Published by Myles McGee. Modified over 9 years ago.
1
Recent Attacks on the Filter Generator
Tor Helleseth, Department of Informatics, University of Bergen, NORWAY
Joint work: Sondre Rønjom and Guang Gong
2
Outline
- Filter generator
  - m-sequences
  - Nonlinear Boolean functions
- Standard algebraic attack on the filter generator
- New attack on the binary filter generator
- Extending attack to filter generator over $GF(2^m)$
- Linear representations of filter generator
- Generalizations of attack
3
m-Sequence (Example)
$(s_t)$: 000100110101111…
$s_{t+4} = s_{t+1} + s_t$, $g(x) = x^4 + x + 1$
Properties of m-sequences
- Period $\varepsilon = 2^n - 1$
- Balanced
- Run properties
- s t +s t+ =s t+
- Two-level autocorrelation
$s_t = Tr_n(A\alpha^t) = \sum_j (A\alpha^t)^{2^j} = A_1\alpha^{t} + A_2\alpha^{2t} + A_3\alpha^{4t} + A_4\alpha^{8t}$
4
Binary Filter Generator
[Figure: LFSR S feeding the Boolean function f, which outputs the keystream $z_t$]
- LFSR of length n generating an m-sequence $(s_t)$ of period $2^n - 1$ determined by initial state $(s_0, s_1, \ldots, s_{n-1})$
- Nonlinear Boolean function $f(x_0, x_1, \ldots, x_{n-1})$ of degree d
  $f(x_0, x_1, \ldots, x_{n-1}) = \sum c_{a_0 a_1 \ldots a_{r-1}} x_{a_0} x_{a_1} \cdots x_{a_{r-1}} = \sum_A c_A x_A$
- Keystream $z_t = f(s_t, s_{t+1}, \ldots, s_{t+n-1}) = f_t(s_0, s_1, \ldots, s_{n-1})$
5
Standard Algebraic Attack
- Shift register m-sequence $(s_t)$ of period $2^n - 1$
- Boolean function $f(x_0, x_1, \ldots, x_{n-1})$ of degree d
- $z_t = f(s_t, s_{t+1}, \ldots, s_{t+n-1}) = f_t(s_0, s_1, \ldots, s_{n-1})$
- Nonlinear equation system of degree d in n unknowns $s_0, \ldots, s_{n-1}$
- Reduce to linear system in D unknown monomials
  $D = \binom{n}{d} + \binom{n}{d-1} + \cdots + \binom{n}{1}$
- Need about D keystream bits
- Complexity $D^{\omega}$, $\omega = \log_2 7 \approx 2.807$
- Courtois, Canteaut: filter generator to be secure needs
  - n=128, d ≥ 16, complexity > $2^{128}$ (ω ≈ 2)
  - n=256, d ≥ 30, complexity > $2^{256}$ (ω ≈ 2)
6
New Algebraic Attack
Rønjom-Helleseth 2006
- Recovering initial state of the binary filter generator in complexity
  - Pre-computation $O(D(\log_2 D)^3)$
  - Attack $O(D)$
  - Need D keystream bits
- Main idea
  - Coefficient sequences of $I = \{i_0, i_1, \ldots, i_{r-1}\}$
  - Consider (binary) coefficient $K_{I,t}$ in $f_t(s_0, s_1, \ldots, s_{n-1})$ of the monomial $s_I = s_{i_0} s_{i_1} \cdots s_{i_{r-1}}$ at time t
  - $K_{I,t}$ obeys some nice recursions
7
Example - Coefficient Sequences
Let $s_{t+4} = s_{t+1} + s_t$, i.e., $s_4 = s_1 + s_0$
$z_t = f(s_t, s_{t+1}, s_{t+2}, s_{t+3}) = s_{t+2} + s_t s_{t+1} + s_{t+1} s_{t+2} s_{t+3} + s_t s_{t+1} s_{t+2} s_{t+3}$
$z_0 = f_0(s_0,s_1,s_2,s_3) = s_2 + s_0 s_1 + s_1 s_2 s_3 + s_0 s_1 s_2 s_3$
$z_1 = f_1(s_0,s_1,s_2,s_3) = s_3 + s_1 s_2 + s_0 s_2 s_3 + s_0 s_1 s_2 s_3$
$z_2 = f_2(s_0,s_1,s_2,s_3) = s_0 + s_1 + s_1 s_3 + s_2 s_3 + s_0 s_1 s_3 + s_1 s_2 s_3 + s_0 s_1 s_2 s_3$
$z_3 = f_3(s_0,s_1,s_2,s_3) = s_1 + s_2 + s_0 s_2 + s_0 s_3 + s_1 s_3 + s_0 s_1 s_2 + s_0 s_2 s_3 + s_0 s_1 s_2 s_3$
$z_4 = f_4(s_0,s_1,s_2,s_3) = s_1 + s_2 + s_3 + s_0 s_1 + s_0 s_2 + s_1 s_2 + s_0 s_1 s_3 + s_0 s_1 s_2 s_3$
$z_5 = f_5(s_0,s_1,s_2,s_3) = s_0 + s_1 + s_2 + s_3 + s_1 s_3 + s_2 s_3 + s_0 s_1 s_2 + s_0 s_1 s_3 + s_0 s_1 s_2 s_3$
Some coefficient sequences
- $I = \{0,1,2,3\}$: $K_{I,t}$ = 1 1 1 1 1 1 ...
- $I = \{0,2,3\}$: $K_{I,t}$ = 0 1 0 1 0 0 ...
- $I = \{1,3\}$: $K_{I,t}$ = 0 0 1 1 0 1 ...
8
Coefficient Sequence
- Let $I = \{i_0, i_1, \ldots, i_{r-1}\}$ and $s_I = s_{i_0} s_{i_1} \cdots s_{i_{r-1}}$
- The coefficient of the monomial $s_I$ at time t is called $K_{I,t}$
- The coefficient sequence $K_{I,t}$ is defined by
  $z_t = f(s_t, s_{t+1}, \ldots, s_{t+n-1}) = f_t(s_0, s_1, \ldots, s_{n-1}) = \sum_I s_I K_{I,t}$
- The main idea behind the attack is to determine the characteristic polynomial of $K_{I,t}$
- The main task is to compute a polynomial $p(x) = \sum_j p_j x^j$ that generates $K_{I,t}$ for $|I| \ge 2$ (and hopefully not $K_{I,t}$ for $|I| = 1$).
9
Coefficient Sequences – Example
$f(s_0,s_1,s_2,s_3) = s_2 + s_0 s_1 + s_1 s_2 s_3 + s_0 s_1 s_2 s_3$; $s_4 = s_0 + s_1$

            f0  f1  f2  f3  f4  f5  f6  f7  f8  f9  f10 f11 f12 f13 f14
s0          0   0   1   0   0   1   1   1   1   0   1   0   0   0   1    K_{0,t}
s1          0   0   1   1   1   1   0   1   0   0   0   1   0   0   1    K_{1,t}
s2          1   0   0   1   1   1   1   0   1   0   0   0   1   0   0    K_{2,t}
s3          0   1   0   0   1   1   1   1   0   1   0   0   0   1   0    K_{3,t}
s0s1        1   0   0   0   1   0   0   1   0   1   1   0   0   0   0    K_{01,t}
s0s2        0   0   0   1   1   0   1   1   0   1   1   0   0   0   0    K_{02,t}
s1s2        0   1   0   0   1   0   1   1   0   0   0   0   1   0   0    K_{12,t}
s0s3        0   0   0   1   0   0   1   0   1   1   0   0   0   0   1    K_{03,t}
s1s3        0   0   1   1   0   1   1   0   1   1   0   0   1   0   0    K_{13,t}
s2s3        0   0   1   0   0   1   0   1   1   0   0   0   1   0   0    K_{23,t}
s0s1s2      0   0   0   1   0   1   0   0   1   1   0   1   1   1   0    K_{012,t}
s0s1s3      0   0   1   0   1   0   0   1   1   0   1   1   1   0   0    K_{013,t}
s0s2s3      0   1   0   1   0   0   1   1   0   1   1   1   0   0   0    K_{023,t}
s1s2s3      1   0   1   0   0   1   1   0   1   1   1   0   0   0   0    K_{123,t}
s0s1s2s3    1   1   1   1   1   1   1   1   1   1   1   1   1   1   1    K_{0123,t}
10
Recursion - Coefficient Sequences

            f0  f1  f2  f3  f4  f5  f6  f7  f8  f9  f10 f11 f12 f13 f14
s0          0   0   1   0   0   1   1   1   1   0   1   0   0   0   1    K_{0,t}
s1          0   0   1   1   1   1   0   1   0   0   0   1   0   0   1    K_{1,t}
s2          1   0   0   1   1   1   1   0   1   0   0   0   1   0   0    K_{2,t}
s3          0   1   0   0   1   1   1   1   0   1   0   0   0   1   0    K_{3,t}
s0s1        1   0   0   0   1   0   0   1   0   1   1   0   0   0   0    K_{01,t}
s0s2        0   0   0   1   1   0   1   1   0   1   1   0   0   0   0    K_{02,t}
s1s2        0   1   0   0   1   0   1   1   0   0   0   0   1   0   0    K_{12,t}
s0s3        0   0   0   1   0   0   1   0   1   1   0   0   0   0   1    K_{03,t}
s1s3        0   0   1   1   0   1   1   0   1   1   0   0   1   0   0    K_{13,t}
s2s3        0   0   1   0   0   1   0   1   1   0   0   0   1   0   0    K_{23,t}
s0s1s2      0   0   0   1   0   1   0   0   1   1   0   1   1   1   0    K_{012,t}
s0s1s3      0   0   1   0   1   0   0   1   1   0   1   1   1   0   0    K_{013,t}
s0s2s3      0   1   0   1   0   0   1   1   0   1   1   1   0   0   0    K_{023,t}
s1s2s3      1   0   1   0   0   1   1   0   1   1   1   0   0   0   0    K_{123,t}
s0s1s2s3    1   1   1   1   1   1   1   1   1   1   1   1   1   1   1    K_{0123,t}
11
Calculating $g_i(x)$ - m=4
Characteristic polynomial $g(x) = x^4 + x + 1$
$g(\alpha) = \alpha^4 + \alpha + 1 = 0$, $\alpha^{15} = 1$
$g_4(x) = \prod_{wt(l)=4} (x + \alpha^l) = x + 1$
$g_3(x) = \prod_{wt(l)=3} (x + \alpha^l) = x^4 + x^3 + 1$
$g_2(x) = \prod_{wt(l)=2} (x + \alpha^l) = (x^4 + x^3 + x^2 + x + 1)(x^2 + x + 1)$
$g_1(x) = \prod_{wt(l)=1} (x + \alpha^l) = x^4 + x + 1$
$p(x) = g_2(x) g_3(x) g_4(x) = x^{11} + x^8 + x^7 + x^5 + x^3 + x^2 + x + 1 = \sum_i p_i x^i$
- $K_{I,t}$, $|I| = 4$: generated by $g_4(x)$ (and by $p(x)$)
- $K_{I,t}$, $|I| = 3$: generated by $g_3(x) g_4(x)$ (and by $p(x)$)
- $K_{I,t}$, $|I| = 2$: generated by $g_2(x) g_3(x) g_4(x)$ (and by $p(x)$)
- $K_{I,t}$, $|I| = 1$: generated by $g_1(x) g_2(x) g_3(x) g_4(x)$
12
Characteristic polynomial of $K_{I,t}$
$(s_t) \in \Omega(g(x))$ (denotes $(s_t)$ is generated by $g(x)$)
- Zeros of $g(x)$: $\alpha^{2^i}$ $(= \alpha^r)$, $w(r) = 1$
- $z_t = f(s_t, s_{t+1}, \ldots, s_{t+n-1}) = \sum_I s_I K_{I,t}$, $d = \deg(f)$
- $s_t = \sum_i s_i l_{it}$ ($l_{it} \in \Omega(g(x))$, $l_{it} = \sum_j A_{ij} \alpha^{2^j t}$)
Let $|I| = d$: $K_{I,t} \in \Omega(g_d(x))$ with zeros $\alpha^r$, $w(r) = d$
Let $|I| = d-1$: $K_{I,t} \in \Omega(g_{d-1}(x) g_d(x))$ with zeros $\alpha^r$, $w(r) \in \{d-1, d\}$
...
Let $|I| = 2$: $K_{I,t} \in \Omega(g_2(x) \cdots g_d(x))$ with zeros $\alpha^r$, $w(r) \in \{2, 3, \ldots, d\}$
Conclusion: $K_{I,t} \in \Omega(p(x))$, $p(x) = g_2(x) \cdots g_d(x)$, for all coefficient sequences with $|I| \ge 2$ (i.e., for all nonlinear terms)
13
Key Argument in Attack
From the received keystream $z_j$ for $j = 0, 1, \ldots, D-1$ compute for $t = 0, 1, \ldots, n-1$
$z_t^* = \sum_j p_j z_{t+j}$ $(= \sum_j p_j f_{t+j}(s_0, s_1, \ldots, s_{n-1}))$
$= \sum_j p_j \sum_I s_I K_{I,t+j}$
$= \sum_I s_I \sum_j p_j K_{I,t+j}$
$= \sum_{|I| \le 1} s_I \sum_j p_j K_{I,t+j}$
= Affine in $s_0, s_1, \ldots, s_{n-1}$
This gives a linear n x n system of equations for finding the initial state $s_0, s_1, \ldots, s_{n-1}$
14
The New Attack
$z_t = f(s_t, s_{t+1}, \ldots, s_{t+n-1}) = f_t(s_0, s_1, \ldots, s_{n-1}) = \sum_I s_I K_{I,t}$
Precomputation - Complexity $O(D(\log_2 D)^3)$
- Compute $p(x) = \prod_{d \ge wt(l) \ge 2} (x + \alpha^l)$ of degree D–n that generates all coefficient sequences $K_{I,t}$ for $|I| \ge 2$ (and hopefully not $K_{I,t}$ for $|I| = 1$)
- Compute $f_t^*(s_0, s_1, \ldots, s_{n-1}) = \sum_j p_j f_{t+j}(s_0, s_1, \ldots, s_{n-1})$ $(= z_t^* = \sum_j p_j z_{t+j})$ for $t = 0, 1, \ldots, n-1$
  (Need only linear part of $f_{t+j}$ and only $f_0^*$ since $f_1^*, f_2^*, \ldots, f_{n-1}^*$ easily found from $f_0^*$. If $f_0^* = 0$ need to modify attack)
Attack – Complexity $O(D)$
- From the received keystream $z_t$ for $i = 0, 1, \ldots, D-1$ compute
  $z_t^* = \sum_j p_j z_{t+j}$ $(= \sum_I s_I \sum_j p_j K_{I,t+j} = f_t^*$ = Affine in $s_0, s_1, \ldots, s_{n-1})$
- This gives a linear n x n system of equations for finding the bits in the initial state (secret key) $s_0, s_1, \ldots, s_{n-1}$
15
The Attack - Example
Precomputation ($f_0^* = f_{11} + f_8 + f_7 + f_5 + f_3 + f_2 + f_1 + f_0$)

        f0* f1  f2  f3  f4  f5  f6  f7  f8  f9  f10 f11 f12 f13 f14
s0      0   0   1   0   0   1   1   1   1   0   1   0   0   0   1
s1      1   0   1   1   1   1   0   1   0   0   0   1   0   0   1
s2      0   0   0   1   1   1   1   0   1   0   0   0   1   0   0
s3      1   1   0   0   1   1   1   1   0   1   0   0   0   1   0

Attack – Keystream 100010010011110
Equation system ($z_t^* = z_{t+11} + z_{t+8} + z_{t+7} + z_{t+5} + z_{t+3} + z_{t+2} + z_{t+1} + z_t$)
$f_0^* = s_1 + s_3 = z_0^* = 1$
$f_1^* = s_0 + s_1 + s_2 = z_1^* = 0$
$f_2^* = s_1 + s_2 + s_3 = z_2^* = 0$
$f_3^* = s_0 + s_1 + s_2 + s_3 = z_3^* = 1$
Solution (secret key) $s_0 = 1$, $s_1 = 0$, $s_2 = 1$, $s_3 = 1$
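The precomputation and attack steps of the slides, carried through on the n=4 example above, as an added example (not code from the presentation). The function names are assumptions made here; the LFSR, the function f, the keystream and the expected p(x) are the ones shown on the slides.

```python
N, G = 4, 0b10011    # LFSR length n; g(x) = x^4 + x + 1, alpha = x (0b0010)

def gf_mul(a, b):
    """Multiply two elements of GF(2^4) = GF(2)[x]/g(x)."""
    r = 0
    while b:
        r ^= a * (b & 1)
        a, b = a << 1, b >> 1
        a ^= G * (a >> N)                         # reduce modulo g(x)
    return r

def annihilator(d):
    """p(x) = prod (x + alpha^l) over 2 <= wt(l) <= d, coefficients low to high."""
    p, a = [1], 1
    for l in range(1, 2**N):
        a = gf_mul(a, 2)                          # a = alpha^l
        if 2 <= bin(l).count("1") <= d:
            p = [x ^ gf_mul(a, y) for x, y in zip([0] + p, p + [0])]
    return p

def keystream(state, length):
    """z_t = f(s_t..s_{t+3}) with the slides' f and s_{t+4} = s_{t+1} + s_t."""
    s = list(state)
    while len(s) < length + N:
        s.append(s[-4] ^ s[-3])
    return [s[t+2] ^ (s[t] & s[t+1]) ^ (s[t+1] & s[t+2] & s[t+3])
            ^ (s[t] & s[t+1] & s[t+2] & s[t+3]) for t in range(length)]

def filtered(z, p):
    """z*_t = sum_j p_j z_{t+j} for t = 0..n-1 (needs n + deg p keystream bits)."""
    return [sum(pj & z[t + j] for j, pj in enumerate(p)) & 1 for t in range(N)]

def recover_state(z, p):
    """Solve z* = M s over GF(2); f_t at unit state e_i is K_{i,t}, giving column i of M."""
    cols = [filtered(keystream([int(i == k) for k in range(N)], len(z)), p) for i in range(N)]
    rows = [[c[t] for c in cols] + [zs] for t, zs in enumerate(filtered(z, p))]
    for c in range(N):                            # Gauss-Jordan elimination
        piv = next((r for r in range(c, N) if rows[r][c]), None)
        if piv is None:
            raise ValueError("singular system: the attack must be modified")
        rows[c], rows[piv] = rows[piv], rows[c]
        for r in range(N):
            if r != c and rows[r][c]:
                rows[r] = [x ^ y for x, y in zip(rows[r], rows[c])]
    return [row[N] for row in rows]

if __name__ == "__main__":
    z = [int(b) for b in "100010010011110"]       # keystream from the slide
    print(annihilator(4), recover_state(z, annihilator(4)))
```
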
16
Filter Generator over $GF(2^m)$
[Figure: LFSR S feeding the Boolean function f, which outputs the keystream $z_t$]
- LFSR of length k generating an m-sequence $(S_t)$ of period $2^n - 1$ over $GF(2^m)$, $n = mk$
- Boolean function $f(x_0, x_1, \ldots, x_{m-1})$ of degree d (f acts on a single m-bit word $S_t = (s_{mt}, s_{mt+1}, \ldots, s_{mt+m-1})$)
- Keystream $z_t = f(s_{mt}, s_{mt+1}, \ldots, s_{mt+m-1}) = f_t(s_0, s_1, \ldots, s_{n-1})$
17
Filter Generator over $GF(2^m)$
- Let $S_t = (s_{mt}, s_{mt+1}, \ldots, s_{mt+m-1})$
- Let $(s_0, s_1, \ldots, s_{n-1})$ be the $n = mk$ bits in the initial state
- Define coefficient sequences $z_t = \sum_I s_I K_{I,t}$
Results
1. $K_{I,t}$ generated by $g_{|I|}(x)$ with zeros $\alpha^r$, $|I| \le w(r) \le d$
2. Linear complexity of $z_t$ is reduced (when f acts on a single word). Typically the reduction in linear complexity is by a factor of roughly $e^{-d^2(k-1)/2n}$
18
WG Cipher
- LFSR of length k=11 over $GF(2^{29})$ (n=319)
- Boolean function of degree 11 acts on a single 29-bit word
- Linear complexity of keystream $L = 2^{45.014}$
  $L \ll D = \binom{319}{11}$
- Restrict keystream to $2^{45}$ bits
- Attack can reconstruct initial state with complexity L with precomputation of complexity $O(L(\log_2 L)^3) \approx 2^{62}$ but needs L bits of keystream
19
Linear Representation - Filter Generator
Example $s_{t+3} = s_{t+1} + s_t$
State $S_{t+1} = S_t T_1$, $S_t = (s_t, s_{t+1}, s_{t+2})$
$(s_1, s_2, s_3) = (s_0, s_1, s_2) T_1$,
$T_1 = \begin{pmatrix} 0 & 0 & 1 \\ 1 & 0 & 1 \\ 0 & 1 & 0 \end{pmatrix}$
Extended state $S_t = (s_t, s_{t+1}, s_{t+2}, s_t s_{t+1}, s_t s_{t+2}, s_{t+1} s_{t+2}, s_t s_{t+1} s_{t+2})$
Then
$S_0 = (s_0, s_1, s_2, s_0 s_1, s_0 s_2, s_1 s_2, s_0 s_1 s_2)$
↓ T
$S_1 = (s_1, s_2, s_3, s_1 s_2, s_1 s_3, s_2 s_3, s_1 s_2 s_3)$
$= (s_1, s_2, s_0 + s_1, s_1 s_2, s_1 + s_0 s_1, s_0 s_2 + s_1 s_2, s_0 s_1 s_2 + s_1 s_2)$
20
Matrix Representation – Filter Generator
$S_0 = (s_0, s_1, s_2, s_0 s_1, s_0 s_2, s_1 s_2, s_0 s_1 s_2)$
↓ T
$S_1 = (s_1, s_2, s_0 + s_1, s_1 s_2, s_1 + s_0 s_1, s_0 s_2 + s_1 s_2, s_0 s_1 s_2 + s_1 s_2)$
T (rows indexed by the entries of $S_0$, columns by the entries of $S_1$):

            s1  s2  s3  s1s2  s1s3  s2s3  s1s2s3
s0          0   0   1   0     0     0     0
s1          1   0   1   0     1     0     0
s2          0   1   0   0     0     0     0
s0s1        0   0   0   0     1     0     0
s0s2        0   0   0   0     0     1     0
s1s2        0   0   0   1     0     1     1
s0s1s2      0   0   0   0     0     0     1

$S_{t+1} = S_t T$
21
T - Transforms Boolean Function
- Let $I = \{i_0, i_1, \ldots, i_{r-1}\}$ and $s_I = s_{i_0} s_{i_1} \cdots s_{i_{r-1}}$
- $f(s_0, s_1, \ldots, s_{n-1}) = \sum_I c_{I,f} s_I$
- Consider f as a vector (in a natural way) such that
  $f = (0101101)$ $(= c_{I,f})$ ↔ $s_1 + s_0 s_1 + s_0 s_2 + s_0 s_1 s_2$
- Then $f_{t+1} = T f_t$
- Thus the equations in the filter generator are $z_t = S_0 T^t f$, which represents the relation $z_t = f_t(s_0, s_1, \ldots, s_{n-1}) = f(s_t, s_{t+1}, \ldots, s_{t+n-1})$
22
$T^t$ - Coefficient Sequences
- Let I, J be subsets of $\{0, 1, \ldots, n-1\}$
- Let $J = \{j_0, j_1, \ldots, j_{r-1}\}$
- $g_i(x) = \prod (x + \alpha^l)$, $wt(l) = i$
- $s_{t+J} = s_{t+j_0} s_{t+j_1} \cdots s_{t+j_{r-1}} = \sum_I s_I K_{I,J,t}$
- $K_{I,J,t}$ generated by $g_{|I|}(x) g_{|I|+1}(x) \cdots g_{|J|}(x)$
Lemma: Let $p(x) = g_2(x) \cdots g_d(x)$
- $(T^t)_{I,J} = K_{I,J,t}$
- $p(T) = 0$ except for the elements in the first n rows
23
Attack Described Using T
Let $p(x) = g_2(x) \cdots g_d(x)$, $g_i(x) = \prod (x + \alpha^l)$, $wt(l) = i$
$z_t = S_0 T^t f$
From the received keystream $z_j$ for $j = 0, 1, \ldots, D-1$ compute for $t = 0, 1, \ldots, n-1$
$z_t^* = \sum_j p_j z_{t+j}$ $(= \sum_j p_j f_{t+j}(s_0, s_1, \ldots, s_{n-1}))$
$= S_0 \sum_j p_j T^{t+j} f$
$= S_0 T^t \sum_j p_j T^j f$
$= S_0 T^t p(T) f$
= Affine in $s_0, s_1, \ldots, s_{n-1}$
This gives a linear n x n system of equations for finding the initial state $s_0, s_1, \ldots, s_{n-1}$, since all rows except the first n rows in $p(T)$ are 0
24
Finding Initial State
- Let $s_t = Tr(\beta\alpha^t)$ represent the initial state of the LFSR
- Let $g_i(x)$ have zeros $\alpha^j$ where $wt(j) = i$
- Let $z_t = \sum_j Tr(A_j (\beta\alpha^t)^j) \in \Omega(g_1 g_2 \cdots g_d)$
- Let $p(x) = (g_1 g_2 \cdots g_d)/p_k$, $p_k(x)$ min. pol. of $\alpha^k$, $wt(j) \le d$, where $A_k \ne 0$ and $\gcd(k, 2^n - 1) = 1$
- Then $u_t = p(E) z_t = \sum_j p_j z_{t+j} = \sum_j Tr(A_j \beta^j p(\alpha^j) \alpha^{tj}) = Tr(A_k \beta^k p(\alpha^k) \alpha^{tk})$
- Let $r = A_k \beta^k p(\alpha^k)$; we can find r
- Gong (1990) gives explicit formulae for $A_k$
- Since $A_k \ne 0$, if $\gcd(k, 2^n - 1) = 1$ we find $\beta$, i.e. the initial state (alternatively, if $\gcd(k, 2^n - 1) > 1$ we do it once more to find $k'$ and hopefully $\gcd(k - k', 2^n - 1) > 1$)
25
Finding r from $u_t = Tr(r\gamma^t)$
Let $x_i = r^{2^i}$ and $\alpha_i = \gamma^{2^i}$
$u_t = Tr(r\gamma^t) = r\gamma^t + (r\gamma^t)^2 + \cdots + (r\gamma^t)^{2^{n-1}} = \alpha_0^t x_0 + \alpha_1^t x_1 + \cdots + \alpha_{n-1}^t x_{n-1}$
Then
$x_0 + x_1 + \cdots + x_{n-1} = u_0$
$\alpha_0 x_0 + \alpha_1 x_1 + \cdots + \alpha_{n-1} x_{n-1} = u_1$
...
$\alpha_0^{n-1} x_0 + \alpha_1^{n-1} x_1 + \cdots + \alpha_{n-1}^{n-1} x_{n-1} = u_{n-1}$
Then $r = x_0$ can be determined from $u_0, u_1, \ldots, u_{n-1}$ since the coefficient matrix is a Vandermonde matrix
26
Conclusions
- New attack on the filter generator of complexity $O(D)$
- If $z_t \in \Omega(h(x))$ for all keystreams for some $h(x)$ of degree L (< D), then the initial state can be recovered in complexity $O(L)$ with a precomputation $O(L(\log_2 L)^3)$
- Linear representation related to coefficient sequences
- Generalized to filter generator over $GF(2^m)$
- Can be generalized to LSM, not necessarily LFSR
- Can be generalized to nonlinear combiner generator
- Can reduce the number of known bits needed by finding a sequence $b_t$ such that $z_t b_t = a_t$ has certain properties
27
Simple underlying idea
- Let $z_t = A_1 \alpha_1^t + A_2 \alpha_2^t + \cdots + A_D \alpha_D^t$
- Let $p(x)$ have roots $\alpha_i$
- Compute $p(E) z_t = \sum_j p_j z_{t+j}$
- Then $u_t = p(E) z_t = \sum A_i\, p(\alpha_i^t)$