Algebraic attacks on the Crypto-1 stream cipher in MIFARE Classic and Oyster …

A Practical Attack on the MIFARE Classic

Computing Research Repository, 2008

The MIFARE Classic is the most widely used contactless smart card on the market. Its design and implementation details are kept secret by its manufacturer. This paper studies the architecture of the card and the communication protocol between card and reader, and then gives a practical, low-cost attack that recovers secret information from the memory of the card. Due to a weakness in the pseudo-random generator, we are able to recover the keystream generated by the CRYPTO1 stream cipher. We exploit the malleability of the stream cipher to read all memory blocks of the first sector of the card. Moreover, we are able to read any sector of the card's memory, provided that we know one memory block within that sector. Finally, and perhaps more damaging, the same holds for modifying memory blocks.

Algebraic Cryptanalysis Of Stream Ciphers With Non Linear Update

2010

Stream ciphers are well known for providing security in communication. Because they can be implemented efficiently, they have received the attention of many cipher designers in recent years, and many new designs have been proposed and extensively analysed in the NESSIE and eSTREAM projects. In general, a newly proposed design must at least ensure that it resists the existing attacks. Algebraic attacks are by now a familiar threat to stream ciphers, so identifying the design components that strengthen a cipher against algebraic cryptanalysis is also of interest to stream cipher designers. Algebraic cryptanalysis, in its general form, aims at recovering the secret internal state bits of the cipher's registers by solving non-linear algebraic equations. It is therefore often considered inapplicable to stream ciphers whose registers are updated non-linearly, since in that case the degree of the algebraic equations relating the internal state to the keystream bits grows with each clock. However, different designs with non-linear update may offer quite different levels of resistance. In this thesis we analyse some structures of stream ciphers with non-linear update and identify the level of resistance their design offers against recovery of the secret internal state. Our objective is to analyse and compare the design of the keystream generating mechanism, not the cipher together with its initialisation mechanism. We therefore concentrate on the keystream generating part and compare the ciphers by how many of their internal state bits can be recovered by solving non-linear algebraic equations with a guess-and-determine approach. Because the degree of the equations rises with each clock, some of the internal state bits have to be guessed in order to recover the remaining ones. Our analysis reveals that, with carefully chosen guesses, internal state bits can be recovered that could not be recovered otherwise.
However, some structures do not yield their secret state bits to algebraic equation solving even after a large number of bits has been guessed; the aim of this thesis is to identify such structures. The ciphers considered in this work are A5/1, A5/2, Trivium, Grain and Mickey. The significance of this work also lies in the fact that we have analysed the ciphers selected for the final portfolio of the completed eSTREAM project. Based on our analysis, we also propose some modifications to the design of Grain-v1 to strengthen it against initial state recovery attacks without any increase in the number of secret state bits. Some modifications to the design of Trivium are also suggested so that the same structure can be used with a larger key space.

Two Trivial Attacks on A5/1: A GSM Stream Cipher

ArXiv, 2013

Stream ciphers play an important role in applications where high throughput is critical and resources are very restricted; for example, A5/1 is the stream cipher widely used in Europe and North America to protect the confidentiality of conversations on GSM mobile phones. Careful security analysis of such ciphers is therefore important given their widespread deployment. The basic building blocks used in the design of A5/1 are linear feedback shift registers (LFSRs). Algebraic attacks are a new and very powerful tool for cryptanalysing LFSR-based stream ciphers, including those that use a non-linear combiner. In this paper we compare previous attacks on A5/1 with an algebraic attack, and propose a new, improved guess-and-determine attack.

Algebraic cryptanalysis of a small-scale version of stream cipher Lex

IET Information Security, 2010

In this paper we analyse a small-scale version of the stream cipher Lex with respect to algebraic attacks. We base it on a small-scale version of the block cipher AES with a 16-bit state and a 16-bit key. We represent the small-scale Lex and its key schedule in two alternative ways: as a system of cubic Boolean equations and as a system of quadratic Boolean equations. We use Gröbner bases to solve the two systems for different numbers of rounds and sizes of the leak. We obtain the best results for the quadratic representation of the cipher. In this case we are able to recover the secret key in less than 2 minutes by solving a system of 374 quadratic Boolean equations in 208 unknowns resulting from 5 rounds of the cipher.

Algebraic Cryptanalysis of the Data Encryption Standard

Proceedings of the 11th IMA international …, 2007

In spite of the growing importance of AES, the Data Encryption Standard is by no means obsolete. DES has never been broken from a practical point of view. Triple DES is believed to be very secure, is widely used, especially in the financial sector, and should remain so for many years to come. In addition, some doubts have been raised about whether its replacement AES is secure, given the extreme level of "algebraic vulnerability" of the AES S-boxes (their low I/O degree and exceptionally large number of quadratic I/O equations). Is DES secure from the point of view of algebraic cryptanalysis, a new and fast-growing area of research? We do not really hope to break it, but rather to advance the field of cryptanalysis. At first glance, DES seems to be a very poor target, as there is (apparently) no strong algebraic structure of any kind in DES. However, in [14] it was shown that "small" S-boxes always have a low I/O degree (cubic for DES, as we show below). In addition, due to their low gate count, by introducing additional variables we can always obtain an extremely sparse system of quadratic equations. Assessing the algebraic vulnerabilities is the easy part, and may appear unproductive. In this paper we demonstrate that in this way several interesting attacks on a real-life "industrial" block cipher can be found. One of our attacks is the fastest known algebraic attack on 6 rounds of DES. Moreover, it requires only a single known plaintext (instead of a very large quantity), which is quite interesting in itself. Though (on a PC) we recover the key for only six rounds, in a much weaker sense we can also attack 12 rounds of DES. These results are very interesting because DES is known to be a very robust cipher, and our methods are very generic. They can be applied to DES with modified S-boxes and potentially to other reduced-round block ciphers.

Rewriting variables: The complexity of fast algebraic attacks on stream ciphers

Advances in Cryptology–CRYPTO 2004, 2004

Abstract. Recently proposed algebraic attacks [2, 6] and fast algebraic attacks [1, 5] have provided the best analyses against some deployed LFSR-based ciphers. The process complexity is exponential in the degree of the equations. Fast algebraic attacks were introduced [5] as a way of ...

On guess and determine cryptanalysis of LFSR-based stream ciphers

2009

In this paper, the complexity of applying a guess-and-determine attack to so-called linear feedback shift register (LFSR)-based stream ciphers is analysed. This family of stream ciphers uses one or several LFSRs and a filtering function F : GF(2)^n → GF(2)^m to generate blocks of m ≥ 1 keystream bits at a time. Unlike a classical guess-and-determine attack, which guesses certain bits in order to determine the remaining secret key/state bits, our approach efficiently exploits the reduced preimage space for relatively large m while at the same time using the design structure of the cipher. Several variations of the algorithm are derived to circumvent the sensitivity of the attack to the input data, n, m and the key length. In certain cases our attack outperforms classical algebraic attacks [10], which are considered among the most efficient cryptanalytic tools for this type of cipher.

An algebraic attack on stream ciphers with application to nonlinear filter generators and WG-PRNG

ArXiv, 2021

In this paper we propose a new algebraic attack on stream ciphers. Starting from a well-known attack due to Courtois and Meier, we design an attack that is especially effective against nonlinear filter generators. First we test it on two toy stream ciphers, and then we show that the security level of WG-PRNG, one of the stream ciphers submitted to the NIST Lightweight Cryptography competition, is lower than previously claimed.
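The attack "due to Courtois and Meier" that this abstract (and the guess-and-determine and "Rewriting variables" abstracts above) builds on is the direct algebraic attack on a nonlinear filter generator: every keystream bit is a low-degree Boolean polynomial in the unknown initial state, each monomial is renamed to a fresh unknown (linearization), and the resulting linear system is solved over GF(2). The following Python is an added illustration written for this page, not code from any of the papers listed: the 16-bit LFSR polynomial, the degree-2 filter taps, the secret initial state and the keystream length are all constructed for the example, and the generator is a toy, not WG-PRNG or any deployed cipher.

```python
"""Algebraic attack by linearization on a constructed nonlinear filter generator.

A 16-bit Fibonacci LFSR feeds a degree-2 Boolean filter. Each keystream bit
is therefore a degree-2 polynomial in the 16 unknown initial-state bits; the
attacker renames every degree-<=2 monomial to a fresh unknown and solves the
linear system with Gaussian elimination over GF(2).
"""

N_BITS = 16
# Feedback s[t+16] = s[t] ^ s[t+11] ^ s[t+13] ^ s[t+14], i.e. x^16+x^14+x^13+x^11+1
# (the usual maximal-length 16-bit LFSR); the attack needs only a linear update.
TAPS = (0, 11, 13, 14)
# Filter f(s) = s0 + s4 + s15 + s3*s7 + s9*s11 + s2*s12 (degree 2, chosen for this example)
LINEAR_TAPS = (0, 4, 15)
QUAD_TAPS = ((3, 7), (9, 11), (2, 12))

# Monomial columns: x_i -> column i; x_i*x_j (i<j) -> columns 16..135
PAIRS = [(i, j) for i in range(N_BITS) for j in range(i + 1, N_BITS)]
COL = {p: N_BITS + k for k, p in enumerate(PAIRS)}
N_MONO = N_BITS + len(PAIRS)  # 136 unknowns after linearization
COEF_MASK = (1 << N_MONO) - 1

# Constructed secret initial state (bit i of 0xACE1), unknown to the attacker.
INITIAL_STATE = [(0xACE1 >> i) & 1 for i in range(N_BITS)]


def clock(state):
    """One LFSR step in Fibonacci form; works on bits and on symbolic bitmasks alike."""
    new = 0
    for i in TAPS:
        new ^= state[i]
    return state[1:] + [new]


def filter_output(state):
    """Nonlinear filter f applied to a concrete 16-bit state."""
    z = 0
    for i in LINEAR_TAPS:
        z ^= state[i]
    for i, j in QUAD_TAPS:
        z ^= state[i] & state[j]
    return z


def keystream(initial_state, n):
    """n keystream bits from a concrete initial state (the generator's view)."""
    state, out = list(initial_state), []
    for _ in range(n):
        out.append(filter_output(state))
        state = clock(state)
    return out


def product_row(a, b):
    """Coefficient row of the product of two linear forms (bitmasks over x_0..x_15)."""
    row = 0
    for i in range(N_BITS):
        if not a >> i & 1:
            continue
        for j in range(N_BITS):
            if not b >> j & 1:
                continue
            # x_i * x_i = x_i over GF(2); otherwise a degree-2 monomial column
            row ^= 1 << i if i == j else 1 << COL[(min(i, j), max(i, j))]
    return row


def gauss_gf2(rows, n_cols):
    """Reduced row echelon form over GF(2); rows are ints with the RHS bit above the columns."""
    pivot_rows = {}  # pivot column -> fully reduced augmented row
    for row in rows:
        for c, prow in pivot_rows.items():
            if row >> c & 1:
                row ^= prow
        if row & ((1 << n_cols) - 1) == 0:
            if row >> n_cols & 1:
                raise ValueError("inconsistent system: keystream not from this generator")
            continue
        c = (row & -row).bit_length() - 1  # lowest set column becomes the new pivot
        for c2 in list(pivot_rows):
            if pivot_rows[c2] >> c & 1:
                pivot_rows[c2] ^= row
        pivot_rows[c] = row
    return pivot_rows


def recover_state(ks):
    """Attacker's view: from keystream bits alone, recover the initial state (or None)."""
    masks = [1 << i for i in range(N_BITS)]  # state bit i at t=0 is the unknown x_i
    rows = []
    for z in ks:
        row = 0
        for i in LINEAR_TAPS:
            row ^= masks[i]  # a linear form is already a row over columns 0..15
        for i, j in QUAD_TAPS:
            row ^= product_row(masks[i], masks[j])
        rows.append(row | (z << N_MONO))
        masks = clock(masks)  # the same linear update, applied symbolically
    pivots = gauss_gf2(rows, N_MONO)
    state = []
    for i in range(N_BITS):
        prow = pivots.get(i)
        if prow is None or prow & COEF_MASK != 1 << i:
            return None  # x_i is not fixed by the linear system alone
        state.append(prow >> N_MONO & 1)
    return state


if __name__ == "__main__":
    ks = keystream(INITIAL_STATE, 200)
    print("state recovered:", recover_state(ks) == INITIAL_STATE)
```

With a 16-bit state and a degree-2 filter there are 16 + 120 = 136 monomials, so roughly 136 keystream bits and one elimination over a 136-column matrix recover the whole state; for a degree-d filter on n bits the count grows like C(n, d), which is the "complexity exponential in the degree" that the CRYPTO 2004 abstract above refers to, and why fast algebraic attacks and the WG-PRNG paper's refinements work to lower the degree of the equations first. The example stops at plain linearization; it does not implement the relation-finding or rewriting steps those papers add.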