In Europe and North America, the most widely used stream cipher to ensure privacy and confidentiality of conversations in GSM mobile phones is the A5/1. In this paper, we present a new attack on the A5/1 stream cipher with a minimum time complexity of around 2 and an average complexity of 2, which is much less than the brute-force attack with a complexity of 2. The attack has a 100% success rat...

In this paper we investigate the security of the compression function of HAS-160 in encryption mode. The structure of HAS-160 is similar to SHA-1 besides some modifications.This is the first cryptographic attack that breaks the encryption mode of the full 80-round HAS-160. We apply a key recovery attack that requires 2 chosen plaintexts and 2 80-round HAS-160 encryptions. The attack does not ai...

The F-FCSR stream cipher family has been presented a few years ago. Apart from some aws in the initial propositions, corrected in a later stage, there are no known weaknesses of the core of these algorithms. The hardware oriented version, called FCSR-H, is one of the ciphers selected for the eSTREAM portfolio. In this paper we present a new and severe cryptanalytic attack on the F-FCSR stream c...

This paper describes a new diierential-style attack, which we call the boomerang attack. This attack has several interesting applications. First, we disprove the oft-repeated claim that eliminating all high-probability diierentials for the whole cipher is suucient to guarantee security against diierential attacks. Second, we show how to break COCONUT98, a cipher designed using decorrelation tec...

SMS4 is a 128-bit block cipher used in the WAPI standard for providing data confidentiality in wireless networks. In this paper we investigate and explain the origin of the S-Box employed by the cipher, show that an embedded cipher similar to BES can be obtained for SMS4 and demonstrate the fragility of the cipher design by giving variants that exhibit 2 weak keys. We also show attacks on reduc...

Differential Fault Analysis (DFA) is a well known cryptanalytic technique that exploits faulty outputs of an encryption device. Despite its popularity and similarity with the classical (DA), thorough analysis explaining DFA from designer’s point-of-view missing in literature. To best our knowledge, no immune block cipher at algorithmic level has been proposed so far. Furthermore, all countermea...

We describe a cryptanalytical technique for distinguishing some stream ciphers from a truly random process. Roughly, the ciphers to which this method applies consist of a “non-linear process” (say, akin to a round function in block ciphers), and a “linear process” such as an LFSR (or even fixed tables). The output of the cipher can be the linear sum of both processes. To attack such ciphers, we...

Inspired by the paper [10], using better differential characteristics in the biclique construction, we give another balanced biclique attack on full rounds PRINCE with the lower complexity in this paper. Our balanced biclique attack has 62.67 2 computational complexity and 32 2 data complexity. Furthermore, we first illustrate a star-based biclique attack on full rounds PRINCE cipher in this pa...

Stream cipher Hiji-Bij-Bij (HBB) was proposed by Sarkar at Indocrypt’03. This cipher uses cellular automata (CA). The algorithm has two modes: a basic mode (B) and a self-synchronizing mode (SS). This article presents the first attack on B mode of HBB using 128 bit secret key. This is a known-pliantext guess-then-determine attack. The main step in the attack guesses 512 bits of unknown out of t...

Tree-structures have been proposed for both the construction of block ciphers by Kam and Davida 7], and self-synchronous stream ciphers by K uhn 9]. Attacks on these ciphers have been given by An-derson 2] and Heys and Tavares 6]. In this paper it is demonstrated that a more eecient attack can be conducted when the underlying Boolean functions for the cells are known. It is shown that this atta...