Subhamoy Maitra

Indian Statistical Institute, Baranagore, Bengal, India

Publications (162) · 59.11 Total impact

  • ABSTRACT: RC4 has been the most popular stream cipher in the history of symmetric key cryptography. Its internal state contains a permutation over all possible bytes from 0 to 255, and it attempts to generate a pseudo-random sequence of bytes (called keystream) by extracting elements of this permutation. Over the last twenty years, numerous cryptanalytic results on RC4 stream cipher have been published, many of which are based on non-random (biased) events involving the secret key, the state variables, and the keystream of the cipher. Though biases based on the secret key are common in RC4 literature, none of the existing ones depends on the length of the secret key. In the first part of this paper, we investigate the effect of RC4 keylength on its keystream, and report significant biases involving the length of the secret key. In the process, we prove the two known empirical biases that were experimentally reported and used in recent attacks against WEP and WPA by Sepehrdad, Vaudenay and Vuagnoux in EUROCRYPT 2011. After our current work, there remains no bias in the literature of WEP and WPA attacks without a proof. In the second part of the paper, we present theoretical proofs of some significant initial-round empirical biases observed by Sepehrdad, Vaudenay and Vuagnoux in SAC 2010. In the third part, we present the derivation of the complete probability distribution of the first byte of RC4 keystream, a problem left open for a decade since the observation by Mironov in CRYPTO 2002. Further, the existence of positive biases towards zero for all the initial bytes 3 to 255 is proved and exploited towards a generalized broadcast attack on RC4. We also investigate for long-term non-randomness in the keystream, and prove a new long-term bias of RC4.
    Journal of Cryptology 01/2014; 1(1). · 0.84 Impact Factor
  • Subhadeep Banik, Subhamoy Maitra
    ABSTRACT: In this paper we present a differential fault attack on the stream cipher MICKEY 2.0, which is in eStream's hardware portfolio. While fault attacks have already been reported against the other two eStream hardware candidates, Trivium and Grain, no such analysis is known for MICKEY. Using the standard assumptions for fault attacks, we show that if the adversary can induce random single bit faults in the internal state of the cipher, then by injecting around $2^{16.7}$ faults and performing $2^{32.5}$ computations on an average, it is possible to recover the entire internal state of MICKEY at the beginning of the key-stream generation phase. We further consider the scenario where the fault may affect at most three neighbouring bits, and in that case we require around $2^{18.4}$ faults on an average.
    Proceedings of the 15th international conference on Cryptographic Hardware and Embedded Systems; 08/2013
  • Source
    Kaushik Chakraborty, Subhamoy Maitra
    ABSTRACT: Let a Boolean function be available as a black-box (oracle), and suppose one would like to devise an algorithm to test whether it has a certain property or is $\epsilon$-far from having that property. The efficiency of the algorithm is judged by the number of calls to the oracle needed to decide, with high probability, between these two alternatives. The best known quantum algorithm for testing whether a function is linear or $\epsilon$-far $(0 < \epsilon < \frac{1}{2})$ from linear functions requires $O(\epsilon^{-\frac{2}{3}})$ many calls [Hillery and Andersson, Physical Review A 84, 062329 (2011)]. We show that this can be improved to $O(\epsilon^{-\frac{1}{2}})$ by using the Deutsch-Jozsa and the Grover Algorithms.
    06/2013;
  • ABSTRACT: RC4 is the most popular stream cipher in the domain of cryptology. In this paper, we present a systematic study of the hardware implementation of RC4, and propose the fastest known architecture for the cipher. We combine the ideas of hardware pipeline and loop unrolling to design an architecture that produces 2 RC4 keystream bytes per clock cycle. We have optimized and implemented our proposed design using VHDL description, synthesized with 130, 90, and 65 nm fabrication technologies at clock frequencies 625 MHz, 1.37 GHz, and 1.92 GHz, respectively, to obtain a final RC4 keystream throughput of 10, 21.92, and 30.72 Gbps in the respective technologies.
    IEEE Transactions on Computers 01/2013; 62(4):730-743. · 1.38 Impact Factor
