SlideShare uma empresa Scribd logo

Cryptanalysis of the seal encryption algorithm

D
degarden
EducaçãoTecnologia
1 de 12
Baixar para ler offline
2 Cryptanalysis of the SEAL Encryption Algorithm Helena Handschuh ? Gemplus PSI 1, Place de la Mediterranee 95200 Sarcelles France Henri Gilbert France Telecom CNET PAA-TSA-SRC 38-40 Rue du General Leclerc 92131 Issy-les-Moulineaux France Abstract. SEAL was rst introduced in 1] by Rogaway and Copper- smith as a fast software- oriented encryption algorithm. It is a pseu- dorandom function which stretches a short index into a much longer pseudorandom string under control of a secret key pre-processed into internal tables. In this paper we rst describe an attack of a simpli ed version of SEAL, which provides large parts of the secret tables from ap- proximately 224 algorithm computations. As far as the original algorithm is concerned, we construct a test capable of distinguishing SEAL from a random function using approximately 230 computations. Moreover, we describe how to derive some bits of information about the secret tables. These results were con rmed by computer experiments. 1 Description of the SEAL Algorithm SEAL is a length-increasing "pseudorandom" function which maps a 32-bit string n to an L-bit string SEAL(n) under a secret 160-bit key a. The output length L is meant to be variable, but is generally limited to 64 kbytes. In this paper, we assume it is worth exactly 64 kbytes (214 32-bit words), but all our results could be obtained with a smaller output length. The key a is only used to de ne three secret tables R, S , and T . These ta- bles respectively contain 256, 256 and 512 32-bit values which are derived from the Secure Hash Algorithm (SHA) 2] using a as the secret key and re-indexing the 160-bit output into 32-bit output words. SEAL is the result of the two cascaded generators shown below. ? The study reported in this paper was performed while Helena Handschuh was work- ing at France Telecom-CNET.
n n n n 8 16 24 R4]l R 4 + 1] l R 4 + 2] l R 4 + 3] l p1 - T -+ 2 q1 - T -+ 2 p2 - T -+ 2 - T -+ 2 q- 2 p3 - T -+ 2 q3 - T -+ 2 p4 - T -+ 2 - T -+ 2 q- 4 n3(= n2(= n4 (= n1(= p5 - T -+ 2 q5 - T -+ 2 p6 - T -+ 2 - T -+ 2 q- 6 ? ? ? ? A0 B0 C0 D0 Fig. 1. The rst generator of SEAL Ai?1 + n1 Bi?1 Ci?1 + n2 Di?1 p1 - T -+ 2 - q1 -T - -+ 2 p1 + p- T -+ 2 2 2 - q- -T- 1 + q2 2 -+ 2 p2 - + p- T - 2 3 q2 + q- T -+ p3 2 3 2 + p- T - 2 4 q- - T -+ 2 3 + q4 2 ? ? ? ? A i Bi Ci Di Fig. 2. The second generator of SEAL (ith iteration)
The rst generator uses a routine depending on the a-derived tables R and T depicted at gure 1. It maps the 32-bit string n and the 6-bit counter l to four 32-bit words A0 , B 0 , C 0, D0 and another four 32-bit words n1 , n2 , n3, n4. These eight words are to be used by the second generator. The second generator uses a routine depending on the a-derived tables de- picted at gure 2. There are 64 iterations of this routine, indexed by i = 1 to 64. A0 B 0 C 0D0 serves as an input to the rst iteration, producing an A1B 1 C 1D1 block. For the next iterations, the input block is alternately (Ai?1 + n1; B i?1 ; C i?1+n2; Di?1) for even i values and (Ai?1 +n3; B i?1 ; C i?1+n4; Di?1) for odd i values. At iteration i, the output block (Y1i , Y2i , Y3i, Y4i ) is deduced from the intermediate block (Ai ,B i ,C i,Di ) using the a-derived table S as shown below in gure 3. Ai Bi Ci Di S 4i ? 1] -L S 4i ? 4] - + S 4i ? 3] -L S 4i ? 2] - + ? ? ? ? Y1 i Y2 i Y3 i Y4 i Fig. 3. Deriving the generator output In the above gures : { stands for the XOR function; { 2 stands for the sum (mod 232); { stands for a right rotation of 9 bits; { N stands for a right rotation of N bits; { p1 through p4 and q1 through q4 stand for the inputs of table T obtained from the 9 bits 2 to 11 of values A, B , C and D; for instance in gure 1, p1 = A&0x7fc. Concerning the de nition of SEAL, more details can be found in 1] and in 2]. The algorithm is divided into three steps. { First we compute the internal tables under the secret key a. The security of this step relies on SHA which is assumed to be highly secure. Therefore, R, S and T are pseudorandom tables. { Second we compute A0, B 0, C 0, D0 , n1, n2, n3 and n4 from n, l and table R. This is what we already called the rst generator. Let us assume the output is pseudorandom as well.
{ Finally, the second generator computes iteratively the Ai Bi C iDi blocks, from which the Y1i , Y2i, Y3i , Y4i values are derived. We change the original notations as follows : Y1i = Ai S1 i Y2i = Bi + Si 2 Y3i = C i S3 i Y4i = Di + S i : 4 In this part we found certain weaknesses which are investigated in Sections 3 and 4. 2 Preliminaries 2.1 Role of mod 232 additions Although the combined use of the + and operations probably strengthens SEAL as compared with a situation where only one of these operations would be used, we do not believe that this represents the main ingredient of the secu- rity of SEAL, which is essentially a table- driven algorithm. As a matter of fact, any x + y sum can be written : x + y = x y c(x; y) where the carry word c(x; y) is far from being uniformly distributed thus + just introduces an additional, unbalanced term, as compared with . This remark led us to assume that replacing in SEAL (more precisely in the second generator of gure 2) all + operators by xors would not fundamentally modify the nature of the algorithm, and that cryptanalytic results obtained with such a simpli ed version could at least partially be transposed to the real cipher. The results of our analysis of this simpli ed version of SEAL are summarised in Section 3 hereafter. 2.2 The three words Di?1 , C i and Di are correlated Let us consider the function depicted at gure 2. Given a xed value of the iteration index i (say i = 3), the input and output to this function are known from the generator outputs (Y1i?1 , Y2i?1, Y3i?1, Y4i?1) and (Y1i , Y2i , Y3i , Y4i ) up to the following unknown words : { the 8 words (S1?1 , S2?1 , S3?1 , S4?1 ) and (S1, S2 , S3 , S4 ), which value does i i i i i i i i not depend upon the considered initial value (n; l). { the 2 words n1 and n2 , which value depends upon (n; l).
The involvement of the IV-dependent words n1 and n2 in the function consider- ably complicates the analysis of the ith iteration because of the randomisation e ect upon the input to output dependency. In order to nd statistics applicable to any IV value, we investigate how to "get rid" of any dependency in n1 and n2 in some relations induced by the equa- tion of iteration i. Let us consider the Di?1 input word and the C i and Di input words. Denote the output tables involved in the right part of gure 2 by : T1 = T p2], T2 = T q3] and T3 = T p4]. It is easy to establish the relation : (1) (Di?1 + T1) (C i 9 + T2 ) = (Di 18) (T3 9) This relation does not involve n1 and n2. The T1 ; T2 ; T3 terms in this relation can be seen as three random values selected from the T table. Since there are only 29 values in the T table, given any two words out of the (Di?1 , C i, Di ) triplets, there are at most 227 possible values for the third word of the triplet instead of 232 if Di?1 , C i and Di were statistically independent. This gives some evidence that the Di?1 input and the C i and Di output are statistically correlated, in a way which does not depend upon n1 and n2. In other words, the SEAL generator derives from an (n; l) initial value three slightly correlated output words Y4i?1, Y3i and Y4i. Relation (1) above represents the starting point for the various attacks reported in Sections 3 to 5 hereafter. 3 An Attack of a simpli ed version of SEAL In this Section we present an attack of the simpli ed version of SEAL obtained by replacing in gure 2 all mod 232 additions by xors. The attack is divided into four steps. 3.1 Step 1 We derive the unordered set of values of the T table, up to an unknown 32-bit constant Di . Relation (1) above represents the starting point for this deriva- tion. After replacing + by in (1) and Di?1 ; C i; Di by X4 = Y4i , Y3 = Y3i and Y4 = Y4i respectively, we obtain the relation : (2) Y4 Y3 9 X4 18 = T3 9 (T1 T2 ) 18 i 9
where the i constant depends upon the S table. T1 and T2 are 2 among 512 values of table T . Statistically speaking, once in 29, T1 = T2 , and T1 T2 = 0. If we compute 218 samples, each of the 512 values of table T i should appear once in average. We collect the combination of the generator output words given by the left term of (2) for about 221 (n; l) samples. Whenever one value appears more than 4 times, we assume this 21 a value of table T is i. All the other values have a probability of about 2232 to appear. This way, we nd about 490 out of 512 values of table T up to one constant value. 3.2 Step 2 The purpose of the second step is to compute a constant i which is needed in the third step in order to nd out statistics involving B i?1 , Di , Ai and B i (see Fig. 2.). Consider the following equation (3) established in a similar way to (2) from the relation between B i?1 and the output words : (3) Y4 9 Y2 Y1 9 X2 18 T3 18 = (T10 T20 ) 18 (T30 T40 ) 9 (S4 9 S2?1 18 S2 S1 9) i i i i where i = S4 i 9 S2?1 i 18 S2 S1 i i 9 i 18 For each sample, we can nd out T3 i by searching exhaustively the right combination (T1 , T2 , T3 ) in equation (2). In order to save time, we compute once and for all a table with the 218 values of (T1 T2 ) 18 and search for the right third value. We perform this search as well as the computation of the left term of (3) for 221 samples. Once in 218, T10 = T20 and T30 = T40 . This way the constant value i we are looking for appears at least 4 times. 3.3 Step 3 The purpose of this step is to nd out various values of n1. Once we have these values, we can make out the relation between the in and outputs of table T up to one constant value. Let us consider equation (4) established from the relation between Ai?1 and the output words : (4) X1 18 Y1 Y4 T20 9 T40 T3 9 = n1 18 S1?1 i 18 S4 S1 i i
We can nd out T20 i and T 0 4 i by searching the right combination of 0 ; T2; T3; T4 ) in equation (2) using the value i we made out in step 2. For (T1 0 0 0 each sample we compute, we get about 16 possibilities, as (T10 ; T20 ; T30 ; T40 ) gives 236 possible values for a 32- bit word. In order to nd the right combination, let us consider two distinct iteration indexes i and j : we know that for a given l value, if i is even (or odd), we always xor the same n1 (or n3 ) to the input A. Let us therefore take two rounds i and j that are both odd (or even). We need to know table T i, table T j , i and j . We collect samples of : { n1 18 i i?1 where i = S1 18 S4 S1 i; i i { n1 18 j j 9 i 9 as value T3 is found through table T i and values T 0 and T 0 through 2 4 table T j. We xor all the samples of round i with all the samples of round j . One of these values is the right combination of i j ( i j ) 9 Then we nd all the samples for rounds i and j of another value n1 (i.e. of round l). We compare these two sets of samples and make out the right value of n1 18 i . This step can be repeated various times to collect values of n1 while computing only once the tables T and the constants . 3.4 Step 4 In this step we nally derive the in and outputs of table T from equation (5): (5) p1 = ((X1 n1 S1?1 )&0x7fc)=4 i In this equation p1 is the input of table T . We have seen in the rst three steps that we can derive the value of T1 from in and output samples of SEAL. So we nally derive several values of : Tp i] i where i = ((S1?1 i i 18)&0x7fc)=4.
