# Santanu Sarkar

Preferred name: Santanu Sarkar

Official name: Santanu Sarkar

Alternative name: Sarkar, Santanu

## Publications (showing 1 - 10 of 16)

- **Differential fault analysis on Tiaoxin and AEGIS family of ciphers** (01-01-2016). Sarkar, Santanu; Dey, Prakash; Rohit, Raghvendra Singh; Adhikari, Avishek.

  Tiaoxin and AEGIS are two second round candidates of the ongoing CAESAR competition for authenticated encryption. In 2014, Brice Minaud proposed a distinguisher for AEGIS-256 that can be used to recover bits of a partially known message, encrypted $2^{188}$ times, regardless of the keys used. Also he reported a correlation between AEGIS-128 ciphertexts at rounds i and i + 2, although the biases would require $2^{140}$ data to be detected. Apart from that, to the best of our knowledge, there is no known cryptanalysis of AEGIS or Tiaoxin. In this paper we propose differential fault analyses of Tiaoxin and AEGIS family of ciphers in a nonce reuse setting. Analysis shows that the secret key of Tiaoxin can be recovered with 384 single bit faults and the states of AEGIS-128, AEGIS-256 and AEGIS-128L can be recovered respectively with 384, 512 and 512 single bit faults. Considering multi byte faults, the number of required faults and re-keyings reduces 128 times.

- **Revisiting Cryptanalysis on ChaCha From Crypto 2020 and Eurocrypt 2021** (01-09-2022). Sarkar, Santanu; Dey, Sabyasachi; Dey, Chandan; Meier, Willi.

  ChaCha has been one of the most prominent ARX designs of the last few years because of its use in several systems. The cryptanalysis of ChaCha involves a differential attack that exploits the idea of Probabilistic Neutral Bits (PNBs). For a long period, the single-bit distinguisher in this differential attack was found up to the 3rd round. At Crypto 2020, Beierle et al. introduced for the first time single bit distinguishers for the 3.5th round, which contributed significantly to regaining the flow of the research work in this direction. This discovery became the primary factor behind the huge improvement in the key recovery attack complexity in that work. This was followed by another work at Eurocrypt 2021, where a single bit distinguisher at the 3.5th round helped to produce a 7th round distinguisher of ChaCha and a further improvement in the key recovery. In this paper, first, we provide the theoretical framework for the distinguisher given by Beierle et al. We mathematically derive the observed differential correlation for the particular position where the output difference is observed at the 3.5th round. Also, Beierle et al. mentioned the issue of the availability of proper IVs to produce such distinguishers, and pointed out that not all keys have such IVs available. Here we provide a theoretical insight into this issue. Next, we revisit the work of Coutinho et al. (Eurocrypt 2021). Using Differential-Linear attacks against ChaCha, they claimed the distinguisher and the key recovery with complexities $2^{218}$ and $2^{228.51}$ respectively. We show that the differential correlation for the 3.5th round is much smaller than the claim of Coutinho et al. This makes the attack complexities much higher than their claim.

- **A New Approach for Side Channel Analysis on Stream Ciphers and Related Constructions** (01-10-2022). Sarkar, Santanu; Baksi, Anubhab; Kumar, Satyam.

  Side Channel Analysis (SCA) is among the newly emerged threats to small scale devices performing a cryptographic operation. While such analysis is well studied against block ciphers, we observe that the stream cipher counterpart is not that much explored. We propose novel modelling that can work with a number of stream ciphers and related constructions. We show practical state/key recovery attacks on the lightweight ciphers LIZARD, PLANTLET and GRAIN-128-AEAD. We consider the software platform (where the Hamming weight leakage is available) as well as the hardware platform (where the Hamming distance leakage is available). Through the modelling of Satisfiability Modulo Theory (SMT), we show that the solution can be obtained in a matter of seconds in most cases. In a handful of cases, however, the entire state/key recovery is not feasible in a practical amount of time. For those cases, we show full recovery is possible when a small number of bits are guessed. We also study the effect of increasing/decreasing the number of keystream bits on the solution time. Following a number of prior works, we initially assume the traces that are obtained are noiseless. Later, we show how an extension of our model can deal with noisy traces (which is a more general assumption).

- **Some results on Fruit** (15-03-2019). Sarkar, Santanu; Dey, Sabyasachi; Roy, Tapabrata.

  In FSE 2015, Armknecht et al. proposed a new technique to design stream ciphers, which involves repeated use of key bits in each round of the keystream bit generation. This technique showed the possibility to design stream ciphers where the internal state size is significantly lower than twice the key size. They proposed a new cipher based on this idea, named Sprout. But soon Sprout was proved to be insecure. In Crypto 2015, Lallemand et al. proposed an attack which was $2^{10}$ times faster than exhaustive search. But the new idea used in Sprout showed a new direction in the design of stream ciphers, which led to the proposal of several new ciphers with small internal state. Fruit is a recently proposed cipher where both the key size and the state size are 80. In this paper, we attack full round Fruit by a divide-and-conquer method. Our attack is equivalent to $2^{74.95}$ Fruit encryptions, which is around 16.95 times faster than the average exhaustive key search. Our idea also works for the second version of Fruit.

- **Observing biases in the state: case studies with Trivium and Trivia-SC** (01-01-2017). Sarkar, Santanu; Maitra, Subhamoy; Baksi, Anubhab.

