Subhamoy Maitra

Indian Statistical Institute, Baranagore, West Bengal, India

Publications (172) · 73.09 Total impact

  • Kaushik Chakraborty · Subhamoy Maitra
    ABSTRACT: In this paper, we explore quantum algorithms to check the resiliency property of a Boolean function (in particular, when it is non-resilient). First we explain that Deutsch-Jozsa algorithm can be immediately used for this purpose. We further analyse how the quadratic improvement in query complexity can be obtained using Grover’s technique. While the worst case quantum query complexity to check the resiliency order is exponential in the number of input variables of the Boolean function, in our strategy one requires polynomially many measurements only. We also describe a subset of n-variable Boolean functions for which the algorithm works in polynomially many steps, i.e., we can achieve an exponential speed-up over best known classical algorithms.
    No preview · Article · Aug 2015 · Cryptography and Communications
  • Toshanlal Meenpal · Subhadeep Banik · Subhamoy Maitra
    ABSTRACT: Most of the existing conditional access-based systems (CAS) follow a standard methodology. The service provider shares two copies for single information (specifically image for this work). One copy is a low-resolution version which is shared in the public domain for preview purpose. The other one is a high-resolution version to be provided to the customers through a secure channel on demand (after payment). We propose a novel scheme that can be efficiently adapted in such a scenario. We analyze the images in the discrete cosine transform (DCT) domain and note that polynomials of suitable degree, representing the sorted DCT coefficients together with original index locations, can uniquely represent an image. We show that the arrangement of DCT index locations, after the actual coefficients have been sorted by magnitude, is significantly different for various images and we exploit this to design an efficient CAS-based scheme. We also show that the amount of private data, which a service provider needs to transmit through a secure channel to the customers on demand, is reduced significantly. This reduction in transmitted data makes the system apt for real-time secure applications.
    No preview · Article · Feb 2014 · Journal of Real-Time Image Processing
  • Santanu Sarkar · Sourav Sen Gupta · Goutam Paul · Subhamoy Maitra
    ABSTRACT: After a series of results on RC4 cryptanalysis in flagship cryptology conferences and journals, one of the most significant recent attacks on the cipher has been the discovery of vulnerabilities in the SSL/TLS protocol, by AlFardan et al. (USENIX 2013). Through extensive computations, they identified some new significant short-term single-byte biases in RC4 keystream sequence, and utilized those, along-with existing biases, towards the TLS attack. The current article proves these new and unproved biases in RC4, and in the process discovers intricate non-randomness within the cipher. In this connection, we also prove the anomaly in the 128th element of the permutation after the key scheduling algorithm. Finally, the proof for the extended key-length dependent biases in RC4 keystream sequence, a problem attempted and partially solved by Isobe et al. in FSE 2013, has also been completed in this work.
    No preview · Article · Jan 2014 · Designs Codes and Cryptography
  • Sourav Sen Gupta · Subhamoy Maitra · Goutam Paul · Santanu Sarkar
    ABSTRACT: RC4 has been the most popular stream cipher in the history of symmetric key cryptography. Its internal state contains a permutation over all possible bytes from 0 to 255, and it attempts to generate a pseudo-random sequence of bytes (called keystream) by extracting elements of this permutation. Over the last twenty years, numerous cryptanalytic results on RC4 stream cipher have been published, many of which are based on non-random (biased) events involving the secret key, the state variables, and the keystream of the cipher. Though biases based on the secret key are common in RC4 literature, none of the existing ones depends on the length of the secret key. In the first part of this paper, we investigate the effect of RC4 keylength on its keystream, and report significant biases involving the length of the secret key. In the process, we prove the two known empirical biases that were experimentally reported and used in recent attacks against WEP and WPA by Sepehrdad, Vaudenay and Vuagnoux in EUROCRYPT 2011. After our current work, there remains no bias in the literature of WEP and WPA attacks without a proof. In the second part of the paper, we present theoretical proofs of some significant initial-round empirical biases observed by Sepehrdad, Vaudenay and Vuagnoux in SAC 2010. In the third part, we present the derivation of the complete probability distribution of the first byte of RC4 keystream, a problem left open for a decade since the observation by Mironov in CRYPTO 2002. Further, the existence of positive biases towards zero for all the initial bytes 3 to 255 is proved and exploited towards a generalized broadcast attack on RC4. We also investigate for long-term non-randomness in the keystream, and prove a new long-term bias of RC4.
