Ruhr-Universität Bochum (RUB): Open Journal Systems
A5/3 make or break: A massively parallel FPGA architecture for exhaustive key search
In this paper, we have designed and implemented a massively parallel FPGA architecture for exhaustive key search on the A5/3 encryption algorithm. A5/3 is based on KASUMI, it has an effective key of 64 bits, and it is used in GSM (2G) mobile telephony systems. Despite the widespread adoption of more advanced technologies (4G, 5G), 2G networks remain fallback options. In our novel hardware architecture, we use an AMD-Xilinx Alveo U250 card, with its FPGA configured to operate with 104 cores clocked at 496.7 MHz, that can evaluate 2^35.59 keys/sec. Our results show that the $1 million attack can be achieved with 128 Alveo U250 cards, on average, in 16 days.
Manuscripts as a Mirror of Method. The Visual Traces of Max Imdahl's Working Practice
Tracing Conceptual Change: From Pre-Concepts to Differentiated Concepts of Justice
This study investigates the transformation of students’ pre-concepts of distributive justice into more differentiated and reflective understandings through a structured philosophy lesson series. Based on a constructivist three-phase teaching model, the intervention was implemented in four eighth-grade classes and evaluated using a pre-, post-, and follow-up design. A qualitative content analysis, combining theory-driven and inductive category development, revealed four key justice principles in students’ conceptions: equality, need, merit, and chance. The inductive emergence of the principle of chance illustrates the added value of empirical pre-testing for lesson planning. Post- and follow-up data show increased differentiation in students’ justice concepts, though limitations remain regarding the assessment of their ability to apply these concepts in normative judgments. The study highlights the methodological potential of qualitative content analysis for resource-efficient evaluation in philosophy didactics and calls for a refinement of assessment formats.
The Large Block Cipher Vistrutah
Vistrutah is a block cipher with block sizes of 256 and 512 bits. It iterates a step function consisting of two AES rounds applied to each 128-bit block of the state, followed by a state-wide cell permutation. Building upon established design principles from Simpira, Haraka, Pholkos, and ASURA, Vistrutah leverages AES instructions to achieve high performance. For each component of Vistrutah, we conduct a systematic evaluation of functions that can be efficiently implemented on both Intel and Arm architectures. We therefore expect them to perform efficiently on any recent vector instruction set architecture (ISA) with AES support. Our evaluation methodology combines, for each combination of the various choices of the cipher’s components, a security analysis with a latency estimation on an abstracted ISA. The goal is to maximize the ratio of “bits of security per unit of time,” i.e., to achieve the highest security for a given performance target, or equivalently, the best performance for a given security level within this class of designs. Implementations confirm the accuracy of our latency model. Vistrutah even performs significantly better than Rijndael-256-256. Our security claims are backed by a comprehensive ad-hoc cryptanalysis. An isomorphism between Vistrutah-512, the 512-bit wide variant, and the AES allows us to also leverage the extensive cryptanalysis of AES and apply it to Vistrutah-512. A core design principle is the use of an inline key schedule, computed during each encryption or decryption operation without requiring storage in any external memory. In fact, rekeying Vistrutah has no associated overheads. Key schedules like the AES’s must precompute and store round keys in memory for acceptable performance. However, in 2010 Kamal and Youssef showed that this makes cold boot attacks significantly more effective. Vistrutah’s approach minimizes leakage to at most two byte-permutations of the original key during context switches.
Furthermore, expensive key schedules reduce key agility, limiting the design of modes of operation. Vistrutah is particularly well-suited for Birthday-Bound modes of operation, including Synthetic IV modes and Accordion modes for 256-bit block ciphers. It can serve as a building block for compression functions (such as Matyas-Meyer-Oseas) in wide Merkle–Damgård hash functions. Additionally, it can implement “ZIP” wide pseudo-random functions as recently proposed by Flórez-Gutiérrez et al. in 2024. Finally, we present short, i.e., reduced-round versions of Vistrutah which are analyzed taking into account the restrictions posed on attackers by specific modes of operation. In particular, we model the use of the block ciphers in Hash-Encrypt-Hash (HEH) constructions such as HCTR2 as well as in ForkCiphers. These short versions of Vistrutah can be used to accelerate modes of operation without sacrificing security.
HCTR+: An Optimally Secure TBC-Based Accordion Mode
The design of tweakable wide-block ciphers has advanced significantly over the past two decades. This evolution began with the wide-block cipher by Naor and Reingold. Since then, numerous constructions have been proposed, many of which are built on existing block ciphers and are secure up to the birthday bound for the total number of blocks queried. Although there has been a recent slowdown in the development of such ciphers, the latest NIST proposal for Accordion modes has reignited the interest and momentum in the design and analysis of these ciphers. Although new designs have emerged, their security often falls short of optimal (i.e., n-bit) security, where n is the output size of the primitive. In this direction, designing an efficient tweakable wide-block cipher with n-bit security seems to be an interesting research problem to the symmetric key research community. An optimally secure tweakable wide-block cipher mode can easily be turned into a misuse-resistant RUP secure authenticated encryption scheme with optimal security. This paper proposes HCTR+, which turns an n-bit tweakable block cipher (TBC) with n-bit tweak into a variable input length tweakable wide block cipher. Unlike tweakable HCTR, HCTR+ ensures n-bit security regardless of tweak repetitions. We also propose two TBC-based almost-xor-universal hash functions, named PHASH+ and ZHASH+, and use them as the underlying hash functions in the HCTR+ construction to create two TBC-based n-bit secure tweakable wide block cipher modes, PHCTR+ and ZHCTR+. Experimental results show that both PHCTR+ and ZHCTR+ exhibit excellent software performance when their underlying TBC is instantiated with Deoxys-BC-256.
