Rotational cryptanalysis of round-reduced Keccak

In this paper we attack round-reduced Keccak hash function with a technique called rotational cryptanalysis. We focus on Keccak variants proposed as SHA-3 candidates in the NIST’s contest for a new standard of cryptographic hash function. Our main result is a preimage attack on 4-round Keccak and a 5-round distinguisher on Keccak-f[1600] permutation — the main building block of Keccak hash function.

Improved cryptanalysis of the Common Scrambling Algorithm Stream Cipher

This paper provides a fresh analysis of the widely-used Common Scrambling Algorithm Stream Cipher (CSA-SC). Firstly, a new representation of CSA-SC with a state size of only 89 bits is given, a significant reduction from the 103 bit state of a previous CSA-SC representation. Analysis of this 89-bit representation demonstrates that the basis of a previous guess-and-determine attack is flawed. Correcting this flaw increases the complexity of that attack so that it is worse than exhaustive key search. Although that attack is not feasible, the reduced state size of our representation makes it obvious that CSA-SC is vulnerable to several generic attacks, for which feasible parameters are given.

Improved algebraic cryptanalysis of QUAD, Bivium and Trivium via graph partitioning on equation systems

We present a novel approach for preprocessing systems of polynomial equations via graph partitioning. The variable-sharing graph of a system of polynomial equations is defined. If such graph is disconnected, then the corresponding system of equations can be split into smaller ones that can be solved individually. This can provide a tremendous speed-up in computing the solution to the system, but is unlikely to occur either randomly or in applications. However, by deleting certain vertices on the graph, the variable-sharing graph could be disconnected in a balanced fashion, and in turn the system of polynomial equations would be separated into smaller systems of near-equal sizes. In graph theory terms, this process is equivalent to finding balanced vertex partitions with minimum-weight vertex separators. The techniques of finding these vertex partitions are discussed, and experiments are performed to evaluate its practicality for general graphs and systems of polynomial equations. Applications of this approach in algebraic cryptanalysis on symmetric ciphers are presented: For the QUAD family of stream ciphers, we show how a malicious party can manufacture conforming systems that can be easily broken. For the stream ciphers Bivium and Trivium, we nachieve significant speedups in algebraic attacks against them, mainly in a partial key guess scenario. In each of these cases, the systems of polynomial equations involved are well-suited to our graph partitioning method. These results may open a new avenue for evaluating the security of symmetric ciphers against algebraic attacks.

Shortening cemented femoral implants. An in vitro investigation to quantify exeter femoral implant rotational stability vs simulated implant length

The Exeter stems vary in length from 90 to 150 mm. The shorter stems generally have lower offsets. The purpose of this study was to determine if length of stem, with fixed offset, affected rotational stability. Mechanical testing was carried out on 10 implant-cement constructs with 2 loading profiles, rising from chair and stair climbing, at different simulated implant lengths using purpose-built apparatus. This paper presents a mechanism for clinically observed rotational stability and explains the mechanical characteristics required for rotational stability in Exeter femoral stems. © 2012.

Inter-vertebral rotational deformity after endoscopic anterior scoliosis correction may contribute to rib hump recurrence after two years

Introduction. Endoscopic anterior scoliosis correction has been employed recently as a less invasive and level-sparing approach compared with open surgical techniques. We have previously demonstrated that during the two-year post-operative period, there was a mean loss of rib hump correction by 1.4 degrees. The purpose of this study was to determine whether intra- or inter-vertebral rotational deformity during the post-operative period could account for the loss of rib hump correction. Materials and Methods. Ten consecutive patients diagnosed with adolescent idiopathic scoliosis were treated with an endoscopic anterior scoliosis correction. Low-dose computed tomography scans of the instrumented segment were obtained post-operatively at 6 and 24 months following institutional ethical approval and patient consent. Three-dimensional multi-planar reconstruction software (Osirix Imaging Software, Pixmeo, Switzerland) was used to create axial slices of each vertebral level, corrected in both coronal and sagittal planes. Vertebral rotation was measured using Ho’s method for every available superior and inferior endplate at 6 and 24 months. Positive changes in rotation indicate a reduction and improvement in vertebral rotation. Intra-observer variability analysis was performed on a subgroup of images. Results. Mean change in rotation for vertebral endplates between 6 and 24 months post-operatively was -0.26˚ (range -3.5 to 4.9˚) within the fused segment and +1.26˚ (range -7.2 to 15.1˚) for the un-instrumented vertebrae above and below the fusion. Mean change in clinically measured rib hump for the 10 patients was -1.6˚ (range -3 to 0˚). The small change in rotation within the fused segment accounts for only 16.5% of the change in rib hump measured clinically whereas the change in rotation between the un-instrumented vertebrae above and below the construct accounts for 78.8%. There was no clear association between rib hump recurrence and intra- or inter-vertebral rotation in individual patients. Intra-rater variability was ± 3˚. Conclusions. Intra- and inter-vertebral rotation continues post-operatively both within the instrumented and un-instrumented segments of the immature spine. Rotation between the un-instrumented vertebrae above and below the fusion was +1.26˚, suggesting that the un-instrumented vertebrae improved and de-rotated slightly after surgery. This may play a role in rib hump recurrence, however this remains clinically insignificant.

