- Santanu Sarkar

###### Options

# Santanu Sarkar

Loading...

Preferred name

Santanu Sarkar

Official Name

Santanu Sarkar

Alternative Name

Sarkar, Santanu

Main Affiliation

Email

ORCID

Scopus Author ID

Google Scholar ID

9 results Back to results

### Filters

##### Date

##### Author

##### Organization

##### Subject

##### Has files

##### Type

### Settings

Sort By

Results per page

Now showing 1 - 9 of 9

- PublicationCryptanalysis of variants of RSA with multiple small secret exponents(01-01-2015)
;Peng, Liqiang ;Hu, Lei ;Lu, Yao; ;Xu, JunHuang, ZhangjieShow more In this paper, we analyze the security of two variants of the RSA public key cryptosystem where multiple encryption and decryption exponents are used with a common modulus. For the most well known variant, CRT-RSA, assume that n encryption and decryption exponents (el, dpl, dql), where l = 1, …, n, are used with a common CRT-RSA modulus N. By utilizing a Minkowski sum based lattice construction and combining several modular equations which share a common variable, we prove that one can factor N when (Formula presented) for all l = 1, …, n. We further improve this bound to (Formula presented) for all l = 1, …, n. Moreover, our experiments do better than previous works by Jochemsz-May (Crypto 2007) and Herrmann-May (PKC 2010) when multiple exponents are used. For Takagi’s variant of RSA, assume that n key pairs (el, dl) for l = 1, …, n are available for a common modulus N = prq where r ≥ 2. By solving several simultaneous modular univariate linear equations, we show that when (Formula presented), for all l = 1, …, n, one can factor the common modulus N.Show more - PublicationSome results on Fruit(15-03-2019)
;Dey, Sabyasachi ;Roy, TapabrataShow more In FSE 2015, Armknecht et al. proposed a new technique to design stream ciphers, which involves repeated use of keybits in each round of the keystream bit generation. This technique showed the possibility to design stream ciphers where the internal state size is significantly lower than twice the key size. They proposed a new cipher based on this idea, named Sprout. But soon Sprout was proved to be insecure. In Crypto 2015, Lallemand et al. proposed an attack which was 2 10 times faster than the exhaustive search. But the new idea used in Sprout showed a new direction in the design of stream cipher, which led to the proposal of several new ciphers with small size of internal state. Fruit is a recently proposed cipher where both the key size and the state size are 80. In this paper, we attack full round Fruit by a divide-and-conquer method. Our attack is equivalent to 2 74.95 many Fruit encryptions, which is around 16.95 times faster than the average exhaustive key search. Our idea also works for the second version of Fruit.Show more - PublicationObserving biases in the state: case studies with Trivium and Trivia-SC(01-01-2017)
; ;Maitra, SubhamoyBaksi, AnubhabShow more One generic model of stream cipher considers updating the states and then combining the state bits to produce the key-stream. In case there are biases in the state bits, that may be reflected on the key-stream bits resulting certain weaknesses (distinguisher and/or key recovery) of the cipher. In this context, we study the state biases as well as key-stream biases with great details. We first experiment with cube testers and heuristically obtain several distinguishers for Trivium running more than 800 rounds (maximum 829) with cube sizes not exceeding 27. Further, we apply our techniques to analyze Trivia-SC (the stream cipher used in TriviA-ck AEAD scheme, selected in second round of CAESAR competition) and obtain distinguishers till 950 rounds with a cube size of 25 only. On Trivia-SC, our results refute certain claims made by the designers against both cube and slide attacks. Our detailed empirical analysis provides new results in reduced-round cryptanalysis of Trivium and Trivia-SC.Show more - PublicationRevisiting design principles of Salsa and Chacha(01-11-2019)
;Dey, Sabyasachi ;Roy, TapabrataShow more Salsa and ChaCha are well known names in the family of stream ciphers. In this paper, we first revisit the existing attacks on these ciphers. We first perform an accurate computation of the attack complexities of the existing technique instead of the estimation used in previous works. This improves the complexity by some margin. The differential attacks using probabilistic neutral bits against ChaCha and Salsa involve two probability biases: Forward probability bias (ϵd) and backward probability bias (ϵa). In the second part of the paper, we suggest a method to increase the backward probability bias, which helps reduce the attack complexity. Finally, we focus on the design principle of ChaCha. We suggest a slight modification in the design of this cipher as a countermeasure of the differential attacks against it. We show that the key recovery attacks proposed against ChaCha will not be effective on this modified version.Show more - PublicationGeneralization of Roos bias in RC4 and some results on key-keystream relations(01-03-2018)