    No preview · Article · Jan 2014 · Journal of Cryptology
  • Santanu Sarkar · Subhadeep Banik · Subhamoy Maitra
    ABSTRACT: The series of published works, related to differential fault attack (DFA) against the Grain family, require quite a large number (hundreds) of faults and also several assumptions on the locations and the timings of the faults injected. In this paper, we present a significantly improved scenario from the adversarial point of view for DFA against the Grain family of stream ciphers. Our model is the most realistic one so far as it considers that the cipher has to be re-keyed only a few times and faults can be injected at any random location and at any random point of time, i.e., no precise control is needed over the location and timing of fault injections. We construct equations based on the algebraic description of the cipher by introducing new variables so that the degrees of the equations do not increase. In line of algebraic cryptanalysis, we accumulate such equations based on the fault-free and faulty key-stream bits and solve them using the SAT Solver Cryptominisat-2.9.5 installed with SAGE 5.7. In a few minutes we can recover the state of Grain v1, Grain-128 and Grain-128a with as little as 10, 4 and 10 faults respectively.
    No preview · Article · Jan 2014 · IEEE Transactions on Computers
  • Subhamoy Maitra · Sourav Sen Gupta
    ABSTRACT: In 1996, Jenkins pointed out a correlation between the hidden state and the output keystream of RC4, which is well known as the Glimpse theorem. With a permutation of size N-bytes, the probability of guessing one location by random association is 1/N, whereas the existing correlations related to glimpse allow an adversary to guess a permutation location, using the knowledge of the keystream output bytes, with probability 2/N. To date, this is the best known state-leakage based on glimpse. For the first time in RC4 literature, we show that there are certain events that leak state information with a probability of 3/N, considerably higher than the existing results. Further, the new glimpse correlation that we observe is a long-term phenomenon; it remains valid at any stage of the evolution of RC4 Pseudo Random Generation Algorithm (PRGA). This new glimpse with a considerably higher probability of state-leakage may potentially have serious ramifications towards state-recovery attacks on RC4.
    No preview · Chapter · Dec 2013
  • Subhadeep Banik · Subhamoy Maitra
    ABSTRACT: In this paper we present a differential fault attack on the stream cipher MICKEY 2.0 which is in eStream's hardware portfolio. While fault attacks have already been reported against the other two eStream hardware candidates Trivium and Grain, no such analysis is known for MICKEY. Using the standard assumptions for fault attacks, we show that if the adversary can induce random single bit faults in the internal state of the cipher, then by injecting around 2^{16.7} faults and performing 2^{32.5} computations on an average, it is possible to recover the entire internal state of MICKEY at the beginning of the key-stream generation phase. We further consider the scenario where the fault may affect at most three neighbouring bits and in that case we require around 2^{18.4} faults on an average.
    No preview · Conference Paper · Aug 2013
  • ABSTRACT: Due to the symmetric padding used in the stream cipher Grain v1 and Grain-128, it is possible to find Key-IV pairs that generate shifted keystreams efficiently. Based on this observation, Y. Lee et al. [Lect. Notes Comput. Sci. 5107, 321–335 (2008; Zbl 1285.94076)] presented a chosen IV related Key attack on Grain v1 and Grain-128 at ACISP 2008. Later, the designers introduced Grain-128a having an asymmetric padding. As a result, the existing idea of chosen IV related Key attack does not work on this new design. In this paper, we present a Key recovery attack on Grain-128a, in a chosen IV related Key setting. We show that using around γ·2^{32} (γ is an experimentally determined constant and it is sufficient to estimate it as 2^8) related Keys and γ·2^{64} chosen IVs, it is possible to obtain 32·γ simple nonlinear equations and solve them to recover the secret key in Grain-128a.
    No preview · Article · Jul 2013
  • Kaushik Chakraborty · Subhamoy Maitra
    ABSTRACT: Let a Boolean function be available as a black-box (oracle) and one likes to devise an algorithm to test whether it has certain property or it is $\epsilon$-far from having that property. The efficiency of the algorithm is judged by the number of calls to the oracle so that one can decide, with high probability, between these two alternatives. The best known quantum algorithm for testing whether a function is linear or $\epsilon$-far $(0 < \epsilon < \frac{1}{2})$ from linear functions requires $O(\epsilon^{-\frac{2}{3}})$ many calls [Hillery and Andersson, Physical Review A 84, 062329 (2011)]. We show that this can be improved to $O(\epsilon^{-\frac{1}{2}})$ by using the Deutsch-Jozsa and the Grover Algorithms.
