Subhamoy Maitra - Academia.edu

Papers by Subhamoy Maitra

Proving TLS-attack related open biases of RC4

Designs, Codes and Cryptography, 2014

After a series of works on RC4 cryptanalysis in the last few years (published in flagship cryptology conferences and journals), the most significant (and also very recent) attack on the cipher has been the discovery of vulnerabilities in the SSL/TLS protocol, by AlFardan, Bernstein, Paterson, Poettering and Schuldt. They ran extensive computations to identify significant short-term single-byte keystream biases of RC4, and utilized that knowledge in the attack. The biases identified by AlFardan et al. consist of earlier known biases of RC4, as well as some newly discovered ones. In this paper, we attempt to prove the new, unproved or partially proved biases amongst the above-mentioned ones. The theoretical proofs of these biases not only assert a scientific justification, but also discover intricate patterns and operations of the cipher associated with these biases. For example, while attempting the proof of a bias of the first output byte towards 129, we observe that this bias occurs prominently only for certain lengths of the secret key of RC4. In addition, our findings reveal that this bias may be related to the old and unsolved problem of "anomalies" in the distribution of the state array after the Key Scheduling Algorithm. In this connection, we prove the anomaly in \(S_0[128] = 127\), a problem open for more than a decade. Other than proving the new biases, we also complete the proof for the extended keylength dependent biases in RC4, a problem attempted and partially solved by Isobe, Ohigashi, Watanabe and Morii in FSE 2013. Our new proofs and observations in this paper, along with the connection to the older results, provide a comprehensive view on the state-of-the-art literature in RC4 cryptanalysis.

An Attack on Privacy Preserving Data Aggregation Protocol for Wireless Sensor Networks

Lecture Notes in Computer Science, 2012

In-network data aggregation in Wireless Sensor Networks (WSNs) provides efficient bandwidth utilization and energy-efficient computing. Supporting efficient in-network data aggregation while preserving the privacy of the data of individual sensor nodes has emerged as an important requirement in numerous WSN applications. For privacy-preserving data aggregation in WSNs, He et al. (INFOCOM 2007) have proposed a Cluster-based Private Data Aggregation (CPDA) that uses a clustering protocol and a well-known key distribution scheme for computing an additive aggregation function in a privacy-preserving manner. In spite of the wide popularity of CPDA, it has been observed that the protocol is not secure and it is also possible to enhance its efficiency. In this paper, we first identify a security vulnerability in the existing CPDA scheme, wherein we show how a malicious participant node can launch an attack on the privacy protocol so as to get access to the private data of its neighboring sensor nodes. Next it is shown how the existing CPDA scheme can be made more efficient by suitable modification of the protocol. Further, suitable modifications in the existing protocol have been proposed so as to plug the vulnerability of the protocol.

Efficient Software Implementation of LFSR and Boolean Function and Its Application in Nonlinear Combiner Model

Lecture Notes in Computer Science, 2003

Here we present an efficient implementation strategy and some general design criteria for the standard nonlinear combiner model. This model combines the output sequences of several independent Linear Feedback Shift Registers (LFSRs) using a Boolean function to produce the running key sequence. The model is well studied and a standard target for many cryptanalytic attacks. The naive bitwise software implementation of the LFSRs is not efficient. In this paper we explore an efficient block-oriented software implementation technique to make it competitive with the recently proposed fast stream ciphers. Our proposed specifications on this model can resist the fast correlation attacks. To evaluate our design criteria and implementation techniques, we carry out the security and performance analysis considering a specific scheme based on this model.

Multiples of Primitive Polynomials and Their Products over GF(2)

Lecture Notes in Computer Science, 2003

A standard model of nonlinear combiner generator for stream cipher system combines the outputs of several independent Linear Feedback Shift Register (LFSR) sequences using a nonlinear Boolean function to produce the key stream. Given such a model, cryptanalytic attacks have been proposed by finding out the sparse multiples of the connection polynomials corresponding to the LFSRs. In this direction recently a few works are published on t-nomial multiples of primitive polynomials. We here provide further results on degree distribution of the t-nomial multiples. However, finding out the sparse multiples of just a single primitive polynomial does not suffice. The exact cryptanalysis of the nonlinear combiner model depends on finding out sparse multiples of the products of primitive polynomials. We here make a detailed analysis on t-nomial multiples of products of primitive polynomials. We present new enumeration results for these multiples and provide some estimation on their degree distribution.

