Similar literature
Found 20 similar documents; search took 46 ms
1.
A collision property analysis of the GMR-2 cipher used in satellite phones is presented. By using the F-component as a bridge, the link between the difference of the key byte and the collision of the output of F, as well as the link between the collision of the output of F and the collision of the keystream byte, were analyzed, which finally revealed the relationship between the difference of the original key byte and the keystream collision. The theoretical analysis showed that, for a random frame number, a specially chosen key pair could lead to a keystream collision with high probability when the key pair has only one byte difference in which the most significant 4 bits of the difference are equal to the least significant 4 bits. The experimental result shows that the keystream collision probability is $2^{-8.248}$, which is far higher than the ideal collision probability $2^{-120}$. This proves once again that there exist serious potential security hazards in the GMR-2 cipher.

2.
The GOST block cipher is the Russian encryption standard published in 1989. In spite of considerable cryptanalytic efforts over the past 20 years, a key recovery attack on the full GOST block cipher without any key conditions (e.g., weak keys and related keys) has not been published yet. In this paper, we show the first single-key attack, which works for all key classes, on the full GOST block cipher. To begin, we develop a new attack framework called Reflection-Meet-in-the-Middle Attack. This approach combines techniques of the reflection attack and the meet-in-the-middle (MITM) attack. Then we apply it to the GOST block cipher employing bijective S-boxes. In order to construct the full-round attack, we use additional novel techniques which are the effective MITM techniques using equivalent keys on a small number of rounds. As a result, a key can be recovered with a time complexity of $2^{225}$ encryptions and $2^{32}$ known plaintexts. Moreover, we show that our attack is applicable to the full GOST block cipher using any S-boxes, including non-bijective S-boxes.

3.
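Related-key impossible differential attack on reduced-round LBlock   Total citations: 1, self-citations: 0, citations by others: 1
LBlock is a lightweight cipher designed by Wu Wenling et al. in 2011. Using a special related-key differential characteristic, this paper mounts a related-key impossible differential attack on 19-round LBlock; the computational complexity of the attack is $O(2^{70.0})$ and the required data is $2^{64}$. Furthermore, a related-key impossible differential attack on 21-round LBlock is proposed, with computational complexity $O(2^{71.5})$ and data $2^{63}$.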

4.
This paper presents an effective field-programmable gate array (FPGA)-based hardware implementation of a parallel key searching system for the brute-force attack on RC4 encryption. The design employs several novel key scheduling techniques to minimize the total number of cycles for each key search and uses on-chip memories of the FPGA to maximize the number of key searching units per chip. Based on the design, a total of 176 RC4 key searching units can be implemented in a single Xilinx XC2VP20-5 FPGA chip, which currently costs only a few hundred U.S. dollars. Operating at a 47-MHz clock rate, the design can achieve a key searching speed of $1.07 \times 10^{7}$ keys per second. Breaking a 40-bit RC4 encryption only requires around 28.5 h.

5.
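The LEA cipher is an ARX-type lightweight block cipher that is widely applicable to severely resource-constrained environments. This paper uses the miss-in-the-middle technique to find 86 8-round and 6 9-round zero-correlation distinguishers for LEA and, further exploiting the relationship between zero-correlation distinguishers and integral distinguishers, constructs 5 8-round and 1 9-round integral distinguishers. Based on the 8-round integral distinguishers, and using properties of the key schedule together with the partial-sum technique, a 10-round integral attack on LEA-128 is realized for the first time, with a computational complexity of $2^{120}$ 10-round LEA-128 encryptions. Furthermore, an 11-round integral attack on LEA-192 and an 11-round integral attack on LEA-256 are realized, with computational complexities of $2^{185.02}$ 11-round LEA-192 encryptions and $2^{248}$ 11-round LEA-256 encryptions, respectively.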

6.
RC5 is a block cipher that has several salient features such as adaptability to process different word lengths with a variable block size, a variable number of rounds and a variable‐length secret key. However, RC5 can be broken with various attacks such as correlation attack, timing attack, known plaintext correlation attack and differential attacks, revealing weak security. We aimed to enhance the RC5 block cipher to be more secure and efficient for real‐time applications while preserving its advantages. For this purpose, this article introduces a new approach based on strengthening both the confusion and diffusion operations by combining chaos and cryptographic primitive operations to produce round keys with better pseudo‐random sequences. Comparative security analysis and performance evaluation of the enhanced RC5 block cipher (ERC5) with RC5, RC6 and chaotic block cipher algorithm (CBCA) are addressed. Several test images are used for inspecting the validity of the encryption and decryption algorithms. The experimental results show the superiority of the suggested enhanced RC5 (ERC5) block cipher to image encryption algorithms such as RC5, RC6 and CBCA from the security analysis and performance evaluation points of view.

7.
The first known cryptanalysis of the full 32 rounds of Skipjack, a symmetric-key block cipher, is presented. By exploiting its periodic key schedule, a complementation slide attack is mounted, requiring only $2^{32.5}$ known texts and $2^{44}$ encryptions. This result shows the importance of putting more emphasis on key schedule design.

8.
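Research on the differential properties of "addition modulo $2^n$ with a key"   Total citations: 1, self-citations: 0, citations by others: 1
Zheng Bin, Guan Jie. Journal of Electronics & Information Technology, 2009, 31(11): 2708-2712
"Addition modulo $2^n$ with a key K", $Y = X + K \bmod 2^n$, is a commonly used basic component in cipher algorithms and is widely used in algorithms such as SAFER++, RC6 and Phelix. This paper carries out a differential analysis of $Y = X + K \bmod 2^n$ and gives, for the first time, the structural characteristics and counting formulas of the input difference, the output difference and the key when the differential transition probability takes the maximum value 1, the second-largest value $1 - 1/2^{n-2}$, the second-smallest value $1/2^{n-2}$, and the value 1/2.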

9.
In this paper we analyze the block cipher SAFER K. First, we show a weakness in the key schedule, that has the effect that for almost every key there exists on the average three and a half other keys such that the encryptions of plaintexts different in one of eight bytes yield ciphertexts also different in only one byte. Moreover, the differences in the keys, plaintexts, and ciphertexts are in the same byte. This enables us to do a related-key chosen plaintext attack on SAFER K, which finds the secret key. Also, the security of SAFER K, when used in standard hashing modes, is greatly reduced, which is illustrated. Second, we propose a new key schedule for SAFER K avoiding these problems. Third, we do differential cryptanalysis of SAFER K. We consider truncated differentials and apply them in an attack on five-round SAFER K, which finds the secret key much faster than by an exhaustive search. Received 21 December 1997 and revised 29 May 1998

10.
I-PRESENT is a lightweight SPN block cipher for resource-constrained environments such as RFID tags and sensor networks. The biclique structures of I-PRESENT were constructed with the sieve-in-the-middle technique. Biclique cryptanalysis schemes on full-round I-PRESENT-80 and I-PRESENT-128 were proposed for the first time. The results show that the data complexity of the biclique cryptanalysis on I-PRESENT-80 and I-PRESENT-128 is $2^{26}$ and $2^{36}$ chosen ciphertexts respectively, and the time complexity on them is $2^{79.48}$ and $2^{127.33}$ encryptions respectively. The time and data complexity are better than those of the exhaustive attack. In addition, the time complexity on them can be reduced to $2^{78.61}$ and $2^{126.48}$ encryptions by using the related-key technology of I-PRESENT.

11.
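Tan Cheng, Chen Man, Ji Qingbing. Communications Technology, 2020, (1): 156-160
Identification of data encrypted with the RC4, A5/1 and Trivium stream ciphers is studied. First, stream cipher identification is carried out both when the training and test samples use the same encryption key and when they use different keys. Second, mixed identification of stream ciphers and block ciphers is carried out. Finally, stream cipher identification in the short-keystream case is considered. The experimental results show that, even when the training and test samples use different encryption keys, identification based on short keystreams achieves good results, and that the stream ciphers can be identified together with 3DES and Blowfish at a high recognition rate.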

12.
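The Digital Video Broadcasting Common Scrambling Algorithm (DVB-CSA) is a hybrid symmetric encryption algorithm consisting of a block cipher part and a stream cipher part. It is commonly used to protect signal streams in the MPEG-2 video compression standard. This paper studies the impossible differential properties of the DVB-CSA block cipher (DVB-CSA-Block Cipher, CSA-BC). By using the specific details of the S-box, the paper constructs a 22-round impossible differential distinguisher for CSA-BC, which is 2 rounds longer than the best previous result. Furthermore, using the constructed 22-round impossible differential distinguisher, reduced 25-round CSA-BC is attacked, and the attack can recover 24 bits of the seed key. The data, time and memory complexities of the attack are $2^{53.3}$ chosen plaintexts, $2^{32.5}$ encryptions and $2^{24}$ memory units, respectively. For impossible differential analysis of CSA-BC, the best previously known result attacks 21-round CSA-BC and recovers 16 bits of the seed key. In terms of the number of rounds attacked and the amount of key recovered, the attack in this paper greatly improves on the best previous result.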

13.
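Using Atmospheric Infrared Sounder (AIRS) satellite observations from December 2002 to November 2016, the spatiotemporal variation and seasonal distribution of CO2 concentration over the globe and over East Asia (70~140°E, 10~55°N) were analyzed and compared with ground-based observations. The results show the following. 1) The correlation coefficients between the AIRS-retrieved CO2 data and the surface observations are all above 0.9, and the relative errors of the annual means are all within 1%. 2) The global annual mean CO2 concentration increased from 375.16 ml/m$^3$ in 2003 to 401.24 ml/m$^3$ in 2016, an annual mean growth rate of about 2.01 ml/m$^3$; over the same period, the mean CO2 concentration over East Asia increased from 375.13 ml/m$^3$ in 2003 to 402.22 ml/m$^3$ in 2016, an annual growth rate of about 2.08 ml/m$^3$, higher than the global annual mean growth rate. During 2010~2016, the CO2 growth rate over most of the Northern Hemisphere was lower than that during 2003~2009. The regions with the more pronounced CO2 increases lie over high-latitude areas of the Northern Hemisphere such as central Siberia and Greenland. 3) The CO2 distribution is clearly regional: the high-value areas are mainly in the middle and high latitudes of the Northern Hemisphere, and the low-value areas are mainly over the Tibetan Plateau. In the Southern Hemisphere, the high-value areas of CO2 concentration are mainly in the mid-latitudes of South America, and the low-value areas are mainly over the low-latitude Atlantic Ocean (0~20°S, 50°W~5°E). In the middle and lower troposphere (4~6 km), the seasonal variation of the AIRS-retrieved CO2 concentration is relatively accurate; in winter in particular, the CO2 concentration over most of the Northern Hemisphere first decreases and then increases over time. 4) In East Asia, the high-value area of CO2 lies over northern China and is distributed in a band.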

14.
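Zhan Yingjie, Ding Lin, Guan Jie. Journal on Communications, 2012, 33(11): 185-190
A guess-and-determine attack is mounted on the E0 stream cipher used in short-range wireless Bluetooth technology. The attack uses linear approximation to make a clever attack assumption, which reduces the amount of guessing required, and uses a check equation to reduce the number of candidate states. The computational complexity of the attack is $O(2^{76})$ and it requires about 988 bits of keystream, so it is a short-keystream attack. Compared with long-keystream attacks, short-keystream attacks need no more than 2745 bits of keystream and pose a greater threat to the security of E0. Compared with the existing short-keystream attacks on E0, the proposed guess-and-determine attack gives the best result.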

15.
The reduction of trap-state densities by plasma hydrogenation in n-channel polysilicon thin-film transistors (poly-TFTs) fabricated using a maximum temperature of 600°C has been studied. Hydrogenated devices have a mobility of ~40 cm$^2$/V·s, a threshold voltage of ~2 V, an inverse subthreshold of ~0.55 V/decade, and a maximum on/off current ratio of $5 \times 10^{8}$. The effective channel length decreases by ~0.85 μm after a short hydrogenation which may be attributed to the activation of donors at trap states near the source/drain junctions. Trap-state densities decrease from $1.6 \times 10^{12}$ to $3.5 \times 10^{11}$ cm$^{-2}$ after hydrogenation, concomitant with the reduction of threshold voltage. Using the gate lengths at which the trap-state densities deviate from the long-channel values as markers for the leading edge of passivation, the apparent hydrogen diffusivity is found to be $1.2 \times 10^{-11}$ cm$^2$/s at 350°C in the TFT structure.

16.
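New integral attack on Rijndael-256   Total citations: 1, self-citations: 0, citations by others: 1
Wei Yuechuan, Sun Bing, Li Chao. Acta Electronica Sinica, 2011, 39(2): 476-480
This paper analyzes the Rijndael-256 cipher. By looking for balance at the bit level, a new 3-round integral distinguisher is obtained; it needs only 32 plaintexts to distinguish 3-round Rijndael-256 from a random permutation, and every bit of the resulting ciphertexts is balanced. Among the known integral distinguishers for Rijndael-256, this distinguisher requires the fewest plaintexts. Based on the new distinguisher, 4- to 7-round Rijndael-...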

17.
mCrypton is a 64‐bit lightweight block cipher designed for use in low‐cost and resource‐constrained applications such as RFID tags and sensors in wireless sensor networks. In this paper, we investigate the strength of this cipher against related‐key impossible differential cryptanalysis. First, we construct two 6‐round related‐key impossible differentials for mCrypton‐96 and mCrypton‐128. Then, using these distinguishers, we present 9‐round related‐key impossible differential attacks on these two versions. The attack on mCrypton‐96 requires $2^{59.9}$ chosen plaintexts, and has a time complexity of about $2^{74.9}$ encryptions. The data and time complexities for the attack on mCrypton‐128 are $2^{59.7}$ chosen plaintexts and $2^{66.7}$ encryptions, respectively. Copyright © 2011 John Wiley & Sons, Ltd.

18.
Source coding problems are treated for Shannon's (1949) cipher system with correlated source outputs $(X,Y)$. Several cases are considered based on whether both $X$ and $Y$, only $X$, or only $Y$ must be transmitted to the receiver, whether both $X$ and $Y$, only $X$, or only $Y$ must be kept secret, or whether the security level is measured by $\left(\frac{1}{K}H(X^K|W), \frac{1}{K}H(Y^K|W)\right)$ or $\frac{1}{K}H(X^K Y^K|W)$, where $W$ is a cryptogram. The admissible region of cryptogram rate and key rate for a given security level is derived for each case. Furthermore, two new kinds of common information of $X$ and $Y$, say $C_1(X;Y)$ and $C_2(X;Y)$, are considered. $C_1(X;Y)$ is defined as the rate of the attainable minimum core of $(X^K,Y^K)$ by removing each private information from $(X^K,Y^K)$ as much as possible, while $C_2(X;Y)$ is defined as the rate of the attainable maximum core $V_C$ such that if one loses $V_C$, then each uncertainty of $X^K$ and $Y^K$ becomes $H(V_C)$. It is proved that $C_1(X;Y)=I(X;Y)$ and $C_2(X;Y)=\min\{H(X), H(Y)\}$. $C_1(X;Y)$ justifies the author's intuitive feeling that the mutual information represents a common information of $X$ and $Y$.

19.
Current-voltage characteristics of Au contacts formed on buried implanted oxide silicon-on-insulator (SOI) structures are discussed, which indicate that the dominant transport mechanism is space-charge-limited current (SCLC) conduction in the presence of deep-level states. The deep-level parameters, determined using a simple analysis, appear to be sensitive to anneal conditions used and subsequent processing. Silicon implanted with $1.7 \times 10^{18}$ cm$^{-2}$ oxygen ions at 150 keV following a 1200°C anneal for 3 h shows a deep level 0.37 eV below the conduction band edge with a concentration of unoccupied traps of ~$2 \times 10^{15}$ cm$^{-3}$. In contrast, arsenic ion implantation, in the 1200°C annealed material with a dose of $1.5 \times 10^{12}$ cm$^{-2}$ at 60 keV and activated by rapid thermal annealing (RTA), introduces a deep level 0.25 eV below the conduction band edge with an unoccupied trap concentration of ~$6 \times 10^{17}$ cm$^{-2}$.

20.
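Zheng Yafei, Wei Hongru. Journal on Communications, 2014, 35(6): 23-184
The security of the lightweight block cipher TWIS is analyzed further by applying the three-subset meet-in-the-middle attack to 10-round TWIS without the final whitening. Based on flaws in the TWIS key generation strategy, namely that its actual key length is only 62 bits and that the initial key is mixed slowly, the attack recovers all 62 key bits of 10-round TWIS with a computational complexity of $2^{45}$ and the lowest possible data complexity, a single known plaintext-ciphertext pair. The analysis shows that TWIS is not secure against the three-subset meet-in-the-middle attack.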