    Full-text · Article · Jun 2013
  • ABSTRACT: RC4 is the most popular stream cipher in the domain of cryptology. In this paper, we present a systematic study of the hardware implementation of RC4, and propose the fastest known architecture for the cipher. We combine the ideas of hardware pipeline and loop unrolling to design an architecture that produces 2 RC4 keystream bytes per clock cycle. We have optimized and implemented our proposed design using VHDL description, synthesized with 130, 90, and 65 nm fabrication technologies at clock frequencies 625 MHz, 1.37 GHz, and 1.92 GHz, respectively, to obtain a final RC4 keystream throughput of 10, 21.92, and 30.72 Gbps in the respective technologies.
    Full-text · Article · Apr 2013 · IEEE Transactions on Computers
  • ABSTRACT: Ultra-low power dissipation for nanoscale circuits and future technologies such as quantum computing require reversible logic. Existing methods of reversible logic synthesis attempt to minimize gate count, quantum cost, garbage count and try to achieve scalability for large Boolean functions. Several notable heuristics for reversible logic synthesis employ a method based on repeated transformation, demonstrating excellent performance compared to available optimal results. In this paper, we suggest two novel techniques to the transformation-based synthesis flow for improving synthesis outcome. The first technique is based on properties of Boolean functions and the second technique incorporates generalized Fredkin gates during synthesis flow. We present theoretical results and experimental evidence in support of our strategies.
    No preview · Article · Jan 2013 · Proceedings of The International Symposium on Multiple-Valued Logic
  • Santanu Sarkar · Subhamoy Maitra
    ABSTRACT: In this paper we study weaknesses of two variants of RSA: Dual RSA and Common Prime RSA. Several schemes under the framework of Dual RSA have been proposed by Sun et al. (IEEE Trans Inf Theory 53(8):2922–2933, 2007). We here concentrate on the Dual CRT-RSA scheme and present certain range of parameters where it is insecure. As a corollary of our work, we prove that the Dual Generalized Rebalanced-RSA (Scheme III of Sun et al.) can be efficiently broken for a significant region where the scheme has been claimed to be secure. Next we consider the Common Prime RSA as proposed by Wiener (IEEE Trans. Inf. Theory 36:553–558, 1990). We present new range of parameters in Common Prime RSA where it is not secure. We use lattice based techniques for the attacks.
    No preview · Article · Jan 2013 · Designs Codes and Cryptography
  • ABSTRACT: The first known result on RC4 cryptanalysis (presented by Roos in 1995) points out that the most likely value of the y-th element of the permutation after the key scheduling algorithm (KSA) for the first few values of y is given by S_N[y]=f_y, some linear combinations of the secret keys. While it should have been quite natural to study the association S_N[y]=f_y±t for small positive integers t (e.g., t≤4), surprisingly that had never been tried before. In this paper, we study that problem for the first time and show that though the event S_N[y]=f_y+t occurs with random association, there is a significantly high probability for the event S_N[y]=f_y-t. We also present several related non-randomness behaviour for the event S_N[S_N[y]]=f_y-t of RC4 KSA in this direction. Further, we investigate near-colliding keys that lead to related states after the KSA and related keystream bytes. Our investigation reveals that near-colliding states do not necessarily lead to near-colliding keystreams. From this motivation, we present a heuristic to find a related key pair with differences in two bytes, that lead to significant matches in the initial keystream. In the process, we discover a class of related key distinguishers for RC4. The best one of these shows that given a random key and a related one to that (the last two bytes increased and decreased by 1 respectively), the first pair of bytes corresponding to the related keys are same with very high probability (e.g., approximately 0.011 for 16-byte keys to 0.044 for 30-byte keys).