3.5 Summary Summing up the four steps we have just described, we can break the T table up to one constant value using about 2 221 samples of (n; l) for step 1, 2 221 samples of (n; l) for step 2 and about 29 values of (n; l) for steps 3 and 4. This means, the T table can be broken using about 224 samples of (n; l). We could probably go on breaking the simpli ed version of SEAL by nding out sets of values (n1 , n2 , n3 , n4 ), then trying to break the rst generator and nd table R, but this is not our purpose here. 4 A Test of the real version of SEAL In this Section we use some of the ideas of Vaudenay's Statistical Cryptanalysis of Block Ciphers 3] to distinguish SEAL from a truely random function. 4.1 2 Cryptanalysis The purpose of Vaudenay's paper is to prove that statistical analysis on ciphers such as DES may provide as e cient attacks as linear or di erential cryptanal- ysis. Statistical analysis enables to recover very low biases and a simple 2 test can get very good results even without knowing exactly what happens inside the inner loops of the algorithm or the S- boxes. We intend to use this property to detect low biases of a certain combination of the output words of SEAL suggested by the analysis made in Section 3 in order to prove SEAL is far from being undistinguishable from a pseudo-random function. This provides a rst test of the SEAL algorithm. 4.2 Number of samples needed for the 2 test to distinguish a biased distribution from an unbiased one We denote by N the number of samples computed. We assume the samples are drawn from a set of r values. We call ni the number of occurances of the ith of the r values among the N samples and S 2 the associated indicator : Pri=1(ni ? N )2 S =2 N r r The 2 test compares the value of this indicator to the one an unbiased dis- tribution would be likely to provide. If the ni were drawn according to an unbi- ased multinomial distribution of parameters ( r , 1 ,..., r ), the expectation and the 1 r 1 standard deviation of the S 2 estimator would be given by :
{ E(S 2 ) ! = p? 1 r { (S 2 ) ! = 2(r ? 1) If the distribution of the ni is still multinomial but biased, say with probabilities p1; :::; pr, then we can compute the new expected value 0 of the S 2 : Pr N 2 0 = E ( i=1 (ni ? r ) ) = N r X N r i=1 E ((ni ? piN + pi N ? N )2 ) r r It can be easily shown that : 0 ! + r(N ? 1) X(pi ? 1 )2 r i=1 r An order of magnitude of the number N of samples needed by the 2 test to dis- tinguish a biased distribution from an unbiased one with substantial probability is given by the condition : 0? which gives us the following order of magnitude for N : p2( N r Pri=1(rp??1)r1 )2 i 4.3 Model of the test Let us consider equation (2) with the real scheme (including the sums). We can rewrite it : (6)Y4 Y3 9 X4 18 = T3 9 (T1 T2 ) 18 (r1 r2 r3 ) 18 i 9 r4 where r1 and r2 are the carry bits created by the addition of T1 and T2 , and r3 and r4 the ones of the addition of S4?1 and S4 . i i We apply the 2 test to the four leftmost bits of Y4 Y3 9 X4 18 suspecting a slight bias in this expression. Without having carefully analysed the exact distribution of the sum of the four carries, we intend to prove that its convolution with the biased distribution of T3 9 (T1 T2 ) 18 i 9 does result in a still slightly unbalanced distribution. As we take 4-bit samples, we apply the 2 test with r ? 1 = 15 degrees of freedom. Detailed information about this test can be found in 4].
4.4 Results Whenever we analyse at least 233 samples, the test proves with probability 10001 to be wrong, that SEAL has a biased distribution. We have made several tests, and each time the value of the S 2 estimator we obtained for this order of mag- nitude of N was greater than 40 for the 4 least signi cant bits and greater than 320 for the 8 least signi cant bits. In other words, the test proves that the dis- tribution is a biased one. Figure 4 shows the value of the S 2 estimator for tests made with a = 0x67452301. S 2 223 224 225 226 227 228 229 230 231 232 233 234 235 4 bits 14.27 25 13.97 9.41 26.96 16.5 16.78 29.65 21.05 30.15 45.74 44.69 55.96 8 bits 261 293 274 238 229 227 246 225 278 313 331 378 453 Fig. 4. Results of the tests with up to 235 samples of (n; l). The former test test can be slightly improved as follows : let us denote the four least signi cant bits of S4 by si4 . For each of the 16 possible values of si4 , apply i the S 2 test to the 4 or the 8 least signi cant bits of (Y4 ? si4 ) Y3 9 X4 18. The test with the correct si4 value detects a bias with 230 (n; l) values only (see Figure 5). Note that a signi cant bias is also detected whenever the two least signi cant bits of si4 are correct. S 2 225 226 227 228 229 230 231 232 233 234 235 4 bits 9.45 13.56 20.62 25.59 32.77 71.90 83.63 130 250 438 928 8 bits 253 271 292 321 276 357 379 438 569 838 1520 Fig. 5. Results of the test with the correct value of the four si4 bits. 4.5 Deriving rst information on SEAL The interpretation of the above improved test is straightforward : when the two least signi cant bits of si4 are correct, r4 is partly known and the 2 test gives much better results than with wrong bits of si4 . Therefore we can derive at least two bits of information on table S . If the test is applied to more than the four leftmost bits of the samples, more than 2 bits can be derived from secret table T . Whenever these bits are right, the 2 rises much faster than for wrong values. As the evolution of the 2 indicator is quite close to a straight line when the divergence starts, the results can be checked applying the test to 220 through 232 samples. Divergence becomes obvious when about 230 samples have been computed.
5 Deriving information on the T table In this Section we give some evidence that the initial step of the attack on the simpli ed version of SEAL introduced in Section 3 can be adapted to provide large parts of the T table for the real algorithm. Let us consider relation (6). As seen in Section 3.1, the distribution of the T3 9 (T1 T2 ) 18 i 9 value at the right of (6) is unbalanced. The most frequent values are provided by the 512 T i words. On the other hand the distribution of the carry words r1 r2 r3 and r4 is also unbalanced. More precisely, due to the fact that in any carry word r each 3 bit r j ] has a 4 probability of being equal to the next bit r j + 1], the number of 'inversions', i.e. j values s.t. r j ] 6= r j + 1] is likely to be small when r is a carry word or an exclusive or of carry words. Thus we can expect the 512 T i values to give rise to 'spread' probabil- ity maxima in the distribution probability of the left term of (6). Based on 232 (n; l) values, we did the following experiment : We analysed the probabililty distribution of the 23 lowest weight bits of the left combination of (6) in order to reduce the memory requirements. So in the rest of this Section, though we do not introduce any new notation, we implicitely refer to 23-bit words instead of 32-bit words. For several T i values (about 25), we computed the sum of the probabil- ities of the neighbours of T i , i.e. the values of the form T i + r, where r is one of the approximately 222 23-bit words with at most 11 inversions. We computed the same sum of approximately 222 probabilities around arbi- trarily chosen values other than the 512 T i values. For more than half of the T i values, the obtained sum was larger than all the sums associated to the arbitrarily chosen values. The complexity of the search of the T i values is quite high if an independent computation of a sum of 222 probabilities is made for each of the 223 candidate values. This approach leads to a 245 complexity, far over the computing capabil- ities of the computer we used for the experiments ; however, substantial gains might be achieved by reusing appropriately selected partial sums of probabilities. Thus in summary, we believe that with slightly more than 232 (n; l) values, it should be possible to recover a substantial part of the information on the T
table, up to an unknown constant. 6 Conclusion We have shown in some detail in Section 3 that the simpler scheme with xors instead of sums can be attacked with the generator output corresponding to about 224 samples of (n; l), e.g. 218 n values and 26 l values for each n value. The test of Section 4 can be applied with about 230 samples of (n; l), e.g. 224 n values and 26 l values for each n value. Moreover, information about table S can be derived from this test with 230 samples of (n; l) as well, and large amounts of information contained in table T can be derived from approximately 232 samples of (n; l) or slightly more. Despite of their relatively low time and space complexity, which enabled us to perform the computer simulations mentioned in Sections 4 and 5, the at- tacks reported in this paper do not seriously endanger the practical security of SEAL, because a too large amount of keystream samples (corresponding to more than 230 (n; l) initialisation vectors) is required. These attacks suggest however that simple modi cations of some design features of SEAL, e.g. the detail of the involvement of the IV-dependent values n1 to n4 in the second generator, would probably strengthen the algorithm without signi cant impact upon its performance. 7 Acknowledgements We thank Thierry Baritaud and Pascal Chauvaud for the elaboration of the L TEX version of the gures and the paper. We would like to address special A thanks to Francois Allegre who gave us access to a quite powerful computer that made the tests reasonably quick and to Alain Scheiwe who helped us write the C source code of the tests. References 1. P. Rogaway and D. Coppersmith, "A Software-Optimized Encryption Algorithm", Proceedings of the 1993 Cambridge Security Workshop, Springer-Verlag, 1994. 2. B. Schneier, Applied Cryptography, Second Edition, John Wiley & Sons, 1996. 3. S. Vaudenay, "Statistical Cryptanalysis of Block Ciphers - 2 Cryptanalysis", 1995. 4. J. Bass, Elements de Calcul des Probabilites, 3e edition, Masson Et Cie, 1974. A This article was processed using the L TEX macro package with LLNCS style

