
Latest publications from the 2013 International Conference on Security and Cryptography (SECRYPT)

Massive group message authentication with revocable anonymity
Pub Date : 2013-07-29 DOI: 10.5220/0004509203310338
Boaz Catane, A. Herzberg
We present and implement schemes for authenticating messages from a group of users to a recipient, with revocable anonymity and massive (very high) message rate. Our implementations present a trade-off between the efficiency and the security required: from online group managers that participate in every message sent to offline managers, from assuming a trusted group manager and a trusted recipient to securing against both entities. All implementations have the traceability feature, allowing distributive and efficient tracing of all messages originating from a specific group member without violating anonymity of other members. In addition, our schemes are efficient and practical.
Citations: 0
On the security of the XOR sandwiching paradigm for multiple keyed block ciphers
Pub Date : 2013-07-29 DOI: 10.5220/0004505903050312
R. Ii-Yung, Khoongming Khoo, R. Phan
While block cipher design is relatively mature, advances in computational power mean that the keylength of block ciphers, upon which the security relies entirely, becomes less resistant to cryptanalysis over time. Therefore, the security for a block cipher with a particular keylength typically is seen to last for at most some decades. One common approach to strengthen a block cipher's security is based on increasing its keylength. In the literature, two strategies have emerged: multiple keyed multiple encryption and multiple keyed XOR sandwiching. Known attacks on these, such as Meet-in-the-Middle (Merkle and Hellman, 1981; van Oorschot and Wiener, 1991; Lucks, 1998) and Related-Key (J. Kelsey and Wagner, 1996; Choi et al., 1996; Vaudenay, 2011; Phan, 2004) attacks, show that Triple Encryption is significantly weaker than a brute-force attack would suggest, especially for block ciphers with small keys, such as the Data Encryption Standard (DES). This paper provides a comprehensive analysis on the security of the XOR sandwiching paradigm against known attacks for the case of multiple keyed triple encryption, without loss of generality, using DES as the underlying block cipher. In particular, we focus on DES-XEXEXEX variants, based on 2-Key and 3-Key Triple-DES, which involve performing the XOR for key-whitening before and after each encryption with an additional 64-bit key. One of the conclusions to be drawn from this work is the increased strength obtained from the XOR sandwiching paradigm while requiring little in terms of additional computational resources.
Citations: 2
Symmetric searchable encryption for exact pattern matching using directed Acyclic Word Graphs
Pub Date : 2013-07-29 DOI: 10.5220/0004530004030410
Rolf Haynberg, Jochen Rill, Dirk Achenbach, J. Müller-Quade
Searchable Encryption schemes allow searching within encrypted data without prior decryption. Various index-based schemes have been proposed in the past, which are only adequate for certain use cases. There is a lack of schemes with exact pattern matching capabilities. We introduce Symmetric Searchable Encryption for Exact Pattern Matching, a new class of searchable encryption schemes. To this end, we define the XPM-SSE primitive and two privacy notions for the new primitive. Our own construction, SEDAWG, is an XPM-SSE scheme which uses Directed Acyclic Word Graphs. We discuss and prove its properties.
Citations: 7
Adaptive resource management for balancing availability and performance in cloud computing
Pub Date : 2013-07-29 DOI: 10.5220/0004535902540264
R. Jhawar, V. Piuri
Security, availability and performance are critical to meet service level agreements in most Cloud computing services. In this paper, we build on the virtual machine technology that allows software components to be cheaply moved, replicated, and allocated on the hardware infrastructure to devise a solution that ensures users' availability and performance requirements in Cloud environments. To deal with failures and vulnerabilities also due to cyber-attacks, we formulate the availability and performance attributes from the users' perspective and show that the two attributes may often be competing for a given application. We then present a heuristics-based approach that restores an application's requirements in the failure and recovery events. Our algorithm uses Markov chains and queuing networks to estimate the availability and performance of different deployment contexts, and generates a set of actions to re-deploy a given application. By simulation, we show that our proposed approach improves the availability and lowers the degradation of the system's response time compared to traditional static schemes.
Citations: 11
Towards cryptographic function distinguishers with evolutionary circuits
Pub Date : 2013-07-29 DOI: 10.5220/0004524001350146
P. Švenda, Martin Ukrop, Vashek Matyás
Cryptanalysis of a cryptographic function usually requires advanced cryptanalytical skills and an extensive amount of human labour. However, some automation is possible, e.g., by using randomness testing suites like STS NIST (Rukhin, 2010) or Dieharder (Brown, 2004). These can be applied to test statistical properties of cryptographic function outputs. Yet such testing suites are limited only to predefined patterns testing particular statistical defects. We propose a more open approach based on a combination of software circuits and evolutionary algorithms to search for unwanted statistical properties like next bit predictability, random data non-distinguishability or strict avalanche criterion. The software circuit that acts as a testing function is automatically evolved by a stochastic optimization algorithm and uses information leaked during cryptographic function evaluation. We tested this general approach on the problem of finding a distinguisher (Englund et al., 2007) of outputs produced by several candidate algorithms for the eStream competition from truly random sequences. We obtained similar results (with some exceptions) as those produced by STS NIST and Dieharder tests w.r.t. the number of rounds of the inspected algorithm. This paper focuses on providing a solid assessment of the proposed approach w.r.t. STS NIST and Dieharder when applied over multiple different algorithms rather than obtaining the best possible result for a particular one. Additionally, the proposed approach is able to provide a random distinguisher even when presented with a very short sequence like 16 bytes only.