Cryptanalysis of the convex hull click human identification protocol

Recently, a convex hull-based human identification protocol was proposed by Sobrado and Birget, whose steps can be performed by humans without additional aid. The main part of the protocol involves the user mentally forming a convex hull of secret icons in a set of graphical icons and then clicking randomly within this convex hull. While some rudimentary security issues of this protocol have been discussed, a comprehensive security analysis has been lacking. In this paper, we analyze the security of this convex hull-based protocol. In particular, we show two probabilistic attacks that reveal the user’s secret after the observation of only a handful of authentication sessions. These attacks can be efficiently implemented as their time and space complexities are considerably less than brute force attack. We show that while the first attack can be mitigated through appropriately chosen values of system parameters, the second attack succeeds with a non-negligible probability even with large system parameter values that cross the threshold of usability.

Cryptanalysis of WG-7 : a lightweight stream cipher

WG-7 is a stream cipher based on WG stream cipher and has been designed by Luo et al. (2010). This cipher is designed for low cost and lightweight applications (RFID tags and mobile phones, for instance). This paper addresses cryptographic weaknesses of WG-7 stream cipher. We show that the key stream generated by WG-7 can be distinguished from a random sequence after knowing 213.5 keystream bits and with a negligible error probability. Also, we investigate the security of WG-7 against algebraic attacks. An algebraic key recovery attack on this cipher is proposed. The attack allows to recover both the internal state and the secret key with the time complexity about 2/27.

Cryptanalysis of LASH

We show that the LASH-x hash function is vulnerable to attacks that trade time for memory, including collision attacks as fast as 2(4x/11) and preimage attacks as fast as 2(4x/7). Moreover, we briefly mention heuristic lattice based collision attacks that use small memory but require very long messages that are expected to find collisions much faster than 2 x/2. All of these attacks exploit the designers’ choice of an all zero IV. We then consider whether LASH can be patched simply by changing the IV. In this case, we show that LASH is vulnerable to a 2(7x/8) preimage attack. We also show that LASH is trivially not a PRF when any subset of input bytes is used as a secret key. None of our attacks depend upon the particular contents of the LASH matrix – we only assume that the distribution of elements is more or less uniform.

Cryptanalysis of RC4(n, m) stream cipher

RC4(n, m) is a stream cipher based on RC4 and is designed by G. Gong et al. It can be seen as a generalization of the famous RC4 stream cipher designed by Ron Rivest. The authors of RC4(n, m) claim that the cipher resists all the attacks that are successful against the original RC4. The paper reveals cryptographic weaknesses of the RC4(n, m) stream cipher. We develop two attacks. The first one is based on non-randomness of internal state and allows to distinguish it from a truly random cipher by an algorithm that has access to 24·n bits of the keystream. The second attack exploits low diffusion of bits in the KSA and PRGA algorithms and recovers all bytes of the secret key. This attack works only if the initial value of the cipher can be manipulated. Apart from the secret key, the cipher uses two other inputs, namely, initial value and initial vector. Although these inputs are fixed in the cipher specification, some applications may allow the inputs to be under the attacker control. Assuming that the attacker can control the initial value, we show a distinguisher for the cipher and a secret key recovery attack that for the L-bit secret key, is able to recover it with about (L/n) · 2n steps. The attack has been implemented on a standard PC and can reconstruct the secret key of RC(8, 32) in less than a second.

Cryptanalysis of RC4-based hash function

RC4-Based Hash Function is a new proposed hash function based on RC4 stream cipher for ultra low power devices. In this paper, we analyse the security of the function against collision attack. It is shown that the attacker can find collision and multi-collision messages with complexity only 6 compress function operations and negligible memory with time complexity 2 13. In addition, we show the hashing algorithm can be distinguishable from a truly random sequence with probability close to one.