  • ABSTRACT: A Heron triangle is a triangle whose sides and area are all integers. In the paper under review, the authors fix two positive integers $a$ and $b$, and give upper bounds for the function $H(a,b)$ which counts the number of Heron triangles with two fixed sides $a$ and $b$. They obtain that if the factorization of $ab$ is $ab = 2^{\alpha_0} \prod_{i=1}^{s} p_i^{a_i} \prod_{j=1}^{r} q_j^{e_j}$, where $p_i \equiv 3 \pmod 4$ and $q_j \equiv 1 \pmod 4$ are primes, then $H(a,b) \leq \frac{3 + (-1)^{ab}}{2} \prod_{j=1}^{r} (2e_j + 1) - 1$. In particular, $H(a,b) = 0$ if all prime factors of $ab$ are congruent to 3 modulo 4, and $H(p,q) \leq 8$ if $p$ and $q$ are primes. They prove a better estimate for $H(p,q)$ according to the residue classes of $p$ and $q$ modulo 4. They also show that $H(p,q) = 0$ for special pairs of primes, such as when $p = 2q + 1$ (Sophie Germain primes) or when $p$ and $q$ are both Mersenne primes. They also prove some other results concerning Heron triangles, such as that there are no isosceles Heron triangles with square sides, and give a lower bound for the number of Heron triangles with a fixed integer height $h$.
    Integers [electronic only]. 01/2013;
  • Santanu Sarkar, Subhamoy Maitra
    ABSTRACT: In this paper we study weaknesses of two variants of RSA: Dual RSA and Common Prime RSA. Several schemes under the framework of Dual RSA have been proposed by Sun et al. (IEEE Trans Inf Theory 53(8):2922–2933, 2007). We here concentrate on the Dual CRT-RSA scheme and present a certain range of parameters where it is insecure. As a corollary of our work, we prove that the Dual Generalized Rebalanced-RSA (Scheme III of Sun et al.) can be efficiently broken for a significant region where the scheme has been claimed to be secure. Next we consider the Common Prime RSA as proposed by Wiener (IEEE Trans. Inf. Theory 36:553–558, 1990). We present a new range of parameters in Common Prime RSA where it is not secure. We use lattice based techniques for the attacks.
    Designs Codes and Cryptography 01/2013; 66(1-3). · 0.78 Impact Factor
  • ABSTRACT: Ultra-low power dissipation for nanoscale circuits and future technologies such as quantum computing require reversible logic. Existing methods of reversible logic synthesis attempt to minimize gate count, quantum cost, and garbage count, and try to achieve scalability for large Boolean functions. Several notable heuristics for reversible logic synthesis employ a method based on repeated transformation, demonstrating excellent performance compared to available optimal results. In this paper, we suggest two novel techniques for the transformation-based synthesis flow for improving the synthesis outcome. The first technique is based on properties of Boolean functions and the second technique incorporates generalized Fredkin gates during the synthesis flow. We present theoretical results and experimental evidence in support of our strategies.
    Proceedings of The International Symposium on Multiple-Valued Logic 01/2013;
  • Source
    Subhadeep Banik, Subhamoy Maitra, Santanu Sarkar
    ABSTRACT: The 32-bit MAC of Grain-128a is a linear combination of the first 64 and then the alternate keystream bits. In this paper we describe a successful differential fault attack on Grain-128a, in which we recover the Secret Key by observing the correct and faulty MACs of certain chosen messages. The attack works due to certain properties of the Boolean functions and corresponding choices of the taps from the LFSR. We present methods to identify the fault locations and then construct a set of linear equations to obtain the contents of the LFSR and the NFSR. Our attack requires fewer than $2^{11}$ fault injections and fewer than $2^{12}$ invocations of the MAC generation routine.
    Proceedings of the Second international conference on Security, Privacy, and Applied Cryptography Engineering; 11/2012
  • Subhadeep Banik, Subhamoy Maitra, Santanu Sarkar
    ABSTRACT: In this paper we explain how one can obtain Key-IV pairs for the Grain family of stream ciphers that can generate output key-streams which are either (i) almost similar in the initial part or (ii) exact shifts of each other throughout the generation of the stream. Let $l_P$ be the size of the pad used during the key loading of Grain. For the first case, we show that in expected $2^{l_P}$ many invocations of the Key Scheduling Algorithm and its reverse routine, one can obtain two related Key-IV pairs that produce the same output bits in 75 (respectively 112 and 115) selected positions among the initial 96 (respectively 160 and 160) bits for Grain v1 (respectively Grain-128 and Grain-128a). A similar idea works for the second case in showing that given any Key-IV, one can obtain another related Key-IV in expected $2^{l_P}$ many trials such that the related Key-IV pairs produce shifted key-streams. We also provide an efficient strategy to obtain related Key-IV pairs that produce exactly $i$-bit shifted key-streams for small $i$. Our technique pre-computes certain equations that help in obtaining such related Key-IV pairs in $2^i$ many expected trials.
    Proceedings of the Second international conference on Security, Privacy, and Applied Cryptography Engineering; 11/2012
