Conditional Differential Cryptanalysis of Trivium and KATAN

Knellwolf, Simon; Meier, Willi; Naya-Plasencia, Maŕıa

doi:10.1007/978-3-642-28496-0_12

“…Now, instead, we have 64 bits forced to be 1, 1 equal to zero, and (128 + 93) = 221 bits of the initial state controlled by the attacker in the weak-key setting, plus potentially 21 additional bits from the key still not used, that will be inserted during the first rounds. We can conclude that, while in Trivium it is possible in the weak-key setting, to introduce zeros in the whole initial state but in 3 bits, in Kreyvium, we will never be able to set to zero 64 bits, implying that applying the techniques from [41] becomes much harder.…”

Section: Kreyviummentioning

confidence: 96%

“…885) rounds out of 1152. The highest number of initialization rounds that can be attacked is 961: in this case, a distinguisher exists for a class of weak keys [41].…”

Section: Trivium In the He Settingmentioning

confidence: 99%

Stream Ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression

Canteaut

¹

,

Carpov

²

,

Fontaine

³

et al. 2016

Fast Software Encryption

Self Cite

View full text Add to dashboard Cite

In typical applications of homomorphic encryption, the first step consists for Alice to encrypt some plaintext m under Bob's public key pk and to send the ciphertext c = HE pk (m) to some third-party evaluator Charlie. This paper specifically considers that first step, i.e. the problem of transmitting c as efficiently as possible from Alice to Charlie. As previously noted, a form of compression is achieved using hybrid encryption. Given a symmetric encryption scheme E, Alice picks a random key k and sends a much smaller ciphertext c = (HE pk (k), E k (m)) that Charlie decompresses homomorphically into the original c using a decryption circuit C E −1 . In this paper, we revisit that paradigm in light of its concrete implementation constraints; in particular E is chosen to be an additive IV-based stream cipher. We investigate the performances offered in this context by Trivium, which belongs to the eSTREAM portfolio, and we also propose a variant with 128-bit security: Kreyvium. We show that Trivium, whose security has been firmly established for over a decade, and the new variant Kreyvium have an excellent performance.

show abstract

“…As this is not the case here, such attacks, as well as the recent interpolation attacks against LowMC [21], do not apply. The best attacks against KATAN, when excluding MitM techniques, are conditional differential attacks [40,41].…”

Section: Kreyviummentioning

confidence: 99%

“…Our change of constant is motivated by the conditional differential attacks from [41]: the conditions needed for a successful attack are that 106 bits from the IV or the key are equal to '0' and a single one needs to be '1'. This suggests that values set to zero "encourage" non-random behaviors, leading to our new constant.…”

Section: Kreyviummentioning

confidence: 99%

Stream Ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression

Canteaut

¹

,

Carpov

²

,

Fontaine

³

et al. 2018

Self Cite

View full text Add to dashboard Cite

In typical applications of homomorphic encryption, the first step consists for Alice to encrypt some plaintext m under Bob's public key pk and to send the ciphertext c = HE pk (m) to some third-party evaluator Charlie. This paper specifically considers that first step, i.e. the problem of transmitting c as efficiently as possible from Alice to Charlie. As previously noted, a form of compression is achieved using hybrid encryption. Given a symmetric encryption scheme E, Alice picks a random key k and sends a much smaller ciphertext c = (HE pk (k), E k (m)) that Charlie decompresses homomorphically into the original c using a decryption circuit C E −1 . In this paper, we revisit that paradigm in light of its concrete implementation constraints; in particular E is chosen to be an additive IV-based stream cipher. We investigate the performances offered in this context by Trivium, which belongs to the eSTREAM portfolio, and we also propose a variant with 128-bit security: Kreyvium. We show that Trivium, whose security has been firmly established for over a decade, and the new variant Kreyvium have an excellent performance.

show abstract

“…For the sake of completeness we mention some distinguisher attacks based on cube testers in [27,6,35]. The best covers up to 961 rounds working in a reduced key space of 2 26 keys (out of 2 80 ).…”

Section: Related Workmentioning

confidence: 99%

Advanced Algebraic Attack on Trivium

Quedenfeld

¹

,

Wolf

²

2016

Mathematical Aspects of Computer and Information Sciences

4

0

View full text Add to dashboard Cite

Abstract. This paper presents an algebraic attack against Trivium that breaks 625 rounds using only 4096 bits of output in an overall time complexity of 2 42.2 Trivium computations. While other attacks can do better in terms of rounds (799), this is a practical attack with a very low data usage (down from 2 40 output bits) and low computation time (down from 2 62 ). From another angle, our attack can be seen as a proof of concept: how far can algebraic attacks can be pushed when several known techniques are combined into one implementation? All attacks have been fully implemented and tested; our figures are therefore not the result of any potentially error-prone extrapolation, but results of practical experiments.

show abstract

Conditional Differential Cryptanalysis of Trivium and KATAN

Cited by 49 publications

References 14 publications

Stream Ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression

Stream Ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression

Stream Ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression

Advanced Algebraic Attack on Trivium

Contact Info

Product

Resources

About