Recomendados

040513
040513040513
040513pannomion
 
GeneIndex: an open source parallel program for enumerating and locating words...
GeneIndex: an open source parallel program for enumerating and locating words...GeneIndex: an open source parallel program for enumerating and locating words...
GeneIndex: an open source parallel program for enumerating and locating words...PTIHPA
 
1 ไฟฟ้าสถิตย์ physics4
1 ไฟฟ้าสถิตย์ physics41 ไฟฟ้าสถิตย์ physics4
1 ไฟฟ้าสถิตย์ physics4รินธรรม ชำระใจ
 
Newfile6
Newfile6Newfile6
Newfile6David Rogers
 
Advance Data Structure
Advance Data StructureAdvance Data Structure
Advance Data StructureRamzi Alqrainy
 
Network Information Processing
Network Information ProcessingNetwork Information Processing
Network Information ProcessingReza Rahimi
 
Poster rga
Poster rgaPoster rga
Poster rgaMiguel Castaño
 
Układ chłodzenia i smarowania oraz układ dolotowy i wylotowy
Układ chłodzenia i smarowania oraz układ dolotowy i wylotowyUkład chłodzenia i smarowania oraz układ dolotowy i wylotowy
Układ chłodzenia i smarowania oraz układ dolotowy i wylotowySzymon Konkol - Publikacje Cyfrowe
 

Recomendados

040513
040513040513
040513pannomion
 
GeneIndex: an open source parallel program for enumerating and locating words...
GeneIndex: an open source parallel program for enumerating and locating words...GeneIndex: an open source parallel program for enumerating and locating words...
GeneIndex: an open source parallel program for enumerating and locating words...PTIHPA
 
1 ไฟฟ้าสถิตย์ physics4
1 ไฟฟ้าสถิตย์ physics41 ไฟฟ้าสถิตย์ physics4
1 ไฟฟ้าสถิตย์ physics4รินธรรม ชำระใจ
 
Newfile6
Newfile6Newfile6
Newfile6David Rogers
 
Advance Data Structure
Advance Data StructureAdvance Data Structure
Advance Data StructureRamzi Alqrainy
 
Network Information Processing
Network Information ProcessingNetwork Information Processing
Network Information ProcessingReza Rahimi
 
Poster rga
Poster rgaPoster rga
Poster rgaMiguel Castaño
 
Układ chłodzenia i smarowania oraz układ dolotowy i wylotowy
Układ chłodzenia i smarowania oraz układ dolotowy i wylotowyUkład chłodzenia i smarowania oraz układ dolotowy i wylotowy
Układ chłodzenia i smarowania oraz układ dolotowy i wylotowySzymon Konkol - Publikacje Cyfrowe
 
Braas katalog 2012
Braas katalog 2012Braas katalog 2012
Braas katalog 2012wampirek80
 