On Some Sequences of the Secret Pseudo-random Index j in RC4 Key Scheduling

Lecture Notes in Computer Science, 2009

RC4 Key Scheduling Algorithm (KSA) uses a secret pseudo-random index \(j\) which is dependent on the secret key. Let \(S_N\) be the permutation after the complete KSA of RC4. It is known that the value of \(j\) in round \(y + 1\) can be predicted with high probability from \(S_N[y]\) for the initial values of \(y\) and from S-

On efficient implementation of search strategy for rotation symmetric Boolean functions

The class of rotation symmetric Boolean functions (RSBF) is very rich in terms of cryptographically significant Boolean functions. It has been shown that the search space of such functions can be significantly reduced by using specific data structures — the matrices nA and nB. In this paper we have shown an efficient implementation of the search strategy based on nA and nB. In particular, it allowed us to reduce the search time of (9,3,5,240) and [9,3,5,240] functions from 3 years to just a few days.

Clique Size in Sensor Networks with Key Pre-Distribution Based on Transversal Design

International Journal of Distributed Sensor Networks, 2005

Key pre-distribution is an important area of research in Distributed Sensor Networks (DSN). Two sensor nodes are considered connected for secure communication if they share one or more common secret key(s). It is important to analyse the largest subset of nodes in a DSN where each node is connected to every other node in that subset (i.e., the largest clique). This parameter (largest clique size) is important in terms of resiliency and capability towards efficient distributed computing in a DSN. In this paper, we concentrate on the schemes where the key pre-distribution strategies are based on transversal design and study the largest clique sizes. We show that merging of blocks to construct a node provides larger clique sizes than considering a block itself as a node in a transversal design.

Primitive Polynomials over GF(2) — A Cryptologic Approach

Lecture Notes in Computer Science, 2001

Linear Feedback Shift Registers (LFSR) are important building blocks in stream cipher systems. The connection polynomials of the LFSRs need to be primitive over GF(2). Also the polynomial should have high weight and it should not have sparse multiples of moderate degree. Here we provide results which have immediate application in synthesis of connection polynomials for stream cipher systems. We

Permutation After RC4 Key Scheduling Reveals the Secret Key

Lecture Notes in Computer Science

A theoretical analysis of the RC4 Key Scheduling Algorithm (KSA) is presented in this paper, where the nonlinear operation is swapping among the permutation bytes. Explicit formulae are provided for the probabilities with which the permutation bytes after the KSA are biased to the secret key. Theoretical proofs of these formulae have been left open since Roos's work (1995). Based on this analysis, an algorithm is devised to recover the \(l\) bytes (i.e., \(8l\) bits, typically \(5 \le l \le 16\)) secret key from the final permutation after the KSA with constant probability of success. The search requires \(O(2^{4l})\) many operations, which is the square root of the exhaustive key search complexity \(2^{8l}\). Further, a generalization of the RC4 KSA is analyzed corresponding to a class of update functions of the indices involved in the swaps. This reveals an inherent weakness of shuffle-exchange kind of key scheduling.

Efficient CRT-RSA Decryption for Small Encryption Exponents

Lecture Notes in Computer Science, 2010

Consider CRT-RSA with the parameters \(p, q, e, d_p, d_q\), where \(p, q\) are secret primes, \(e\) is the public encryption exponent and \(d_p, d_q\) are the private decryption exponents. We present an efficient method to select CRT-RSA parameters in such a manner so that ...

Revisiting Wiener’s Attack – New Weak Keys in RSA

Lecture Notes in Computer Science

In this paper we revisit Wiener's method (IEEE-IT 1990) of continued fraction (CF) to find new weaknesses in RSA. We consider RSA with \(N = pq\), \(q < p < 2q\), public encryption exponent \(e\) and private decryption exponent \(d\). Our motivation is to find out when RSA is insecure given \(d\) is \(O(N^{\delta})\), where we are mostly interested in the range \(0.3 \le \delta \le 0.5\). Given \(\rho\) (\(1 \le \rho \le 2\)) is known to the attacker, we show that the RSA keys are weak when \(d = N^{\delta}\) and \(\delta < \frac{1}{2} - \frac{\gamma}{2}\), where \(|\rho q - p| \le \frac{N^{\gamma}}{16}\). This presents additional results over the work of de Weger (AAECC 2002). We also discuss how the lattice based idea of Boneh-Durfee (IEEE-IT 2000) works better to find weak keys beyond the bound \(\delta < \frac{1}{2} - \frac{\gamma}{2}\). Further we show that the RSA keys are weak when \(d < \frac{1}{2} N^{\delta}\) and \(e\) is \(O(N^{\frac{3}{2} - 2\delta})\) for \(\delta \le \frac{1}{2}\). Using similar techniques we also present new results over the work of Blömer and May (PKC 2004).

