Publications catalogue - books
Selected Areas in Cryptography: 14th International Workshop, SAC 2007, Ottawa, Canada, August 16-17, 2007, Revised Selected Papers
Carlisle Adams ; Ali Miri ; Michael Wiener (eds.)
In conference: 14th International Workshop on Selected Areas in Cryptography (SAC) . Ottawa, ON, Canada . August 16, 2007 - August 17, 2007
Abstract/Description – provided by the publisher
Not available.
Keywords – provided by the publisher
Data Encryption; Systems and Data Security; Management of Computing and Information Systems; Algorithm Analysis and Problem Complexity; Computer Communication Networks; Information Systems Applications (incl. Internet)
Availability
Detected institution | Publication year | Browse | Download | Request |
---|---|---|---|---|
Not detected | 2007 | SpringerLink | | |
Information
Resource type:
books
Printed ISBN
978-3-540-77359-7
Electronic ISBN
978-3-540-77360-3
Publisher
Springer Nature
Country of publication
United Kingdom
Publication date
2007
Publication rights information
© Springer-Verlag Berlin Heidelberg 2007
Subject coverage
Table of contents
A Generic Method to Design Modes of Operation Beyond the Birthday Bound
David Lefranc; Philippe Painchault; Valérie Rouat; Emmanuel Mayer
Given a PRP defined over {0,1}, we describe a new generic and efficient method to obtain modes of operation with a security level beyond the birthday bound 2. These new modes, named NAME (for New Encryption Modes of Operation), are based on a new contribution to the problem of transforming a PRP into a PRF. According to our approach, any generator matrix of a linear code of minimal distance , ≥ 1, can be used to design a PRF with a security of order 2. Such PRFs can be used to obtain NAME, the security level of which is of the same order (2). In particular, the well-known counter mode becomes a particular case when considering the identity linear code (of minimal distance = 1) and the mode of operation CENC [7] corresponds to the case of the parity check linear code of minimal distance = 2. Any other generator matrix leads to a new PRF and a new mode of operation. We give an illustrative example using = 4 which reaches the security level 2 with a computation overhead less than 4% in comparison to the counter mode.
Pp. 328-343
Passive-Only Key Recovery Attacks on RC4
Serge Vaudenay; Martin Vuagnoux
We present several weaknesses in the key scheduling algorithm of RC4 when the secret key contains an initialization vector – a cryptographic scheme typically used by the WEP and WPA protocols to protect IEEE 802.11 wireless communications. First, we show how the previously discovered key recovery attacks can be improved by reducing the dependency between the secret key bytes. Then, we describe two new weaknesses related to the modulo operation of the key scheduling algorithm. Finally, we describe a passive-only attack able to significantly improve the key recovery process on WEP with a data complexity of 2 eavesdropped packets.
Pp. 344-359
Permutation After RC4 Key Scheduling Reveals the Secret Key
Goutam Paul; Subhamoy Maitra
A theoretical analysis of the RC4 Key Scheduling Algorithm (KSA) is presented in this paper, where the nonlinear operation is swapping among the permutation bytes. Explicit formulae are provided for the probabilities with which the permutation bytes after the KSA are biased to the secret key. Theoretical proofs of these formulae have been left open since Roos’s work (1995). Based on this analysis, an algorithm is devised to recover the bytes (i.e., 8 bits, typically 5 ≤ ≤ 16) secret key from the final permutation after the KSA with constant probability of success. The search requires (2) many operations which is the square root of the exhaustive key search complexity 2. Further, a generalization of the RC4 KSA is analyzed corresponding to a class of update functions of the indices involved in the swaps. This reveals an inherent weakness of shuffle-exchange kind of key scheduling.
Pp. 360-377
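The two RC4 entries above both build on the same phenomenon: after the key scheduling algorithm (KSA) the permutation bytes S[y] are biased towards a simple function of the secret key bytes. The following is an added example, not code from either paper; it implements the standard RC4 KSA (N = 256) and measures Roos's 1995 observation that the most likely value of S[y] is f_y = (y(y+1)/2 + K[0] + ... + K[y]) mod 256 (key bytes taken cyclically), then applies the differencing heuristic K[y] = S[y] - S[y-1] - y (mod 256) to guess key bytes. It assumes, as in the Paul-Maitra model, that the attacker knows the final permutation; a WEP attacker only sees keystream, so the Vaudenay-Vuagnoux setting needs further steps not shown here. Key lengths, trial counts and the random keys are constructed for the experiment.

```python
"""Roos-style key-to-permutation bias after the RC4 KSA, measured empirically.

Added example (not from the SAC 2007 papers). Assumes the standard RC4 KSA
with N = 256 and Roos's observation that S[y] is most likely equal to
    f_y = (y(y+1)/2 + K[0] + ... + K[y]) mod 256   (key bytes cyclic).
Keys, key lengths and trial counts below are constructed for the experiment.
"""
import random

N = 256


def rc4_ksa(key):
    """Standard RC4 key scheduling: returns the permutation S after N swaps."""
    l = len(key)
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % l]) % N
        S[i], S[j] = S[j], S[i]
    return S


def roos_prediction(key, y):
    """f_y = y(y+1)/2 + sum_{i<=y} K[i mod l]  (mod N)."""
    l = len(key)
    return (y * (y + 1) // 2 + sum(key[i % l] for i in range(y + 1))) % N


def measure_bias(key_len=16, trials=10000, max_y=8, seed=1):
    """Fraction of random keys with S[y] == f_y, for y = 0 .. max_y-1.
    A uniformly random permutation would give about 1/N = 0.0039 per y;
    the KSA gives roughly 0.37 at y = 0, decreasing slowly with y."""
    rng = random.Random(seed)
    hits = [0] * max_y
    for _ in range(trials):
        key = [rng.randrange(N) for _ in range(key_len)]
        S = rc4_ksa(key)
        for y in range(max_y):
            if S[y] == roos_prediction(key, y):
                hits[y] += 1
    return [h / trials for h in hits]


def guess_key_bytes(S, key_len):
    """Heuristic key recovery when the post-KSA permutation S is known
    (the attacker model assumed here, not the WEP keystream-only model):
    K[0] = S[0] and K[y] = S[y] - S[y-1] - y (mod N), obtained by
    differencing f_y - f_{y-1} = y + K[y]. Each byte is right only with
    some probability, so a real attack must verify candidates."""
    guess = []
    for y in range(key_len):
        if y == 0:
            guess.append(S[0] % N)
        else:
            guess.append((S[y] - S[y - 1] - y) % N)
    return guess


def key_byte_recovery_rate(key_len=5, trials=10000, seed=2):
    """Per-position success rate of guess_key_bytes over random keys."""
    rng = random.Random(seed)
    correct = [0] * key_len
    for _ in range(trials):
        key = [rng.randrange(N) for _ in range(key_len)]
        guess = guess_key_bytes(rc4_ksa(key), key_len)
        for y in range(key_len):
            if guess[y] == key[y]:
                correct[y] += 1
    return [c / trials for c in correct]


if __name__ == "__main__":
    for y, p in enumerate(measure_bias()):
        print(f"P(S[{y}] == f_{y}) ~ {p:.3f}  (uniform would be {1 / N:.4f})")
    for y, p in enumerate(key_byte_recovery_rate()):
        print(f"P(guess of K[{y}] is correct) ~ {p:.3f}")
```

The first loop shows the bias itself (about a hundred times the 1/256 a random permutation would give for small y); the second shows why it is usable for key recovery, and why the recovery succeeds only with constant rather than overwhelming probability per byte, which is what forces the search step described in the Paul-Maitra abstract.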
Revisiting Correlation-Immunity in Filter Generators
Aline Gouget; Hervé Sibert
Correlation-immunity is a cryptographic criterion on Boolean functions arising from correlation attacks on combining functions. When it comes to filtering functions, the status of correlation-immunity lacks study in itself and, if it is commonly accepted as a requirement for nonlinear filter generators, this is for other concerns. We revisit the concept of correlation-immunity and clear up its meaning for filtering functions. We summarize existing criteria similar to correlation-immunity and attacks in two different models, showing that such criteria are not relevant in both models. We also derive a precise property to avoid correlations due to the filter function only, which appears to be a bit looser than correlation-immunity. We then propose new attacks based on whether this property is verified.
Pp. 378-395
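For the Gouget-Sibert entry above, the criterion being revisited is concrete enough to compute. The following is an added example, not code from the paper: it checks correlation-immunity of a Boolean function in the standard Xiao-Massey sense, i.e. f on n variables is correlation-immune of order m if its Walsh coefficient W_f(a) = sum_x (-1)^{f(x) XOR <a,x>} vanishes for every a of Hamming weight 1..m, and resilient of order m if it is also balanced. The correlation probability P(f(x) = <a,x>) = 1/2 + W_f(a)/2^{n+1} is the quantity a correlation attack exploits. The example functions (3-input XOR, 3-input majority, and x1 XOR x2 XOR x3x4) are constructed for illustration; the paper's own looser property for filter functions is not reproduced here.

```python
"""Correlation-immunity of Boolean functions via the Walsh spectrum.

Added example (not code from the SAC 2007 paper). Uses the standard
Xiao-Massey characterisation: f is correlation-immune of order m iff
W_f(a) = 0 for all a with 1 <= wt(a) <= m; resilient additionally needs
W_f(0) = 0 (balanced). Inputs x = (x_1, ..., x_n) are encoded as integers
with x_1 as the most significant bit. Sample functions are constructed.
"""
from itertools import product


def truth_table(f, n):
    """Evaluate f on all 2^n inputs in lexicographic order of (x_1..x_n)."""
    return [f(*x) & 1 for x in product((0, 1), repeat=n)]


def walsh_spectrum(tt):
    """W_f(a) = sum_x (-1)^(f(x) XOR <a,x>) for every a, by a fast
    Walsh-Hadamard transform on the +-1 sequence (-1)^f(x)."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w


def correlation_probability(tt, a):
    """P(f(x) = <a,x>) over uniform x; 1/2 means no exploitable correlation."""
    n_inputs = len(tt)
    return 0.5 + walsh_spectrum(tt)[a] / (2 * n_inputs)


def is_balanced(tt):
    return walsh_spectrum(tt)[0] == 0


def correlation_immunity_order(tt):
    """Largest m such that every linear combination of at most m inputs
    is statistically independent of f (0 if some single input leaks)."""
    W = walsh_spectrum(tt)
    n = len(tt).bit_length() - 1
    for m in range(1, n + 1):
        if any(W[a] != 0 for a in range(1, len(tt)) if bin(a).count("1") == m):
            return m - 1
    return n


def resiliency_order(tt):
    """Resilient of order m = balanced and correlation-immune of order m;
    returns -1 for an unbalanced function."""
    return correlation_immunity_order(tt) if is_balanced(tt) else -1


# Constructed sample filter functions.
def xor3(x1, x2, x3):
    return x1 ^ x2 ^ x3


def maj3(x1, x2, x3):
    return (x1 & x2) ^ (x1 & x3) ^ (x2 & x3)


def f4(x1, x2, x3, x4):
    return x1 ^ x2 ^ (x3 & x4)


if __name__ == "__main__":
    for name, f, n in (("xor3", xor3, 3), ("maj3", maj3, 3), ("f4", f4, 4)):
        tt = truth_table(f, n)
        print(name, "CI order:", correlation_immunity_order(tt),
              "resiliency:", resiliency_order(tt))
    # maj3 agrees with its first input 3/4 of the time: a usable correlation.
    print("P(maj3 = x1) =", correlation_probability(truth_table(maj3, 3), 0b100))
```

Note that a high correlation-immunity order costs algebraic degree (Siegenthaler's bound), which is one reason the abstract's argument that plain correlation-immunity is the wrong yardstick for filter functions matters in practice: a designer should check the correlations that the filter actually produces rather than maximise this single number.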
Distinguishing Attack Against TPypy
Yukiyasu Tsunoo; Teruo Saito; Takeshi Kawabata; Hiroki Nakashima
TPypy is a tweaked version of the Py stream cipher algorithm submitted to eSTREAM. Py uses a kind of processing referred to as a ‘rolling array’, the mixing of two types of array and one variable, to generate the keystream. TPypy is proposed as a highly secure stream cipher that fixes all of the previously identified weaknesses of Py.
This paper reports a significant bias in the pseudo-random generation algorithm of TPypy that can be exploited to distinguish the keystream obtained from multiple arbitrary secret key and initial vector pairs from a truly random number sequence using about 2 words.
Pp. 396-407