Za co muszę zapłacić? Czyli dodatkowe koszty związane z istnieniem w Internecie.
Za co muszę zapłacić? Czyli dodatkowe koszty związane z istnieniem w Internecie.Za co muszę zapłacić? Czyli dodatkowe koszty związane z istnieniem w Internecie.
Za co muszę zapłacić? Czyli dodatkowe koszty związane z istnieniem w Internecie.Wielka Orkiestra Świątecznej Pomocy
 
Excel. Analiza danych biznesowych
Excel. Analiza danych biznesowychExcel. Analiza danych biznesowych
Excel. Analiza danych biznesowychWydawnictwo Helion
 
Przygoda ze sportem- rozwujanie aktywności ruchowej przedszkolaków
Przygoda ze sportem- rozwujanie aktywności ruchowej przedszkolakówPrzygoda ze sportem- rozwujanie aktywności ruchowej przedszkolaków
Przygoda ze sportem- rozwujanie aktywności ruchowej przedszkolakówwiosenka
 
Stream ciphers presentation
Stream ciphers presentationStream ciphers presentation
Stream ciphers presentationdegarden
 
Zdrowy styl życia
Zdrowy styl życiaZdrowy styl życia
Zdrowy styl życiaszkolagim3
 
Understanding and Managing Electronic Word of Mouth (EWOM)
Understanding and Managing Electronic Word of Mouth (EWOM)Understanding and Managing Electronic Word of Mouth (EWOM)
Understanding and Managing Electronic Word of Mouth (EWOM)Simon Fraser University
 
Wskazniki i rezultaty
Wskazniki i rezultatyWskazniki i rezultaty
Wskazniki i rezultatyUM Łódzkie
 
Riscurile intreprinderii de constructii
Riscurile intreprinderii de constructiiRiscurile intreprinderii de constructii
Riscurile intreprinderii de constructii0011aaccdd
 
13.30 o2 v bubanja
13.30 o2 v bubanja13.30 o2 v bubanja
13.30 o2 v bubanjaNZIP
 
Seminar atlas 1103.6208
Seminar atlas 1103.6208Seminar atlas 1103.6208
Seminar atlas 1103.6208RiggoryLirikin
 
Rotation3
Rotation3Rotation3
Rotation3hprmup
 
January 2012 solution
January 2012 solutionJanuary 2012 solution
January 2012 solutionleroy walker
 
Non newtonian models
Non newtonian modelsNon newtonian models
Non newtonian modelsMARIO CERDA CORTES
 
09 trial johor_p2
09 trial johor_p209 trial johor_p2
09 trial johor_p2zabidah awang
 
Chapter5 system analysis
Chapter5 system analysisChapter5 system analysis
Chapter5 system analysisKing Mongkut's University of Technology Thonburi
 
6 truyen nhiet
6 truyen nhiet6 truyen nhiet
6 truyen nhietCang Nguyentrong
 
Saarbruecken
SaarbrueckenSaarbruecken
SaarbrueckenUniversität Rostock
 
Case Study (All)
Case Study (All)Case Study (All)
Case Study (All)gudeyi
 
レインボーテーブルを使ったハッシュの復号とSalt
レインボーテーブルを使ったハッシュの復号とSaltレインボーテーブルを使ったハッシュの復号とSalt
レインボーテーブルを使ったハッシュの復号とSaltRyo Maruyama
 
European Microwave PLL Class
European Microwave PLL ClassEuropean Microwave PLL Class
European Microwave PLL Classedrucker1
 
Pile daniell
Pile daniellPile daniell
Pile danielltoumed
 

Mais conteúdo relacionado

Destaque

Braas katalog 2012
Braas katalog 2012Braas katalog 2012
Braas katalog 2012wampirek80
 
Za co muszę zapłacić? Czyli dodatkowe koszty związane z istnieniem w Internecie.
Za co muszę zapłacić? Czyli dodatkowe koszty związane z istnieniem w Internecie.Za co muszę zapłacić? Czyli dodatkowe koszty związane z istnieniem w Internecie.
Za co muszę zapłacić? Czyli dodatkowe koszty związane z istnieniem w Internecie.Wielka Orkiestra Świątecznej Pomocy
 
Excel. Analiza danych biznesowych
Excel. Analiza danych biznesowychExcel. Analiza danych biznesowych
Excel. Analiza danych biznesowychWydawnictwo Helion
 
Przygoda ze sportem- rozwujanie aktywności ruchowej przedszkolaków
Przygoda ze sportem- rozwujanie aktywności ruchowej przedszkolakówPrzygoda ze sportem- rozwujanie aktywności ruchowej przedszkolaków
Przygoda ze sportem- rozwujanie aktywności ruchowej przedszkolakówwiosenka
 
Stream ciphers presentation
Stream ciphers presentationStream ciphers presentation
Stream ciphers presentationdegarden
 
Zdrowy styl życia
Zdrowy styl życiaZdrowy styl życia
Zdrowy styl życiaszkolagim3
 
Understanding and Managing Electronic Word of Mouth (EWOM)
Understanding and Managing Electronic Word of Mouth (EWOM)Understanding and Managing Electronic Word of Mouth (EWOM)
Understanding and Managing Electronic Word of Mouth (EWOM)Simon Fraser University
 
Wskazniki i rezultaty
Wskazniki i rezultatyWskazniki i rezultaty
Wskazniki i rezultatyUM Łódzkie
 
Riscurile intreprinderii de constructii
Riscurile intreprinderii de constructiiRiscurile intreprinderii de constructii
Riscurile intreprinderii de constructii0011aaccdd
 

Destaque (9)

Braas katalog 2012
Braas katalog 2012Braas katalog 2012
Braas katalog 2012
 
Za co muszę zapłacić? Czyli dodatkowe koszty związane z istnieniem w Internecie.
Za co muszę zapłacić? Czyli dodatkowe koszty związane z istnieniem w Internecie.Za co muszę zapłacić? Czyli dodatkowe koszty związane z istnieniem w Internecie.
Za co muszę zapłacić? Czyli dodatkowe koszty związane z istnieniem w Internecie.
 
Excel. Analiza danych biznesowych
Excel. Analiza danych biznesowychExcel. Analiza danych biznesowych
Excel. Analiza danych biznesowych
 
Przygoda ze sportem- rozwujanie aktywności ruchowej przedszkolaków
Przygoda ze sportem- rozwujanie aktywności ruchowej przedszkolakówPrzygoda ze sportem- rozwujanie aktywności ruchowej przedszkolaków
Przygoda ze sportem- rozwujanie aktywności ruchowej przedszkolaków
 
Stream ciphers presentation
Stream ciphers presentationStream ciphers presentation
Stream ciphers presentation
 
Zdrowy styl życia
Zdrowy styl życiaZdrowy styl życia
Zdrowy styl życia
 
Understanding and Managing Electronic Word of Mouth (EWOM)
Understanding and Managing Electronic Word of Mouth (EWOM)Understanding and Managing Electronic Word of Mouth (EWOM)
Understanding and Managing Electronic Word of Mouth (EWOM)
 
Wskazniki i rezultaty
Wskazniki i rezultatyWskazniki i rezultaty
Wskazniki i rezultaty
 
Riscurile intreprinderii de constructii
Riscurile intreprinderii de constructiiRiscurile intreprinderii de constructii
Riscurile intreprinderii de constructii
 

Semelhante a Cryptanalysis of the seal encryption algorithm

13.30 o2 v bubanja
13.30 o2 v bubanja13.30 o2 v bubanja
13.30 o2 v bubanjaNZIP
 
Seminar atlas 1103.6208
Seminar atlas 1103.6208Seminar atlas 1103.6208
Seminar atlas 1103.6208RiggoryLirikin
 
Rotation3
Rotation3Rotation3
Rotation3hprmup
 
January 2012 solution
January 2012 solutionJanuary 2012 solution
January 2012 solutionleroy walker
 
