Now showing 1 - 10 of 27
  • Placeholder Image
    Publication
    Differential fault analysis on Tiaoxin and AEGIS family of ciphers
    (01-01-2016)
    Dey, Prakash
    ;
    Rohit, Raghvendra Singh
    ;
    ;
    Adhikari, Avishek
    Tiaoxin and AEGIS are two second round candidates of the ongoing CAESAR competition for authenticated encryption. In 2014, Brice Minaud proposed a distinguisher for AEGIS-256 that can be used to recover bits of a partially known message, encrypted 2188 times, regardless of the keys used. Also he reported a correlation between AEGIS-128 ciphertexts at rounds i and i + 2, although the biases would require 2140 data to be detected. Apart from that, to the best of our knowledge, there is no known cryptanalysis of AEGIS or Tiaoxin. In this paper we propose differential fault analyses of Tiaoxin and AEGIS family of ciphers in a nonce reuse setting. Analysis shows that the secret key of Tiaoxin can be recovered with 384 single bit faults and the states of AEGIS-128, AEGIS-256 and AEGIS-128L can be recovered respectively with 384, 512 and 512 single bit faults. Considering multi byte fault, the number of required faults and re-keying reduces 128 times.
  • Placeholder Image
    Publication
    On acyclic edge-coloring of complete bipartite graphs
    (01-03-2017)
    Venkateswarlu, Ayineedi
    ;
    ;
    Ananthanarayanan, Sai Mali
    An acyclic edge-coloring of a graph is a proper edge-coloring without bichromatic (2-colored) cycles. The acyclic chromatic index of a graph G, denoted by a′(G), is the least integer k such that G admits an acyclic edge-coloring using k colors. Let Δ=Δ(G) denote the maximum degree of a vertex in a graph G. A complete bipartite graph with n vertices on each side is denoted by Kn,n. Basavaraju, Chandran and Kummini proved that a′(Kn,n)≥n+2=Δ+2 when n is odd. Basavaraju and Chandran provided an acyclic edge-coloring of Kp,p using p+2 colors and thus establishing a′(Kp,p)=p+2=Δ+2 when p is an odd prime. The main tool in their approach is perfect 1-factorization of Kp,p. Recently, following their approach, Venkateswarlu and Sarkar have shown that K2p−1,2p−1 admits an acyclic edge-coloring using 2p+1 colors which implies that a′(K2p−1,2p−1)=2p+1=Δ+2, where p is an odd prime. In this paper, we generalize this approach and present a general framework to possibly get an acyclic edge-coloring of Kn,n which possesses a perfect 1-factorization using n+2=Δ+2 colors. In this general framework, using number theoretic techniques, we show that Kp2,p2 admits an acyclic edge-coloring with p2+2 colors and thus establishing a′(Kp2,p2)=p2+2=Δ+2 when p is an odd prime.
