Correlated Keystreams in Moustique

Käsper, Emilia; Rijmen, Vincent; Bjørstad, Tor E.; Rechberger, Christian; Robshaw, Matthew J. B.; Sekar, Gautham

doi:10.1007/978-3-540-68164-9_17

Cited by 14 publications

(13 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This includes the attack on the self-synchronized stream cipher Moustique [30], the lightweight block cipher KTANTAN [12], and recent improvements upon attacks on 8-rounds of AES-192 and AES-256 [22].…”

Section: What Properties Of the Aes Allowed To Obtain These New Resultsmentioning

confidence: 99%

Biclique Cryptanalysis of the Full AES

Bogdanov

Khovratovich

Rechberger

2011

Lecture Notes in Computer Science

Self Cite

378

338

View full text Add to dashboard Cite

Abstract. Since Rijndael was chosen as the Advanced Encryption Standard (AES), improving upon 7-round attacks on the 128-bit key variant (out of 10 rounds) or upon 8-round attacks on the 192/256-bit key variants (out of 12/14 rounds) has been one of the most difficult challenges in the cryptanalysis of block ciphers for more than a decade. In this paper, we present the novel technique of block cipher cryptanalysis with bicliques, which leads to the following results:-The first key recovery method for the full AES-128 with computational complexity 2 126.1 . -The first key recovery method for the full AES-192 with computational complexity 2 189.7 . -The first key recovery method for the full AES-256 with computational complexity 2 254.4 . -Key recovery methods with lower complexity for the reduced-round versions of AES not considered before, including cryptanalysis of 8-round AES-128 with complexity 2 124.9 . -Preimage search for compression functions based on the full AES versions faster than brute force. In contrast to most shortcut attacks on AES variants, we do not need to assume related-keys. Most of our techniques only need a very small part of the codebook and have low memory requirements, and are practically verified to a large extent. As our cryptanalysis is of high computational complexity, it does not threaten the practical use of AES in any way.

show abstract

Section: What Properties Of the Aes Allowed To Obtain These New Resultsmentioning

confidence: 99%

Biclique Cryptanalysis of the Full AES

Bogdanov

Khovratovich

Rechberger

2011

Lecture Notes in Computer Science

Self Cite

378

338

View full text Add to dashboard Cite

show abstract

“…The MITM approach may be seen as a way to turn very strong related-key properties into attacks in the single-key setting, complementing e.g. the work on the self-synchronized stream-cipher Moustique [21]. Even though the time complexity of our attack remains high, optimizations may result in reduced time complexities, by e.g.…”

Section: Discussion and Future Workmentioning

confidence: 99%

A 3-Subset Meet-in-the-Middle Attack: Cryptanalysis of the Lightweight Block Cipher KTANTAN

Bogdanov

Rechberger

2011

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. In this paper we describe a variant of existing meet-in-themiddle attacks on block ciphers. As an application, we propose meet-inthe-middle attacks that are applicable to the full 254-round KTANTAN family of block ciphers accepting a key of 80 bits. The attacks are due to some weaknesses in its bitwise key schedule. We report an attack of time complexity 2 75.170 encryptions on the full KTANTAN32 cipher with only 3 plaintext/ciphertext pairs and well as 2 75.044 encryptions on the full KTANTAN48 and 275.584 encryptions on the full KTANTAN64 with 2 plaintext/ciphertext pairs 1 . All these attacks work in the classical attack model without any related keys. In the differential related-key model, we demonstrate 218-and 174-round differentials holding with probability 1. This shows that a strong relatedkey property can translate to a successful attack in the non-related-key setting. Having extremely low data requirements, these attacks are valid even in RFID-like environments where only a very limited amount of text material may be available to an attacker.

show abstract

“…These features make the design of secure self‐synchronizing stream ciphers a difficult task, which also explains the rarity of new proposals. In eSTREAM project, only the ciphers SSS and MOUSTIQUE are self‐synchronizing but both are broken. As stated in , there is little interest in self‐synchronization as they are not supported by the industry today.…”

Section: Stream Cipher Designmentioning

confidence: 99%

A survey of lightweight stream ciphers for embedded systems

Manifavas

Hatzivasilis

Fysarakis

et al. 2015

Security Comm. Networks

View full text Add to dashboard Cite

Pervasive computing constitutes a growing trend, aiming to embed smart devices into everyday objects. The limited resources of these devices and the ever‐present need for lower production costs, lead to the research and development of lightweight cryptographic mechanisms. Block ciphers, the main symmetric key cryptosystems, perform well in this field. Nevertheless, stream ciphers are also relevant in ubiquitous computing applications, as they can be used to secure the communication in applications where the plaintext length is either unknown or continuous, like network streams. This paper provides the latest survey of stream ciphers for embedded systems. Lightweight implementations of stream ciphers in embedded hardware and software are examined as well as relevant authenticated encryption schemes. Their speed and simplicity enable compact and low‐power implementations, allow them to excel in applications pertaining to resource‐constrained devices. The outcomes of the International Organization for Standardization/International Electrotechnical Commission 29192‐3 standard and the cryptographic competitions eSTREAM and Competition for Authenticated Encryption: Security, Applicability, and Robustness are summarized along with the latest results in the field. However, cryptanalysis has proven many of these schemes are actually insecure. From the 31 designs that are examined, only six of them have been found to be secure by independent cryptanalysis. A constrained benchmark analysis is performed on low‐cost embedded hardware and software platforms. The most appropriate and secure solutions are then mapped in different types of applications. Copyright © 2015 John Wiley & Sons, Ltd.

show abstract

Correlated Keystreams in Moustique

Cited by 14 publications

References 4 publications

Biclique Cryptanalysis of the Full AES

Biclique Cryptanalysis of the Full AES

A 3-Subset Meet-in-the-Middle Attack: Cryptanalysis of the Lightweight Block Cipher KTANTAN

A survey of lightweight stream ciphers for embedded systems

Contact Info

Product

Resources

About