Case Study (All)
Case Study (All)Case Study (All)
Case Study (All)gudeyi
 
レインボーテーブルを使ったハッシュの復号とSalt
レインボーテーブルを使ったハッシュの復号とSaltレインボーテーブルを使ったハッシュの復号とSalt
レインボーテーブルを使ったハッシュの復号とSaltRyo Maruyama
 
European Microwave PLL Class
European Microwave PLL ClassEuropean Microwave PLL Class
European Microwave PLL Classedrucker1
 
Pile daniell
Pile daniellPile daniell
Pile danielltoumed
 

Semelhante a Cryptanalysis of the seal encryption algorithm (13)

13.30 o2 v bubanja
13.30 o2 v bubanja13.30 o2 v bubanja
13.30 o2 v bubanja
 
Seminar atlas 1103.6208
Seminar atlas 1103.6208Seminar atlas 1103.6208
Seminar atlas 1103.6208
 
Rotation3
Rotation3Rotation3
Rotation3
 
January 2012 solution
January 2012 solutionJanuary 2012 solution
January 2012 solution
 
Non newtonian models
Non newtonian modelsNon newtonian models
Non newtonian models
 
09 trial johor_p2
09 trial johor_p209 trial johor_p2
09 trial johor_p2
 
Chapter5 system analysis
Chapter5 system analysisChapter5 system analysis
Chapter5 system analysis
 
6 truyen nhiet
6 truyen nhiet6 truyen nhiet
6 truyen nhiet
 
Saarbruecken
SaarbrueckenSaarbruecken
Saarbruecken
 
Case Study (All)
Case Study (All)Case Study (All)
Case Study (All)
 
レインボーテーブルを使ったハッシュの復号とSalt
レインボーテーブルを使ったハッシュの復号とSaltレインボーテーブルを使ったハッシュの復号とSalt
レインボーテーブルを使ったハッシュの復号とSalt
 
European Microwave PLL Class
European Microwave PLL ClassEuropean Microwave PLL Class
European Microwave PLL Class
 
Pile daniell
Pile daniellPile daniell
Pile daniell
 

Mais de degarden

MICHELIN_-AGILIS-CrossClimate_GB
MICHELIN_-AGILIS-CrossClimate_GBMICHELIN_-AGILIS-CrossClimate_GB
MICHELIN_-AGILIS-CrossClimate_GBdegarden
 
ABC 2021 Guia del vino
ABC 2021 Guia del vinoABC 2021 Guia del vino
ABC 2021 Guia del vinodegarden
 
Audi-A3-Sportback-catalogo-es-1146
Audi-A3-Sportback-catalogo-es-1146Audi-A3-Sportback-catalogo-es-1146
Audi-A3-Sportback-catalogo-es-1146degarden
 
Why btrfs is the Bread and Butter of Filesystems
Why btrfs is the Bread and Butter of FilesystemsWhy btrfs is the Bread and Butter of Filesystems
Why btrfs is the Bread and Butter of Filesystemsdegarden
 
Toshiba X300 salessheet english-web_r2
Toshiba X300 salessheet english-web_r2Toshiba X300 salessheet english-web_r2
Toshiba X300 salessheet english-web_r2degarden
 
Toshiba N300 salessheet english-web_r2
Toshiba N300 salessheet english-web_r2Toshiba N300 salessheet english-web_r2
Toshiba N300 salessheet english-web_r2degarden
 
The 20 maps that will help you understand Spain - The Local
The 20 maps that will help you understand Spain - The LocalThe 20 maps that will help you understand Spain - The Local
The 20 maps that will help you understand Spain - The Localdegarden
 
Toshiba X300 Performance Internal Hard Drive
Toshiba X300 Performance Internal Hard DriveToshiba X300 Performance Internal Hard Drive
Toshiba X300 Performance Internal Hard Drivedegarden
 
Sper Food Safety Thermometer with IR
Sper Food Safety Thermometer with IRSper Food Safety Thermometer with IR
Sper Food Safety Thermometer with IRdegarden
 
Plarad Torque and tension systems
Plarad Torque and tension systemsPlarad Torque and tension systems
Plarad Torque and tension systemsdegarden
 
Plarad Hydraulikaggregate Hydraulic Power Packs
Plarad Hydraulikaggregate Hydraulic Power PacksPlarad Hydraulikaggregate Hydraulic Power Packs
Plarad Hydraulikaggregate Hydraulic Power Packsdegarden
 
Hands-Free Profile 1.7
Hands-Free Profile 1.7Hands-Free Profile 1.7
Hands-Free Profile 1.7degarden
 
Fingerprinting Bluetooth-Low-Energy Devices Based on the Generic Attribute Pr...
Fingerprinting Bluetooth-Low-Energy Devices Based on the Generic Attribute Pr...Fingerprinting Bluetooth-Low-Energy Devices Based on the Generic Attribute Pr...
Fingerprinting Bluetooth-Low-Energy Devices Based on the Generic Attribute Pr...degarden
 
Reverse Engineering BLE Devices Documentation
Reverse Engineering BLE Devices DocumentationReverse Engineering BLE Devices Documentation
Reverse Engineering BLE Devices Documentationdegarden
 
pWeb: A P2P Web Hosting Framework
pWeb: A P2P Web Hosting FrameworkpWeb: A P2P Web Hosting Framework
pWeb: A P2P Web Hosting Frameworkdegarden
 
¿Qué esconde tu teléfono? Adquisición forense de dispositivos Android
¿Qué esconde tu teléfono? Adquisición forense de dispositivos Android ¿Qué esconde tu teléfono? Adquisición forense de dispositivos Android
¿Qué esconde tu teléfono? Adquisición forense de dispositivos Android degarden
 
Bose NC 700 - User manual English
Bose NC 700 - User manual EnglishBose NC 700 - User manual English
Bose NC 700 - User manual Englishdegarden
 
MICHELIN CrossCLIMATE+
MICHELIN CrossCLIMATE+MICHELIN CrossCLIMATE+
MICHELIN CrossCLIMATE+degarden
 
Catálogo-Producto-Familia-A3-PI_MY17_Medidas-Semana-9_2017
Catálogo-Producto-Familia-A3-PI_MY17_Medidas-Semana-9_2017Catálogo-Producto-Familia-A3-PI_MY17_Medidas-Semana-9_2017
Catálogo-Producto-Familia-A3-PI_MY17_Medidas-Semana-9_2017degarden
 

Mais de degarden (20)

MICHELIN_-AGILIS-CrossClimate_GB
MICHELIN_-AGILIS-CrossClimate_GBMICHELIN_-AGILIS-CrossClimate_GB
MICHELIN_-AGILIS-CrossClimate_GB
 
ABC 2021 Guia del vino
ABC 2021 Guia del vinoABC 2021 Guia del vino
ABC 2021 Guia del vino
 
Audi-A3-Sportback-catalogo-es-1146
Audi-A3-Sportback-catalogo-es-1146Audi-A3-Sportback-catalogo-es-1146
Audi-A3-Sportback-catalogo-es-1146
 
Why btrfs is the Bread and Butter of Filesystems
Why btrfs is the Bread and Butter of FilesystemsWhy btrfs is the Bread and Butter of Filesystems
Why btrfs is the Bread and Butter of Filesystems
 
Toshiba X300 salessheet english-web_r2
Toshiba X300 salessheet english-web_r2Toshiba X300 salessheet english-web_r2
Toshiba X300 salessheet english-web_r2
 
Toshiba N300 salessheet english-web_r2
Toshiba N300 salessheet english-web_r2Toshiba N300 salessheet english-web_r2
Toshiba N300 salessheet english-web_r2
 
The 20 maps that will help you understand Spain - The Local
The 20 maps that will help you understand Spain - The LocalThe 20 maps that will help you understand Spain - The Local
The 20 maps that will help you understand Spain - The Local
 
Toshiba X300 Performance Internal Hard Drive
Toshiba X300 Performance Internal Hard DriveToshiba X300 Performance Internal Hard Drive
Toshiba X300 Performance Internal Hard Drive
 
Bronces
BroncesBronces
Bronces
 
Sper Food Safety Thermometer with IR
Sper Food Safety Thermometer with IRSper Food Safety Thermometer with IR
Sper Food Safety Thermometer with IR
 
Plarad Torque and tension systems
Plarad Torque and tension systemsPlarad Torque and tension systems
Plarad Torque and tension systems
 
Plarad Hydraulikaggregate Hydraulic Power Packs
Plarad Hydraulikaggregate Hydraulic Power PacksPlarad Hydraulikaggregate Hydraulic Power Packs
Plarad Hydraulikaggregate Hydraulic Power Packs
 
Hands-Free Profile 1.7
Hands-Free Profile 1.7Hands-Free Profile 1.7
Hands-Free Profile 1.7
 
Fingerprinting Bluetooth-Low-Energy Devices Based on the Generic Attribute Pr...
Fingerprinting Bluetooth-Low-Energy Devices Based on the Generic Attribute Pr...Fingerprinting Bluetooth-Low-Energy Devices Based on the Generic Attribute Pr...
Fingerprinting Bluetooth-Low-Energy Devices Based on the Generic Attribute Pr...
 
