Steve Babbage - Academia.edu
Papers by Steve Babbage
LILI-128 is a stream cipher that was submitted to NESSIE. Strangely, the designers do not really seem to have tried to ensure that cryptanalysis is no easier than by exhaustive key search. We show that there are indeed attacks faster than exhaustive key search. We also demonstrate a related key attack which has very low complexity, and which could be of practical significance if the cipher were used in a certain rather natural way.
This document states the research agenda for the future of cryptology. We show which areas deserve more research, bridging the gap between applications and research. For more detailed problems see the STORK document "D6 - Open Problems in Cryptology".
This paper pulls together some thoughts about how the Trivium stream cipher might be attacked. It does not contain a successful attack, but I thought it was worthwhile sharing these thoughts with others, in the hope that they may be able to take them further. Observations from other researchers are presented, together with some of my own.
A new family of very fast stream ciphers called COS (for "crossing over system") has been proposed by Filiol and Fontaine, and seems to have been adopted for at least one commercial standard. COS(2,128) Mode I and COS(2,128) Mode II are particular members of this family for which the authors proposed a cryptanalysis challenge. The ciphers accept secret keys of 256, 192 or 128 bits. In this note we cryptanalyse both of these ciphers, using a small amount of known keystream — with negligible effort in the case of Mode II, and with effort well below that required for a single DES key search in the case of Mode I.
A new family of very fast stream ciphers called COS (for "crossing over system") has been proposed by Filiol and Fontaine, and seems to have been adopted for at least one commercial standard. In this note we show that the COS ciphers are very weak indeed --- it requires negligible effort to reconstruct the state of the keystream generator from a very small amount of known keystream. Keywords: COS, stream cipher, nonlinear feedback shift register, cryptanalysis.
European Convention on Security and Detection, 1995
Given a certain amount of known keystream from a keystream generator, the most obvious way to determine the state of the generator is to search through all possible states, checking for a match between the resulting and observed keystream. In this paper we draw ...
Information Security Technical Report, 2000
Electronics Letters, 1990
Some recent work concerning the strict avalanche criterion for a Boolean function has been motivated by the claim that a certain cryptographically useful property will be true of any function satisfying the criterion. In the letter it is observed that not only is this claim untrue, but that possession of the property in question is in fact precluded by satisfaction of the strict avalanche criterion.
Lecture Notes in Computer Science, 2001
Faculty of Science and Technology Information Security Institute, 2007
Hermes8 is one of the stream ciphers submitted to the ECRYPT Stream Cipher Project (eSTREAM [3]). In this paper we present an analysis of the Hermes8 stream ciphers. In particular, we show an attack on the latest version of the cipher (Hermes8F), which requires very few known keystream bytes and recovers the cipher secret key in less than a second on a normal PC. Furthermore, we make some remarks on the cipher's key schedule and discuss some properties of ciphers with similar algebraic structure to Hermes8.
Sober-t16 and Sober-t32 are two synchronous stream ciphers developed by G. Rose and P. Hawkes and submitted to the NESSIE competition. In this paper we show how a probabilistic factor in the design can be exploited. A Guess and Determine attack is mounted against Sober-tw. For unstuttered Sober-t32, this attack is more efficient than exhaustive key search.
Jansen introduced a technique for building LFSRs that can be clocked a large number of times with a single simple operation. These may be useful in the construction of stream ciphers based on clock-controlled LFSRs. However, for LFSR sizes of typical interest, it appears generally hard to find such jumping LFSRs with particular desired parameters. In this note we explain a trick which we used to find the jumping LFSRs in MICKEY and MICKEY-128, and which may be useful for future applications.
Lecture Notes in Computer Science, 2003
In this paper, we investigate the security, in the Luby-Rackoff security paradigm, of blockcipher modes of operation that expand a one-block input into a longer t-block output under the control of a secret key K. Such "one-block-to-many" modes of operation are of frequent use in cryptology. They can be used for stream cipher encryption purposes, and for authentication and key distribution purposes in contexts such as mobile communications. We show that although the expansion functions resulting from modes of operation of blockciphers such as the counter mode or the output feedback mode are not pseudorandom, slight modifications of these two modes provide pseudorandom expansion functions. The main result of this paper is a detailed proof, in the Luby-Rackoff security model, that the expansion function used in the construction of the third generation mobile (UMTS) example authentication and key agreement algorithm MILENAGE is pseudorandom.
The stream cipher MICKEY (which stands for Mutual Irregular Clocking KEYstream generator) is aimed at resource-constrained hardware platforms. It is intended to have low complexity in hardware, while providing a high level of security. It uses irregular clocking ...
Hermes8 [4,5] is one of the stream ciphers submitted to the ECRYPT Stream Cipher Project (eSTREAM [2]). In this paper we present an attack on the latest version of the cipher (Hermes8F), which requires very few known keystream bytes and recovers the cipher secret key in less than a second on a normal PC.
Lecture Notes in Computer Science, 2004
A new approach to attack A5/1 is proposed. The proposed attack is a refinement of a previous attack by Ekdahl and Johansson. We make two important observations that lead to a new attack with improved performance.
Lecture Notes in Computer Science, 2008
The family of stream ciphers MICKEY (which stands for Mutual Irregular Clocking KEYstream generator) is aimed at resource-constrained hardware platforms. It is intended to have low complexity in hardware, while providing a high level of security. It uses irregular clocking ...