  • Source
    ABSTRACT: In this paper, we study efficient algorithms towards the construction of any arbitrary Dicke state. Our contribution is to use proper symmetric Boolean functions that involve manipulations with Krawtchouk polynomials. The Deutsch-Jozsa algorithm, the Grover algorithm and the parity measurement technique are stitched together to devise the complete algorithm. Further, motivated by the work of Childs et al. (2002), we explore how one can plug the biased Hadamard transformation into our strategy. Our work compares fairly with the results of Childs et al. (2002).
    Quantum Information Processing 09/2012; · 1.75 Impact Factor
  • Santanu Sarkar, Subhamoy Maitra
    ABSTRACT: Towards the cold boot attack (a kind of side channel attack), the problems of reconstructing RSA parameters when (i) certain bits are unknown (Heninger and Shacham, Crypto 2009) and (ii) the bits are available but with some error probability (Henecka, May and Meurer, Crypto 2010) have been considered very recently. In this paper we exploit the error correction heuristic proposed by Henecka et al. to show that CRT-RSA schemes having low Hamming weight decryption exponents are insecure given small encryption exponents (e.g., $e = 2^{16} + 1$). In particular, we show that the CRT-RSA schemes presented by Lim and Lee (SAC 1996) and Galbraith, Heneghan and McKee (ACISP 2005) with low weight decryption exponents can be broken in a few minutes in certain cases. Further, the scheme of Maitra and Sarkar (CT-RSA 2010), where the decryption exponents are not of low weight but have large low weight factors, can also be cryptanalysed. We also identify a few modifications of the error correction strategy that provide significantly improved experimental outcomes towards the cold boot attack.
    Proceedings of the 14th international conference on Cryptographic Hardware and Embedded Systems; 09/2012
  • ABSTRACT: Due to ubiquitous deployment of embedded systems, security and privacy are emerging as major design concerns and new stream ciphers are being proposed by the cryptographic community. HC-128 is one of the recent stream ciphers that received attention after its selection as an eStream candidate. Till date, the cipher is believed to have a good security margin. In this paper we study several implementation issues for HC-128 in a disciplined manner. We first discuss the experience on embedded and customizable processors. Then we consider a dedicated hardware accelerator implementation. Further we explore several parallelization strategies for improving throughput. To the best of our knowledge such a detailed implementation exercise has not been presented in the literature. Our novel implementation strategies mark the fastest HC-128 execution reported till date.
    Circuits and Systems (ISCAS), 2012 IEEE International Symposium on; 01/2012
  • ABSTRACT: Parker considered a new type of discrete Fourier transform, called nega-Hadamard transform. We prove several results regarding its behavior on combinations of Boolean functions and use this theory to derive several results on negabentness (that is, flat nega-spectrum) of concatenations, and partially symmetric functions. We derive the upper bound $\lceil {{ n}\over { 2}} \rceil $ for the algebraic degree of a negabent function on $n$ variables. Further, a characterization of bent–negabent functions is obtained within a subclass of the Maiorana–McFarland set. We develop a technique to construct bent–negabent Boolean functions by using complete mapping polynomials. Using this technique, we demonstrate that for each $\ell \geq 2$, there exist bent–negabent functions on $n = 12\ell $ variables with algebraic degree $ {{ n}\over { 4}}+1 = 3\ell + 1$. It is also demonstrated that there exist bent–negabent functions on eight variables with algebraic degrees 2, 3, and 4. Simple proofs of several previously known facts are obtained as immediate consequences of our work.
    IEEE Transactions on Information Theory 01/2012; 58(6):4064-4072. · 2.62 Impact Factor
  • Source
    ABSTRACT: In this paper, we investigate some algebraic and combinatorial properties of a special Boolean function on n variables, defined using weighted sums in the residue ring modulo the least prime p≥n. We also give further evidence relating to a question raised by Shparlinski regarding this function, by computing accurately the Boolean sensitivity, thus settling the question for prime number values p=n. Finally, we propose a generalization of these functions, which we call laced functions, and compute the weight of one such, for every value of n.
    Discrete Applied Mathematics 07/2011; 159:1059-1069. · 0.72 Impact Factor
  • Source
    Santanu Sarkar, Subhamoy Maitra