Reverse Engineering BLE Devices Documentation
Reverse Engineering BLE Devices DocumentationReverse Engineering BLE Devices Documentation
Reverse Engineering BLE Devices Documentation
 
pWeb: A P2P Web Hosting Framework
pWeb: A P2P Web Hosting FrameworkpWeb: A P2P Web Hosting Framework
pWeb: A P2P Web Hosting Framework
 
¿Qué esconde tu teléfono? Adquisición forense de dispositivos Android
¿Qué esconde tu teléfono? Adquisición forense de dispositivos Android ¿Qué esconde tu teléfono? Adquisición forense de dispositivos Android
¿Qué esconde tu teléfono? Adquisición forense de dispositivos Android
 
Bose NC 700 - User manual English
Bose NC 700 - User manual EnglishBose NC 700 - User manual English
Bose NC 700 - User manual English
 
MICHELIN CrossCLIMATE+
MICHELIN CrossCLIMATE+MICHELIN CrossCLIMATE+
MICHELIN CrossCLIMATE+
 
Catálogo-Producto-Familia-A3-PI_MY17_Medidas-Semana-9_2017
Catálogo-Producto-Familia-A3-PI_MY17_Medidas-Semana-9_2017Catálogo-Producto-Familia-A3-PI_MY17_Medidas-Semana-9_2017
Catálogo-Producto-Familia-A3-PI_MY17_Medidas-Semana-9_2017
 

Último

Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4MiaBumagat1
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersFull Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptxmary850239
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4JOYLYNSAMANIEGO
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxAshokKarra1
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Seán Kennedy
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxlancelewisportillo
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A Beña
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 

Último (20)

Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptxYOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersFull Stack Web Development Course for Beginners
Full Stack Web Development Course for Beginners
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptx
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 