;Dey, SabyasachiShow more RC4 has attracted many cryptologists due to its simple structure. In [9], Paterson, Poettering and Schuldt reported the results of a large scale computation of RC4 biases. Among the biases reported by them, we try to theoretically analyze a few which show very interesting visual patterns. We first study the bias which relates the key stream byte, where k is the first byte of the secret key. We then present a generalization of the Roos bias. In 1995, Roos observed the bias of initial bytes S of the permutation after KSA towards f. Here we study the probability of S. Our generalization provides a complete correlation between z i. We also analyze the key-keystream relation z i = f i - 1 which was studied by Maitra and Paul [6] in FSE 2008. We provide more accurate formulas for the probability of both z i = i - f i {z-{i}=i-f-{i}} and z i = f i - 1 {z-{i}=f-{i-1}} for different i's than the existing works.Show more - PublicationSettling the mystery of Zr = r in RC4(15-07-2019)
;Dey, SabyasachiShow more In this paper, using a matrix, at first we revisit the work of Mantin on finding the probability distribution of the RC4 permutation after the completion of the KSA. After that, we extend the same idea to analyse the probabilities during any iteration of the Pseudo Random Generation Algorithm. Next, we study the bias of Zr = r (where Zr is the r-th output keystream byte), which is one of the significant biases observed in the RC4 output keystream. This bias has played an important role in the plaintext recovery attack proposed by Isobe et al. in FSE 2013. However, the accurate theoretical explanation of the bias of Zr = r is still a mystery. Though several attempts have been made to prove this bias, none of those provides an accurate justification. Here, using the results found with the help of the probability transition matrix we justify this bias of Zr = r accurately and settle this issue. The bias obtained from our proof matches the experimental observations perfectly.Show more - PublicationRevisiting (nested) Roos bias in RC4 key scheduling algorithm(01-01-2017)
; Venkateswarlu, AyineediShow more RC4 is one of the most popular stream cipher with wide industrial applications, it has received serious attention in cryptology literature in the last 2 decades. In 1995, Roos pointed out that the elements SN[ y] of the permutation SN after the key scheduling algorithm for the first few values of y are biased to certain combinations of secret key bytes. These correlations were theoretically studied by Paul and Maitra (SAC, 2007). The formula for the correlation probabilities provided by them gives a wrong impression that the probabilities decrease as the value of y becomes larger, which is not true. In this paper, we point out some gaps in their analysis and present a detailed analysis of Roos bias. We provide a more accurate formula for the correlation probabilities. We further study nested Roos type biases and present comparison results. These types of biases are used to reconstruct key from the permutation SN for better success probability.Show more - PublicationA differential fault attack on plantlet(01-10-2017)
;Maitra, Subhamoy ;Siddhanti, AkhileshShow more Lightweight stream ciphers have received serious attention in the last few years. The present design paradigm considers very small state (less than twice the key size) and use of the secret key bits during pseudo-random stream generation. One such effort, Sprout, had been proposed two years back and it was broken almost immediately. After carefully studying these attacks, a modified version named Plantlet has been designed very recently. While the designers of Plantlet do not provide any analysis on fault attacks, we note that Plantlet is even weaker than Sprout in terms of Differential Fault Attack (DFA). Our investigation, following the similar ideas as in the analysis against Sprout, shows that we require only around 4 faults to break Plantlet by DFA in a few hours time. While fault attack is indeed difficult to implement and our result does not provide any weakness of the cipher in normal mode, we believe that these initial results will be useful for further understanding of Plantlet.Show more - PublicationSome Conditional Cube Testers for Grain-128a of Reduced Rounds(01-06-2022)
;Dalai, Deepak Kumar ;Pal, SantuShow more In this article, a new strategy, maximum last α round, is proposed to select cubes for cube attacks. This strategy considers the cubes in a particular round where the probability of its superpoly to be 1 is at most α, where α is a very small number. A heuristic method to find a number of suitable cubes using this strategy and the previously used strategies (i.e., maximum initial zero, maximum last zero) are proposed. To get a bias at the higher rounds, the heuristic, too, imposes conditions on some state bits of the cipher to make the non-constant superpoly of a cube as zero for the first few rounds. Some cube testers are formed by using those suitable cubes to implement a distinguishing attack on Grain-128a of reduced KSA (or initialization) rounds. We present a distinguisher for Grain-128a of 191 (out of 256) KSA round in the single key setup and 201 (out of 256) KSA round in the weak key setup by using the cubes of dimension 5. The number of rounds is the highest till today, and the cube dimension is smaller than the previous results. Further, we tested our algorithm on Grain-128 and achieved good results by using small cubes.Show more