    ABSTRACT: In this paper, we analyze how to calculate the GCD of $k$ ($\geq 2$) many large integers, given their approximations. This problem is known as the approximate integer common divisor problem in the literature. Two versions of the problem, presented by Howgrave-Graham in CaLC 2001, turn out to be special cases of our analysis when $k = 2$. We relate the approximate common divisor problem to the implicit factorization problem as well. The latter was introduced by May and Ritzenhofen in PKC 2009 and studied under the assumption that some of the Least Significant Bits (LSBs) of certain primes are the same. Our strategy can be applied to the implicit factorization problem in a general framework considering the equality of (i) most significant bits (MSBs), (ii) least significant bits (LSBs), and (iii) MSBs and LSBs together. We present new and improved theoretical as well as experimental results in comparison with the state of the art work in this area.
    IEEE Transactions on Information Theory 07/2011; · 2.62 Impact Factor
  • Subhamoy Maitra, Goutam Paul, Sourav Sen Gupta
    ABSTRACT: In this paper, contrary to the claim of Mantin and Shamir (FSE 2001), we prove that there exist biases in the initial bytes (3 to 255) of the RC4 keystream towards zero. These biases immediately provide distinguishers for RC4. Additionally, the attack on broadcast RC4 to recover the second byte of the plaintext can be extended to recover the bytes 3 to 255 of the plaintext given $\Omega(N^3)$ many ciphertexts. Further, we also study the non-randomness of index $j$ for the first two rounds of PRGA, and identify a strong bias of $j_2$ towards 4. This in turn provides us with certain state information from the second keystream byte. Keywords: Bias, Broadcast RC4, Cryptanalysis, Distinguishing Attack, Keystream, RC4, Stream Cipher
    06/2011: pages 199-217;
  • Source
    Santanu Sarkar, Subhamoy Maitra
    IEEE Transactions on Information Theory. 01/2011; 57:4002-4013.
  • Goutam Paul, Subhamoy Maitra, Shashwat Raizada
    ABSTRACT: HC-128 is an eSTREAM finalist and no practical attack on this cipher is known. We show that the knowledge of any one of the two internal state arrays of HC-128, along with the knowledge of 2048 keystream words, is sufficient to construct the other state array completely in $2^{42}$ time complexity. Though our analysis does not lead to any attack on HC-128, it reveals a structural insight into the cipher. In the process, we theoretically establish certain combinatorial properties of the HC-128 keystream generation algorithm. Our work may be considered as the first step towards a possible state recovery of HC-128. We also suggest a modification to HC-128 that takes care of the recently known cryptanalytic results with little reduction in speed.
    Advances in Information and Computer Security - 6th International Workshop, IWSEC 2011, Tokyo, Japan, November 8-10, 2011. Proceedings; 01/2011
  • Subhamoy Maitra, Goutam Paul, Sourav Sengupta
    Fast Software Encryption - 18th International Workshop, FSE 2011, Lyngby, Denmark, February 13-16, 2011, Revised Selected Papers; 01/2011
  • Source
    ABSTRACT: A stream cipher has an unobservable internal state that is updated in every step, and a keystream output (bit or word) is generated at every state transition. A state recovery attack on a stream cipher attempts to recover the hidden internal state by observing the keystream. RC4 is a very widely used commercial stream cipher that has a huge internal state. No known state recovery attack on RC4 is feasible in practice, and the best so far has a complexity of $2^{241}$ (Maximov et al., CRYPTO 2008). In this paper, we take a different approach to the problem. RC4 has a secret index $j$ of size one byte. We perform a combinatorial analysis of the complexity of RC4 state recovery under the assumption that the values of $j$ are known for several rounds. This assumption of knowledge of $j$ is reasonable under some attack models, such as fault analysis, cache analysis, side channel attacks etc. Our objective is not to devise an unconditional full state recovery attack on RC4, but to investigate how much information about $j$ leaks how much information about the internal state. In the process, we reveal a nice combinatorial structure of RC4 evolution and establish certain interesting results related to the complexity of state recovery.
    Information Systems Security - 7th International Conference, ICISS 2011, Kolkata, India, December 15-19, 2011, Proceedings; 01/2011

Publication Stats

2k Citations
59.11 Total Impact Points

Institutions

  • 1999–2013
    • Indian Statistical Institute
      • Applied Statistics Unit (ASU)
      • Computer and Statistical Services Centre (CSSC)
      Baranagore, Bengal, India
  • 2008
    • Auburn University in Montgomery
      • Department of Mathematics
      Montgomery, Alabama, United States
  • 2001–2002
    • Lund University
      Lund, Skåne, Sweden