Cryptanalysis of the seal encryption algorithm

  • 1. 2 Cryptanalysis of the SEAL Encryption Algorithm Helena Handschuh ? Gemplus PSI 1, Place de la Mediterranee 95200 Sarcelles France Henri Gilbert France Telecom CNET PAA-TSA-SRC 38-40 Rue du General Leclerc 92131 Issy-les-Moulineaux France Abstract. SEAL was rst introduced in 1] by Rogaway and Copper- smith as a fast software- oriented encryption algorithm. It is a pseu- dorandom function which stretches a short index into a much longer pseudorandom string under control of a secret key pre-processed into internal tables. In this paper we rst describe an attack of a simpli ed version of SEAL, which provides large parts of the secret tables from ap- proximately 224 algorithm computations. As far as the original algorithm is concerned, we construct a test capable of distinguishing SEAL from a random function using approximately 230 computations. Moreover, we describe how to derive some bits of information about the secret tables. These results were con rmed by computer experiments. 1 Description of the SEAL Algorithm SEAL is a length-increasing "pseudorandom" function which maps a 32-bit string n to an L-bit string SEAL(n) under a secret 160-bit key a. The output length L is meant to be variable, but is generally limited to 64 kbytes. In this paper, we assume it is worth exactly 64 kbytes (214 32-bit words), but all our results could be obtained with a smaller output length. The key a is only used to de ne three secret tables R, S , and T . These ta- bles respectively contain 256, 256 and 512 32-bit values which are derived from the Secure Hash Algorithm (SHA) 2] using a as the secret key and re-indexing the 160-bit output into 32-bit output words. SEAL is the result of the two cascaded generators shown below. ? The study reported in this paper was performed while Helena Handschuh was work- ing at France Telecom-CNET.
  • 2. n n n n 8 16 24 R4]l R 4 + 1] l R 4 + 2] l R 4 + 3] l p1 - T -+ 2 q1 - T -+ 2 p2 - T -+ 2 - T -+ 2 q- 2 p3 - T -+ 2 q3 - T -+ 2 p4 - T -+ 2 - T -+ 2 q- 4 n3(= n2(= n4 (= n1(= p5 - T -+ 2 q5 - T -+ 2 p6 - T -+ 2 - T -+ 2 q- 6 ? ? ? ? A0 B0 C0 D0 Fig. 1. The rst generator of SEAL Ai?1 + n1 Bi?1 Ci?1 + n2 Di?1 p1 - T -+ 2 - q1 -T - -+ 2 p1 + p- T -+ 2 2 2 - q- -T- 1 + q2 2 -+ 2 p2 - + p- T - 2 3 q2 + q- T -+ p3 2 3 2 + p- T - 2 4 q- - T -+ 2 3 + q4 2 ? ? ? ? A i Bi Ci Di Fig. 2. The second generator of SEAL (ith iteration)
  • 3. The rst generator uses a routine depending on the a-derived tables R and T depicted at gure 1. It maps the 32-bit string n and the 6-bit counter l to four 32-bit words A0 , B 0 , C 0, D0 and another four 32-bit words n1 , n2 , n3, n4. These eight words are to be used by the second generator. The second generator uses a routine depending on the a-derived tables de- picted at gure 2. There are 64 iterations of this routine, indexed by i = 1 to 64. A0 B 0 C 0D0 serves as an input to the rst iteration, producing an A1B 1 C 1D1 block. For the next iterations, the input block is alternately (Ai?1 + n1; B i?1 ; C i?1+n2; Di?1) for even i values and (Ai?1 +n3; B i?1 ; C i?1+n4; Di?1) for odd i values. At iteration i, the output block (Y1i , Y2i , Y3i, Y4i ) is deduced from the intermediate block (Ai ,B i ,C i,Di ) using the a-derived table S as shown below in gure 3. Ai Bi Ci Di S 4i ? 1] -L S 4i ? 4] - + S 4i ? 3] -L S 4i ? 2] - + ? ? ? ? Y1 i Y2 i Y3 i Y4 i Fig. 3. Deriving the generator output In the above gures : { stands for the XOR function; { 2 stands for the sum (mod 232); { stands for a right rotation of 9 bits; { N stands for a right rotation of N bits; { p1 through p4 and q1 through q4 stand for the inputs of table T obtained from the 9 bits 2 to 11 of values A, B , C and D; for instance in gure 1, p1 = A&0x7fc. Concerning the de nition of SEAL, more details can be found in 1] and in 2]. The algorithm is divided into three steps. { First we compute the internal tables under the secret key a. The security of this step relies on SHA which is assumed to be highly secure. Therefore, R, S and T are pseudorandom tables. { Second we compute A0, B 0, C 0, D0 , n1, n2, n3 and n4 from n, l and table R. This is what we already called the rst generator. Let us assume the output is pseudorandom as well.
  • 4. { Finally, the second generator computes iteratively the Ai Bi C iDi blocks, from which the Y1i , Y2i, Y3i , Y4i values are derived. We change the original notations as follows : Y1i = Ai S1 i Y2i = Bi + Si 2 Y3i = C i S3 i Y4i = Di + S i : 4 In this part we found certain weaknesses which are investigated in Sections 3 and 4. 2 Preliminaries 2.1 Role of mod 232 additions Although the combined use of the + and operations probably strengthens SEAL as compared with a situation where only one of these operations would be used, we do not believe that this represents the main ingredient of the secu- rity of SEAL, which is essentially a table- driven algorithm. As a matter of fact, any x + y sum can be written : x + y = x y c(x; y) where the carry word c(x; y) is far from being uniformly distributed thus + just introduces an additional, unbalanced term, as compared with . This remark led us to assume that replacing in SEAL (more precisely in the second generator of gure 2) all + operators by xors would not fundamentally modify the nature of the algorithm, and that cryptanalytic results obtained with such a simpli ed version could at least partially be transposed to the real cipher. The results of our analysis of this simpli ed version of SEAL are summarised in Section 3 hereafter. 2.2 The three words Di?1 , C i and Di are correlated Let us consider the function depicted at gure 2. Given a xed value of the iteration index i (say i = 3), the input and output to this function are known from the generator outputs (Y1i?1 , Y2i?1, Y3i?1, Y4i?1) and (Y1i , Y2i , Y3i , Y4i ) up to the following unknown words : { the 8 words (S1?1 , S2?1 , S3?1 , S4?1 ) and (S1, S2 , S3 , S4 ), which value does i i i i i i i i not depend upon the considered initial value (n; l). { the 2 words n1 and n2 , which value depends upon (n; l).
  • 5. The involvement of the IV-dependent words n1 and n2 in the function consider- ably complicates the analysis of the ith iteration because of the randomisation e ect upon the input to output dependency. In order to nd statistics applicable to any IV value, we investigate how to "get rid" of any dependency in n1 and n2 in some relations induced by the equa- tion of iteration i. Let us consider the Di?1 input word and the C i and Di input words. Denote the output tables involved in the right part of gure 2 by : T1 = T p2], T2 = T q3] and T3 = T p4]. It is easy to establish the relation : (1) (Di?1 + T1) (C i 9 + T2 ) = (Di 18) (T3 9) This relation does not involve n1 and n2. The T1 ; T2 ; T3 terms in this relation can be seen as three random values selected from the T table. Since there are only 29 values in the T table, given any two words out of the (Di?1 , C i, Di ) triplets, there are at most 227 possible values for the third word of the triplet instead of 232 if Di?1 , C i and Di were statistically independent. This gives some evidence that the Di?1 input and the C i and Di output are statistically correlated, in a way which does not depend upon n1 and n2. In other words, the SEAL generator derives from an (n; l) initial value three slightly correlated output words Y4i?1, Y3i and Y4i. Relation (1) above represents the starting point for the various attacks reported in Sections 3 to 5 hereafter. 3 An Attack of a simpli ed version of SEAL In this Section we present an attack of the simpli ed version of SEAL obtained by replacing in gure 2 all mod 232 additions by xors. The attack is divided into four steps. 3.1 Step 1 We derive the unordered set of values of the T table, up to an unknown 32-bit constant Di . Relation (1) above represents the starting point for this deriva- tion. After replacing + by in (1) and Di?1 ; C i; Di by X4 = Y4i , Y3 = Y3i and Y4 = Y4i respectively, we obtain the relation : (2) Y4 Y3 9 X4 18 = T3 9 (T1 T2 ) 18 i 9
  • 6. where the i constant depends upon the S table. T1 and T2 are 2 among 512 values of table T . Statistically speaking, once in 29, T1 = T2 , and T1 T2 = 0. If we compute 218 samples, each of the 512 values of table T i should appear once in average. We collect the combination of the generator output words given by the left term of (2) for about 221 (n; l) samples. Whenever one value appears more than 4 times, we assume this 21 a value of table T is i. All the other values have a probability of about 2232 to appear. This way, we nd about 490 out of 512 values of table T up to one constant value. 3.2 Step 2 The purpose of the second step is to compute a constant i which is needed in the third step in order to nd out statistics involving B i?1 , Di , Ai and B i (see Fig. 2.). Consider the following equation (3) established in a similar way to (2) from the relation between B i?1 and the output words : (3) Y4 9 Y2 Y1 9 X2 18 T3 18 = (T10 T20 ) 18 (T30 T40 ) 9 (S4 9 S2?1 18 S2 S1 9) i i i i where i = S4 i 9 S2?1 i 18 S2 S1 i i 9 i 18 For each sample, we can nd out T3 i by searching exhaustively the right combination (T1 , T2 , T3 ) in equation (2). In order to save time, we compute once and for all a table with the 218 values of (T1 T2 ) 18 and search for the right third value. We perform this search as well as the computation of the left term of (3) for 221 samples. Once in 218, T10 = T20 and T30 = T40 . This way the constant value i we are looking for appears at least 4 times. 3.3 Step 3 The purpose of this step is to nd out various values of n1. Once we have these values, we can make out the relation between the in and outputs of table T up to one constant value. Let us consider equation (4) established from the relation between Ai?1 and the output words : (4) X1 18 Y1 Y4 T20 9 T40 T3 9 = n1 18 S1?1 i 18 S4 S1 i i
  • 7. We can nd out T20 i and T 0 4 i by searching the right combination of 0 ; T2; T3; T4 ) in equation (2) using the value i we made out in step 2. For (T1 0 0 0 each sample we compute, we get about 16 possibilities, as (T10 ; T20 ; T30 ; T40 ) gives 236 possible values for a 32- bit word. In order to nd the right combination, let us consider two distinct iteration indexes i and j : we know that for a given l value, if i is even (or odd), we always xor the same n1 (or n3 ) to the input A. Let us therefore take two rounds i and j that are both odd (or even). We need to know table T i, table T j , i and j . We collect samples of : { n1 18 i i?1 where i = S1 18 S4 S1 i; i i { n1 18 j j 9 i 9 as value T3 is found through table T i and values T 0 and T 0 through 2 4 table T j. We xor all the samples of round i with all the samples of round j . One of these values is the right combination of i j ( i j ) 9 Then we nd all the samples for rounds i and j of another value n1 (i.e. of round l). We compare these two sets of samples and make out the right value of n1 18 i . This step can be repeated various times to collect values of n1 while computing only once the tables T and the constants . 3.4 Step 4 In this step we nally derive the in and outputs of table T from equation (5): (5) p1 = ((X1 n1 S1?1 )&0x7fc)=4 i In this equation p1 is the input of table T . We have seen in the rst three steps that we can derive the value of T1 from in and output samples of SEAL. So we nally derive several values of : Tp i] i where i = ((S1?1 i i 18)&0x7fc)=4.
