Similar Documents
1.
Along Came Polly
Xiao He, 《视听技术》 (Audio-Visual Technology) 2004, (9): 84-85
Reuben (played by Ben Stiller) is a risk assessor, and his life, like his work, is a constant weighing of the probabilities and ratios of risk and reward. Unfortunately, his cautious personality ultimately leads to the failure of his marriage: while still on their honeymoon, his restless wife runs off with the scuba instructor. Utterly depressed

2.
Mobile Phone Double Shot
《数字通信》 (Digital Communication) 2005, (9): 72-73
Luosuo Ge (Brother Chatterbox): Heh heh, hello readers. In the blink of an eye it is May Day again; it feels like Spring Festival ended only recently, and now the seven-day May Day holiday is here. I wonder how everyone plans to spend this week off. I, Luosuo Ge, originally wanted to go traveling, but on reflection I decided to use these seven days to rest properly at home; this past year has really been exhausting! Paopao, how will you spend your seven days off?

3.
This paper first introduces the algorithm of Weng-Long Chang et al. [1] for factoring integers (2k bits long) by DNA methods and compares it with Beaver's algorithm [2]. The bottleneck of the algorithm in [1] is that the required volume of solution grows exponentially with the size of the integer. The algorithm of [1] can be improved to halve the volume, but the volume remains exponential. Using DNA to break block ciphers such as AES faces the same problem; hence the volume problem is common to DNA cryptanalysis of public-key and block ciphers such as RSA and AES, and the authors consider it very hard to solve.

4.
Many computers emit a high-pitched noise during operation, due to vibration in some of their electronic components. These acoustic emanations are more than a nuisance: They can convey information about the software running on the computer and, in particular, leak sensitive information about security-related computations. In a preliminary presentation (Eurocrypt'04 rump session), we have shown that different RSA keys induce different sound patterns, but it was not clear how to extract individual key bits. The main problem was the very low bandwidth of the acoustic side channel (under 20 kHz using common microphones, and a few hundred kHz using ultrasound microphones), several orders of magnitude below the GHz-scale clock rates of the attacked computers. In this paper, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate such attacks, using a plain mobile phone placed next to the computer, or a more sensitive microphone placed 10 meters away.

5.
This paper studies the ability of the Eight-Sided Fortress (ESF) algorithm to resist impossible differential cryptanalysis and linear cryptanalysis. ESF is a lightweight block cipher with a Feistel structure whose round function has a substitution-permutation (SP) structure. The paper first analyzes 12-round ESF with a new impossible differential distinguisher and then analyzes 9-round ESF by linear cryptanalysis. The computed data complexity of the 12-round impossible differential attack is about O(2^67) with time complexity about O(2^110.7), whereas the 9-round linear attack has a data complexity of only O(2^35) and a time complexity of at most O(2^15.6). The results show that ESF adequately resists impossible differential cryptanalysis, while its resistance to linear cryptanalysis is relatively weak.

6.
In 1990 Rivest introduced the hash function MD4. Two years later RIPEMD, a European proposal, was designed as a stronger mode of MD4. In 1995 the author found an attack against two of three rounds of RIPEMD. As we show in the present note, the methods developed to attack RIPEMD can be modified and supplemented such that it is possible to break the full MD4, while previously only partial attacks were known. An implementation of our attack allows us to find collisions for MD4 in a few seconds on a PC. An example of a collision is given demonstrating that our attack is of practical relevance. Received 23 October 1995 and revised 31 August 1997

7.
A simple cryptanalysis of the self-shrinking generator with very short keystream for the case of unknown connection polynomial is provided. The expected complexity of this cryptanalysis is 2^{1.5L} when the length of the LFSR of the generator is L.

8.
Patarin proposed the dragon scheme, pointed out the insecurity of the dragon algorithm with one hidden monomial and suggested a candidate dragon signature algorithm with a complicated function. This paper presents an algebraic method to attack the candidate dragon signature algorithm. The attack borrows the basic idea of the attack due to Kipnis and Shamir, and utilizes the underlying algebraic structure of the candidate dragon signature algorithm over the extension field to derive a way to enable the variable Y to be viewed as a fixed value. The attack recovers the private keys efficiently when the parameters are n ≤ 25 and D = ⌈log_q d⌉ ≤ 3.

9.
Structural Cryptanalysis of SASAS (cited by 1: 0 self-citations, 1 by others)
In this paper we consider the security of block ciphers which contain alternate layers of invertible S-boxes and affine mappings (there are many popular cryptosystems which use this structure, including the winner of the AES competition, Rijndael). We show that a five-layer scheme with 128-bit plaintexts and 8-bit S-boxes is surprisingly weak against what we call a multiset attack, even when all the S-boxes and affine mappings are key dependent (and thus completely unknown to the attacker). We tested the multiset attack with an actual implementation, which required just 2^16 chosen plaintexts and a few seconds on a single PC to find the 2^17 bits of information in all the unknown elements of the scheme.

10.
AEGIS, an authenticated encryption (AE) algorithm designed by H. J. Wu and B. Preneel, is one of the six winners of the Competition for Authenticated Encryption: Security, Applicability, and Robustness, which was launched by the National Institute of Standards and Technology. In this paper, we comprehensively investigate the existence of collision in the initialization of AEGIS-128 and evaluate the number of advanced encryption standard (AES) round functions involved in initialization, which reflec...

11.
This paper considers the hash function MD2 which was developed by Ron Rivest in 1989. Despite its age, MD2 has withstood cryptanalytic attacks until recently. This paper contains the state-of-the-art cryptanalytic results on MD2, in particular collision and preimage attacks on the full hash function, the latter having complexity 2^73, which should be compared to a brute-force attack of complexity 2^128.