  One generic model of stream cipher considers updating the state and then combining the state bits to produce the key-stream. In case there are biases in the state bits, these may be reflected in the key-stream bits, resulting in certain weaknesses (distinguisher and/or key recovery) of the cipher. In this context, we study the state biases as well as key-stream biases in great detail. We first experiment with cube testers and heuristically obtain several distinguishers for Trivium running more than 800 rounds (maximum 829) with cube sizes not exceeding 27. Further, we apply our techniques to analyze Trivia-SC (the stream cipher used in the TriviA-ck AEAD scheme, selected in the second round of the CAESAR competition) and obtain distinguishers up to 950 rounds with a cube size of 25 only. On Trivia-SC, our results refute certain claims made by the designers against both cube and slide attacks. Our detailed empirical analysis provides new results in reduced-round cryptanalysis of Trivium and Trivia-SC.

- **Enhanced Differential-Linear Attacks on Reduced Round ChaCha** (01-08-2023). Sarkar, Santanu; Dey, Sabyasachi; Garai, Hirendra Kumar; Sharma, Nitin Kumar.

  We present numerous refinements to the previous differential-linear attacks on ChaCha in this study. Beierle et al. discovered a 3.5-round differential at CRYPTO 2020, which was based on the condition that suitable key-IV pairs are picked, which they termed a 'right pair'. They were able to refine their approach by doing so, but they also observed that the acquisition of a right pair requires an average of $2^{5}$ iterations. In our work, we propose a method for achieving the right pairs with the help of listing, so that the extra multiplication by $2^{5}$ in the overall complexity can be avoided. In addition, we present a tactical enhancement in the 'Probabilistic Neutral Bit' searching algorithm, a change in complexity computation and a novel attack strategy based on two input-output pairs. We employ them to lower the attack complexity from $2^{230.86}$ to $2^{218.95}$ for 7-round ChaCha256. Furthermore, after almost ten years, we improve the complexity of a 6-round 128-bit version of ChaCha (Shi et al.: ICISC 2012) by more than 78 million times and, for the first time, propose attacks on 7.25-round ChaCha256 and 6.5-round ChaCha128 with time complexities $2^{244.85}$ and $2^{121.40}$ respectively.

- **New cube distinguishers on NFSR-based stream ciphers** (01-01-2020). Sarkar, Santanu; Kesarwani, Abhishek; Roy, Dibyendu; Meier, Willi.

  In this paper, we revisit the work of Sarkar et al. (Des Codes Cryptogr 82(1–2):351–375, 2017) and Liu (Advances in cryptology—Crypto 2017, 2017) and show how both of their ideas can be tuned to find good cubes. Here we propose a new algorithm for cube generation which improves existing results on the Zero-Sum distinguisher. We apply our new cube finding algorithm to three different nonlinear feedback shift register (NFSR) based stream ciphers: Trivium, Kreyvium and ACORN. From the results, we can see a cube of size 39 which gives Zero-Sum for a maximum of 842 rounds and significant non-randomness up to 850 rounds of Trivium. We provide some small size good cubes for Trivium, which outperform existing ones. We further investigate Kreyvium and ACORN by a similar technique and obtain cubes of size 56 and 92 which give a Zero-Sum distinguisher up to 875 and 738 initialization rounds of Kreyvium and ACORN respectively. To the best of our knowledge, these are the best results as compared to the existing results on distinguishing attacks of these ciphers. We also provide a table of good cubes of sizes varying from 10 to 40 for these three ciphers.

- **Some Cryptanalytic Results on TRIAD** (01-01-2019). Sarkar, Santanu; Kesarwani, Abhishek; Venkateswarlu, Ayineedi.

  In this paper, we study TRIAD-AE, which is submitted to the on-going NIST Lightweight competition. We first estimate an upper bound of the algebraic degree of the internal state and key-stream bit seen as multivariate Boolean polynomials. Using this estimation, we find good cubes to analyze reduced round TRIAD-AE. We get a cube of size 32 which gives zero-sum up to 540 rounds, and a cube of size 34 which can distinguish TRIAD-AE up to 550 rounds with a confidence level around 95%. Further, we also obtained some small size good cubes which distinguish TRIAD-AE from a random generator. We believe that our analysis can help to understand the security of the cipher better.

- **Revisiting design principles of Salsa and Chacha** (01-11-2019). Sarkar, Santanu; Dey, Sabyasachi; Roy, Tapabrata.

  Salsa and ChaCha are well known names in the family of stream ciphers. In this paper, we first revisit the existing attacks on these ciphers. We first perform an accurate computation of the attack complexities of the existing technique instead of the estimation used in previous works. This improves the complexity by some margin. The differential attacks using probabilistic neutral bits against ChaCha and Salsa involve two probability biases: the forward probability bias ($\epsilon_d$) and the backward probability bias ($\epsilon_a$). In the second part of the paper, we suggest a method to increase the backward probability bias, which helps reduce the attack complexity. Finally, we focus on the design principle of ChaCha. We suggest a slight modification in the design of this cipher as a countermeasure against the differential attacks on it. We show that the key recovery attacks proposed against ChaCha will not be effective on this modified version.

- **Generalization of Roos bias in RC4 and some results on key-keystream relations** (01-03-2018). Sarkar, Santanu; Dey, Sabyasachi.

  RC4 has attracted many cryptologists due to its simple structure. In [9], Paterson, Poettering and Schuldt reported the results of a large scale computation of RC4 biases. Among the biases reported by them, we try to theoretically analyze a few which show very interesting visual patterns. We first study the bias which relates the key stream byte, where k is the first byte of the secret key. We then present a generalization of the Roos bias. In 1995, Roos observed the bias of initial bytes S of the permutation after KSA towards f. Here we study the probability of S. Our generalization provides a complete correlation between z i. We also analyze the key-keystream relation $z_i = f_{i-1}$ which was studied by Maitra and Paul [6] in FSE 2008. We provide more accurate formulas for the probability of both $z_i = i - f_i$ and $z_i = f_{i-1}$ for different i's than the existing works.