  • 8. 3.5 Summary Summing up the four steps we have just described, we can break the T table up to one constant value using about 2 221 samples of (n; l) for step 1, 2 221 samples of (n; l) for step 2 and about 29 values of (n; l) for steps 3 and 4. This means, the T table can be broken using about 224 samples of (n; l). We could probably go on breaking the simpli ed version of SEAL by nding out sets of values (n1 , n2 , n3 , n4 ), then trying to break the rst generator and nd table R, but this is not our purpose here. 4 A Test of the real version of SEAL In this Section we use some of the ideas of Vaudenay's Statistical Cryptanalysis of Block Ciphers 3] to distinguish SEAL from a truely random function. 4.1 2 Cryptanalysis The purpose of Vaudenay's paper is to prove that statistical analysis on ciphers such as DES may provide as e cient attacks as linear or di erential cryptanal- ysis. Statistical analysis enables to recover very low biases and a simple 2 test can get very good results even without knowing exactly what happens inside the inner loops of the algorithm or the S- boxes. We intend to use this property to detect low biases of a certain combination of the output words of SEAL suggested by the analysis made in Section 3 in order to prove SEAL is far from being undistinguishable from a pseudo-random function. This provides a rst test of the SEAL algorithm. 4.2 Number of samples needed for the 2 test to distinguish a biased distribution from an unbiased one We denote by N the number of samples computed. We assume the samples are drawn from a set of r values. We call ni the number of occurances of the ith of the r values among the N samples and S 2 the associated indicator : Pri=1(ni ? N )2 S =2 N r r The 2 test compares the value of this indicator to the one an unbiased dis- tribution would be likely to provide. If the ni were drawn according to an unbi- ased multinomial distribution of parameters ( r , 1 ,..., r ), the expectation and the 1 r 1 standard deviation of the S 2 estimator would be given by :
  • 9. { E(S 2 ) ! = p? 1 r { (S 2 ) ! = 2(r ? 1) If the distribution of the ni is still multinomial but biased, say with probabilities p1; :::; pr, then we can compute the new expected value 0 of the S 2 : Pr N 2 0 = E ( i=1 (ni ? r ) ) = N r X N r i=1 E ((ni ? piN + pi N ? N )2 ) r r It can be easily shown that : 0 ! + r(N ? 1) X(pi ? 1 )2 r i=1 r An order of magnitude of the number N of samples needed by the 2 test to dis- tinguish a biased distribution from an unbiased one with substantial probability is given by the condition : 0? which gives us the following order of magnitude for N : p2( N r Pri=1(rp??1)r1 )2 i 4.3 Model of the test Let us consider equation (2) with the real scheme (including the sums). We can rewrite it : (6)Y4 Y3 9 X4 18 = T3 9 (T1 T2 ) 18 (r1 r2 r3 ) 18 i 9 r4 where r1 and r2 are the carry bits created by the addition of T1 and T2 , and r3 and r4 the ones of the addition of S4?1 and S4 . i i We apply the 2 test to the four leftmost bits of Y4 Y3 9 X4 18 suspecting a slight bias in this expression. Without having carefully analysed the exact distribution of the sum of the four carries, we intend to prove that its convolution with the biased distribution of T3 9 (T1 T2 ) 18 i 9 does result in a still slightly unbalanced distribution. As we take 4-bit samples, we apply the 2 test with r ? 1 = 15 degrees of freedom. Detailed information about this test can be found in 4].
  • 10. 4.4 Results Whenever we analyse at least 233 samples, the test proves with probability 10001 to be wrong, that SEAL has a biased distribution. We have made several tests, and each time the value of the S 2 estimator we obtained for this order of mag- nitude of N was greater than 40 for the 4 least signi cant bits and greater than 320 for the 8 least signi cant bits. In other words, the test proves that the dis- tribution is a biased one. Figure 4 shows the value of the S 2 estimator for tests made with a = 0x67452301. S 2 223 224 225 226 227 228 229 230 231 232 233 234 235 4 bits 14.27 25 13.97 9.41 26.96 16.5 16.78 29.65 21.05 30.15 45.74 44.69 55.96 8 bits 261 293 274 238 229 227 246 225 278 313 331 378 453 Fig. 4. Results of the tests with up to 235 samples of (n; l). The former test test can be slightly improved as follows : let us denote the four least signi cant bits of S4 by si4 . For each of the 16 possible values of si4 , apply i the S 2 test to the 4 or the 8 least signi cant bits of (Y4 ? si4 ) Y3 9 X4 18. The test with the correct si4 value detects a bias with 230 (n; l) values only (see Figure 5). Note that a signi cant bias is also detected whenever the two least signi cant bits of si4 are correct. S 2 225 226 227 228 229 230 231 232 233 234 235 4 bits 9.45 13.56 20.62 25.59 32.77 71.90 83.63 130 250 438 928 8 bits 253 271 292 321 276 357 379 438 569 838 1520 Fig. 5. Results of the test with the correct value of the four si4 bits. 4.5 Deriving rst information on SEAL The interpretation of the above improved test is straightforward : when the two least signi cant bits of si4 are correct, r4 is partly known and the 2 test gives much better results than with wrong bits of si4 . Therefore we can derive at least two bits of information on table S . If the test is applied to more than the four leftmost bits of the samples, more than 2 bits can be derived from secret table T . Whenever these bits are right, the 2 rises much faster than for wrong values. As the evolution of the 2 indicator is quite close to a straight line when the divergence starts, the results can be checked applying the test to 220 through 232 samples. Divergence becomes obvious when about 230 samples have been computed.
  • 11. 5 Deriving information on the T table In this Section we give some evidence that the initial step of the attack on the simpli ed version of SEAL introduced in Section 3 can be adapted to provide large parts of the T table for the real algorithm. Let us consider relation (6). As seen in Section 3.1, the distribution of the T3 9 (T1 T2 ) 18 i 9 value at the right of (6) is unbalanced. The most frequent values are provided by the 512 T i words. On the other hand the distribution of the carry words r1 r2 r3 and r4 is also unbalanced. More precisely, due to the fact that in any carry word r each 3 bit r j ] has a 4 probability of being equal to the next bit r j + 1], the number of 'inversions', i.e. j values s.t. r j ] 6= r j + 1] is likely to be small when r is a carry word or an exclusive or of carry words. Thus we can expect the 512 T i values to give rise to 'spread' probabil- ity maxima in the distribution probability of the left term of (6). Based on 232 (n; l) values, we did the following experiment : We analysed the probabililty distribution of the 23 lowest weight bits of the left combination of (6) in order to reduce the memory requirements. So in the rest of this Section, though we do not introduce any new notation, we implicitely refer to 23-bit words instead of 32-bit words. For several T i values (about 25), we computed the sum of the probabil- ities of the neighbours of T i , i.e. the values of the form T i + r, where r is one of the approximately 222 23-bit words with at most 11 inversions. We computed the same sum of approximately 222 probabilities around arbi- trarily chosen values other than the 512 T i values. For more than half of the T i values, the obtained sum was larger than all the sums associated to the arbitrarily chosen values. The complexity of the search of the T i values is quite high if an independent computation of a sum of 222 probabilities is made for each of the 223 candidate values. This approach leads to a 245 complexity, far over the computing capabil- ities of the computer we used for the experiments ; however, substantial gains might be achieved by reusing appropriately selected partial sums of probabilities. Thus in summary, we believe that with slightly more than 232 (n; l) values, it should be possible to recover a substantial part of the information on the T
  • 12. table, up to an unknown constant. 6 Conclusion We have shown in some detail in Section 3 that the simpler scheme with xors instead of sums can be attacked with the generator output corresponding to about 224 samples of (n; l), e.g. 218 n values and 26 l values for each n value. The test of Section 4 can be applied with about 230 samples of (n; l), e.g. 224 n values and 26 l values for each n value. Moreover, information about table S can be derived from this test with 230 samples of (n; l) as well, and large amounts of information contained in table T can be derived from approximately 232 samples of (n; l) or slightly more. Despite of their relatively low time and space complexity, which enabled us to perform the computer simulations mentioned in Sections 4 and 5, the at- tacks reported in this paper do not seriously endanger the practical security of SEAL, because a too large amount of keystream samples (corresponding to more than 230 (n; l) initialisation vectors) is required. These attacks suggest however that simple modi cations of some design features of SEAL, e.g. the detail of the involvement of the IV-dependent values n1 to n4 in the second generator, would probably strengthen the algorithm without signi cant impact upon its performance. 7 Acknowledgements We thank Thierry Baritaud and Pascal Chauvaud for the elaboration of the L TEX version of the gures and the paper. We would like to address special A thanks to Francois Allegre who gave us access to a quite powerful computer that made the tests reasonably quick and to Alain Scheiwe who helped us write the C source code of the tests. References 1. P. Rogaway and D. Coppersmith, "A Software-Optimized Encryption Algorithm", Proceedings of the 1993 Cambridge Security Workshop, Springer-Verlag, 1994. 2. B. Schneier, Applied Cryptography, Second Edition, John Wiley & Sons, 1996. 3. S. Vaudenay, "Statistical Cryptanalysis of Block Ciphers - 2 Cryptanalysis", 1995. 4. J. Bass, Elements de Calcul des Probabilites, 3e edition, Masson Et Cie, 1974. A This article was processed using the L TEX macro package with LLNCS style