Citations: 6
On the connection between t-closeness and differential privacy for data releases
Pub Date : 2013-07-29 DOI: 10.5220/0004500904780481
J. Domingo-Ferrer
t-Closeness was introduced as an improvement of the well-known k-anonymity privacy model for data release. On the other hand, ε-differential privacy was originally proposed as a privacy property for answers to on-line database queries and it has been very welcome in academic circles. In spite of their quite diverse origins and motivations, we show in this paper that t-closeness and ε-differential privacy actually provide related privacy guarantees when applied to off-line data release. Specifically, k-anonymity for the quasi-identifiers combined with differential privacy for the confidential attributes yields t-closeness in expectation.
Citations: 5
A key-revocable attribute-based encryption for mobile cloud environments
Pub Date : 2013-07-29 DOI: 10.5220/0004505300510061
T. Ishiguro, S. Kiyomoto, Yutaka Miyake
In this paper, we propose a new Attribute-Based Encryption (ABE) scheme applicable to mobile cloud environments. A key issue in mobile cloud environments is how to reduce the computational cost on mobile devices and delegate the remaining computation to cloud environments. We also consider two additional issues: an efficient key revocation mechanism for ABE based on a concept of token-controlled public key encryption, and attribute hiding encryption from a cloud server. To reduce the computational cost on the client side, we propose an efficient ABE scheme jointly with secure computing on the server side. We analyze the security of our ABE scheme and evaluate the transaction time of primitive functions implemented on an Android mobile device and a PC. The transaction time of our encryption algorithm is within 150 msec for 89-bit security and about 600 msec for 128-bit security on the mobile device. Similarly, the transaction time of the decryption algorithm is within 50 msec for 89-bit security and 200 msec for 128-bit security.
Citations: 3
iOS encryption systems: Deploying iOS devices in security-critical environments
Pub Date : 2013-07-29 DOI: 10.5220/0004526201700182
Peter Teufl, Thomas Zefferer, Christof Stromberger, Christoph Hechenblaikner
The high usability of smartphones and tablets is embraced by consumers as well as the private and public sector. However, especially in the non-consumer area the security factor plays a decisive role in the platform selection process. All of the current companies within the mobile device sector added a wide range of security features to the initially consumer-oriented devices (Apple, Google, Microsoft), or have dealt with security as a core feature from the beginning (RIM, now BlackBerry). One of the key security features for protecting data on the device or in device backups is the encryption system, which is deployed in most current devices. However, even under the assumption that the systems are implemented correctly, there is a wide range of parameters, specific use cases, and weaknesses that need to be considered by the security officer. As the first part in a series of papers, this work analyzes the deployment of the iOS platform and its encryption systems within a security-critical context from a security officer's perspective. Thereby, the different sub-systems, the influence of the developer, the applied configuration, and the susceptibility to various attacks are analyzed in detail. Based on these results we present a workflow that supports the security officer in analyzing the security of an iOS device and the installed applications within a security-critical context. This workflow is supported by various tools that were either developed by ourselves or are available from other sources.
Citations: 10
A preliminary application of generalized fault trees to security
Pub Date : 2013-07-29 DOI: 10.5220/0004612606090614
D. Codetta-Raiteri
Fault trees (FT) are widespread models in the field of reliability, but they lack modelling power. So, in the literature, several extensions have been proposed that introduce specific new modelling primitives. Attack trees (AT) have gained acceptance in the field of security. They follow the same notation as standard FT, but they represent the combinations of actions necessary for the success of an attack on a computing system. In this paper, we extend the AT formalism by exploiting the new primitives introduced in the FT extensions. This leads to more accurate models. The approach is applied to a case study: the AT is exploited to represent the attack mode and compute specific quantitative measures about the system security.
Citations: 1
Enhanced truncated differential cryptanalysis of GOST
Pub Date : 2013-07-29 DOI: 10.5220/0004532504110418
N. Courtois, Theodosis Mourouzis, M. Misztal
GOST is a well-known block cipher implemented in standard libraries such as OpenSSL; it has extremely low implementation cost and nothing seemed to threaten its high 256-bit security [CHES 2010]. In 2010 it was submitted to ISO to become a worldwide industrial standard. Then many new attacks on GOST have been found, in particular some advanced differential attacks by Courtois and Misztal with complexity of 2^179 which are based on distinguishers for 20 Rounds. In July 2012 Rudskoy et al. claimed that these attacks fail when the S-boxes submitted to ISO 18033-3 are used. However, the authors failed to consider that these attacks need to be re-optimized again for this set of S-boxes. This is difficult because we have exponentially many sets of differentials. In this paper we present a basic heuristic methodology and a framework for constructing families of distinguishers and we introduce differential sets of a special new form dictated by the specific regular structure of GOST. We look at different major variants of GOST and we have been able to construct a distinguisher for 20 rounds for CryptoParamSetA and similar results for the new version of GOST submitted to ISO which is expected to be the strongest (!). Therefore there is absolutely no doubt that these versions of GOST are also broken by the same sort of attacks.
Citations: 15
2013 International Conference on Security and Cryptography (SECRYPT)