well-established TiO₂ engineering, thereby enthroning the binary oxide heterostructure as a promising candidate for 2DES device applications.     

A Single-Key Attack on the Full GOST Block Cipher

The GOST block cipher is the Russian encryption standard published in 1989. In spite of considerable cryptanalytic efforts over the past 20 years, a key recovery attack on the full GOST block cipher without any key conditions (e.g., weak keys and related keys) has not been published yet. In this paper, we show the first single-key attack, which works for all key classes, on the full GOST block cipher. To begin, we develop a new attack framework called Reflection-Meet-in-the-Middle Attack. This approach combines techniques of the reflection attack and the meet-in-the-middle (MITM) attack. Then we apply it to the GOST block cipher employing bijective S-boxes. In order to construct the full-round attack, we use additional novel techniques which are the effective MITM techniques using equivalent keys on a small number of rounds. As a result, a key can be recovered with a time complexity of 2²²⁵ encryptions and 2³² known plaintexts. Moreover, we show that our attack is applicable to the full GOST block cipher using any S-boxes, including non-bijective S-boxes.     

Shorter bit sequence is enough to break stream cipher LILI-128

LILI-128 is the stream cipher proposed as a candidate cipher for the New European Schemes for Signatures, Integrity, and Encryption (NESSIE) Project. Some methods of breaking it more efficiently than an exhaustive search for its secret key have been found already. The authors propose a new method, which uses shorter bit sequence to break LILI-128 successfully. An attack that can be made with less data can be a more practical threat. With only 2/sup 7/ bits of keystream, this method can break LILI-128 successfully. The efficiency of our attack depends on the memory size. For example, with 2/sup 99.1/ computations, our attack breaks LILI-128, if 2/sup 28.6/-bit memory is available.     

两种背包型的公钥密码算法的安全性分析

背包型公钥密码体制是几个最早的公钥密码体制之一,分析其安全性十分重要。该文对两种抵抗Shamir攻击和低密度攻击的背包型公钥密码体制进行了安全性分析,提出一种新的攻击方法,指出可以利用多项式时间算法以很大的概率找到私钥,从而破解了它们。     

Design of differential power analysis resistant crypto chip based on time randomization

Differential Power Analysis (DPA) is an effective attack method to break the crypto chips and it has been considered to be a threat to security of information system. With analyzing the principle of resist-ing DPA, an available countermeasure based on randomization is proposed in this paper. Time delay is in-serted in the operation process and random number is precharged to the circuit during the delay time, the normal schedule is disturbed and the power is randomized. Following this methodology, a general DPA re-sistance random precharge architecture is proposed and DES algorithm following this architecture is imple-mented. This countermeasure is testified to be efficient to resist DPA.     

投影 C *-体制的缺陷

This paper presents an algebraic method to attack the projected C*^- cryptographic scheme. The attack applies the affine parts of the private keys and the weakness caused by the structures of the private keys to find a large number of linear equations. The attack can recover the private keys efficiently when the parameters are small enough. Meanwhile, the weak keys of the scheme are found and the private keys can be recovered efficiently once the weak keys are used.The paper also proposes a new modification of C*^- cryptographic scheme, which is not only as efficient as original projected C*? scheme, but also resistant to the differential attack and the attack proposed in this paper.     

Cryptanalysis of the ANSI X9.52 CBCM mode

In this paper we cryptanalyze the CBCM mode of operation, which was almost included in the ANSI X9.52 Triple-DES Modes of Operation standard. The CBCM mode is a Triple-DES CBC variant which was designed against powerful attacks which control intermediate feedback for the benefit of the attacker. For this purpose, it uses intermediate feedbacks that the attacker cannot control, choosing them as a keyed OFB stream, independent of the plaintexts and the ciphertexts. In this paper we find a way to use even this kind of feedback for the benefit of the attacker, and we present an attack which requires a single chosen ciphertext of 2 ⁶⁵ blocks which needs to be stored and 2 ⁵⁹ complexity of analysis (CBCM encryptions) to find the key with a high probability. As a consequence of our attack, ANSI decided to remove the CBCM mode from the proposed standard. Received May 1998 and revised June 2001 Online publication 28 November 2001