  • Placeholder Image
    Publication
    Exhaustive search for various types of MDS matrices
    (01-01-2019)
    Kesarwani, Abhishek
    ;
    ;
    Venkateswarlu, Ayineedi
    MDS matrices are used in the design of diffusion layers in many block ciphers and hash functions due to their optimal branch number. But MDS matrices, in general, have costly implementations. So in search for efficiently implementable MDS matrices, there have been many proposals. In particular, circulant, Hadamard, and recursive MDS matrices from companion matrices have been widely studied. In a recent work, recursive MDS matrices from sparse DSI matrices are studied, which are of interest due to their low fixed cost in hardware implementation. In this paper, we present results on the exhaustive search for (recursive) MDS matrices over GL(4, F2). Specifically, circulant MDS matrices of order 4, 5, 6, 7, 8; Hadamard MDS matrices of order 4, 8; recursive MDS matrices from companion matrices of order 4; recursive MDS matrices from sparse DSI matrices of order 4, 5, 6, 7, 8 are considered. It is to be noted that the exhaustive search is impractical with a naive approach. We first use some linear algebra tools to restrict the search to a smaller domain and then apply some space-time trade-off techniques to get the solutions. From the set of solutions in the restricted domain, one can easily generate all the solutions in the full domain. From the experimental results, we can see the (non) existence of (involutory) MDS matrices for the choices mentioned above. In particular, over GL(4, F2), we provide companion matrices of order 4 that yield involutory MDS matrices, circulant MDS matrices of order 8, and establish the nonexistence of involutory circulant MDS matrices of order 6, 8, circulant MDS matrices of order 7, sparse DSI matrices of order 4 that yield involutory MDS matrices, and sparse DSI matrices of order 5, 6, 7, 8 that yield MDS matrices. To the best of our knowledge, these results were not known before. For the choices mentioned above, if such MDS matrices exist, we provide base sets of MDS matrices, from which all the MDS matrices with the least cost (with respect to d-XOR and s-XOR counts) can be obtained. We also take this opportunity to present some results on the search for sparse DSI matrices over finite fields that yield MDS matrices. We establish that there is no sparse DSI matrix S of order 8 over F<>2<>8 such that S<>8<> is MDS.
  • Placeholder Image
    Publication
    Coverage Problem of sensor network in Continuous Region
    (01-04-2019)
    Nandi, Mrinal
    ;
    In this paper, we consider well known 'coverage problem' in Wireless Sensor Networks (WSNs) in continuous domain. Here, we discuss optimal placement of sensors and coverage criteria in Rn with special emphasis on R2. Coverage is essential in WSNs, which are two-or three-dimensional systems. When sensors are deployed from air on some previously fixed points (vertices) in the Region of Interest (ROI), they may not fall on the target vertices. So, some part of the ROI may be uncovered by the sensors. In this paper, we consider the problem, how one reduced the uncovered area? To reduce the uncovered area, extra sensors are usually deployed on some randomly chosen vertices. We develop a new strategy for deployment of extra sensors and compare the uncovered areas for these two strategies and for different number of extra sensors, using simulation.
  • Placeholder Image
    Publication
    Cryptanalysis of variants of RSA with multiple small secret exponents
    (01-01-2015)
    Peng, Liqiang
    ;
    Hu, Lei
    ;
    Lu, Yao
    ;
    ;
    Xu, Jun
    ;
    Huang, Zhangjie
    In this paper, we analyze the security of two variants of the RSA public key cryptosystem where multiple encryption and decryption exponents are used with a common modulus. For the most well known variant, CRT-RSA, assume that n encryption and decryption exponents (el, dpl, dql), where l = 1, …, n, are used with a common CRT-RSA modulus N. By utilizing a Minkowski sum based lattice construction and combining several modular equations which share a common variable, we prove that one can factor N when (Formula presented) for all l = 1, …, n. We further improve this bound to (Formula presented) for all l = 1, …, n. Moreover, our experiments do better than previous works by Jochemsz-May (Crypto 2007) and Herrmann-May (PKC 2010) when multiple exponents are used. For Takagi’s variant of RSA, assume that n key pairs (el, dl) for l = 1, …, n are available for a common modulus N = prq where r ≥ 2. By solving several simultaneous modular univariate linear equations, we show that when (Formula presented), for all l = 1, …, n, one can factor the common modulus N.
  • Placeholder Image
    Publication
    Some results on Fruit
    (15-03-2019)
    Dey, Sabyasachi
    ;
    Roy, Tapabrata
    ;
    In FSE 2015, Armknecht et al. proposed a new technique to design stream ciphers, which involves repeated use of keybits in each round of the keystream bit generation. This technique showed the possibility to design stream ciphers where the internal state size is significantly lower than twice the key size. They proposed a new cipher based on this idea, named Sprout. But soon Sprout was proved to be insecure. In Crypto 2015, Lallemand et al. proposed an attack which was 2 10 times faster than the exhaustive search. But the new idea used in Sprout showed a new direction in the design of stream cipher, which led to the proposal of several new ciphers with small size of internal state. Fruit is a recently proposed cipher where both the key size and the state size are 80. In this paper, we attack full round Fruit by a divide-and-conquer method. Our attack is equivalent to 2 74.95 many Fruit encryptions, which is around 16.95 times faster than the average exhaustive key search. Our idea also works for the second version of Fruit.