Analysis and Improvement of Transformation-Based Reversible Logic Synthesis

2013 IEEE 43rd International Symposium on Multiple-Valued Logic, 2013

Ultra-low power dissipation for nanoscale circuits and future technologies such as quantum computing require reversible logic. Existing methods of reversible logic synthesis attempt to minimize gate count, quantum cost, garbage count and try to achieve scalability for large Boolean functions. Several notable heuristics for reversible logic synthesis employ a method based on repeated transformation, demonstrating excellent performance compared to available optimal results. In this paper, we suggest two novel techniques for the transformation-based synthesis flow for improving synthesis outcome. The first technique is based on properties of Boolean functions and the second technique incorporates generalized Fredkin gates during the synthesis flow. We present theoretical results and experimental evidence in support of our strategies.

Differential Power Analysis in Hamming Weight Model: How to Choose among (Extended) Affine Equivalent S-boxes

Lecture Notes in Computer Science, 2014

From first principles, we concentrate on the Differential Power Analysis (DPA) in the Hamming weight model. Based on the power related data of an \((n, n)\) permutation S-box, we propose a spectrum (we call it Relative Power Spectrum, RPS in short) at \(2^n\) points each providing a vector containing \(n\) coordinates. Each coordinate contains the data related to single-bit DPA, and taking them together we provide relevant results in the domain of multi-bit DPA. For two affine equivalent \((n,n)\) permutation S-boxes \(F\) and \(G\), such that \(G(x) = F(Ax \oplus b)\), where \(A\) is a linear permutation (nonsingular binary matrix) and \(b\) is an \(n\)-bit vector, the RPSs of \(F\) and \(G\) are permutations of each other. However, this is not true in general when \(F\) and \(G\) are affine or extended affine equivalent, i.e., \(G(x) = B(F(Ax \oplus b)) \oplus L(x) \oplus c\), where \(B\) is a linear permutation, \(L\) is a linear mapping, and \(c\) is an \(n\)-bit vector. In such a case, the RPSs of \(F\) and \(G\) may not be related by permutation and may contain completely different vectors. We provide the effect of this in terms of DPA both in noise-free and noisy scenarios. Our results guide the designer to choose one S-box among all those in the same (extended) affine equivalence class when DPA in the Hamming weight model is considered. This is an instance where cryptographic advantage is attained by applying (extended) affine equivalence. For example, we provide a family of S-boxes that should replace the \((4, 4)\) S-boxes proposed in relation to the PRINCE block cipher.

Efficient quantum algorithms to construct arbitrary Dicke states

Quantum Information Processing, 2014

In this paper, we study efficient algorithms towards the construction of any arbitrary Dicke state. Our contribution is to use proper symmetric Boolean functions that involve manipulations with Krawtchouk polynomials. Deutsch-Jozsa algorithm, Grover algorithm and the parity measurement technique are stitched together to devise the complete algorithm. Further, motivated by the work of Childs et al (2002), we explore how one can plug the biased Hadamard transformation in our strategy. Our work compares fairly with the results of Childs et al (2002).

On the Evolution of GGHN Cipher

Lecture Notes in Computer Science, 2011

Attack on Broadcast RC4 Revisited

Lecture Notes in Computer Science, 2011

In this paper, contrary to the claim of Mantin and Shamir (FSE 2001), we prove that there exist biases in the initial bytes (3 to 255) of the RC4 keystream towards zero. These biases immediately provide distinguishers for RC4. Additionally, the attack on broadcast RC4 to recover the second byte of the plaintext can be extended to recover the bytes 3 to 255 of the plaintext given \(\Omega(N^3)\) many ciphertexts. Further, we also study the non-randomness of index \(j\) for the first two rounds of PRGA, and identify a strong bias of \(j_2\) towards 4. This in turn provides us with certain state information from the second keystream byte.

Results on multiples of primitive polynomials and their products over GF(2)

Theoretical Computer Science, 2005

A standard model of nonlinear combiner generator for stream cipher system combines the outputs of several independent Linear Feedback Shift Register (LFSR) sequences using a nonlinear Boolean function to produce the key stream. Given such a model, cryptanalytic attacks have been proposed by finding out the sparse multiples of the connection polynomials corresponding to the LFSRs. In this direction recently a few works are published on t-nomial multiples of primitive polynomials. We here provide further results on degree distribution of the t-nomial multiples. However, finding out the sparse multiples of just a single primitive polynomial does not suffice. The exact cryptanalysis of the nonlinear combiner model depends on finding out sparse multiples of the products of primitive polynomials. We here make a detailed analysis on t-nomial multiples of products of primitive polynomials. We present new enumeration results for these multiples and provide some estimation on their degree distribution.