    No preview · Article · Jan 2013
  • Goutam Paul · Subhamoy Maitra · Anupam Chattopadhyay
    No preview · Article · Jan 2013
  • Subhadeep Banik · Subhamoy Maitra · Santanu Sarkar
    ABSTRACT: In this paper we study a differential fault attack against ciphers having the same physical structure as in the Grain family. In particular we demonstrate our attack against Grain v1, Grain-128 and Grain-128a. The existing attacks by Berzati et al. (HOST 2009), Karmakar et al. (Africacrypt 2011) and Banik et al. (CHES 2012) assume a fault model that allows them to reproduce a fault at a particular register location more than once. However, we assume a realistic fault model in which the above assumption is no longer necessary, i.e., re-injecting the fault in the same location more than once is not required. In addition, towards a more practical framework, we also consider the situation in which more than one consecutive locations of the LFSR are flipped as result of a single fault injection.
    No preview · Article · Dec 2012
  • Subhadeep Banik · Subhamoy Maitra · Santanu Sarkar
    ABSTRACT: The 32-bit MAC of Grain-128a is a linear combination of the first 64 and then the alternative keystream bits. In this paper we describe a successful differential fault attack on Grain-128a, in which we recover the Secret Key by observing the correct and faulty MACs of certain chosen messages. The attack works due to certain properties of the Boolean functions and corresponding choices of the taps from the LFSR. We present methods to identify the fault locations and then construct a set of linear equations to obtain the contents of the LFSR and the NFSR. Our attack requires less than 2^{11} fault injections and invocations of less than 2^{12} MAC generation routines.
    Full-text · Conference Paper · Nov 2012
  • Subhadeep Banik · Subhamoy Maitra · Santanu Sarkar
    ABSTRACT: In this paper we explain how one can obtain Key-IV pairs for Grain family of stream ciphers that can generate output key-streams which are either (i) almost similar in the initial part or (ii) exact shifts of each other throughout the generation of the stream. Let \(l_P\) be the size of the pad used during the key loading of Grain. For the first case, we show that in expected \(2^{l_P}\) many invocations of the Key Scheduling Algorithm and its reverse routine, one can obtain two related Key-IV pairs that can produce same output bits in 75 (respectively 112 and 115) selected positions among the initial 96 (respectively 160 and 160) bits for Grain v1 (respectively Grain-128 and Grain-128a). Similar idea works for the second case in showing that given any Key-IV, one can obtain another related Key-IV in expected \(2^{l_P}\) many trials such that the related Key-IV pairs produce shifted key-streams. We also provide an efficient strategy to obtain related Key-IV pairs that produce exactly i-bit shifted key-streams for small i. Our technique pre-computes certain equations that help in obtaining such related Key-IV pairs in \(2^i\) many expected trials.
    No preview · Conference Paper · Nov 2012
  • ABSTRACT: In this paper, we study efficient algorithms towards the construction of any arbitrary Dicke state. Our contribution is to use proper symmetric Boolean functions that involve manipulations with Krawtchouk polynomials. Deutsch-Jozsa algorithm, Grover algorithm and the parity measurement technique are stitched together to devise the complete algorithm. Further, motivated by the work of Childs et al (2002), we explore how one can plug the biased Hadamard transformation in our strategy. Our work compares fairly with the results of Childs et al (2002).
    Full-text · Article · Sep 2012 · Quantum Information Processing
  • Santanu Sarkar · Subhamoy Maitra
    ABSTRACT: Towards the cold boot attack (a kind of side channel attack), the problems of reconstructing RSA parameters when (i) certain bits are unknown (Heninger and Shacham, Crypto 2009) and (ii) the bits are available but with some error probability (Henecka, May and Meurer, Crypto 2010) have been considered very recently. In this paper we exploit the error correction heuristic proposed by Henecka et al to show that CRT-RSA schemes having low Hamming weight decryption exponents are insecure given small encryption exponents (e.g., e=2^{16}+1). In particular, we show that the CRT-RSA schemes presented by Lim and Lee (SAC 1996) and Galbraith, Heneghan and McKee (ACISP 2005) with low weight decryption exponents can be broken in a few minutes in certain cases. Further, the scheme of Maitra and Sarkar (CT-RSA 2010), where the decryption exponents are not of low weight but they have large low weight factors, can also be cryptanalysed. We also identify a few modifications of the error correction strategy that provides significantly improved experimental outcome towards the cold boot attack.
    No preview · Conference Paper · Sep 2012