12.
This paper considers PRESENT-like ciphers with key-dependent S-boxes. We focus on the setting where the same selection of S-boxes is used in every round. One particular variant with 16 rounds, proposed in 2009, is broken in practice in a chosen plaintext/chosen ciphertext scenario. Extrapolating these results suggests that up to 28 rounds of such ciphers can be broken. Furthermore, we outline how our attack strategy can be applied to an extreme case where the S-boxes are chosen uniformly at random for each round, and where the bit permutation is key-dependent as well.

13.
The two main classes of statistical cryptanalysis are the linear and differential attacks. They have many variants and enhancements such as the multidimensional linear attacks and the truncated differential attacks. The idea of differential-linear cryptanalysis is to apply first a truncated differential attack and then a linear attack on different parts of the cipher and then combine them to a single distinguisher over the cipher. This method is known since 1994 when Langford and Hellman presented the first differential-linear cryptanalysis of the DES. Recently, in 2014, Blondeau and Nyberg presented a general link between differential and linear attacks. In this paper, we apply this link to develop a concise theory of the differential-linear cryptanalysis. The differential-linear attack can be, in the theoretical sense, considered either as a multidimensional linear or a truncated differential attack, but is for both types an extreme case, which is best measured by the differential-linear bias. We give an exact expression of the bias in a closed form under the sole assumption that the two parts of the cipher are independent. Unlike in the case of ordinary differentials and linear approximations, it is not granted that restricting to a subset of characteristics of a differential-linear hull will give a lower bound on the absolute value of the bias. Given this, we revisit the previous treatments of differential-linear bias by Biham et al. in 2002–2003, Liu et al. in 2009, and Lu in 2012, and formulate assumptions under which a single differential-linear characteristic gives a close estimate of the bias. These results are then generalized by considering a subspace of linear approximations over the second part of the cipher. To verify the assumptions made, we present several experiments on a toy-cipher.

14.
Tree structures have been proposed for both the construction of block ciphers by Kam and Davida (1979), and self-synchronous stream ciphers by Kuhn (1988). Attacks on these ciphers have been given by Anderson (1991), and Heys and Tavares (1993). Here the authors demonstrate that a more efficient attack can be conducted when the underlying Boolean functions for the cells are known. It is shown that this attack requires less than one third of the chosen ciphertext of Anderson's original attack on the Kuhn cipher.

15.
In this article we propose a new cryptanalysis method for double-branch hash functions and we apply it on the standard RIPEMD-128, greatly improving over previously known results on this algorithm. Namely, we are able to build a very good differential path by placing one nonlinear differential part in each computation branch of the RIPEMD-128 compression function, but not necessarily in the early steps. In order to handle the low differential probability induced by the nonlinear part located in later steps, we propose a new method for using the available freedom degrees, by attacking each branch separately and then merging them with free message blocks. Overall, we present the first collision attack on the full RIPEMD-128 compression function as well as the first distinguisher on the full RIPEMD-128 hash function. Experiments on reduced number of rounds were conducted, confirming our reasoning and complexity analysis. Our results show that 16-year-old RIPEMD-128, one of the last unbroken primitives belonging to the MD-SHA family, might not be as secure as originally thought.

16.
Due to the special requirements of the mobile code system, Shieh et al. (see IEEE Trans. Veh. Technol., vol. 49, pp. 1464-73, July 2000) proposed some multisignature schemes based on a new digital signature scheme with message recovery. One major characteristic of these schemes is to avoid using one-way hash functions and message redundancy schemes. However, this causes a security flaw. An attack is proposed to show that the underlying signature scheme is not secure. To overcome the attack, the message redundancy schemes may still be used.

17.
Da Rocha, V.C., Jr; De Macido, D.L. Electronics Letters 1996, 32(14): 1279-1280
The cryptanalysis of a recently proposed public-key cipher is presented. The mathematical structure of the cipher is based on linear complementary subspaces over a finite field. The cipher is broken simply by multiplying the ciphertext by a matrix which is the multiplicative inverse of a matrix formed with the public information available.

18.
AES-based functions have attracted a lot of analysis in recent years, mainly due to the SHA-3 hash function competition. In particular, the rebound attack made it possible to break several proposals, and many improvements/variants of this method have been published. Yet, it remained an open question whether it was possible to reach one more round with this type of technique compared to the state of the art. In this article, we close this open problem by providing a further improvement over the original rebound attack and its variants, which allows the attacker to control one more round in the middle of a differential path for an AES-like permutation. Our algorithm is based on list merging as defined in (Naya-Plasencia in Advances in Cryptology: CRYPTO 2011, pp. 188–205, 2011), and we generalize the concept to non-full active truncated differential paths (Sasaki et al. in Lecture Notes in Computer Science, pp. 38–55, 2010). As an illustration, we applied our method to the internal permutations used in Grøstl, one of the five finalist hash functions of the SHA-3 competition. When entering this final phase, the designers tweaked the function so as to thwart attacks from Peyrin (Peyrin in Lecture Notes in Computer Science, pp. 370–392, 2010) that exploited relations between the internal permutations. Until our results, no analysis was published on the tweaked Grøstl, and the best results reached 8 and 7 rounds for the 256-bit and 512-bit versions, respectively. By applying our algorithm, we present new internal permutation distinguishers on 9 and 10 rounds, respectively.

19.
20.
A Cryptanalysis Method Based on Genetic Algorithms (cited by 1: 0 self-citations, 1 by others)
Based on the basic ideas of genetic algorithms, this paper gives a method and an algorithm for performing cryptanalysis with genetic algorithms and verifies the method's effectiveness.