(Non-)Random Sequences from (Non-)Random Permutations—Analysis of RC4 Stream Cipher

Journal of Cryptology, 2012

RC4 has been the most popular stream cipher in the history of symmetric key cryptography. Its internal state contains a permutation over all possible bytes from 0 to 255, and it attempts to generate a pseudorandom sequence of bytes (called keystream) by extracting elements of this permutation. Over the last twenty years, numerous cryptanalytic results on RC4 stream cipher have been published, many of which are based on non-random (biased) events involving the secret key, the state variables, and the keystream of the cipher. Though biases based on the secret key are common in RC4 literature, none of the existing ones depends on the length of the secret key. In the first part of this paper, we investigate the effect of RC4 keylength on its keystream, and report significant biases involving the length of the secret key. In the process, we prove the two known empirical biases that were experimentally reported and used in recent attacks against WEP and WPA by Sepehrdad, Vaudenay and Vuagnoux in EUROCRYPT 2011. After our current work, there remains no bias in the literature of WEP and WPA attacks without a proof. In the second part of the paper, we present theoretical proofs of some significant initial-round empirical biases observed by Sepehrdad, Vaudenay and Vuagnoux in SAC 2010. In the third part, we present the derivation of the complete probability distribution of the first byte of RC4 keystream, a problem left open for a decade since the observation by Mironov in CRYPTO 2002. Further, the existence of positive biases towards zero for all the initial bytes 3 to 255 is proved and exploited towards a generalized broadcast attack on RC4. We also investigate long-term non-randomness in the keystream, and prove a new long-term bias of RC4.

The Deutsch–Jozsa Algorithm Revisited in the Domain of Cryptographically Significant Boolean Functions

International Journal of Quantum Information, 2005

Boolean functions are important building blocks in cryptography for their wide application in both stream and block cipher systems. For cryptanalysis of such systems, one tries to find out linear functions that are correlated to the Boolean functions used in the crypto system. Let \(f\) be an \(n\)-variable Boolean function and let its Walsh spectrum be denoted by \(W_f(\omega)\) at the point \(\omega \in \{0, 1\}^n\). The Boolean function is available in the form of an oracle. We would like to find an \(\omega\) such that \(W_f(\omega) \ne 0\), as this will provide one of the linear functions which are correlated to \(f\). We show that the quantum algorithm proposed by Deutsch and Jozsa [7] solves this problem in constant time. However, the best known classical algorithm to solve the problem requires exponential time in \(n\). We also analyze certain classes of cryptographically significant Boolean functions and highlight how the basic Deutsch–Jozsa algorithm performs on them.

A key pre-distribution scheme for wireless sensor networks: merging blocks in combinatorial design

International Journal of Information Security, 2006

In this paper, combinatorial design followed by a randomized merging strategy is applied to key pre-distribution in sensor nodes. A transversal design is used to construct a \((v, b, r, k)\) configuration and then randomly selected blocks are merged to form the sensor nodes. We present a detailed mathematical analysis of the number of nodes, the number of keys per node and the probability that a link gets affected if a certain number of nodes are compromised. The technique is tunable to user requirements and it also compares favourably with state-of-the-art design strategies. An important feature of our design is the presence of a larger number of common keys between any two nodes. Further, we study the situation when properly chosen blocks are merged to form sensor nodes such that the number of intra-node common keys is minimized. We present a basic heuristic for this approach and show that it provides a slight improvement in terms of certain parameters over our basic random merging strategy.

Keywords: Combinatorial design, Sensor network, Key pre-distribution, Random merging

1 Introduction

Recently secure communication among sensor nodes has become an active area of research [2, 4, 6, 7, 10, 11, 12]. One may refer to [9] for a broader perspective in the area of sensor networks. Based on architectural considerations, wireless sensor networks may be broadly classified into two categories, viz. (i) Hierarchical Wireless Sensor Networks (HWSN) and (ii) Distributed Wireless Sensor Networks (DWSN). In HWSN, there is a pre-defined hierar-

