RC4 has been the most popular stream cipher in the history of symmetric key cryptography. Its internal state contains a permutation over all possible bytes from 0 to 255, and it attempts to generate a pseudo-random sequence of bytes (called keystream) by extracting elements of this permutation. Over the last twenty years, numerous cryptanalytic results on… (More)
In this paper we revisit Wiener's method (IEEE-IT 1990) of continued fraction (CF) to find new weaknesses in RSA. We consider RSA with N = pq, q < p < 2q, public encryption exponent e and private decryption exponent d. Our motivation is to find out when RSA is insecure given d is O(N δ), where we are mostly interested in the range 0.3 ≤ δ ≤ 0.5. Given ρ (1… (More)
The 32-bit MAC of Grain-128a is a linear combination of the first 64 and then the alternative keystream bits. In this paper we describe a successful differential fault attack on Grain-128a, in which we recover the secret key by observing the correct and faulty MACs of certain chosen messages. The attack works due to certain properties of the Boolean… (More)
Design of secure lightweight stream ciphers is an important area in cryptographic hardware & embedded systems and a very recent design by Armknecht and Mikhalev (FSE 2015) has received serious attention that uses shorter internal state and still claims to resist the time-memory-data-tradeoff (TMDTO) attacks. An instantiation of this design paradigm is the… (More)
In this paper, we analyse how to calculate the GCD of k (≥ 2) many large integers, given their approximations. Two versions of the approximate common divisor problem, presented by Howgrave-Graham in CaLC 2001, are special cases of our analysis when k = 2. We then relate the approximate common divisor problem to the implicit factorization problem. This has… (More)
The Modular Inversion Hidden Number Problem (MIHNP) was introduced by Boneh, Halevi and Howgrave-Graham in Asiacrypt 2001 (BHH'01). They provided two heuris-tics-in Method I, two-third of the output bits are required to solve the problem, whereas the more efficient heuristic (Method II) requires only one-third of the bits of the output. After more than a… (More)
We consider an RSA variant with Modulus N = p 2 q. This variant is known as Prime Power RSA. In PKC 2004 May proved when decryption exponent d < N 0.22 , one can factor N in polynomial time. In this paper, we improve this bound upto N 0.395. We provide detailed experimental results to justify our claim.