  • Placeholder Image
    Publication
    Analysis of hidden number problem with hidden multiplier
    (01-11-2017)
    In Crypto 1996, the Hidden Number Problem was introduced by Boneh and Venkatesan. Howgrave-Graham, Nguyen and Shparlinski (Mathematics of Computation 2003) generalized this problem and called it Hidden Number Problem with Hidden Multiplier (HNPHM). It has application in security analysis of timed-release crypto. They proposed a polynomial time algorithm to solve HNPHM. They showed that one can solve it if absolute error is less than m0.20 for some positive integer m. They improved this bound up to m0.25 heuristically. It was also proved that one can not solve HNPHM if error is larger than m0.5. In this paper, we show that one can solve HNPHM in polynomial time heuristically if error is bounded by m0.5.
  • Placeholder Image
    Publication
    Probabilistic signature based generalized framework for differential fault analysis of stream ciphers
    (01-07-2017) ;
    Dey, Prakash
    ;
    Adhikari, Avishek
    ;
    Maitra, Subhamoy
    Differential Fault Attack (DFA) considers injection of faults and the most general set-up should take care of faults at random location and random time. Then one should be able to identify the exact location as well as the exact timing of the fault (including the multi bit ones) with the help of fault signatures. In this paper we solve the problem of DFA under a general frame-work, introducing the idea of probabilistic signatures. The method considers the Maximum Likelihood approach related to probability distributions. Our techniques subsume all the existing DFAs against the Grain family, MICKEY 2.0 and Trivium. In the process we provide improved fault attacks for all the versions of Grain family and also for MICKEY 2.0. Our generalized method successfully takes care of the cases where certain parts of the keystream bits are missing (this situation may arise for authentication purpose). In particular, we show that the unsolved problem of identifying the faults in random time for Grain 128a can be solved in this manner. Moreover, for MICKEY 2.0, our method not only provides improvement in fault identification probability but also reduces the required faults by 60 %, compared to the best known result.
  • Placeholder Image
    Publication
    Observing biases in the state: case studies with Trivium and Trivia-SC
    (01-01-2017) ;
    Maitra, Subhamoy
    ;
    Baksi, Anubhab
    One generic model of stream cipher considers updating the states and then combining the state bits to produce the key-stream. In case there are biases in the state bits, that may be reflected on the key-stream bits resulting certain weaknesses (distinguisher and/or key recovery) of the cipher. In this context, we study the state biases as well as key-stream biases with great details. We first experiment with cube testers and heuristically obtain several distinguishers for Trivium running more than 800 rounds (maximum 829) with cube sizes not exceeding 27. Further, we apply our techniques to analyze Trivia-SC (the stream cipher used in TriviA-ck AEAD scheme, selected in second round of CAESAR competition) and obtain distinguishers till 950 rounds with a cube size of 25 only. On Trivia-SC, our results refute certain claims made by the designers against both cube and slide attacks. Our detailed empirical analysis provides new results in reduced-round cryptanalysis of Trivium and Trivia-SC.
  • Placeholder Image
    Publication
    Revisiting Prime Power RSA
    (20-04-2016)
    Recently Sarkar (DCC 2014) has proposed a new attack on small decryption exponent when RSA Modulus is of the form N=prq for r≥2. This variant is known as Prime Power RSA. The work of Sarkar improves the result of May (PKC 2004) when r≤5. In this paper, we improve the work of Sarkar when 2