This paper is an extended and revised version of the paper presented

Research paper thumbnail of Proving TLS-attack related open biases of RC4

Designs, Codes and Cryptography, 2014

After a series of works on RC4 cryptanalysis in last few years (published in flagship cryptology ... more After a series of works on RC4 cryptanalysis in last few years (published in flagship cryptology conferences and journals), the most significant (and also very recent) attack on the cipher has been the discovery of vulnerabilities in the SSL/TLS protocol, by AlFardan, Bernstein, Paterson, Poettering and Schuldt. They ran extensive computations to identify significant short-term single-byte keystream biases of RC4, and utilized that knowledge in the attack. The biases identified by AlFardan et al. consist of earlier known biases of RC4, as well as some newly discovered ones. In this paper, we attempt at proving the new, unproved or partially proved biases amongst the above-mentioned ones. The theoretical proofs of these biases not only assert a scientific justification, but also discover intricate patterns and operations of the cipher associated with these biases. For example, while attempting the proof of a bias of the first output byte towards 129, we observe that this bias occurs prominently only for certain lengths of the secret key of RC4. In addition, our findings reveal that this bias may be related to the old and unsolved problem of "anomalies" in the distribution of the state array after the Key Scheduling Algorithm. In this connection, we prove the anomaly in S0[128] = 127, a problem open for more than a decade. Other than proving the new biases, we also complete the proof for the extended keylength dependent biases in RC4, a problem attempted and partially solved by Isobe, Ohigashi, Watanabe and Morii in FSE 2013. Our new proofs and observations in this paper, along with the connection to the older results, provide a comprehensive view on the state-of-the-art literature in RC4 cryptanalysis.

Research paper thumbnail of An Attack on Privacy Preserving Data Aggregation Protocol for Wireless Sensor Networks

Lecture Notes in Computer Science, 2012

In-network data aggregation in Wireless Sensor Networks (WSNs) provides efficient bandwidth utili... more In-network data aggregation in Wireless Sensor Networks (WSNs) provides efficient bandwidth utilization and energy-efficient computing. Supporting efficient in-network data aggregation while preserving the privacy of the data of individual sensor nodes has emerged as an important requirement in numerous WSN applications. For privacypreserving data aggregation in WSNs, He et al. (INFOCOM 2007) have proposed a Cluster-based Private Data Aggregation (CPDA) that uses a clustering protocol and a well-known key distribution scheme for computing an additive aggregation function in a privacy-preserving manner. In spite of the wide popularity of CPDA, it has been observed that the protocol is not secure and it is also possible to enhance its efficiency. In this paper, we first identify a security vulnerability in the existing CPDA scheme, wherein we show how a malicious participant node can launch an attack on the privacy protocol so as to get access to the private data of its neighboring sensor nodes. Next it is shown how the existing CPDA scheme can be made more efficient by suitable modification of the protocol. Further, suitable modifications in the existing protocol have been proposed so as to plug the vulnerability of the protocol.

Research paper thumbnail of Efficient Software Implementation of LFSR and Boolean Function and Its Application in Nonlinear Combiner Model

Lecture Notes in Computer Science, 2003

Here we present an efficient implementation strategy and some general design criteria for the sta... more Here we present an efficient implementation strategy and some general design criteria for the standard nonlinear combiner model. This model combines the output sequences of several independent Linear Feedback Shift Registers (LFSRs) using a Boolean function to produce the running key sequence. The model is well studied and a standard target for many cryptanalytic attacks. The naive bitwise software implementation of the LFSRs is not efficient. In this paper we explore an efficient block oriented software implementation technique to make it competitive with the recently proposed fast stream ciphers. Our proposed specifications on this model can resist the fast correlation attacks. To evaluate our design criteria and implementation techniques, we carry out the security and performance analysis considering a specific scheme based on this model.

Research paper thumbnail of Multiples of Primitive Polynomials and Their Products over GF(2)

Lecture Notes in Computer Science, 2003

A standard model of nonlinear combiner generator for stream cipher system combines the outputs of... more A standard model of nonlinear combiner generator for stream cipher system combines the outputs of several independent Linear Feedback Shift Register (LFSR) sequences using a nonlinear Boolean function to produce the key stream. Given such a model, cryptanalytic attacks have been proposed by finding out the sparse multiples of the connection polynomials corresponding to the LFSRs. In this direction recently a few works are published on t-nomial multiples of primitive polynomials. We here provide further results on degree distribution of the t-nomial multiples. However, finding out the sparse multiples of just a single primitive polynomial does not suffice. The exact cryptanalysis of the nonlinear combiner model depends on finding out sparse multiples of the products of primitive polynomials. We here make a detailed analysis on t-nomial multiples of products of primitive polynomials. We present new enumeration results for these multiples and provide some estimation on their degree distribution.