Multidimensional Linear Cryptanalysis of AEGIS
AEGIS is a family of authenticated encryption with associated data (AEAD) ciphers that target highly efficient implementations in software. The main operation in AEGIS is the AES encryption round function, so that it can make full use of its cryptographic properties and efficient implementation. AEGIS includes three variants, AEGIS-128, AEGIS-128L, and AEGIS-256, which achieve 128, 128, and 256 bits of security, respectively. AEGIS-128 has been selected and included in the final portfolio of the CAESAR competition. In this paper, we perform multidimensional linear cryptanalysis of AEGIS. We first dig into the reason for the inconsistency between the byte and bit trails in AEGIS and propose an improved truncated model to efficiently derive the accurate minimum number of active S-boxes. Based on the derived byte trails, we perform deep theoretical analysis of the correlation propagation in AEGIS and derive linear approximations with high correlations. Moreover, we find interesting properties of AEGIS that enable us to derive a number of equivalent but independent linear approximations. By combining these linear approximations, we perform multidimensional linear distinguishing attacks on AEGIS-128, AEGIS-256, and AEGIS-128L with complexities 2^126.46, 2^154.11, and 2^144.44, respectively. These results suggest that AEGIS-128 and AEGIS-256 do not meet their security claims. We also apply the improved truncated model to two AES-based stream cipher families, LOL and Rocca, for their linear cryptanalysis. Particularly, for LOL-MINI, we give a fast correlation attack with complexity 2^250.5, thereby breaking its security claim if we ignore the restriction on the length of the keystream under a single pair of key and IV.
Cryptanalysis: Theory Versus Practice: Correcting Cryptanalysis Results on Ascon, ChaCha, and Serpent Using GPUs
Most modern cryptanalysis results are obtained through theoretical analysis, often relying on simplifications and idealized assumptions. In this work, we use the parallel computational power of GPUs to experimentally verify a small portion of the cryptanalysis results that have been published in recent years. Our focus is on the ciphers Ascon, ChaCha, and Serpent. In none of the attacks we considered did the theoretical estimates fully match the actual practical values. More precisely, we show that the 4.5-round truncated differential with probability one, the 6-round differential-linear (DL), and the 6-round impossible differential distinguishers on Ascon, as well as the best known 7- and 7.5-round DL distinguisher on ChaCha, do not actually work in practice. Moreover, we demonstrate that the best known 10-, 11-, and 12-round DL attacks on Serpent perform better in practice than previously estimated. Additionally, we provide a new experimentally obtained 9-round DL distinguisher on Serpent, which can be used in 10- and 11-round attacks with reduced data complexity. In a broader sense, we recommend that cryptanalysts experimentally verify reduced versions of their theoretically obtained analysis results whenever possible. In order to simplify this process, we make our optimized code for the ciphers treated here available for future use.
XBOOT: Free-XOR Gates for CKKS with Applications to Transciphering
The CKKS scheme is traditionally recognized for approximate homomorphic encryption of real numbers, but BLEACH (Drucker et al., JoC 2024) extends its capabilities to handle exact computations on binary or small integer numbers. Despite this advancement, BLEACH’s approach of simulating XOR gates via (a−b)^2 incurs one multiplication per gate, which is computationally expensive in homomorphic encryption. To this end, we introduce XBOOT, a new framework built upon BLEACH’s blueprint but allowing for almost free evaluation of XOR gates. The core concept of XBOOT involves lazy reduction, where XOR operations are simulated with the less costly addition operation, a+b, leaving the management of potential overflows to later stages. We carefully handle the modulus chain and scale factors to ensure that the overflows are managed during the CKKS bootstrapping phase, preserving the correct XOR result without extra cost. We use AES-CKKS transciphering as a benchmark to test the capability of XBOOT, and achieve a throughput exceeding one kilobyte per second, which represents a 2.5x improvement over the state-of-the-art (Aharoni et al., HES 2023). Moreover, XBOOT enables the practical execution of tasks with extensive XOR operations that were previously challenging for CKKS. For example, we can do Rasta-CKKS transciphering at over two kilobytes per second, more than 10x faster than the baseline without XBOOT.
Improved Attacks Against Lattice-Based KEMs Using Hints From Hertzbleed
The Number Theoretic Transform (NTT) is widely employed to accelerate computations in lattice-based cryptography. At CHES 2024, Yu et al. introduced a class of side-channel attacks targeting NTT operations in the simplified Kyber and NTTRU schemes. Their work demonstrated that side-channel leakages, modeled as modular hints, can reveal partial information about the private key. These modular hints were subsequently integrated into the Learning With Errors (LWE) or NTRU lattices to reduce the overall computational complexity of key recovery. However, their approach fails to fully exploit the potential of these modular hints. Our key observation is that these modular hints are sufficient to directly construct low-dimensional lattices, rather than integrating them into the original high-dimensional one. In this paper, for the simplified CPA-secure Kyber scheme, we directly utilize the extracted modular hints to construct low-dimensional lattices. Subsequently, the adversary leverages lattice reduction algorithms to search for non-zero shortest vectors within these lattices. Our experimental results confirm that the full private key can be recovered within 400 seconds on a personal computer. Therefore, our attack practically recovers the private key. However, the method proposed by Yu et al. at CHES 2024 cannot achieve this. Furthermore, for the CCA-secure NTTRU scheme, we extract additional modular hints based on the side-channel methodology proposed by Yu et al. We combine the special structure of the NTTRU private key with Gaussian elimination to generate low-dimensional lattices, and subsequently estimate the hardness of solving the non-zero Shortest Vector Problem using the estimation methodology adopted by Yu et al. The results indicate that we reduce the computational complexity of key recovery to 2^34, a significant improvement over the 2^114 computational complexity reported by Yu et al. at CHES 2024.