Chosen-Ciphertext Attacks Against MOSQUITO
نویسندگان
چکیده
Self-Synchronizing Stream Ciphers (SSSC) are a particular class of symmetric encryption algorithms, such that the resynchronization is automatic, in case of error during the transmission of the ciphertext. In this paper, we extend the scope of chosen-ciphertext attacks against SSSC. Previous work in this area include the cryptanalysis of dedicated constructions, like KNOT, HBB or SSS. We go further to break the last standing dedicated design of SSSC, i.e. the ECRYPT proposal MOSQUITO. Our attack costs about 2 computation steps, while a 96-bit security level was expected. It also applies to ΓΥ (an ancestor of MOSQUITO) therefore the only secure remaining SSSC are blockcipher-based constructions.
منابع مشابه
Chosen-Ciphertext Security of Multiple Encryption
Encryption of data using multiple, independent encryption schemes (“multiple encryption”) has been suggested in a variety of contexts, and can be used, for example, to protect against partial key exposure or cryptanalysis, or to enforce threshold access to data. Most prior work on this subject has focused on the security of multiple encryption against chosen-plaintext attacks, and has shown con...
متن کاملSecurity Analysis of Signcryption Scheme from q-Diffie-Hellman Problems
SUMMARY In this paper, we analyse the Libert-Quisquater's q-DH signcryption scheme proposed in SCN'2004. Although the paper proved that their scheme is secure against adaptive chosen ciphertext attacks in the random oracle model, we disprove their claim and show that their scheme is not even secure against non-adaptive chosen ciphtertext attacks, which is the weaker security than the adaptive c...
متن کاملProtecting NTRU Against Chosen Ciphertext and Reaction Attacks
This report describes how the Fujisaki-Okamoto SelfReferential Technique (FOSRT) can be used to make the NTRU Public Key Cryptosystem resistant to adaptive chosen ciphertext attacks and to reaction attacks. Many asymmetric ciphers are susceptible to (adaptive) chosen ciphertext attacks. An attacker sends a series of purported ciphertexts e1, e2, . . . and uses the decryptions to deduce informat...
متن کاملNote for Technical Report #007 Version 2. the Material on Oaep in This Report Has Been Superceded by Ntru Technical Report #016, " Protecting Ntru against Chosen Ciphertext and Reaction Attacks, " Available At
RSA and Bell Labs [2, 3] have recently announced a potential attack on certain public key protocols, along with several suggested countermeasures. The most secure of these countermeasures uses the concept of plaintext aware, which means that it should be infeasible to construct a valid ciphertext without knowing the corresponding plaintext. Failure to be plaintext aware may open a cryptosystem ...
متن کاملRelations among Privacy Notions for Signcryption and Key Invisible "Sign-then-Encrypt"
Signcryption simultaneously offers authentication through unforgeability and confidentiality through indistinguishability against chosen ciphertext attacks by combining the functionality of digital signatures and public-key encryption into a single operation. Libert and Quisquater (PKC 2004) extended this set of basic requirements with the notions of ciphertext anonymity (or key privacy) and ke...
متن کامل