Research paper thumbnail of On Some Sequences of the Secret Pseudo-random Index j in RC4 Key Scheduling

Lecture Notes in Computer Science, 2009

RC4 Key Scheduling Algorithm (KSA) uses a secret pseudo-random index j which is dependent on the ... more RC4 Key Scheduling Algorithm (KSA) uses a secret pseudo-random index j which is dependent on the secret key. Let S N be the permutation after the complete KSA of RC4. It is known that the value of j in round y + 1 can be predicted with high probability from S N [y] for the initial values of y and from S-&amp;amp;amp;amp;amp;amp;amp;lt;/font

Research paper thumbnail of On efficient implementation of search strategy for rotation symmetric Boolean functions

ABSTRACT The class of rotation symmetric Boolean functions (RSBF) is very rich in terms of crypto... more ABSTRACT The class of rotation symmetric Boolean functions (RSBF) is very rich in terms of cryptograph-ically significant Boolean functions. It has been shown that the search space of such functions can be significantly reduced by using specific data structures — the matrices nA and nB. In this paper we have shown an efficient implementation of the search strategy based on nA and nB. In particular, it allowed us to reduce the search time of (9,3,5,240) and [9,3,5,240] functions from 3 years to just a few days.

Research paper thumbnail of Clique Size in Sensor Networks with Key Pre-Distribution Based on Transversal Design

International Journal of Distributed Sensor Networks, 2005

Key pre-distribution is an important area of research in Distributed Sensor Networks (DSN). Two s... more Key pre-distribution is an important area of research in Distributed Sensor Networks (DSN). Two sensor nodes are considered connected for secure communication if they share one or more common secret key(s). It is important to analyse the largest subset of nodes in a DSN where each node is connected to every other node in that subset (i.e., the largest clique). This parameter (largest clique size) is important in terms of resiliency and capability towards efficient distributed computing in a DSN. In this paper, we concentrate on the schemes where the key pre-distribution strategies are based on transversal design and study the largest clique sizes. We show that merging of blocks to construct a node provides larger clique sizes than considering a block itself as a node in a transversal design.

Research paper thumbnail of Primitive Polynomials over GF(2) — A Cryptologic Approach

Lecture Notes in Computer Science, 2001

Linear Feedback Shift Registers (LFSR) are important building blocks in stream cipher systems. Th... more Linear Feedback Shift Registers (LFSR) are important building blocks in stream cipher systems. The connection polynomials of the LFSRs need to be primitive over GF(2). Also the polynomial should have high weight and it should not have sparse multiples of moderate degree. Here we provide results which have immediate application in synthesis of connection polynomials for stream cipher systems. We

Research paper thumbnail of Permutation After RC4 Key Scheduling Reveals the Secret Key

Lecture Notes in Computer Science

A theoretical analysis of the RC4 Key Scheduling Algorithm (KSA) is presented in this paper, wher... more A theoretical analysis of the RC4 Key Scheduling Algorithm (KSA) is presented in this paper, where the nonlinear operation is swapping among the permutation bytes. Explicit formulae are provided for the probabilities with which the permutation bytes after the KSA are biased to the secret key. Theoretical proofs of these formulae have been left open since Roos's work (1995). Based on this analysis, an algorithm is devised to recover the l bytes (i.e., 8l bits, typically 5 ≤ l ≤ 16) secret key from the final permutation after the KSA with constant probability of success. The search requires O(2 4l) many operations which is the square root of the exhaustive key search complexity 2 8l. Further, a generalization of the RC4 KSA is analyzed corresponding to a class of update functions of the indices involved in the swaps. This reveals an inherent weakness of shuffle-exchange kind of key scheduling.

Efficient CRT-RSA Decryption for Small Encryption Exponents

Lecture Notes in Computer Science, 2010

Consider CRT-RSA with the parameters \(p, q, e, d_p, d_q\), where \(p, q\) are secret primes, \(e\) is the public encryption exponent and \(d_p, d_q\) are the private decryption exponents. We present an efficient method to select CRT-RSA parameters in such a manner so that ...

Revisiting Wiener’s Attack – New Weak Keys in RSA

Lecture Notes in Computer Science

In this paper we revisit Wiener's method (IEEE-IT 1990) of continued fractions (CF) to find new weaknesses in RSA. We consider RSA with \(N = pq\), \(q < p < 2q\), public encryption exponent \(e\) and private decryption exponent \(d\). Our motivation is to find out when RSA is insecure given that \(d\) is \(O(N^{\delta})\), where we are mostly interested in the range \(0.3 \le \delta \le 0.5\). Given that \(\rho\) (\(1 \le \rho \le 2\)) is known to the attacker, we show that the RSA keys are weak when \(d = N^{\delta}\) and \(\delta < \frac{1}{2} - \frac{\gamma}{2}\), where \(|\rho q - p| \le \frac{N^{\gamma}}{16}\). This presents additional results over the work of de Weger (AAECC 2002). We also discuss how the lattice-based idea of Boneh-Durfee (IEEE-IT 2000) works better to find weak keys beyond the bound \(\delta < \frac{1}{2} - \frac{\gamma}{2}\). Further we show that the RSA keys are weak when \(d < \frac{1}{2} N^{\delta}\) and \(e\) is \(O(N^{\frac{3}{2} - 2\delta})\) for \(\delta \le \frac{1}{2}\). Using similar techniques we also present new results over the work of Blömer and May (PKC 2004).

Analysis and Improvement of Transformation-Based Reversible Logic Synthesis

2013 IEEE 43rd International Symposium on Multiple-Valued Logic, 2013

Ultra-low power dissipation for nanoscale circuits and future technologies such as quantum computing requires reversible logic. Existing methods of reversible logic synthesis attempt to minimize gate count, quantum cost and garbage count, and try to achieve scalability for large Boolean functions. Several notable heuristics for reversible logic synthesis employ a method based on repeated transformation, demonstrating excellent performance compared to available optimal results. In this paper, we suggest two novel techniques for the transformation-based synthesis flow to improve the synthesis outcome. The first technique is based on properties of Boolean functions and the second technique incorporates generalized Fredkin gates during the synthesis flow. We present theoretical results and experimental evidence in support of our strategies.

Differential Power Analysis in Hamming Weight Model: How to Choose among (Extended) Affine Equivalent S-boxes

Lecture Notes in Computer Science, 2014

From first principles, we concentrate on the Differential Power Analysis (DPA) in the Hamming weight model. Based on the power related data of an \((n, n)\) permutation S-box, we propose a spectrum (we call it Relative Power Spectrum, RPS in short) at \(2^n\) points, each providing a vector containing \(n\) coordinates. Each coordinate contains the data related to single-bit DPA, and taking them together we provide relevant results in the domain of multi-bit DPA. For two affine equivalent \((n,n)\) permutation S-boxes \(F\) and \(G\), such that \(G(x) = F(Ax \oplus b)\), where \(A\) is a linear permutation (nonsingular binary matrix) and \(b\) is an \(n\)-bit vector, the RPSs of \(F\) and \(G\) are permutations of each other. However, this is not true in general when \(F\) and \(G\) are affine or extended affine equivalent, i.e., \(G(x) = B(F(Ax \oplus b)) \oplus L(x) \oplus c\), where \(B\) is a linear permutation, \(L\) is a linear mapping, and \(c\) is an \(n\)-bit vector. In such a case, the RPSs of \(F\) and \(G\) may not be related by permutation and may contain completely different vectors. We present the effect of this in terms of DPA in both noise-free and noisy scenarios. Our results guide the designer to choose one S-box among all those in the same (extended) affine equivalence class when DPA in the Hamming weight model is considered. This is an instance where cryptographic advantage is attained by applying (extended) affine equivalence. For example, we provide a family of S-boxes that should replace the \((4, 4)\) S-boxes proposed in relation to the PRINCE block cipher.

Efficient quantum algorithms to construct arbitrary Dicke states

Quantum Information Processing, 2014

In this paper, we study efficient algorithms for the construction of any arbitrary Dicke state. Our contribution is to use proper symmetric Boolean functions that involve manipulations with Krawtchouk polynomials. The Deutsch-Jozsa algorithm, the Grover algorithm and the parity measurement technique are stitched together to devise the complete algorithm. Further, motivated by the work of Childs et al. (2002), we explore how one can plug the biased Hadamard transformation into our strategy. Our work compares fairly with the results of Childs et al. (2002).

On the Evolution of GGHN Cipher

Lecture Notes in Computer Science, 2011

Attack on Broadcast RC4 Revisited

Lecture Notes in Computer Science, 2011

In this paper, contrary to the claim of Mantin and Shamir (FSE 2001), we prove that there exist biases in the initial bytes (3 to 255) of the RC4 keystream towards zero. These biases immediately provide distinguishers for RC4. Additionally, the attack on broadcast RC4 to recover the second byte of the plaintext can be extended to recover bytes 3 to 255 of the plaintext given \(\Omega(N^3)\) many ciphertexts. Further, we also study the non-randomness of the index \(j\) for the first two rounds of the PRGA, and identify a strong bias of \(j_2\) towards 4. This in turn provides us with certain state information from the second keystream byte.

Results on multiples of primitive polynomials and their products over GF(2)

Theoretical Computer Science, 2005

A standard model of nonlinear combiner generator for stream cipher systems combines the outputs of several independent Linear Feedback Shift Register (LFSR) sequences using a nonlinear Boolean function to produce the keystream. Given such a model, cryptanalytic attacks have been proposed by finding the sparse multiples of the connection polynomials corresponding to the LFSRs. In this direction, a few works on t-nomial multiples of primitive polynomials have recently been published. We here provide further results on the degree distribution of the t-nomial multiples. However, finding the sparse multiples of just a single primitive polynomial does not suffice. The exact cryptanalysis of the nonlinear combiner model depends on finding sparse multiples of the products of primitive polynomials. We here make a detailed analysis of t-nomial multiples of products of primitive polynomials. We present new enumeration results for these multiples and provide some estimation of their degree distribution.

(Non-)Random Sequences from (Non-)Random Permutations—Analysis of RC4 Stream Cipher

Journal of Cryptology, 2012

RC4 has been the most popular stream cipher in the history of symmetric key cryptography. Its internal state contains a permutation over all possible bytes from 0 to 255, and it attempts to generate a pseudorandom sequence of bytes (called keystream) by extracting elements of this permutation. Over the last twenty years, numerous cryptanalytic results on the RC4 stream cipher have been published, many of which are based on non-random (biased) events involving the secret key, the state variables, and the keystream of the cipher. Though biases based on the secret key are common in the RC4 literature, none of the existing ones depends on the length of the secret key. In the first part of this paper, we investigate the effect of the RC4 key length on its keystream, and report significant biases involving the length of the secret key. In the process, we prove the two known empirical biases that were experimentally reported and used in recent attacks against WEP and WPA by Sepehrdad, Vaudenay and Vuagnoux in EUROCRYPT 2011. After our current work, there remains no bias in the literature of WEP and WPA attacks without a proof. In the second part of the paper, we present theoretical proofs of some significant initial-round empirical biases observed by Sepehrdad, Vaudenay and Vuagnoux in SAC 2010. In the third part, we present the derivation of the complete probability distribution of the first byte of the RC4 keystream, a problem left open for a decade since the observation by Mironov in CRYPTO 2002. Further, the existence of positive biases towards zero for all the initial bytes 3 to 255 is proved and exploited towards a generalized broadcast attack on RC4. We also investigate long-term non-randomness in the keystream, and prove a new long-term bias of RC4.

The Deutsch–Jozsa Algorithm Revisited in the Domain of Cryptographically Significant Boolean Functions

International Journal of Quantum Information, 2005

Boolean functions are important building blocks in cryptography for their wide application in both stream and block cipher systems. For cryptanalysis of such systems, one tries to find linear functions that are correlated to the Boolean functions used in the cryptosystem. Let \(f\) be an \(n\)-variable Boolean function whose Walsh spectrum is denoted by \(W_f(\omega)\) at the point \(\omega \in \{0, 1\}^n\). The Boolean function is available in the form of an oracle. We would like to find an \(\omega\) such that \(W_f(\omega) \ne 0\), as this will provide one of the linear functions which are correlated to \(f\). We show that the quantum algorithm proposed by Deutsch and Jozsa [7] solves this problem in constant time. However, the best known classical algorithm to solve the problem requires time exponential in \(n\). We also analyze certain classes of cryptographically significant Boolean functions and highlight how the basic Deutsch–Jozsa algorithm performs on them.

A key pre-distribution scheme for wireless sensor networks: merging blocks in combinatorial design

International Journal of Information Security, 2006

In this paper, combinatorial design followed by a randomized merging strategy is applied to key pre-distribution in sensor nodes. A transversal design is used to construct a \((v, b, r, k)\) configuration and then randomly selected blocks are merged to form the sensor nodes. We present a detailed mathematical analysis of the number of nodes, the number of keys per node and the probability that a link gets affected if a certain number of nodes are compromised. The technique is tunable to user requirements and it also compares favourably with state-of-the-art design strategies. An important feature of our design is the presence of a larger number of common keys between any two nodes. Further, we study the situation when properly chosen blocks are merged to form sensor nodes such that the number of intra-node common keys is minimized. We present a basic heuristic for this approach and show that it provides a slight improvement in terms of certain parameters over our basic random merging strategy.

Keywords: Combinatorial design, Sensor network, Key pre-distribution, Random merging

1 Introduction

Recently, secure communication among sensor nodes has become an active area of research [2, 4, 6, 7, 10, 11, 12]. One may refer to [9] for a broader perspective on the area of sensor networks. Based on architectural considerations, wireless sensor networks may be broadly classified into two categories, viz. (i) Hierarchical Wireless Sensor Networks (HWSN) and (ii) Distributed Wireless Sensor Networks (DWSN). In HWSN, there is a pre-defined hierar-

This paper is an extended and revised version of the paper presented